add json gateway for netbird daemon

2026-06-20 23:09:55 +00:00 · 2026-05-27 19:04:55 +02:00
309 changed files with 6857 additions and 19620 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,45 +0,0 @@
 version: 2
 updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 15
    groups:
      actions:
        patterns:
          - "*"
    ignore:
      # git-town/action v1.3.x crashes on cyclic PR graphs (self-loop main->main
      # fork PRs) via its topological-sort visualization. Pinned to v1.2.1 in
      # git-town.yml; block v1.3.x until upstream tolerates cyclic edges.
      - dependency-name: "git-town/action"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-major"
  - package-ecosystem: "gomod"
    directories:
      - "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 15
    groups:
      aws-sdk:
        patterns:
          - "github.com/aws/aws-sdk-go-v2/*"
      pion:
        patterns:
          - "github.com/pion/*"
      gorm:
        patterns:
          - "gorm.io/*"
      otel:
        patterns:
          - "go.opentelemetry.io/*"
      testcontainers:
        patterns:
          - "github.com/testcontainers/testcontainers-go/*"
      wireguard:
        patterns:
          - "golang.zx2c4.com/wireguard*"
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -2,16 +2,16 @@ name: Check License Dependencies
 on:
  push:
-    branches: [main]
+    branches: [ main ]
    paths:
-      - "go.mod"
+      - 'go.mod'
-      - "go.sum"
+      - 'go.sum'
-      - ".github/workflows/check-license-dependencies.yml"
+      - '.github/workflows/check-license-dependencies.yml'
  pull_request:
    paths:
-      - "go.mod"
+      - 'go.mod'
-      - "go.sum"
+      - 'go.sum'
-      - ".github/workflows/check-license-dependencies.yml"
+      - '.github/workflows/check-license-dependencies.yml'
 jobs:
  check-internal-dependencies:
@@ -19,10 +19,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout code
+      - uses: actions/checkout@v4
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Check for problematic license dependencies
        run: |
@@ -59,57 +56,55 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@v4
        with:
          persist-credentials: false
-      - name: Set up Go
+    - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@v5
-        with:
+      with:
-          go-version-file: "go.mod"
+        go-version-file: 'go.mod'
-          cache: true
+        cache: true
-      - name: Install go-licenses
+    - name: Install go-licenses
-        run: go install github.com/google/go-licenses@v1.6.0
+      run: go install github.com/google/go-licenses@v1.6.0
-      - name: Check for GPL/AGPL licensed dependencies
+    - name: Check for GPL/AGPL licensed dependencies
-        run: |
+      run: |
-          echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
+        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
        echo ""
        # Check all Go packages for copyleft licenses, excluding internal netbird packages
        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
        if [ -n "$COPYLEFT_DEPS" ]; then
          echo "Found copyleft licensed dependencies:"
          echo "$COPYLEFT_DEPS"
          echo ""
-          # Check all Go packages for copyleft licenses, excluding internal netbird packages
+          # Filter out dependencies that are only pulled in by internal AGPL packages
-          COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
+          INCOMPATIBLE=""
          while IFS=',' read -r package url license; do
            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
              # Find ALL packages that import this GPL package using go list
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
-          if [ -n "$COPYLEFT_DEPS" ]; then
+              # Check if any importer is NOT in management/signal/relay
-            echo "Found copyleft licensed dependencies:"
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
            echo "$COPYLEFT_DEPS"
            echo ""
-            # Filter out dependencies that are only pulled in by internal AGPL packages
+              if [ -n "$BSD_IMPORTER" ]; then
-            INCOMPATIBLE=""
+                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
-            while IFS=',' read -r package url license; do
+                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
-              if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
+              else
-                # Find ALL packages that import this GPL package using go list
+                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
                IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
                # Check if any importer is NOT in management/signal/relay
                BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
                if [ -n "$BSD_IMPORTER" ]; then
                  echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
                  INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
                else
                  echo "✓ $package ($license) is only used by internal AGPL packages - OK"
                fi
              fi
            done <<< "$COPYLEFT_DEPS"
            if [ -n "$INCOMPATIBLE" ]; then
              echo ""
              echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
              echo -e "$INCOMPATIBLE"
              exit 1
            fi
-          fi
+          done <<< "$COPYLEFT_DEPS"
-          echo "✅ All external license dependencies are compatible with BSD-3-Clause"
+          if [ -n "$INCOMPATIBLE" ]; then
            echo ""
            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
            echo -e "$INCOMPATIBLE"
            exit 1
          fi
        fi
        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/docs-ack.yml
+++ b/.github/workflows/docs-ack.yml
@@ -83,7 +83,7 @@ jobs:
      - name: Verify docs PR exists (and is open or merged)
        if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        id: verify
        with:
          pr_number: ${{ steps.extract.outputs.pr_number }}
--- a/.github/workflows/forum.yml
+++ b/.github/workflows/forum.yml
@@ -8,10 +8,11 @@ jobs:
  post:
    runs-on: ubuntu-latest
    steps:
-      - uses: roots/discourse-topic-github-release-action@557d74ea05b6cc0c47f555c1d5d28a89d904005b # v1.1.0
+      - uses: roots/discourse-topic-github-release-action@main
        with:
          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
          discourse-base-url: https://forum.netbird.io
          discourse-author-username: NetBird
          discourse-category: 17
-          discourse-tags: releases
+          discourse-tags:
            releases
--- a/.github/workflows/git-town.yml
+++ b/.github/workflows/git-town.yml
@@ -3,7 +3,7 @@ name: Git Town
 on:
  pull_request:
    branches:
-      - "**"
+      - '**'
 jobs:
  git-town:
@@ -15,9 +15,7 @@ jobs:
      pull-requests: write
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@v4
-        with:
+      - uses: git-town/action@v1.2.1
          persist-credentials: false
      - uses: git-town/action@3d8b878379abb1ee393fb49865a28b4a6c2cd3b0 # v1.2.1
        with:
          skip-single-stacks: true
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -16,18 +16,16 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: macos-gotest-${{ hashFiles('**/go.sum') }}
@@ -45,11 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -coverprofile=coverage.txt -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
      - name: Upload coverage reports to Codecov
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: unit,client
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -15,31 +15,20 @@ jobs:
    name: "Client / Unit"
    runs-on: ubuntu-22.04
    steps:
-      - name: Checkout code
+      - uses: actions/checkout@v4
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Read Go version from go.mod
        id: goversion
        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
      - name: Test in FreeBSD
        id: test
-        env:
+        uses: vmactions/freebsd-vm@v1
          GO_VERSION: ${{ steps.goversion.outputs.version }}
        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
-          release: "15.0"
+          release: "14.2"
          envs: "GO_VERSION"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.3.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
-            tar -C /usr/local -vxzf "$GO_TARBALL"
+            tar -C /usr/local -vxzf "$GO_TARBALL"            
          # -x - to print all executed commands
          # -e - to faile on first error
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -18,11 +18,9 @@ jobs:
      management: ${{ steps.filter.outputs.management }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
-      - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      - uses: dorny/paths-filter@v3
        id: filter
        with:
          filters: |
@@ -30,7 +28,7 @@ jobs:
              - 'management/**'
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -38,10 +36,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        id: cache
        with:
          path: |
@@ -115,16 +113,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -132,10 +128,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -158,29 +154,18 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -coverprofile=coverage.txt -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: unit,client
  test_client_on_docker:
    name: "Client (Docker) / Unit"
-    needs: [build-cache]
+    needs: [ build-cache ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -192,7 +177,7 @@ jobs:
          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        id: cache-restore
        with:
          path: |
@@ -246,12 +231,10 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -263,10 +246,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -285,33 +268,23 @@ jobs:
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test ${{ matrix.raceFlag }} \
-            -exec 'sudo' -coverprofile=coverage.txt \
+            -exec 'sudo' \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...
      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: unit,relay
  test_proxy:
    name: "Proxy / Unit"
    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -325,7 +298,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -343,15 +316,7 @@ jobs:
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
-          go test -timeout 10m -p 1 -coverprofile=coverage.txt ./proxy/...
+          go test -timeout 10m -p 1 ./proxy/...
      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: unit,proxy
  test_signal:
    name: "Signal / Unit"
@@ -359,16 +324,14 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        arch: ["386", "amd64"]
+        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -380,10 +343,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -402,34 +365,24 @@ jobs:
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test \
-            -exec 'sudo' -coverprofile=coverage.txt \
+            -exec 'sudo' \
            -timeout 10m ./signal/... ./shared/signal/...
      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: unit,signal
  test_management:
    name: "Management / Unit"
-    needs: [build-cache]
+    needs: [ build-cache ]
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
+        arch: [ 'amd64' ]
-        store: ["sqlite", "postgres", "mysql"]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -437,10 +390,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -457,7 +410,7 @@ jobs:
      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -474,31 +427,23 @@ jobs:
        run: docker pull mlsmaycon/warmed-mysql:8
      - name: Test
-        run: |
+        run: |          
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
            CI=true \
-          go test -tags=devcert -coverprofile=coverage.txt \
+          go test -tags=devcert \
            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
            -timeout 20m ./management/... ./shared/management/...
      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: unit,management
  benchmark:
    name: "Management / Benchmark"
-    needs: [build-cache]
+    needs: [ build-cache ]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
+        arch: [ 'amd64' ]
-        store: ["sqlite", "postgres"]
+        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -529,12 +474,10 @@ jobs:
            prom/prometheus
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -542,10 +485,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -562,7 +505,7 @@ jobs:
      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -586,13 +529,13 @@ jobs:
  api_benchmark:
    name: "Management / Benchmark (API)"
-    needs: [build-cache]
+    needs: [ build-cache ]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
+        arch: [ 'amd64' ]
-        store: ["sqlite", "postgres"]
+        store: [ 'sqlite', 'postgres' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Create Docker network
@@ -623,12 +566,10 @@ jobs:
            prom/prometheus
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -636,10 +577,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -656,7 +597,7 @@ jobs:
      - name: Login to Docker hub
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
@@ -682,22 +623,20 @@ jobs:
  api_integration_test:
    name: "Management / Integration"
-    needs: [build-cache]
+    needs: [ build-cache ]
    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
    strategy:
      fail-fast: false
      matrix:
-        arch: ["amd64"]
+        arch: [ 'amd64' ]
-        store: ["sqlite", "postgres"]
+        store: [ 'sqlite', 'postgres']
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -705,10 +644,10 @@ jobs:
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
-          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
@@ -728,14 +667,6 @@ jobs:
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
          CI=true \
-          go test -tags=integration -coverprofile=coverage.txt \
+          go test -tags=integration \
          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
          -timeout 20m ./management/server/http/...
      - name: Upload coverage reports to Codecov
        if: matrix.arch == 'amd64'
        uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 #v6.0.1
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          slug: netbirdio/netbird
          flags: integration,management
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -18,12 +18,10 @@ jobs:
    runs-on: windows-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        id: go
        with:
          go-version-file: "go.mod"
@@ -35,7 +33,7 @@ jobs:
          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ${{ env.cache }}
@@ -46,15 +44,16 @@ jobs:
            ${{ runner.os }}-go-
      - name: Download wintun
        uses: carlosperate/download-file-action@v2
        id: download-wintun
        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          destination: ${{ env.downloadPath }}\wintun.zip
+          file-name: wintun.zip
-          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51
+          location: ${{ env.downloadPath }}
          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
      - name: Decompressing wintun files
-        run: tar -xvf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,11 +15,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: codespell
-        uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2.2
+        uses: codespell-project/actions-codespell@v2
        with:
          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA,ede,additionals
          skip: go.mod,go.sum,**/proxy/web/**
@@ -40,15 +38,13 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Check for duplicate constants
        if: matrix.os == 'ubuntu-latest'
        run: |
          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
@@ -56,7 +52,7 @@ jobs:
        if: matrix.os == 'ubuntu-latest'
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          skip-cache: true
--- a/.github/workflows/install-script-test.yml
+++ b/.github/workflows/install-script-test.yml
@@ -22,9 +22,7 @@ jobs:
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: run install script
        env:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -16,25 +16,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Setup Android SDK
-        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
+        uses: android-actions/setup-android@v3
        with:
          cmdline-tools-version: 8512546
      - name: Setup Java
-        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
+        uses: actions/setup-java@v4
        with:
          java-version: "11"
          distribution: "adopt"
      - name: NDK Cache
        id: ndk-cache
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: /usr/local/lib/android/sdk/ndk
          key: ndk-cache-23.1.7779620
@@ -54,11 +52,9 @@ jobs:
    runs-on: macos-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: install gomobile
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        with:
          script: |
            const title = context.payload.pull_request.title;
--- a/.github/workflows/proto-version-check.yml
+++ b/.github/workflows/proto-version-check.yml
@@ -10,7 +10,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check for proto tool version changes
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        with:
          script: |
            const files = await github.paginate(github.rest.pulls.listFiles, {
@@ -20,30 +20,15 @@ jobs:
              per_page: 100,
            });
-            // Cover renamed .pb.go files in addition to plain edits.
+            const modifiedPbFiles = files.filter(
-            // Renamed entries land under the new path with previous_filename
+              f => f.filename.endsWith('.pb.go') && f.status === 'modified'
-            // pointing at the base-side name, so we read the base content
+            );
-            // from the old path when present.
+            if (modifiedPbFiles.length === 0) {
-            const changedPbFiles = files
+              console.log('No modified .pb.go files to check');
              .filter(f => (f.status === 'modified' || f.status === 'renamed')
                && f.filename.endsWith('.pb.go'))
              .map(f => ({
                headPath: f.filename,
                basePath: f.previous_filename || f.filename,
              }));
            if (changedPbFiles.length === 0) {
              console.log('No modified or renamed .pb.go files to check');
              return;
            }
-            // Matches the generator version headers protoc writes at the top
+            const versionPattern = /^\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
            // of generated files:
            //   //   protoc           v3.21.12
            //   //   protoc-gen-go    v1.26.0
            //   // - protoc-gen-go-grpc v1.6.1   (grpc files prefix with "- ")
            // The optional "- " prefix and the optional -gen-go / -gen-go-grpc
            // suffixes keep the *_grpc.pb.go headers in scope.
            const versionPattern = /^\s*\/\/\s+(?:-\s+)?protoc(?:-gen-go(?:-grpc)?)?\s+v[\d.]+/;
            const baseSha = context.payload.pull_request.base.sha;
            const headSha = context.payload.pull_request.head.sha;
@@ -70,22 +55,20 @@ jobs:
            }
            const violations = [];
-            for (const file of changedPbFiles) {
+            for (const file of modifiedPbFiles) {
              const [base, head] = await Promise.all([
-                getVersionHeader(file.basePath, baseSha),
+                getVersionHeader(file.filename, baseSha),
-                getVersionHeader(file.headPath, headSha),
+                getVersionHeader(file.filename, headSha),
              ]);
              if (!base.ok || !head.ok) {
                core.warning(
-                  `Skipping ${file.headPath}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
+                  `Skipping ${file.filename}: base=${base.ok ? 'ok' : base.reason}, head=${head.ok ? 'ok' : head.reason}`
                );
                continue;
              }
              if (base.lines.join('\n') !== head.lines.join('\n')) {
                violations.push({
-                  file: file.basePath === file.headPath
+                  file: file.filename,
                    ? file.headPath
                    : `${file.basePath} → ${file.headPath}`,
                  base: base.lines,
                  head: head.lines,
                });
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,13 +9,10 @@ on:
  pull_request:
 env:
-  SIGN_PIPE_VER: "v0.1.6"
+  SIGN_PIPE_VER: "v0.1.4"
-  GORELEASER_VER: "v2.16.0"
+  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
  flags: ""
  SKIP_PUBLISH: "true"
  SKIP_DOCKER_PUSH: "false"
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -27,15 +24,13 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Generate FreeBSD port diff
-        run: bash -x release_files/freebsd-port-diff.sh
+        run: bash release_files/freebsd-port-diff.sh
      - name: Generate FreeBSD port issue body
-        run: bash -x release_files/freebsd-port-issue-body.sh
+        run: bash release_files/freebsd-port-issue-body.sh
      - name: Check if diff was generated
        id: check_diff
@@ -56,26 +51,19 @@ jobs:
          echo "Generated files for version: $VERSION"
          cat netbird-*.diff
      - name: Read Go version from go.mod
        id: goversion
        run: echo "version=$(awk '/^go / {print $2}' go.mod)" >> "$GITHUB_OUTPUT"
      - name: Test FreeBSD port
        if: steps.check_diff.outputs.diff_exists == 'true'
-        env:
+        uses: vmactions/freebsd-vm@v1
          GO_VERSION: ${{ steps.goversion.outputs.version }}
        uses: vmactions/freebsd-vm@d1e65811565151536c0c894fff74f06351ed26e6 # v1.4.5
        with:
          usesh: true
          copyback: false
          release: "15.0"
          envs: "GO_VERSION"
          prepare: |
            # Install required packages
-            pkg install -y git curl portlint
+            pkg install -y git curl portlint go
            # Install Go for building
-            GO_TARBALL="go${GO_VERSION}.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.25.5.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -LO "$GO_URL"
            tar -C /usr/local -xzf "$GO_TARBALL"
@@ -105,19 +93,19 @@ jobs:
            # Show patched Makefile
            version=$(cat security/netbird/Makefile | grep -E '^DISTVERSION=' | awk '{print $NF}')
-
+            
            cd /usr/ports/security/netbird
            export BATCH=yes
            make package
            pkg add ./work/pkg/netbird-*.pkg
-
+            
            netbird version | grep "$version"
            echo "FreeBSD port test completed successfully!"
      - name: Upload FreeBSD port files
        if: steps.check_diff.outputs.diff_exists == 'true'
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: freebsd-port-files
          path: |
@@ -133,45 +121,29 @@ jobs:
      windows_packages_artifact_url: ${{ steps.upload_windows_packages.outputs.artifact-url }}
      macos_packages_artifact_url: ${{ steps.upload_macos_packages.outputs.artifact-url }}
      ghcr_images: ${{ steps.tag_and_push_images.outputs.images_markdown }}
    env:
      flags: ""
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
          persist-credentials: false
      - name: Parse semver string
        id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
-
+        with:
-      - name: Set snapshot flag
+          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
-        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+          version_extractor_regex: '\/v(.*)$'
        run: | 
          echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Set build vars
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
            echo "x-${{ github.repository }}" 
            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
          else
            echo "x-${{ github.repository }}" 
            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
          fi
          if [[ "x-${{ github.repository }}" != "x-netbirdio/netbird" ]]; then
            echo "SKIP_DOCKER_PUSH=true" >> $GITHUB_ENV
          fi
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
@@ -181,23 +153,21 @@ jobs:
            ${{ runner.os }}-go-releaser-
      - name: Install modules
        run: go mod tidy
      - name: run openapi generator
        run: bash shared/management/http/api/generate.sh
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
+        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
+        uses: docker/setup-buildx-action@v2
      - name: Login to Docker hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -221,7 +191,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --clean ${{ env.flags }}
@@ -232,8 +202,6 @@ jobs:
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
          SKIP_DOCKER_PUSH: ${{ env.SKIP_DOCKER_PUSH }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -314,28 +282,28 @@ jobs:
          } >> "$GITHUB_OUTPUT"
      - name: upload non tags for debug purposes
        id: upload_release
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: release
          path: dist/
          retention-days: 7
      - name: upload linux packages
        id: upload_linux_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: linux-packages
          path: dist/netbird_linux**
          retention-days: 7
      - name: upload windows packages
        id: upload_windows_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: windows-packages
          path: dist/netbird_windows**
          retention-days: 7
      - name: upload macos packages
        id: upload_macos_packages
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: macos-packages
          path: dist/netbird_darwin**
@@ -346,40 +314,27 @@ jobs:
    outputs:
      release_ui_artifact_url: ${{ steps.upload_release_ui.outputs.artifact-url }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
          persist-credentials: false
      - name: Parse semver string
        id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
        with:
          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
          version_extractor_regex: '\/v(.*)$'
-      - name: Set snapshot flag
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
-        if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
-        run: |
+      - name: Checkout
-          echo "flags=--snapshot" >> $GITHUB_ENV
+        uses: actions/checkout@v4
-
+        with:
-      - name: Set build vars
+          fetch-depth: 0 # It is required for GoReleaser to work properly
        if: ${{ startsWith(github.ref, 'refs/tags/v') }}
        run: |
          if [[ "x-${{ steps.semver_parser.outputs.prerelease }}" == "x-" && "x-${{ github.repository }}" == "x-netbirdio/netbird" ]]; then
            echo "x-${{ github.repository }}" 
            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
            echo "SKIP_PUBLISH=false" >> $GITHUB_ENV
          else
            echo "x-${{ github.repository }}" 
            echo "x-${{ steps.semver_parser.outputs.prerelease }}"
          fi
      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
@@ -420,7 +375,7 @@ jobs:
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui.yaml --clean ${{ env.flags }}
@@ -431,7 +386,6 @@ jobs:
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
          SKIP_PUBLISH: ${{ env.SKIP_PUBLISH }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
@@ -450,7 +404,7 @@ jobs:
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        id: upload_release_ui
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: release-ui
          path: dist/
@@ -464,17 +418,16 @@ jobs:
      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
        run: echo "flags=--snapshot" >> $GITHUB_ENV
      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
          persist-credentials: false
      - name: Set up Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: |
            ~/go/pkg/mod
@@ -488,7 +441,7 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Run GoReleaser
        id: goreleaser
-        uses: goreleaser/goreleaser-action@4c6ab561adb47e50c45ef534e2155934e91c40c1 # v7.2.0
+        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
          args: release --config .goreleaser_ui_darwin.yaml --clean ${{ env.flags }}
@@ -496,7 +449,7 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: upload non tags for debug purposes
        id: upload_release_ui_darwin
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: release-ui-darwin
          path: dist/
@@ -521,26 +474,27 @@ jobs:
      PackageWorkdir: netbird_windows_${{ matrix.arch }}
      downloadPath: '${{ github.workspace }}\temp'
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Parse semver string
        id: semver_parser
-        uses: netbirdio/shared-actions/actions/parse-semver@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: booxmedialtd/ws-action-parse-semver@v1
        with:
          input_string: ${{ (startsWith(github.ref, 'refs/tags/v') && github.ref) || 'refs/tags/v0.0.0' }}
          version_extractor_regex: '\/v(.*)$'
      - name: Checkout
        uses: actions/checkout@v4
      - name: Add 7-Zip to PATH
        run: echo "C:\Program Files\7-Zip" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
      - name: Download release artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
+        uses: actions/download-artifact@v4
        with:
          name: release
          path: release
      - name: Download UI release artifacts
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.1
+        uses: actions/download-artifact@v4
        with:
          name: release-ui
          path: release-ui
@@ -560,27 +514,29 @@ jobs:
          Get-ChildItem $workdir
      - name: Download wintun
        uses: carlosperate/download-file-action@v2
        id: download-wintun
        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
-          destination: ${{ env.downloadPath }}\wintun.zip
+          file-name: wintun.zip
-          sha256: 07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51
+          location: ${{ env.downloadPath }}
          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
      - name: Decompress wintun files
-        run: tar -xvf "${{ env.downloadPath }}\wintun.zip" -C ${{ env.downloadPath }}
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
      - name: Move wintun.dll into dist
        run: mv ${{ env.downloadPath }}\wintun\bin\${{ matrix.wintun_arch }}\wintun.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
      - name: Download Mesa3D (amd64 only)
        uses: carlosperate/download-file-action@v2
        id: download-mesa3d
        if: matrix.arch == 'amd64'
        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/mesa3d/MesaForWindows-x64-20.1.8.7z
+          file-url: https://downloads.fdossena.com/Projects/Mesa3D/Builds/MesaForWindows-x64-20.1.8.7z
-          destination: ${{ env.downloadPath }}\mesa3d.7z
+          file-name: mesa3d.7z
-          sha256: 71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9
+          location: ${{ env.downloadPath }}
          sha256: '71c7cb64ec229a1d6b8d62fa08e1889ed2bd17c0eeede8689daf0f25cb31d6b9'
      - name: Extract Mesa3D driver (amd64 only)
        if: matrix.arch == 'amd64'
@@ -591,38 +547,35 @@ jobs:
        run: mv ${{ env.downloadPath }}\opengl32.dll ${{ github.workspace }}\dist\${{ env.PackageWorkdir }}\
      - name: Download EnVar plugin for NSIS
-        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
+        uses: carlosperate/download-file-action@v2
        with:
-          url: https://pkgs.netbird.io/nsis/EnVar_plugin.zip
+          file-url: https://nsis.sourceforge.io/mediawiki/images/7/7f/EnVar_plugin.zip
-          destination: ${{ github.workspace }}\envar_plugin.zip
+          file-name: envar_plugin.zip
-          sha256: e9aa92de351345ed82795251d838f1ae9041ba35af9d381a5780c7843b01f56a
+          location: ${{ github.workspace }}
      - name: Extract EnVar plugin
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/envar_plugin.zip"
      - name: Download ShellExecAsUser plugin for NSIS (amd64 only)
        uses: carlosperate/download-file-action@v2
        if: matrix.arch == 'amd64'
        uses: netbirdio/shared-actions/actions/win-download-and-verify@be5df6047383da2236e02243cceb857d8567c27e # v0.0.2
        with:
-          url: https://pkgs.netbird.io/nsis/ShellExecAsUser_amd64-Unicode.7z
+          file-url: https://nsis.sourceforge.io/mediawiki/images/6/68/ShellExecAsUser_amd64-Unicode.7z
-          destination: ${{ github.workspace }}\ShellExecAsUser_amd64-Unicode.7z
+          file-name: ShellExecAsUser_amd64-Unicode.7z
-          sha256: 0a55ea25c7330a92cec028eda8afcaf1b1a7092e0dfb77c21c8f654564b4ff9d
+          location: ${{ github.workspace }}
      - name: Extract ShellExecAsUser plugin (amd64 only)
        if: matrix.arch == 'amd64'
        run: 7z x -o"${{ github.workspace }}/NSIS_Plugins" "${{ github.workspace }}/ShellExecAsUser_amd64-Unicode.7z"
      - name: Build NSIS installer
-        shell: pwsh
+        uses: joncloud/makensis-action@v3.3
        with:
          additional-plugin-paths: ${{ github.workspace }}/NSIS_Plugins/Plugins
          script-file: client/installer.nsis
          arguments: "/V4 /DARCH=${{ matrix.arch }}"
        env:
          APPVER: ${{ steps.semver_parser.outputs.major }}.${{ steps.semver_parser.outputs.minor }}.${{ steps.semver_parser.outputs.patch }}.${{ github.run_id }}
        run: |
          $nsisPluginDir = "C:\Program Files (x86)\NSIS\Plugins\x86-unicode"
          $srcPlugins    = "${{ github.workspace }}\NSIS_Plugins\Plugins"
          Get-ChildItem -Path $srcPlugins -Recurse -Filter *.dll |
            Copy-Item -Destination $nsisPluginDir -Force
          & "C:\Program Files (x86)\NSIS\makensis.exe" /V4 "/DARCH=${{ matrix.arch }}" client\installer.nsis
          if ($LASTEXITCODE -ne 0) { throw "makensis failed with exit code $LASTEXITCODE" }
      - name: Rename NSIS installer
        run: mv netbird-installer.exe netbird_installer_test_windows_${{ matrix.arch }}.exe
@@ -639,7 +592,7 @@ jobs:
      - name: Upload installer artifacts
        if: always()
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7.0.1
+        uses: actions/upload-artifact@v4
        with:
          name: windows-installer-test-${{ matrix.arch }}
          path: |
@@ -658,7 +611,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Create or update PR comment
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@v7
        env:
          RELEASE_RESULT: ${{ needs.release.result }}
          RELEASE_UI_RESULT: ${{ needs.release_ui.result }}
@@ -750,7 +703,7 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger binaries sign pipelines
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: Sign bin and installer
          repo: netbirdio/sign-pipelines
--- a/.github/workflows/sync-main.yml
+++ b/.github/workflows/sync-main.yml
@@ -14,9 +14,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger main branch sync
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: sync-main.yml
          repo: ${{ secrets.UPSTREAM_REPO }}
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "sha": "${{ github.sha }}" }'
+          inputs: '{ "sha": "${{ github.sha }}" }'
--- a/.github/workflows/sync-tag.yml
+++ b/.github/workflows/sync-tag.yml
@@ -3,7 +3,7 @@ name: sync tag
 on:
  push:
    tags:
-      - "v*"
+      - 'v*'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -16,7 +16,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Trigger release tag sync
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: sync-tag.yml
          ref: main
@@ -29,7 +29,7 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger android-client submodule bump
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
        with:
          workflow: bump-netbird.yml
          ref: main
@@ -42,10 +42,10 @@ jobs:
    if: github.event.created && !github.event.deleted && startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
    steps:
      - name: Trigger ios-client submodule bump
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1.3.1
        with:
          workflow: bump-netbird.yml
          ref: main
          repo: netbirdio/ios-client
          token: ${{ secrets.NC_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref_name }}" }'
+          inputs: '{ "tag": "${{ github.ref_name }}" }'
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -6,10 +6,10 @@ on:
      - main
  pull_request:
    paths:
-      - "infrastructure_files/**"
+      - 'infrastructure_files/**'
-      - ".github/workflows/test-infrastructure-files.yml"
+      - '.github/workflows/test-infrastructure-files.yml'
-      - "management/cmd/**"
+      - 'management/cmd/**'
-      - "signal/cmd/**"
+      - 'signal/cmd/**'
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    strategy:
      matrix:
-        store: ["sqlite", "postgres", "mysql"]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
    services:
      postgres:
        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
@@ -68,17 +68,15 @@ jobs:
        run: sudo apt-get install -y curl
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Cache Go modules
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@v4
        with:
          path: ~/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -141,8 +139,8 @@ jobs:
          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
          CI_NETBIRD_SIGNAL_PORT: 12345
          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
-          NETBIRD_STORE_ENGINE_POSTGRES_DSN: "${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$"
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
-          NETBIRD_STORE_ENGINE_MYSQL_DSN: "${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$"
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false
@@ -256,9 +254,7 @@ jobs:
        run: sudo apt-get install -y jq
      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: run script with Zitadel PostgreSQL
        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -3,9 +3,9 @@ name: update docs
 on:
  push:
    tags:
-      - "v*"
+      - 'v*'
    paths:
-      - "shared/management/http/api/openapi.yml"
+      - 'shared/management/http/api/openapi.yml'
 jobs:
  trigger_docs_api_update:
@@ -13,10 +13,10 @@ jobs:
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@31e2b3319479a63f0ab15bf800eff9e913504e26 # v1.3.2
+        uses: benc-uk/workflow-dispatch@v1
        with:
          workflow: generate api pages
          repo: netbirdio/docs
          ref: "refs/heads/main"
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -19,17 +19,15 @@ jobs:
      GOARCH: wasm
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee #v9.2.1
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
        with:
          version: latest
          install-mode: binary
@@ -44,11 +42,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Install Go
-        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
      - name: Build Wasm client
@@ -65,7 +61,8 @@ jobs:
          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-          if [ ${SIZE} -gt 62914560 ]; then
+          if [ ${SIZE} -gt 58720256 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 60MB limit!"
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
            exit 1
          fi
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,7 +1,5 @@
 version: 2
-env:
+
  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
  - SKIP_DOCKER_PUSH={{ if index .Env "SKIP_DOCKER_PUSH" }}{{ .Env.SKIP_DOCKER_PUSH }}{{ else }}false{{ end }}
 project_name: netbird
 builds:
  - id: netbird-wasm
@@ -76,8 +74,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -92,8 +88,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -108,8 +102,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -130,8 +122,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -146,8 +136,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -162,8 +150,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -184,8 +170,6 @@ builds:
      - amd64
      - arm64
      - arm
    goarm:
      - 7
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -238,192 +222,670 @@ nfpms:
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
-dockers_v2:
+dockers:
-   - id: netbird
+  - image_templates:
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+      - netbirdio/netbird:{{ .Version }}-amd64
-     ids:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-       - netbird
+    ids:
-     images:
+      - netbird
-       - netbirdio/netbird
+    goarch: amd64
-       - ghcr.io/netbirdio/netbird
+    use: buildx
-     tags:
+    dockerfile: client/Dockerfile
-       - "v{{ .Version }}"
+    extra_files:
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+      - client/netbird-entrypoint.sh
-     dockerfile: client/Dockerfile
+    build_flag_templates:
-     extra_files:
+      - "--platform=linux/amd64"
-       - client/netbird-entrypoint.sh
+      - "--label=org.opencontainers.image.created={{.Date}}"
-     platforms:
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-       - linux/amd64
+      - "--label=org.opencontainers.image.version={{.Version}}"
-       - linux/arm64
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       - linux/arm/6
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-     annotations:
+      - "--label=maintainer=dev@netbird.io"
-       "org.opencontainers.image.created": "{{.Date}}"
+  - image_templates:
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+      - netbirdio/netbird:{{ .Version }}-arm64v8
-       "org.opencontainers.image.version": "{{.Version}}"
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+    ids:
-       "org.opencontainers.image.source": "{{.GitURL}}"
+      - netbird
-       "maintainer": "dev@netbird.io"
+    goarch: arm64
-   - id: netbird-rootless
+    use: buildx
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+    dockerfile: client/Dockerfile
-     ids:
+    extra_files:
-       - netbird
+      - client/netbird-entrypoint.sh
-     images:
+    build_flag_templates:
-       - netbirdio/netbird
+      - "--platform=linux/arm64"
-       - ghcr.io/netbirdio/netbird
+      - "--label=org.opencontainers.image.created={{.Date}}"
-     tags:
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-       - "v{{ .Version }}-rootless"
+      - "--label=org.opencontainers.image.version={{.Version}}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-     dockerfile: client/Dockerfile-rootless
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-     extra_files:
+      - "--label=maintainer=dev@netbird.io"
-       - client/netbird-entrypoint.sh
+  - image_templates:
-     platforms:
+      - netbirdio/netbird:{{ .Version }}-arm
-       - linux/amd64
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-       - linux/arm64
+    ids:
-       - linux/arm/6
+      - netbird
-     annotations:
+    goarch: arm
-       "org.opencontainers.image.created": "{{.Date}}"
+    goarm: 6
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+    use: buildx
-       "org.opencontainers.image.version": "{{.Version}}"
+    dockerfile: client/Dockerfile
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+    extra_files:
-       "org.opencontainers.image.source": "{{.GitURL}}"
+      - client/netbird-entrypoint.sh
-       "maintainer": "dev@netbird.io"
+    build_flag_templates:
-   - id: relay
+      - "--platform=linux/arm"
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
-     ids:
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-       - netbird-relay
+      - "--label=org.opencontainers.image.version={{.Version}}"
-     images:
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       - netbirdio/relay
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-       - ghcr.io/netbirdio/relay
+      - "--label=maintainer=dev@netbird.io"
-     tags:
+
-       - "v{{ .Version }}"
+  - image_templates:
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-     dockerfile: relay/Dockerfile
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-     platforms:
+    ids:
-       - linux/amd64
+      - netbird
-       - linux/arm64
+    goarch: amd64
-       - linux/arm
+    use: buildx
-     annotations:
+    dockerfile: client/Dockerfile-rootless
-       "org.opencontainers.image.created": "{{.Date}}"
+    extra_files:
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+      - client/netbird-entrypoint.sh
-       "org.opencontainers.image.version": "{{.Version}}"
+    build_flag_templates:
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+      - "--platform=linux/amd64"
-       "org.opencontainers.image.source": "{{.GitURL}}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       "maintainer": "dev@netbird.io"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-   - id: signal
+      - "--label=org.opencontainers.image.version={{.Version}}"
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-     ids:
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-       - netbird-signal
+      - "--label=maintainer=dev@netbird.io"
-     images:
+  - image_templates:
-       - netbirdio/signal
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-       - ghcr.io/netbirdio/signal
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-     tags:
+    ids:
-       - "v{{ .Version }}"
+      - netbird
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+    goarch: arm64
-     dockerfile: signal/Dockerfile
+    use: buildx
-     platforms:
+    dockerfile: client/Dockerfile-rootless
-       - linux/amd64
+    extra_files:
-       - linux/arm64
+      - client/netbird-entrypoint.sh
-       - linux/arm
+    build_flag_templates:
-     annotations:
+      - "--platform=linux/arm64"
-       "org.opencontainers.image.created": "{{.Date}}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-       "maintainer": "dev@netbird.io"
+      - "--label=maintainer=dev@netbird.io"
-   - id: management
+  - image_templates:
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
-     ids:
+      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-       - netbird-mgmt
+    ids:
-     images:
+      - netbird
-       - netbirdio/management
+    goarch: arm
-       - ghcr.io/netbirdio/management
+    goarm: 6
-     tags:
+    use: buildx
-       - "v{{ .Version }}"
+    dockerfile: client/Dockerfile-rootless
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+    extra_files:
-     dockerfile: management/Dockerfile
+      - client/netbird-entrypoint.sh
-     platforms:
+    build_flag_templates:
-       - linux/amd64
+      - "--platform=linux/arm"
-       - linux/arm64
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       - linux/arm
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-     annotations:
+      - "--label=org.opencontainers.image.version={{.Version}}"
-       "org.opencontainers.image.created": "{{.Date}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+
-       "org.opencontainers.image.source": "{{.GitURL}}"
+  - image_templates:
-       "maintainer": "dev@netbird.io"
+      - netbirdio/relay:{{ .Version }}-amd64
-   - id: upload
+      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+    ids:
-     ids:
+      - netbird-relay
-       - netbird-upload
+    goarch: amd64
-     images:
+    use: buildx
-       - netbirdio/upload
+    dockerfile: relay/Dockerfile
-       - ghcr.io/netbirdio/upload
+    build_flag_templates:
-     tags:
+      - "--platform=linux/amd64"
-       - "v{{ .Version }}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-     dockerfile: upload-server/Dockerfile
+      - "--label=org.opencontainers.image.version={{.Version}}"
-     platforms:
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       - linux/amd64
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-       - linux/arm64
+      - "--label=maintainer=dev@netbird.io"
-       - linux/arm
+  - image_templates:
-     annotations:
+      - netbirdio/relay:{{ .Version }}-arm64v8
-       "org.opencontainers.image.created": "{{.Date}}"
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+    ids:
-       "org.opencontainers.image.version": "{{.Version}}"
+      - netbird-relay
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+    goarch: arm64
-       "org.opencontainers.image.source": "{{.GitURL}}"
+    use: buildx
-       "maintainer": "dev@netbird.io"
+    dockerfile: relay/Dockerfile
-   - id: netbird-server
+    build_flag_templates:
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+      - "--platform=linux/arm64"
-     ids:
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       - netbird-server
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-     images:
+      - "--label=org.opencontainers.image.version={{.Version}}"
-       - netbirdio/netbird-server
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       - ghcr.io/netbirdio/netbird-server
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-     tags:
+      - "--label=maintainer=dev@netbird.io"
-       - "v{{ .Version }}"
+  - image_templates:
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+      - netbirdio/relay:{{ .Version }}-arm
-     dockerfile: combined/Dockerfile
+      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-     platforms:
+    ids:
-       - linux/amd64
+      - netbird-relay
-       - linux/arm64
+    goarch: arm
-       - linux/arm
+    goarm: 6
-     annotations:
+    use: buildx
-       "org.opencontainers.image.created": "{{.Date}}"
+    dockerfile: relay/Dockerfile
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+    build_flag_templates:
-       "org.opencontainers.image.version": "{{.Version}}"
+      - "--platform=linux/arm"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       "org.opencontainers.image.source": "{{.GitURL}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-       "maintainer": "dev@netbird.io"
+      - "--label=org.opencontainers.image.version={{.Version}}"
-   - id: netbird-proxy
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-     disable: "{{ .Env.SKIP_DOCKER_PUSH }}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-     ids:
+      - "--label=maintainer=dev@netbird.io"
-       - netbird-proxy
+  - image_templates:
-     images:
+      - netbirdio/signal:{{ .Version }}-amd64
-       - netbirdio/reverse-proxy
+      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-       - ghcr.io/netbirdio/reverse-proxy
+    ids:
-     tags:
+      - netbird-signal
-       - "v{{ .Version }}"
+    goarch: amd64
-       - "{{ if eq .Env.SKIP_PUBLISH \"false\" }}latest{{ end }}"
+    use: buildx
-     dockerfile: proxy/Dockerfile
+    dockerfile: signal/Dockerfile
-     platforms:
+    build_flag_templates:
-       - linux/amd64
+      - "--platform=linux/amd64"
-       - linux/arm64
+      - "--label=org.opencontainers.image.created={{.Date}}"
-       - linux/arm
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-     annotations:
+      - "--label=org.opencontainers.image.version={{.Version}}"
-       "org.opencontainers.image.created": "{{.Date}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-       "org.opencontainers.image.title": "{{.ProjectName}}"
+      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-       "org.opencontainers.image.version": "{{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
-       "org.opencontainers.image.revision": "{{.FullCommit}}"
+  - image_templates:
-       "org.opencontainers.image.source": "{{.GitURL}}"
+      - netbirdio/signal:{{ .Version }}-arm64v8
-       "maintainer": "dev@netbird.io"
+      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
    ids:
      - netbird-signal
    goarch: arm64
    use: buildx
    dockerfile: signal/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/signal:{{ .Version }}-arm
      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
    ids:
      - netbird-signal
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: signal/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/management:{{ .Version }}-amd64
      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
    ids:
      - netbird-mgmt
    goarch: amd64
    use: buildx
    dockerfile: management/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/management:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
    ids:
      - netbird-mgmt
    goarch: arm64
    use: buildx
    dockerfile: management/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/management:{{ .Version }}-arm
      - ghcr.io/netbirdio/management:{{ .Version }}-arm
    ids:
      - netbird-mgmt
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: management/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/management:{{ .Version }}-debug-amd64
      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
    ids:
      - netbird-mgmt
    goarch: amd64
    use: buildx
    dockerfile: management/Dockerfile.debug
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/management:{{ .Version }}-debug-arm64v8
      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
    ids:
      - netbird-mgmt
    goarch: arm64
    use: buildx
    dockerfile: management/Dockerfile.debug
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/management:{{ .Version }}-debug-arm
      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
    ids:
      - netbird-mgmt
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: management/Dockerfile.debug
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/upload:{{ .Version }}-amd64
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
    ids:
      - netbird-upload
    goarch: amd64
    use: buildx
    dockerfile: upload-server/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
    ids:
      - netbird-upload
    goarch: arm64
    use: buildx
    dockerfile: upload-server/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
    ids:
      - netbird-upload
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: upload-server/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-amd64
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
    ids:
      - netbird-server
    goarch: amd64
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
    ids:
      - netbird-server
    goarch: arm64
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
    ids:
      - netbird-server
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
    ids:
      - netbird-proxy
    goarch: amd64
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
    ids:
      - netbird-proxy
    goarch: arm64
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
    ids:
      - netbird-proxy
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
      - netbirdio/netbird:{{ .Version }}-arm64v8
      - netbirdio/netbird:{{ .Version }}-arm
      - netbirdio/netbird:{{ .Version }}-amd64
  - name_template: netbirdio/netbird:latest
    image_templates:
      - netbirdio/netbird:{{ .Version }}-arm64v8
      - netbirdio/netbird:{{ .Version }}-arm
      - netbirdio/netbird:{{ .Version }}-amd64
  - name_template: netbirdio/netbird:{{ .Version }}-rootless
    image_templates:
      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
      - netbirdio/netbird:{{ .Version }}-rootless-arm
      - netbirdio/netbird:{{ .Version }}-rootless-amd64
  - name_template: netbirdio/netbird:rootless-latest
    image_templates:
      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
      - netbirdio/netbird:{{ .Version }}-rootless-arm
      - netbirdio/netbird:{{ .Version }}-rootless-amd64
  - name_template: netbirdio/relay:{{ .Version }}
    image_templates:
      - netbirdio/relay:{{ .Version }}-arm64v8
      - netbirdio/relay:{{ .Version }}-arm
      - netbirdio/relay:{{ .Version }}-amd64
  - name_template: netbirdio/relay:latest
    image_templates:
      - netbirdio/relay:{{ .Version }}-arm64v8
      - netbirdio/relay:{{ .Version }}-arm
      - netbirdio/relay:{{ .Version }}-amd64
  - name_template: netbirdio/signal:{{ .Version }}
    image_templates:
      - netbirdio/signal:{{ .Version }}-arm64v8
      - netbirdio/signal:{{ .Version }}-arm
      - netbirdio/signal:{{ .Version }}-amd64
  - name_template: netbirdio/signal:latest
    image_templates:
      - netbirdio/signal:{{ .Version }}-arm64v8
      - netbirdio/signal:{{ .Version }}-arm
      - netbirdio/signal:{{ .Version }}-amd64
  - name_template: netbirdio/management:{{ .Version }}
    image_templates:
      - netbirdio/management:{{ .Version }}-arm64v8
      - netbirdio/management:{{ .Version }}-arm
      - netbirdio/management:{{ .Version }}-amd64
  - name_template: netbirdio/management:latest
    image_templates:
      - netbirdio/management:{{ .Version }}-arm64v8
      - netbirdio/management:{{ .Version }}-arm
      - netbirdio/management:{{ .Version }}-amd64
  - name_template: netbirdio/management:debug-latest
    image_templates:
      - netbirdio/management:{{ .Version }}-debug-arm64v8
      - netbirdio/management:{{ .Version }}-debug-arm
      - netbirdio/management:{{ .Version }}-debug-amd64
  - name_template: netbirdio/upload:{{ .Version }}
    image_templates:
      - netbirdio/upload:{{ .Version }}-arm64v8
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64
  - name_template: netbirdio/upload:latest
    image_templates:
      - netbirdio/upload:{{ .Version }}-arm64v8
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64
  - name_template: netbirdio/netbird-server:{{ .Version }}
    image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - netbirdio/netbird-server:{{ .Version }}-arm
      - netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: netbirdio/netbird-server:latest
    image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - netbirdio/netbird-server:{{ .Version }}-arm
      - netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird:latest
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/relay:latest
    image_templates:
      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/signal:latest
    image_templates:
      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/management:{{ .Version }}-arm
      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/management:latest
    image_templates:
      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/management:{{ .Version }}-arm
      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/management:debug-latest
    image_templates:
      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/upload:latest
    image_templates:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird-server:latest
    image_templates:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: netbirdio/reverse-proxy:{{ .Version }}
    image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: netbirdio/reverse-proxy:latest
    image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
    image_templates:
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
 brews:
  - ids:
      - default
    skip_upload: "{{ .Env.SKIP_PUBLISH }}"
    repository:
      owner: netbirdio
      name: homebrew-tap
@@ -440,7 +902,6 @@ brews:
 uploads:
  - name: debian
    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_deb
    mode: archive
@@ -449,7 +910,6 @@ uploads:
    method: PUT
  - name: yum
    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_rpm
    mode: archive
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -1,6 +1,5 @@
 version: 2
-env:
+
  - SKIP_PUBLISH={{ if index .Env "SKIP_PUBLISH" }}{{ .Env.SKIP_PUBLISH }}{{ else }}true{{ end }}
 project_name: netbird-ui
 builds:
  - id: netbird-ui
@@ -102,7 +101,6 @@ nfpms:
 uploads:
  - name: debian
    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_ui_deb
    mode: archive
@@ -111,7 +109,6 @@ uploads:
    method: PUT
  - name: yum
    skip: "{{ .Env.SKIP_PUBLISH }}"
    ids:
      - netbird_ui_rpm
    mode: archive
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
-FROM alpine:3.24
+FROM alpine:3.23.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -21,7 +21,7 @@ ENV \
    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-ARG TARGETPLATFORM
+
-ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
+ARG NETBIRD_BINARY=netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird
--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -4,7 +4,7 @@
 #   podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
-FROM alpine:3.24
+FROM alpine:3.22.0
 RUN apk add --no-cache \
      bash \
@@ -27,7 +27,7 @@ ENV \
    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
-ARG TARGETPLATFORM
+
-ARG NETBIRD_BINARY=$TARGETPLATFORM/netbird
+ARG NETBIRD_BINARY=netbird
 COPY client/netbird-entrypoint.sh /usr/local/bin/netbird-entrypoint.sh
 COPY "${NETBIRD_BINARY}"  /usr/local/bin/netbird
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -3,14 +3,12 @@ package cmd
 import (
 	"context"
 	"fmt"
 	"os/user"
 	"strings"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"github.com/netbirdio/netbird/client/internal"
@@ -21,7 +19,6 @@ import (
 	"github.com/netbirdio/netbird/client/server"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/upload-server/types"
 	"github.com/netbirdio/netbird/version"
 )
 const errCloseConnection = "Failed to close connection: %v"
@@ -87,73 +84,6 @@ var persistenceCmd = &cobra.Command{
 	RunE:    setSyncResponsePersistence,
 }
 var debugConfigCmd = &cobra.Command{
 	Use:     "config",
 	Example: "  netbird debug config",
 	Short:   "Dump the effective configuration",
 	Long:    "Prints the daemon's resolved configuration (after applying defaults, file, env, CLI input, and MDM policy overrides) as JSON. Includes the list of MDM-managed fields.",
 	RunE:    debugConfigDump,
 }
 // debugConfigDump implements `netbird debug config`. It resolves the
 // active profile, queries the daemon for the effective configuration
 // via GetConfig, and prints the resulting GetConfigResponse as JSON
 // (via protojson with EmitUnpopulated=true so the output is stable
 // across runs and includes zero-valued fields).
 //
 // Useful for verifying MDM enforcement end-to-end: the response's
 // mDMManagedFields array is the single source of truth for "which
 // fields is the daemon currently enforcing from the MDM source", and
 // every config field side-by-side with that list confirms the merge
 // result. Secrets in the response (e.g. PreSharedKey) are already
 // redacted by the daemon-side handler.
 func debugConfigDump(cmd *cobra.Command, _ []string) error {
 	pm := profilemanager.NewProfileManager()
 	activeProf, err := pm.GetActiveProfile()
 	if err != nil {
 		return fmt.Errorf("get active profile: %v", err)
 	}
 	currUser, err := user.Current()
 	if err != nil {
 		return fmt.Errorf("get current user: %v", err)
 	}
 	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
 			log.Errorf(errCloseConnection, err)
 		}
 	}()
 	client := proto.NewDaemonServiceClient(conn)
 	resp, err := client.GetConfig(cmd.Context(), &proto.GetConfigRequest{
 		ProfileName: activeProf.Name,
 		Username:    currUser.Username,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to get config: %v", status.Convert(err).Message())
 	}
 	// Use protojson so well-known fields render correctly; emit defaults so
 	// the operator sees every field even when zero/empty.
 	m := protojson.MarshalOptions{Multiline: true, Indent: "  ", EmitUnpopulated: true}
 	out, err := m.Marshal(resp)
 	if err != nil {
 		return fmt.Errorf("marshal config: %w", err)
 	}
 	cmd.Println(string(out))
 	return nil
 }
 // debugBundle requests the daemon to create a debug bundle and prints
 // the resulting local file path and, if uploaded, the uploaded file
 // key. It uses the package flags (anonymize, system info, log file
 // count, CLI version, optional upload URL) to configure the bundle
 // request. Returns an error if the RPC fails or if the daemon reports
 // an upload failure reason.
 func debugBundle(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
@@ -170,7 +100,6 @@ func debugBundle(cmd *cobra.Command, _ []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -369,7 +298,6 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		Anonymize:    anonymizeFlag,
 		SystemInfo:   systemInfoFlag,
 		LogFileCount: logFileCount,
 		CliVersion:   version.NetbirdVersion(),
 	}
 	if uploadBundleFlag {
 		request.UploadURL = uploadBundleURLFlag
@@ -504,7 +432,6 @@ func generateDebugBundle(config *profilemanager.Config, recorder *peer.Status, c
 			SyncResponse:   syncResponse,
 			LogPath:        logFilePath,
 			CPUProfile:     nil,
 			DaemonVersion:  version.NetbirdVersion(), // acting as daemon
 		},
 		debug.BundleConfig{
 			IncludeSystemInfo: true,
--- a/client/cmd/kubernetes.go
+++ b/client/cmd/kubernetes.go
@@ -1,301 +0,0 @@
 package cmd
 import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"slices"
 	"strings"
 	"github.com/goccy/go-yaml"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/proto"
 )
 const (
 	KubernetesDNSSuffix = "netbird-kubeapi-proxy"
 )
 var kubernetesCmd = &cobra.Command{
 	Use:   "kubernetes",
 	Short: "Kubernetes cluster commands.",
 	Long:  "Kubernetes cluster commands.",
 }
 var kubernetesListCmd = &cobra.Command{
 	Use:   "list",
 	RunE:  kubernetesList,
 	Short: "List Kubernetes clusters.",
 	Long:  "List Kubernetes clusters by discovering NetBird peers running netbird-kubeapi-proxy.",
 }
 var kubernetesWriteKubeconfigCmd = &cobra.Command{
 	Use:   "write-kubeconfig",
 	RunE:  kubernetesWriteKubeconfig,
 	Args:  cobra.ExactArgs(1),
 	Short: "Write kubeconfig for a Kubernetes cluster.",
 	Long:  "Updates kubeconfig in place to allow token-less access to the Kubernetes cluster through NetBird.",
 }
 func init() {
 	kubernetesWriteKubeconfigCmd.Flags().String("kubeconfig", "", "path to kubeconfig file")
 }
 func kubernetesList(cmd *cobra.Command, _ []string) error {
 	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
 	defer conn.Close()
 	client := proto.NewDaemonServiceClient(conn)
 	statusResp, err := client.Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
 	if err != nil {
 		return err
 	}
 	kcs, err := getKubernetesClusters(cmd.Context(), statusResp.FullStatus.Peers, "")
 	if err != nil {
 		return err
 	}
 	if len(kcs) == 0 {
 		cmd.Println("No Kubernetes clusters available.")
 		return nil
 	}
 	cmd.Println("Available Kubernetes clusters:")
 	for _, k := range kcs {
 		cmd.Printf("\n  - Name: %s\n    FQDN: %s\n    Version: %s\n", k.name, k.url.Host, k.version)
 	}
 	return nil
 }
 func kubernetesWriteKubeconfig(cmd *cobra.Command, args []string) error {
 	kubeconfigPath, err := resolveKubeconfigPath(cmd)
 	if err != nil {
 		return err
 	}
 	conn, err := getClient(cmd)
 	if err != nil {
 		return err
 	}
 	defer conn.Close()
 	client := proto.NewDaemonServiceClient(conn)
 	statusResp, err := client.Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
 	if err != nil {
 		return err
 	}
 	clusterName := args[0]
 	kcs, err := getKubernetesClusters(cmd.Context(), statusResp.FullStatus.Peers, clusterName)
 	if err != nil {
 		return err
 	}
 	if len(kcs) == 0 {
 		return fmt.Errorf("kubernetes cluster named %s not found", clusterName)
 	}
 	if len(kcs) > 1 {
 		return fmt.Errorf("too many Kubernetes clusters returned")
 	}
 	err = writeKubeconfig(kubeconfigPath, kcs[0])
 	if err != nil {
 		return err
 	}
 	return nil
 }
 type kubernetesCluster struct {
 	name    string
 	url     *url.URL
 	version string
 }
 func getKubernetesClusters(ctx context.Context, peers []*proto.PeerState, nameFilter string) ([]kubernetesCluster, error) {
 	transport := http.DefaultTransport.(*http.Transport).Clone()
 	transport.TLSClientConfig = &tls.Config{
 		InsecureSkipVerify: true,
 	}
 	httpClient := &http.Client{
 		Transport: transport,
 	}
 	resolver := net.Resolver{
 		// Required so both DNS records are returned.
 		// https://github.com/golang/go/issues/17093
 		PreferGo: true,
 	}
 	kcs := []kubernetesCluster{}
 	attempted := map[string]struct{}{}
 	for _, peer := range peers {
 		fqdns, err := resolver.LookupAddr(ctx, peer.IP)
 		if err != nil {
 			return nil, err
 		}
 		for _, fqdn := range fqdns {
 			if _, ok := attempted[fqdn]; ok {
 				continue
 			}
 			attempted[fqdn] = struct{}{}
 			comps := strings.Split(fqdn, ".")
 			if len(comps) < 2 {
 				continue
 			}
 			if comps[1] != KubernetesDNSSuffix {
 				continue
 			}
 			if nameFilter != "" && nameFilter != comps[0] {
 				continue
 			}
 			clusterURL, clusterVersion, err := fingerprintClusters(ctx, httpClient, fqdn)
 			if err != nil {
 				log.Debugf("could not fingerprint Kubernetes cluster %s %q", fqdn, err)
 				continue
 			}
 			kc := kubernetesCluster{
 				name:    comps[0],
 				url:     clusterURL,
 				version: clusterVersion,
 			}
 			if nameFilter != "" {
 				return []kubernetesCluster{kc}, nil
 			}
 			kcs = append(kcs, kc)
 		}
 	}
 	return kcs, nil
 }
 func fingerprintClusters(ctx context.Context, httpClient *http.Client, fqdn string) (*url.URL, string, error) {
 	clusterURL, err := url.Parse("https://" + fqdn)
 	if err != nil {
 		return nil, "", err
 	}
 	versionURL, err := clusterURL.Parse("/version")
 	if err != nil {
 		return nil, "", err
 	}
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, versionURL.String(), nil)
 	if err != nil {
 		return nil, "", err
 	}
 	resp, err := httpClient.Do(req)
 	if err != nil {
 		return nil, "", err
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		return nil, "", fmt.Errorf("expected %d response but got %s", http.StatusOK, resp.Status)
 	}
 	b, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, "", err
 	}
 	versionData := map[string]string{}
 	err = json.Unmarshal(b, &versionData)
 	if err != nil {
 		return nil, "", err
 	}
 	version, ok := versionData["gitVersion"]
 	if !ok {
 		return nil, "", errors.New("no version found in response")
 	}
 	return clusterURL, version, nil
 }
 func resolveKubeconfigPath(cmd *cobra.Command) (string, error) {
 	if cmd.Flags().Changed("kubeconfig") {
 		path, err := cmd.Flags().GetString("kubeconfig")
 		if err != nil {
 			return "", err
 		}
 		return path, nil
 	}
 	if env := os.Getenv("KUBECONFIG"); env != "" {
 		return env, nil
 	}
 	home, err := os.UserHomeDir()
 	if err != nil {
 		return "", fmt.Errorf("could not determine home directory: %w", err)
 	}
 	return filepath.Join(home, ".kube", "config"), nil
 }
 func writeKubeconfig(kubeconfigPath string, kc kubernetesCluster) error {
 	b, err := os.ReadFile(kubeconfigPath)
 	if err != nil && !errors.Is(err, os.ErrNotExist) {
 		return err
 	}
 	var cfg map[string]any
 	if err := yaml.Unmarshal(b, &cfg); err != nil {
 		return err
 	}
 	if cfg == nil {
 		cfg = map[string]any{
 			"apiVersion": "v1",
 			"kind":       "Config",
 		}
 	}
 	cfg["clusters"] = appendWithName(cfg["clusters"], map[string]any{
 		"name": kc.name,
 		"cluster": map[string]any{
 			"server":                   kc.url.String(),
 			"insecure-skip-tls-verify": true,
 		},
 	})
 	cfg["users"] = appendWithName(cfg["users"], map[string]any{
 		"name": "netbird",
 		"user": map[string]any{
 			"token": "none",
 		},
 	})
 	cfg["contexts"] = appendWithName(cfg["contexts"], map[string]any{
 		"name": kc.name,
 		"context": map[string]any{
 			"cluster":   kc.name,
 			"user":      "netbird",
 			"namespace": "default",
 		},
 	})
 	cfg["current-context"] = kc.name
 	out, err := yaml.Marshal(cfg)
 	if err != nil {
 		return err
 	}
 	if err := os.WriteFile(kubeconfigPath, out, 0o600); err != nil {
 		return err
 	}
 	return nil
 }
 func appendWithName(data any, add map[string]any) any {
 	if data == nil {
 		return []any{add}
 	}
 	v, ok := data.([]any)
 	if !ok {
 		return []any{add}
 	}
 	i := slices.IndexFunc(v, func(item any) bool {
 		m, ok := item.(map[string]any)
 		if !ok {
 			return false
 		}
 		return m["name"] == add["name"]
 	})
 	if i == -1 {
 		return append(v, add)
 	}
 	v[i] = add
 	return v
 }
--- a/client/cmd/kubernetes_test.go
+++ b/client/cmd/kubernetes_test.go
@@ -1,120 +0,0 @@
 package cmd
 import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"os"
 	"path/filepath"
 	"testing"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/require"
 )
 func TestFingerprintClusters(t *testing.T) {
 	t.Parallel()
 	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		//nolint: errcheck
 		w.Write([]byte(`{"gitVersion": "foobar"}`))
 	}))
 	defer srv.Close()
 	clusterURL, clusterVersion, err := fingerprintClusters(t.Context(), srv.Client(), srv.Listener.Addr().String())
 	require.NoError(t, err)
 	require.Equal(t, srv.URL, clusterURL.String())
 	require.Equal(t, "foobar", clusterVersion)
 }
 func TestResolveKubeconfigPath(t *testing.T) {
 	home, err := os.UserHomeDir()
 	if err != nil {
 		t.Fatalf("could not determine home directory: %v", err)
 	}
 	defaultPath := filepath.Join(home, ".kube", "config")
 	path, err := resolveKubeconfigPath(&cobra.Command{})
 	require.NoError(t, err)
 	require.Equal(t, defaultPath, path)
 	flagPath := "flag-path"
 	cmd := &cobra.Command{}
 	cmd.Flags().String("kubeconfig", "", "")
 	err = cmd.Flags().Set("kubeconfig", flagPath)
 	require.NoError(t, err)
 	path, err = resolveKubeconfigPath(cmd)
 	require.NoError(t, err)
 	require.Equal(t, flagPath, path)
 	envPath := "env-path"
 	t.Setenv("KUBECONFIG", envPath)
 	path, err = resolveKubeconfigPath(&cobra.Command{})
 	require.NoError(t, err)
 	require.Equal(t, envPath, path)
 }
 func TestWriteKubeconfig(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
 		name     string
 		existing string
 	}{
 		{
 			name: "empty file",
 		},
 		{
 			name: "existing content",
 			existing: `apiVersion: v1
 clusters:
 - cluster:
    insecure-skip-tls-verify: true
    server: https://foobar.com
  name: foo
 current-context: test
 kind: Config
 users: []
 `,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			kubeconfigPath := filepath.Join(t.TempDir(), "config")
 			err := os.WriteFile(kubeconfigPath, []byte(tt.existing), 0o644)
 			require.NoError(t, err)
 			kc := kubernetesCluster{
 				name: "foo",
 				url:  &url.URL{Scheme: "https", Host: "example.com"},
 			}
 			err = writeKubeconfig(kubeconfigPath, kc)
 			require.NoError(t, err)
 			b, err := os.ReadFile(kubeconfigPath)
 			require.NoError(t, err)
 			expected := `apiVersion: v1
 clusters:
 - cluster:
    insecure-skip-tls-verify: true
    server: https://example.com
  name: foo
 contexts:
 - context:
    cluster: foo
    namespace: default
    user: netbird
  name: foo
 current-context: foo
 kind: Config
 users:
 - name: netbird
  user:
    token: none
 `
 			require.Equal(t, expected, string(b))
 		})
 	}
 }
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -95,9 +95,7 @@ var (
 	}
 )
-// Execute runs the appropriate Cobra command for the CLI.
+// Execute executes the root command.
 // If the process is the update binary it delegates to updateCmd; otherwise it runs the root command.
 // It returns any error produced during command execution.
 func Execute() error {
 	if isUpdateBinary() {
 		return updateCmd.Execute()
@@ -105,16 +103,6 @@ func Execute() error {
 	return rootCmd.Execute()
 }
 // init initialises package-level defaults and configures the root
 // Cobra command tree. Sets platform-specific config / log directory
 // paths (including legacy Wiretrustee fallbacks) and a default daemon
 // address; registers persistent CLI flags (daemon address,
 // management / admin URLs, logging, setup key (file and inline,
 // mutually exclusive), preshared key, hostname, anonymise, config
 // path); attaches top-level and nested subcommands to the root
 // command; and registers `up`-specific persistent flags (external IP
 // maps, custom DNS resolver address, Rosenpass options, auto-connect
 // disabling, lazy connection).
 func init() {
 	defaultConfigPathDir = "/etc/netbird/"
 	defaultLogFileDir = "/var/log/netbird/"
@@ -180,12 +168,6 @@ func init() {
 	logCmd.AddCommand(logLevelCmd)
 	debugCmd.AddCommand(forCmd)
 	debugCmd.AddCommand(persistenceCmd)
 	debugCmd.AddCommand(debugConfigCmd)
 	// kubernetes commands
 	rootCmd.AddCommand(kubernetesCmd)
 	kubernetesCmd.AddCommand(kubernetesListCmd)
 	kubernetesCmd.AddCommand(kubernetesWriteKubeconfigCmd)
 	// profile commands
 	profileCmd.AddCommand(profileListCmd)
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -5,6 +5,7 @@ package cmd
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"runtime"
 	"strings"
 	"sync"
@@ -22,15 +23,21 @@ var serviceCmd = &cobra.Command{
 	Short: "Manage the NetBird daemon service",
 }
 const defaultJSONSocket = "unix:///var/run/netbird-http.sock"
 var (
-	serviceName    string
+	serviceName        string
-	serviceEnvVars []string
+	serviceEnvVars     []string
 	jsonSocket         string
 	jsonSocketDisabled bool
 )
 type program struct {
 	ctx              context.Context
 	cancel           context.CancelFunc
 	serv             *grpc.Server
 	jsonServ         *http.Server
 	jsonServMu       sync.Mutex
 	serverInstance   *server.Server
 	serverInstanceMu sync.Mutex
 }
@@ -46,6 +53,8 @@ func init() {
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 	serviceCmd.PersistentFlags().BoolVar(&captureEnabled, "enable-capture", false, "Enables packet capture via 'netbird debug capture'. To persist, use: netbird service install --enable-capture")
 	serviceCmd.PersistentFlags().BoolVar(&networksDisabled, "disable-networks", false, "Disables network selection. If enabled, the client will not allow listing, selecting, or deselecting networks. To persist, use: netbird service install --disable-networks")
 	serviceCmd.PersistentFlags().StringVar(&jsonSocket, "json-socket", defaultJSONSocket, "HTTP/JSON API socket address served by grpc-gateway [unix|tcp]://[path|host:port]. To persist, use: netbird service install --json-socket")
 	serviceCmd.PersistentFlags().BoolVar(&jsonSocketDisabled, "disable-json-socket", false, "Disables the HTTP/JSON API socket. To persist, use: netbird service install --disable-json-socket")
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -5,9 +5,6 @@ package cmd
 import (
 	"context"
 	"fmt"
 	"net"
 	"os"
 	"strings"
 	"time"
 	"github.com/kardianos/service"
@@ -32,31 +29,35 @@ func (p *program) Start(svc service.Service) error {
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
-	split := strings.Split(daemonAddr, "://")
+	daemonListener, err := listenOnAddress(daemonAddr)
 	switch split[0] {
 	case "unix":
 		// cleanup failed close
 		stat, err := os.Stat(split[1])
 		if err == nil && !stat.IsDir() {
 			if err := os.Remove(split[1]); err != nil {
 				log.Debugf("remove socket file: %v", err)
 			}
 		}
 	case "tcp":
 	default:
 		return fmt.Errorf("unsupported daemon address protocol: %v", split[0])
 	}
 	listen, err := net.Listen(split[0], split[1])
 	if err != nil {
 		return fmt.Errorf("listen daemon interface: %w", err)
 	}
 	go func() {
 		defer listen.Close()
-		if split[0] == "unix" {
+	var jsonListener *socketListener
-			if err := os.Chmod(split[1], 0666); err != nil {
+	if !jsonSocketDisabled {
-				log.Errorf("failed setting daemon permissions: %v", split[1])
+		jsonListener, err = listenOnAddress(jsonSocket)
 		if err != nil {
 			_ = daemonListener.Close()
 			return fmt.Errorf("listen daemon JSON interface: %w", err)
 		}
 	} else {
 		removeStaleUnixSocketForAddress(jsonSocket)
 	}
 	go func() {
 		defer daemonListener.Close()
 		if jsonListener != nil {
 			defer jsonListener.Close()
 		}
 		if err := daemonListener.chmodUnixSocket("daemon"); err != nil {
 			log.Error(err)
 			return
 		}
 		if jsonListener != nil {
 			if err := jsonListener.chmodUnixSocket("daemon JSON"); err != nil {
 				log.Error(err)
 				return
 			}
 		}
@@ -71,8 +72,16 @@ func (p *program) Start(svc service.Service) error {
 		p.serverInstance = serverInstance
 		p.serverInstanceMu.Unlock()
-		log.Printf("started daemon server: %v", split[1])
+		if jsonListener != nil {
-		if err := p.serv.Serve(listen); err != nil {
+			if err := p.startJSONGateway(jsonListener, daemonAddr); err != nil {
 				log.Fatalf("failed to start daemon JSON server: %v", err)
 			}
 		} else {
 			log.Debug("daemon JSON socket disabled")
 		}
 		log.Printf("started daemon server: %v", daemonListener.address)
 		if err := p.serv.Serve(daemonListener.Listener); err != nil {
 			log.Errorf("failed to serve daemon requests: %v", err)
 		}
 	}()
@@ -92,6 +101,20 @@ func (p *program) Stop(srv service.Service) error {
 	p.cancel()
 	p.jsonServMu.Lock()
 	jsonServ := p.jsonServ
 	p.jsonServMu.Unlock()
 	if jsonServ != nil {
 		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 2*time.Second)
 		if err := jsonServ.Shutdown(shutdownCtx); err != nil {
 			log.Errorf("failed to stop daemon JSON server gracefully: %v", err)
 			if err := jsonServ.Close(); err != nil {
 				log.Errorf("failed to close daemon JSON server: %v", err)
 			}
 		}
 		shutdownCancel()
 	}
 	if p.serv != nil {
 		p.serv.Stop()
 	}
@@ -102,7 +125,7 @@ func (p *program) Stop(srv service.Service) error {
 }
 // Common setup for service control commands
-func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc, consoleLog bool) (service.Service, error) {
+func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
 	// rootCmd env vars are already applied by PersistentPreRunE.
 	SetFlagsFromEnvVars(serviceCmd)
@@ -112,14 +135,8 @@ func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel
 		return nil, err
 	}
-	if consoleLog {
+	if err := util.InitLog(logLevel, logFiles...); err != nil {
-		if err := util.InitLog(logLevel, util.LogConsole); err != nil {
+		return nil, fmt.Errorf("init log: %w", err)
 			return nil, fmt.Errorf("init log: %w", err)
 		}
 	} else {
 		if err := util.InitLog(logLevel, logFiles...); err != nil {
 			return nil, fmt.Errorf("init log: %w", err)
 		}
 	}
 	cfg, err := newSVCConfig()
@@ -144,7 +161,7 @@ var runCmd = &cobra.Command{
 		SetupCloseHandler(ctx, cancel)
 		SetupDebugHandler(ctx, nil, nil, nil, util.FindFirstLogPath(logFiles))
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -158,7 +175,7 @@ var startCmd = &cobra.Command{
 	Short: "starts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -176,7 +193,7 @@ var stopCmd = &cobra.Command{
 	Short: "stops NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -194,7 +211,7 @@ var restartCmd = &cobra.Command{
 	Short: "restarts NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, false)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
@@ -212,7 +229,7 @@ var svcStatusCmd = &cobra.Command{
 	Short: "shows NetBird service status",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		ctx, cancel := context.WithCancel(cmd.Context())
-		s, err := setupServiceControlCommand(cmd, ctx, cancel, true)
+		s, err := setupServiceControlCommand(cmd, ctx, cancel)
 		if err != nil {
 			return err
 		}
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -67,6 +67,11 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-networks")
 	}
 	args = append(args, "--json-socket", jsonSocket)
 	if jsonSocketDisabled {
 		args = append(args, "--disable-json-socket")
 	}
 	return args
 }
--- a/client/cmd/service_json_gateway.go
+++ b/client/cmd/service_json_gateway.go
@@ -0,0 +1,52 @@
 //go:build !ios && !android
 package cmd
 import (
 	"context"
 	"errors"
 	"net"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 	"github.com/netbirdio/netbird/client/proto"
 )
 func grpcGatewayEndpoint(addr string) string {
 	return strings.TrimPrefix(addr, "tcp://")
 }
 func (p *program) startJSONGateway(jsonListener *socketListener, daemonEndpoint string) error {
 	mux := runtime.NewServeMux()
 	opts := []grpc.DialOption{grpc.WithTransportCredentials(insecure.NewCredentials())}
 	if err := proto.RegisterDaemonServiceHandlerFromEndpoint(p.ctx, mux, grpcGatewayEndpoint(daemonEndpoint), opts); err != nil {
 		return err
 	}
 	jsonServer := &http.Server{
 		Handler:           mux,
 		ReadHeaderTimeout: 5 * time.Second,
 		BaseContext: func(net.Listener) context.Context {
 			return p.ctx
 		},
 	}
 	p.jsonServMu.Lock()
 	p.jsonServ = jsonServer
 	p.jsonServMu.Unlock()
 	go func() {
 		log.Printf("started daemon JSON server: %v", jsonListener.address)
 		if err := jsonServer.Serve(jsonListener.Listener); err != nil && !errors.Is(err, http.ErrServerClosed) {
 			log.Errorf("failed to serve daemon JSON requests: %v", err)
 		}
 	}()
 	return nil
 }
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -23,6 +23,7 @@ const serviceParamsFile = "service.json"
 type serviceParams struct {
 	LogLevel              string            `json:"log_level"`
 	DaemonAddr            string            `json:"daemon_addr"`
 	JSONSocket            string            `json:"json_socket"`
 	ManagementURL         string            `json:"management_url,omitempty"`
 	ConfigPath            string            `json:"config_path,omitempty"`
 	LogFiles              []string          `json:"log_files,omitempty"`
@@ -30,6 +31,7 @@ type serviceParams struct {
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
 	EnableCapture         bool              `json:"enable_capture,omitempty"`
 	DisableNetworks       bool              `json:"disable_networks,omitempty"`
 	DisableJSONSocket     bool              `json:"disable_json_socket,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
@@ -75,6 +77,7 @@ func currentServiceParams() *serviceParams {
 	params := &serviceParams{
 		LogLevel:              logLevel,
 		DaemonAddr:            daemonAddr,
 		JSONSocket:            jsonSocket,
 		ManagementURL:         managementURL,
 		ConfigPath:            configPath,
 		LogFiles:              logFiles,
@@ -82,6 +85,7 @@ func currentServiceParams() *serviceParams {
 		DisableUpdateSettings: updateSettingsDisabled,
 		EnableCapture:         captureEnabled,
 		DisableNetworks:       networksDisabled,
 		DisableJSONSocket:     jsonSocketDisabled,
 	}
 	if len(serviceEnvVars) > 0 {
@@ -113,9 +117,8 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		return
 	}
-	// For fields with non-empty defaults (log-level, daemon-addr), keep the
+	// For fields with non-empty defaults, keep the != "" guard so that an older
-	// != "" guard so that an older service.json missing the field doesn't
+	// service.json missing the field doesn't clobber the default with an empty string.
 	// clobber the default with an empty string.
 	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
 		logLevel = params.LogLevel
 	}
@@ -124,6 +127,20 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		daemonAddr = params.DaemonAddr
 	}
 	jsonSocketChanged := serviceCmd.PersistentFlags().Changed("json-socket")
 	if !jsonSocketChanged && params.JSONSocket != "" {
 		jsonSocket = params.JSONSocket
 	}
 	if !serviceCmd.PersistentFlags().Changed("disable-json-socket") {
 		jsonSocketDisabled = params.DisableJSONSocket
 		// Passing --json-socket should re-enable the JSON gateway unless
 		// --disable-json-socket was explicitly provided too.
 		if jsonSocketChanged {
 			jsonSocketDisabled = false
 		}
 	}
 	// For optional fields where empty means "use default", always apply so
 	// that an explicit clear (--management-url "") persists across reinstalls.
 	if !rootCmd.PersistentFlags().Changed("management-url") {
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -530,6 +530,7 @@ func fieldToGlobalVar(field string) string {
 	m := map[string]string{
 		"LogLevel":              "logLevel",
 		"DaemonAddr":            "daemonAddr",
 		"JSONSocket":            "jsonSocket",
 		"ManagementURL":         "managementURL",
 		"ConfigPath":            "configPath",
 		"LogFiles":              "logFiles",
@@ -537,6 +538,7 @@ func fieldToGlobalVar(field string) string {
 		"DisableUpdateSettings": "updateSettingsDisabled",
 		"EnableCapture":         "captureEnabled",
 		"DisableNetworks":       "networksDisabled",
 		"DisableJSONSocket":     "jsonSocketDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {
--- a/client/cmd/service_socket.go
+++ b/client/cmd/service_socket.go
@@ -0,0 +1,83 @@
 //go:build !ios && !android
 package cmd
 import (
 	"fmt"
 	"net"
 	"os"
 	"strings"
 	log "github.com/sirupsen/logrus"
 )
 type socketListener struct {
 	net.Listener
 	network string
 	address string
 }
 func listenOnAddress(addr string) (*socketListener, error) {
 	network, address, err := parseListenAddress(addr)
 	if err != nil {
 		return nil, err
 	}
 	if network == "unix" {
 		removeStaleUnixSocket(address)
 	}
 	listener, err := net.Listen(network, address)
 	if err != nil {
 		return nil, err
 	}
 	return &socketListener{Listener: listener, network: network, address: address}, nil
 }
 func parseListenAddress(addr string) (string, string, error) {
 	network, address, ok := strings.Cut(addr, "://")
 	if !ok || network == "" || address == "" {
 		return "", "", fmt.Errorf("address must be in [unix|tcp]://[path|host:port] format: %q", addr)
 	}
 	switch network {
 	case "unix", "tcp":
 		return network, address, nil
 	default:
 		return "", "", fmt.Errorf("unsupported daemon address protocol: %v", network)
 	}
 }
 func removeStaleUnixSocket(path string) {
 	stat, err := os.Stat(path)
 	if err == nil && !stat.IsDir() {
 		if err := os.Remove(path); err != nil {
 			log.Debugf("remove socket file: %v", err)
 		}
 		return
 	}
 	if err != nil && !os.IsNotExist(err) {
 		log.Debugf("stat socket file: %v", err)
 	}
 }
 func removeStaleUnixSocketForAddress(addr string) {
 	network, address, err := parseListenAddress(addr)
 	if err != nil || network != "unix" {
 		return
 	}
 	removeStaleUnixSocket(address)
 }
 func (l *socketListener) chmodUnixSocket(description string) error {
 	if l == nil || l.network != "unix" {
 		return nil
 	}
 	if err := os.Chmod(l.address, 0666); err != nil {
 		return fmt.Errorf("failed setting %s permissions for %s: %w", description, l.address, err)
 	}
 	return nil
 }
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -12,13 +12,7 @@ var (
 		Short: "Print the NetBird's client application version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
-			out := version.NetbirdVersion()
+			cmd.Println(version.NetbirdVersion())
 			if version.IsDevelopmentVersion(out) {
 				if commit := version.NetbirdCommit(); commit != "" {
 					out += "-" + commit
 				}
 			}
 			cmd.Println(out)
 		},
 	}
 )
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -279,10 +279,6 @@ func (c *Client) Start(startCtx context.Context) error {
 	select {
 	case <-startCtx.Done():
 		// Cancel the client context before stopping: Engine.Start blocks on the
 		// signal stream while holding the engine mutex and only unblocks on
 		// cancellation. Stopping first would deadlock on that mutex.
 		cancel()
 		if stopErr := client.Stop(); stopErr != nil {
 			return fmt.Errorf("stop error after context done. Stop error: %w. Context done: %w", stopErr, startCtx.Err())
 		}
@@ -446,8 +442,8 @@ func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession,
 // IdentityForIP looks up a remote peer by its tunnel IP using the
 // embedded client's status recorder. Returns the peer's WireGuard public
-// key and FQDN. ok=false means the IP doesn't belong to an active peer
+// key and FQDN. ok=false means the IP isn't in this client's peer
-// — offline roster peers are treated as unknown, same as foreign IPs.
+// roster — callers should treat that as "unknown peer".
 func (c *Client) IdentityForIP(ip netip.Addr) (pubKey, fqdn string, ok bool) {
 	if !ip.IsValid() || c.recorder == nil {
 		return "", "", false
--- a/client/embed/embed_test.go
+++ b/client/embed/embed_test.go
@@ -1,168 +0,0 @@
 package embed
 import (
 	"context"
 	"net"
 	"testing"
 	"time"
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator/validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/job"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/util"
 )
 const testSetupKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
 // TestClientStartTimeoutRollback reproduces a deadlock between Engine.Start and
 // Engine.Stop. The signal endpoint accepts gRPC connections but never serves the
 // SignalExchange service, so Engine.Start parks in WaitStreamConnected while
 // holding the engine mutex. When the Start context expires, the rollback path
 // calls ConnectClient.Stop, which must not block forever acquiring that mutex.
 func TestClientStartTimeoutRollback(t *testing.T) {
 	signalAddr := startBlackholeSignal(t)
 	mgmAddr := startManagement(t, signalAddr)
 	wgPort := 0
 	client, err := New(Options{
 		DeviceName:    "embed-rollback-test",
 		SetupKey:      testSetupKey,
 		ManagementURL: "http://" + mgmAddr,
 		WireguardPort: &wgPort,
 	})
 	require.NoError(t, err, "embed client creation must succeed")
 	startCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	startErr := make(chan error, 1)
 	go func() {
 		startErr <- client.Start(startCtx)
 	}()
 	select {
 	case err := <-startErr:
 		require.ErrorIs(t, err, context.DeadlineExceeded)
 	case <-time.After(60 * time.Second):
 		t.Fatal("client.Start did not return after its context expired: Engine.Stop deadlocked against Engine.Start waiting for the signal stream")
 	}
 }
 // startBlackholeSignal starts a gRPC server without the SignalExchange service
 // registered. Connections succeed, but the signal stream can never be
 // established, which keeps Engine.Start parked in WaitStreamConnected.
 func startBlackholeSignal(t *testing.T) string {
 	t.Helper()
 	lis, err := net.Listen("tcp", "localhost:0")
 	require.NoError(t, err)
 	s := grpc.NewServer()
 	go func() {
 		if err := s.Serve(lis); err != nil {
 			t.Error(err)
 		}
 	}()
 	t.Cleanup(s.Stop)
 	return lis.Addr().String()
 }
 func startManagement(t *testing.T, signalAddr string) string {
 	t.Helper()
 	cfg := &config.Config{
 		Stuns:      []*config.Host{},
 		TURNConfig: &config.TURNConfig{},
 		Relay: &config.Relay{
 			Addresses:      []string{"127.0.0.1:1234"},
 			CredentialsTTL: util.Duration{Duration: time.Hour},
 			Secret:         "222222222222222222",
 		},
 		Signal: &config.Host{
 			Proto: "http",
 			URI:   signalAddr,
 		},
 		Datadir:    t.TempDir(),
 		HttpConfig: nil,
 	}
 	lis, err := net.Listen("tcp", "localhost:0")
 	require.NoError(t, err)
 	s := grpc.NewServer()
 	testStore, cleanUp, err := store.NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", cfg.Datadir)
 	require.NoError(t, err)
 	t.Cleanup(cleanUp)
 	eventStore := &activity.InMemoryEventStore{}
 	permissionsManager := permissions.NewManager(testStore)
 	peersManager := peers.NewManager(testStore, permissionsManager)
 	jobManager := job.NewJobManager(nil, testStore, peersManager)
 	cacheStore, err := nbcache.NewStore(context.Background(), 100*time.Millisecond, 300*time.Millisecond, 100)
 	require.NoError(t, err)
 	iv, err := validator.NewIntegratedValidator(context.Background(), peersManager, nil, eventStore, cacheStore)
 	require.NoError(t, err)
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
 	ctrl := gomock.NewController(t)
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
 	settingsMockManager.EXPECT().
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 	settingsMockManager.EXPECT().
 		GetExtraSettings(gomock.Any(), gomock.Any()).
 		Return(&types.ExtraSettings{}, nil).
 		AnyTimes()
 	groupsManager := groups.NewManagerMock()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(context.Background(), testStore)
 	networkMapController := controller.NewController(context.Background(), testStore, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(testStore, peersManager), cfg)
 	accountManager, err := mgmt.BuildManager(context.Background(), cfg, testStore, networkMapController, jobManager, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false, cacheStore)
 	require.NoError(t, err)
 	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, cfg.TURNConfig, cfg.Relay, settingsMockManager, groupsManager)
 	require.NoError(t, err)
 	mgmtServer, err := nbgrpc.NewServer(cfg, accountManager, settingsMockManager, jobManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController, nil, nil)
 	require.NoError(t, err)
 	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
 	go func() {
 		if err := s.Serve(lis); err != nil {
 			t.Error(err)
 		}
 	}()
 	t.Cleanup(s.Stop)
 	return lis.Addr().String()
 }
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -3,7 +3,6 @@ package iptables
 import (
 	"errors"
 	"fmt"
 	"maps"
 	"net"
 	"slices"
@@ -422,17 +421,12 @@ func (m *aclManager) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()
 	// Clone the maps so the persisted state holds a private snapshot. The
 	// live maps keep being mutated by subsequent rule operations while the
 	// state manager marshals the state from its periodic-save goroutine.
 	// Sharing them by reference races the two and aborts the process with a
 	// concurrent map iteration and write.
 	if m.v6 {
-		currentState.ACLEntries6 = maps.Clone(m.entries)
+		currentState.ACLEntries6 = m.entries
-		currentState.ACLIPsetStore6 = m.ipsetStore.clone()
+		currentState.ACLIPsetStore6 = m.ipsetStore
 	} else {
-		currentState.ACLEntries = maps.Clone(m.entries)
+		currentState.ACLEntries = m.entries
-		currentState.ACLIPsetStore = m.ipsetStore.clone()
+		currentState.ACLIPsetStore = m.ipsetStore
 	}
 	if err := m.stateManager.UpdateState(currentState); err != nil {
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -4,7 +4,6 @@ package iptables
 import (
 	"fmt"
 	"maps"
 	"net/netip"
 	"strconv"
 	"strings"
@@ -750,17 +749,11 @@ func (r *router) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()
 	// Clone the rule map so the persisted state holds a private snapshot. The
 	// live map keeps being mutated by subsequent rule operations while the
 	// state manager marshals the state from its periodic-save goroutine.
 	// Sharing it by reference races the two and aborts the process with a
 	// concurrent map iteration and write. The ipset counter guards itself
 	// during marshaling, so it can be shared directly.
 	if r.v6 {
-		currentState.RouteRules6 = maps.Clone(r.rules)
+		currentState.RouteRules6 = r.rules
 		currentState.RouteIPsetCounter6 = r.ipsetCounter
 	} else {
-		currentState.RouteRules = maps.Clone(r.rules)
+		currentState.RouteRules = r.rules
 		currentState.RouteIPsetCounter = r.ipsetCounter
 	}
--- a/client/firewall/iptables/rulestore_linux.go
+++ b/client/firewall/iptables/rulestore_linux.go
@@ -1,9 +1,6 @@
 package iptables
-import (
+import "encoding/json"
 	"encoding/json"
 	"maps"
 )
 type ipList struct {
 	ips map[string]struct{}
@@ -22,14 +19,6 @@ func (s *ipList) addIP(ip string) {
 	s.ips[ip] = struct{}{}
 }
 // clone returns a deep copy of the ipList with its own ips map.
 func (s *ipList) clone() *ipList {
 	if s == nil {
 		return nil
 	}
 	return &ipList{ips: maps.Clone(s.ips)}
 }
 // MarshalJSON implements json.Marshaler
 func (s *ipList) MarshalJSON() ([]byte, error) {
 	return json.Marshal(struct {
@@ -66,19 +55,6 @@ func newIpsetStore() *ipsetStore {
 	}
 }
 // clone returns a deep copy of the ipsetStore with its own ipsets map and
 // independent ipList entries.
 func (s *ipsetStore) clone() *ipsetStore {
 	if s == nil {
 		return nil
 	}
 	cloned := &ipsetStore{ipsets: make(map[string]*ipList, len(s.ipsets))}
 	for name, list := range s.ipsets {
 		cloned.ipsets[name] = list.clone()
 	}
 	return cloned
 }
 func (s *ipsetStore) ipset(ipsetName string) (*ipList, bool) {
 	r, ok := s.ipsets[ipsetName]
 	return r, ok
--- a/client/firewall/uspfilter/forwarder/icmp.go
+++ b/client/firewall/uspfilter/forwarder/icmp.go
@@ -362,10 +362,6 @@ func (f *Forwarder) injectICMPv6Reply(id stack.TransportEndpointID, icmpPayload
 		return 0
 	}
 	if pc := f.endpoint.capture.Load(); pc != nil {
 		(*pc).Offer(fullPacket, true)
 	}
 	return len(fullPacket)
 }
--- a/client/iface/bind/ice_bind.go
+++ b/client/iface/bind/ice_bind.go
@@ -41,6 +41,7 @@ type ICEBind struct {
 	*wgConn.StdNetBind
 	transportNet transport.Net
 	filterFn     udpmux.FilterFn
 	address      wgaddr.Address
 	mtu          uint16
@@ -60,11 +61,12 @@ type ICEBind struct {
 	ipv6Conn *net.UDPConn
 }
-func NewICEBind(transportNet transport.Net, address wgaddr.Address, mtu uint16) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
 		transportNet:     transportNet,
 		filterFn:         filterFn,
 		address:          address,
 		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
@@ -263,6 +265,7 @@ func (s *ICEBind) createOrUpdateMux() {
 		udpmux.UniversalUDPMuxParams{
 			UDPConn:   muxConn,
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
 			WGAddress: s.address,
 			MTU:       s.mtu,
 		},
--- a/client/iface/bind/ice_bind_test.go
+++ b/client/iface/bind/ice_bind_test.go
@@ -289,7 +289,7 @@ func setupICEBind(t *testing.T) *ICEBind {
 		IP:      netip.MustParseAddr("100.64.0.1"),
 		Network: netip.MustParsePrefix("100.64.0.0/10"),
 	}
-	return NewICEBind(transportNet, address, 1280)
+	return NewICEBind(transportNet, nil, address, 1280)
 }
 func createDualStackConns(t *testing.T) (*net.UDPConn, *net.UDPConn) {
--- a/client/iface/device/device_filter.go
+++ b/client/iface/device/device_filter.go
@@ -1,13 +1,10 @@
 package device
 import (
 	"fmt"
 	"net/netip"
 	"runtime/debug"
 	"sync"
 	"sync/atomic"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun"
 )
@@ -44,13 +41,10 @@ type PacketCapture interface {
 type FilteredDevice struct {
 	tun.Device
-	filter  PacketFilter
+	filter    PacketFilter
-	capture atomic.Pointer[PacketCapture]
+	capture   atomic.Pointer[PacketCapture]
-	// panicHandler is invoked after a panic in the underlying device is
+	mutex     sync.RWMutex
-	// recovered in Read or Write.
+	closeOnce sync.Once
 	panicHandler atomic.Pointer[func()]
 	mutex        sync.RWMutex
 	closeOnce    sync.Once
 }
 // newDeviceFilter constructor function
@@ -76,7 +70,7 @@ func (d *FilteredDevice) Close() error {
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
-	if n, err = d.deviceRead(bufs, sizes, offset); err != nil {
+	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
 		return 0, err
 	}
@@ -118,7 +112,7 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 	d.mutex.RUnlock()
 	if filter == nil {
-		return d.deviceWrite(bufs, offset)
+		return d.Device.Write(bufs, offset)
 	}
 	filteredBufs := make([][]byte, 0, len(bufs))
@@ -131,44 +125,9 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 		}
 	}
-	n, err := d.deviceWrite(filteredBufs, offset)
+	n, err := d.Device.Write(filteredBufs, offset)
-	if err != nil {
+	n += dropped
-		return n, err
+	return n, err
 	}
 	return n + dropped, nil
 }
 // deviceRead calls the underlying device Read, recovering from panics in the
 // wintun read path and converting them into errors.
 func (d *FilteredDevice) deviceRead(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	defer d.recoverFromPanic("read", &n, &err)
 	return d.Device.Read(bufs, sizes, offset)
 }
 // deviceWrite calls the underlying device Write, recovering from panics in the
 // wintun write path and converting them into errors.
 func (d *FilteredDevice) deviceWrite(bufs [][]byte, offset int) (n int, err error) {
 	defer d.recoverFromPanic("write", &n, &err)
 	return d.Device.Write(bufs, offset)
 }
 // recoverFromPanic converts a panic in the underlying device into a regular
 // error and invokes the registered panic handler. The wintun read path is
 // known to panic on zero-length packets that third-party filter drivers can
 // place in the ring.
 func (d *FilteredDevice) recoverFromPanic(op string, n *int, err *error) {
 	r := recover()
 	if r == nil {
 		return
 	}
 	log.Errorf("recovered panic in tun device %s: %v\n%s", op, r, debug.Stack())
 	*n = 0
 	*err = fmt.Errorf("tun device %s panic: %v", op, r)
 	if handler := d.panicHandler.Load(); handler != nil {
 		(*handler)()
 	}
 }
 // SetFilter sets packet filter to device
@@ -178,17 +137,6 @@ func (d *FilteredDevice) SetFilter(filter PacketFilter) {
 	d.mutex.Unlock()
 }
 // SetPanicHandler registers a handler invoked after a recovered panic in Read
 // or Write. The device is unusable after such a panic; the handler should
 // trigger recreation of the interface. Pass nil to remove.
 func (d *FilteredDevice) SetPanicHandler(handler func()) {
 	if handler == nil {
 		d.panicHandler.Store(nil)
 		return
 	}
 	d.panicHandler.Store(&handler)
 }
 // SetCapture sets or clears the packet capture sink. Pass nil to disable.
 // Uses atomic store so the hot path (Read/Write) is a single pointer load
 // with no locking overhead when capture is off.
--- a/client/iface/device/device_filter_test.go
+++ b/client/iface/device/device_filter_test.go
@@ -221,60 +221,3 @@ func TestDeviceWrapperRead(t *testing.T) {
 		}
 	})
 }
 func TestDeviceWrapperReadPanic(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	tun := mocks.NewMockDevice(ctrl)
 	tun.EXPECT().Read(gomock.Any(), gomock.Any(), gomock.Any()).
 		DoAndReturn(func(bufs [][]byte, sizes []int, offset int) (int, error) {
 			// Reproduce the wintun zero-length packet panic (index out of range).
 			packet := make([]byte, 0)
 			return int(packet[0]), nil
 		})
 	wrapped := newDeviceFilter(tun)
 	handlerCalled := false
 	wrapped.SetPanicHandler(func() { handlerCalled = true })
 	n, err := wrapped.Read([][]byte{{}}, []int{0}, 0)
 	if err == nil {
 		t.Errorf("expected error from recovered panic, got nil")
 	}
 	if n != 0 {
 		t.Errorf("expected n=0, got %d", n)
 	}
 	if !handlerCalled {
 		t.Errorf("expected panic handler to be called")
 	}
 }
 func TestDeviceWrapperWritePanic(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	tun := mocks.NewMockDevice(ctrl)
 	tun.EXPECT().Write(gomock.Any(), gomock.Any()).
 		DoAndReturn(func(bufs [][]byte, offset int) (int, error) {
 			packet := make([]byte, 0)
 			return int(packet[0]), nil
 		})
 	wrapped := newDeviceFilter(tun)
 	handlerCalled := false
 	wrapped.SetPanicHandler(func() { handlerCalled = true })
 	n, err := wrapped.Write([][]byte{{0x45, 0x00}}, 0)
 	if err == nil {
 		t.Errorf("expected error from recovered panic, got nil")
 	}
 	if n != 0 {
 		t.Errorf("expected n=0, got %d", n)
 	}
 	if !handlerCalled {
 		t.Errorf("expected panic handler to be called")
 	}
 }
--- a/client/iface/device/device_kernel_unix.go
+++ b/client/iface/device/device_kernel_unix.go
@@ -32,6 +32,8 @@ type TunKernelDevice struct {
 	link       *wgLink
 	udpMuxConn net.PacketConn
 	udpMux     *udpmux.UniversalUDPMuxDefault
 	filterFn udpmux.FilterFn
 }
 func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
@@ -102,6 +104,7 @@ func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	bindParams := udpmux.UniversalUDPMuxParams{
 		UDPConn:   nbnet.WrapPacketConn(rawSock),
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
 		MTU:       t.mtu,
 	}
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -63,6 +63,7 @@ type WGIFaceOpts struct {
 	MTU          uint16
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     udpmux.FilterFn
 	DisableDNS   bool
 }
--- a/client/iface/iface_new.go
+++ b/client/iface/iface_new.go
@@ -11,7 +11,7 @@ import (
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
 	var tun WGTunDevice
 	if netstack.IsEnabled() {
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -9,7 +9,7 @@ import (
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
 	if netstack.IsEnabled() {
 		wgIFace := &WGIface{
--- a/client/iface/iface_new_ios.go
+++ b/client/iface/iface_new_ios.go
@@ -10,7 +10,7 @@ import (
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
 	wgIFace := &WGIface{
 		tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
--- a/client/iface/iface_new_linux.go
+++ b/client/iface/iface_new_linux.go
@@ -14,7 +14,7 @@ import (
 // NewWGIFace Creates a new WireGuard interface instance
 func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
 		return &WGIface{
 			tun:            device.NewNetstackDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
 			userspaceBind:  true,
@@ -30,7 +30,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	}
 	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.Address, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, opts.Address, opts.MTU)
 		return &WGIface{
 			tun:            device.NewTunDevice(opts.IFaceName, opts.Address, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind),
 			userspaceBind:  true,
--- a/client/iface/udpmux/universal.go
+++ b/client/iface/udpmux/universal.go
@@ -8,6 +8,8 @@ import (
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"sync"
 	"time"
 	log "github.com/sirupsen/logrus"
@@ -20,6 +22,10 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 // FilterFn is a function that filters out candidates based on the address.
 // If it returns true, the address is to be filtered. It also returns the prefix of matching route.
 type FilterFn func(address netip.Addr) (bool, netip.Prefix, error)
 // UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn
 // It then passes packets to the UDPMux that does the actual connection muxing.
 type UniversalUDPMuxDefault struct {
@@ -37,6 +43,7 @@ type UniversalUDPMuxParams struct {
 	UDPConn               net.PacketConn
 	XORMappedAddrCacheTTL time.Duration
 	Net                   transport.Net
 	FilterFn              FilterFn
 	WGAddress             wgaddr.Address
 	MTU                   uint16
 }
@@ -61,6 +68,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 		PacketConn: params.UDPConn,
 		mux:        m,
 		logger:     params.Logger,
 		filterFn:   params.FilterFn,
 		address:    params.WGAddress,
 	}
@@ -107,12 +115,15 @@ func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
 	}
 }
-// UDPConn is a wrapper around UDPMux conn that overrides WriteTo to drop packets destined for the overlay subnet.
+// UDPConn is a wrapper around UDPMux conn that overrides ReadFrom and handles STUN/TURN packets
 type UDPConn struct {
 	net.PacketConn
-	mux     *UniversalUDPMuxDefault
+	mux      *UniversalUDPMuxDefault
-	logger  logging.LeveledLogger
+	logger   logging.LeveledLogger
-	address wgaddr.Address
+	filterFn FilterFn
 	// TODO: reset cache on route changes
 	addrCache sync.Map
 	address   wgaddr.Address
 }
 // GetPacketConn returns the underlying PacketConn
@@ -121,18 +132,67 @@ func (u *UDPConn) GetPacketConn() net.PacketConn {
 }
 func (u *UDPConn) WriteTo(b []byte, addr net.Addr) (int, error) {
-	udpAddr, ok := addr.(*net.UDPAddr)
+	if u.filterFn == nil {
 	if !ok {
 		return u.PacketConn.WriteTo(b, addr)
 	}
-	dst := udpAddr.AddrPort().Addr().Unmap()
+
-	if (u.address.Network.IsValid() && u.address.Network.Contains(dst)) || (u.address.IPv6Net.IsValid() && u.address.IPv6Net.Contains(dst)) {
+	if isRouted, found := u.addrCache.Load(addr.String()); found {
-		log.Warnf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
+		return u.handleCachedAddress(isRouted.(bool), b, addr)
-		return 0, fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
+	}
 	return u.handleUncachedAddress(b, addr)
 }
 func (u *UDPConn) handleCachedAddress(isRouted bool, b []byte, addr net.Addr) (int, error) {
 	if isRouted {
 		return 0, fmt.Errorf("address %s is part of a routed network, refusing to write", addr)
 	}
 	return u.PacketConn.WriteTo(b, addr)
 }
 func (u *UDPConn) handleUncachedAddress(b []byte, addr net.Addr) (int, error) {
 	if err := u.performFilterCheck(addr); err != nil {
 		return 0, err
 	}
 	return u.PacketConn.WriteTo(b, addr)
 }
 func (u *UDPConn) performFilterCheck(addr net.Addr) error {
 	host, err := getHostFromAddr(addr)
 	if err != nil {
 		log.Errorf("Failed to get host from address %s: %v", addr, err)
 		return nil
 	}
 	a, err := netip.ParseAddr(host)
 	if err != nil {
 		log.Errorf("Failed to parse address %s: %v", addr, err)
 		return nil
 	}
 	if u.address.Network.Contains(a) {
 		log.Warnf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}
 	if isRouted, prefix, err := u.filterFn(a); err != nil {
 		log.Errorf("Failed to check if address %s is routed: %v", addr, err)
 	} else {
 		u.addrCache.Store(addr.String(), isRouted)
 		if isRouted {
 			// Extra log, as the error only shows up with ICE logging enabled
 			log.Infof("address %s is part of routed network %s, refusing to write", addr, prefix)
 			return fmt.Errorf("address %s is part of routed network %s, refusing to write", addr, prefix)
 		}
 	}
 	return nil
 }
 func getHostFromAddr(addr net.Addr) (string, error) {
 	host, _, err := net.SplitHostPort(addr.String())
 	return host, err
 }
 // GetSharedConn returns the shared udp conn
 func (m *UniversalUDPMuxDefault) GetSharedConn() net.PacketConn {
 	return m.params.UDPConn
@@ -165,13 +225,6 @@ func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.A
 		return nil
 	}
 	src := udpAddr.AddrPort().Addr().Unmap()
 	wg := m.params.WGAddress
 	if (wg.Network.IsValid() && wg.Network.Contains(src)) || (wg.IPv6Net.IsValid() && wg.IPv6Net.Contains(src)) {
 		log.Debugf("dropping STUN message from overlay source %s", udpAddr)
 		return nil
 	}
 	if m.isXORMappedResponse(msg, udpAddr.String()) {
 		err := m.handleXORMappedResponse(udpAddr, msg)
 		if err != nil {
--- a/client/iface/wgproxy/proxy_linux_test.go
+++ b/client/iface/wgproxy/proxy_linux_test.go
@@ -66,7 +66,7 @@ func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(nil, wgAddress, 1280)
+	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
 	endpointAddress := &net.UDPAddr{
 		IP:   net.IPv4(10, 0, 0, 1),
 		Port: 1234,
--- a/client/iface/wgproxy/proxy_seed_test.go
+++ b/client/iface/wgproxy/proxy_seed_test.go
@@ -22,7 +22,7 @@ func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(nil, wgAddress, 1280)
+	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
 	endpointAddress := &net.UDPAddr{
 		IP:   net.IPv4(10, 0, 0, 1),
 		Port: 1234,
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -360,13 +360,7 @@ func isRedirectURLPortUsed(redirectURL string, excludedRanges []excludedPortRang
 		return true
 	}
-	// FreeBSD 15 disables connecting to INADDR_ANY (0.0.0.0) as a localhost
+	addr := fmt.Sprintf(":%s", port)
 	// alias by default, ensure explicit ip for localhost.
 	host := parsedURL.Hostname()
 	if host == "" {
 		host = "127.0.0.1"
 	}
 	addr := net.JoinHostPort(host, port)
 	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
 	if err != nil {
 		return false
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
 	"path/filepath"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -118,8 +117,6 @@ func (c *ConnectClient) RunOniOS(
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
 	stateFilePath string,
 	cacheDir string,
 	logFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
 	debug.SetGCPercent(5)
@@ -129,9 +126,8 @@ func (c *ConnectClient) RunOniOS(
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
 		StateFilePath:         stateFilePath,
 		TempDir:               cacheDir,
 	}
-	return c.run(mobileDependency, nil, logFilePath)
+	return c.run(mobileDependency, nil, "")
 }
 func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan struct{}, logPath string) error {
@@ -350,11 +346,6 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 		engineConfig.TempDir = mobileDependency.TempDir
 		// Leave StateDir empty when there is no state path so a disk-backed
 		// syncstore falls back to os.TempDir() instead of filepath.Dir("") == ".".
 		if path != "" {
 			engineConfig.StateDir = filepath.Dir(path)
 		}
 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -250,13 +250,10 @@ type BundleGenerator struct {
 	syncResponse   *mgmProto.SyncResponse
 	logPath        string
 	tempDir        string
 	statePath      string
 	cpuProfile     []byte
 	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
 	daemonVersion  string
 	cliVersion     string
 	anonymize         bool
 	includeSystemInfo bool
@@ -277,13 +274,10 @@ type GeneratorDependencies struct {
 	SyncResponse   *mgmProto.SyncResponse
 	LogPath        string
 	TempDir        string // Directory for temporary bundle zip files. If empty, os.TempDir() is used.
 	StatePath      string // Path to the state file. If empty, the ServiceManager default path is used.
 	CPUProfile     []byte
 	CapturePath    string
 	RefreshStatus  func()
 	ClientMetrics  MetricsExporter
 	DaemonVersion  string
 	CliVersion     string
 }
 func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGenerator {
@@ -301,13 +295,10 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		syncResponse:   deps.SyncResponse,
 		logPath:        deps.LogPath,
 		tempDir:        deps.TempDir,
 		statePath:      deps.StatePath,
 		cpuProfile:     deps.CPUProfile,
 		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
 		daemonVersion:  deps.DaemonVersion,
 		cliVersion:     deps.CliVersion,
 		anonymize:         cfg.Anonymize,
 		includeSystemInfo: cfg.IncludeSystemInfo,
@@ -468,11 +459,9 @@ func (g *BundleGenerator) addStatus() error {
 		protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
 		protoFullStatus.Events = g.statusRecorder.GetEventHistory()
 		overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, nbstatus.ConvertOptions{
-			Anonymize:     g.anonymize,
+			Anonymize:   g.anonymize,
-			ProfileName:   profName,
+			ProfileName: profName,
 			DaemonVersion: g.daemonVersion,
 		})
 		overview.CliVersion = g.cliVersion
 		statusOutput := overview.FullDetailSummary()
 		statusReader := strings.NewReader(statusOutput)
@@ -519,14 +508,6 @@ func (g *BundleGenerator) addConfig() error {
 		}
 	}
 	// Surface the set of MDM-enforced keys so a support engineer reading
 	// the bundle can tell which field values are user-set vs MDM-overridden.
 	// Same semantics as the mDMManagedFields list returned by the
 	// GetConfig RPC consumed by `netbird debug config`.
 	if managed := g.internalConfig.Policy().ManagedKeys(); len(managed) > 0 {
 		configContent.WriteString(fmt.Sprintf("MDMManagedFields: %v\n", managed))
 	}
 	configReader := strings.NewReader(configContent.String())
 	if err := g.addFileToZip(configReader, "config.txt"); err != nil {
 		return fmt.Errorf("add config file to zip: %w", err)
@@ -817,8 +798,6 @@ func (g *BundleGenerator) addSyncResponse() error {
 		AllowPartial:    true,
 	}
 	g.maskSecrets()
 	jsonBytes, err := options.Marshal(g.syncResponse)
 	if err != nil {
 		return fmt.Errorf("generate json: %w", err)
@@ -831,33 +810,9 @@ func (g *BundleGenerator) addSyncResponse() error {
 	return nil
 }
 func (g *BundleGenerator) maskSecrets() {
 	if g.syncResponse == nil || g.syncResponse.NetbirdConfig == nil {
 		return
 	}
 	if g.syncResponse.NetbirdConfig.Flow != nil {
 		g.syncResponse.NetbirdConfig.Flow.TokenPayload = maskedValue
 	}
 	if g.syncResponse.NetbirdConfig.Relay != nil {
 		g.syncResponse.NetbirdConfig.Relay.TokenPayload = maskedValue
 	}
 	for i := range g.syncResponse.NetbirdConfig.Turns {
 		if g.syncResponse.NetbirdConfig.Turns[i] != nil {
 			g.syncResponse.NetbirdConfig.Turns[i].Password = maskedValue
 		}
 	}
 }
 func (g *BundleGenerator) addStateFile() error {
-	path := g.statePath
+	sm := profilemanager.NewServiceManager("")
-	if path == "" {
+	path := sm.GetStatePath()
 		sm := profilemanager.NewServiceManager("")
 		path = sm.GetStatePath()
 	}
 	if path == "" {
 		return nil
 	}
@@ -1084,8 +1039,7 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 		return
 	}
-	// This regex will match both logs rotated by us and logrotate on linux
+	pattern := filepath.Join(logDir, "client-*.log.gz")
 	pattern := filepath.Join(logDir, "client*.log.*")
 	files, err := filepath.Glob(pattern)
 	if err != nil {
 		log.Warnf("failed to glob rotated logs: %v", err)
@@ -1118,12 +1072,7 @@ func (g *BundleGenerator) addRotatedLogFiles(logDir string) {
 	for i := 0; i < maxFiles; i++ {
 		name := filepath.Base(files[i])
-		if strings.HasSuffix(name, ".gz") {
+		if err := g.addSingleLogFileGz(files[i], name); err != nil {
 			err = g.addSingleLogFileGz(files[i], name)
 		} else {
 			err = g.addSingleLogfile(files[i], name)
 		}
 		if err != nil {
 			log.Warnf("failed to add rotated log %s: %v", name, err)
 		}
 	}
--- a/client/internal/debug/debug_ios.go
+++ b/client/internal/debug/debug_ios.go
@@ -1,36 +0,0 @@
 //go:build ios
 package debug
 import (
 	"path/filepath"
 	log "github.com/sirupsen/logrus"
 )
 // swiftLogFile is the Swift app log written by the iOS app into the same log
 // directory as the Go client log, so it can be collected into the bundle.
 const swiftLogFile = "swift-log.log"
 // addPlatformLog collects logs for the iOS debug bundle. iOS has no logcat or
 // systemd journal, so we rely on file-based logs. addLogfile handles the Go
 // client log (logPath) with rotation, the stderr/stdout companions and
 // anonymization. The iOS app writes its own Swift log into the same directory,
 // so we add it alongside the Go log.
 func (g *BundleGenerator) addPlatformLog() error {
 	if err := g.addLogfile(); err != nil {
 		return err
 	}
 	if g.logPath == "" {
 		return nil
 	}
 	swiftLogPath := filepath.Join(filepath.Dir(g.logPath), swiftLogFile)
 	if err := g.addSingleLogfile(swiftLogPath, swiftLogFile); err != nil {
 		// The Swift log is best-effort: the app may not have written it yet.
 		log.Warnf("failed to add %s to debug bundle: %v", swiftLogFile, err)
 	}
 	return nil
 }
--- a/client/internal/debug/debug_logfiles_test.go
+++ b/client/internal/debug/debug_logfiles_test.go
@@ -1,103 +0,0 @@
 package debug
 import (
 	"archive/zip"
 	"bytes"
 	"compress/gzip"
 	"io"
 	"os"
 	"path/filepath"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
 )
 // TestAddRotatedLogFiles_PicksUpAllVariants asserts that the rotated-log
 // glob picks up logs rotated by timberjack (gzipped) and by logrotate (plain
 // and gzipped), and skips unrelated files.
 func TestAddRotatedLogFiles_PicksUpAllVariants(t *testing.T) {
 	dir := t.TempDir()
 	writeFile(t, filepath.Join(dir, "client.log"), "active log\n")
 	writeFile(t, filepath.Join(dir, "other.log"), "unrelated\n")
 	timberjackRotated := "client-2026-05-21T10-30-45.000.log.gz"
 	writeGzFile(t, filepath.Join(dir, timberjackRotated), "timberjack rotated content\n")
 	logrotatePlain := "client.log.1"
 	writeFile(t, filepath.Join(dir, logrotatePlain), "logrotate plain content\n")
 	logrotateGz := "client.log.2.gz"
 	writeGzFile(t, filepath.Join(dir, logrotateGz), "logrotate gz content\n")
 	names := runAddRotatedLogFiles(t, dir, 10)
 	require.Contains(t, names, timberjackRotated, "timberjack rotated file should be in bundle")
 	require.Contains(t, names, logrotatePlain, "logrotate plain rotated file should be in bundle")
 	require.Contains(t, names, logrotateGz, "logrotate gzipped rotated file should be in bundle")
 	require.NotContains(t, names, "client.log", "active log should not be added by addRotatedLogFiles")
 	require.NotContains(t, names, "other.log", "unrelated files should not be in bundle")
 }
 // TestAddRotatedLogFiles_RespectsLogFileCount asserts that only the newest
 // logFileCount rotated files are bundled, ordered by mtime.
 func TestAddRotatedLogFiles_RespectsLogFileCount(t *testing.T) {
 	dir := t.TempDir()
 	oldest := filepath.Join(dir, "client.log.3")
 	middle := filepath.Join(dir, "client.log.2")
 	newest := filepath.Join(dir, "client.log.1")
 	writeFile(t, oldest, "old\n")
 	writeFile(t, middle, "mid\n")
 	writeFile(t, newest, "new\n")
 	now := time.Now()
 	require.NoError(t, os.Chtimes(oldest, now.Add(-2*time.Hour), now.Add(-2*time.Hour)))
 	require.NoError(t, os.Chtimes(middle, now.Add(-1*time.Hour), now.Add(-1*time.Hour)))
 	require.NoError(t, os.Chtimes(newest, now, now))
 	names := runAddRotatedLogFiles(t, dir, 2)
 	require.Contains(t, names, "client.log.1")
 	require.Contains(t, names, "client.log.2")
 	require.NotContains(t, names, "client.log.3", "oldest file should be dropped when logFileCount=2")
 }
 // runAddRotatedLogFiles calls addRotatedLogFiles against a fresh in-memory
 // zip writer and returns the set of entry names that ended up in the archive.
 func runAddRotatedLogFiles(t *testing.T, dir string, logFileCount uint32) map[string]struct{} {
 	t.Helper()
 	var buf bytes.Buffer
 	g := &BundleGenerator{
 		archive:      zip.NewWriter(&buf),
 		logFileCount: logFileCount,
 	}
 	g.addRotatedLogFiles(dir)
 	require.NoError(t, g.archive.Close())
 	zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
 	require.NoError(t, err)
 	names := make(map[string]struct{}, len(zr.File))
 	for _, f := range zr.File {
 		names[f.Name] = struct{}{}
 	}
 	return names
 }
 func writeFile(t *testing.T, path, content string) {
 	t.Helper()
 	require.NoError(t, os.WriteFile(path, []byte(content), 0o644))
 }
 func writeGzFile(t *testing.T, path, content string) {
 	t.Helper()
 	var buf bytes.Buffer
 	gw := gzip.NewWriter(&buf)
 	_, err := io.WriteString(gw, content)
 	require.NoError(t, err)
 	require.NoError(t, gw.Close())
 	require.NoError(t, os.WriteFile(path, buf.Bytes(), 0o644))
 }
--- a/client/internal/debug/debug_nonandroid.go
+++ b/client/internal/debug/debug_nonandroid.go
@@ -1,4 +1,4 @@
-//go:build !android && !ios
+//go:build !android
 package debug
--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -843,7 +843,6 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
 		"policy":            "non-config: in-memory MDM policy snapshot, surfaced via Config.Policy() / GetConfigResponse.MDMManagedFields",
 	}
 	mURL, _ := url.Parse("https://api.example.com:443")
--- a/client/internal/dns/local/local.go
+++ b/client/internal/dns/local/local.go
@@ -482,7 +482,7 @@ func (d *Resolver) logDNSError(logger *log.Entry, hostname string, qtype uint16,
 // completely when every proxy peer is offline (the upstream may still
 // be reachable some other way, or the peerstore may be stale).
 func (d *Resolver) filterDisconnectedPeerAnswers(logger *log.Entry, question dns.Question, records []dns.RR) []dns.RR {
-	if len(records) < 2 {
+	if len(records) == 0 {
 		return records
 	}
 	d.mu.RLock()
--- a/client/internal/dns/local/local_test.go
+++ b/client/internal/dns/local/local_test.go
@@ -2738,17 +2738,6 @@ func TestLocalResolver_FilterDisconnectedPeerAnswers(t *testing.T) {
 			connByIP:    nil,
 			wantInOrder: []string{"100.64.0.10", "100.64.0.11"},
 		},
 		{
 			// A single answer is never filtered: dropping it would only
 			// trigger the empty-answer escape hatch, so the fast path
 			// returns it untouched.
 			name:    "single disconnected answer passes through",
 			records: []nbdns.SimpleRecord{disconnectedRec},
 			connByIP: map[string]ipState{
 				"100.64.0.11": {known: true, connected: false},
 			},
 			wantInOrder: []string{"100.64.0.11"},
 		},
 	}
 	for _, tc := range tests {
--- a/client/internal/dns/resutil/resolve.go
+++ b/client/internal/dns/resutil/resolve.go
@@ -14,10 +14,6 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 // errNoSuitableAddress mirrors the unexported error string the net package
 // uses when a resolved host has no addresses of the requested family.
 const errNoSuitableAddress = "no suitable address found"
 // GenerateRequestID creates a random 8-character hex string for request tracing.
 func GenerateRequestID() string {
 	bytes := make([]byte, 4)
@@ -130,14 +126,6 @@ func LookupIP(ctx context.Context, r resolver, network, host string, qtype uint1
 }
 func getRcodeForError(ctx context.Context, r resolver, host string, qtype uint16, err error) int {
 	// The net package returns this AddrError when the host resolves but has
 	// no addresses of the requested family. The domain exists, so answer
 	// NODATA instead of SERVFAIL.
 	var addrErr *net.AddrError
 	if errors.As(err, &addrErr) && addrErr.Err == errNoSuitableAddress {
 		return dns.RcodeSuccess
 	}
 	var dnsErr *net.DNSError
 	if !errors.As(err, &dnsErr) {
 		return dns.RcodeServerFailure
--- a/client/internal/dns/resutil/resolve_test.go
+++ b/client/internal/dns/resutil/resolve_test.go
@@ -1,122 +0,0 @@
 package resutil
 import (
 	"context"
 	"errors"
 	"net"
 	"net/netip"
 	"testing"
 	"github.com/miekg/dns"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 type mockResolver struct {
 	// results maps network ("ip4"/"ip6") to the lookup outcome.
 	results map[string]mockLookup
 }
 type mockLookup struct {
 	ips []netip.Addr
 	err error
 }
 func (m *mockResolver) LookupNetIP(_ context.Context, network, _ string) ([]netip.Addr, error) {
 	res, ok := m.results[network]
 	if !ok {
 		return nil, errors.New("unexpected network: " + network)
 	}
 	return res.ips, res.err
 }
 func TestLookupIP_Success(t *testing.T) {
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip4": {ips: []netip.Addr{netip.MustParseAddr("::ffff:192.0.2.1")}},
 	}}
 	result := LookupIP(context.Background(), r, "ip4", "example.com.", dns.TypeA)
 	assert.Equal(t, dns.RcodeSuccess, result.Rcode, "successful lookup should return NOERROR")
 	require.Len(t, result.IPs, 1, "should return the resolved address")
 	assert.Equal(t, netip.MustParseAddr("192.0.2.1"), result.IPs[0], "v4-mapped address should be unmapped")
 }
 func TestLookupIP_NoSuitableAddress(t *testing.T) {
 	// The net package returns this AddrError when the host resolves but has
 	// no addresses of the requested family (e.g. AAAA query for a v4-only
 	// hosts file entry). The domain exists, so this is NODATA, not SERVFAIL.
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip6": {err: &net.AddrError{Err: "no suitable address found", Addr: "example.com."}},
 	}}
 	result := LookupIP(context.Background(), r, "ip6", "example.com.", dns.TypeAAAA)
 	assert.Equal(t, dns.RcodeSuccess, result.Rcode, "no suitable address should map to NODATA")
 	assert.Empty(t, result.IPs, "NODATA response should carry no addresses")
 }
 // TestErrNoSuitableAddressMatchesNetPackage pins our copy of the error string
 // to what the net package actually emits. A literal IP of the wrong family
 // takes the same filterAddrList path as a resolved hostname, without network
 // access.
 func TestErrNoSuitableAddressMatchesNetPackage(t *testing.T) {
 	_, err := (&net.Resolver{}).LookupNetIP(context.Background(), "ip6", "192.0.2.1")
 	require.Error(t, err)
 	var addrErr *net.AddrError
 	require.ErrorAs(t, err, &addrErr, "wrong-family lookup should return AddrError")
 	assert.Equal(t, errNoSuitableAddress, addrErr.Err, "net package error string should match our constant")
 }
 func TestLookupIP_OtherAddrError(t *testing.T) {
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip4": {err: &net.AddrError{Err: "some other address problem", Addr: "example.com."}},
 	}}
 	result := LookupIP(context.Background(), r, "ip4", "example.com.", dns.TypeA)
 	assert.Equal(t, dns.RcodeServerFailure, result.Rcode, "unrecognized AddrError should map to SERVFAIL")
 }
 func TestLookupIP_NotFoundNXDomain(t *testing.T) {
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip4": {err: &net.DNSError{Err: "no such host", Name: "example.com.", IsNotFound: true}},
 		"ip6": {err: &net.DNSError{Err: "no such host", Name: "example.com.", IsNotFound: true}},
 	}}
 	result := LookupIP(context.Background(), r, "ip4", "example.com.", dns.TypeA)
 	assert.Equal(t, dns.RcodeNameError, result.Rcode, "not found for both families should map to NXDOMAIN")
 }
 func TestLookupIP_NotFoundNoData(t *testing.T) {
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip6": {err: &net.DNSError{Err: "no such host", Name: "example.com.", IsNotFound: true}},
 		"ip4": {ips: []netip.Addr{netip.MustParseAddr("192.0.2.1")}},
 	}}
 	result := LookupIP(context.Background(), r, "ip6", "example.com.", dns.TypeAAAA)
 	assert.Equal(t, dns.RcodeSuccess, result.Rcode, "not found with the other family present should map to NODATA")
 }
 func TestLookupIP_GenericError(t *testing.T) {
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip4": {err: errors.New("connection refused")},
 	}}
 	result := LookupIP(context.Background(), r, "ip4", "example.com.", dns.TypeA)
 	assert.Equal(t, dns.RcodeServerFailure, result.Rcode, "generic error should map to SERVFAIL")
 }
 func TestLookupIP_DNSErrorNotIsNotFound(t *testing.T) {
 	r := &mockResolver{results: map[string]mockLookup{
 		"ip4": {err: &net.DNSError{Err: "server misbehaving", Name: "example.com.", IsTemporary: true}},
 	}}
 	result := LookupIP(context.Background(), r, "ip4", "example.com.", dns.TypeA)
 	assert.Equal(t, dns.RcodeServerFailure, result.Rcode, "upstream failure should map to SERVFAIL")
 }
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -777,24 +777,13 @@ func (s *DefaultServer) applyHostConfig() {
 // context is released rather than leaked until GC.
 func (s *DefaultServer) registerFallback() {
 	originalNameservers := s.hostManager.getOriginalNameservers()
-
+	if len(originalNameservers) == 0 {
 	serverIP := s.service.RuntimeIP()
 	var servers []netip.AddrPort
 	for _, ns := range originalNameservers {
 		if ns == serverIP {
 			log.Debugf("skipping original nameserver %s as it is the same as the server IP %s", ns, serverIP)
 			continue
 		}
 		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
 	}
 	if len(servers) == 0 {
 		log.Debugf("no fallback upstreams to register; clearing PriorityFallback handler")
 		s.clearFallback()
 		return
 	}
-	log.Infof("registering original nameservers %v as upstream handlers with priority %d", servers, PriorityFallback)
+	log.Infof("registering original nameservers %v as upstream handlers with priority %d", originalNameservers, PriorityFallback)
 	handler, err := newUpstreamResolver(
 		s.ctx,
@@ -808,6 +797,11 @@ func (s *DefaultServer) registerFallback() {
 		return
 	}
 	handler.selectedRoutes = s.selectedRoutes
 	var servers []netip.AddrPort
 	for _, ns := range originalNameservers {
 		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
 	}
 	handler.addRace(servers)
 	prev := s.fallbackHandler
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -22,6 +22,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/protobuf/proto"
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
@@ -53,8 +54,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/syncstore"
 	"github.com/netbirdio/netbird/client/internal/updater"
 	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
@@ -71,7 +72,6 @@ import (
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/util/capture"
 	"github.com/netbirdio/netbird/version"
 )
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -148,10 +148,6 @@ type EngineConfig struct {
 	LogPath string
 	TempDir string
 	// StateDir is the directory holding the state file. The sync response
 	// (network map) is serialized here on platforms that persist it to disk.
 	StateDir string
 }
 // EngineServices holds the external service dependencies required by the Engine.
@@ -230,16 +226,11 @@ type Engine struct {
 	afpacketCapture *capture.AFPacketCapture
-	// Sync response persistence (protected by syncRespMux).
+	// Sync response persistence (protected by syncRespMux)
-	// syncStore is nil unless persistence has been enabled; its presence is
+	syncRespMux         sync.RWMutex
-	// what marks persistence as active. The backend (disk or memory) is
+	persistSyncResponse bool
-	// selected per-platform; see the syncstore package. syncStoreDir is where
+	latestSyncResponse  *mgmProto.SyncResponse
-	// a disk-backed store serializes to.
+	flowManager         nftypes.FlowManager
 	syncRespMux  sync.RWMutex
 	syncStore    syncstore.Store
 	syncStoreDir string
 	flowManager nftypes.FlowManager
 	// auto-update
 	updateManager *updater.Manager
@@ -301,7 +292,6 @@ func NewEngine(
 		jobExecutor:        jobexec.NewExecutor(),
 		clientMetrics:      services.ClientMetrics,
 		updateManager:      services.UpdateManager,
 		syncStoreDir:       config.StateDir,
 	}
 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
@@ -530,10 +520,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		return fmt.Errorf("create wg interface: %w", err)
 	}
 	if filteredDevice := e.wgInterface.GetDevice(); filteredDevice != nil {
 		filteredDevice.SetPanicHandler(e.triggerClientRestart)
 	}
 	if err := e.createFirewall(); err != nil {
 		e.close()
 		return err
@@ -883,25 +869,63 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		e.handleAutoUpdateVersion(update.NetworkMap.PeerConfig.AutoUpdate)
 	}
-	if err := e.updateNetbirdConfig(update.GetNetbirdConfig()); err != nil {
+	if update.GetNetbirdConfig() != nil {
-		return err
+		wCfg := update.GetNetbirdConfig()
-	}
+		err := e.updateTURNs(wCfg.GetTurns())
 		if err != nil {
 			return fmt.Errorf("update TURNs: %w", err)
 		}
-	// Posture checks are bound to the network map presence:
+		err = e.updateSTUNs(wCfg.GetStuns())
-	//   NetworkMap != nil, checks present -> apply the received checks
+		if err != nil {
-	//   NetworkMap != nil, checks nil     -> posture checks were removed, clear them
+			return fmt.Errorf("update STUNs: %w", err)
-	//   NetworkMap == nil                 -> config-only update (e.g. relay token rotation),
+		}
-	//                                        leave the previously applied checks untouched
+
-	nm := update.GetNetworkMap()
+		var stunTurn []*stun.URI
-	if nm == nil {
+		stunTurn = append(stunTurn, e.STUNs...)
-		return nil
+		stunTurn = append(stunTurn, e.TURNs...)
 		e.stunTurn.Store(stunTurn)
 		err = e.handleRelayUpdate(wCfg.GetRelay())
 		if err != nil {
 			return err
 		}
 		err = e.handleFlowUpdate(wCfg.GetFlow())
 		if err != nil {
 			return fmt.Errorf("handle the flow configuration: %w", err)
 		}
 		if err := e.PopulateNetbirdConfig(wCfg, nil); err != nil {
 			log.Warnf("Failed to update DNS server config: %v", err)
 		}
 		// todo update signal
 	}
 	if err := e.updateChecksIfNew(update.Checks); err != nil {
 		return err
 	}
-	e.persistSyncResponse(update)
+	nm := update.GetNetworkMap()
 	if nm == nil {
 		return nil
 	}
 	// Persist sync response under the dedicated lock (syncRespMux), not under syncMsgMux.
 	// Read the storage-enabled flag under the syncRespMux too.
 	e.syncRespMux.RLock()
 	enabled := e.persistSyncResponse
 	e.syncRespMux.RUnlock()
 	// Store sync response if persistence is enabled
 	if enabled {
 		e.syncRespMux.Lock()
 		e.latestSyncResponse = update
 		e.syncRespMux.Unlock()
 		log.Debugf("sync response persisted with serial %d", nm.GetSerial())
 	}
 	// only apply new changes and ignore old ones
 	if err := e.updateNetworkMap(nm); err != nil {
@@ -913,64 +937,6 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	return nil
 }
 // updateNetbirdConfig applies the management-provided NetBird configuration:
 // STUN/TURN and relay servers, flow logging and DNS settings. A nil config is a no-op,
 // which is the case for sync updates carrying only a network map.
 func (e *Engine) updateNetbirdConfig(wCfg *mgmProto.NetbirdConfig) error {
 	if wCfg == nil {
 		return nil
 	}
 	if err := e.updateTURNs(wCfg.GetTurns()); err != nil {
 		return fmt.Errorf("update TURNs: %w", err)
 	}
 	if err := e.updateSTUNs(wCfg.GetStuns()); err != nil {
 		return fmt.Errorf("update STUNs: %w", err)
 	}
 	var stunTurn []*stun.URI
 	stunTurn = append(stunTurn, e.STUNs...)
 	stunTurn = append(stunTurn, e.TURNs...)
 	e.stunTurn.Store(stunTurn)
 	if err := e.handleRelayUpdate(wCfg.GetRelay()); err != nil {
 		return err
 	}
 	if err := e.handleFlowUpdate(wCfg.GetFlow()); err != nil {
 		return fmt.Errorf("handle the flow configuration: %w", err)
 	}
 	if err := e.PopulateNetbirdConfig(wCfg, nil); err != nil {
 		log.Warnf("Failed to update DNS server config: %v", err)
 	}
 	// todo update signal
 	return nil
 }
 // persistSyncResponse stores the full sync response so it can be restored on the next
 // startup. Persistence is enabled only when syncStore is set. The dedicated syncRespMux
 // (not syncMsgMux) is held for the whole Set so the store cannot be cleared (disabled /
 // engine close) mid-call and have this write resurrect a file that was just removed.
 func (e *Engine) persistSyncResponse(update *mgmProto.SyncResponse) {
 	e.syncRespMux.RLock()
 	defer e.syncRespMux.RUnlock()
 	if e.syncStore == nil {
 		return
 	}
 	if err := e.syncStore.Set(update); err != nil {
 		log.Errorf("failed to persist sync response: %v", err)
 		return
 	}
 	log.Debugf("sync response persisted with serial %d", update.GetNetworkMap().GetSerial())
 }
 func (e *Engine) handleRelayUpdate(update *mgmProto.RelayConfig) error {
 	if update != nil {
 		// when we receive token we expect valid address list too
@@ -1097,7 +1063,6 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	state.PubKey = e.config.WgPrivateKey.PublicKey().String()
 	state.KernelInterface = !e.wgInterface.IsUserspaceBind()
 	state.FQDN = conf.GetFqdn()
 	state.WgPort = e.config.WgPort
 	e.statusRecorder.UpdateLocalPeerState(state)
@@ -1176,7 +1141,6 @@ func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobR
 		LogPath:        e.config.LogPath,
 		TempDir:        e.config.TempDir,
 		ClientMetrics:  e.clientMetrics,
 		DaemonVersion:  version.NetbirdVersion(),
 		RefreshStatus: func() {
 			e.RunHealthProbes(true)
 		},
@@ -1714,13 +1678,6 @@ func (e *Engine) receiveSignalEvents() {
 				return e.ctx.Err()
 			}
 			// Self-addressed heartbeat: the signal client's receive watchdog
 			// round-trips this through the server to confirm the receive stream
 			// is delivering. Liveness is already recorded before this handler.
 			if msg.GetBody().GetType() == sProto.Body_HEARTBEAT {
 				return nil
 			}
 			conn, ok := e.peerStore.PeerConn(msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
@@ -1856,18 +1813,6 @@ func (e *Engine) close() {
 	if err := e.portForwardManager.GracefullyStop(ctx); err != nil {
 		log.Warnf("failed to gracefully stop port forwarding manager: %s", err)
 	}
 	// Drop any persisted sync response so its network map does not linger on
 	// disk after the engine stops (and cannot leak into a later run).
 	e.syncRespMux.Lock()
 	store := e.syncStore
 	e.syncStore = nil
 	e.syncRespMux.Unlock()
 	if store != nil {
 		if err := store.Clear(); err != nil {
 			log.Warnf("failed to clear persisted sync response on close: %v", err)
 		}
 	}
 }
 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, error) {
@@ -1919,6 +1864,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		WGPrivKey:    e.config.WgPrivateKey.String(),
 		MTU:          e.config.MTU,
 		TransportNet: transportNet,
 		FilterFn:     e.addrViaRoutes,
 		DisableDNS:   e.config.DisableDNS,
 	}
@@ -2166,6 +2112,21 @@ func (e *Engine) startNetworkMonitor() {
 	}()
 }
 func (e *Engine) addrViaRoutes(addr netip.Addr) (bool, netip.Prefix, error) {
 	var vpnRoutes []netip.Prefix
 	for _, routes := range e.routeManager.GetClientRoutes() {
 		if len(routes) > 0 && routes[0] != nil {
 			vpnRoutes = append(vpnRoutes, routes[0].Network)
 		}
 	}
 	if isVpn, prefix := systemops.IsAddrRouted(addr, vpnRoutes); isVpn {
 		return true, prefix, nil
 	}
 	return false, netip.Prefix{}, nil
 }
 func (e *Engine) stopDNSServer() {
 	if e.dnsServer == nil {
 		return
@@ -2181,42 +2142,45 @@ func (e *Engine) stopDNSServer() {
 	e.statusRecorder.UpdateDNSStates(nsGroupStates)
 }
-// SetSyncResponsePersistence enables or disables sync response persistence.
+// SetSyncResponsePersistence enables or disables sync response persistence
 // The store is only instantiated while persistence is enabled; construction
 // itself drops any stale data left over from an earlier run (see syncstore).
 func (e *Engine) SetSyncResponsePersistence(enabled bool) {
 	e.syncRespMux.Lock()
 	defer e.syncRespMux.Unlock()
-	if enabled == (e.syncStore != nil) {
+	if enabled == e.persistSyncResponse {
 		return
 	}
 	e.persistSyncResponse = enabled
 	log.Debugf("Sync response persistence is set to %t", enabled)
 	if !enabled {
-		if err := e.syncStore.Clear(); err != nil {
+		e.latestSyncResponse = nil
 			log.Warnf("failed to clear persisted sync response: %v", err)
 		}
 		e.syncStore = nil
 		return
 	}
 	e.syncStore = syncstore.New(e.syncStoreDir)
 }
 // GetLatestSyncResponse returns the stored sync response if persistence is enabled
 func (e *Engine) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
 	// Hold the lock for the whole Get so the store cannot be cleared
 	// (disabled / engine close) mid-call.
 	e.syncRespMux.RLock()
-	defer e.syncRespMux.RUnlock()
+	enabled := e.persistSyncResponse
 	latest := e.latestSyncResponse
 	e.syncRespMux.RUnlock()
-	if e.syncStore == nil {
+	if !enabled {
 		return nil, errors.New("sync response persistence is disabled")
 	}
-	//nolint:nilnil
+	if latest == nil {
-	return e.syncStore.Get()
+		//nolint:nilnil
 		return nil, nil
 	}
 	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(latest))
 	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
 	if !ok {
 		return nil, fmt.Errorf("failed to clone sync response")
 	}
 	return sr, nil
 }
 // GetWgAddr returns the wireguard address
@@ -2252,7 +2216,7 @@ func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
 ) {
-	if e.config.DisableServerRoutes || e.config.BlockInbound {
+	if e.config.DisableServerRoutes {
 		return
 	}
--- a/client/internal/lazyconn/support.go
+++ b/client/internal/lazyconn/support.go
@@ -4,8 +4,6 @@ import (
 	"strings"
 	"github.com/hashicorp/go-version"
 	nbversion "github.com/netbirdio/netbird/version"
 )
 var (
@@ -13,7 +11,7 @@ var (
 )
 func IsSupported(agentVersion string) bool {
-	if nbversion.IsDevelopmentVersion(agentVersion) {
+	if agentVersion == "development" {
 		return true
 	}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
 	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -900,7 +899,7 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	}
 	// Fallback to deterministic key if no NetBird PSK is configured
-	determKey, err := rosenpass.DeterministicSeedKey(conn.config.LocalKey, conn.config.Key)
+	determKey, err := conn.rosenpassDetermKey()
 	if err != nil {
 		conn.Log.Errorf("failed to generate Rosenpass initial key: %v", err)
 		return nil
@@ -909,6 +908,26 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	return determKey
 }
 // todo: move this logic into Rosenpass package
 func (conn *Conn) rosenpassDetermKey() (*wgtypes.Key, error) {
 	lk := []byte(conn.config.LocalKey)
 	rk := []byte(conn.config.Key) // remote key
 	var keyInput []byte
 	if string(lk) > string(rk) {
 		//nolint:gocritic
 		keyInput = append(lk[:16], rk[:16]...)
 	} else {
 		//nolint:gocritic
 		keyInput = append(rk[:16], lk[:16]...)
 	}
 	key, err := wgtypes.NewKey(keyInput)
 	if err != nil {
 		return nil, err
 	}
 	return &key, nil
 }
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }
--- a/client/internal/peer/conn_status.go
+++ b/client/internal/peer/conn_status.go
@@ -26,6 +26,7 @@ type connStatusInputs struct {
 	iceInProgress       bool // a negotiation is currently in flight
 }
 // ConnStatus describe the status of a peer's connection
 type ConnStatus int32
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -111,7 +111,6 @@ type LocalPeerState struct {
 	PubKey          string
 	KernelInterface bool
 	FQDN            string
 	WgPort          int
 	Routes          map[string]struct{}
 }
@@ -193,7 +192,6 @@ func (s *StatusChangeSubscription) Events() chan map[string]RouterState {
 type Status struct {
 	mux                   sync.RWMutex
 	peers                 map[string]State
 	ipToKey               map[string]string
 	changeNotify          map[string]map[string]*StatusChangeSubscription // map[peerID]map[subscriptionID]*StatusChangeSubscription
 	signalState           bool
 	signalError           error
@@ -232,7 +230,6 @@ type Status struct {
 func NewRecorder(mgmAddress string) *Status {
 	return &Status{
 		peers:                 make(map[string]State),
 		ipToKey:               make(map[string]string),
 		changeNotify:          make(map[string]map[string]*StatusChangeSubscription),
 		eventStreams:          make(map[string]chan *proto.SystemEvent),
 		eventQueue:            NewEventQueue(eventQueueSize),
@@ -284,12 +281,6 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string, ip string, ipv6 string)
 		Mux:        new(sync.RWMutex),
 	}
 	d.peerListChangedForNotification = true
 	if ipv6 != "" {
 		d.ipToKey[ipv6] = peerPubKey
 	}
 	if ip != "" {
 		d.ipToKey[ip] = peerPubKey
 	}
 	return nil
 }
@@ -319,22 +310,19 @@ func (d *Status) PeerByIP(ip string) (string, bool) {
 // PeerStateByIP returns the full peer State for the given tunnel IP.
 // Matches against either the IPv4 (State.IP) or IPv6 (State.IPv6) tunnel
-// address so dual-stack peers are reachable on either family. Only
+// address so dual-stack peers are reachable on either family. Returns the
-// active peers are matched; peers moved into the offline slice by
+// zero State and false when no peer matches or the input is empty.
 // ReplaceOfflinePeers are intentionally treated as unknown.
 func (d *Status) PeerStateByIP(ip string) (State, bool) {
 	if ip == "" {
 		return State{}, false
 	}
 	d.mux.RLock()
 	defer d.mux.RUnlock()
-	key, ok := d.ipToKey[ip]
+
-	if !ok {
+	for _, state := range d.peers {
-		return State{}, false
+		if (state.IP != "" && state.IP == ip) || (state.IPv6 != "" && state.IPv6 == ip) {
-	}
+			return state, true
-	state, ok := d.peers[key]
+		}
 	if ok {
 		return state, true
 	}
 	return State{}, false
 }
@@ -344,18 +332,12 @@ func (d *Status) RemovePeer(peerPubKey string) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()
-	p, ok := d.peers[peerPubKey]
+	_, ok := d.peers[peerPubKey]
 	if !ok {
 		return errors.New("no peer with to remove")
 	}
 	delete(d.peers, peerPubKey)
 	if mappedKey, exists := d.ipToKey[p.IP]; exists && mappedKey == peerPubKey {
 		delete(d.ipToKey, p.IP)
 	}
 	if mappedKey, exists := d.ipToKey[p.IPv6]; exists && mappedKey == peerPubKey {
 		delete(d.ipToKey, p.IPv6)
 	}
 	d.peerListChangedForNotification = true
 	return nil
 }
@@ -1024,17 +1006,14 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 		return d.relayStates
 	}
-	// extend the list of stun, turn servers with the relay server connections
+	// extend the list of stun, turn servers with relay address
 	relayStates := slices.Clone(d.relayStates)
-	states := d.relayMgr.RelayStates()
+	// if the server connection is not established then we will use the general address
-	if len(states) == 0 {
+	// in case of connection we will use the instance specific address
-		// no relay connection tracked yet; surface configured servers as
+	instanceAddr, _, err := d.relayMgr.RelayInstanceAddress()
-		// unavailable with the real reconnect error when known
+	if err != nil {
-		err := relayClient.ErrRelayClientNotConnected
+		// TODO add their status
 		if connErr := d.relayMgr.RelayConnectError(); connErr != nil {
 			err = connErr
 		}
 		for _, r := range d.relayMgr.ServerURLs() {
 			relayStates = append(relayStates, relay.ProbeResult{
 				URI: r,
@@ -1044,14 +1023,10 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 		return relayStates
 	}
-	for _, rs := range states {
+	relayState := relay.ProbeResult{
-		relayStates = append(relayStates, relay.ProbeResult{
+		URI: instanceAddr,
 			URI:       rs.URL,
 			Err:       rs.Err,
 			Transport: rs.Transport,
 		})
 	}
-	return relayStates
+	return append(relayStates, relayState)
 }
 func (d *Status) ForwardingRules() []firewall.ForwardRule {
@@ -1373,7 +1348,6 @@ func (fs FullStatus) ToProto() *proto.FullStatus {
 	pbFullStatus.LocalPeerState.PubKey = fs.LocalPeerState.PubKey
 	pbFullStatus.LocalPeerState.KernelInterface = fs.LocalPeerState.KernelInterface
 	pbFullStatus.LocalPeerState.Fqdn = fs.LocalPeerState.FQDN
 	pbFullStatus.LocalPeerState.WgPort = int32(fs.LocalPeerState.WgPort)
 	pbFullStatus.LocalPeerState.RosenpassPermissive = fs.RosenpassState.Permissive
 	pbFullStatus.LocalPeerState.RosenpassEnabled = fs.RosenpassState.Enabled
 	pbFullStatus.NumberOfForwardingRules = int32(fs.NumOfForwardingRules)
@@ -1412,7 +1386,6 @@ func (fs FullStatus) ToProto() *proto.FullStatus {
 		pbRelayState := &proto.RelayState{
 			URI:       relayState.URI,
 			Available: relayState.Err == nil,
 			Transport: relayState.Transport,
 		}
 		if err := relayState.Err; err != nil {
 			pbRelayState.Error = err.Error()
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -90,45 +90,6 @@ func TestStatus_PeerStateByIP_MatchesIPv6(t *testing.T) {
 	req.Equal("pk-1", state.PubKey, "matching state must carry the right pub key")
 }
 // TestStatus_PeerStateByIP_IgnoresOfflinePeers documents that peers
 // moved into the offline slice via ReplaceOfflinePeers are intentionally
 // not resolvable by IP: only active peers can carry traffic, so callers
 // (DNS filter, embed.Client.IdentityForIP) treat them as unknown.
 func TestStatus_PeerStateByIP_IgnoresOfflinePeers(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	req := require.New(t)
 	status.ReplaceOfflinePeers([]State{
 		{PubKey: "pk-offline", FQDN: "offline.netbird", IP: "100.64.0.20", IPv6: "fd00::20"},
 	})
 	_, ok := status.PeerStateByIP("100.64.0.20")
 	req.False(ok, "offline peer must not resolve by IPv4 tunnel address")
 	_, ok = status.PeerStateByIP("fd00::20")
 	req.False(ok, "offline peer must not resolve by IPv6 tunnel address")
 }
 // TestStatus_PeerStateByIP_RemovedPeer verifies RemovePeer drops the
 // IP index entries for both address families.
 func TestStatus_PeerStateByIP_RemovedPeer(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	req := require.New(t)
 	req.NoError(status.AddPeer("pk-1", "peer-1.netbird", "100.64.0.10", "fd00::1"))
 	_, ok := status.PeerStateByIP("100.64.0.10")
 	req.True(ok, "active peer must resolve before removal")
 	req.NoError(status.RemovePeer("pk-1"))
 	_, ok = status.PeerStateByIP("100.64.0.10")
 	req.False(ok, "removed peer must not resolve by IPv4 tunnel address")
 	_, ok = status.PeerStateByIP("fd00::1")
 	req.False(ok, "removed peer must not resolve by IPv6 tunnel address")
 }
 func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	key := "abc"
 	fqdn := "peer-a.netbird.local"
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"strconv"
 	"sync"
 	"time"
@@ -164,6 +165,10 @@ func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HA
 		return
 	}
 	if candidateViaRoutes(candidate, haRoutes) {
 		return
 	}
 	if err := w.agent.AddRemoteCandidate(candidate); err != nil {
 		w.log.Errorf("error while handling remote candidate")
 		return
@@ -584,6 +589,34 @@ func extraSrflxCandidate(candidate ice.Candidate) (*ice.CandidateServerReflexive
 	return ec, nil
 }
 func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {
 	addr, err := netip.ParseAddr(candidate.Address())
 	if err != nil {
 		log.Errorf("Failed to parse IP address %s: %v", candidate.Address(), err)
 		return false
 	}
 	var routePrefixes []netip.Prefix
 	for _, routes := range clientRoutes {
 		if len(routes) > 0 && routes[0] != nil {
 			routePrefixes = append(routePrefixes, routes[0].Network)
 		}
 	}
 	for _, prefix := range routePrefixes {
 		// default route is handled by route exclusion / ip rules
 		if prefix.Bits() == 0 {
 			continue
 		}
 		if prefix.Contains(addr) {
 			log.Debugf("Ignoring candidate [%s], its address is part of routed network %s", candidate.String(), prefix)
 			return true
 		}
 	}
 	return false
 }
 func isRelayCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay
 }
--- a/client/internal/portforward/pcp/nat.go
+++ b/client/internal/portforward/pcp/nat.go
@@ -179,10 +179,8 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 	}
 	dst := net.IPv4zero
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+	if runtime.GOOS == "linux" {
-		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux/Android.
+		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
 		// TODO: on android/ios, use platform APIs (ConnectivityManager.getLinkProperties /
 		// NWPathMonitor) when netlink-based lookup is restricted or unavailable.
 		dst = net.IPv4(0, 0, 0, 1)
 	}
 	_, gateway, localIP, err = router.Route(dst)
@@ -205,7 +203,7 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 	}
 	dst := net.IPv6zero
-	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+	if runtime.GOOS == "linux" {
 		// ::2
 		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
 	}
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -22,7 +22,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/client/mdm"
 	"github.com/netbirdio/netbird/client/ssh"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/domain"
@@ -58,10 +57,6 @@ var DefaultInterfaceBlacklist = []string{
 	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
 }
 // loadMDMPolicy is the package-level indirection used by apply() to read the
 // active MDM policy. Tests override this to inject a fake policy.
 var loadMDMPolicy = mdm.LoadPolicy
 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
 	ManagementURL                 string
@@ -179,23 +174,6 @@ type Config struct {
 	LazyConnectionEnabled bool
 	MTU uint16
 	// policy is the MDM policy that produced the currently-set values for
 	// any MDM-enforced fields. Set by applyMDMPolicy at the tail of apply()
 	// and reset on every apply() invocation. Never persisted to disk.
 	// Callers query enforcement state via Policy() and the mdm.Policy API
 	// (HasKey, ManagedKeys, IsEmpty).
 	policy *mdm.Policy `json:"-"`
 }
 // Policy returns the MDM policy applied to this Config. Returns a non-nil
 // empty Policy when MDM enforcement is inactive; callers can always invoke
 // HasKey / ManagedKeys / IsEmpty without a nil check.
 func (config *Config) Policy() *mdm.Policy {
 	if config == nil || config.policy == nil {
 		return mdm.NewPolicy(nil)
 	}
 	return config.policy
 }
 var ConfigDirOverride string
@@ -634,93 +612,10 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 	// MDM is the last override layer: any key present in the policy
 	// supersedes defaults, on-disk config, env vars and CLI input.
 	config.applyMDMPolicy(loadMDMPolicy())
 	return updated, nil
 }
-// applyMDMPolicy overlays MDM-supplied values on top of the resolved Config.
+// parseURL parses and validates a service URL
 // The provided Policy is also stored on the Config so callers can later query
 // which fields are enforced. Invalid values (e.g. malformed URLs) are logged
 // and skipped to avoid bricking the client; the field keeps its previous
 // resolved value but is still marked as managed (Policy.HasKey returns true
 // for the key, so per-field rejection of user writes still applies).
 func (config *Config) applyMDMPolicy(policy *mdm.Policy) {
 	config.policy = policy
 	if policy.IsEmpty() {
 		return
 	}
 	// Helper: log the application of a single MDM-managed key. Values for
 	// keys in mdm.SecretKeys are redacted.
 	logApplied := func(key string, displayValue any) {
 		if _, secret := mdm.SecretKeys[key]; secret {
 			log.Infof("MDM override %s = ********** (secret)", key)
 			return
 		}
 		log.Infof("MDM override %s = %v", key, displayValue)
 	}
 	if v, ok := policy.GetString(mdm.KeyManagementURL); ok {
 		if u, err := parseURL("Management URL", v); err != nil {
 			log.Warnf("MDM management URL %q invalid: %v; keeping previous value", v, err)
 		} else {
 			config.ManagementURL = u
 			logApplied(mdm.KeyManagementURL, u.String())
 		}
 	}
 	if v, ok := policy.GetString(mdm.KeyPreSharedKey); ok {
 		// Defensive: refuse the redaction mask in case it round-tripped
 		// through a manifest by mistake.
 		if !isPreSharedKeyHidden(&v) {
 			config.PreSharedKey = v
 			logApplied(mdm.KeyPreSharedKey, "")
 		}
 	}
 	// applyBool collapses the per-key "read + set + log" boilerplate
 	// for every plain bool MDM key into a single helper. Keeps the
 	// outer function's cognitive complexity below SonarCube's
 	// threshold; functional behaviour is identical to the inlined
 	// branches it replaces.
 	applyBool := func(key string, setter func(bool)) {
 		v, ok := policy.GetBool(key)
 		if !ok {
 			return
 		}
 		setter(v)
 		logApplied(key, v)
 	}
 	applyBool(mdm.KeyAllowServerSSH, func(v bool) { bv := v; config.ServerSSHAllowed = &bv })
 	applyBool(mdm.KeyDisableClientRoutes, func(v bool) { config.DisableClientRoutes = v })
 	applyBool(mdm.KeyDisableServerRoutes, func(v bool) { config.DisableServerRoutes = v })
 	applyBool(mdm.KeyBlockInbound, func(v bool) { config.BlockInbound = v })
 	applyBool(mdm.KeyDisableAutoConnect, func(v bool) { config.DisableAutoConnect = v })
 	applyBool(mdm.KeyRosenpassEnabled, func(v bool) { config.RosenpassEnabled = v })
 	applyBool(mdm.KeyRosenpassPermissive, func(v bool) { config.RosenpassPermissive = v })
 	if v, ok := policy.GetInt(mdm.KeyWireguardPort); ok {
 		// REG_DWORD is 32-bit; UDP port range is 1-65535. Clamp at the
 		// upper bound and reject obviously-invalid values to avoid the
 		// engine binding to an unusable port if the admin pushes garbage.
 		if v >= 1 && v <= 65535 {
 			config.WgPort = int(v)
 			logApplied(mdm.KeyWireguardPort, v)
 		} else {
 			log.Warnf("MDM wireguard port %d out of range [1,65535]; keeping previous value", v)
 		}
 	}
 }
 // parseURL parses and validates the URL for the named service. The URL
 // must use the http or https scheme; if no port is present, ":443" is
 // appended for https or ":80" for http. The serviceName parameter is
 // used to contextualise error messages. On success returns the parsed
 // *url.URL; on failure returns a non-nil error.
 func parseURL(serviceName, serviceURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)
 	if err != nil {
--- a/client/internal/profilemanager/config_mdm_test.go
+++ b/client/internal/profilemanager/config_mdm_test.go
@@ -1,152 +0,0 @@
 package profilemanager
 import (
 	"path/filepath"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/mdm"
 )
 // withMDMPolicy temporarily overrides the package-level loadMDMPolicy hook so
 // apply() observes the supplied Policy. The original loader is restored at
 // test cleanup.
 func withMDMPolicy(t *testing.T, policy *mdm.Policy) {
 	t.Helper()
 	prev := loadMDMPolicy
 	loadMDMPolicy = func() *mdm.Policy { return policy }
 	t.Cleanup(func() { loadMDMPolicy = prev })
 }
 func TestApply_MDMEmpty_NoEnforcement(t *testing.T) {
 	withMDMPolicy(t, mdm.NewPolicy(nil))
 	cfg, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
 	})
 	require.NoError(t, err)
 	require.NotNil(t, cfg)
 	assert.True(t, cfg.Policy().IsEmpty(), "no MDM source ⇒ empty Policy")
 	assert.False(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
 	assert.Empty(t, cfg.Policy().ManagedKeys())
 	// Default management URL still resolves.
 	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
 }
 func TestApply_MDMOnly_OverridesDefaults(t *testing.T) {
 	const mdmURL = "https://corp.mdm.example.com:443"
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
 		mdm.KeyManagementURL:       mdmURL,
 		mdm.KeyDisableClientRoutes: true,
 		mdm.KeyBlockInbound:        true,
 	}))
 	cfg, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
 	})
 	require.NoError(t, err)
 	require.NotNil(t, cfg)
 	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
 	assert.True(t, cfg.DisableClientRoutes)
 	assert.True(t, cfg.BlockInbound)
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyBlockInbound))
 	assert.False(t, cfg.Policy().HasKey(mdm.KeyAllowServerSSH))
 }
 func TestApply_MDMBeatsCLIInput(t *testing.T) {
 	const mdmURL = "https://mdm.example.com:443"
 	const cliURL = "https://cli.example.com:443"
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
 		mdm.KeyManagementURL: mdmURL,
 	}))
 	cfg, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath:    filepath.Join(t.TempDir(), "config.json"),
 		ManagementURL: cliURL,
 	})
 	require.NoError(t, err)
 	require.NotNil(t, cfg)
 	// MDM wins over CLI-supplied management URL.
 	assert.Equal(t, mdmURL, cfg.ManagementURL.String())
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
 }
 func TestApply_MDMInvalidURL_KeepsPreviousValue(t *testing.T) {
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
 		mdm.KeyManagementURL: "not-a-url",
 	}))
 	cfg, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
 	})
 	require.NoError(t, err)
 	require.NotNil(t, cfg)
 	// Invalid MDM URL is logged and skipped: default URL stays in place
 	// to keep the client functional.
 	assert.Equal(t, DefaultManagementURL, cfg.ManagementURL.String())
 	// But the key is still considered MDM-managed (admin intent is to
 	// enforce, daemon rejects user writes to this field — phase-1 scaffolding
 	// reflects this by keeping Policy.HasKey true even on parse failure).
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyManagementURL))
 }
 func TestApply_MDMBoolKeysOverrideOnDiskValue(t *testing.T) {
 	tmp := filepath.Join(t.TempDir(), "config.json")
 	// Seed without MDM.
 	withMDMPolicy(t, mdm.NewPolicy(nil))
 	_, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath:          tmp,
 		DisableClientRoutes: boolPtr(false),
 		RosenpassEnabled:    boolPtr(false),
 	})
 	require.NoError(t, err)
 	// Now enable MDM enforcement for these keys.
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
 		mdm.KeyDisableClientRoutes: true,
 		mdm.KeyRosenpassEnabled:    true,
 	}))
 	cfg, err := UpdateOrCreateConfig(ConfigInput{ConfigPath: tmp})
 	require.NoError(t, err)
 	require.NotNil(t, cfg)
 	assert.True(t, cfg.DisableClientRoutes, "MDM override should flip on-disk false to true")
 	assert.True(t, cfg.RosenpassEnabled)
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyDisableClientRoutes))
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyRosenpassEnabled))
 }
 func TestApply_MDMPreSharedKeyRedactionSentinelRejected(t *testing.T) {
 	const maskSentinel = "**********"
 	withMDMPolicy(t, mdm.NewPolicy(map[string]any{
 		mdm.KeyPreSharedKey: maskSentinel,
 	}))
 	cfg, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
 	})
 	require.NoError(t, err)
 	require.NotNil(t, cfg)
 	// Mask sentinel must not be persisted as the actual PSK.
 	assert.NotEqual(t, maskSentinel, cfg.PreSharedKey)
 	// Key still marked managed so user writes are still rejected.
 	assert.True(t, cfg.Policy().HasKey(mdm.KeyPreSharedKey))
 }
 func boolPtr(b bool) *bool { return &b }
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -32,9 +32,6 @@ type ProbeResult struct {
 	URI  string
 	Err  error
 	Addr string
 	// Transport is the negotiated relay transport, empty
 	// for stun/turn probes or when not connected.
 	Transport string
 }
 type StunTurnProbe struct {
--- a/client/internal/rosenpass/manager.go
+++ b/client/internal/rosenpass/manager.go
@@ -28,15 +28,6 @@ func hashRosenpassKey(key []byte) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }
 // rpServer is the subset of rp.Server used by Manager. Defined as an interface
 // so tests can substitute a mock without spinning up a real UDP server.
 type rpServer interface {
 	AddPeer(rp.PeerConfig) (rp.PeerID, error)
 	RemovePeer(rp.PeerID) error
 	Run() error
 	Close() error
 }
 type Manager struct {
 	ifaceName    string
 	spk          []byte
@@ -45,7 +36,7 @@ type Manager struct {
 	preSharedKey *[32]byte
 	rpPeerIDs    map[string]*rp.PeerID
 	rpWgHandler  *NetbirdHandler
-	server       rpServer
+	server       *rp.Server
 	lock         sync.Mutex
 	port         int
 	wgIface      PresharedKeySetter
@@ -60,22 +51,7 @@ func NewManager(preSharedKey *wgtypes.Key, wgIfaceName string) (*Manager, error)
 	rpKeyHash := hashRosenpassKey(public)
 	log.Tracef("generated new rosenpass key pair with public key %s", rpKeyHash)
-	return &Manager{
+	return &Manager{ifaceName: wgIfaceName, rpKeyHash: rpKeyHash, spk: public, ssk: secret, preSharedKey: (*[32]byte)(preSharedKey), rpPeerIDs: make(map[string]*rp.PeerID), lock: sync.Mutex{}}, nil
 		ifaceName:    wgIfaceName,
 		rpKeyHash:    rpKeyHash,
 		spk:          public,
 		ssk:          secret,
 		preSharedKey: (*[32]byte)(preSharedKey),
 		rpPeerIDs:    make(map[string]*rp.PeerID),
 		// rpWgHandler is created here (instead of only in generateConfig) so it
 		// is never nil between NewManager and Run(). Otherwise an early
 		// OnConnected call (race observed on Android, issue #4341) panics on
 		// nil receiver in addPeer -> m.rpWgHandler.AddPeer. generateConfig will
 		// replace it with a fresh handler on each Run() to clear stale peer
 		// state from previous engine sessions.
 		rpWgHandler: NewNetbirdHandler(),
 		lock:        sync.Mutex{},
 	}, nil
 }
 func (m *Manager) GetPubKey() []byte {
@@ -89,16 +65,6 @@ func (m *Manager) GetAddress() *net.UDPAddr {
 // addPeer adds a new peer to the Rosenpass server
 func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuardIP string, wireGuardPubKey string) error {
 	// Defense in depth against issue #4341 (Android crash): if Run() has not
 	// completed yet, m.server / m.rpWgHandler may be nil. Return an explicit
 	// error instead of panicking on nil-receiver dereference.
 	if m.server == nil {
 		return fmt.Errorf("rosenpass server not initialized")
 	}
 	if m.rpWgHandler == nil {
 		return fmt.Errorf("rosenpass wg handler not initialized")
 	}
 	var err error
 	pcfg := rp.PeerConfig{PublicKey: rosenpassPubKey}
 	if m.preSharedKey != nil {
@@ -113,16 +79,6 @@ func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuar
 		if pcfg.Endpoint, err = net.ResolveUDPAddr("udp", peerAddr); err != nil {
 			return fmt.Errorf("failed to resolve peer endpoint address: %w", err)
 		}
 		// Our local Rosenpass UDP server binds on the IPv6 wildcard ([::]) — see
 		// GetAddress(). The remote peer's endpoint (pcfg.Endpoint) is the destination
 		// our server will sendto when initiating handshakes. ResolveUDPAddr returns a
 		// 4-byte IPv4 for IPv4 hosts, which the kernel rejects (EDESTADDRREQ) when
 		// sent from an AF_INET6 socket. Normalize the remote endpoint to IPv4-mapped
 		// IPv6 so its address family matches our listening socket.
 		// TODO: maybe bind the Rosenpass UDP server to the peer wg IP addr
 		if v4 := pcfg.Endpoint.IP.To4(); v4 != nil {
 			pcfg.Endpoint.IP = v4.To16()
 		}
 	}
 	peerID, err := m.server.AddPeer(pcfg)
 	if err != nil {
@@ -226,31 +182,24 @@ func (m *Manager) Run() error {
 		return err
 	}
-	server, err := rp.NewUDPServer(conf)
+	m.server, err = rp.NewUDPServer(conf)
 	if err != nil {
 		return err
 	}
 	m.lock.Lock()
 	m.server = server
 	m.lock.Unlock()
 	log.Infof("starting rosenpass server on port %d", m.port)
-	return server.Run()
+	return m.server.Run()
 }
 // Close closes the Rosenpass server
 func (m *Manager) Close() error {
-	m.lock.Lock()
+	if m.server != nil {
-	server := m.server
+		err := m.server.Close()
-	m.server = nil
+		if err != nil {
-	m.lock.Unlock()
+			log.Errorf("failed closing local rosenpass server")
-	if server == nil {
+		}
-		return nil
+		m.server = nil
 	}
 	if err := server.Close(); err != nil {
 		log.Errorf("failed closing local rosenpass server: %v", err)
 	}
 	return nil
 }
--- a/client/internal/rosenpass/manager_test.go
+++ b/client/internal/rosenpass/manager_test.go
@@ -1,412 +1,14 @@
 package rosenpass
 import (
 	"errors"
 	"os"
 	"sync"
 	"testing"
 	rp "cunicu.li/go-rosenpass"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 // --- test doubles -----------------------------------------------------------
 type addPeerCall struct {
 	cfg rp.PeerConfig
 }
 type removePeerCall struct {
 	id rp.PeerID
 }
 type mockServer struct {
 	mu        sync.Mutex
 	addCalls  []addPeerCall
 	removed   []removePeerCall
 	nextID    rp.PeerID
 	addErr    error
 	removeErr error
 	closed    bool
 	ran       bool
 }
 func (m *mockServer) AddPeer(cfg rp.PeerConfig) (rp.PeerID, error) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.addCalls = append(m.addCalls, addPeerCall{cfg: cfg})
 	if m.addErr != nil {
 		return rp.PeerID{}, m.addErr
 	}
 	// Increment a byte in nextID so distinct peers get distinct IDs.
 	m.nextID[0]++
 	return m.nextID, nil
 }
 func (m *mockServer) RemovePeer(id rp.PeerID) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.removed = append(m.removed, removePeerCall{id: id})
 	return m.removeErr
 }
 func (m *mockServer) Run() error   { m.ran = true; return nil }
 func (m *mockServer) Close() error { m.closed = true; return nil }
 type setPSKCall struct {
 	peerKey    string
 	psk        wgtypes.Key
 	updateOnly bool
 }
 type mockIface struct {
 	mu    sync.Mutex
 	calls []setPSKCall
 	err   error
 }
 func (m *mockIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 	m.calls = append(m.calls, setPSKCall{peerKey: peerKey, psk: psk, updateOnly: updateOnly})
 	return m.err
 }
 // newTestManager builds a Manager with deterministic spk so tie-break
 // against a peer pubkey is controllable from tests. The provided spk byte
 // becomes the first byte; remaining bytes are zero.
 func newTestManager(spkFirstByte byte, mock *mockServer) *Manager {
 	spk := make([]byte, 32)
 	spk[0] = spkFirstByte
 	return &Manager{
 		ifaceName:   "wt0",
 		spk:         spk,
 		ssk:         make([]byte, 32),
 		rpKeyHash:   "test-hash",
 		rpPeerIDs:   make(map[string]*rp.PeerID),
 		rpWgHandler: NewNetbirdHandler(),
 		server:      mock,
 	}
 }
 // validWGKey returns a deterministic 32-byte wireguard public key (base64).
 func validWGKey(t *testing.T, lastByte byte) string {
 	t.Helper()
 	var k wgtypes.Key
 	k[31] = lastByte
 	return k.String()
 }
 // --- pure helpers ----------------------------------------------------------
 func TestHashRosenpassKey_Deterministic(t *testing.T) {
 	key := []byte("hello-rosenpass")
 	require.Equal(t, hashRosenpassKey(key), hashRosenpassKey(key))
 	require.Len(t, hashRosenpassKey(key), 64) // sha256 hex
 }
 func TestHashRosenpassKey_DifferentInputsDifferOutputs(t *testing.T) {
 	require.NotEqual(t, hashRosenpassKey([]byte("a")), hashRosenpassKey([]byte("b")))
 }
 func TestGetLogLevel_DefaultWhenUnset(t *testing.T) {
 	// Snapshot + unset to exercise the LookupEnv ok=false branch. t.Setenv
 	// can only set, not delete, so do it manually with restore via t.Cleanup.
 	prev, hadPrev := os.LookupEnv(defaultLogLevelVar)
 	require.NoError(t, os.Unsetenv(defaultLogLevelVar))
 	t.Cleanup(func() {
 		if hadPrev {
 			_ = os.Setenv(defaultLogLevelVar, prev)
 		} else {
 			_ = os.Unsetenv(defaultLogLevelVar)
 		}
 	})
 	require.Equal(t, defaultLog.String(), getLogLevel().String())
 }
 func TestGetLogLevel_Cases(t *testing.T) {
 	cases := map[string]string{
 		"debug":   "DEBUG",
 		"info":    "INFO",
 		"warn":    "WARN",
 		"error":   "ERROR",
 		"unknown": "INFO", // default fallback
 	}
 	for input, wantStr := range cases {
 		input, wantStr := input, wantStr
 		t.Run(input, func(t *testing.T) {
 			t.Setenv(defaultLogLevelVar, input)
 			require.Equal(t, wantStr, getLogLevel().String())
 		})
 	}
 }
 func TestFindRandomAvailableUDPPort(t *testing.T) {
 	port, err := findRandomAvailableUDPPort()
 	require.NoError(t, err)
 	require.Greater(t, port, 0)
 	require.LessOrEqual(t, port, 65535)
 }
 // --- addPeer ---------------------------------------------------------------
 func TestAddPeer_HigherLocalPubkey_SetsEndpoint(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv) // local spk lexicographically larger
 	remotePubKey := make([]byte, 32) // remote spk = all zeros (smaller)
 	err := m.addPeer(remotePubKey, "rosenpass-host:7000", "100.1.1.1", validWGKey(t, 1))
 	require.NoError(t, err)
 	require.Len(t, srv.addCalls, 1)
 	ep := srv.addCalls[0].cfg.Endpoint
 	require.NotNil(t, ep, "initiator side must set Endpoint")
 	require.Equal(t, 7000, ep.Port)
 	require.Equal(t, "100.1.1.1", ep.IP.String())
 }
 func TestAddPeer_HigherLocalPubkey_EndpointIPIsIPv4Mapped(t *testing.T) {
 	// Regression guard for the EDESTADDRREQ fix: Endpoint.IP must be 16-byte
 	// (IPv4-mapped IPv6) so it matches the AF_INET6 listening socket family.
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
 	require.NoError(t, err)
 	ep := srv.addCalls[0].cfg.Endpoint
 	require.NotNil(t, ep)
 	require.Len(t, ep.IP, 16, "IPv4 endpoint must be normalized to 16-byte v4-mapped form")
 	require.True(t, ep.IP.To4() != nil, "Endpoint must still be detected as IPv4")
 }
 func TestAddPeer_LowerLocalPubkey_LeavesEndpointNil(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0x00, srv) // local spk smaller
 	remotePubKey := make([]byte, 32)
 	remotePubKey[0] = 0xFF
 	err := m.addPeer(remotePubKey, "rp:5000", "100.1.1.1", validWGKey(t, 2))
 	require.NoError(t, err)
 	require.Nil(t, srv.addCalls[0].cfg.Endpoint, "responder side must NOT set Endpoint")
 }
 func TestAddPeer_PresharedKeyPropagated(t *testing.T) {
 	srv := &mockServer{}
 	psk := &wgtypes.Key{0x42}
 	m := newTestManager(0xFF, srv)
 	m.preSharedKey = (*[32]byte)(psk)
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 3))
 	require.NoError(t, err)
 	require.Equal(t, [32]byte(*psk), [32]byte(srv.addCalls[0].cfg.PresharedKey))
 }
 func TestAddPeer_InvalidRosenpassAddr_ReturnsError(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv) // initiator path → parses rosenpassAddr
 	err := m.addPeer(make([]byte, 32), "not-a-host-port", "100.1.1.1", validWGKey(t, 1))
 	require.Error(t, err)
 	require.Empty(t, srv.addCalls, "server.AddPeer must not run when address parse fails")
 }
 func TestAddPeer_InvalidWireGuardPubKey_ReturnsError(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", "not-a-valid-key")
 	require.Error(t, err)
 }
 func TestAddPeer_ServerError_Propagates(t *testing.T) {
 	srv := &mockServer{addErr: errors.New("boom")}
 	m := newTestManager(0xFF, srv)
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
 	require.Error(t, err)
 }
 // Regression guard for issue #4341 (Android crash). If Run() has not completed
 // before OnConnected fires, m.rpWgHandler or m.server may be nil. Without the
 // nil guards, m.rpWgHandler.AddPeer panics on nil receiver.
 func TestAddPeer_NilHandler_ReturnsErrorNoCrash(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	m.rpWgHandler = nil // simulate Run() not yet completed
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "wg handler not initialized")
 }
 func TestAddPeer_NilServer_ReturnsErrorNoCrash(t *testing.T) {
 	m := newTestManager(0xFF, nil)
 	m.server = nil // simulate Run() not yet completed
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "server not initialized")
 }
 // NewManager must pre-initialize rpWgHandler so the nil-receiver crash from
 // issue #4341 cannot occur in the window between NewManager and Run().
 func TestNewManager_PreInitializesHandler(t *testing.T) {
 	psk := wgtypes.Key{}
 	m, err := NewManager(&psk, "wt0")
 	require.NoError(t, err)
 	require.NotNil(t, m.rpWgHandler, "rpWgHandler must be initialized in NewManager")
 }
 func TestAddPeer_RecordsPeerID(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	wgKey := validWGKey(t, 5)
 	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey)
 	require.NoError(t, err)
 	require.Contains(t, m.rpPeerIDs, wgKey)
 }
 // --- OnConnected / OnDisconnected ------------------------------------------
 func TestOnConnected_NilRemotePubKey_NoAddPeer(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	m.OnConnected(validWGKey(t, 1), nil, "100.1.1.1", "rp:5000")
 	require.Empty(t, srv.addCalls, "nil remote rosenpass pubkey must skip AddPeer")
 	require.Empty(t, m.rpPeerIDs)
 }
 func TestOnConnected_ValidPubKey_CallsAddPeer(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	wgKey := validWGKey(t, 1)
 	m.OnConnected(wgKey, make([]byte, 32), "100.1.1.1", "rp:5000")
 	require.Len(t, srv.addCalls, 1)
 	require.Contains(t, m.rpPeerIDs, wgKey)
 }
 func TestOnDisconnected_UnknownPeer_NoOp(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	m.OnDisconnected(validWGKey(t, 99))
 	require.Empty(t, srv.removed, "unknown peer key must not call RemovePeer")
 }
 func TestOnDisconnected_KnownPeer_CallsRemoveAndForgets(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	wgKey := validWGKey(t, 1)
 	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
 	require.Contains(t, m.rpPeerIDs, wgKey)
 	m.OnDisconnected(wgKey)
 	require.Len(t, srv.removed, 1)
 	require.NotContains(t, m.rpPeerIDs, wgKey, "peer must be forgotten after disconnect")
 }
 // --- IsPresharedKeyInitialized ---------------------------------------------
 func TestIsPresharedKeyInitialized_UnknownPeer_ReturnsFalse(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	require.False(t, m.IsPresharedKeyInitialized(validWGKey(t, 1)))
 }
 func TestIsPresharedKeyInitialized_AddedButNotHandshaken_ReturnsFalse(t *testing.T) {
 	srv := &mockServer{}
 	m := newTestManager(0xFF, srv)
 	wgKey := validWGKey(t, 2)
 	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
 	require.False(t, m.IsPresharedKeyInitialized(wgKey))
 }
 // --- NetbirdHandler.outputKey ----------------------------------------------
 func TestHandler_OutputKey_FirstCallUsesUpdateOnlyFalse(t *testing.T) {
 	h := NewNetbirdHandler()
 	iface := &mockIface{}
 	h.SetInterface(iface)
 	pid := rp.PeerID{0x01}
 	wgKey := wgtypes.Key{0xAA}
 	h.AddPeer(pid, "wt0", rp.Key(wgKey))
 	psk := rp.Key{0xBB}
 	h.HandshakeCompleted(pid, psk)
 	require.Len(t, iface.calls, 1)
 	require.False(t, iface.calls[0].updateOnly, "first PSK rotation must use updateOnly=false")
 	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
 }
 func TestHandler_OutputKey_SubsequentCallsUseUpdateOnlyTrue(t *testing.T) {
 	h := NewNetbirdHandler()
 	iface := &mockIface{}
 	h.SetInterface(iface)
 	pid := rp.PeerID{0x02}
 	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xCC}))
 	h.HandshakeCompleted(pid, rp.Key{0x01}) // first
 	h.HandshakeCompleted(pid, rp.Key{0x02}) // second
 	require.Len(t, iface.calls, 2)
 	require.False(t, iface.calls[0].updateOnly)
 	require.True(t, iface.calls[1].updateOnly, "subsequent rotations must use updateOnly=true")
 }
 func TestHandler_OutputKey_NilInterface_NoCrashNoCall(t *testing.T) {
 	h := NewNetbirdHandler()
 	// no SetInterface — iface remains nil
 	pid := rp.PeerID{0x03}
 	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{}))
 	// Must not panic.
 	h.HandshakeCompleted(pid, rp.Key{})
 }
 func TestHandler_OutputKey_UnknownPeer_NoCall(t *testing.T) {
 	h := NewNetbirdHandler()
 	iface := &mockIface{}
 	h.SetInterface(iface)
 	h.HandshakeCompleted(rp.PeerID{0xFF}, rp.Key{})
 	require.Empty(t, iface.calls, "unknown peer id must not trigger SetPresharedKey")
 }
 func TestHandler_RemovePeer_ClearsInitializedState(t *testing.T) {
 	h := NewNetbirdHandler()
 	iface := &mockIface{}
 	h.SetInterface(iface)
 	pid := rp.PeerID{0x04}
 	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xDD}))
 	h.HandshakeCompleted(pid, rp.Key{0x01})
 	require.True(t, h.IsPeerInitialized(pid))
 	h.RemovePeer(pid)
 	require.False(t, h.IsPeerInitialized(pid), "RemovePeer must clear initialized flag")
 }
 func TestHandler_SetInterfaceAfterAddPeer_StillReceivesKey(t *testing.T) {
 	h := NewNetbirdHandler()
 	pid := rp.PeerID{0x05}
 	wgKey := wgtypes.Key{0xEE}
 	h.AddPeer(pid, "wt0", rp.Key(wgKey))
 	iface := &mockIface{}
 	h.SetInterface(iface) // set after AddPeer
 	h.HandshakeCompleted(pid, rp.Key{0x42})
 	require.Len(t, iface.calls, 1)
 	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
 }
--- a/client/internal/rosenpass/seed.go
+++ b/client/internal/rosenpass/seed.go
@@ -1,42 +0,0 @@
 package rosenpass
 import (
 	"fmt"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 // DeterministicSeedKey derives a 32-byte WireGuard preshared key from a pair
 // of peer public keys. Both peers, given the same key pair, produce the same
 // output regardless of which side runs the function: the inputs are ordered
 // lexicographically before concatenation.
 //
 // NetBird uses this value as the initial Rosenpass-side preshared key when no
 // explicit account-level PSK is configured, so both peers converge on the same
 // PSK before the first post-quantum handshake completes.
 //
 // The resulting key MUST NOT be treated as quantum-safe: it is deterministic
 // from public keys and exists only to seed WireGuard until Rosenpass rotates
 // in a real post-quantum PSK.
 func DeterministicSeedKey(localKey, remoteKey string) (*wgtypes.Key, error) {
 	lk := []byte(localKey)
 	rk := []byte(remoteKey)
 	if len(lk) < 16 || len(rk) < 16 {
 		return nil, fmt.Errorf("rosenpass: peer keys must be at least 16 bytes (got local=%d, remote=%d)", len(lk), len(rk))
 	}
 	var keyInput []byte
 	if localKey > remoteKey {
 		keyInput = append(keyInput, lk[:16]...)
 		keyInput = append(keyInput, rk[:16]...)
 	} else {
 		keyInput = append(keyInput, rk[:16]...)
 		keyInput = append(keyInput, lk[:16]...)
 	}
 	key, err := wgtypes.NewKey(keyInput)
 	if err != nil {
 		return nil, fmt.Errorf("rosenpass: deterministic seed key: %w", err)
 	}
 	return &key, nil
 }
--- a/client/internal/rosenpass/seed_test.go
+++ b/client/internal/rosenpass/seed_test.go
@@ -1,43 +0,0 @@
 package rosenpass
 import (
 	"strings"
 	"testing"
 	"github.com/stretchr/testify/require"
 )
 func TestDeterministicSeedKey_SameForBothSides(t *testing.T) {
 	// Peer A and peer B must derive the same PSK regardless of which side
 	// computes it: the function orders inputs internally.
 	a := strings.Repeat("a", 32)
 	b := strings.Repeat("b", 32)
 	keyAB, err := DeterministicSeedKey(a, b)
 	require.NoError(t, err)
 	keyBA, err := DeterministicSeedKey(b, a)
 	require.NoError(t, err)
 	require.Equal(t, keyAB.String(), keyBA.String(), "swapping arguments must yield identical key")
 }
 func TestDeterministicSeedKey_ChangesWithKeys(t *testing.T) {
 	a := strings.Repeat("a", 32)
 	b := strings.Repeat("b", 32)
 	c := strings.Repeat("c", 32)
 	keyAB, err := DeterministicSeedKey(a, b)
 	require.NoError(t, err)
 	keyAC, err := DeterministicSeedKey(a, c)
 	require.NoError(t, err)
 	require.NotEqual(t, keyAB.String(), keyAC.String(), "different peer pair must yield different key")
 }
 func TestDeterministicSeedKey_TooShortKey_ReturnsError(t *testing.T) {
 	short := "short" // < 16 bytes
 	long := strings.Repeat("x", 32)
 	_, err := DeterministicSeedKey(short, long)
 	require.Error(t, err)
 	_, err = DeterministicSeedKey(long, short)
 	require.Error(t, err)
 }
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -9,7 +9,6 @@ import (
 	"net/url"
 	"runtime"
 	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -333,8 +332,6 @@ func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 		}
 	}
 	m.notifier.Close()
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	m.clientRoutes = nil
@@ -703,15 +700,6 @@ func resolveURLsToIPs(urls []string) []net.IP {
 // updateRouteSelectorFromManagement updates the route selector based on the isSelected status from the management server
 func (m *DefaultManager) updateRouteSelectorFromManagement(clientRoutes route.HAMap) {
 	m.mirrorV6ExitPairSelections(clientRoutes)
 	// An explicit user "deselect all" must not be overridden by management auto-apply.
 	// Auto-applying an exit node here would call SelectRoutes, which clears the
 	// deselect-all flag and re-enables every route the user turned off.
 	if m.routeSelector.IsDeselectAll() {
 		return
 	}
 	exitNodeInfo := m.collectExitNodeInfo(clientRoutes)
 	if len(exitNodeInfo.allIDs) == 0 {
 		return
@@ -721,24 +709,6 @@ func (m *DefaultManager) updateRouteSelectorFromManagement(clientRoutes route.HA
 	m.logExitNodeUpdate(exitNodeInfo)
 }
 // mirrorV6ExitPairSelections keeps every synthesized "-v6" exit route's selection
 // consistent with its v4 base. The v4/v6 exit pair is a single toggle, so the v6
 // entry always follows the base: deselecting the v4 exit node also drops its ::/0
 // pair, and any stale (orphaned) explicit selection on the v6 entry is reset. This
 // runs before selection is read so both collectExitNodeInfo and FilterSelectedExitNodes
 // see consistent state, including pairs loaded from persisted selector state.
 func (m *DefaultManager) mirrorV6ExitPairSelections(clientRoutes route.HAMap) {
 	routesByNetID := make(map[route.NetID][]*route.Route, len(clientRoutes))
 	for haID, routes := range clientRoutes {
 		routesByNetID[haID.NetID()] = routes
 	}
 	for v6ID := range route.V6ExitMergeSet(routesByNetID) {
 		baseID := route.NetID(strings.TrimSuffix(string(v6ID), route.V6ExitSuffix))
 		m.routeSelector.SyncPairedSelection(baseID, v6ID)
 	}
 }
 type exitNodeInfo struct {
 	allIDs               []route.NetID
 	selectedByManagement []route.NetID
--- a/client/internal/routemanager/manager_v6exit_test.go
+++ b/client/internal/routemanager/manager_v6exit_test.go
@@ -1,47 +0,0 @@
 package routemanager
 import (
 	"net/netip"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/route"
 )
 // TestUpdateRouteSelectorFromManagement_MirrorsV6ExitPair reproduces the bug seen
 // in netbird-engine.log: persisted selector state has the v4 exit node deselected
 // but its synthesized "-v6" pair explicitly selected (orphaned), so the ::/0 route
 // leaked onto the tunnel. The management update must mirror the v4 deselect onto the
 // v6 pair so FilterSelectedExitNodes drops it.
 func TestUpdateRouteSelectorFromManagement_MirrorsV6ExitPair(t *testing.T) {
 	const (
 		v4ID = route.NetID("Exit Node (raspberrypi)")
 		v6ID = route.NetID("Exit Node (raspberrypi)-v6")
 	)
 	all := []route.NetID{v4ID, v6ID}
 	rs := routeselector.NewRouteSelector()
 	// Orphan the v6 selection: select the pair, then deselect only the v4 base.
 	require.NoError(t, rs.SelectRoutes([]route.NetID{v4ID, v6ID}, true, all))
 	require.NoError(t, rs.DeselectRoutes([]route.NetID{v4ID}, all))
 	require.True(t, rs.IsSelected(v6ID), "precondition: orphaned v6 selection survives v4 deselect")
 	m := &DefaultManager{routeSelector: rs}
 	v4Route := &route.Route{NetID: v4ID, Network: netip.MustParsePrefix("0.0.0.0/0")}
 	v6Route := &route.Route{NetID: v6ID, Network: netip.MustParsePrefix("::/0")}
 	clientRoutes := route.HAMap{
 		"Exit Node (raspberrypi)|0.0.0.0/0": {v4Route},
 		"Exit Node (raspberrypi)-v6|::/0":   {v6Route},
 	}
 	m.updateRouteSelectorFromManagement(clientRoutes)
 	assert.False(t, rs.IsSelected(v6ID), "v6 pair must follow the v4 base deselect after the management update")
 	filtered := rs.FilterSelectedExitNodes(clientRoutes)
 	assert.Empty(t, filtered, "deselected v4 exit node must not leak its ::/0 pair onto the tunnel")
 }
--- a/client/internal/routemanager/notifier/notifier_android.go
+++ b/client/internal/routemanager/notifier/notifier_android.go
@@ -16,7 +16,7 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
-	fakeIPRoutes  []*route.Route
+	fakeIPRoutes []*route.Route
 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -119,7 +119,3 @@ func (n *Notifier) GetInitialRouteRanges() []string {
 	sort.Strings(initialStrings)
 	return initialStrings
 }
 func (n *Notifier) Close() {
 	// unused
 }
--- a/client/internal/routemanager/notifier/notifier_ios.go
+++ b/client/internal/routemanager/notifier/notifier_ios.go
@@ -3,7 +3,6 @@
 package notifier
 import (
 	"container/list"
 	"net/netip"
 	"slices"
 	"sort"
@@ -15,26 +14,19 @@ import (
 )
 type Notifier struct {
 	mu              sync.Mutex
 	cond            *sync.Cond
 	currentPrefixes []string
-	listener        listener.NetworkChangeListener
+
-	queue           *list.List
+	listener    listener.NetworkChangeListener
-	closed          bool
+	listenerMux sync.Mutex
 }
 func NewNotifier() *Notifier {
-	n := &Notifier{
+	return &Notifier{}
 		queue: list.New(),
 	}
 	n.cond = sync.NewCond(&n.mu)
 	go n.deliverLoop()
 	return n
 }
 func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
-	n.mu.Lock()
+	n.listenerMux.Lock()
-	defer n.mu.Unlock()
+	defer n.listenerMux.Unlock()
 	n.listener = listener
 }
@@ -51,52 +43,32 @@ func (n *Notifier) OnNewRoutes(route.HAMap) {
 }
 func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
-	newNets := make([]string, 0, len(prefixes))
+	newNets := make([]string, 0)
 	for _, prefix := range prefixes {
 		newNets = append(newNets, prefix.String())
 	}
 	sort.Strings(newNets)
 	n.mu.Lock()
 	if slices.Equal(n.currentPrefixes, newNets) {
 		n.mu.Unlock()
 		return
 	}
 	n.currentPrefixes = newNets
 	routes := strings.Join(n.currentPrefixes, ",")
 	n.queue.PushBack(routes)
 	n.cond.Signal()
 	n.mu.Unlock()
 }
-func (n *Notifier) Close() {
+	n.currentPrefixes = newNets
-	n.mu.Lock()
+	n.notify()
-	n.closed = true
+}
-	n.cond.Signal()
+func (n *Notifier) notify() {
-	n.mu.Unlock()
+	n.listenerMux.Lock()
 	defer n.listenerMux.Unlock()
 	if n.listener == nil {
 		return
 	}
 	go func(l listener.NetworkChangeListener) {
 		l.OnNetworkChanged(strings.Join(n.currentPrefixes, ","))
 	}(n.listener)
 }
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return nil
 }
 func (n *Notifier) deliverLoop() {
 	for {
 		n.mu.Lock()
 		for n.queue.Len() == 0 && !n.closed {
 			n.cond.Wait()
 		}
 		if n.closed && n.queue.Len() == 0 {
 			n.mu.Unlock()
 			return
 		}
 		routes := n.queue.Remove(n.queue.Front()).(string)
 		l := n.listener
 		n.mu.Unlock()
 		if l != nil {
 			l.OnNetworkChanged(routes)
 		}
 	}
 }
--- a/client/internal/routemanager/notifier/notifier_other.go
+++ b/client/internal/routemanager/notifier/notifier_other.go
@@ -38,7 +38,3 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 func (n *Notifier) GetInitialRouteRanges() []string {
 	return []string{}
 }
 func (n *Notifier) Close() {
 	// unused
 }
--- a/client/internal/routemanager/selector_management_test.go
+++ b/client/internal/routemanager/selector_management_test.go
@@ -1,71 +0,0 @@
 package routemanager
 import (
 	"net/netip"
 	"testing"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/route"
 )
 func exitNodeRoutes(netID route.NetID, skipAutoApply bool) route.HAMap {
 	haID := route.HAUniqueID(string(netID) + "|0.0.0.0/0")
 	return route.HAMap{
 		haID: []*route.Route{
 			{
 				ID:            "r-" + route.ID(netID),
 				NetID:         netID,
 				Network:       netip.MustParsePrefix("0.0.0.0/0"),
 				NetworkType:   route.IPv4Network,
 				Enabled:       true,
 				SkipAutoApply: skipAutoApply,
 			},
 		},
 	}
 }
 func TestUpdateRouteSelectorFromManagement(t *testing.T) {
 	t.Run("management auto-apply selects exit node without user selection", func(t *testing.T) {
 		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
 		routes := exitNodeRoutes("exit1", false)
 		m.updateRouteSelectorFromManagement(routes)
 		require.True(t, m.routeSelector.IsSelected("exit1"), "auto-apply exit node should be selected")
 		require.Len(t, m.routeSelector.FilterSelectedExitNodes(routes), 1, "selected exit node should pass the filter")
 	})
 	t.Run("management SkipAutoApply leaves exit node deselected", func(t *testing.T) {
 		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
 		routes := exitNodeRoutes("exit1", true)
 		m.updateRouteSelectorFromManagement(routes)
 		require.False(t, m.routeSelector.IsSelected("exit1"), "SkipAutoApply exit node should not be selected")
 		require.Empty(t, m.routeSelector.FilterSelectedExitNodes(routes), "deselected exit node should be filtered out")
 	})
 	t.Run("user selection is not overridden by management", func(t *testing.T) {
 		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
 		require.NoError(t, m.routeSelector.SelectRoutes([]route.NetID{"exit1"}, true, []route.NetID{"exit1"}))
 		routes := exitNodeRoutes("exit1", true)
 		m.updateRouteSelectorFromManagement(routes)
 		require.True(t, m.routeSelector.IsSelected("exit1"), "explicit user selection must survive a management sync that wants to skip auto-apply")
 		require.Len(t, m.routeSelector.FilterSelectedExitNodes(routes), 1, "user-selected exit node should pass the filter")
 	})
 	t.Run("deselect-all is preserved across a management sync", func(t *testing.T) {
 		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
 		m.routeSelector.DeselectAllRoutes()
 		routes := exitNodeRoutes("exit1", false)
 		m.updateRouteSelectorFromManagement(routes)
 		require.True(t, m.routeSelector.IsDeselectAll(), "an explicit deselect-all must not be cleared by management auto-apply")
 		require.Empty(t, m.routeSelector.FilterSelectedExitNodes(routes), "no routes should be selected while deselect-all is set")
 	})
 }
--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -121,12 +121,9 @@ func (r *SysOps) addRouteToNonVPNIntf(prefix netip.Prefix, vpnIntf wgIface, init
 		return Nexthop{}, vars.ErrRouteNotAllowed
 	}
-	// BSDs blackhole a /32 added inside a directly-connected subnet; Linux/Windows need it to beat the wt0 route.
+	// Check if the prefix is part of any local subnets
-	switch runtime.GOOS {
+	if isLocal, subnet := r.isPrefixInLocalSubnets(prefix); isLocal {
-	case "darwin", "freebsd", "netbsd", "openbsd", "dragonfly":
+		return Nexthop{}, fmt.Errorf("prefix %s is part of local subnet %s: %w", prefix, subnet, vars.ErrRouteNotAllowed)
 		if isLocal, subnet := r.isPrefixInLocalSubnets(prefix); isLocal {
 			return Nexthop{}, fmt.Errorf("prefix %s is part of local subnet %s: %w", prefix, subnet, vars.ErrRouteNotAllowed)
 		}
 	}
 	// Determine the exit interface and next hop for the prefix, so we can add a specific route
--- a/client/internal/routeselector/routeselector.go
+++ b/client/internal/routeselector/routeselector.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"slices"
 	"strings"
 	"sync"
 	"github.com/hashicorp/go-multierror"
@@ -115,14 +116,6 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	clear(rs.selectedRoutes)
 }
 // IsDeselectAll reports whether the user has explicitly deselected all routes.
 func (rs *RouteSelector) IsDeselectAll() bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
 	return rs.deselectAll
 }
 // IsSelected checks if a specific route is selected.
 func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()
@@ -131,33 +124,6 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	return rs.isSelectedLocked(routeID)
 }
 // SyncPairedSelection forces pairedID's explicit selection state to match baseID's,
 // so a synthesized "-v6" exit route always follows its v4 base: selecting or
 // deselecting the v4 exit node governs the ::/0 pair, and any stale (orphaned)
 // explicit state on the v6 entry is reset. The v4/v6 exit pair is treated as a single
 // toggle, so the v6 entry carries no independent selection of its own.
 func (rs *RouteSelector) SyncPairedSelection(baseID, pairedID route.NetID) {
 	rs.mu.Lock()
 	defer rs.mu.Unlock()
 	if rs.deselectAll {
 		return
 	}
 	_, baseSelected := rs.selectedRoutes[baseID]
 	_, baseDeselected := rs.deselectedRoutes[baseID]
 	delete(rs.selectedRoutes, pairedID)
 	delete(rs.deselectedRoutes, pairedID)
 	switch {
 	case baseSelected:
 		rs.selectedRoutes[pairedID] = struct{}{}
 	case baseDeselected:
 		rs.deselectedRoutes[pairedID] = struct{}{}
 	}
 }
 // FilterSelected removes unselected routes from the provided map.
 func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 	rs.mu.RLock()
@@ -177,13 +143,14 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 }
 // HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this route.
-// The lookup is literal; v4/v6 exit pairs are kept consistent at write time via SyncPairedSelection,
+// Intended for exit-node code paths: a v6 exit-node pair (e.g. "MyExit-v6") with no explicit state of
-// so a synthesized "-v6" entry carries the same explicit state as its v4 base.
+// its own inherits its v4 base's state, so legacy persisted selections that predate v6 pairing
 // transparently apply to the synthesized v6 entry.
 func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
-	return rs.hasUserSelectionForRouteLocked(routeID)
+	return rs.hasUserSelectionForRouteLocked(rs.effectiveNetID(routeID))
 }
 func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
@@ -212,6 +179,83 @@ func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap
 	return filtered
 }
 // effectiveNetID returns the v4 base for a "-v6" exit pair entry that has no explicit
 // state of its own, so selections made on the v4 entry govern the v6 entry automatically.
 // Only call this from exit-node-specific code paths: applying it to a non-exit "-v6" route
 // would make it inherit unrelated v4 state. Must be called with rs.mu held.
 func (rs *RouteSelector) effectiveNetID(id route.NetID) route.NetID {
 	name := string(id)
 	if !strings.HasSuffix(name, route.V6ExitSuffix) {
 		return id
 	}
 	if _, ok := rs.selectedRoutes[id]; ok {
 		return id
 	}
 	if _, ok := rs.deselectedRoutes[id]; ok {
 		return id
 	}
 	return route.NetID(strings.TrimSuffix(name, route.V6ExitSuffix))
 }
 func (rs *RouteSelector) isSelectedLocked(routeID route.NetID) bool {
 	if rs.deselectAll {
 		return false
 	}
 	_, deselected := rs.deselectedRoutes[routeID]
 	return !deselected
 }
 func (rs *RouteSelector) isDeselectedLocked(netID route.NetID) bool {
 	if rs.deselectAll {
 		return true
 	}
 	_, deselected := rs.deselectedRoutes[netID]
 	return deselected
 }
 func (rs *RouteSelector) hasUserSelectionForRouteLocked(routeID route.NetID) bool {
 	_, selected := rs.selectedRoutes[routeID]
 	_, deselected := rs.deselectedRoutes[routeID]
 	return selected || deselected
 }
 func isExitNode(rt []*route.Route) bool {
 	return len(rt) > 0 && (route.IsV4DefaultRoute(rt[0].Network) || route.IsV6DefaultRoute(rt[0].Network))
 }
 func (rs *RouteSelector) applyExitNodeFilter(
 	id route.HAUniqueID,
 	netID route.NetID,
 	rt []*route.Route,
 	out route.HAMap,
 ) {
 	// Exit-node path: apply the v4/v6 pair mirror so a deselect on the v4 base also
 	// drops the synthesized v6 entry that lacks its own explicit state.
 	effective := rs.effectiveNetID(netID)
 	if rs.hasUserSelectionForRouteLocked(effective) {
 		if rs.isSelectedLocked(effective) {
 			out[id] = rt
 		}
 		return
 	}
 	// no explicit selection for this route: defer to management's SkipAutoApply flag
 	sel := collectSelected(rt)
 	if len(sel) > 0 {
 		out[id] = sel
 	}
 }
 func collectSelected(rt []*route.Route) []*route.Route {
 	var sel []*route.Route
 	for _, r := range rt {
 		if !r.SkipAutoApply {
 			sel = append(sel, r)
 		}
 	}
 	return sel
 }
 // MarshalJSON implements the json.Marshaler interface
 func (rs *RouteSelector) MarshalJSON() ([]byte, error) {
 	rs.mu.RLock()
@@ -265,59 +309,3 @@ func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
 	return nil
 }
 func (rs *RouteSelector) isSelectedLocked(routeID route.NetID) bool {
 	if rs.deselectAll {
 		return false
 	}
 	_, deselected := rs.deselectedRoutes[routeID]
 	return !deselected
 }
 func (rs *RouteSelector) isDeselectedLocked(netID route.NetID) bool {
 	if rs.deselectAll {
 		return true
 	}
 	_, deselected := rs.deselectedRoutes[netID]
 	return deselected
 }
 func (rs *RouteSelector) hasUserSelectionForRouteLocked(routeID route.NetID) bool {
 	_, selected := rs.selectedRoutes[routeID]
 	_, deselected := rs.deselectedRoutes[routeID]
 	return selected || deselected
 }
 func (rs *RouteSelector) applyExitNodeFilter(
 	id route.HAUniqueID,
 	netID route.NetID,
 	rt []*route.Route,
 	out route.HAMap,
 ) {
 	if rs.hasUserSelectionForRouteLocked(netID) {
 		if rs.isSelectedLocked(netID) {
 			out[id] = rt
 		}
 		return
 	}
 	// no explicit selection for this route: defer to management's SkipAutoApply flag
 	sel := collectSelected(rt)
 	if len(sel) > 0 {
 		out[id] = sel
 	}
 }
 func isExitNode(rt []*route.Route) bool {
 	return len(rt) > 0 && (route.IsV4DefaultRoute(rt[0].Network) || route.IsV6DefaultRoute(rt[0].Network))
 }
 func collectSelected(rt []*route.Route) []*route.Route {
 	var sel []*route.Route
 	for _, r := range rt {
 		if !r.SkipAutoApply {
 			sel = append(sel, r)
 		}
 	}
 	return sel
 }
--- a/client/internal/routeselector/routeselector_test.go
+++ b/client/internal/routeselector/routeselector_test.go
@@ -330,73 +330,39 @@ func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
 	assert.Len(t, filtered, 0) // No routes should be selected
 }
-// TestRouteSelector_V6ExitPairSync covers SyncPairedSelection, which keeps a v4
+// TestRouteSelector_V6ExitPairInherits covers the v4/v6 exit-node pair selection
-// exit node and its synthesized "-v6" counterpart consistent. The selector itself
+// mirror. The mirror is scoped to exit-node code paths: HasUserSelectionForRoute
-// is literal and never infers a v6 entry's state from its v4 base; callers that know
+// and FilterSelectedExitNodes resolve a "-v6" entry without explicit state to its
-// the pairing (exit-node code paths) call SyncPairedSelection to force the v6 entry
+// v4 base, so legacy persisted selections that predate v6 pairing transparently
-// to follow the base, treating the pair as a single toggle.
+// apply to the synthesized v6 entry. General lookups (IsSelected, FilterSelected)
-func TestRouteSelector_V6ExitPairSync(t *testing.T) {
+// stay literal so unrelated routes named "*-v6" don't inherit unrelated state.
 func TestRouteSelector_V6ExitPairInherits(t *testing.T) {
 	all := []route.NetID{"exit1", "exit1-v6", "exit2", "exit2-v6", "corp", "corp-v6"}
-	t.Run("selector lookups stay literal without sync", func(t *testing.T) {
+	t.Run("HasUserSelectionForRoute mirrors deselected v4 base", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
-		// The selector does not pair-resolve: the v6 entry is independent until synced.
+		assert.True(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 pair sees v4 base's user selection")
 		assert.False(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 entry has no state of its own")
 		assert.True(t, rs.IsSelected("exit1-v6"), "unsynced v6 entry stays selected by default")
-		// A route literally named "exit1-something" must never pair-resolve either.
+		// unrelated v6 with no v4 base touched is unaffected
-		assert.False(t, rs.HasUserSelectionForRoute("exit1-something"))
+		assert.False(t, rs.HasUserSelectionForRoute("exit2-v6"))
 	})
-	t.Run("sync mirrors deselected v4 base onto v6", func(t *testing.T) {
+	t.Run("IsSelected stays literal for non-exit lookups", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
 		// A non-exit route literally named "corp-v6" must not inherit "corp"'s state
 		// via the mirror; the mirror only applies in exit-node code paths.
 		assert.False(t, rs.IsSelected("corp"))
 		assert.True(t, rs.IsSelected("corp-v6"), "non-exit *-v6 routes must not inherit unrelated v4 state")
 	})
 	t.Run("explicit v6 state overrides v4 base in filter", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
 		rs.SyncPairedSelection("exit1", "exit1-v6")
 		assert.False(t, rs.IsSelected("exit1"))
 		assert.False(t, rs.IsSelected("exit1-v6"), "v6 pair follows v4 base deselect")
 		assert.True(t, rs.HasUserSelectionForRoute("exit1-v6"), "v6 carries explicit deselect after sync")
 	})
 	t.Run("sync mirrors selected v4 base onto v6", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1"}, false, all))
 		rs.SyncPairedSelection("exit1", "exit1-v6")
 		assert.True(t, rs.IsSelected("exit1"))
 		assert.True(t, rs.IsSelected("exit1-v6"), "v6 pair follows v4 base select")
 	})
 	t.Run("sync clears v6 state when base has no explicit selection", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1-v6"}, true, all))
 		require.True(t, rs.HasUserSelectionForRoute("exit1-v6"))
 		rs.SyncPairedSelection("exit1", "exit1-v6")
 		assert.False(t, rs.HasUserSelectionForRoute("exit1-v6"),
 			"v6 explicit state is cleared so it follows management like its base")
 	})
 	// Regression for the observed bug (see netbird-engine.log): persisted state has
 	// the v4 base deselected but the v6 sibling explicitly selected (orphaned). The
 	// sync must reset the orphan so the ::/0 route does not leak onto the tunnel.
 	t.Run("sync clears orphaned explicit v6 selection on deselected base", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		// Prior state: both explicitly selected, then only the v4 base deselected,
 		// leaving the v6 entry as a stale explicit selection.
 		require.NoError(t, rs.SelectRoutes([]route.NetID{"exit1", "exit1-v6"}, true, all))
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
 		require.True(t, rs.IsSelected("exit1-v6"), "precondition: orphaned v6 selection")
 		rs.SyncPairedSelection("exit1", "exit1-v6")
 		assert.False(t, rs.IsSelected("exit1-v6"), "orphaned v6 selection reset to follow v4 deselect")
 		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
 		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
@@ -404,14 +370,23 @@ func TestRouteSelector_V6ExitPairSync(t *testing.T) {
 			"exit1|0.0.0.0/0": {v4Route},
 			"exit1-v6|::/0":   {v6Route},
 		}
 		filtered := rs.FilterSelectedExitNodes(routes)
-		assert.Empty(t, filtered, "deselecting v4 base must drop the v6 pair even if it was explicitly selected before")
+		assert.NotContains(t, filtered, route.HAUniqueID("exit1|0.0.0.0/0"))
 		assert.Contains(t, filtered, route.HAUniqueID("exit1-v6|::/0"), "explicit v6 select wins over v4 base")
 	})
-	t.Run("filter drops synced v6 pair of deselected v4 base", func(t *testing.T) {
+	t.Run("non-v6-suffix routes unaffected", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
 		// A route literally named "exit1-something" must not pair-resolve.
 		assert.False(t, rs.HasUserSelectionForRoute("exit1-something"))
 	})
 	t.Run("filter v6 paired with deselected v4 base", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"exit1"}, all))
 		rs.SyncPairedSelection("exit1", "exit1-v6")
 		v4Route := &route.Route{NetID: "exit1", Network: netip.MustParsePrefix("0.0.0.0/0")}
 		v6Route := &route.Route{NetID: "exit1-v6", Network: netip.MustParsePrefix("::/0")}
@@ -424,15 +399,6 @@ func TestRouteSelector_V6ExitPairSync(t *testing.T) {
 		assert.Empty(t, filtered, "deselecting v4 base must also drop the v6 pair")
 	})
 	t.Run("deselectAll makes sync a no-op", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		rs.DeselectAllRoutes()
 		rs.SyncPairedSelection("exit1", "exit1-v6")
 		assert.False(t, rs.HasUserSelectionForRoute("exit1-v6"), "sync must not write explicit state under deselectAll")
 	})
 	t.Run("non-exit *-v6 routes pass through FilterSelectedExitNodes", func(t *testing.T) {
 		rs := routeselector.NewRouteSelector()
 		require.NoError(t, rs.DeselectRoutes([]route.NetID{"corp"}, all))
--- a/client/internal/statemanager/manager.go
+++ b/client/internal/statemanager/manager.go
@@ -96,19 +96,17 @@ func (m *Manager) Stop(ctx context.Context) error {
 	}
 	m.mu.Lock()
-	cancel := m.cancel
+	defer m.mu.Unlock()
 	done := m.done
 	m.mu.Unlock()
-	if cancel == nil {
+	if m.cancel == nil {
 		return nil
 	}
-	cancel()
+	m.cancel()
 	select {
 	case <-ctx.Done():
 		return ctx.Err()
-	case <-done:
+	case <-m.done:
 	}
 	return nil
--- a/client/internal/syncstore/disk.go
+++ b/client/internal/syncstore/disk.go
@@ -1,99 +0,0 @@
 package syncstore
 import (
 	"context"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"sync"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/protobuf/proto"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/util"
 )
 // syncResponseFileName is the name of the file the sync response is serialized
 // to, placed inside the configured directory (the state directory).
 const syncResponseFileName = "networkmap.pb"
 // diskStore serializes the latest sync response to a file on disk instead of
 // keeping it in memory. This trades disk I/O for a much smaller memory
 // footprint, which matters on memory-constrained platforms (iOS).
 type diskStore struct {
 	mu   sync.Mutex
 	path string
 }
 // NewDiskStore returns a Store that serializes the sync response to a file in
 // the given directory. If dir is empty it falls back to the OS temp directory.
 //
 // Any file left over from a previous run is removed on construction so a fresh
 // store never reads stale data (e.g. another profile's network map).
 func NewDiskStore(dir string) Store {
 	if dir == "" {
 		dir = os.TempDir()
 	}
 	s := &diskStore{
 		path: filepath.Join(dir, syncResponseFileName),
 	}
 	if err := s.Clear(); err != nil {
 		log.Warnf("failed to clear stale sync response file: %v", err)
 	}
 	return s
 }
 func (s *diskStore) Set(resp *mgmProto.SyncResponse) error {
 	if resp == nil {
 		return s.Clear()
 	}
 	bs, err := proto.Marshal(resp)
 	if err != nil {
 		return fmt.Errorf("marshal sync response: %w", err)
 	}
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if err := util.WriteBytesWithRestrictedPermission(context.Background(), s.path, bs); err != nil {
 		return fmt.Errorf("write sync response to %s: %w", s.path, err)
 	}
 	log.Debugf("sync response persisted to %s (%d bytes)", s.path, len(bs))
 	return nil
 }
 func (s *diskStore) Get() (*mgmProto.SyncResponse, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	bs, err := os.ReadFile(s.path)
 	if err != nil {
 		if errors.Is(err, os.ErrNotExist) {
 			//nolint:nilnil // nil,nil means "nothing stored", per the Store contract; preserve the original behaviour
 			return nil, nil
 		}
 		return nil, fmt.Errorf("read sync response from %s: %w", s.path, err)
 	}
 	resp := &mgmProto.SyncResponse{}
 	if err := proto.Unmarshal(bs, resp); err != nil {
 		return nil, fmt.Errorf("unmarshal sync response: %w", err)
 	}
 	log.Debugf("retrieving latest sync response from %s (%d bytes)", s.path, len(bs))
 	return resp, nil
 }
 func (s *diskStore) Clear() error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if err := os.Remove(s.path); err != nil && !errors.Is(err, os.ErrNotExist) {
 		return fmt.Errorf("remove sync response file %s: %w", s.path, err)
 	}
 	return nil
 }
--- a/client/internal/syncstore/factory_ios.go
+++ b/client/internal/syncstore/factory_ios.go
@@ -1,9 +0,0 @@
 //go:build ios
 package syncstore
 // New returns the platform default store. On iOS the sync response is
 // serialized to disk (in dir) to keep it out of the constrained process memory.
 func New(dir string) Store {
 	return NewDiskStore(dir)
 }
--- a/client/internal/syncstore/factory_other.go
+++ b/client/internal/syncstore/factory_other.go
@@ -1,9 +0,0 @@
 //go:build !ios
 package syncstore
 // New returns the platform default store. On all non-iOS platforms the sync
 // response is kept in memory; dir is unused.
 func New(_ string) Store {
 	return NewMemoryStore()
 }
--- a/client/internal/syncstore/memory.go
+++ b/client/internal/syncstore/memory.go
@@ -1,56 +0,0 @@
 package syncstore
 import (
 	"fmt"
 	"sync"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/protobuf/proto"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
 // memoryStore keeps the latest sync response in memory.
 type memoryStore struct {
 	mu     sync.RWMutex
 	latest *mgmProto.SyncResponse
 }
 // NewMemoryStore returns a Store that keeps the sync response in memory.
 func NewMemoryStore() Store {
 	return &memoryStore{}
 }
 func (s *memoryStore) Set(resp *mgmProto.SyncResponse) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.latest = resp
 	return nil
 }
 func (s *memoryStore) Get() (*mgmProto.SyncResponse, error) {
 	s.mu.RLock()
 	latest := s.latest
 	s.mu.RUnlock()
 	if latest == nil {
 		//nolint:nilnil // nil,nil means "nothing stored", per the Store contract; preserve the original behaviour
 		return nil, nil
 	}
 	log.Debugf("retrieving latest sync response with size %d bytes", proto.Size(latest))
 	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
 	if !ok {
 		return nil, fmt.Errorf("clone sync response")
 	}
 	return sr, nil
 }
 func (s *memoryStore) Clear() error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.latest = nil
 	return nil
 }
--- a/client/internal/syncstore/syncstore.go
+++ b/client/internal/syncstore/syncstore.go
@@ -1,29 +0,0 @@
 // Package syncstore stores the latest Management sync response (which carries
 // the network map) for debug bundle generation.
 //
 // The storage backend is selected at build time per operating system: on iOS
 // the response is serialized to disk to keep it out of the (tightly
 // constrained) process memory, while on all other platforms it is kept in
 // memory. The backend is chosen by the New constructor; see factory_ios.go and
 // factory_other.go.
 package syncstore
 import (
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
 // Store persists the latest sync response and returns it on demand.
 //
 // Implementations must be safe for concurrent use.
 type Store interface {
 	// Set stores the given sync response, replacing any previously stored one.
 	Set(resp *mgmProto.SyncResponse) error
 	// Get returns the stored sync response, or nil if none is stored.
 	// The returned value is an independent copy that the caller may retain.
 	Get() (*mgmProto.SyncResponse, error)
 	// Clear removes any stored sync response. It is safe to call when nothing
 	// is stored.
 	Clear() error
 }
--- a/client/internal/updater/manager.go
+++ b/client/internal/updater/manager.go
@@ -19,6 +19,8 @@ import (
 const (
 	latestVersion = "latest"
 	// this version will be ignored
 	developmentVersion = "development"
 )
 var errNoUpdateState = errors.New("no update state found")
@@ -481,7 +483,7 @@ func (m *Manager) loadAndDeleteUpdateState(ctx context.Context) (*UpdateState, e
 }
 func (m *Manager) shouldUpdate(updateVersion *v.Version, forceUpdate bool) bool {
-	if version.IsDevelopmentVersion(m.currentVersion) {
+	if m.currentVersion == developmentVersion {
 		log.Debugf("skipping auto-update, running development version")
 		return false
 	}
--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -17,7 +17,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -26,7 +25,6 @@ import (
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	types "github.com/netbirdio/netbird/upload-server/types"
 )
 // ConnectionListener export internal Listener for mobile
@@ -56,7 +54,6 @@ type selectRoute struct {
 	Network       netip.Prefix
 	Domains       domain.List
 	Selected      bool
 	Status        string
 	extraNetworks []netip.Prefix
 }
@@ -68,8 +65,6 @@ func init() {
 type Client struct {
 	cfgFile               string
 	stateFile             string
 	cacheDir              string
 	logFilePath           string
 	recorder              *peer.Status
 	ctxCancel             context.CancelFunc
 	ctxCancelLock         *sync.Mutex
@@ -80,21 +75,16 @@ type Client struct {
 	onHostDnsFn           func([]string)
 	dnsManager            dns.IosDnsManager
 	loginComplete         bool
 	connectClient         *internal.ConnectClient
 	// preloadedConfig holds config loaded from JSON (used on tvOS where file writes are blocked)
 	preloadedConfig *profilemanager.Config
 	stateMu       sync.RWMutex
 	connectClient *internal.ConnectClient
 	config        *profilemanager.Config
 }
 // NewClient instantiate a new Client
-func NewClient(cfgFile, stateFile, cacheDir, logFilePath, deviceName string, osVersion string, osName string, networkChangeListener NetworkChangeListener, dnsManager DnsManager) *Client {
+func NewClient(cfgFile, stateFile, deviceName string, osVersion string, osName string, networkChangeListener NetworkChangeListener, dnsManager DnsManager) *Client {
 	return &Client{
 		cfgFile:               cfgFile,
 		stateFile:             stateFile,
 		cacheDir:              cacheDir,
 		logFilePath:           logFilePath,
 		deviceName:            deviceName,
 		osName:                osName,
 		osVersion:             osVersion,
@@ -171,13 +161,8 @@ func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	c.onHostDnsFn = func([]string) {}
 	cfg.WgIface = interfaceName
-	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	c.setState(cfg, connectClient)
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
 	// Persist the latest sync response so DebugBundle can include the network
 	// map. On iOS this is backed by disk to keep it out of the constrained
 	// process memory (see the syncstore package).
 	connectClient.SetSyncResponsePersistence(true)
 	return connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile, c.cacheDir, c.logFilePath)
 }
 // Stop the internal client and free the resources
@@ -189,84 +174,6 @@ func (c *Client) Stop() {
 	}
 	c.ctxCancel()
 	c.setState(nil, nil)
 }
 // DebugBundle generates a debug bundle, uploads it and returns the upload key.
 // It works with or without a running engine: when the engine is up it reuses
 // the live config, sync response and client metrics; otherwise it loads the
 // config from disk (or the preloaded tvOS config).
 func (c *Client) DebugBundle(anonymize bool) (string, error) {
 	cfg, cc := c.stateSnapshot()
 	// If the engine hasn't been started, load config so we can reach management.
 	if cfg == nil {
 		if c.preloadedConfig != nil {
 			cfg = c.preloadedConfig
 		} else {
 			var err error
 			// Use DirectUpdateOrCreateConfig to avoid atomic file operations
 			// (temp file + rename) blocked by the tvOS sandbox.
 			cfg, err = profilemanager.DirectUpdateOrCreateConfig(profilemanager.ConfigInput{
 				ConfigPath:    c.cfgFile,
 				StateFilePath: c.stateFile,
 			})
 			if err != nil {
 				return "", fmt.Errorf("load config: %w", err)
 			}
 		}
 	}
 	deps := debug.GeneratorDependencies{
 		InternalConfig: cfg,
 		StatusRecorder: c.recorder,
 		TempDir:        c.cacheDir,
 		StatePath:      c.stateFile,
 		LogPath:        c.logFilePath,
 	}
 	if cc != nil {
 		resp, err := cc.GetLatestSyncResponse()
 		if err != nil {
 			log.Warnf("get latest sync response: %v", err)
 		}
 		deps.SyncResponse = resp
 		if e := cc.Engine(); e != nil {
 			if cm := e.GetClientMetrics(); cm != nil {
 				deps.ClientMetrics = cm
 			}
 		}
 	}
 	bundleGenerator := debug.NewBundleGenerator(
 		deps,
 		debug.BundleConfig{
 			Anonymize:         anonymize,
 			IncludeSystemInfo: true,
 		},
 	)
 	path, err := bundleGenerator.Generate()
 	if err != nil {
 		return "", fmt.Errorf("generate debug bundle: %w", err)
 	}
 	defer func() {
 		if err := os.Remove(path); err != nil {
 			log.Errorf("failed to remove debug bundle file: %v", err)
 		}
 	}()
 	uploadCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
 	key, err := debug.UploadDebugBundle(uploadCtx, types.DefaultBundleURL, cfg.ManagementURL.String(), path)
 	if err != nil {
 		return "", fmt.Errorf("upload debug bundle: %w", err)
 	}
 	log.Infof("debug bundle uploaded with key %s", key)
 	return key, nil
 }
 // SetTraceLogLevel configure the logger to trace level
@@ -320,16 +227,6 @@ func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
 // IsLoginRequiredCached reports whether the LAST observed management error was an
 // auth failure (PermissionDenied/InvalidArgument), using the in-memory status
 // recorder. Unlike IsLoginRequired() it performs NO network call, so it is safe to
 // call from the connection listener during teardown (e.g. onDisconnected) without
 // blocking on a slow or unavailable network. Returns false while connected to
 // management or when the last error was not auth-related.
 func (c *Client) IsLoginRequiredCached() bool {
 	return c.recorder.IsLoginRequired()
 }
 func (c *Client) IsLoginRequired() bool {
 	var ctx context.Context
 	//nolint
@@ -457,12 +354,11 @@ func (c *Client) ClearLoginComplete() {
 }
 func (c *Client) GetRoutesSelectionDetails() (*RoutesSelectionDetails, error) {
-	_, connectClient := c.stateSnapshot()
+	if c.connectClient == nil {
 	if connectClient == nil {
 		return nil, fmt.Errorf("not connected")
 	}
-	engine := connectClient.Engine()
+	engine := c.connectClient.Engine()
 	if engine == nil {
 		return nil, fmt.Errorf("not connected")
 	}
@@ -481,57 +377,9 @@ func (c *Client) GetRoutesSelectionDetails() (*RoutesSelectionDetails, error) {
 	routes := buildSelectRoutes(routesMap, routeSelector.IsSelected, v6ExitMerged)
 	resolvedDomains := c.recorder.GetResolvedDomainsStates()
 	// Compute each route's connection status in the core (mirroring the Android
 	// bridge), so the UI doesn't have to infer it by string-matching the joined
 	// Network value against peer routes. For a merged exit node the status reflects
 	// whichever of the v4/v6 prefixes is served by a connected peer; for dynamic
 	// (DNS) routes the peer route key is the domain pattern (see dynamic.Route.String).
 	connectedRoutes := c.connectedRouteSet()
 	for _, r := range routes {
 		r.Status = routeStatus(r, connectedRoutes)
 	}
 	return prepareRouteSelectionDetails(routes, resolvedDomains), nil
 }
 // connectedRouteSet returns the set of route keys (as strings) currently served by a
 // connected peer, gathered across all connected peers' route tables. The keys match
 // what the route manager records: a prefix string for static routes (e.g. "0.0.0.0/0")
 // and the domain pattern for dynamic routes (e.g. "*.example.com").
 func (c *Client) connectedRouteSet() map[string]struct{} {
 	connected := map[string]struct{}{}
 	for _, p := range c.recorder.GetFullStatus().Peers {
 		if p.ConnStatus != peer.StatusConnected {
 			continue
 		}
 		for r := range p.GetRoutes() {
 			connected[r] = struct{}{}
 		}
 	}
 	return connected
 }
 // routeStatus reports "Connected" if any of the route's keys is served by a connected
 // peer: the primary Network prefix, an extra v6 network of a merged exit node, or the
 // domain pattern for a dynamic DNS route. Otherwise "Idle".
 func routeStatus(r *selectRoute, connectedRoutes map[string]struct{}) string {
 	keys := make([]string, 0, 1+len(r.extraNetworks))
 	if len(r.Domains) > 0 {
 		keys = append(keys, r.Domains.SafeString())
 	} else {
 		keys = append(keys, r.Network.String())
 	}
 	for _, extra := range r.extraNetworks {
 		keys = append(keys, extra.String())
 	}
 	for _, k := range keys {
 		if _, ok := connectedRoutes[k]; ok {
 			return peer.StatusConnected.String()
 		}
 	}
 	return peer.StatusIdle.String()
 }
 func buildSelectRoutes(routesMap map[route.NetID][]*route.Route, isSelected func(route.NetID) bool, v6Merged map[route.NetID]struct{}) []*selectRoute {
 	var routes []*selectRoute
 	for id, rt := range routesMap {
@@ -614,7 +462,6 @@ func prepareRouteSelectionDetails(routes []*selectRoute, resolvedDomains map[dom
 			Network:  netStr,
 			Domains:  &domainDetails,
 			Selected: r.Selected,
 			Status:   r.Status,
 		})
 	}
@@ -623,12 +470,11 @@ func prepareRouteSelectionDetails(routes []*selectRoute, resolvedDomains map[dom
 }
 func (c *Client) SelectRoute(id string) error {
-	_, connectClient := c.stateSnapshot()
+	if c.connectClient == nil {
 	if connectClient == nil {
 		return fmt.Errorf("not connected")
 	}
-	engine := connectClient.Engine()
+	engine := c.connectClient.Engine()
 	if engine == nil {
 		return fmt.Errorf("not connected")
 	}
@@ -654,11 +500,10 @@ func (c *Client) SelectRoute(id string) error {
 }
 func (c *Client) DeselectRoute(id string) error {
-	_, connectClient := c.stateSnapshot()
+	if c.connectClient == nil {
 	if connectClient == nil {
 		return fmt.Errorf("not connected")
 	}
-	engine := connectClient.Engine()
+	engine := c.connectClient.Engine()
 	if engine == nil {
 		return fmt.Errorf("not connected")
 	}
@@ -682,22 +527,6 @@ func (c *Client) DeselectRoute(id string) error {
 	return nil
 }
 // setState stores the running engine state so DebugBundle can reuse the live
 // config and ConnectClient. It is cleared on Stop.
 func (c *Client) setState(cfg *profilemanager.Config, cc *internal.ConnectClient) {
 	c.stateMu.Lock()
 	defer c.stateMu.Unlock()
 	c.config = cfg
 	c.connectClient = cc
 }
 // stateSnapshot returns the current config and ConnectClient under the lock.
 func (c *Client) stateSnapshot() (*profilemanager.Config, *internal.ConnectClient) {
 	c.stateMu.RLock()
 	defer c.stateMu.RUnlock()
 	return c.config, c.connectClient
 }
 func formatDuration(d time.Duration) string {
 	ds := d.String()
 	dotIndex := strings.Index(ds, ".")
--- a/client/ios/NetBirdSDK/routes.go
+++ b/client/ios/NetBirdSDK/routes.go
@@ -20,7 +20,6 @@ type RoutesSelectionInfo struct {
 	Network  string
 	Domains  *DomainDetails
 	Selected bool
 	Status   string
 }
 type DomainCollection interface {
--- a/Show More
+++ b/Show More
`@@ -1,4 +1,4 @@`
	`//go:build !android && !ios`	`//go:build !android`

	`package debug`	`package debug`