Apply netroute unspecified-destination workaround on android

* [client] Add short flags for status command options

* uppercase filters

client/cmd/status.go

@@ -43,16 +43,16 @@ func init() {
 	ipsFilterMap = make(map[string]struct{})
 	prefixNamesFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().BoolVar(&ipv6Flag, "ipv6", false, "display only NetBird IPv6 of this peer")
+	statusCmd.PersistentFlags().BoolVarP(&jsonFlag, "json", "j", false, "display detailed status information in json format")
+	statusCmd.PersistentFlags().BoolVarP(&yamlFlag, "yaml", "y", false, "display detailed status information in yaml format")
+	statusCmd.PersistentFlags().BoolVarP(&ipv4Flag, "ipv4", "4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
+	statusCmd.PersistentFlags().BoolVarP(&ipv6Flag, "ipv6", "6", false, "display only NetBird IPv6 of this peer")
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4", "ipv6")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
-	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
-	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
-	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
+	statusCmd.PersistentFlags().StringSliceVarP(&ipsFilter, "filter-by-ips", "I", []string{}, "filters the detailed output by a list of one or more IPs (v4 or v6), e.g., --filter-by-ips 100.64.0.100,fd00::1")
+	statusCmd.PersistentFlags().StringSliceVarP(&prefixNamesFilter, "filter-by-names", "N", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
+	statusCmd.PersistentFlags().StringVarP(&statusFilter, "filter-by-status", "S", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVarP(&connectionTypeFilter, "filter-by-connection-type", "T", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
+	statusCmd.PersistentFlags().StringVarP(&checkFlag, "check", "C", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }
 
 func statusFunc(cmd *cobra.Command, args []string) error {

client/embed/embed.go

@@ -336,7 +336,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)
 
 	tcpAddr, err := net.ResolveTCPAddr("tcp", listenAddr)
 	if err != nil {
@@ -357,7 +357,7 @@ func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	if err != nil {
 		return nil, fmt.Errorf("split host port: %w", err)
 	}
-	listenAddr := fmt.Sprintf("%s:%s", addr, port)
+	listenAddr := net.JoinHostPort(addr.String(), port)
 
 	udpAddr, err := net.ResolveUDPAddr("udp", listenAddr)
 	if err != nil {

client/internal/debug/debug.go

@@ -45,8 +45,11 @@ netbird.out: Most recent, anonymized stdout log file of the NetBird client.
 routes.txt: Detailed system routing table in tabular format including destination, gateway, interface, metrics, and protocol information, if --system-info flag was provided.
 interfaces.txt: Anonymized network interface information, if --system-info flag was provided.
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
-iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
-nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
+iptables.txt: Anonymized iptables (IPv4) rules with packet counters, if --system-info flag was provided.
+ip6tables.txt: Anonymized ip6tables (IPv6) rules with packet counters, if --system-info flag was provided.
+ipset.txt: Anonymized ipset list output, if --system-info flag was provided.
+nftables.txt: Anonymized nftables rules with packet counters across all families (ip, ip6, inet, etc.), if --system-info flag was provided.
+sysctls.txt: Forwarding, reverse-path filter, source-validation, and conntrack accounting sysctl values that the NetBird client may read or modify, if --system-info flag was provided (Linux only).
 resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
 scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
@@ -165,22 +168,33 @@ The config.txt file contains anonymized configuration information of the NetBird
 Other non-sensitive configuration options are included without anonymization.
 
 Firewall Rules (Linux only)
-The bundle includes two separate firewall rule files:
+The bundle includes the following firewall-related files:
 
 iptables.txt:
-- Complete iptables ruleset with packet counters using 'iptables -v -n -L'
+- IPv4 iptables ruleset with packet counters using 'iptables-save' and 'iptables -v -n -L'
 - Includes all tables (filter, nat, mangle, raw, security)
 - Shows packet and byte counters for each rule
 - All IP addresses are anonymized
 - Chain names, table names, and other non-sensitive information remain unchanged
 
+ip6tables.txt:
+- IPv6 ip6tables ruleset with packet counters using 'ip6tables-save' and 'ip6tables -v -n -L'
+- Same table coverage and anonymization as iptables.txt
+- Omitted when ip6tables is not installed or no IPv6 rules are present
+
+ipset.txt:
+- Output of 'ipset list' (family-agnostic)
+- IP addresses are anonymized; set names and types remain unchanged
+
 nftables.txt:
-- Complete nftables ruleset obtained via 'nft -a list ruleset'
+- Complete nftables ruleset across all families (ip, ip6, inet, arp, bridge, netdev) via 'nft -a list ruleset'
 - Includes rule handle numbers and packet counters
-- All tables, chains, and rules are included
-- Shows packet and byte counters for each rule
-- All IP addresses are anonymized
-- Chain names, table names, and other non-sensitive information remain unchanged
+- All IP addresses are anonymized; chain/table names remain unchanged
+
+sysctls.txt:
+- Forwarding (IPv4 + IPv6, global and per-interface), reverse-path filter, source-validation, conntrack accounting, and TCP-related sysctls that netbird may read or modify
+- Per-interface keys are enumerated from /proc/sys/net/ipv{4,6}/conf
+- Interface names anonymized when --anonymize is set
 
 IP Rules (Linux only)
 The ip_rules.txt file contains detailed IP routing rule information:
@@ -412,6 +426,10 @@ func (g *BundleGenerator) addSystemInfo() {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}
 
+	if err := g.addSysctls(); err != nil {
+		log.Errorf("failed to add sysctls to debug bundle: %v", err)
+	}
+
 	if err := g.addDNSInfo(); err != nil {
 		log.Errorf("failed to add DNS info to debug bundle: %v", err)
 	}

client/internal/debug/debug_linux.go

@@ -124,15 +124,18 @@ func getSystemdLogs(serviceName string) (string, error) {
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
-	iptablesRules, err := collectIPTablesRules()
+	g.addIPTablesRulesToBundle("iptables-save", "iptables", "iptables.txt")
+	g.addIPTablesRulesToBundle("ip6tables-save", "ip6tables", "ip6tables.txt")
+
+	ipsetOutput, err := collectIPSets()
 	if err != nil {
-		log.Warnf("Failed to collect iptables rules: %v", err)
+		log.Warnf("Failed to collect ipset information: %v", err)
 	} else {
 		if g.anonymize {
-			iptablesRules = g.anonymizer.AnonymizeString(iptablesRules)
+			ipsetOutput = g.anonymizer.AnonymizeString(ipsetOutput)
 		}
-		if err := g.addFileToZip(strings.NewReader(iptablesRules), "iptables.txt"); err != nil {
-			log.Warnf("Failed to add iptables rules to bundle: %v", err)
+		if err := g.addFileToZip(strings.NewReader(ipsetOutput), "ipset.txt"); err != nil {
+			log.Warnf("Failed to add ipset output to bundle: %v", err)
 		}
 	}
 
@@ -151,44 +154,65 @@ func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }
 
-// collectIPTablesRules collects rules using both iptables-save and verbose listing
-func collectIPTablesRules() (string, error) {
-	var builder strings.Builder
-
-	saveOutput, err := collectIPTablesSave()
+// addIPTablesRulesToBundle collects iptables/ip6tables rules and writes them to the bundle.
+func (g *BundleGenerator) addIPTablesRulesToBundle(saveBin, listBin, filename string) {
+	rules, err := collectIPTablesRules(saveBin, listBin)
 	if err != nil {
-		log.Warnf("Failed to collect iptables rules using iptables-save: %v", err)
-	} else {
-		builder.WriteString("=== iptables-save output ===\n")
+		log.Warnf("Failed to collect %s rules: %v", listBin, err)
+		return
+	}
+	if g.anonymize {
+		rules = g.anonymizer.AnonymizeString(rules)
+	}
+	if err := g.addFileToZip(strings.NewReader(rules), filename); err != nil {
+		log.Warnf("Failed to add %s rules to bundle: %v", listBin, err)
+	}
+}
+
+// collectIPTablesRules collects rules using both <saveBin> and verbose listing via <listBin>.
+// Returns an error when neither command produced any output (e.g. the binary is missing),
+// so the caller can skip writing an empty file.
+func collectIPTablesRules(saveBin, listBin string) (string, error) {
+	var builder strings.Builder
+	var collected bool
+	var firstErr error
+
+	saveOutput, err := runCommand(saveBin)
+	switch {
+	case err != nil:
+		firstErr = err
+		log.Warnf("Failed to collect %s output: %v", saveBin, err)
+	case strings.TrimSpace(saveOutput) == "":
+		log.Debugf("%s produced no output, skipping", saveBin)
+	default:
+		builder.WriteString(fmt.Sprintf("=== %s output ===\n", saveBin))
 		builder.WriteString(saveOutput)
 		builder.WriteString("\n")
+		collected = true
 	}
 
-	ipsetOutput, err := collectIPSets()
-	if err != nil {
-		log.Warnf("Failed to collect ipset information: %v", err)
-	} else {
-		builder.WriteString("=== ipset list output ===\n")
-		builder.WriteString(ipsetOutput)
-		builder.WriteString("\n")
-	}
-
-	builder.WriteString("=== iptables -v -n -L output ===\n")
+	listHeader := fmt.Sprintf("=== %s -v -n -L output ===\n", listBin)
+	builder.WriteString(listHeader)
 
 	tables := []string{"filter", "nat", "mangle", "raw", "security"}
-
 	for _, table := range tables {
-		builder.WriteString(fmt.Sprintf("*%s\n", table))
-
-		stats, err := getTableStatistics(table)
+		stats, err := runCommand(listBin, "-v", "-n", "-L", "-t", table)
 		if err != nil {
-			log.Warnf("Failed to get statistics for table %s: %v", table, err)
+			if firstErr == nil {
+				firstErr = err
+			}
+			log.Warnf("Failed to get %s statistics for table %s: %v", listBin, table, err)
 			continue
 		}
+		builder.WriteString(fmt.Sprintf("*%s\n", table))
 		builder.WriteString(stats)
 		builder.WriteString("\n")
+		collected = true
 	}
 
+	if !collected {
+		return "", fmt.Errorf("collect %s rules: %w", listBin, firstErr)
+	}
 	return builder.String(), nil
 }
 
@@ -214,34 +238,15 @@ func collectIPSets() (string, error) {
 	return ipsets, nil
 }
 
-// collectIPTablesSave uses iptables-save to get rule definitions
-func collectIPTablesSave() (string, error) {
-	cmd := exec.Command("iptables-save")
+// runCommand executes a command and returns its stdout, wrapping stderr in the error on failure.
+func runCommand(name string, args ...string) (string, error) {
+	cmd := exec.Command(name, args...)
 	var stdout, stderr bytes.Buffer
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 
 	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute iptables-save: %w (stderr: %s)", err, stderr.String())
-	}
-
-	rules := stdout.String()
-	if strings.TrimSpace(rules) == "" {
-		return "", fmt.Errorf("no iptables rules found")
-	}
-
-	return rules, nil
-}
-
-// getTableStatistics gets verbose statistics for an entire table using iptables command
-func getTableStatistics(table string) (string, error) {
-	cmd := exec.Command("iptables", "-v", "-n", "-L", "-t", table)
-	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	if err := cmd.Run(); err != nil {
-		return "", fmt.Errorf("execute iptables -v -n -L: %w (stderr: %s)", err, stderr.String())
+		return "", fmt.Errorf("execute %s: %w (stderr: %s)", name, err, stderr.String())
 	}
 
 	return stdout.String(), nil
@@ -804,3 +809,91 @@ func formatSetKeyType(keyType nftables.SetDatatype) string {
 		return fmt.Sprintf("type-%v", keyType)
 	}
 }
+
+// addSysctls collects forwarding and netbird-managed sysctl values and writes them to the bundle.
+func (g *BundleGenerator) addSysctls() error {
+	log.Info("Collecting sysctls")
+	content := collectSysctls()
+	if g.anonymize {
+		content = g.anonymizer.AnonymizeString(content)
+	}
+	if err := g.addFileToZip(strings.NewReader(content), "sysctls.txt"); err != nil {
+		return fmt.Errorf("add sysctls to bundle: %w", err)
+	}
+	return nil
+}
+
+// collectSysctls reads every sysctl that the netbird client may modify, plus
+// global IPv4/IPv6 forwarding, and returns a formatted dump grouped by topic.
+// Per-interface values are enumerated by listing /proc/sys/net/ipv{4,6}/conf.
+func collectSysctls() string {
+	var builder strings.Builder
+
+	writeSysctlGroup(&builder, "forwarding", []string{
+		"net.ipv4.ip_forward",
+		"net.ipv6.conf.all.forwarding",
+		"net.ipv6.conf.default.forwarding",
+	})
+	writeSysctlGroup(&builder, "ipv4 per-interface forwarding", listInterfaceSysctls("ipv4", "forwarding"))
+	writeSysctlGroup(&builder, "ipv6 per-interface forwarding", listInterfaceSysctls("ipv6", "forwarding"))
+	writeSysctlGroup(&builder, "rp_filter", append(
+		[]string{"net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter"},
+		listInterfaceSysctls("ipv4", "rp_filter")...,
+	))
+	writeSysctlGroup(&builder, "src_valid_mark", append(
+		[]string{"net.ipv4.conf.all.src_valid_mark", "net.ipv4.conf.default.src_valid_mark"},
+		listInterfaceSysctls("ipv4", "src_valid_mark")...,
+	))
+	writeSysctlGroup(&builder, "conntrack", []string{
+		"net.netfilter.nf_conntrack_acct",
+		"net.netfilter.nf_conntrack_tcp_loose",
+	})
+	writeSysctlGroup(&builder, "tcp", []string{
+		"net.ipv4.tcp_tw_reuse",
+	})
+
+	return builder.String()
+}
+
+func writeSysctlGroup(builder *strings.Builder, title string, keys []string) {
+	builder.WriteString(fmt.Sprintf("=== %s ===\n", title))
+	for _, key := range keys {
+		value, err := readSysctl(key)
+		if err != nil {
+			builder.WriteString(fmt.Sprintf("%s = <error: %v>\n", key, err))
+			continue
+		}
+		builder.WriteString(fmt.Sprintf("%s = %s\n", key, value))
+	}
+	builder.WriteString("\n")
+}
+
+// listInterfaceSysctls returns net.ipvX.conf.<iface>.<leaf> keys for every
+// interface present in /proc/sys/net/ipvX/conf, skipping "all" and "default"
+// (callers add those explicitly so they appear first).
+func listInterfaceSysctls(family, leaf string) []string {
+	dir := fmt.Sprintf("/proc/sys/net/%s/conf", family)
+	entries, err := os.ReadDir(dir)
+	if err != nil {
+		return nil
+	}
+	var keys []string
+	for _, e := range entries {
+		name := e.Name()
+		if name == "all" || name == "default" {
+			continue
+		}
+		keys = append(keys, fmt.Sprintf("net.%s.conf.%s.%s", family, name, leaf))
+	}
+	sort.Strings(keys)
+	return keys
+}
+
+func readSysctl(key string) (string, error) {
+	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
+	value, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(value)), nil
+}

client/internal/debug/debug_nonlinux.go

@@ -17,3 +17,8 @@ func (g *BundleGenerator) addIPRules() error {
 	// IP rules are only supported on Linux
 	return nil
 }
+
+func (g *BundleGenerator) addSysctls() error {
+	// Sysctl collection is only supported on Linux
+	return nil
+}

client/internal/peer/conn.go

@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
 	"github.com/netbirdio/netbird/client/internal/portforward"
-	"github.com/netbirdio/netbird/client/internal/rosenpass"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -900,7 +899,7 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	}
 
 	// Fallback to deterministic key if no NetBird PSK is configured
-	determKey, err := rosenpass.DeterministicSeedKey(conn.config.LocalKey, conn.config.Key)
+	determKey, err := conn.rosenpassDetermKey()
 	if err != nil {
 		conn.Log.Errorf("failed to generate Rosenpass initial key: %v", err)
 		return nil
@@ -909,6 +908,26 @@ func (conn *Conn) presharedKey(remoteRosenpassKey []byte) *wgtypes.Key {
 	return determKey
 }
 
+// todo: move this logic into Rosenpass package
+func (conn *Conn) rosenpassDetermKey() (*wgtypes.Key, error) {
+	lk := []byte(conn.config.LocalKey)
+	rk := []byte(conn.config.Key) // remote key
+	var keyInput []byte
+	if string(lk) > string(rk) {
+		//nolint:gocritic
+		keyInput = append(lk[:16], rk[:16]...)
+	} else {
+		//nolint:gocritic
+		keyInput = append(rk[:16], lk[:16]...)
+	}
+
+	key, err := wgtypes.NewKey(keyInput)
+	if err != nil {
+		return nil, err
+	}
+	return &key, nil
+}
+
 func isController(config ConnConfig) bool {
 	return config.LocalKey > config.Key
 }

client/internal/portforward/pcp/nat.go

@@ -179,8 +179,10 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 	}
 
 	dst := net.IPv4zero
-	if runtime.GOOS == "linux" {
-		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
+	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
+		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux/Android.
+		// TODO: on android/ios, use platform APIs (ConnectivityManager.getLinkProperties /
+		// NWPathMonitor) when netlink-based lookup is restricted or unavailable.
 		dst = net.IPv4(0, 0, 0, 1)
 	}
 	_, gateway, localIP, err = router.Route(dst)
@@ -203,7 +205,7 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 	}
 
 	dst := net.IPv6zero
-	if runtime.GOOS == "linux" {
+	if runtime.GOOS == "linux" || runtime.GOOS == "android" {
 		// ::2
 		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
 	}

client/internal/rosenpass/manager.go

@@ -28,15 +28,6 @@ func hashRosenpassKey(key []byte) string {
 	return hex.EncodeToString(hasher.Sum(nil))
 }
 
-// rpServer is the subset of rp.Server used by Manager. Defined as an interface
-// so tests can substitute a mock without spinning up a real UDP server.
-type rpServer interface {
-	AddPeer(rp.PeerConfig) (rp.PeerID, error)
-	RemovePeer(rp.PeerID) error
-	Run() error
-	Close() error
-}
-
 type Manager struct {
 	ifaceName    string
 	spk          []byte
@@ -45,7 +36,7 @@ type Manager struct {
 	preSharedKey *[32]byte
 	rpPeerIDs    map[string]*rp.PeerID
 	rpWgHandler  *NetbirdHandler
-	server       rpServer
+	server       *rp.Server
 	lock         sync.Mutex
 	port         int
 	wgIface      PresharedKeySetter
@@ -60,22 +51,7 @@ func NewManager(preSharedKey *wgtypes.Key, wgIfaceName string) (*Manager, error)
 
 	rpKeyHash := hashRosenpassKey(public)
 	log.Tracef("generated new rosenpass key pair with public key %s", rpKeyHash)
-	return &Manager{
-		ifaceName:    wgIfaceName,
-		rpKeyHash:    rpKeyHash,
-		spk:          public,
-		ssk:          secret,
-		preSharedKey: (*[32]byte)(preSharedKey),
-		rpPeerIDs:    make(map[string]*rp.PeerID),
-		// rpWgHandler is created here (instead of only in generateConfig) so it
-		// is never nil between NewManager and Run(). Otherwise an early
-		// OnConnected call (race observed on Android, issue #4341) panics on
-		// nil receiver in addPeer -> m.rpWgHandler.AddPeer. generateConfig will
-		// replace it with a fresh handler on each Run() to clear stale peer
-		// state from previous engine sessions.
-		rpWgHandler: NewNetbirdHandler(),
-		lock:        sync.Mutex{},
-	}, nil
+	return &Manager{ifaceName: wgIfaceName, rpKeyHash: rpKeyHash, spk: public, ssk: secret, preSharedKey: (*[32]byte)(preSharedKey), rpPeerIDs: make(map[string]*rp.PeerID), lock: sync.Mutex{}}, nil
 }
 
 func (m *Manager) GetPubKey() []byte {
@@ -89,16 +65,6 @@ func (m *Manager) GetAddress() *net.UDPAddr {
 
 // addPeer adds a new peer to the Rosenpass server
 func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuardIP string, wireGuardPubKey string) error {
-	// Defense in depth against issue #4341 (Android crash): if Run() has not
-	// completed yet, m.server / m.rpWgHandler may be nil. Return an explicit
-	// error instead of panicking on nil-receiver dereference.
-	if m.server == nil {
-		return fmt.Errorf("rosenpass server not initialized")
-	}
-	if m.rpWgHandler == nil {
-		return fmt.Errorf("rosenpass wg handler not initialized")
-	}
-
 	var err error
 	pcfg := rp.PeerConfig{PublicKey: rosenpassPubKey}
 	if m.preSharedKey != nil {
@@ -113,16 +79,6 @@ func (m *Manager) addPeer(rosenpassPubKey []byte, rosenpassAddr string, wireGuar
 		if pcfg.Endpoint, err = net.ResolveUDPAddr("udp", peerAddr); err != nil {
 			return fmt.Errorf("failed to resolve peer endpoint address: %w", err)
 		}
-		// Our local Rosenpass UDP server binds on the IPv6 wildcard ([::]) — see
-		// GetAddress(). The remote peer's endpoint (pcfg.Endpoint) is the destination
-		// our server will sendto when initiating handshakes. ResolveUDPAddr returns a
-		// 4-byte IPv4 for IPv4 hosts, which the kernel rejects (EDESTADDRREQ) when
-		// sent from an AF_INET6 socket. Normalize the remote endpoint to IPv4-mapped
-		// IPv6 so its address family matches our listening socket.
-		// TODO: maybe bind the Rosenpass UDP server to the peer wg IP addr
-		if v4 := pcfg.Endpoint.IP.To4(); v4 != nil {
-			pcfg.Endpoint.IP = v4.To16()
-		}
 	}
 	peerID, err := m.server.AddPeer(pcfg)
 	if err != nil {
@@ -226,31 +182,24 @@ func (m *Manager) Run() error {
 		return err
 	}
 
-	server, err := rp.NewUDPServer(conf)
+	m.server, err = rp.NewUDPServer(conf)
 	if err != nil {
 		return err
 	}
 
-	m.lock.Lock()
-	m.server = server
-	m.lock.Unlock()
-
 	log.Infof("starting rosenpass server on port %d", m.port)
 
-	return server.Run()
+	return m.server.Run()
 }
 
 // Close closes the Rosenpass server
 func (m *Manager) Close() error {
-	m.lock.Lock()
-	server := m.server
-	m.server = nil
-	m.lock.Unlock()
-	if server == nil {
-		return nil
-	}
-	if err := server.Close(); err != nil {
-		log.Errorf("failed closing local rosenpass server: %v", err)
+	if m.server != nil {
+		err := m.server.Close()
+		if err != nil {
+			log.Errorf("failed closing local rosenpass server")
+		}
+		m.server = nil
 	}
 	return nil
 }

client/internal/rosenpass/manager_test.go

@@ -1,412 +1,14 @@
 package rosenpass
 
 import (
-	"errors"
-	"os"
-	"sync"
 	"testing"
 
-	rp "cunicu.li/go-rosenpass"
 	"github.com/stretchr/testify/require"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-// --- test doubles -----------------------------------------------------------
-
-type addPeerCall struct {
-	cfg rp.PeerConfig
-}
-
-type removePeerCall struct {
-	id rp.PeerID
-}
-
-type mockServer struct {
-	mu         sync.Mutex
-	addCalls   []addPeerCall
-	removed    []removePeerCall
-	nextID     rp.PeerID
-	addErr     error
-	removeErr  error
-	closed     bool
-	ran        bool
-}
-
-func (m *mockServer) AddPeer(cfg rp.PeerConfig) (rp.PeerID, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.addCalls = append(m.addCalls, addPeerCall{cfg: cfg})
-	if m.addErr != nil {
-		return rp.PeerID{}, m.addErr
-	}
-	// Increment a byte in nextID so distinct peers get distinct IDs.
-	m.nextID[0]++
-	return m.nextID, nil
-}
-
-func (m *mockServer) RemovePeer(id rp.PeerID) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.removed = append(m.removed, removePeerCall{id: id})
-	return m.removeErr
-}
-
-func (m *mockServer) Run() error  { m.ran = true; return nil }
-func (m *mockServer) Close() error { m.closed = true; return nil }
-
-type setPSKCall struct {
-	peerKey    string
-	psk        wgtypes.Key
-	updateOnly bool
-}
-
-type mockIface struct {
-	mu    sync.Mutex
-	calls []setPSKCall
-	err   error
-}
-
-func (m *mockIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.calls = append(m.calls, setPSKCall{peerKey: peerKey, psk: psk, updateOnly: updateOnly})
-	return m.err
-}
-
-// newTestManager builds a Manager with deterministic spk so tie-break
-// against a peer pubkey is controllable from tests. The provided spk byte
-// becomes the first byte; remaining bytes are zero.
-func newTestManager(spkFirstByte byte, mock *mockServer) *Manager {
-	spk := make([]byte, 32)
-	spk[0] = spkFirstByte
-	return &Manager{
-		ifaceName:   "wt0",
-		spk:         spk,
-		ssk:         make([]byte, 32),
-		rpKeyHash:   "test-hash",
-		rpPeerIDs:   make(map[string]*rp.PeerID),
-		rpWgHandler: NewNetbirdHandler(),
-		server:      mock,
-	}
-}
-
-// validWGKey returns a deterministic 32-byte wireguard public key (base64).
-func validWGKey(t *testing.T, lastByte byte) string {
-	t.Helper()
-	var k wgtypes.Key
-	k[31] = lastByte
-	return k.String()
-}
-
-// --- pure helpers ----------------------------------------------------------
-
-func TestHashRosenpassKey_Deterministic(t *testing.T) {
-	key := []byte("hello-rosenpass")
-	require.Equal(t, hashRosenpassKey(key), hashRosenpassKey(key))
-	require.Len(t, hashRosenpassKey(key), 64) // sha256 hex
-}
-
-func TestHashRosenpassKey_DifferentInputsDifferOutputs(t *testing.T) {
-	require.NotEqual(t, hashRosenpassKey([]byte("a")), hashRosenpassKey([]byte("b")))
-}
-
-func TestGetLogLevel_DefaultWhenUnset(t *testing.T) {
-	// Snapshot + unset to exercise the LookupEnv ok=false branch. t.Setenv
-	// can only set, not delete, so do it manually with restore via t.Cleanup.
-	prev, hadPrev := os.LookupEnv(defaultLogLevelVar)
-	require.NoError(t, os.Unsetenv(defaultLogLevelVar))
-	t.Cleanup(func() {
-		if hadPrev {
-			_ = os.Setenv(defaultLogLevelVar, prev)
-		} else {
-			_ = os.Unsetenv(defaultLogLevelVar)
-		}
-	})
-	require.Equal(t, defaultLog.String(), getLogLevel().String())
-}
-
-func TestGetLogLevel_Cases(t *testing.T) {
-	cases := map[string]string{
-		"debug":   "DEBUG",
-		"info":    "INFO",
-		"warn":    "WARN",
-		"error":   "ERROR",
-		"unknown": "INFO", // default fallback
-	}
-	for input, wantStr := range cases {
-		input, wantStr := input, wantStr
-		t.Run(input, func(t *testing.T) {
-			t.Setenv(defaultLogLevelVar, input)
-			require.Equal(t, wantStr, getLogLevel().String())
-		})
-	}
-}
-
 func TestFindRandomAvailableUDPPort(t *testing.T) {
 	port, err := findRandomAvailableUDPPort()
 	require.NoError(t, err)
 	require.Greater(t, port, 0)
 	require.LessOrEqual(t, port, 65535)
 }
-
-// --- addPeer ---------------------------------------------------------------
-
-func TestAddPeer_HigherLocalPubkey_SetsEndpoint(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv) // local spk lexicographically larger
-
-	remotePubKey := make([]byte, 32) // remote spk = all zeros (smaller)
-	err := m.addPeer(remotePubKey, "rosenpass-host:7000", "100.1.1.1", validWGKey(t, 1))
-	require.NoError(t, err)
-	require.Len(t, srv.addCalls, 1)
-
-	ep := srv.addCalls[0].cfg.Endpoint
-	require.NotNil(t, ep, "initiator side must set Endpoint")
-	require.Equal(t, 7000, ep.Port)
-	require.Equal(t, "100.1.1.1", ep.IP.String())
-}
-
-func TestAddPeer_HigherLocalPubkey_EndpointIPIsIPv4Mapped(t *testing.T) {
-	// Regression guard for the EDESTADDRREQ fix: Endpoint.IP must be 16-byte
-	// (IPv4-mapped IPv6) so it matches the AF_INET6 listening socket family.
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.NoError(t, err)
-
-	ep := srv.addCalls[0].cfg.Endpoint
-	require.NotNil(t, ep)
-	require.Len(t, ep.IP, 16, "IPv4 endpoint must be normalized to 16-byte v4-mapped form")
-	require.True(t, ep.IP.To4() != nil, "Endpoint must still be detected as IPv4")
-}
-
-func TestAddPeer_LowerLocalPubkey_LeavesEndpointNil(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0x00, srv) // local spk smaller
-
-	remotePubKey := make([]byte, 32)
-	remotePubKey[0] = 0xFF
-	err := m.addPeer(remotePubKey, "rp:5000", "100.1.1.1", validWGKey(t, 2))
-	require.NoError(t, err)
-
-	require.Nil(t, srv.addCalls[0].cfg.Endpoint, "responder side must NOT set Endpoint")
-}
-
-func TestAddPeer_PresharedKeyPropagated(t *testing.T) {
-	srv := &mockServer{}
-	psk := &wgtypes.Key{0x42}
-	m := newTestManager(0xFF, srv)
-	m.preSharedKey = (*[32]byte)(psk)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 3))
-	require.NoError(t, err)
-	require.Equal(t, [32]byte(*psk), [32]byte(srv.addCalls[0].cfg.PresharedKey))
-}
-
-func TestAddPeer_InvalidRosenpassAddr_ReturnsError(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv) // initiator path → parses rosenpassAddr
-
-	err := m.addPeer(make([]byte, 32), "not-a-host-port", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Empty(t, srv.addCalls, "server.AddPeer must not run when address parse fails")
-}
-
-func TestAddPeer_InvalidWireGuardPubKey_ReturnsError(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", "not-a-valid-key")
-	require.Error(t, err)
-}
-
-func TestAddPeer_ServerError_Propagates(t *testing.T) {
-	srv := &mockServer{addErr: errors.New("boom")}
-	m := newTestManager(0xFF, srv)
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-}
-
-// Regression guard for issue #4341 (Android crash). If Run() has not completed
-// before OnConnected fires, m.rpWgHandler or m.server may be nil. Without the
-// nil guards, m.rpWgHandler.AddPeer panics on nil receiver.
-func TestAddPeer_NilHandler_ReturnsErrorNoCrash(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-	m.rpWgHandler = nil // simulate Run() not yet completed
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "wg handler not initialized")
-}
-
-func TestAddPeer_NilServer_ReturnsErrorNoCrash(t *testing.T) {
-	m := newTestManager(0xFF, nil)
-	m.server = nil // simulate Run() not yet completed
-
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", validWGKey(t, 1))
-	require.Error(t, err)
-	require.Contains(t, err.Error(), "server not initialized")
-}
-
-// NewManager must pre-initialize rpWgHandler so the nil-receiver crash from
-// issue #4341 cannot occur in the window between NewManager and Run().
-func TestNewManager_PreInitializesHandler(t *testing.T) {
-	psk := wgtypes.Key{}
-	m, err := NewManager(&psk, "wt0")
-	require.NoError(t, err)
-	require.NotNil(t, m.rpWgHandler, "rpWgHandler must be initialized in NewManager")
-}
-
-func TestAddPeer_RecordsPeerID(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 5)
-	err := m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey)
-	require.NoError(t, err)
-	require.Contains(t, m.rpPeerIDs, wgKey)
-}
-
-// --- OnConnected / OnDisconnected ------------------------------------------
-
-func TestOnConnected_NilRemotePubKey_NoAddPeer(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	m.OnConnected(validWGKey(t, 1), nil, "100.1.1.1", "rp:5000")
-	require.Empty(t, srv.addCalls, "nil remote rosenpass pubkey must skip AddPeer")
-	require.Empty(t, m.rpPeerIDs)
-}
-
-func TestOnConnected_ValidPubKey_CallsAddPeer(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 1)
-	m.OnConnected(wgKey, make([]byte, 32), "100.1.1.1", "rp:5000")
-	require.Len(t, srv.addCalls, 1)
-	require.Contains(t, m.rpPeerIDs, wgKey)
-}
-
-func TestOnDisconnected_UnknownPeer_NoOp(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	m.OnDisconnected(validWGKey(t, 99))
-	require.Empty(t, srv.removed, "unknown peer key must not call RemovePeer")
-}
-
-func TestOnDisconnected_KnownPeer_CallsRemoveAndForgets(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 1)
-	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
-	require.Contains(t, m.rpPeerIDs, wgKey)
-
-	m.OnDisconnected(wgKey)
-	require.Len(t, srv.removed, 1)
-	require.NotContains(t, m.rpPeerIDs, wgKey, "peer must be forgotten after disconnect")
-}
-
-// --- IsPresharedKeyInitialized ---------------------------------------------
-
-func TestIsPresharedKeyInitialized_UnknownPeer_ReturnsFalse(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-	require.False(t, m.IsPresharedKeyInitialized(validWGKey(t, 1)))
-}
-
-func TestIsPresharedKeyInitialized_AddedButNotHandshaken_ReturnsFalse(t *testing.T) {
-	srv := &mockServer{}
-	m := newTestManager(0xFF, srv)
-
-	wgKey := validWGKey(t, 2)
-	require.NoError(t, m.addPeer(make([]byte, 32), "rp:5000", "100.1.1.1", wgKey))
-	require.False(t, m.IsPresharedKeyInitialized(wgKey))
-}
-
-// --- NetbirdHandler.outputKey ----------------------------------------------
-
-func TestHandler_OutputKey_FirstCallUsesUpdateOnlyFalse(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x01}
-	wgKey := wgtypes.Key{0xAA}
-	h.AddPeer(pid, "wt0", rp.Key(wgKey))
-
-	psk := rp.Key{0xBB}
-	h.HandshakeCompleted(pid, psk)
-
-	require.Len(t, iface.calls, 1)
-	require.False(t, iface.calls[0].updateOnly, "first PSK rotation must use updateOnly=false")
-	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
-}
-
-func TestHandler_OutputKey_SubsequentCallsUseUpdateOnlyTrue(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x02}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xCC}))
-
-	h.HandshakeCompleted(pid, rp.Key{0x01}) // first
-	h.HandshakeCompleted(pid, rp.Key{0x02}) // second
-
-	require.Len(t, iface.calls, 2)
-	require.False(t, iface.calls[0].updateOnly)
-	require.True(t, iface.calls[1].updateOnly, "subsequent rotations must use updateOnly=true")
-}
-
-func TestHandler_OutputKey_NilInterface_NoCrashNoCall(t *testing.T) {
-	h := NewNetbirdHandler()
-	// no SetInterface — iface remains nil
-	pid := rp.PeerID{0x03}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{}))
-
-	// Must not panic.
-	h.HandshakeCompleted(pid, rp.Key{})
-}
-
-func TestHandler_OutputKey_UnknownPeer_NoCall(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	h.HandshakeCompleted(rp.PeerID{0xFF}, rp.Key{})
-	require.Empty(t, iface.calls, "unknown peer id must not trigger SetPresharedKey")
-}
-
-func TestHandler_RemovePeer_ClearsInitializedState(t *testing.T) {
-	h := NewNetbirdHandler()
-	iface := &mockIface{}
-	h.SetInterface(iface)
-
-	pid := rp.PeerID{0x04}
-	h.AddPeer(pid, "wt0", rp.Key(wgtypes.Key{0xDD}))
-	h.HandshakeCompleted(pid, rp.Key{0x01})
-	require.True(t, h.IsPeerInitialized(pid))
-
-	h.RemovePeer(pid)
-	require.False(t, h.IsPeerInitialized(pid), "RemovePeer must clear initialized flag")
-}
-
-func TestHandler_SetInterfaceAfterAddPeer_StillReceivesKey(t *testing.T) {
-	h := NewNetbirdHandler()
-	pid := rp.PeerID{0x05}
-	wgKey := wgtypes.Key{0xEE}
-	h.AddPeer(pid, "wt0", rp.Key(wgKey))
-
-	iface := &mockIface{}
-	h.SetInterface(iface) // set after AddPeer
-
-	h.HandshakeCompleted(pid, rp.Key{0x42})
-	require.Len(t, iface.calls, 1)
-	require.Equal(t, wgKey.String(), iface.calls[0].peerKey)
-}

client/internal/rosenpass/seed.go

@@ -1,42 +0,0 @@
-package rosenpass
-
-import (
-	"fmt"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-)
-
-// DeterministicSeedKey derives a 32-byte WireGuard preshared key from a pair
-// of peer public keys. Both peers, given the same key pair, produce the same
-// output regardless of which side runs the function: the inputs are ordered
-// lexicographically before concatenation.
-//
-// NetBird uses this value as the initial Rosenpass-side preshared key when no
-// explicit account-level PSK is configured, so both peers converge on the same
-// PSK before the first post-quantum handshake completes.
-//
-// The resulting key MUST NOT be treated as quantum-safe: it is deterministic
-// from public keys and exists only to seed WireGuard until Rosenpass rotates
-// in a real post-quantum PSK.
-func DeterministicSeedKey(localKey, remoteKey string) (*wgtypes.Key, error) {
-	lk := []byte(localKey)
-	rk := []byte(remoteKey)
-	if len(lk) < 16 || len(rk) < 16 {
-		return nil, fmt.Errorf("rosenpass: peer keys must be at least 16 bytes (got local=%d, remote=%d)", len(lk), len(rk))
-	}
-
-	var keyInput []byte
-	if localKey > remoteKey {
-		keyInput = append(keyInput, lk[:16]...)
-		keyInput = append(keyInput, rk[:16]...)
-	} else {
-		keyInput = append(keyInput, rk[:16]...)
-		keyInput = append(keyInput, lk[:16]...)
-	}
-
-	key, err := wgtypes.NewKey(keyInput)
-	if err != nil {
-		return nil, fmt.Errorf("rosenpass: deterministic seed key: %w", err)
-	}
-	return &key, nil
-}

client/internal/rosenpass/seed_test.go

@@ -1,44 +0,0 @@
-package rosenpass
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-)
-
-func TestDeterministicSeedKey_SameForBothSides(t *testing.T) {
-	// Peer A and peer B must derive the same PSK regardless of which side
-	// computes it: the function orders inputs internally.
-	a := strings.Repeat("a", 32)
-	b := strings.Repeat("b", 32)
-
-	keyAB, err := DeterministicSeedKey(a, b)
-	require.NoError(t, err)
-	keyBA, err := DeterministicSeedKey(b, a)
-	require.NoError(t, err)
-	require.Equal(t, keyAB.String(), keyBA.String(), "swapping arguments must yield identical key")
-}
-
-func TestDeterministicSeedKey_ChangesWithKeys(t *testing.T) {
-	a := strings.Repeat("a", 32)
-	b := strings.Repeat("b", 32)
-	c := strings.Repeat("c", 32)
-
-	keyAB, err := DeterministicSeedKey(a, b)
-	require.NoError(t, err)
-	keyAC, err := DeterministicSeedKey(a, c)
-	require.NoError(t, err)
-	require.NotEqual(t, keyAB.String(), keyAC.String(), "different peer pair must yield different key")
-}
-
-func TestDeterministicSeedKey_TooShortKey_ReturnsError(t *testing.T) {
-	short := "short" // < 16 bytes
-	long := strings.Repeat("x", 32)
-
-	_, err := DeterministicSeedKey(short, long)
-	require.Error(t, err)
-	_, err = DeterministicSeedKey(long, short)
-	require.Error(t, err)
-}
-

go.mod

@@ -3,7 +3,7 @@ module github.com/netbirdio/netbird
 go 1.25.5
 
 require (
-	cunicu.li/go-rosenpass v0.5.42
+	cunicu.li/go-rosenpass v0.4.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/golang/protobuf v1.5.4
@@ -19,8 +19,8 @@ require (
 	github.com/vishvananda/netlink v1.3.1
 	golang.org/x/crypto v0.50.0
 	golang.org/x/sys v0.43.0
-	golang.zx2c4.com/wireguard v0.0.0-20231211153847-12269c276173
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
+	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	google.golang.org/grpc v1.80.0
 	google.golang.org/protobuf v1.36.11
@@ -38,7 +38,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.87.3
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
-	github.com/cilium/ebpf v0.19.0
+	github.com/cilium/ebpf v0.15.0
 	github.com/coder/websocket v1.8.14
 	github.com/coreos/go-iptables v0.7.0
 	github.com/coreos/go-oidc/v3 v3.18.0
@@ -60,7 +60,7 @@ require (
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
 	github.com/google/nftables v0.3.0
-	github.com/gopacket/gopacket v1.4.0
+	github.com/gopacket/gopacket v1.1.1
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357
 	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2

go.sum

@@ -7,8 +7,8 @@ cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdB
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
 codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6 h1:b8xUw3004wk+3ipBhu0VU4RtUJsegMIiqjxSK4++lzA=
 codeberg.org/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6/go.mod h1:+CauBF6R70Jqcyl8N2hC8pAXYbWkGIezuSbuGLtRhnw=
-cunicu.li/go-rosenpass v0.5.42 h1:fRDsGwCxd7DhDgZI1Pxeo8GtNyq8BESZJ7w2/BGGJtU=
-cunicu.li/go-rosenpass v0.5.42/go.mod h1:YRBeyKOe/gWpSX2kpDUec5p9t0XOLsshTguId5gTGVg=
+cunicu.li/go-rosenpass v0.4.0 h1:LtPtBgFWY/9emfgC4glKLEqS0MJTylzV6+ChRhiZERw=
+cunicu.li/go-rosenpass v0.4.0/go.mod h1:MPbjH9nxV4l3vEagKVdFNwHOketqgS5/To1VYJplf/M=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
@@ -111,8 +111,8 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cilium/ebpf v0.19.0 h1:Ro/rE64RmFBeA9FGjcTc+KmCeY6jXmryu6FfnzPRIao=
-github.com/cilium/ebpf v0.19.0/go.mod h1:fLCgMo3l8tZmAdM3B2XqdFzXBpwkcSTroaVqN08OWVY=
+github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
+github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
 github.com/coder/websocket v1.8.14/go.mod h1:NX3SzP+inril6yawo5CQXx8+fk145lPDC6pumgx0mVg=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -225,8 +225,8 @@ github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3Bum
 github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
 github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
-github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6 h1:teYtXy9B7y5lHTp8V9KPxpYRAVA7dozigQcMiBust1s=
-github.com/go-quicktest/qt v1.101.1-0.20240301121107-c6c8733fa1e6/go.mod h1:p4lGIVX+8Wa6ZPNDvqcxq36XpUDLh42FLetFU7odllI=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
@@ -307,8 +307,8 @@ github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA
 github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.21.0 h1:h45NjjzEO3faG9Lg/cFrBh2PgegVVgzqKzuZl/wMbiI=
 github.com/googleapis/gax-go/v2 v2.21.0/go.mod h1:But/NJU6TnZsrLai/xBAQLLz+Hc7fHZJt/hsCz3Fih4=
-github.com/gopacket/gopacket v1.4.0 h1:cr1OlFpzksCkZHNO0eLjaSSOrMQnpPXg0j6qHIY3y2U=
-github.com/gopacket/gopacket v1.4.0/go.mod h1:EpvsxINeehp5qj4YMKMLf2/dekdhKn2IIAO/ZOifS7o=
+github.com/gopacket/gopacket v1.1.1 h1:zbx9F9d6A7sWNkFKrvMBZTfGgxFoY4NgUudFVVHMfcw=
+github.com/gopacket/gopacket v1.1.1/go.mod h1:HavMeONEl7W9036of9LbSWoonqhH7HA1+ZRO+rMIvFs=
 github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -390,8 +390,6 @@ github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbd
 github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/jsimonetti/rtnetlink/v2 v2.0.1 h1:xda7qaHDSVOsADNouv7ukSuicKZO7GgVUCXxpaIEIlM=
-github.com/jsimonetti/rtnetlink/v2 v2.0.1/go.mod h1:7MoNYNbb3UaDHtF8udiJo/RH6VsTKP1pqKLUTVCvToE=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25 h1:YLvr1eE6cdCqjOe972w/cYF+FjW34v27+9Vo5106B4M=
 github.com/jsummers/gobmp v0.0.0-20230614200233-a9de23ed2e25/go.mod h1:kLgvv7o6UM+0QSf0QjAse3wReFDsb9qbZJdfexWlrQw=
@@ -902,8 +900,8 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeunTOisW56dUokqW/FOteYJJ/yg=
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6 h1:CawjfCvYQH2OU3/TnxLx97WDSUDRABfT18pCOYwc2GE=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6/go.mod h1:3rxYc4HtVcSG9gVaTs2GEBdehh+sYPOwKtyUWEOTb80=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=

management/internals/modules/reverseproxy/domain/manager/manager.go

@@ -304,10 +304,27 @@ func (m Manager) getClusterAllowList(ctx context.Context, accountID string) ([]s
 	if err != nil {
 		return nil, fmt.Errorf("get BYOP cluster addresses: %w", err)
 	}
-	if len(byopAddresses) > 0 {
-		return byopAddresses, nil
+	publicAddresses, err := m.proxyManager.GetActiveClusterAddresses(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("get public cluster addresses: %w", err)
 	}
-	return m.proxyManager.GetActiveClusterAddresses(ctx)
+	seen := make(map[string]struct{}, len(byopAddresses)+len(publicAddresses))
+	merged := make([]string, 0, len(byopAddresses)+len(publicAddresses))
+	for _, addr := range byopAddresses {
+		if _, ok := seen[addr]; ok {
+			continue
+		}
+		seen[addr] = struct{}{}
+		merged = append(merged, addr)
+	}
+	for _, addr := range publicAddresses {
+		if _, ok := seen[addr]; ok {
+			continue
+		}
+		seen[addr] = struct{}{}
+		merged = append(merged, addr)
+	}
+	return merged, nil
 }
 
 func extractClusterFromCustomDomains(serviceDomain string, customDomains []*domain.Domain) (string, bool) {

management/internals/modules/reverseproxy/domain/manager/manager_test.go

@@ -40,22 +40,37 @@ func (m *mockProxyManager) ClusterSupportsCrowdSec(_ context.Context, _ string)
 	return nil
 }
 
-func TestGetClusterAllowList_BYOPProxy(t *testing.T) {
+func TestGetClusterAllowList_BYOPMergedWithPublic(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, accID string) ([]string, error) {
 			assert.Equal(t, "acc-123", accID)
 			return []string{"byop.example.com"}, nil
 		},
 		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			t.Fatal("should not call GetActiveClusterAddresses when BYOP addresses exist")
-			return nil, nil
+			return []string{"eu.proxy.netbird.io"}, nil
 		},
 	}
 
 	mgr := Manager{proxyManager: pm}
 	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
 	require.NoError(t, err)
-	assert.Equal(t, []string{"byop.example.com"}, result)
+	assert.Equal(t, []string{"byop.example.com", "eu.proxy.netbird.io"}, result)
+}
+
+func TestGetClusterAllowList_DeduplicatesBYOPAndPublic(t *testing.T) {
+	pm := &mockProxyManager{
+		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
+			return []string{"shared.example.com", "byop.example.com"}, nil
+		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			return []string{"shared.example.com", "eu.proxy.netbird.io"}, nil
+		},
+	}
+
+	mgr := Manager{proxyManager: pm}
+	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
+	require.NoError(t, err)
+	assert.Equal(t, []string{"shared.example.com", "byop.example.com", "eu.proxy.netbird.io"}, result)
 }
 
 func TestGetClusterAllowList_NoBYOP_FallbackToShared(t *testing.T) {
@@ -79,10 +94,6 @@ func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
 			return nil, errors.New("db error")
 		},
-		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
-			t.Fatal("should not call GetActiveClusterAddresses when BYOP lookup fails")
-			return nil, nil
-		},
 	}
 
 	mgr := Manager{proxyManager: pm}
@@ -92,6 +103,23 @@ func TestGetClusterAllowList_BYOPError_ReturnsError(t *testing.T) {
 	assert.Contains(t, err.Error(), "BYOP cluster addresses")
 }
 
+func TestGetClusterAllowList_PublicError_ReturnsError(t *testing.T) {
+	pm := &mockProxyManager{
+		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
+			return []string{"byop.example.com"}, nil
+		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			return nil, errors.New("db error")
+		},
+	}
+
+	mgr := Manager{proxyManager: pm}
+	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
+	require.Error(t, err)
+	assert.Nil(t, result)
+	assert.Contains(t, err.Error(), "public cluster addresses")
+}
+
 func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {
 	pm := &mockProxyManager{
 		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
@@ -108,3 +136,19 @@ func TestGetClusterAllowList_BYOPEmptySlice_FallbackToShared(t *testing.T) {
 	assert.Equal(t, []string{"eu.proxy.netbird.io"}, result)
 }
 
+func TestGetClusterAllowList_PublicEmpty_BYOPOnly(t *testing.T) {
+	pm := &mockProxyManager{
+		getActiveClusterAddressesForAccountFunc: func(_ context.Context, _ string) ([]string, error) {
+			return []string{"byop.example.com"}, nil
+		},
+		getActiveClusterAddressesFunc: func(_ context.Context) ([]string, error) {
+			return nil, nil
+		},
+	}
+
+	mgr := Manager{proxyManager: pm}
+	result, err := mgr.getClusterAllowList(context.Background(), "acc-123")
+	require.NoError(t, err)
+	assert.Equal(t, []string{"byop.example.com"}, result)
+}
+

management/internals/modules/reverseproxy/service/manager/manager.go

@@ -306,6 +306,10 @@ func (m *Manager) validateSubdomainRequirement(ctx context.Context, domain, clus
 func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *service.Service) error {
 	customPorts := m.clusterCustomPorts(ctx, svc)
 
+	if err := validateTargetReferences(ctx, m.store, accountID, svc.Targets); err != nil {
+		return err
+	}
+
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if svc.Domain != "" {
 			if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, ""); err != nil {
@@ -321,10 +325,6 @@ func (m *Manager) persistNewService(ctx context.Context, accountID string, svc *
 			return err
 		}
 
-		if err := validateTargetReferences(ctx, transaction, accountID, svc.Targets); err != nil {
-			return err
-		}
-
 		if err := transaction.CreateService(ctx, svc); err != nil {
 			return fmt.Errorf("create service: %w", err)
 		}
@@ -435,6 +435,10 @@ func (m *Manager) assignPort(ctx context.Context, tx store.Store, cluster string
 func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, peerID string, svc *service.Service) error {
 	customPorts := m.clusterCustomPorts(ctx, svc)
 
+	if err := validateTargetReferences(ctx, m.store, accountID, svc.Targets); err != nil {
+		return err
+	}
+
 	return m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		if err := m.validateEphemeralPreconditions(ctx, transaction, accountID, peerID, svc); err != nil {
 			return err
@@ -448,10 +452,6 @@ func (m *Manager) persistNewEphemeralService(ctx context.Context, accountID, pee
 			return err
 		}
 
-		if err := validateTargetReferences(ctx, transaction, accountID, svc.Targets); err != nil {
-			return err
-		}
-
 		if err := transaction.CreateService(ctx, svc); err != nil {
 			return fmt.Errorf("create service: %w", err)
 		}
@@ -552,10 +552,22 @@ func (m *Manager) persistServiceUpdate(ctx context.Context, accountID string, se
 	svcForCaps.ProxyCluster = effectiveCluster
 	customPorts := m.clusterCustomPorts(ctx, &svcForCaps)
 
+	if err := validateTargetReferences(ctx, m.store, accountID, service.Targets); err != nil {
+		return nil, err
+	}
+
+	// Validate subdomain requirement *before* the transaction: the underlying
+	// capability lookup talks to the main DB pool, and SQLite's single-connection
+	// pool would self-deadlock if this ran while the tx already held the only
+	// connection.
+	if err := m.validateSubdomainRequirement(ctx, service.Domain, effectiveCluster); err != nil {
+		return nil, err
+	}
+
 	var updateInfo serviceUpdateInfo
 
 	err = m.store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts)
+		return m.executeServiceUpdate(ctx, transaction, accountID, service, &updateInfo, customPorts, effectiveCluster)
 	})
 
 	return &updateInfo, err
@@ -585,7 +597,7 @@ func (m *Manager) resolveEffectiveCluster(ctx context.Context, accountID string,
 	return existing.ProxyCluster, nil
 }
 
-func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool) error {
+func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.Store, accountID string, service *service.Service, updateInfo *serviceUpdateInfo, customPorts *bool, effectiveCluster string) error {
 	existingService, err := transaction.GetServiceByID(ctx, store.LockingStrengthUpdate, accountID, service.ID)
 	if err != nil {
 		return err
@@ -603,17 +615,13 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	updateInfo.domainChanged = existingService.Domain != service.Domain
 
 	if updateInfo.domainChanged {
-		if err := m.handleDomainChange(ctx, transaction, accountID, service); err != nil {
+		if err := m.handleDomainChange(ctx, transaction, service, effectiveCluster); err != nil {
 			return err
 		}
 	} else {
 		service.ProxyCluster = existingService.ProxyCluster
 	}
 
-	if err := m.validateSubdomainRequirement(ctx, service.Domain, service.ProxyCluster); err != nil {
-		return err
-	}
-
 	m.preserveExistingAuthSecrets(service, existingService)
 	if err := validateHeaderAuthValues(service.Auth.HeaderAuths); err != nil {
 		return err
@@ -628,9 +636,6 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	if err := m.checkPortConflict(ctx, transaction, service); err != nil {
 		return err
 	}
-	if err := validateTargetReferences(ctx, transaction, accountID, service.Targets); err != nil {
-		return err
-	}
 	if err := transaction.UpdateService(ctx, service); err != nil {
 		return fmt.Errorf("update service: %w", err)
 	}
@@ -638,20 +643,18 @@ func (m *Manager) executeServiceUpdate(ctx context.Context, transaction store.St
 	return nil
 }
 
-func (m *Manager) handleDomainChange(ctx context.Context, transaction store.Store, accountID string, svc *service.Service) error {
+// handleDomainChange validates the new domain is free inside the transaction
+// and applies the pre-resolved cluster (computed outside the tx by
+// resolveEffectiveCluster). It must NOT call clusterDeriver here: that talks
+// to the main DB pool and would self-deadlock under SQLite (max_open_conns=1)
+// because the transaction already holds the only connection.
+func (m *Manager) handleDomainChange(ctx context.Context, transaction store.Store, svc *service.Service, effectiveCluster string) error {
 	if err := m.checkDomainAvailable(ctx, transaction, svc.Domain, svc.ID); err != nil {
 		return err
 	}
-
-	if m.clusterDeriver != nil {
-		newCluster, err := m.clusterDeriver.DeriveClusterFromDomain(ctx, accountID, svc.Domain)
-		if err != nil {
-			log.WithError(err).Warnf("could not derive cluster from domain %s", svc.Domain)
-		} else {
-			svc.ProxyCluster = newCluster
-		}
+	if effectiveCluster != "" {
+		svc.ProxyCluster = effectiveCluster
 	}
-
 	return nil
 }
 

management/internals/modules/reverseproxy/service/service.go

@@ -381,13 +381,14 @@ func (s *Service) buildPathMappings() []*proto.PathMapping {
 		}
 
 		// HTTP/HTTPS: build full URL
+		hostNoBrackets := strings.TrimSuffix(strings.TrimPrefix(target.Host, "["), "]")
 		targetURL := url.URL{
 			Scheme: target.Protocol,
-			Host:   target.Host,
+			Host:   bracketIPv6Host(hostNoBrackets),
 			Path:   "/",
 		}
 		if target.Port > 0 && !isDefaultPort(target.Protocol, target.Port) {
-			targetURL.Host = net.JoinHostPort(targetURL.Host, strconv.FormatUint(uint64(target.Port), 10))
+			targetURL.Host = net.JoinHostPort(hostNoBrackets, strconv.FormatUint(uint64(target.Port), 10))
 		}
 
 		path := "/"
@@ -405,6 +406,19 @@ func (s *Service) buildPathMappings() []*proto.PathMapping {
 	return pathMappings
 }
 
+// bracketIPv6Host wraps host in square brackets when it is an IPv6 literal, as
+// required for the Host field of net/url.URL (RFC 3986 §3.2.2). v4-mapped IPv6
+// addresses are bracketed too since their textual form contains colons.
+func bracketIPv6Host(host string) string {
+	if strings.HasPrefix(host, "[") {
+		return host
+	}
+	if addr, err := netip.ParseAddr(host); err == nil && addr.Is6() {
+		return "[" + host + "]"
+	}
+	return host
+}
+
 func operationToProtoType(op Operation) proto.ProxyMappingUpdateType {
 	switch op {
 	case Create:

management/internals/modules/reverseproxy/service/service_test.go

@@ -351,6 +351,83 @@ func TestToProtoMapping_PortInTargetURL(t *testing.T) {
 			port:       80,
 			wantTarget: "https://10.0.0.1:80/",
 		},
+		{
+			name:       "domain host without port is unchanged",
+			protocol:   "http",
+			host:       "example.com",
+			port:       0,
+			wantTarget: "http://example.com/",
+		},
+		{
+			name:       "domain host with non-default port is unchanged",
+			protocol:   "http",
+			host:       "example.com",
+			port:       8080,
+			wantTarget: "http://example.com:8080/",
+		},
+		{
+			name:       "ipv6 host without port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe:1::3",
+			port:       0,
+			wantTarget: "http://[fb00:cafe:1::3]/",
+		},
+		{
+			name:       "ipv6 host with default port omits port and brackets host",
+			protocol:   "http",
+			host:       "fb00:cafe:1::3",
+			port:       80,
+			wantTarget: "http://[fb00:cafe:1::3]/",
+		},
+		{
+			name:       "ipv6 host with non-default port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe:1::3",
+			port:       8080,
+			wantTarget: "http://[fb00:cafe:1::3]:8080/",
+		},
+		{
+			name:       "ipv6 loopback without port is bracketed",
+			protocol:   "http",
+			host:       "::1",
+			port:       0,
+			wantTarget: "http://[::1]/",
+		},
+		{
+			name:       "ipv6 host with 5-digit port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe::1",
+			port:       18080,
+			wantTarget: "http://[fb00:cafe::1]:18080/",
+		},
+		{
+			name:       "pre-bracketed ipv6 without port stays single-bracketed",
+			protocol:   "http",
+			host:       "[fb00:cafe::1]",
+			port:       0,
+			wantTarget: "http://[fb00:cafe::1]/",
+		},
+		{
+			name:       "pre-bracketed ipv6 with port is not double-bracketed",
+			protocol:   "http",
+			host:       "[fb00:cafe::1]",
+			port:       8080,
+			wantTarget: "http://[fb00:cafe::1]:8080/",
+		},
+		{
+			name:       "v4-mapped ipv6 host without port is bracketed",
+			protocol:   "http",
+			host:       "::ffff:10.0.0.1",
+			port:       0,
+			wantTarget: "http://[::ffff:10.0.0.1]/",
+		},
+		{
+			name:       "full-form 8-group ipv6 without port is bracketed",
+			protocol:   "http",
+			host:       "fb00:cafe:1:0:0:0:0:3",
+			port:       0,
+			wantTarget: "http://[fb00:cafe:1:0:0:0:0:3]/",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

management/server/account.go

@@ -2487,6 +2487,18 @@ func (am *DefaultAccountManager) buildIPv6AllowedPeers(ctx context.Context, tran
 			allowedPeers[peerID] = struct{}{}
 		}
 	}
+
+	// Embedded proxy peers sit outside regular group membership but must
+	// participate in any v6-enabled overlay to reach v6-only peers.
+	peers, err := transaction.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
+	if err != nil {
+		return nil, fmt.Errorf("get peers: %w", err)
+	}
+	for _, p := range peers {
+		if p.ProxyMeta.Embedded {
+			allowedPeers[p.ID] = struct{}{}
+		}
+	}
 	return allowedPeers, nil
 }
 

management/server/peer.go

@@ -762,16 +762,19 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		newPeer.IP = freeIP
 
 		if len(settings.IPv6EnabledGroups) > 0 && network.NetV6.IP != nil {
-			var allGroupID string
-			if !peer.ProxyMeta.Embedded {
-				allGroup, err := am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, "All")
-				if err != nil {
-					log.WithContext(ctx).Debugf("get All group for IPv6 allocation: %v", err)
-				} else {
+			// Embedded proxy peers are not group members but participate in any
+			// IPv6-enabled overlay so reverse-proxy traffic reaches v6-only peers.
+			allocate := peer.ProxyMeta.Embedded
+			if !allocate {
+				var allGroupID string
+				if allGroup, err := am.Store.GetGroupByName(ctx, store.LockingStrengthNone, accountID, types.GroupAllName); err == nil {
 					allGroupID = allGroup.ID
+				} else {
+					log.WithContext(ctx).Debugf("get All group for IPv6 allocation: %v", err)
 				}
+				allocate = peerWillHaveIPv6(settings, peerAddConfig.GroupsToAdd, allGroupID)
 			}
-			if peerWillHaveIPv6(settings, peerAddConfig.GroupsToAdd, allGroupID) {
+			if allocate {
 				v6Prefix, err := netip.ParsePrefix(network.NetV6.String())
 				if err != nil {
 					return nil, nil, nil, fmt.Errorf("parse IPv6 prefix: %w", err)

management/server/store/sql_store.go

@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"net/url"
 	"os"
 	"path/filepath"
 	"runtime"
@@ -2794,12 +2795,27 @@ func NewSqliteStore(ctx context.Context, dataDir string, metrics telemetry.AppMe
 		connStr = filepath.Join(dataDir, filePath)
 	}
 
-	// Append query parameters: user-provided take precedence, otherwise default to cache=shared on non-Windows
-	if hasQuery {
-		connStr += "?" + query
-	} else if runtime.GOOS != "windows" {
+	// Compose query parameters. User-provided ?_busy_timeout (or its mattn alias
+	// ?_timeout) overrides our default; otherwise inject 30s so SQLite waits at
+	// most that long on a lock instead of blocking the only Go-side connection.
+	// mattn/go-sqlite3 applies PRAGMA from the DSN on every fresh connection, so
+	// the value survives ConnMaxIdleTime/ConnMaxLifetime recycling. cache=shared
+	// stays the default on non-Windows for the same reason as before.
+	parsed, _ := url.ParseQuery(query)
+	var defaults []string
+	if parsed.Get("_busy_timeout") == "" && parsed.Get("_timeout") == "" {
+		defaults = append(defaults, "_busy_timeout=30000")
+	}
+	if !hasQuery && runtime.GOOS != "windows" {
 		// To avoid `The process cannot access the file because it is being used by another process` on Windows
-		connStr += "?cache=shared"
+		defaults = append(defaults, "cache=shared")
+	}
+	parts := defaults
+	if hasQuery {
+		parts = append(parts, query)
+	}
+	if len(parts) > 0 {
+		connStr += "?" + strings.Join(parts, "&")
 	}
 
 	db, err := gorm.Open(sqlite.Open(connStr), getGormConfig())
@@ -3402,7 +3418,7 @@ func (s *SqlStore) IncrementNetworkSerial(ctx context.Context, accountId string)
 }
 
 func (s *SqlStore) ExecuteInTransaction(ctx context.Context, operation func(store Store) error) error {
-	timeoutCtx, cancel := context.WithTimeout(context.Background(), s.transactionTimeout)
+	timeoutCtx, cancel := context.WithTimeout(ctx, s.transactionTimeout)
 	defer cancel()
 
 	startTime := time.Now()

management/server/store/sql_store_test.go

@@ -4592,3 +4592,55 @@ func TestSqlStore_DeleteZoneDNSRecords(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, 0, len(remainingRecords))
 }
+
+// TestNewSqliteStore_BusyTimeoutApplied opens a fresh SQLite store and verifies
+// that the _busy_timeout DSN parameter took effect at the driver level. Without
+// this, lock contention on the single SQLite connection waits indefinitely on
+// the Go side and can be hidden behind the 5-minute transactionTimeout.
+func TestNewSqliteStore_BusyTimeoutApplied(t *testing.T) {
+	dir := t.TempDir()
+	store, err := NewSqliteStore(context.Background(), dir, nil, true)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = store.Close(context.Background())
+	})
+
+	sqlDB, err := store.db.DB()
+	require.NoError(t, err)
+	row := sqlDB.QueryRow("PRAGMA busy_timeout")
+	var busyTimeout int
+	require.NoError(t, row.Scan(&busyTimeout))
+	assert.Equal(t, 30000, busyTimeout, "SQLite busy_timeout must be set via DSN so it survives connection recycling")
+}
+
+// TestNewSqliteStore_BusyTimeoutRespectsUserOverride confirms that an operator
+// passing _busy_timeout or its mattn alias _timeout via NB_STORE_ENGINE_SQLITE_FILE
+// wins over our 30s default. This guards the DSN merge logic in NewSqliteStore.
+func TestNewSqliteStore_BusyTimeoutRespectsUserOverride(t *testing.T) {
+	cases := []struct {
+		name     string
+		envFile  string
+		expected int
+	}{
+		{name: "explicit _busy_timeout wins", envFile: "store.db?_busy_timeout=5000", expected: 5000},
+		{name: "alias _timeout wins", envFile: "store.db?_timeout=7000", expected: 7000},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Setenv("NB_STORE_ENGINE_SQLITE_FILE", tc.envFile)
+			dir := t.TempDir()
+			store, err := NewSqliteStore(context.Background(), dir, nil, true)
+			require.NoError(t, err)
+			t.Cleanup(func() {
+				_ = store.Close(context.Background())
+			})
+
+			sqlDB, err := store.db.DB()
+			require.NoError(t, err)
+			row := sqlDB.QueryRow("PRAGMA busy_timeout")
+			var busyTimeout int
+			require.NoError(t, row.Scan(&busyTimeout))
+			assert.Equal(t, tc.expected, busyTimeout)
+		})
+	}
+}

management/server/types/account.go

@@ -598,28 +598,21 @@ func (a *Account) GetPeerGroups(peerID string) LookupMap {
 	return groupList
 }
 
-// PeerIPv6Allowed reports whether the given peer is in any of the account's IPv6 enabled groups.
+// PeerIPv6Allowed reports whether the given peer participates in the IPv6 overlay.
 // Returns false if IPv6 is disabled or no groups are configured.
 func (a *Account) PeerIPv6Allowed(peerID string) bool {
-	if len(a.Settings.IPv6EnabledGroups) == 0 {
-		return false
-	}
-
-	for _, groupID := range a.Settings.IPv6EnabledGroups {
-		group, ok := a.Groups[groupID]
-		if !ok {
-			continue
-		}
-		if slices.Contains(group.Peers, peerID) {
-			return true
-		}
-	}
-	return false
+	_, ok := a.peerIPv6AllowedSet()[peerID]
+	return ok
 }
 
-// peerIPv6AllowedSet returns a set of peer IDs that belong to any IPv6-enabled group.
+// peerIPv6AllowedSet returns the set of peer IDs that participate in the IPv6 overlay:
+// members of any IPv6-enabled group, plus every embedded proxy peer (which sit outside
+// regular group membership but must reach v6-enabled peers).
 func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 	result := make(map[string]struct{})
+	if len(a.Settings.IPv6EnabledGroups) == 0 {
+		return result
+	}
 	for _, groupID := range a.Settings.IPv6EnabledGroups {
 		group, ok := a.Groups[groupID]
 		if !ok {
@@ -629,6 +622,11 @@ func (a *Account) peerIPv6AllowedSet() map[string]struct{} {
 			result[peerID] = struct{}{}
 		}
 	}
+	for id, p := range a.Peers {
+		if p != nil && p.ProxyMeta.Embedded {
+			result[id] = struct{}{}
+		}
+	}
 	return result
 }
 

management/server/types/group.go

@@ -92,9 +92,12 @@ func (g *Group) HasPeers() bool {
 	return len(g.Peers) > 0
 }
 
+// GroupAllName is the reserved name of the default group that contains every peer in an account.
+const GroupAllName = "All"
+
 // IsGroupAll checks if the group is a default "All" group.
 func (g *Group) IsGroupAll() bool {
-	return g.Name == "All"
+	return g.Name == GroupAllName
 }
 
 // AddPeer adds peerID to Peers if not present, returning true if added.

management/server/types/ipv6_groups_test.go

@@ -232,3 +232,33 @@ func TestIPv6RecalculationOnGroupChange(t *testing.T) {
 		assert.True(t, account.PeerIPv6Allowed("peer3"), "peer3 now in infra")
 	})
 }
+
+func TestPeerIPv6AllowedEmbeddedProxy(t *testing.T) {
+	account := &Account{
+		Peers: map[string]*nbpeer.Peer{
+			"peer1": {ID: "peer1"},
+			"proxy": {ID: "proxy", ProxyMeta: nbpeer.ProxyMeta{Embedded: true, Cluster: "netbird.test"}},
+		},
+		Groups: map[string]*Group{
+			"group-devs": {ID: "group-devs", Peers: []string{"peer1"}},
+		},
+		Settings: &Settings{},
+	}
+
+	t.Run("embedded proxy allowed when any v6 group exists, without group membership", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		assert.True(t, account.PeerIPv6Allowed("proxy"), "embedded proxy participates in v6 overlay")
+		assert.True(t, account.PeerIPv6Allowed("peer1"), "regular peer in enabled group still allowed")
+	})
+
+	t.Run("embedded proxy denied when no v6 group enabled", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = nil
+		assert.False(t, account.PeerIPv6Allowed("proxy"), "v6 disabled account-wide denies embedded proxies too")
+	})
+
+	t.Run("non-embedded peer outside any enabled group is not pulled in", func(t *testing.T) {
+		account.Settings.IPv6EnabledGroups = []string{"group-devs"}
+		account.Peers["lonely"] = &nbpeer.Peer{ID: "lonely"}
+		assert.False(t, account.PeerIPv6Allowed("lonely"), "embedded-proxy bypass must not leak to regular peers")
+	})
+}