Bump github.com/oapi-codegen/runtime from 1.1.2 to 1.4.2

Bumps [github.com/oapi-codegen/runtime](https://github.com/oapi-codegen/runtime) from 1.1.2 to 1.4.2.
- [Release notes](https://github.com/oapi-codegen/runtime/releases)
- [Commits](https://github.com/oapi-codegen/runtime/compare/v1.1.2...v1.4.2)

---
updated-dependencies:
- dependency-name: github.com/oapi-codegen/runtime
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

client/android/env_list.go

@@ -10,7 +10,7 @@ var (
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
 
 	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
-	EnvKeyNBLazyConn = lazyconn.EnvLazyConn
+	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
 
 	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
 	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold

client/cmd/root.go

@@ -210,8 +210,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
-	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "Deprecated: no longer used. Lazy connections are controlled by the server and the NB_LAZY_CONN environment variable.")
-	_ = upCmd.PersistentFlags().MarkDeprecated(enableLazyConnectionFlag, "no longer used; lazy connections are controlled by the server and the NB_LAZY_CONN environment variable")
+	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")
 
 }
 

client/cmd/up.go

@@ -479,6 +479,10 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.DisableIpv6 = &disableIPv6
 	}
 
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		req.LazyConnectionEnabled = &lazyConnEnabled
+	}
+
 	return &req
 }
 
@@ -596,6 +600,9 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.DisableIPv6 = &disableIPv6
 	}
 
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		ic.LazyConnectionEnabled = &lazyConnEnabled
+	}
 	return &ic, nil
 }
 
@@ -711,6 +718,9 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.DisableIpv6 = &disableIPv6
 	}
 
+	if cmd.Flag(enableLazyConnectionFlag).Changed {
+		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
+	}
 	return &loginRequest, nil
 }
 

client/iface/wgproxy/bind/proxy.go

@@ -136,11 +136,6 @@ func (p *ProxyBind) CloseConn() error {
 	return p.close()
 }
 
-// InjectPacket is a no-op for the userspace proxy: first-packet reinjection is kernel-only.
-func (p *ProxyBind) InjectPacket(_ []byte) error {
-	return nil
-}
-
 func (p *ProxyBind) close() error {
 	if p.remoteConn == nil {
 		return nil

client/iface/wgproxy/ebpf/wrapper.go

@@ -219,17 +219,6 @@ func (p *ProxyWrapper) RedirectAs(endpoint *net.UDPAddr) {
 	p.pausedCond.L.Unlock()
 }
 
-// InjectPacket writes b to the remote peer over the underlying transport.
-func (p *ProxyWrapper) InjectPacket(b []byte) error {
-	if p.remoteConn == nil {
-		return errors.New("proxy not started")
-	}
-	if _, err := p.remoteConn.Write(b); err != nil {
-		return err
-	}
-	return nil
-}
-
 // CloseConn close the remoteConn and automatically remove the conn instance from the map
 func (p *ProxyWrapper) CloseConn() error {
 	if p.cancel == nil {

client/iface/wgproxy/proxy.go

@@ -18,9 +18,4 @@ type Proxy interface {
 	RedirectAs(endpoint *net.UDPAddr)
 	CloseConn() error
 	SetDisconnectListener(disconnected func())
-
-	// InjectPacket writes a raw packet directly to the remote peer over the underlying transport,
-	// bypassing WireGuard. Used to replay the captured lazyconn handshake initiation. Only the
-	// kernel-mode proxies act on it; the userspace proxy is a no-op since reinjection is kernel-only.
-	InjectPacket(b []byte) error
 }

client/iface/wgproxy/udp/proxy.go

@@ -147,17 +147,6 @@ func (p *WGUDPProxy) RedirectAs(endpoint *net.UDPAddr) {
 	p.sendPkg = p.srcFakerConn.SendPkg
 }
 
-// InjectPacket writes b to the remote peer over the underlying transport.
-func (p *WGUDPProxy) InjectPacket(b []byte) error {
-	if p.remoteConn == nil {
-		return errors.New("proxy not started")
-	}
-	if _, err := p.remoteConn.Write(b); err != nil {
-		return err
-	}
-	return nil
-}
-
 // CloseConn close the localConn
 func (p *WGUDPProxy) CloseConn() error {
 	if p.cancel == nil {

client/internal/auth/auth.go

@@ -322,6 +322,7 @@ func (a *Auth) setSystemInfoFlags(info *system.Info) {
 		a.config.BlockLANAccess,
 		a.config.BlockInbound,
 		a.config.DisableIPv6,
+		a.config.LazyConnectionEnabled,
 		a.config.EnableSSHRoot,
 		a.config.EnableSSHSFTP,
 		a.config.EnableSSHLocalPortForwarding,

client/internal/conn_mgr.go

@@ -16,16 +16,6 @@ import (
 	"github.com/netbirdio/netbird/route"
 )
 
-// lazyForce is the resolved local decision for lazy connections, layered above the
-// management feature flag. lazyForceNone defers to management.
-type lazyForce int
-
-const (
-	lazyForceNone lazyForce = iota
-	lazyForceOn
-	lazyForceOff
-)
-
 // ConnMgr coordinates both lazy connections (established on-demand) and permanent peer connections.
 //
 // The connection manager is responsible for:
@@ -38,7 +28,7 @@ type ConnMgr struct {
 	peerStore        *peerstore.Store
 	statusRecorder   *peer.Status
 	iface            lazyconn.WGIface
-	force            lazyForce
+	enabledLocally   bool
 	rosenpassEnabled bool
 
 	lazyConnMgr *manager.Manager
@@ -53,27 +43,23 @@ func NewConnMgr(engineConfig *EngineConfig, statusRecorder *peer.Status, peerSto
 		peerStore:        peerStore,
 		statusRecorder:   statusRecorder,
 		iface:            iface,
-		force:            resolveLazyForce(engineConfig.LazyConnection),
 		rosenpassEnabled: engineConfig.RosenpassEnabled,
 	}
+	if engineConfig.LazyConnectionEnabled || lazyconn.IsLazyConnEnabledByEnv() {
+		e.enabledLocally = true
+	}
 	return e
 }
 
-// Start initializes the connection manager. It starts the lazy connection manager when a
-// local override forces it on; with no local override it waits for the management feature flag.
+// Start initializes the connection manager and starts the lazy connection manager if enabled by env var or cmd line option.
 func (e *ConnMgr) Start(ctx context.Context) {
 	if e.lazyConnMgr != nil {
 		log.Errorf("lazy connection manager is already started")
 		return
 	}
 
-	switch e.force {
-	case lazyForceOff:
-		log.Infof("lazy connection manager is disabled by %s", lazyconn.EnvLazyConn)
-		e.statusRecorder.UpdateLazyConnection(false)
-		return
-	case lazyForceNone:
-		log.Infof("lazy connection manager is managed by the management feature flag")
+	if !e.enabledLocally {
+		log.Infof("lazy connection manager is disabled")
 		return
 	}
 
@@ -90,8 +76,8 @@ func (e *ConnMgr) Start(ctx context.Context) {
 // If enabled, it initializes the lazy connection manager and start it. Do not need to call Start() again.
 // If disabled, then it closes the lazy connection manager and open the connections to all peers.
 func (e *ConnMgr) UpdatedRemoteFeatureFlag(ctx context.Context, enabled bool) error {
-	// a local override (NB_LAZY_CONN or local config) takes precedence over management
-	if e.force != lazyForceNone {
+	// do not disable lazy connection manager if it was enabled by env var
+	if e.enabledLocally {
 		return nil
 	}
 
@@ -323,25 +309,6 @@ func (e *ConnMgr) isStartedWithLazyMgr() bool {
 	return e.lazyConnMgr != nil && e.lazyCtxCancel != nil
 }
 
-// resolveLazyForce determines the local override. NB_LAZY_CONN takes precedence; when it
-// is unset the MDM policy override (mdmState) applies. Either wins in both directions over
-// the management feature flag; StateUnset for both defers to management.
-func resolveLazyForce(mdmState lazyconn.State) lazyForce {
-	state := lazyconn.EnvState()
-	if state == lazyconn.StateUnset {
-		state = mdmState
-	}
-
-	switch state {
-	case lazyconn.StateOn:
-		return lazyForceOn
-	case lazyconn.StateOff:
-		return lazyForceOff
-	default:
-		return lazyForceNone
-	}
-}
-
 func inactivityThresholdEnv() *time.Duration {
 	envValue := os.Getenv(lazyconn.EnvInactivityThreshold)
 	if envValue == "" {

client/internal/conn_mgr_test.go

@@ -1,40 +0,0 @@
-package internal
-
-import (
-	"os"
-	"testing"
-
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-)
-
-func TestResolveLazyForce(t *testing.T) {
-	tests := []struct {
-		name   string
-		env    string
-		envSet bool
-		mdm    lazyconn.State
-		want   lazyForce
-	}{
-		{name: "env unset, mdm unset -> defer to management", mdm: lazyconn.StateUnset, want: lazyForceNone},
-		{name: "env on -> force on", env: "on", envSet: true, mdm: lazyconn.StateUnset, want: lazyForceOn},
-		{name: "env off -> force off", env: "off", envSet: true, mdm: lazyconn.StateUnset, want: lazyForceOff},
-		{name: "env unset, mdm on -> force on", mdm: lazyconn.StateOn, want: lazyForceOn},
-		{name: "env unset, mdm off -> force off", mdm: lazyconn.StateOff, want: lazyForceOff},
-		{name: "env on beats mdm off", env: "on", envSet: true, mdm: lazyconn.StateOff, want: lazyForceOn},
-		{name: "env off beats mdm on", env: "off", envSet: true, mdm: lazyconn.StateOn, want: lazyForceOff},
-		{name: "unrecognized env, mdm on -> mdm wins", env: "auto", envSet: true, mdm: lazyconn.StateOn, want: lazyForceOn},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			t.Setenv(lazyconn.EnvLazyConn, tt.env)
-			if !tt.envSet {
-				os.Unsetenv(lazyconn.EnvLazyConn)
-			}
-
-			if got := resolveLazyForce(tt.mdm); got != tt.want {
-				t.Fatalf("resolveLazyForce(%v) = %v, want %v", tt.mdm, got, tt.want)
-			}
-		})
-	}
-}

client/internal/connect.go

@@ -27,7 +27,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -597,7 +596,7 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		BlockInbound:        config.BlockInbound,
 		DisableIPv6:         config.DisableIPv6,
 
-		LazyConnection: lazyconn.ParseState(config.LazyConnection),
+		LazyConnectionEnabled: config.LazyConnectionEnabled,
 
 		MTU:     selectMTU(config.MTU, peerConfig.Mtu),
 		LogPath: logPath,
@@ -671,6 +670,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.DisableIPv6,
+		config.LazyConnectionEnabled,
 		config.EnableSSHRoot,
 		config.EnableSSHSFTP,
 		config.EnableSSHLocalPortForwarding,

client/internal/debug/debug.go

@@ -681,7 +681,7 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 		configContent.WriteString(fmt.Sprintf("ClientCertKeyPath: %s\n", g.internalConfig.ClientCertKeyPath))
 	}
 
-	configContent.WriteString(fmt.Sprintf("LazyConnection: %q\n", g.internalConfig.LazyConnection))
+	configContent.WriteString(fmt.Sprintf("LazyConnectionEnabled: %v\n", g.internalConfig.LazyConnectionEnabled))
 	configContent.WriteString(fmt.Sprintf("MTU: %d\n", g.internalConfig.MTU))
 }
 

client/internal/debug/debug_test.go

@@ -885,7 +885,7 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		DNSRouteInterval:              5 * time.Second,
 		ClientCertPath:                "/tmp/cert",
 		ClientCertKeyPath:             "/tmp/key",
-		LazyConnection:                "on",
+		LazyConnectionEnabled:         true,
 		MTU:                           1280,
 	}
 

client/internal/engine.go

@@ -40,7 +40,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
@@ -83,12 +82,6 @@ const (
 	PeerConnectionTimeoutMax = 45000 // ms
 	PeerConnectionTimeoutMin = 30000 // ms
 	disableAutoUpdate        = "disabled"
-
-	// systemInfoTimeout bounds how long the sync loop waits for system info / posture
-	// check gathering. The gathering runs uncancellable system calls (process scan,
-	// exec, os.Stat); without this bound a single stuck call freezes handleSync, and
-	// thus syncMsgMux, for as long as the call hangs (observed multi-minute freezes).
-	systemInfoTimeout = 15 * time.Second
 )
 
 var ErrResetConnection = fmt.Errorf("reset connection")
@@ -148,9 +141,7 @@ type EngineConfig struct {
 	BlockInbound        bool
 	DisableIPv6         bool
 
-	// LazyConnection is the MDM-sourced lazy-connection override; StateUnset defers to
-	// the env var and management feature flag.
-	LazyConnection lazyconn.State
+	LazyConnectionEnabled bool
 
 	MTU uint16
 
@@ -1093,22 +1084,11 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 	}
 	e.checks = checks
 
-	info, ok := system.GetInfoWithChecksTimeout(e.ctx, systemInfoTimeout, checks, e.overlayAddresses()...)
-	if !ok {
-		// Gathering timed out; skip the meta sync this cycle rather than blocking the
-		// sync loop (and syncMsgMux) on a stuck system call. A later sync will retry.
-		return nil
+	info, err := system.GetInfoWithChecks(e.ctx, checks, e.overlayAddresses()...)
+	if err != nil {
+		log.Warnf("failed to get system info with checks: %v", err)
+		info = system.GetInfo(e.ctx)
 	}
-	e.applyInfoFlags(info)
-
-	if err := e.mgmClient.SyncMeta(info); err != nil {
-		return fmt.Errorf("could not sync meta: error %s", err)
-	}
-	return nil
-}
-
-// applyInfoFlags sets the engine's config-derived feature flags on the gathered system info.
-func (e *Engine) applyInfoFlags(info *system.Info) {
 	info.SetFlags(
 		e.config.RosenpassEnabled,
 		e.config.RosenpassPermissive,
@@ -1120,12 +1100,19 @@ func (e *Engine) applyInfoFlags(info *system.Info) {
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.DisableIPv6,
+		e.config.LazyConnectionEnabled,
 		e.config.EnableSSHRoot,
 		e.config.EnableSSHSFTP,
 		e.config.EnableSSHLocalPortForwarding,
 		e.config.EnableSSHRemotePortForwarding,
 		e.config.DisableSSHAuth,
 	)
+
+	if err := e.mgmClient.SyncMeta(info); err != nil {
+		log.Errorf("could not sync meta: error %s", err)
+		return err
+	}
+	return nil
 }
 
 // overlayAddresses returns our own WireGuard overlay address (v4 and v6) so it
@@ -1285,15 +1272,31 @@ func (e *Engine) receiveManagementEvents() {
 	e.shutdownWg.Add(1)
 	go func() {
 		defer e.shutdownWg.Done()
-		info, ok := system.GetInfoWithChecksTimeout(e.ctx, systemInfoTimeout, e.checks, e.overlayAddresses()...)
-		if !ok {
-			// Gathering timed out; connect the stream with base info so management
-			// connectivity still comes up rather than blocking here.
+		info, err := system.GetInfoWithChecks(e.ctx, e.checks, e.overlayAddresses()...)
+		if err != nil {
+			log.Warnf("failed to get system info with checks: %v", err)
 			info = system.GetInfo(e.ctx)
 		}
-		e.applyInfoFlags(info)
+		info.SetFlags(
+			e.config.RosenpassEnabled,
+			e.config.RosenpassPermissive,
+			&e.config.ServerSSHAllowed,
+			e.config.DisableClientRoutes,
+			e.config.DisableServerRoutes,
+			e.config.DisableDNS,
+			e.config.DisableFirewall,
+			e.config.BlockLANAccess,
+			e.config.BlockInbound,
+			e.config.DisableIPv6,
+			e.config.LazyConnectionEnabled,
+			e.config.EnableSSHRoot,
+			e.config.EnableSSHSFTP,
+			e.config.EnableSSHLocalPortForwarding,
+			e.config.EnableSSHRemotePortForwarding,
+			e.config.DisableSSHAuth,
+		)
 
-		err := e.mgmClient.Sync(e.ctx, info, e.handleSync)
+		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
@@ -1988,6 +1991,7 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.DisableIPv6,
+		e.config.LazyConnectionEnabled,
 		e.config.EnableSSHRoot,
 		e.config.EnableSSHSFTP,
 		e.config.EnableSSHLocalPortForwarding,

client/internal/engine_test.go

@@ -178,10 +178,6 @@ func (m *MockWGIface) LastActivities() map[string]monotime.Time {
 	return nil
 }
 
-func (m *MockWGIface) MTU() uint16 {
-	return 1280
-}
-
 func (m *MockWGIface) SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error {
 	return nil
 }

client/internal/iface_common.go

@@ -44,5 +44,4 @@ type wgIfaceBase interface {
 	FullStats() (*configurer.Stats, error)
 	LastActivities() map[string]monotime.Time
 	SetPresharedKey(peerKey string, psk wgtypes.Key, updateOnly bool) error
-	MTU() uint16
 }

client/internal/lazyconn/activity/listener_bind.go

@@ -124,11 +124,6 @@ func (d *BindListener) ReadPackets() {
 	d.done.Done()
 }
 
-// CapturedPacket is unused in userspace bind mode: first-packet reinjection is kernel-only.
-func (d *BindListener) CapturedPacket() []byte {
-	return nil
-}
-
 // Close stops the listener and cleans up resources.
 func (d *BindListener) Close() {
 	d.peerCfg.Log.Infof("closing activity listener (LazyConn)")

client/internal/lazyconn/activity/listener_bind_test.go

@@ -45,6 +45,10 @@ type MockWGIfaceBind struct {
 	endpointMgr *mockEndpointManager
 }
 
+func (m *MockWGIfaceBind) RemovePeer(string) error {
+	return nil
+}
+
 func (m *MockWGIfaceBind) UpdatePeer(string, []netip.Prefix, time.Duration, *net.UDPAddr, *wgtypes.Key) error {
 	return nil
 }
@@ -64,10 +68,6 @@ func (m *MockWGIfaceBind) GetBind() device.EndpointManager {
 	return m.endpointMgr
 }
 
-func (m *MockWGIfaceBind) MTU() uint16 {
-	return 1280
-}
-
 func TestBindListener_Creation(t *testing.T) {
 	mockEndpointMgr := newMockEndpointManager()
 	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
@@ -207,9 +207,8 @@ func TestManager_BindMode(t *testing.T) {
 	require.NoError(t, err)
 
 	select {
-	case ev := <-mgr.OnActivityChan:
-		assert.Equal(t, cfg.PeerConnID, ev.PeerConnID, "Received peer connection ID should match")
-		assert.Nil(t, ev.FirstPacket, "Bind mode does not capture packets: reinjection is kernel-only")
+	case peerConnID := <-mgr.OnActivityChan:
+		assert.Equal(t, cfg.PeerConnID, peerConnID, "Received peer connection ID should match")
 	case <-time.After(2 * time.Second):
 		t.Fatal("timeout waiting for activity notification")
 	}
@@ -267,8 +266,8 @@ func TestManager_BindMode_MultiplePeers(t *testing.T) {
 	receivedPeers := make(map[peerid.ConnID]bool)
 	for i := 0; i < 2; i++ {
 		select {
-		case ev := <-mgr.OnActivityChan:
-			receivedPeers[ev.PeerConnID] = true
+		case peerConnID := <-mgr.OnActivityChan:
+			receivedPeers[peerConnID] = true
 		case <-time.After(2 * time.Second):
 			t.Fatal("timeout waiting for activity notifications")
 		}

client/internal/lazyconn/activity/listener_udp.go

@@ -3,13 +3,11 @@ package activity
 import (
 	"fmt"
 	"net"
-	"slices"
 	"sync"
 	"sync/atomic"
 
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 )
 
@@ -22,8 +20,6 @@ type UDPListener struct {
 	done     sync.Mutex
 
 	isClosed atomic.Bool
-
-	capturedPacket []byte
 }
 
 // NewUDPListener creates a listener that detects activity via UDP socket reads.
@@ -50,13 +46,9 @@ func NewUDPListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (*UDPListener,
 }
 
 // ReadPackets blocks reading from the UDP socket until activity is detected or the listener is closed.
-// The first packet that triggers activity is captured so it can be reinjected through the real
-// transport once it is established. Without this, kernel WireGuard's handshake initiation would be
-// dropped and WG would only retry after REKEY_TIMEOUT.
 func (d *UDPListener) ReadPackets() {
 	for {
-		buf := make([]byte, int(d.wgIface.MTU())+bufsize.WGBufferOverhead)
-		n, remoteAddr, err := d.conn.ReadFromUDP(buf)
+		n, remoteAddr, err := d.conn.ReadFromUDP(make([]byte, 1))
 		if err != nil {
 			if d.isClosed.Load() {
 				d.peerCfg.Log.Infof("exit from activity listener")
@@ -70,24 +62,20 @@ func (d *UDPListener) ReadPackets() {
 			d.peerCfg.Log.Warnf("received %d bytes from %s, too short", n, remoteAddr)
 			continue
 		}
-		d.capturedPacket = slices.Clone(buf[:n])
-		d.peerCfg.Log.Infof("activity detected, captured %d bytes for reinjection", n)
+		d.peerCfg.Log.Infof("activity detected")
 		break
 	}
 
-	// Leave the peer in place. ConfigureWGEndpoint will UpdatePeer with the real endpoint;
-	// removing the peer here wipes kernel WG's staged queue and drops the user packet that
-	// triggered activation.
+	d.peerCfg.Log.Debugf("removing lazy endpoint: %s", d.endpoint.String())
+	if err := d.wgIface.RemovePeer(d.peerCfg.PublicKey); err != nil {
+		d.peerCfg.Log.Errorf("failed to remove endpoint: %s", err)
+	}
+
+	// Ignore close error as it may return "use of closed network connection" if already closed.
 	_ = d.conn.Close()
 	d.done.Unlock()
 }
 
-// CapturedPacket returns the first packet that triggered activity, or nil if none was captured.
-// Safe to call after ReadPackets returns.
-func (d *UDPListener) CapturedPacket() []byte {
-	return d.capturedPacket
-}
-
 // Close stops the listener and cleans up resources.
 func (d *UDPListener) Close() {
 	d.peerCfg.Log.Infof("closing activity listener: %s", d.conn.LocalAddr().String())

client/internal/lazyconn/activity/manager.go

@@ -19,25 +19,17 @@ import (
 type listener interface {
 	ReadPackets()
 	Close()
-	CapturedPacket() []byte
-}
-
-// Event reports activity on a managed peer. FirstPacket is the bytes that triggered activation,
-// captured for reinjection through the real transport.
-type Event struct {
-	PeerConnID  peerid.ConnID
-	FirstPacket []byte
 }
 
 type WgInterface interface {
+	RemovePeer(peerKey string) error
 	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	IsUserspaceBind() bool
 	Address() wgaddr.Address
-	MTU() uint16
 }
 
 type Manager struct {
-	OnActivityChan chan Event
+	OnActivityChan chan peerid.ConnID
 
 	wgIface WgInterface
 
@@ -49,7 +41,7 @@ type Manager struct {
 
 func NewManager(wgIface WgInterface) *Manager {
 	m := &Manager{
-		OnActivityChan: make(chan Event, 1),
+		OnActivityChan: make(chan peerid.ConnID, 1),
 		wgIface:        wgIface,
 		peers:          make(map[peerid.ConnID]listener),
 		done:           make(chan struct{}),
@@ -124,12 +116,12 @@ func (m *Manager) waitForTraffic(l listener, peerConnID peerid.ConnID) {
 	delete(m.peers, peerConnID)
 	m.mu.Unlock()
 
-	m.notify(Event{PeerConnID: peerConnID, FirstPacket: l.CapturedPacket()})
+	m.notify(peerConnID)
 }
 
-func (m *Manager) notify(ev Event) {
+func (m *Manager) notify(peerConnID peerid.ConnID) {
 	select {
 	case <-m.done:
-	case m.OnActivityChan <- ev:
+	case m.OnActivityChan <- peerConnID:
 	}
 }

client/internal/lazyconn/activity/manager_test.go

@@ -1,7 +1,6 @@
 package activity
 
 import (
-	"bytes"
 	"net"
 	"net/netip"
 	"testing"
@@ -26,6 +25,10 @@ func (m *MocPeer) ConnID() peerid.ConnID {
 type MocWGIface struct {
 }
 
+func (m MocWGIface) RemovePeer(string) error {
+	return nil
+}
+
 func (m MocWGIface) UpdatePeer(string, []netip.Prefix, time.Duration, *net.UDPAddr, *wgtypes.Key) error {
 	return nil
 }
@@ -41,10 +44,6 @@ func (m MocWGIface) Address() wgaddr.Address {
 	}
 }
 
-func (m MocWGIface) MTU() uint16 {
-	return 1280
-}
-
 // GetPeerListener is a test helper to access listeners
 func (m *Manager) GetPeerListener(peerConnID peerid.ConnID) (listener, bool) {
 	m.mu.Lock()
@@ -87,15 +86,11 @@ func TestManager_MonitorPeerActivity(t *testing.T) {
 	}
 
 	select {
-	case ev := <-mgr.OnActivityChan:
-		if ev.PeerConnID != peerCfg1.PeerConnID {
-			t.Fatalf("unexpected peerConnID: %v", ev.PeerConnID)
-		}
-		if !bytes.Equal(ev.FirstPacket, []byte{0x01, 0x02, 0x03, 0x04, 0x05}) {
-			t.Fatalf("unexpected first packet: %v", ev.FirstPacket)
+	case peerConnID := <-mgr.OnActivityChan:
+		if peerConnID != peerCfg1.PeerConnID {
+			t.Fatalf("unexpected peerConnID: %v", peerConnID)
 		}
 	case <-time.After(1 * time.Second):
-		t.Fatal("timed out waiting for activity")
 	}
 }
 

client/internal/lazyconn/env.go

@@ -3,57 +3,24 @@ package lazyconn
 import (
 	"os"
 	"strconv"
-	"strings"
 
 	log "github.com/sirupsen/logrus"
 )
 
 const (
-	EnvLazyConn            = "NB_LAZY_CONN"
+	EnvEnableLazyConn      = "NB_ENABLE_EXPERIMENTAL_LAZY_CONN"
 	EnvInactivityThreshold = "NB_LAZY_CONN_INACTIVITY_THRESHOLD"
 )
 
-// State is the tri-state local override for lazy connections read from the environment.
-type State int
-
-const (
-	// StateUnset means no local override; defer to the management feature flag.
-	StateUnset State = iota
-	// StateOn forces lazy connections on, overriding management.
-	StateOn
-	// StateOff forces lazy connections off, overriding management.
-	StateOff
-)
-
-// EnvState reads NB_LAZY_CONN and returns the local override state.
-func EnvState() State {
-	return ParseState(os.Getenv(EnvLazyConn))
-}
-
-// ParseState interprets a lazy-connection override value (from the environment or an MDM
-// policy). It accepts the on/off aliases plus any value strconv.ParseBool understands
-// (true/false/1/0). An empty or unrecognized value returns StateUnset so that the
-// management feature flag remains in control.
-func ParseState(raw string) State {
-	if raw == "" {
-		return StateUnset
+func IsLazyConnEnabledByEnv() bool {
+	val := os.Getenv(EnvEnableLazyConn)
+	if val == "" {
+		return false
 	}
-
-	normalized := strings.ToLower(strings.TrimSpace(raw))
-	switch normalized {
-	case "on":
-		return StateOn
-	case "off":
-		return StateOff
-	}
-
-	enabled, err := strconv.ParseBool(normalized)
+	enabled, err := strconv.ParseBool(val)
 	if err != nil {
-		log.Warnf("failed to parse %s value %q: %v", EnvLazyConn, raw, err)
-		return StateUnset
+		log.Warnf("failed to parse %s: %v", EnvEnableLazyConn, err)
+		return false
 	}
-	if enabled {
-		return StateOn
-	}
-	return StateOff
+	return enabled
 }

client/internal/lazyconn/env_test.go

@@ -1,45 +0,0 @@
-package lazyconn
-
-import (
-	"os"
-	"testing"
-)
-
-func TestEnvState(t *testing.T) {
-	tests := []struct {
-		value string
-		set   bool
-		want  State
-	}{
-		{set: false, want: StateUnset},
-		{value: "", set: true, want: StateUnset},
-		{value: "on", set: true, want: StateOn},
-		{value: "ON", set: true, want: StateOn},
-		{value: "true", set: true, want: StateOn},
-		{value: "1", set: true, want: StateOn},
-		{value: " on ", set: true, want: StateOn},
-		{value: "off", set: true, want: StateOff},
-		{value: "OFF", set: true, want: StateOff},
-		{value: "false", set: true, want: StateOff},
-		{value: "0", set: true, want: StateOff},
-		{value: "auto", set: true, want: StateUnset},
-		{value: "garbage", set: true, want: StateUnset},
-	}
-
-	for _, tt := range tests {
-		name := tt.value
-		if !tt.set {
-			name = "unset"
-		}
-		t.Run(name, func(t *testing.T) {
-			t.Setenv(EnvLazyConn, tt.value)
-			if !tt.set {
-				os.Unsetenv(EnvLazyConn)
-			}
-
-			if got := EnvState(); got != tt.want {
-				t.Fatalf("EnvState() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}

client/internal/lazyconn/manager/manager.go

@@ -130,8 +130,8 @@ func (m *Manager) Start(ctx context.Context) {
 		select {
 		case <-ctx.Done():
 			return
-		case ev := <-m.activityManager.OnActivityChan:
-			m.onPeerActivity(ev)
+		case peerConnID := <-m.activityManager.OnActivityChan:
+			m.onPeerActivity(peerConnID)
 		case peerIDs := <-m.inactivityManager.InactivePeersChan():
 			m.onPeerInactivityTimedOut(peerIDs)
 		}
@@ -513,13 +513,13 @@ func (m *Manager) checkHaGroupActivity(haGroup route.HAUniqueID, peerID string,
 	return false
 }
 
-func (m *Manager) onPeerActivity(ev activity.Event) {
+func (m *Manager) onPeerActivity(peerConnID peerid.ConnID) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
 
-	mp, ok := m.managedPeersByConnID[ev.PeerConnID]
+	mp, ok := m.managedPeersByConnID[peerConnID]
 	if !ok {
-		log.Errorf("peer not found by conn id: %v", ev.PeerConnID)
+		log.Errorf("peer not found by conn id: %v", peerConnID)
 		return
 	}
 
@@ -536,7 +536,7 @@ func (m *Manager) onPeerActivity(ev activity.Event) {
 
 	m.activateHAGroupPeers(mp.peerCfg)
 
-	m.peerStore.PeerConnOpenWithFirstPacket(m.engineCtx, mp.peerCfg.PublicKey, ev.FirstPacket)
+	m.peerStore.PeerConnOpen(m.engineCtx, mp.peerCfg.PublicKey)
 }
 
 func (m *Manager) onPeerInactivityTimedOut(peerIDs map[string]struct{}) {

client/internal/lazyconn/wgiface.go

@@ -17,5 +17,4 @@ type WGIface interface {
 	IsUserspaceBind() bool
 	Address() wgaddr.Address
 	LastActivities() map[string]monotime.Time
-	MTU() uint16
 }

client/internal/peer/conn.go

@@ -6,7 +6,6 @@ import (
 	"net"
 	"net/netip"
 	"runtime"
-	"slices"
 	"sync"
 	"time"
 
@@ -137,39 +136,6 @@ type Conn struct {
 	// Connection stage timestamps for metrics
 	metricsRecorder MetricsRecorder
 	metricsStages   *MetricsStages
-
-	// pendingFirstPacket is the lazyconn-captured handshake init, replayed once the real
-	// transport is up.
-	pendingFirstPacket []byte
-}
-
-// injectPendingFirstPacket replays the captured handshake through the proxy if present, else
-// directly through the ICE conn. The packet is cleared only after a successful write, so a failed
-// or transport-less attempt leaves it available for a later reinjection. Caller must hold conn.mu.
-func (conn *Conn) injectPendingFirstPacket(proxy wgproxy.Proxy, directConn net.Conn) {
-	pkt := conn.pendingFirstPacket
-	if len(pkt) == 0 {
-		return
-	}
-
-	switch {
-	case proxy != nil:
-		if err := proxy.InjectPacket(pkt); err != nil {
-			conn.Log.Debugf("failed to reinject captured first packet via proxy: %v", err)
-			return
-		}
-	case directConn != nil:
-		if _, err := directConn.Write(pkt); err != nil {
-			conn.Log.Debugf("failed to reinject captured first packet via direct conn: %v", err)
-			return
-		}
-	default:
-		conn.Log.Debugf("no transport available to reinject captured first packet")
-		return
-	}
-
-	conn.pendingFirstPacket = nil
-	conn.Log.Debugf("reinjected captured first packet (%d bytes)", len(pkt))
 }
 
 // NewConn creates a new not opened Conn to the remote peer.
@@ -206,16 +172,6 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 // It will try to establish a connection using ICE and in parallel with relay. The higher priority connection type will
 // be used.
 func (conn *Conn) Open(engineCtx context.Context) error {
-	return conn.open(engineCtx, nil)
-}
-
-// OpenWithFirstPacket opens the connection like Open and stashes firstPacket to be replayed once
-// the real transport is established. The packet is retained only on a successful open.
-func (conn *Conn) OpenWithFirstPacket(engineCtx context.Context, firstPacket []byte) error {
-	return conn.open(engineCtx, firstPacket)
-}
-
-func (conn *Conn) open(engineCtx context.Context, firstPacket []byte) error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
@@ -271,9 +227,6 @@ func (conn *Conn) open(engineCtx context.Context, firstPacket []byte) error {
 		defer conn.wg.Done()
 		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()
-	if len(firstPacket) > 0 {
-		conn.pendingFirstPacket = slices.Clone(firstPacket)
-	}
 	conn.opened = true
 	return nil
 }
@@ -470,8 +423,6 @@ func (conn *Conn) onICEConnectionIsReady(priority conntype.ConnPriority, iceConn
 		conn.wgProxyRelay.RedirectAs(ep)
 	}
 
-	conn.injectPendingFirstPacket(wgProxy, iceConnInfo.RemoteConn)
-
 	conn.currentConnPriority = priority
 	conn.statusICE.SetConnected()
 	conn.updateIceState(iceConnInfo, updateTime)
@@ -595,8 +546,6 @@ func (conn *Conn) onRelayConnectionIsReady(rci RelayConnInfo) {
 
 	wgConfigWorkaround()
 
-	conn.injectPendingFirstPacket(wgProxy, nil)
-
 	conn.rosenpassRemoteKey = rci.rosenpassPubKey
 	conn.currentConnPriority = conntype.Relay
 	conn.statusRelay.SetConnected()

client/internal/peerstore/store.go

@@ -88,24 +88,11 @@ func (s *Store) PeerConnOpen(ctx context.Context, pubKey string) {
 	if !ok {
 		return
 	}
+	// this can be blocked because of the connect open limiter semaphore
 	if err := p.Open(ctx); err != nil {
 		p.Log.Errorf("failed to open peer connection: %v", err)
 	}
-}
 
-// PeerConnOpenWithFirstPacket opens the peer connection and stashes a first packet to be
-// reinjected once the real transport is established.
-func (s *Store) PeerConnOpenWithFirstPacket(ctx context.Context, pubKey string, firstPacket []byte) {
-	s.peerConnsMu.RLock()
-	defer s.peerConnsMu.RUnlock()
-
-	p, ok := s.peerConns[pubKey]
-	if !ok {
-		return
-	}
-	if err := p.OpenWithFirstPacket(ctx, firstPacket); err != nil {
-		p.Log.Errorf("failed to open peer connection: %v", err)
-	}
 }
 
 func (s *Store) PeerConnIdle(pubKey string) {

client/internal/profilemanager/config.go

@@ -101,6 +101,8 @@ type ConfigInput struct {
 
 	DNSLabels domain.List
 
+	LazyConnectionEnabled *bool
+
 	MTU *uint16
 }
 
@@ -178,9 +180,7 @@ type Config struct {
 
 	ClientCertKeyPair *tls.Certificate `json:"-"`
 
-	// LazyConnection is the MDM-managed lazy-connection override ("on"/"off"/"").
-	// Runtime-only: re-derived from MDM policy on each load, never persisted.
-	LazyConnection string `json:"-"`
+	LazyConnectionEnabled bool
 
 	MTU uint16
 
@@ -632,6 +632,12 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.LazyConnectionEnabled != nil && *input.LazyConnectionEnabled != config.LazyConnectionEnabled {
+		log.Infof("switching lazy connection to %t", *input.LazyConnectionEnabled)
+		config.LazyConnectionEnabled = *input.LazyConnectionEnabled
+		updated = true
+	}
+
 	if input.MTU != nil && *input.MTU != config.MTU {
 		log.Infof("updating MTU to %d (old value %d)", *input.MTU, config.MTU)
 		config.MTU = *input.MTU
@@ -722,11 +728,6 @@ func (config *Config) applyMDMPolicy(policy *mdm.Policy) {
 			log.Warnf("MDM wireguard port %d out of range [1,65535]; keeping previous value", v)
 		}
 	}
-
-	if v, ok := policy.GetString(mdm.KeyLazyConnection); ok {
-		config.LazyConnection = v
-		logApplied(mdm.KeyLazyConnection, v)
-	}
 }
 
 // parseURL parses and validates the URL for the named service. The URL

client/ios/NetBirdSDK/env_list.go

@@ -38,7 +38,7 @@ func GetEnvKeyNBForceRelay() string {
 
 // GetEnvKeyNBLazyConn Exports the environment variable for the iOS client
 func GetEnvKeyNBLazyConn() string {
-	return lazyconn.EnvLazyConn
+	return lazyconn.EnvEnableLazyConn
 }
 
 // GetEnvKeyNBInactivityThreshold Exports the environment variable for the iOS client

client/mdm/policy.go

@@ -41,10 +41,6 @@ const (
 	// construction — only one mode can be set at a time.
 	KeySplitTunnelMode = "splitTunnelMode"
 	KeySplitTunnelApps = "splitTunnelApps"
-
-	// KeyLazyConnection forces the lazy-connection feature on or off, overriding
-	// the management feature flag. Values: "on" / "off" (absent = defer to management).
-	KeyLazyConnection = "lazyConnection"
 )
 
 // Split-tunnel mode literals (KeySplitTunnelMode values).
@@ -71,6 +67,7 @@ var boolStringLiterals = map[string]bool{
 	"no":    false,
 }
 
+
 // Policy holds MDM-managed settings read from the platform source. A nil or
 // empty Policy means no enforcement is active.
 type Policy struct {

client/server/mdm.go

@@ -152,6 +152,7 @@ func (s *Server) restartEngineForMDMLocked() error {
 	s.config = config
 	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)
+	s.statusRecorder.UpdateLazyConnection(config.LazyConnectionEnabled)
 
 	ctx, cancel := context.WithCancel(s.rootCtx)
 	s.actCancel = cancel
@@ -304,6 +305,7 @@ func setConfigRequestHasConfigOverrides(msg *proto.SetConfigRequest) bool {
 		msg.DisableFirewall != nil ||
 		msg.BlockLanAccess != nil ||
 		msg.DisableNotifications != nil ||
+		msg.LazyConnectionEnabled != nil ||
 		msg.BlockInbound != nil ||
 		msg.DisableIpv6 != nil ||
 		msg.EnableSSHRoot != nil ||
@@ -346,6 +348,7 @@ func loginRequestHasConfigOverrides(msg *proto.LoginRequest) bool {
 		msg.BlockLanAccess != nil ||
 		msg.DisableNotifications != nil ||
 		len(msg.DnsLabels) > 0 || msg.CleanDNSLabels ||
+		msg.LazyConnectionEnabled != nil ||
 		msg.BlockInbound != nil
 }
 

client/server/server.go

@@ -214,6 +214,7 @@ func (s *Server) Start() error {
 
 	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)
+	s.statusRecorder.UpdateLazyConnection(config.LazyConnectionEnabled)
 
 	if s.sessionWatcher == nil {
 		s.sessionWatcher = internal.NewSessionWatcher(s.rootCtx, s.statusRecorder)
@@ -462,6 +463,7 @@ func (s *Server) setConfigInputFromRequest(msg *proto.SetConfigRequest) (profile
 	config.DisableFirewall = msg.DisableFirewall
 	config.BlockLANAccess = msg.BlockLanAccess
 	config.DisableNotifications = msg.DisableNotifications
+	config.LazyConnectionEnabled = msg.LazyConnectionEnabled
 	config.BlockInbound = msg.BlockInbound
 	config.DisableIPv6 = msg.DisableIpv6
 	config.EnableSSHRoot = msg.EnableSSHRoot
@@ -1645,6 +1647,7 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		ServerSSHAllowed:              *cfg.ServerSSHAllowed,
 		RosenpassEnabled:              cfg.RosenpassEnabled,
 		RosenpassPermissive:           cfg.RosenpassPermissive,
+		LazyConnectionEnabled:         cfg.LazyConnectionEnabled,
 		BlockInbound:                  cfg.BlockInbound,
 		DisableNotifications:          disableNotifications,
 		NetworkMonitor:                networkMonitor,

client/server/setconfig_test.go

@@ -69,41 +69,43 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	disableFirewall := true
 	blockLANAccess := true
 	disableNotifications := true
+	lazyConnectionEnabled := true
 	blockInbound := true
 	disableIPv6 := true
 	mtu := int64(1280)
 	sshJWTCacheTTL := int32(300)
 
 	req := &proto.SetConfigRequest{
-		ProfileName:          profName,
-		Username:             currUser.Username,
-		ManagementUrl:        "https://new-api.netbird.io:443",
-		AdminURL:             "https://new-admin.netbird.io",
-		RosenpassEnabled:     &rosenpassEnabled,
-		RosenpassPermissive:  &rosenpassPermissive,
-		ServerSSHAllowed:     &serverSSHAllowed,
-		InterfaceName:        &interfaceName,
-		WireguardPort:        &wireguardPort,
-		OptionalPreSharedKey: &preSharedKey,
-		DisableAutoConnect:   &disableAutoConnect,
-		NetworkMonitor:       &networkMonitor,
-		DisableClientRoutes:  &disableClientRoutes,
-		DisableServerRoutes:  &disableServerRoutes,
-		DisableDns:           &disableDNS,
-		DisableFirewall:      &disableFirewall,
-		BlockLanAccess:       &blockLANAccess,
-		DisableNotifications: &disableNotifications,
-		BlockInbound:         &blockInbound,
-		DisableIpv6:          &disableIPv6,
-		NatExternalIPs:       []string{"1.2.3.4", "5.6.7.8"},
-		CleanNATExternalIPs:  false,
-		CustomDNSAddress:     []byte("1.1.1.1:53"),
-		ExtraIFaceBlacklist:  []string{"eth1", "eth2"},
-		DnsLabels:            []string{"label1", "label2"},
-		CleanDNSLabels:       false,
-		DnsRouteInterval:     durationpb.New(2 * time.Minute),
-		Mtu:                  &mtu,
-		SshJWTCacheTTL:       &sshJWTCacheTTL,
+		ProfileName:           profName,
+		Username:              currUser.Username,
+		ManagementUrl:         "https://new-api.netbird.io:443",
+		AdminURL:              "https://new-admin.netbird.io",
+		RosenpassEnabled:      &rosenpassEnabled,
+		RosenpassPermissive:   &rosenpassPermissive,
+		ServerSSHAllowed:      &serverSSHAllowed,
+		InterfaceName:         &interfaceName,
+		WireguardPort:         &wireguardPort,
+		OptionalPreSharedKey:  &preSharedKey,
+		DisableAutoConnect:    &disableAutoConnect,
+		NetworkMonitor:        &networkMonitor,
+		DisableClientRoutes:   &disableClientRoutes,
+		DisableServerRoutes:   &disableServerRoutes,
+		DisableDns:            &disableDNS,
+		DisableFirewall:       &disableFirewall,
+		BlockLanAccess:        &blockLANAccess,
+		DisableNotifications:  &disableNotifications,
+		LazyConnectionEnabled: &lazyConnectionEnabled,
+		BlockInbound:          &blockInbound,
+		DisableIpv6:           &disableIPv6,
+		NatExternalIPs:        []string{"1.2.3.4", "5.6.7.8"},
+		CleanNATExternalIPs:   false,
+		CustomDNSAddress:      []byte("1.1.1.1:53"),
+		ExtraIFaceBlacklist:   []string{"eth1", "eth2"},
+		DnsLabels:             []string{"label1", "label2"},
+		CleanDNSLabels:        false,
+		DnsRouteInterval:      durationpb.New(2 * time.Minute),
+		Mtu:                   &mtu,
+		SshJWTCacheTTL:        &sshJWTCacheTTL,
 	}
 
 	_, err = s.SetConfig(ctx, req)
@@ -138,6 +140,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.Equal(t, blockLANAccess, cfg.BlockLANAccess)
 	require.NotNil(t, cfg.DisableNotifications)
 	require.Equal(t, disableNotifications, *cfg.DisableNotifications)
+	require.Equal(t, lazyConnectionEnabled, cfg.LazyConnectionEnabled)
 	require.Equal(t, blockInbound, cfg.BlockInbound)
 	require.Equal(t, disableIPv6, cfg.DisableIPv6)
 	require.Equal(t, []string{"1.2.3.4", "5.6.7.8"}, cfg.NATExternalIPs)
@@ -161,14 +164,13 @@ func verifyAllFieldsCovered(t *testing.T, req *proto.SetConfigRequest) {
 	t.Helper()
 
 	metadataFields := map[string]bool{
-		"state":                 true, // protobuf internal
-		"sizeCache":             true, // protobuf internal
-		"unknownFields":         true, // protobuf internal
-		"Username":              true, // metadata
-		"ProfileName":           true, // metadata
-		"CleanNATExternalIPs":   true, // control flag for clearing
-		"CleanDNSLabels":        true, // control flag for clearing
-		"LazyConnectionEnabled": true, // deprecated: proto field retained for compat, no longer applied
+		"state":               true, // protobuf internal
+		"sizeCache":           true, // protobuf internal
+		"unknownFields":       true, // protobuf internal
+		"Username":            true, // metadata
+		"ProfileName":         true, // metadata
+		"CleanNATExternalIPs": true, // control flag for clearing
+		"CleanDNSLabels":      true, // control flag for clearing
 	}
 
 	expectedFields := map[string]bool{
@@ -188,6 +190,7 @@ func verifyAllFieldsCovered(t *testing.T, req *proto.SetConfigRequest) {
 		"DisableFirewall":               true,
 		"BlockLanAccess":                true,
 		"DisableNotifications":          true,
+		"LazyConnectionEnabled":         true,
 		"BlockInbound":                  true,
 		"DisableIpv6":                   true,
 		"NatExternalIPs":                true,
@@ -249,6 +252,7 @@ func TestCLIFlags_MappedToSetConfig(t *testing.T) {
 		"block-lan-access":                  "BlockLanAccess",
 		"block-inbound":                     "BlockInbound",
 		"disable-ipv6":                      "DisableIpv6",
+		"enable-lazy-connection":            "LazyConnectionEnabled",
 		"external-ip-map":                   "NatExternalIPs",
 		"dns-resolver-address":              "CustomDNSAddress",
 		"extra-iface-blacklist":             "ExtraIFaceBlacklist",
@@ -265,8 +269,7 @@ func TestCLIFlags_MappedToSetConfig(t *testing.T) {
 
 	// SetConfigRequest fields that don't have CLI flags (settable only via UI or other means).
 	fieldsWithoutCLIFlags := map[string]bool{
-		"DisableNotifications":  true, // Only settable via UI
-		"LazyConnectionEnabled": true, // deprecated: no longer settable (managed by server + NB_LAZY_CONN)
+		"DisableNotifications": true, // Only settable via UI
 	}
 
 	// Get all SetConfigRequest fields to verify our map is complete.

client/system/info.go

@@ -2,11 +2,9 @@ package system
 
 import (
 	"context"
-	"errors"
 	"net/netip"
 	"slices"
 	"strings"
-	"time"
 
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/metadata"
@@ -74,6 +72,8 @@ type Info struct {
 	BlockInbound        bool
 	DisableIPv6         bool
 
+	LazyConnectionEnabled bool
+
 	EnableSSHRoot                 bool
 	EnableSSHSFTP                 bool
 	EnableSSHLocalPortForwarding  bool
@@ -85,7 +85,7 @@ func (i *Info) SetFlags(
 	rosenpassEnabled, rosenpassPermissive bool,
 	serverSSHAllowed *bool,
 	disableClientRoutes, disableServerRoutes,
-	disableDNS, disableFirewall, blockLANAccess, blockInbound, disableIPv6 bool,
+	disableDNS, disableFirewall, blockLANAccess, blockInbound, disableIPv6, lazyConnectionEnabled bool,
 	enableSSHRoot, enableSSHSFTP, enableSSHLocalPortForwarding, enableSSHRemotePortForwarding *bool,
 	disableSSHAuth *bool,
 ) {
@@ -103,6 +103,8 @@ func (i *Info) SetFlags(
 	i.BlockInbound = blockInbound
 	i.DisableIPv6 = disableIPv6
 
+	i.LazyConnectionEnabled = lazyConnectionEnabled
+
 	if enableSSHRoot != nil {
 		i.EnableSSHRoot = *enableSSHRoot
 	}
@@ -172,7 +174,7 @@ func GetInfoWithChecks(ctx context.Context, checks []*proto.Checks, excludeIPs .
 		processCheckPaths = append(processCheckPaths, check.GetFiles()...)
 	}
 
-	files, err := checkFileAndProcess(ctx, processCheckPaths)
+	files, err := checkFileAndProcess(processCheckPaths)
 	if err != nil {
 		return nil, err
 	}
@@ -185,43 +187,3 @@ func GetInfoWithChecks(ctx context.Context, checks []*proto.Checks, excludeIPs .
 	log.Debugf("all system information gathered successfully")
 	return info, nil
 }
-
-// GetInfoWithChecksTimeout is GetInfoWithChecks bounded by timeout. Posture-check gathering
-// runs uncancellable system calls (process enumeration, os.Stat), so calling it inline can
-// block the caller for as long as such a call hangs. It runs in a goroutine instead: if it
-// does not return within timeout the caller gets (nil, false) and should proceed with
-// degraded behavior rather than block. On a gathering error it falls back to base GetInfo.
-//
-// The buffered channel lets the abandoned goroutine finish and exit once its blocking call
-// returns, so it does not leak beyond the duration of that call.
-func GetInfoWithChecksTimeout(ctx context.Context, timeout time.Duration, checks []*proto.Checks, excludeIPs ...netip.Addr) (*Info, bool) {
-	ctx, cancel := context.WithTimeout(ctx, timeout)
-	defer cancel()
-
-	infoCh := make(chan *Info, 1)
-	go func() {
-		info, err := GetInfoWithChecks(ctx, checks, excludeIPs...)
-		if err != nil {
-			if ctx.Err() != nil {
-				return
-			}
-			log.Warnf("failed to get system info with checks: %v", err)
-			info = GetInfo(ctx)
-			info.removeAddresses(excludeIPs...)
-		}
-		infoCh <- info
-	}()
-
-	select {
-	case info := <-infoCh:
-		return info, true
-	case <-ctx.Done():
-		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-			log.Warnf("gathering system info with checks timed out after %s", timeout)
-		} else {
-			// Parent context canceled (e.g. shutdown), not a timeout.
-			log.Warnf("gathering system info with checks canceled: %v", ctx.Err())
-		}
-		return nil, false
-	}
-}

client/system/info_android.go

@@ -50,7 +50,7 @@ func GetInfo(ctx context.Context) *Info {
 }
 
 // checkFileAndProcess checks if the file path exists and if a process is running at that path.
-func checkFileAndProcess(_ context.Context, _ []string) ([]File, error) {
+func checkFileAndProcess(paths []string) ([]File, error) {
 	return []File{}, nil
 }
 

client/system/info_darwin.go

@@ -32,7 +32,7 @@ func GetInfo(ctx context.Context) *Info {
 	sysName := string(bytes.Split(utsname.Sysname[:], []byte{0})[0])
 	machine := string(bytes.Split(utsname.Machine[:], []byte{0})[0])
 	release := string(bytes.Split(utsname.Release[:], []byte{0})[0])
-	swVersion, err := exec.CommandContext(ctx, "sw_vers", "-productVersion").Output()
+	swVersion, err := exec.Command("sw_vers", "-productVersion").Output()
 	if err != nil {
 		log.Warnf("got an error while retrieving macOS version with sw_vers, error: %s. Using darwin version instead.\n", err)
 		swVersion = []byte(release)

client/system/info_ios.go

@@ -105,7 +105,7 @@ func isDuplicated(addresses []NetworkAddress, addr NetworkAddress) bool {
 }
 
 // checkFileAndProcess checks if the file path exists and if a process is running at that path.
-func checkFileAndProcess(_ context.Context, _ []string) ([]File, error) {
+func checkFileAndProcess(paths []string) ([]File, error) {
 	return []File{}, nil
 }
 

client/system/info_js.go

@@ -103,7 +103,7 @@ func collectLocationInfo(info *Info) {
 	}
 }
 
-func checkFileAndProcess(_ context.Context, _ []string) ([]File, error) {
+func checkFileAndProcess(_ []string) ([]File, error) {
 	return []File{}, nil
 }
 

client/system/info_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"net/netip"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/metadata"
@@ -36,20 +35,6 @@ func Test_CustomHostname(t *testing.T) {
 	assert.Equal(t, want, got.Hostname)
 }
 
-func TestGetInfoWithChecksTimeout_Success(t *testing.T) {
-	info, ok := GetInfoWithChecksTimeout(context.Background(), 30*time.Second, nil)
-	assert.True(t, ok, "expected gathering to complete within the timeout")
-	assert.NotNil(t, info)
-}
-
-func TestGetInfoWithChecksTimeout_Timeout(t *testing.T) {
-	// A 1ns budget expires before the (real) system-info gathering can finish, so the
-	// caller must get (nil, false) instead of blocking on the in-flight goroutine.
-	info, ok := GetInfoWithChecksTimeout(context.Background(), time.Nanosecond, nil)
-	assert.False(t, ok, "expected timeout to be reported")
-	assert.Nil(t, info)
-}
-
 func Test_NetAddresses(t *testing.T) {
 	addr, err := networkAddresses()
 	if err != nil {

client/system/process.go

@@ -3,30 +3,24 @@
 package system
 
 import (
-	"context"
 	"os"
 	"slices"
 
 	"github.com/shirou/gopsutil/v3/process"
 )
 
-// getRunningProcesses returns a list of running process paths. The context bounds the work:
-// the per-PID loop bails as soon as ctx is done, and the gopsutil calls honor it where they
-// can, so a stuck enumeration cannot run unbounded.
-func getRunningProcesses(ctx context.Context) ([]string, error) {
-	processIDs, err := process.PidsWithContext(ctx)
+// getRunningProcesses returns a list of running process paths.
+func getRunningProcesses() ([]string, error) {
+	processIDs, err := process.Pids()
 	if err != nil {
 		return nil, err
 	}
 
 	processMap := make(map[string]bool)
 	for _, pID := range processIDs {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
 		p := &process.Process{Pid: pID}
 
-		path, _ := p.ExeWithContext(ctx)
+		path, _ := p.Exe()
 		if path != "" {
 			processMap[path] = false
 		}
@@ -41,21 +35,18 @@ func getRunningProcesses(ctx context.Context) ([]string, error) {
 }
 
 // checkFileAndProcess checks if the file path exists and if a process is running at that path.
-func checkFileAndProcess(ctx context.Context, paths []string) ([]File, error) {
+func checkFileAndProcess(paths []string) ([]File, error) {
 	files := make([]File, len(paths))
 	if len(paths) == 0 {
 		return files, nil
 	}
 
-	runningProcesses, err := getRunningProcesses(ctx)
+	runningProcesses, err := getRunningProcesses()
 	if err != nil {
 		return nil, err
 	}
 
 	for i, path := range paths {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
 		file := File{Path: path}
 
 		_, err := os.Stat(path)

client/system/process_test.go

@@ -1,7 +1,6 @@
 package system
 
 import (
-	"context"
 	"testing"
 
 	"github.com/shirou/gopsutil/v3/process"
@@ -10,7 +9,7 @@ import (
 func Benchmark_getRunningProcesses(b *testing.B) {
 	b.Run("getRunningProcesses new", func(b *testing.B) {
 		for i := 0; i < b.N; i++ {
-			ps, err := getRunningProcesses(context.Background())
+			ps, err := getRunningProcesses()
 			if err != nil {
 				b.Fatalf("unexpected error: %v", err)
 			}
@@ -30,38 +29,12 @@ func Benchmark_getRunningProcesses(b *testing.B) {
 			}
 		}
 	})
-	s, _ := getRunningProcesses(context.Background())
+	s, _ := getRunningProcesses()
 	b.Logf("getRunningProcesses returned %d processes", len(s))
 	s, _ = getRunningProcessesOld()
 	b.Logf("getRunningProcessesOld returned %d processes", len(s))
 }
 
-func TestCheckFileAndProcess_ContextCanceled(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	// With a canceled context and non-empty paths the gathering must bail with an error
-	// instead of running the (potentially blocking) process scan / stat loop.
-	if _, err := checkFileAndProcess(ctx, []string{"/does/not/exist"}); err == nil {
-		t.Fatal("expected error on canceled context, got nil")
-	}
-}
-
-func TestCheckFileAndProcess_EmptyPaths(t *testing.T) {
-	// No check paths means no work to do: it must return immediately with no error,
-	// even on a canceled context (nothing to scan or stat).
-	ctx, cancel := context.WithCancel(context.Background())
-	cancel()
-
-	files, err := checkFileAndProcess(ctx, nil)
-	if err != nil {
-		t.Fatalf("unexpected error for empty paths: %v", err)
-	}
-	if len(files) != 0 {
-		t.Fatalf("expected no files, got %d", len(files))
-	}
-}
-
 func getRunningProcessesOld() ([]string, error) {
 	processes, err := process.Processes()
 	if err != nil {

client/ui/client_ui.go

@@ -266,6 +266,7 @@ type serviceClient struct {
 	mAllowSSH          *systray.MenuItem
 	mAutoConnect       *systray.MenuItem
 	mEnableRosenpass   *systray.MenuItem
+	mLazyConnEnabled   *systray.MenuItem
 	mBlockInbound      *systray.MenuItem
 	mNotifications     *systray.MenuItem
 	mAdvancedSettings  *systray.MenuItem
@@ -335,11 +336,11 @@ type serviceClient struct {
 	// mNetworks + mExitNode submenu items. Combines features.DisableNetworks
 	// AND s.connected — both must be true for the menus to be active.
 	// Zero value (false) matches the Disable() call at AddMenuItem time.
-	networksMenuEnabled bool
-	showNetworks        bool
-	wNetworks           fyne.Window
-	wProfiles           fyne.Window
-	wQuickActions       fyne.Window
+	networksMenuEnabled  bool
+	showNetworks         bool
+	wNetworks            fyne.Window
+	wProfiles            fyne.Window
+	wQuickActions        fyne.Window
 
 	eventManager *event.Manager
 
@@ -1093,6 +1094,7 @@ func (s *serviceClient) onTrayReady() {
 	s.mAllowSSH = s.mSettings.AddSubMenuItemCheckbox("Allow SSH", allowSSHMenuDescr, false)
 	s.mAutoConnect = s.mSettings.AddSubMenuItemCheckbox("Connect on Startup", autoConnectMenuDescr, false)
 	s.mEnableRosenpass = s.mSettings.AddSubMenuItemCheckbox("Enable Quantum-Resistance", quantumResistanceMenuDescr, false)
+	s.mLazyConnEnabled = s.mSettings.AddSubMenuItemCheckbox("Enable Lazy Connections", lazyConnMenuDescr, false)
 	s.mBlockInbound = s.mSettings.AddSubMenuItemCheckbox("Block Inbound Connections", blockInboundMenuDescr, false)
 	s.mNotifications = s.mSettings.AddSubMenuItemCheckbox("Notifications", notificationsMenuDescr, false)
 	s.mSettings.AddSeparator()
@@ -1576,6 +1578,7 @@ func protoConfigToConfig(cfg *proto.GetConfigResponse) *profilemanager.Config {
 	config.RosenpassEnabled = cfg.RosenpassEnabled
 	config.RosenpassPermissive = cfg.RosenpassPermissive
 	config.DisableNotifications = &cfg.DisableNotifications
+	config.LazyConnectionEnabled = cfg.LazyConnectionEnabled
 	config.BlockInbound = cfg.BlockInbound
 	config.NetworkMonitor = &cfg.NetworkMonitor
 	config.DisableDNS = cfg.DisableDns
@@ -1679,6 +1682,12 @@ func (s *serviceClient) loadSettings() {
 		s.mEnableRosenpass.Uncheck()
 	}
 
+	if cfg.LazyConnectionEnabled {
+		s.mLazyConnEnabled.Check()
+	} else {
+		s.mLazyConnEnabled.Uncheck()
+	}
+
 	if cfg.BlockInbound {
 		s.mBlockInbound.Check()
 	} else {
@@ -1824,6 +1833,7 @@ func (s *serviceClient) updateConfig() error {
 	disableAutoStart := !s.mAutoConnect.Checked()
 	sshAllowed := s.mAllowSSH.Checked()
 	rosenpassEnabled := s.mEnableRosenpass.Checked()
+	lazyConnectionEnabled := s.mLazyConnEnabled.Checked()
 	blockInbound := s.mBlockInbound.Checked()
 	notificationsDisabled := !s.mNotifications.Checked()
 
@@ -1846,13 +1856,14 @@ func (s *serviceClient) updateConfig() error {
 	}
 
 	req := proto.SetConfigRequest{
-		ProfileName:          activeProf.ID.String(),
-		Username:             currUser.Username,
-		DisableAutoConnect:   &disableAutoStart,
-		ServerSSHAllowed:     &sshAllowed,
-		RosenpassEnabled:     &rosenpassEnabled,
-		BlockInbound:         &blockInbound,
-		DisableNotifications: &notificationsDisabled,
+		ProfileName:           activeProf.ID.String(),
+		Username:              currUser.Username,
+		DisableAutoConnect:    &disableAutoStart,
+		ServerSSHAllowed:      &sshAllowed,
+		RosenpassEnabled:      &rosenpassEnabled,
+		LazyConnectionEnabled: &lazyConnectionEnabled,
+		BlockInbound:          &blockInbound,
+		DisableNotifications:  &notificationsDisabled,
 	}
 
 	if _, err := conn.SetConfig(s.ctx, &req); err != nil {

client/ui/const.go

@@ -4,6 +4,7 @@ const (
 	allowSSHMenuDescr          = "Allow SSH connections"
 	autoConnectMenuDescr       = "Connect automatically when the service starts"
 	quantumResistanceMenuDescr = "Enable post-quantum security via Rosenpass"
+	lazyConnMenuDescr          = "[Experimental] Enable lazy connections"
 	blockInboundMenuDescr      = "Block inbound connections to the local machine and routed networks"
 	notificationsMenuDescr     = "Enable notifications"
 	advancedSettingsMenuDescr  = "Advanced settings of the application"

client/ui/event_handler.go

@@ -43,6 +43,8 @@ func (h *eventHandler) listen(ctx context.Context) {
 			h.handleAutoConnectClick()
 		case <-h.client.mEnableRosenpass.ClickedCh:
 			h.handleRosenpassClick()
+		case <-h.client.mLazyConnEnabled.ClickedCh:
+			h.handleLazyConnectionClick()
 		case <-h.client.mBlockInbound.ClickedCh:
 			h.handleBlockInboundClick()
 		case <-h.client.mAdvancedSettings.ClickedCh:
@@ -150,6 +152,15 @@ func (h *eventHandler) handleRosenpassClick() {
 	}
 }
 
+func (h *eventHandler) handleLazyConnectionClick() {
+	h.toggleCheckbox(h.client.mLazyConnEnabled)
+	if err := h.updateConfigWithErr(); err != nil {
+		h.toggleCheckbox(h.client.mLazyConnEnabled) // revert checkbox state on error
+		log.Errorf("failed to update config: %v", err)
+		h.client.notifier.Send("Error", "Failed to update lazy connection settings")
+	}
+}
+
 func (h *eventHandler) handleBlockInboundClick() {
 	h.toggleCheckbox(h.client.mBlockInbound)
 	if err := h.updateConfigWithErr(); err != nil {

go.mod

@@ -81,7 +81,7 @@ require (
 	github.com/moby/moby/api v1.54.1
 	github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
-	github.com/oapi-codegen/runtime v1.1.2
+	github.com/oapi-codegen/runtime v1.4.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/ory/dockertest/v4 v4.0.0
 	github.com/oschwald/maxminddb-golang v1.12.0

go.sum

@@ -528,8 +528,10 @@ github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
 github.com/nxadm/tail v1.4.11 h1:8feyoE3OzPrcshW5/MJ4sGESc5cqmGkGCWlco4l0bqY=
 github.com/nxadm/tail v1.4.11/go.mod h1:OTaG3NK980DZzxbRq6lEuzgU+mug70nY11sMd4JXXHc=
-github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
-github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
+github.com/oapi-codegen/nullable v1.1.0 h1:eAh8JVc5430VtYVnq00Hrbpag9PFRGWLjxR1/3KntMs=
+github.com/oapi-codegen/nullable v1.1.0/go.mod h1:KUZ3vUzkmEKY90ksAmit2+5juDIhIZhfDl+0PwOQlFY=
+github.com/oapi-codegen/runtime v1.4.2 h1:GMxFVYLzoYLua+/KvzgSphkyK1lLTReQI9Vf4hvATKE=
+github.com/oapi-codegen/runtime v1.4.2/go.mod h1:GwV7hC2hviaMzj+ITfHVRESK5J2W/GefVwIND/bMGvU=
 github.com/oklog/ulid v1.3.1 h1:EGfNDEx6MqHz8B3uNV6QAib1UR2Lm97sHi3ocA6ESJ4=
 github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
 github.com/okta/okta-sdk-golang/v2 v2.18.0 h1:cfDasMb7CShbZvOrF6n+DnLevWwiHgedWMGJ8M8xKDc=

infrastructure_files/getting-started-enterprise.sh

@@ -9,8 +9,6 @@ set -o pipefail
 
 SED_STRIP_PADDING='s/=//g'
 
-NETBIRD_EULA_URL="https://netbird.io/self-hosted-EULA"
-
 check_docker_compose() {
   if command -v docker-compose &> /dev/null; then
     echo "docker-compose"
@@ -141,43 +139,6 @@ read_yes_no() {
   esac
 }
 
-# Gate the install on explicit acceptance of the NetBird On-Premise EULA.
-require_eula_acceptance() {
-  cat > /dev/stderr <<EOF
-
-  ──────────────────────────────────────────────────────────────────────
-   NetBird On-Premise End User License Agreement
-  ──────────────────────────────────────────────────────────────────────
-  NetBird's on-premise software is commercial software, licensed and not
-  sold. Your installation, deployment and use are governed by the NetBird
-  On-Premise End User License Agreement (the "EULA"). Please read the EULA
-  in full before continuing:
-
-      ${NETBIRD_EULA_URL}
-
-  By typing "accept" and continuing the installation, you confirm that you
-  have read and agree to the EULA, that you are authorized to accept it on
-  behalf of your organization (the "Customer"), and that the Software is
-  used for business purposes only.
-  ──────────────────────────────────────────────────────────────────────
-EOF
-
-  if [[ "${NB_ACCEPT_EULA:-}" == "yes" ]]; then
-    echo "EULA accepted via NB_ACCEPT_EULA=yes." > /dev/stderr
-    return 0
-  fi
-
-  local ans=""
-  echo -n 'Type "accept" to agree, or anything else to abort: ' > /dev/stderr
-  read -r ans < /dev/tty
-  if [[ "$ans" != "accept" ]]; then
-    echo "" > /dev/stderr
-    echo "EULA not accepted. Aborting installation." > /dev/stderr
-    exit 1
-  fi
-  echo "" > /dev/stderr
-}
-
 wait_postgres() {
   set +e
   echo -n "Waiting for postgres to become ready"
@@ -213,9 +174,6 @@ init_environment() {
     exit 1
   fi
 
-  require_eula_acceptance
-  NETBIRD_EULA_ACCEPTED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
-
   echo "NetBird Enterprise bootstrap"
   echo ""
   echo "Traffic flow:"
@@ -302,11 +260,6 @@ render_env() {
 # Generated by getting-started-enterprise.sh
 # Holds all configuration and secrets for the stack. Mode 600.
 
-# NetBird On-Premise EULA acceptance
-NETBIRD_EULA_ACCEPTED=yes
-NETBIRD_EULA_ACCEPTED_AT=${NETBIRD_EULA_ACCEPTED_AT}
-NETBIRD_EULA_URL=${NETBIRD_EULA_URL}
-
 # Features (set by the script; don't edit without re-running)
 NETBIRD_TRAFFIC_FLOW_ENABLED=${NETBIRD_TRAFFIC_FLOW}
 

infrastructure_files/migrate-to-enterprise.sh

@@ -25,8 +25,6 @@ set -o pipefail
 OVERRIDE_FILE="docker-compose.override.yml"
 ENTERPRISE_CONFIG_FILE="config.yaml.enterprise"
 
-NETBIRD_EULA_URL="https://netbird.io/self-hosted-EULA"
-
 check_docker_compose() {
   if command -v docker-compose &> /dev/null; then
     echo "docker-compose"
@@ -117,43 +115,6 @@ read_yes_no() {
   esac
 }
 
-# Gate the migration on explicit acceptance of the NetBird On-Premise EULA.
-require_eula_acceptance() {
-  cat > /dev/stderr <<EOF
-
-  ──────────────────────────────────────────────────────────────────────
-   NetBird On-Premise End User License Agreement
-  ──────────────────────────────────────────────────────────────────────
-  NetBird's on-premise software is commercial software, licensed and not
-  sold. Your installation, deployment and use are governed by the NetBird
-  On-Premise End User License Agreement (the "EULA"). Please read the EULA
-  in full before continuing:
-
-      ${NETBIRD_EULA_URL}
-
-  By typing "accept" and continuing the installation, you confirm that you
-  have read and agree to the EULA, that you are authorized to accept it on
-  behalf of your organization (the "Customer"), and that the Software is
-  used for business purposes only.
-  ──────────────────────────────────────────────────────────────────────
-EOF
-
-  if [[ "${NB_ACCEPT_EULA:-}" == "yes" ]]; then
-    echo "EULA accepted via NB_ACCEPT_EULA=yes." > /dev/stderr
-    return 0
-  fi
-
-  local ans=""
-  echo -n 'Type "accept" to agree, or anything else to abort: ' > /dev/stderr
-  read -r ans < /dev/tty
-  if [[ "$ans" != "accept" ]]; then
-    echo "" > /dev/stderr
-    echo "EULA not accepted. Aborting migration." > /dev/stderr
-    exit 1
-  fi
-  echo "" > /dev/stderr
-}
-
 # ---------------------------------------------------------------------------
 # Detection — read the operator's existing compose to find service names and
 # paths we need to override. Bail loudly if shape isn't recognised.
@@ -475,9 +436,6 @@ init_migration() {
   echo "  Network:          $COMPOSE_NETWORK"
   echo ""
 
-  require_eula_acceptance
-  NETBIRD_EULA_ACCEPTED_AT=$(date -u +%Y-%m-%dT%H:%M:%SZ)
-
   local proceed
   proceed=$(read_yes_no "Proceed with migration?" "y")
   if [[ "$proceed" != "yes" ]]; then
@@ -571,10 +529,6 @@ apply_changes() {
   {
     echo ""
     echo "# Added by migrate-to-enterprise.sh on $(date -u +%Y-%m-%dT%H:%M:%SZ)"
-    echo "# NetBird On-Premise EULA accepted at install time"
-    echo "NETBIRD_EULA_ACCEPTED=yes"
-    echo "NETBIRD_EULA_ACCEPTED_AT=${NETBIRD_EULA_ACCEPTED_AT}"
-    echo "NETBIRD_EULA_URL=${NETBIRD_EULA_URL}"
     echo "NB_LICENSE_KEY=${NB_LICENSE_KEY}"
     if [[ -n "${NETBIRD_LICENSE_SERVER_BASE_URL:-}" ]]; then
       echo "NETBIRD_LICENSE_SERVER_BASE_URL=${NETBIRD_LICENSE_SERVER_BASE_URL}"

shared/management/client/grpc.go

@@ -1030,6 +1030,8 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 			BlockLANAccess:      info.BlockLANAccess,
 			BlockInbound:        info.BlockInbound,
 			DisableIPv6:         info.DisableIPv6,
+
+			LazyConnectionEnabled: info.LazyConnectionEnabled,
 		},
 
 		Capabilities: peerCapabilities(*info),