Bump github.com/docker/docker

Bumps [github.com/docker/docker](https://github.com/docker/docker) from 26.1.5+incompatible to 28.0.0+incompatible. - [Release notes](https://github.com/docker/docker/releases) - [Commits](https://github.com/docker/docker/compare/v26.1.5...v28.0.0) --- updated-dependencies: - dependency-name: github.com/docker/docker dependency-version: 28.0.0+incompatible dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
2026-04-20 01:06:45 +00:00 · 2025-08-27 16:32:02 +00:00
1282 changed files with 15996 additions and 205090 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,15 +1,15 @@
-FROM golang:1.25-bookworm
+FROM golang:1.23-bullseye
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
    && apt-get -y install --no-install-recommends\
-        gettext-base=0.21-12 \
+        gettext-base=0.21-4 \ 
-        iptables=1.8.9-2 \
+        iptables=1.8.7-1 \
-        libgl1-mesa-dev=22.3.6-1+deb12u1 \
+        libgl1-mesa-dev=20.3.5-1 \
-        xorg-dev=1:7.7+23 \
+        xorg-dev=1:7.7+22 \
-        libayatana-appindicator3-dev=0.5.92-1 \
+        libayatana-appindicator3-dev=0.5.5-2+deb11u2 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* \
-    && go install -v golang.org/x/tools/gopls@latest
+    && go install -v golang.org/x/tools/gopls@v0.18.1
 WORKDIR /app
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +0,0 @@
 .env
 .env.*
 *.pem
 *.key
 *.crt
 *.p12
--- a/.githooks/pre-push
+++ b/.githooks/pre-push
@@ -1,11 +0,0 @@
 #!/bin/bash
 echo "Running pre-push hook..."
 if ! make lint; then
    echo ""
    echo "Hint: To push without verification, run:"
    echo "  git push --no-verify"
    exit 1
 fi
 echo "All checks passed!"
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,14 +0,0 @@
 blank_issues_enabled: true
 contact_links:
  - name: Community Support
    url: https://forum.netbird.io/
    about: Community support forum
  - name: Cloud Support
    url: https://docs.netbird.io/help/report-bug-issues
    about: Contact us for support
  - name: Client/Connection Troubleshooting
    url: https://docs.netbird.io/help/troubleshooting-client
    about: See our client troubleshooting guide for help addressing common issues
  - name: Self-host Troubleshooting
    url: https://docs.netbird.io/selfhosted/troubleshooting
    about: See our self-host troubleshooting guide for help addressing common issues
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -3,108 +3,39 @@ name: Check License Dependencies
 on:
  push:
    branches: [ main ]
    paths:
      - 'go.mod'
      - 'go.sum'
      - '.github/workflows/check-license-dependencies.yml'
  pull_request:
    paths:
      - 'go.mod'
      - 'go.sum'
      - '.github/workflows/check-license-dependencies.yml'
 jobs:
-  check-internal-dependencies:
+  check-dependencies:
    name: Check Internal AGPL Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for problematic license dependencies
        run: |
          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
          echo ""
          # Find all directories except the problematic ones and system dirs
          FOUND_ISSUES=0
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
              FOUND_ISSUES=1
            else
              echo "✓ No problematic dependencies found"
            fi
          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
            exit 1
          else
            echo ""
            echo "✅ All internal license dependencies are clean"
          fi
  check-external-licenses:
    name: Check External GPL/AGPL Licenses
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
-    - name: Set up Go
+    - name: Check for problematic license dependencies
      uses: actions/setup-go@v5
      with:
        go-version-file: 'go.mod'
        cache: true
    - name: Install go-licenses
      run: go install github.com/google/go-licenses@v1.6.0
    - name: Check for GPL/AGPL licensed dependencies
      run: |
-        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+        echo "Checking for dependencies on management/, signal/, and relay/ packages..."
        echo ""
-        # Check all Go packages for copyleft licenses, excluding internal netbird packages
+        # Find all directories except the problematic ones and system dirs
-        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+        FOUND_ISSUES=0
-
+        find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort | while read dir; do
-        if [ -n "$COPYLEFT_DEPS" ]; then
+          echo "=== Checking $dir ==="
-          echo "Found copyleft licensed dependencies:"
+          # Search for problematic imports, excluding test files
-          echo "$COPYLEFT_DEPS"
+          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
-          echo ""
+          if [ ! -z "$RESULTS" ]; then
-
+            echo "❌ Found problematic dependencies:"
-          # Filter out dependencies that are only pulled in by internal AGPL packages
+            echo "$RESULTS"
-          INCOMPATIBLE=""
+            FOUND_ISSUES=1
-          while IFS=',' read -r package url license; do
+          else
-            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+            echo "✓ No problematic dependencies found"
              # Find ALL packages that import this GPL package using go list
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
              # Check if any importer is NOT in management/signal/relay
              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
              else
                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
              fi
            fi
          done <<< "$COPYLEFT_DEPS"
          if [ -n "$INCOMPATIBLE" ]; then
            echo ""
            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
            echo -e "$INCOMPATIBLE"
            exit 1
          fi
        done
        if [ $FOUND_ISSUES -eq 1 ]; then
          echo ""
          echo "❌ Found dependencies on management/, signal/, or relay/ packages"
          echo "These packages will change license and should not be imported by client or shared code"
          exit 1
        else
          echo ""
          echo "✅ All license dependencies are clean"
        fi
        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -15,14 +15,13 @@ jobs:
    name: "Client / Unit"
    runs-on: macos-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -43,5 +42,5 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -25,7 +25,7 @@ jobs:
          release: "14.2"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.23.12.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
            tar -C /usr/local -vxzf "$GO_TARBALL"            
@@ -39,12 +39,13 @@ jobs:
            # check all component except management, since we do not support management server on freebsd
            time go test -timeout 1m -failfast ./base62/...
            # NOTE: without -p1 `client/internal/dns` will fail because of `listen udp4 :33100: bind: address already in use`
-            time go test -timeout 8m -failfast -v -p 1 ./client/...
+            time go test -timeout 8m -failfast -p 1 ./client/...
            time go test -timeout 1m -failfast ./dns/...
            time go test -timeout 1m -failfast ./encryption/...
            time go test -timeout 1m -failfast ./formatter/...
            time go test -timeout 1m -failfast ./client/iface/...
            time go test -timeout 1m -failfast ./route/...
            time go test -timeout 1m -failfast ./sharedsock/...
            time go test -timeout 1m -failfast ./signal/...
            time go test -timeout 1m -failfast ./util/...
            time go test -timeout 1m -failfast ./version/...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -30,7 +30,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Get Go environment
@@ -97,16 +97,6 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
      - name: Build combined
        if: steps.cache.outputs.cache-hit != 'true'
        working-directory: combined
        run: CGO_ENABLED=1 go build .
      - name: Build combined 386
        if: steps.cache.outputs.cache-hit != 'true'
        working-directory: combined
        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -116,15 +106,15 @@ jobs:
        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -154,22 +144,22 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
  test_client_on_docker:
    name: "Client (Docker) / Unit"
    needs: [ build-cache ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        id: go-env
        run: |
@@ -210,11 +200,11 @@ jobs:
            -e GOCACHE=${CONTAINER_GOCACHE} \
            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
            -e CONTAINER=${CONTAINER} \
-            golang:1.25-alpine \
+            golang:1.23-alpine \
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
            '
  test_relay:
@@ -227,18 +217,18 @@ jobs:
          - arch: "386"
            raceFlag: ""
          - arch: "amd64"
-            raceFlag: "-race"
+            raceFlag: ""
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
@@ -269,54 +259,7 @@ jobs:
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test ${{ matrix.raceFlag }} \
            -exec 'sudo' \
-            -timeout 10m -p 1 ./relay/... ./shared/relay/...
+            -timeout 10m ./relay/... ./shared/relay/...
  test_proxy:
    name: "Proxy / Unit"
    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
      - name: Cache Go modules
        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
            ${{ env.modcache }}
          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install modules
        run: go mod tidy
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test -timeout 10m -p 1 ./proxy/...
  test_signal:
    name: "Signal / Unit"
@@ -327,15 +270,15 @@ jobs:
        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
@@ -378,15 +321,15 @@ jobs:
        store: [ 'sqlite', 'postgres', 'mysql' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -409,19 +352,12 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v3
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: docker login for root user
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -446,42 +382,15 @@ jobs:
        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
        run: docker network create promnet
      - name: Start Prometheus Pushgateway
        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
      - name: Start Prometheus (for Pushgateway forwarding)
        run: |
          echo '
          global:
            scrape_interval: 15s
          scrape_configs:
            - job_name: "pushgateway"
              static_configs:
                - targets: ["pushgateway:9091"]
          remote_write:
            - url: ${{ secrets.GRAFANA_URL }}
              basic_auth:
                username: ${{ secrets.GRAFANA_USER }}
                password: ${{ secrets.GRAFANA_API_KEY }}
          ' > prometheus.yml
          docker run -d --name prometheus --network promnet \
            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
            -p 9090:9090 \
            prom/prometheus
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -504,28 +413,24 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v3
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: docker login for root user
+      - name: download mysql image
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        if: matrix.store == 'mysql'
-        env:
+        run: docker pull mlsmaycon/warmed-mysql:8
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
          GIT_BRANCH=${{ github.ref_name }} \
          go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/... ./shared/management/... $(go list ./management/... ./shared/management/... | grep -v -e /management/server/http)
+          -timeout 20m ./management/... ./shared/management/...
  api_benchmark:
    name: "Management / Benchmark (API)"
@@ -565,15 +470,15 @@ jobs:
            -p 9090:9090 \
            prom/prometheus
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -596,18 +501,15 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
-        uses: docker/login-action@v3
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: docker login for root user
+      - name: download mysql image
-        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
+        if: matrix.store == 'mysql'
-        env:
+        run: docker pull mlsmaycon/warmed-mysql:8
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: Test
        run: |
@@ -619,7 +521,7 @@ jobs:
            -run=^$ \
            -bench=. \
            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-            -timeout 20m ./management/server/http/...
+            -timeout 20m ./management/... ./shared/management/...
  api_integration_test:
    name: "Management / Integration"
@@ -632,15 +534,15 @@ jobs:
        store: [ 'sqlite', 'postgres']
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -669,4 +571,4 @@ jobs:
          CI=true \
          go test -tags=integration \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/server/http/...
+          -timeout 20m ./management/... ./shared/management/...
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -24,7 +24,7 @@ jobs:
        uses: actions/setup-go@v5
        id: go
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Get Go environment
@@ -63,15 +63,10 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - name: Generate test script
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
        run: |
          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "${{ github.workspace }}\run-tests.cmd"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,8 +19,8 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
-          skip: go.mod,go.sum,**/proxy/web/**
+          skip: go.mod,go.sum
  golangci:
    strategy:
      fail-fast: false
@@ -46,16 +46,13 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
+        uses: golangci/golangci-lint-action@v4
        with:
          version: latest
-          skip-cache: true
+          args: --timeout=12m --out-format colored-line-number
          skip-save-cache: true
          cache-invalidation-interval: 0
          args: --timeout=12m
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -20,7 +20,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
@@ -39,7 +39,7 @@ jobs:
      - name: Setup NDK
        run: /usr/local/lib/android/sdk/cmdline-tools/7.0/bin/sdkmanager --install "ndk;23.1.7779620"
      - name: install gomobile
-        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20251113184115-a159579294ab
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
      - name: gomobile init
        run: gomobile init
      - name: build android netbird lib
@@ -56,9 +56,9 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
      - name: install gomobile
-        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20251113184115-a159579294ab
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
      - name: gomobile init
        run: gomobile init
      - name: build iOS netbird lib
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -1,51 +0,0 @@
 name: PR Title Check
 on:
  pull_request:
    types: [opened, edited, synchronize, reopened]
 jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
        uses: actions/github-script@v7
        with:
          script: |
            const title = context.payload.pull_request.title;
            const allowedTags = [
              'management',
              'client',
              'signal',
              'proxy',
              'relay',
              'misc',
              'infrastructure',
              'self-hosted',
              'doc',
            ];
            const pattern = /^\[([^\]]+)\]\s+.+/;
            const match = title.match(pattern);
            if (!match) {
              core.setFailed(
                `PR title must start with a tag in brackets.\n` +
                `Example: [client] fix something\n` +
                `Allowed tags: ${allowedTags.join(', ')}`
              );
              return;
            }
            const tags = match[1].split(',').map(t => t.trim().toLowerCase());
            const invalid = tags.filter(t => !allowedTags.includes(t));
            if (invalid.length > 0) {
              core.setFailed(
                `Invalid tag(s): ${invalid.join(', ')}\n` +
                `Allowed tags: ${allowedTags.join(', ')}`
              );
              return;
            }
            console.log(`Valid PR title tags: [${tags.join(', ')}]`);
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -1,62 +0,0 @@
 name: Proto Version Check
 on:
  pull_request:
    paths:
      - "**/*.pb.go"
 jobs:
  check-proto-versions:
    runs-on: ubuntu-latest
    steps:
      - name: Check for proto tool version changes
        uses: actions/github-script@v7
        with:
          script: |
            const files = await github.paginate(github.rest.pulls.listFiles, {
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: context.issue.number,
              per_page: 100,
            });
            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
            if (missingPatch.length > 0) {
              core.setFailed(
                `Cannot inspect patch data for:\n` +
                missingPatch.map(f => `- ${f}`).join('\n') +
                `\nThis can happen with very large PRs. Verify proto versions manually.`
              );
              return;
            }
            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
            const violations = [];
            for (const file of pbFiles) {
              const changed = file.patch
                .split('\n')
                .filter(line => versionPattern.test(line));
              if (changed.length > 0) {
                violations.push({
                  file: file.filename,
                  lines: changed,
                });
              }
            }
            if (violations.length > 0) {
              const details = violations.map(v =>
                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
              ).join('\n\n');
              core.setFailed(
                `Proto version strings changed in generated files.\n` +
                `This usually means the wrong protoc or protoc-gen-go version was used.\n` +
                `Regenerate with the matching tool versions.\n\n` +
                details
              );
              return;
            }
            console.log('No proto version string changes detected');
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ on:
  pull_request:
 env:
-  SIGN_PIPE_VER: "v0.1.2"
+  SIGN_PIPE_VER: "v0.0.22"
-  GORELEASER_VER: "v2.14.3"
+  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -19,102 +19,8 @@ concurrency:
  cancel-in-progress: true
 jobs:
  release_freebsd_port:
    name: "FreeBSD Port / Build & Test"
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Generate FreeBSD port diff
        run: bash release_files/freebsd-port-diff.sh
      - name: Generate FreeBSD port issue body
        run: bash release_files/freebsd-port-issue-body.sh
      - name: Check if diff was generated
        id: check_diff
        run: |
          if ls netbird-*.diff 1> /dev/null 2>&1; then
            echo "diff_exists=true" >> $GITHUB_OUTPUT
          else
            echo "diff_exists=false" >> $GITHUB_OUTPUT
            echo "No diff file generated (port may already be up to date)"
          fi
      - name: Extract version
        if: steps.check_diff.outputs.diff_exists == 'true'
        id: version
        run: |
          VERSION=$(ls netbird-*.diff | sed 's/netbird-\(.*\)\.diff/\1/')
          echo "version=$VERSION" >> $GITHUB_OUTPUT
          echo "Generated files for version: $VERSION"
          cat netbird-*.diff
      - name: Test FreeBSD port
        if: steps.check_diff.outputs.diff_exists == 'true'
        uses: vmactions/freebsd-vm@v1
        with:
          usesh: true
          copyback: false
          release: "15.0"
          prepare: |
            # Install required packages
            pkg install -y git curl portlint go
            # Install Go for building
            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
            # Clone ports tree (shallow, only what we need)
            git clone --depth 1 --filter=blob:none https://git.FreeBSD.org/ports.git /usr/ports
            cd /usr/ports
          run: |
            set -e -x
            export PATH=$PATH:/usr/local/go/bin
            # Find the diff file
            echo "Finding diff file..."
            DIFF_FILE=$(find $PWD -name "netbird-*.diff" -type f 2>/dev/null | head -1)
            echo "Found: $DIFF_FILE"
            if [[ -z "$DIFF_FILE" ]]; then
              echo "ERROR: Could not find diff file"
              find ~ -name "*.diff" -type f 2>/dev/null || true
              exit 1
            fi
            # Apply the generated diff from /usr/ports (diff has a/security/netbird/... paths)
            cd /usr/ports
            patch -p1 -V none < "$DIFF_FILE"
            # Show patched Makefile
            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
            cd /usr/ports/security/netbird
            export BATCH=yes
            make package
            pkg add ./work/pkg/netbird-*.pkg
            netbird version | grep "$version"
            echo "FreeBSD port test completed successfully!"
      - name: Upload FreeBSD port files
        if: steps.check_diff.outputs.diff_exists == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: freebsd-port-files
          path: |
            ./netbird-*-issue.txt
            ./netbird-*.diff
          retention-days: 30
  release:
-    runs-on: ubuntu-latest-m
+    runs-on: ubuntu-22.04
    env:
      flags: ""
    steps:
@@ -134,7 +40,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23"
          cache: false
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -160,7 +66,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
+        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -169,14 +75,6 @@ jobs:
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
      - name: Decode GPG signing key
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
@@ -184,7 +82,6 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -194,55 +91,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
            dnf install -y -q rpm-sign curl >/dev/null 2>&1
            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
            rpm --import /tmp/rpm-pub.key
            echo "=== Verifying RPM signatures ==="
            for rpm_file in /dist/*amd64*.rpm; do
              [ -f "$rpm_file" ] || continue
              echo "--- $(basename $rpm_file) ---"
              rpm -K "$rpm_file"
            done
          '
      - name: Clean up GPG key
        if: always()
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: Tag and push images (amd64 only)
        if: |
          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
          (github.event_name == 'push' && github.ref == 'refs/heads/main')
        run: |
          resolve_tags() {
            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
              echo "pr-${{ github.event.pull_request.number }}"
            else
              echo "main sha-$(git rev-parse --short HEAD)"
            fi
          }
          tag_and_push() {
            local src="$1" img_name tag dst
            img_name="${src%%:*}"
            for tag in $(resolve_tags); do
              dst="${img_name}:${tag}"
              echo "Tagging ${src} -> ${dst}"
              docker tag "$src" "$dst"
              docker push "$dst"
            done
          }
          export -f tag_and_push resolve_tags
          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
            grep '^ghcr.io/' | while read -r SRC; do
              tag_and_push "$SRC"
            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
@@ -288,7 +136,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23"
          cache: false
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -309,14 +157,6 @@ jobs:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
      - name: Decode GPG signing key
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
      - name: Install LLVM-MinGW for ARM64 cross-compilation
        run: |
          cd /tmp
@@ -341,24 +181,6 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
            dnf install -y -q rpm-sign curl >/dev/null 2>&1
            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
            rpm --import /tmp/rpm-pub.key
            echo "=== Verifying RPM signatures ==="
            for rpm_file in /dist/*.rpm; do
              [ -f "$rpm_file" ] || continue
              echo "--- $(basename $rpm_file) ---"
              rpm -K "$rpm_file"
            done
          '
      - name: Clean up GPG key
        if: always()
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
@@ -378,7 +200,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23"
          cache: false
      - name: Cache Go modules
        uses: actions/cache@v4
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -67,13 +67,10 @@ jobs:
      - name: Install curl
        run: sudo apt-get install -y curl
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version-file: "go.mod"
+          go-version: "1.23.x"
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -83,6 +80,9 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup MySQL privileges
        if: matrix.store == 'mysql'
        run: |
@@ -243,7 +243,6 @@ jobs:
        working-directory: infrastructure_files/artifacts
        run: |
          sleep 30
          docker compose logs
          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City_[0-9]*.mmdb
          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames_[0-9]*.db
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -1,68 +0,0 @@
 name: Wasm
 on:
  push:
    branches:
      - main
  pull_request:
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
  cancel-in-progress: true
 jobs:
  js_lint:
    name: "JS / Lint"
    runs-on: ubuntu-latest
    env:
      GOOS: js
      GOARCH: wasm
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          install-mode: binary
          skip-cache: true
          skip-save-cache: true
          cache-invalidation-interval: 0
          working-directory: ./client
        continue-on-error: true
  js_build:
    name: "JS / Build"
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
        env:
          CGO_ENABLED: 0
      - name: Check Wasm build size
        run: |
          echo "Wasm build size:"
          ls -lh netbird.wasm
          SIZE=$(stat -c%s netbird.wasm)
          SIZE_MB=$((SIZE / 1024 / 1024))
          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
          if [ ${SIZE} -gt 58720256 ]; then
            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
            exit 1
          fi
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,6 @@
 .run
 *.iml
 dist/
 !proxy/web/dist/
 bin/
 .env
 conf.json
@@ -32,4 +31,3 @@ infrastructure_files/setup-*.env
 .DS_Store
 vendor/
 /netbird
 client/netbird-electron/
--- a/.gitmodules
+++ b/.gitmodules
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,124 +1,139 @@
-version: "2"
+run:
-linters:
+  # Timeout for analysis, e.g. 30s, 5m.
-  default: none
+  # Default: 1m
-  enable:
+  timeout: 6m
-    - bodyclose
+
-    - dupword
+# This file contains only configs which differ from defaults.
-    - durationcheck
+# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
-    - errcheck
+linters-settings:
-    - forbidigo
+  errcheck:
-    - gocritic
+    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
-    - gosec
+    # Such cases aren't reported by default.
-    - govet
+    # Default: false
-    - ineffassign
+    check-type-assertions: false
-    - mirror
+
-    - misspell
+  gosec:
-    - nilerr
+    includes:
-    - nilnil
+      - G101 # Look for hard coded credentials
-    - predeclared
+      #- G102 # Bind to all interfaces
-    - revive
+      - G103 # Audit the use of unsafe block
-    - sqlclosecheck
+      - G104 # Audit errors not checked
-    - staticcheck
+      - G106 # Audit the use of ssh.InsecureIgnoreHostKey
-    - unused
+      #- G107 # Url provided to HTTP request as taint input
-    - wastedassign
+      - G108 # Profiling endpoint automatically exposed on /debug/pprof
-  settings:
+      - G109 # Potential Integer overflow made by strconv.Atoi result conversion to int16/32
-    errcheck:
+      - G110 # Potential DoS vulnerability via decompression bomb
-      check-type-assertions: false
+      - G111 # Potential directory traversal
-    gocritic:
+      #- G112 # Potential slowloris attack
-      disabled-checks:
+      - G113 # Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
-        - commentFormatting
+      #- G114 # Use of net/http serve function that has no support for setting timeouts
-        - captLocal
+      - G201 # SQL query construction using format string
-        - deprecatedComment
+      - G202 # SQL query construction using string concatenation
-    gosec:
+      - G203 # Use of unescaped data in HTML templates
-      includes:
+      #- G204 # Audit use of command execution
-        - G101
+      - G301 # Poor file permissions used when creating a directory
-        - G103
+      - G302 # Poor file permissions used with chmod
-        - G104
+      - G303 # Creating tempfile using a predictable path
-        - G106
+      - G304 # File path provided as taint input
-        - G108
+      - G305 # File traversal when extracting zip/tar archive
-        - G109
+      - G306 # Poor file permissions used when writing to a new file
-        - G110
+      - G307 # Poor file permissions used when creating a file with os.Create
-        - G111
+      #- G401 # Detect the usage of DES, RC4, MD5 or SHA1
-        - G201
+      #- G402 # Look for bad TLS connection settings
-        - G202
+      - G403 # Ensure minimum RSA key length of 2048 bits
-        - G203
+      #- G404 # Insecure random number source (rand)
-        - G301
+      #- G501 # Import blocklist: crypto/md5
-        - G302
+      - G502 # Import blocklist: crypto/des
-        - G303
+      - G503 # Import blocklist: crypto/rc4
-        - G304
+      - G504 # Import blocklist: net/http/cgi
-        - G305
+      #- G505 # Import blocklist: crypto/sha1
-        - G306
+      - G601 # Implicit memory aliasing of items from a range statement
-        - G307
+      - G602 # Slice access out of bounds
-        - G403
+
-        - G502
+  gocritic:
-        - G503
+    disabled-checks:
-        - G504
+      - commentFormatting
-        - G601
+      - captLocal
-        - G602
+      - deprecatedComment
-    govet:
+
-      enable:
+  govet:
-        - nilness
+    # Enable all analyzers.
-      enable-all: false
+    # Default: false
-    revive:
+    enable-all: false
-      rules:
+    enable:
-        - name: exported
+      - nilness
-          arguments:
+
-            - checkPrivateReceivers
+  revive:
            - sayRepetitiveInsteadOfStutters
          severity: warning
          disabled: false
  exclusions:
    generated: lax
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    rules:
-      - linters:
+      - name: exported
-          - forbidigo
+        severity: warning
-        path: management/cmd/root\.go
+        disabled: false
-      - linters:
+        arguments:
-          - forbidigo
+          - "checkPrivateReceivers"
-        path: signal/cmd/root\.go
+          - "sayRepetitiveInsteadOfStutters"
-      - linters:
+  tenv:
-          - unused
+    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
-        path: sharedsock/filter\.go
+    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
-      - linters:
+    # Default: false
-          - unused
+    all: true
-        path: client/firewall/iptables/rule\.go
+
-      - linters:
+linters:
-          - gosec
+  disable-all: true
-          - mirror
+  enable:
-        path: test\.go
+    ## enabled by default
-      - linters:
+    - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
-          - nilnil
+    - gosimple # specializes in simplifying a code
-        path: mock\.go
+    - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
-      - linters:
+    - ineffassign # detects when assignments to existing variables are not used
-          - staticcheck
+    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
-        text: grpc.DialContext is deprecated
+    - tenv # Tenv is analyzer that detects using os.Setenv instead of t.Setenv since Go1.17.
-      - linters:
+    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
-          - staticcheck
+    - unused # checks for unused constants, variables, functions and types
-        text: grpc.WithBlock is deprecated
+    ## disable by default but the have interesting results so lets add them
-      - linters:
+    - bodyclose # checks whether HTTP response body is closed successfully
-          - staticcheck
+    - dupword # dupword checks for duplicate words in the source code
-        text: "QF1001"
+    - durationcheck # durationcheck checks for two durations multiplied together
-      - linters:
+    - forbidigo # forbidigo forbids identifiers
-          - staticcheck
+    - gocritic # provides diagnostics that check for bugs, performance and style issues
-        text: "QF1008"
+    - gosec # inspects source code for security problems
-      - linters:
+    - mirror # mirror reports wrong mirror patterns of bytes/strings usage
-          - staticcheck
+    - misspell # misspess finds commonly misspelled English words in comments
-        text: "QF1012"
+    - nilerr # finds the code that returns nil even if it checks that the error is not nil
-    paths:
+    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
-      - third_party$
+    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
-      - builtin$
+    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
-      - examples$
+    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
    # - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
    - wastedassign # wastedassign finds wasted assignment statements
 issues:
  # Maximum count of issues with the same text.
  # Set to 0 to disable.
  # Default: 3
  max-same-issues: 5
-formatters:
+
-  exclusions:
+  exclude-rules:
-    generated: lax
+    # allow fmt
-    paths:
+    - path: management/cmd/root\.go
-      - third_party$
+      linters: forbidigo
-      - builtin$
+    - path: signal/cmd/root\.go
-      - examples$
+      linters: forbidigo
    - path: sharedsock/filter\.go
      linters:
      - unused
    - path: client/firewall/iptables/rule\.go
      linters:
      - unused
    - path: test\.go
      linters:
      - mirror
      - gosec
    - path: mock\.go
      linters:
      - nilnil
    # Exclude specific deprecation warnings for grpc methods
    - linters:
       - staticcheck
      text: "grpc.DialContext is deprecated"
    - linters:
        - staticcheck
      text: "grpc.WithBlock is deprecated"
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -2,18 +2,6 @@ version: 2
 project_name: netbird
 builds:
  - id: netbird-wasm
    dir: client/wasm/cmd
    binary: netbird
    env: [GOOS=js, GOARCH=wasm, CGO_ENABLED=0]
    goos:
      - js
    goarch:
      - wasm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird
    dir: client
    binary: netbird
@@ -106,26 +94,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-server
    dir: combined
    env:
      - CGO_ENABLED=1
      - >-
        {{- if eq .Runtime.Goos "linux" }}
          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
        {{- end }}
    binary: netbird-server
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -140,40 +108,6 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-proxy
    dir: proxy/cmd/proxy
    env: [CGO_ENABLED=0]
    binary: netbird-proxy
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-idp-migrate
    dir: tools/idp-migrate
    env:
      - CGO_ENABLED=1
      - >-
        {{- if eq .Runtime.Goos "linux" }}
          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
        {{- end }}
    binary: netbird-idp-migrate
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
 universal_binaries:
  - id: netbird
@@ -181,27 +115,18 @@ archives:
  - builds:
      - netbird
      - netbird-static
  - id: netbird-wasm
    builds:
      - netbird-wasm
    name_template: "{{ .ProjectName }}_{{ .Version }}"
    format: binary
  - id: netbird-idp-migrate
    builds:
      - netbird-idp-migrate
    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
+    id: netbird-deb
    id: netbird_deb
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - deb
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -209,19 +134,16 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    license: BSD-3-Clause
+    id: netbird-rpm
    id: netbird_rpm
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - rpm
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 dockers:
  - image_templates:
      - netbirdio/netbird:{{ .Version }}-amd64
@@ -581,104 +503,6 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-amd64
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
    ids:
      - netbird-server
    goarch: amd64
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
    ids:
      - netbird-server
    goarch: arm64
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
    ids:
      - netbird-server
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
    ids:
      - netbird-proxy
    goarch: amd64
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
    ids:
      - netbird-proxy
    goarch: arm64
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
    ids:
      - netbird-proxy
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -757,18 +581,6 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64
  - name_template: netbirdio/netbird-server:{{ .Version }}
    image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - netbirdio/netbird-server:{{ .Version }}-arm
      - netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: netbirdio/netbird-server:latest
    image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - netbirdio/netbird-server:{{ .Version }}-arm
      - netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -846,43 +658,6 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird-server:latest
    image_templates:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: netbirdio/reverse-proxy:{{ .Version }}
    image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: netbirdio/reverse-proxy:latest
    image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
    image_templates:
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
 brews:
  - ids:
      - default
@@ -903,7 +678,7 @@ brews:
 uploads:
  - name: debian
    ids:
-      - netbird_deb
+      - netbird-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -911,7 +686,7 @@ uploads:
  - name: yum
    ids:
-      - netbird_rpm
+      - netbird-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
@@ -921,10 +696,8 @@ checksum:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
    - glob: ./release_files/install.sh
    - glob: ./infrastructure_files/getting-started.sh
 release:
  extra_files:
    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
    - glob: ./release_files/install.sh
    - glob: ./infrastructure_files/getting-started.sh
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -61,7 +61,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_deb
+    id: netbird-ui-deb
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -80,7 +80,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird_ui_rpm
+    id: netbird-ui-rpm
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -95,14 +95,11 @@ nfpms:
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 uploads:
  - name: debian
    ids:
-      - netbird_ui_deb
+      - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -110,7 +107,7 @@ uploads:
  - name: yum
    ids:
-      - netbird_ui_rpm
+      - netbird-ui-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -136,14 +136,6 @@ checked out and set up:
   go mod tidy
   ```
 6. Configure Git hooks for automatic linting:
   ```bash
   make setup-hooks
   ```
   This will configure Git to run linting automatically before each push, helping catch issues early.
 ### Dev Container Support
 If you prefer using a dev container for development, NetBird now includes support for dev containers. 
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,7 +1,7 @@
 ##  Contributor License Agreement
 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 BSD 3-Clause License
--- a/27
+++ b/27
@@ -1,27 +0,0 @@
 .PHONY: lint lint-all lint-install setup-hooks
 GOLANGCI_LINT := $(shell pwd)/bin/golangci-lint
 # Install golangci-lint locally if needed
 $(GOLANGCI_LINT):
 	@echo "Installing golangci-lint..."
 	@mkdir -p ./bin
 	@GOBIN=$(shell pwd)/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 # Lint only changed files (fast, for pre-push)
 lint: $(GOLANGCI_LINT)
 	@echo "Running lint on changed files..."
 	@$(GOLANGCI_LINT) run --new-from-rev=origin/main --timeout=2m
 # Lint entire codebase (slow, matches CI)
 lint-all: $(GOLANGCI_LINT)
 	@echo "Running lint on all files..."
 	@$(GOLANGCI_LINT) run --timeout=12m
 # Just install the linter
 lint-install: $(GOLANGCI_LINT)
 # Setup git hooks for all developers
 setup-hooks:
 	@git config core.hooksPath .githooks
 	@chmod +x .githooks/pre-push
 	@echo "✅ Git hooks configured! Pre-push will now run 'make lint'"
--- a/README.md
+++ b/README.md
@@ -1,4 +1,3 @@
 <div align="center">
 <br/>
  <br/>
@@ -38,11 +37,6 @@
 </strong>
 <br>
 <strong>
  🚀 <a href="https://careers.netbird.io">We are hiring! Join us at careers.netbird.io</a>
 </strong>
 <br>
 <br>
 <a href="https://registry.terraform.io/providers/netbirdio/netbird/latest">
    New: NetBird terraform provider
  </a> 
@@ -58,10 +52,10 @@
 ### Open Source Network Security in a Single Platform
-https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
+<img width="1188" alt="centralized-network-management 1" src="https://github.com/user-attachments/assets/c28cc8e4-15d2-4d2f-bb97-a6433db39d56" />
-### Self-Host NetBird (Video)
+### NetBird on Lawrence Systems (Video)
-[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
+[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)
 ### Key features
@@ -90,7 +84,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Infrastructure requirements:**
 - A Linux VM with at least **1CPU** and **2GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP port: **3478**.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
 - **Public domain** name pointing to the VM.
 **Software requirements:**
@@ -103,7 +97,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 **Steps**
 - Download and run the installation script:
 ```bash
-export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started.sh | bash
+export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
 ```
 - Once finished, you can manage the resources via `docker-compose`
@@ -118,7 +112,7 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/about-netbird/high-level-dia.png" width="700"/>
+  <img src="https://docs.netbird.io/docs-static/img/architecture/high-level-dia.png" width="700"/>
 </p>
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
@@ -126,7 +120,6 @@ See a complete [architecture overview](https://docs.netbird.io/about-netbird/how
 ### Community projects
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 -  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
 -  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
-FROM alpine:3.23.3
+FROM alpine:3.22.0
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -17,7 +17,8 @@ ENV \
    NETBIRD_BIN="/usr/local/bin/netbird" \
    NB_LOG_FILE="console,/var/log/netbird/client.log" \
    NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -23,7 +23,8 @@ ENV \
    NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
    NB_LOG_FILE="console,/var/lib/netbird/client.log" \
    NB_DISABLE_DNS="true" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -4,13 +4,9 @@ package android
 import (
 	"context"
 	"fmt"
 	"os"
 	"slices"
 	"sync"
 	"golang.org/x/exp/maps"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -19,13 +15,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 // ConnectionListener export internal Listener for mobile
@@ -59,6 +52,7 @@ func init() {
 // Client struct manage the life circle of background service
 type Client struct {
 	cfgFile               string
 	tunAdapter            device.TunAdapter
 	iFaceDiscover         IFaceDiscover
 	recorder              *peer.Status
@@ -72,11 +66,12 @@ type Client struct {
 }
 // NewClient instantiate a new Client
-func NewClient(androidSDKVersion int, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
+func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
 	execWorkaround(androidSDKVersion)
 	net.SetAndroidProtectSocketFn(tunAdapter.ProtectSocket)
 	return &Client{
 		cfgFile:               cfgFile,
 		deviceName:            deviceName,
 		uiVersion:             uiVersion,
 		tunAdapter:            tunAdapter,
@@ -88,16 +83,9 @@ func NewClient(androidSDKVersion int, deviceName string, uiVersion string, tunAd
 }
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroidTV bool, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
+func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener) error {
 	exportEnvList(envList)
 	cfgFile := platformFiles.ConfigurationFilePath()
 	stateFile := platformFiles.StateFilePath()
 	log.Infof("Starting client with config: %s, state: %s", cfgFile, stateFile)
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
-		ConfigPath: cfgFile,
+		ConfigPath: c.cfgFile,
 	})
 	if err != nil {
 		return err
@@ -117,7 +105,7 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid
 	c.ctxCancelLock.Unlock()
 	auth := NewAuthWithConfig(ctx, cfg)
-	err = auth.login(urlOpener, isAndroidTV)
+	err = auth.login(urlOpener)
 	if err != nil {
 		return err
 	}
@@ -125,21 +113,14 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
 // In this case make no sense handle registration steps.
-func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
+func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener) error {
 	exportEnvList(envList)
 	cfgFile := platformFiles.ConfigurationFilePath()
 	stateFile := platformFiles.StateFilePath()
 	log.Infof("Starting client without login with config: %s, state: %s", cfgFile, stateFile)
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
-		ConfigPath: cfgFile,
+		ConfigPath: c.cfgFile,
 	})
 	if err != nil {
 		return err
@@ -158,7 +139,7 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 // Stop the internal client and free the resources
@@ -172,19 +153,6 @@ func (c *Client) Stop() {
 	c.ctxCancel()
 }
 func (c *Client) RenewTun(fd int) error {
 	if c.connectClient == nil {
 		return fmt.Errorf("engine not running")
 	}
 	e := c.connectClient.Engine()
 	if e == nil {
 		return fmt.Errorf("engine not initialized")
 	}
 	return e.RenewTun(fd)
 }
 // SetTraceLogLevel configure the logger to trace level
 func (c *Client) SetTraceLogLevel() {
 	log.SetLevel(log.TraceLevel)
@@ -205,8 +173,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 		pi := PeerInfo{
 			p.IP,
 			p.FQDN,
-			int(p.ConnStatus),
+			p.ConnStatus.String(),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
 	}
@@ -231,43 +198,31 @@ func (c *Client) Networks() *NetworkArray {
 		return nil
 	}
 	routeSelector := routeManager.GetRouteSelector()
 	if routeSelector == nil {
 		log.Error("could not get route selector")
 		return nil
 	}
 	networkArray := &NetworkArray{
 		items: make([]Network, 0),
 	}
 	resolvedDomains := c.recorder.GetResolvedDomainsStates()
 	for id, routes := range routeManager.GetClientRoutesWithNetID() {
 		if len(routes) == 0 {
 			continue
 		}
 		r := routes[0]
 		domains := c.getNetworkDomainsFromRoute(r, resolvedDomains)
 		netStr := r.Network.String()
 		if r.IsDynamic() {
 			netStr = r.Domains.SafeString()
 		}
-		routePeer, err := c.recorder.GetPeer(routes[0].Peer)
+		peer, err := c.recorder.GetPeer(routes[0].Peer)
 		if err != nil {
 			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
 			continue
 		}
 		network := Network{
-			Name:       string(id),
+			Name:    string(id),
-			Network:    netStr,
+			Network: netStr,
-			Peer:       routePeer.FQDN,
+			Peer:    peer.FQDN,
-			Status:     routePeer.ConnStatus.String(),
+			Status:  peer.ConnStatus.String(),
 			IsSelected: routeSelector.IsSelected(id),
 			Domains:    domains,
 		}
 		networkArray.Add(network)
 	}
@@ -294,77 +249,3 @@ func (c *Client) SetConnectionListener(listener ConnectionListener) {
 func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
 func (c *Client) toggleRoute(command routeCommand) error {
 	return command.toggleRoute()
 }
 func (c *Client) getRouteManager() (routemanager.Manager, error) {
 	client := c.connectClient
 	if client == nil {
 		return nil, fmt.Errorf("not connected")
 	}
 	engine := client.Engine()
 	if engine == nil {
 		return nil, fmt.Errorf("engine is not running")
 	}
 	manager := engine.GetRouteManager()
 	if manager == nil {
 		return nil, fmt.Errorf("could not get route manager")
 	}
 	return manager, nil
 }
 func (c *Client) SelectRoute(route string) error {
 	manager, err := c.getRouteManager()
 	if err != nil {
 		return err
 	}
 	return c.toggleRoute(selectRouteCommand{route: route, manager: manager})
 }
 func (c *Client) DeselectRoute(route string) error {
 	manager, err := c.getRouteManager()
 	if err != nil {
 		return err
 	}
 	return c.toggleRoute(deselectRouteCommand{route: route, manager: manager})
 }
 // getNetworkDomainsFromRoute extracts domains from a route and enriches each domain
 // with its resolved IP addresses from the provided resolvedDomains map.
 func (c *Client) getNetworkDomainsFromRoute(route *route.Route, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo) NetworkDomains {
 	domains := NetworkDomains{}
 	for _, d := range route.Domains {
 		networkDomain := NetworkDomain{
 			Address: d.SafeString(),
 		}
 		if info, exists := resolvedDomains[d]; exists {
 			for _, prefix := range info.Prefixes {
 				networkDomain.addResolvedIP(prefix.Addr().String())
 			}
 		}
 		domains.Add(&networkDomain)
 	}
 	return domains
 }
 func exportEnvList(list *EnvList) {
 	if list == nil {
 		return
 	}
 	for k, v := range list.AllItems() {
 		if err := os.Setenv(k, v); err != nil {
 			log.Errorf("could not set env variable %s: %v", k, err)
 		}
 	}
 }
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,41 +0,0 @@
 package android
 import (
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/peer"
 )
 var (
 	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
 	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
 	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
 	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
 	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )
 // EnvList wraps a Go map for export to Java
 type EnvList struct {
 	data map[string]string
 }
 // NewEnvList creates a new EnvList
 func NewEnvList() *EnvList {
 	return &EnvList{data: make(map[string]string)}
 }
 // Put adds a key-value pair
 func (el *EnvList) Put(key, value string) {
 	el.data[key] = value
 }
 // Get retrieves a value by key
 func (el *EnvList) Get(key string) string {
 	return el.data[key]
 }
 func (el *EnvList) AllItems() map[string]string {
 	return el.data
 }
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -3,7 +3,15 @@ package android
 import (
 	"context"
 	"fmt"
 	"time"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/cmd"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
@@ -24,8 +32,7 @@ type ErrListener interface {
 // URLOpener it is a callback interface. The Open function will be triggered if
 // the backend want to show an url for the user
 type URLOpener interface {
-	Open(url string, userCode string)
+	Open(string)
 	OnLoginSuccess()
 }
 // Auth can register or login new client
@@ -76,21 +83,34 @@ func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
 }
 func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
+	supportsSSO := true
-	if err != nil {
+	err := a.withBackOff(a.ctx, func() (err error) {
-		return false, fmt.Errorf("failed to create auth client: %v", err)
+		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
-	}
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
-	defer authClient.Close()
+			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
 			s, ok := gstatus.FromError(err)
 			if !ok {
 				return err
 			}
 			if s.Code() == codes.NotFound || s.Code() == codes.Unimplemented {
 				supportsSSO = false
 				err = nil
 			}
-	supportsSSO, err := authClient.IsSSOSupported(a.ctx)
+			return err
-	if err != nil {
+		}
-		return false, fmt.Errorf("failed to check SSO support: %v", err)
+
-	}
+		return err
 	})
 	if !supportsSSO {
 		return false, nil
 	}
 	if err != nil {
 		return false, fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
@@ -108,26 +128,28 @@ func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupK
 }
 func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
 	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	//nolint
 	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
-	err, _ = authClient.Login(ctxWithValues, setupKey, "")
+
 	err := a.withBackOff(a.ctx, func() error {
 		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
 		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
 			// we got an answer from management, exit backoff earlier
 			return backoff.Permanent(backoffErr)
 		}
 		return backoffErr
 	})
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
 }
 // Login try register the client on the server
-func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, isAndroidTV bool) {
+func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener) {
 	go func() {
-		err := a.login(urlOpener, isAndroidTV)
+		err := a.login(urlOpener)
 		if err != nil {
 			resultListener.OnError(err)
 		} else {
@@ -136,42 +158,45 @@ func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, isAndroidT
 	}()
 }
-func (a *Auth) login(urlOpener URLOpener, isAndroidTV bool) error {
+func (a *Auth) login(urlOpener URLOpener) error {
-	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
+	var needsLogin bool
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	// check if we need to generate JWT token
-	needsLogin, err := authClient.IsLoginRequired(a.ctx)
+	err := a.withBackOff(a.ctx, func() (err error) {
 		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config)
 		return
 	})
 	if err != nil {
-		return fmt.Errorf("failed to check login requirement: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	jwtToken := ""
 	if needsLogin {
-		tokenInfo, err := a.foregroundGetTokenInfo(authClient, urlOpener, isAndroidTV)
+		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
 		jwtToken = tokenInfo.GetTokenToUse()
 	}
-	err, _ = authClient.Login(a.ctx, "", jwtToken)
+	err = a.withBackOff(a.ctx, func() error {
 		err := internal.Login(a.ctx, a.config, "", jwtToken)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			return nil
 		}
 		return err
 	})
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	go urlOpener.OnLoginSuccess()
 	return nil
 }
-func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, error) {
-	oAuthFlow, err := authClient.GetOAuthFlow(a.ctx, isAndroidTV)
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false)
 	if err != nil {
-		return nil, fmt.Errorf("failed to get OAuth flow: %v", err)
+		return nil, err
 	}
 	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
@@ -179,12 +204,24 @@ func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener
 		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
 	}
-	go urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)
+	go urlOpener.Open(flowInfo.VerificationURIComplete)
-	tokenInfo, err := oAuthFlow.WaitToken(a.ctx, flowInfo)
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
 	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout)
 	defer cancel()
 	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
 	return &tokenInfo, nil
 }
 func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
 	return backoff.RetryNotify(
 		bf,
 		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
 		func(err error, duration time.Duration) {
 			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
 		})
 }
--- a/client/android/network_domains.go
+++ b/client/android/network_domains.go
@@ -1,56 +0,0 @@
 //go:build android
 package android
 import "fmt"
 type ResolvedIPs struct {
 	resolvedIPs []string
 }
 func (r *ResolvedIPs) Add(ipAddress string) {
 	r.resolvedIPs = append(r.resolvedIPs, ipAddress)
 }
 func (r *ResolvedIPs) Get(i int) (string, error) {
 	if i < 0 || i >= len(r.resolvedIPs) {
 		return "", fmt.Errorf("%d is out of range", i)
 	}
 	return r.resolvedIPs[i], nil
 }
 func (r *ResolvedIPs) Size() int {
 	return len(r.resolvedIPs)
 }
 type NetworkDomain struct {
 	Address     string
 	resolvedIPs ResolvedIPs
 }
 func (d *NetworkDomain) addResolvedIP(resolvedIP string) {
 	d.resolvedIPs.Add(resolvedIP)
 }
 func (d *NetworkDomain) GetResolvedIPs() *ResolvedIPs {
 	return &d.resolvedIPs
 }
 type NetworkDomains struct {
 	domains []*NetworkDomain
 }
 func (n *NetworkDomains) Add(domain *NetworkDomain) {
 	n.domains = append(n.domains, domain)
 }
 func (n *NetworkDomains) Get(i int) (*NetworkDomain, error) {
 	if i < 0 || i >= len(n.domains) {
 		return nil, fmt.Errorf("%d is out of range", i)
 	}
 	return n.domains[i], nil
 }
 func (n *NetworkDomains) Size() int {
 	return len(n.domains)
 }
--- a/client/android/networks.go
+++ b/client/android/networks.go
@@ -3,16 +3,10 @@
 package android
 type Network struct {
-	Name       string
+	Name    string
-	Network    string
+	Network string
-	Peer       string
+	Peer    string
-	Status     string
+	Status  string
 	IsSelected bool
 	Domains    NetworkDomains
 }
 func (n Network) GetNetworkDomains() *NetworkDomains {
 	return &n.Domains
 }
 type NetworkArray struct {
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -1,26 +1,10 @@
 //go:build android
 package android
 import "github.com/netbirdio/netbird/client/internal/peer"
 // Connection status constants exported via gomobile.
 const (
 	ConnStatusIdle       = int(peer.StatusIdle)
 	ConnStatusConnecting = int(peer.StatusConnecting)
 	ConnStatusConnected  = int(peer.StatusConnected)
 )
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
 	FQDN       string
-	ConnStatus int
+	ConnStatus string // Todo replace to enum
 	Routes     PeerRoutes
 }
 func (p *PeerInfo) GetPeerRoutes() *PeerRoutes {
 	return &p.Routes
 }
 // PeerInfoArray is a wrapper of []PeerInfo
--- a/client/android/peer_routes.go
+++ b/client/android/peer_routes.go
@@ -1,20 +0,0 @@
 //go:build android
 package android
 import "fmt"
 type PeerRoutes struct {
 	routes []string
 }
 func (p *PeerRoutes) Get(i int) (string, error) {
 	if i < 0 || i >= len(p.routes) {
 		return "", fmt.Errorf("%d is out of range", i)
 	}
 	return p.routes[i], nil
 }
 func (p *PeerRoutes) Size() int {
 	return len(p.routes)
 }
--- a/client/android/platform_files.go
+++ b/client/android/platform_files.go
@@ -1,10 +0,0 @@
 //go:build android
 package android
 // PlatformFiles groups paths to files used internally by the engine that can't be created/modified
 // at their default locations due to android OS restrictions.
 type PlatformFiles interface {
 	ConfigurationFilePath() string
 	StateFilePath() string
 }
--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -201,94 +201,6 @@ func (p *Preferences) SetServerSSHAllowed(allowed bool) {
 	p.configInput.ServerSSHAllowed = &allowed
 }
 // GetEnableSSHRoot reads SSH root login setting from config file
 func (p *Preferences) GetEnableSSHRoot() (bool, error) {
 	if p.configInput.EnableSSHRoot != nil {
 		return *p.configInput.EnableSSHRoot, nil
 	}
 	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
 	if cfg.EnableSSHRoot == nil {
 		// Default to false for security on Android
 		return false, nil
 	}
 	return *cfg.EnableSSHRoot, err
 }
 // SetEnableSSHRoot stores the given value and waits for commit
 func (p *Preferences) SetEnableSSHRoot(enabled bool) {
 	p.configInput.EnableSSHRoot = &enabled
 }
 // GetEnableSSHSFTP reads SSH SFTP setting from config file
 func (p *Preferences) GetEnableSSHSFTP() (bool, error) {
 	if p.configInput.EnableSSHSFTP != nil {
 		return *p.configInput.EnableSSHSFTP, nil
 	}
 	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
 	if cfg.EnableSSHSFTP == nil {
 		// Default to false for security on Android
 		return false, nil
 	}
 	return *cfg.EnableSSHSFTP, err
 }
 // SetEnableSSHSFTP stores the given value and waits for commit
 func (p *Preferences) SetEnableSSHSFTP(enabled bool) {
 	p.configInput.EnableSSHSFTP = &enabled
 }
 // GetEnableSSHLocalPortForwarding reads SSH local port forwarding setting from config file
 func (p *Preferences) GetEnableSSHLocalPortForwarding() (bool, error) {
 	if p.configInput.EnableSSHLocalPortForwarding != nil {
 		return *p.configInput.EnableSSHLocalPortForwarding, nil
 	}
 	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
 	if cfg.EnableSSHLocalPortForwarding == nil {
 		// Default to false for security on Android
 		return false, nil
 	}
 	return *cfg.EnableSSHLocalPortForwarding, err
 }
 // SetEnableSSHLocalPortForwarding stores the given value and waits for commit
 func (p *Preferences) SetEnableSSHLocalPortForwarding(enabled bool) {
 	p.configInput.EnableSSHLocalPortForwarding = &enabled
 }
 // GetEnableSSHRemotePortForwarding reads SSH remote port forwarding setting from config file
 func (p *Preferences) GetEnableSSHRemotePortForwarding() (bool, error) {
 	if p.configInput.EnableSSHRemotePortForwarding != nil {
 		return *p.configInput.EnableSSHRemotePortForwarding, nil
 	}
 	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
 	if err != nil {
 		return false, err
 	}
 	if cfg.EnableSSHRemotePortForwarding == nil {
 		// Default to false for security on Android
 		return false, nil
 	}
 	return *cfg.EnableSSHRemotePortForwarding, err
 }
 // SetEnableSSHRemotePortForwarding stores the given value and waits for commit
 func (p *Preferences) SetEnableSSHRemotePortForwarding(enabled bool) {
 	p.configInput.EnableSSHRemotePortForwarding = &enabled
 }
 // GetBlockInbound reads block inbound setting from config file
 func (p *Preferences) GetBlockInbound() (bool, error) {
 	if p.configInput.BlockInbound != nil {
--- a/client/android/profile_manager.go
+++ b/client/android/profile_manager.go
@@ -1,257 +0,0 @@
 //go:build android
 package android
 import (
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
 const (
 	// Android-specific config filename (different from desktop default.json)
 	defaultConfigFilename = "netbird.cfg"
 	// Subdirectory for non-default profiles (must match Java Preferences.java)
 	profilesSubdir = "profiles"
 	// Android uses a single user context per app (non-empty username required by ServiceManager)
 	androidUsername = "android"
 )
 // Profile represents a profile for gomobile
 type Profile struct {
 	Name     string
 	IsActive bool
 }
 // ProfileArray wraps profiles for gomobile compatibility
 type ProfileArray struct {
 	items []*Profile
 }
 // Length returns the number of profiles
 func (p *ProfileArray) Length() int {
 	return len(p.items)
 }
 // Get returns the profile at index i
 func (p *ProfileArray) Get(i int) *Profile {
 	if i < 0 || i >= len(p.items) {
 		return nil
 	}
 	return p.items[i]
 }
 /*
 /data/data/io.netbird.client/files/           ← configDir parameter
 ├── netbird.cfg                                 ← Default profile config
 ├── state.json                                  ← Default profile state
 ├── active_profile.json                         ← Active profile tracker (JSON with Name + Username)
 └── profiles/                                   ← Subdirectory for non-default profiles
    ├── work.json                              ← Work profile config
    ├── work.state.json                        ← Work profile state
    ├── personal.json                          ← Personal profile config
    └── personal.state.json                    ← Personal profile state
 */
 // ProfileManager manages profiles for Android
 // It wraps the internal profilemanager to provide Android-specific behavior
 type ProfileManager struct {
 	configDir  string
 	serviceMgr *profilemanager.ServiceManager
 }
 // NewProfileManager creates a new profile manager for Android
 func NewProfileManager(configDir string) *ProfileManager {
 	// Set the default config path for Android (stored in root configDir, not profiles/)
 	defaultConfigPath := filepath.Join(configDir, defaultConfigFilename)
 	// Set global paths for Android
 	profilemanager.DefaultConfigPathDir = configDir
 	profilemanager.DefaultConfigPath = defaultConfigPath
 	profilemanager.ActiveProfileStatePath = filepath.Join(configDir, "active_profile.json")
 	// Create ServiceManager with profiles/ subdirectory
 	// This avoids modifying the global ConfigDirOverride for profile listing
 	profilesDir := filepath.Join(configDir, profilesSubdir)
 	serviceMgr := profilemanager.NewServiceManagerWithProfilesDir(defaultConfigPath, profilesDir)
 	return &ProfileManager{
 		configDir:  configDir,
 		serviceMgr: serviceMgr,
 	}
 }
 // ListProfiles returns all available profiles
 func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 	// Use ServiceManager (looks in profiles/ directory, checks active_profile.json for IsActive)
 	internalProfiles, err := pm.serviceMgr.ListProfiles(androidUsername)
 	if err != nil {
 		return nil, fmt.Errorf("failed to list profiles: %w", err)
 	}
 	// Convert internal profiles to Android Profile type
 	var profiles []*Profile
 	for _, p := range internalProfiles {
 		profiles = append(profiles, &Profile{
 			Name:     p.Name,
 			IsActive: p.IsActive,
 		})
 	}
 	return &ProfileArray{items: profiles}, nil
 }
 // GetActiveProfile returns the currently active profile name
 func (pm *ProfileManager) GetActiveProfile() (string, error) {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	activeState, err := pm.serviceMgr.GetActiveProfileState()
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
 	return activeState.Name, nil
 }
 // SwitchProfile switches to a different profile
 func (pm *ProfileManager) SwitchProfile(profileName string) error {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	err := pm.serviceMgr.SetActiveProfileState(&profilemanager.ActiveProfileState{
 		Name:     profileName,
 		Username: androidUsername,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 	log.Infof("switched to profile: %s", profileName)
 	return nil
 }
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
 	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}
 	log.Infof("created new profile: %s", profileName)
 	return nil
 }
 // LogoutProfile logs out from a profile (clears authentication)
 func (pm *ProfileManager) LogoutProfile(profileName string) error {
 	profileName = sanitizeProfileName(profileName)
 	configPath, err := pm.getProfileConfigPath(profileName)
 	if err != nil {
 		return err
 	}
 	// Check if profile exists
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
 		return fmt.Errorf("profile '%s' does not exist", profileName)
 	}
 	// Read current config using internal profilemanager
 	config, err := profilemanager.ReadConfig(configPath)
 	if err != nil {
 		return fmt.Errorf("failed to read profile config: %w", err)
 	}
 	// Clear authentication by removing private key and SSH key
 	config.PrivateKey = ""
 	config.SSHKey = ""
 	// Save config using internal profilemanager
 	if err := profilemanager.WriteOutConfig(configPath, config); err != nil {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
 	log.Infof("logged out from profile: %s", profileName)
 	return nil
 }
 // RemoveProfile deletes a profile
 func (pm *ProfileManager) RemoveProfile(profileName string) error {
 	// Use ServiceManager (removes profile from profiles/ directory)
 	if err := pm.serviceMgr.RemoveProfile(profileName, androidUsername); err != nil {
 		return fmt.Errorf("failed to remove profile: %w", err)
 	}
 	log.Infof("removed profile: %s", profileName)
 	return nil
 }
 // getProfileConfigPath returns the config file path for a profile
 // This is needed for Android-specific path handling (netbird.cfg for default profile)
 func (pm *ProfileManager) getProfileConfigPath(profileName string) (string, error) {
 	if profileName == "" || profileName == profilemanager.DefaultProfileName {
 		// Android uses netbird.cfg for default profile instead of default.json
 		// Default profile is stored in root configDir, not in profiles/
 		return filepath.Join(pm.configDir, defaultConfigFilename), nil
 	}
 	// Non-default profiles are stored in profiles subdirectory
 	// This matches the Java Preferences.java expectation
 	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
 	return filepath.Join(profilesDir, profileName+".json"), nil
 }
 // GetConfigPath returns the config file path for a given profile
 // Java should call this instead of constructing paths with Preferences.configFile()
 func (pm *ProfileManager) GetConfigPath(profileName string) (string, error) {
 	return pm.getProfileConfigPath(profileName)
 }
 // GetStateFilePath returns the state file path for a given profile
 // Java should call this instead of constructing paths with Preferences.stateFile()
 func (pm *ProfileManager) GetStateFilePath(profileName string) (string, error) {
 	if profileName == "" || profileName == profilemanager.DefaultProfileName {
 		return filepath.Join(pm.configDir, "state.json"), nil
 	}
 	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
 	return filepath.Join(profilesDir, profileName+".state.json"), nil
 }
 // GetActiveConfigPath returns the config file path for the currently active profile
 // Java should call this instead of Preferences.getActiveProfileName() + Preferences.configFile()
 func (pm *ProfileManager) GetActiveConfigPath() (string, error) {
 	activeProfile, err := pm.GetActiveProfile()
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
 	return pm.GetConfigPath(activeProfile)
 }
 // GetActiveStateFilePath returns the state file path for the currently active profile
 // Java should call this instead of Preferences.getActiveProfileName() + Preferences.stateFile()
 func (pm *ProfileManager) GetActiveStateFilePath() (string, error) {
 	activeProfile, err := pm.GetActiveProfile()
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
 	return pm.GetStateFilePath(activeProfile)
 }
 // sanitizeProfileName removes invalid characters from profile name
 func sanitizeProfileName(name string) string {
 	// Keep only alphanumeric, underscore, and hyphen
 	var result strings.Builder
 	for _, r := range name {
 		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
 			(r >= '0' && r <= '9') || r == '_' || r == '-' {
 			result.WriteRune(r)
 		}
 	}
 	return result.String()
 }
--- a/client/android/route_command.go
+++ b/client/android/route_command.go
@@ -1,67 +0,0 @@
 //go:build android
 package android
 import (
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/route"
 )
 func executeRouteToggle(id string, manager routemanager.Manager,
 	operationName string,
 	routeOperation func(routes []route.NetID, allRoutes []route.NetID) error) error {
 	netID := route.NetID(id)
 	routes := []route.NetID{netID}
 	log.Debugf("%s with id: %s", operationName, id)
 	if err := routeOperation(routes, maps.Keys(manager.GetClientRoutesWithNetID())); err != nil {
 		log.Debugf("error when %s: %s", operationName, err)
 		return fmt.Errorf("error %s: %w", operationName, err)
 	}
 	manager.TriggerSelection(manager.GetClientRoutes())
 	return nil
 }
 type routeCommand interface {
 	toggleRoute() error
 }
 type selectRouteCommand struct {
 	route   string
 	manager routemanager.Manager
 }
 func (s selectRouteCommand) toggleRoute() error {
 	routeSelector := s.manager.GetRouteSelector()
 	if routeSelector == nil {
 		return fmt.Errorf("no route selector available")
 	}
 	routeOperation := func(routes []route.NetID, allRoutes []route.NetID) error {
 		return routeSelector.SelectRoutes(routes, true, allRoutes)
 	}
 	return executeRouteToggle(s.route, s.manager, "selecting route", routeOperation)
 }
 type deselectRouteCommand struct {
 	route   string
 	manager routemanager.Manager
 }
 func (d deselectRouteCommand) toggleRoute() error {
 	routeSelector := d.manager.GetRouteSelector()
 	if routeSelector == nil {
 		return fmt.Errorf("no route selector available")
 	}
 	return executeRouteToggle(d.route, d.manager, "deselecting route", routeSelector.DeselectRoutes)
 }
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -16,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/server"
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
 )
@@ -97,6 +98,7 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	request := &proto.DebugBundleRequest{
 		Anonymize:    anonymizeFlag,
 		Status:       getStatusOutput(cmd, anonymizeFlag),
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 	}
@@ -134,7 +136,6 @@ func setLogLevel(cmd *cobra.Command, args []string) error {
 	client := proto.NewDaemonServiceClient(conn)
 	level := server.ParseLogLevel(args[0])
 	if level == proto.LogLevel_UNKNOWN {
 		//nolint
 		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
 	}
@@ -167,7 +168,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	client := proto.NewDaemonServiceClient(conn)
-	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{ShouldRunProbes: true})
+	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
 	if err != nil {
 		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
 	}
@@ -181,11 +182,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 		} else {
 			cmd.Println("netbird up")
 			time.Sleep(time.Second * 10)
 		}
 		cmd.Println("netbird up")
 		time.Sleep(time.Second * 10)
 	}
 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -199,13 +199,10 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level set to trace.")
 	}
 	needsRestoreUp := false
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 	} else {
 		needsRestoreUp = !stateWasDown
 		cmd.Println("netbird down")
 	}
 	cmd.Println("netbird down")
 	time.Sleep(1 * time.Second)
@@ -213,49 +210,31 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
 	}
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
+		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
 	} else {
 		needsRestoreUp = false
 		cmd.Println("netbird up")
 	}
 	cmd.Println("netbird up")
 	time.Sleep(3 * time.Second)
-	cpuProfilingStarted := false
+	headerPostUp := fmt.Sprintf("----- NetBird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
-	if _, err := client.StartCPUProfile(cmd.Context(), &proto.StartCPUProfileRequest{}); err != nil {
+	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd, anonymizeFlag))
 		cmd.PrintErrf("Failed to start CPU profiling: %v\n", err)
 	} else {
 		cpuProfilingStarted = true
 		defer func() {
 			if cpuProfilingStarted {
 				if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
 					cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
 				}
 			}
 		}()
 	}
 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
 	}
 	cmd.Println("\nDuration completed")
 	if cpuProfilingStarted {
 		if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
 			cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
 		} else {
 			cpuProfilingStarted = false
 		}
 	}
 	cmd.Println("Creating debug bundle...")
 	headerPreDown := fmt.Sprintf("----- NetBird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
 	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd, anonymizeFlag))
 	request := &proto.DebugBundleRequest{
 		Anonymize:    anonymizeFlag,
 		Status:       statusOutput,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 	}
@@ -267,28 +246,18 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 	if needsRestoreUp {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
 			cmd.PrintErrf("Failed to restore service up state: %v\n", status.Convert(err).Message())
 		} else {
 			cmd.Println("netbird up (restored)")
 		}
 	}
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
+			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
 		} else {
 			cmd.Println("netbird down")
 		}
 		cmd.Println("netbird down")
 	}
 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
 		} else {
 			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 		}
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}
 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
@@ -332,6 +301,19 @@ func setSyncResponsePersistence(cmd *cobra.Command, args []string) error {
 	return nil
 }
 func getStatusOutput(cmd *cobra.Command, anon bool) string {
 	var statusOutputString string
 	statusResp, err := getStatus(cmd.Context())
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
 			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString
 }
 func waitForDurationOrCancel(ctx context.Context, duration time.Duration, cmd *cobra.Command) error {
 	ticker := time.NewTicker(1 * time.Second)
 	defer ticker.Stop()
@@ -390,8 +372,7 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			InternalConfig: config,
 			StatusRecorder: recorder,
 			SyncResponse:   syncResponse,
-			LogPath:        logFilePath,
+			LogFile:        logFilePath,
 			CPUProfile:     nil,
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
--- a/client/cmd/debug_js.go
+++ b/client/cmd/debug_js.go
@@ -1,8 +0,0 @@
 package cmd
 import "context"
 // SetupDebugHandler is a no-op for WASM
 func SetupDebugHandler(context.Context, interface{}, interface{}, interface{}, string) {
 	// Debug handler not needed for WASM
 }
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -27,7 +27,7 @@ var downCmd = &cobra.Command{
 			return err
 		}
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
 		defer cancel()
 		conn, err := DialClientGRPCServer(ctx, daemonAddr)
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -1,287 +0,0 @@
 package cmd
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/signal"
 	"regexp"
 	"strconv"
 	"strings"
 	"syscall"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/util"
 )
 var pinRegexp = regexp.MustCompile(`^\d{6}$`)
 var (
 	exposePin          string
 	exposePassword     string
 	exposeUserGroups   []string
 	exposeDomain       string
 	exposeNamePrefix   string
 	exposeProtocol     string
 	exposeExternalPort uint16
 )
 var exposeCmd = &cobra.Command{
 	Use:   "expose <port>",
 	Short: "Expose a local port via the NetBird reverse proxy",
 	Args:  cobra.ExactArgs(1),
 	Example: `  netbird expose --with-password safe-pass 8080
  netbird expose --protocol tcp 5432
  netbird expose --protocol tcp --with-external-port 5433 5432
  netbird expose --protocol tls --with-custom-domain tls.example.com 4443`,
 	RunE: exposeFn,
 }
 func init() {
 	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
 	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
 	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
 	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
 	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
 	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use: http, https, tcp, udp, or tls (e.g. --protocol tcp)")
 	exposeCmd.Flags().Uint16Var(&exposeExternalPort, "with-external-port", 0, "Public-facing external port on the proxy cluster (defaults to the target port for L4)")
 }
 // isClusterProtocol returns true for L4/TLS protocols that reject HTTP-style auth flags.
 func isClusterProtocol(protocol string) bool {
 	switch strings.ToLower(protocol) {
 	case "tcp", "udp", "tls":
 		return true
 	default:
 		return false
 	}
 }
 // isPortBasedProtocol returns true for pure port-based protocols (TCP/UDP)
 // where domain display doesn't apply. TLS uses SNI so it has a domain.
 func isPortBasedProtocol(protocol string) bool {
 	switch strings.ToLower(protocol) {
 	case "tcp", "udp":
 		return true
 	default:
 		return false
 	}
 }
 // extractPort returns the port portion of a URL like "tcp://host:12345", or
 // falls back to the given default formatted as a string.
 func extractPort(serviceURL string, fallback uint16) string {
 	u := serviceURL
 	if idx := strings.Index(u, "://"); idx != -1 {
 		u = u[idx+3:]
 	}
 	if i := strings.LastIndex(u, ":"); i != -1 {
 		if p := u[i+1:]; p != "" {
 			return p
 		}
 	}
 	return strconv.FormatUint(uint64(fallback), 10)
 }
 // resolveExternalPort returns the effective external port, defaulting to the target port.
 func resolveExternalPort(targetPort uint64) uint16 {
 	if exposeExternalPort != 0 {
 		return exposeExternalPort
 	}
 	return uint16(targetPort)
 }
 func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
 	port, err := strconv.ParseUint(portStr, 10, 32)
 	if err != nil {
 		return 0, fmt.Errorf("invalid port number: %s", portStr)
 	}
 	if port == 0 || port > 65535 {
 		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
 	}
 	if !isProtocolValid(exposeProtocol) {
 		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
 	}
 	if isClusterProtocol(exposeProtocol) {
 		if exposePin != "" || exposePassword != "" || len(exposeUserGroups) > 0 {
 			return 0, fmt.Errorf("auth flags (--with-pin, --with-password, --with-user-groups) are not supported for %s protocol", exposeProtocol)
 		}
 	} else if cmd.Flags().Changed("with-external-port") {
 		return 0, fmt.Errorf("--with-external-port is not supported for %s protocol", exposeProtocol)
 	}
 	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
 		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
 	}
 	if cmd.Flags().Changed("with-password") && exposePassword == "" {
 		return 0, fmt.Errorf("password cannot be empty")
 	}
 	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
 		return 0, fmt.Errorf("user groups cannot be empty")
 	}
 	return port, nil
 }
 func isProtocolValid(exposeProtocol string) bool {
 	switch strings.ToLower(exposeProtocol) {
 	case "http", "https", "tcp", "udp", "tls":
 		return true
 	default:
 		return false
 	}
 }
 func exposeFn(cmd *cobra.Command, args []string) error {
 	SetFlagsFromEnvVars(rootCmd)
 	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
 		log.Errorf("failed initializing log %v", err)
 		return err
 	}
 	cmd.Root().SilenceUsage = false
 	port, err := validateExposeFlags(cmd, args[0])
 	if err != nil {
 		return err
 	}
 	cmd.Root().SilenceUsage = true
 	ctx, cancel := context.WithCancel(cmd.Context())
 	defer cancel()
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
 	go func() {
 		<-sigCh
 		cancel()
 	}()
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return fmt.Errorf("connect to daemon: %w", err)
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
 			log.Debugf("failed to close daemon connection: %v", err)
 		}
 	}()
 	client := proto.NewDaemonServiceClient(conn)
 	protocol, err := toExposeProtocol(exposeProtocol)
 	if err != nil {
 		return err
 	}
 	req := &proto.ExposeServiceRequest{
 		Port:       uint32(port),
 		Protocol:   protocol,
 		Pin:        exposePin,
 		Password:   exposePassword,
 		UserGroups: exposeUserGroups,
 		Domain:     exposeDomain,
 		NamePrefix: exposeNamePrefix,
 	}
 	if isClusterProtocol(exposeProtocol) {
 		req.ListenPort = uint32(resolveExternalPort(port))
 	}
 	stream, err := client.ExposeService(ctx, req)
 	if err != nil {
 		return fmt.Errorf("expose service: %v", status.Convert(err).Message())
 	}
 	if err := handleExposeReady(cmd, stream, port); err != nil {
 		return err
 	}
 	return waitForExposeEvents(cmd, ctx, stream)
 }
 func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
 	p, err := expose.ParseProtocolType(exposeProtocol)
 	if err != nil {
 		return 0, fmt.Errorf("invalid protocol: %w", err)
 	}
 	switch p {
 	case expose.ProtocolHTTP:
 		return proto.ExposeProtocol_EXPOSE_HTTP, nil
 	case expose.ProtocolHTTPS:
 		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
 	case expose.ProtocolTCP:
 		return proto.ExposeProtocol_EXPOSE_TCP, nil
 	case expose.ProtocolUDP:
 		return proto.ExposeProtocol_EXPOSE_UDP, nil
 	case expose.ProtocolTLS:
 		return proto.ExposeProtocol_EXPOSE_TLS, nil
 	default:
 		return 0, fmt.Errorf("unhandled protocol type: %d", p)
 	}
 }
 func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
 	event, err := stream.Recv()
 	if err != nil {
 		return fmt.Errorf("receive expose event: %v", status.Convert(err).Message())
 	}
 	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)
 	if !ok {
 		return fmt.Errorf("unexpected expose event: %T", event.Event)
 	}
 	printExposeReady(cmd, ready.Ready, port)
 	return nil
 }
 func printExposeReady(cmd *cobra.Command, r *proto.ExposeServiceReady, port uint64) {
 	cmd.Println("Service exposed successfully!")
 	cmd.Printf("  Name:     %s\n", r.ServiceName)
 	if r.ServiceUrl != "" {
 		cmd.Printf("  URL:      %s\n", r.ServiceUrl)
 	}
 	if r.Domain != "" && !isPortBasedProtocol(exposeProtocol) {
 		cmd.Printf("  Domain:   %s\n", r.Domain)
 	}
 	cmd.Printf("  Protocol: %s\n", exposeProtocol)
 	cmd.Printf("  Internal: %d\n", port)
 	if isClusterProtocol(exposeProtocol) {
 		cmd.Printf("  External: %s\n", extractPort(r.ServiceUrl, resolveExternalPort(port)))
 	}
 	if r.PortAutoAssigned && exposeExternalPort != 0 {
 		cmd.Printf("\n  Note: requested port %d was reassigned\n", exposeExternalPort)
 	}
 	cmd.Println()
 	cmd.Println("Press Ctrl+C to stop exposing.")
 }
 func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
 	for {
 		_, err := stream.Recv()
 		if err != nil {
 			if ctx.Err() != nil {
 				cmd.Println("\nService stopped.")
 				//nolint:nilerr
 				return nil
 			}
 			if errors.Is(err, io.EOF) {
 				return fmt.Errorf("connection to daemon closed unexpectedly")
 			}
 			return fmt.Errorf("stream error: %w", err)
 		}
 	}
 }
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -7,8 +7,10 @@ import (
 	"os/user"
 	"runtime"
 	"strings"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
@@ -80,7 +82,6 @@ var loginCmd = &cobra.Command{
 func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey string, activeProf *profilemanager.Profile, username string, pm *profilemanager.ProfileManager) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -104,13 +105,6 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		Username:            &username,
 	}
 	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
 		loginRequest.Hint = &profileState.Email
 	}
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		loginRequest.OptionalPreSharedKey = &preSharedKey
 	}
@@ -206,7 +200,6 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 func switchProfile(ctx context.Context, profileName string, username string) error {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -234,7 +227,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 	}
 	// update host's static platform and system information
-	system.UpdateStaticInfoAsync()
+	system.UpdateStaticInfo()
 	configFilePath, err := activeProf.FilePath()
 	if err != nil {
@@ -247,7 +240,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}
-	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
+	err = foregroundLogin(ctx, cmd, config, setupKey)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -275,46 +268,54 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string) error {
-	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
+	needsLogin := false
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
-	needsLogin, err := authClient.IsLoginRequired(ctx)
+	err := WithBackOff(func() error {
 		err := internal.Login(ctx, config, "", "")
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			needsLogin = true
 			return nil
 		}
 		return err
 	})
 	if err != nil {
-		return fmt.Errorf("check login required: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
 		jwtToken = tokenInfo.GetTokenToUse()
 	}
-	err, _ = authClient.Login(ctx, setupKey, jwtToken)
+	var lastError error
 	err = WithBackOff(func() error {
 		err := internal.Login(ctx, config, setupKey, jwtToken)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			lastError = err
 			return nil
 		}
 		return err
 	})
 	if lastError != nil {
 		return fmt.Errorf("login failed: %v", lastError)
 	}
 	if err != nil {
-		return fmt.Errorf("login failed: %v", err)
+		return fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	return nil
 }
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config) (*auth.TokenInfo, error) {
-	hint := ""
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
 	pm := profilemanager.NewProfileManager()
 	profileState, err := pm.GetProfileState(profileName)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
 		hint = profileState.Email
 	}
 	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop(), false, hint)
 	if err != nil {
 		return nil, err
 	}
@@ -326,7 +327,11 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *pro
 	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)
-	tokenInfo, err := oAuthFlow.WaitToken(context.TODO(), flowInfo)
+	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout)
 	defer c()
 	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
@@ -351,7 +356,7 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	cmd.Println("")
 	if !noBrowser {
-		if err := util.OpenBrowser(verificationURIComplete); err != nil {
+		if err := open.Run(verificationURIComplete); err != nil {
 			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
 				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 		}
--- a/client/cmd/pprof.go
+++ b/client/cmd/pprof.go
@@ -1,4 +1,5 @@
 //go:build pprof
 // +build pprof
 package cmd
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,7 +22,6 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
@@ -36,6 +35,7 @@ const (
 	wireguardPortFlag        = "wireguard-port"
 	networkMonitorFlag       = "network-monitor"
 	disableAutoConnectFlag   = "disable-auto-connect"
 	serverSSHAllowedFlag     = "allow-server-ssh"
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
@@ -64,6 +64,7 @@ var (
 	customDNSAddress        string
 	rosenpassEnabled        bool
 	rosenpassPermissive     bool
 	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
 	networkMonitor          bool
@@ -75,30 +76,17 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
 	networksDisabled        bool
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			SetFlagsFromEnvVars(cmd.Root())
 			// Don't resolve for service commands — they create the socket, not connect to it.
 			if !isServiceCmd(cmd) {
 				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
 			}
 			return nil
 		},
 	}
 )
 // Execute executes the root command.
 func Execute() error {
 	if isUpdateBinary() {
 		return updateCmd.Execute()
 	}
 	return rootCmd.Execute()
 }
@@ -155,7 +143,6 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
 	rootCmd.AddCommand(exposeCmd)
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -189,6 +176,7 @@ func init() {
 	)
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")
@@ -243,7 +231,7 @@ func FlagNameToEnvVar(cmdFlag string, prefix string) string {
 // DialClientGRPCServer returns client connection to the daemon server.
 func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
 	defer cancel()
 	return grpc.DialContext(
@@ -397,11 +385,11 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }
 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())
 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
 	if err != nil {
 		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -409,13 +397,3 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 	return conn, nil
 }
 // isServiceCmd returns true if cmd is the "service" command or a child of it.
 func isServiceCmd(cmd *cobra.Command) bool {
 	for c := cmd; c != nil; c = c.Parent() {
 		if c.Name() == "service" {
 			return true
 		}
 	}
 	return false
 }
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -41,16 +41,13 @@ func init() {
 		defaultServiceName = "Netbird"
 	}
-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +
 		`You can specify a comma-separated list of KEY=VALUE pairs. ` +
 		`New keys are merged with previously saved env vars; existing keys are overwritten. ` +
 		`Use --service-env "" to clear all saved env vars. ` +
 		`E.g. --service-env NB_LOG_LEVEL=debug,CUSTOM_VAR=value`
 	installCmd.Flags().StringSliceVar(&serviceEnvVars, "service-env", nil, serviceEnvDesc)
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -27,7 +27,7 @@ func (p *program) Start(svc service.Service) error {
 	log.Info("starting NetBird service") //nolint
 	// Collect static system and platform information
-	system.UpdateStaticInfoAsync()
+	system.UpdateStaticInfo()
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, networksDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}
@@ -103,7 +103,7 @@ func (p *program) Stop(srv service.Service) error {
 // Common setup for service control commands
 func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
-	// rootCmd env vars are already applied by PersistentPreRunE.
+	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(serviceCmd)
 	cmd.SetOut(cmd.OutOrStdout())
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -10,8 +10,6 @@ import (
 	"path/filepath"
 	"runtime"
 	log "github.com/sirupsen/logrus"
 	"github.com/kardianos/service"
 	"github.com/spf13/cobra"
@@ -59,10 +57,6 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 	if networksDisabled {
 		args = append(args, "--disable-networks")
 	}
 	return args
 }
@@ -87,10 +81,6 @@ func configurePlatformSpecificSettings(svcConfig *service.Config) error {
 				svcConfig.Option["LogDirectory"] = dir
 			}
 		}
 		if err := configureSystemdNetworkd(); err != nil {
 			log.Warnf("failed to configure systemd-networkd: %v", err)
 		}
 	}
 	if runtime.GOOS == "windows" {
@@ -123,10 +113,6 @@ var installCmd = &cobra.Command{
 			return err
 		}
 		if err := loadAndApplyServiceParams(cmd); err != nil {
 			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
 		}
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -144,10 +130,6 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}
 		if err := saveServiceParams(currentServiceParams()); err != nil {
 			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
 		}
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -178,12 +160,6 @@ var uninstallCmd = &cobra.Command{
 			return fmt.Errorf("uninstall service: %w", err)
 		}
 		if runtime.GOOS == "linux" {
 			if err := cleanupSystemdNetworkd(); err != nil {
 				log.Warnf("failed to cleanup systemd-networkd configuration: %v", err)
 			}
 		}
 		cmd.Println("NetBird service has been uninstalled")
 		return nil
 	},
@@ -199,10 +175,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}
 		if err := loadAndApplyServiceParams(cmd); err != nil {
 			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
 		}
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -238,10 +210,6 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}
 		if err := saveServiceParams(currentServiceParams()); err != nil {
 			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
 		}
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {
@@ -277,50 +245,3 @@ func isServiceRunning() (bool, error) {
 	return status == service.StatusRunning, nil
 }
 const (
 	networkdConf        = "/etc/systemd/networkd.conf"
 	networkdConfDir     = "/etc/systemd/networkd.conf.d"
 	networkdConfFile    = "/etc/systemd/networkd.conf.d/99-netbird.conf"
 	networkdConfContent = `# Created by NetBird to prevent systemd-networkd from removing
 # routes and policy rules managed by NetBird.
 [Network]
 ManageForeignRoutes=no
 ManageForeignRoutingPolicyRules=no
 `
 )
 // configureSystemdNetworkd creates a drop-in configuration file to prevent
 // systemd-networkd from removing NetBird's routes and policy rules.
 func configureSystemdNetworkd() error {
 	if _, err := os.Stat(networkdConf); os.IsNotExist(err) {
 		log.Debug("systemd-networkd not in use, skipping configuration")
 		return nil
 	}
 	// nolint:gosec // standard networkd permissions
 	if err := os.MkdirAll(networkdConfDir, 0755); err != nil {
 		return fmt.Errorf("create networkd.conf.d directory: %w", err)
 	}
 	// nolint:gosec // standard networkd permissions
 	if err := os.WriteFile(networkdConfFile, []byte(networkdConfContent), 0644); err != nil {
 		return fmt.Errorf("write networkd configuration: %w", err)
 	}
 	return nil
 }
 // cleanupSystemdNetworkd removes the NetBird systemd-networkd configuration file.
 func cleanupSystemdNetworkd() error {
 	if _, err := os.Stat(networkdConfFile); os.IsNotExist(err) {
 		return nil
 	}
 	if err := os.Remove(networkdConfFile); err != nil {
 		return fmt.Errorf("remove networkd configuration: %w", err)
 	}
 	return nil
 }
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -1,218 +0,0 @@
 //go:build !ios && !android
 package cmd
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"maps"
 	"os"
 	"path/filepath"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/configs"
 	"github.com/netbirdio/netbird/util"
 )
 const serviceParamsFile = "service.json"
 // serviceParams holds install-time service parameters that persist across
 // uninstall/reinstall cycles. Saved to <stateDir>/service.json.
 type serviceParams struct {
 	LogLevel              string            `json:"log_level"`
 	DaemonAddr            string            `json:"daemon_addr"`
 	ManagementURL         string            `json:"management_url,omitempty"`
 	ConfigPath            string            `json:"config_path,omitempty"`
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
 	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 // serviceParamsPath returns the path to the service params file.
 func serviceParamsPath() string {
 	return filepath.Join(configs.StateDir, serviceParamsFile)
 }
 // loadServiceParams reads saved service parameters from disk.
 // Returns nil with no error if the file does not exist.
 func loadServiceParams() (*serviceParams, error) {
 	path := serviceParamsPath()
 	data, err := os.ReadFile(path)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, nil //nolint:nilnil
 		}
 		return nil, fmt.Errorf("read service params %s: %w", path, err)
 	}
 	var params serviceParams
 	if err := json.Unmarshal(data, &params); err != nil {
 		return nil, fmt.Errorf("parse service params %s: %w", path, err)
 	}
 	return &params, nil
 }
 // saveServiceParams writes current service parameters to disk atomically
 // with restricted permissions.
 func saveServiceParams(params *serviceParams) error {
 	path := serviceParamsPath()
 	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
 		return fmt.Errorf("save service params: %w", err)
 	}
 	return nil
 }
 // currentServiceParams captures the current state of all package-level
 // variables into a serviceParams struct.
 func currentServiceParams() *serviceParams {
 	params := &serviceParams{
 		LogLevel:              logLevel,
 		DaemonAddr:            daemonAddr,
 		ManagementURL:         managementURL,
 		ConfigPath:            configPath,
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
 		DisableNetworks:       networksDisabled,
 	}
 	if len(serviceEnvVars) > 0 {
 		parsed, err := parseServiceEnvVars(serviceEnvVars)
 		if err == nil {
 			params.ServiceEnvVars = parsed
 		}
 	}
 	return params
 }
 // loadAndApplyServiceParams loads saved params from disk and applies them
 // to any flags that were not explicitly set.
 func loadAndApplyServiceParams(cmd *cobra.Command) error {
 	params, err := loadServiceParams()
 	if err != nil {
 		return err
 	}
 	applyServiceParams(cmd, params)
 	return nil
 }
 // applyServiceParams merges saved parameters into package-level variables
 // for any flag that was not explicitly set by the user (via CLI or env var).
 // Flags that were Changed() are left untouched.
 func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 	if params == nil {
 		return
 	}
 	// For fields with non-empty defaults (log-level, daemon-addr), keep the
 	// != "" guard so that an older service.json missing the field doesn't
 	// clobber the default with an empty string.
 	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
 		logLevel = params.LogLevel
 	}
 	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
 		daemonAddr = params.DaemonAddr
 	}
 	// For optional fields where empty means "use default", always apply so
 	// that an explicit clear (--management-url "") persists across reinstalls.
 	if !rootCmd.PersistentFlags().Changed("management-url") {
 		managementURL = params.ManagementURL
 	}
 	if !rootCmd.PersistentFlags().Changed("config") {
 		configPath = params.ConfigPath
 	}
 	if !rootCmd.PersistentFlags().Changed("log-file") {
 		logFiles = params.LogFiles
 	}
 	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
 		profilesDisabled = params.DisableProfiles
 	}
 	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 	if !serviceCmd.PersistentFlags().Changed("disable-networks") {
 		networksDisabled = params.DisableNetworks
 	}
 	applyServiceEnvParams(cmd, params)
 }
 // applyServiceEnvParams merges saved service environment variables.
 // If --service-env was explicitly set with values, explicit values win on key
 // conflict but saved keys not in the explicit set are carried over.
 // If --service-env was explicitly set to empty, all saved env vars are cleared.
 // If --service-env was not set, saved env vars are used entirely.
 func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
 	if !cmd.Flags().Changed("service-env") {
 		if len(params.ServiceEnvVars) > 0 {
 			// No explicit env vars: rebuild serviceEnvVars from saved params.
 			serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
 		}
 		return
 	}
 	// Flag was explicitly set: parse what the user provided.
 	explicit, err := parseServiceEnvVars(serviceEnvVars)
 	if err != nil {
 		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
 		return
 	}
 	// If the user passed an empty value (e.g. --service-env ""), clear all
 	// saved env vars rather than merging.
 	if len(explicit) == 0 {
 		serviceEnvVars = nil
 		return
 	}
 	if len(params.ServiceEnvVars) == 0 {
 		return
 	}
 	// Merge saved values underneath explicit ones.
 	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
 	maps.Copy(merged, params.ServiceEnvVars)
 	maps.Copy(merged, explicit) // explicit wins on conflict
 	serviceEnvVars = envMapToSlice(merged)
 }
 var resetParamsCmd = &cobra.Command{
 	Use:   "reset-params",
 	Short: "Remove saved service install parameters",
 	Long:  "Removes the saved service.json file so the next install uses default parameters.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		path := serviceParamsPath()
 		if err := os.Remove(path); err != nil {
 			if os.IsNotExist(err) {
 				cmd.Println("No saved service parameters found")
 				return nil
 			}
 			return fmt.Errorf("remove service params: %w", err)
 		}
 		cmd.Printf("Removed saved service parameters (%s)\n", path)
 		return nil
 	},
 }
 // envMapToSlice converts a map of env vars to a KEY=VALUE slice.
 func envMapToSlice(m map[string]string) []string {
 	s := make([]string, 0, len(m))
 	for k, v := range m {
 		s = append(s, k+"="+v)
 	}
 	return s
 }
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -1,559 +0,0 @@
 //go:build !ios && !android
 package cmd
 import (
 	"encoding/json"
 	"go/ast"
 	"go/parser"
 	"go/token"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/configs"
 )
 func TestServiceParamsPath(t *testing.T) {
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = "/var/lib/netbird"
 	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
 	configs.StateDir = "/custom/state"
 	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
 }
 func TestSaveAndLoadServiceParams(t *testing.T) {
 	tmpDir := t.TempDir()
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = tmpDir
 	params := &serviceParams{
 		LogLevel:              "debug",
 		DaemonAddr:            "unix:///var/run/netbird.sock",
 		ManagementURL:         "https://my.server.com",
 		ConfigPath:            "/etc/netbird/config.json",
 		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
 		DisableProfiles:       true,
 		DisableUpdateSettings: false,
 		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
 	}
 	err := saveServiceParams(params)
 	require.NoError(t, err)
 	// Verify the file exists and is valid JSON.
 	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
 	require.NoError(t, err)
 	assert.True(t, json.Valid(data))
 	loaded, err := loadServiceParams()
 	require.NoError(t, err)
 	require.NotNil(t, loaded)
 	assert.Equal(t, params.LogLevel, loaded.LogLevel)
 	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
 	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
 	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
 	assert.Equal(t, params.LogFiles, loaded.LogFiles)
 	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
 	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
 	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
 }
 func TestLoadServiceParams_FileNotExists(t *testing.T) {
 	tmpDir := t.TempDir()
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = tmpDir
 	params, err := loadServiceParams()
 	assert.NoError(t, err)
 	assert.Nil(t, params)
 }
 func TestLoadServiceParams_InvalidJSON(t *testing.T) {
 	tmpDir := t.TempDir()
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = tmpDir
 	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
 	require.NoError(t, err)
 	params, err := loadServiceParams()
 	assert.Error(t, err)
 	assert.Nil(t, params)
 }
 func TestCurrentServiceParams(t *testing.T) {
 	origLogLevel := logLevel
 	origDaemonAddr := daemonAddr
 	origManagementURL := managementURL
 	origConfigPath := configPath
 	origLogFiles := logFiles
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() {
 		logLevel = origLogLevel
 		daemonAddr = origDaemonAddr
 		managementURL = origManagementURL
 		configPath = origConfigPath
 		logFiles = origLogFiles
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
 		serviceEnvVars = origServiceEnvVars
 	})
 	logLevel = "trace"
 	daemonAddr = "tcp://127.0.0.1:9999"
 	managementURL = "https://mgmt.example.com"
 	configPath = "/tmp/test-config.json"
 	logFiles = []string{"/tmp/test.log"}
 	profilesDisabled = true
 	updateSettingsDisabled = true
 	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
 	params := currentServiceParams()
 	assert.Equal(t, "trace", params.LogLevel)
 	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
 	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
 	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
 	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
 	assert.True(t, params.DisableProfiles)
 	assert.True(t, params.DisableUpdateSettings)
 	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
 }
 func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 	origLogLevel := logLevel
 	origDaemonAddr := daemonAddr
 	origManagementURL := managementURL
 	origConfigPath := configPath
 	origLogFiles := logFiles
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() {
 		logLevel = origLogLevel
 		daemonAddr = origDaemonAddr
 		managementURL = origManagementURL
 		configPath = origConfigPath
 		logFiles = origLogFiles
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
 		serviceEnvVars = origServiceEnvVars
 	})
 	// Reset all flags to defaults.
 	logLevel = "info"
 	daemonAddr = "unix:///var/run/netbird.sock"
 	managementURL = ""
 	configPath = "/etc/netbird/config.json"
 	logFiles = []string{"/var/log/netbird/client.log"}
 	profilesDisabled = false
 	updateSettingsDisabled = false
 	serviceEnvVars = nil
 	// Reset Changed state on all relevant flags.
 	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	// Simulate user explicitly setting --log-level via CLI.
 	logLevel = "warn"
 	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
 	saved := &serviceParams{
 		LogLevel:              "debug",
 		DaemonAddr:            "tcp://127.0.0.1:5555",
 		ManagementURL:         "https://saved.example.com",
 		ConfigPath:            "/saved/config.json",
 		LogFiles:              []string{"/saved/client.log"},
 		DisableProfiles:       true,
 		DisableUpdateSettings: true,
 		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
 	}
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	applyServiceParams(cmd, saved)
 	// log-level was Changed, so it should keep "warn", not use saved "debug".
 	assert.Equal(t, "warn", logLevel)
 	// All other fields were not Changed, so they should use saved values.
 	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
 	assert.Equal(t, "https://saved.example.com", managementURL)
 	assert.Equal(t, "/saved/config.json", configPath)
 	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
 	assert.True(t, profilesDisabled)
 	assert.True(t, updateSettingsDisabled)
 	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
 }
 func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
 	t.Cleanup(func() {
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
 	})
 	// Simulate current state where booleans are true (e.g. set by previous install).
 	profilesDisabled = true
 	updateSettingsDisabled = true
 	// Reset Changed state so flags appear unset.
 	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	// Saved params have both as false.
 	saved := &serviceParams{
 		DisableProfiles:       false,
 		DisableUpdateSettings: false,
 	}
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	applyServiceParams(cmd, saved)
 	assert.False(t, profilesDisabled, "saved false should override current true")
 	assert.False(t, updateSettingsDisabled, "saved false should override current true")
 }
 func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
 	origManagementURL := managementURL
 	t.Cleanup(func() { managementURL = origManagementURL })
 	managementURL = "https://leftover.example.com"
 	// Simulate saved params where management URL was explicitly cleared.
 	saved := &serviceParams{
 		LogLevel:   "info",
 		DaemonAddr: "unix:///var/run/netbird.sock",
 		// ManagementURL intentionally empty: was cleared with --management-url "".
 	}
 	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	applyServiceParams(cmd, saved)
 	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
 }
 func TestApplyServiceParams_NilParams(t *testing.T) {
 	origLogLevel := logLevel
 	t.Cleanup(func() { logLevel = origLogLevel })
 	logLevel = "info"
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	// Should be a no-op.
 	applyServiceParams(cmd, nil)
 	assert.Equal(t, "info", logLevel)
 }
 func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
 	// Set up a command with --service-env marked as Changed.
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
 	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
 	saved := &serviceParams{
 		ServiceEnvVars: map[string]string{
 			"SAVED":   "val",
 			"OVERLAP": "saved",
 		},
 	}
 	applyServiceEnvParams(cmd, saved)
 	// Parse result for easier assertion.
 	result, err := parseServiceEnvVars(serviceEnvVars)
 	require.NoError(t, err)
 	assert.Equal(t, "yes", result["EXPLICIT"])
 	assert.Equal(t, "val", result["SAVED"])
 	// Explicit wins on conflict.
 	assert.Equal(t, "explicit", result["OVERLAP"])
 }
 func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
 	serviceEnvVars = nil
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	saved := &serviceParams{
 		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
 	}
 	applyServiceEnvParams(cmd, saved)
 	result, err := parseServiceEnvVars(serviceEnvVars)
 	require.NoError(t, err)
 	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
 }
 func TestApplyServiceEnvParams_ExplicitEmptyClears(t *testing.T) {
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
 	// Simulate --service-env "" which produces [""] in the slice.
 	serviceEnvVars = []string{""}
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	require.NoError(t, cmd.Flags().Set("service-env", ""))
 	saved := &serviceParams{
 		ServiceEnvVars: map[string]string{"OLD_VAR": "should_be_cleared"},
 	}
 	applyServiceEnvParams(cmd, saved)
 	assert.Nil(t, serviceEnvVars, "explicit empty --service-env should clear all saved env vars")
 }
 func TestCurrentServiceParams_EmptyEnvVarsAfterParse(t *testing.T) {
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
 	// Simulate --service-env "" which produces [""] in the slice.
 	serviceEnvVars = []string{""}
 	params := currentServiceParams()
 	// After parsing, the empty string is skipped, resulting in an empty map.
 	// The map should still be set (not nil) so it overwrites saved values.
 	assert.NotNil(t, params.ServiceEnvVars, "empty env vars should produce empty map, not nil")
 	assert.Empty(t, params.ServiceEnvVars, "no valid env vars should be parsed from empty string")
 }
 // TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
 // referenced in both currentServiceParams() and applyServiceParams(). If a new field is
 // added to serviceParams but not wired into these functions, this test fails.
 func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
 	fset := token.NewFileSet()
 	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
 	require.NoError(t, err)
 	// Collect all JSON field names from the serviceParams struct.
 	structFields := extractStructJSONFields(t, file, "serviceParams")
 	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
 	// Collect field names referenced in currentServiceParams and applyServiceParams.
 	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
 	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
 	// applyServiceEnvParams handles ServiceEnvVars indirectly.
 	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
 	for k, v := range applyEnvFields {
 		applyFields[k] = v
 	}
 	for _, field := range structFields {
 		assert.Contains(t, currentFields, field,
 			"serviceParams field %q is not captured in currentServiceParams()", field)
 		assert.Contains(t, applyFields, field,
 			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
 	}
 }
 // TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
 // all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
 // it flows through newSVCConfig() EnvVars, not CLI args.
 func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
 	fset := token.NewFileSet()
 	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
 	require.NoError(t, err)
 	structFields := extractStructJSONFields(t, file, "serviceParams")
 	require.NotEmpty(t, structFields)
 	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
 	require.NoError(t, err)
 	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
 	fieldsNotInArgs := map[string]bool{
 		"ServiceEnvVars": true,
 	}
 	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
 	// Forward: every struct field must appear in buildServiceArguments.
 	for _, field := range structFields {
 		if fieldsNotInArgs[field] {
 			continue
 		}
 		globalVar := fieldToGlobalVar(field)
 		assert.Contains(t, buildFields, globalVar,
 			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
 	}
 	// Reverse: every service-related global used in buildServiceArguments must
 	// have a corresponding serviceParams field. This catches a developer adding
 	// a new flag to buildServiceArguments without adding it to the struct.
 	globalToField := make(map[string]string, len(structFields))
 	for _, field := range structFields {
 		globalToField[fieldToGlobalVar(field)] = field
 	}
 	// Identifiers in buildServiceArguments that are not service params
 	// (builtins, boilerplate, loop variables).
 	nonParamGlobals := map[string]bool{
 		"args": true, "append": true, "string": true, "_": true,
 		"logFile": true, // range variable over logFiles
 	}
 	for ref := range buildFields {
 		if nonParamGlobals[ref] {
 			continue
 		}
 		_, inStruct := globalToField[ref]
 		assert.True(t, inStruct,
 			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
 	}
 }
 // extractStructJSONFields returns field names from a named struct type.
 func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
 	t.Helper()
 	var fields []string
 	ast.Inspect(file, func(n ast.Node) bool {
 		ts, ok := n.(*ast.TypeSpec)
 		if !ok || ts.Name.Name != structName {
 			return true
 		}
 		st, ok := ts.Type.(*ast.StructType)
 		if !ok {
 			return false
 		}
 		for _, f := range st.Fields.List {
 			if len(f.Names) > 0 {
 				fields = append(fields, f.Names[0].Name)
 			}
 		}
 		return false
 	})
 	return fields
 }
 // extractFuncFieldRefs returns which of the given field names appear inside the
 // named function, either as selector expressions (params.FieldName) or as
 // composite literal keys (&serviceParams{FieldName: ...}).
 func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
 	t.Helper()
 	fieldSet := make(map[string]bool, len(fields))
 	for _, f := range fields {
 		fieldSet[f] = true
 	}
 	found := make(map[string]bool)
 	fn := findFuncDecl(file, funcName)
 	require.NotNil(t, fn, "function %s not found", funcName)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {
 		switch v := n.(type) {
 		case *ast.SelectorExpr:
 			if fieldSet[v.Sel.Name] {
 				found[v.Sel.Name] = true
 			}
 		case *ast.KeyValueExpr:
 			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
 				found[ident.Name] = true
 			}
 		}
 		return true
 	})
 	return found
 }
 // extractFuncGlobalRefs returns all identifier names referenced in the named function body.
 func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
 	t.Helper()
 	fn := findFuncDecl(file, funcName)
 	require.NotNil(t, fn, "function %s not found", funcName)
 	refs := make(map[string]bool)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {
 		if ident, ok := n.(*ast.Ident); ok {
 			refs[ident.Name] = true
 		}
 		return true
 	})
 	return refs
 }
 func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
 	for _, decl := range file.Decls {
 		fn, ok := decl.(*ast.FuncDecl)
 		if ok && fn.Name.Name == name {
 			return fn
 		}
 	}
 	return nil
 }
 // fieldToGlobalVar maps serviceParams field names to the package-level variable
 // names used in buildServiceArguments and applyServiceParams.
 func fieldToGlobalVar(field string) string {
 	m := map[string]string{
 		"LogLevel":              "logLevel",
 		"DaemonAddr":            "daemonAddr",
 		"ManagementURL":         "managementURL",
 		"ConfigPath":            "configPath",
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
 		"DisableNetworks":       "networksDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {
 		return v
 	}
 	// Default: lowercase first letter.
 	return strings.ToLower(field[:1]) + field[1:]
 }
 func TestEnvMapToSlice(t *testing.T) {
 	m := map[string]string{"A": "1", "B": "2"}
 	s := envMapToSlice(m)
 	assert.Len(t, s, 2)
 	assert.Contains(t, s, "A=1")
 	assert.Contains(t, s, "B=2")
 }
 func TestEnvMapToSlice_Empty(t *testing.T) {
 	s := envMapToSlice(map[string]string{})
 	assert.Empty(t, s)
 }
--- a/client/cmd/service_test.go
+++ b/client/cmd/service_test.go
@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
 	"os/signal"
 	"runtime"
 	"syscall"
 	"testing"
 	"time"
@@ -15,22 +13,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 // TestMain intercepts when this test binary is run as a daemon subprocess.
 // On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
 // "service run ..." arguments. Since the test binary can't handle cobra CLI
 // args, it exits immediately, causing daemon -r to respawn rapidly until
 // hitting the rate limit and exiting. This makes service restart unreliable.
 // Blocking here keeps the subprocess alive until the init system sends SIGTERM.
 func TestMain(m *testing.M) {
 	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
 		sig := make(chan os.Signal, 1)
 		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
 		<-sig
 		return
 	}
 	os.Exit(m.Run())
 }
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -97,34 +79,6 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)
 	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
 	t.Cleanup(func() {
 		cfg, err := newSVCConfig()
 		if err != nil {
 			t.Errorf("cleanup: create service config: %v", err)
 			return
 		}
 		ctxSvc, cancel := context.WithCancel(context.Background())
 		defer cancel()
 		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
 		if err != nil {
 			t.Errorf("cleanup: create service: %v", err)
 			return
 		}
 		// If the subtests already cleaned up, there's nothing to do.
 		if _, err := s.Status(); err != nil {
 			return
 		}
 		if err := s.Stop(); err != nil {
 			t.Errorf("cleanup: stop service: %v", err)
 		}
 		if err := s.Uninstall(); err != nil {
 			t.Errorf("cleanup: uninstall service: %v", err)
 		}
 	})
 	ctx := context.Background()
 	t.Run("Install", func(t *testing.T) {
--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -1,176 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"time"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 var (
 	bundlePubKeysRootPrivKeyFile string
 	bundlePubKeysPubKeyFiles     []string
 	bundlePubKeysFile            string
 	createArtifactKeyRootPrivKeyFile string
 	createArtifactKeyPrivKeyFile     string
 	createArtifactKeyPubKeyFile      string
 	createArtifactKeyExpiration      time.Duration
 )
 var createArtifactKeyCmd = &cobra.Command{
 	Use:   "create-artifact-key",
 	Short: "Create a new artifact signing key",
 	Long: `Generate a new artifact signing key pair signed by the root private key.
 The artifact key will be used to sign software artifacts/updates.`,
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if createArtifactKeyExpiration <= 0 {
 			return fmt.Errorf("--expiration must be a positive duration (e.g., 720h, 365d, 8760h)")
 		}
 		if err := handleCreateArtifactKey(cmd, createArtifactKeyRootPrivKeyFile, createArtifactKeyPrivKeyFile, createArtifactKeyPubKeyFile, createArtifactKeyExpiration); err != nil {
 			return fmt.Errorf("failed to create artifact key: %w", err)
 		}
 		return nil
 	},
 }
 var bundlePubKeysCmd = &cobra.Command{
 	Use:   "bundle-pub-keys",
 	Short: "Bundle multiple artifact public keys into a signed package",
 	Long: `Bundle one or more artifact public keys into a signed package using the root private key.
 This command is typically used to distribute or authorize a set of valid artifact signing keys.`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if len(bundlePubKeysPubKeyFiles) == 0 {
 			return fmt.Errorf("at least one --artifact-pub-key-file must be provided")
 		}
 		if err := handleBundlePubKeys(cmd, bundlePubKeysRootPrivKeyFile, bundlePubKeysPubKeyFiles, bundlePubKeysFile); err != nil {
 			return fmt.Errorf("failed to bundle public keys: %w", err)
 		}
 		return nil
 	},
 }
 func init() {
 	rootCmd.AddCommand(createArtifactKeyCmd)
 	createArtifactKeyCmd.Flags().StringVar(&createArtifactKeyRootPrivKeyFile, "root-private-key-file", "", "Path to the root private key file used to sign the artifact key")
 	createArtifactKeyCmd.Flags().StringVar(&createArtifactKeyPrivKeyFile, "artifact-priv-key-file", "", "Path where the artifact private key will be saved")
 	createArtifactKeyCmd.Flags().StringVar(&createArtifactKeyPubKeyFile, "artifact-pub-key-file", "", "Path where the artifact public key will be saved")
 	createArtifactKeyCmd.Flags().DurationVar(&createArtifactKeyExpiration, "expiration", 0, "Expiration duration for the artifact key (e.g., 720h, 365d, 8760h)")
 	if err := createArtifactKeyCmd.MarkFlagRequired("root-private-key-file"); err != nil {
 		panic(fmt.Errorf("mark root-private-key-file as required: %w", err))
 	}
 	if err := createArtifactKeyCmd.MarkFlagRequired("artifact-priv-key-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-priv-key-file as required: %w", err))
 	}
 	if err := createArtifactKeyCmd.MarkFlagRequired("artifact-pub-key-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-pub-key-file as required: %w", err))
 	}
 	if err := createArtifactKeyCmd.MarkFlagRequired("expiration"); err != nil {
 		panic(fmt.Errorf("mark expiration as required: %w", err))
 	}
 	rootCmd.AddCommand(bundlePubKeysCmd)
 	bundlePubKeysCmd.Flags().StringVar(&bundlePubKeysRootPrivKeyFile, "root-private-key-file", "", "Path to the root private key file used to sign the bundle")
 	bundlePubKeysCmd.Flags().StringArrayVar(&bundlePubKeysPubKeyFiles, "artifact-pub-key-file", nil, "Path(s) to the artifact public key files to include in the bundle (can be repeated)")
 	bundlePubKeysCmd.Flags().StringVar(&bundlePubKeysFile, "bundle-pub-key-file", "", "Path where the public keys will be saved")
 	if err := bundlePubKeysCmd.MarkFlagRequired("root-private-key-file"); err != nil {
 		panic(fmt.Errorf("mark root-private-key-file as required: %w", err))
 	}
 	if err := bundlePubKeysCmd.MarkFlagRequired("artifact-pub-key-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-pub-key-file as required: %w", err))
 	}
 	if err := bundlePubKeysCmd.MarkFlagRequired("bundle-pub-key-file"); err != nil {
 		panic(fmt.Errorf("mark bundle-pub-key-file as required: %w", err))
 	}
 }
 func handleCreateArtifactKey(cmd *cobra.Command, rootPrivKeyFile, artifactPrivKeyFile, artifactPubKeyFile string, expiration time.Duration) error {
 	cmd.Println("Creating new artifact signing key...")
 	privKeyPEM, err := os.ReadFile(rootPrivKeyFile)
 	if err != nil {
 		return fmt.Errorf("read root private key file: %w", err)
 	}
 	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse private root key: %w", err)
 	}
 	artifactKey, privPEM, pubPEM, signature, err := reposign.GenerateArtifactKey(privateRootKey, expiration)
 	if err != nil {
 		return fmt.Errorf("generate artifact key: %w", err)
 	}
 	if err := os.WriteFile(artifactPrivKeyFile, privPEM, 0o600); err != nil {
 		return fmt.Errorf("write private key file (%s): %w", artifactPrivKeyFile, err)
 	}
 	if err := os.WriteFile(artifactPubKeyFile, pubPEM, 0o600); err != nil {
 		return fmt.Errorf("write public key file (%s): %w", artifactPubKeyFile, err)
 	}
 	signatureFile := artifactPubKeyFile + ".sig"
 	if err := os.WriteFile(signatureFile, signature, 0o600); err != nil {
 		return fmt.Errorf("write signature file (%s): %w", signatureFile, err)
 	}
 	cmd.Printf("✅ Artifact key created successfully.\n")
 	cmd.Printf("%s\n", artifactKey.String())
 	return nil
 }
 func handleBundlePubKeys(cmd *cobra.Command, rootPrivKeyFile string, artifactPubKeyFiles []string, bundlePubKeysFile string) error {
 	cmd.Println("📦 Bundling public keys into signed package...")
 	privKeyPEM, err := os.ReadFile(rootPrivKeyFile)
 	if err != nil {
 		return fmt.Errorf("read root private key file: %w", err)
 	}
 	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse private root key: %w", err)
 	}
 	publicKeys := make([]reposign.PublicKey, 0, len(artifactPubKeyFiles))
 	for _, pubFile := range artifactPubKeyFiles {
 		pubPem, err := os.ReadFile(pubFile)
 		if err != nil {
 			return fmt.Errorf("read public key file: %w", err)
 		}
 		pk, err := reposign.ParseArtifactPubKey(pubPem)
 		if err != nil {
 			return fmt.Errorf("failed to parse artifact key: %w", err)
 		}
 		publicKeys = append(publicKeys, pk)
 	}
 	parsedKeys, signature, err := reposign.BundleArtifactKeys(privateRootKey, publicKeys)
 	if err != nil {
 		return fmt.Errorf("bundle artifact keys: %w", err)
 	}
 	if err := os.WriteFile(bundlePubKeysFile, parsedKeys, 0o600); err != nil {
 		return fmt.Errorf("write public keys file (%s): %w", bundlePubKeysFile, err)
 	}
 	signatureFile := bundlePubKeysFile + ".sig"
 	if err := os.WriteFile(signatureFile, signature, 0o600); err != nil {
 		return fmt.Errorf("write signature file (%s): %w", signatureFile, err)
 	}
 	cmd.Printf("✅ Bundle created with %d public keys.\n", len(artifactPubKeyFiles))
 	return nil
 }
--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -1,276 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 const (
 	envArtifactPrivateKey = "NB_ARTIFACT_PRIV_KEY"
 )
 var (
 	signArtifactPrivKeyFile  string
 	signArtifactArtifactFile string
 	verifyArtifactPubKeyFile    string
 	verifyArtifactFile          string
 	verifyArtifactSignatureFile string
 	verifyArtifactKeyPubKeyFile     string
 	verifyArtifactKeyRootPubKeyFile string
 	verifyArtifactKeySignatureFile  string
 	verifyArtifactKeyRevocationFile string
 )
 var signArtifactCmd = &cobra.Command{
 	Use:   "sign-artifact",
 	Short: "Sign an artifact using an artifact private key",
 	Long: `Sign a software artifact (e.g., update bundle or binary) using the artifact's private key.
 This command produces a detached signature that can be verified using the corresponding artifact public key.`,
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := handleSignArtifact(cmd, signArtifactPrivKeyFile, signArtifactArtifactFile); err != nil {
 			return fmt.Errorf("failed to sign artifact: %w", err)
 		}
 		return nil
 	},
 }
 var verifyArtifactCmd = &cobra.Command{
 	Use:          "verify-artifact",
 	Short:        "Verify an artifact signature using an artifact public key",
 	Long:         `Verify a software artifact signature using the artifact's public key.`,
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := handleVerifyArtifact(cmd, verifyArtifactPubKeyFile, verifyArtifactFile, verifyArtifactSignatureFile); err != nil {
 			return fmt.Errorf("failed to verify artifact: %w", err)
 		}
 		return nil
 	},
 }
 var verifyArtifactKeyCmd = &cobra.Command{
 	Use:   "verify-artifact-key",
 	Short: "Verify an artifact public key was signed by a root key",
 	Long: `Verify that an artifact public key (or bundle) was properly signed by a root key.
 This validates the chain of trust from the root key to the artifact key.`,
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := handleVerifyArtifactKey(cmd, verifyArtifactKeyPubKeyFile, verifyArtifactKeyRootPubKeyFile, verifyArtifactKeySignatureFile, verifyArtifactKeyRevocationFile); err != nil {
 			return fmt.Errorf("failed to verify artifact key: %w", err)
 		}
 		return nil
 	},
 }
 func init() {
 	rootCmd.AddCommand(signArtifactCmd)
 	rootCmd.AddCommand(verifyArtifactCmd)
 	rootCmd.AddCommand(verifyArtifactKeyCmd)
 	signArtifactCmd.Flags().StringVar(&signArtifactPrivKeyFile, "artifact-key-file", "", fmt.Sprintf("Path to the artifact private key file used for signing (or set %s env var)", envArtifactPrivateKey))
 	signArtifactCmd.Flags().StringVar(&signArtifactArtifactFile, "artifact-file", "", "Path to the artifact to be signed")
 	// artifact-file is required, but artifact-key-file can come from env var
 	if err := signArtifactCmd.MarkFlagRequired("artifact-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-file as required: %w", err))
 	}
 	verifyArtifactCmd.Flags().StringVar(&verifyArtifactPubKeyFile, "artifact-public-key-file", "", "Path to the artifact public key file")
 	verifyArtifactCmd.Flags().StringVar(&verifyArtifactFile, "artifact-file", "", "Path to the artifact to be verified")
 	verifyArtifactCmd.Flags().StringVar(&verifyArtifactSignatureFile, "signature-file", "", "Path to the signature file")
 	if err := verifyArtifactCmd.MarkFlagRequired("artifact-public-key-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-public-key-file as required: %w", err))
 	}
 	if err := verifyArtifactCmd.MarkFlagRequired("artifact-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-file as required: %w", err))
 	}
 	if err := verifyArtifactCmd.MarkFlagRequired("signature-file"); err != nil {
 		panic(fmt.Errorf("mark signature-file as required: %w", err))
 	}
 	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeyPubKeyFile, "artifact-key-file", "", "Path to the artifact public key file or bundle")
 	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeyRootPubKeyFile, "root-key-file", "", "Path to the root public key file or bundle")
 	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeySignatureFile, "signature-file", "", "Path to the signature file")
 	verifyArtifactKeyCmd.Flags().StringVar(&verifyArtifactKeyRevocationFile, "revocation-file", "", "Path to the revocation list file (optional)")
 	if err := verifyArtifactKeyCmd.MarkFlagRequired("artifact-key-file"); err != nil {
 		panic(fmt.Errorf("mark artifact-key-file as required: %w", err))
 	}
 	if err := verifyArtifactKeyCmd.MarkFlagRequired("root-key-file"); err != nil {
 		panic(fmt.Errorf("mark root-key-file as required: %w", err))
 	}
 	if err := verifyArtifactKeyCmd.MarkFlagRequired("signature-file"); err != nil {
 		panic(fmt.Errorf("mark signature-file as required: %w", err))
 	}
 }
 func handleSignArtifact(cmd *cobra.Command, privKeyFile, artifactFile string) error {
 	cmd.Println("🖋️  Signing artifact...")
 	// Load private key from env var or file
 	var privKeyPEM []byte
 	var err error
 	if envKey := os.Getenv(envArtifactPrivateKey); envKey != "" {
 		// Use key from environment variable
 		privKeyPEM = []byte(envKey)
 	} else if privKeyFile != "" {
 		// Fall back to file
 		privKeyPEM, err = os.ReadFile(privKeyFile)
 		if err != nil {
 			return fmt.Errorf("read private key file: %w", err)
 		}
 	} else {
 		return fmt.Errorf("artifact private key must be provided via %s environment variable or --artifact-key-file flag", envArtifactPrivateKey)
 	}
 	privateKey, err := reposign.ParseArtifactKey(privKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse artifact private key: %w", err)
 	}
 	artifactData, err := os.ReadFile(artifactFile)
 	if err != nil {
 		return fmt.Errorf("read artifact file: %w", err)
 	}
 	signature, err := reposign.SignData(privateKey, artifactData)
 	if err != nil {
 		return fmt.Errorf("sign artifact: %w", err)
 	}
 	sigFile := artifactFile + ".sig"
 	if err := os.WriteFile(artifactFile+".sig", signature, 0o600); err != nil {
 		return fmt.Errorf("write signature file (%s): %w", sigFile, err)
 	}
 	cmd.Printf("✅ Artifact signed successfully.\n")
 	cmd.Printf("Signature file: %s\n", sigFile)
 	return nil
 }
 func handleVerifyArtifact(cmd *cobra.Command, pubKeyFile, artifactFile, signatureFile string) error {
 	cmd.Println("🔍 Verifying artifact...")
 	// Read artifact public key
 	pubKeyPEM, err := os.ReadFile(pubKeyFile)
 	if err != nil {
 		return fmt.Errorf("read public key file: %w", err)
 	}
 	publicKey, err := reposign.ParseArtifactPubKey(pubKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse artifact public key: %w", err)
 	}
 	// Read artifact data
 	artifactData, err := os.ReadFile(artifactFile)
 	if err != nil {
 		return fmt.Errorf("read artifact file: %w", err)
 	}
 	// Read signature
 	sigBytes, err := os.ReadFile(signatureFile)
 	if err != nil {
 		return fmt.Errorf("read signature file: %w", err)
 	}
 	signature, err := reposign.ParseSignature(sigBytes)
 	if err != nil {
 		return fmt.Errorf("failed to parse signature: %w", err)
 	}
 	// Validate artifact
 	if err := reposign.ValidateArtifact([]reposign.PublicKey{publicKey}, artifactData, *signature); err != nil {
 		return fmt.Errorf("artifact verification failed: %w", err)
 	}
 	cmd.Println("✅ Artifact signature is valid")
 	cmd.Printf("Artifact: %s\n", artifactFile)
 	cmd.Printf("Signed by key: %s\n", signature.KeyID)
 	cmd.Printf("Signature timestamp: %s\n", signature.Timestamp.Format("2006-01-02 15:04:05 MST"))
 	return nil
 }
 func handleVerifyArtifactKey(cmd *cobra.Command, artifactKeyFile, rootKeyFile, signatureFile, revocationFile string) error {
 	cmd.Println("🔍 Verifying artifact key...")
 	// Read artifact key data
 	artifactKeyData, err := os.ReadFile(artifactKeyFile)
 	if err != nil {
 		return fmt.Errorf("read artifact key file: %w", err)
 	}
 	// Read root public key(s)
 	rootKeyData, err := os.ReadFile(rootKeyFile)
 	if err != nil {
 		return fmt.Errorf("read root key file: %w", err)
 	}
 	rootPublicKeys, err := parseRootPublicKeys(rootKeyData)
 	if err != nil {
 		return fmt.Errorf("failed to parse root public key(s): %w", err)
 	}
 	// Read signature
 	sigBytes, err := os.ReadFile(signatureFile)
 	if err != nil {
 		return fmt.Errorf("read signature file: %w", err)
 	}
 	signature, err := reposign.ParseSignature(sigBytes)
 	if err != nil {
 		return fmt.Errorf("failed to parse signature: %w", err)
 	}
 	// Read optional revocation list
 	var revocationList *reposign.RevocationList
 	if revocationFile != "" {
 		revData, err := os.ReadFile(revocationFile)
 		if err != nil {
 			return fmt.Errorf("read revocation file: %w", err)
 		}
 		revocationList, err = reposign.ParseRevocationList(revData)
 		if err != nil {
 			return fmt.Errorf("failed to parse revocation list: %w", err)
 		}
 	}
 	// Validate artifact key(s)
 	validKeys, err := reposign.ValidateArtifactKeys(rootPublicKeys, artifactKeyData, *signature, revocationList)
 	if err != nil {
 		return fmt.Errorf("artifact key verification failed: %w", err)
 	}
 	cmd.Println("✅ Artifact key(s) verified successfully")
 	cmd.Printf("Signed by root key: %s\n", signature.KeyID)
 	cmd.Printf("Signature timestamp: %s\n", signature.Timestamp.Format("2006-01-02 15:04:05 MST"))
 	cmd.Printf("\nValid artifact keys (%d):\n", len(validKeys))
 	for i, key := range validKeys {
 		cmd.Printf("  [%d] Key ID: %s\n", i+1, key.Metadata.ID)
 		cmd.Printf("      Created: %s\n", key.Metadata.CreatedAt.Format("2006-01-02 15:04:05 MST"))
 		if !key.Metadata.ExpiresAt.IsZero() {
 			cmd.Printf("      Expires: %s\n", key.Metadata.ExpiresAt.Format("2006-01-02 15:04:05 MST"))
 		} else {
 			cmd.Printf("      Expires: Never\n")
 		}
 	}
 	return nil
 }
 // parseRootPublicKeys parses a root public key from PEM data
 func parseRootPublicKeys(data []byte) ([]reposign.PublicKey, error) {
 	key, err := reposign.ParseRootPublicKey(data)
 	if err != nil {
 		return nil, err
 	}
 	return []reposign.PublicKey{key}, nil
 }
--- a/client/cmd/signer/main.go
+++ b/client/cmd/signer/main.go
@@ -1,21 +0,0 @@
 package main
 import (
 	"os"
 	"github.com/spf13/cobra"
 )
 var rootCmd = &cobra.Command{
 	Use:   "signer",
 	Short: "A CLI tool for managing cryptographic keys and artifacts",
 	Long: `signer is a command-line tool that helps you manage
 root keys, artifact keys, and revocation lists securely.`,
 }
 func main() {
 	if err := rootCmd.Execute(); err != nil {
 		rootCmd.Println(err)
 		os.Exit(1)
 	}
 }
--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -1,220 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"time"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 const (
 	defaultRevocationListExpiration = 365 * 24 * time.Hour // 1 year
 )
 var (
 	keyID              string
 	revocationListFile string
 	privateRootKeyFile string
 	publicRootKeyFile  string
 	signatureFile      string
 	expirationDuration time.Duration
 )
 var createRevocationListCmd = &cobra.Command{
 	Use:          "create-revocation-list",
 	Short:        "Create a new revocation list signed by the private root key",
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return handleCreateRevocationList(cmd, revocationListFile, privateRootKeyFile)
 	},
 }
 var extendRevocationListCmd = &cobra.Command{
 	Use:          "extend-revocation-list",
 	Short:        "Extend an existing revocation list with a given key ID",
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return handleExtendRevocationList(cmd, keyID, revocationListFile, privateRootKeyFile)
 	},
 }
 var verifyRevocationListCmd = &cobra.Command{
 	Use:          "verify-revocation-list",
 	Short:        "Verify a revocation list signature using the public root key",
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		return handleVerifyRevocationList(cmd, revocationListFile, signatureFile, publicRootKeyFile)
 	},
 }
 func init() {
 	rootCmd.AddCommand(createRevocationListCmd)
 	rootCmd.AddCommand(extendRevocationListCmd)
 	rootCmd.AddCommand(verifyRevocationListCmd)
 	createRevocationListCmd.Flags().StringVar(&revocationListFile, "revocation-list-file", "", "Path to the existing revocation list file")
 	createRevocationListCmd.Flags().StringVar(&privateRootKeyFile, "private-root-key", "", "Path to the private root key PEM file")
 	createRevocationListCmd.Flags().DurationVar(&expirationDuration, "expiration", defaultRevocationListExpiration, "Expiration duration for the revocation list (e.g., 8760h for 1 year)")
 	if err := createRevocationListCmd.MarkFlagRequired("revocation-list-file"); err != nil {
 		panic(err)
 	}
 	if err := createRevocationListCmd.MarkFlagRequired("private-root-key"); err != nil {
 		panic(err)
 	}
 	extendRevocationListCmd.Flags().StringVar(&keyID, "key-id", "", "ID of the key to extend the revocation list for")
 	extendRevocationListCmd.Flags().StringVar(&revocationListFile, "revocation-list-file", "", "Path to the existing revocation list file")
 	extendRevocationListCmd.Flags().StringVar(&privateRootKeyFile, "private-root-key", "", "Path to the private root key PEM file")
 	extendRevocationListCmd.Flags().DurationVar(&expirationDuration, "expiration", defaultRevocationListExpiration, "Expiration duration for the revocation list (e.g., 8760h for 1 year)")
 	if err := extendRevocationListCmd.MarkFlagRequired("key-id"); err != nil {
 		panic(err)
 	}
 	if err := extendRevocationListCmd.MarkFlagRequired("revocation-list-file"); err != nil {
 		panic(err)
 	}
 	if err := extendRevocationListCmd.MarkFlagRequired("private-root-key"); err != nil {
 		panic(err)
 	}
 	verifyRevocationListCmd.Flags().StringVar(&revocationListFile, "revocation-list-file", "", "Path to the revocation list file")
 	verifyRevocationListCmd.Flags().StringVar(&signatureFile, "signature-file", "", "Path to the signature file")
 	verifyRevocationListCmd.Flags().StringVar(&publicRootKeyFile, "public-root-key", "", "Path to the public root key PEM file")
 	if err := verifyRevocationListCmd.MarkFlagRequired("revocation-list-file"); err != nil {
 		panic(err)
 	}
 	if err := verifyRevocationListCmd.MarkFlagRequired("signature-file"); err != nil {
 		panic(err)
 	}
 	if err := verifyRevocationListCmd.MarkFlagRequired("public-root-key"); err != nil {
 		panic(err)
 	}
 }
 func handleCreateRevocationList(cmd *cobra.Command, revocationListFile string, privateRootKeyFile string) error {
 	privKeyPEM, err := os.ReadFile(privateRootKeyFile)
 	if err != nil {
 		return fmt.Errorf("failed to read private root key file: %w", err)
 	}
 	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse private root key: %w", err)
 	}
 	rlBytes, sigBytes, err := reposign.CreateRevocationList(*privateRootKey, expirationDuration)
 	if err != nil {
 		return fmt.Errorf("failed to create revocation list: %w", err)
 	}
 	if err := writeOutputFiles(revocationListFile, revocationListFile+".sig", rlBytes, sigBytes); err != nil {
 		return fmt.Errorf("failed to write output files: %w", err)
 	}
 	cmd.Println("✅ Revocation list created successfully")
 	return nil
 }
 func handleExtendRevocationList(cmd *cobra.Command, keyID, revocationListFile, privateRootKeyFile string) error {
 	privKeyPEM, err := os.ReadFile(privateRootKeyFile)
 	if err != nil {
 		return fmt.Errorf("failed to read private root key file: %w", err)
 	}
 	privateRootKey, err := reposign.ParseRootKey(privKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse private root key: %w", err)
 	}
 	rlBytes, err := os.ReadFile(revocationListFile)
 	if err != nil {
 		return fmt.Errorf("failed to read revocation list file: %w", err)
 	}
 	rl, err := reposign.ParseRevocationList(rlBytes)
 	if err != nil {
 		return fmt.Errorf("failed to parse revocation list: %w", err)
 	}
 	kid, err := reposign.ParseKeyID(keyID)
 	if err != nil {
 		return fmt.Errorf("invalid key ID: %w", err)
 	}
 	newRLBytes, sigBytes, err := reposign.ExtendRevocationList(*privateRootKey, *rl, kid, expirationDuration)
 	if err != nil {
 		return fmt.Errorf("failed to extend revocation list: %w", err)
 	}
 	if err := writeOutputFiles(revocationListFile, revocationListFile+".sig", newRLBytes, sigBytes); err != nil {
 		return fmt.Errorf("failed to write output files: %w", err)
 	}
 	cmd.Println("✅ Revocation list extended successfully")
 	return nil
 }
 func handleVerifyRevocationList(cmd *cobra.Command, revocationListFile, signatureFile, publicRootKeyFile string) error {
 	// Read revocation list file
 	rlBytes, err := os.ReadFile(revocationListFile)
 	if err != nil {
 		return fmt.Errorf("failed to read revocation list file: %w", err)
 	}
 	// Read signature file
 	sigBytes, err := os.ReadFile(signatureFile)
 	if err != nil {
 		return fmt.Errorf("failed to read signature file: %w", err)
 	}
 	// Read public root key file
 	pubKeyPEM, err := os.ReadFile(publicRootKeyFile)
 	if err != nil {
 		return fmt.Errorf("failed to read public root key file: %w", err)
 	}
 	// Parse public root key
 	publicKey, err := reposign.ParseRootPublicKey(pubKeyPEM)
 	if err != nil {
 		return fmt.Errorf("failed to parse public root key: %w", err)
 	}
 	// Parse signature
 	signature, err := reposign.ParseSignature(sigBytes)
 	if err != nil {
 		return fmt.Errorf("failed to parse signature: %w", err)
 	}
 	// Validate revocation list
 	rl, err := reposign.ValidateRevocationList([]reposign.PublicKey{publicKey}, rlBytes, *signature)
 	if err != nil {
 		return fmt.Errorf("failed to validate revocation list: %w", err)
 	}
 	// Display results
 	cmd.Println("✅ Revocation list signature is valid")
 	cmd.Printf("Last Updated: %s\n", rl.LastUpdated.Format(time.RFC3339))
 	cmd.Printf("Expires At: %s\n", rl.ExpiresAt.Format(time.RFC3339))
 	cmd.Printf("Number of revoked keys: %d\n", len(rl.Revoked))
 	if len(rl.Revoked) > 0 {
 		cmd.Println("\nRevoked Keys:")
 		for keyID, revokedTime := range rl.Revoked {
 			cmd.Printf("  - %s (revoked at: %s)\n", keyID, revokedTime.Format(time.RFC3339))
 		}
 	}
 	return nil
 }
 func writeOutputFiles(rlPath, sigPath string, rlBytes, sigBytes []byte) error {
 	if err := os.WriteFile(rlPath, rlBytes, 0o600); err != nil {
 		return fmt.Errorf("failed to write revocation list file: %w", err)
 	}
 	if err := os.WriteFile(sigPath, sigBytes, 0o600); err != nil {
 		return fmt.Errorf("failed to write signature file: %w", err)
 	}
 	return nil
 }
--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -1,74 +0,0 @@
 package main
 import (
 	"fmt"
 	"os"
 	"time"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 var (
 	privKeyFile    string
 	pubKeyFile     string
 	rootExpiration time.Duration
 )
 var createRootKeyCmd = &cobra.Command{
 	Use:          "create-root-key",
 	Short:        "Create a new root key pair",
 	Long:         `Create a new root key pair and specify an expiration time for it.`,
 	SilenceUsage: true,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		// Validate expiration
 		if rootExpiration <= 0 {
 			return fmt.Errorf("--expiration must be a positive duration (e.g., 720h, 365d, 8760h)")
 		}
 		// Run main logic
 		if err := handleGenerateRootKey(cmd, privKeyFile, pubKeyFile, rootExpiration); err != nil {
 			return fmt.Errorf("failed to generate root key: %w", err)
 		}
 		return nil
 	},
 }
 func init() {
 	rootCmd.AddCommand(createRootKeyCmd)
 	createRootKeyCmd.Flags().StringVar(&privKeyFile, "priv-key-file", "", "Path to output private key file")
 	createRootKeyCmd.Flags().StringVar(&pubKeyFile, "pub-key-file", "", "Path to output public key file")
 	createRootKeyCmd.Flags().DurationVar(&rootExpiration, "expiration", 0, "Expiration time for the root key (e.g., 720h,)")
 	if err := createRootKeyCmd.MarkFlagRequired("priv-key-file"); err != nil {
 		panic(err)
 	}
 	if err := createRootKeyCmd.MarkFlagRequired("pub-key-file"); err != nil {
 		panic(err)
 	}
 	if err := createRootKeyCmd.MarkFlagRequired("expiration"); err != nil {
 		panic(err)
 	}
 }
 func handleGenerateRootKey(cmd *cobra.Command, privKeyFile, pubKeyFile string, expiration time.Duration) error {
 	rk, privPEM, pubPEM, err := reposign.GenerateRootKey(expiration)
 	if err != nil {
 		return fmt.Errorf("generate root key: %w", err)
 	}
 	// Write private key
 	if err := os.WriteFile(privKeyFile, privPEM, 0o600); err != nil {
 		return fmt.Errorf("write private key file (%s): %w", privKeyFile, err)
 	}
 	// Write public key
 	if err := os.WriteFile(pubKeyFile, pubPEM, 0o600); err != nil {
 		return fmt.Errorf("write public key file (%s): %w", pubKeyFile, err)
 	}
 	cmd.Printf("%s\n\n", rk.String())
 	cmd.Printf("✅ Root key pair generated successfully.\n")
 	return nil
 }
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -3,886 +3,125 @@ package cmd
 import (
 	"context"
 	"errors"
 	"flag"
 	"fmt"
 	"net"
 	"os"
 	"os/signal"
 	"os/user"
 	"slices"
 	"strconv"
 	"strings"
 	"syscall"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/ssh"
 	"github.com/netbirdio/netbird/client/internal"
-	sshclient "github.com/netbirdio/netbird/client/ssh/client"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	"github.com/netbirdio/netbird/client/ssh/detection"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 	sshproxy "github.com/netbirdio/netbird/client/ssh/proxy"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 	"github.com/netbirdio/netbird/util"
 )
 const (
 	sshUsernameDesc      = "SSH username"
 	hostArgumentRequired = "host argument required"
 	serverSSHAllowedFlag           = "allow-server-ssh"
 	enableSSHRootFlag              = "enable-ssh-root"
 	enableSSHSFTPFlag              = "enable-ssh-sftp"
 	enableSSHLocalPortForwardFlag  = "enable-ssh-local-port-forwarding"
 	enableSSHRemotePortForwardFlag = "enable-ssh-remote-port-forwarding"
 	disableSSHAuthFlag             = "disable-ssh-auth"
 	sshJWTCacheTTLFlag             = "ssh-jwt-cache-ttl"
 )
 var (
-	port                  int
+	port     int
-	username              string
+	userName = "root"
-	host                  string
+	host     string
 	command               string
 	localForwards         []string
 	remoteForwards        []string
 	strictHostKeyChecking bool
 	knownHostsFile        string
 	identityFile          string
 	skipCachedToken       bool
 	requestPTY            bool
 	sshNoBrowser          bool
 )
 var (
 	serverSSHAllowed           bool
 	enableSSHRoot              bool
 	enableSSHSFTP              bool
 	enableSSHLocalPortForward  bool
 	enableSSHRemotePortForward bool
 	disableSSHAuth             bool
 	sshJWTCacheTTL             int
 )
 func init() {
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer")
 	upCmd.PersistentFlags().BoolVar(&enableSSHRoot, enableSSHRootFlag, false, "Enable root login for SSH server")
 	upCmd.PersistentFlags().BoolVar(&enableSSHSFTP, enableSSHSFTPFlag, false, "Enable SFTP subsystem for SSH server")
 	upCmd.PersistentFlags().BoolVar(&enableSSHLocalPortForward, enableSSHLocalPortForwardFlag, false, "Enable local port forwarding for SSH server")
 	upCmd.PersistentFlags().BoolVar(&enableSSHRemotePortForward, enableSSHRemotePortForwardFlag, false, "Enable remote port forwarding for SSH server")
 	upCmd.PersistentFlags().BoolVar(&disableSSHAuth, disableSSHAuthFlag, false, "Disable SSH authentication")
 	upCmd.PersistentFlags().IntVar(&sshJWTCacheTTL, sshJWTCacheTTLFlag, 0, "SSH JWT token cache TTL in seconds (0=disabled)")
 	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", sshserver.DefaultSSHPort, "Remote SSH port")
 	sshCmd.PersistentFlags().StringVarP(&username, "user", "u", "", sshUsernameDesc)
 	sshCmd.PersistentFlags().StringVar(&username, "login", "", sshUsernameDesc+" (alias for --user)")
 	sshCmd.PersistentFlags().BoolVarP(&requestPTY, "tty", "t", false, "Force pseudo-terminal allocation")
 	sshCmd.PersistentFlags().BoolVar(&strictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking (default: true)")
 	sshCmd.PersistentFlags().StringVarP(&knownHostsFile, "known-hosts", "o", "", "Path to known_hosts file (default: ~/.ssh/known_hosts)")
 	sshCmd.PersistentFlags().StringVarP(&identityFile, "identity", "i", "", "Path to SSH private key file (deprecated)")
 	_ = sshCmd.PersistentFlags().MarkDeprecated("identity", "this flag is no longer used")
 	sshCmd.PersistentFlags().BoolVar(&skipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
 	sshCmd.PersistentFlags().BoolVar(&sshNoBrowser, noBrowserFlag, false, noBrowserDesc)
 	sshCmd.PersistentFlags().StringArrayP("L", "L", []string{}, "Local port forwarding [bind_address:]port:host:hostport")
 	sshCmd.PersistentFlags().StringArrayP("R", "R", []string{}, "Remote port forwarding [bind_address:]port:host:hostport")
 	sshCmd.AddCommand(sshSftpCmd)
 	sshCmd.AddCommand(sshProxyCmd)
 	sshCmd.AddCommand(sshDetectCmd)
 }
 var sshCmd = &cobra.Command{
-	Use:   "ssh [flags] [user@]host [command]",
+	Use: "ssh [user@]host",
-	Short: "Connect to a NetBird peer via SSH",
+	Args: func(cmd *cobra.Command, args []string) error {
-	Long: `Connect to a NetBird peer using SSH with support for port forwarding.
+		if len(args) < 1 {
-
+			return errors.New("requires a host argument")
 Port Forwarding:
  -L [bind_address:]port:host:hostport   Local port forwarding
  -L [bind_address:]port:/path/to/socket Local port forwarding to Unix socket
  -R [bind_address:]port:host:hostport   Remote port forwarding
  -R [bind_address:]port:/path/to/socket Remote port forwarding to Unix socket
 SSH Options:
  -p, --port int                       Remote SSH port (default 22)
  -u, --user string                    SSH username
      --login string                   SSH username (alias for --user)
  -t, --tty                            Force pseudo-terminal allocation
      --strict-host-key-checking       Enable strict host key checking (default: true)
  -o, --known-hosts string             Path to known_hosts file
 Examples:
  netbird ssh peer-hostname
  netbird ssh root@peer-hostname
  netbird ssh --login root peer-hostname
  netbird ssh peer-hostname ls -la
  netbird ssh peer-hostname whoami
  netbird ssh -t peer-hostname tmux                  # Force PTY for tmux/screen
  netbird ssh -t peer-hostname sudo -i               # Force PTY for interactive sudo
  netbird ssh -L 8080:localhost:80 peer-hostname     # Local port forwarding
  netbird ssh -R 9090:localhost:3000 peer-hostname   # Remote port forwarding
  netbird ssh -L "*:8080:localhost:80" peer-hostname # Bind to all interfaces
  netbird ssh -L 8080:/tmp/socket peer-hostname      # Unix socket forwarding`,
 	DisableFlagParsing: true,
 	Args:               validateSSHArgsWithoutFlagParsing,
 	RunE:               sshFn,
 	Aliases:            []string{"ssh"},
 }
 func sshFn(cmd *cobra.Command, args []string) error {
 	for _, arg := range args {
 		if arg == "-h" || arg == "--help" {
 			return cmd.Help()
 		}
 	}
-	SetFlagsFromEnvVars(rootCmd)
+		split := strings.Split(args[0], "@")
-	SetFlagsFromEnvVars(cmd)
+		if len(split) == 2 {
-
+			userName = split[0]
-	cmd.SetOut(cmd.OutOrStdout())
+			host = split[1]
 	logOutput := "console"
 	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
 		logOutput = firstLogFile
 	}
 	if err := util.InitLog(logLevel, logOutput); err != nil {
 		return fmt.Errorf("init log: %w", err)
 	}
 	ctx := internal.CtxInitState(cmd.Context())
 	sig := make(chan os.Signal, 1)
 	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
 	sshctx, cancel := context.WithCancel(ctx)
 	errCh := make(chan error, 1)
 	go func() {
 		if err := runSSH(sshctx, host, cmd); err != nil {
 			errCh <- err
 		}
 		cancel()
 	}()
 	select {
 	case <-sig:
 		cancel()
 		<-sshctx.Done()
 		return nil
 	case err := <-errCh:
 		return err
 	case <-sshctx.Done():
 	}
 	return nil
 }
 // getEnvOrDefault checks for environment variables with WT_ and NB_ prefixes
 func getEnvOrDefault(flagName, defaultValue string) string {
 	if envValue := os.Getenv("WT_" + flagName); envValue != "" {
 		return envValue
 	}
 	if envValue := os.Getenv("NB_" + flagName); envValue != "" {
 		return envValue
 	}
 	return defaultValue
 }
 // getBoolEnvOrDefault checks for boolean environment variables with WT_ and NB_ prefixes
 func getBoolEnvOrDefault(flagName string, defaultValue bool) bool {
 	if envValue := os.Getenv("WT_" + flagName); envValue != "" {
 		if parsed, err := strconv.ParseBool(envValue); err == nil {
 			return parsed
 		}
 	}
 	if envValue := os.Getenv("NB_" + flagName); envValue != "" {
 		if parsed, err := strconv.ParseBool(envValue); err == nil {
 			return parsed
 		}
 	}
 	return defaultValue
 }
 // resetSSHGlobals sets SSH globals to their default values
 func resetSSHGlobals() {
 	port = sshserver.DefaultSSHPort
 	username = ""
 	host = ""
 	command = ""
 	localForwards = nil
 	remoteForwards = nil
 	strictHostKeyChecking = true
 	knownHostsFile = ""
 	identityFile = ""
 	sshNoBrowser = false
 }
 // parseCustomSSHFlags extracts -L, -R flags and returns filtered args
 func parseCustomSSHFlags(args []string) ([]string, []string, []string) {
 	var localForwardFlags []string
 	var remoteForwardFlags []string
 	var filteredArgs []string
 	for i := 0; i < len(args); i++ {
 		arg := args[i]
 		switch {
 		case strings.HasPrefix(arg, "-L"):
 			localForwardFlags, i = parseForwardFlag(arg, args, i, localForwardFlags)
 		case strings.HasPrefix(arg, "-R"):
 			remoteForwardFlags, i = parseForwardFlag(arg, args, i, remoteForwardFlags)
 		default:
 			filteredArgs = append(filteredArgs, arg)
 		}
 	}
 	return filteredArgs, localForwardFlags, remoteForwardFlags
 }
 func parseForwardFlag(arg string, args []string, i int, flags []string) ([]string, int) {
 	if arg == "-L" || arg == "-R" {
 		if i+1 < len(args) {
 			flags = append(flags, args[i+1])
 			i++
 		}
 	} else if len(arg) > 2 {
 		flags = append(flags, arg[2:])
 	}
 	return flags, i
 }
 // extractGlobalFlags parses global flags that were passed before 'ssh' command
 func extractGlobalFlags(args []string) {
 	sshPos := findSSHCommandPosition(args)
 	if sshPos == -1 {
 		return
 	}
 	globalArgs := args[:sshPos]
 	parseGlobalArgs(globalArgs)
 }
 // findSSHCommandPosition locates the 'ssh' command in the argument list
 func findSSHCommandPosition(args []string) int {
 	for i, arg := range args {
 		if arg == "ssh" {
 			return i
 		}
 	}
 	return -1
 }
 const (
 	configFlag   = "config"
 	logLevelFlag = "log-level"
 	logFileFlag  = "log-file"
 )
 // parseGlobalArgs processes the global arguments and sets the corresponding variables
 func parseGlobalArgs(globalArgs []string) {
 	flagHandlers := map[string]func(string){
 		configFlag:   func(value string) { configPath = value },
 		logLevelFlag: func(value string) { logLevel = value },
 		logFileFlag: func(value string) {
 			if !slices.Contains(logFiles, value) {
 				logFiles = append(logFiles, value)
 			}
 		},
 	}
 	shortFlags := map[string]string{
 		"c": configFlag,
 		"l": logLevelFlag,
 	}
 	for i := 0; i < len(globalArgs); i++ {
 		arg := globalArgs[i]
 		if handled, nextIndex := parseFlag(arg, globalArgs, i, flagHandlers, shortFlags); handled {
 			i = nextIndex
 		}
 	}
 }
 // parseFlag handles generic flag parsing for both long and short forms
 func parseFlag(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (bool, int) {
 	if parsedValue, found := parseEqualsFormat(arg, flagHandlers, shortFlags); found {
 		flagHandlers[parsedValue.flagName](parsedValue.value)
 		return true, currentIndex
 	}
 	if parsedValue, found := parseSpacedFormat(arg, args, currentIndex, flagHandlers, shortFlags); found {
 		flagHandlers[parsedValue.flagName](parsedValue.value)
 		return true, currentIndex + 1
 	}
 	return false, currentIndex
 }
 type parsedFlag struct {
 	flagName string
 	value    string
 }
 // parseEqualsFormat handles --flag=value and -f=value formats
 func parseEqualsFormat(arg string, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
 	if !strings.Contains(arg, "=") {
 		return parsedFlag{}, false
 	}
 	parts := strings.SplitN(arg, "=", 2)
 	if len(parts) != 2 {
 		return parsedFlag{}, false
 	}
 	if strings.HasPrefix(parts[0], "--") {
 		flagName := strings.TrimPrefix(parts[0], "--")
 		if _, exists := flagHandlers[flagName]; exists {
 			return parsedFlag{flagName: flagName, value: parts[1]}, true
 		}
 	}
 	if strings.HasPrefix(parts[0], "-") && len(parts[0]) == 2 {
 		shortFlag := strings.TrimPrefix(parts[0], "-")
 		if longFlag, exists := shortFlags[shortFlag]; exists {
 			if _, exists := flagHandlers[longFlag]; exists {
 				return parsedFlag{flagName: longFlag, value: parts[1]}, true
 			}
 		}
 	}
 	return parsedFlag{}, false
 }
 // parseSpacedFormat handles --flag value and -f value formats
 func parseSpacedFormat(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
 	if currentIndex+1 >= len(args) {
 		return parsedFlag{}, false
 	}
 	if strings.HasPrefix(arg, "--") {
 		flagName := strings.TrimPrefix(arg, "--")
 		if _, exists := flagHandlers[flagName]; exists {
 			return parsedFlag{flagName: flagName, value: args[currentIndex+1]}, true
 		}
 	}
 	if strings.HasPrefix(arg, "-") && len(arg) == 2 {
 		shortFlag := strings.TrimPrefix(arg, "-")
 		if longFlag, exists := shortFlags[shortFlag]; exists {
 			if _, exists := flagHandlers[longFlag]; exists {
 				return parsedFlag{flagName: longFlag, value: args[currentIndex+1]}, true
 			}
 		}
 	}
 	return parsedFlag{}, false
 }
 // createSSHFlagSet creates and configures the flag set for SSH command parsing
 // sshFlags contains all SSH-related flags and parameters
 type sshFlags struct {
 	Port                  int
 	Username              string
 	Login                 string
 	RequestPTY            bool
 	StrictHostKeyChecking bool
 	KnownHostsFile        string
 	IdentityFile          string
 	SkipCachedToken       bool
 	NoBrowser             bool
 	ConfigPath            string
 	LogLevel              string
 	LocalForwards         []string
 	RemoteForwards        []string
 	Host                  string
 	Command               string
 }
 func createSSHFlagSet() (*flag.FlagSet, *sshFlags) {
 	defaultConfigPath := getEnvOrDefault("CONFIG", configPath)
 	defaultLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
 	defaultNoBrowser := getBoolEnvOrDefault("NO_BROWSER", false)
 	fs := flag.NewFlagSet("ssh-flags", flag.ContinueOnError)
 	fs.SetOutput(nil)
 	flags := &sshFlags{}
 	fs.IntVar(&flags.Port, "p", sshserver.DefaultSSHPort, "SSH port")
 	fs.IntVar(&flags.Port, "port", sshserver.DefaultSSHPort, "SSH port")
 	fs.StringVar(&flags.Username, "u", "", sshUsernameDesc)
 	fs.StringVar(&flags.Username, "user", "", sshUsernameDesc)
 	fs.StringVar(&flags.Login, "login", "", sshUsernameDesc+" (alias for --user)")
 	fs.BoolVar(&flags.RequestPTY, "t", false, "Force pseudo-terminal allocation")
 	fs.BoolVar(&flags.RequestPTY, "tty", false, "Force pseudo-terminal allocation")
 	fs.BoolVar(&flags.StrictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking")
 	fs.StringVar(&flags.KnownHostsFile, "o", "", "Path to known_hosts file")
 	fs.StringVar(&flags.KnownHostsFile, "known-hosts", "", "Path to known_hosts file")
 	fs.StringVar(&flags.IdentityFile, "i", "", "Path to SSH private key file")
 	fs.StringVar(&flags.IdentityFile, "identity", "", "Path to SSH private key file")
 	fs.BoolVar(&flags.SkipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
 	fs.BoolVar(&flags.NoBrowser, "no-browser", defaultNoBrowser, noBrowserDesc)
 	fs.StringVar(&flags.ConfigPath, "c", defaultConfigPath, "Netbird config file location")
 	fs.StringVar(&flags.ConfigPath, "config", defaultConfigPath, "Netbird config file location")
 	fs.StringVar(&flags.LogLevel, "l", defaultLogLevel, "sets Netbird log level")
 	fs.StringVar(&flags.LogLevel, "log-level", defaultLogLevel, "sets Netbird log level")
 	return fs, flags
 }
 func validateSSHArgsWithoutFlagParsing(_ *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		return errors.New(hostArgumentRequired)
 	}
 	resetSSHGlobals()
 	if len(os.Args) > 2 {
 		extractGlobalFlags(os.Args[1:])
 	}
 	filteredArgs, localForwardFlags, remoteForwardFlags := parseCustomSSHFlags(args)
 	fs, flags := createSSHFlagSet()
 	if err := fs.Parse(filteredArgs); err != nil {
 		if errors.Is(err, flag.ErrHelp) {
 			return nil
 		}
 		return err
 	}
 	remaining := fs.Args()
 	if len(remaining) < 1 {
 		return errors.New(hostArgumentRequired)
 	}
 	port = flags.Port
 	if flags.Username != "" {
 		username = flags.Username
 	} else if flags.Login != "" {
 		username = flags.Login
 	}
 	requestPTY = flags.RequestPTY
 	strictHostKeyChecking = flags.StrictHostKeyChecking
 	knownHostsFile = flags.KnownHostsFile
 	identityFile = flags.IdentityFile
 	skipCachedToken = flags.SkipCachedToken
 	sshNoBrowser = flags.NoBrowser
 	if flags.ConfigPath != getEnvOrDefault("CONFIG", configPath) {
 		configPath = flags.ConfigPath
 	}
 	if flags.LogLevel != getEnvOrDefault("LOG_LEVEL", logLevel) {
 		logLevel = flags.LogLevel
 	}
 	localForwards = localForwardFlags
 	remoteForwards = remoteForwardFlags
 	return parseHostnameAndCommand(remaining)
 }
 func parseHostnameAndCommand(args []string) error {
 	if len(args) < 1 {
 		return errors.New(hostArgumentRequired)
 	}
 	arg := args[0]
 	if strings.Contains(arg, "@") {
 		parts := strings.SplitN(arg, "@", 2)
 		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
 			return errors.New("invalid user@host format")
 		}
 		if username == "" {
 			username = parts[0]
 		}
 		host = parts[1]
 	} else {
 		host = arg
 	}
 	if username == "" {
 		if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
 			username = sudoUser
 		} else if currentUser, err := user.Current(); err == nil {
 			username = currentUser.Username
 		} else {
-			username = "root"
+			host = args[0]
 		}
 	}
 	// Everything after hostname becomes the command
 	if len(args) > 1 {
 		command = strings.Join(args[1:], " ")
 	}
 	return nil
 }
 func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
 	target := fmt.Sprintf("%s:%d", addr, port)
 	c, err := sshclient.Dial(ctx, target, username, sshclient.DialOptions{
 		KnownHostsFile:     knownHostsFile,
 		IdentityFile:       identityFile,
 		DaemonAddr:         daemonAddr,
 		SkipCachedToken:    skipCachedToken,
 		InsecureSkipVerify: !strictHostKeyChecking,
 		NoBrowser:          sshNoBrowser,
 	})
 	if err != nil {
 		cmd.Printf("Failed to connect to %s@%s\n", username, target)
 		cmd.Printf("\nTroubleshooting steps:\n")
 		cmd.Printf("  1. Check peer connectivity: netbird status -d\n")
 		cmd.Printf("  2. Verify SSH server is enabled on the peer\n")
 		cmd.Printf("  3. Ensure correct hostname/IP is used\n")
 		return fmt.Errorf("dial %s: %w", target, err)
 	}
 	sshCtx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	go func() {
 		<-sshCtx.Done()
 		if err := c.Close(); err != nil {
 			cmd.Printf("Error closing SSH connection: %v\n", err)
 		}
 	}()
 	if err := startPortForwarding(sshCtx, c, cmd); err != nil {
 		return fmt.Errorf("start port forwarding: %w", err)
 	}
 	if command != "" {
 		return executeSSHCommand(sshCtx, c, command)
 	}
 	return openSSHTerminal(sshCtx, c)
 }
 // executeSSHCommand executes a command over SSH.
 func executeSSHCommand(ctx context.Context, c *sshclient.Client, command string) error {
 	var err error
 	if requestPTY {
 		err = c.ExecuteCommandWithPTY(ctx, command)
 	} else {
 		err = c.ExecuteCommandWithIO(ctx, command)
 	}
 	if err != nil {
 		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
 			return nil
 		}
 		var exitErr *ssh.ExitError
 		if errors.As(err, &exitErr) {
 			os.Exit(exitErr.ExitStatus())
 		}
 		var exitMissingErr *ssh.ExitMissingError
 		if errors.As(err, &exitMissingErr) {
 			log.Debugf("Remote command exited without exit status: %v", err)
 			return nil
 		}
 		return fmt.Errorf("execute command: %w", err)
 	}
 	return nil
 }
 // openSSHTerminal opens an interactive SSH terminal.
 func openSSHTerminal(ctx context.Context, c *sshclient.Client) error {
 	if err := c.OpenTerminal(ctx); err != nil {
 		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
 			return nil
 		}
 		var exitMissingErr *ssh.ExitMissingError
 		if errors.As(err, &exitMissingErr) {
 			log.Debugf("Remote terminal exited without exit status: %v", err)
 			return nil
 		}
 		return fmt.Errorf("open terminal: %w", err)
 	}
 	return nil
 }
 // startPortForwarding starts local and remote port forwarding based on command line flags
 func startPortForwarding(ctx context.Context, c *sshclient.Client, cmd *cobra.Command) error {
 	for _, forward := range localForwards {
 		if err := parseAndStartLocalForward(ctx, c, forward, cmd); err != nil {
 			return fmt.Errorf("local port forward %s: %w", forward, err)
 		}
 	}
 	for _, forward := range remoteForwards {
 		if err := parseAndStartRemoteForward(ctx, c, forward, cmd); err != nil {
 			return fmt.Errorf("remote port forward %s: %w", forward, err)
 		}
 	}
 	return nil
 }
 // parseAndStartLocalForward parses and starts a local port forward (-L)
 func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
 	localAddr, remoteAddr, err := parsePortForwardSpec(forward)
 	if err != nil {
 		return err
 	}
 	if err := validateDestinationPort(remoteAddr); err != nil {
 		return fmt.Errorf("invalid remote address: %w", err)
 	}
 	log.Debugf("Local port forwarding: %s -> %s", localAddr, remoteAddr)
 	go func() {
 		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
 			cmd.Printf("Local port forward error: %v\n", err)
 		}
 	}()
 	return nil
 }
 // parseAndStartRemoteForward parses and starts a remote port forward (-R)
 func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
 	remoteAddr, localAddr, err := parsePortForwardSpec(forward)
 	if err != nil {
 		return err
 	}
 	if err := validateDestinationPort(localAddr); err != nil {
 		return fmt.Errorf("invalid local address: %w", err)
 	}
 	log.Debugf("Remote port forwarding: %s -> %s", remoteAddr, localAddr)
 	go func() {
 		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
 			cmd.Printf("Remote port forward error: %v\n", err)
 		}
 	}()
 	return nil
 }
 // validateDestinationPort checks that the destination address has a valid port.
 // Port 0 is only valid for bind addresses (where the OS picks an available port),
 // not for destination addresses where we need to connect.
 func validateDestinationPort(addr string) error {
 	if strings.HasPrefix(addr, "/") || strings.HasPrefix(addr, "./") {
 		return nil
-	}
+	},
 	Short: "Connect to a remote SSH server",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 		SetFlagsFromEnvVars(cmd)
-	_, portStr, err := net.SplitHostPort(addr)
+		cmd.SetOut(cmd.OutOrStdout())
 		err := util.InitLog(logLevel, util.LogConsole)
 		if err != nil {
 			return fmt.Errorf("failed initializing log %v", err)
 		}
 		if !util.IsAdmin() {
 			cmd.Printf("error: you must have Administrator privileges to run this command\n")
 			return nil
 		}
 		ctx := internal.CtxInitState(cmd.Context())
 		sm := profilemanager.NewServiceManager(configPath)
 		activeProf, err := sm.GetActiveProfileState()
 		if err != nil {
 			return fmt.Errorf("get active profile: %v", err)
 		}
 		profPath, err := activeProf.FilePath()
 		if err != nil {
 			return fmt.Errorf("get active profile path: %v", err)
 		}
 		config, err := profilemanager.ReadConfig(profPath)
 		if err != nil {
 			return fmt.Errorf("read profile config: %v", err)
 		}
 		sig := make(chan os.Signal, 1)
 		signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
 		sshctx, cancel := context.WithCancel(ctx)
 		go func() {
 			// blocking
 			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
 				cmd.Printf("Error: %v\n", err)
 				os.Exit(1)
 			}
 			cancel()
 		}()
 		select {
 		case <-sig:
 			cancel()
 		case <-sshctx.Done():
 		}
 		return nil
 	},
 }
 func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
 	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), userName, pemKey)
 	if err != nil {
-		return fmt.Errorf("parse address %s: %w", addr, err)
+		cmd.Printf("Error: %v\n", err)
 		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +
 			"\nYou can verify the connection by running:\n\n" +
 			" netbird status\n\n")
 		return err
 	}
-
+	go func() {
-	port, err := strconv.Atoi(portStr)
+		<-ctx.Done()
-	if err != nil {
+		err = c.Close()
-		return fmt.Errorf("invalid port %s: %w", portStr, err)
+		if err != nil {
-	}
+			return
 	if port == 0 {
 		return fmt.Errorf("port 0 is not valid for destination address")
 	}
 	if port < 0 || port > 65535 {
 		return fmt.Errorf("port %d out of range (1-65535)", port)
 	}
 	return nil
 }
 // parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
 // Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
 func parsePortForwardSpec(spec string) (string, string, error) {
 	// Support formats:
 	// port:host:hostport  -> localhost:port -> host:hostport
 	// host:port:host:hostport  -> host:port -> host:hostport
 	// [host]:port:host:hostport -> [host]:port -> host:hostport
 	// port:unix_socket_path -> localhost:port -> unix_socket_path
 	// host:port:unix_socket_path -> host:port -> unix_socket_path
 	if strings.HasPrefix(spec, "[") && strings.Contains(spec, "]:") {
 		return parseIPv6ForwardSpec(spec)
 	}
 	parts := strings.Split(spec, ":")
 	if len(parts) < 2 {
 		return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_target)", spec)
 	}
 	switch len(parts) {
 	case 2:
 		return parseTwoPartForwardSpec(parts, spec)
 	case 3:
 		return parseThreePartForwardSpec(parts)
 	case 4:
 		return parseFourPartForwardSpec(parts)
 	default:
 		return "", "", fmt.Errorf("invalid port forward specification: %s", spec)
 	}
 }
 // parseTwoPartForwardSpec handles "port:unix_socket" format.
 func parseTwoPartForwardSpec(parts []string, spec string) (string, string, error) {
 	if isUnixSocket(parts[1]) {
 		localAddr := "localhost:" + parts[0]
 		remoteAddr := parts[1]
 		return localAddr, remoteAddr, nil
 	}
 	return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_host:remote_port or [local_host:]local_port:unix_socket)", spec)
 }
 // parseThreePartForwardSpec handles "port:host:hostport" or "host:port:unix_socket" formats.
 func parseThreePartForwardSpec(parts []string) (string, string, error) {
 	if isUnixSocket(parts[2]) {
 		localHost := normalizeLocalHost(parts[0])
 		localAddr := localHost + ":" + parts[1]
 		remoteAddr := parts[2]
 		return localAddr, remoteAddr, nil
 	}
 	localAddr := "localhost:" + parts[0]
 	remoteAddr := parts[1] + ":" + parts[2]
 	return localAddr, remoteAddr, nil
 }
 // parseFourPartForwardSpec handles "host:port:host:hostport" format.
 func parseFourPartForwardSpec(parts []string) (string, string, error) {
 	localHost := normalizeLocalHost(parts[0])
 	localAddr := localHost + ":" + parts[1]
 	remoteAddr := parts[2] + ":" + parts[3]
 	return localAddr, remoteAddr, nil
 }
 // parseIPv6ForwardSpec handles "[host]:port:host:hostport" format.
 func parseIPv6ForwardSpec(spec string) (string, string, error) {
 	idx := strings.Index(spec, "]:")
 	if idx == -1 {
 		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s", spec)
 	}
 	ipv6Host := spec[:idx+1]
 	remaining := spec[idx+2:]
 	parts := strings.Split(remaining, ":")
 	if len(parts) != 3 {
 		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s (expected [ipv6]:port:host:hostport)", spec)
 	}
 	localAddr := ipv6Host + ":" + parts[0]
 	remoteAddr := parts[1] + ":" + parts[2]
 	return localAddr, remoteAddr, nil
 }
 // isUnixSocket checks if a path is a Unix socket path.
 func isUnixSocket(path string) bool {
 	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
 }
 // normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
 func normalizeLocalHost(host string) string {
 	if host == "*" {
 		return "0.0.0.0"
 	}
 	return host
 }
 var sshProxyCmd = &cobra.Command{
 	Use:    "proxy <host> <port>",
 	Short:  "Internal SSH proxy for native SSH client integration",
 	Long:   "Internal command used by SSH ProxyCommand to handle JWT authentication",
 	Hidden: true,
 	Args:   cobra.ExactArgs(2),
 	RunE:   sshProxyFn,
 }
 func sshProxyFn(cmd *cobra.Command, args []string) error {
 	logOutput := "console"
 	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
 		logOutput = firstLogFile
 	}
 	proxyLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
 	if err := util.InitLog(proxyLogLevel, logOutput); err != nil {
 		return fmt.Errorf("init log: %w", err)
 	}
 	host := args[0]
 	portStr := args[1]
 	port, err := strconv.Atoi(portStr)
 	if err != nil {
 		return fmt.Errorf("invalid port: %s", portStr)
 	}
 	// Check env var for browser setting since this command is invoked via SSH ProxyCommand
 	// where command-line flags cannot be passed. Default is to open browser.
 	noBrowser := getBoolEnvOrDefault("NO_BROWSER", false)
 	var browserOpener func(string) error
 	if !noBrowser {
 		browserOpener = util.OpenBrowser
 	}
 	proxy, err := sshproxy.New(daemonAddr, host, port, cmd.ErrOrStderr(), browserOpener)
 	if err != nil {
 		return fmt.Errorf("create SSH proxy: %w", err)
 	}
 	defer func() {
 		if err := proxy.Close(); err != nil {
 			log.Debugf("close SSH proxy: %v", err)
 		}
 	}()
-	if err := proxy.Connect(cmd.Context()); err != nil {
+	err = c.OpenTerminal()
-		return fmt.Errorf("SSH proxy: %w", err)
+	if err != nil {
 		return err
 	}
 	return nil
 }
-var sshDetectCmd = &cobra.Command{
+func init() {
-	Use:    "detect <host> <port>",
+	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", nbssh.DefaultSSHPort, "Sets remote SSH port. Defaults to "+fmt.Sprint(nbssh.DefaultSSHPort))
 	Short:  "Detect if a host is running NetBird SSH",
 	Long:   "Internal command used by SSH Match exec to detect NetBird SSH servers. Exit codes: 0=JWT, 1=no-JWT, 2=regular SSH",
 	Hidden: true,
 	Args:   cobra.ExactArgs(2),
 	RunE:   sshDetectFn,
 }
 func sshDetectFn(cmd *cobra.Command, args []string) error {
 	detectLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
 	if err := util.InitLog(detectLogLevel, "console"); err != nil {
 		os.Exit(detection.ServerTypeRegular.ExitCode())
 	}
 	host := args[0]
 	portStr := args[1]
 	port, err := strconv.Atoi(portStr)
 	if err != nil {
 		log.Debugf("invalid port %q: %v", portStr, err)
 		os.Exit(detection.ServerTypeRegular.ExitCode())
 	}
 	ctx, cancel := context.WithTimeout(cmd.Context(), detection.DefaultTimeout)
 	dialer := &net.Dialer{}
 	serverType, err := detection.DetectSSHServerType(ctx, dialer, host, port)
 	if err != nil {
 		log.Debugf("SSH server detection failed: %v", err)
 		cancel()
 		os.Exit(detection.ServerTypeRegular.ExitCode())
 	}
 	cancel()
 	os.Exit(serverType.ExitCode())
 	return nil
 }
--- a/client/cmd/ssh_exec_unix.go
+++ b/client/cmd/ssh_exec_unix.go
@@ -1,74 +0,0 @@
 //go:build unix
 package cmd
 import (
 	"fmt"
 	"os"
 	"github.com/spf13/cobra"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 )
 var (
 	sshExecUID        uint32
 	sshExecGID        uint32
 	sshExecGroups     []uint
 	sshExecWorkingDir string
 	sshExecShell      string
 	sshExecCommand    string
 	sshExecPTY        bool
 )
 // sshExecCmd represents the hidden ssh exec subcommand for privilege dropping
 var sshExecCmd = &cobra.Command{
 	Use:    "exec",
 	Short:  "Internal SSH execution with privilege dropping (hidden)",
 	Hidden: true,
 	RunE:   runSSHExec,
 }
 func init() {
 	sshExecCmd.Flags().Uint32Var(&sshExecUID, "uid", 0, "Target user ID")
 	sshExecCmd.Flags().Uint32Var(&sshExecGID, "gid", 0, "Target group ID")
 	sshExecCmd.Flags().UintSliceVar(&sshExecGroups, "groups", nil, "Supplementary group IDs (can be repeated)")
 	sshExecCmd.Flags().StringVar(&sshExecWorkingDir, "working-dir", "", "Working directory")
 	sshExecCmd.Flags().StringVar(&sshExecShell, "shell", "/bin/sh", "Shell to execute")
 	sshExecCmd.Flags().BoolVar(&sshExecPTY, "pty", false, "Request PTY (will fail as executor doesn't support PTY)")
 	sshExecCmd.Flags().StringVar(&sshExecCommand, "cmd", "", "Command to execute")
 	if err := sshExecCmd.MarkFlagRequired("uid"); err != nil {
 		_, _ = fmt.Fprintf(os.Stderr, "failed to mark uid flag as required: %v\n", err)
 		os.Exit(1)
 	}
 	if err := sshExecCmd.MarkFlagRequired("gid"); err != nil {
 		_, _ = fmt.Fprintf(os.Stderr, "failed to mark gid flag as required: %v\n", err)
 		os.Exit(1)
 	}
 	sshCmd.AddCommand(sshExecCmd)
 }
 // runSSHExec handles the SSH exec subcommand execution.
 func runSSHExec(cmd *cobra.Command, _ []string) error {
 	privilegeDropper := sshserver.NewPrivilegeDropper()
 	var groups []uint32
 	for _, groupInt := range sshExecGroups {
 		groups = append(groups, uint32(groupInt))
 	}
 	config := sshserver.ExecutorConfig{
 		UID:        sshExecUID,
 		GID:        sshExecGID,
 		Groups:     groups,
 		WorkingDir: sshExecWorkingDir,
 		Shell:      sshExecShell,
 		Command:    sshExecCommand,
 		PTY:        sshExecPTY,
 	}
 	privilegeDropper.ExecuteWithPrivilegeDrop(cmd.Context(), config)
 	return nil
 }
--- a/client/cmd/ssh_sftp_unix.go
+++ b/client/cmd/ssh_sftp_unix.go
@@ -1,94 +0,0 @@
 //go:build unix
 package cmd
 import (
 	"errors"
 	"io"
 	"os"
 	"github.com/pkg/sftp"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 )
 var (
 	sftpUID        uint32
 	sftpGID        uint32
 	sftpGroupsInt  []uint
 	sftpWorkingDir string
 )
 var sshSftpCmd = &cobra.Command{
 	Use:    "sftp",
 	Short:  "SFTP server with privilege dropping (internal use)",
 	Hidden: true,
 	RunE:   sftpMain,
 }
 func init() {
 	sshSftpCmd.Flags().Uint32Var(&sftpUID, "uid", 0, "Target user ID")
 	sshSftpCmd.Flags().Uint32Var(&sftpGID, "gid", 0, "Target group ID")
 	sshSftpCmd.Flags().UintSliceVar(&sftpGroupsInt, "groups", nil, "Supplementary group IDs (can be repeated)")
 	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
 }
 func sftpMain(cmd *cobra.Command, _ []string) error {
 	privilegeDropper := sshserver.NewPrivilegeDropper()
 	var groups []uint32
 	for _, groupInt := range sftpGroupsInt {
 		groups = append(groups, uint32(groupInt))
 	}
 	config := sshserver.ExecutorConfig{
 		UID:        sftpUID,
 		GID:        sftpGID,
 		Groups:     groups,
 		WorkingDir: sftpWorkingDir,
 		Shell:      "",
 		Command:    "",
 	}
 	log.Tracef("dropping privileges for SFTP to UID=%d, GID=%d, groups=%v", config.UID, config.GID, config.Groups)
 	if err := privilegeDropper.DropPrivileges(config.UID, config.GID, config.Groups); err != nil {
 		cmd.PrintErrf("privilege drop failed: %v\n", err)
 		os.Exit(sshserver.ExitCodePrivilegeDropFail)
 	}
 	if config.WorkingDir != "" {
 		if err := os.Chdir(config.WorkingDir); err != nil {
 			cmd.PrintErrf("failed to change to working directory %s: %v\n", config.WorkingDir, err)
 		}
 	}
 	sftpServer, err := sftp.NewServer(struct {
 		io.Reader
 		io.WriteCloser
 	}{
 		Reader:      os.Stdin,
 		WriteCloser: os.Stdout,
 	})
 	if err != nil {
 		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
 		os.Exit(sshserver.ExitCodeShellExecFail)
 	}
 	log.Tracef("starting SFTP server with dropped privileges")
 	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
 		cmd.PrintErrf("SFTP server error: %v\n", err)
 		if closeErr := sftpServer.Close(); closeErr != nil {
 			cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
 		}
 		os.Exit(sshserver.ExitCodeShellExecFail)
 	}
 	if closeErr := sftpServer.Close(); closeErr != nil {
 		cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
 	}
 	os.Exit(sshserver.ExitCodeSuccess)
 	return nil
 }
--- a/client/cmd/ssh_sftp_windows.go
+++ b/client/cmd/ssh_sftp_windows.go
@@ -1,94 +0,0 @@
 //go:build windows
 package cmd
 import (
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/user"
 	"strings"
 	"github.com/pkg/sftp"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 )
 var (
 	sftpWorkingDir  string
 	windowsUsername string
 	windowsDomain   string
 )
 var sshSftpCmd = &cobra.Command{
 	Use:    "sftp",
 	Short:  "SFTP server with user switching for Windows (internal use)",
 	Hidden: true,
 	RunE:   sftpMain,
 }
 func init() {
 	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
 	sshSftpCmd.Flags().StringVar(&windowsUsername, "windows-username", "", "Windows username for user switching")
 	sshSftpCmd.Flags().StringVar(&windowsDomain, "windows-domain", "", "Windows domain for user switching")
 }
 func sftpMain(cmd *cobra.Command, _ []string) error {
 	return sftpMainDirect(cmd)
 }
 func sftpMainDirect(cmd *cobra.Command) error {
 	currentUser, err := user.Current()
 	if err != nil {
 		cmd.PrintErrf("failed to get current user: %v\n", err)
 		os.Exit(sshserver.ExitCodeValidationFail)
 	}
 	if windowsUsername != "" {
 		expectedUsername := windowsUsername
 		if windowsDomain != "" {
 			expectedUsername = fmt.Sprintf(`%s\%s`, windowsDomain, windowsUsername)
 		}
 		if !strings.EqualFold(currentUser.Username, expectedUsername) && !strings.EqualFold(currentUser.Username, windowsUsername) {
 			cmd.PrintErrf("user switching failed\n")
 			os.Exit(sshserver.ExitCodeValidationFail)
 		}
 	}
 	log.Debugf("SFTP process running as: %s (UID: %s, Name: %s)", currentUser.Username, currentUser.Uid, currentUser.Name)
 	if sftpWorkingDir != "" {
 		if err := os.Chdir(sftpWorkingDir); err != nil {
 			cmd.PrintErrf("failed to change to working directory %s: %v\n", sftpWorkingDir, err)
 		}
 	}
 	sftpServer, err := sftp.NewServer(struct {
 		io.Reader
 		io.WriteCloser
 	}{
 		Reader:      os.Stdin,
 		WriteCloser: os.Stdout,
 	})
 	if err != nil {
 		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
 		os.Exit(sshserver.ExitCodeShellExecFail)
 	}
 	log.Debugf("starting SFTP server")
 	exitCode := sshserver.ExitCodeSuccess
 	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
 		cmd.PrintErrf("SFTP server error: %v\n", err)
 		exitCode = sshserver.ExitCodeShellExecFail
 	}
 	if err := sftpServer.Close(); err != nil {
 		log.Debugf("SFTP server close error: %v", err)
 	}
 	os.Exit(exitCode)
 	return nil
 }
--- a/client/cmd/ssh_test.go
+++ b/client/cmd/ssh_test.go
@@ -1,717 +0,0 @@
 package cmd
 import (
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 func TestSSHCommand_FlagParsing(t *testing.T) {
 	tests := []struct {
 		name         string
 		args         []string
 		expectedHost string
 		expectedUser string
 		expectedPort int
 		expectedCmd  string
 		expectError  bool
 	}{
 		{
 			name:         "basic host",
 			args:         []string{"hostname"},
 			expectedHost: "hostname",
 			expectedUser: "",
 			expectedPort: 22,
 			expectedCmd:  "",
 		},
 		{
 			name:         "user@host format",
 			args:         []string{"user@hostname"},
 			expectedHost: "hostname",
 			expectedUser: "user",
 			expectedPort: 22,
 			expectedCmd:  "",
 		},
 		{
 			name:         "host with command",
 			args:         []string{"hostname", "echo", "hello"},
 			expectedHost: "hostname",
 			expectedUser: "",
 			expectedPort: 22,
 			expectedCmd:  "echo hello",
 		},
 		{
 			name:         "command with flags should be preserved",
 			args:         []string{"hostname", "ls", "-la", "/tmp"},
 			expectedHost: "hostname",
 			expectedUser: "",
 			expectedPort: 22,
 			expectedCmd:  "ls -la /tmp",
 		},
 		{
 			name:         "double dash separator",
 			args:         []string{"hostname", "--", "ls", "-la"},
 			expectedHost: "hostname",
 			expectedUser: "",
 			expectedPort: 22,
 			expectedCmd:  "-- ls -la",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			// Mock command for testing
 			cmd := sshCmd
 			cmd.SetArgs(tt.args)
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			if tt.expectError {
 				assert.Error(t, err)
 				return
 			}
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedHost, host, "host mismatch")
 			if tt.expectedUser != "" {
 				assert.Equal(t, tt.expectedUser, username, "username mismatch")
 			}
 			assert.Equal(t, tt.expectedPort, port, "port mismatch")
 			assert.Equal(t, tt.expectedCmd, command, "command mismatch")
 		})
 	}
 }
 func TestSSHCommand_FlagConflictPrevention(t *testing.T) {
 	// Test that SSH flags don't conflict with command flags
 	tests := []struct {
 		name        string
 		args        []string
 		expectedCmd string
 		description string
 	}{
 		{
 			name:        "ls with -la flags",
 			args:        []string{"hostname", "ls", "-la"},
 			expectedCmd: "ls -la",
 			description: "ls flags should be passed to remote command",
 		},
 		{
 			name:        "grep with -r flag",
 			args:        []string{"hostname", "grep", "-r", "pattern", "/path"},
 			expectedCmd: "grep -r pattern /path",
 			description: "grep flags should be passed to remote command",
 		},
 		{
 			name:        "ps with aux flags",
 			args:        []string{"hostname", "ps", "aux"},
 			expectedCmd: "ps aux",
 			description: "ps flags should be passed to remote command",
 		},
 		{
 			name:        "command with double dash",
 			args:        []string{"hostname", "--", "ls", "-la"},
 			expectedCmd: "-- ls -la",
 			description: "double dash should be preserved in command",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			cmd := sshCmd
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedCmd, command, tt.description)
 		})
 	}
 }
 func TestSSHCommand_NonInteractiveExecution(t *testing.T) {
 	// Test that commands with arguments should execute the command and exit,
 	// not drop to an interactive shell
 	tests := []struct {
 		name        string
 		args        []string
 		expectedCmd string
 		shouldExit  bool
 		description string
 	}{
 		{
 			name:        "ls command should execute and exit",
 			args:        []string{"hostname", "ls"},
 			expectedCmd: "ls",
 			shouldExit:  true,
 			description: "ls command should execute and exit, not drop to shell",
 		},
 		{
 			name:        "ls with flags should execute and exit",
 			args:        []string{"hostname", "ls", "-la"},
 			expectedCmd: "ls -la",
 			shouldExit:  true,
 			description: "ls with flags should execute and exit, not drop to shell",
 		},
 		{
 			name:        "pwd command should execute and exit",
 			args:        []string{"hostname", "pwd"},
 			expectedCmd: "pwd",
 			shouldExit:  true,
 			description: "pwd command should execute and exit, not drop to shell",
 		},
 		{
 			name:        "echo command should execute and exit",
 			args:        []string{"hostname", "echo", "hello"},
 			expectedCmd: "echo hello",
 			shouldExit:  true,
 			description: "echo command should execute and exit, not drop to shell",
 		},
 		{
 			name:        "no command should open shell",
 			args:        []string{"hostname"},
 			expectedCmd: "",
 			shouldExit:  false,
 			description: "no command should open interactive shell",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			cmd := sshCmd
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedCmd, command, tt.description)
 			// When command is present, it should execute the command and exit
 			// When command is empty, it should open interactive shell
 			hasCommand := command != ""
 			assert.Equal(t, tt.shouldExit, hasCommand, "Command presence should match expected behavior")
 		})
 	}
 }
 func TestSSHCommand_FlagHandling(t *testing.T) {
 	// Test that flags after hostname are not parsed by netbird but passed to SSH command
 	tests := []struct {
 		name         string
 		args         []string
 		expectedHost string
 		expectedCmd  string
 		expectError  bool
 		description  string
 	}{
 		{
 			name:         "ls with -la flag should not be parsed by netbird",
 			args:         []string{"debian2", "ls", "-la"},
 			expectedHost: "debian2",
 			expectedCmd:  "ls -la",
 			expectError:  false,
 			description:  "ls -la should be passed as SSH command, not parsed as netbird flags",
 		},
 		{
 			name:         "command with netbird-like flags should be passed through",
 			args:         []string{"hostname", "echo", "--help"},
 			expectedHost: "hostname",
 			expectedCmd:  "echo --help",
 			expectError:  false,
 			description:  "--help should be passed to echo, not parsed by netbird",
 		},
 		{
 			name:         "command with -p flag should not conflict with SSH port flag",
 			args:         []string{"hostname", "ps", "-p", "1234"},
 			expectedHost: "hostname",
 			expectedCmd:  "ps -p 1234",
 			expectError:  false,
 			description:  "ps -p should be passed to ps command, not parsed as port",
 		},
 		{
 			name:         "tar with flags should be passed through",
 			args:         []string{"hostname", "tar", "-czf", "backup.tar.gz", "/home"},
 			expectedHost: "hostname",
 			expectedCmd:  "tar -czf backup.tar.gz /home",
 			expectError:  false,
 			description:  "tar flags should be passed to tar command",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			cmd := sshCmd
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			if tt.expectError {
 				assert.Error(t, err)
 				return
 			}
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedHost, host, "host mismatch")
 			assert.Equal(t, tt.expectedCmd, command, tt.description)
 		})
 	}
 }
 func TestSSHCommand_RegressionFlagParsing(t *testing.T) {
 	// Regression test for the specific issue: "sudo ./netbird ssh debian2 ls -la"
 	// should not parse -la as netbird flags but pass them to the SSH command
 	tests := []struct {
 		name         string
 		args         []string
 		expectedHost string
 		expectedCmd  string
 		expectError  bool
 		description  string
 	}{
 		{
 			name:         "original issue: ls -la should be preserved",
 			args:         []string{"debian2", "ls", "-la"},
 			expectedHost: "debian2",
 			expectedCmd:  "ls -la",
 			expectError:  false,
 			description:  "The original failing case should now work",
 		},
 		{
 			name:         "ls -l should be preserved",
 			args:         []string{"hostname", "ls", "-l"},
 			expectedHost: "hostname",
 			expectedCmd:  "ls -l",
 			expectError:  false,
 			description:  "Single letter flags should be preserved",
 		},
 		{
 			name:         "SSH port flag should work",
 			args:         []string{"-p", "2222", "hostname", "ls", "-la"},
 			expectedHost: "hostname",
 			expectedCmd:  "ls -la",
 			expectError:  false,
 			description:  "SSH -p flag should be parsed, command flags preserved",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			cmd := sshCmd
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			if tt.expectError {
 				assert.Error(t, err)
 				return
 			}
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedHost, host, "host mismatch")
 			assert.Equal(t, tt.expectedCmd, command, tt.description)
 			// Check port for the test case with -p flag
 			if len(tt.args) > 0 && tt.args[0] == "-p" {
 				assert.Equal(t, 2222, port, "port should be parsed from -p flag")
 			}
 		})
 	}
 }
 func TestSSHCommand_PortForwardingFlagParsing(t *testing.T) {
 	tests := []struct {
 		name           string
 		args           []string
 		expectedHost   string
 		expectedLocal  []string
 		expectedRemote []string
 		expectError    bool
 		description    string
 	}{
 		{
 			name:           "local port forwarding -L",
 			args:           []string{"-L", "8080:localhost:80", "hostname"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"8080:localhost:80"},
 			expectedRemote: []string{},
 			expectError:    false,
 			description:    "Single -L flag should be parsed correctly",
 		},
 		{
 			name:           "remote port forwarding -R",
 			args:           []string{"-R", "8080:localhost:80", "hostname"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{},
 			expectedRemote: []string{"8080:localhost:80"},
 			expectError:    false,
 			description:    "Single -R flag should be parsed correctly",
 		},
 		{
 			name:           "multiple local port forwards",
 			args:           []string{"-L", "8080:localhost:80", "-L", "9090:localhost:443", "hostname"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"8080:localhost:80", "9090:localhost:443"},
 			expectedRemote: []string{},
 			expectError:    false,
 			description:    "Multiple -L flags should be parsed correctly",
 		},
 		{
 			name:           "multiple remote port forwards",
 			args:           []string{"-R", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{},
 			expectedRemote: []string{"8080:localhost:80", "9090:localhost:443"},
 			expectError:    false,
 			description:    "Multiple -R flags should be parsed correctly",
 		},
 		{
 			name:           "mixed local and remote forwards",
 			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"8080:localhost:80"},
 			expectedRemote: []string{"9090:localhost:443"},
 			expectError:    false,
 			description:    "Mixed -L and -R flags should be parsed correctly",
 		},
 		{
 			name:           "port forwarding with bind address",
 			args:           []string{"-L", "127.0.0.1:8080:localhost:80", "hostname"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"127.0.0.1:8080:localhost:80"},
 			expectedRemote: []string{},
 			expectError:    false,
 			description:    "Port forwarding with bind address should work",
 		},
 		{
 			name:           "port forwarding with command",
 			args:           []string{"-L", "8080:localhost:80", "hostname", "ls", "-la"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"8080:localhost:80"},
 			expectedRemote: []string{},
 			expectError:    false,
 			description:    "Port forwarding with command should work",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			localForwards = nil
 			remoteForwards = nil
 			cmd := sshCmd
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			if tt.expectError {
 				assert.Error(t, err)
 				return
 			}
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedHost, host, "host mismatch")
 			// Handle nil vs empty slice comparison
 			if len(tt.expectedLocal) == 0 {
 				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
 			} else {
 				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
 			}
 			if len(tt.expectedRemote) == 0 {
 				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
 			} else {
 				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
 			}
 		})
 	}
 }
 func TestParsePortForward(t *testing.T) {
 	tests := []struct {
 		name           string
 		spec           string
 		expectedLocal  string
 		expectedRemote string
 		expectError    bool
 		description    string
 	}{
 		{
 			name:           "simple port forward",
 			spec:           "8080:localhost:80",
 			expectedLocal:  "localhost:8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
 			description:    "Simple port:host:port format should work",
 		},
 		{
 			name:           "port forward with bind address",
 			spec:           "127.0.0.1:8080:localhost:80",
 			expectedLocal:  "127.0.0.1:8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
 			description:    "bind_address:port:host:port format should work",
 		},
 		{
 			name:           "port forward to different host",
 			spec:           "8080:example.com:443",
 			expectedLocal:  "localhost:8080",
 			expectedRemote: "example.com:443",
 			expectError:    false,
 			description:    "Forwarding to different host should work",
 		},
 		{
 			name:        "port forward with IPv6 (needs bracket support)",
 			spec:        "::1:8080:localhost:80",
 			expectError: true,
 			description: "IPv6 without brackets fails as expected (feature to implement)",
 		},
 		{
 			name:        "invalid format - too few parts",
 			spec:        "8080:localhost",
 			expectError: true,
 			description: "Invalid format with too few parts should fail",
 		},
 		{
 			name:        "invalid format - too many parts",
 			spec:        "127.0.0.1:8080:localhost:80:extra",
 			expectError: true,
 			description: "Invalid format with too many parts should fail",
 		},
 		{
 			name:        "empty spec",
 			spec:        "",
 			expectError: true,
 			description: "Empty spec should fail",
 		},
 		{
 			name:           "unix socket local forward",
 			spec:           "8080:/tmp/socket",
 			expectedLocal:  "localhost:8080",
 			expectedRemote: "/tmp/socket",
 			expectError:    false,
 			description:    "Unix socket forwarding should work",
 		},
 		{
 			name:           "unix socket with bind address",
 			spec:           "127.0.0.1:8080:/tmp/socket",
 			expectedLocal:  "127.0.0.1:8080",
 			expectedRemote: "/tmp/socket",
 			expectError:    false,
 			description:    "Unix socket with bind address should work",
 		},
 		{
 			name:           "wildcard bind all interfaces",
 			spec:           "*:8080:localhost:80",
 			expectedLocal:  "0.0.0.0:8080",
 			expectedRemote: "localhost:80",
 			expectError:    false,
 			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
 		},
 		{
 			name:           "wildcard for port only",
 			spec:           "8080:*:80",
 			expectedLocal:  "localhost:8080",
 			expectedRemote: "*:80",
 			expectError:    false,
 			description:    "Wildcard in remote host should be preserved",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			localAddr, remoteAddr, err := parsePortForwardSpec(tt.spec)
 			if tt.expectError {
 				assert.Error(t, err, tt.description)
 				return
 			}
 			require.NoError(t, err, tt.description)
 			assert.Equal(t, tt.expectedLocal, localAddr, tt.description+" - local address")
 			assert.Equal(t, tt.expectedRemote, remoteAddr, tt.description+" - remote address")
 		})
 	}
 }
 func TestSSHCommand_IntegrationPortForwarding(t *testing.T) {
 	// Integration test for port forwarding with the actual SSH command implementation
 	tests := []struct {
 		name           string
 		args           []string
 		expectedHost   string
 		expectedLocal  []string
 		expectedRemote []string
 		expectedCmd    string
 		description    string
 	}{
 		{
 			name:           "local forward with command",
 			args:           []string{"-L", "8080:localhost:80", "hostname", "echo", "test"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"8080:localhost:80"},
 			expectedRemote: []string{},
 			expectedCmd:    "echo test",
 			description:    "Local forwarding should work with commands",
 		},
 		{
 			name:           "remote forward with command",
 			args:           []string{"-R", "8080:localhost:80", "hostname", "ls", "-la"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{},
 			expectedRemote: []string{"8080:localhost:80"},
 			expectedCmd:    "ls -la",
 			description:    "Remote forwarding should work with commands",
 		},
 		{
 			name:           "multiple forwards with user and command",
 			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "user@hostname", "ps", "aux"},
 			expectedHost:   "hostname",
 			expectedLocal:  []string{"8080:localhost:80"},
 			expectedRemote: []string{"9090:localhost:443"},
 			expectedCmd:    "ps aux",
 			description:    "Complex case with multiple forwards, user, and command",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			localForwards = nil
 			remoteForwards = nil
 			cmd := sshCmd
 			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
 			require.NoError(t, err, "SSH args validation should succeed for valid input")
 			assert.Equal(t, tt.expectedHost, host, "host mismatch")
 			// Handle nil vs empty slice comparison
 			if len(tt.expectedLocal) == 0 {
 				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
 			} else {
 				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
 			}
 			if len(tt.expectedRemote) == 0 {
 				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
 			} else {
 				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
 			}
 			assert.Equal(t, tt.expectedCmd, command, tt.description+" - command")
 		})
 	}
 }
 func TestSSHCommand_ParameterIsolation(t *testing.T) {
 	tests := []struct {
 		name        string
 		args        []string
 		expectedCmd string
 	}{
 		{
 			name:        "cmd flag passed as command",
 			args:        []string{"hostname", "--cmd", "echo test"},
 			expectedCmd: "--cmd echo test",
 		},
 		{
 			name:        "uid flag passed as command",
 			args:        []string{"hostname", "--uid", "1000"},
 			expectedCmd: "--uid 1000",
 		},
 		{
 			name:        "shell flag passed as command",
 			args:        []string{"hostname", "--shell", "/bin/bash"},
 			expectedCmd: "--shell /bin/bash",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
 			require.NoError(t, err)
 			assert.Equal(t, "hostname", host)
 			assert.Equal(t, tt.expectedCmd, command)
 		})
 	}
 }
 func TestSSHCommand_InvalidFlagRejection(t *testing.T) {
 	// Test that invalid flags are properly rejected and not misinterpreted as hostnames
 	tests := []struct {
 		name        string
 		args        []string
 		description string
 	}{
 		{
 			name:        "invalid long flag before hostname",
 			args:        []string{"--invalid-flag", "hostname"},
 			description: "Invalid flag should return parse error, not treat flag as hostname",
 		},
 		{
 			name:        "invalid short flag before hostname",
 			args:        []string{"-x", "hostname"},
 			description: "Invalid short flag should return parse error",
 		},
 		{
 			name:        "invalid flag with value before hostname",
 			args:        []string{"--invalid-option=value", "hostname"},
 			description: "Invalid flag with value should return parse error",
 		},
 		{
 			name:        "typo in known flag",
 			args:        []string{"--por", "2222", "hostname"},
 			description: "Typo in flag name should return parse error (not silently ignored)",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
 			// Should return an error for invalid flags
 			assert.Error(t, err, tt.description)
 			// Should not have set host to the invalid flag
 			assert.NotEqual(t, tt.args[0], host, "Invalid flag should not be interpreted as hostname")
 		})
 	}
 }
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -28,7 +28,6 @@ var (
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
 	connectionTypeFilter string
 	checkFlag            string
 )
 var statusCmd = &cobra.Command{
@@ -50,7 +49,6 @@ func init() {
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
 	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }
 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -58,10 +56,6 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	cmd.SetOut(cmd.OutOrStdout())
 	if checkFlag != "" {
 		return runHealthCheck(cmd)
 	}
 	err := parseFilters()
 	if err != nil {
 		return err
@@ -74,17 +68,15 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	ctx := internal.CtxInitState(cmd.Context())
-	resp, err := getStatus(ctx, true, false)
+	resp, err := getStatus(ctx)
 	if err != nil {
 		return err
 	}
 	status := resp.GetStatus()
-	needsAuth := status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
+	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired)
+		status == string(internal.StatusSessionExpired) {
 	if needsAuth && !jsonFlag && !yamlFlag {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -107,27 +99,17 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 		Anonymize:            anonymizeFlag,
 		DaemonVersion:        resp.GetDaemonVersion(),
 		DaemonStatus:         nbstatus.ParseDaemonStatus(status),
 		StatusFilter:         statusFilter,
 		PrefixNamesFilter:    prefixNamesFilter,
 		PrefixNamesFilterMap: prefixNamesFilterMap,
 		IPsFilter:            ipsFilterMap,
 		ConnectionTypeFilter: connectionTypeFilter,
 		ProfileName:          profName,
 	})
 	var statusOutputString string
 	switch {
 	case detailFlag:
-		statusOutputString = outputInformationHolder.FullDetailSummary()
+		statusOutputString = nbstatus.ParseToFullDetailSummary(outputInformationHolder)
 	case jsonFlag:
-		statusOutputString, err = outputInformationHolder.JSON()
+		statusOutputString, err = nbstatus.ParseToJSON(outputInformationHolder)
 	case yamlFlag:
-		statusOutputString, err = outputInformationHolder.YAML()
+		statusOutputString, err = nbstatus.ParseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = outputInformationHolder.GeneralSummary(false, false, false, false)
+		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false)
 	}
 	if err != nil {
@@ -139,17 +121,16 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
 	}
 	defer conn.Close()
-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: fullPeerStatus, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -203,83 +184,6 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }
 func runHealthCheck(cmd *cobra.Command) error {
 	check := strings.ToLower(checkFlag)
 	switch check {
 	case "live", "ready", "startup":
 	default:
 		return fmt.Errorf("unknown check %q, must be one of: live, ready, startup", checkFlag)
 	}
 	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
 		return fmt.Errorf("init log: %w", err)
 	}
 	ctx := internal.CtxInitState(cmd.Context())
 	isStartup := check == "startup"
 	resp, err := getStatus(ctx, isStartup, false)
 	if err != nil {
 		return err
 	}
 	switch check {
 	case "live":
 		return nil
 	case "ready":
 		return checkReadiness(resp)
 	case "startup":
 		return checkStartup(resp)
 	default:
 		return nil
 	}
 }
 func checkReadiness(resp *proto.StatusResponse) error {
 	daemonStatus := internal.StatusType(resp.GetStatus())
 	switch daemonStatus {
 	case internal.StatusIdle, internal.StatusConnecting, internal.StatusConnected:
 		return nil
 	case internal.StatusNeedsLogin, internal.StatusLoginFailed, internal.StatusSessionExpired:
 		return fmt.Errorf("readiness check: daemon status is %s", daemonStatus)
 	default:
 		return fmt.Errorf("readiness check: unexpected daemon status %q", daemonStatus)
 	}
 }
 func checkStartup(resp *proto.StatusResponse) error {
 	fullStatus := resp.GetFullStatus()
 	if fullStatus == nil {
 		return fmt.Errorf("startup check: no full status available")
 	}
 	if !fullStatus.GetManagementState().GetConnected() {
 		return fmt.Errorf("startup check: management not connected")
 	}
 	if !fullStatus.GetSignalState().GetConnected() {
 		return fmt.Errorf("startup check: signal not connected")
 	}
 	var relayCount, relaysConnected int
 	for _, r := range fullStatus.GetRelays() {
 		uri := r.GetURI()
 		if !strings.HasPrefix(uri, "rel://") && !strings.HasPrefix(uri, "rels://") {
 			continue
 		}
 		relayCount++
 		if r.GetAvailable() {
 			relaysConnected++
 		}
 	}
 	if relayCount > 0 && relaysConnected == 0 {
 		return fmt.Errorf("startup check: no relay servers available (0/%d connected)", relayCount)
 	}
 	return nil
 }
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -9,21 +9,8 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 	"google.golang.org/grpc"
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/server/job"
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
@@ -32,10 +19,19 @@ import (
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/util"
 	"google.golang.org/grpc"
 	"github.com/netbirdio/management-integrations/integrations"
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	sigProto "github.com/netbirdio/netbird/shared/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
 	"github.com/netbirdio/netbird/util"
 )
 func startTestingServices(t *testing.T) string {
@@ -89,23 +85,20 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}
 	t.Cleanup(cleanUp)
 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
-
+	if err != nil {
-	ctrl := gomock.NewController(t)
+		return nil, nil
-	t.Cleanup(ctrl.Finish)
+	}
-
+	iv, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 	peersmanager := peers.NewManager(store, permissionsManagerMock)
 	settingsManagerMock := settings.NewMockManager(ctrl)
 	jobManager := job.NewJobManager(nil, store, peersmanager)
 	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
 	groupsManager := groups.NewManagerMock()
 	settingsMockManager.EXPECT().
@@ -113,21 +106,13 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
-	ctx := context.Background()
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)
 	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
-	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	if err != nil {
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 		t.Fatal(err)
 	}
 	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -152,7 +137,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 	server := client.New(ctx,
-		"", "", false, false, false)
+		"", "", false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -185,7 +185,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
-	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -200,7 +200,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	connectClient := internal.NewConnectClient(ctx, config, r)
 	SetupDebugHandler(ctx, config, r, connectClient, "")
-	return connectClient.Run(nil, util.FindFirstLogPath(logFiles))
+	return connectClient.Run(nil)
 }
 func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager.ProfileManager, activeProf *profilemanager.Profile, profileSwitched bool) error {
@@ -216,7 +216,6 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
 		return fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
@@ -231,9 +230,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 	client := proto.NewDaemonServiceClient(conn)
-	status, err := client.Status(ctx, &proto.StatusRequest{
+	status, err := client.Status(ctx, &proto.StatusRequest{})
 		WaitForReady: func() *bool { b := true; return &b }(),
 	})
 	if err != nil {
 		return fmt.Errorf("unable to get daemon status: %v", err)
 	}
@@ -287,13 +284,6 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	loginRequest.ProfileName = &activeProf.Name
 	loginRequest.Username = &username
 	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
 		loginRequest.Hint = &profileState.Email
 	}
 	var loginErr error
 	var loginResp *proto.LoginResponse
@@ -356,25 +346,6 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		req.EnableSSHRoot = &enableSSHRoot
 	}
 	if cmd.Flag(enableSSHSFTPFlag).Changed {
 		req.EnableSSHSFTP = &enableSSHSFTP
 	}
 	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
 		req.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
 	}
 	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
 		req.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
 	}
 	if cmd.Flag(disableSSHAuthFlag).Changed {
 		req.DisableSSHAuth = &disableSSHAuth
 	}
 	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
 		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
 		req.SshJWTCacheTTL = &sshJWTCacheTTL32
 	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			log.Errorf("parse interface name: %v", err)
@@ -459,30 +430,6 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		ic.EnableSSHRoot = &enableSSHRoot
 	}
 	if cmd.Flag(enableSSHSFTPFlag).Changed {
 		ic.EnableSSHSFTP = &enableSSHSFTP
 	}
 	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
 		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
 	}
 	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
 		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
 	}
 	if cmd.Flag(disableSSHAuthFlag).Changed {
 		ic.DisableSSHAuth = &disableSSHAuth
 	}
 	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
 		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
 	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return nil, err
@@ -583,31 +530,6 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
 	if cmd.Flag(enableSSHRootFlag).Changed {
 		loginRequest.EnableSSHRoot = &enableSSHRoot
 	}
 	if cmd.Flag(enableSSHSFTPFlag).Changed {
 		loginRequest.EnableSSHSFTP = &enableSSHSFTP
 	}
 	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
 		loginRequest.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
 	}
 	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
 		loginRequest.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
 	}
 	if cmd.Flag(disableSSHAuthFlag).Changed {
 		loginRequest.DisableSSHAuth = &disableSSHAuth
 	}
 	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
 		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
 		loginRequest.SshJWTCacheTTL = &sshJWTCacheTTL32
 	}
 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled
 	}
--- a/client/cmd/update.go
+++ b/client/cmd/update.go
@@ -1,13 +0,0 @@
 //go:build !windows && !darwin
 package cmd
 import (
 	"github.com/spf13/cobra"
 )
 var updateCmd *cobra.Command
 func isUpdateBinary() bool {
 	return false
 }
--- a/client/cmd/update_supported.go
+++ b/client/cmd/update_supported.go
@@ -1,75 +0,0 @@
 //go:build windows || darwin
 package cmd
 import (
 	"context"
 	"os"
 	"path/filepath"
 	"strings"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	"github.com/netbirdio/netbird/util"
 )
 var (
 	updateCmd = &cobra.Command{
 		Use:   "update",
 		Short: "Update the NetBird client application",
 		RunE:  updateFunc,
 	}
 	tempDirFlag    string
 	installerFile  string
 	serviceDirFlag string
 	dryRunFlag     bool
 )
 func init() {
 	updateCmd.Flags().StringVar(&tempDirFlag, "temp-dir", "", "temporary dir")
 	updateCmd.Flags().StringVar(&installerFile, "installer-file", "", "installer file")
 	updateCmd.Flags().StringVar(&serviceDirFlag, "service-dir", "", "service directory")
 	updateCmd.Flags().BoolVar(&dryRunFlag, "dry-run", false, "dry run the update process without making any changes")
 }
 // isUpdateBinary checks if the current executable is named "update" or "update.exe"
 func isUpdateBinary() bool {
 	// Remove extension for cross-platform compatibility
 	execPath, err := os.Executable()
 	if err != nil {
 		return false
 	}
 	baseName := filepath.Base(execPath)
 	name := strings.TrimSuffix(baseName, filepath.Ext(baseName))
 	return name == installer.UpdaterBinaryNameWithoutExtension()
 }
 func updateFunc(cmd *cobra.Command, args []string) error {
 	if err := setupLogToFile(tempDirFlag); err != nil {
 		return err
 	}
 	log.Infof("updater started: %s", serviceDirFlag)
 	updater := installer.NewWithDir(tempDirFlag)
 	if err := updater.Setup(context.Background(), dryRunFlag, installerFile, serviceDirFlag); err != nil {
 		log.Errorf("failed to update application: %v", err)
 		return err
 	}
 	return nil
 }
 func setupLogToFile(dir string) error {
 	logFile := filepath.Join(dir, installer.LogFile)
 	if _, err := os.Stat(logFile); err == nil {
 		if err := os.Remove(logFile); err != nil {
 			log.Errorf("failed to remove existing log file: %v\n", err)
 		}
 	}
 	return util.InitLog(logLevel, util.LogConsole, logFile)
 }
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -14,55 +14,32 @@ import (
 	"github.com/sirupsen/logrus"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
-var (
+var ErrClientAlreadyStarted = errors.New("client already started")
-	ErrClientAlreadyStarted = errors.New("client already started")
+var ErrClientNotStarted = errors.New("client not started")
 	ErrClientNotStarted     = errors.New("client not started")
 	ErrEngineNotStarted     = errors.New("engine not started")
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )
-const (
+// Client manages a netbird embedded client instance
 	// PeerStatusConnected indicates the peer is in connected state.
 	PeerStatusConnected = peer.StatusConnected
 )
 // PeerConnStatus is a peer's connection status.
 type PeerConnStatus = peer.ConnStatus
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
 	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
 	jwtToken   string
 	connect    *internal.ConnectClient
 	recorder   *peer.Status
 }
-// Options configures a new Client.
+// Options configures a new Client
 type Options struct {
 	// DeviceName is this peer's name in the network
 	DeviceName string
 	// SetupKey is used for authentication
 	SetupKey string
 	// JWTToken is used for JWT-based authentication
 	JWTToken string
 	// PrivateKey is used for direct private key authentication
 	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
 	// PreSharedKey is the pre-shared key for the WireGuard interface
@@ -79,55 +56,10 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
 	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the WireGuard interface.
 	// Valid values are in the range 576..8192 bytes.
 	// If non-nil, this value overrides any value stored in the config file.
 	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
 	// Set to a higher value (e.g. 1400) if carrying QUIC or other protocols that require larger datagrams.
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
 }
-// validateCredentials checks that exactly one credential type is provided
+// New creates a new netbird embedded client
 func (opts *Options) validateCredentials() error {
 	credentialsProvided := 0
 	if opts.SetupKey != "" {
 		credentialsProvided++
 	}
 	if opts.JWTToken != "" {
 		credentialsProvided++
 	}
 	if opts.PrivateKey != "" {
 		credentialsProvided++
 	}
 	if credentialsProvided == 0 {
 		return fmt.Errorf("one of SetupKey, JWTToken, or PrivateKey must be provided")
 	}
 	if credentialsProvided > 1 {
 		return fmt.Errorf("only one of SetupKey, JWTToken, or PrivateKey can be specified")
 	}
 	return nil
 }
 // New creates a new netbird embedded client.
 func New(opts Options) (*Client, error) {
 	if err := opts.validateCredentials(); err != nil {
 		return nil, err
 	}
 	if opts.MTU != nil {
 		if err := iface.ValidateMTU(*opts.MTU); err != nil {
 			return nil, fmt.Errorf("invalid MTU: %w", err)
 		}
 	}
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -156,24 +88,15 @@ func New(opts Options) (*Client, error) {
 		}
 	}
 	var err error
 	var parsedLabels domain.List
 	if parsedLabels, err = domain.FromStringList(opts.DNSLabels); err != nil {
 		return nil, fmt.Errorf("invalid dns labels: %w", err)
 	}
 	t := true
 	var config *profilemanager.Config
 	var err error
 	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -184,16 +107,10 @@ func New(opts Options) (*Client, error) {
 		return nil, fmt.Errorf("create config: %w", err)
 	}
 	if opts.PrivateKey != "" {
 		config.PrivateKey = opts.PrivateKey
 	}
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
 		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }
@@ -202,38 +119,26 @@ func New(opts Options) (*Client, error) {
 func (c *Client) Start(startCtx context.Context) error {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	if c.connect != nil {
+	if c.cancel != nil {
 		return ErrClientAlreadyStarted
 	}
-	ctx, cancel := context.WithCancel(internal.CtxInitState(context.Background()))
+	ctx := internal.CtxInitState(context.Background())
 	defer func() {
 		if c.connect == nil {
 			cancel()
 		}
 	}()
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-
+	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
 	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
 	if err != nil {
 		return fmt.Errorf("create auth client: %w", err)
 	}
 	defer authClient.Close()
 	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-	client := internal.NewConnectClient(ctx, c.config, c.recorder)
+
-	client.SetSyncResponsePersistence(true)
+	recorder := peer.NewRecorder(c.config.ManagementURL.String())
 	client := internal.NewConnectClient(ctx, c.config, recorder)
 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
-	run := make(chan struct{})
+	run := make(chan struct{}, 1)
 	clientErr := make(chan error, 1)
 	go func() {
-		if err := client.Run(run, ""); err != nil {
+		if err := client.Run(run); err != nil {
 			clientErr <- err
 		}
 	}()
@@ -250,7 +155,6 @@ func (c *Client) Start(startCtx context.Context) error {
 	}
 	c.connect = client
 	c.cancel = cancel
 	return nil
 }
@@ -265,23 +169,17 @@ func (c *Client) Stop(ctx context.Context) error {
 		return ErrClientNotStarted
 	}
 	if c.cancel != nil {
 		c.cancel()
 		c.cancel = nil
 	}
 	done := make(chan error, 1)
 	connect := c.connect
 	go func() {
-		done <- connect.Stop()
+		done <- c.connect.Stop()
 	}()
 	select {
 	case <-ctx.Done():
-		c.connect = nil
+		c.cancel = nil
 		return ctx.Err()
 	case err := <-done:
-		c.connect = nil
+		c.cancel = nil
 		if err != nil {
 			return fmt.Errorf("stop: %w", err)
 		}
@@ -289,22 +187,20 @@ func (c *Client) Stop(ctx context.Context) error {
 	}
 }
 // GetConfig returns a copy of the internal client config.
 func (c *Client) GetConfig() (profilemanager.Config, error) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	if c.config == nil {
 		return profilemanager.Config{}, ErrConfigNotInitialized
 	}
 	return *c.config, nil
 }
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
-	engine, err := c.getEngine()
+	c.mu.Lock()
-	if err != nil {
+	connect := c.connect
-		return nil, err
+	if connect == nil {
 		c.mu.Unlock()
 		return nil, ErrClientNotStarted
 	}
 	c.mu.Unlock()
 	engine := connect.Engine()
 	if engine == nil {
 		return nil, errors.New("engine not started")
 	}
 	nsnet, err := engine.GetNet()
@@ -315,12 +211,7 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
-// DialContext dials a network address in the netbird network with context
+// ListenTCP listens on the given address in the netbird network
 func (c *Client) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
 	return c.Dial(ctx, network, address)
 }
 // ListenTCP listens on the given address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	nsnet, addr, err := c.getNet()
@@ -341,7 +232,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	return nsnet.ListenTCP(tcpAddr)
 }
-// ListenUDP listens on the given address in the netbird network.
+// ListenUDP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	nsnet, addr, err := c.getNet()
@@ -375,124 +266,18 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }
-// Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
+func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
 // It returns an ExposeSession. Call Wait on the session to keep it alive.
 func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
 	engine, err := c.getEngine()
 	if err != nil {
 		return nil, err
 	}
 	mgr := engine.GetExposeManager()
 	if mgr == nil {
 		return nil, fmt.Errorf("expose manager not available")
 	}
 	resp, err := mgr.Expose(ctx, req)
 	if err != nil {
 		return nil, fmt.Errorf("expose: %w", err)
 	}
 	return &ExposeSession{
 		Domain:      resp.Domain,
 		ServiceName: resp.ServiceName,
 		ServiceURL:  resp.ServiceURL,
 		mgr:         mgr,
 	}, nil
 }
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
 	connect := c.connect
 	c.mu.Unlock()
 	if connect != nil {
 		engine := connect.Engine()
 		if engine != nil {
 			_ = engine.RunHealthProbes(false)
 		}
 	}
 	return c.recorder.GetFullStatus(), nil
 }
 // GetLatestSyncResponse returns the latest sync response from the management server.
 func (c *Client) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
 	engine, err := c.getEngine()
 	if err != nil {
 		return nil, err
 	}
 	syncResp, err := engine.GetLatestSyncResponse()
 	if err != nil {
 		return nil, fmt.Errorf("get sync response: %w", err)
 	}
 	return syncResp, nil
 }
 // SetLogLevel sets the logging level for the client and its components.
 func (c *Client) SetLogLevel(levelStr string) error {
 	level, err := logrus.ParseLevel(levelStr)
 	if err != nil {
 		return fmt.Errorf("parse log level: %w", err)
 	}
 	logrus.SetLevel(level)
 	c.mu.Lock()
 	connect := c.connect
 	c.mu.Unlock()
 	if connect != nil {
 		connect.SetLogLevel(level)
 	}
 	return nil
 }
 // VerifySSHHostKey verifies an SSH host key against stored peer keys.
 // Returns nil if the key matches, ErrPeerNotFound if peer is not in network,
 // ErrNoStoredKey if peer has no stored key, or an error for verification failures.
 func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	engine, err := c.getEngine()
 	if err != nil {
 		return err
 	}
 	storedKey, found := engine.GetPeerSSHKey(peerAddress)
 	if !found {
 		return sshcommon.ErrPeerNotFound
 	}
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }
 // getEngine safely retrieves the engine from the client with proper locking.
 // Returns ErrClientNotStarted if the client is not started.
 // Returns ErrEngineNotStarted if the engine is not available.
 func (c *Client) getEngine() (*internal.Engine, error) {
 	c.mu.Lock()
 	connect := c.connect
 	c.mu.Unlock()
 	if connect == nil {
-		return nil, ErrClientNotStarted
+		c.mu.Unlock()
 		return nil, netip.Addr{}, errors.New("client not started")
 	}
 	c.mu.Unlock()
 	engine := connect.Engine()
 	if engine == nil {
-		return nil, ErrEngineNotStarted
+		return nil, netip.Addr{}, errors.New("engine not started")
 	}
 	return engine, nil
 }
 func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
 	engine, err := c.getEngine()
 	if err != nil {
 		return nil, netip.Addr{}, err
 	}
 	addr, err := engine.Address()
--- a/client/embed/expose.go
+++ b/client/embed/expose.go
@@ -1,45 +0,0 @@
 package embed
 import (
 	"context"
 	"errors"
 	"github.com/netbirdio/netbird/client/internal/expose"
 )
 const (
 	// ExposeProtocolHTTP exposes the service as HTTP.
 	ExposeProtocolHTTP = expose.ProtocolHTTP
 	// ExposeProtocolHTTPS exposes the service as HTTPS.
 	ExposeProtocolHTTPS = expose.ProtocolHTTPS
 	// ExposeProtocolTCP exposes the service as TCP.
 	ExposeProtocolTCP = expose.ProtocolTCP
 	// ExposeProtocolUDP exposes the service as UDP.
 	ExposeProtocolUDP = expose.ProtocolUDP
 	// ExposeProtocolTLS exposes the service as TLS.
 	ExposeProtocolTLS = expose.ProtocolTLS
 )
 // ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
 type ExposeRequest = expose.Request
 // ExposeProtocolType represents the protocol used for exposing a service.
 type ExposeProtocolType = expose.ProtocolType
 // ExposeSession represents an active expose session. Use Wait to block until the session ends.
 type ExposeSession struct {
 	Domain      string
 	ServiceName string
 	ServiceURL  string
 	mgr *expose.Manager
 }
 // Wait blocks while keeping the expose session alive.
 // It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
 func (s *ExposeSession) Wait(ctx context.Context) error {
 	if s == nil || s.mgr == nil {
 		return errors.New("expose session is not initialized")
 	}
 	return s.mgr.KeepAlive(ctx, s.Domain)
 }
--- a/client/firewall/create.go
+++ b/client/firewall/create.go
@@ -15,13 +15,13 @@ import (
 )
 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
+	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger)
 	if err != nil {
 		return nil, err
 	}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
 	"strconv"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
@@ -35,39 +34,25 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int
-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
-	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
+	// on the linux system we try to user nftables or iptables
-	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
+	// in any case, because we need to allow netbird interface traffic
-		log.Info("forcing userspace firewall")
+	// so we use AllowNetbird traffic from these firewall managers
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
+	// for the userspace packet filtering firewall
-	}
+	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes)
 	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
 	// Kernel cannot fall back to anything else, need to return error
 	if !iface.IsUserspaceBind() {
 		return fm, err
 	}
 	// Fall back to the userspace packet filter if native is unavailable
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
-
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger)
 	// Native firewall handles packet filtering, but the userspace WireGuard bind
 	// needs a device filter for DNS interception hooks. Install a minimal
 	// hooks-only filter that passes all traffic through to the kernel firewall.
 	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
 		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
 	}
 	return fm, nil
 }
-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool) (firewall.Manager, error) {
-	fm, err := createFW(iface, mtu)
+	fm, err := createFW(iface)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
 	}
@@ -79,26 +64,26 @@ func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager,
 	return fm, nil
 }
-func createFW(iface IFaceMapper, mtu uint16) (firewall.Manager, error) {
+func createFW(iface IFaceMapper) (firewall.Manager, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
-		return nbiptables.Create(iface, mtu)
+		return nbiptables.Create(iface)
 	case NFTABLES:
 		log.Info("creating an nftables firewall manager")
-		return nbnftables.Create(iface, mtu)
+		return nbnftables.Create(iface)
 	default:
 		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 		return nil, errors.New("no firewall manager found")
 	}
 }
-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (firewall.Manager, error) {
 	var errUsp error
 	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
+		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger)
 	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
+		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger)
 	}
 	if errUsp != nil {
@@ -175,17 +160,3 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
 func forceUserspaceFirewall() bool {
 	val := os.Getenv(EnvForceUserspaceFirewall)
 	if val == "" {
 		return false
 	}
 	force, err := strconv.ParseBool(val)
 	if err != nil {
 		log.Warnf("failed to parse %s: %v", EnvForceUserspaceFirewall, err)
 		return false
 	}
 	return force
 }
--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -7,12 +7,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 // EnvForceUserspaceFirewall forces the use of the userspace packet filter even when
 // native iptables/nftables is available. This only applies when the WireGuard interface
 // runs in userspace mode. When set, peer ACLs are handled by USPFilter instead of
 // kernel netfilter rules.
 const EnvForceUserspaceFirewall = "NB_FORCE_USERSPACE_FIREWALL"
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -1,19 +1,18 @@
 package iptables
 import (
 	"errors"
 	"fmt"
 	"net"
 	"slices"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
-	ipset "github.com/lrh3321/ipset-go"
+	"github.com/nadoo/ipset"
 	log "github.com/sirupsen/logrus"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 const (
@@ -21,10 +20,6 @@ const (
 	// rules chains contains the effective ACL rules
 	chainNameInputRules = "NETBIRD-ACL-INPUT"
 	// mangleFwdKey is the entries map key for mangle FORWARD guard rules that prevent
 	// external DNAT from bypassing ACL rules.
 	mangleFwdKey = "MANGLE-FORWARD"
 )
 type aclEntries map[string][][]string
@@ -45,13 +40,19 @@ type aclManager struct {
 }
 func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
-	return &aclManager{
+	m := &aclManager{
 		iptablesClient:  iptablesClient,
 		wgIface:         wgIface,
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
-	}, nil
+	}
 	if err := ipset.Init(); err != nil {
 		return nil, fmt.Errorf("init ipset: %w", err)
 	}
 	return m, nil
 }
 func (m *aclManager) init(stateManager *statemanager.Manager) error {
@@ -97,8 +98,8 @@ func (m *aclManager) AddPeerFiltering(
 	specs = append(specs, "-j", actionToStr(action))
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
-			if err := m.addToIPSet(ipsetName, ip); err != nil {
+			if err := ipset.Add(ipsetName, ip.String()); err != nil {
-				return nil, fmt.Errorf("add IP to ipset: %w", err)
+				return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
 			}
 			// if ruleset already exists it means we already have the firewall rule
 			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
@@ -112,18 +113,14 @@ func (m *aclManager) AddPeerFiltering(
 			}}, nil
 		}
-		if err := m.flushIPSet(ipsetName); err != nil {
+		if err := ipset.Flush(ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrSetNotExist) {
+			log.Errorf("flush ipset %s before use it: %s", ipsetName, err)
 				log.Debugf("flush ipset %s before use: %v", ipsetName, err)
 			} else {
 				log.Errorf("flush ipset %s before use: %v", ipsetName, err)
 			}
 		}
-		if err := m.createIPSet(ipsetName); err != nil {
+		if err := ipset.Create(ipsetName); err != nil {
-			return nil, fmt.Errorf("create ipset: %w", err)
+			return nil, fmt.Errorf("failed to create ipset: %w", err)
 		}
-		if err := m.addToIPSet(ipsetName, ip); err != nil {
+		if err := ipset.Add(ipsetName, ip.String()); err != nil {
-			return nil, fmt.Errorf("add IP to ipset: %w", err)
+			return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
 		}
 		ipList := newIpList(ip.String())
@@ -175,16 +172,11 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("invalid rule type")
 	}
 	shouldDestroyIpset := false
 	if ipsetList, ok := m.ipsetStore.ipset(r.ipsetName); ok {
 		// delete IP from ruleset IPs list and ipset
 		if _, ok := ipsetList.ips[r.ip]; ok {
-			ip := net.ParseIP(r.ip)
+			if err := ipset.Del(r.ipsetName, r.ip); err != nil {
-			if ip == nil {
+				return fmt.Errorf("failed to delete ip from ipset: %w", err)
 				return fmt.Errorf("parse IP %s", r.ip)
 			}
 			if err := m.delFromIPSet(r.ipsetName, ip); err != nil {
 				return fmt.Errorf("delete ip from ipset: %w", err)
 			}
 			delete(ipsetList.ips, r.ip)
 		}
@@ -198,7 +190,10 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		// we delete last IP from the set, that means we need to delete
 		// set itself and associated firewall rule too
 		m.ipsetStore.deleteIpset(r.ipsetName)
-		shouldDestroyIpset = true
+
 		if err := ipset.Destroy(r.ipsetName); err != nil {
 			log.Errorf("delete empty ipset: %v", err)
 		}
 	}
 	if err := m.iptablesClient.Delete(tableName, r.chain, r.specs...); err != nil {
@@ -211,16 +206,6 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		}
 	}
 	if shouldDestroyIpset {
 		if err := m.destroyIPSet(r.ipsetName); err != nil {
 			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
 				log.Debugf("destroy empty ipset: %v", err)
 			} else {
 				log.Errorf("destroy empty ipset: %v", err)
 			}
 		}
 	}
 	m.updateState()
 	return nil
@@ -278,26 +263,12 @@ func (m *aclManager) cleanChains() error {
 		}
 	}
 	for _, rule := range m.entries[mangleFwdKey] {
 		if err := m.iptablesClient.DeleteIfExists(tableMangle, chainFORWARD, rule...); err != nil {
 			log.Errorf("failed to delete mangle FORWARD guard rule: %v, %s", rule, err)
 		}
 	}
 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
-		if err := m.flushIPSet(ipsetName); err != nil {
+		if err := ipset.Flush(ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrSetNotExist) {
+			log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
 				log.Debugf("flush ipset %q during reset: %v", ipsetName, err)
 			} else {
 				log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
 			}
 		}
-		if err := m.destroyIPSet(ipsetName); err != nil {
+		if err := ipset.Destroy(ipsetName); err != nil {
-			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
+			log.Errorf("delete ipset %q during reset: %v", ipsetName, err)
 				log.Debugf("destroy ipset %q during reset: %v", ipsetName, err)
 			} else {
 				log.Errorf("destroy ipset %q during reset: %v", ipsetName, err)
 			}
 		}
 		m.ipsetStore.deleteIpset(ipsetName)
 	}
@@ -313,10 +284,6 @@ func (m *aclManager) createDefaultChains() error {
 	}
 	for chainName, rules := range m.entries {
 		// mangle FORWARD guard rules are handled separately below
 		if chainName == mangleFwdKey {
 			continue
 		}
 		for _, rule := range rules {
 			if err := m.iptablesClient.InsertUnique(tableName, chainName, 1, rule...); err != nil {
 				log.Debugf("failed to create input chain jump rule: %s", err)
@@ -336,13 +303,6 @@ func (m *aclManager) createDefaultChains() error {
 	}
 	clear(m.optionalEntries)
 	// Insert mangle FORWARD guard rules to prevent external DNAT bypass.
 	for _, rule := range m.entries[mangleFwdKey] {
 		if err := m.iptablesClient.AppendUnique(tableMangle, chainFORWARD, rule...); err != nil {
 			log.Errorf("failed to add mangle FORWARD guard rule: %v", err)
 		}
 	}
 	return nil
 }
@@ -364,22 +324,6 @@ func (m *aclManager) seedInitialEntries() {
 	m.appendToEntries("FORWARD", []string{"-o", m.wgIface.Name(), "-j", chainRTFWDOUT})
 	m.appendToEntries("FORWARD", []string{"-i", m.wgIface.Name(), "-j", chainRTFWDIN})
 	// Mangle FORWARD guard: when external DNAT redirects traffic from the wg interface, it
 	// traverses FORWARD instead of INPUT, bypassing ACL rules. ACCEPT rules in filter FORWARD
 	// can be inserted above ours. Mangle runs before filter, so these guard rules enforce the
 	// ACL mark check where it cannot be overridden.
 	m.appendToEntries(mangleFwdKey, []string{
 		"-i", m.wgIface.Name(),
 		"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED",
 		"-j", "ACCEPT",
 	})
 	m.appendToEntries(mangleFwdKey, []string{
 		"-i", m.wgIface.Name(),
 		"-m", "conntrack", "--ctstate", "DNAT",
 		"-m", "mark", "!", "--mark", fmt.Sprintf("%#x", nbnet.PreroutingFwmarkRedirected),
 		"-j", "DROP",
 	})
 }
 func (m *aclManager) seedInitialOptionalEntries() {
@@ -423,8 +367,11 @@ func (m *aclManager) updateState() {
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
-	// don't use IP matching if IP is 0.0.0.0
+	matchByIP := true
-	matchByIP := !ip.IsUnspecified()
+	// don't use IP matching if IP is ip 0.0.0.0
 	if ip.String() == "0.0.0.0" {
 		matchByIP = false
 	}
 	if matchByIP {
 		if ipsetName != "" {
@@ -453,6 +400,7 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ""
 	}
 	// Include action in the ipset name to prevent squashing rules with different actions
 	actionSuffix := ""
 	if action == firewall.ActionDrop {
 		actionSuffix = "-drop"
@@ -469,61 +417,3 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ipsetName + actionSuffix
 	}
 }
 func (m *aclManager) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
 	}
 	log.Debugf("created ipset %s with type hash:net", name)
 	return nil
 }
 func (m *aclManager) addToIPSet(name string, ip net.IP) error {
 	cidr := uint8(32)
 	if ip.To4() == nil {
 		cidr = 128
 	}
 	entry := &ipset.Entry{
 		IP:      ip,
 		CIDR:    cidr,
 		Replace: true,
 	}
 	if err := ipset.Add(name, entry); err != nil {
 		return fmt.Errorf("add IP to ipset %s: %w", name, err)
 	}
 	return nil
 }
 func (m *aclManager) delFromIPSet(name string, ip net.IP) error {
 	cidr := uint8(32)
 	if ip.To4() == nil {
 		cidr = 128
 	}
 	entry := &ipset.Entry{
 		IP:   ip,
 		CIDR: cidr,
 	}
 	if err := ipset.Del(name, entry); err != nil {
 		return fmt.Errorf("delete IP from ipset %s: %w", name, err)
 	}
 	return nil
 }
 func (m *aclManager) flushIPSet(name string) error {
 	return ipset.Flush(name)
 }
 func (m *aclManager) destroyIPSet(name string) error {
 	return ipset.Destroy(name)
 }
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -23,20 +23,20 @@ type Manager struct {
 	wgIface iFaceMapper
-	ipv4Client   *iptables.IPTables
+	ipv4Client *iptables.IPTables
-	aclMgr       *aclManager
+	aclMgr     *aclManager
-	router       *router
+	router     *router
 	rawSupported bool
 }
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
 	IsUserspaceBind() bool
 }
 // Create iptables firewall manager
-func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
+func Create(wgIface iFaceMapper) (*Manager, error) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("init iptables: %w", err)
@@ -47,7 +47,7 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}
-	m.router, err = newRouter(iptablesClient, wgIface, mtu)
+	m.router, err = newRouter(iptablesClient, wgIface)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -63,9 +63,9 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
+			NameStr:       m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
+			WGAddress:     m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
 		},
 	}
 	stateManager.RegisterState(state)
@@ -82,10 +82,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("acl manager init: %w", err)
 	}
 	if err := m.initNoTrackChain(); err != nil {
 		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}
 	// persist early to ensure cleanup of chains
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
@@ -180,10 +176,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	var merr *multierror.Error
 	if err := m.cleanupNoTrackChain(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
 	}
 	if err := m.aclMgr.Reset(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
 	}
@@ -201,10 +193,12 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
-// AllowNetbird allows netbird interface traffic.
+// AllowNetbird allows netbird interface traffic
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
 	if !m.wgIface.IsUserspaceBind() {
 		return nil
 	}
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
@@ -266,166 +260,6 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveInboundDNAT removes an inbound DNAT rule.
 func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 const (
 	chainNameRaw = "NETBIRD-RAW"
 	chainOUTPUT  = "OUTPUT"
 	tableRaw     = "raw"
 )
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 // This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
 // can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
 //
 // Traffic flows that need NOTRACK:
 //
 //  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
 //     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
 //     Matched by: sport=wgPort
 //
 //  2. Egress: Proxy -> WireGuard (via raw socket)
 //     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  3. Ingress: Packets to WireGuard
 //     dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  4. Ingress: Packets to proxy (after eBPF rewrite)
 //     dst=127.0.0.1:proxyPort
 //     Matched by: dport=proxyPort
 //
 // Rules are cleaned up when the firewall manager is closed.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	if !m.rawSupported {
 		return fmt.Errorf("raw table not available")
 	}
 	wgPortStr := fmt.Sprintf("%d", wgPort)
 	proxyPortStr := fmt.Sprintf("%d", proxyPort)
 	// Egress rules: match outgoing loopback UDP packets
 	outputRuleSport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--sport", wgPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleSport...); err != nil {
 		return fmt.Errorf("add output sport notrack rule: %w", err)
 	}
 	outputRuleDport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleDport...); err != nil {
 		return fmt.Errorf("add output dport notrack rule: %w", err)
 	}
 	// Ingress rules: match incoming loopback UDP packets
 	preroutingRuleWg := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleWg...); err != nil {
 		return fmt.Errorf("add prerouting wg notrack rule: %w", err)
 	}
 	preroutingRuleProxy := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", proxyPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleProxy...); err != nil {
 		return fmt.Errorf("add prerouting proxy notrack rule: %w", err)
 	}
 	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
 	return nil
 }
 func (m *Manager) initNoTrackChain() error {
 	if err := m.cleanupNoTrackChain(); err != nil {
 		log.Debugf("cleanup notrack chain: %v", err)
 	}
 	if err := m.ipv4Client.NewChain(tableRaw, chainNameRaw); err != nil {
 		return fmt.Errorf("create chain: %w", err)
 	}
 	jumpRule := []string{"-j", chainNameRaw}
 	if err := m.ipv4Client.InsertUnique(tableRaw, chainOUTPUT, 1, jumpRule...); err != nil {
 		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
 			log.Debugf("delete orphan chain: %v", delErr)
 		}
 		return fmt.Errorf("add output jump rule: %w", err)
 	}
 	if err := m.ipv4Client.InsertUnique(tableRaw, chainPREROUTING, 1, jumpRule...); err != nil {
 		if delErr := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); delErr != nil {
 			log.Debugf("delete output jump rule: %v", delErr)
 		}
 		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
 			log.Debugf("delete orphan chain: %v", delErr)
 		}
 		return fmt.Errorf("add prerouting jump rule: %w", err)
 	}
 	m.rawSupported = true
 	return nil
 }
 func (m *Manager) cleanupNoTrackChain() error {
 	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
 	if err != nil {
 		if !m.rawSupported {
 			return nil
 		}
 		return fmt.Errorf("check chain exists: %w", err)
 	}
 	if !exists {
 		return nil
 	}
 	jumpRule := []string{"-j", chainNameRaw}
 	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); err != nil {
 		return fmt.Errorf("remove output jump rule: %w", err)
 	}
 	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainPREROUTING, jumpRule...); err != nil {
 		return fmt.Errorf("remove prerouting jump rule: %w", err)
 	}
 	if err := m.ipv4Client.ClearAndDeleteChain(tableRaw, chainNameRaw); err != nil {
 		return fmt.Errorf("clear and delete chain: %w", err)
 	}
 	m.rawSupported = false
 	return nil
 }
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -11,7 +11,6 @@ import (
 	"github.com/stretchr/testify/require"
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -47,12 +46,14 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }
 func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
 	// just check on the local interface
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
@@ -113,7 +114,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
@@ -159,7 +160,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 			t.Logf("  [%d] %s", i, rule)
 		}
-		var denyRuleIndex, acceptRuleIndex = -1, -1
+		var denyRuleIndex, acceptRuleIndex int = -1, -1
 		for i, rule := range rules {
 			if strings.Contains(rule, "DROP") {
 				t.Logf("Found DROP rule at index %d: %s", i, rule)
@@ -197,7 +198,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}
 	// just check on the local interface
-	manager, err := Create(mock, iface.DefaultMTU)
+	manager, err := Create(mock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
@@ -263,7 +264,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock, iface.DefaultMTU)
+			manager, err := Create(mock)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second)
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -10,7 +10,7 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/hashicorp/go-multierror"
-	ipset "github.com/lrh3321/ipset-go"
+	"github.com/nadoo/ipset"
 	log "github.com/sirupsen/logrus"
 	nberrors "github.com/netbirdio/netbird/client/errors"
@@ -19,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 // constants needed to manage and create iptable rules
@@ -30,22 +30,17 @@ const (
 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
 	chainFORWARD            = "FORWARD"
 	chainRTNAT              = "NETBIRD-RT-NAT"
 	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
 	chainNATOutput          = "NETBIRD-NAT-OUTPUT"
 	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
 	jumpNatOutput  = "jump-nat-output"
 	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
 	matchSet       = "--match-set"
@@ -53,9 +48,6 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"
 	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
 	ipTCPHeaderMinSize = 40
 )
 type ruleInfo struct {
@@ -85,18 +77,16 @@ type router struct {
 	ipsetCounter     *ipsetCounter
 	wgIface          iFaceMapper
 	legacyManagement bool
 	mtu              uint16
 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
 }
-func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
+func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
 	r := &router{
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
 		mtu:            mtu,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
@@ -109,6 +99,10 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint1
 		},
 	)
 	if err := ipset.Init(); err != nil {
 		return nil, fmt.Errorf("init ipset: %w", err)
 	}
 	return r, nil
 }
@@ -230,12 +224,12 @@ func (r *router) findSets(rule []string) []string {
 }
 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
-	if err := r.createIPSet(setName); err != nil {
+	if err := ipset.Create(setName, ipset.OptTimeout(0)); err != nil {
 		return fmt.Errorf("create set %s: %w", setName, err)
 	}
 	for _, prefix := range sources {
-		if err := r.addPrefixToIPSet(setName, prefix); err != nil {
+		if err := ipset.AddPrefix(setName, prefix); err != nil {
 			return fmt.Errorf("add element to set %s: %w", setName, err)
 		}
 	}
@@ -244,7 +238,7 @@ func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
 }
 func (r *router) deleteIpSet(setName string) error {
-	if err := r.destroyIPSet(setName); err != nil {
+	if err := ipset.Destroy(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
@@ -389,14 +383,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 	}
 	log.Debug("flushing routing related tables")
 	// Remove jump rules from built-in chains before deleting custom chains,
 	// otherwise the chain deletion fails with "device or resource busy".
 	jumpRule := []string{"-j", chainNATOutput}
 	if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
 		log.Debugf("clean OUTPUT jump rule: %v", err)
 	}
 	for _, chainInfo := range []struct {
 		chain string
 		table string
@@ -406,8 +392,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
 		{chainNATOutput, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
 		if err != nil {
@@ -432,7 +416,6 @@ func (r *router) createContainers() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
@@ -455,10 +438,6 @@ func (r *router) createContainers() error {
 		return fmt.Errorf("add jump rules: %w", err)
 	}
 	if err := r.addMSSClampingRules(); err != nil {
 		log.Errorf("failed to add MSS clamping rules: %s", err)
 	}
 	return nil
 }
@@ -539,35 +518,6 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
 // TODO: Add IPv6 support
 func (r *router) addMSSClampingRules() error {
 	mss := r.mtu - ipTCPHeaderMinSize
 	// Add jump rule from FORWARD chain in mangle table to our custom chain
 	jumpRule := []string{
 		"-j", chainRTMSSCLAMP,
 	}
 	if err := r.iptablesClient.Insert(tableMangle, chainFORWARD, 1, jumpRule...); err != nil {
 		return fmt.Errorf("add jump to MSS clamp chain: %w", err)
 	}
 	r.rules[jumpMSSClamp] = jumpRule
 	ruleOut := []string{
 		"-o", r.wgIface.Name(),
 		"-p", "tcp",
 		"--tcp-flags", "SYN,RST", "SYN",
 		"-j", "TCPMSS",
 		"--set-mss", fmt.Sprintf("%d", mss),
 	}
 	if err := r.iptablesClient.Append(tableMangle, chainRTMSSCLAMP, ruleOut...); err != nil {
 		return fmt.Errorf("add outbound MSS clamp rule: %w", err)
 	}
 	r.rules["mss-clamp-out"] = ruleOut
 	return nil
 }
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()
@@ -608,7 +558,7 @@ func (r *router) addJumpRules() error {
 }
 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre, jumpMSSClamp} {
+	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
 		if rule, exists := r.rules[ruleKey]; exists {
 			var table, chain string
 			switch ruleKey {
@@ -621,9 +571,6 @@ func (r *router) cleanJumpRules() error {
 			case jumpNatPre:
 				table = tableNat
 				chain = chainPREROUTING
 			case jumpMSSClamp:
 				table = tableMangle
 				chain = chainFORWARD
 			default:
 				return fmt.Errorf("unknown jump rule: %s", ruleKey)
 			}
@@ -922,8 +869,8 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
-		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
+		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
+			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
 		}
 	}
 	if merr == nil {
@@ -933,129 +880,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
 	}
 	dnatRule := []string{
 		"-i", r.wgIface.Name(),
 		"-p", strings.ToLower(string(protocol)),
 		"--dport", strconv.Itoa(int(sourcePort)),
 		"-d", localAddr.String(),
 		"-m", "addrtype", "--dst-type", "LOCAL",
 		"-j", "DNAT",
 		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
 	}
 	ruleInfo := ruleInfo{
 		table: tableNat,
 		chain: chainRTRDR,
 		rule:  dnatRule,
 	}
 	if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
 		return fmt.Errorf("add inbound DNAT rule: %w", err)
 	}
 	r.rules[ruleID] = ruleInfo.rule
 	r.updateState()
 	return nil
 }
 // RemoveInboundDNAT removes an inbound DNAT rule.
 func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if dnatRule, exists := r.rules[ruleID]; exists {
 		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
 			return fmt.Errorf("delete inbound DNAT rule: %w", err)
 		}
 		delete(r.rules, ruleID)
 	}
 	r.updateState()
 	return nil
 }
 // ensureNATOutputChain lazily creates the OUTPUT NAT chain and jump rule on first use.
 func (r *router) ensureNATOutputChain() error {
 	if _, exists := r.rules[jumpNatOutput]; exists {
 		return nil
 	}
 	chainExists, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput)
 	if err != nil {
 		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
 	}
 	if !chainExists {
 		if err := r.iptablesClient.NewChain(tableNat, chainNATOutput); err != nil {
 			return fmt.Errorf("create chain %s: %w", chainNATOutput, err)
 		}
 	}
 	jumpRule := []string{"-j", chainNATOutput}
 	if err := r.iptablesClient.Insert(tableNat, "OUTPUT", 1, jumpRule...); err != nil {
 		if !chainExists {
 			if delErr := r.iptablesClient.ClearAndDeleteChain(tableNat, chainNATOutput); delErr != nil {
 				log.Warnf("failed to rollback chain %s: %v", chainNATOutput, delErr)
 			}
 		}
 		return fmt.Errorf("add OUTPUT jump rule: %w", err)
 	}
 	r.rules[jumpNatOutput] = jumpRule
 	r.updateState()
 	return nil
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
 	}
 	if err := r.ensureNATOutputChain(); err != nil {
 		return err
 	}
 	dnatRule := []string{
 		"-p", strings.ToLower(string(protocol)),
 		"--dport", strconv.Itoa(int(sourcePort)),
 		"-d", localAddr.String(),
 		"-j", "DNAT",
 		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
 	}
 	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
 		return fmt.Errorf("add output DNAT rule: %w", err)
 	}
 	r.rules[ruleID] = dnatRule
 	r.updateState()
 	return nil
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if dnatRule, exists := r.rules[ruleID]; exists {
 		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
 			return fmt.Errorf("delete output DNAT rule: %w", err)
 		}
 		delete(r.rules, ruleID)
 	}
 	r.updateState()
 	return nil
 }
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil
@@ -1075,37 +899,3 @@ func applyPort(flag string, port *firewall.Port) []string {
 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }
 func (r *router) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
 	}
 	log.Debugf("created ipset %s with type hash:net", name)
 	return nil
 }
 func (r *router) addPrefixToIPSet(name string, prefix netip.Prefix) error {
 	addr := prefix.Addr()
 	ip := addr.AsSlice()
 	entry := &ipset.Entry{
 		IP:      ip,
 		CIDR:    uint8(prefix.Bits()),
 		Replace: true,
 	}
 	if err := ipset.Add(name, entry); err != nil {
 		return fmt.Errorf("add prefix to ipset %s: %w", name, err)
 	}
 	return nil
 }
 func (r *router) destroyIPSet(name string) error {
 	return ipset.Destroy(name)
 }
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -14,8 +14,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	"github.com/netbirdio/netbird/client/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 func isIptablesSupported() bool {
@@ -31,7 +30,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")
-	manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+	manager, err := newRouter(iptablesClient, ifaceMock)
 	require.NoError(t, err, "should return a valid iptables manager")
 	require.NoError(t, manager.init(nil))
@@ -39,6 +38,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		assert.NoError(t, manager.Reset(), "shouldn't return error")
 	}()
 	// Now 5 rules:
 	// 1. established rule forward in
 	// 2. estbalished rule forward out
 	// 3. jump rule to POST nat chain
@@ -48,9 +48,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 7. static return masquerade rule
 	// 8. mangle prerouting mark rule
 	// 9. mangle postrouting mark rule
-	// 10. jump rule to MSS clamping chain
+	require.Len(t, manager.rules, 9, "should have created rules map")
 	// 11. MSS clamping rule for outbound traffic
 	require.Len(t, manager.rules, 11, "should have created rules map")
 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -84,7 +82,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")
-			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+			manager, err := newRouter(iptablesClient, ifaceMock)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
@@ -157,7 +155,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+			manager, err := newRouter(iptablesClient, ifaceMock)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
@@ -219,7 +217,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "Failed to create iptables client")
-	r, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+	r, err := newRouter(iptablesClient, ifaceMock)
 	require.NoError(t, err, "Failed to create router manager")
 	require.NoError(t, r.init(nil))
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -4,14 +4,13 @@ import (
 	"fmt"
 	"sync"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 type InterfaceState struct {
-	NameStr   string         `json:"name"`
+	NameStr       string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	UserspaceBind bool           `json:"userspace_bind"`
 }
 func (i *InterfaceState) Name() string {
@@ -22,6 +21,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }
 func (i *InterfaceState) IsUserspaceBind() bool {
 	return i.UserspaceBind
 }
 type ShutdownState struct {
 	sync.Mutex
@@ -39,11 +42,7 @@ func (s *ShutdownState) Name() string {
 }
 func (s *ShutdownState) Cleanup() error {
-	mtu := s.InterfaceState.MTU
+	ipt, err := Create(s.InterfaceState)
 	if mtu == 0 {
 		mtu = iface.DefaultMTU
 	}
 	ipt, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create iptables manager: %w", err)
 	}
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -100,9 +100,6 @@ type Manager interface {
 	//
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
 	//
 	// Note: Callers should call Flush() after adding rules to ensure
 	// they are applied to the kernel and rule handles are refreshed.
 	AddPeerFiltering(
 		id []byte,
 		ip net.IP,
@@ -154,32 +151,14 @@ type Manager interface {
 	DisableRouting() error
-	// AddDNATRule adds outbound DNAT rule for forwarding external traffic to the NetBird network.
+	// AddDNATRule adds a DNAT rule
 	AddDNATRule(ForwardRule) (Rule, error)
-	// DeleteDNATRule deletes the outbound DNAT rule.
+	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error
 	// UpdateSet updates the set with the given prefixes
 	UpdateSet(hash Set, prefixes []netip.Prefix) error
 	// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
 	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// RemoveInboundDNAT removes inbound DNAT rule
 	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
 	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
 	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
 	// This prevents conntrack from interfering with WireGuard proxy communication.
 	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
 }
 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
@@ -16,7 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 const (
@@ -29,6 +29,8 @@ const (
 	chainNameForwardFilter     = "netbird-acl-forward-filter"
 	chainNameManglePrerouting  = "netbird-mangle-prerouting"
 	chainNameManglePostrouting = "netbird-mangle-postrouting"
 	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
 const flushError = "flush: %w"
@@ -193,6 +195,25 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 // createDefaultAllowRules creates default allow rules for the input and output chains
 func (m *AclManager) createDefaultAllowRules() error {
 	expIn := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       12,
 			Len:          4,
 		},
 		// mask
 		&expr.Bitwise{
 			SourceRegister: 1,
 			DestRegister:   1,
 			Len:            4,
 			Mask:           []byte{0, 0, 0, 0},
 			Xor:            []byte{0, 0, 0, 0},
 		},
 		// net address
 		&expr.Cmp{
 			Register: 1,
 			Data:     []byte{0, 0, 0, 0},
 		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
 		},
@@ -237,7 +258,7 @@ func (m *AclManager) addIOFiltering(
 	action firewall.Action,
 	ipset *nftables.Set,
 ) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, proto, sPort, dPort, action, ipset)
+	ruleId := generatePeerRuleId(ip, sPort, dPort, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
 			nftRule:    r.nftRule,
@@ -336,12 +357,11 @@ func (m *AclManager) addIOFiltering(
 	}
 	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush input rule %s: %v", ruleId, err)
+		return nil, fmt.Errorf(flushError, err)
 	}
 	ruleStruct := &Rule{
-		nftRule: nftRule,
+		nftRule:    nftRule,
 		// best effort mangle rule
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
@@ -400,19 +420,12 @@ func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byt
 		},
 	)
-	nfRule := m.rConn.AddRule(&nftables.Rule{
+	return m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    m.chainPrerouting,
 		Exprs:    preroutingExprs,
 		UserData: userData,
 	})
 	if err := m.rConn.Flush(); err != nil {
 		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
 		return nil
 	}
 	return nfRule
 }
 func (m *AclManager) createDefaultChains() (err error) {
@@ -684,8 +697,8 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) erro
 	return nil
 }
-func generatePeerRuleId(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
+func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":" + string(proto) + ":"
+	rulesetID := ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
 	}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -1,18 +1,17 @@
 package nftables
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"os"
 	"sync"
 	"github.com/google/nftables"
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -20,26 +19,18 @@ import (
 )
 const (
-	// tableNameNetbird is the default name of the table that is used for filtering by the Netbird client
+	// tableNameNetbird is the name of the table that is used for filtering by the Netbird client
 	tableNameNetbird = "netbird"
 	// envTableName is the environment variable to override the table name
 	envTableName = "NB_NFTABLES_TABLE"
 	tableNameFilter = "filter"
 	chainNameInput  = "INPUT"
 )
 func getTableName() string {
 	if name := os.Getenv(envTableName); name != "" {
 		return name
 	}
 	return tableNameNetbird
 }
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
 	IsUserspaceBind() bool
 }
 // Manager of iptables firewall
@@ -48,23 +39,21 @@ type Manager struct {
 	rConn   *nftables.Conn
 	wgIface iFaceMapper
-	router                 *router
+	router     *router
-	aclManager             *AclManager
+	aclManager *AclManager
 	notrackOutputChain     *nftables.Chain
 	notrackPreroutingChain *nftables.Chain
 }
 // Create nftables firewall manager
-func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
+func Create(wgIface iFaceMapper) (*Manager, error) {
 	m := &Manager{
 		rConn:   &nftables.Conn{},
 		wgIface: wgIface,
 	}
-	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
+	workTable := &nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4}
 	var err error
-	m.router, err = newRouter(workTable, wgIface, mtu)
+	m.router, err = newRouter(workTable, wgIface)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -93,10 +82,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("acl manager init: %w", err)
 	}
 	if err := m.initNoTrackChains(workTable); err != nil {
 		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
 	}
 	stateManager.RegisterState(&ShutdownState{})
 	// We only need to record minimal interface state for potential recreation.
@@ -105,9 +90,9 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
+			NameStr:       m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
+			WGAddress:     m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -203,18 +188,53 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	return m.router.RemoveNatRule(pair)
 }
-// AllowNetbird allows netbird interface traffic.
+// AllowNetbird allows netbird interface traffic
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
 	if !m.wgIface.IsUserspaceBind() {
 		return nil
 	}
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	if err := m.aclManager.createDefaultAllowRules(); err != nil {
+	err := m.aclManager.createDefaultAllowRules()
-		return fmt.Errorf("create default allow rules: %w", err)
+	if err != nil {
 		return fmt.Errorf("failed to create default allow rules: %v", err)
 	}
-	if err := m.rConn.Flush(); err != nil {
+
-		return fmt.Errorf("flush allow input netbird rules: %w", err)
+	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list of chains: %w", err)
 	}
 	var chain *nftables.Chain
 	for _, c := range chains {
 		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
 			chain = c
 			break
 		}
 	}
 	if chain == nil {
 		log.Debugf("chain INPUT not found. Skipping add allow netbird rule")
 		return nil
 	}
 	rules, err := m.rConn.GetRules(chain.Table, chain)
 	if err != nil {
 		return fmt.Errorf("failed to get rules for the INPUT chain: %v", err)
 	}
 	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
 		log.Debugf("allow netbird rule already exists: %v", rule)
 		return nil
 	}
 	m.applyAllowNetbirdRules(chain)
 	err = m.rConn.Flush()
 	if err != nil {
 		return fmt.Errorf("failed to flush allow input netbird rules: %v", err)
 	}
 	return nil
@@ -230,6 +250,10 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	if err := m.resetNetbirdInputRules(); err != nil {
 		return fmt.Errorf("reset netbird input rules: %v", err)
 	}
 	if err := m.router.Reset(); err != nil {
 		return fmt.Errorf("reset router: %v", err)
 	}
@@ -249,15 +273,49 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nil
 }
 func (m *Manager) resetNetbirdInputRules() error {
 	chains, err := m.rConn.ListChains()
 	if err != nil {
 		return fmt.Errorf("list chains: %w", err)
 	}
 	m.deleteNetbirdInputRules(chains)
 	return nil
 }
 func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
 	for _, c := range chains {
 		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
 			rules, err := m.rConn.GetRules(c.Table, c)
 			if err != nil {
 				log.Errorf("get rules for chain %q: %v", c.Name, err)
 				continue
 			}
 			m.deleteMatchingRules(rules)
 		}
 	}
 }
 func (m *Manager) deleteMatchingRules(rules []*nftables.Rule) {
 	for _, r := range rules {
 		if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
 			if err := m.rConn.DelRule(r); err != nil {
 				log.Errorf("delete rule: %v", err)
 			}
 		}
 	}
 }
 func (m *Manager) cleanupNetbirdTables() error {
 	tables, err := m.rConn.ListTables()
 	if err != nil {
 		return fmt.Errorf("list tables: %w", err)
 	}
 	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableName {
+		if t.Name == tableNameNetbird {
 			m.rConn.DelTable(t)
 		}
 	}
@@ -291,15 +349,7 @@ func (m *Manager) Flush() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	if err := m.aclManager.Flush(); err != nil {
+	return m.aclManager.Flush()
 		return err
 	}
 	if err := m.refreshNoTrackChains(); err != nil {
 		log.Errorf("failed to refresh notrack chains: %v", err)
 	}
 	return nil
 }
 // AddDNATRule adds a DNAT rule
@@ -326,226 +376,61 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveInboundDNAT removes an inbound DNAT rule.
 func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 const (
 	chainNameRawOutput     = "netbird-raw-out"
 	chainNameRawPrerouting = "netbird-raw-pre"
 )
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 // This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
 // can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
 //
 // Traffic flows that need NOTRACK:
 //
 //  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
 //     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
 //     Matched by: sport=wgPort
 //
 //  2. Egress: Proxy -> WireGuard (via raw socket)
 //     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  3. Ingress: Packets to WireGuard
 //     dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  4. Ingress: Packets to proxy (after eBPF rewrite)
 //     dst=127.0.0.1:proxyPort
 //     Matched by: dport=proxyPort
 //
 // Rules are cleaned up when the firewall manager is closed.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	if m.notrackOutputChain == nil || m.notrackPreroutingChain == nil {
 		return fmt.Errorf("notrack chains not initialized")
 	}
 	proxyPortBytes := binaryutil.BigEndian.PutUint16(proxyPort)
 	wgPortBytes := binaryutil.BigEndian.PutUint16(wgPort)
 	loopback := []byte{127, 0, 0, 1}
 	// Egress rules: match outgoing loopback UDP packets
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackOutputChain.Table,
 		Chain: m.notrackOutputChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 0, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // sport=wgPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackOutputChain.Table,
 		Chain: m.notrackOutputChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	// Ingress rules: match incoming loopback UDP packets
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackPreroutingChain.Table,
 		Chain: m.notrackPreroutingChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackPreroutingChain.Table,
 		Chain: m.notrackPreroutingChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: proxyPortBytes}, // dport=proxyPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush notrack rules: %w", err)
 	}
 	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
 	return nil
 }
 func (m *Manager) initNoTrackChains(table *nftables.Table) error {
 	m.notrackOutputChain = m.rConn.AddChain(&nftables.Chain{
 		Name:     chainNameRawOutput,
 		Table:    table,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookOutput,
 		Priority: nftables.ChainPriorityRaw,
 	})
 	m.notrackPreroutingChain = m.rConn.AddChain(&nftables.Chain{
 		Name:     chainNameRawPrerouting,
 		Table:    table,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookPrerouting,
 		Priority: nftables.ChainPriorityRaw,
 	})
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush chain creation: %w", err)
 	}
 	return nil
 }
 func (m *Manager) refreshNoTrackChains() error {
 	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list chains: %w", err)
 	}
 	tableName := getTableName()
 	for _, c := range chains {
 		if c.Table.Name != tableName {
 			continue
 		}
 		switch c.Name {
 		case chainNameRawOutput:
 			m.notrackOutputChain = c
 		case chainNameRawPrerouting:
 			m.notrackPreroutingChain = c
 		}
 	}
 	return nil
 }
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
 	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableName {
+		if t.Name == tableNameNetbird {
 			m.rConn.DelTable(t)
 		}
 	}
-	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }
 func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
 	rule := &nftables.Rule{
 		Table: chain.Table,
 		Chain: chain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{
 				Op:       expr.CmpOpEq,
 				Register: 1,
 				Data:     ifname(m.wgIface.Name()),
 			},
 			&expr.Verdict{
 				Kind: expr.VerdictAccept,
 			},
 		},
 		UserData: []byte(allowNetbirdInputRuleID),
 	}
 	_ = m.rConn.InsertRule(rule)
 }
 func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
 	ifName := ifname(m.wgIface.Name())
 	for _, rule := range existedRules {
 		if rule.Table.Name == tableNameFilter && rule.Chain.Name == chainNameInput {
 			if len(rule.Exprs) < 4 {
 				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
 					continue
 				}
 				if e, ok := rule.Exprs[1].(*expr.Cmp); !ok || e.Op != expr.CmpOpEq || !bytes.Equal(e.Data, ifName) {
 					continue
 				}
 				return rule
 			}
 		}
 	}
 	return nil
 }
 func insertReturnTrafficRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain) {
 	rule := &nftables.Rule{
 		Table: table,
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -16,7 +16,6 @@ import (
 	"golang.org/x/sys/unix"
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -52,10 +51,12 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }
 func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestNftablesManager(t *testing.T) {
 	// just check on the local interface
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	time.Sleep(time.Second * 3)
@@ -167,7 +168,7 @@ func TestNftablesManager(t *testing.T) {
 func TestNftablesManagerRuleOrder(t *testing.T) {
 	// This test verifies rule insertion order in nftables peer ACLs
 	// We add accept rule first, then deny rule to test ordering behavior
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
@@ -196,7 +197,7 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 	t.Logf("Found %d rules in nftables chain", len(rules))
 	// Find the accept and deny rules and verify deny comes before accept
-	var acceptRuleIndex, denyRuleIndex = -1, -1
+	var acceptRuleIndex, denyRuleIndex int = -1, -1
 	for i, rule := range rules {
 		hasAcceptHTTPSet := false
 		hasDenyHTTPSet := false
@@ -206,13 +207,11 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 		for _, e := range rule.Exprs {
 			// Check for set lookup
 			if lookup, ok := e.(*expr.Lookup); ok {
-				switch lookup.SetName {
+				if lookup.SetName == "accept-http" {
 				case "accept-http":
 					hasAcceptHTTPSet = true
-				case "deny-http":
+				} else if lookup.SetName == "deny-http" {
 					hasDenyHTTPSet = true
 				}
 			}
 			// Check for port 80
 			if cmp, ok := e.(*expr.Cmp); ok {
@@ -222,10 +221,9 @@ func TestNftablesManagerRuleOrder(t *testing.T) {
 			}
 			// Check for verdict
 			if verdict, ok := e.(*expr.Verdict); ok {
-				switch verdict.Kind {
+				if verdict.Kind == expr.VerdictAccept {
 				case expr.VerdictAccept:
 					action = "ACCEPT"
-				case expr.VerdictDrop:
+				} else if verdict.Kind == expr.VerdictDrop {
 					action = "DROP"
 				}
 			}
@@ -263,7 +261,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock, iface.DefaultMTU)
+			manager, err := Create(mock)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second * 3)
@@ -347,7 +345,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))
@@ -387,97 +385,6 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	verifyIptablesOutput(t, stdout, stderr)
 }
 func TestNftablesManagerCompatibilityWithIptablesFor6kPrefixes(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	if _, err := exec.LookPath("iptables-save"); err != nil {
 		t.Skipf("iptables-save not available on this system: %v", err)
 	}
 	// First ensure iptables-nft tables exist by running iptables-save
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))
 	t.Cleanup(func() {
 		err := manager.Close(nil)
 		require.NoError(t, err, "failed to reset manager state")
 		// Verify iptables output after reset
 		stdout, stderr := runIptablesSave(t)
 		verifyIptablesOutput(t, stdout, stderr)
 	})
 	const octet2Count = 25
 	const octet3Count = 255
 	prefixes := make([]netip.Prefix, 0, (octet2Count-1)*(octet3Count-1))
 	for i := 1; i < octet2Count; i++ {
 		for j := 1; j < octet3Count; j++ {
 			addr := netip.AddrFrom4([4]byte{192, byte(j), byte(i), 0})
 			prefixes = append(prefixes, netip.PrefixFrom(addr, 24))
 		}
 	}
 	_, err = manager.AddRouteFiltering(
 		nil,
 		prefixes,
 		fw.Network{Prefix: netip.MustParsePrefix("10.2.0.0/24")},
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err, "failed to add route filtering rule")
 	stdout, stderr = runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 }
 func TestNftablesManagerCompatibilityWithIptablesForEmptyPrefixes(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	if _, err := exec.LookPath("iptables-save"); err != nil {
 		t.Skipf("iptables-save not available on this system: %v", err)
 	}
 	// First ensure iptables-nft tables exist by running iptables-save
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))
 	t.Cleanup(func() {
 		err := manager.Close(nil)
 		require.NoError(t, err, "failed to reset manager state")
 		// Verify iptables output after reset
 		stdout, stderr := runIptablesSave(t)
 		verifyIptablesOutput(t, stdout, stderr)
 	})
 	_, err = manager.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{},
 		fw.Network{Prefix: netip.MustParsePrefix("10.2.0.0/24")},
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err, "failed to add route filtering rule")
 	stdout, stderr = runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 }
 func compareExprsIgnoringCounters(t *testing.T, got, want []expr.Any) {
 	t.Helper()
 	require.Equal(t, len(got), len(want), "expression count mismatch")
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -17,8 +17,6 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 )
 const (
@@ -38,7 +36,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
 			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock, iface.DefaultMTU)
+			manager, err := Create(ifaceMock)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -127,7 +125,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock, iface.DefaultMTU)
+			manager, err := Create(ifaceMock)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -199,7 +197,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	defer deleteWorkTable()
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	r, err := newRouter(workTable, ifaceMock)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
@@ -366,7 +364,7 @@ func TestNftablesCreateIpSet(t *testing.T) {
 	defer deleteWorkTable()
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	r, err := newRouter(workTable, ifaceMock)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
@@ -720,137 +718,3 @@ func deleteWorkTable() {
 		}
 	}
 }
 func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	workTable, err := createWorkTable()
 	require.NoError(t, err)
 	defer deleteWorkTable()
 	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, r.init(workTable))
 	defer func() { require.NoError(t, r.Reset()) }()
 	// Add a real rule to the kernel
 	ruleKey, err := r.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
 		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
 		firewall.ProtocolTCP,
 		nil,
 		&firewall.Port{Values: []uint16{80}},
 		firewall.ActionAccept,
 	)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, r.DeleteRouteRule(ruleKey))
 	})
 	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
 	staleKey := "stale-rule-that-does-not-exist"
 	r.rules[staleKey] = &nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
 		Handle:   0,
 		UserData: []byte(staleKey),
 	}
 	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
 	err = r.refreshRulesMap()
 	require.NoError(t, err)
 	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
 	realRule, ok := r.rules[ruleKey.ID()]
 	assert.True(t, ok, "real rule should still exist after refresh")
 	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
 }
 func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	workTable, err := createWorkTable()
 	require.NoError(t, err)
 	defer deleteWorkTable()
 	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, r.init(workTable))
 	defer func() { require.NoError(t, r.Reset()) }()
 	// Inject a stale entry with Handle=0
 	staleKey := "stale-route-rule"
 	r.rules[staleKey] = &nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
 		Handle:   0,
 		UserData: []byte(staleKey),
 	}
 	// DeleteRouteRule should not return an error for stale handles
 	err = r.DeleteRouteRule(id.RuleID(staleKey))
 	assert.NoError(t, err, "deleting a stale rule should not error")
 	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
 }
 func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	pair := firewall.RouterPair{
 		ID:          "staletest",
 		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
 		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
 		Masquerade:  true,
 	}
 	rtr := manager.router
 	// First add succeeds
 	err = rtr.AddNatRule(pair)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, rtr.RemoveNatRule(pair))
 	})
 	// Corrupt the handle to simulate stale state
 	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
 	if rule, exists := rtr.rules[natRuleKey]; exists {
 		rule.Handle = 0
 	}
 	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
 	if rule, exists := rtr.rules[inverseKey]; exists {
 		rule.Handle = 0
 	}
 	// Adding the same rule again should succeed despite stale handles
 	err = rtr.AddNatRule(pair)
 	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
 	// Verify rules exist in kernel
 	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
 	require.NoError(t, err)
 	found := 0
 	for _, rule := range rules {
 		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
 			found++
 		}
 	}
 	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
 }
--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -3,14 +3,13 @@ package nftables
 import (
 	"fmt"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 type InterfaceState struct {
-	NameStr   string         `json:"name"`
+	NameStr       string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	UserspaceBind bool           `json:"userspace_bind"`
 }
 func (i *InterfaceState) Name() string {
@@ -21,6 +20,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }
 func (i *InterfaceState) IsUserspaceBind() bool {
 	return i.UserspaceBind
 }
 type ShutdownState struct {
 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
 }
@@ -30,11 +33,7 @@ func (s *ShutdownState) Name() string {
 }
 func (s *ShutdownState) Cleanup() error {
-	mtu := s.InterfaceState.MTU
+	nft, err := Create(s.InterfaceState)
 	if mtu == 0 {
 		mtu = iface.DefaultMTU
 	}
 	nft, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create nftables manager: %w", err)
 	}
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,6 +3,12 @@
 package uspfilter
 import (
 	"context"
 	"net/netip"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -11,7 +17,33 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
 	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
 		fwder.Stop()
 	}
 	if m.logger != nil {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		if err := m.logger.Stop(ctx); err != nil {
 			log.Errorf("failed to shutdown logger: %v", err)
 		}
 	}
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -1,9 +1,12 @@
 package uspfilter
 import (
 	"context"
 	"fmt"
 	"net/netip"
 	"os/exec"
 	"syscall"
 	"time"
 	log "github.com/sirupsen/logrus"
@@ -23,7 +26,33 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	m.resetState()
+	m.outgoingRules = make(map[netip.Addr]RuleSet)
 	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
 		fwder.Stop()
 	}
 	if m.logger != nil {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		if err := m.logger.Stop(ctx); err != nil {
 			log.Errorf("failed to shutdown logger: %v", err)
 		}
 	}
 	if !isWindowsFirewallReachable() {
 		return nil
--- a/client/firewall/uspfilter/common/hooks.go
+++ b/client/firewall/uspfilter/common/hooks.go
@@ -1,37 +0,0 @@
 package common
 import (
 	"net/netip"
 	"sync/atomic"
 )
 // PacketHook stores a registered hook for a specific IP:port.
 type PacketHook struct {
 	IP   netip.Addr
 	Port uint16
 	Fn   func([]byte) bool
 }
 // HookMatches checks if a packet's destination matches the hook and invokes it.
 func HookMatches(h *PacketHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
 	if h == nil {
 		return false
 	}
 	if h.IP == dstIP && h.Port == dport {
 		return h.Fn(packetData)
 	}
 	return false
 }
 // SetHook atomically stores a hook, handling nil removal.
 func SetHook(ptr *atomic.Pointer[PacketHook], ip netip.Addr, dPort uint16, hook func([]byte) bool) {
 	if hook == nil {
 		ptr.Store(nil)
 		return
 	}
 	ptr.Store(&PacketHook{
 		IP:   ip,
 		Port: dPort,
 		Fn:   hook,
 	})
 }
--- a/client/firewall/uspfilter/conntrack/common.go
+++ b/client/firewall/uspfilter/conntrack/common.go
@@ -22,8 +22,6 @@ type BaseConnTrack struct {
 	PacketsRx atomic.Uint64
 	BytesTx   atomic.Uint64
 	BytesRx   atomic.Uint64
 	DNATOrigPort atomic.Uint32
 }
 // these small methods will be inlined by the compiler
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -115,17 +115,6 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }
 // IsSupersededBy returns true if this connection should be replaced by a new one
 // carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
 // connections are superseded by a pure SYN (a new connection attempt for the same
 // four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
 func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
 	if t.tombstone.Load() {
 		return true
 	}
 	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
 }
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -168,7 +157,7 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }
-func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -180,32 +169,30 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
-	if exists && !conn.IsSupersededBy(flags) {
+	if exists {
 		t.updateState(key, conn, flags, direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}
-	return key, 0, false
+	return key, false
 }
-// TrackOutbound records an outbound TCP connection and returns the original port if DNAT reversal is needed
+// TrackOutbound records an outbound TCP connection
-func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) uint16 {
+func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) {
-	if _, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); exists {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); !exists {
-		return origPort
+		// if (inverted direction) conn is not tracked, track this direction
 		t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size)
 	}
 	// if (inverted direction) conn is not tracked, track this direction
 	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size, 0)
 	return 0
 }
 // TrackInbound processes an inbound TCP packet and updates connection state
-func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int, dnatOrigPort uint16) {
+func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int) {
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size, dnatOrigPort)
+	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size)
 }
 // track is the common implementation for tracking both inbound and outbound connections
-func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
+func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
@@ -223,13 +210,8 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 	conn.tombstone.Store(false)
 	conn.state.Store(int32(TCPStateNew))
 	conn.DNATOrigPort.Store(uint32(origPort))
-	if origPort != 0 {
+	t.logger.Trace2("New %s TCP connection: %s", direction, key)
 		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
 	} else {
 		t.logger.Trace2("New %s TCP connection: %s", direction, key)
 	}
 	t.updateState(key, conn, flags, direction, size)
 	t.mutex.Lock()
@@ -252,7 +234,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
-	if !exists || conn.IsSupersededBy(flags) {
+	if !exists || conn.IsTombstone() {
 		return false
 	}
@@ -467,21 +449,6 @@ func (t *TCPTracker) cleanup() {
 	}
 }
 // GetConnection safely retrieves a connection state
 func (t *TCPTracker) GetConnection(srcIP netip.Addr, srcPort uint16, dstIP netip.Addr, dstPort uint16) (*TCPConnTrack, bool) {
 	t.mutex.RLock()
 	defer t.mutex.RUnlock()
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
 		SrcPort: srcPort,
 		DstPort: dstPort,
 	}
 	conn, exists := t.connections[key]
 	return conn, exists
 }
 // Close stops the cleanup routine and releases resources
 func (t *TCPTracker) Close() {
 	t.tickerCancel()
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -485,261 +485,6 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }
 // TestTCPPortReuseTombstone verifies that a new connection on a port with a
 // tombstoned (closed) conntrack entry is properly tracked. Without the fix,
 // updateIfExists treats tombstoned entries as live, causing track() to skip
 // creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
 // because the entry is tombstoned, and the response packet gets dropped by ACL.
 func TestTCPPortReuseTombstone(t *testing.T) {
 	srcIP := netip.MustParseAddr("100.64.0.1")
 	dstIP := netip.MustParseAddr("100.64.0.2")
 	srcPort := uint16(12345)
 	dstPort := uint16(80)
 	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and gracefully close a connection (server-initiated close)
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		// Server sends FIN
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		require.True(t, valid)
 		// Client sends FIN-ACK
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		// Server sends final ACK
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.True(t, valid)
 		// Connection should be tombstoned
 		conn := tracker.connections[key]
 		require.NotNil(t, conn, "old connection should still be in map")
 		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
 		// Now reuse the same port for a new connection
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
 		// The old tombstoned entry should be replaced with a new one
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn, "new connection should exist")
 		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
 		require.Equal(t, TCPStateSynSent, newConn.GetState())
 		// SYN-ACK for the new connection should be valid
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
 		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
 		require.Equal(t, TCPStateEstablished, newConn.GetState())
 		// Data transfer should work
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
 		require.True(t, valid, "data should be allowed on new connection")
 	})
 	t.Run("Outbound port reuse after RST", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and RST a connection
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
 		require.True(t, valid)
 		conn := tracker.connections[key]
 		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
 		// Reuse the same port
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn)
 		require.False(t, newConn.IsTombstone())
 		require.Equal(t, TCPStateSynSent, newConn.GetState())
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
 		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
 	})
 	t.Run("Inbound port reuse after close", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		clientIP := srcIP
 		serverIP := dstIP
 		clientPort := srcPort
 		serverPort := dstPort
 		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
 		// Inbound connection: client SYN → server SYN-ACK → client ACK
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateEstablished, conn.GetState())
 		// Server-initiated close to reach Closed/tombstoned:
 		// Server FIN (opposite dir) → CloseWait
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
 		require.Equal(t, TCPStateCloseWait, conn.GetState())
 		// Client FIN-ACK (same dir as conn) → LastAck
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
 		require.Equal(t, TCPStateLastAck, conn.GetState())
 		// Server final ACK (opposite dir) → Closed → tombstoned
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
 		require.True(t, conn.IsTombstone())
 		// New inbound connection on same ports
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn)
 		require.False(t, newConn.IsTombstone())
 		require.Equal(t, TCPStateSynReceived, newConn.GetState())
 		// Complete handshake: server SYN-ACK, then client ACK
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
 		require.Equal(t, TCPStateEstablished, newConn.GetState())
 	})
 	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
 		conn := tracker.connections[key]
 		require.True(t, conn.IsTombstone())
 		// Late ACK should be rejected (tombstoned)
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
 		// Late outbound ACK should not create a new connection (not a SYN)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
 	})
 }
 func TestTCPPortReuseTimeWait(t *testing.T) {
 	srcIP := netip.MustParseAddr("100.64.0.1")
 	dstIP := netip.MustParseAddr("100.64.0.2")
 	srcPort := uint16(12345)
 	dstPort := uint16(80)
 	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish connection
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		// Active close: client (outbound initiator) sends FIN first
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateFinWait1, conn.GetState())
 		// Server ACKs the FIN
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.True(t, valid)
 		require.Equal(t, TCPStateFinWait2, conn.GetState())
 		// Server sends its own FIN
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		require.True(t, valid)
 		require.Equal(t, TCPStateTimeWait, conn.GetState())
 		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
 		// New outbound SYN on the same port (port reuse during TIME-WAIT)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
 		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn, "new connection should exist")
 		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
 		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
 		// SYN-ACK for new connection should be valid
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
 		require.True(t, valid, "SYN-ACK for new connection should be accepted")
 		require.Equal(t, TCPStateEstablished, newConn.GetState())
 	})
 	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish outbound connection and close via active close → TIME-WAIT
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateTimeWait, conn.GetState())
 		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
 		// so the filter falls through to ACL check + TrackInbound (which creates
 		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
 		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
 		// Simulate what the filter does next: TrackInbound via the normal path
 		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
 		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
 		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
 		newConn := tracker.connections[invertedKey]
 		require.NotNil(t, newConn, "new inbound connection should be tracked")
 		require.Equal(t, TCPStateSynReceived, newConn.GetState())
 		require.False(t, newConn.IsTombstone())
 	})
 	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and active close → TIME-WAIT
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateTimeWait, conn.GetState())
 		// Late ACK retransmits during TIME-WAIT should still be accepted
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
 	})
 }
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond
@@ -858,7 +603,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	serverPort := uint16(80)
 	// 1. Client sends SYN (we receive it as inbound)
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100)
 	key := ConnKey{
 		SrcIP:   clientIP,
@@ -878,12 +623,12 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
 	// 3. Client sends ACK to complete handshake
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
 	require.Equal(t, TCPStateEstablished, conn.GetState(), "Connection should be ESTABLISHED after handshake completion")
 	// 4. Test data transfer
 	// Client sends data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000)
 	// Server sends ACK for data
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
@@ -892,7 +637,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPPush|TCPAck, 1500)
 	// Client sends ACK for data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
 	// Verify state and counters
 	require.Equal(t, TCPStateEstablished, conn.GetState())
--- a/client/firewall/uspfilter/conntrack/udp.go
+++ b/client/firewall/uspfilter/conntrack/udp.go
@@ -58,23 +58,20 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }
-// TrackOutbound records an outbound UDP connection and returns the original port if DNAT reversal is needed
+// TrackOutbound records an outbound UDP connection
-func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) uint16 {
+func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) {
-	_, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size)
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size); !exists {
-	if exists {
+		// if (inverted direction) conn is not tracked, track this direction
-		return origPort
+		t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size)
 	}
 	// if (inverted direction) conn is not tracked, track this direction
 	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size, 0)
 	return 0
 }
 // TrackInbound records an inbound UDP connection
-func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int, dnatOrigPort uint16) {
+func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int) {
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size, dnatOrigPort)
+	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size)
 }
-func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -89,15 +86,15 @@ func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	if exists {
 		conn.UpdateLastSeen()
 		conn.UpdateCounters(direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}
-	return key, 0, false
+	return key, false
 }
 // track is the common implementation for tracking both inbound and outbound connections
-func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
+func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
 	if exists {
 		return
 	}
@@ -112,7 +109,6 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 		SourcePort: srcPort,
 		DestPort:   dstPort,
 	}
 	conn.DNATOrigPort.Store(uint32(origPort))
 	conn.UpdateLastSeen()
 	conn.UpdateCounters(direction, size)
@@ -120,11 +116,7 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	t.connections[key] = conn
 	t.mutex.Unlock()
-	if origPort != 0 {
+	t.logger.Trace2("New %s UDP connection: %s", direction, key)
 		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
 	} else {
 		t.logger.Trace2("New %s UDP connection: %s", direction, key)
 	}
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,8 +1,6 @@
 package uspfilter
 import (
 	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"net"
@@ -13,13 +11,11 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -27,23 +23,11 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
-const (
+const layerTypeAll = 0
 	layerTypeAll = 255
 	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
 	ipTCPHeaderMinSize = 40
 )
 // serviceKey represents a protocol/port combination for netstack service registry
 type serviceKey struct {
 	protocol gopacket.LayerType
 	port     uint16
 }
 const (
 	// EnvDisableConntrack disables the stateful filter, replies to outbound traffic won't be allowed.
@@ -52,9 +36,6 @@ const (
 	// EnvDisableUserspaceRouting disables userspace routing, to-be-routed packets will be dropped.
 	EnvDisableUserspaceRouting = "NB_DISABLE_USERSPACE_ROUTING"
 	// EnvDisableMSSClamping disables TCP MSS clamping for forwarded traffic.
 	EnvDisableMSSClamping = "NB_DISABLE_MSS_CLAMPING"
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
@@ -93,7 +74,6 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
 	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -129,21 +109,6 @@ type Manager struct {
 	dnatMappings map[netip.Addr]netip.Addr
 	dnatMutex    sync.RWMutex
 	dnatBiMap    *biDNATMap
 	portDNATEnabled atomic.Bool
 	portDNATRules   []portDNATRule
 	portDNATMutex   sync.RWMutex
 	netstackServices     map[serviceKey]struct{}
 	netstackServiceMutex sync.RWMutex
 	mtu             uint16
 	mssClampValue   uint16
 	mssClampEnabled bool
 	// Only one hook per protocol is supported. Outbound direction only.
 	udpHookOut atomic.Pointer[common.PacketHook]
 	tcpHookOut atomic.Pointer[common.PacketHook]
 }
 // decoder for packages
@@ -157,21 +122,19 @@ type decoder struct {
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
 	parser  *gopacket.DecodingLayerParser
 	dnatOrigPort uint16
 }
 // Create userspace firewall manager constructor
-func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
+	return create(iface, nil, disableServerRoutes, flowLogger)
 }
-func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
 	if nativeFirewall == nil {
 		return nil, errors.New("native firewall is nil")
 	}
-	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger, mtu)
+	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger)
 	if err != nil {
 		return nil, err
 	}
@@ -179,8 +142,8 @@ func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.
 	return mgr, nil
 }
-func parseCreateEnv() (bool, bool, bool) {
+func parseCreateEnv() (bool, bool) {
-	var disableConntrack, enableLocalForwarding, disableMSSClamping bool
+	var disableConntrack, enableLocalForwarding bool
 	var err error
 	if val := os.Getenv(EnvDisableConntrack); val != "" {
 		disableConntrack, err = strconv.ParseBool(val)
@@ -199,18 +162,12 @@ func parseCreateEnv() (bool, bool, bool) {
 			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
 		}
 	}
 	if val := os.Getenv(EnvDisableMSSClamping); val != "" {
 		disableMSSClamping, err = strconv.ParseBool(val)
 		if err != nil {
 			log.Warnf("failed to parse %s: %v", EnvDisableMSSClamping, err)
 		}
 	}
-	return disableConntrack, enableLocalForwarding, disableMSSClamping
+	return disableConntrack, enableLocalForwarding
 }
-func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	disableConntrack, enableLocalForwarding, disableMSSClamping := parseCreateEnv()
+	disableConntrack, enableLocalForwarding := parseCreateEnv()
 	m := &Manager{
 		decoders: sync.Pool{
@@ -238,21 +195,14 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
 		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
 		mtu:                 mtu,
 	}
 	m.routingEnabled.Store(false)
 	if !disableMSSClamping {
 		m.mssClampEnabled = true
 		m.mssClampValue = mtu - ipTCPHeaderMinSize
 	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
 	}
 	if disableConntrack {
 		log.Info("conntrack is disabled")
 	} else {
@@ -260,11 +210,14 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, flowLogger)
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, flowLogger)
 	}
 	// netstack needs the forwarder for local traffic
 	if m.netstack && m.localForwarding {
 		if err := m.initForwarder(); err != nil {
 			log.Errorf("failed to initialize forwarder: %v", err)
 		}
 	}
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
@@ -272,7 +225,10 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 }
 func (m *Manager) blockInvalidRouted(iface common.IFaceMapper) (firewall.Rule, error) {
-	wgPrefix := iface.Address().Network
+	wgPrefix, err := netip.ParsePrefix(iface.Address().Network.String())
 	if err != nil {
 		return nil, fmt.Errorf("parse wireguard network: %w", err)
 	}
 	log.Debugf("blocking invalid routed traffic for %s", wgPrefix)
 	rule, err := m.addRouteFiltering(
@@ -364,7 +320,7 @@ func (m *Manager) initForwarder() error {
 		return errors.New("forwarding not supported")
 	}
-	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack, m.mtu)
+	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack)
 	if err != nil {
 		m.routingEnabled.Store(false)
 		return fmt.Errorf("create forwarder: %w", err)
@@ -446,7 +402,19 @@ func (m *Manager) AddPeerFiltering(
 	r.sPort = sPort
 	r.dPort = dPort
-	r.protoLayer = protoToLayer(proto, r.ipLayer)
+	switch proto {
 	case firewall.ProtocolTCP:
 		r.protoLayer = layers.LayerTypeTCP
 	case firewall.ProtocolUDP:
 		r.protoLayer = layers.LayerTypeUDP
 	case firewall.ProtocolICMP:
 		r.protoLayer = layers.LayerTypeICMPv4
 		if r.ipLayer == layers.LayerTypeIPv6 {
 			r.protoLayer = layers.LayerTypeICMPv6
 		}
 	case firewall.ProtocolALL:
 		r.protoLayer = layerTypeAll
 	}
 	m.mutex.Lock()
 	var targetMap map[netip.Addr]RuleSet
@@ -490,22 +458,17 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}
-	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
+	ruleID := uuid.New().String()
 	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
 		return existingRule, nil
 	}
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         string(ruleKey),
+		id:      ruleID,
-		mgmtId:     id,
+		mgmtId:  id,
-		sources:    sources,
+		sources: sources,
-		dstSet:     destination.Set,
+		dstSet:  destination.Set,
-		protoLayer: protoToLayer(proto, layers.LayerTypeIPv4),
+		proto:   proto,
-		srcPort:    sPort,
+		srcPort: sPort,
-		dstPort:    dPort,
+		dstPort: dPort,
-		action:     action,
+		action:  action,
 	}
 	if destination.IsPrefix() {
 		rule.destinations = []netip.Prefix{destination.Prefix}
@@ -513,7 +476,6 @@ func (m *Manager) addRouteFiltering(
 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
 	m.routeRulesMap[ruleKey] = &rule
 	return &rule, nil
 }
@@ -530,20 +492,15 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}
-	ruleKey := nbid.RuleID(rule.ID())
+	ruleID := rule.ID()
 	if _, ok := m.routeRulesMap[ruleKey]; !ok {
 		return fmt.Errorf("route rule not found: %s", ruleKey)
 	}
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == string(ruleKey)
+		return r.id == ruleID
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
+		return fmt.Errorf("route rule not found: %s", ruleID)
 	}
 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
 	delete(m.routeRulesMap, ruleKey)
 	return nil
 }
@@ -590,50 +547,6 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 // resetState clears all firewall rules and closes connection trackers.
 // Must be called with m.mutex held.
 func (m *Manager) resetState() {
 	maps.Clear(m.outgoingRules)
 	maps.Clear(m.incomingDenyRules)
 	maps.Clear(m.incomingRules)
 	maps.Clear(m.routeRulesMap)
 	m.routeRules = m.routeRules[:0]
 	m.udpHookOut.Store(nil)
 	m.tcpHookOut.Store(nil)
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
 		fwder.Stop()
 	}
 	if m.logger != nil {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		if err := m.logger.Stop(ctx); err != nil {
 			log.Errorf("failed to shutdown logger: %v", err)
 		}
 	}
 }
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	if m.nativeFirewall == nil {
 		return nil
 	}
 	return m.nativeFirewall.SetupEBPFProxyNoTrack(proxyPort, wgPort)
 }
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
@@ -713,23 +626,11 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return false
 	}
-	switch d.decoded[1] {
+	if d.decoded[1] == layers.LayerTypeUDP && m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
-	case layers.LayerTypeUDP:
+		return true
 		if m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
 			return true
 		}
 	case layers.LayerTypeTCP:
 		if m.tcpHooksDrop(uint16(d.tcp.DstPort), dstIP, packetData) {
 			return true
 		}
 		// Clamp MSS on all TCP SYN packets, including those from local IPs.
 		// SNATed routed traffic may appear as local IP but still requires clamping.
 		if m.mssClampEnabled {
 			m.clampTCPMSS(packetData, d)
 		}
 	}
-	m.trackOutbound(d, srcIP, dstIP, packetData, size)
+	m.trackOutbound(d, srcIP, dstIP, size)
 	m.translateOutboundDNAT(packetData, d)
 	return false
@@ -773,117 +674,14 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }
-// clampTCPMSS clamps the TCP MSS option in SYN and SYN-ACK packets to prevent fragmentation.
+func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 // Both sides advertise their MSS during connection establishment, so we need to clamp both.
 func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 	if !d.tcp.SYN {
 		return false
 	}
 	if len(d.tcp.Options) == 0 {
 		return false
 	}
 	mssOptionIndex := -1
 	var currentMSS uint16
 	for i, opt := range d.tcp.Options {
 		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
 			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
 			if currentMSS > m.mssClampValue {
 				mssOptionIndex = i
 				break
 			}
 		}
 	}
 	if mssOptionIndex == -1 {
 		return false
 	}
 	ipHeaderSize := int(d.ip4.IHL) * 4
 	if ipHeaderSize < 20 {
 		return false
 	}
 	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
 		return false
 	}
 	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
 	return true
 }
 func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
 	tcpHeaderStart := ipHeaderSize
 	tcpOptionsStart := tcpHeaderStart + 20
 	optOffset := tcpOptionsStart
 	for j := 0; j < mssOptionIndex; j++ {
 		switch d.tcp.Options[j].OptionType {
 		case layers.TCPOptionKindEndList, layers.TCPOptionKindNop:
 			optOffset++
 		default:
 			optOffset += 2 + len(d.tcp.Options[j].OptionData)
 		}
 	}
 	mssValueOffset := optOffset + 2
 	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
 	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
 	return true
 }
 func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeaderStart int) {
 	tcpLayer := packetData[tcpHeaderStart:]
 	tcpLength := len(packetData) - tcpHeaderStart
 	tcpLayer[16] = 0
 	tcpLayer[17] = 0
 	var pseudoSum uint32
 	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
 	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
 	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
 	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
 	pseudoSum += uint32(d.ip4.Protocol)
 	pseudoSum += uint32(tcpLength)
 	var sum = pseudoSum
 	for i := 0; i < tcpLength-1; i += 2 {
 		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
 	}
 	if tcpLength%2 == 1 {
 		sum += uint32(tcpLayer[tcpLength-1]) << 8
 	}
 	for sum > 0xFFFF {
 		sum = (sum & 0xFFFF) + (sum >> 16)
 	}
 	checksum := ^uint16(sum)
 	binary.BigEndian.PutUint16(tcpLayer[16:18], checksum)
 }
 func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		origPort := m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
+		m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
 		if origPort == 0 {
 			break
 		}
 		if err := m.rewriteUDPPort(packetData, d, origPort, sourcePortOffset); err != nil {
 			m.logger.Error1("failed to rewrite UDP port: %v", err)
 		}
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		origPort := m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
+		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 		if origPort == 0 {
 			break
 		}
 		if err := m.rewriteTCPPort(packetData, d, origPort, sourcePortOffset); err != nil {
 			m.logger.Error1("failed to rewrite TCP port: %v", err)
 		}
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
 	}
@@ -893,23 +691,48 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size, d.dnatOrigPort)
+		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
+		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
 	}
 	d.dnatOrigPort = 0
 }
 // udpHooksDrop checks if any UDP hooks should drop the packet
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return common.HookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
+	m.mutex.RLock()
-}
+	defer m.mutex.RUnlock()
-func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
+	// Check specific destination IP first
-	return common.HookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
+	if rules, exists := m.outgoingRules[dstIP]; exists {
 		for _, rule := range rules {
 			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
 				return rule.udpHook(packetData)
 			}
 		}
 	}
 	// Check IPv4 unspecified address
 	if rules, exists := m.outgoingRules[netip.IPv4Unspecified()]; exists {
 		for _, rule := range rules {
 			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
 				return rule.udpHook(packetData)
 			}
 		}
 	}
 	// Check IPv6 unspecified address
 	if rules, exists := m.outgoingRules[netip.IPv6Unspecified()]; exists {
 		for _, rule := range rules {
 			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
 				return rule.udpHook(packetData)
 			}
 		}
 	}
 	return false
 }
 // filterInbound implements filtering logic for incoming packets.
@@ -936,20 +759,10 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 		return false
 	}
 	// TODO: optimize port DNAT by caching matched rules in conntrack
 	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
 		// Re-decode after port DNAT translation to update port information
 		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
 			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
 			return true
 		}
 		srcIP, dstIP = m.extractIPs(d)
 	}
 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
 		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
+			m.logger.Error1("Failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
 		srcIP, dstIP = m.extractIPs(d)
@@ -971,7 +784,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
 	ruleID, blocked := m.peerACLsBlock(srcIP, d, packetData)
 	if blocked {
-		pnum := getProtocolFromPacket(d)
+		_, pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)
 		m.logger.Trace6("Dropping local packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
@@ -994,7 +807,9 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
-	if m.shouldForward(d, dstIP) {
+	// If requested we pass local traffic to internal interfaces to the forwarder.
 	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
 	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
 		return m.handleForwardedLocalTraffic(packetData)
 	}
@@ -1036,22 +851,20 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 		return false
 	}
-	protoLayer := d.decoded[1]
+	proto, pnum := getProtocolFromPacket(d)
 	srcPort, dstPort := getPortsFromPacket(d)
-	ruleID, pass := m.routeACLsPass(srcIP, dstIP, protoLayer, srcPort, dstPort)
+	ruleID, pass := m.routeACLsPass(srcIP, dstIP, proto, srcPort, dstPort)
 	if !pass {
 		proto := getProtocolFromPacket(d)
 		m.logger.Trace6("Dropping routed packet (ACL denied): rule_id=%s proto=%v src=%s:%d dst=%s:%d",
-			ruleID, proto, srcIP, srcPort, dstIP, dstPort)
+			ruleID, pnum, srcIP, srcPort, dstIP, dstPort)
 		m.flowLogger.StoreEvent(nftypes.EventFields{
 			FlowID:     uuid.New(),
 			Type:       nftypes.TypeDrop,
 			RuleID:     ruleID,
 			Direction:  nftypes.Ingress,
-			Protocol:   proto,
+			Protocol:   pnum,
 			SourceIP:   srcIP,
 			DestIP:     dstIP,
 			SourcePort: srcPort,
@@ -1080,33 +893,16 @@ func (m *Manager) handleRoutedTraffic(d *decoder, srcIP, dstIP netip.Addr, packe
 	return true
 }
-func protoToLayer(proto firewall.Protocol, ipLayer gopacket.LayerType) gopacket.LayerType {
+func getProtocolFromPacket(d *decoder) (firewall.Protocol, nftypes.Protocol) {
 	switch proto {
 	case firewall.ProtocolTCP:
 		return layers.LayerTypeTCP
 	case firewall.ProtocolUDP:
 		return layers.LayerTypeUDP
 	case firewall.ProtocolICMP:
 		if ipLayer == layers.LayerTypeIPv6 {
 			return layers.LayerTypeICMPv6
 		}
 		return layers.LayerTypeICMPv4
 	case firewall.ProtocolALL:
 		return layerTypeAll
 	}
 	return 0
 }
 func getProtocolFromPacket(d *decoder) nftypes.Protocol {
 	switch d.decoded[1] {
 	case layers.LayerTypeTCP:
-		return nftypes.TCP
+		return firewall.ProtocolTCP, nftypes.TCP
 	case layers.LayerTypeUDP:
-		return nftypes.UDP
+		return firewall.ProtocolUDP, nftypes.UDP
 	case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
-		return nftypes.ICMP
+		return firewall.ProtocolICMP, nftypes.ICMP
 	default:
-		return nftypes.ProtocolUnknown
+		return firewall.ProtocolALL, nftypes.ProtocolUnknown
 	}
 }
@@ -1260,6 +1056,12 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 				return rule.mgmtId, rule.drop, true
 			}
 		case layers.LayerTypeUDP:
 			// if rule has UDP hook (and if we are here we match this rule)
 			// we ignore rule.drop and call this hook
 			if rule.udpHook != nil {
 				return rule.mgmtId, rule.udpHook(packetData), true
 			}
 			if portsMatch(rule.sPort, uint16(d.udp.SrcPort)) && portsMatch(rule.dPort, uint16(d.udp.DstPort)) {
 				return rule.mgmtId, rule.drop, true
 			}
@@ -1272,30 +1074,19 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 }
 // routeACLsPass returns true if the packet is allowed by the route ACLs
-func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) ([]byte, bool) {
+func (m *Manager) routeACLsPass(srcIP, dstIP netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) ([]byte, bool) {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()
 	for _, rule := range m.routeRules {
-		if matches := m.ruleMatches(rule, srcIP, dstIP, protoLayer, srcPort, dstPort); matches {
+		if matches := m.ruleMatches(rule, srcIP, dstIP, proto, srcPort, dstPort); matches {
 			return rule.mgmtId, rule.action == firewall.ActionAccept
 		}
 	}
 	return nil, false
 }
-func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, protoLayer gopacket.LayerType, srcPort, dstPort uint16) bool {
+func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, proto firewall.Protocol, srcPort, dstPort uint16) bool {
 	// TODO: handle ipv6 vs ipv4 icmp rules
 	if rule.protoLayer != layerTypeAll && rule.protoLayer != protoLayer {
 		return false
 	}
 	if protoLayer == layers.LayerTypeTCP || protoLayer == layers.LayerTypeUDP {
 		if !portsMatch(rule.srcPort, srcPort) || !portsMatch(rule.dstPort, dstPort) {
 			return false
 		}
 	}
 	destMatched := false
 	for _, dst := range rule.destinations {
 		if dst.Contains(dstAddr) {
@@ -1314,18 +1105,82 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 			break
 		}
 	}
 	if !sourceMatched {
 		return false
 	}
-	return sourceMatched
+	if rule.proto != firewall.ProtocolALL && rule.proto != proto {
 		return false
 	}
 	if proto == firewall.ProtocolTCP || proto == firewall.ProtocolUDP {
 		if !portsMatch(rule.srcPort, srcPort) || !portsMatch(rule.dstPort, dstPort) {
 			return false
 		}
 	}
 	return true
 }
-// SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
+// AddUDPPacketHook calls hook when UDP packet from given direction matched
-func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
+//
-	common.SetHook(&m.udpHookOut, ip, dPort, hook)
+// Hook function returns flag which indicates should be the matched package dropped or not
 func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string {
 	r := PeerRule{
 		id:         uuid.New().String(),
 		ip:         ip,
 		protoLayer: layers.LayerTypeUDP,
 		dPort:      &firewall.Port{Values: []uint16{dPort}},
 		ipLayer:    layers.LayerTypeIPv6,
 		udpHook:    hook,
 	}
 	if ip.Is4() {
 		r.ipLayer = layers.LayerTypeIPv4
 	}
 	m.mutex.Lock()
 	if in {
 		// Incoming UDP hooks are stored in allow rules map
 		if _, ok := m.incomingRules[r.ip]; !ok {
 			m.incomingRules[r.ip] = make(map[string]PeerRule)
 		}
 		m.incomingRules[r.ip][r.id] = r
 	} else {
 		if _, ok := m.outgoingRules[r.ip]; !ok {
 			m.outgoingRules[r.ip] = make(map[string]PeerRule)
 		}
 		m.outgoingRules[r.ip][r.id] = r
 	}
 	m.mutex.Unlock()
 	return r.id
 }
-// SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
+// RemovePacketHook removes packet hook by given ID
-func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
+func (m *Manager) RemovePacketHook(hookID string) error {
-	common.SetHook(&m.tcpHookOut, ip, dPort, hook)
+	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	// Check incoming hooks (stored in allow rules)
 	for _, arr := range m.incomingRules {
 		for _, r := range arr {
 			if r.id == hookID {
 				delete(arr, r.id)
 				return nil
 			}
 		}
 	}
 	// Check outgoing hooks
 	for _, arr := range m.outgoingRules {
 		for _, r := range arr {
 			if r.id == hookID {
 				delete(arr, r.id)
 				return nil
 			}
 		}
 	}
 	return fmt.Errorf("hook with given id not found")
 }
 // SetLogLevel sets the log level for the firewall manager
@@ -1388,86 +1243,3 @@ func (m *Manager) DisableRouting() error {
 	return nil
 }
 // RegisterNetstackService registers a service as listening on the netstack for the given protocol and port
 func (m *Manager) RegisterNetstackService(protocol nftypes.Protocol, port uint16) {
 	m.netstackServiceMutex.Lock()
 	defer m.netstackServiceMutex.Unlock()
 	layerType := m.protocolToLayerType(protocol)
 	key := serviceKey{protocol: layerType, port: port}
 	m.netstackServices[key] = struct{}{}
 	m.logger.Debug3("RegisterNetstackService: registered %s:%d (layerType=%s)", protocol, port, layerType)
 	m.logger.Debug1("RegisterNetstackService: current registry size: %d", len(m.netstackServices))
 }
 // UnregisterNetstackService removes a service from the netstack registry
 func (m *Manager) UnregisterNetstackService(protocol nftypes.Protocol, port uint16) {
 	m.netstackServiceMutex.Lock()
 	defer m.netstackServiceMutex.Unlock()
 	layerType := m.protocolToLayerType(protocol)
 	key := serviceKey{protocol: layerType, port: port}
 	delete(m.netstackServices, key)
 	m.logger.Debug2("Unregistered netstack service on protocol %s port %d", protocol, port)
 }
 // protocolToLayerType converts nftypes.Protocol to gopacket.LayerType for internal use
 func (m *Manager) protocolToLayerType(protocol nftypes.Protocol) gopacket.LayerType {
 	switch protocol {
 	case nftypes.TCP:
 		return layers.LayerTypeTCP
 	case nftypes.UDP:
 		return layers.LayerTypeUDP
 	case nftypes.ICMP:
 		return layers.LayerTypeICMPv4
 	default:
 		return gopacket.LayerType(0) // Invalid/unknown
 	}
 }
 // shouldForward determines if a packet should be forwarded to the forwarder.
 // The forwarder handles routing packets to the native OS network stack.
 // Returns true if packet should go to the forwarder, false if it should go to netstack listeners or the native stack directly.
 func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
 	// not enabled, never forward
 	if !m.localForwarding {
 		return false
 	}
 	// netstack always needs to forward because it's lacking a native interface
 	// exception for registered netstack services, those should go to netstack listeners
 	if m.netstack {
 		return !m.hasMatchingNetstackService(d)
 	}
 	// traffic to our other local interfaces (not NetBird IP) - always forward
 	if dstIP != m.wgIface.Address().IP {
 		return true
 	}
 	// traffic to our NetBird IP, not netstack mode - send to netstack listeners
 	return false
 }
 // hasMatchingNetstackService checks if there's a registered netstack service for this packet
 func (m *Manager) hasMatchingNetstackService(d *decoder) bool {
 	if len(d.decoded) < 2 {
 		return false
 	}
 	var dstPort uint16
 	switch d.decoded[1] {
 	case layers.LayerTypeTCP:
 		dstPort = uint16(d.tcp.DstPort)
 	case layers.LayerTypeUDP:
 		dstPort = uint16(d.udp.DstPort)
 	default:
 		return false
 	}
 	key := serviceKey{protocol: d.decoded[1], port: dstPort}
 	m.netstackServiceMutex.RLock()
 	_, exists := m.netstackServices[key]
 	m.netstackServiceMutex.RUnlock()
 	return exists
 }
--- a/client/firewall/uspfilter/filter_bench_test.go
+++ b/client/firewall/uspfilter/filter_bench_test.go
@@ -17,7 +17,6 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
@@ -170,7 +169,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Create manager and basic setup
 				manager, _ := Create(&IFaceMock{
 					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				}, false, flowLogger, iface.DefaultMTU)
+				}, false, flowLogger)
 				defer b.Cleanup(func() {
 					require.NoError(b, manager.Close(nil))
 				})
@@ -210,7 +209,7 @@ func BenchmarkStateScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -253,7 +252,7 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -411,7 +410,7 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -538,7 +537,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -621,7 +620,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -732,7 +731,7 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -812,7 +811,7 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -897,6 +896,38 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 	}
 }
 // generateTCPPacketWithFlags creates a TCP packet with specific flags
 func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
 	b.Helper()
 	ipv4 := &layers.IPv4{
 		TTL:      64,
 		Version:  4,
 		SrcIP:    srcIP,
 		DstIP:    dstIP,
 		Protocol: layers.IPProtocolTCP,
 	}
 	tcp := &layers.TCP{
 		SrcPort: layers.TCPPort(srcPort),
 		DstPort: layers.TCPPort(dstPort),
 	}
 	// Set TCP flags
 	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
 	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
 	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
 	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
 	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
 	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
 	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
 	return buf.Bytes()
 }
 func BenchmarkRouteACLs(b *testing.B) {
 	manager := setupRoutedManager(b, "10.10.0.100/16")
@@ -955,235 +986,7 @@ func BenchmarkRouteACLs(b *testing.B) {
 		for _, tc := range cases {
 			srcIP := netip.MustParseAddr(tc.srcIP)
 			dstIP := netip.MustParseAddr(tc.dstIP)
-			manager.routeACLsPass(srcIP, dstIP, protoToLayer(tc.proto, layers.LayerTypeIPv4), 0, tc.dstPort)
+			manager.routeACLsPass(srcIP, dstIP, tc.proto, 0, tc.dstPort)
 		}
 	}
 }
 // BenchmarkMSSClamping benchmarks the MSS clamping impact on filterOutbound.
 // This shows the overhead difference between the common case (non-SYN packets, fast path)
 // and the rare case (SYN packets that need clamping, expensive path).
 func BenchmarkMSSClamping(b *testing.B) {
 	scenarios := []struct {
 		name        string
 		description string
 		genPacket   func(*testing.B, net.IP, net.IP) []byte
 		frequency   string
 	}{
 		{
 			name:        "syn_needs_clamp",
 			description: "SYN packet needing MSS clamping",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
 			},
 			frequency: "~0.1% of traffic - EXPENSIVE",
 		},
 		{
 			name:        "syn_no_clamp_needed",
 			description: "SYN packet with already-small MSS",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1200)
 			},
 			frequency: "~0.05% of traffic",
 		},
 		{
 			name:        "tcp_ack",
 			description: "Non-SYN TCP packet (ACK, data transfer)",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
 			},
 			frequency: "~60-70% of traffic - FAST PATH",
 		},
 		{
 			name:        "tcp_psh_ack",
 			description: "TCP data packet (PSH+ACK)",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
 			},
 			frequency: "~10-20% of traffic - FAST PATH",
 		},
 		{
 			name:        "udp",
 			description: "UDP packet",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
 			},
 			frequency: "~20-30% of traffic - FAST PATH",
 		},
 	}
 	for _, sc := range scenarios {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
 			}()
 			manager.mssClampEnabled = true
 			manager.mssClampValue = 1240
 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
 			packet := sc.genPacket(b, srcIP, dstIP)
 			b.ReportAllocs()
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				manager.filterOutbound(packet, len(packet))
 			}
 		})
 	}
 }
 // BenchmarkMSSClampingOverhead compares overhead of MSS clamping enabled vs disabled
 // for the common case (non-SYN TCP packets).
 func BenchmarkMSSClampingOverhead(b *testing.B) {
 	scenarios := []struct {
 		name      string
 		enabled   bool
 		genPacket func(*testing.B, net.IP, net.IP) []byte
 	}{
 		{
 			name:    "disabled_tcp_ack",
 			enabled: false,
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
 			},
 		},
 		{
 			name:    "enabled_tcp_ack",
 			enabled: true,
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
 			},
 		},
 		{
 			name:    "disabled_syn_needs_clamp",
 			enabled: false,
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
 			},
 		},
 		{
 			name:    "enabled_syn_needs_clamp",
 			enabled: true,
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
 			},
 		},
 	}
 	for _, sc := range scenarios {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
 			}()
 			manager.mssClampEnabled = sc.enabled
 			if sc.enabled {
 				manager.mssClampValue = 1240
 			}
 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
 			packet := sc.genPacket(b, srcIP, dstIP)
 			b.ReportAllocs()
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				manager.filterOutbound(packet, len(packet))
 			}
 		})
 	}
 }
 // BenchmarkMSSClampingMemory measures memory allocations for common vs rare cases
 func BenchmarkMSSClampingMemory(b *testing.B) {
 	scenarios := []struct {
 		name      string
 		genPacket func(*testing.B, net.IP, net.IP) []byte
 	}{
 		{
 			name: "tcp_ack_fast_path",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
 			},
 		},
 		{
 			name: "syn_needs_clamp",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
 			},
 		},
 		{
 			name: "udp_fast_path",
 			genPacket: func(b *testing.B, src, dst net.IP) []byte {
 				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
 			},
 		},
 	}
 	for _, sc := range scenarios {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
 			}()
 			manager.mssClampEnabled = true
 			manager.mssClampValue = 1240
 			srcIP := net.ParseIP("100.64.0.2")
 			dstIP := net.ParseIP("8.8.8.8")
 			packet := sc.genPacket(b, srcIP, dstIP)
 			b.ReportAllocs()
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				manager.filterOutbound(packet, len(packet))
 			}
 		})
 	}
 }
 func generateSYNPacketNoMSS(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16) []byte {
 	b.Helper()
 	ip := &layers.IPv4{
 		Version:  4,
 		IHL:      5,
 		TTL:      64,
 		Protocol: layers.IPProtocolTCP,
 		SrcIP:    srcIP,
 		DstIP:    dstIP,
 	}
 	tcp := &layers.TCP{
 		SrcPort: layers.TCPPort(srcPort),
 		DstPort: layers.TCPPort(dstPort),
 		SYN:     true,
 		Seq:     1000,
 		Window:  65535,
 	}
 	require.NoError(b, tcp.SetNetworkLayerForChecksum(ip))
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{
 		FixLengths:       true,
 		ComputeChecksums: true,
 	}
 	require.NoError(b, gopacket.SerializeLayers(buf, opts, ip, tcp, gopacket.Payload([]byte{})))
 	return buf.Bytes()
 }
--- a/client/firewall/uspfilter/filter_filter_test.go
+++ b/client/firewall/uspfilter/filter_filter_test.go
@@ -12,7 +12,6 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -32,7 +31,7 @@ func TestPeerACLFiltering(t *testing.T) {
 		},
 	}
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	require.NotNil(t, manager)
@@ -617,7 +616,7 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 		},
 	}
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
@@ -1259,7 +1258,7 @@ func TestRouteACLFiltering(t *testing.T) {
 			// testing routeACLsPass only and not FilterInbound, as routed packets are dropped after being passed
 			// to the forwarder
-			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(tc.proto, layers.LayerTypeIPv4), tc.srcPort, tc.dstPort)
+			_, isAllowed := manager.routeACLsPass(srcIP, dstIP, tc.proto, tc.srcPort, tc.dstPort)
 			require.Equal(t, tc.shouldPass, isAllowed)
 		})
 	}
@@ -1445,7 +1444,7 @@ func TestRouteACLOrder(t *testing.T) {
 				srcIP := netip.MustParseAddr(p.srcIP)
 				dstIP := netip.MustParseAddr(p.dstIP)
-				_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(p.proto, layers.LayerTypeIPv4), p.srcPort, p.dstPort)
+				_, isAllowed := manager.routeACLsPass(srcIP, dstIP, p.proto, p.srcPort, p.dstPort)
 				require.Equal(t, p.shouldPass, isAllowed, "packet %d failed", i)
 			}
 		})
@@ -1463,7 +1462,7 @@ func TestRouteACLSet(t *testing.T) {
 		},
 	}
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -1488,13 +1487,13 @@ func TestRouteACLSet(t *testing.T) {
 	dstIP := netip.MustParseAddr("192.168.1.100")
 	// Check that traffic is dropped (empty set shouldn't match anything)
-	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed := manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
 	require.False(t, isAllowed, "Empty set should not allow any traffic")
 	err = manager.UpdateSet(set, []netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")})
 	require.NoError(t, err)
 	// Now the packet should be allowed
-	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed = manager.routeACLsPass(srcIP, dstIP, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed, "After set update, traffic to the added network should be allowed")
 }
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -1,376 +0,0 @@
 package uspfilter
 import (
 	"net/netip"
 	"testing"
 	"github.com/golang/mock/gomock"
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 // TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
 // filtering rule twice returns the same rule ID (idempotent behavior).
 func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{
 		netip.MustParsePrefix("100.64.1.0/24"),
 		netip.MustParsePrefix("100.64.2.0/24"),
 	}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	// Add rule first time
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule1)
 	// Add the same rule again
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule2)
 	// These should be the same (idempotent) like nftables/iptables implementations
 	assert.Equal(t, rule1.ID(), rule2.ID(),
 		"Adding the same rule twice should return the same rule ID (idempotent)")
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 2, ruleCount,
 		"Should have exactly 2 rules (1 user rule + 1 block rule)")
 }
 // TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
 // different parameters get distinct IDs.
 func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	// Add first rule
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	// Add different rule (different destination)
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-2"),
 		sources,
 		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	assert.NotEqual(t, rule1.ID(), rule2.ID(),
 		"Different rules should have different IDs")
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
 }
 // TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
 // rule during a network map update does not disrupt existing traffic.
 func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	srcIP := netip.MustParseAddr("100.64.1.5")
 	dstIP := netip.MustParseAddr("192.168.1.10")
 	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
 	require.True(t, pass, "Traffic should pass with rule in place")
 	// Re-add same rule (simulates network map update)
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
 	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
 	// would remove the only matching rule and cause a traffic gap.
 	if rule1.ID() != rule2.ID() {
 		err = manager.DeleteRouteRule(rule1)
 		require.NoError(t, err)
 	}
 	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
 	assert.True(t, passAfter,
 		"Traffic should still pass after rule update - no gap should occur")
 }
 // TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
 // exactly one drop rule for the WireGuard network prefix, and calling it again
 // returns the same rule without duplicating.
 func TestBlockInvalidRoutedIdempotent(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 	wgNet := netip.MustParsePrefix("100.64.0.1/16")
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
 		GetDeviceFunc: func() *device.FilteredDevice {
 			return &device.FilteredDevice{Device: dev}
 		},
 		GetWGDeviceFunc: func() *wgdevice.Device {
 			return &wgdevice.Device{}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	// Call blockInvalidRouted directly multiple times
 	rule1, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
 	require.NotNil(t, rule1)
 	rule2, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
 	require.NotNil(t, rule2)
 	rule3, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
 	require.NotNil(t, rule3)
 	// All should return the same rule
 	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
 	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
 	// Should have exactly 1 route rule
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
 	// Verify the rule blocks traffic to the WG network
 	srcIP := netip.MustParseAddr("10.0.0.1")
 	dstIP := netip.MustParseAddr("100.64.0.50")
 	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
 	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
 }
 // TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
 // EnableRouting multiple times (as happens on each route update) does not
 // accumulate duplicate block rules in the routeRules slice.
 func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 	wgNet := netip.MustParsePrefix("100.64.0.1/16")
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
 		GetDeviceFunc: func() *device.FilteredDevice {
 			return &device.FilteredDevice{Device: dev}
 		},
 		GetWGDeviceFunc: func() *wgdevice.Device {
 			return &wgdevice.Device{}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	// Call EnableRouting multiple times (simulating repeated route updates)
 	for i := 0; i < 5; i++ {
 		require.NoError(t, manager.EnableRouting())
 	}
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 1, ruleCount,
 		"Repeated EnableRouting should not accumulate block rules")
 }
 // TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
 // rule multiple times does not create duplicate entries.
 func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	// Simulate 5 network map updates with the same route rule
 	for i := 0; i < 5; i++ {
 		rule, err := manager.AddRouteFiltering(
 			[]byte("policy-1"),
 			sources,
 			destination,
 			fw.ProtocolTCP,
 			nil,
 			&fw.Port{Values: []uint16{443}},
 			fw.ActionAccept,
 		)
 		require.NoError(t, err)
 		require.NotNil(t, rule)
 	}
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 2, ruleCount,
 		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
 }
 // TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
 // after adding it multiple times works correctly.
 func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	// Add same rule twice
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
 	// Delete using first reference
 	err = manager.DeleteRouteRule(rule1)
 	require.NoError(t, err)
 	// Verify traffic no longer passes
 	srcIP := netip.MustParseAddr("100.64.1.5")
 	dstIP := netip.MustParseAddr("192.168.1.10")
 	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
 	assert.False(t, pass, "Traffic should not pass after rule deletion")
 }
 func setupTestManager(t *testing.T) *Manager {
 	t.Helper()
 	ctrl := gomock.NewController(t)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 	wgNet := netip.MustParsePrefix("100.64.0.1/16")
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
 		GetDeviceFunc: func() *device.FilteredDevice {
 			return &device.FilteredDevice{Device: dev}
 		},
 		GetWGDeviceFunc: func() *wgdevice.Device {
 			return &wgdevice.Device{}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.EnableRouting())
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	return manager
 }
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -1,7 +1,6 @@
 package uspfilter
 import (
 	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -12,18 +11,15 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	nbiface "github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
@@ -70,7 +66,7 @@ func TestManagerCreate(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -90,7 +86,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 		},
 	}
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -123,7 +119,7 @@ func TestManagerDeleteRule(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -187,204 +183,81 @@ func TestManagerDeleteRule(t *testing.T) {
 	}
 }
-func TestSetUDPPacketHook(t *testing.T) {
+func TestAddUDPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
+	tests := []struct {
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		name       string
-	}, false, flowLogger, nbiface.DefaultMTU)
+		in         bool
-	require.NoError(t, err)
+		expDir     fw.RuleDirection
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
+		ip         netip.Addr
-
+		dPort      uint16
-	var called bool
+		hook       func([]byte) bool
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, func([]byte) bool {
+		expectedID string
-		called = true
+	}{
-		return true
+		{
-	})
+			name:   "Test Outgoing UDP Packet Hook",
-
+			in:     false,
-	h := manager.udpHookOut.Load()
+			expDir: fw.RuleDirectionOUT,
-	require.NotNil(t, h)
+			ip:     netip.MustParseAddr("10.168.0.1"),
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
+			dPort:  8000,
-	assert.Equal(t, uint16(8000), h.Port)
+			hook:   func([]byte) bool { return true },
-	assert.True(t, h.Fn(nil))
+		},
-	assert.True(t, called)
+		{
-
+			name:   "Test Incoming UDP Packet Hook",
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
+			in:     true,
-	assert.Nil(t, manager.udpHookOut.Load())
+			expDir: fw.RuleDirectionIN,
-}
+			ip:     netip.MustParseAddr("::1"),
-
+			dPort:  9000,
-func TestSetTCPPacketHook(t *testing.T) {
+			hook:   func([]byte) bool { return false },
-	manager, err := Create(&IFaceMock{
+		},
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
 	var called bool
 	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, func([]byte) bool {
 		called = true
 		return true
 	})
 	h := manager.tcpHookOut.Load()
 	require.NotNil(t, h)
 	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
 	assert.Equal(t, uint16(53), h.Port)
 	assert.True(t, h.Fn(nil))
 	assert.True(t, called)
 	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)
 	assert.Nil(t, manager.tcpHookOut.Load())
 }
 // TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
 // to the deny map and can be cleanly deleted without leaving orphans.
 func TestPeerRuleLifecycleDenyRules(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	for _, tt := range tests {
-	require.NoError(t, err)
+		t.Run(tt.name, func(t *testing.T) {
-	defer func() {
+			manager, err := Create(&IFaceMock{
-		require.NoError(t, m.Close(nil))
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}()
+			}, false, flowLogger)
 			require.NoError(t, err)
-	ip := net.ParseIP("192.168.1.1")
+			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
 	addr := netip.MustParseAddr("192.168.1.1")
-	// Add multiple deny rules for different ports
+			var addedRule PeerRule
-	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+			if tt.in {
-		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
+				// Incoming UDP hooks are stored in allow rules map
-	require.NoError(t, err)
+				if len(manager.incomingRules[tt.ip]) != 1 {
 					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.incomingRules[tt.ip] {
 					addedRule = rule
 				}
 			} else {
 				if len(manager.outgoingRules[tt.ip]) != 1 {
 					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.outgoingRules[tt.ip] {
 					addedRule = rule
 				}
 			}
-	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
+			if tt.ip.Compare(addedRule.ip) != 0 {
-		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
+				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
-	require.NoError(t, err)
+				return
-
+			}
-	m.mutex.RLock()
+			if tt.dPort != addedRule.dPort.Values[0] {
-	denyCount := len(m.incomingDenyRules[addr])
+				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort.Values[0])
-	m.mutex.RUnlock()
+				return
-	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
+			}
-
+			if layers.LayerTypeUDP != addedRule.protoLayer {
-	// Delete the first deny rule
+				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
-	err = m.DeletePeerRule(rule1[0])
+				return
-	require.NoError(t, err)
+			}
-
+			if addedRule.udpHook == nil {
-	m.mutex.RLock()
+				t.Errorf("expected udpHook to be set")
-	denyCount = len(m.incomingDenyRules[addr])
+				return
-	m.mutex.RUnlock()
+			}
-	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
+		})
 	// Delete the second deny rule
 	err = m.DeletePeerRule(rule2[0])
 	require.NoError(t, err)
 	m.mutex.RLock()
 	_, exists := m.incomingDenyRules[addr]
 	m.mutex.RUnlock()
 	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
 }
 // TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
 // peer rules (simulating network map updates) does not leak rules in the maps.
 func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
 	}()
 	ip := net.ParseIP("192.168.1.1")
 	addr := netip.MustParseAddr("192.168.1.1")
 	// Simulate 10 network map updates: add rule, delete old, add new
 	for i := 0; i < 10; i++ {
 		// Add a deny rule
 		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
 		require.NoError(t, err)
 		// Add an allow rule
 		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 		require.NoError(t, err)
 		// Delete them (simulating ACL manager cleanup)
 		for _, r := range rules {
 			require.NoError(t, m.DeletePeerRule(r))
 		}
 		for _, r := range allowRules {
 			require.NoError(t, m.DeletePeerRule(r))
 		}
 	}
 	m.mutex.RLock()
 	denyCount := len(m.incomingDenyRules[addr])
 	allowCount := len(m.incomingRules[addr])
 	m.mutex.RUnlock()
 	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
 	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
 }
 // TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
 // IP are stored in separate maps and don't interfere with each other.
 func TestMixedAllowDenyRulesSameIP(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
 	}()
 	ip := net.ParseIP("192.168.1.1")
 	// Add allow rule for port 80
 	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 	require.NoError(t, err)
 	// Add deny rule for port 22
 	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
 	require.NoError(t, err)
 	addr := netip.MustParseAddr("192.168.1.1")
 	m.mutex.RLock()
 	allowCount := len(m.incomingRules[addr])
 	denyCount := len(m.incomingDenyRules[addr])
 	m.mutex.RUnlock()
 	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
 	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
 	// Delete allow rule should not affect deny rule
 	err = m.DeletePeerRule(allowRule[0])
 	require.NoError(t, err)
 	m.mutex.RLock()
 	denyCountAfter := len(m.incomingDenyRules[addr])
 	m.mutex.RUnlock()
 	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
 	// Delete deny rule
 	err = m.DeletePeerRule(denyRule[0])
 	require.NoError(t, err)
 	m.mutex.RLock()
 	_, denyExists := m.incomingDenyRules[addr]
 	_, allowExists := m.incomingRules[addr]
 	m.mutex.RUnlock()
 	require.False(t, denyExists, "Deny rules should be empty")
 	require.False(t, allowExists, "Allow rules should be empty")
 }
 func TestManagerReset(t *testing.T) {
@@ -392,7 +265,7 @@ func TestManagerReset(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -431,7 +304,7 @@ func TestNotMatchByIP(t *testing.T) {
 		},
 	}
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -494,7 +367,7 @@ func TestRemovePacketHook(t *testing.T) {
 	}
 	// creating manager instance
-	manager, err := Create(iface, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(iface, false, flowLogger)
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
@@ -502,18 +375,45 @@ func TestRemovePacketHook(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	}()
-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, func([]byte) bool { return true })
+	// Add a UDP packet hook
 	hookFunc := func(data []byte) bool { return true }
 	hookID := manager.AddUDPPacketHook(false, netip.MustParseAddr("192.168.0.1"), 8080, hookFunc)
-	require.NotNil(t, manager.udpHookOut.Load(), "hook should be registered")
+	// Assert the hook is added by finding it in the manager's outgoing rules
 	found := false
 	for _, arr := range manager.outgoingRules {
 		for _, rule := range arr {
 			if rule.id == hookID {
 				found = true
 				break
 			}
 		}
 	}
-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, nil)
+	if !found {
-	assert.Nil(t, manager.udpHookOut.Load(), "hook should be removed")
+		t.Fatalf("The hook was not added properly.")
 	}
 	// Now remove the packet hook
 	err = manager.RemovePacketHook(hookID)
 	if err != nil {
 		t.Fatalf("Failed to remove hook: %s", err)
 	}
 	// Assert the hook is removed by checking it in the manager's outgoing rules
 	for _, arr := range manager.outgoingRules {
 		for _, rule := range arr {
 			if rule.id == hookID {
 				t.Fatalf("The hook was not removed properly.")
 			}
 		}
 	}
 }
 func TestProcessOutgoingHooks(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(t, err)
 	manager.udpTracker.Close()
@@ -537,7 +437,8 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}
 	hookCalled := false
-	manager.SetUDPPacketHook(
+	hookID := manager.AddUDPPacketHook(
 		false,
 		netip.MustParseAddr("100.10.0.100"),
 		53,
 		func([]byte) bool {
@@ -545,6 +446,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			return true
 		},
 	)
 	require.NotEmpty(t, hookID)
 	// Create test UDP packet
 	ipv4 := &layers.IPv4{
@@ -593,7 +495,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ifaceMock := &IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}
-			manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+			manager, err := Create(ifaceMock, false, flowLogger)
 			require.NoError(t, err)
 			time.Sleep(time.Second)
@@ -620,7 +522,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(t, err)
 	manager.udpTracker.Close() // Close the existing tracker
@@ -827,7 +729,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -862,9 +764,9 @@ func TestUpdateSetMerge(t *testing.T) {
 	dstIP2 := netip.MustParseAddr("192.168.1.100")
 	dstIP3 := netip.MustParseAddr("172.16.0.100")
-	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed1 := manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed2 := manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed3 := manager.routeACLsPass(srcIP, dstIP3, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should be allowed")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should be allowed")
@@ -879,8 +781,8 @@ func TestUpdateSetMerge(t *testing.T) {
 	require.NoError(t, err)
 	// Check that all original prefixes are still included
-	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed1 = manager.routeACLsPass(srcIP, dstIP1, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed2 = manager.routeACLsPass(srcIP, dstIP2, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed1, "Traffic to 10.0.0.100 should still be allowed after update")
 	require.True(t, isAllowed2, "Traffic to 192.168.1.100 should still be allowed after update")
@@ -888,8 +790,8 @@ func TestUpdateSetMerge(t *testing.T) {
 	dstIP4 := netip.MustParseAddr("172.16.1.100")
 	dstIP5 := netip.MustParseAddr("10.1.0.50")
-	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed4 := manager.routeACLsPass(srcIP, dstIP4, fw.ProtocolTCP, 12345, 80)
-	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+	_, isAllowed5 := manager.routeACLsPass(srcIP, dstIP5, fw.ProtocolTCP, 12345, 80)
 	require.True(t, isAllowed4, "Traffic to new prefix 172.16.0.0/16 should be allowed")
 	require.True(t, isAllowed5, "Traffic to new prefix 10.1.0.0/24 should be allowed")
@@ -913,7 +815,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -1017,331 +919,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 	srcIP := netip.MustParseAddr("100.10.0.1")
 	for _, tc := range testCases {
-		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, protoToLayer(fw.ProtocolTCP, layers.LayerTypeIPv4), 12345, 80)
+		_, isAllowed := manager.routeACLsPass(srcIP, tc.dstIP, fw.ProtocolTCP, 12345, 80)
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
 func TestMSSClamping(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      netip.MustParseAddr("100.10.0.100"),
 				Network: netip.MustParsePrefix("100.10.0.0/16"),
 			}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, 1280)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
 	}()
 	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
 	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
 	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
 	srcIP := net.ParseIP("100.10.0.2")
 	dstIP := net.ParseIP("8.8.8.8")
 	t.Run("SYN packet with high MSS gets clamped", func(t *testing.T) {
 		highMSS := uint16(1460)
 		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
 		manager.filterOutbound(packet, len(packet))
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
 		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
 	})
 	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
 		lowMSS := uint16(1200)
 		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, lowMSS)
 		manager.filterOutbound(packet, len(packet))
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
 		require.Equal(t, lowMSS, actualMSS, "Low MSS should not be modified")
 	})
 	t.Run("SYN-ACK packet gets clamped", func(t *testing.T) {
 		highMSS := uint16(1460)
 		packet := generateSYNACKPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
 		manager.filterOutbound(packet, len(packet))
 		d := parsePacket(t, packet)
 		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
 		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
 		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
 	})
 	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
 		packet := generateTCPPacketWithFlags(t, srcIP, dstIP, 12345, 80, uint16(conntrack.TCPAck))
 		manager.filterOutbound(packet, len(packet))
 		d := parsePacket(t, packet)
 		require.Empty(t, d.tcp.Options, "ACK packet should have no options")
 	})
 }
 func generateSYNPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
 	tb.Helper()
 	ipLayer := &layers.IPv4{
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolTCP,
 		SrcIP:    srcIP,
 		DstIP:    dstIP,
 	}
 	tcpLayer := &layers.TCP{
 		SrcPort: layers.TCPPort(srcPort),
 		DstPort: layers.TCPPort(dstPort),
 		SYN:     true,
 		Window:  65535,
 		Options: []layers.TCPOption{
 			{
 				OptionType:   layers.TCPOptionKindMSS,
 				OptionLength: 4,
 				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
 			},
 		},
 	}
 	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
 	require.NoError(tb, err)
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
 	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
 	require.NoError(tb, err)
 	return buf.Bytes()
 }
 func generateSYNACKPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
 	tb.Helper()
 	ipLayer := &layers.IPv4{
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolTCP,
 		SrcIP:    srcIP,
 		DstIP:    dstIP,
 	}
 	tcpLayer := &layers.TCP{
 		SrcPort: layers.TCPPort(srcPort),
 		DstPort: layers.TCPPort(dstPort),
 		SYN:     true,
 		ACK:     true,
 		Window:  65535,
 		Options: []layers.TCPOption{
 			{
 				OptionType:   layers.TCPOptionKindMSS,
 				OptionLength: 4,
 				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
 			},
 		},
 	}
 	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
 	require.NoError(tb, err)
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
 	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
 	require.NoError(tb, err)
 	return buf.Bytes()
 }
 func generateTCPPacketWithFlags(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, flags uint16) []byte {
 	tb.Helper()
 	ipLayer := &layers.IPv4{
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolTCP,
 		SrcIP:    srcIP,
 		DstIP:    dstIP,
 	}
 	tcpLayer := &layers.TCP{
 		SrcPort: layers.TCPPort(srcPort),
 		DstPort: layers.TCPPort(dstPort),
 		Window:  65535,
 	}
 	if flags&uint16(conntrack.TCPSyn) != 0 {
 		tcpLayer.SYN = true
 	}
 	if flags&uint16(conntrack.TCPAck) != 0 {
 		tcpLayer.ACK = true
 	}
 	if flags&uint16(conntrack.TCPFin) != 0 {
 		tcpLayer.FIN = true
 	}
 	if flags&uint16(conntrack.TCPRst) != 0 {
 		tcpLayer.RST = true
 	}
 	if flags&uint16(conntrack.TCPPush) != 0 {
 		tcpLayer.PSH = true
 	}
 	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
 	require.NoError(tb, err)
 	buf := gopacket.NewSerializeBuffer()
 	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
 	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
 	require.NoError(tb, err)
 	return buf.Bytes()
 }
 func TestShouldForward(t *testing.T) {
 	// Set up test addresses
 	wgIP := netip.MustParseAddr("100.10.0.1")
 	otherIP := netip.MustParseAddr("100.10.0.2")
 	// Create test manager with mock interface
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	// Set the mock to return our test WG IP
 	ifaceMock.AddressFunc = func() wgaddr.Address {
 		return wgaddr.Address{IP: wgIP, Network: netip.PrefixFrom(wgIP, 24)}
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
 	}()
 	// Helper to create decoder with TCP packet
 	createTCPDecoder := func(dstPort uint16) *decoder {
 		ipv4 := &layers.IPv4{
 			Version:  4,
 			Protocol: layers.IPProtocolTCP,
 			SrcIP:    net.ParseIP("192.168.1.100"),
 			DstIP:    wgIP.AsSlice(),
 		}
 		tcp := &layers.TCP{
 			SrcPort: 54321,
 			DstPort: layers.TCPPort(dstPort),
 		}
 		err := tcp.SetNetworkLayerForChecksum(ipv4)
 		require.NoError(t, err)
 		buf := gopacket.NewSerializeBuffer()
 		opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
 		err = gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test"))
 		require.NoError(t, err)
 		d := &decoder{
 			decoded: []gopacket.LayerType{},
 		}
 		d.parser = gopacket.NewDecodingLayerParser(
 			layers.LayerTypeIPv4,
 			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
 		)
 		d.parser.IgnoreUnsupported = true
 		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
 		require.NoError(t, err)
 		return d
 	}
 	tests := []struct {
 		name              string
 		localForwarding   bool
 		netstack          bool
 		dstIP             netip.Addr
 		serviceRegistered bool
 		servicePort       uint16
 		expected          bool
 		description       string
 	}{
 		{
 			name:            "no local forwarding",
 			localForwarding: false,
 			netstack:        true,
 			dstIP:           wgIP,
 			expected:        false,
 			description:     "should never forward when local forwarding disabled",
 		},
 		{
 			name:            "traffic to other local interface",
 			localForwarding: true,
 			netstack:        false,
 			dstIP:           otherIP,
 			expected:        true,
 			description:     "should forward traffic to our other local interfaces (not NetBird IP)",
 		},
 		{
 			name:            "traffic to NetBird IP, no netstack",
 			localForwarding: true,
 			netstack:        false,
 			dstIP:           wgIP,
 			expected:        false,
 			description:     "should send to netstack listeners (final return false path)",
 		},
 		{
 			name:            "traffic to our IP, netstack mode, no service",
 			localForwarding: true,
 			netstack:        true,
 			dstIP:           wgIP,
 			expected:        true,
 			description:     "should forward when in netstack mode with no matching service",
 		},
 		{
 			name:              "traffic to our IP, netstack mode, with service",
 			localForwarding:   true,
 			netstack:          true,
 			dstIP:             wgIP,
 			serviceRegistered: true,
 			servicePort:       22,
 			expected:          false,
 			description:       "should send to netstack listeners when service is registered",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Configure manager
 			manager.localForwarding = tt.localForwarding
 			manager.netstack = tt.netstack
 			// Register service if needed
 			if tt.serviceRegistered {
 				manager.RegisterNetstackService(nftypes.TCP, tt.servicePort)
 				defer manager.UnregisterNetstackService(nftypes.TCP, tt.servicePort)
 			}
 			// Create decoder for the test
 			decoder := createTCPDecoder(tt.servicePort)
 			if !tt.serviceRegistered {
 				decoder = createTCPDecoder(8080) // Use non-registered port
 			}
 			// Test the method
 			result := manager.shouldForward(decoder, tt.dstIP)
 			require.Equal(t, tt.expected, result, tt.description)
 		})
 	}
 }
--- a/client/firewall/uspfilter/forwarder/endpoint.go
+++ b/client/firewall/uspfilter/forwarder/endpoint.go
@@ -2,7 +2,6 @@ package forwarder
 import (
 	"fmt"
 	"sync/atomic"
 	wgdevice "golang.zx2c4.com/wireguard/device"
 	"gvisor.dev/gvisor/pkg/tcpip"
@@ -17,7 +16,7 @@ type endpoint struct {
 	logger     *nblog.Logger
 	dispatcher stack.NetworkDispatcher
 	device     *wgdevice.Device
-	mtu        atomic.Uint32
+	mtu        uint32
 }
 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
@@ -29,7 +28,7 @@ func (e *endpoint) IsAttached() bool {
 }
 func (e *endpoint) MTU() uint32 {
-	return e.mtu.Load()
+	return e.mtu
 }
 func (e *endpoint) Capabilities() stack.LinkEndpointCapabilities {
@@ -83,22 +82,6 @@ func (e *endpoint) ParseHeader(*stack.PacketBuffer) bool {
 	return true
 }
 func (e *endpoint) Close() {
 	// Endpoint cleanup - nothing to do as device is managed externally
 }
 func (e *endpoint) SetLinkAddress(tcpip.LinkAddress) {
 	// Link address is not used for this endpoint type
 }
 func (e *endpoint) SetMTU(mtu uint32) {
 	e.mtu.Store(mtu)
 }
 func (e *endpoint) SetOnCloseAction(func()) {
 	// No action needed on close
 }
 type epID stack.TransportEndpointID
 func (i epID) String() string {
--- a/client/firewall/uspfilter/forwarder/forwarder.go
+++ b/client/firewall/uspfilter/forwarder/forwarder.go
@@ -7,7 +7,6 @@ import (
 	"net/netip"
 	"runtime"
 	"sync"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"gvisor.dev/gvisor/pkg/buffer"
@@ -36,19 +35,17 @@ type Forwarder struct {
 	logger     *nblog.Logger
 	flowLogger nftypes.FlowLogger
 	// ruleIdMap is used to store the rule ID for a given connection
-	ruleIdMap        sync.Map
+	ruleIdMap    sync.Map
-	stack            *stack.Stack
+	stack        *stack.Stack
-	endpoint         *endpoint
+	endpoint     *endpoint
-	udpForwarder     *udpForwarder
+	udpForwarder *udpForwarder
-	ctx              context.Context
+	ctx          context.Context
-	cancel           context.CancelFunc
+	cancel       context.CancelFunc
-	ip               tcpip.Address
+	ip           tcpip.Address
-	netstack         bool
+	netstack     bool
 	hasRawICMPAccess bool
 	pingSemaphore    chan struct{}
 }
-func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
+func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool) (*Forwarder, error) {
 	s := stack.New(stack.Options{
 		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{
@@ -59,15 +56,19 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		HandleLocal: false,
 	})
 	mtu, err := iface.GetDevice().MTU()
 	if err != nil {
 		return nil, fmt.Errorf("get MTU: %w", err)
 	}
 	nicID := tcpip.NICID(1)
 	endpoint := &endpoint{
 		logger: logger,
 		device: iface.GetWGDevice(),
 		mtu:    uint32(mtu),
 	}
 	endpoint.mtu.Store(uint32(mtu))
 	if err := s.CreateNIC(nicID, endpoint); err != nil {
-		return nil, fmt.Errorf("create NIC: %v", err)
+		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
 	protoAddr := tcpip.ProtocolAddress{
@@ -106,16 +107,15 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	ctx, cancel := context.WithCancel(context.Background())
 	f := &Forwarder{
-		logger:        logger,
+		logger:       logger,
-		flowLogger:    flowLogger,
+		flowLogger:   flowLogger,
-		stack:         s,
+		stack:        s,
-		endpoint:      endpoint,
+		endpoint:     endpoint,
-		udpForwarder:  newUDPForwarder(mtu, logger, flowLogger),
+		udpForwarder: newUDPForwarder(mtu, logger, flowLogger),
-		ctx:           ctx,
+		ctx:          ctx,
-		cancel:        cancel,
+		cancel:       cancel,
-		netstack:      netstack,
+		netstack:     netstack,
-		ip:            tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
 		pingSemaphore: make(chan struct{}, 3),
 	}
 	receiveWindow := defaultReceiveWindow
@@ -133,8 +133,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	s.SetTransportProtocolHandler(icmp.ProtocolNumber4, f.handleICMP)
 	f.checkICMPCapability()
 	log.Debugf("forwarder: Initialization complete with NIC %d", nicID)
 	return f, nil
 }
@@ -204,24 +202,3 @@ func buildKey(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) conntrack.ConnKe
 		DstPort: dstPort,
 	}
 }
 // checkICMPCapability tests whether we have raw ICMP socket access at startup.
 func (f *Forwarder) checkICMPCapability() {
 	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
 	defer cancel()
 	lc := net.ListenConfig{}
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
 		f.hasRawICMPAccess = false
 		f.logger.Debug("forwarder: No raw ICMP socket access, will use ping binary fallback")
 		return
 	}
 	if err := conn.Close(); err != nil {
 		f.logger.Debug1("forwarder: Failed to close ICMP capability test socket: %v", err)
 	}
 	f.hasRawICMPAccess = true
 	f.logger.Debug("forwarder: Raw ICMP socket access available")
 }
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -2,11 +2,8 @@ package forwarder
 import (
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"os/exec"
 	"runtime"
 	"time"
 	"github.com/google/uuid"
@@ -17,95 +14,30 @@ import (
 )
 // handleICMP handles ICMP packets from the network stack
-func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt *stack.PacketBuffer) bool {
+func (f *Forwarder) handleICMP(id stack.TransportEndpointID, pkt stack.PacketBufferPtr) bool {
 	icmpHdr := header.ICMPv4(pkt.TransportHeader().View().AsSlice())
 	icmpType := uint8(icmpHdr.Type())
 	icmpCode := uint8(icmpHdr.Code())
-	flowID := uuid.New()
+	if header.ICMPv4Type(icmpType) == header.ICMPv4EchoReply {
-	f.sendICMPEvent(nftypes.TypeStart, flowID, id, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 0, 0)
+		// dont process our own replies
 	// For Echo Requests, send and wait for response
 	if icmpHdr.Type() == header.ICMPv4Echo {
 		return f.handleICMPEcho(flowID, id, pkt, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()))
 	}
 	// For other ICMP types (Time Exceeded, Destination Unreachable, etc), forward without waiting
 	if !f.hasRawICMPAccess {
 		f.logger.Debug2("forwarder: Cannot handle ICMP type %v without raw socket access for %v", icmpHdr.Type(), epID(id))
 		return false
 	}
 	icmpData := stack.PayloadSince(pkt.TransportHeader()).AsSlice()
 	conn, err := f.forwardICMPPacket(id, icmpData, uint8(icmpHdr.Type()), uint8(icmpHdr.Code()), 100*time.Millisecond)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to forward ICMP packet for %v: %v", epID(id), err)
 		return true
 	}
 	if err := conn.Close(); err != nil {
 		f.logger.Debug1("forwarder: Failed to close ICMP socket: %v", err)
 	}
-	return true
+	flowID := uuid.New()
-}
+	f.sendICMPEvent(nftypes.TypeStart, flowID, id, icmpType, icmpCode, 0, 0)
-// handleICMPEcho handles ICMP echo requests asynchronously with rate limiting.
+	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
 func (f *Forwarder) handleICMPEcho(flowID uuid.UUID, id stack.TransportEndpointID, pkt *stack.PacketBuffer, icmpType, icmpCode uint8) bool {
 	select {
 	case f.pingSemaphore <- struct{}{}:
 		icmpData := stack.PayloadSince(pkt.TransportHeader()).ToSlice()
 		rxBytes := pkt.Size()
 		go func() {
 			defer func() { <-f.pingSemaphore }()
 			if f.hasRawICMPAccess {
 				f.handleICMPViaSocket(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
 			} else {
 				f.handleICMPViaPing(flowID, id, icmpType, icmpCode, icmpData, rxBytes)
 			}
 		}()
 	default:
 		f.logger.Debug3("forwarder: ICMP rate limit exceeded for %v type %v code %v",
 			epID(id), icmpType, icmpCode)
 	}
 	return true
 }
 // forwardICMPPacket creates a raw ICMP socket and sends the packet, returning the connection.
 // The caller is responsible for closing the returned connection.
 func (f *Forwarder) forwardICMPPacket(id stack.TransportEndpointID, payload []byte, icmpType, icmpCode uint8, timeout time.Duration) (net.PacketConn, error) {
 	ctx, cancel := context.WithTimeout(f.ctx, timeout)
 	defer cancel()
 	lc := net.ListenConfig{}
 	// TODO: support non-root
 	conn, err := lc.ListenPacket(ctx, "ip4:icmp", "0.0.0.0")
 	if err != nil {
-		return nil, fmt.Errorf("create ICMP socket: %w", err)
+		f.logger.Error2("forwarder: Failed to create ICMP socket for %v: %v", epID(id), err)
 	}
-	dstIP := f.determineDialAddr(id.LocalAddress)
+		// This will make netstack reply on behalf of the original destination, that's ok for now
-	dst := &net.IPAddr{IP: dstIP}
+		return false
 	if _, err = conn.WriteTo(payload, dst); err != nil {
 		if closeErr := conn.Close(); closeErr != nil {
 			f.logger.Debug1("forwarder: Failed to close ICMP socket: %v", closeErr)
 		}
 		return nil, fmt.Errorf("write ICMP packet: %w", err)
 	}
 	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
 		epID(id), icmpType, icmpCode)
 	return conn, nil
 }
 // handleICMPViaSocket handles ICMP echo requests using raw sockets.
 func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
 	sendTime := time.Now()
 	conn, err := f.forwardICMPPacket(id, icmpData, icmpType, icmpCode, 5*time.Second)
 	if err != nil {
 		f.logger.Error2("forwarder: Failed to send ICMP packet for %v: %v", epID(id), err)
 		return
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
@@ -113,22 +45,38 @@ func (f *Forwarder) handleICMPViaSocket(flowID uuid.UUID, id stack.TransportEndp
 		}
 	}()
-	txBytes := f.handleEchoResponse(conn, id)
+	dstIP := f.determineDialAddr(id.LocalAddress)
-	rtt := time.Since(sendTime).Round(10 * time.Microsecond)
+	dst := &net.IPAddr{IP: dstIP}
-	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, raw socket)",
+	fullPacket := stack.PayloadSince(pkt.TransportHeader())
-		epID(id), icmpType, icmpCode, rtt)
+	payload := fullPacket.AsSlice()
-	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
+	if _, err = conn.WriteTo(payload, dst); err != nil {
 		f.logger.Error2("forwarder: Failed to write ICMP packet for %v: %v", epID(id), err)
 		return true
 	}
 	f.logger.Trace3("forwarder: Forwarded ICMP packet %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
 	// For Echo Requests, send and handle response
 	if header.ICMPv4Type(icmpType) == header.ICMPv4Echo {
 		rxBytes := pkt.Size()
 		txBytes := f.handleEchoResponse(icmpHdr, conn, id)
 		f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 	}
 	// For other ICMP types (Time Exceeded, Destination Unreachable, etc) do nothing
 	return true
 }
-func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEndpointID) int {
+func (f *Forwarder) handleEchoResponse(icmpHdr header.ICMPv4, conn net.PacketConn, id stack.TransportEndpointID) int {
 	if err := conn.SetReadDeadline(time.Now().Add(5 * time.Second)); err != nil {
 		f.logger.Error1("forwarder: Failed to set read deadline for ICMP response: %v", err)
 		return 0
 	}
-	response := make([]byte, f.endpoint.mtu.Load())
+	response := make([]byte, f.endpoint.mtu)
 	n, _, err := conn.ReadFrom(response)
 	if err != nil {
 		if !isTimeout(err) {
@@ -137,7 +85,31 @@ func (f *Forwarder) handleEchoResponse(conn net.PacketConn, id stack.TransportEn
 		return 0
 	}
-	return f.injectICMPReply(id, response[:n])
+	ipHdr := make([]byte, header.IPv4MinimumSize)
 	ip := header.IPv4(ipHdr)
 	ip.Encode(&header.IPv4Fields{
 		TotalLength: uint16(header.IPv4MinimumSize + n),
 		TTL:         64,
 		Protocol:    uint8(header.ICMPv4ProtocolNumber),
 		SrcAddr:     id.LocalAddress,
 		DstAddr:     id.RemoteAddress,
 	})
 	ip.SetChecksum(^ip.CalculateChecksum())
 	fullPacket := make([]byte, 0, len(ipHdr)+n)
 	fullPacket = append(fullPacket, ipHdr...)
 	fullPacket = append(fullPacket, response[:n]...)
 	if err := f.InjectIncomingPacket(fullPacket); err != nil {
 		f.logger.Error1("forwarder: Failed to inject ICMP response: %v", err)
 		return 0
 	}
 	f.logger.Trace3("forwarder: Forwarded ICMP echo reply for %v type %v code %v",
 		epID(id), icmpHdr.Type(), icmpHdr.Code())
 	return len(fullPacket)
 }
 // sendICMPEvent stores flow events for ICMP packets
@@ -180,95 +152,3 @@ func (f *Forwarder) sendICMPEvent(typ nftypes.Type, flowID uuid.UUID, id stack.T
 	f.flowLogger.StoreEvent(fields)
 }
 // handleICMPViaPing handles ICMP echo requests by executing the system ping binary.
 // This is used as a fallback when raw socket access is not available.
 func (f *Forwarder) handleICMPViaPing(flowID uuid.UUID, id stack.TransportEndpointID, icmpType, icmpCode uint8, icmpData []byte, rxBytes int) {
 	ctx, cancel := context.WithTimeout(f.ctx, 5*time.Second)
 	defer cancel()
 	dstIP := f.determineDialAddr(id.LocalAddress)
 	cmd := buildPingCommand(ctx, dstIP, 5*time.Second)
 	pingStart := time.Now()
 	if err := cmd.Run(); err != nil {
 		f.logger.Warn4("forwarder: Ping binary failed for %v type %v code %v: %v", epID(id),
 			icmpType, icmpCode, err)
 		return
 	}
 	rtt := time.Since(pingStart).Round(10 * time.Microsecond)
 	f.logger.Trace3("forwarder: Forwarded ICMP echo request %v type %v code %v",
 		epID(id), icmpType, icmpCode)
 	txBytes := f.synthesizeEchoReply(id, icmpData)
 	f.logger.Trace4("forwarder: Forwarded ICMP echo reply %v type %v code %v (rtt=%v, ping binary)",
 		epID(id), icmpType, icmpCode, rtt)
 	f.sendICMPEvent(nftypes.TypeEnd, flowID, id, icmpType, icmpCode, uint64(rxBytes), uint64(txBytes))
 }
 // buildPingCommand creates a platform-specific ping command.
 func buildPingCommand(ctx context.Context, target net.IP, timeout time.Duration) *exec.Cmd {
 	timeoutSec := int(timeout.Seconds())
 	if timeoutSec < 1 {
 		timeoutSec = 1
 	}
 	switch runtime.GOOS {
 	case "linux", "android":
 		return exec.CommandContext(ctx, "ping", "-c", "1", "-W", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
 	case "darwin", "ios":
 		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), "-q", target.String())
 	case "freebsd":
 		return exec.CommandContext(ctx, "ping", "-c", "1", "-t", fmt.Sprintf("%d", timeoutSec), target.String())
 	case "openbsd", "netbsd":
 		return exec.CommandContext(ctx, "ping", "-c", "1", "-w", fmt.Sprintf("%d", timeoutSec), target.String())
 	case "windows":
 		return exec.CommandContext(ctx, "ping", "-n", "1", "-w", fmt.Sprintf("%d", timeoutSec*1000), target.String())
 	default:
 		return exec.CommandContext(ctx, "ping", "-c", "1", target.String())
 	}
 }
 // synthesizeEchoReply creates an ICMP echo reply from raw ICMP data and injects it back into the network stack.
 // Returns the size of the injected packet.
 func (f *Forwarder) synthesizeEchoReply(id stack.TransportEndpointID, icmpData []byte) int {
 	replyICMP := make([]byte, len(icmpData))
 	copy(replyICMP, icmpData)
 	replyICMPHdr := header.ICMPv4(replyICMP)
 	replyICMPHdr.SetType(header.ICMPv4EchoReply)
 	replyICMPHdr.SetChecksum(0)
 	replyICMPHdr.SetChecksum(header.ICMPv4Checksum(replyICMPHdr, 0))
 	return f.injectICMPReply(id, replyICMP)
 }
 // injectICMPReply wraps an ICMP payload in an IP header and injects it into the network stack.
 // Returns the total size of the injected packet, or 0 if injection failed.
 func (f *Forwarder) injectICMPReply(id stack.TransportEndpointID, icmpPayload []byte) int {
 	ipHdr := make([]byte, header.IPv4MinimumSize)
 	ip := header.IPv4(ipHdr)
 	ip.Encode(&header.IPv4Fields{
 		TotalLength: uint16(header.IPv4MinimumSize + len(icmpPayload)),
 		TTL:         64,
 		Protocol:    uint8(header.ICMPv4ProtocolNumber),
 		SrcAddr:     id.LocalAddress,
 		DstAddr:     id.RemoteAddress,
 	})
 	ip.SetChecksum(^ip.CalculateChecksum())
 	fullPacket := make([]byte, 0, len(ipHdr)+len(icmpPayload))
 	fullPacket = append(fullPacket, ipHdr...)
 	fullPacket = append(fullPacket, icmpPayload...)
 	// Bypass netstack and send directly to peer to avoid looping through our ICMP handler
 	if err := f.endpoint.device.CreateOutboundPacket(fullPacket, id.RemoteAddress.AsSlice()); err != nil {
 		f.logger.Error1("forwarder: Failed to send ICMP reply to peer: %v", err)
 		return 0
 	}
 	return len(fullPacket)
 }
--- a/Show More
+++ b/Show More