Fix id assignment

client/android/profile_manager.go

@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
-	"strings"
 
 	log "github.com/sirupsen/logrus"
 
@@ -24,6 +23,7 @@ const (
 
 // Profile represents a profile for gomobile
 type Profile struct {
+	ID       string
 	Name     string
 	IsActive bool
 }
@@ -53,10 +53,10 @@ func (p *ProfileArray) Get(i int) *Profile {
 ├── state.json                                  ← Default profile state
 ├── active_profile.json                         ← Active profile tracker (JSON with Name + Username)
 └── profiles/                                   ← Subdirectory for non-default profiles
-    ├── work.json                              ← Work profile config
-    ├── work.state.json                        ← Work profile state
-    ├── personal.json                          ← Personal profile config
-    └── personal.state.json                    ← Personal profile state
+    ├── work.json                              			← Legacy work profile config
+    ├── work.state.json                        			← Legacy work profile state
+    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.json  			← ID profile config
+    ├── 4c5f5c8198c3989cffb5b5394f5a7ae0.state.json ← ID profile state
 */
 
 // ProfileManager manages profiles for Android
@@ -99,6 +99,7 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 	var profiles []*Profile
 	for _, p := range internalProfiles {
 		profiles = append(profiles, &Profile{
+			ID:       p.ID.String(),
 			Name:     p.Name,
 			IsActive: p.IsActive,
 		})
@@ -108,55 +109,65 @@ func (pm *ProfileManager) ListProfiles() (*ProfileArray, error) {
 }
 
 // GetActiveProfile returns the currently active profile name
-func (pm *ProfileManager) GetActiveProfile() (string, error) {
+func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	activeState, err := pm.serviceMgr.GetActiveProfileState()
 	if err != nil {
-		return "", fmt.Errorf("failed to get active profile: %w", err)
+		return nil, fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return activeState.Name, nil
+
+	// ActiveProfileState only stores the ID (and username), not the display
+	// name. Resolve the ID to the full profile so callers get the real Name.
+	prof, err := pm.serviceMgr.ResolveProfile(activeState.ID.String(), androidUsername)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve active profile %q: %w", activeState.ID, err)
+	}
+	return &Profile{ID: prof.ID.String(), Name: prof.Name, IsActive: true}, nil
 }
 
 // SwitchProfile switches to a different profile
-func (pm *ProfileManager) SwitchProfile(profileName string) error {
+func (pm *ProfileManager) SwitchProfile(id string) error {
 	// Use ServiceManager to stay consistent with ListProfiles
 	// ServiceManager uses active_profile.json
 	err := pm.serviceMgr.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profileName,
+		ID:       profilemanager.ID(id),
 		Username: androidUsername,
 	})
 	if err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 
-	log.Infof("switched to profile: %s", profileName)
+	log.Infof("switched to profile: %s", id)
 	return nil
 }
 
 // AddProfile creates a new profile
 func (pm *ProfileManager) AddProfile(profileName string) error {
 	// Use ServiceManager (creates profile in profiles/ directory)
-	if err := pm.serviceMgr.AddProfile(profileName, androidUsername); err != nil {
+	profile, err := pm.serviceMgr.AddProfile(profileName, androidUsername)
+	if err != nil {
 		return fmt.Errorf("failed to add profile: %w", err)
 	}
 
-	log.Infof("created new profile: %s", profileName)
+	log.Infof("created new profile: %s", profile.ID)
 	return nil
 }
 
 // LogoutProfile logs out from a profile (clears authentication)
-func (pm *ProfileManager) LogoutProfile(profileName string) error {
-	profileName = sanitizeProfileName(profileName)
-
-	configPath, err := pm.getProfileConfigPath(profileName)
+func (pm *ProfileManager) LogoutProfile(id string) error {
+	configPath, err := pm.getProfileConfigPath(id)
 	if err != nil {
 		return err
 	}
 
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return fmt.Errorf("id '%s' is not valid", id)
+	}
+
 	// Check if profile exists
 	if _, err := os.Stat(configPath); os.IsNotExist(err) {
-		return fmt.Errorf("profile '%s' does not exist", profileName)
+		return fmt.Errorf("profile '%s' does not exist", id)
 	}
 
 	// Read current config using internal profilemanager
@@ -174,53 +185,56 @@ func (pm *ProfileManager) LogoutProfile(profileName string) error {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
 
-	log.Infof("logged out from profile: %s", profileName)
+	log.Infof("logged out from profile: %s", id)
 	return nil
 }
 
 // RemoveProfile deletes a profile
-func (pm *ProfileManager) RemoveProfile(profileName string) error {
+func (pm *ProfileManager) RemoveProfile(id string) error {
 	// Use ServiceManager (removes profile from profiles/ directory)
-	if err := pm.serviceMgr.RemoveProfile(profileName, androidUsername); err != nil {
+	if err := pm.serviceMgr.RemoveProfile(profilemanager.ID(id), androidUsername); err != nil {
 		return fmt.Errorf("failed to remove profile: %w", err)
 	}
 
-	log.Infof("removed profile: %s", profileName)
+	log.Infof("removed profile: %s", id)
 	return nil
 }
 
 // getProfileConfigPath returns the config file path for a profile
 // This is needed for Android-specific path handling (netbird.cfg for default profile)
-func (pm *ProfileManager) getProfileConfigPath(profileName string) (string, error) {
-	if profileName == "" || profileName == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) getProfileConfigPath(id string) (string, error) {
+	if id == "" || id == profilemanager.DefaultProfileName {
+		if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+			return "", fmt.Errorf("id %q is not valid", id)
+		}
 		// Android uses netbird.cfg for default profile instead of default.json
 		// Default profile is stored in root configDir, not in profiles/
 		return filepath.Join(pm.configDir, defaultConfigFilename), nil
 	}
 
-	// Non-default profiles are stored in profiles subdirectory
-	// This matches the Java Preferences.java expectation
-	profileName = sanitizeProfileName(profileName)
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, profileName+".json"), nil
+	return filepath.Join(profilesDir, id+".json"), nil
 }
 
-// GetConfigPath returns the config file path for a given profile
+// GetConfigPath returns the config file path for a given profile id
 // Java should call this instead of constructing paths with Preferences.configFile()
-func (pm *ProfileManager) GetConfigPath(profileName string) (string, error) {
-	return pm.getProfileConfigPath(profileName)
+func (pm *ProfileManager) GetConfigPath(id string) (string, error) {
+	return pm.getProfileConfigPath(id)
 }
 
 // GetStateFilePath returns the state file path for a given profile
 // Java should call this instead of constructing paths with Preferences.stateFile()
-func (pm *ProfileManager) GetStateFilePath(profileName string) (string, error) {
-	if profileName == "" || profileName == profilemanager.DefaultProfileName {
+func (pm *ProfileManager) GetStateFilePath(id string) (string, error) {
+	if id == "" || id == profilemanager.DefaultProfileName {
 		return filepath.Join(pm.configDir, "state.json"), nil
 	}
 
-	profileName = sanitizeProfileName(profileName)
+	if !profilemanager.IsValidProfileFilenameStem(profilemanager.ID(id)) {
+		return "", fmt.Errorf("id %q is not valid", id)
+	}
+
 	profilesDir := filepath.Join(pm.configDir, profilesSubdir)
-	return filepath.Join(profilesDir, profileName+".state.json"), nil
+	return filepath.Join(profilesDir, id+".state.json"), nil
 }
 
 // GetActiveConfigPath returns the config file path for the currently active profile
@@ -230,7 +244,7 @@ func (pm *ProfileManager) GetActiveConfigPath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetConfigPath(activeProfile)
+	return pm.GetConfigPath(activeProfile.ID)
 }
 
 // GetActiveStateFilePath returns the state file path for the currently active profile
@@ -240,18 +254,5 @@ func (pm *ProfileManager) GetActiveStateFilePath() (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("failed to get active profile: %w", err)
 	}
-	return pm.GetStateFilePath(activeProfile)
-}
-
-// sanitizeProfileName removes invalid characters from profile name
-func sanitizeProfileName(name string) string {
-	// Keep only alphanumeric, underscore, and hyphen
-	var result strings.Builder
-	for _, r := range name {
-		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
-			(r >= '0' && r <= '9') || r == '_' || r == '-' {
-			result.WriteRune(r)
-		}
-	}
-	return result.String()
+	return pm.GetStateFilePath(activeProfile.ID)
 }

client/cmd/login.go

@@ -96,17 +96,19 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		dnsLabelsReq = dnsLabelsValidated.ToSafeStringList()
 	}
 
+	handle := activeProf.ID.String()
+
 	loginRequest := proto.LoginRequest{
 		SetupKey:            providedSetupKey,
 		ManagementUrl:       managementURL,
 		IsUnixDesktopClient: isUnixRunningDesktop(),
 		Hostname:            hostName,
 		DnsLabels:           dnsLabelsReq,
-		ProfileName:         &activeProf.Name,
+		ProfileName:         &handle,
 		Username:            &username,
 	}
 
-	profileState, err := pm.GetProfileState(activeProf.Name)
+	profileState, err := pm.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -170,14 +172,13 @@ func getActiveProfile(ctx context.Context, pm *profilemanager.ProfileManager, pr
 	return activeProf, nil
 }
 
-func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, profileName string, username string) error {
-	err := switchProfile(context.Background(), profileName, username)
+func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManager, handle string, username string) error {
+	resolvedID, err := switchProfile(ctx, handle, username)
 	if err != nil {
 		return fmt.Errorf("switch profile on daemon: %v", err)
 	}
 
-	err = pm.SwitchProfile(profileName)
-	if err != nil {
+	if err := pm.SwitchProfile(resolvedID); err != nil {
 		return fmt.Errorf("switch profile: %v", err)
 	}
 
@@ -205,11 +206,15 @@ func switchProfileOnDaemon(ctx context.Context, pm *profilemanager.ProfileManage
 	return nil
 }
 
-func switchProfile(ctx context.Context, profileName string, username string) error {
+// switchProfile asks the daemon to switch to the profile identified by
+// handle (a name, ID, or unique ID prefix). Returns the resolved profile
+// ID so the caller can update the local active-profile state without
+// re-resolving the handle.
+func switchProfile(ctx context.Context, handle string, username string) (profilemanager.ID, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
-		return fmt.Errorf("failed to connect to daemon error: %v\n"+
+		return "", fmt.Errorf("failed to connect to daemon error: %v\n"+
 			"If the daemon is not running please run: "+
 			"\nnetbird service install \nnetbird service start\n", err)
 	}
@@ -217,15 +222,15 @@ func switchProfile(ctx context.Context, profileName string, username string) err
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	_, err = client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-		ProfileName: &profileName,
+	resp, err := client.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &handle,
 		Username:    &username,
 	})
 	if err != nil {
-		return fmt.Errorf("switch profile failed: %v", err)
+		return "", fmt.Errorf("switch profile failed: %v", err)
 	}
 
-	return nil
+	return profilemanager.ID(resp.Id), nil
 }
 
 func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string, activeProf *profilemanager.Profile) error {
@@ -249,7 +254,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}
 
-	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.ID)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -277,7 +282,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }
 
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string, profileID profilemanager.ID) error {
 	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
@@ -291,7 +296,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 
 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileID)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -306,10 +311,10 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }
 
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileID profilemanager.ID) (*auth.TokenInfo, error) {
 	hint := ""
 	pm := profilemanager.NewProfileManager()
-	profileState, err := pm.GetProfileState(profileName)
+	profileState, err := pm.GetProfileState(profileID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {

client/cmd/login_test.go

@@ -27,7 +27,7 @@ func TestLogin(t *testing.T) {
 	profilemanager.ActiveProfileStatePath = tempDir + "/active_profile.json"
 	sm := profilemanager.ServiceManager{}
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "default",
+		ID:       "default",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/cmd/profile.go

@@ -2,11 +2,16 @@ package cmd
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"os/user"
+	"strings"
+	"text/tabwriter"
 	"time"
 
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
@@ -14,6 +19,8 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
+var profileListShowID bool
+
 var profileCmd = &cobra.Command{
 	Use:   "profile",
 	Short: "Manage NetBird client profiles",
@@ -31,27 +38,32 @@ var profileListCmd = &cobra.Command{
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
 	Short: "Add a new profile",
-	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
+	Long:  `Add a new profile. Profile name is free-form, a unique ID is generated for the on-disk config file.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
 }
 
 var profileRemoveCmd = &cobra.Command{
-	Use:   "remove <profile_name>",
-	Short: "Remove a profile",
-	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
-	Args:  cobra.ExactArgs(1),
-	RunE:  removeProfileFunc,
+	Use:     "remove <profile>",
+	Short:   "Remove a profile",
+	Long:    `Remove a profile by name, ID, or unique ID prefix.`,
+	Aliases: []string{"rm"},
+	Args:    cobra.ExactArgs(1),
+	RunE:    removeProfileFunc,
 }
 
 var profileSelectCmd = &cobra.Command{
-	Use:   "select <profile_name>",
+	Use:   "select <profile>",
 	Short: "Select a profile",
-	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
+	Long:  `Make the specified profile active. Accepts a name, ID, or unique ID prefix.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }
 
+func init() {
+	profileListCmd.Flags().BoolVar(&profileListShowID, "show-id", false, "show the profile ID column")
+}
+
 func setupCmd(cmd *cobra.Command) error {
 	SetFlagsFromEnvVars(rootCmd)
 	SetFlagsFromEnvVars(cmd)
@@ -65,6 +77,7 @@ func setupCmd(cmd *cobra.Command) error {
 
 	return nil
 }
+
 func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 	if err := setupCmd(cmd); err != nil {
 		return err
@@ -83,25 +96,33 @@ func listProfilesFunc(cmd *cobra.Command, _ []string) error {
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
 
-	profiles, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
+	resp, err := daemonClient.ListProfiles(cmd.Context(), &proto.ListProfilesRequest{
 		Username: currUser.Username,
 	})
 	if err != nil {
 		return err
 	}
 
-	// list profiles, add a tick if the profile is active
-	cmd.Println("Found", len(profiles.Profiles), "profiles:")
-	for _, profile := range profiles.Profiles {
-		// use a cross to indicate the passive profiles
-		activeMarker := "✗"
-		if profile.IsActive {
-			activeMarker = "✓"
-		}
-		cmd.Println(activeMarker, profile.Name)
+	tw := tabwriter.NewWriter(cmd.OutOrStdout(), 0, 0, 2, ' ', 0)
+	if profileListShowID {
+		fmt.Fprintln(tw, "ID\tNAME\tACTIVE")
+	} else {
+		fmt.Fprintln(tw, "NAME\tACTIVE")
 	}
-
-	return nil
+	for _, profile := range resp.Profiles {
+		marker := ""
+		if profile.IsActive {
+			marker = "✓"
+		}
+		name := profilemanager.StripCtrlChars(profile.Name)
+		id := profilemanager.ID(profile.Id)
+		if profileListShowID {
+			fmt.Fprintf(tw, "%s\t%s\t%s\n", id.ShortID(), name, marker)
+		} else {
+			fmt.Fprintf(tw, "%s\t%s\n", name, marker)
+		}
+	}
+	return tw.Flush()
 }
 
 func addProfileFunc(cmd *cobra.Command, args []string) error {
@@ -121,19 +142,51 @@ func addProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
-
 	profileName := args[0]
 
-	_, err = daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
+	resp, err := daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
 		ProfileName: profileName,
 		Username:    currUser.Username,
 	})
-	if err != nil {
-		return err
+	if err == nil {
+		id := profilemanager.ID(resp.Id)
+		cmd.Printf("Profile added: %s  %s\n", id.ShortID(), profilemanager.StripCtrlChars(profileName))
+		return nil
 	}
 
-	cmd.Println("Profile added successfully:", profileName)
-	return nil
+	if st, ok := gstatus.FromError(err); ok && st.Code() == codes.AlreadyExists {
+		dupCount, _ := countProfilesWithName(cmd.Context(), daemonClient, currUser.Username, profileName)
+		if dupCount > 0 {
+			cmd.Printf("Warning: %d other profile(s) already use the name %q.\n", dupCount, profileName)
+			cmd.Println("Use `netbird profile list --show-id` to disambiguate later.")
+		}
+		resp, err = daemonClient.AddProfile(cmd.Context(), &proto.AddProfileRequest{
+			ProfileName: profileName,
+			Username:    currUser.Username,
+		})
+		if err != nil {
+			return err
+		}
+		id := profilemanager.ID(resp.Id)
+		cmd.Printf("Profile added: %s  %s\n", id.ShortID(), profilemanager.StripCtrlChars(profileName))
+		return nil
+	}
+
+	return err
+}
+
+func countProfilesWithName(ctx context.Context, c proto.DaemonServiceClient, username, name string) (int, error) {
+	resp, err := c.ListProfiles(ctx, &proto.ListProfilesRequest{Username: username})
+	if err != nil {
+		return 0, err
+	}
+	n := 0
+	for _, p := range resp.Profiles {
+		if p.Name == name {
+			n++
+		}
+	}
+	return n, nil
 }
 
 func removeProfileFunc(cmd *cobra.Command, args []string) error {
@@ -153,18 +206,17 @@ func removeProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
+	handle := args[0]
 
-	profileName := args[0]
-
-	_, err = daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
-		ProfileName: profileName,
+	resp, err := daemonClient.RemoveProfile(cmd.Context(), &proto.RemoveProfileRequest{
+		ProfileName: handle,
 		Username:    currUser.Username,
 	})
 	if err != nil {
-		return err
+		return wrapAmbiguityError(err, handle)
 	}
 
-	cmd.Println("Profile removed successfully:", profileName)
+	cmd.Printf("Profile removed: %s\n", resp.Id)
 	return nil
 }
 
@@ -174,7 +226,7 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 	}
 
 	profileManager := profilemanager.NewProfileManager()
-	profileName := args[0]
+	handle := args[0]
 
 	currUser, err := user.Current()
 	if err != nil {
@@ -191,32 +243,15 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 
 	daemonClient := proto.NewDaemonServiceClient(conn)
 
-	profiles, err := daemonClient.ListProfiles(ctx, &proto.ListProfilesRequest{
-		Username: currUser.Username,
+	switchResp, err := daemonClient.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+		ProfileName: &handle,
+		Username:    &currUser.Username,
 	})
 	if err != nil {
-		return fmt.Errorf("list profiles: %w", err)
+		return wrapAmbiguityError(err, handle)
 	}
 
-	var profileExists bool
-
-	for _, profile := range profiles.Profiles {
-		if profile.Name == profileName {
-			profileExists = true
-			break
-		}
-	}
-
-	if !profileExists {
-		return fmt.Errorf("profile %s does not exist", profileName)
-	}
-
-	if err := switchProfile(cmd.Context(), profileName, currUser.Username); err != nil {
-		return err
-	}
-
-	err = profileManager.SwitchProfile(profileName)
-	if err != nil {
+	if err := profileManager.SwitchProfile(profilemanager.ID(switchResp.Id)); err != nil {
 		return err
 	}
 
@@ -231,6 +266,30 @@ func selectProfileFunc(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	cmd.Println("Profile switched successfully to:", profileName)
+	id := profilemanager.ID(switchResp.Id)
+	cmd.Printf("Profile switched to: %s\n", id.ShortID())
 	return nil
 }
+
+// wrapAmbiguityError turns the daemon's gRPC InvalidArgument errors
+// (which carry the resolver's message verbatim) into CLI-friendly text
+// that points the user at --show-id.
+func wrapAmbiguityError(err error, handle string) error {
+	if err == nil {
+		return nil
+	}
+	st, ok := gstatus.FromError(err)
+	if !ok {
+		return err
+	}
+	switch st.Code() {
+	case codes.InvalidArgument:
+		msg := st.Message()
+		if strings.Contains(msg, "ambiguous") {
+			return errors.New(msg + "\nRun `netbird profile list --show-id` to see IDs, then select by ID prefix:\n  netbird profile select|remove <id-prefix>")
+		}
+	case codes.NotFound:
+		return fmt.Errorf("profile %q not found", handle)
+	}
+	return err
+}

client/cmd/up.go

@@ -128,13 +128,12 @@ func upFunc(cmd *cobra.Command, args []string) error {
 	var profileSwitched bool
 	// switch profile if provided
 	if profileName != "" {
-		err = switchProfile(cmd.Context(), profileName, username.Username)
+		resolvedID, err := switchProfile(cmd.Context(), profileName, username.Username)
 		if err != nil {
 			return fmt.Errorf("switch profile: %v", err)
 		}
 
-		err = pm.SwitchProfile(profileName)
-		if err != nil {
+		if err := pm.SwitchProfile(resolvedID); err != nil {
 			return fmt.Errorf("switch profile: %v", err)
 		}
 
@@ -190,7 +189,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 
 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
 
-	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.ID)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -261,10 +260,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 	}
 
 	// set the new config
-	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.Name, username.Username)
+	req := setupSetConfigReq(customDNSAddressConverted, cmd, activeProf.ID.String(), username.Username)
 	if _, err := client.SetConfig(ctx, req); err != nil {
 		if st, ok := gstatus.FromError(err); ok && st.Code() == codes.Unavailable {
-			log.Warnf("setConfig method is not available in the daemon")
+			log.Warnf("setConfig method is not available in the daemon: %s", st.Message())
 		} else {
 			return fmt.Errorf("call service setConfig method: %v", err)
 		}
@@ -289,10 +288,11 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 		return fmt.Errorf("setup login request: %v", err)
 	}
 
-	loginRequest.ProfileName = &activeProf.Name
+	profileID := activeProf.ID.String()
+	loginRequest.ProfileName = &profileID
 	loginRequest.Username = &username
 
-	profileState, err := pm.GetProfileState(activeProf.Name)
+	profileState, err := pm.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -329,7 +329,7 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	}
 
 	if _, err := client.Up(ctx, &proto.UpRequest{
-		ProfileName: &activeProf.Name,
+		ProfileName: &profileID,
 		Username:    &username,
 	}); err != nil {
 		return fmt.Errorf("call service up method: %v", err)

client/cmd/up_daemon_test.go

@@ -29,14 +29,14 @@ func TestUpDaemon(t *testing.T) {
 	}
 
 	sm := profilemanager.ServiceManager{}
-	err = sm.AddProfile("test1", currUser.Username)
+	created, err := sm.AddProfile("test1", currUser.Username)
 	if err != nil {
 		t.Fatalf("failed to add profile: %v", err)
 		return
 	}
 
 	err = sm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "test1",
+		ID:       created.ID,
 		Username: currUser.Username,
 	})
 	if err != nil {

client/firewall/iptables/acl_linux.go

@@ -3,7 +3,6 @@ package iptables
 import (
 	"errors"
 	"fmt"
-	"maps"
 	"net"
 	"slices"
 
@@ -422,17 +421,12 @@ func (m *aclManager) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()
 
-	// Clone the maps so the persisted state holds a private snapshot. The
-	// live maps keep being mutated by subsequent rule operations while the
-	// state manager marshals the state from its periodic-save goroutine.
-	// Sharing them by reference races the two and aborts the process with a
-	// concurrent map iteration and write.
 	if m.v6 {
-		currentState.ACLEntries6 = maps.Clone(m.entries)
-		currentState.ACLIPsetStore6 = m.ipsetStore.clone()
+		currentState.ACLEntries6 = m.entries
+		currentState.ACLIPsetStore6 = m.ipsetStore
 	} else {
-		currentState.ACLEntries = maps.Clone(m.entries)
-		currentState.ACLIPsetStore = m.ipsetStore.clone()
+		currentState.ACLEntries = m.entries
+		currentState.ACLIPsetStore = m.ipsetStore
 	}
 
 	if err := m.stateManager.UpdateState(currentState); err != nil {

client/firewall/iptables/router_linux.go

@@ -4,7 +4,6 @@ package iptables
 
 import (
 	"fmt"
-	"maps"
 	"net/netip"
 	"strconv"
 	"strings"
@@ -750,17 +749,11 @@ func (r *router) updateState() {
 	currentState.Lock()
 	defer currentState.Unlock()
 
-	// Clone the rule map so the persisted state holds a private snapshot. The
-	// live map keeps being mutated by subsequent rule operations while the
-	// state manager marshals the state from its periodic-save goroutine.
-	// Sharing it by reference races the two and aborts the process with a
-	// concurrent map iteration and write. The ipset counter guards itself
-	// during marshaling, so it can be shared directly.
 	if r.v6 {
-		currentState.RouteRules6 = maps.Clone(r.rules)
+		currentState.RouteRules6 = r.rules
 		currentState.RouteIPsetCounter6 = r.ipsetCounter
 	} else {
-		currentState.RouteRules = maps.Clone(r.rules)
+		currentState.RouteRules = r.rules
 		currentState.RouteIPsetCounter = r.ipsetCounter
 	}
 

client/firewall/iptables/rulestore_linux.go

@@ -1,9 +1,6 @@
 package iptables
 
-import (
-	"encoding/json"
-	"maps"
-)
+import "encoding/json"
 
 type ipList struct {
 	ips map[string]struct{}
@@ -22,14 +19,6 @@ func (s *ipList) addIP(ip string) {
 	s.ips[ip] = struct{}{}
 }
 
-// clone returns a deep copy of the ipList with its own ips map.
-func (s *ipList) clone() *ipList {
-	if s == nil {
-		return nil
-	}
-	return &ipList{ips: maps.Clone(s.ips)}
-}
-
 // MarshalJSON implements json.Marshaler
 func (s *ipList) MarshalJSON() ([]byte, error) {
 	return json.Marshal(struct {
@@ -66,19 +55,6 @@ func newIpsetStore() *ipsetStore {
 	}
 }
 
-// clone returns a deep copy of the ipsetStore with its own ipsets map and
-// independent ipList entries.
-func (s *ipsetStore) clone() *ipsetStore {
-	if s == nil {
-		return nil
-	}
-	cloned := &ipsetStore{ipsets: make(map[string]*ipList, len(s.ipsets))}
-	for name, list := range s.ipsets {
-		cloned.ipsets[name] = list.clone()
-	}
-	return cloned
-}
-
 func (s *ipsetStore) ipset(ipsetName string) (*ipList, bool) {
 	r, ok := s.ipsets[ipsetName]
 	return r, ok

client/internal/debug/debug_test.go

@@ -843,6 +843,7 @@ func TestAddConfig_AllFieldsCovered(t *testing.T) {
 		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
 		"SSHKey":            "sensitive: SSH private key",
 		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
+		"Name":              "non-config: profile name is not needed for debug purposes",
 	}
 
 	mURL, _ := url.Parse("https://api.example.com:443")

client/internal/dns/server.go

@@ -777,24 +777,13 @@ func (s *DefaultServer) applyHostConfig() {
 // context is released rather than leaked until GC.
 func (s *DefaultServer) registerFallback() {
 	originalNameservers := s.hostManager.getOriginalNameservers()
-
-	serverIP := s.service.RuntimeIP()
-	var servers []netip.AddrPort
-	for _, ns := range originalNameservers {
-		if ns == serverIP {
-			log.Debugf("skipping original nameserver %s as it is the same as the server IP %s", ns, serverIP)
-			continue
-		}
-		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
-	}
-
-	if len(servers) == 0 {
+	if len(originalNameservers) == 0 {
 		log.Debugf("no fallback upstreams to register; clearing PriorityFallback handler")
 		s.clearFallback()
 		return
 	}
 
-	log.Infof("registering original nameservers %v as upstream handlers with priority %d", servers, PriorityFallback)
+	log.Infof("registering original nameservers %v as upstream handlers with priority %d", originalNameservers, PriorityFallback)
 
 	handler, err := newUpstreamResolver(
 		s.ctx,
@@ -808,6 +797,11 @@ func (s *DefaultServer) registerFallback() {
 		return
 	}
 	handler.selectedRoutes = s.selectedRoutes
+
+	var servers []netip.AddrPort
+	for _, ns := range originalNameservers {
+		servers = append(servers, netip.AddrPortFrom(ns, DefaultPort))
+	}
 	handler.addRace(servers)
 
 	prev := s.fallbackHandler

client/internal/profilemanager/config.go

@@ -103,6 +103,10 @@ type ConfigInput struct {
 
 // Config Configuration type
 type Config struct {
+	// Name is the human-readable profile name shown in CLI/UI listings.
+	// It is independent of the profile's on-disk filename (which is the ID).
+	Name string
+
 	// Wireguard private key of local peer
 	PrivateKey                    string
 	PreSharedKey                  string
@@ -248,6 +252,16 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 }
 
 func (config *Config) apply(input ConfigInput) (updated bool, err error) {
+	if config.Name != "" {
+		sanitized, err := sanitizeDisplayName(config.Name)
+		if err != nil {
+			return false, fmt.Errorf("invalid profile name: %w", err)
+		}
+		if sanitized != config.Name {
+			config.Name = sanitized
+			updated = true
+		}
+	}
 	if config.ManagementURL == nil {
 		log.Infof("using default Management URL %s", DefaultManagementURL)
 		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)

client/internal/profilemanager/id.go

@@ -0,0 +1,118 @@
+package profilemanager
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"path/filepath"
+	"strings"
+	"unicode"
+	"unicode/utf8"
+)
+
+const (
+	// profileIDByteLen is the number of random bytes generated for a new
+	// profile ID. The resulting hex string is twice this length.
+	profileIDByteLen = 16
+
+	// shortIDLen is the number of leading characters of an ID we render in
+	// list output. Profiles per device are few, so 8 chars is collision-safe
+	// in practice and easy to type as a prefix.
+	shortIDLen = 8
+
+	// maxProfileNameLen caps the human-readable profile name to keep table
+	// output legible and prevent denial-of-service via huge JSON fields.
+	maxProfileNameLen = 128
+
+	// maxProfileIDLen bounds the on-disk filename we'll accept. New
+	// IDs are 32 hex chars, legacy stems are sanitized profile names. The
+	// cap is generous enough to cover both without permitting absurdly
+	// long filenames.
+	maxProfileIDLen = 64
+)
+
+type ID string
+
+// generateProfileID returns a new random hex ID for a profile file.
+func generateProfileID() (ID, error) {
+	buf := make([]byte, profileIDByteLen)
+	if _, err := rand.Read(buf); err != nil {
+		return "", fmt.Errorf("read random bytes: %w", err)
+	}
+	return ID(hex.EncodeToString(buf)), nil
+}
+
+// IsValidProfileFilenameStem reports whether id is safe to use as the stem
+// of a profile JSON filename.
+func IsValidProfileFilenameStem(id ID) bool {
+	s := id.String()
+	if s == "" || len(s) > maxProfileIDLen {
+		return false
+	}
+	if s == defaultProfileName {
+		return true
+	}
+	if strings.ContainsAny(s, `/\`) || strings.Contains(s, "..") {
+		return false
+	}
+	// filepath.Base catches any leftover separators on platforms with
+	// exotic path conventions.
+	if filepath.Base(s) != s {
+		return false
+	}
+	for _, r := range s {
+		if !(unicode.IsLetter(r) || unicode.IsDigit(r) || r == '_' || r == '-') {
+			return false
+		}
+	}
+	return true
+}
+
+// sanitizeDisplayName normalizes a user-supplied profile display name for
+// storage. It strips ASCII control characters, rejects invalid UTF-8, and
+// caps the length. Emojis, spaces, punctuation, and non-ASCII letters are
+// preserved. Returns an error if nothing usable remains.
+func sanitizeDisplayName(name string) (string, error) {
+	if !utf8.ValidString(name) {
+		return "", fmt.Errorf("name is not valid UTF-8")
+	}
+	name = StripCtrlChars(name)
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return "", fmt.Errorf("name is empty after sanitization")
+	}
+	if utf8.RuneCountInString(name) > maxProfileNameLen {
+		return "", fmt.Errorf("name exceeds %d characters", maxProfileNameLen)
+	}
+	return name, nil
+}
+
+// StripCtrlChars control characters from a name before printing it.
+func StripCtrlChars(name string) string {
+	var b strings.Builder
+	b.Grow(len(name))
+	for _, r := range name {
+		// Skip C0 controls and DEL, plus C1 controls (0x80–0x9F).
+		if r < 0x20 || r == 0x7F || (r >= 0x80 && r <= 0x9F) {
+			continue
+		}
+		b.WriteRune(r)
+	}
+	return b.String()
+}
+
+// ShortID truncates an ID for display.
+func (id ID) ShortID() string {
+	if id == DefaultProfileName {
+		return DefaultProfileName
+	}
+	runes := []rune(id)
+	if len(runes) <= shortIDLen {
+		return id.String()
+	}
+	return string(runes[:shortIDLen])
+}
+
+func (id ID) String() string {
+	return string(id)
+}

client/internal/profilemanager/profilemanager.go

@@ -19,19 +19,41 @@ const (
 )
 
 type Profile struct {
-	Name     string
+	// ID is the on-disk filename stem (without .json). For new profiles
+	// it is a 32-char hex string; legacy profiles created before the
+	// ID-keyed layout keep their original name as their ID. The reserved
+	// value "default" identifies the special default profile.
+	ID ID
+	// Name is the human-readable display name. Falls back to ID when the
+	// underlying JSON has no "name" field set.
+	Name string
+	// Path is the absolute path to the profile JSON. Populated by the
+	// loader so callers do not have to reconstruct it from ID + dir.
+	Path     string
 	IsActive bool
 }
 
 func (p *Profile) FilePath() (string, error) {
-	if p.Name == "" {
-		return "", fmt.Errorf("active profile name is empty")
+	if p.Path != "" {
+		return p.Path, nil
 	}
 
-	if p.Name == defaultProfileName {
+	id := p.ID
+	if id == "" {
+		id = ID(p.Name)
+	}
+	if id == "" {
+		return "", fmt.Errorf("profile ID is empty")
+	}
+
+	if id == defaultProfileName {
 		return DefaultConfigPath, nil
 	}
 
+	if !IsValidProfileFilenameStem(id) {
+		return "", fmt.Errorf("invalid profile ID: %q", id)
+	}
+
 	username, err := user.Current()
 	if err != nil {
 		return "", fmt.Errorf("failed to get current user: %w", err)
@@ -42,10 +64,13 @@ func (p *Profile) FilePath() (string, error) {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", username.Username, err)
 	}
 
-	return filepath.Join(configDir, p.Name+".json"), nil
+	return filepath.Join(configDir, id.String()+".json"), nil
 }
 
 func (p *Profile) IsDefault() bool {
+	if p.ID != "" {
+		return p.ID == defaultProfileName
+	}
 	return p.Name == defaultProfileName
 }
 
@@ -57,18 +82,24 @@ func NewProfileManager() *ProfileManager {
 	return &ProfileManager{}
 }
 
+// GetActiveProfile returns the active profile as recorded in the local
+// user state file. Only ID is populated.
 func (pm *ProfileManager) GetActiveProfile() (*Profile, error) {
 	pm.mu.Lock()
 	defer pm.mu.Unlock()
 
-	prof := pm.getActiveProfileState()
-	return &Profile{Name: prof}, nil
+	id := pm.getActiveProfileState()
+	return &Profile{ID: id}, nil
 }
 
-func (pm *ProfileManager) SwitchProfile(profileName string) error {
-	profileName = sanitizeProfileName(profileName)
+// SwitchProfile records the given profile ID as active in the local user
+// state file.
+func (pm *ProfileManager) SwitchProfile(id ID) error {
+	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid profile ID: %q", id)
+	}
 
-	if err := pm.setActiveProfileState(profileName); err != nil {
+	if err := pm.setActiveProfileState(id); err != nil {
 		return fmt.Errorf("failed to switch profile: %w", err)
 	}
 	return nil
@@ -85,7 +116,7 @@ func sanitizeProfileName(name string) string {
 	}, name)
 }
 
-func (pm *ProfileManager) getActiveProfileState() string {
+func (pm *ProfileManager) getActiveProfileState() ID {
 
 	configDir, err := getConfigDir()
 	if err != nil {
@@ -113,10 +144,10 @@ func (pm *ProfileManager) getActiveProfileState() string {
 		return defaultProfileName
 	}
 
-	return profileName
+	return ID(profileName)
 }
 
-func (pm *ProfileManager) setActiveProfileState(profileName string) error {
+func (pm *ProfileManager) setActiveProfileState(id ID) error {
 
 	configDir, err := getConfigDir()
 	if err != nil {
@@ -125,7 +156,7 @@ func (pm *ProfileManager) setActiveProfileState(profileName string) error {
 
 	statePath := filepath.Join(configDir, activeProfileStateFilename)
 
-	err = os.WriteFile(statePath, []byte(profileName), 0600)
+	err = os.WriteFile(statePath, []byte(id), 0600)
 	if err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
@@ -142,7 +173,7 @@ func GetLoginHint() string {
 		return ""
 	}
 
-	profileState, err := pm.GetProfileState(activeProf.Name)
+	profileState, err := pm.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 		return ""

client/internal/profilemanager/profilemanager_test.go

@@ -50,14 +50,14 @@ func TestServiceManager_CreateAndGetDefaultProfile(t *testing.T) {
 
 			state, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, state.Name, defaultProfileName) // No active profile state yet
+			assert.Equal(t, defaultProfileName, state.ID.String()) // No active profile state yet
 
 			err = sm.SetActiveProfileStateToDefault()
 			assert.NoError(t, err)
 
 			active, err := sm.GetActiveProfileState()
 			assert.NoError(t, err)
-			assert.Equal(t, "default", active.Name)
+			assert.Equal(t, "default", active.ID.String())
 		})
 	})
 }
@@ -92,14 +92,14 @@ func TestServiceManager_SetActiveProfileState(t *testing.T) {
 			currUser, err := user.Current()
 			assert.NoError(t, err)
 			sm := &ServiceManager{}
-			state := &ActiveProfileState{Name: "foo", Username: currUser.Username}
+			state := &ActiveProfileState{ID: "foo", Username: currUser.Username}
 			err = sm.SetActiveProfileState(state)
 			assert.NoError(t, err)
 
 			// Should error on nil or incomplete state
 			err = sm.SetActiveProfileState(nil)
 			assert.Error(t, err)
-			err = sm.SetActiveProfileState(&ActiveProfileState{Name: "", Username: ""})
+			err = sm.SetActiveProfileState(&ActiveProfileState{ID: "", Username: ""})
 			assert.Error(t, err)
 		})
 	})

client/internal/profilemanager/service.go

@@ -2,6 +2,7 @@ package profilemanager
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -23,12 +24,43 @@ var (
 	DefaultConfigPathDir   = ""
 	DefaultConfigPath      = ""
 	ActiveProfileStatePath = ""
-)
 
-var (
 	ErrorOldDefaultConfigNotFound = errors.New("old default config not found")
 )
 
+// ErrAmbiguousHandle is returned when a profile handle (ID prefix or name)
+// matches more than one profile. Callers can render Candidates to help the
+// user disambiguate.
+type ErrAmbiguousHandle struct {
+	Handle     string
+	Candidates []Profile
+	Kind       AmbiguityKind
+}
+
+// AmbiguityKind describes which matcher produced the ambiguity, so callers
+// can tailor the error message.
+type AmbiguityKind int
+
+const (
+	AmbiguityKindIDPrefix AmbiguityKind = iota
+	AmbiguityKindName
+)
+
+// profileMeta is the minimal slice of a profile JSON we need, so we avoid
+// reading all fields
+type profileMeta struct {
+	Name string
+}
+
+func (e *ErrAmbiguousHandle) Error() string {
+	switch e.Kind {
+	case AmbiguityKindIDPrefix:
+		return fmt.Sprintf("ID prefix %q is ambiguous (matches %d profiles)", e.Handle, len(e.Candidates))
+	default:
+		return fmt.Sprintf("name %q is ambiguous (%d profiles share this name)", e.Handle, len(e.Candidates))
+	}
+}
+
 func init() {
 
 	DefaultConfigPathDir = "/var/lib/netbird/"
@@ -54,25 +86,34 @@ func init() {
 }
 
 type ActiveProfileState struct {
-	Name     string `json:"name"`
+	// ID is the on-disk filename stem of the active profile. The JSON tag stays
+	// as "name" for backwards compatibility with active state files written
+	// before the ID-based config files. Legacy values were profile names, which
+	// were also the legacy filename stems, so they still resolve to the correct
+	// file on disk.
+	ID       ID     `json:"name"`
 	Username string `json:"username"`
 }
 
 func (a *ActiveProfileState) FilePath() (string, error) {
-	if a.Name == "" {
-		return "", fmt.Errorf("active profile name is empty")
+	if a.ID == "" {
+		return "", fmt.Errorf("active profile ID is empty")
 	}
 
-	if a.Name == defaultProfileName {
+	if a.ID == defaultProfileName {
 		return DefaultConfigPath, nil
 	}
 
+	if !IsValidProfileFilenameStem(a.ID) {
+		return "", fmt.Errorf("invalid profile ID: %q", a.ID)
+	}
+
 	configDir, err := getConfigDirForUser(a.Username)
 	if err != nil {
 		return "", fmt.Errorf("failed to get config directory for user %s: %w", a.Username, err)
 	}
 
-	return filepath.Join(configDir, a.Name+".json"), nil
+	return filepath.Join(configDir, a.ID.String()+".json"), nil
 }
 
 type ServiceManager struct {
@@ -178,7 +219,7 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 				return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 			}
 			return &ActiveProfileState{
-				Name:     "default",
+				ID:       defaultProfileName,
 				Username: "",
 			}, nil
 		} else {
@@ -186,12 +227,12 @@ func (s *ServiceManager) GetActiveProfileState() (*ActiveProfileState, error) {
 		}
 	}
 
-	if activeProfile.Name == "" {
+	if activeProfile.ID == "" {
 		if err := s.SetActiveProfileStateToDefault(); err != nil {
 			return nil, fmt.Errorf("failed to set active profile to default: %w", err)
 		}
 		return &ActiveProfileState{
-			Name:     "default",
+			ID:       defaultProfileName,
 			Username: "",
 		}, nil
 	}
@@ -216,25 +257,29 @@ func (s *ServiceManager) setDefaultActiveState() error {
 }
 
 func (s *ServiceManager) SetActiveProfileState(a *ActiveProfileState) error {
-	if a == nil || a.Name == "" {
+	if a == nil || a.ID == "" {
 		return errors.New("invalid active profile state")
 	}
 
-	if a.Name != defaultProfileName && a.Username == "" {
-		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.Name)
+	if a.ID != defaultProfileName && a.Username == "" {
+		return fmt.Errorf("username must be set for non-default profiles, got: %s", a.ID)
+	}
+
+	if a.ID != defaultProfileName && !IsValidProfileFilenameStem(a.ID) {
+		return fmt.Errorf("invalid profile ID: %q", a.ID)
 	}
 
 	if err := util.WriteJsonWithRestrictedPermission(context.Background(), ActiveProfileStatePath, a); err != nil {
 		return fmt.Errorf("failed to write active profile state: %w", err)
 	}
 
-	log.Infof("active profile set to %s for %s", a.Name, a.Username)
+	log.Infof("active profile set to %s for %s", a.ID, a.Username)
 	return nil
 }
 
 func (s *ServiceManager) SetActiveProfileStateToDefault() error {
 	return s.SetActiveProfileState(&ActiveProfileState{
-		Name:     "default",
+		ID:       defaultProfileName,
 		Username: "",
 	})
 }
@@ -243,57 +288,75 @@ func (s *ServiceManager) DefaultProfilePath() string {
 	return DefaultConfigPath
 }
 
-func (s *ServiceManager) AddProfile(profileName, username string) error {
+// AddProfile creates a new profile with a generated ID. The user-supplied
+// displayName is stored inside the JSON's name field, the on-disk filename
+// uses the generated ID.
+//
+// The returned Profile carries the freshly-generated ID so callers can
+// show it to the user (and so the gRPC AddProfileResponse can include
+// it).
+func (s *ServiceManager) AddProfile(displayName, username string) (*Profile, error) {
 	configDir, err := s.getConfigDir(username)
 	if err != nil {
-		return fmt.Errorf("failed to get config directory: %w", err)
+		return nil, fmt.Errorf("failed to get config directory: %w", err)
 	}
 
-	profileName = sanitizeProfileName(profileName)
-
-	if profileName == defaultProfileName {
-		return fmt.Errorf("cannot create profile with reserved name: %s", defaultProfileName)
-	}
-
-	profPath := filepath.Join(configDir, profileName+".json")
-	profileExists, err := fileExists(profPath)
+	displayName, err = sanitizeDisplayName(displayName)
 	if err != nil {
-		return fmt.Errorf("failed to check if profile exists: %w", err)
-	}
-	if profileExists {
-		return ErrProfileAlreadyExists
+		return nil, fmt.Errorf("invalid profile name: %w", err)
 	}
 
+	if displayName == defaultProfileName {
+		return nil, fmt.Errorf("cannot create profile with reserved name: %s", defaultProfileName)
+	}
+
+	id, err := generateProfileID()
+	if err != nil {
+		return nil, fmt.Errorf("generate profile id: %w", err)
+	}
+
+	profPath := filepath.Join(configDir, id.String()+".json")
 	cfg, err := createNewConfig(ConfigInput{ConfigPath: profPath})
 	if err != nil {
-		return fmt.Errorf("failed to create new config: %w", err)
+		return nil, fmt.Errorf("failed to create new config: %w", err)
+	}
+	cfg.Name = displayName
+
+	if err := util.WriteJson(context.Background(), profPath, cfg); err != nil {
+		return nil, fmt.Errorf("failed to write profile config: %w", err)
 	}
 
-	err = util.WriteJson(context.Background(), profPath, cfg)
-	if err != nil {
-		return fmt.Errorf("failed to write profile config: %w", err)
-	}
-
-	return nil
+	return &Profile{
+		ID:   id,
+		Name: displayName,
+		Path: profPath,
+	}, nil
 }
 
-func (s *ServiceManager) RemoveProfile(profileName, username string) error {
-	configDir, err := s.getConfigDir(username)
-	if err != nil {
-		return fmt.Errorf("failed to get config directory: %w", err)
-	}
-
-	profileName = sanitizeProfileName(profileName)
-
-	if profileName == defaultProfileName {
+// RemoveProfile deletes the profile identified by id. Callers must have
+// already resolved any user-supplied handle to a concrete ID via
+// ResolveProfile.
+func (s *ServiceManager) RemoveProfile(id ID, username string) error {
+	if id == defaultProfileName {
 		return fmt.Errorf("cannot remove profile with reserved name: %s", defaultProfileName)
 	}
-	profPath := filepath.Join(configDir, profileName+".json")
-	profileExists, err := fileExists(profPath)
-	if err != nil {
-		return fmt.Errorf("failed to check if profile exists: %w", err)
+	if !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid profile ID: %q", id)
 	}
-	if !profileExists {
+
+	profiles, err := s.loadAllProfiles(username)
+	if err != nil {
+		return fmt.Errorf("load profiles: %w", err)
+	}
+
+	var target *Profile
+	for i := range profiles {
+		if profiles[i].ID == id {
+			target = &profiles[i]
+			break
+		}
+	}
+	if target == nil {
 		return ErrProfileNotFound
 	}
 
@@ -301,57 +364,26 @@ func (s *ServiceManager) RemoveProfile(profileName, username string) error {
 	if err != nil && !errors.Is(err, ErrNoActiveProfile) {
 		return fmt.Errorf("failed to get active profile: %w", err)
 	}
-
-	if activeProf != nil && activeProf.Name == profileName {
-		return fmt.Errorf("cannot remove active profile: %s", profileName)
+	if activeProf != nil && activeProf.ID == id {
+		return fmt.Errorf("cannot remove active profile: %s", id)
 	}
 
-	err = util.RemoveJson(profPath)
-	if err != nil {
+	if err := util.RemoveJson(target.Path); err != nil {
 		return fmt.Errorf("failed to remove profile config: %w", err)
 	}
+
+	stateFile := filepath.Join(filepath.Dir(target.Path), id.String()+".state.json")
+	if err := os.Remove(stateFile); err != nil && !os.IsNotExist(err) {
+		log.Warnf("failed to remove profile state file %s: %v", stateFile, err)
+	}
+
 	return nil
 }
 
+// ListProfiles returns every profile for the given user, including the
+// default profile, with IsActive flags set.
 func (s *ServiceManager) ListProfiles(username string) ([]Profile, error) {
-	configDir, err := s.getConfigDir(username)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get config directory: %w", err)
-	}
-
-	files, err := util.ListFiles(configDir, "*.json")
-	if err != nil {
-		return nil, fmt.Errorf("failed to list profile files: %w", err)
-	}
-
-	var filtered []string
-	for _, file := range files {
-		if strings.HasSuffix(file, "state.json") {
-			continue // skip state files
-		}
-		filtered = append(filtered, file)
-	}
-	sort.Strings(filtered)
-
-	var activeProfName string
-	activeProf, err := s.GetActiveProfileState()
-	if err == nil {
-		activeProfName = activeProf.Name
-	}
-
-	var profiles []Profile
-	// add default profile always
-	profiles = append(profiles, Profile{Name: defaultProfileName, IsActive: activeProfName == "" || activeProfName == defaultProfileName})
-	for _, file := range filtered {
-		profileName := strings.TrimSuffix(filepath.Base(file), ".json")
-		var isActive bool
-		if activeProfName != "" && activeProfName == profileName {
-			isActive = true
-		}
-		profiles = append(profiles, Profile{Name: profileName, IsActive: isActive})
-	}
-
-	return profiles, nil
+	return s.loadAllProfiles(username)
 }
 
 // GetStatePath returns the path to the state file based on the operating system
@@ -369,7 +401,12 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}
 
-	if activeProf.Name == defaultProfileName {
+	if activeProf.ID == defaultProfileName {
+		return defaultStatePath
+	}
+
+	if !IsValidProfileFilenameStem(activeProf.ID) {
+		log.Warnf("invalid active profile ID %q, using default state path", activeProf.ID)
 		return defaultStatePath
 	}
 
@@ -379,7 +416,7 @@ func (s *ServiceManager) GetStatePath() string {
 		return defaultStatePath
 	}
 
-	return filepath.Join(configDir, activeProf.Name+".state.json")
+	return filepath.Join(configDir, activeProf.ID.String()+".state.json")
 }
 
 // getConfigDir returns the profiles directory, using profilesDir if set, otherwise getConfigDirForUser
@@ -390,3 +427,165 @@ func (s *ServiceManager) getConfigDir(username string) (string, error) {
 
 	return getConfigDirForUser(username)
 }
+
+// loadAllProfiles returns every profile visible to the daemon for the
+// given user, including the default profile. The returned slice is sorted
+// by ID for a stable display order.
+//
+// Each Profile is fully populated: ID is the filename stem, Name comes
+// from the JSON's "name" field (falling back to the filename stem when absent)
+// and Path is built from a basename read off disk.
+func (s *ServiceManager) loadAllProfiles(username string) ([]Profile, error) {
+	activeID, activeIsDefault := s.activeProfileID()
+
+	profiles := []Profile{{
+		ID:       defaultProfileName,
+		Name:     defaultProfileName,
+		Path:     DefaultConfigPath,
+		IsActive: activeIsDefault,
+	}}
+
+	configDir, err := s.getConfigDir(username)
+	if err != nil {
+		return nil, fmt.Errorf("get config directory: %w", err)
+	}
+
+	entries, err := os.ReadDir(configDir)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return profiles, nil
+		}
+		return nil, fmt.Errorf("read profile directory: %w", err)
+	}
+
+	var fileProfiles []Profile
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		base := entry.Name()
+		if !strings.HasSuffix(base, ".json") {
+			continue
+		}
+		if strings.HasSuffix(base, ".state.json") {
+			continue
+		}
+		stem := ID(strings.TrimSuffix(base, ".json"))
+		if stem == defaultProfileName {
+			// default lives at the top-level config dir, not under /<user>
+			continue
+		}
+		if !IsValidProfileFilenameStem(ID(stem)) {
+			continue
+		}
+		path := filepath.Join(configDir, base)
+		name := readProfileName(path)
+		if name == "" {
+			name = stem.String()
+		}
+		fileProfiles = append(fileProfiles, Profile{
+			ID:       stem,
+			Name:     name,
+			Path:     path,
+			IsActive: stem == ID(activeID),
+		})
+	}
+
+	sort.Slice(fileProfiles, func(i, j int) bool {
+		if fileProfiles[i].Name != fileProfiles[j].Name {
+			return fileProfiles[i].Name < fileProfiles[j].Name
+		}
+		// Sort tie-break on ID so duplicate names always render in the same order.
+		return fileProfiles[i].ID < fileProfiles[j].ID
+	})
+	profiles = append(profiles, fileProfiles...)
+	return profiles, nil
+}
+
+// readProfileName parses just the "name" field from the profile Json.
+func readProfileName(path string) string {
+	data, err := os.ReadFile(path)
+	if err != nil {
+		return ""
+	}
+	var meta profileMeta
+	if err := json.Unmarshal(data, &meta); err != nil {
+		return ""
+	}
+	return meta.Name
+}
+
+// activeProfileID returns the currently-active profile's ID. The second
+// return value is true when the active profile is the default one.
+func (s *ServiceManager) activeProfileID() (ID, bool) {
+	state, err := s.GetActiveProfileState()
+	if err != nil || state == nil {
+		return defaultProfileName, true
+	}
+	if state.ID == "" || state.ID == defaultProfileName {
+		return defaultProfileName, true
+	}
+	return state.ID, false
+}
+
+// ResolveProfile turns a user-supplied handle into a Profile. Resolution
+// precedence is: exact ID match, then unique ID prefix, then unique exact
+// name. Ambiguous matches return *ErrAmbiguousHandle so callers can
+// surface the candidates.
+func (s *ServiceManager) ResolveProfile(handle, username string) (*Profile, error) {
+	if handle == "" {
+		return nil, fmt.Errorf("profile handle is empty")
+	}
+
+	profiles, err := s.loadAllProfiles(username)
+	if err != nil {
+		return nil, err
+	}
+
+	for i := range profiles {
+		if profiles[i].ID == ID(handle) {
+			return &profiles[i], nil
+		}
+	}
+
+	// ID prefix match. Skip the default profile so `select d` does not
+	// accidentally pick it via prefix.
+	var prefixMatches []Profile
+	for i := range profiles {
+		if profiles[i].ID == defaultProfileName {
+			continue
+		}
+		if strings.HasPrefix(profiles[i].ID.String(), handle) {
+			prefixMatches = append(prefixMatches, profiles[i])
+		}
+	}
+	if len(prefixMatches) == 1 {
+		return &prefixMatches[0], nil
+	}
+	if len(prefixMatches) > 1 {
+		return nil, &ErrAmbiguousHandle{
+			Handle:     handle,
+			Candidates: prefixMatches,
+			Kind:       AmbiguityKindIDPrefix,
+		}
+	}
+
+	var nameMatches []Profile
+	for i := range profiles {
+		if profiles[i].Name == handle {
+			nameMatches = append(nameMatches, profiles[i])
+		}
+	}
+	if len(nameMatches) == 1 {
+		return &nameMatches[0], nil
+	}
+	if len(nameMatches) > 1 {
+		return nil, &ErrAmbiguousHandle{
+			Handle:     handle,
+			Candidates: nameMatches,
+			Kind:       AmbiguityKindName,
+		}
+	}
+
+	return nil, ErrProfileNotFound
+}

client/internal/profilemanager/service_test.go

@@ -0,0 +1,230 @@
+package profilemanager
+
+import (
+	"context"
+	"errors"
+	"os"
+	"os/user"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+// withTestSM wires up patched globals + a clean config dir and returns a
+// fully initialized ServiceManager plus the username we are scoped to.
+func withTestSM(t *testing.T, fn func(sm *ServiceManager, username string)) {
+	t.Helper()
+	withTempConfigDir(t, func(configDir string) {
+		withPatchedGlobals(t, configDir, func() {
+			u, err := user.Current()
+			require.NoError(t, err)
+			sm := &ServiceManager{}
+			require.NoError(t, sm.CreateDefaultProfile())
+			fn(sm, u.Username)
+		})
+	})
+}
+
+func TestServiceProfile_ExactID(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		created, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		got, err := sm.ResolveProfile(created.ID.String(), username)
+		require.NoError(t, err)
+		assert.Equal(t, created.ID, got.ID)
+		assert.Equal(t, "work", got.Name)
+	})
+}
+
+func TestServiceProfile_IDPrefix(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		created, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		prefix := created.ID[:4]
+		got, err := sm.ResolveProfile(prefix.String(), username)
+		require.NoError(t, err)
+		assert.Equal(t, created.ID, got.ID)
+	})
+}
+
+func TestServiceProfile_AmbiguousPrefix(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		// Plant two profiles whose IDs share a known prefix by writing
+		// the files directly, since generated IDs are random.
+		configDir, err := sm.getConfigDir(username)
+		require.NoError(t, err)
+		for _, id := range []string{"abcd1111aaaa", "abcd2222bbbb"} {
+			path := filepath.Join(configDir, id+".json")
+			require.NoError(t, util.WriteJson(context.Background(), path, &Config{Name: id}))
+		}
+
+		_, err = sm.ResolveProfile("abcd", username)
+		var amb *ErrAmbiguousHandle
+		require.ErrorAs(t, err, &amb)
+		assert.Equal(t, AmbiguityKindIDPrefix, amb.Kind)
+		assert.Len(t, amb.Candidates, 2)
+	})
+}
+
+func TestServiceProfile_ExactNameUnique(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		_, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		got, err := sm.ResolveProfile("work", username)
+		require.NoError(t, err)
+		assert.Equal(t, "work", got.Name)
+	})
+}
+
+func TestServiceProfile_AmbiguousName(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		_, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+		_, err = sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		_, err = sm.ResolveProfile("work", username)
+		var amb *ErrAmbiguousHandle
+		require.ErrorAs(t, err, &amb)
+		assert.Equal(t, AmbiguityKindName, amb.Kind)
+		assert.Len(t, amb.Candidates, 2)
+	})
+}
+
+func TestServiceProfile_NotFound(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		_, err := sm.ResolveProfile("nope", username)
+		assert.ErrorIs(t, err, ErrProfileNotFound)
+	})
+}
+
+func TestServiceProfile_DefaultByExactID(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		got, err := sm.ResolveProfile(defaultProfileName, username)
+		require.NoError(t, err)
+		assert.Equal(t, defaultProfileName, got.ID.String())
+	})
+}
+
+func TestServiceProfile_LegacyFilenameCoexists(t *testing.T) {
+	// Legacy profiles stored as <name>.json with no "name" JSON field
+	// should still be discoverable by name and removable by name.
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		configDir, err := sm.getConfigDir(username)
+		require.NoError(t, err)
+		path := filepath.Join(configDir, "legacy.json")
+		require.NoError(t, util.WriteJson(context.Background(), path, &Config{}))
+
+		got, err := sm.ResolveProfile("legacy", username)
+		require.NoError(t, err)
+		assert.Equal(t, "legacy", got.ID.String())
+		// Name falls back to the filename stem when JSON omits it.
+		assert.Equal(t, "legacy", got.Name)
+	})
+}
+
+func TestAddProfile_AllowsDuplicateWithFlag(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		first, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		second, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+		assert.NotEqual(t, first.ID, second.ID)
+		assert.Equal(t, "work", second.Name)
+	})
+}
+
+func TestAddProfile_RejectsInvalidNames(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		cases := []string{
+			"",                                       // empty
+			"\x00\x01",                               // only control chars (becomes empty)
+			strings.Repeat("a", maxProfileNameLen+1), // too long
+		}
+		for _, name := range cases {
+			_, err := sm.AddProfile(name, username)
+			assert.Error(t, err, "expected error for %q", name)
+		}
+	})
+}
+
+func TestRemoveProfile_RejectsInvalidID(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		err := sm.RemoveProfile("../escape", username)
+		assert.Error(t, err)
+	})
+}
+
+func TestSanitizeDisplayName(t *testing.T) {
+	cases := []struct {
+		in      string
+		want    string
+		wantErr bool
+	}{
+		{"work", "work", false},
+		{"My Work Account", "My Work Account", false},
+		{"emoji 🚀 ok", "emoji 🚀 ok", false},
+		{"漢字テスト", "漢字テスト", false},
+		{"with\x00null", "withnull", false},
+		{"\x01\x02\x03", "", true},
+		{"", "", true},
+	}
+	for _, tc := range cases {
+		got, err := sanitizeDisplayName(tc.in)
+		if tc.wantErr {
+			assert.Error(t, err, "case %q", tc.in)
+			continue
+		}
+		assert.NoError(t, err, "case %q", tc.in)
+		assert.Equal(t, tc.want, got, "case %q", tc.in)
+	}
+}
+
+func TestIsValidProfileFilenameStem(t *testing.T) {
+	cases := []struct {
+		in   string
+		want bool
+	}{
+		{"default", true},
+		{"abc123def456", true},
+		{"legacy-name", true},
+		{"legacy_name", true},
+		{"", false},
+		{"..", false},
+		{"../etc", false},
+		{"foo/bar", false},
+		{`foo\bar`, false},
+		{"with space", false},
+		{"with.dot", false},
+		{strings.Repeat("a", maxProfileIDLen+1), false},
+	}
+	for _, tc := range cases {
+		got := IsValidProfileFilenameStem(ID(tc.in))
+		assert.Equal(t, tc.want, got, "case %q", tc.in)
+	}
+}
+
+func TestRemoveProfile_DeletesStateFile(t *testing.T) {
+	withTestSM(t, func(sm *ServiceManager, username string) {
+		created, err := sm.AddProfile("work", username)
+		require.NoError(t, err)
+
+		configDir, err := sm.getConfigDir(username)
+		require.NoError(t, err)
+		statePath := filepath.Join(configDir, created.ID.String()+".state.json")
+		require.NoError(t, os.WriteFile(statePath, []byte(`{"email":"a@b"}`), 0600))
+
+		require.NoError(t, sm.RemoveProfile(created.ID, username))
+		_, err = os.Stat(statePath)
+		assert.True(t, errors.Is(err, os.ErrNotExist), "state file should be removed")
+	})
+}

client/internal/profilemanager/state.go

@@ -13,13 +13,20 @@ type ProfileState struct {
 	Email string `json:"email"`
 }
 
-func (pm *ProfileManager) GetProfileState(profileName string) (*ProfileState, error) {
+// GetProfileState reads the per-profile state file keyed by profile ID.
+// The state file lives in the user's config directory. Legacy state files
+// keyed by the old profile name remain readable.
+func (pm *ProfileManager) GetProfileState(id ID) (*ProfileState, error) {
 	configDir, err := getConfigDir()
 	if err != nil {
 		return nil, fmt.Errorf("get config directory: %w", err)
 	}
 
-	stateFile := filepath.Join(configDir, profileName+".state.json")
+	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
+		return nil, fmt.Errorf("invalid profile ID: %q", id)
+	}
+
+	stateFile := filepath.Join(configDir, id.String()+".state.json")
 	stateFileExists, err := fileExists(stateFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to check if profile state file exists: %w", err)
@@ -51,7 +58,12 @@ func (pm *ProfileManager) SetActiveProfileState(state *ProfileState) error {
 		return fmt.Errorf("get active profile: %w", err)
 	}
 
-	stateFile := filepath.Join(configDir, activeProf.Name+".state.json")
+	id := activeProf.ID
+	if id != defaultProfileName && !IsValidProfileFilenameStem(id) {
+		return fmt.Errorf("invalid active profile ID: %q", id)
+	}
+
+	stateFile := filepath.Join(configDir, id.String()+".state.json")
 	err = util.WriteJsonWithRestrictedPermission(context.Background(), stateFile, state)
 	if err != nil {
 		return fmt.Errorf("write profile state: %w", err)

client/internal/routemanager/manager.go

@@ -700,13 +700,6 @@ func resolveURLsToIPs(urls []string) []net.IP {
 
 // updateRouteSelectorFromManagement updates the route selector based on the isSelected status from the management server
 func (m *DefaultManager) updateRouteSelectorFromManagement(clientRoutes route.HAMap) {
-	// An explicit user "deselect all" must not be overridden by management auto-apply.
-	// Auto-applying an exit node here would call SelectRoutes, which clears the
-	// deselect-all flag and re-enables every route the user turned off.
-	if m.routeSelector.IsDeselectAll() {
-		return
-	}
-
 	exitNodeInfo := m.collectExitNodeInfo(clientRoutes)
 	if len(exitNodeInfo.allIDs) == 0 {
 		return

client/internal/routemanager/selector_management_test.go

@@ -1,71 +0,0 @@
-package routemanager
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/routeselector"
-	"github.com/netbirdio/netbird/route"
-)
-
-func exitNodeRoutes(netID route.NetID, skipAutoApply bool) route.HAMap {
-	haID := route.HAUniqueID(string(netID) + "|0.0.0.0/0")
-	return route.HAMap{
-		haID: []*route.Route{
-			{
-				ID:            "r-" + route.ID(netID),
-				NetID:         netID,
-				Network:       netip.MustParsePrefix("0.0.0.0/0"),
-				NetworkType:   route.IPv4Network,
-				Enabled:       true,
-				SkipAutoApply: skipAutoApply,
-			},
-		},
-	}
-}
-
-func TestUpdateRouteSelectorFromManagement(t *testing.T) {
-	t.Run("management auto-apply selects exit node without user selection", func(t *testing.T) {
-		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
-		routes := exitNodeRoutes("exit1", false)
-
-		m.updateRouteSelectorFromManagement(routes)
-
-		require.True(t, m.routeSelector.IsSelected("exit1"), "auto-apply exit node should be selected")
-		require.Len(t, m.routeSelector.FilterSelectedExitNodes(routes), 1, "selected exit node should pass the filter")
-	})
-
-	t.Run("management SkipAutoApply leaves exit node deselected", func(t *testing.T) {
-		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
-		routes := exitNodeRoutes("exit1", true)
-
-		m.updateRouteSelectorFromManagement(routes)
-
-		require.False(t, m.routeSelector.IsSelected("exit1"), "SkipAutoApply exit node should not be selected")
-		require.Empty(t, m.routeSelector.FilterSelectedExitNodes(routes), "deselected exit node should be filtered out")
-	})
-
-	t.Run("user selection is not overridden by management", func(t *testing.T) {
-		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
-		require.NoError(t, m.routeSelector.SelectRoutes([]route.NetID{"exit1"}, true, []route.NetID{"exit1"}))
-		routes := exitNodeRoutes("exit1", true)
-
-		m.updateRouteSelectorFromManagement(routes)
-
-		require.True(t, m.routeSelector.IsSelected("exit1"), "explicit user selection must survive a management sync that wants to skip auto-apply")
-		require.Len(t, m.routeSelector.FilterSelectedExitNodes(routes), 1, "user-selected exit node should pass the filter")
-	})
-
-	t.Run("deselect-all is preserved across a management sync", func(t *testing.T) {
-		m := &DefaultManager{routeSelector: routeselector.NewRouteSelector()}
-		m.routeSelector.DeselectAllRoutes()
-		routes := exitNodeRoutes("exit1", false)
-
-		m.updateRouteSelectorFromManagement(routes)
-
-		require.True(t, m.routeSelector.IsDeselectAll(), "an explicit deselect-all must not be cleared by management auto-apply")
-		require.Empty(t, m.routeSelector.FilterSelectedExitNodes(routes), "no routes should be selected while deselect-all is set")
-	})
-}

client/internal/routeselector/routeselector.go

@@ -116,14 +116,6 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	clear(rs.selectedRoutes)
 }
 
-// IsDeselectAll reports whether the user has explicitly deselected all routes.
-func (rs *RouteSelector) IsDeselectAll() bool {
-	rs.mu.RLock()
-	defer rs.mu.RUnlock()
-
-	return rs.deselectAll
-}
-
 // IsSelected checks if a specific route is selected.
 func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	rs.mu.RLock()

client/proto/daemon.pb.go

@@ -3931,9 +3931,11 @@ func (x *GetEventsResponse) GetEvents() []*SystemEvent {
 }
 
 type SwitchProfileRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	ProfileName   *string                `protobuf:"bytes,1,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
-	Username      *string                `protobuf:"bytes,2,opt,name=username,proto3,oneof" json:"username,omitempty"`
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// profileName is treated as a handle: exact ID, unique ID prefix, or
+	// unique display name. The daemon resolves it server-side.
+	ProfileName   *string `protobuf:"bytes,1,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
+	Username      *string `protobuf:"bytes,2,opt,name=username,proto3,oneof" json:"username,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -3983,7 +3985,11 @@ func (x *SwitchProfileRequest) GetUsername() string {
 }
 
 type SwitchProfileResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// id is the resolved on-disk ID of the profile that became active.
+	// Lets CLI clients update their local active-profile state without
+	// duplicating the resolution logic.
+	Id            string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4018,6 +4024,13 @@ func (*SwitchProfileResponse) Descriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{55}
 }
 
+func (x *SwitchProfileResponse) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
 type SetConfigRequest struct {
 	state       protoimpl.MessageState `protogen:"open.v1"`
 	Username    string                 `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
@@ -4374,9 +4387,11 @@ func (*SetConfigResponse) Descriptor() ([]byte, []int) {
 }
 
 type AddProfileRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Username      string                 `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
-	ProfileName   string                 `protobuf:"bytes,2,opt,name=profileName,proto3" json:"profileName,omitempty"`
+	state    protoimpl.MessageState `protogen:"open.v1"`
+	Username string                 `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	// profileName carries the human-readable display name for the new
+	// profile. The on-disk filename is a separately-generated ID.
+	ProfileName   string `protobuf:"bytes,2,opt,name=profileName,proto3" json:"profileName,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4426,7 +4441,10 @@ func (x *AddProfileRequest) GetProfileName() string {
 }
 
 type AddProfileResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// id is the generated on-disk ID of the new profile. CLI clients
+	// display a truncated form, UI clients can ignore it.
+	Id            string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4461,10 +4479,19 @@ func (*AddProfileResponse) Descriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{59}
 }
 
+func (x *AddProfileResponse) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
 type RemoveProfileRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Username      string                 `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
-	ProfileName   string                 `protobuf:"bytes,2,opt,name=profileName,proto3" json:"profileName,omitempty"`
+	state    protoimpl.MessageState `protogen:"open.v1"`
+	Username string                 `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
+	// profileName is treated as a handle: an exact ID, a unique ID
+	// prefix, or a unique display name. Resolution happens server-side.
+	ProfileName   string `protobuf:"bytes,2,opt,name=profileName,proto3" json:"profileName,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4514,7 +4541,10 @@ func (x *RemoveProfileRequest) GetProfileName() string {
 }
 
 type RemoveProfileResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// id is the full resolved ID of the removed profile, so callers can
+	// confirm exactly which profile a name/prefix handle resolved to.
+	Id            string `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4549,6 +4579,13 @@ func (*RemoveProfileResponse) Descriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{61}
 }
 
+func (x *RemoveProfileResponse) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
 type ListProfilesRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Username      string                 `protobuf:"bytes,1,opt,name=username,proto3" json:"username,omitempty"`
@@ -4641,6 +4678,7 @@ type Profile struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Name          string                 `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
 	IsActive      bool                   `protobuf:"varint,2,opt,name=is_active,json=isActive,proto3" json:"is_active,omitempty"`
+	Id            string                 `protobuf:"bytes,3,opt,name=id,proto3" json:"id,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4689,6 +4727,13 @@ func (x *Profile) GetIsActive() bool {
 	return false
 }
 
+func (x *Profile) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
 type GetActiveProfileRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
@@ -4729,6 +4774,7 @@ type GetActiveProfileResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	ProfileName   string                 `protobuf:"bytes,1,opt,name=profileName,proto3" json:"profileName,omitempty"`
 	Username      string                 `protobuf:"bytes,2,opt,name=username,proto3" json:"username,omitempty"`
+	Id            string                 `protobuf:"bytes,3,opt,name=id,proto3" json:"id,omitempty"`
 	unknownFields protoimpl.UnknownFields
 	sizeCache     protoimpl.SizeCache
 }
@@ -4777,6 +4823,13 @@ func (x *GetActiveProfileResponse) GetUsername() string {
 	return ""
 }
 
+func (x *GetActiveProfileResponse) GetId() string {
+	if x != nil {
+		return x.Id
+	}
+	return ""
+}
+
 type LogoutRequest struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	ProfileName   *string                `protobuf:"bytes,1,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
@@ -6598,8 +6651,9 @@ const file_daemon_proto_rawDesc = "" +
 	"\vprofileName\x18\x01 \x01(\tH\x00R\vprofileName\x88\x01\x01\x12\x1f\n" +
 	"\busername\x18\x02 \x01(\tH\x01R\busername\x88\x01\x01B\x0e\n" +
 	"\f_profileNameB\v\n" +
-	"\t_username\"\x17\n" +
-	"\x15SwitchProfileResponse\"\x98\x11\n" +
+	"\t_username\"'\n" +
+	"\x15SwitchProfileResponse\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\tR\x02id\"\x98\x11\n" +
 	"\x10SetConfigRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
 	"\vprofileName\x18\x02 \x01(\tR\vprofileName\x12$\n" +
@@ -6668,23 +6722,27 @@ const file_daemon_proto_rawDesc = "" +
 	"\x11SetConfigResponse\"Q\n" +
 	"\x11AddProfileRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
-	"\vprofileName\x18\x02 \x01(\tR\vprofileName\"\x14\n" +
-	"\x12AddProfileResponse\"T\n" +
+	"\vprofileName\x18\x02 \x01(\tR\vprofileName\"$\n" +
+	"\x12AddProfileResponse\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\tR\x02id\"T\n" +
 	"\x14RemoveProfileRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
-	"\vprofileName\x18\x02 \x01(\tR\vprofileName\"\x17\n" +
-	"\x15RemoveProfileResponse\"1\n" +
+	"\vprofileName\x18\x02 \x01(\tR\vprofileName\"'\n" +
+	"\x15RemoveProfileResponse\x12\x0e\n" +
+	"\x02id\x18\x01 \x01(\tR\x02id\"1\n" +
 	"\x13ListProfilesRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\"C\n" +
 	"\x14ListProfilesResponse\x12+\n" +
-	"\bprofiles\x18\x01 \x03(\v2\x0f.daemon.ProfileR\bprofiles\":\n" +
+	"\bprofiles\x18\x01 \x03(\v2\x0f.daemon.ProfileR\bprofiles\"J\n" +
 	"\aProfile\x12\x12\n" +
 	"\x04name\x18\x01 \x01(\tR\x04name\x12\x1b\n" +
-	"\tis_active\x18\x02 \x01(\bR\bisActive\"\x19\n" +
-	"\x17GetActiveProfileRequest\"X\n" +
+	"\tis_active\x18\x02 \x01(\bR\bisActive\x12\x0e\n" +
+	"\x02id\x18\x03 \x01(\tR\x02id\"\x19\n" +
+	"\x17GetActiveProfileRequest\"h\n" +
 	"\x18GetActiveProfileResponse\x12 \n" +
 	"\vprofileName\x18\x01 \x01(\tR\vprofileName\x12\x1a\n" +
-	"\busername\x18\x02 \x01(\tR\busername\"t\n" +
+	"\busername\x18\x02 \x01(\tR\busername\x12\x0e\n" +
+	"\x02id\x18\x03 \x01(\tR\x02id\"t\n" +
 	"\rLogoutRequest\x12%\n" +
 	"\vprofileName\x18\x01 \x01(\tH\x00R\vprofileName\x88\x01\x01\x12\x1f\n" +
 	"\busername\x18\x02 \x01(\tH\x01R\busername\x88\x01\x01B\x0e\n" +

client/proto/daemon.proto

@@ -615,11 +615,18 @@ message GetEventsResponse {
 }
 
 message SwitchProfileRequest {
+  // profileName is treated as a handle: exact ID, unique ID prefix, or
+  // unique display name. The daemon resolves it server-side.
   optional string profileName = 1;
   optional string username = 2;
 }
 
-message SwitchProfileResponse {}
+message SwitchProfileResponse {
+  // id is the resolved on-disk ID of the profile that became active.
+  // Lets CLI clients update their local active-profile state without
+  // duplicating the resolution logic.
+  string id = 1;
+}
 
 message SetConfigRequest {
   string username = 1;
@@ -686,17 +693,29 @@ message SetConfigResponse{}
 
 message AddProfileRequest {
   string username = 1;
+  // profileName carries the human-readable display name for the new
+  // profile. The on-disk filename is a separately-generated ID.
   string profileName = 2;
 }
 
-message AddProfileResponse {}
+message AddProfileResponse {
+  // id is the generated on-disk ID of the new profile. CLI clients
+  // display a truncated form, UI clients can ignore it.
+  string id = 1;
+}
 
 message RemoveProfileRequest {
   string username = 1;
+  // profileName is treated as a handle: an exact ID, a unique ID
+  // prefix, or a unique display name. Resolution happens server-side.
   string profileName = 2;
 }
 
-message RemoveProfileResponse {}
+message RemoveProfileResponse {
+  // id is the full resolved ID of the removed profile, so callers can
+  // confirm exactly which profile a name/prefix handle resolved to.
+  string id = 1;
+}
 
 message ListProfilesRequest {
   string username = 1;
@@ -709,6 +728,7 @@ message ListProfilesResponse {
 message Profile {
   string name = 1;
   bool is_active = 2;
+  string id = 3;
 }
 
 message GetActiveProfileRequest {}
@@ -716,6 +736,7 @@ message GetActiveProfileRequest {}
 message GetActiveProfileResponse {
   string profileName = 1;
   string username = 2;
+  string id = 3;
 }
 
 message LogoutRequest {

client/server/login_overrides_test.go

@@ -79,7 +79,7 @@ func TestPersistLoginOverrides(t *testing.T) {
 			_, err := profilemanager.UpdateOrCreateConfig(seed)
 			require.NoError(t, err, "seed config")
 
-			activeProf := &profilemanager.ActiveProfileState{Name: "default"}
+			activeProf := &profilemanager.ActiveProfileState{ID: "default"}
 			err = persistLoginOverrides(activeProf, tt.newMgmtURL, tt.newPSK)
 			require.NoError(t, err, "persistLoginOverrides")
 

client/server/server.go

@@ -308,15 +308,14 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 		return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
 	}
 
-	profState := profilemanager.ActiveProfileState{
-		Name:     msg.ProfileName,
-		Username: msg.Username,
-	}
-
-	profPath, err := profState.FilePath()
+	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
 	if err != nil {
-		log.Errorf("failed to get active profile file path: %v", err)
-		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+		log.Errorf("failed to resolve profile %q: %v", msg.ProfileName, err)
+		return nil, err
+	}
+	profPath := resolved.Path
+	if profPath == "" {
+		profPath = profilemanager.DefaultConfigPath
 	}
 
 	var config profilemanager.ConfigInput
@@ -446,30 +445,9 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 	}
 
 	if msg.ProfileName != nil {
-		if *msg.ProfileName != "default" && (msg.Username == nil || *msg.Username == "") {
-			log.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
-			return nil, fmt.Errorf("profile name is set to %s, but username is not provided", *msg.ProfileName)
-		}
-
-		var username string
-		if *msg.ProfileName != "default" {
-			username = *msg.Username
-		}
-
-		if *msg.ProfileName != activeProf.Name && username != activeProf.Username {
-			if s.checkProfilesDisabled() {
-				log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
-				return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
-			}
-
-			log.Infof("switching to profile %s for user '%s'", *msg.ProfileName, username)
-			if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-				Name:     *msg.ProfileName,
-				Username: username,
-			}); err != nil {
-				log.Errorf("failed to set active profile state: %v", err)
-				return nil, fmt.Errorf("failed to set active profile state: %w", err)
-			}
+		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+			log.Errorf("failed to switch profile: %v", err)
+			return nil, err
 		}
 	}
 
@@ -479,7 +457,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
 
 	s.mutex.Lock()
 
@@ -711,10 +689,10 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 	}
 
 	if msg != nil && msg.ProfileName != nil {
-		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			s.mutex.Unlock()
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, fmt.Errorf("failed to switch profile: %w", err)
+			return nil, err
 		}
 	}
 
@@ -725,7 +703,7 @@ func (s *Server) Up(callerCtx context.Context, msg *proto.UpRequest) (*proto.UpR
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
-	log.Infof("active profile: %s for %s", activeProf.Name, activeProf.Username)
+	log.Infof("active profile: %s for %s", activeProf.ID, activeProf.Username)
 
 	config, _, err := s.getConfig(activeProf)
 	if err != nil {
@@ -768,34 +746,60 @@ func (s *Server) waitForUp(callerCtx context.Context) (*proto.UpResponse, error)
 	}
 }
 
-func (s *Server) switchProfileIfNeeded(profileName string, userName *string, activeProf *profilemanager.ActiveProfileState) error {
-	if profileName != "default" && (userName == nil || *userName == "") {
-		log.Errorf("profile name is set to %s, but username is not provided", profileName)
-		return fmt.Errorf("profile name is set to %s, but username is not provided", profileName)
+// resolveProfileHandle resolves a wire-level profile handle (display
+// name, ID, or unique ID prefix) to a concrete profile. Returns gRPC
+// status errors so handlers can return them directly.
+func (s *Server) resolveProfileHandle(handle, username string) (*profilemanager.Profile, error) {
+	p, err := s.profileManager.ResolveProfile(handle, username)
+	if err == nil {
+		return p, nil
+	}
+	var amb *profilemanager.ErrAmbiguousHandle
+	if errors.As(err, &amb) {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "%v", amb)
+	}
+	if errors.Is(err, profilemanager.ErrProfileNotFound) {
+		return nil, gstatus.Errorf(codes.NotFound, "profile %q not found", handle)
+	}
+	return nil, fmt.Errorf("resolve profile: %w", err)
+}
+
+// switchProfileIfNeeded resolves the user-supplied handle, updates the
+// active profile state if it differs from the current one, and returns
+// the resolved profile so callers can include its ID in RPC responses.
+func (s *Server) switchProfileIfNeeded(handle string, userName *string, activeProf *profilemanager.ActiveProfileState) (*profilemanager.Profile, error) {
+	if handle != profilemanager.DefaultProfileName && (userName == nil || *userName == "") {
+		log.Errorf("profile name is set to %s, but username is not provided", handle)
+		return nil, fmt.Errorf("profile name is set to %s, but username is not provided", handle)
 	}
 
 	var username string
-	if profileName != "default" {
+	if handle != profilemanager.DefaultProfileName {
 		username = *userName
 	}
 
-	if profileName != activeProf.Name || username != activeProf.Username {
+	resolved, err := s.resolveProfileHandle(handle, username)
+	if err != nil {
+		return nil, err
+	}
+
+	if resolved.ID != activeProf.ID || username != activeProf.Username {
 		if s.checkProfilesDisabled() {
 			log.Errorf("profiles are disabled, you cannot use this feature without profiles enabled")
-			return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+			return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 		}
 
-		log.Infof("switching to profile %s for user %s", profileName, username)
+		log.Infof("switching to profile %s (%s) for user %s", resolved.Name, resolved.ID, username)
 		if err := s.profileManager.SetActiveProfileState(&profilemanager.ActiveProfileState{
-			Name:     profileName,
+			ID:       resolved.ID,
 			Username: username,
 		}); err != nil {
 			log.Errorf("failed to set active profile state: %v", err)
-			return fmt.Errorf("failed to set active profile state: %w", err)
+			return nil, fmt.Errorf("failed to set active profile state: %w", err)
 		}
 	}
 
-	return nil
+	return resolved, nil
 }
 
 // SwitchProfile switches the active profile in the daemon.
@@ -810,9 +814,9 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 	}
 
 	if msg != nil && msg.ProfileName != nil {
-		if err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
+		if _, err := s.switchProfileIfNeeded(*msg.ProfileName, msg.Username, activeProf); err != nil {
 			log.Errorf("failed to switch profile: %v", err)
-			return nil, fmt.Errorf("failed to switch profile: %w", err)
+			return nil, err
 		}
 	}
 	activeProf, err = s.profileManager.GetActiveProfileState()
@@ -828,7 +832,7 @@ func (s *Server) SwitchProfile(callerCtx context.Context, msg *proto.SwitchProfi
 
 	s.config = config
 
-	return &proto.SwitchProfileResponse{}, nil
+	return &proto.SwitchProfileResponse{Id: activeProf.ID.String()}, nil
 }
 
 // Down engine work in the daemon.
@@ -912,22 +916,27 @@ func (s *Server) Logout(ctx context.Context, msg *proto.LogoutRequest) (*proto.L
 }
 
 func (s *Server) handleProfileLogout(ctx context.Context, msg *proto.LogoutRequest) (*proto.LogoutResponse, error) {
-	if err := s.validateProfileOperation(*msg.ProfileName, true); err != nil {
-		return nil, err
-	}
-
 	if msg.Username == nil || *msg.Username == "" {
 		return nil, gstatus.Errorf(codes.InvalidArgument, "username must be provided when profile name is specified")
 	}
 	username := *msg.Username
 
-	if err := s.logoutFromProfile(ctx, *msg.ProfileName, username); err != nil {
-		log.Errorf("failed to logout from profile %s: %v", *msg.ProfileName, err)
+	resolved, err := s.resolveProfileHandle(*msg.ProfileName, username)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := s.validateProfileOperation(resolved.ID, true); err != nil {
+		return nil, err
+	}
+
+	if err := s.logoutFromProfile(ctx, resolved); err != nil {
+		log.Errorf("failed to logout from profile %s: %v", resolved.ID, err)
 		return nil, gstatus.Errorf(codes.Internal, "logout: %v", err)
 	}
 
 	activeProf, _ := s.profileManager.GetActiveProfileState()
-	if activeProf != nil && activeProf.Name == *msg.ProfileName {
+	if activeProf != nil && activeProf.ID == resolved.ID {
 		if err := s.cleanupConnection(); err != nil && !errors.Is(err, ErrServiceNotUp) {
 			log.Errorf("failed to cleanup connection: %v", err)
 		}
@@ -989,30 +998,30 @@ func (s *Server) getConfig(activeProf *profilemanager.ActiveProfileState) (*prof
 	return config, configExisted, nil
 }
 
-func (s *Server) canRemoveProfile(profileName string) error {
-	if profileName == profilemanager.DefaultProfileName {
+func (s *Server) canRemoveProfile(id profilemanager.ID) error {
+	if id == profilemanager.DefaultProfileName {
 		return fmt.Errorf("remove profile with reserved name: %s", profilemanager.DefaultProfileName)
 	}
 
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.Name == profileName {
-		return fmt.Errorf("remove active profile: %s", profileName)
+	if err == nil && activeProf.ID == id {
+		return fmt.Errorf("remove active profile: %s", id)
 	}
 
 	return nil
 }
 
-func (s *Server) validateProfileOperation(profileName string, allowActiveProfile bool) error {
+func (s *Server) validateProfileOperation(id profilemanager.ID, allowActiveProfile bool) error {
 	if s.checkProfilesDisabled() {
 		return gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
 	}
 
-	if profileName == "" {
+	if id == "" {
 		return gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
 	}
 
 	if !allowActiveProfile {
-		if err := s.canRemoveProfile(profileName); err != nil {
+		if err := s.canRemoveProfile(id); err != nil {
 			return gstatus.Errorf(codes.InvalidArgument, "%v", err)
 		}
 	}
@@ -1020,25 +1029,20 @@ func (s *Server) validateProfileOperation(profileName string, allowActiveProfile
 	return nil
 }
 
-// logoutFromProfile logs out from a specific profile by loading its config and sending logout request
-func (s *Server) logoutFromProfile(ctx context.Context, profileName, username string) error {
+func (s *Server) logoutFromProfile(ctx context.Context, profile *profilemanager.Profile) error {
 	activeProf, err := s.profileManager.GetActiveProfileState()
-	if err == nil && activeProf.Name == profileName && s.connectClient != nil {
+	if err == nil && activeProf.ID == profile.ID && s.connectClient != nil {
 		return s.sendLogoutRequest(ctx)
 	}
 
-	profileState := &profilemanager.ActiveProfileState{
-		Name:     profileName,
-		Username: username,
-	}
-	profilePath, err := profileState.FilePath()
-	if err != nil {
-		return fmt.Errorf("get profile path: %w", err)
+	cfgPath := profile.Path
+	if cfgPath == "" {
+		cfgPath = profilemanager.DefaultConfigPath
 	}
 
-	config, err := profilemanager.GetConfig(profilePath)
+	config, err := profilemanager.GetConfig(cfgPath)
 	if err != nil {
-		return fmt.Errorf("profile '%s' not found", profileName)
+		return fmt.Errorf("profile '%s' not found", profile.ID)
 	}
 
 	return s.sendLogoutRequestWithConfig(ctx, config)
@@ -1452,15 +1456,14 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 		return nil, ctx.Err()
 	}
 
-	prof := profilemanager.ActiveProfileState{
-		Name:     req.ProfileName,
-		Username: req.Username,
-	}
-
-	cfgPath, err := prof.FilePath()
+	resolved, err := s.resolveProfileHandle(req.ProfileName, req.Username)
 	if err != nil {
-		log.Errorf("failed to get active profile file path: %v", err)
-		return nil, fmt.Errorf("failed to get active profile file path: %w", err)
+		log.Errorf("failed to resolve profile %q: %v", req.ProfileName, err)
+		return nil, err
+	}
+	cfgPath := resolved.Path
+	if cfgPath == "" {
+		cfgPath = profilemanager.DefaultConfigPath
 	}
 
 	cfg, err := profilemanager.GetConfig(cfgPath)
@@ -1564,12 +1567,16 @@ func (s *Server) AddProfile(ctx context.Context, msg *proto.AddProfileRequest) (
 		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name and username must be provided")
 	}
 
-	if err := s.profileManager.AddProfile(msg.ProfileName, msg.Username); err != nil {
+	created, err := s.profileManager.AddProfile(msg.ProfileName, msg.Username)
+	if err != nil {
+		if errors.Is(err, profilemanager.ErrProfileAlreadyExists) {
+			return nil, gstatus.Errorf(codes.AlreadyExists, "profile %q already exists", msg.ProfileName)
+		}
 		log.Errorf("failed to create profile: %v", err)
 		return nil, fmt.Errorf("failed to create profile: %w", err)
 	}
 
-	return &proto.AddProfileResponse{}, nil
+	return &proto.AddProfileResponse{Id: created.ID.String()}, nil
 }
 
 // RemoveProfile removes a profile from the daemon.
@@ -1577,20 +1584,29 @@ func (s *Server) RemoveProfile(ctx context.Context, msg *proto.RemoveProfileRequ
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if err := s.validateProfileOperation(msg.ProfileName, false); err != nil {
+	if msg.ProfileName == "" {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "profile name must be provided")
+	}
+
+	resolved, err := s.resolveProfileHandle(msg.ProfileName, msg.Username)
+	if err != nil {
 		return nil, err
 	}
 
-	if err := s.logoutFromProfile(ctx, msg.ProfileName, msg.Username); err != nil {
-		log.Warnf("failed to logout from profile %s before removal: %v", msg.ProfileName, err)
+	if err := s.validateProfileOperation(resolved.ID, false); err != nil {
+		return nil, err
 	}
 
-	if err := s.profileManager.RemoveProfile(msg.ProfileName, msg.Username); err != nil {
+	if err := s.logoutFromProfile(ctx, resolved); err != nil {
+		log.Warnf("failed to logout from profile %s before removal: %v", resolved.ID, err)
+	}
+
+	if err := s.profileManager.RemoveProfile(resolved.ID, msg.Username); err != nil {
 		log.Errorf("failed to remove profile: %v", err)
 		return nil, fmt.Errorf("failed to remove profile: %w", err)
 	}
 
-	return &proto.RemoveProfileResponse{}, nil
+	return &proto.RemoveProfileResponse{Id: resolved.ID.String()}, nil
 }
 
 // ListProfiles lists all profiles in the daemon.
@@ -1613,6 +1629,7 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	}
 	for i, profile := range profiles {
 		response.Profiles[i] = &proto.Profile{
+			Id:       profile.ID.String(),
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		}
@@ -1621,7 +1638,9 @@ func (s *Server) ListProfiles(ctx context.Context, msg *proto.ListProfilesReques
 	return response, nil
 }
 
-// GetActiveProfile returns the active profile in the daemon.
+// GetActiveProfile returns the active profile in the daemon. The ProfileName
+// field carries the display name for backwards compatibility with UI clients,
+// new callers should prefer Id.
 func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfileRequest) (*proto.GetActiveProfileResponse, error) {
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
@@ -1632,9 +1651,23 @@ func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfi
 		return nil, fmt.Errorf("failed to get active profile state: %w", err)
 	}
 
+	// Fallback to legacy name == ID
+	displayName := activeProfile.ID.String()
+	if activeProfile.ID != profilemanager.DefaultProfileName {
+		if profiles, lerr := s.profileManager.ListProfiles(activeProfile.Username); lerr == nil {
+			for _, p := range profiles {
+				if p.ID == activeProfile.ID {
+					displayName = p.Name
+					break
+				}
+			}
+		}
+	}
+
 	return &proto.GetActiveProfileResponse{
-		ProfileName: activeProfile.Name,
+		ProfileName: displayName,
 		Username:    activeProfile.Username,
+		Id:          activeProfile.ID.String(),
 	}, nil
 }
 

client/server/server_test.go

@@ -97,7 +97,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "test-profile",
+		ID:       "test-profile",
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -158,7 +158,7 @@ func TestServer_Up(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	})
 	if err != nil {
@@ -228,7 +228,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     "default",
+		ID:       "default",
 		Username: currUser.Username,
 	})
 	if err != nil {

client/server/setconfig_test.go

@@ -47,7 +47,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 
 	pm := profilemanager.ServiceManager{}
 	err = pm.SetActiveProfileState(&profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	})
 	require.NoError(t, err)
@@ -96,7 +96,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 		DisableNotifications:  &disableNotifications,
 		LazyConnectionEnabled: &lazyConnectionEnabled,
 		BlockInbound:          &blockInbound,
-		DisableIpv6:          &disableIPv6,
+		DisableIpv6:           &disableIPv6,
 		NatExternalIPs:        []string{"1.2.3.4", "5.6.7.8"},
 		CleanNATExternalIPs:   false,
 		CustomDNSAddress:      []byte("1.1.1.1:53"),
@@ -112,7 +112,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	profState := profilemanager.ActiveProfileState{
-		Name:     profName,
+		ID:       profilemanager.ID(profName),
 		Username: currUser.Username,
 	}
 	cfgPath, err := profState.FilePath()

client/ui/client_ui.go

@@ -622,7 +622,7 @@ func (s *serviceClient) buildSetConfigRequest(iMngURL string, port, mtu int64) (
 	}
 
 	req := &proto.SetConfigRequest{
-		ProfileName: activeProf.Name,
+		ProfileName: activeProf.ID.String(),
 		Username:    currUser.Username,
 	}
 
@@ -787,13 +787,15 @@ func (s *serviceClient) login(ctx context.Context, openURL bool) (*proto.LoginRe
 		return nil, fmt.Errorf("get current user: %w", err)
 	}
 
+	handle := activeProf.ID.String()
+
 	loginReq := &proto.LoginRequest{
 		IsUnixDesktopClient: runtime.GOOS == "linux" || runtime.GOOS == "freebsd",
-		ProfileName:         &activeProf.Name,
+		ProfileName:         &handle,
 		Username:            &currUser.Username,
 	}
 
-	profileState, err := s.profileManager.GetProfileState(activeProf.Name)
+	profileState, err := s.profileManager.GetProfileState(activeProf.ID)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
@@ -1309,7 +1311,7 @@ func (s *serviceClient) getSrvConfig() {
 	}
 
 	srvCfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.Name,
+		ProfileName: activeProf.ID.String(),
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1533,7 +1535,7 @@ func (s *serviceClient) loadSettings() {
 	}
 
 	cfg, err := conn.GetConfig(s.ctx, &proto.GetConfigRequest{
-		ProfileName: activeProf.Name,
+		ProfileName: activeProf.ID.String(),
 		Username:    currUser.Username,
 	})
 	if err != nil {
@@ -1610,7 +1612,7 @@ func (s *serviceClient) updateConfig() error {
 	}
 
 	req := proto.SetConfigRequest{
-		ProfileName:           activeProf.Name,
+		ProfileName:           activeProf.ID.String(),
 		Username:              currUser.Username,
 		DisableAutoConnect:    &disableAutoStart,
 		ServerSSHAllowed:      &sshAllowed,

client/ui/profile.go

@@ -66,7 +66,7 @@ func (s *serviceClient) showProfilesUI() {
 			} else {
 				indicator.SetText("")
 			}
-			nameLabel.SetText(profile.Name)
+			nameLabel.SetText(formatProfileLabel(profile, profiles))
 
 			// Configure Select/Active button
 			selectBtn.SetText(func() string {
@@ -88,7 +88,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 						// switch
-						err = s.switchProfile(profile.Name)
+						err = s.switchProfile(profile.ID)
 						if err != nil {
 							log.Errorf("failed to switch profile: %v", err)
 							dialog.ShowError(errors.New("failed to select profile"), s.wProfiles)
@@ -130,7 +130,7 @@ func (s *serviceClient) showProfilesUI() {
 			logoutBtn.Show()
 			logoutBtn.SetText("Deregister")
 			logoutBtn.OnTapped = func() {
-				s.handleProfileLogout(profile.Name, refresh)
+				s.handleProfileLogout(profile, refresh)
 			}
 
 			// Remove profile
@@ -144,7 +144,7 @@ func (s *serviceClient) showProfilesUI() {
 							return
 						}
 
-						err = s.removeProfile(profile.Name)
+						err = s.removeProfile(profile.ID)
 						if err != nil {
 							log.Errorf("failed to remove profile: %v", err)
 							dialog.ShowError(fmt.Errorf("failed to remove profile"), s.wProfiles)
@@ -250,7 +250,7 @@ func (s *serviceClient) addProfile(profileName string) error {
 	return nil
 }
 
-func (s *serviceClient) switchProfile(profileName string) error {
+func (s *serviceClient) switchProfile(handle string) error {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
 		return fmt.Errorf(getClientFMT, err)
@@ -261,15 +261,15 @@ func (s *serviceClient) switchProfile(profileName string) error {
 		return fmt.Errorf("get current user: %w", err)
 	}
 
-	if _, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
-		ProfileName: &profileName,
+	resp, err := conn.SwitchProfile(s.ctx, &proto.SwitchProfileRequest{
+		ProfileName: &handle,
 		Username:    &currUser.Username,
-	}); err != nil {
+	})
+	if err != nil {
 		return fmt.Errorf("switch profile failed: %w", err)
 	}
 
-	err = s.profileManager.SwitchProfile(profileName)
-	if err != nil {
+	if err := s.profileManager.SwitchProfile(profilemanager.ID(resp.Id)); err != nil {
 		return fmt.Errorf("switch profile: %w", err)
 	}
 
@@ -299,10 +299,27 @@ func (s *serviceClient) removeProfile(profileName string) error {
 }
 
 type Profile struct {
+	ID       string
 	Name     string
 	IsActive bool
 }
 
+// formatProfileLabel returns the display label for a profile. Profiles can
+// share the same Name, so when more than one profile in profiles carries this
+// Name, a short form of the ID is appended to disambiguate the entries.
+func formatProfileLabel(profile Profile, profiles []Profile) string {
+	count := 0
+	for _, p := range profiles {
+		if p.Name == profile.Name {
+			count++
+		}
+	}
+	if count <= 1 {
+		return profile.Name
+	}
+	return fmt.Sprintf("%s (%s)", profile.Name, profilemanager.ID(profile.ID).ShortID())
+}
+
 func (s *serviceClient) getProfiles() ([]Profile, error) {
 	conn, err := s.getSrvClient(defaultFailTimeout)
 	if err != nil {
@@ -324,6 +341,7 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 
 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
+			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -332,10 +350,10 @@ func (s *serviceClient) getProfiles() ([]Profile, error) {
 	return profiles, nil
 }
 
-func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback func()) {
+func (s *serviceClient) handleProfileLogout(profile Profile, refreshCallback func()) {
 	dialog.ShowConfirm(
 		"Deregister",
-		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profileName),
+		fmt.Sprintf("Are you sure you want to deregister from '%s'?", profile.Name),
 		func(confirm bool) {
 			if !confirm {
 				return
@@ -356,8 +374,10 @@ func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback
 			}
 
 			username := currUser.Username
+			// ProfileName is treated as a handle; send the ID so the
+			// daemon resolves to exactly this profile.
 			_, err = conn.Logout(s.ctx, &proto.LogoutRequest{
-				ProfileName: &profileName,
+				ProfileName: &profile.ID,
 				Username:    &username,
 			})
 			if err != nil {
@@ -368,7 +388,7 @@ func (s *serviceClient) handleProfileLogout(profileName string, refreshCallback
 
 			dialog.ShowInformation(
 				"Deregistered",
-				fmt.Sprintf("Successfully deregistered from '%s'", profileName),
+				fmt.Sprintf("Successfully deregistered from '%s'", profile.Name),
 				s.wProfiles,
 			)
 
@@ -461,6 +481,7 @@ func (p *profileMenu) getProfiles() ([]Profile, error) {
 
 	for _, profile := range profilesResp.Profiles {
 		profiles = append(profiles, Profile{
+			ID:       profile.Id,
 			Name:     profile.Name,
 			IsActive: profile.IsActive,
 		})
@@ -501,7 +522,7 @@ func (p *profileMenu) refresh() {
 	}
 
 	if activeProf.ProfileName == "default" || activeProf.Username == currUser.Username {
-		activeProfState, err := p.profileManager.GetProfileState(activeProf.ProfileName)
+		activeProfState, err := p.profileManager.GetProfileState(profilemanager.ID(activeProf.Id))
 		if err != nil {
 			log.Warnf("failed to get active profile state: %v", err)
 			p.emailMenuItem.Hide()
@@ -512,7 +533,7 @@ func (p *profileMenu) refresh() {
 	}
 
 	for _, profile := range profiles {
-		item := p.profileMenuItem.AddSubMenuItem(profile.Name, "")
+		item := p.profileMenuItem.AddSubMenuItem(formatProfileLabel(profile, profiles), "")
 		if profile.IsActive {
 			item.Check()
 		}
@@ -541,8 +562,8 @@ func (p *profileMenu) refresh() {
 						return
 					}
 
-					_, err = conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
-						ProfileName: &profile.Name,
+					switchResp, err := conn.SwitchProfile(ctx, &proto.SwitchProfileRequest{
+						ProfileName: &profile.ID,
 						Username:    &currUser.Username,
 					})
 					if err != nil {
@@ -552,7 +573,7 @@ func (p *profileMenu) refresh() {
 						return
 					}
 
-					err = p.profileManager.SwitchProfile(profile.Name)
+					err = p.profileManager.SwitchProfile(profilemanager.ID(switchResp.Id))
 					if err != nil {
 						log.Errorf("failed to switch profile '%s': %v", profile.Name, err)
 						return
@@ -695,7 +716,10 @@ func (p *profileMenu) updateMenu() {
 			}
 
 			sort.Slice(profiles, func(i, j int) bool {
-				return profiles[i].Name < profiles[j].Name
+				if profiles[i].Name != profiles[j].Name {
+					return profiles[i].Name < profiles[j].Name
+				}
+				return profiles[i].ID < profiles[j].ID
 			})
 
 			p.mu.Lock()

formatter/hook/hook.go

@@ -99,9 +99,6 @@ func addFields(entry *logrus.Entry) {
 	if ctxAccountID, ok := entry.Context.Value(context.AccountIDKey).(string); ok {
 		entry.Data[context.AccountIDKey] = ctxAccountID
 	}
-	if ctxUserAgent, ok := entry.Context.Value(context.UserAgentKey).(string); ok {
-		entry.Data[context.UserAgentKey] = ctxUserAgent
-	}
 	if ctxInitiatorID, ok := entry.Context.Value(context.UserIDKey).(string); ok {
 		entry.Data[context.UserIDKey] = ctxInitiatorID
 	}

infrastructure_files/getting-started.sh

@@ -19,46 +19,6 @@ readonly MSG_SEPARATOR="=========================================="
 # Utility Functions
 ############################################
 
-check_docker_sock_perms() {
-  local sock="${DOCKER_HOST:-unix:///var/run/docker.sock}"
-  sock="${sock#unix://}"
-
-  if [[ ! -S "$sock" ]]; then
-    return 0
-  fi
-
-  if [[ ! -r "$sock" ]] || [[ ! -w "$sock" ]]; then
-    local group
-    if [[ "${OSTYPE}" == "darwin"* ]]; then
-      group="$(stat -f '%Sg' "$sock")"
-    else
-      group="$(stat -c '%G' "$sock")"
-    fi
-
-    echo "Cannot access Docker socket: $sock" > /dev/stderr
-    echo "" > /dev/stderr
-    echo "Socket permissions:" > /dev/stderr
-    ls -l "$sock" > /dev/stderr
-    echo "" > /dev/stderr
-
-    if [[ "$group" == "docker" ]]; then
-      echo "Your user may need to be added to the '$group' group:" > /dev/stderr
-      echo "  sudo usermod -aG $group \"$USER\"" > /dev/stderr
-      echo "Then log out and back in, or run this for the current shell:" > /dev/stderr
-      echo "  newgrp $group" > /dev/stderr
-      echo "Note: newgrp is temporary; usermod is the permanent group change." > /dev/stderr
-    else
-      echo "The Docker socket is owned by the '$group' group, which is not the standard 'docker' group." > /dev/stderr
-      echo "For safety, this script will not suggest adding your user to '$group'." > /dev/stderr
-      echo "Instead, either run this script with appropriate privileges (for example, via sudo) or follow Docker's post-install steps to configure access via the 'docker' group:" > /dev/stderr
-      echo "  https://docs.docker.com/engine/install/linux-postinstall/" > /dev/stderr
-    fi
-
-    exit 1
-  fi
-  return 0
-}
-
 check_docker_compose() {
   if command -v docker-compose &> /dev/null
   then
@@ -621,15 +581,12 @@ start_services_and_show_instructions() {
 }
 
 init_environment() {
-  # Check if docker compose is installed using check_docker_compose function
-  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
-  check_docker_sock_perms
-
   initialize_default_values
   configure_domain
   configure_reverse_proxy
 
   check_jq
+  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
 
   check_existing_installation
   generate_configuration_files

management/internals/shared/grpc/proxy.go

@@ -666,10 +666,8 @@ func (s *ProxyServiceServer) sender(conn *proxyConnection, errChan chan<- error)
 		case resp := <-conn.sendChan:
 			if err := conn.sendResponse(resp); err != nil {
 				errChan <- err
-				log.WithContext(conn.ctx).Tracef("Failed to send response to proxy %s: %v", conn.proxyID, err)
 				return
 			}
-			log.WithContext(conn.ctx).Tracef("Send response to proxy %s", conn.proxyID)
 		case <-conn.ctx.Done():
 			return
 		}

management/server/context/keys.go

@@ -12,7 +12,6 @@ const (
 	RoleKey      = nbcontext.RoleKey
 	UserIDKey    = nbcontext.UserIDKey
 	PeerIDKey    = nbcontext.PeerIDKey
-	UserAgentKey = nbcontext.UserAgentKey
 )
 
 // RoleFromContext returns the role stored in ctx, or empty string and false if absent.

management/server/telemetry/http_api_metrics.go

@@ -21,8 +21,6 @@ const (
 	httpRequestCounterPrefix  = "management.http.request.counter"
 	httpResponseCounterPrefix = "management.http.response.counter"
 	httpRequestDurationPrefix = "management.http.request.duration.ms"
-
-	RequestIDHeader = "X-Request-Id"
 )
 
 // WrappedResponseWriter is a wrapper for http.ResponseWriter that allows the
@@ -174,10 +172,6 @@ func (m *HTTPMiddleware) Handler(h http.Handler) http.Handler {
 		reqID := xid.New().String()
 		//nolint
 		ctx = context.WithValue(ctx, nbContext.RequestIDKey, reqID)
-		//nolint
-		ctx = context.WithValue(ctx, nbContext.UserAgentKey, r.UserAgent())
-
-		rw.Header().Set(RequestIDHeader, reqID)
 
 		log.WithContext(ctx).Tracef("HTTP request %v: %v %v", reqID, r.Method, r.URL)
 

management/server/types/networkmap_components.go

@@ -557,6 +557,7 @@ func (c *NetworkMapComponents) getRoutingPeerRoutes(peerID string) (enabledRoute
 	return enabledRoutes, disabledRoutes
 }
 
+
 func (c *NetworkMapComponents) filterRoutesByGroups(routes []*route.Route, groupListMap LookupMap) []*route.Route {
 	var filteredRoutes []*route.Route
 	for _, r := range routes {
@@ -627,14 +628,9 @@ func (c *NetworkMapComponents) getDefaultPermit(r *route.Route, includeIPv6 bool
 
 	rules := []*RouteFirewallRule{&rule}
 
-	isDefaultV4 := r.Network.Addr().Is4() && r.Network.Bits() == 0
-	if includeIPv6 && (r.IsDynamic() || isDefaultV4) {
+	if includeIPv6 && r.IsDynamic() {
 		ruleV6 := rule
 		ruleV6.SourceRanges = []string{"::/0"}
-		if isDefaultV4 {
-			ruleV6.Destination = "::/0"
-			ruleV6.RouteID = r.ID + "-v6-default"
-		}
 		rules = append(rules, &ruleV6)
 	}
 

management/server/types/networkmap_components_correctness_test.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"slices"
 	"testing"
 	"time"
 
@@ -1030,48 +1029,6 @@ func TestComponents_RouteDefaultPermit(t *testing.T) {
 	assert.True(t, hasDefaultPermit, "route without ACG should have default permit rule with 0.0.0.0/0 source")
 }
 
-// TestComponents_ExitNodeDefaultPermitIPv6 verifies that a default exit node route
-// (0.0.0.0/0) without AccessControlGroups also emits an IPv6 default permit rule
-// (::/0 source and destination) for peers that support IPv6, mirroring the route
-// the client installs. Without it, IPv6 traffic is routed to the exit node but
-// dropped at the forward chain.
-func TestComponents_ExitNodeDefaultPermitIPv6(t *testing.T) {
-	account, validatedPeers := scalableTestAccount(20, 2)
-
-	routingPeerID := "peer-5"
-	routingPeer := account.Peers[routingPeerID]
-	routingPeer.IPv6 = netip.MustParseAddr("fd00::5")
-	routingPeer.Meta.Capabilities = append(routingPeer.Meta.Capabilities, nbpeer.PeerCapabilityIPv6Overlay)
-
-	account.Routes["route-exit"] = &route.Route{
-		ID: "route-exit", Network: netip.MustParsePrefix("0.0.0.0/0"),
-		PeerID: routingPeerID, Peer: routingPeer.Key,
-		Enabled: true, Groups: []string{"group-all"}, PeerGroups: []string{"group-0"},
-		AccessControlGroups: []string{},
-		AccountID:           "test-account",
-	}
-
-	nm := componentsNetworkMap(account, routingPeerID, validatedPeers)
-	require.NotNil(t, nm)
-
-	hasV4 := false
-	hasV6 := false
-	for _, rfr := range nm.RoutesFirewallRules {
-		switch rfr.Destination {
-		case "0.0.0.0/0":
-			if slices.Contains(rfr.SourceRanges, "0.0.0.0/0") {
-				hasV4 = true
-			}
-		case "::/0":
-			if slices.Contains(rfr.SourceRanges, "::/0") {
-				hasV6 = true
-			}
-		}
-	}
-	assert.True(t, hasV4, "exit node route should have an IPv4 default permit rule (0.0.0.0/0)")
-	assert.True(t, hasV6, "exit node route should have an IPv6 default permit rule (::/0)")
-}
-
 // ──────────────────────────────────────────────────────────────────────────────
 // 15. MULTIPLE ROUTERS PER NETWORK
 // ──────────────────────────────────────────────────────────────────────────────

proxy/cmd/proxy/cmd/root.go

@@ -249,7 +249,6 @@ func runServer(cmd *cobra.Command, args []string) error {
 		Private:                  private,
 		MaxDialTimeout:           maxDialTimeout,
 		MaxSessionIdleTimeout:    maxSessionIdleTimeout,
-		MappingBatchWatchdog:     envDurationOrDefault("NB_PROXY_MAPPING_BATCH_WATCHDOG", 0),
 		GeoDataDir:               geoDataDir,
 		CrowdSecAPIURL:           crowdsecAPIURL,
 		CrowdSecAPIKey:           crowdsecAPIKey,

proxy/internal/roundtrip/netbird.go

@@ -28,10 +28,6 @@ import (
 
 const deviceNamePrefix = "ingress-proxy-"
 
-const clientStopTimeout = 30 * time.Second
-
-const createProxyPeerTimeout = 30 * time.Second
-
 // backendKey identifies a backend by its host:port from the target URL.
 type backendKey string
 
@@ -166,7 +162,6 @@ type NetBird struct {
 
 	clientsMux     sync.RWMutex
 	clients        map[types.AccountID]*clientEntry
-	lifecycleMu    sync.Map
 	initLogOnce    sync.Once
 	statusNotifier statusNotifier
 	// readyHandler runs after the embedded client for an account reports
@@ -182,10 +177,6 @@ type NetBird struct {
 	// (i.e. when a new client was actually created, not when an existing one
 	// was reused). The duration covers keygen + gRPC CreateProxyPeer + embed.New.
 	OnAddPeer func(d time.Duration, err error)
-
-	// startClient runs the post-create client startup. Nil uses runClientStartup;
-	// tests override it to avoid a real embed client.Start.
-	startClient func(accountID types.AccountID, client *embed.Client)
 }
 
 // ClientDebugInfo contains debug information about a client.
@@ -209,20 +200,31 @@ type skipTLSVerifyContextKey struct{}
 func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, serviceID types.ServiceID) error {
 	si := serviceInfo{serviceID: serviceID}
 
-	if n.registerExistingClient(accountID, key, si) {
-		return nil
-	}
+	n.clientsMux.Lock()
 
-	lifecycle := n.accountLifecycle(accountID)
-	lifecycle.Lock()
-	transferred := false
-	defer func() {
-		if !transferred {
-			lifecycle.Unlock()
+	entry, exists := n.clients[accountID]
+	if exists {
+		entry.services[key] = si
+		started := entry.started
+		n.clientsMux.Unlock()
+
+		n.logger.WithFields(log.Fields{
+			"account_id":  accountID,
+			"service_key": key,
+		}).Debug("registered service with existing client")
+
+		if started && n.statusNotifier != nil {
+			// Use a background context, not the caller's: the management
+			// connection notification must land even if the request /
+			// stream that triggered this registration is cancelled.
+			// Mirrors the async runClientStartup path.
+			if err := n.statusNotifier.NotifyStatus(context.Background(), accountID, serviceID, true); err != nil {
+				n.logger.WithFields(log.Fields{
+					"account_id":  accountID,
+					"service_key": key,
+				}).WithError(err).Warn("failed to notify status for existing client")
+			}
 		}
-	}()
-
-	if n.registerExistingClient(accountID, key, si) {
 		return nil
 	}
 
@@ -232,10 +234,10 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 		n.OnAddPeer(time.Since(createStart), err)
 	}
 	if err != nil {
+		n.clientsMux.Unlock()
 		return err
 	}
 
-	n.clientsMux.Lock()
 	n.clients[accountID] = entry
 	n.clientsMux.Unlock()
 
@@ -244,64 +246,17 @@ func (n *NetBird) AddPeer(ctx context.Context, accountID types.AccountID, key Se
 		"service_key": key,
 	}).Info("created new client for account")
 
-	transferred = true
-	go func() {
-		defer lifecycle.Unlock()
-		n.startClientStartup(accountID, entry.client)
-	}()
+	// Attempt to start the client in the background; if this fails we will
+	// retry on the first request via RoundTrip. runClientStartup uses its
+	// own background context so the caller's request-scoped ctx can't
+	// cancel the inbound bring-up.
+	go n.runClientStartup(accountID, entry.client)
 
 	return nil
 }
 
-func (n *NetBird) startClientStartup(accountID types.AccountID, client *embed.Client) {
-	if n.startClient != nil {
-		n.startClient(accountID, client)
-		return
-	}
-	n.runClientStartup(accountID, client)
-}
-
-// registerExistingClient registers the service against an already-present
-// client for the account and returns true when it did. It notifies management
-// of the new service when the client is already started.
-func (n *NetBird) registerExistingClient(accountID types.AccountID, key ServiceKey, si serviceInfo) bool {
-	n.clientsMux.Lock()
-	entry, exists := n.clients[accountID]
-	if !exists {
-		n.clientsMux.Unlock()
-		return false
-	}
-	entry.services[key] = si
-	started := entry.started
-	n.clientsMux.Unlock()
-
-	n.logger.WithFields(log.Fields{
-		"account_id":  accountID,
-		"service_key": key,
-	}).Debug("registered service with existing client")
-
-	if started && n.statusNotifier != nil {
-		if err := n.statusNotifier.NotifyStatus(context.Background(), accountID, si.serviceID, true); err != nil {
-			n.logger.WithFields(log.Fields{
-				"account_id":  accountID,
-				"service_key": key,
-			}).WithError(err).Warn("failed to notify status for existing client")
-		}
-	}
-	return true
-}
-
-// accountLifecycle returns the per-account lifecycle mutex, serialising client
-// creation against teardown so a slow client.Stop cannot race a new
-// client.Start for the same account, without blocking clientsMux.
-func (n *NetBird) accountLifecycle(accountID types.AccountID) *sync.Mutex {
-	mu, _ := n.lifecycleMu.LoadOrStore(accountID, &sync.Mutex{})
-	return mu.(*sync.Mutex)
-}
-
 // createClientEntry generates a WireGuard keypair, authenticates with management,
-// and creates an embedded NetBird client. Must be called with the account's
-// lifecycle mutex held.
+// and creates an embedded NetBird client. Must be called with clientsMux held.
 func (n *NetBird) createClientEntry(ctx context.Context, accountID types.AccountID, key ServiceKey, authToken string, si serviceInfo) (*clientEntry, error) {
 	serviceID := si.serviceID
 	n.logger.WithFields(log.Fields{
@@ -321,9 +276,7 @@ func (n *NetBird) createClientEntry(ctx context.Context, accountID types.Account
 		"public_key": publicKey.String(),
 	}).Debug("authenticating new proxy peer with management")
 
-	createCtx, cancel := context.WithTimeout(ctx, createProxyPeerTimeout)
-	defer cancel()
-	resp, err := n.mgmtClient.CreateProxyPeer(createCtx, &proto.CreateProxyPeerRequest{
+	resp, err := n.mgmtClient.CreateProxyPeer(ctx, &proto.CreateProxyPeerRequest{
 		ServiceId:          string(serviceID),
 		AccountId:          string(accountID),
 		Token:              authToken,
@@ -491,15 +444,6 @@ func (n *NetBird) notifyClientReady(accountID types.AccountID, client *embed.Cli
 // RemovePeer unregisters a service from an account. The client is only stopped
 // when no services are using it anymore.
 func (n *NetBird) RemovePeer(ctx context.Context, accountID types.AccountID, key ServiceKey) error {
-	lifecycle := n.accountLifecycle(accountID)
-	lifecycle.Lock()
-	transferred := false
-	defer func() {
-		if !transferred {
-			lifecycle.Unlock()
-		}
-	}()
-
 	n.clientsMux.Lock()
 
 	entry, exists := n.clients[accountID]
@@ -522,8 +466,17 @@ func (n *NetBird) RemovePeer(ctx context.Context, accountID types.AccountID, key
 	delete(entry.services, key)
 
 	stopClient := len(entry.services) == 0
+	var client *embed.Client
+	var transport, insecureTransport *http.Transport
+	var inbound any
+	var stopHandler func(types.AccountID, any)
 	if stopClient {
 		n.logger.WithField("account_id", accountID).Info("stopping client, no more services")
+		client = entry.client
+		transport = entry.transport
+		insecureTransport = entry.insecureTransport
+		inbound = entry.inbound
+		stopHandler = n.stopHandler
 		delete(n.clients, accountID)
 	} else {
 		n.logger.WithFields(log.Fields{
@@ -537,40 +490,19 @@ func (n *NetBird) RemovePeer(ctx context.Context, accountID types.AccountID, key
 	n.notifyDisconnect(ctx, accountID, key, si.serviceID)
 
 	if stopClient {
-		transferred = true
-		go n.stopClientLocked(accountID, lifecycle, entry)
+		if inbound != nil && stopHandler != nil {
+			stopHandler(accountID, inbound)
+		}
+		transport.CloseIdleConnections()
+		insecureTransport.CloseIdleConnections()
+		if err := client.Stop(ctx); err != nil {
+			n.logger.WithField("account_id", accountID).WithError(err).Warn("failed to stop netbird client")
+		}
 	}
 
 	return nil
 }
 
-// stopClientLocked releases a client's resources off the caller's goroutine so a
-// slow client.Stop cannot wedge the mapping receive loop (which calls RemovePeer
-// synchronously). It unlocks lifecycle when done so a new client.Start for the
-// same account waits for this teardown.
-func (n *NetBird) stopClientLocked(accountID types.AccountID, lifecycle *sync.Mutex, entry *clientEntry) {
-	defer lifecycle.Unlock()
-
-	if entry.inbound != nil && n.stopHandler != nil {
-		n.stopHandler(accountID, entry.inbound)
-	}
-	if entry.transport != nil {
-		entry.transport.CloseIdleConnections()
-	}
-	if entry.insecureTransport != nil {
-		entry.insecureTransport.CloseIdleConnections()
-	}
-	if entry.client == nil {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), clientStopTimeout)
-	defer cancel()
-	if err := entry.client.Stop(ctx); err != nil {
-		n.logger.WithField("account_id", accountID).WithError(err).Warn("failed to stop netbird client")
-	}
-}
-
 func (n *NetBird) notifyDisconnect(ctx context.Context, accountID types.AccountID, key ServiceKey, serviceID types.ServiceID) {
 	if n.statusNotifier == nil {
 		return

proxy/internal/roundtrip/netbird_test.go

@@ -6,7 +6,6 @@ import (
 	"net/netip"
 	"sync"
 	"testing"
-	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -23,18 +22,6 @@ func (m *mockMgmtClient) CreateProxyPeer(_ context.Context, _ *proto.CreateProxy
 	return &proto.CreateProxyPeerResponse{Success: true}, nil
 }
 
-// signalMgmtClient closes entered the first time CreateProxyPeer is called, so
-// tests can detect AddPeer reaching client creation.
-type signalMgmtClient struct {
-	entered chan struct{}
-	once    sync.Once
-}
-
-func (m *signalMgmtClient) CreateProxyPeer(_ context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
-	m.once.Do(func() { close(m.entered) })
-	return &proto.CreateProxyPeerResponse{Success: true}, nil
-}
-
 type mockStatusNotifier struct {
 	mu       sync.Mutex
 	statuses []statusCall
@@ -65,15 +52,11 @@ func (m *mockStatusNotifier) calls() []statusCall {
 // mockNetBird creates a NetBird instance for testing without actually connecting.
 // It uses an invalid management URL to prevent real connections.
 func mockNetBird() *NetBird {
-	nb := NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
+	return NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
 		MgmtAddr:     "http://invalid.test:9999",
 		WGPort:       0,
 		PreSharedKey: "",
 	}, nil, nil, &mockMgmtClient{})
-	// Skip the real embed client.Start, which would hang against the unreachable
-	// mgmt URL and (now that the lifecycle lock spans startup) serialise removes.
-	nb.startClient = func(types.AccountID, *embed.Client) {}
-	return nb
 }
 
 func TestNetBird_AddPeer_CreatesClientForNewAccount(t *testing.T) {
@@ -305,7 +288,6 @@ func TestNetBird_AddPeer_ExistingStartedClient_NotifiesStatus(t *testing.T) {
 		WGPort:       0,
 		PreSharedKey: "",
 	}, nil, notifier, &mockMgmtClient{})
-	nb.startClient = func(types.AccountID, *embed.Client) {}
 	accountID := types.AccountID("account-1")
 
 	// Add first service — creates a new client entry.
@@ -390,117 +372,6 @@ func TestNetBird_RemovePeer_NotifiesDisconnection(t *testing.T) {
 	assert.False(t, calls[0].connected)
 }
 
-// TestNetBird_RemovePeer_TeardownIsAsync proves the fix for the receive-loop
-// stall: RemovePeer must return promptly even when the client teardown blocks,
-// because teardown runs off the caller's goroutine. The receive loop calls
-// RemovePeer synchronously, so a blocking teardown inline would wedge it.
-func TestNetBird_RemovePeer_TeardownIsAsync(t *testing.T) {
-	nb := NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
-		MgmtAddr: "http://invalid.test:9999",
-	}, nil, &mockStatusNotifier{}, &mockMgmtClient{})
-
-	accountID := types.AccountID("acct-async-teardown")
-	key := DomainServiceKey("svc.example")
-
-	teardownEntered := make(chan struct{})
-	releaseTeardown := make(chan struct{})
-	nb.SetClientLifecycle(nil, func(types.AccountID, any) {
-		close(teardownEntered)
-		<-releaseTeardown
-	})
-
-	nb.clientsMux.Lock()
-	nb.clients[accountID] = &clientEntry{
-		services: map[ServiceKey]serviceInfo{key: {serviceID: types.ServiceID("svc-1")}},
-		started:  true,
-		inbound:  struct{}{},
-	}
-	nb.clientsMux.Unlock()
-
-	done := make(chan error, 1)
-	go func() { done <- nb.RemovePeer(context.Background(), accountID, key) }()
-
-	select {
-	case err := <-done:
-		require.NoError(t, err)
-	case <-time.After(2 * time.Second):
-		t.Fatal("RemovePeer did not return while teardown was blocked — teardown is not async")
-	}
-
-	select {
-	case <-teardownEntered:
-	case <-time.After(2 * time.Second):
-		t.Fatal("teardown never ran")
-	}
-
-	close(releaseTeardown)
-}
-
-// TestNetBird_AddPeer_WaitsForTeardown proves the lifecycle lock serialises a
-// new client bringup behind an in-flight teardown for the same account, so a
-// slow client.Stop can never race a new client.Start for that account.
-//
-// It targets the handoff race specifically: AddPeer is launched immediately
-// after RemovePeer returns, WITHOUT waiting for the teardown goroutine to start.
-// This only passes if RemovePeer acquires the lifecycle lock synchronously
-// (before returning) and hands it to the teardown goroutine — if the goroutine
-// acquired the lock itself, AddPeer could win the lock in this window and start
-// a replacement client while the old teardown is still pending.
-func TestNetBird_AddPeer_WaitsForTeardown(t *testing.T) {
-	nb := NewNetBird(context.Background(), "test-proxy", "invalid.test", ClientConfig{
-		MgmtAddr: "http://invalid.test:9999",
-	}, nil, &mockStatusNotifier{}, &mockMgmtClient{})
-	nb.startClient = func(types.AccountID, *embed.Client) {}
-
-	accountID := types.AccountID("acct-serialize")
-	key := DomainServiceKey("svc.example")
-
-	addEntered := make(chan struct{})
-	releaseTeardown := make(chan struct{})
-	nb.SetClientLifecycle(nil, func(types.AccountID, any) {
-		// Block teardown until released. If AddPeer ever reaches createClientEntry
-		// (signalled via the mgmt client below) while we hold the lock, the lock
-		// failed to serialise and the test fails before we release.
-		<-releaseTeardown
-	})
-
-	nb.clientsMux.Lock()
-	nb.clients[accountID] = &clientEntry{
-		services: map[ServiceKey]serviceInfo{key: {serviceID: types.ServiceID("svc-1")}},
-		started:  true,
-		inbound:  struct{}{},
-	}
-	nb.clientsMux.Unlock()
-
-	// createClientEntry calls CreateProxyPeer; closing addEntered there tells us
-	// AddPeer got past the lifecycle lock and into client creation.
-	nb.mgmtClient = &signalMgmtClient{entered: addEntered}
-
-	require.NoError(t, nb.RemovePeer(context.Background(), accountID, key))
-
-	// Launch AddPeer with NO synchronisation against the teardown goroutine.
-	addReturned := make(chan struct{})
-	go func() {
-		_ = nb.AddPeer(context.Background(), accountID, DomainServiceKey("svc2.example"), "key-2", types.ServiceID("svc-2"))
-		close(addReturned)
-	}()
-
-	select {
-	case <-addEntered:
-		t.Fatal("AddPeer entered client creation while teardown held the lifecycle lock — handoff race not closed")
-	case <-addReturned:
-		t.Fatal("AddPeer completed while teardown held the lifecycle lock — not serialised")
-	case <-time.After(300 * time.Millisecond):
-	}
-
-	close(releaseTeardown)
-	select {
-	case <-addReturned:
-	case <-time.After(2 * time.Second):
-		t.Fatal("AddPeer never completed after teardown released the lifecycle lock")
-	}
-}
-
 // TestNotifyClientReady_UsesBackgroundCtx pins the contract that the
 // post-Start hooks (readyHandler + statusNotifier.NotifyStatus) run on
 // a fresh context.Background() rather than inheriting the AddPeer

proxy/lifecycle.go

@@ -114,10 +114,6 @@ type Config struct {
 	MaxDialTimeout time.Duration
 	// MaxSessionIdleTimeout caps the per-service session idle timeout.
 	MaxSessionIdleTimeout time.Duration
-	// MappingBatchWatchdog bounds how long a single mapping batch may spend
-	// being applied before the receive loop reconnects to resync. Zero falls
-	// back to the internal default.
-	MappingBatchWatchdog time.Duration
 
 	// GeoDataDir is the directory containing GeoLite2 MMDB files.
 	GeoDataDir string
@@ -168,7 +164,6 @@ func New(ctx context.Context, cfg Config) *Server {
 		Private:                  cfg.Private,
 		MaxDialTimeout:           cfg.MaxDialTimeout,
 		MaxSessionIdleTimeout:    cfg.MaxSessionIdleTimeout,
-		MappingBatchWatchdog:     cfg.MappingBatchWatchdog,
 		GeoDataDir:               cfg.GeoDataDir,
 		CrowdSecAPIURL:           cfg.CrowdSecAPIURL,
 		CrowdSecAPIKey:           cfg.CrowdSecAPIKey,

proxy/mapping_stall_test.go

@@ -1,282 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"sync"
-	"sync/atomic"
-	"testing"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/metadata"
-
-	"github.com/netbirdio/netbird/proxy/internal/roundtrip"
-	"github.com/netbirdio/netbird/proxy/internal/types"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// blockingMgmtClient implements roundtrip's managementClient interface.
-// CreateProxyPeer parks until release is closed, signalling entry on entered.
-// This reproduces the confirmed real-world stall: createClientEntry calls
-// CreateProxyPeer synchronously while holding clientsMux, and the proxy's
-// receive loop calls that path synchronously inside processMappings.
-type blockingMgmtClient struct {
-	entered chan struct{}
-	once    sync.Once
-}
-
-func (b *blockingMgmtClient) CreateProxyPeer(ctx context.Context, _ *proto.CreateProxyPeerRequest, _ ...grpc.CallOption) (*proto.CreateProxyPeerResponse, error) {
-	b.once.Do(func() { close(b.entered) })
-	// Park until the caller's context is cancelled. In production this ctx is
-	// the gRPC mapping-stream context with no per-call timeout, so a slow or
-	// unresponsive CreateProxyPeer parks the receive loop here indefinitely.
-	<-ctx.Done()
-	return nil, ctx.Err()
-}
-
-// gatedMappingStream is a mock GetMappingUpdate client stream that hands out a
-// pre-seeded list of messages, then records how many times Recv advanced. It
-// lets the test observe whether the single-threaded receive loop ever gets
-// past the first (blocking) batch to pull the second message.
-type gatedMappingStream struct {
-	grpc.ClientStream
-	messages []*proto.GetMappingUpdateResponse
-	idx      int32
-}
-
-func (g *gatedMappingStream) Recv() (*proto.GetMappingUpdateResponse, error) {
-	i := int(atomic.LoadInt32(&g.idx))
-	if i >= len(g.messages) {
-		// Block instead of returning EOF so the loop doesn't exit; we only
-		// care whether the loop ever reaches this second Recv at all.
-		select {}
-	}
-	msg := g.messages[i]
-	atomic.AddInt32(&g.idx, 1)
-	return msg, nil
-}
-
-func (g *gatedMappingStream) deliveredCount() int32 { return atomic.LoadInt32(&g.idx) }
-
-func (g *gatedMappingStream) Header() (metadata.MD, error) { return nil, nil } //nolint:nilnil
-func (g *gatedMappingStream) Trailer() metadata.MD         { return nil }
-func (g *gatedMappingStream) CloseSend() error             { return nil }
-func (g *gatedMappingStream) Context() context.Context     { return context.Background() }
-func (g *gatedMappingStream) SendMsg(any) error            { return nil }
-func (g *gatedMappingStream) RecvMsg(any) error            { return nil }
-
-// noopNotifier satisfies roundtrip's statusNotifier interface.
-type noopNotifier struct{}
-
-func (noopNotifier) NotifyStatus(context.Context, types.AccountID, types.ServiceID, bool) error {
-	return nil
-}
-
-// noopProxyClient is a proto.ProxyServiceClient that no-ops the one method the
-// teardown unwind reaches (SendStatusUpdate, via notifyError when the parked
-// AddPeer is cancelled). The embedded nil interface satisfies the rest at
-// compile time; none of those methods are called by this test.
-type noopProxyClient struct {
-	proto.ProxyServiceClient
-}
-
-func (noopProxyClient) SendStatusUpdate(context.Context, *proto.SendStatusUpdateRequest, ...grpc.CallOption) (*proto.SendStatusUpdateResponse, error) {
-	return &proto.SendStatusUpdateResponse{}, nil
-}
-
-// TestMappingStream_StallsWhenApplyBlocks proves the deadlock: the proxy's
-// mapping receive loop processes batches strictly serially, so when applying
-// one batch blocks (here: createClientEntry parked on a synchronous
-// CreateProxyPeer call, exactly as observed in production), the loop never
-// advances to Recv the next batch. Management can keep sending updates onto
-// the stream with no error and no channel overflow, yet the proxy applies
-// nothing further — it is stuck.
-func TestMappingStream_StallsWhenApplyBlocks(t *testing.T) {
-	logger := log.New()
-	logger.SetLevel(log.PanicLevel)
-
-	mgmt := &blockingMgmtClient{
-		entered: make(chan struct{}),
-	}
-
-	nb := roundtrip.NewNetBird(
-		context.Background(),
-		"proxy-test",
-		"proxy.example.com",
-		roundtrip.ClientConfig{},
-		logger,
-		noopNotifier{},
-		mgmt,
-	)
-
-	s := &Server{
-		Logger:       logger,
-		netbird:      nb,
-		mgmtClient:   noopProxyClient{},
-		routerReady:  closedChan(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-
-	// First batch: a CREATED mapping for a brand-new account. addMapping ->
-	// netbird.AddPeer -> createClientEntry -> CreateProxyPeer, which blocks.
-	// Empty Path keeps setupHTTPMapping a no-op (it returns early), so the
-	// ONLY blocking point is the synchronous CreateProxyPeer in AddPeer —
-	// no routers/auth need wiring. The second batch exists only to detect
-	// whether the loop ever advances past the blocked first batch.
-	stream := &gatedMappingStream{
-		messages: []*proto.GetMappingUpdateResponse{
-			{
-				Mapping: []*proto.ProxyMapping{
-					{
-						Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-						Id:        "svc-1",
-						AccountId: "acct-1",
-						AuthToken: "token-1",
-					},
-				},
-			},
-			{
-				Mapping: []*proto.ProxyMapping{
-					{
-						Type:      proto.ProxyMappingUpdateType_UPDATE_TYPE_CREATED,
-						Id:        "svc-2",
-						AccountId: "acct-2",
-						AuthToken: "token-2",
-					},
-				},
-			},
-		},
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	// Unblock the parked apply on teardown via ctx (CreateProxyPeer returns
-	// ctx.Err()), so the wedged loop goroutine unwinds before embed.New —
-	// avoiding any dependency on collaborators this test deliberately leaves
-	// nil. The deadlock is fully proven before this fires.
-	t.Cleanup(cancel)
-
-	loopDone := make(chan struct{})
-	syncDone := false
-	go func() {
-		defer close(loopDone)
-		_ = s.handleMappingStream(ctx, stream, &syncDone, time.Time{})
-	}()
-
-	// The loop must reach the blocking apply for the first batch.
-	select {
-	case <-mgmt.entered:
-	case <-time.After(2 * time.Second):
-		t.Fatal("receive loop never reached CreateProxyPeer for the first batch")
-	}
-
-	// THE DEADLOCK: while the first batch is parked in CreateProxyPeer, the
-	// single-threaded loop cannot advance. The second batch is never pulled,
-	// even though it is already available on the stream. Give it ample time.
-	// deliveredCount is atomic; syncDone is intentionally not read here because
-	// the loop goroutine owns it (reading it from the test would race).
-	time.Sleep(500 * time.Millisecond)
-	assert.Equal(t, int32(1), stream.deliveredCount(),
-		"loop must NOT consume the second batch while the first is blocked in apply — proxy is stuck")
-
-	select {
-	case <-loopDone:
-		t.Fatal("receive loop returned while it should be wedged in apply")
-	default:
-		// Still wedged, as expected.
-	}
-}
-
-// TestMappingStream_StallsWhenRemoveBlocks proves the deadlock for the REMOVE
-// path observed in production: a mapping remove tears down the account's last
-// embedded client via netbird.RemovePeer -> client.Stop -> Engine.Stop, whose
-// jobExecutorWG.Wait() is unbounded. Because the receive loop is single-
-// threaded, a blocked remove wedges the loop: no further mapping updates of any
-// kind (create/modify/remove) are applied, while management keeps sending them
-// successfully (no send error, no channel-full). Matches the reported symptom:
-// the last log line is a remove that stops a client, then silence.
-func TestMappingStream_StallsWhenRemoveBlocks(t *testing.T) {
-	logger := log.New()
-	logger.SetLevel(log.PanicLevel)
-
-	enteredRemove := make(chan struct{})
-	blockRemove := make(chan struct{})
-	var once sync.Once
-
-	s := &Server{
-		Logger:       logger,
-		mgmtClient:   noopProxyClient{},
-		routerReady:  closedChan(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-		// Stand in for netbird.RemovePeer -> client.Stop hanging on
-		// Engine.Stop's unbounded jobExecutorWG.Wait(). Only the first remove
-		// blocks; later removes return immediately so the recovery assertion
-		// can observe the loop advancing.
-		removePeer: func(ctx context.Context, _ types.AccountID, _ roundtrip.ServiceKey) error {
-			first := false
-			once.Do(func() {
-				first = true
-				close(enteredRemove)
-			})
-			if !first {
-				return nil
-			}
-			select {
-			case <-blockRemove:
-			case <-ctx.Done():
-			}
-			return nil
-		},
-	}
-
-	// Batch 1 removes a service (blocks in teardown). Batch 2 is a later update
-	// that must never be applied while the remove is wedged.
-	stream := &gatedMappingStream{
-		messages: []*proto.GetMappingUpdateResponse{
-			{
-				Mapping: []*proto.ProxyMapping{
-					{Type: proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED, Id: "svc-1", AccountId: "acct-1"},
-				},
-			},
-			{
-				Mapping: []*proto.ProxyMapping{
-					{Type: proto.ProxyMappingUpdateType_UPDATE_TYPE_REMOVED, Id: "svc-2", AccountId: "acct-1"},
-				},
-			},
-		},
-	}
-
-	loopDone := make(chan struct{})
-	syncDone := false
-	go func() {
-		defer close(loopDone)
-		_ = s.handleMappingStream(context.Background(), stream, &syncDone, time.Time{})
-	}()
-
-	select {
-	case <-enteredRemove:
-	case <-time.After(2 * time.Second):
-		t.Fatal("receive loop never reached the blocking remove for the first batch")
-	}
-
-	// THE DEADLOCK: the loop is parked in the blocked remove and cannot advance.
-	// syncDone is owned by the loop goroutine, so it is not read here.
-	time.Sleep(500 * time.Millisecond)
-	assert.Equal(t, int32(1), stream.deliveredCount(),
-		"loop must NOT consume the second batch while the first remove is blocked — proxy is stuck")
-
-	select {
-	case <-loopDone:
-		t.Fatal("receive loop returned while it should be wedged on the remove")
-	default:
-	}
-
-	// Unblock and confirm the wedge was solely the blocked remove: the loop
-	// then advances and consumes the next batch.
-	close(blockRemove)
-	assert.Eventually(t, func() bool {
-		return stream.deliveredCount() >= 2
-	}, 2*time.Second, 5*time.Millisecond,
-		"once the remove unblocks, the loop must advance and consume the next batch")
-}

proxy/server.go

@@ -118,9 +118,6 @@ type Server struct {
 	// The mapping worker waits on this before processing updates.
 	routerReady chan struct{}
 
-	// removePeer defaults to netbird.RemovePeer; overridable in tests.
-	removePeer func(ctx context.Context, accountID types.AccountID, key roundtrip.ServiceKey) error
-
 	// inbound, when non-nil, manages per-account inbound listeners. Set by
 	// initPrivateInbound only when Private is true so the standalone
 	// proxy keeps its zero-overhead default path.
@@ -230,10 +227,6 @@ type Server struct {
 	// Zero means no cap (the proxy honors whatever management sends).
 	// Set via NB_PROXY_MAX_SESSION_IDLE_TIMEOUT for shared deployments.
 	MaxSessionIdleTimeout time.Duration
-	// MappingBatchWatchdog bounds how long a single mapping batch may spend
-	// in processMappings before the receive loop reconnects to resync.
-	// Zero uses defaultMappingBatchWatchdog.
-	MappingBatchWatchdog time.Duration
 }
 
 // clampIdleTimeout returns d capped to MaxSessionIdleTimeout when configured.
@@ -1179,30 +1172,24 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 			s.healthChecker.SetManagementConnected(false)
 		}
 
-		connected := false
-		onConnected := func() { connected = true }
-
 		var streamErr error
 		if syncSupported {
-			streamErr = s.trySyncMappings(ctx, client, &initialSyncDone, onConnected)
+			streamErr = s.trySyncMappings(ctx, client, &initialSyncDone)
 			if isSyncUnimplemented(streamErr) {
 				syncSupported = false
 				s.Logger.Info("management does not support SyncMappings, falling back to GetMappingUpdate")
-				streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone, onConnected)
+				streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone)
 			}
 		} else {
-			streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone, onConnected)
+			streamErr = s.tryGetMappingUpdate(ctx, client, &initialSyncDone)
 		}
 
 		if s.healthChecker != nil {
 			s.healthChecker.SetManagementConnected(false)
 		}
 
-		// Reset backoff only when a stream actually connected, so immediate
-		// connect failures still back off instead of spinning.
-		if connected {
-			bo.Reset()
-		}
+		// Stream established — reset backoff so the next failure retries quickly.
+		bo.Reset()
 
 		if streamErr == nil {
 			return fmt.Errorf("stream closed by server")
@@ -1234,7 +1221,7 @@ func (s *Server) proxyCapabilities() *proto.ProxyCapabilities {
 	}
 }
 
-func (s *Server) tryGetMappingUpdate(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool, onConnected func()) error {
+func (s *Server) tryGetMappingUpdate(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool) error {
 	connectTime := time.Now()
 	mappingClient, err := client.GetMappingUpdate(ctx, &proto.GetMappingUpdateRequest{
 		ProxyId:      s.ID,
@@ -1247,7 +1234,6 @@ func (s *Server) tryGetMappingUpdate(ctx context.Context, client proto.ProxyServ
 		return fmt.Errorf("create mapping stream: %w", err)
 	}
 
-	onConnected()
 	if s.healthChecker != nil {
 		s.healthChecker.SetManagementConnected(true)
 	}
@@ -1256,7 +1242,7 @@ func (s *Server) tryGetMappingUpdate(ctx context.Context, client proto.ProxyServ
 	return s.handleMappingStream(ctx, mappingClient, initialSyncDone, connectTime)
 }
 
-func (s *Server) trySyncMappings(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool, onConnected func()) error {
+func (s *Server) trySyncMappings(ctx context.Context, client proto.ProxyServiceClient, initialSyncDone *bool) error {
 	connectTime := time.Now()
 	stream, err := client.SyncMappings(ctx)
 	if err != nil {
@@ -1277,7 +1263,6 @@ func (s *Server) trySyncMappings(ctx context.Context, client proto.ProxyServiceC
 		return fmt.Errorf("send sync init: %w", err)
 	}
 
-	onConnected()
 	if s.healthChecker != nil {
 		s.healthChecker.SetManagementConnected(true)
 	}
@@ -1322,9 +1307,7 @@ func (s *Server) handleSyncMappingsStream(ctx context.Context, stream proto.Prox
 
 			batchStart := time.Now()
 			s.Logger.Debug("Received mapping update, starting processing")
-			if err := s.processMappingsGuarded(ctx, msg.GetMapping()); err != nil {
-				return err
-			}
+			s.processMappings(ctx, msg.GetMapping())
 			s.Logger.Debug("Processing mapping update completed")
 			tracker.recordBatch(ctx, s, msg.GetMapping(), msg.GetInitialSyncComplete(), batchStart)
 
@@ -1408,9 +1391,7 @@ func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.Pr
 
 			batchStart := time.Now()
 			s.Logger.Debug("Received mapping update, starting processing")
-			if err := s.processMappingsGuarded(ctx, msg.GetMapping()); err != nil {
-				return err
-			}
+			s.processMappings(ctx, msg.GetMapping())
 			s.Logger.Debug("Processing mapping update completed")
 			tracker.recordBatch(ctx, s, msg.GetMapping(), msg.GetInitialSyncComplete(), batchStart)
 		}
@@ -1475,44 +1456,6 @@ func redactMappingForLog(m *proto.ProxyMapping) *proto.ProxyMapping {
 	return c
 }
 
-const defaultMappingBatchWatchdog = 2 * time.Minute
-
-// mappingBatchWatchdog returns the configured batch watchdog or the default.
-func (s *Server) mappingBatchWatchdog() time.Duration {
-	if s.MappingBatchWatchdog > 0 {
-		return s.MappingBatchWatchdog
-	}
-	return defaultMappingBatchWatchdog
-}
-
-// processMappingsGuarded applies a batch under a watchdog, returning an error
-// if processing exceeds the watchdog so the caller reconnects and resyncs
-// instead of wedging silently.
-func (s *Server) processMappingsGuarded(ctx context.Context, mappings []*proto.ProxyMapping) error {
-	batchCtx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		s.processMappings(batchCtx, mappings)
-	}()
-
-	watchdog := s.mappingBatchWatchdog()
-	timer := time.NewTimer(watchdog)
-	defer timer.Stop()
-
-	select {
-	case <-done:
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-timer.C:
-		s.Logger.Errorf("processing mapping batch exceeded %s, cancelling and reconnecting to resync", watchdog)
-		return fmt.Errorf("mapping batch processing stalled after %s", watchdog)
-	}
-}
-
 func (s *Server) processMappings(ctx context.Context, mappings []*proto.ProxyMapping) {
 	debug := s.Logger != nil && s.Logger.IsLevelEnabled(log.DebugLevel)
 	for _, mapping := range mappings {
@@ -2008,11 +1951,7 @@ func (s *Server) updateMapping(ctx context.Context, mapping *proto.ProxyMapping)
 func (s *Server) removeMapping(ctx context.Context, mapping *proto.ProxyMapping) {
 	accountID := types.AccountID(mapping.GetAccountId())
 	svcKey := s.serviceKeyForMapping(mapping)
-	removePeer := s.removePeer
-	if removePeer == nil {
-		removePeer = s.netbird.RemovePeer
-	}
-	if err := removePeer(ctx, accountID, svcKey); err != nil {
+	if err := s.netbird.RemovePeer(ctx, accountID, svcKey); err != nil {
 		s.Logger.WithFields(log.Fields{
 			"account_id": accountID,
 			"service_id": mapping.GetId(),

release_files/install.sh

@@ -417,30 +417,15 @@ if type uname >/dev/null 2>&1; then
               # Check the availability of a compatible package manager
               if check_use_bin_variable; then
                   PACKAGE_MANAGER="bin"
-              elif [ -e /run/ostree-booted ]; then
-                  if [ -x "$(command -v rpm-ostree)" ]; then
-                      PACKAGE_MANAGER="rpm-ostree"
-                      echo "The installation will be performed using rpm-ostree package manager"
-                  elif [ -x "$(command -v bootc)" ]; then
-                      echo "Detected bootc system without rpm-ostree." >&2
-                      echo "NetBird cannot be installed via package manager on this system." >&2
-                      echo "Options:" >&2
-                      echo "  1. Install via Distrobox (instructions in the installation docs)" >&2
-                      echo "  2. Rebuild your base image with rpm-ostree included" >&2
-                      echo "  3. Bake NetBird into your Containerfile" >&2
-                      exit 1
-                  else
-                      echo "Detected ostree-booted system without rpm-ostree or bootc." >&2
-                      echo "NetBird cannot be installed automatically on this atomic system." >&2
-                      echo "Please install NetBird by rebuilding your base image or use a supported package manager." >&2
-                      exit 1
-                  fi
               elif [ -x "$(command -v apt-get)" ]; then
                   PACKAGE_MANAGER="apt"
                   echo "The installation will be performed using apt package manager"
               elif [ -x "$(command -v dnf)" ]; then
                   PACKAGE_MANAGER="dnf"
                   echo "The installation will be performed using dnf package manager"
+              elif [ -x "$(command -v rpm-ostree)" ]; then
+                  PACKAGE_MANAGER="rpm-ostree"
+                  echo "The installation will be performed using rpm-ostree package manager"
               elif [ -x "$(command -v yum)" ]; then
                   PACKAGE_MANAGER="yum"
                   echo "The installation will be performed using yum package manager"

shared/context/keys.go

@@ -6,5 +6,4 @@ const (
 	RoleKey      = "role"
 	UserIDKey    = "userID"
 	PeerIDKey    = "peerID"
-	UserAgentKey = "userAgent"
 )

shared/management/http/api/openapi.yml

@@ -5107,63 +5107,31 @@ components:
   responses:
     not_found:
       description: Resource not found
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     validation_failed_simple:
       description: Validation failed
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     bad_request:
       description: Bad Request
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     internal_error:
       description: Internal Server Error
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     validation_failed:
       description: Validation failed
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     forbidden:
       description: Forbidden
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     requires_authentication:
       description: Requires authentication
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content: { }
     conflict:
       description: Conflict
-      headers:
-        X-Request-Id:
-          $ref: '#/components/headers/X-Request-Id'
       content:
         application/json:
           schema:
             $ref: '#/components/schemas/ErrorResponse'
-  headers:
-    X-Request-Id:
-      description: |
-        Unique identifier assigned to the request by the server and set on every
-        response. Useful for correlating client requests with server-side logs.
-      schema:
-        type: string
-        example: cot7r4n3l3vh3qj4qveg
   securitySchemes:
     BearerAuth:
       type: http

shared/relay/client/client.go

@@ -9,14 +9,12 @@ import (
 	"net/url"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	"github.com/netbirdio/netbird/shared/relay/client/dialer"
-	netErr "github.com/netbirdio/netbird/shared/relay/client/dialer/net"
 	"github.com/netbirdio/netbird/shared/relay/healthcheck"
 	"github.com/netbirdio/netbird/shared/relay/messages"
 )
@@ -174,19 +172,6 @@ type Client struct {
 	stateSubscription *PeersStateSubscription
 
 	mtu uint16
-
-	// transportFallback, when set, records datagram-too-large failures so a
-	// datagram-sized transport is avoided on subsequent connects. Shared via
-	// the manager.
-	transportFallback *transportFallback
-	// datagramFallbackTriggered guards a single fallback per connection so a
-	// burst of oversized datagrams triggers one reconnect, not many.
-	datagramFallbackTriggered atomic.Bool
-}
-
-// SetTransportFallback wires the shared datagram-transport fallback tracker.
-func (c *Client) SetTransportFallback(tf *transportFallback) {
-	c.transportFallback = tf
 }
 
 // NewClient creates a new client for the relay server. The client is not connected to the server until the Connect
@@ -376,13 +361,12 @@ func (c *Client) Close() error {
 }
 
 func (c *Client) connect(ctx context.Context) (*RelayAddr, error) {
-	mode := transportModeFromEnv()
-	dialers := c.getDialers(mode)
+	dialers := c.getDialers()
 
 	var conn net.Conn
 	if c.serverIP.IsValid() {
 		var err error
-		conn, err = c.dialRaceDirect(ctx, mode, dialers)
+		conn, err = c.dialRaceDirect(ctx, dialers)
 		if err != nil {
 			c.log.Infof("dial via server IP %s failed, falling back to FQDN: %v", c.serverIP, err)
 			conn = nil
@@ -391,9 +375,6 @@ func (c *Client) connect(ctx context.Context) (*RelayAddr, error) {
 
 	if conn == nil {
 		rd := dialer.NewRaceDial(c.log, dialer.DefaultConnectionTimeout, c.connectionURL, dialers...)
-		if mode.sequential() {
-			rd.WithSequential()
-		}
 		var err error
 		conn, err = rd.Dial(ctx)
 		if err != nil {
@@ -401,7 +382,6 @@ func (c *Client) connect(ctx context.Context) (*RelayAddr, error) {
 		}
 	}
 	c.relayConn = conn
-	c.datagramFallbackTriggered.Store(false)
 
 	instanceURL, err := c.handShake(ctx)
 	if err != nil {
@@ -416,7 +396,7 @@ func (c *Client) connect(ctx context.Context) (*RelayAddr, error) {
 }
 
 // dialRaceDirect dials c.serverIP, preserving the original FQDN as the TLS ServerName for SNI.
-func (c *Client) dialRaceDirect(ctx context.Context, mode TransportMode, dialers []dialer.DialeFn) (net.Conn, error) {
+func (c *Client) dialRaceDirect(ctx context.Context, dialers []dialer.DialeFn) (net.Conn, error) {
 	directURL, serverName, err := substituteHost(c.connectionURL, c.serverIP)
 	if err != nil {
 		return nil, fmt.Errorf("substitute host: %w", err)
@@ -426,9 +406,6 @@ func (c *Client) dialRaceDirect(ctx context.Context, mode TransportMode, dialers
 
 	rd := dialer.NewRaceDial(c.log, dialer.DefaultConnectionTimeout, directURL, dialers...).
 		WithServerName(serverName)
-	if mode.sequential() {
-		rd.WithSequential()
-	}
 	return rd.Dial(ctx)
 }
 
@@ -654,53 +631,13 @@ func (c *Client) writeTo(containerRef *connContainer, dstID messages.PeerID, pay
 	}
 
 	// the write always return with 0 length because the underling does not support the size feedback.
-	conn := c.relayConn
-	_, err = conn.Write(msg)
+	_, err = c.relayConn.Write(msg)
 	if err != nil {
-		if errors.Is(err, netErr.ErrDatagramTooLarge) {
-			c.onDatagramTooLarge(conn, err)
-		} else {
-			c.log.Errorf("failed to write transport message: %s", err)
-		}
+		c.log.Errorf("failed to write transport message: %s", err)
 	}
 	return len(payload), err
 }
 
-// onDatagramTooLarge reacts to a datagram rejected as too large for the path.
-// When a non-datagram transport is available, it records a fallback for this
-// server and closes the connection so the reconnect avoids datagram-sized
-// transports. A single fallback is triggered per connection regardless of how
-// many oversized datagrams arrive. cause carries the datagram size and budget.
-func (c *Client) onDatagramTooLarge(conn net.Conn, cause error) {
-	// Handle one oversized datagram per connection; a burst triggers a single
-	// fallback (and a single log line), not many.
-	if !c.datagramFallbackTriggered.CompareAndSwap(false, true) {
-		return
-	}
-
-	// If the selected mode offers no non-datagram transport (e.g. pinned to a
-	// datagram-sized transport), reconnecting would just re-fail, so leave the
-	// connection up rather than loop.
-	if len(nonDatagramSized(c.baseDialers(transportModeFromEnv()))) == 0 {
-		c.log.Warnf("%s, but no non-datagram transport is available, not falling back", cause)
-		return
-	}
-
-	// Without the shared tracker a reconnect would just select the same
-	// transport again and re-fail, so leave the connection up rather than loop.
-	if c.transportFallback == nil {
-		c.log.Debugf("%s, but no transport fallback configured, leaving connection up", cause)
-		return
-	}
-
-	window := c.transportFallback.recordFailure(c.connectionURL)
-	c.log.Warnf("%s, avoiding datagram-sized transport for %s", cause, window)
-
-	if err := conn.Close(); err != nil {
-		c.log.Debugf("close relay connection for transport fallback: %s", err)
-	}
-}
-
 func (c *Client) listenForStopEvents(ctx context.Context, hc *healthcheck.Receiver, conn net.Conn, internalStopFlag *internalStopFlag) {
 	for {
 		select {

shared/relay/client/dialer/capability.go

@@ -1,18 +0,0 @@
-package dialer
-
-// DatagramSized is implemented by dialers whose connections carry each write in
-// a single datagram, so a write can be rejected when it exceeds the path's
-// datagram budget (e.g. QUIC). Transports without this capability (e.g.
-// WebSocket over TCP) impose no per-write size limit, so the relay client can
-// fall back to them when a datagram-sized transport rejects a write as too
-// large. The capability is advertised per dialer rather than hardcoded, so a
-// new transport only needs to declare whether it is datagram-sized.
-type DatagramSized interface {
-	DatagramSized()
-}
-
-// IsDatagramSized reports whether d produces datagram-sized connections.
-func IsDatagramSized(d DialeFn) bool {
-	_, ok := d.(DatagramSized)
-	return ok
-}

shared/relay/client/dialer/net/err.go

@@ -4,9 +4,4 @@ import "errors"
 
 var (
 	ErrClosedByServer = errors.New("closed by server")
-
-	// ErrDatagramTooLarge is returned when a transport message exceeds the
-	// QUIC datagram size the path to the relay can carry. The relay client
-	// treats it as a signal to fall back to a non-datagram transport.
-	ErrDatagramTooLarge = errors.New("datagram frame too large")
 )

shared/relay/client/dialer/quic/conn.go

@@ -8,6 +8,7 @@ import (
 	"time"
 
 	"github.com/quic-go/quic-go"
+	log "github.com/sirupsen/logrus"
 
 	netErr "github.com/netbirdio/netbird/shared/relay/client/dialer/net"
 )
@@ -51,8 +52,11 @@ func (c *Conn) Read(b []byte) (n int, err error) {
 }
 
 func (c *Conn) Write(b []byte) (int, error) {
-	if err := c.session.SendDatagram(b); err != nil {
-		return 0, c.writeErrHandling(err, len(b))
+	err := c.session.SendDatagram(b)
+	if err != nil {
+		err = c.remoteCloseErrHandling(err)
+		log.Errorf("failed to write to QUIC stream: %v", err)
+		return 0, err
 	}
 	return len(b), nil
 }
@@ -91,15 +95,3 @@ func (c *Conn) remoteCloseErrHandling(err error) error {
 	}
 	return err
 }
-
-// writeErrHandling normalizes SendDatagram errors. A datagram that exceeds the
-// path's QUIC packet budget is mapped to ErrDatagramTooLarge (annotated with the
-// datagram size and path budget) so the relay client can fall back to a
-// non-datagram transport.
-func (c *Conn) writeErrHandling(err error, size int) error {
-	var tooLarge *quic.DatagramTooLargeError
-	if errors.As(err, &tooLarge) {
-		return fmt.Errorf("%w: %d byte datagram over path budget %d", netErr.ErrDatagramTooLarge, size, tooLarge.MaxDatagramPayloadSize)
-	}
-	return c.remoteCloseErrHandling(err)
-}

shared/relay/client/dialer/quic/quic.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/quic-go/quic-go"
-	"github.com/quic-go/quic-go/logging"
 	log "github.com/sirupsen/logrus"
 
 	nbnet "github.com/netbirdio/netbird/client/net"
@@ -24,12 +23,6 @@ func (d Dialer) Protocol() string {
 	return Network
 }
 
-// DatagramSized marks QUIC as a datagram-sized transport: relay traffic is
-// carried in QUIC DATAGRAM frames, which must fit a single packet.
-func (d Dialer) DatagramSized() {
-	// Intentional marker method; presence is the capability signal.
-}
-
 func (d Dialer) Dial(ctx context.Context, address, serverName string) (net.Conn, error) {
 	quicURL, err := prepareURL(address)
 	if err != nil {
@@ -54,7 +47,6 @@ func (d Dialer) Dial(ctx context.Context, address, serverName string) (net.Conn,
 		MaxIdleTimeout:    4 * time.Minute,
 		EnableDatagrams:   true,
 		InitialPacketSize: nbRelay.QUICInitialPacketSize,
-		Tracer:            connectionTracer(quicURL),
 	}
 
 	udpConn, err := nbnet.ListenUDP("udp", &net.UDPAddr{Port: 0})
@@ -82,28 +74,6 @@ func (d Dialer) Dial(ctx context.Context, address, serverName string) (net.Conn,
 	return conn, nil
 }
 
-// connectionTracer returns a QUIC tracer that logs the DPLPMTUD result and the
-// reason a relay connection closed, so the path MTU settled on and teardown
-// cause are visible in logs. Lines carry the relay address as a structured
-// field, matching the rest of the relay client logging.
-func connectionTracer(addr string) func(context.Context, logging.Perspective, quic.ConnectionID) *logging.ConnectionTracer {
-	relayLog := log.WithField("relay", addr)
-	return func(context.Context, logging.Perspective, quic.ConnectionID) *logging.ConnectionTracer {
-		return &logging.ConnectionTracer{
-			UpdatedMTU: func(mtu logging.ByteCount, done bool) {
-				if done {
-					relayLog.Infof("QUIC path MTU settled at %d", mtu)
-					return
-				}
-				relayLog.Debugf("QUIC path MTU probing at %d", mtu)
-			},
-			ClosedConnection: func(err error) {
-				relayLog.Debugf("QUIC connection closed: %v", err)
-			},
-		}
-	}
-}
-
 func prepareURL(address string) (string, error) {
 	var host string
 	var defaultPort string

shared/relay/client/dialer/race_dialer.go

@@ -32,7 +32,6 @@ type RaceDial struct {
 	serverName        string
 	dialerFns         []DialeFn
 	connectionTimeout time.Duration
-	sequential        bool
 }
 
 func NewRaceDial(log *log.Entry, connectionTimeout time.Duration, serverURL string, dialerFns ...DialeFn) *RaceDial {
@@ -54,21 +53,7 @@ func (r *RaceDial) WithServerName(serverName string) *RaceDial {
 	return r
 }
 
-// WithSequential makes Dial try the dialers in order, falling back to the next
-// only when one fails to connect, instead of racing them concurrently.
-//
-// Mutates the receiver and is not safe for concurrent reconfiguration; a
-// RaceDial is intended to be constructed per dial and discarded.
-func (r *RaceDial) WithSequential() *RaceDial {
-	r.sequential = true
-	return r
-}
-
 func (r *RaceDial) Dial(ctx context.Context) (net.Conn, error) {
-	if r.sequential {
-		return r.dialSequential(ctx)
-	}
-
 	connChan := make(chan dialResult, len(r.dialerFns))
 	winnerConn := make(chan net.Conn, 1)
 	abortCtx, abort := context.WithCancel(ctx)
@@ -87,30 +72,6 @@ func (r *RaceDial) Dial(ctx context.Context) (net.Conn, error) {
 	return conn, nil
 }
 
-// dialSequential tries each dialer in order, returning the first connection and
-// falling back to the next on failure.
-func (r *RaceDial) dialSequential(ctx context.Context) (net.Conn, error) {
-	for _, dfn := range r.dialerFns {
-		if err := ctx.Err(); err != nil {
-			return nil, err
-		}
-		attemptCtx, cancel := context.WithTimeout(ctx, r.connectionTimeout)
-		r.log.Infof("dialing Relay server via %s", dfn.Protocol())
-		conn, err := dfn.Dial(attemptCtx, r.serverURL, r.serverName)
-		cancel()
-		if err != nil {
-			if errors.Is(err, context.Canceled) {
-				return nil, err
-			}
-			r.log.Errorf("failed to dial via %s: %s", dfn.Protocol(), err)
-			continue
-		}
-		r.log.Infof("successfully dialed via: %s", dfn.Protocol())
-		return conn, nil
-	}
-	return nil, errors.New("failed to dial to Relay server on any protocol")
-}
-
 func (r *RaceDial) dial(dfn DialeFn, abortCtx context.Context, connChan chan dialResult) {
 	ctx, cancel := context.WithTimeout(abortCtx, r.connectionTimeout)
 	defer cancel()

shared/relay/client/dialer/race_dialer_test.go

@@ -250,66 +250,3 @@ func TestRaceDialFirstSuccessfulDialerWins(t *testing.T) {
 		}
 	}
 }
-
-func TestRaceDialSequentialFallback(t *testing.T) {
-	logger := logrus.NewEntry(logrus.New())
-	serverURL := "test.server.com"
-
-	var firstDialed, secondDialed bool
-	preferred := &MockDialer{
-		protocolStr: "quic",
-		dialFunc: func(ctx context.Context, address string) (net.Conn, error) {
-			firstDialed = true
-			return nil, errors.New("quic unreachable")
-		},
-	}
-	fallbackConn := &MockConn{remoteAddr: &MockAddr{network: "ws"}}
-	fallback := &MockDialer{
-		protocolStr: "ws",
-		dialFunc: func(ctx context.Context, address string) (net.Conn, error) {
-			secondDialed = true
-			return fallbackConn, nil
-		},
-	}
-
-	rd := NewRaceDial(logger, DefaultConnectionTimeout, serverURL, preferred, fallback).WithSequential()
-	conn, err := rd.Dial(context.Background())
-	if err != nil {
-		t.Fatalf("expected fallback to succeed, got %v", err)
-	}
-	if conn != fallbackConn {
-		t.Errorf("expected fallback connection, got %v", conn)
-	}
-	if !firstDialed || !secondDialed {
-		t.Errorf("expected both dialers attempted in order, first=%v second=%v", firstDialed, secondDialed)
-	}
-}
-
-func TestRaceDialSequentialPreferredWins(t *testing.T) {
-	logger := logrus.NewEntry(logrus.New())
-	serverURL := "test.server.com"
-
-	preferredConn := &MockConn{remoteAddr: &MockAddr{network: "quic"}}
-	preferred := &MockDialer{
-		protocolStr: "quic",
-		dialFunc: func(ctx context.Context, address string) (net.Conn, error) {
-			return preferredConn, nil
-		},
-	}
-	fallback := &MockDialer{
-		protocolStr: "ws",
-		dialFunc: func(ctx context.Context, address string) (net.Conn, error) {
-			t.Errorf("fallback dialer must not be tried when preferred succeeds")
-			return nil, errors.New("should not happen")
-		},
-	}
-
-	rd := NewRaceDial(logger, DefaultConnectionTimeout, serverURL, preferred, fallback).WithSequential()
-	conn, err := rd.Dial(context.Background())
-	if err != nil {
-		t.Fatalf("expected preferred to succeed, got %v", err)
-	}
-	if conn != preferredConn {
-		t.Errorf("expected preferred connection, got %v", conn)
-	}
-}

shared/relay/client/dialers_generic.go

@@ -9,42 +9,11 @@ import (
 	"github.com/netbirdio/netbird/shared/relay/client/dialer/ws"
 )
 
-// getDialers returns the ordered dialers for connecting to the relay server. It
-// applies the datagram fallback generically: if this server recently rejected a
-// datagram-sized transport, those dialers are dropped, leaving the rest.
-func (c *Client) getDialers(mode TransportMode) []dialer.DialeFn {
-	dialers := c.baseDialers(mode)
-
-	if c.transportFallback != nil && c.transportFallback.avoidDatagramSized(c.connectionURL) {
-		if filtered := nonDatagramSized(dialers); len(filtered) > 0 {
-			c.log.Infof("relay recently rejected a datagram-sized transport, avoiding it")
-			return filtered
-		}
-	}
-	return dialers
-}
-
-// baseDialers returns the ordered dialers for the mode, before any datagram
-// fallback filtering. For racing modes (auto) the order is irrelevant; for
-// prefer modes the first entry is tried before falling back to the second.
-func (c *Client) baseDialers(mode TransportMode) []dialer.DialeFn {
-	switch mode {
-	case TransportModeWS:
-		c.log.Infof("%s=ws, using WebSocket transport", EnvRelayTransport)
-		return []dialer.DialeFn{ws.Dialer{}}
-	case TransportModeQUIC:
-		c.log.Infof("%s=quic, using QUIC transport", EnvRelayTransport)
-		return []dialer.DialeFn{quic.Dialer{}}
-	}
-
-	all := []dialer.DialeFn{quic.Dialer{}, ws.Dialer{}}
-	if mode == TransportModePreferWS {
-		all = []dialer.DialeFn{ws.Dialer{}, quic.Dialer{}}
-	}
-
+// getDialers returns the list of dialers to use for connecting to the relay server.
+func (c *Client) getDialers() []dialer.DialeFn {
 	if c.mtu > 0 && c.mtu > iface.DefaultMTU {
-		c.log.Infof("MTU %d exceeds default (%d), avoiding datagram-sized transports", c.mtu, iface.DefaultMTU)
-		return nonDatagramSized(all)
+		c.log.Infof("MTU %d exceeds default (%d), forcing WebSocket transport to avoid DATAGRAM frame size issues", c.mtu, iface.DefaultMTU)
+		return []dialer.DialeFn{ws.Dialer{}}
 	}
-	return all
+	return []dialer.DialeFn{quic.Dialer{}, ws.Dialer{}}
 }

shared/relay/client/dialers_generic_test.go

@@ -1,101 +0,0 @@
-//go:build !js
-
-package client
-
-import (
-	"os"
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/shared/relay/client/dialer"
-	netErr "github.com/netbirdio/netbird/shared/relay/client/dialer/net"
-	"github.com/netbirdio/netbird/shared/relay/client/dialer/quic"
-	"github.com/netbirdio/netbird/shared/relay/client/dialer/ws"
-)
-
-// TestDatagramSizedCapability locks the capability the generic fallback relies
-// on: QUIC is datagram-sized, WebSocket is not.
-func TestDatagramSizedCapability(t *testing.T) {
-	assert.True(t, dialer.IsDatagramSized(quic.Dialer{}), "QUIC must advertise datagram-sized")
-	assert.False(t, dialer.IsDatagramSized(ws.Dialer{}), "WebSocket must not advertise datagram-sized")
-}
-
-func protocols(dialers []dialer.DialeFn) []string {
-	out := make([]string, len(dialers))
-	for i, d := range dialers {
-		out[i] = d.Protocol()
-	}
-	return out
-}
-
-func TestGetDialers(t *testing.T) {
-	const url = "rels://relay.example:443"
-
-	tests := []struct {
-		name     string
-		mode     string
-		mtu      uint16
-		preferWS bool
-		want     []string
-	}{
-		{name: "auto races quic and ws", mode: "auto", mtu: iface.DefaultMTU, want: []string{"quic", "WS"}},
-		{name: "ws pinned", mode: "ws", mtu: iface.DefaultMTU, want: []string{"WS"}},
-		{name: "quic pinned", mode: "quic", mtu: iface.DefaultMTU, want: []string{"quic"}},
-		{name: "prefer-quic orders quic first", mode: "prefer-quic", mtu: iface.DefaultMTU, want: []string{"quic", "WS"}},
-		{name: "prefer-ws orders ws first", mode: "prefer-ws", mtu: iface.DefaultMTU, want: []string{"WS", "quic"}},
-		{name: "mtu above default forces ws", mode: "auto", mtu: iface.DefaultMTU + 100, want: []string{"WS"}},
-		{name: "sticky fallback forces ws in auto", mode: "auto", mtu: iface.DefaultMTU, preferWS: true, want: []string{"WS"}},
-		{name: "sticky fallback forces ws in prefer-quic", mode: "prefer-quic", mtu: iface.DefaultMTU, preferWS: true, want: []string{"WS"}},
-		{name: "quic pin overrides sticky fallback", mode: "quic", mtu: iface.DefaultMTU, preferWS: true, want: []string{"quic"}},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Setenv(EnvRelayTransport, tc.mode)
-			if tc.mode == "" {
-				os.Unsetenv(EnvRelayTransport)
-			}
-
-			tf := newTransportFallback()
-			if tc.preferWS {
-				tf.recordFailure(url)
-			}
-
-			c := &Client{
-				log:               log.WithField("test", t.Name()),
-				connectionURL:     url,
-				mtu:               tc.mtu,
-				transportFallback: tf,
-			}
-
-			assert.Equal(t, tc.want, protocols(c.getDialers(transportModeFromEnv())))
-		})
-	}
-}
-
-// TestStickyFallbackAfterDatagramTooLarge verifies the full chain: an oversized
-// datagram records a fallback that makes the next dial pick WebSocket, the way a
-// reconnect would after the connection is closed.
-func TestStickyFallbackAfterDatagramTooLarge(t *testing.T) {
-	const url = "rels://relay.example:443"
-	t.Setenv(EnvRelayTransport, string(TransportModeAuto))
-
-	c := &Client{
-		log:               log.WithField("test", t.Name()),
-		connectionURL:     url,
-		mtu:               iface.DefaultMTU,
-		transportFallback: newTransportFallback(),
-	}
-
-	// First dial races both transports.
-	assert.Equal(t, []string{"quic", "WS"}, protocols(c.getDialers(transportModeFromEnv())))
-
-	// An oversized datagram records the fallback for this server.
-	c.onDatagramTooLarge(&closeTrackingConn{}, netErr.ErrDatagramTooLarge)
-
-	// The reconnect now sticks to WebSocket.
-	assert.Equal(t, []string{"WS"}, protocols(c.getDialers(transportModeFromEnv())))
-}

shared/relay/client/dialers_js.go

@@ -7,11 +7,7 @@ import (
 	"github.com/netbirdio/netbird/shared/relay/client/dialer/ws"
 )
 
-func (c *Client) getDialers(_ TransportMode) []dialer.DialeFn {
+func (c *Client) getDialers() []dialer.DialeFn {
 	// JS/WASM build only uses WebSocket transport
 	return []dialer.DialeFn{ws.Dialer{}}
 }
-
-func (c *Client) baseDialers(_ TransportMode) []dialer.DialeFn {
-	return []dialer.DialeFn{ws.Dialer{}}
-}

shared/relay/client/manager.go

@@ -79,30 +79,23 @@ type Manager struct {
 
 	cleanupInterval      time.Duration
 	keepUnusedServerTime time.Duration
-
-	// transportFallback is shared across home and foreign relay clients so a
-	// datagram-too-large failure makes that server avoid datagram-sized transports across reconnects.
-	transportFallback *transportFallback
 }
 
 // NewManager creates a new manager instance.
 // The serverURL address can be empty. In this case, the manager will not serve.
 func NewManager(ctx context.Context, serverURLs []string, peerID string, mtu uint16, opts ...ManagerOption) *Manager {
 	tokenStore := &relayAuth.TokenStore{}
-	tf := newTransportFallback()
 
 	m := &Manager{
-		ctx:               ctx,
-		peerID:            peerID,
-		tokenStore:        tokenStore,
-		mtu:               mtu,
-		transportFallback: tf,
+		ctx:        ctx,
+		peerID:     peerID,
+		tokenStore: tokenStore,
+		mtu:        mtu,
 		serverPicker: &ServerPicker{
 			TokenStore:        tokenStore,
 			PeerID:            peerID,
 			MTU:               mtu,
 			ConnectionTimeout: defaultConnectionTimeout,
-			TransportFallback: tf,
 		},
 		relayClients:            make(map[string]*RelayTrack),
 		onDisconnectedListeners: make(map[string]*list.List),
@@ -294,7 +287,6 @@ func (m *Manager) openConnVia(ctx context.Context, serverAddress, peerKey string
 	m.relayClientsMutex.Unlock()
 
 	relayClient := NewClientWithServerIP(serverAddress, serverIP, m.tokenStore, m.peerID, m.mtu)
-	relayClient.SetTransportFallback(m.transportFallback)
 	err := relayClient.Connect(m.ctx)
 	if err != nil {
 		rt.err = err

shared/relay/client/picker.go

@@ -29,7 +29,6 @@ type ServerPicker struct {
 	PeerID            string
 	MTU               uint16
 	ConnectionTimeout time.Duration
-	TransportFallback *transportFallback
 }
 
 func (sp *ServerPicker) PickServer(parentCtx context.Context) (*Client, error) {
@@ -71,7 +70,6 @@ func (sp *ServerPicker) PickServer(parentCtx context.Context) (*Client, error) {
 func (sp *ServerPicker) startConnection(ctx context.Context, resultChan chan connResult, url string) {
 	log.Infof("try to connecting to relay server: %s", url)
 	relayClient := NewClient(url, sp.TokenStore, sp.PeerID, sp.MTU)
-	relayClient.SetTransportFallback(sp.TransportFallback)
 	err := relayClient.Connect(ctx)
 	resultChan <- connResult{
 		RelayClient: relayClient,

shared/relay/client/transport.go

@@ -1,129 +0,0 @@
-package client
-
-import (
-	"os"
-	"strings"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/shared/relay/client/dialer"
-)
-
-// EnvRelayTransport pins the relay transport. Valid values: "auto" (default,
-// race QUIC and WebSocket), "quic" (QUIC only), "ws" (WebSocket only),
-// "prefer-quic" / "prefer-ws" (try the preferred transport first, fall back to
-// the other only if it fails to connect; no race). The prefer modes trade a
-// slower connect when the preferred transport is blackholed for deterministic
-// transport selection.
-const EnvRelayTransport = "NB_RELAY_TRANSPORT"
-
-const (
-	// transportFallbackBase is the initial window a relay server avoids
-	// datagram-sized transports after a datagram is rejected as too large.
-	transportFallbackBase = 10 * time.Minute
-	// transportFallbackMax caps the pinned window when failures repeat.
-	transportFallbackMax = 60 * time.Minute
-)
-
-// TransportMode selects which relay dialers are used.
-type TransportMode string
-
-const (
-	TransportModeAuto       TransportMode = "auto"
-	TransportModeQUIC       TransportMode = "quic"
-	TransportModeWS         TransportMode = "ws"
-	TransportModePreferQUIC TransportMode = "prefer-quic"
-	TransportModePreferWS   TransportMode = "prefer-ws"
-)
-
-// transportModeFromEnv reads EnvRelayTransport, defaulting to auto for an empty
-// or unrecognized value.
-func transportModeFromEnv() TransportMode {
-	switch TransportMode(strings.ToLower(strings.TrimSpace(os.Getenv(EnvRelayTransport)))) {
-	case "", TransportModeAuto:
-		return TransportModeAuto
-	case TransportModeQUIC:
-		return TransportModeQUIC
-	case TransportModeWS:
-		return TransportModeWS
-	case TransportModePreferQUIC:
-		return TransportModePreferQUIC
-	case TransportModePreferWS:
-		return TransportModePreferWS
-	default:
-		log.Warnf("invalid %s value %q, using %q", EnvRelayTransport, os.Getenv(EnvRelayTransport), TransportModeAuto)
-		return TransportModeAuto
-	}
-}
-
-// sequential reports whether the mode tries dialers in order with fallback
-// instead of racing them concurrently.
-func (m TransportMode) sequential() bool {
-	return m == TransportModePreferQUIC || m == TransportModePreferWS
-}
-
-// transportFallback tracks relay servers that have rejected a datagram-sized
-// transport (a write too large for the path) and should temporarily avoid such
-// transports. It is shared across the relay manager so the preference survives
-// client recreation (foreign relay clients are evicted and rebuilt on
-// disconnect). Entries are keyed by server URL and expire after a window that
-// grows on repeated failures.
-type transportFallback struct {
-	mu      sync.Mutex
-	entries map[string]*fallbackEntry
-}
-
-type fallbackEntry struct {
-	until    time.Time
-	duration time.Duration
-}
-
-func newTransportFallback() *transportFallback {
-	return &transportFallback{entries: make(map[string]*fallbackEntry)}
-}
-
-// avoidDatagramSized reports whether serverURL is currently within a window
-// where datagram-sized transports should be avoided.
-func (f *transportFallback) avoidDatagramSized(serverURL string) bool {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-	e := f.entries[serverURL]
-	return e != nil && time.Now().Before(e.until)
-}
-
-// recordFailure makes serverURL avoid datagram-sized transports for a window:
-// transportFallbackBase on the first failure, doubling up to transportFallbackMax
-// when a datagram transport fails again after a previous window expired. It
-// returns the active window duration.
-func (f *transportFallback) recordFailure(serverURL string) time.Duration {
-	f.mu.Lock()
-	defer f.mu.Unlock()
-
-	now := time.Now()
-	e := f.entries[serverURL]
-	switch {
-	case e == nil:
-		e = &fallbackEntry{duration: transportFallbackBase}
-		f.entries[serverURL] = e
-	case now.Before(e.until):
-		return time.Until(e.until)
-	default:
-		e.duration = min(e.duration*2, transportFallbackMax)
-	}
-	e.until = now.Add(e.duration)
-	return e.duration
-}
-
-// nonDatagramSized returns the dialers from in that are not datagram-sized,
-// preserving order.
-func nonDatagramSized(in []dialer.DialeFn) []dialer.DialeFn {
-	out := make([]dialer.DialeFn, 0, len(in))
-	for _, d := range in {
-		if !dialer.IsDatagramSized(d) {
-			out = append(out, d)
-		}
-	}
-	return out
-}

shared/relay/client/transport_test.go

@@ -1,140 +0,0 @@
-package client
-
-import (
-	"net"
-	"os"
-	"testing"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	netErr "github.com/netbirdio/netbird/shared/relay/client/dialer/net"
-)
-
-// closeTrackingConn records whether Close was called; only Close is exercised.
-type closeTrackingConn struct {
-	net.Conn
-	closed bool
-}
-
-func (c *closeTrackingConn) Close() error {
-	c.closed = true
-	return nil
-}
-
-func TestTransportModeFromEnv(t *testing.T) {
-	tests := []struct {
-		value string
-		want  TransportMode
-	}{
-		{"", TransportModeAuto},
-		{"auto", TransportModeAuto},
-		{"quic", TransportModeQUIC},
-		{"QUIC", TransportModeQUIC},
-		{"ws", TransportModeWS},
-		{" Ws ", TransportModeWS},
-		{"prefer-quic", TransportModePreferQUIC},
-		{"prefer-ws", TransportModePreferWS},
-		{"garbage", TransportModeAuto},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.value, func(t *testing.T) {
-			t.Setenv(EnvRelayTransport, tc.value)
-			if tc.value == "" {
-				os.Unsetenv(EnvRelayTransport)
-			}
-			assert.Equal(t, tc.want, transportModeFromEnv())
-		})
-	}
-}
-
-func TestTransportFallbackRecordAndExpiry(t *testing.T) {
-	const url = "rels://relay.example:443"
-	f := newTransportFallback()
-
-	assert.False(t, f.avoidDatagramSized(url), "no fallback recorded yet")
-
-	d := f.recordFailure(url)
-	assert.Equal(t, transportFallbackBase, d, "first failure pins for the base window")
-	assert.True(t, f.avoidDatagramSized(url), "datagram-sized transport avoided within the window")
-
-	// A second failure while still inside the window must not grow the window.
-	d = f.recordFailure(url)
-	assert.LessOrEqual(t, d, transportFallbackBase, "still within the active window")
-	require.NotNil(t, f.entries[url])
-	assert.Equal(t, transportFallbackBase, f.entries[url].duration, "duration unchanged inside window")
-
-	// Expire the window: datagram-sized transport allowed again.
-	f.entries[url].until = time.Now().Add(-time.Second)
-	assert.False(t, f.avoidDatagramSized(url), "window expired, datagram-sized transport allowed")
-}
-
-func TestTransportFallbackGrowsOnRepeat(t *testing.T) {
-	const url = "rels://relay.example:443"
-	f := newTransportFallback()
-
-	want := transportFallbackBase
-	for i := range 6 {
-		d := f.recordFailure(url)
-		assert.Equal(t, want, d, "window after %d expiries", i)
-
-		// expire the window so the next failure is treated as a repeat
-		f.entries[url].until = time.Now().Add(-time.Second)
-
-		want = min(want*2, transportFallbackMax)
-	}
-
-	assert.Equal(t, transportFallbackMax, f.entries[url].duration, "window caps at the max")
-}
-
-func TestOnDatagramTooLargeAuto(t *testing.T) {
-	const url = "rels://relay.example:443"
-	t.Setenv(EnvRelayTransport, string(TransportModeAuto))
-
-	tf := newTransportFallback()
-	c := &Client{
-		log:               log.WithField("test", t.Name()),
-		connectionURL:     url,
-		transportFallback: tf,
-	}
-	conn := &closeTrackingConn{}
-
-	c.onDatagramTooLarge(conn, netErr.ErrDatagramTooLarge)
-
-	assert.True(t, conn.closed, "connection closed to force reconnect")
-	assert.True(t, tf.avoidDatagramSized(url), "fallback recorded for the server")
-
-	// A second oversized datagram on the same connection must not re-close.
-	conn.closed = false
-	c.onDatagramTooLarge(conn, netErr.ErrDatagramTooLarge)
-	assert.False(t, conn.closed, "single fallback per connection")
-}
-
-func TestOnDatagramTooLargeQUICPinned(t *testing.T) {
-	const url = "rels://relay.example:443"
-	t.Setenv(EnvRelayTransport, string(TransportModeQUIC))
-
-	tf := newTransportFallback()
-	c := &Client{
-		log:               log.WithField("test", t.Name()),
-		connectionURL:     url,
-		transportFallback: tf,
-	}
-	conn := &closeTrackingConn{}
-
-	c.onDatagramTooLarge(conn, netErr.ErrDatagramTooLarge)
-
-	assert.False(t, conn.closed, "QUIC pin keeps the connection, no fallback redial")
-	assert.False(t, tf.avoidDatagramSized(url), "QUIC pin records no fallback")
-}
-
-func TestTransportFallbackPerServer(t *testing.T) {
-	f := newTransportFallback()
-	f.recordFailure("rels://a.example:443")
-
-	assert.True(t, f.avoidDatagramSized("rels://a.example:443"))
-	assert.False(t, f.avoidDatagramSized("rels://b.example:443"), "fallback is scoped to one server")
-}