Skip network map calculation when client serial matches current

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
Merge branch 'main' into feat/network-map-serial
2026-06-07 16:39:55 +00:00 · 2026-01-27 23:03:43 +03:00 · 2025-12-18 15:59:53 +01:00 · 2025-12-18 15:27:49 +01:00 · 2025-12-15 10:34:48 +01:00 · 2025-12-15 10:28:25 +01:00
264 changed files with 18556 additions and 4853 deletions
--- a/.githooks/pre-push
+++ b/.githooks/pre-push
@@ -0,0 +1,11 @@
 #!/bin/bash
 echo "Running pre-push hook..."
 if ! make lint; then
    echo ""
    echo "Hint: To push without verification, run:"
    echo "  git push --no-verify"
    exit 1
 fi
 echo "All checks passed!"
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -3,40 +3,108 @@ name: Check License Dependencies
 on:
  push:
    branches: [ main ]
    paths:
      - 'go.mod'
      - 'go.sum'
      - '.github/workflows/check-license-dependencies.yml'
  pull_request:
    paths:
      - 'go.mod'
      - 'go.sum'
      - '.github/workflows/check-license-dependencies.yml'
 jobs:
-  check-dependencies:
+  check-internal-dependencies:
    name: Check Internal AGPL Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Check for problematic license dependencies
        run: |
          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
          echo ""
          # Find all directories except the problematic ones and system dirs
          FOUND_ISSUES=0
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
              FOUND_ISSUES=1
            else
              echo "✓ No problematic dependencies found"
            fi
          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
            exit 1
          else
            echo ""
            echo "✅ All internal license dependencies are clean"
          fi
  check-external-licenses:
    name: Check External GPL/AGPL Licenses
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
-    - name: Check for problematic license dependencies
+    - name: Set up Go
      uses: actions/setup-go@v5
      with:
        go-version-file: 'go.mod'
        cache: true
    - name: Install go-licenses
      run: go install github.com/google/go-licenses@v1.6.0
    - name: Check for GPL/AGPL licensed dependencies
      run: |
-        echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+        echo "Checking for GPL/AGPL/LGPL licensed dependencies..."
        echo ""
-        # Find all directories except the problematic ones and system dirs
+        # Check all Go packages for copyleft licenses, excluding internal netbird packages
-        FOUND_ISSUES=0
+        COPYLEFT_DEPS=$(go-licenses report ./... 2>/dev/null | grep -E 'GPL|AGPL|LGPL' | grep -v 'github.com/netbirdio/netbird/' || true)
-        while IFS= read -r dir; do
+
-          echo "=== Checking $dir ==="
+        if [ -n "$COPYLEFT_DEPS" ]; then
-          # Search for problematic imports, excluding test files
+          echo "Found copyleft licensed dependencies:"
-          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+          echo "$COPYLEFT_DEPS"
-          if [ -n "$RESULTS" ]; then
+          echo ""
-            echo "❌ Found problematic dependencies:"
+
-            echo "$RESULTS"
+          # Filter out dependencies that are only pulled in by internal AGPL packages
-            FOUND_ISSUES=1
+          INCOMPATIBLE=""
-          else
+          while IFS=',' read -r package url license; do
-            echo "✓ No problematic dependencies found"
+            if echo "$license" | grep -qE 'GPL-[0-9]|AGPL-[0-9]|LGPL-[0-9]'; then
              # Find ALL packages that import this GPL package using go list
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
              # Check if any importer is NOT in management/signal/relay
              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
                INCOMPATIBLE="${INCOMPATIBLE}${package},${url},${license}\n"
              else
                echo "✓ $package ($license) is only used by internal AGPL packages - OK"
              fi
            fi
          done <<< "$COPYLEFT_DEPS"
          if [ -n "$INCOMPATIBLE" ]; then
            echo ""
            echo "❌ INCOMPATIBLE licenses found that are used by BSD-licensed code:"
            echo -e "$INCOMPATIBLE"
            exit 1
          fi
        done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
        echo ""
        if [ $FOUND_ISSUES -eq 1 ]; then
          echo "❌ Found dependencies on management/, signal/, or relay/ packages"
          echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
          exit 1
        else
          echo "✅ All license dependencies are clean"
        fi
        echo "✅ All external license dependencies are compatible with BSD-3-Clause"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -15,13 +15,14 @@ jobs:
    name: "Client / Unit"
    runs-on: macos-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Cache Go modules
        uses: actions/cache@v4
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -25,7 +25,7 @@ jobs:
          release: "14.2"
          prepare: |
            pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.23.12.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.24.10.freebsd-amd64.tar.gz"
            GO_URL="https://go.dev/dl/$GO_TARBALL"
            curl -vLO "$GO_URL"
            tar -C /usr/local -vxzf "$GO_TARBALL"            
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -30,7 +30,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Get Go environment
@@ -106,15 +106,15 @@ jobs:
        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -151,15 +151,15 @@ jobs:
    needs: [ build-cache ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        id: go-env
        run: |
@@ -200,7 +200,7 @@ jobs:
            -e GOCACHE=${CONTAINER_GOCACHE} \
            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
            -e CONTAINER=${CONTAINER} \
-            golang:1.23-alpine \
+            golang:1.24-alpine \
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
@@ -220,15 +220,15 @@ jobs:
            raceFlag: "-race"
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
@@ -270,15 +270,15 @@ jobs:
        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install dependencies
        if: steps.cache.outputs.cache-hit != 'true'
        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
@@ -321,15 +321,15 @@ jobs:
        store: [ 'sqlite', 'postgres', 'mysql' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -408,15 +408,16 @@ jobs:
            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
            -p 9090:9090 \
            prom/prometheus
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version: "1.23.x"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -497,15 +498,15 @@ jobs:
            -p 9090:9090 \
            prom/prometheus
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
@@ -561,15 +562,15 @@ jobs:
        store: [ 'sqlite', 'postgres']
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -24,7 +24,7 @@ jobs:
        uses: actions/setup-go@v5
        id: go
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Get Go environment
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -46,7 +46,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -20,7 +20,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
      - name: Setup Android SDK
        uses: android-actions/setup-android@v3
        with:
@@ -39,7 +39,7 @@ jobs:
      - name: Setup NDK
        run: /usr/local/lib/android/sdk/cmdline-tools/7.0/bin/sdkmanager --install "ndk;23.1.7779620"
      - name: install gomobile
-        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20251113184115-a159579294ab
      - name: gomobile init
        run: gomobile init
      - name: build android netbird lib
@@ -56,9 +56,9 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
      - name: install gomobile
-        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20251113184115-a159579294ab
      - name: gomobile init
        run: gomobile init
      - name: build iOS netbird lib
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ concurrency:
 jobs:
  release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest-m
    env:
      flags: ""
    steps:
@@ -40,7 +40,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23"
+          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -136,7 +136,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23"
+          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -200,7 +200,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23"
+          go-version-file: "go.mod"
          cache: false
      - name: Cache Go modules
        uses: actions/cache@v4
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -67,10 +67,13 @@ jobs:
      - name: Install curl
        run: sudo apt-get install -y curl
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
      - name: Cache Go modules
        uses: actions/cache@v4
@@ -80,9 +83,6 @@ jobs:
          restore-keys: |
            ${{ runner.os }}-go-
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup MySQL privileges
        if: matrix.store == 'mysql'
        run: |
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -20,7 +20,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: Install golangci-lint
@@ -45,7 +45,7 @@ jobs:
      - name: Install Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.23.x"
+          go-version-file: "go.mod"
      - name: Build Wasm client
        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
        env:
@@ -60,8 +60,8 @@ jobs:
          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-          if [ ${SIZE} -gt 52428800 ]; then
+          if [ ${SIZE} -gt 57671680 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 50MB limit!"
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
            exit 1
          fi
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -136,6 +136,14 @@ checked out and set up:
   go mod tidy
   ```
 6. Configure Git hooks for automatic linting:
   ```bash
   make setup-hooks
   ```
   This will configure Git to run linting automatically before each push, helping catch issues early.
 ### Dev Container Support
 If you prefer using a dev container for development, NetBird now includes support for dev containers. 
--- a/27
+++ b/27
@@ -0,0 +1,27 @@
 .PHONY: lint lint-all lint-install setup-hooks
 GOLANGCI_LINT := $(shell pwd)/bin/golangci-lint
 # Install golangci-lint locally if needed
 $(GOLANGCI_LINT):
 	@echo "Installing golangci-lint..."
 	@mkdir -p ./bin
 	@GOBIN=$(shell pwd)/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
 # Lint only changed files (fast, for pre-push)
 lint: $(GOLANGCI_LINT)
 	@echo "Running lint on changed files..."
 	@$(GOLANGCI_LINT) run --new-from-rev=origin/main --timeout=2m
 # Lint entire codebase (slow, matches CI)
 lint-all: $(GOLANGCI_LINT)
 	@echo "Running lint on all files..."
 	@$(GOLANGCI_LINT) run --timeout=12m
 # Just install the linter
 lint-install: $(GOLANGCI_LINT)
 # Setup git hooks for all developers
 setup-hooks:
 	@git config core.hooksPath .githooks
 	@chmod +x .githooks/pre-push
 	@echo "✅ Git hooks configured! Pre-push will now run 'make lint'"
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -4,10 +4,13 @@ package android
 import (
 	"context"
 	"fmt"
 	"os"
 	"slices"
 	"sync"
 	"golang.org/x/exp/maps"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/iface/device"
@@ -16,10 +19,13 @@ import (
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 // ConnectionListener export internal Listener for mobile
@@ -62,17 +68,18 @@ type Client struct {
 	deviceName            string
 	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
 	stateFile             string
 	connectClient *internal.ConnectClient
 }
 // NewClient instantiate a new Client
-func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
+func NewClient(platformFiles PlatformFiles, androidSDKVersion int, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
 	execWorkaround(androidSDKVersion)
 	net.SetAndroidProtectSocketFn(tunAdapter.ProtectSocket)
 	return &Client{
-		cfgFile:               cfgFile,
+		cfgFile:               platformFiles.ConfigurationFilePath(),
 		deviceName:            deviceName,
 		uiVersion:             uiVersion,
 		tunAdapter:            tunAdapter,
@@ -80,11 +87,12 @@ func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersi
 		recorder:              peer.NewRecorder(""),
 		ctxCancelLock:         &sync.Mutex{},
 		networkChangeListener: networkChangeListener,
 		stateFile:             platformFiles.StateFilePath(),
 	}
 }
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
+func (c *Client) Run(urlOpener URLOpener, isAndroidTV bool, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
 	exportEnvList(envList)
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
@@ -107,7 +115,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 	c.ctxCancelLock.Unlock()
 	auth := NewAuthWithConfig(ctx, cfg)
-	err = auth.login(urlOpener)
+	err = auth.login(urlOpener, isAndroidTV)
 	if err != nil {
 		return err
 	}
@@ -115,7 +123,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, c.stateFile)
 }
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -142,7 +150,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, c.stateFile)
 }
 // Stop the internal client and free the resources
@@ -156,6 +164,19 @@ func (c *Client) Stop() {
 	c.ctxCancel()
 }
 func (c *Client) RenewTun(fd int) error {
 	if c.connectClient == nil {
 		return fmt.Errorf("engine not running")
 	}
 	e := c.connectClient.Engine()
 	if e == nil {
 		return fmt.Errorf("engine not initialized")
 	}
 	return e.RenewTun(fd)
 }
 // SetTraceLogLevel configure the logger to trace level
 func (c *Client) SetTraceLogLevel() {
 	log.SetLevel(log.TraceLevel)
@@ -177,6 +198,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 			p.IP,
 			p.FQDN,
 			p.ConnStatus.String(),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
 	}
@@ -201,31 +223,43 @@ func (c *Client) Networks() *NetworkArray {
 		return nil
 	}
 	routeSelector := routeManager.GetRouteSelector()
 	if routeSelector == nil {
 		log.Error("could not get route selector")
 		return nil
 	}
 	networkArray := &NetworkArray{
 		items: make([]Network, 0),
 	}
 	resolvedDomains := c.recorder.GetResolvedDomainsStates()
 	for id, routes := range routeManager.GetClientRoutesWithNetID() {
 		if len(routes) == 0 {
 			continue
 		}
 		r := routes[0]
 		domains := c.getNetworkDomainsFromRoute(r, resolvedDomains)
 		netStr := r.Network.String()
 		if r.IsDynamic() {
 			netStr = r.Domains.SafeString()
 		}
-		peer, err := c.recorder.GetPeer(routes[0].Peer)
+		routePeer, err := c.recorder.GetPeer(routes[0].Peer)
 		if err != nil {
 			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
 			continue
 		}
 		network := Network{
-			Name:    string(id),
+			Name:       string(id),
-			Network: netStr,
+			Network:    netStr,
-			Peer:    peer.FQDN,
+			Peer:       routePeer.FQDN,
-			Status:  peer.ConnStatus.String(),
+			Status:     routePeer.ConnStatus.String(),
 			IsSelected: routeSelector.IsSelected(id),
 			Domains:    domains,
 		}
 		networkArray.Add(network)
 	}
@@ -253,6 +287,69 @@ func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
 func (c *Client) toggleRoute(command routeCommand) error {
 	return command.toggleRoute()
 }
 func (c *Client) getRouteManager() (routemanager.Manager, error) {
 	client := c.connectClient
 	if client == nil {
 		return nil, fmt.Errorf("not connected")
 	}
 	engine := client.Engine()
 	if engine == nil {
 		return nil, fmt.Errorf("engine is not running")
 	}
 	manager := engine.GetRouteManager()
 	if manager == nil {
 		return nil, fmt.Errorf("could not get route manager")
 	}
 	return manager, nil
 }
 func (c *Client) SelectRoute(route string) error {
 	manager, err := c.getRouteManager()
 	if err != nil {
 		return err
 	}
 	return c.toggleRoute(selectRouteCommand{route: route, manager: manager})
 }
 func (c *Client) DeselectRoute(route string) error {
 	manager, err := c.getRouteManager()
 	if err != nil {
 		return err
 	}
 	return c.toggleRoute(deselectRouteCommand{route: route, manager: manager})
 }
 // getNetworkDomainsFromRoute extracts domains from a route and enriches each domain
 // with its resolved IP addresses from the provided resolvedDomains map.
 func (c *Client) getNetworkDomainsFromRoute(route *route.Route, resolvedDomains map[domain.Domain]peer.ResolvedDomainInfo) NetworkDomains {
 	domains := NetworkDomains{}
 	for _, d := range route.Domains {
 		networkDomain := NetworkDomain{
 			Address: d.SafeString(),
 		}
 		if info, exists := resolvedDomains[d]; exists {
 			for _, prefix := range info.Prefixes {
 				networkDomain.addResolvedIP(prefix.Addr().String())
 			}
 		}
 		domains.Add(&networkDomain)
 	}
 	return domains
 }
 func exportEnvList(list *EnvList) {
 	if list == nil {
 		return
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -32,7 +32,7 @@ type ErrListener interface {
 // URLOpener it is a callback interface. The Open function will be triggered if
 // the backend want to show an url for the user
 type URLOpener interface {
-	Open(string)
+	Open(url string, userCode string)
 	OnLoginSuccess()
 }
@@ -148,9 +148,9 @@ func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string
 }
 // Login try register the client on the server
-func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener) {
+func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, isAndroidTV bool) {
 	go func() {
-		err := a.login(urlOpener)
+		err := a.login(urlOpener, isAndroidTV)
 		if err != nil {
 			resultListener.OnError(err)
 		} else {
@@ -159,7 +159,7 @@ func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener) {
 	}()
 }
-func (a *Auth) login(urlOpener URLOpener) error {
+func (a *Auth) login(urlOpener URLOpener, isAndroidTV bool) error {
 	var needsLogin bool
 	// check if we need to generate JWT token
@@ -173,7 +173,7 @@ func (a *Auth) login(urlOpener URLOpener) error {
 	jwtToken := ""
 	if needsLogin {
-		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener)
+		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener, isAndroidTV)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -199,8 +199,8 @@ func (a *Auth) login(urlOpener URLOpener) error {
 	return nil
 }
-func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, error) {
+func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false)
+	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, isAndroidTV, "")
 	if err != nil {
 		return nil, err
 	}
@@ -210,7 +210,7 @@ func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*auth.TokenInfo, err
 		return nil, fmt.Errorf("getting a request OAuth flow info failed: %v", err)
 	}
-	go urlOpener.Open(flowInfo.VerificationURIComplete)
+	go urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)
 	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
 	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout)
--- a/client/android/network_domains.go
+++ b/client/android/network_domains.go
@@ -0,0 +1,56 @@
 //go:build android
 package android
 import "fmt"
 type ResolvedIPs struct {
 	resolvedIPs []string
 }
 func (r *ResolvedIPs) Add(ipAddress string) {
 	r.resolvedIPs = append(r.resolvedIPs, ipAddress)
 }
 func (r *ResolvedIPs) Get(i int) (string, error) {
 	if i < 0 || i >= len(r.resolvedIPs) {
 		return "", fmt.Errorf("%d is out of range", i)
 	}
 	return r.resolvedIPs[i], nil
 }
 func (r *ResolvedIPs) Size() int {
 	return len(r.resolvedIPs)
 }
 type NetworkDomain struct {
 	Address     string
 	resolvedIPs ResolvedIPs
 }
 func (d *NetworkDomain) addResolvedIP(resolvedIP string) {
 	d.resolvedIPs.Add(resolvedIP)
 }
 func (d *NetworkDomain) GetResolvedIPs() *ResolvedIPs {
 	return &d.resolvedIPs
 }
 type NetworkDomains struct {
 	domains []*NetworkDomain
 }
 func (n *NetworkDomains) Add(domain *NetworkDomain) {
 	n.domains = append(n.domains, domain)
 }
 func (n *NetworkDomains) Get(i int) (*NetworkDomain, error) {
 	if i < 0 || i >= len(n.domains) {
 		return nil, fmt.Errorf("%d is out of range", i)
 	}
 	return n.domains[i], nil
 }
 func (n *NetworkDomains) Size() int {
 	return len(n.domains)
 }
--- a/client/android/networks.go
+++ b/client/android/networks.go
@@ -3,10 +3,16 @@
 package android
 type Network struct {
-	Name    string
+	Name       string
-	Network string
+	Network    string
-	Peer    string
+	Peer       string
-	Status  string
+	Status     string
 	IsSelected bool
 	Domains    NetworkDomains
 }
 func (n Network) GetNetworkDomains() *NetworkDomains {
 	return &n.Domains
 }
 type NetworkArray struct {
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -1,3 +1,5 @@
 //go:build android
 package android
 // PeerInfo describe information about the peers. It designed for the UI usage
@@ -5,6 +7,11 @@ type PeerInfo struct {
 	IP         string
 	FQDN       string
 	ConnStatus string // Todo replace to enum
 	Routes     PeerRoutes
 }
 func (p *PeerInfo) GetPeerRoutes() *PeerRoutes {
 	return &p.Routes
 }
 // PeerInfoArray is a wrapper of []PeerInfo
--- a/client/android/peer_routes.go
+++ b/client/android/peer_routes.go
@@ -0,0 +1,20 @@
 //go:build android
 package android
 import "fmt"
 type PeerRoutes struct {
 	routes []string
 }
 func (p *PeerRoutes) Get(i int) (string, error) {
 	if i < 0 || i >= len(p.routes) {
 		return "", fmt.Errorf("%d is out of range", i)
 	}
 	return p.routes[i], nil
 }
 func (p *PeerRoutes) Size() int {
 	return len(p.routes)
 }
--- a/client/android/platform_files.go
+++ b/client/android/platform_files.go
@@ -0,0 +1,10 @@
 //go:build android
 package android
 // PlatformFiles groups paths to files used internally by the engine that can't be created/modified
 // at their default locations due to android OS restrictions.
 type PlatformFiles interface {
 	ConfigurationFilePath() string
 	StateFilePath() string
 }
--- a/client/android/route_command.go
+++ b/client/android/route_command.go
@@ -0,0 +1,67 @@
 //go:build android
 package android
 import (
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/route"
 )
 func executeRouteToggle(id string, manager routemanager.Manager,
 	operationName string,
 	routeOperation func(routes []route.NetID, allRoutes []route.NetID) error) error {
 	netID := route.NetID(id)
 	routes := []route.NetID{netID}
 	log.Debugf("%s with id: %s", operationName, id)
 	if err := routeOperation(routes, maps.Keys(manager.GetClientRoutesWithNetID())); err != nil {
 		log.Debugf("error when %s: %s", operationName, err)
 		return fmt.Errorf("error %s: %w", operationName, err)
 	}
 	manager.TriggerSelection(manager.GetClientRoutes())
 	return nil
 }
 type routeCommand interface {
 	toggleRoute() error
 }
 type selectRouteCommand struct {
 	route   string
 	manager routemanager.Manager
 }
 func (s selectRouteCommand) toggleRoute() error {
 	routeSelector := s.manager.GetRouteSelector()
 	if routeSelector == nil {
 		return fmt.Errorf("no route selector available")
 	}
 	routeOperation := func(routes []route.NetID, allRoutes []route.NetID) error {
 		return routeSelector.SelectRoutes(routes, true, allRoutes)
 	}
 	return executeRouteToggle(s.route, s.manager, "selecting route", routeOperation)
 }
 type deselectRouteCommand struct {
 	route   string
 	manager routemanager.Manager
 }
 func (d deselectRouteCommand) toggleRoute() error {
 	routeSelector := d.manager.GetRouteSelector()
 	if routeSelector == nil {
 		return fmt.Errorf("no route selector available")
 	}
 	return executeRouteToggle(d.route, d.manager, "deselecting route", routeSelector.DeselectRoutes)
 }
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -4,14 +4,12 @@ import (
 	"context"
 	"fmt"
 	"os"
 	"os/exec"
 	"os/user"
 	"runtime"
 	"strings"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
@@ -106,6 +104,13 @@ func doDaemonLogin(ctx context.Context, cmd *cobra.Command, providedSetupKey str
 		Username:            &username,
 	}
 	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
 		loginRequest.Hint = &profileState.Email
 	}
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		loginRequest.OptionalPreSharedKey = &preSharedKey
 	}
@@ -241,7 +246,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 		return fmt.Errorf("read config file %s: %v", configFilePath, err)
 	}
-	err = foregroundLogin(ctx, cmd, config, setupKey)
+	err = foregroundLogin(ctx, cmd, config, setupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -269,7 +274,7 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 	return nil
 }
-func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey string) error {
+func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
 	needsLogin := false
 	err := WithBackOff(func() error {
@@ -286,7 +291,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	jwtToken := ""
 	if setupKey == "" && needsLogin {
-		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config)
+		tokenInfo, err := foregroundGetTokenInfo(ctx, cmd, config, profileName)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
@@ -315,8 +320,17 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 	return nil
 }
-func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config) (*auth.TokenInfo, error) {
+func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, profileName string) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
+	hint := ""
 	pm := profilemanager.NewProfileManager()
 	profileState, err := pm.GetProfileState(profileName)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
 		hint = profileState.Email
 	}
 	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop(), false, hint)
 	if err != nil {
 		return nil, err
 	}
@@ -357,21 +371,13 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	cmd.Println("")
 	if !noBrowser {
-		if err := openBrowser(verificationURIComplete); err != nil {
+		if err := util.OpenBrowser(verificationURIComplete); err != nil {
 			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
 				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 		}
 	}
 }
 // openBrowser opens the URL in a browser, respecting the BROWSER environment variable.
 func openBrowser(url string) error {
 	if browser := os.Getenv("BROWSER"); browser != "" {
 		return exec.Command(browser, url).Start()
 	}
 	return open.Run(url)
 }
 // isUnixRunningDesktop checks if a Linux OS is running desktop environment
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -259,6 +259,7 @@ func isServiceRunning() (bool, error) {
 }
 const (
 	networkdConf        = "/etc/systemd/networkd.conf"
 	networkdConfDir     = "/etc/systemd/networkd.conf.d"
 	networkdConfFile    = "/etc/systemd/networkd.conf.d/99-netbird.conf"
 	networkdConfContent = `# Created by NetBird to prevent systemd-networkd from removing
@@ -273,12 +274,16 @@ ManageForeignRoutingPolicyRules=no
 // configureSystemdNetworkd creates a drop-in configuration file to prevent
 // systemd-networkd from removing NetBird's routes and policy rules.
 func configureSystemdNetworkd() error {
-	parentDir := filepath.Dir(networkdConfDir)
+	if _, err := os.Stat(networkdConf); os.IsNotExist(err) {
-	if _, err := os.Stat(parentDir); os.IsNotExist(err) {
+		log.Debug("systemd-networkd not in use, skipping configuration")
 		log.Debug("systemd networkd.conf.d parent directory does not exist, skipping configuration")
 		return nil
 	}
 	// nolint:gosec // standard networkd permissions
 	if err := os.MkdirAll(networkdConfDir, 0755); err != nil {
 		return fmt.Errorf("create networkd.conf.d directory: %w", err)
 	}
 	// nolint:gosec // standard networkd permissions
 	if err := os.WriteFile(networkdConfFile, []byte(networkdConfContent), 0644); err != nil {
 		return fmt.Errorf("write networkd configuration: %w", err)
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -14,7 +14,9 @@ import (
 	"strings"
 	"syscall"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/ssh"
 	"github.com/netbirdio/netbird/client/internal"
 	sshclient "github.com/netbirdio/netbird/client/ssh/client"
@@ -34,6 +36,7 @@ const (
 	enableSSHLocalPortForwardFlag  = "enable-ssh-local-port-forwarding"
 	enableSSHRemotePortForwardFlag = "enable-ssh-remote-port-forwarding"
 	disableSSHAuthFlag             = "disable-ssh-auth"
 	sshJWTCacheTTLFlag             = "ssh-jwt-cache-ttl"
 )
 var (
@@ -47,6 +50,8 @@ var (
 	knownHostsFile        string
 	identityFile          string
 	skipCachedToken       bool
 	requestPTY            bool
 	sshNoBrowser          bool
 )
 var (
@@ -56,6 +61,7 @@ var (
 	enableSSHLocalPortForward  bool
 	enableSSHRemotePortForward bool
 	disableSSHAuth             bool
 	sshJWTCacheTTL             int
 )
 func init() {
@@ -65,14 +71,18 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&enableSSHLocalPortForward, enableSSHLocalPortForwardFlag, false, "Enable local port forwarding for SSH server")
 	upCmd.PersistentFlags().BoolVar(&enableSSHRemotePortForward, enableSSHRemotePortForwardFlag, false, "Enable remote port forwarding for SSH server")
 	upCmd.PersistentFlags().BoolVar(&disableSSHAuth, disableSSHAuthFlag, false, "Disable SSH authentication")
 	upCmd.PersistentFlags().IntVar(&sshJWTCacheTTL, sshJWTCacheTTLFlag, 0, "SSH JWT token cache TTL in seconds (0=disabled)")
 	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", sshserver.DefaultSSHPort, "Remote SSH port")
 	sshCmd.PersistentFlags().StringVarP(&username, "user", "u", "", sshUsernameDesc)
 	sshCmd.PersistentFlags().StringVar(&username, "login", "", sshUsernameDesc+" (alias for --user)")
 	sshCmd.PersistentFlags().BoolVarP(&requestPTY, "tty", "t", false, "Force pseudo-terminal allocation")
 	sshCmd.PersistentFlags().BoolVar(&strictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking (default: true)")
 	sshCmd.PersistentFlags().StringVarP(&knownHostsFile, "known-hosts", "o", "", "Path to known_hosts file (default: ~/.ssh/known_hosts)")
-	sshCmd.PersistentFlags().StringVarP(&identityFile, "identity", "i", "", "Path to SSH private key file")
+	sshCmd.PersistentFlags().StringVarP(&identityFile, "identity", "i", "", "Path to SSH private key file (deprecated)")
 	_ = sshCmd.PersistentFlags().MarkDeprecated("identity", "this flag is no longer used")
 	sshCmd.PersistentFlags().BoolVar(&skipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
 	sshCmd.PersistentFlags().BoolVar(&sshNoBrowser, noBrowserFlag, false, noBrowserDesc)
 	sshCmd.PersistentFlags().StringArrayP("L", "L", []string{}, "Local port forwarding [bind_address:]port:host:hostport")
 	sshCmd.PersistentFlags().StringArrayP("R", "R", []string{}, "Remote port forwarding [bind_address:]port:host:hostport")
@@ -97,9 +107,9 @@ SSH Options:
  -p, --port int                       Remote SSH port (default 22)
  -u, --user string                    SSH username
      --login string                   SSH username (alias for --user)
  -t, --tty                            Force pseudo-terminal allocation
      --strict-host-key-checking       Enable strict host key checking (default: true)
  -o, --known-hosts string             Path to known_hosts file
  -i, --identity string                Path to SSH private key file
 Examples:
  netbird ssh peer-hostname
@@ -107,8 +117,10 @@ Examples:
  netbird ssh --login root peer-hostname
  netbird ssh peer-hostname ls -la
  netbird ssh peer-hostname whoami
-  netbird ssh -L 8080:localhost:80 peer-hostname    # Local port forwarding
+  netbird ssh -t peer-hostname tmux                  # Force PTY for tmux/screen
-  netbird ssh -R 9090:localhost:3000 peer-hostname  # Remote port forwarding
+  netbird ssh -t peer-hostname sudo -i               # Force PTY for interactive sudo
  netbird ssh -L 8080:localhost:80 peer-hostname     # Local port forwarding
  netbird ssh -R 9090:localhost:3000 peer-hostname   # Remote port forwarding
  netbird ssh -L "*:8080:localhost:80" peer-hostname # Bind to all interfaces
  netbird ssh -L 8080:/tmp/socket peer-hostname      # Unix socket forwarding`,
 	DisableFlagParsing: true,
@@ -143,10 +155,10 @@ func sshFn(cmd *cobra.Command, args []string) error {
 	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
 	sshctx, cancel := context.WithCancel(ctx)
 	errCh := make(chan error, 1)
 	go func() {
 		if err := runSSH(sshctx, host, cmd); err != nil {
-			cmd.Printf("Error: %v\n", err)
+			errCh <- err
 			os.Exit(1)
 		}
 		cancel()
 	}()
@@ -154,6 +166,10 @@ func sshFn(cmd *cobra.Command, args []string) error {
 	select {
 	case <-sig:
 		cancel()
 		<-sshctx.Done()
 		return nil
 	case err := <-errCh:
 		return err
 	case <-sshctx.Done():
 	}
@@ -171,6 +187,21 @@ func getEnvOrDefault(flagName, defaultValue string) string {
 	return defaultValue
 }
 // getBoolEnvOrDefault checks for boolean environment variables with WT_ and NB_ prefixes
 func getBoolEnvOrDefault(flagName string, defaultValue bool) bool {
 	if envValue := os.Getenv("WT_" + flagName); envValue != "" {
 		if parsed, err := strconv.ParseBool(envValue); err == nil {
 			return parsed
 		}
 	}
 	if envValue := os.Getenv("NB_" + flagName); envValue != "" {
 		if parsed, err := strconv.ParseBool(envValue); err == nil {
 			return parsed
 		}
 	}
 	return defaultValue
 }
 // resetSSHGlobals sets SSH globals to their default values
 func resetSSHGlobals() {
 	port = sshserver.DefaultSSHPort
@@ -182,6 +213,7 @@ func resetSSHGlobals() {
 	strictHostKeyChecking = true
 	knownHostsFile = ""
 	identityFile = ""
 	sshNoBrowser = false
 }
 // parseCustomSSHFlags extracts -L, -R flags and returns filtered args
@@ -351,10 +383,12 @@ type sshFlags struct {
 	Port                  int
 	Username              string
 	Login                 string
 	RequestPTY            bool
 	StrictHostKeyChecking bool
 	KnownHostsFile        string
 	IdentityFile          string
 	SkipCachedToken       bool
 	NoBrowser             bool
 	ConfigPath            string
 	LogLevel              string
 	LocalForwards         []string
@@ -366,6 +400,7 @@ type sshFlags struct {
 func createSSHFlagSet() (*flag.FlagSet, *sshFlags) {
 	defaultConfigPath := getEnvOrDefault("CONFIG", configPath)
 	defaultLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
 	defaultNoBrowser := getBoolEnvOrDefault("NO_BROWSER", false)
 	fs := flag.NewFlagSet("ssh-flags", flag.ContinueOnError)
 	fs.SetOutput(nil)
@@ -373,22 +408,25 @@ func createSSHFlagSet() (*flag.FlagSet, *sshFlags) {
 	flags := &sshFlags{}
 	fs.IntVar(&flags.Port, "p", sshserver.DefaultSSHPort, "SSH port")
-	fs.Int("port", sshserver.DefaultSSHPort, "SSH port")
+	fs.IntVar(&flags.Port, "port", sshserver.DefaultSSHPort, "SSH port")
 	fs.StringVar(&flags.Username, "u", "", sshUsernameDesc)
-	fs.String("user", "", sshUsernameDesc)
+	fs.StringVar(&flags.Username, "user", "", sshUsernameDesc)
 	fs.StringVar(&flags.Login, "login", "", sshUsernameDesc+" (alias for --user)")
 	fs.BoolVar(&flags.RequestPTY, "t", false, "Force pseudo-terminal allocation")
 	fs.BoolVar(&flags.RequestPTY, "tty", false, "Force pseudo-terminal allocation")
 	fs.BoolVar(&flags.StrictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking")
 	fs.StringVar(&flags.KnownHostsFile, "o", "", "Path to known_hosts file")
-	fs.String("known-hosts", "", "Path to known_hosts file")
+	fs.StringVar(&flags.KnownHostsFile, "known-hosts", "", "Path to known_hosts file")
 	fs.StringVar(&flags.IdentityFile, "i", "", "Path to SSH private key file")
-	fs.String("identity", "", "Path to SSH private key file")
+	fs.StringVar(&flags.IdentityFile, "identity", "", "Path to SSH private key file")
 	fs.BoolVar(&flags.SkipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
 	fs.BoolVar(&flags.NoBrowser, "no-browser", defaultNoBrowser, noBrowserDesc)
 	fs.StringVar(&flags.ConfigPath, "c", defaultConfigPath, "Netbird config file location")
-	fs.String("config", defaultConfigPath, "Netbird config file location")
+	fs.StringVar(&flags.ConfigPath, "config", defaultConfigPath, "Netbird config file location")
 	fs.StringVar(&flags.LogLevel, "l", defaultLogLevel, "sets Netbird log level")
-	fs.String("log-level", defaultLogLevel, "sets Netbird log level")
+	fs.StringVar(&flags.LogLevel, "log-level", defaultLogLevel, "sets Netbird log level")
 	return fs, flags
 }
@@ -409,7 +447,10 @@ func validateSSHArgsWithoutFlagParsing(_ *cobra.Command, args []string) error {
 	fs, flags := createSSHFlagSet()
 	if err := fs.Parse(filteredArgs); err != nil {
-		return parseHostnameAndCommand(filteredArgs)
+		if errors.Is(err, flag.ErrHelp) {
 			return nil
 		}
 		return err
 	}
 	remaining := fs.Args()
@@ -424,10 +465,12 @@ func validateSSHArgsWithoutFlagParsing(_ *cobra.Command, args []string) error {
 		username = flags.Login
 	}
 	requestPTY = flags.RequestPTY
 	strictHostKeyChecking = flags.StrictHostKeyChecking
 	knownHostsFile = flags.KnownHostsFile
 	identityFile = flags.IdentityFile
 	skipCachedToken = flags.SkipCachedToken
 	sshNoBrowser = flags.NoBrowser
 	if flags.ConfigPath != getEnvOrDefault("CONFIG", configPath) {
 		configPath = flags.ConfigPath
@@ -487,6 +530,7 @@ func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
 		DaemonAddr:         daemonAddr,
 		SkipCachedToken:    skipCachedToken,
 		InsecureSkipVerify: !strictHostKeyChecking,
 		NoBrowser:          sshNoBrowser,
 	})
 	if err != nil {
@@ -520,10 +564,29 @@ func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
 // executeSSHCommand executes a command over SSH.
 func executeSSHCommand(ctx context.Context, c *sshclient.Client, command string) error {
-	if err := c.ExecuteCommandWithIO(ctx, command); err != nil {
+	var err error
 	if requestPTY {
 		err = c.ExecuteCommandWithPTY(ctx, command)
 	} else {
 		err = c.ExecuteCommandWithIO(ctx, command)
 	}
 	if err != nil {
 		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
 			return nil
 		}
 		var exitErr *ssh.ExitError
 		if errors.As(err, &exitErr) {
 			os.Exit(exitErr.ExitStatus())
 		}
 		var exitMissingErr *ssh.ExitMissingError
 		if errors.As(err, &exitMissingErr) {
 			log.Debugf("Remote command exited without exit status: %v", err)
 			return nil
 		}
 		return fmt.Errorf("execute command: %w", err)
 	}
 	return nil
@@ -535,6 +598,13 @@ func openSSHTerminal(ctx context.Context, c *sshclient.Client) error {
 		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
 			return nil
 		}
 		var exitMissingErr *ssh.ExitMissingError
 		if errors.As(err, &exitMissingErr) {
 			log.Debugf("Remote terminal exited without exit status: %v", err)
 			return nil
 		}
 		return fmt.Errorf("open terminal: %w", err)
 	}
 	return nil
@@ -702,7 +772,9 @@ func sshProxyFn(cmd *cobra.Command, args []string) error {
 	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
 		logOutput = firstLogFile
 	}
-	if err := util.InitLog(logLevel, logOutput); err != nil {
+
 	proxyLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
 	if err := util.InitLog(proxyLogLevel, logOutput); err != nil {
 		return fmt.Errorf("init log: %w", err)
 	}
@@ -714,10 +786,23 @@ func sshProxyFn(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("invalid port: %s", portStr)
 	}
-	proxy, err := sshproxy.New(daemonAddr, host, port, cmd.ErrOrStderr())
+	// Check env var for browser setting since this command is invoked via SSH ProxyCommand
 	// where command-line flags cannot be passed. Default is to open browser.
 	noBrowser := getBoolEnvOrDefault("NO_BROWSER", false)
 	var browserOpener func(string) error
 	if !noBrowser {
 		browserOpener = util.OpenBrowser
 	}
 	proxy, err := sshproxy.New(daemonAddr, host, port, cmd.ErrOrStderr(), browserOpener)
 	if err != nil {
 		return fmt.Errorf("create SSH proxy: %w", err)
 	}
 	defer func() {
 		if err := proxy.Close(); err != nil {
 			log.Debugf("close SSH proxy: %v", err)
 		}
 	}()
 	if err := proxy.Connect(cmd.Context()); err != nil {
 		return fmt.Errorf("SSH proxy: %w", err)
@@ -736,7 +821,8 @@ var sshDetectCmd = &cobra.Command{
 }
 func sshDetectFn(cmd *cobra.Command, args []string) error {
-	if err := util.InitLog(logLevel, "console"); err != nil {
+	detectLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
 	if err := util.InitLog(detectLogLevel, "console"); err != nil {
 		os.Exit(detection.ServerTypeRegular.ExitCode())
 	}
@@ -745,15 +831,21 @@ func sshDetectFn(cmd *cobra.Command, args []string) error {
 	port, err := strconv.Atoi(portStr)
 	if err != nil {
 		log.Debugf("invalid port %q: %v", portStr, err)
 		os.Exit(detection.ServerTypeRegular.ExitCode())
 	}
-	dialer := &net.Dialer{Timeout: detection.Timeout}
+	ctx, cancel := context.WithTimeout(cmd.Context(), detection.DefaultTimeout)
-	serverType, err := detection.DetectSSHServerType(cmd.Context(), dialer, host, port)
+
 	dialer := &net.Dialer{}
 	serverType, err := detection.DetectSSHServerType(ctx, dialer, host, port)
 	if err != nil {
 		log.Debugf("SSH server detection failed: %v", err)
 		cancel()
 		os.Exit(detection.ServerTypeRegular.ExitCode())
 	}
 	cancel()
 	os.Exit(serverType.ExitCode())
 	return nil
 }
--- a/client/cmd/ssh_sftp_windows.go
+++ b/client/cmd/ssh_sftp_windows.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"os"
 	"os/user"
 	"strings"
 	"github.com/pkg/sftp"
 	log "github.com/sirupsen/logrus"
@@ -51,7 +52,7 @@ func sftpMainDirect(cmd *cobra.Command) error {
 		if windowsDomain != "" {
 			expectedUsername = fmt.Sprintf(`%s\%s`, windowsDomain, windowsUsername)
 		}
-		if currentUser.Username != expectedUsername && currentUser.Username != windowsUsername {
+		if !strings.EqualFold(currentUser.Username, expectedUsername) && !strings.EqualFold(currentUser.Username, windowsUsername) {
 			cmd.PrintErrf("user switching failed\n")
 			os.Exit(sshserver.ExitCodeValidationFail)
 		}
--- a/client/cmd/ssh_test.go
+++ b/client/cmd/ssh_test.go
@@ -667,3 +667,51 @@ func TestSSHCommand_ParameterIsolation(t *testing.T) {
 		})
 	}
 }
 func TestSSHCommand_InvalidFlagRejection(t *testing.T) {
 	// Test that invalid flags are properly rejected and not misinterpreted as hostnames
 	tests := []struct {
 		name        string
 		args        []string
 		description string
 	}{
 		{
 			name:        "invalid long flag before hostname",
 			args:        []string{"--invalid-flag", "hostname"},
 			description: "Invalid flag should return parse error, not treat flag as hostname",
 		},
 		{
 			name:        "invalid short flag before hostname",
 			args:        []string{"-x", "hostname"},
 			description: "Invalid short flag should return parse error",
 		},
 		{
 			name:        "invalid flag with value before hostname",
 			args:        []string{"--invalid-option=value", "hostname"},
 			description: "Invalid flag with value should return parse error",
 		},
 		{
 			name:        "typo in known flag",
 			args:        []string{"--por", "2222", "hostname"},
 			description: "Typo in flag name should return parse error (not silently ignored)",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Reset global variables
 			host = ""
 			username = ""
 			port = 22
 			command = ""
 			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
 			// Should return an error for invalid flags
 			assert.Error(t, err, tt.description)
 			// Should not have set host to the invalid flag
 			assert.NotEqual(t, tt.args[0], host, "Invalid flag should not be interpreted as hostname")
 		})
 	}
 }
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -109,7 +109,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	case yamlFlag:
 		statusOutputString, err = nbstatus.ParseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false)
+		statusOutputString = nbstatus.ParseGeneralSummary(outputInformationHolder, false, false, false, false)
 	}
 	if err != nil {
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -13,6 +13,12 @@ import (
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
@@ -20,8 +26,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/peers"
 	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -84,7 +88,6 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}
 	t.Cleanup(cleanUp)
 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
@@ -110,13 +113,21 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
-	accountManager, err := mgmt.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	ctx := context.Background()
 	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := mgmt.NewAccountRequestBuffer(ctx, store)
 	networkMapController := controller.NewController(ctx, store, metrics, updateManager, requestBuffer, mgmt.MockIntegratedValidator{}, settingsMockManager, "netbird.cloud", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersmanager), config)
 	accountManager, err := mgmt.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	if err != nil {
 		t.Fatal(err)
 	}
 	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &mgmt.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -185,7 +185,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	_, _ = profilemanager.UpdateOldManagementURL(ctx, config, configFilePath)
-	err = foregroundLogin(ctx, cmd, config, providedSetupKey)
+	err = foregroundLogin(ctx, cmd, config, providedSetupKey, activeProf.Name)
 	if err != nil {
 		return fmt.Errorf("foreground login failed: %v", err)
 	}
@@ -286,6 +286,13 @@ func doDaemonUp(ctx context.Context, cmd *cobra.Command, client proto.DaemonServ
 	loginRequest.ProfileName = &activeProf.Name
 	loginRequest.Username = &username
 	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 	} else if profileState.Email != "" {
 		loginRequest.Hint = &profileState.Email
 	}
 	var loginErr error
 	var loginResp *proto.LoginResponse
@@ -355,14 +362,18 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.EnableSSHSFTP = &enableSSHSFTP
 	}
 	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		req.EnableSSHLocalPortForward = &enableSSHLocalPortForward
+		req.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
 	}
 	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		req.EnableSSHRemotePortForward = &enableSSHRemotePortForward
+		req.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
 	}
 	if cmd.Flag(disableSSHAuthFlag).Changed {
 		req.DisableSSHAuth = &disableSSHAuth
 	}
 	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
 		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
 		req.SshJWTCacheTTL = &sshJWTCacheTTL32
 	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			log.Errorf("parse interface name: %v", err)
@@ -467,6 +478,10 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.DisableSSHAuth = &disableSSHAuth
 	}
 	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
 		ic.SSHJWTCacheTTL = &sshJWTCacheTTL
 	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return nil, err
@@ -587,6 +602,11 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.DisableSSHAuth = &disableSSHAuth
 	}
 	if cmd.Flag(sshJWTCacheTTLFlag).Changed {
 		sshJWTCacheTTL32 := int32(sshJWTCacheTTL)
 		loginRequest.SshJWTCacheTTL = &sshJWTCacheTTL32
 	}
 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled
 	}
--- a/client/firewall/iptables/acl_linux.go
+++ b/client/firewall/iptables/acl_linux.go
@@ -1,13 +1,14 @@
 package iptables
 import (
 	"errors"
 	"fmt"
 	"net"
 	"slices"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/uuid"
-	"github.com/nadoo/ipset"
+	ipset "github.com/lrh3321/ipset-go"
 	log "github.com/sirupsen/logrus"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -40,19 +41,13 @@ type aclManager struct {
 }
 func newAclManager(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*aclManager, error) {
-	m := &aclManager{
+	return &aclManager{
 		iptablesClient:  iptablesClient,
 		wgIface:         wgIface,
 		entries:         make(map[string][][]string),
 		optionalEntries: make(map[string][]entry),
 		ipsetStore:      newIpsetStore(),
-	}
+	}, nil
 	if err := ipset.Init(); err != nil {
 		return nil, fmt.Errorf("init ipset: %w", err)
 	}
 	return m, nil
 }
 func (m *aclManager) init(stateManager *statemanager.Manager) error {
@@ -98,8 +93,8 @@ func (m *aclManager) AddPeerFiltering(
 	specs = append(specs, "-j", actionToStr(action))
 	if ipsetName != "" {
 		if ipList, ipsetExists := m.ipsetStore.ipset(ipsetName); ipsetExists {
-			if err := ipset.Add(ipsetName, ip.String()); err != nil {
+			if err := m.addToIPSet(ipsetName, ip); err != nil {
-				return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
+				return nil, fmt.Errorf("add IP to ipset: %w", err)
 			}
 			// if ruleset already exists it means we already have the firewall rule
 			// so we need to update IPs in the ruleset and return new fw.Rule object for ACL manager.
@@ -113,14 +108,18 @@ func (m *aclManager) AddPeerFiltering(
 			}}, nil
 		}
-		if err := ipset.Flush(ipsetName); err != nil {
+		if err := m.flushIPSet(ipsetName); err != nil {
-			log.Errorf("flush ipset %s before use it: %s", ipsetName, err)
+			if errors.Is(err, ipset.ErrSetNotExist) {
 				log.Debugf("flush ipset %s before use: %v", ipsetName, err)
 			} else {
 				log.Errorf("flush ipset %s before use: %v", ipsetName, err)
 			}
 		}
-		if err := ipset.Create(ipsetName); err != nil {
+		if err := m.createIPSet(ipsetName); err != nil {
-			return nil, fmt.Errorf("failed to create ipset: %w", err)
+			return nil, fmt.Errorf("create ipset: %w", err)
 		}
-		if err := ipset.Add(ipsetName, ip.String()); err != nil {
+		if err := m.addToIPSet(ipsetName, ip); err != nil {
-			return nil, fmt.Errorf("failed to add IP to ipset: %w", err)
+			return nil, fmt.Errorf("add IP to ipset: %w", err)
 		}
 		ipList := newIpList(ip.String())
@@ -172,11 +171,16 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("invalid rule type")
 	}
 	shouldDestroyIpset := false
 	if ipsetList, ok := m.ipsetStore.ipset(r.ipsetName); ok {
 		// delete IP from ruleset IPs list and ipset
 		if _, ok := ipsetList.ips[r.ip]; ok {
-			if err := ipset.Del(r.ipsetName, r.ip); err != nil {
+			ip := net.ParseIP(r.ip)
-				return fmt.Errorf("failed to delete ip from ipset: %w", err)
+			if ip == nil {
 				return fmt.Errorf("parse IP %s", r.ip)
 			}
 			if err := m.delFromIPSet(r.ipsetName, ip); err != nil {
 				return fmt.Errorf("delete ip from ipset: %w", err)
 			}
 			delete(ipsetList.ips, r.ip)
 		}
@@ -190,10 +194,7 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		// we delete last IP from the set, that means we need to delete
 		// set itself and associated firewall rule too
 		m.ipsetStore.deleteIpset(r.ipsetName)
-
+		shouldDestroyIpset = true
 		if err := ipset.Destroy(r.ipsetName); err != nil {
 			log.Errorf("delete empty ipset: %v", err)
 		}
 	}
 	if err := m.iptablesClient.Delete(tableName, r.chain, r.specs...); err != nil {
@@ -206,6 +207,16 @@ func (m *aclManager) DeletePeerRule(rule firewall.Rule) error {
 		}
 	}
 	if shouldDestroyIpset {
 		if err := m.destroyIPSet(r.ipsetName); err != nil {
 			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
 				log.Debugf("destroy empty ipset: %v", err)
 			} else {
 				log.Errorf("destroy empty ipset: %v", err)
 			}
 		}
 	}
 	m.updateState()
 	return nil
@@ -264,11 +275,19 @@ func (m *aclManager) cleanChains() error {
 	}
 	for _, ipsetName := range m.ipsetStore.ipsetNames() {
-		if err := ipset.Flush(ipsetName); err != nil {
+		if err := m.flushIPSet(ipsetName); err != nil {
-			log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
+			if errors.Is(err, ipset.ErrSetNotExist) {
 				log.Debugf("flush ipset %q during reset: %v", ipsetName, err)
 			} else {
 				log.Errorf("flush ipset %q during reset: %v", ipsetName, err)
 			}
 		}
-		if err := ipset.Destroy(ipsetName); err != nil {
+		if err := m.destroyIPSet(ipsetName); err != nil {
-			log.Errorf("delete ipset %q during reset: %v", ipsetName, err)
+			if errors.Is(err, ipset.ErrBusy) || errors.Is(err, ipset.ErrSetNotExist) {
 				log.Debugf("destroy ipset %q during reset: %v", ipsetName, err)
 			} else {
 				log.Errorf("destroy ipset %q during reset: %v", ipsetName, err)
 			}
 		}
 		m.ipsetStore.deleteIpset(ipsetName)
 	}
@@ -368,8 +387,8 @@ func (m *aclManager) updateState() {
 // filterRuleSpecs returns the specs of a filtering rule
 func filterRuleSpecs(ip net.IP, protocol string, sPort, dPort *firewall.Port, action firewall.Action, ipsetName string) (specs []string) {
 	matchByIP := true
-	// don't use IP matching if IP is ip 0.0.0.0
+	// don't use IP matching if IP is 0.0.0.0
-	if ip.String() == "0.0.0.0" {
+	if ip.IsUnspecified() {
 		matchByIP = false
 	}
@@ -416,3 +435,61 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ipsetName + actionSuffix
 	}
 }
 func (m *aclManager) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
 	}
 	log.Debugf("created ipset %s with type hash:net", name)
 	return nil
 }
 func (m *aclManager) addToIPSet(name string, ip net.IP) error {
 	cidr := uint8(32)
 	if ip.To4() == nil {
 		cidr = 128
 	}
 	entry := &ipset.Entry{
 		IP:      ip,
 		CIDR:    cidr,
 		Replace: true,
 	}
 	if err := ipset.Add(name, entry); err != nil {
 		return fmt.Errorf("add IP to ipset %s: %w", name, err)
 	}
 	return nil
 }
 func (m *aclManager) delFromIPSet(name string, ip net.IP) error {
 	cidr := uint8(32)
 	if ip.To4() == nil {
 		cidr = 128
 	}
 	entry := &ipset.Entry{
 		IP:   ip,
 		CIDR: cidr,
 	}
 	if err := ipset.Del(name, entry); err != nil {
 		return fmt.Errorf("delete IP from ipset %s: %w", name, err)
 	}
 	return nil
 }
 func (m *aclManager) flushIPSet(name string) error {
 	return ipset.Flush(name)
 }
 func (m *aclManager) destroyIPSet(name string) error {
 	return ipset.Destroy(name)
 }
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -10,7 +10,7 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/hashicorp/go-multierror"
-	"github.com/nadoo/ipset"
+	ipset "github.com/lrh3321/ipset-go"
 	log "github.com/sirupsen/logrus"
 	nberrors "github.com/netbirdio/netbird/client/errors"
@@ -107,10 +107,6 @@ func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint1
 		},
 	)
 	if err := ipset.Init(); err != nil {
 		return nil, fmt.Errorf("init ipset: %w", err)
 	}
 	return r, nil
 }
@@ -232,12 +228,12 @@ func (r *router) findSets(rule []string) []string {
 }
 func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
-	if err := ipset.Create(setName, ipset.OptTimeout(0)); err != nil {
+	if err := r.createIPSet(setName); err != nil {
 		return fmt.Errorf("create set %s: %w", setName, err)
 	}
 	for _, prefix := range sources {
-		if err := ipset.AddPrefix(setName, prefix); err != nil {
+		if err := r.addPrefixToIPSet(setName, prefix); err != nil {
 			return fmt.Errorf("add element to set %s: %w", setName, err)
 		}
 	}
@@ -246,7 +242,7 @@ func (r *router) createIpSet(setName string, sources []netip.Prefix) error {
 }
 func (r *router) deleteIpSet(setName string) error {
-	if err := ipset.Destroy(setName); err != nil {
+	if err := r.destroyIPSet(setName); err != nil {
 		return fmt.Errorf("destroy set %s: %w", setName, err)
 	}
@@ -915,8 +911,8 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 			log.Tracef("skipping IPv6 prefix %s: IPv6 support not yet implemented", prefix)
 			continue
 		}
-		if err := ipset.AddPrefix(set.HashedName(), prefix); err != nil {
+		if err := r.addPrefixToIPSet(set.HashedName(), prefix); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("increment ipset counter: %w", err))
+			merr = multierror.Append(merr, fmt.Errorf("add prefix to ipset: %w", err))
 		}
 	}
 	if merr == nil {
@@ -993,3 +989,37 @@ func applyPort(flag string, port *firewall.Port) []string {
 	return []string{flag, strconv.Itoa(int(port.Values[0]))}
 }
 func (r *router) createIPSet(name string) error {
 	opts := ipset.CreateOptions{
 		Replace: true,
 	}
 	if err := ipset.Create(name, ipset.TypeHashNet, opts); err != nil {
 		return fmt.Errorf("create ipset %s: %w", name, err)
 	}
 	log.Debugf("created ipset %s with type hash:net", name)
 	return nil
 }
 func (r *router) addPrefixToIPSet(name string, prefix netip.Prefix) error {
 	addr := prefix.Addr()
 	ip := addr.AsSlice()
 	entry := &ipset.Entry{
 		IP:      ip,
 		CIDR:    uint8(prefix.Bits()),
 		Replace: true,
 	}
 	if err := ipset.Add(name, entry); err != nil {
 		return fmt.Errorf("add prefix to ipset %s: %w", name, err)
 	}
 	return nil
 }
 func (r *router) destroyIPSet(name string) error {
 	return ipset.Destroy(name)
 }
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -27,7 +27,11 @@ import (
 )
 const (
-	tableNat               = "nat"
+	tableNat      = "nat"
 	tableMangle   = "mangle"
 	tableRaw      = "raw"
 	tableSecurity = "security"
 	chainNameNatPrerouting = "PREROUTING"
 	chainNameRoutingFw     = "netbird-rt-fwd"
 	chainNameRoutingNat    = "netbird-rt-postrouting"
@@ -91,11 +95,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 	var err error
 	r.filterTable, err = r.loadFilterTable()
 	if err != nil {
-		if errors.Is(err, errFilterTableNotFound) {
+		log.Debugf("ip filter table not found: %v", err)
 			log.Warnf("table 'filter' not found for forward rules")
 		} else {
 			return nil, fmt.Errorf("load filter table: %w", err)
 		}
 	}
 	return r, nil
@@ -175,7 +175,7 @@ func (r *router) removeNatPreroutingRules() error {
 func (r *router) loadFilterTable() (*nftables.Table, error) {
 	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
-		return nil, fmt.Errorf("unable to list tables: %v", err)
+		return nil, fmt.Errorf("list tables: %w", err)
 	}
 	for _, table := range tables {
@@ -187,14 +187,39 @@ func (r *router) loadFilterTable() (*nftables.Table, error) {
 	return nil, errFilterTableNotFound
 }
 func hookName(hook *nftables.ChainHook) string {
 	if hook == nil {
 		return "unknown"
 	}
 	switch *hook {
 	case *nftables.ChainHookForward:
 		return chainNameForward
 	case *nftables.ChainHookInput:
 		return chainNameInput
 	default:
 		return fmt.Sprintf("hook(%d)", *hook)
 	}
 }
 func familyName(family nftables.TableFamily) string {
 	switch family {
 	case nftables.TableFamilyIPv4:
 		return "ip"
 	case nftables.TableFamilyIPv6:
 		return "ip6"
 	case nftables.TableFamilyINet:
 		return "inet"
 	default:
 		return fmt.Sprintf("family(%d)", family)
 	}
 }
 func (r *router) createContainers() error {
 	r.chains[chainNameRoutingFw] = r.conn.AddChain(&nftables.Chain{
 		Name:  chainNameRoutingFw,
 		Table: r.workTable,
 	})
 	insertReturnTrafficRule(r.conn, r.workTable, r.chains[chainNameRoutingFw])
 	prio := *nftables.ChainPriorityNATSource - 1
 	r.chains[chainNameRoutingNat] = r.conn.AddChain(&nftables.Chain{
 		Name:     chainNameRoutingNat,
@@ -236,9 +261,12 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeFilter,
 	})
-	// Add the single NAT rule that matches on mark
+	insertReturnTrafficRule(r.conn, r.workTable, r.chains[chainNameRoutingFw])
-	if err := r.addPostroutingRules(); err != nil {
+
-		return fmt.Errorf("add single nat rule: %v", err)
+	r.addPostroutingRules()
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf("initialize tables: %v", err)
 	}
 	if err := r.addMSSClampingRules(); err != nil {
@@ -250,11 +278,7 @@ func (r *router) createContainers() error {
 	}
 	if err := r.refreshRulesMap(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+		log.Errorf("failed to refresh rules: %s", err)
 	}
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf("initialize tables: %v", err)
 	}
 	return nil
@@ -695,7 +719,7 @@ func (r *router) addNatRule(pair firewall.RouterPair) error {
 }
 // addPostroutingRules adds the masquerade rules
-func (r *router) addPostroutingRules() error {
+func (r *router) addPostroutingRules() {
 	// First masquerade rule for traffic coming in from WireGuard interface
 	exprs := []expr.Any{
 		// Match on the first fwmark
@@ -761,8 +785,6 @@ func (r *router) addPostroutingRules() error {
 		Chain: r.chains[chainNameRoutingNat],
 		Exprs: exprs2,
 	})
 	return nil
 }
 // addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
@@ -839,7 +861,7 @@ func (r *router) addMSSClampingRules() error {
 		Exprs: exprsOut,
 	})
-	return nil
+	return r.conn.Flush()
 }
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
@@ -939,8 +961,21 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 // In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
 // This method also adds INPUT chain rules to allow traffic to the local interface.
 func (r *router) acceptForwardRules() error {
 	var merr *multierror.Error
 	if err := r.acceptFilterTableRules(); err != nil {
 		merr = multierror.Append(merr, err)
 	}
 	if err := r.acceptExternalChainsRules(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("add accept rules to external chains: %w", err))
 	}
 	return nberrors.FormatErrorOrNil(merr)
 }
 func (r *router) acceptFilterTableRules() error {
 	if r.filterTable == nil {
 		log.Debugf("table 'filter' not found for forward rules, skipping accept rules")
 		return nil
 	}
@@ -953,11 +988,11 @@ func (r *router) acceptForwardRules() error {
 	// Try iptables first and fallback to nftables if iptables is not available
 	ipt, err := iptables.New()
 	if err != nil {
-		// filter table exists but iptables is not
+		// iptables is not available but the filter table exists
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
 		fw = "nftables"
-		return r.acceptFilterRulesNftables()
+		return r.acceptFilterRulesNftables(r.filterTable)
 	}
 	return r.acceptFilterRulesIptables(ipt)
@@ -968,7 +1003,7 @@ func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("add iptables forward rule: %v", err))
+			merr = multierror.Append(merr, fmt.Errorf("add iptables forward rule: %v", err))
 		} else {
 			log.Debugf("added iptables forward rule: %v", rule)
 		}
@@ -976,7 +1011,7 @@ func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	inputRule := r.getAcceptInputRule()
 	if err := ipt.Insert("filter", chainNameInput, 1, inputRule...); err != nil {
-		merr = multierror.Append(err, fmt.Errorf("add iptables input rule: %v", err))
+		merr = multierror.Append(merr, fmt.Errorf("add iptables input rule: %v", err))
 	} else {
 		log.Debugf("added iptables input rule: %v", inputRule)
 	}
@@ -996,18 +1031,70 @@ func (r *router) getAcceptInputRule() []string {
 	return []string{"-i", r.wgIface.Name(), "-j", "ACCEPT"}
 }
-func (r *router) acceptFilterRulesNftables() error {
+// acceptFilterRulesNftables adds accept rules to the ip filter table using nftables.
 // This is used when iptables is not available.
 func (r *router) acceptFilterRulesNftables(table *nftables.Table) error {
 	intf := ifname(r.wgIface.Name())
 	forwardChain := &nftables.Chain{
 		Name:     chainNameForward,
 		Table:    table,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookForward,
 		Priority: nftables.ChainPriorityFilter,
 	}
 	r.insertForwardAcceptRules(forwardChain, intf)
 	inputChain := &nftables.Chain{
 		Name:     chainNameInput,
 		Table:    table,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookInput,
 		Priority: nftables.ChainPriorityFilter,
 	}
 	r.insertInputAcceptRule(inputChain, intf)
 	return r.conn.Flush()
 }
 // acceptExternalChainsRules adds accept rules to external chains (non-netbird, non-iptables tables).
 // It dynamically finds chains at call time to handle chains that may have been created after startup.
 func (r *router) acceptExternalChainsRules() error {
 	chains := r.findExternalChains()
 	if len(chains) == 0 {
 		return nil
 	}
 	intf := ifname(r.wgIface.Name())
 	for _, chain := range chains {
 		if chain.Hooknum == nil {
 			log.Debugf("skipping external chain %s/%s: hooknum is nil", chain.Table.Name, chain.Name)
 			continue
 		}
 		log.Debugf("adding accept rules to external %s chain: %s %s/%s",
 			hookName(chain.Hooknum), familyName(chain.Table.Family), chain.Table.Name, chain.Name)
 		switch *chain.Hooknum {
 		case *nftables.ChainHookForward:
 			r.insertForwardAcceptRules(chain, intf)
 		case *nftables.ChainHookInput:
 			r.insertInputAcceptRule(chain, intf)
 		}
 	}
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf("flush external chain rules: %w", err)
 	}
 	return nil
 }
 func (r *router) insertForwardAcceptRules(chain *nftables.Chain, intf []byte) {
 	iifRule := &nftables.Rule{
-		Table: r.filterTable,
+		Table: chain.Table,
-		Chain: &nftables.Chain{
+		Chain: chain,
 			Name:     chainNameForward,
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
 			Priority: nftables.ChainPriorityFilter,
 		},
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{
@@ -1030,30 +1117,19 @@ func (r *router) acceptFilterRulesNftables() error {
 			Data:     intf,
 		},
 	}
 	oifRule := &nftables.Rule{
-		Table: r.filterTable,
+		Table:    chain.Table,
-		Chain: &nftables.Chain{
+		Chain:    chain,
 			Name:     chainNameForward,
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
 			Priority: nftables.ChainPriorityFilter,
 		},
 		Exprs:    append(oifExprs, getEstablishedExprs(2)...),
 		UserData: []byte(userDataAcceptForwardRuleOif),
 	}
 	r.conn.InsertRule(oifRule)
 }
 func (r *router) insertInputAcceptRule(chain *nftables.Chain, intf []byte) {
 	inputRule := &nftables.Rule{
-		Table: r.filterTable,
+		Table: chain.Table,
-		Chain: &nftables.Chain{
+		Chain: chain,
 			Name:     chainNameInput,
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookInput,
 			Priority: nftables.ChainPriorityFilter,
 		},
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{
@@ -1067,32 +1143,44 @@ func (r *router) acceptFilterRulesNftables() error {
 		UserData: []byte(userDataAcceptInputRule),
 	}
 	r.conn.InsertRule(inputRule)
 	return nil
 }
 func (r *router) removeAcceptFilterRules() error {
 	var merr *multierror.Error
 	if err := r.removeFilterTableRules(); err != nil {
 		merr = multierror.Append(merr, err)
 	}
 	if err := r.removeExternalChainsRules(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("remove external chain rules: %w", err))
 	}
 	return nberrors.FormatErrorOrNil(merr)
 }
 func (r *router) removeFilterTableRules() error {
 	if r.filterTable == nil {
 		return nil
 	}
 	ipt, err := iptables.New()
 	if err != nil {
-		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
+		log.Debugf("iptables not available, using nftables to remove filter rules: %v", err)
-		return r.removeAcceptFilterRulesNftables()
+		return r.removeAcceptRulesFromTable(r.filterTable)
 	}
 	return r.removeAcceptFilterRulesIptables(ipt)
 }
-func (r *router) removeAcceptFilterRulesNftables() error {
+func (r *router) removeAcceptRulesFromTable(table *nftables.Table) error {
-	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
+	chains, err := r.conn.ListChainsOfTableFamily(table.Family)
 	if err != nil {
 		return fmt.Errorf("list chains: %v", err)
 	}
 	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name {
+		if chain.Table.Name != table.Name {
 			continue
 		}
@@ -1100,27 +1188,101 @@ func (r *router) removeAcceptFilterRulesNftables() error {
 			continue
 		}
-		rules, err := r.conn.GetRules(r.filterTable, chain)
+		if err := r.removeAcceptRulesFromChain(table, chain); err != nil {
 			return err
 		}
 	}
 	return r.conn.Flush()
 }
 func (r *router) removeAcceptRulesFromChain(table *nftables.Table, chain *nftables.Chain) error {
 	rules, err := r.conn.GetRules(table, chain)
 	if err != nil {
 		return fmt.Errorf("get rules from %s/%s: %v", table.Name, chain.Name, err)
 	}
 	for _, rule := range rules {
 		if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
 			bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
 			bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
 			if err := r.conn.DelRule(rule); err != nil {
 				return fmt.Errorf("delete rule from %s/%s: %v", table.Name, chain.Name, err)
 			}
 		}
 	}
 	return nil
 }
 // removeExternalChainsRules removes our accept rules from all external chains.
 // This is deterministic - it scans for chains at removal time rather than relying on saved state,
 // ensuring cleanup works even after a crash or if chains changed.
 func (r *router) removeExternalChainsRules() error {
 	chains := r.findExternalChains()
 	if len(chains) == 0 {
 		return nil
 	}
 	for _, chain := range chains {
 		if err := r.removeAcceptRulesFromChain(chain.Table, chain); err != nil {
 			log.Warnf("remove rules from external chain %s/%s: %v", chain.Table.Name, chain.Name, err)
 		}
 	}
 	return r.conn.Flush()
 }
 // findExternalChains scans for chains from non-netbird tables that have FORWARD or INPUT hooks.
 // This is used both at startup (to know where to add rules) and at cleanup (to ensure deterministic removal).
 func (r *router) findExternalChains() []*nftables.Chain {
 	var chains []*nftables.Chain
 	families := []nftables.TableFamily{nftables.TableFamilyIPv4, nftables.TableFamilyINet}
 	for _, family := range families {
 		allChains, err := r.conn.ListChainsOfTableFamily(family)
 		if err != nil {
-			return fmt.Errorf("get rules: %v", err)
+			log.Debugf("list chains for family %d: %v", family, err)
 			continue
 		}
-		for _, rule := range rules {
+		for _, chain := range allChains {
-			if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
+			if r.isExternalChain(chain) {
-				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
+				chains = append(chains, chain)
 				bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
 				if err := r.conn.DelRule(rule); err != nil {
 					return fmt.Errorf("delete rule: %v", err)
 				}
 			}
 		}
 	}
-	if err := r.conn.Flush(); err != nil {
+	return chains
-		return fmt.Errorf(flushError, err)
+}
 func (r *router) isExternalChain(chain *nftables.Chain) bool {
 	if r.workTable != nil && chain.Table.Name == r.workTable.Name {
 		return false
 	}
-	return nil
+	// Skip all iptables-managed tables in the ip family
 	if chain.Table.Family == nftables.TableFamilyIPv4 && isIptablesTable(chain.Table.Name) {
 		return false
 	}
 	if chain.Type != nftables.ChainTypeFilter {
 		return false
 	}
 	if chain.Hooknum == nil {
 		return false
 	}
 	return *chain.Hooknum == *nftables.ChainHookForward || *chain.Hooknum == *nftables.ChainHookInput
 }
 func isIptablesTable(name string) bool {
 	switch name {
 	case tableNameFilter, tableNat, tableMangle, tableRaw, tableSecurity:
 		return true
 	}
 	return false
 }
 func (r *router) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
@@ -1128,13 +1290,13 @@ func (r *router) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("remove iptables forward rule: %v", err))
+			merr = multierror.Append(merr, fmt.Errorf("remove iptables forward rule: %v", err))
 		}
 	}
 	inputRule := r.getAcceptInputRule()
 	if err := ipt.DeleteIfExists("filter", chainNameInput, inputRule...); err != nil {
-		merr = multierror.Append(err, fmt.Errorf("remove iptables input rule: %v", err))
+		merr = multierror.Append(merr, fmt.Errorf("remove iptables input rule: %v", err))
 	}
 	return nberrors.FormatErrorOrNil(merr)
@@ -1196,7 +1358,7 @@ func (r *router) refreshRulesMap() error {
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf(" unable to list rules: %v", err)
+			return fmt.Errorf("list rules: %w", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
--- a/client/grpc/dialer.go
+++ b/client/grpc/dialer.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"runtime"
 	"time"
@@ -12,7 +11,6 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/connectivity"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
@@ -20,9 +18,6 @@ import (
 	"github.com/netbirdio/netbird/util/embeddedroots"
 )
 // ErrConnectionShutdown indicates that the connection entered shutdown state before becoming ready
 var ErrConnectionShutdown = errors.New("connection shutdown before ready")
 // Backoff returns a backoff configuration for gRPC calls
 func Backoff(ctx context.Context) backoff.BackOff {
 	b := backoff.NewExponentialBackOff()
@@ -31,26 +26,6 @@ func Backoff(ctx context.Context) backoff.BackOff {
 	return backoff.WithContext(b, ctx)
 }
 // waitForConnectionReady blocks until the connection becomes ready or fails.
 // Returns an error if the connection times out, is cancelled, or enters shutdown state.
 func waitForConnectionReady(ctx context.Context, conn *grpc.ClientConn) error {
 	conn.Connect()
 	state := conn.GetState()
 	for state != connectivity.Ready && state != connectivity.Shutdown {
 		if !conn.WaitForStateChange(ctx, state) {
 			return fmt.Errorf("wait state change from %s: %w", state, ctx.Err())
 		}
 		state = conn.GetState()
 	}
 	if state == connectivity.Shutdown {
 		return ErrConnectionShutdown
 	}
 	return nil
 }
 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
 func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
@@ -68,25 +43,22 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 		}))
 	}
-	conn, err := grpc.NewClient(
+	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
 	conn, err := grpc.DialContext(
 		connCtx,
 		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
 		grpc.WithBlock(),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("new client: %w", err)
+		return nil, fmt.Errorf("dial context: %w", err)
 	}
 	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
 	if err := waitForConnectionReady(ctx, conn); err != nil {
 		_ = conn.Close()
 		return nil, err
 	}
 	return conn, nil
--- a/client/iface/device/device_android.go
+++ b/client/iface/device/device_android.go
@@ -3,6 +3,7 @@
 package device
 import (
 	"fmt"
 	"strings"
 	log "github.com/sirupsen/logrus"
@@ -19,11 +20,12 @@ import (
 // WGTunDevice ignore the WGTunDevice interface on Android because the creation of the tun device is different on this platform
 type WGTunDevice struct {
-	address    wgaddr.Address
+	address wgaddr.Address
-	port       int
+	port    int
-	key        string
+	key     string
-	mtu        uint16
+	mtu     uint16
-	iceBind    *bind.ICEBind
+	iceBind *bind.ICEBind
 	// todo: review if we can eliminate the TunAdapter
 	tunAdapter TunAdapter
 	disableDNS bool
@@ -32,17 +34,19 @@ type WGTunDevice struct {
 	filteredDevice *FilteredDevice
 	udpMux         *udpmux.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 	renewableTun   *RenewableTUN
 }
 func NewTunDevice(address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
 	return &WGTunDevice{
-		address:    address,
+		address:      address,
-		port:       port,
+		port:         port,
-		key:        key,
+		key:          key,
-		mtu:        mtu,
+		mtu:          mtu,
-		iceBind:    iceBind,
+		iceBind:      iceBind,
-		tunAdapter: tunAdapter,
+		tunAdapter:   tunAdapter,
-		disableDNS: disableDNS,
+		disableDNS:   disableDNS,
 		renewableTun: NewRenewableTUN(),
 	}
 }
@@ -65,14 +69,17 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		return nil, err
 	}
-	tunDevice, name, err := tun.CreateUnmonitoredTUNFromFD(fd)
+	unmonitoredTUN, name, err := tun.CreateUnmonitoredTUNFromFD(fd)
 	if err != nil {
 		_ = unix.Close(fd)
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err
 	}
 	t.renewableTun.AddDevice(unmonitoredTUN)
 	t.name = name
-	t.filteredDevice = newDeviceFilter(tunDevice)
+	t.filteredDevice = newDeviceFilter(t.renewableTun)
 	log.Debugf("attaching to interface %v", name)
 	t.device = device.NewDevice(t.filteredDevice, t.iceBind, device.NewLogger(wgLogLevel(), "[netbird] "))
@@ -104,6 +111,23 @@ func (t *WGTunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 	return udpMux, nil
 }
 func (t *WGTunDevice) RenewTun(fd int) error {
 	if t.device == nil {
 		return fmt.Errorf("device not initialized")
 	}
 	unmonitoredTUN, _, err := tun.CreateUnmonitoredTUNFromFD(fd)
 	if err != nil {
 		_ = unix.Close(fd)
 		log.Errorf("failed to renew Android interface: %s", err)
 		return err
 	}
 	t.renewableTun.AddDevice(unmonitoredTUN)
 	return nil
 }
 func (t *WGTunDevice) UpdateAddr(addr wgaddr.Address) error {
 	// todo implement
 	return nil
--- a/client/iface/device/device_netstack_android.go
+++ b/client/iface/device/device_netstack_android.go
@@ -2,6 +2,13 @@
 package device
 import "fmt"
 func (t *TunNetstackDevice) Create(routes []string, dns string, searchDomains []string) (WGConfigurer, error) {
 	return t.create()
 }
 func (t *TunNetstackDevice) RenewTun(fd int) error {
 	// Doesn't make sense in Android for Netstack.
 	return fmt.Errorf("this function has not been implemented in Netstack for Android")
 }
--- a/client/iface/device/renewable_tun.go
+++ b/client/iface/device/renewable_tun.go
@@ -0,0 +1,309 @@
 //go:build android
 package device
 import (
 	"io"
 	"os"
 	"sync"
 	"sync/atomic"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun"
 )
 // closeAwareDevice wraps a tun.Device along with a flag
 // indicating whether its Close method was called.
 //
 // It also redirects tun.Device's Events() to a separate goroutine
 // and closes it when Close is called.
 //
 // The WaitGroup and CloseOnce fields are used to ensure that the
 // goroutine is awaited and closed only once.
 type closeAwareDevice struct {
 	isClosed atomic.Bool
 	tun.Device
 	closeEventCh chan struct{}
 	wg           sync.WaitGroup
 	closeOnce    sync.Once
 }
 func newClosableDevice(tunDevice tun.Device) *closeAwareDevice {
 	return &closeAwareDevice{
 		Device:       tunDevice,
 		isClosed:     atomic.Bool{},
 		closeEventCh: make(chan struct{}),
 	}
 }
 // redirectEvents redirects the Events() method of the underlying tun.Device
 // to the given channel (RenewableTUN's events channel).
 func (c *closeAwareDevice) redirectEvents(out chan tun.Event) {
 	c.wg.Add(1)
 	go func() {
 		defer c.wg.Done()
 		for {
 			select {
 			case ev, ok := <-c.Device.Events():
 				if !ok {
 					return
 				}
 				if ev == tun.EventDown {
 					continue
 				}
 				select {
 				case out <- ev:
 				case <-c.closeEventCh:
 					return
 				}
 			case <-c.closeEventCh:
 				return
 			}
 		}
 	}()
 }
 // Close calls the underlying Device's Close method
 // after setting isClosed to true.
 func (c *closeAwareDevice) Close() (err error) {
 	c.closeOnce.Do(func() {
 		c.isClosed.Store(true)
 		close(c.closeEventCh)
 		err = c.Device.Close()
 		c.wg.Wait()
 	})
 	return err
 }
 func (c *closeAwareDevice) IsClosed() bool {
 	return c.isClosed.Load()
 }
 type RenewableTUN struct {
 	devices []*closeAwareDevice
 	mu      sync.Mutex
 	cond    *sync.Cond
 	events  chan tun.Event
 	closed  atomic.Bool
 }
 func NewRenewableTUN() *RenewableTUN {
 	r := &RenewableTUN{
 		devices: make([]*closeAwareDevice, 0),
 		mu:      sync.Mutex{},
 		events:  make(chan tun.Event, 16),
 	}
 	r.cond = sync.NewCond(&r.mu)
 	return r
 }
 func (r *RenewableTUN) File() *os.File {
 	for {
 		dev := r.peekLast()
 		if dev == nil {
 			if !r.waitForDevice() {
 				return nil
 			}
 			continue
 		}
 		file := dev.File()
 		if dev.IsClosed() {
 			time.Sleep(1 * time.Millisecond)
 			continue
 		}
 		return file
 	}
 }
 // Read reads from an underlying tun.Device kept in the r.devices slice.
 // If no device is available, it waits for one to be added via AddDevice().
 //
 // On error, it retries reading from the newest device instead of returning the error
 // if the device is closed; if not, it propagates the error.
 func (r *RenewableTUN) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	for {
 		dev := r.peekLast()
 		if dev == nil {
 			// wait until AddDevice() signals a new device via cond.Broadcast()
 			if !r.waitForDevice() { // returns false if the renewable TUN itself is closed
 				return 0, io.EOF
 			}
 			continue
 		}
 		n, err = dev.Read(bufs, sizes, offset)
 		if err == nil {
 			return n, nil
 		}
 		// swap in progress; retry on the newest instead of returning the error
 		if dev.IsClosed() {
 			time.Sleep(1 * time.Millisecond)
 			continue
 		}
 		return n, err // propagate non-swap error
 	}
 }
 // Write writes to underlying tun.Device kept in the r.devices slice.
 // If no device is available, it waits for one to be added via AddDevice().
 //
 // On error, it retries writing to the newest device instead of returning the error
 // if the device is closed; if not, it propagates the error.
 func (r *RenewableTUN) Write(bufs [][]byte, offset int) (int, error) {
 	for {
 		dev := r.peekLast()
 		if dev == nil {
 			if !r.waitForDevice() {
 				return 0, io.EOF
 			}
 			continue
 		}
 		n, err := dev.Write(bufs, offset)
 		if err == nil {
 			return n, nil
 		}
 		if dev.IsClosed() {
 			time.Sleep(1 * time.Millisecond)
 			continue
 		}
 		return n, err
 	}
 }
 func (r *RenewableTUN) MTU() (int, error) {
 	for {
 		dev := r.peekLast()
 		if dev == nil {
 			if !r.waitForDevice() {
 				return 0, io.EOF
 			}
 			continue
 		}
 		mtu, err := dev.MTU()
 		if err == nil {
 			return mtu, nil
 		}
 		if dev.IsClosed() {
 			time.Sleep(1 * time.Millisecond)
 			continue
 		}
 		return 0, err
 	}
 }
 func (r *RenewableTUN) Name() (string, error) {
 	for {
 		dev := r.peekLast()
 		if dev == nil {
 			if !r.waitForDevice() {
 				return "", io.EOF
 			}
 			continue
 		}
 		name, err := dev.Name()
 		if err == nil {
 			return name, nil
 		}
 		if dev.IsClosed() {
 			time.Sleep(1 * time.Millisecond)
 			continue
 		}
 		return "", err
 	}
 }
 // Events returns a channel that is fed events from the underlying tun.Device's events channel
 // once it is added.
 func (r *RenewableTUN) Events() <-chan tun.Event {
 	return r.events
 }
 func (r *RenewableTUN) Close() error {
 	// Attempts to set the RenewableTUN closed flag to true.
 	// If it's already true, returns immediately.
 	if !r.closed.CompareAndSwap(false, true) {
 		return nil // already closed: idempotent
 	}
 	r.mu.Lock()
 	devices := r.devices
 	r.devices = nil
 	r.cond.Broadcast()
 	r.mu.Unlock()
 	var lastErr error
 	log.Debugf("closing %d devices", len(devices))
 	for _, device := range devices {
 		if err := device.Close(); err != nil {
 			log.Debugf("error closing a device: %v", err)
 			lastErr = err
 		}
 	}
 	close(r.events)
 	return lastErr
 }
 func (r *RenewableTUN) BatchSize() int {
 	return 1
 }
 func (r *RenewableTUN) AddDevice(device tun.Device) {
 	r.mu.Lock()
 	if r.closed.Load() {
 		r.mu.Unlock()
 		_ = device.Close()
 		return
 	}
 	var toClose *closeAwareDevice
 	if len(r.devices) > 0 {
 		toClose = r.devices[len(r.devices)-1]
 	}
 	cad := newClosableDevice(device)
 	cad.redirectEvents(r.events)
 	r.devices = []*closeAwareDevice{cad}
 	r.cond.Broadcast()
 	r.mu.Unlock()
 	if toClose != nil {
 		if err := toClose.Close(); err != nil {
 			log.Debugf("error closing last device: %v", err)
 		}
 	}
 }
 func (r *RenewableTUN) waitForDevice() bool {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	for len(r.devices) == 0 && !r.closed.Load() {
 		r.cond.Wait()
 	}
 	return !r.closed.Load()
 }
 func (r *RenewableTUN) peekLast() *closeAwareDevice {
 	r.mu.Lock()
 	defer r.mu.Unlock()
 	if len(r.devices) == 0 {
 		return nil
 	}
 	return r.devices[len(r.devices)-1]
 }
--- a/client/iface/device_android.go
+++ b/client/iface/device_android.go
@@ -21,5 +21,6 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
 	RenewTun(fd int) error
 	GetICEBind() device.EndpointManager
 }
--- a/client/iface/iface_create.go
+++ b/client/iface/iface_create.go
@@ -24,3 +24,7 @@ func (w *WGIface) Create() error {
 func (w *WGIface) CreateOnAndroid([]string, string, []string) error {
 	return fmt.Errorf("this function has not implemented on non mobile")
 }
 func (w *WGIface) RenewTun(fd int) error {
 	return fmt.Errorf("this function has not been implemented on non-android")
 }
--- a/client/iface/iface_create_android.go
+++ b/client/iface/iface_create_android.go
@@ -6,6 +6,7 @@ import (
 // CreateOnAndroid creates a new Wireguard interface, sets a given IP and brings it up.
 // Will reuse an existing one.
 // todo: review does this function really necessary or can we merge it with iOS
 func (w *WGIface) CreateOnAndroid(routes []string, dns string, searchDomains []string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
@@ -22,3 +23,9 @@ func (w *WGIface) CreateOnAndroid(routes []string, dns string, searchDomains []s
 func (w *WGIface) Create() error {
 	return fmt.Errorf("this function has not implemented on this platform")
 }
 func (w *WGIface) RenewTun(fd int) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 	return w.tun.RenewTun(fd)
 }
--- a/client/iface/iface_create_darwin.go
+++ b/client/iface/iface_create_darwin.go
@@ -39,3 +39,7 @@ func (w *WGIface) Create() error {
 func (w *WGIface) CreateOnAndroid([]string, string, []string) error {
 	return fmt.Errorf("this function has not implemented on this platform")
 }
 func (w *WGIface) RenewTun(fd int) error {
 	return fmt.Errorf("this function has not been implemented on this platform")
 }
--- a/client/iface/iface_test.go
+++ b/client/iface/iface_test.go
@@ -1,6 +1,7 @@
 package iface
 import (
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
@@ -9,13 +10,13 @@ import (
 	"time"
 	"github.com/google/uuid"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 // keep darwin compatibility
@@ -40,7 +41,7 @@ func TestWGIface_UpdateAddr(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	addr := "100.64.0.1/8"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -123,7 +124,7 @@ func getIfaceAddrs(ifaceName string) ([]net.Addr, error) {
 func Test_CreateInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
 	wgIP := "10.99.99.1/32"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -166,7 +167,7 @@ func Test_Close(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 	wgIP := "10.99.99.2/32"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -211,7 +212,7 @@ func TestRecreation(t *testing.T) {
 			ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 			wgIP := "10.99.99.2/32"
 			wgPort := 33100
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -284,7 +285,7 @@ func Test_ConfigureInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
 	wgIP := "10.99.99.5/30"
 	wgPort := 33100
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -339,7 +340,7 @@ func Test_ConfigureInterface(t *testing.T) {
 func Test_UpdatePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.9/30"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -409,7 +410,7 @@ func Test_UpdatePeer(t *testing.T) {
 func Test_RemovePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.13/30"
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -471,7 +472,7 @@ func Test_ConnectPeers(t *testing.T) {
 	peer2wgPort := 33200
 	keepAlive := 1 * time.Second
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -514,7 +515,7 @@ func Test_ConnectPeers(t *testing.T) {
 	guid = fmt.Sprintf("{%s}", uuid.New().String())
 	device.CustomWindowsGUIDString = strings.ToLower(guid)
-	newNet, err = stdnet.NewNet()
+	newNet, err = stdnet.NewNet(context.Background(), nil)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/iface/udpmux/mux.go
+++ b/client/iface/udpmux/mux.go
@@ -1,6 +1,7 @@
 package udpmux
 import (
 	"context"
 	"fmt"
 	"io"
 	"net"
@@ -12,8 +13,9 @@ import (
 	"github.com/pion/logging"
 	"github.com/pion/stun/v3"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 /*
@@ -199,7 +201,7 @@ func (m *SingleSocketUDPMux) updateLocalAddresses() {
 		if len(networks) > 0 {
 			if m.params.Net == nil {
 				var err error
-				if m.params.Net, err = stdnet.NewNet(); err != nil {
+				if m.params.Net, err = stdnet.NewNet(context.Background(), nil); err != nil {
 					m.params.Logger.Errorf("failed to get create network: %v", err)
 				}
 			}
--- a/client/internal/auth/device_flow.go
+++ b/client/internal/auth/device_flow.go
@@ -128,9 +128,34 @@ func (d *DeviceAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlow
 		deviceCode.VerificationURIComplete = deviceCode.VerificationURI
 	}
 	if d.providerConfig.LoginHint != "" {
 		deviceCode.VerificationURIComplete = appendLoginHint(deviceCode.VerificationURIComplete, d.providerConfig.LoginHint)
 		if deviceCode.VerificationURI != "" {
 			deviceCode.VerificationURI = appendLoginHint(deviceCode.VerificationURI, d.providerConfig.LoginHint)
 		}
 	}
 	return deviceCode, err
 }
 func appendLoginHint(uri, loginHint string) string {
 	if uri == "" || loginHint == "" {
 		return uri
 	}
 	parsedURL, err := url.Parse(uri)
 	if err != nil {
 		log.Debugf("failed to parse verification URI for login_hint: %v", err)
 		return uri
 	}
 	query := parsedURL.Query()
 	query.Set("login_hint", loginHint)
 	parsedURL.RawQuery = query.Encode()
 	return parsedURL.String()
 }
 func (d *DeviceAuthorizationFlow) requestToken(info AuthFlowInfo) (TokenRequestResponse, error) {
 	form := url.Values{}
 	form.Add("client_id", d.providerConfig.ClientID)
--- a/client/internal/auth/oauth.go
+++ b/client/internal/auth/oauth.go
@@ -60,38 +60,45 @@ func (t TokenInfo) GetTokenToUse() string {
 	return t.AccessToken
 }
 func shouldUseDeviceFlow(force bool, isUnixDesktopClient bool) bool {
 	return force || (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient
 }
 // NewOAuthFlow initializes and returns the appropriate OAuth flow based on the management configuration
 //
 // It starts by initializing the PKCE.If this process fails, it resorts to the Device Code Flow,
 // and if that also fails, the authentication process is deemed unsuccessful
 //
 // On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
-func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
+// forceDeviceCodeFlow can be used to skip PKCE and go directly to Device Code Flow (e.g., for Android TV)
-	if (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient {
+func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesktopClient bool, forceDeviceCodeFlow bool, hint string) (OAuthFlow, error) {
-		return authenticateWithDeviceCodeFlow(ctx, config)
+	if shouldUseDeviceFlow(forceDeviceCodeFlow, isUnixDesktopClient) {
 		return authenticateWithDeviceCodeFlow(ctx, config, hint)
 	}
-	pkceFlow, err := authenticateWithPKCEFlow(ctx, config)
+	pkceFlow, err := authenticateWithPKCEFlow(ctx, config, hint)
 	if err != nil {
 		// fallback to device code flow
 		log.Debugf("failed to initialize pkce authentication with error: %v\n", err)
 		log.Debug("falling back to device code flow")
-		return authenticateWithDeviceCodeFlow(ctx, config)
+		return authenticateWithDeviceCodeFlow(ctx, config, hint)
 	}
 	return pkceFlow, nil
 }
 // authenticateWithPKCEFlow initializes the Proof Key for Code Exchange flow auth flow
-func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
+func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
 	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL, config.ClientCertKeyPair)
 	if err != nil {
 		return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
 	}
 	pkceFlowInfo.ProviderConfig.LoginHint = hint
 	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
 }
 // authenticateWithDeviceCodeFlow initializes the Device Code auth Flow
-func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config) (OAuthFlow, error) {
+func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
 	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
 		switch s, ok := gstatus.FromError(err); {
@@ -107,5 +114,7 @@ func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.
 		}
 	}
 	deviceFlowInfo.ProviderConfig.LoginHint = hint
 	return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
 }
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -13,6 +13,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -21,6 +22,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/templates"
 	"github.com/netbirdio/netbird/shared/management/client/common"
 )
 var _ OAuthFlow = &PKCEAuthorizationFlow{}
@@ -46,9 +48,10 @@ type PKCEAuthorizationFlow struct {
 func NewPKCEAuthorizationFlow(config internal.PKCEAuthProviderConfig) (*PKCEAuthorizationFlow, error) {
 	var availableRedirectURL string
-	// find the first available redirect URL
+	excludedRanges := getSystemExcludedPortRanges()
 	for _, redirectURL := range config.RedirectURLs {
-		if !isRedirectURLPortUsed(redirectURL) {
+		if !isRedirectURLPortUsed(redirectURL, excludedRanges) {
 			availableRedirectURL = redirectURL
 			break
 		}
@@ -102,13 +105,16 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 		oauth2.SetAuthURLParam("audience", p.providerConfig.Audience),
 	}
 	if !p.providerConfig.DisablePromptLogin {
-		if p.providerConfig.LoginFlag.IsPromptLogin() {
+		switch p.providerConfig.LoginFlag {
 		case common.LoginFlagPromptLogin:
 			params = append(params, oauth2.SetAuthURLParam("prompt", "login"))
-		}
+		case common.LoginFlagMaxAge0:
 		if p.providerConfig.LoginFlag.IsMaxAge0Login() {
 			params = append(params, oauth2.SetAuthURLParam("max_age", "0"))
 		}
 	}
 	if p.providerConfig.LoginHint != "" {
 		params = append(params, oauth2.SetAuthURLParam("login_hint", p.providerConfig.LoginHint))
 	}
 	authURL := p.oAuthConfig.AuthCodeURL(state, params...)
@@ -189,17 +195,20 @@ func (p *PKCEAuthorizationFlow) handleRequest(req *http.Request) (*oauth2.Token,
 	if authError := query.Get(queryError); authError != "" {
 		authErrorDesc := query.Get(queryErrorDesc)
-		return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
+		if authErrorDesc != "" {
 			return nil, fmt.Errorf("authentication failed: %s", authErrorDesc)
 		}
 		return nil, fmt.Errorf("authentication failed: %s", authError)
 	}
 	// Prevent timing attacks on the state
 	if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
-		return nil, fmt.Errorf("invalid state")
+		return nil, fmt.Errorf("authentication failed: Invalid state")
 	}
 	code := query.Get(queryCode)
 	if code == "" {
-		return nil, fmt.Errorf("missing code")
+		return nil, fmt.Errorf("authentication failed: missing code")
 	}
 	return p.oAuthConfig.Exchange(
@@ -228,7 +237,7 @@ func (p *PKCEAuthorizationFlow) parseOAuthToken(token *oauth2.Token) (TokenInfo,
 	}
 	if err := isValidAccessToken(tokenInfo.GetTokenToUse(), audience); err != nil {
-		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+		return TokenInfo{}, fmt.Errorf("authentication failed: invalid access token - %w", err)
 	}
 	email, err := parseEmailFromIDToken(tokenInfo.IDToken)
@@ -276,15 +285,22 @@ func createCodeChallenge(codeVerifier string) string {
 	return base64.RawURLEncoding.EncodeToString(sha2[:])
 }
-// isRedirectURLPortUsed checks if the port used in the redirect URL is in use.
+// isRedirectURLPortUsed checks if the port used in the redirect URL is in use or excluded on Windows.
-func isRedirectURLPortUsed(redirectURL string) bool {
+func isRedirectURLPortUsed(redirectURL string, excludedRanges []excludedPortRange) bool {
 	parsedURL, err := url.Parse(redirectURL)
 	if err != nil {
 		log.Errorf("failed to parse redirect URL: %v", err)
 		return true
 	}
-	addr := fmt.Sprintf(":%s", parsedURL.Port())
+	port := parsedURL.Port()
 	if isPortInExcludedRange(port, excludedRanges) {
 		log.Warnf("port %s is in Windows excluded port range, skipping", port)
 		return true
 	}
 	addr := fmt.Sprintf(":%s", port)
 	conn, err := net.DialTimeout("tcp", addr, 3*time.Second)
 	if err != nil {
 		return false
@@ -298,6 +314,33 @@ func isRedirectURLPortUsed(redirectURL string) bool {
 	return true
 }
 // excludedPortRange represents a range of excluded ports.
 type excludedPortRange struct {
 	start int
 	end   int
 }
 // isPortInExcludedRange checks if the given port is in any of the excluded ranges.
 func isPortInExcludedRange(port string, excludedRanges []excludedPortRange) bool {
 	if len(excludedRanges) == 0 {
 		return false
 	}
 	portNum, err := strconv.Atoi(port)
 	if err != nil {
 		log.Debugf("invalid port number %s: %v", port, err)
 		return false
 	}
 	for _, r := range excludedRanges {
 		if portNum >= r.start && portNum <= r.end {
 			return true
 		}
 	}
 	return false
 }
 func renderPKCEFlowTmpl(w http.ResponseWriter, authError error) {
 	tmpl, err := template.New("pkce-auth-flow").Parse(templates.PKCEAuthMsgTmpl)
 	if err != nil {
--- a/client/internal/auth/pkce_flow_other.go
+++ b/client/internal/auth/pkce_flow_other.go
@@ -0,0 +1,8 @@
 //go:build !windows
 package auth
 // getSystemExcludedPortRanges returns nil on non-Windows platforms.
 func getSystemExcludedPortRanges() []excludedPortRange {
 	return nil
 }
--- a/client/internal/auth/pkce_flow_test.go
+++ b/client/internal/auth/pkce_flow_test.go
@@ -2,8 +2,11 @@ package auth
 import (
 	"context"
 	"fmt"
 	"net"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal"
@@ -20,22 +23,28 @@ func TestPromptLogin(t *testing.T) {
 		name               string
 		loginFlag          mgm.LoginFlag
 		disablePromptLogin bool
-		expect             string
+		expectContains     []string
 	}{
 		{
-			name:      "Prompt login",
+			name:           "Prompt login",
-			loginFlag: mgm.LoginFlagPrompt,
+			loginFlag:      mgm.LoginFlagPromptLogin,
-			expect:    promptLogin,
+			expectContains: []string{promptLogin},
 		},
 		{
-			name:      "Max age 0 login",
+			name:           "Max age 0",
-			loginFlag: mgm.LoginFlagMaxAge0,
+			loginFlag:      mgm.LoginFlagMaxAge0,
-			expect:    maxAge0,
+			expectContains: []string{maxAge0},
 		},
 		{
 			name:               "Disable prompt login",
-			loginFlag:          mgm.LoginFlagPrompt,
+			loginFlag:          mgm.LoginFlagPromptLogin,
 			disablePromptLogin: true,
 			expectContains:     []string{},
 		},
 		{
 			name:           "None flag should not add parameters",
 			loginFlag:      mgm.LoginFlagNone,
 			expectContains: []string{},
 		},
 	}
@@ -50,6 +59,7 @@ func TestPromptLogin(t *testing.T) {
 				RedirectURLs:          []string{"http://127.0.0.1:33992/"},
 				UseIDToken:            true,
 				LoginFlag:             tc.loginFlag,
 				DisablePromptLogin:    tc.disablePromptLogin,
 			}
 			pkce, err := NewPKCEAuthorizationFlow(config)
 			if err != nil {
@@ -60,12 +70,153 @@ func TestPromptLogin(t *testing.T) {
 				t.Fatalf("Failed to request auth info: %v", err)
 			}
-			if !tc.disablePromptLogin {
+			for _, expected := range tc.expectContains {
-				require.Contains(t, authInfo.VerificationURIComplete, tc.expect)
+				require.Contains(t, authInfo.VerificationURIComplete, expected)
 			} else {
 				require.Contains(t, authInfo.VerificationURIComplete, promptLogin)
 				require.NotContains(t, authInfo.VerificationURIComplete, maxAge0)
 			}
 		})
 	}
 }
 func TestIsPortInExcludedRange(t *testing.T) {
 	tests := []struct {
 		name            string
 		port            string
 		excludedRanges  []excludedPortRange
 		expectedBlocked bool
 	}{
 		{
 			name:            "Port in excluded range",
 			port:            "8080",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: true,
 		},
 		{
 			name:            "Port at start of range",
 			port:            "8000",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: true,
 		},
 		{
 			name:            "Port at end of range",
 			port:            "8100",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: true,
 		},
 		{
 			name:            "Port before range",
 			port:            "7999",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: false,
 		},
 		{
 			name:            "Port after range",
 			port:            "8101",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: false,
 		},
 		{
 			name:            "Empty excluded ranges",
 			port:            "8080",
 			excludedRanges:  []excludedPortRange{},
 			expectedBlocked: false,
 		},
 		{
 			name:            "Nil excluded ranges",
 			port:            "8080",
 			excludedRanges:  nil,
 			expectedBlocked: false,
 		},
 		{
 			name: "Multiple ranges - port in second range",
 			port: "9050",
 			excludedRanges: []excludedPortRange{
 				{start: 8000, end: 8100},
 				{start: 9000, end: 9100},
 			},
 			expectedBlocked: true,
 		},
 		{
 			name: "Multiple ranges - port not in any range",
 			port: "8500",
 			excludedRanges: []excludedPortRange{
 				{start: 8000, end: 8100},
 				{start: 9000, end: 9100},
 			},
 			expectedBlocked: false,
 		},
 		{
 			name:            "Invalid port string",
 			port:            "invalid",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: false,
 		},
 		{
 			name:            "Empty port string",
 			port:            "",
 			excludedRanges:  []excludedPortRange{{start: 8000, end: 8100}},
 			expectedBlocked: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := isPortInExcludedRange(tt.port, tt.excludedRanges)
 			assert.Equal(t, tt.expectedBlocked, result, "Port exclusion check mismatch")
 		})
 	}
 }
 func TestIsRedirectURLPortUsed(t *testing.T) {
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
 	defer func() {
 		_ = listener.Close()
 	}()
 	usedPort := listener.Addr().(*net.TCPAddr).Port
 	tests := []struct {
 		name           string
 		redirectURL    string
 		excludedRanges []excludedPortRange
 		expectedUsed   bool
 	}{
 		{
 			name:           "Port in excluded range",
 			redirectURL:    "http://127.0.0.1:8080/",
 			excludedRanges: []excludedPortRange{{start: 8000, end: 8100}},
 			expectedUsed:   true,
 		},
 		{
 			name:           "Port actually in use",
 			redirectURL:    fmt.Sprintf("http://127.0.0.1:%d/", usedPort),
 			excludedRanges: nil,
 			expectedUsed:   true,
 		},
 		{
 			name:           "Port not in use and not excluded",
 			redirectURL:    "http://127.0.0.1:65432/",
 			excludedRanges: nil,
 			expectedUsed:   false,
 		},
 		{
 			name:           "Invalid URL without port",
 			redirectURL:    "not-a-valid-url",
 			excludedRanges: nil,
 			expectedUsed:   false,
 		},
 		{
 			name:           "Port excluded even if not in use",
 			redirectURL:    "http://127.0.0.1:8050/",
 			excludedRanges: []excludedPortRange{{start: 8000, end: 8100}},
 			expectedUsed:   true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			result := isRedirectURLPortUsed(tt.redirectURL, tt.excludedRanges)
 			assert.Equal(t, tt.expectedUsed, result, "Port usage check mismatch")
 		})
 	}
 }
--- a/client/internal/auth/pkce_flow_windows.go
+++ b/client/internal/auth/pkce_flow_windows.go
@@ -0,0 +1,86 @@
 //go:build windows
 package auth
 import (
 	"bufio"
 	"fmt"
 	"os/exec"
 	"strconv"
 	"strings"
 	log "github.com/sirupsen/logrus"
 )
 // getSystemExcludedPortRanges retrieves the excluded port ranges from Windows using netsh.
 func getSystemExcludedPortRanges() []excludedPortRange {
 	ranges, err := getExcludedPortRangesFromNetsh()
 	if err != nil {
 		log.Debugf("failed to get Windows excluded port ranges: %v", err)
 		return nil
 	}
 	return ranges
 }
 // getExcludedPortRangesFromNetsh retrieves excluded port ranges using netsh command.
 func getExcludedPortRangesFromNetsh() ([]excludedPortRange, error) {
 	cmd := exec.Command("netsh", "interface", "ipv4", "show", "excludedportrange", "protocol=tcp")
 	output, err := cmd.Output()
 	if err != nil {
 		return nil, fmt.Errorf("netsh command: %w", err)
 	}
 	return parseExcludedPortRanges(string(output))
 }
 // parseExcludedPortRanges parses the output of the netsh command to extract port ranges.
 func parseExcludedPortRanges(output string) ([]excludedPortRange, error) {
 	var ranges []excludedPortRange
 	scanner := bufio.NewScanner(strings.NewReader(output))
 	foundHeader := false
 	for scanner.Scan() {
 		line := strings.TrimSpace(scanner.Text())
 		if strings.Contains(line, "Start Port") && strings.Contains(line, "End Port") {
 			foundHeader = true
 			continue
 		}
 		if !foundHeader {
 			continue
 		}
 		if strings.Contains(line, "----------") {
 			continue
 		}
 		if line == "" {
 			continue
 		}
 		fields := strings.Fields(line)
 		if len(fields) < 2 {
 			continue
 		}
 		startPort, err := strconv.Atoi(fields[0])
 		if err != nil {
 			continue
 		}
 		endPort, err := strconv.Atoi(fields[1])
 		if err != nil {
 			continue
 		}
 		ranges = append(ranges, excludedPortRange{start: startPort, end: endPort})
 	}
 	if err := scanner.Err(); err != nil {
 		return nil, fmt.Errorf("scan output: %w", err)
 	}
 	return ranges, nil
 }
--- a/client/internal/auth/pkce_flow_windows_test.go
+++ b/client/internal/auth/pkce_flow_windows_test.go
@@ -0,0 +1,116 @@
 //go:build windows
 package auth
 import (
 	"fmt"
 	"net"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal"
 )
 func TestParseExcludedPortRanges(t *testing.T) {
 	tests := []struct {
 		name           string
 		netshOutput    string
 		expectedRanges []excludedPortRange
 		expectError    bool
 	}{
 		{
 			name: "Valid netsh output with multiple ranges",
 			netshOutput: `
 Protocol tcp Dynamic Port Range
 ---------------------------------
 Start Port      : 49152
 Number of Ports : 16384
 Protocol tcp Excluded Port Ranges
 ---------------------------------
 Start Port    End Port
 ----------    --------
     5357        5357      *
    50000       50059      *
 `,
 			expectedRanges: []excludedPortRange{
 				{start: 5357, end: 5357},
 				{start: 50000, end: 50059},
 			},
 			expectError: false,
 		},
 		{
 			name: "Empty output",
 			netshOutput: `
 Protocol tcp Dynamic Port Range
 ---------------------------------
 Start Port      : 49152
 Number of Ports : 16384
 `,
 			expectedRanges: nil,
 			expectError:    false,
 		},
 		{
 			name: "Single range",
 			netshOutput: `
 Protocol tcp Excluded Port Ranges
 ---------------------------------
 Start Port    End Port
 ----------    --------
     8080        8090
 `,
 			expectedRanges: []excludedPortRange{
 				{start: 8080, end: 8090},
 			},
 			expectError: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ranges, err := parseExcludedPortRanges(tt.netshOutput)
 			if tt.expectError {
 				assert.Error(t, err)
 			} else {
 				require.NoError(t, err)
 				assert.Equal(t, tt.expectedRanges, ranges)
 			}
 		})
 	}
 }
 func TestNewPKCEAuthorizationFlow_WithActualExcludedPorts(t *testing.T) {
 	ranges := getSystemExcludedPortRanges()
 	t.Logf("Found %d excluded port ranges on this system", len(ranges))
 	listener1, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
 	defer func() {
 		_ = listener1.Close()
 	}()
 	usedPort1 := listener1.Addr().(*net.TCPAddr).Port
 	availablePort := 65432
 	config := internal.PKCEAuthProviderConfig{
 		ClientID:              "test-client-id",
 		Audience:              "test-audience",
 		TokenEndpoint:         "https://test-token-endpoint.com/token",
 		Scope:                 "openid email profile",
 		AuthorizationEndpoint: "https://test-auth-endpoint.com/authorize",
 		RedirectURLs: []string{
 			fmt.Sprintf("http://127.0.0.1:%d/", usedPort1),
 			fmt.Sprintf("http://127.0.0.1:%d/", availablePort),
 		},
 		UseIDToken: true,
 	}
 	flow, err := NewPKCEAuthorizationFlow(config)
 	require.NoError(t, err)
 	require.NotNil(t, flow)
 	assert.Contains(t, flow.oAuthConfig.RedirectURL, fmt.Sprintf(":%d", availablePort),
 		"Should skip port in use and select available port")
 }
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -74,6 +74,7 @@ func (c *ConnectClient) RunOnAndroid(
 	networkChangeListener listener.NetworkChangeListener,
 	dnsAddresses []netip.AddrPort,
 	dnsReadyListener dns.ReadyListener,
 	stateFilePath string,
 ) error {
 	// in case of non Android os these variables will be nil
 	mobileDependency := MobileDependency{
@@ -82,6 +83,7 @@ func (c *ConnectClient) RunOnAndroid(
 		NetworkChangeListener: networkChangeListener,
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil)
 }
@@ -271,11 +273,12 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		checks := loginResp.GetChecks()
 		c.engineMutex.Lock()
-		c.engine = NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks)
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks)
-		c.engine.SetSyncResponsePersistence(c.persistSyncResponse)
+		engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engine = engine
 		c.engineMutex.Unlock()
-		if err := c.engine.Start(loginResp.GetNetbirdConfig(), c.config.ManagementURL); err != nil {
+		if err := engine.Start(loginResp.GetNetbirdConfig(), c.config.ManagementURL); err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}
@@ -291,12 +294,14 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		<-engineCtx.Done()
 		c.engineMutex.Lock()
 		engine := c.engine
 		c.engine = nil
 		c.engineMutex.Unlock()
-		if engine != nil && engine.wgInterface != nil {
+		// todo: consider to remove this condition. Is not thread safe.
 		// We should always call Stop(), but we need to verify that it is idempotent
 		if engine.wgInterface != nil {
 			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())
 			if err := engine.Stop(); err != nil {
 				log.Errorf("Failed to stop engine: %v", err)
 			}
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -44,6 +44,8 @@ interfaces.txt: Anonymized network interface information, if --system-info flag
 ip_rules.txt: Detailed IP routing rules in tabular format including priority, source, destination, interfaces, table, and action information (Linux only), if --system-info flag was provided.
 iptables.txt: Anonymized iptables rules with packet counters, if --system-info flag was provided.
 nftables.txt: Anonymized nftables rules with packet counters, if --system-info flag was provided.
 resolv.conf: DNS resolver configuration from /etc/resolv.conf (Unix systems only), if --system-info flag was provided.
 scutil_dns.txt: DNS configuration from scutil --dns (macOS only), if --system-info flag was provided.
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
@@ -184,6 +186,20 @@ The ip_rules.txt file contains detailed IP routing rule information:
 The table format provides comprehensive visibility into the IP routing decision process, including how traffic is directed to different routing tables based on various criteria. This is valuable for troubleshooting advanced routing configurations and policy-based routing.
 For anonymized rules, IP addresses and prefixes are replaced as described above. Interface names are anonymized using string anonymization. Table names, actions, and other non-sensitive information remain unchanged.
 DNS Configuration
 The debug bundle includes platform-specific DNS configuration files:
 resolv.conf (Unix systems):
 - Contains DNS resolver configuration from /etc/resolv.conf
 - Includes nameserver entries, search domains, and resolver options
 - All IP addresses and domain names are anonymized following the same rules as other files
 scutil_dns.txt (macOS only):
 - Contains detailed DNS configuration from scutil --dns
 - Shows DNS configuration for all network interfaces
 - Includes search domains, nameservers, and DNS resolver settings
 - All IP addresses and domain names are anonymized
 `
 const (
@@ -357,6 +373,10 @@ func (g *BundleGenerator) addSystemInfo() {
 	if err := g.addFirewallRules(); err != nil {
 		log.Errorf("failed to add firewall rules to debug bundle: %v", err)
 	}
 	if err := g.addDNSInfo(); err != nil {
 		log.Errorf("failed to add DNS info to debug bundle: %v", err)
 	}
 }
 func (g *BundleGenerator) addReadme() error {
--- a/client/internal/debug/debug_darwin.go
+++ b/client/internal/debug/debug_darwin.go
@@ -0,0 +1,53 @@
 //go:build darwin && !ios
 package debug
 import (
 	"bytes"
 	"context"
 	"fmt"
 	"os/exec"
 	"strings"
 	"time"
 	log "github.com/sirupsen/logrus"
 )
 // addDNSInfo collects and adds DNS configuration information to the archive
 func (g *BundleGenerator) addDNSInfo() error {
 	if err := g.addResolvConf(); err != nil {
 		log.Errorf("failed to add resolv.conf: %v", err)
 	}
 	if err := g.addScutilDNS(); err != nil {
 		log.Errorf("failed to add scutil DNS output: %v", err)
 	}
 	return nil
 }
 func (g *BundleGenerator) addScutilDNS() error {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 	cmd := exec.CommandContext(ctx, "scutil", "--dns")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		return fmt.Errorf("execute scutil --dns: %w", err)
 	}
 	if len(bytes.TrimSpace(output)) == 0 {
 		return fmt.Errorf("no scutil DNS output")
 	}
 	content := string(output)
 	if g.anonymize {
 		content = g.anonymizer.AnonymizeString(content)
 	}
 	if err := g.addFileToZip(strings.NewReader(content), "scutil_dns.txt"); err != nil {
 		return fmt.Errorf("add scutil DNS output to zip: %w", err)
 	}
 	return nil
 }
--- a/client/internal/debug/debug_mobile.go
+++ b/client/internal/debug/debug_mobile.go
@@ -5,3 +5,7 @@ package debug
 func (g *BundleGenerator) addRoutes() error {
 	return nil
 }
 func (g *BundleGenerator) addDNSInfo() error {
 	return nil
 }
--- a/client/internal/debug/debug_nondarwin.go
+++ b/client/internal/debug/debug_nondarwin.go
@@ -0,0 +1,16 @@
 //go:build unix && !darwin && !android
 package debug
 import (
 	log "github.com/sirupsen/logrus"
 )
 // addDNSInfo collects and adds DNS configuration information to the archive
 func (g *BundleGenerator) addDNSInfo() error {
 	if err := g.addResolvConf(); err != nil {
 		log.Errorf("failed to add resolv.conf: %v", err)
 	}
 	return nil
 }
--- a/client/internal/debug/debug_nonunix.go
+++ b/client/internal/debug/debug_nonunix.go
@@ -0,0 +1,7 @@
 //go:build !unix
 package debug
 func (g *BundleGenerator) addDNSInfo() error {
 	return nil
 }
--- a/client/internal/debug/debug_unix.go
+++ b/client/internal/debug/debug_unix.go
@@ -0,0 +1,29 @@
 //go:build unix && !android
 package debug
 import (
 	"fmt"
 	"os"
 	"strings"
 )
 const resolvConfPath = "/etc/resolv.conf"
 func (g *BundleGenerator) addResolvConf() error {
 	data, err := os.ReadFile(resolvConfPath)
 	if err != nil {
 		return fmt.Errorf("read %s: %w", resolvConfPath, err)
 	}
 	content := string(data)
 	if g.anonymize {
 		content = g.anonymizer.AnonymizeString(content)
 	}
 	if err := g.addFileToZip(strings.NewReader(content), "resolv.conf"); err != nil {
 		return fmt.Errorf("add resolv.conf to zip: %w", err)
 	}
 	return nil
 }
--- a/client/internal/device_auth.go
+++ b/client/internal/device_auth.go
@@ -38,6 +38,8 @@ type DeviceAuthProviderConfig struct {
 	Scope string
 	// UseIDToken indicates if the id token should be used for authentication
 	UseIDToken bool
 	// LoginHint is used to pre-fill the email/username field during authentication
 	LoginHint string
 }
 // GetDeviceAuthorizationFlowInfo initialize a DeviceAuthorizationFlow instance and return with it
--- a/client/internal/dns.go
+++ b/client/internal/dns.go
@@ -76,6 +76,9 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 	var records []nbdns.SimpleRecord
 	for _, zone := range config.CustomZones {
 		if zone.SkipPTRProcess {
 			continue
 		}
 		for _, record := range zone.Records {
 			if record.Type != int(dns.TypeA) {
 				continue
@@ -106,8 +109,9 @@ func addReverseZone(config *nbdns.Config, network netip.Prefix) {
 	records := collectPTRRecords(config, network)
 	reverseZone := nbdns.CustomZone{
-		Domain:  zoneName,
+		Domain:               zoneName,
-		Records: records,
+		Records:              records,
 		SearchDomainDisabled: true,
 	}
 	config.CustomZones = append(config.CustomZones, reverseZone)
--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -11,11 +11,6 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 const (
 	ipv4ReverseZone = ".in-addr.arpa."
 	ipv6ReverseZone = ".ip6.arpa."
 )
 type hostManager interface {
 	applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error
 	restoreHostDNS() error
@@ -110,10 +105,9 @@ func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip netip.Addr, port int) H
 	}
 	for _, customZone := range dnsConfig.CustomZones {
 		matchOnly := strings.HasSuffix(customZone.Domain, ipv4ReverseZone) || strings.HasSuffix(customZone.Domain, ipv6ReverseZone)
 		config.Domains = append(config.Domains, DomainConfig{
 			Domain:    strings.ToLower(dns.Fqdn(customZone.Domain)),
-			MatchOnly: matchOnly,
+			MatchOnly: customZone.SearchDomainDisabled,
 		})
 	}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -335,7 +335,7 @@ func TestUpdateDNSServer(t *testing.T) {
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			privKey, _ := wgtypes.GenerateKey()
-			newNet, err := stdnet.NewNet(nil)
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -434,7 +434,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"})
 	if err != nil {
 		t.Errorf("create stdnet: %v", err)
 		return
@@ -915,7 +915,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	newNet, err := stdnet.NewNet([]string{"utun2301"})
+	newNet, err := stdnet.NewNet(context.Background(), []string{"utun2301"})
 	if err != nil {
 		t.Fatalf("create stdnet: %v", err)
 		return nil, err
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -197,7 +197,7 @@ func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.Add
 		timeoutMsg += " " + peerInfo
 	}
 	timeoutMsg += fmt.Sprintf(" - error: %v", err)
-	logger.Warnf(timeoutMsg)
+	logger.Warn(timeoutMsg)
 }
 func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, logger *log.Entry) bool {
--- a/client/internal/dnsfwd/forwarder.go
+++ b/client/internal/dnsfwd/forwarder.go
@@ -234,6 +234,11 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns
 		return nil
 	}
 	// Unmap IPv4-mapped IPv6 addresses that some resolvers may return
 	for i, ip := range ips {
 		ips[i] = ip.Unmap()
 	}
 	f.updateInternalState(ips, mostSpecificResId, matchingEntries)
 	f.addIPsToResponse(resp, domain, ips)
 	f.cache.set(domain, question.Qtype, ips)
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -255,7 +255,7 @@ func NewEngine(
 	sm := profilemanager.NewServiceManager("")
 	path := sm.GetStatePath()
-	if runtime.GOOS == "ios" {
+	if runtime.GOOS == "ios" || runtime.GOOS == "android" {
 		if !fileExists(mobileDep.StateFilePath) {
 			err := createFile(mobileDep.StateFilePath)
 			if err != nil {
@@ -280,7 +280,6 @@ func (e *Engine) Stop() error {
 		return nil
 	}
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 	if e.connMgr != nil {
 		e.connMgr.Close()
@@ -298,9 +297,6 @@ func (e *Engine) Stop() error {
 	e.cleanupSSHConfig()
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()
 	if e.ingressGatewayMgr != nil {
 		if err := e.ingressGatewayMgr.Close(); err != nil {
 			log.Warnf("failed to cleanup forward rules: %v", err)
@@ -308,24 +304,29 @@ func (e *Engine) Stop() error {
 		e.ingressGatewayMgr = nil
 	}
 	e.stopDNSForwarder()
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}
 	log.Info("cleaning up status recorder states")
 	e.statusRecorder.ReplaceOfflinePeers([]peer.State{})
 	e.statusRecorder.UpdateDNSStates([]peer.NSGroupState{})
 	e.statusRecorder.UpdateRelayStates([]relay.ProbeResult{})
 	if err := e.removeAllPeers(); err != nil {
-		return fmt.Errorf("failed to remove all peers: %s", err)
+		log.Errorf("failed to remove all peers: %s", err)
 	}
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
 	e.stopDNSForwarder()
 	// stop/restore DNS after peers are closed but before interface goes down
 	// so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()
 	if e.cancel != nil {
 		e.cancel()
 	}
@@ -337,16 +338,18 @@ func (e *Engine) Stop() error {
 		e.flowManager.Close()
 	}
-	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	stateCtx, stateCancel := context.WithTimeout(context.Background(), 3*time.Second)
-	defer cancel()
+	defer stateCancel()
-	if err := e.stateManager.Stop(ctx); err != nil {
+	if err := e.stateManager.Stop(stateCtx); err != nil {
-		return fmt.Errorf("failed to stop state manager: %w", err)
+		log.Errorf("failed to stop state manager: %v", err)
 	}
 	if err := e.stateManager.PersistState(context.Background()); err != nil {
 		log.Errorf("failed to persist state: %v", err)
 	}
 	e.syncMsgMux.Unlock()
 	timeout := e.calculateShutdownTimeout()
 	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
 	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
@@ -432,8 +435,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		if err != nil {
 			return fmt.Errorf("create rosenpass manager: %w", err)
 		}
-		err := e.rpManager.Run()
+		if err := e.rpManager.Run(); err != nil {
 		if err != nil {
 			return fmt.Errorf("run rosenpass manager: %w", err)
 		}
 	}
@@ -485,6 +487,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	}
 	if err := e.createFirewall(); err != nil {
 		e.close()
 		return err
 	}
@@ -750,6 +753,11 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 	// Check context INSIDE lock to ensure atomicity with shutdown
 	if e.ctx.Err() != nil {
 		return e.ctx.Err()
 	}
 	if update.GetNetbirdConfig() != nil {
 		wCfg := update.GetNetbirdConfig()
 		err := e.updateTURNs(wCfg.GetTurns())
@@ -789,7 +797,7 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 	}
 	nm := update.GetNetworkMap()
-	if nm == nil {
+	if nm == nil || update.SkipNetworkMapUpdate {
 		return nil
 	}
@@ -955,7 +963,7 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.DisableSSHAuth,
 		)
-		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
+		err = e.mgmClient.Sync(e.ctx, info, e.networkSerial, e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
@@ -1192,6 +1200,7 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 }
 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
 	//nolint
 	forwarderPort := uint16(protoDNSConfig.GetForwarderPort())
 	if forwarderPort == 0 {
 		forwarderPort = nbdns.ForwarderClientPort
@@ -1206,7 +1215,9 @@ func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns
 	for _, zone := range protoDNSConfig.GetCustomZones() {
 		dnsZone := nbdns.CustomZone{
-			Domain: zone.GetDomain(),
+			Domain:               zone.GetDomain(),
 			SearchDomainDisabled: zone.GetSearchDomainDisabled(),
 			SkipPTRProcess:       zone.GetSkipPTRProcess(),
 		}
 		for _, record := range zone.Records {
 			dnsRecord := nbdns.SimpleRecord{
@@ -1366,6 +1377,11 @@ func (e *Engine) receiveSignalEvents() {
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()
 			// Check context INSIDE lock to ensure atomicity with shutdown
 			if e.ctx.Err() != nil {
 				return e.ctx.Err()
 			}
 			conn, ok := e.peerStore.PeerConn(msg.Key)
 			if !ok {
 				return fmt.Errorf("wrongly addressed message %s", msg.Key)
@@ -1830,6 +1846,18 @@ func (e *Engine) GetWgAddr() netip.Addr {
 	return e.wgInterface.Address().IP
 }
 func (e *Engine) RenewTun(fd int) error {
 	e.syncMsgMux.Lock()
 	wgInterface := e.wgInterface
 	e.syncMsgMux.Unlock()
 	if wgInterface == nil {
 		return fmt.Errorf("wireguard interface not initialized")
 	}
 	return wgInterface.RenewTun(fd)
 }
 // updateDNSForwarder start or stop the DNS forwarder based on the domains and the feature flag
 func (e *Engine) updateDNSForwarder(
 	enabled bool,
--- a/client/internal/engine_ssh.go
+++ b/client/internal/engine_ssh.go
@@ -19,6 +19,7 @@ import (
 type sshServer interface {
 	Start(ctx context.Context, addr netip.AddrPort) error
 	Stop() error
 	GetStatus() (bool, []sshserver.SessionInfo)
 }
 func (e *Engine) setupSSHPortRedirection() error {
@@ -234,7 +235,17 @@ func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
 	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
 		server.SetNetstackNet(netstackNet)
 	}
 	e.configureSSHServer(server)
 	if err := server.Start(e.ctx, listenAddr); err != nil {
 		return fmt.Errorf("start SSH server: %w", err)
 	}
 	e.sshServer = server
 	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
 		if registrar, ok := e.firewall.(interface {
 			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
 		}); ok {
@@ -243,17 +254,10 @@ func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
 		}
 	}
 	e.configureSSHServer(server)
 	e.sshServer = server
 	if err := e.setupSSHPortRedirection(); err != nil {
 		log.Warnf("failed to setup SSH port redirection: %v", err)
 	}
 	if err := server.Start(e.ctx, listenAddr); err != nil {
 		return fmt.Errorf("start SSH server: %w", err)
 	}
 	return nil
 }
@@ -336,3 +340,16 @@ func (e *Engine) stopSSHServer() error {
 	}
 	return nil
 }
 // GetSSHServerStatus returns the SSH server status and active sessions
 func (e *Engine) GetSSHServerStatus() (enabled bool, sessions []sshserver.SessionInfo) {
 	e.syncMsgMux.Lock()
 	sshServer := e.sshServer
 	e.syncMsgMux.Unlock()
 	if sshServer == nil {
 		return false, nil
 	}
 	return sshServer.GetStatus()
 }
--- a/client/internal/engine_stdnet.go
+++ b/client/internal/engine_stdnet.go
@@ -7,5 +7,5 @@ import (
 )
 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(e.config.IFaceBlackList)
+	return stdnet.NewNet(e.clientCtx, e.config.IFaceBlackList)
 }
--- a/client/internal/engine_stdnet_android.go
+++ b/client/internal/engine_stdnet_android.go
@@ -3,5 +3,5 @@ package internal
 import "github.com/netbirdio/netbird/client/internal/stdnet"
 func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
+	return stdnet.NewNetWithDiscover(e.clientCtx, e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
 }
--- a/client/internal/engine_sync_test.go
+++ b/client/internal/engine_sync_test.go
@@ -0,0 +1,79 @@
 package internal
 import (
    "context"
    "testing"
    "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
    "github.com/netbirdio/netbird/client/iface"
    "github.com/netbirdio/netbird/client/internal/peer"
    "github.com/netbirdio/netbird/shared/management/client"
    mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 )
 // Ensures handleSync exits early when SkipNetworkMapUpdate is true
 func TestEngine_HandleSync_SkipNetworkMapUpdate(t *testing.T) {
    key, err := wgtypes.GeneratePrivateKey()
    if err != nil {
        t.Fatal(err)
    }
    ctx, cancel := context.WithCancel(context.Background())
    defer cancel()
    engine := NewEngine(ctx, cancel, nil, &client.MockClient{}, nil, &EngineConfig{
        WgIfaceName:  "utun199",
        WgAddr:       "100.70.0.1/24",
        WgPrivateKey: key,
        WgPort:       33100,
        MTU:          iface.DefaultMTU,
    }, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
    engine.ctx = ctx
    // Precondition
    if engine.networkSerial != 0 {
        t.Fatalf("unexpected initial serial: %d", engine.networkSerial)
    }
    resp := &mgmtProto.SyncResponse{
        NetworkMap: &mgmtProto.NetworkMap{Serial: 42},
        SkipNetworkMapUpdate: true,
    }
    if err := engine.handleSync(resp); err != nil {
        t.Fatalf("handleSync returned error: %v", err)
    }
    if engine.networkSerial != 0 {
        t.Fatalf("networkSerial changed despite SkipNetworkMapUpdate; got %d, want 0", engine.networkSerial)
    }
 }
 // Ensures handleSync exits early when NetworkMap is nil
 func TestEngine_HandleSync_NilNetworkMap(t *testing.T) {
    key, err := wgtypes.GeneratePrivateKey()
    if err != nil {
        t.Fatal(err)
    }
    ctx, cancel := context.WithCancel(context.Background())
    defer cancel()
    engine := NewEngine(ctx, cancel, nil, &client.MockClient{}, nil, &EngineConfig{
        WgIfaceName:  "utun198",
        WgAddr:       "100.70.0.2/24",
        WgPrivateKey: key,
        WgPort:       33101,
        MTU:          iface.DefaultMTU,
    }, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
    engine.ctx = ctx
    resp := &mgmtProto.SyncResponse{NetworkMap: nil}
    if err := engine.handleSync(resp); err != nil {
        t.Fatalf("handleSync returned error: %v", err)
    }
 }
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -14,7 +14,6 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/google/uuid"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -25,11 +24,18 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/controller"
 	"github.com/netbirdio/netbird/management/internals/controllers/network_map/update_channel"
 	"github.com/netbirdio/netbird/management/internals/modules/peers"
 	"github.com/netbirdio/netbird/management/internals/modules/peers/ephemeral/manager"
 	nbgrpc "github.com/netbirdio/netbird/management/internals/shared/grpc"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/configurer"
@@ -49,7 +55,6 @@ import (
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/peers"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -105,6 +110,10 @@ type MockWGIface struct {
 	LastActivitiesFunc         func() map[string]monotime.Time
 }
 func (m *MockWGIface) RenewTun(_ int) error {
 	return nil
 }
 func (m *MockWGIface) RemoveEndpointAddress(_ string) error {
 	return nil
 }
@@ -622,7 +631,7 @@ func TestEngine_Sync(t *testing.T) {
 	// feed updates to Engine via mocked Management client
 	updates := make(chan *mgmtProto.SyncResponse)
 	defer close(updates)
-	syncFunc := func(ctx context.Context, info *system.Info, msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+	syncFunc := func(ctx context.Context, info *system.Info, networkSerial uint64, msgHandler func(msg *mgmtProto.SyncResponse) error) error {
 		for msg := range updates {
 			err := msgHandler(msg)
 			if err != nil {
@@ -805,7 +814,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				MTU:          iface.DefaultMTU,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -1008,7 +1017,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -1590,7 +1599,6 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}
 	t.Cleanup(cleanUp)
 	peersUpdateManager := server.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, "", err
@@ -1618,13 +1626,19 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	groupsManager := groups.NewManagerMock()
-	accountManager, err := server.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	updateManager := update_channel.NewPeersUpdateManager(metrics)
 	requestBuffer := server.NewAccountRequestBuffer(context.Background(), store)
 	networkMapController := controller.NewController(context.Background(), store, metrics, updateManager, requestBuffer, server.MockIntegratedValidator{}, settingsMockManager, "netbird.selfhosted", port_forwarding.NewControllerMock(), manager.NewEphemeralManager(store, peersManager), config)
 	accountManager, err := server.BuildManager(context.Background(), config, store, networkMapController, nil, "", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}
-	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
+	secretsManager, err := nbgrpc.NewTimeBasedAuthSecretsManager(updateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
+	if err != nil {
 		return nil, "", err
 	}
 	mgmtServer, err := nbgrpc.NewServer(config, accountManager, settingsMockManager, secretsManager, nil, nil, &server.MockIntegratedValidator{}, networkMapController)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/iface_common.go
+++ b/client/internal/iface_common.go
@@ -20,6 +20,7 @@ import (
 type wgIfaceBase interface {
 	Create() error
 	CreateOnAndroid(routeRange []string, ip string, domains []string) error
 	RenewTun(fd int) error
 	IsUserspaceBind() bool
 	Name() string
 	Address() wgaddr.Address
--- a/client/internal/peer/guard/ice_monitor.go
+++ b/client/internal/peer/guard/ice_monitor.go
@@ -78,7 +78,7 @@ func (cm *ICEMonitor) Start(ctx context.Context, onChanged func()) {
 func (cm *ICEMonitor) handleCandidateTick(ctx context.Context, ufrag string, pwd string) (bool, error) {
 	log.Debugf("Gathering ICE candidates")
-	agent, err := icemaker.NewAgent(cm.iFaceDiscover, cm.iceConfig, candidateTypesP2P(), ufrag, pwd)
+	agent, err := icemaker.NewAgent(ctx, cm.iFaceDiscover, cm.iceConfig, candidateTypesP2P(), ufrag, pwd)
 	if err != nil {
 		return false, fmt.Errorf("create ICE agent: %w", err)
 	}
--- a/client/internal/peer/ice/agent.go
+++ b/client/internal/peer/ice/agent.go
@@ -1,6 +1,7 @@
 package ice
 import (
 	"context"
 	"sync"
 	"time"
@@ -22,6 +23,8 @@ const (
 	iceFailedTimeoutDefault       = 6 * time.Second
 	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
 	// iceAgentCloseTimeout is the maximum time to wait for ICE agent close to complete
 	iceAgentCloseTimeout = 3 * time.Second
 )
 type ThreadSafeAgent struct {
@@ -32,18 +35,28 @@ type ThreadSafeAgent struct {
 func (a *ThreadSafeAgent) Close() error {
 	var err error
 	a.once.Do(func() {
-		err = a.Agent.Close()
+		done := make(chan error, 1)
 		go func() {
 			done <- a.Agent.Close()
 		}()
 		select {
 		case err = <-done:
 		case <-time.After(iceAgentCloseTimeout):
 			log.Warnf("ICE agent close timed out after %v, proceeding with cleanup", iceAgentCloseTimeout)
 			err = nil
 		}
 	})
 	return err
 }
-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
+func NewAgent(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
 	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()
-	transportNet, err := newStdNet(iFaceDiscover, config.InterfaceBlackList)
+	transportNet, err := newStdNet(ctx, iFaceDiscover, config.InterfaceBlackList)
 	if err != nil {
 		log.Errorf("failed to create pion's stdnet: %s", err)
 	}
--- a/client/internal/peer/ice/stdnet.go
+++ b/client/internal/peer/ice/stdnet.go
@@ -3,9 +3,11 @@
 package ice
 import (
 	"context"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
-func newStdNet(_ stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
+func newStdNet(ctx context.Context, _ stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
-	return stdnet.NewNet(ifaceBlacklist)
+	return stdnet.NewNet(ctx, ifaceBlacklist)
 }
--- a/client/internal/peer/ice/stdnet_android.go
+++ b/client/internal/peer/ice/stdnet_android.go
@@ -1,7 +1,11 @@
 package ice
-import "github.com/netbirdio/netbird/client/internal/stdnet"
+import (
 	"context"
-func newStdNet(iFaceDiscover stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
+	"github.com/netbirdio/netbird/client/internal/stdnet"
-	return stdnet.NewNetWithDiscover(iFaceDiscover, ifaceBlacklist)
+)
 func newStdNet(ctx context.Context, iFaceDiscover stdnet.ExternalIFaceDiscover, ifaceBlacklist []string) (*stdnet.Net, error) {
 	return stdnet.NewNetWithDiscover(ctx, iFaceDiscover, ifaceBlacklist)
 }
--- a/client/internal/peer/worker_ice.go
+++ b/client/internal/peer/worker_ice.go
@@ -209,7 +209,7 @@ func (w *WorkerICE) Close() {
 }
 func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
-	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
+	agent, err := icemaker.NewAgent(w.ctx, w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
 	}
@@ -411,7 +411,7 @@ func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dia
 func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
 	if isController(w.config) {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
 		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
--- a/client/internal/pkce_auth.go
+++ b/client/internal/pkce_auth.go
@@ -44,6 +44,8 @@ type PKCEAuthProviderConfig struct {
 	DisablePromptLogin bool
 	// LoginFlag is used to configure the PKCE flow login behavior
 	LoginFlag common.LoginFlag
 	// LoginHint is used to pre-fill the email/username field during authentication
 	LoginHint string
 }
 // GetPKCEAuthorizationFlowInfo initialize a PKCEAuthorizationFlow instance and return with it
--- a/client/internal/profilemanager/config.go
+++ b/client/internal/profilemanager/config.go
@@ -55,6 +55,7 @@ type ConfigInput struct {
 	EnableSSHLocalPortForwarding  *bool
 	EnableSSHRemotePortForwarding *bool
 	DisableSSHAuth                *bool
 	SSHJWTCacheTTL                *int
 	NATExternalIPs                []string
 	CustomDNSAddress              []byte
 	RosenpassEnabled              *bool
@@ -104,6 +105,7 @@ type Config struct {
 	EnableSSHLocalPortForwarding  *bool
 	EnableSSHRemotePortForwarding *bool
 	DisableSSHAuth                *bool
 	SSHJWTCacheTTL                *int
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -436,6 +438,12 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 	if input.SSHJWTCacheTTL != nil && input.SSHJWTCacheTTL != config.SSHJWTCacheTTL {
 		log.Infof("updating SSH JWT cache TTL to %d seconds", *input.SSHJWTCacheTTL)
 		config.SSHJWTCacheTTL = input.SSHJWTCacheTTL
 		updated = true
 	}
 	if input.DNSRouteInterval != nil && *input.DNSRouteInterval != config.DNSRouteInterval {
 		log.Infof("updating DNS route interval to %s (old value %s)",
 			input.DNSRouteInterval.String(), config.DNSRouteInterval.String())
--- a/client/internal/profilemanager/profilemanager.go
+++ b/client/internal/profilemanager/profilemanager.go
@@ -132,3 +132,21 @@ func (pm *ProfileManager) setActiveProfileState(profileName string) error {
 	return nil
 }
 // GetLoginHint retrieves the email from the active profile to use as login_hint.
 func GetLoginHint() string {
 	pm := NewProfileManager()
 	activeProf, err := pm.GetActiveProfile()
 	if err != nil {
 		log.Debugf("failed to get active profile for login hint: %v", err)
 		return ""
 	}
 	profileState, err := pm.GetProfileState(activeProf.Name)
 	if err != nil {
 		log.Debugf("failed to get profile state for login hint: %v", err)
 		return ""
 	}
 	return profileState.Email
 }
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -197,7 +197,7 @@ func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()
-	net, err := stdnet.NewNet(nil)
+	net, err := stdnet.NewNet(ctx, nil)
 	if err != nil {
 		probeErr = fmt.Errorf("new net: %w", err)
 		return
@@ -286,7 +286,7 @@ func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr stri
 		}
 	}()
-	net, err := stdnet.NewNet(nil)
+	net, err := stdnet.NewNet(ctx, nil)
 	if err != nil {
 		probeErr = fmt.Errorf("new net: %w", err)
 		return
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -24,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/client"
@@ -39,6 +38,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	nbnet "github.com/netbirdio/netbird/client/net"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/version"
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -6,7 +6,7 @@ import (
 	"net/netip"
 	"testing"
-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"github.com/stretchr/testify/require"
@@ -403,7 +403,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
-			newNet, err := stdnet.NewNet()
+			newNet, err := stdnet.NewNet(context.Background(), nil)
 			if err != nil {
 				t.Fatal(err)
 			}
--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -15,7 +15,7 @@ import (
 	"syscall"
 	"testing"
-	"github.com/pion/transport/v3/stdnet"
+	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -436,7 +436,7 @@ func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listen
 	peerPrivateKey, err := wgtypes.GeneratePrivateKey()
 	require.NoError(t, err)
-	newNet, err := stdnet.NewNet()
+	newNet, err := stdnet.NewNet(context.Background(), nil)
 	require.NoError(t, err)
 	opts := iface.WGIFaceOpts{
--- a/client/internal/sleep/detector_darwin.go
+++ b/client/internal/sleep/detector_darwin.go
@@ -0,0 +1,218 @@
 //go:build darwin && !ios
 package sleep
 /*
 #cgo LDFLAGS: -framework IOKit -framework CoreFoundation
 #include <IOKit/pwr_mgt/IOPMLib.h>
 #include <IOKit/IOMessage.h>
 #include <CoreFoundation/CoreFoundation.h>
 extern void sleepCallbackBridge();
 extern void poweredOnCallbackBridge();
 extern void suspendedCallbackBridge();
 extern void resumedCallbackBridge();
 // C global variables for IOKit state
 static IONotificationPortRef g_notifyPortRef = NULL;
 static io_object_t g_notifierObject = 0;
 static io_object_t g_generalInterestNotifier = 0;
 static io_connect_t g_rootPort = 0;
 static CFRunLoopRef g_runLoop = NULL;
 static void sleepCallback(void* refCon, io_service_t service, natural_t messageType, void* messageArgument) {
 	switch (messageType) {
 		case kIOMessageSystemWillSleep:
 			sleepCallbackBridge();
 			IOAllowPowerChange(g_rootPort, (long)messageArgument);
 			break;
        case kIOMessageSystemHasPoweredOn:
          	poweredOnCallbackBridge();
          	break;
        case kIOMessageServiceIsSuspended:
 			suspendedCallbackBridge();
 			break;
 		case kIOMessageServiceIsResumed:
 			resumedCallbackBridge();
 			break;
 		default:
 			break;
 	}
 }
 static void registerNotifications() {
 	g_rootPort = IORegisterForSystemPower(
 		NULL,
 		&g_notifyPortRef,
 		(IOServiceInterestCallback)sleepCallback,
 		&g_notifierObject
 	);
 	if (g_rootPort == 0) {
 		return;
 	}
 	CFRunLoopAddSource(CFRunLoopGetCurrent(),
 		IONotificationPortGetRunLoopSource(g_notifyPortRef),
 		kCFRunLoopCommonModes);
 	g_runLoop = CFRunLoopGetCurrent();
 	CFRunLoopRun();
 }
 static void unregisterNotifications() {
 	CFRunLoopRemoveSource(g_runLoop,
 		IONotificationPortGetRunLoopSource(g_notifyPortRef),
 		kCFRunLoopCommonModes);
 	IODeregisterForSystemPower(&g_notifierObject);
 	IOServiceClose(g_rootPort);
 	IONotificationPortDestroy(g_notifyPortRef);
 	CFRunLoopStop(g_runLoop);
 	g_notifyPortRef = NULL;
 	g_notifierObject = 0;
 	g_rootPort = 0;
 	g_runLoop = NULL;
 }
 */
 import "C"
 import (
 	"context"
 	"fmt"
 	"runtime"
 	"sync"
 	"time"
 	log "github.com/sirupsen/logrus"
 )
 var (
 	serviceRegistry   = make(map[*Detector]struct{})
 	serviceRegistryMu sync.Mutex
 )
 //export sleepCallbackBridge
 func sleepCallbackBridge() {
 	log.Info("sleepCallbackBridge event triggered")
 	serviceRegistryMu.Lock()
 	defer serviceRegistryMu.Unlock()
 	for svc := range serviceRegistry {
 		svc.triggerCallback(EventTypeSleep)
 	}
 }
 //export resumedCallbackBridge
 func resumedCallbackBridge() {
 	log.Info("resumedCallbackBridge event triggered")
 }
 //export suspendedCallbackBridge
 func suspendedCallbackBridge() {
 	log.Info("suspendedCallbackBridge event triggered")
 }
 //export poweredOnCallbackBridge
 func poweredOnCallbackBridge() {
 	log.Info("poweredOnCallbackBridge event triggered")
 	serviceRegistryMu.Lock()
 	defer serviceRegistryMu.Unlock()
 	for svc := range serviceRegistry {
 		svc.triggerCallback(EventTypeWakeUp)
 	}
 }
 type Detector struct {
 	callback func(event EventType)
 	ctx      context.Context
 	cancel   context.CancelFunc
 }
 func NewDetector() (*Detector, error) {
 	return &Detector{}, nil
 }
 func (d *Detector) Register(callback func(event EventType)) error {
 	serviceRegistryMu.Lock()
 	defer serviceRegistryMu.Unlock()
 	if _, exists := serviceRegistry[d]; exists {
 		return fmt.Errorf("detector service already registered")
 	}
 	d.callback = callback
 	d.ctx, d.cancel = context.WithCancel(context.Background())
 	if len(serviceRegistry) > 0 {
 		serviceRegistry[d] = struct{}{}
 		return nil
 	}
 	serviceRegistry[d] = struct{}{}
 	// CFRunLoop must run on a single fixed OS thread
 	go func() {
 		runtime.LockOSThread()
 		defer runtime.UnlockOSThread()
 		C.registerNotifications()
 	}()
 	log.Info("sleep detection service started on macOS")
 	return nil
 }
 // Deregister removes the detector. When the last detector is removed, IOKit registration is torn down
 // and the runloop is stopped and cleaned up.
 func (d *Detector) Deregister() error {
 	serviceRegistryMu.Lock()
 	defer serviceRegistryMu.Unlock()
 	_, exists := serviceRegistry[d]
 	if !exists {
 		return nil
 	}
 	// cancel and remove this detector
 	d.cancel()
 	delete(serviceRegistry, d)
 	// If other Detectors still exist, leave IOKit running
 	if len(serviceRegistry) > 0 {
 		return nil
 	}
 	log.Info("sleep detection service stopping (deregister)")
 	// Deregister IOKit notifications, stop runloop, and free resources
 	C.unregisterNotifications()
 	return nil
 }
 func (d *Detector) triggerCallback(event EventType) {
 	doneChan := make(chan struct{})
 	timeout := time.NewTimer(500 * time.Millisecond)
 	defer timeout.Stop()
 	cb := d.callback
 	go func(callback func(event EventType)) {
 		log.Info("sleep detection event fired")
 		callback(event)
 		close(doneChan)
 	}(cb)
 	select {
 	case <-doneChan:
 	case <-d.ctx.Done():
 	case <-timeout.C:
 		log.Warnf("sleep callback timed out")
 	}
 }
--- a/client/internal/sleep/detector_notsupported.go
+++ b/client/internal/sleep/detector_notsupported.go
@@ -0,0 +1,9 @@
 //go:build !darwin || ios
 package sleep
 import "fmt"
 func NewDetector() (detector, error) {
 	return nil, fmt.Errorf("sleep not supported on this platform")
 }
--- a/client/internal/sleep/service.go
+++ b/client/internal/sleep/service.go
@@ -0,0 +1,37 @@
 package sleep
 var (
 	EventTypeUnknown EventType = 0
 	EventTypeSleep   EventType = 1
 	EventTypeWakeUp  EventType = 2
 )
 type EventType int
 type detector interface {
 	Register(callback func(eventType EventType)) error
 	Deregister() error
 }
 type Service struct {
 	detector detector
 }
 func New() (*Service, error) {
 	d, err := NewDetector()
 	if err != nil {
 		return nil, err
 	}
 	return &Service{
 		detector: d,
 	}, nil
 }
 func (s *Service) Register(callback func(eventType EventType)) error {
 	return s.detector.Register(callback)
 }
 func (s *Service) Deregister() error {
 	return s.detector.Deregister()
 }
--- a/client/internal/stdnet/stdnet.go
+++ b/client/internal/stdnet/stdnet.go
@@ -4,17 +4,28 @@
 package stdnet
 import (
 	"context"
 	"errors"
 	"fmt"
 	"net"
 	"net/netip"
 	"slices"
 	"strconv"
 	"sync"
 	"time"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 )
-const updateInterval = 30 * time.Second
+const (
 	updateInterval    = 30 * time.Second
 	dnsResolveTimeout = 30 * time.Second
 )
 var errNoSuitableAddress = errors.New("no suitable address found")
 // Net is an implementation of the net.Net interface
 // based on functions of the standard net package.
@@ -28,12 +39,19 @@ type Net struct {
 	// mu is shared between interfaces and lastUpdate
 	mu sync.Mutex
 	// ctx is the context for network operations that supports cancellation
 	ctx context.Context
 }
 // NewNetWithDiscover creates a new StdNet instance.
-func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
+func NewNetWithDiscover(ctx context.Context, iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	n := &Net{
 		interfaceFilter: InterfaceFilter(disallowList),
 		ctx:             ctx,
 	}
 	// current ExternalIFaceDiscover implement in android-client https://github.dev/netbirdio/android-client
 	// so in android cli use pionDiscover
@@ -46,14 +64,64 @@ func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []stri
 }
 // NewNet creates a new StdNet instance.
-func NewNet(disallowList []string) (*Net, error) {
+func NewNet(ctx context.Context, disallowList []string) (*Net, error) {
 	if ctx == nil {
 		ctx = context.Background()
 	}
 	n := &Net{
 		iFaceDiscover:   pionDiscover{},
 		interfaceFilter: InterfaceFilter(disallowList),
 		ctx:             ctx,
 	}
 	return n, n.UpdateInterfaces()
 }
 // resolveAddr performs DNS resolution with context support and timeout.
 func (n *Net) resolveAddr(network, address string) (netip.AddrPort, error) {
 	host, portStr, err := net.SplitHostPort(address)
 	if err != nil {
 		return netip.AddrPort{}, err
 	}
 	port, err := strconv.Atoi(portStr)
 	if err != nil {
 		return netip.AddrPort{}, fmt.Errorf("invalid port: %w", err)
 	}
 	if port < 0 || port > 65535 {
 		return netip.AddrPort{}, fmt.Errorf("invalid port: %d", port)
 	}
 	ipNet := "ip"
 	switch network {
 	case "tcp4", "udp4":
 		ipNet = "ip4"
 	case "tcp6", "udp6":
 		ipNet = "ip6"
 	}
 	if host == "" {
 		addr := netip.IPv4Unspecified()
 		if ipNet == "ip6" {
 			addr = netip.IPv6Unspecified()
 		}
 		return netip.AddrPortFrom(addr, uint16(port)), nil
 	}
 	ctx, cancel := context.WithTimeout(n.ctx, dnsResolveTimeout)
 	defer cancel()
 	addrs, err := net.DefaultResolver.LookupNetIP(ctx, ipNet, host)
 	if err != nil {
 		return netip.AddrPort{}, err
 	}
 	if len(addrs) == 0 {
 		return netip.AddrPort{}, errNoSuitableAddress
 	}
 	return netip.AddrPortFrom(addrs[0], uint16(port)), nil
 }
 // UpdateInterfaces updates the internal list of network interfaces
 // and associated addresses filtering them by name.
 // The interfaces are discovered by an external iFaceDiscover function or by a default discoverer if the external one
@@ -137,3 +205,39 @@ func (n *Net) filterInterfaces(interfaces []*transport.Interface) []*transport.I
 	}
 	return result
 }
 // ResolveUDPAddr resolves UDP addresses with context support and timeout.
 func (n *Net) ResolveUDPAddr(network, address string) (*net.UDPAddr, error) {
 	switch network {
 	case "udp", "udp4", "udp6":
 	case "":
 		network = "udp"
 	default:
 		return nil, &net.OpError{Op: "resolve", Net: network, Err: net.UnknownNetworkError(network)}
 	}
 	addrPort, err := n.resolveAddr(network, address)
 	if err != nil {
 		return nil, &net.OpError{Op: "resolve", Net: network, Addr: &net.UDPAddr{IP: nil}, Err: err}
 	}
 	return net.UDPAddrFromAddrPort(addrPort), nil
 }
 // ResolveTCPAddr resolves TCP addresses with context support and timeout.
 func (n *Net) ResolveTCPAddr(network, address string) (*net.TCPAddr, error) {
 	switch network {
 	case "tcp", "tcp4", "tcp6":
 	case "":
 		network = "tcp"
 	default:
 		return nil, &net.OpError{Op: "resolve", Net: network, Err: net.UnknownNetworkError(network)}
 	}
 	addrPort, err := n.resolveAddr(network, address)
 	if err != nil {
 		return nil, &net.OpError{Op: "resolve", Net: network, Addr: &net.TCPAddr{IP: nil}, Err: err}
 	}
 	return net.TCPAddrFromAddrPort(addrPort), nil
 }
--- a/client/internal/templates/pkce-auth-msg.html
+++ b/client/internal/templates/pkce-auth-msg.html
--- a/client/internal/templates/pkce_auth_msg_test.go
+++ b/client/internal/templates/pkce_auth_msg_test.go
@@ -0,0 +1,299 @@
 package templates
 import (
 	"html/template"
 	"os"
 	"path/filepath"
 	"testing"
 )
 func TestPKCEAuthMsgTemplate(t *testing.T) {
 	tests := []struct {
 		name                 string
 		data                 map[string]string
 		outputFile           string
 		expectedTitle        string
 		expectedInContent    []string
 		notExpectedInContent []string
 	}{
 		{
 			name: "error_state",
 			data: map[string]string{
 				"Error": "authentication failed: invalid state",
 			},
 			outputFile:    "pkce-auth-error.html",
 			expectedTitle: "Login Failed",
 			expectedInContent: []string{
 				"authentication failed: invalid state",
 				"Login Failed",
 			},
 			notExpectedInContent: []string{
 				"Login Successful",
 				"Your device is now registered and logged in to NetBird",
 			},
 		},
 		{
 			name: "success_state",
 			data: map[string]string{
 				// No error field means success
 			},
 			outputFile:    "pkce-auth-success.html",
 			expectedTitle: "Login Successful",
 			expectedInContent: []string{
 				"Login Successful",
 				"Your device is now registered and logged in to NetBird. You can now close this window.",
 			},
 			notExpectedInContent: []string{
 				"Login Failed",
 			},
 		},
 		{
 			name: "error_state_timeout",
 			data: map[string]string{
 				"Error": "authentication timeout: request expired after 5 minutes",
 			},
 			outputFile:    "pkce-auth-timeout.html",
 			expectedTitle: "Login Failed",
 			expectedInContent: []string{
 				"authentication timeout: request expired after 5 minutes",
 				"Login Failed",
 			},
 			notExpectedInContent: []string{
 				"Login Successful",
 				"Your device is now registered and logged in to NetBird",
 			},
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			// Parse the template
 			tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
 			if err != nil {
 				t.Fatalf("Failed to parse template: %v", err)
 			}
 			// Create temp directory for this test
 			tempDir := t.TempDir()
 			outputPath := filepath.Join(tempDir, tt.outputFile)
 			// Create output file
 			file, err := os.Create(outputPath)
 			if err != nil {
 				t.Fatalf("Failed to create output file: %v", err)
 			}
 			// Execute the template
 			if err := tmpl.Execute(file, tt.data); err != nil {
 				file.Close()
 				t.Fatalf("Failed to execute template: %v", err)
 			}
 			file.Close()
 			t.Logf("Generated test output: %s", outputPath)
 			// Read the generated file
 			content, err := os.ReadFile(outputPath)
 			if err != nil {
 				t.Fatalf("Failed to read output file: %v", err)
 			}
 			contentStr := string(content)
 			// Verify file has content
 			if len(contentStr) == 0 {
 				t.Error("Output file is empty")
 			}
 			// Verify basic HTML structure
 			basicElements := []string{
 				"<!DOCTYPE html>",
 				"<html",
 				"<head>",
 				"<body>",
 				"NetBird",
 			}
 			for _, elem := range basicElements {
 				if !contains(contentStr, elem) {
 					t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
 				}
 			}
 			// Verify expected title
 			if !contains(contentStr, tt.expectedTitle) {
 				t.Errorf("Expected HTML to contain title '%s', but it was not found", tt.expectedTitle)
 			}
 			// Verify expected content is present
 			for _, expected := range tt.expectedInContent {
 				if !contains(contentStr, expected) {
 					t.Errorf("Expected HTML to contain '%s', but it was not found", expected)
 				}
 			}
 			// Verify unexpected content is not present
 			for _, notExpected := range tt.notExpectedInContent {
 				if contains(contentStr, notExpected) {
 					t.Errorf("Expected HTML to NOT contain '%s', but it was found", notExpected)
 				}
 			}
 		})
 	}
 }
 func TestPKCEAuthMsgTemplateValidation(t *testing.T) {
 	// Test that the template can be parsed without errors
 	tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
 	if err != nil {
 		t.Fatalf("Template parsing failed: %v", err)
 	}
 	// Test with empty data
 	t.Run("empty_data", func(t *testing.T) {
 		tempDir := t.TempDir()
 		outputPath := filepath.Join(tempDir, "empty-data.html")
 		file, err := os.Create(outputPath)
 		if err != nil {
 			t.Fatalf("Failed to create output file: %v", err)
 		}
 		defer file.Close()
 		if err := tmpl.Execute(file, nil); err != nil {
 			t.Errorf("Template execution with nil data failed: %v", err)
 		}
 	})
 	// Test with error data
 	t.Run("with_error", func(t *testing.T) {
 		tempDir := t.TempDir()
 		outputPath := filepath.Join(tempDir, "with-error.html")
 		file, err := os.Create(outputPath)
 		if err != nil {
 			t.Fatalf("Failed to create output file: %v", err)
 		}
 		defer file.Close()
 		data := map[string]string{
 			"Error": "test error message",
 		}
 		if err := tmpl.Execute(file, data); err != nil {
 			t.Errorf("Template execution with error data failed: %v", err)
 		}
 	})
 }
 func TestPKCEAuthMsgTemplateContent(t *testing.T) {
 	// Test that the template contains expected elements
 	tmpl, err := template.New("pkce-auth-msg").Parse(PKCEAuthMsgTmpl)
 	if err != nil {
 		t.Fatalf("Template parsing failed: %v", err)
 	}
 	t.Run("success_content", func(t *testing.T) {
 		tempDir := t.TempDir()
 		outputPath := filepath.Join(tempDir, "success.html")
 		file, err := os.Create(outputPath)
 		if err != nil {
 			t.Fatalf("Failed to create output file: %v", err)
 		}
 		defer file.Close()
 		data := map[string]string{}
 		if err := tmpl.Execute(file, data); err != nil {
 			t.Fatalf("Template execution failed: %v", err)
 		}
 		// Read the file and verify it contains expected content
 		content, err := os.ReadFile(outputPath)
 		if err != nil {
 			t.Fatalf("Failed to read output file: %v", err)
 		}
 		// Check for success indicators
 		contentStr := string(content)
 		if len(contentStr) == 0 {
 			t.Error("Generated HTML is empty")
 		}
 		// Basic HTML structure checks
 		requiredElements := []string{
 			"<!DOCTYPE html>",
 			"<html",
 			"<head>",
 			"<body>",
 			"Login Successful",
 			"NetBird",
 		}
 		for _, elem := range requiredElements {
 			if !contains(contentStr, elem) {
 				t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
 			}
 		}
 	})
 	t.Run("error_content", func(t *testing.T) {
 		tempDir := t.TempDir()
 		outputPath := filepath.Join(tempDir, "error.html")
 		file, err := os.Create(outputPath)
 		if err != nil {
 			t.Fatalf("Failed to create output file: %v", err)
 		}
 		defer file.Close()
 		errorMsg := "test error message"
 		data := map[string]string{
 			"Error": errorMsg,
 		}
 		if err := tmpl.Execute(file, data); err != nil {
 			t.Fatalf("Template execution failed: %v", err)
 		}
 		// Read the file and verify it contains expected content
 		content, err := os.ReadFile(outputPath)
 		if err != nil {
 			t.Fatalf("Failed to read output file: %v", err)
 		}
 		// Check for error indicators
 		contentStr := string(content)
 		if len(contentStr) == 0 {
 			t.Error("Generated HTML is empty")
 		}
 		// Basic HTML structure checks
 		requiredElements := []string{
 			"<!DOCTYPE html>",
 			"<html",
 			"<head>",
 			"<body>",
 			"Login Failed",
 			errorMsg,
 		}
 		for _, elem := range requiredElements {
 			if !contains(contentStr, elem) {
 				t.Errorf("Expected HTML to contain '%s', but it was not found", elem)
 			}
 		}
 	})
 }
 func contains(s, substr string) bool {
 	return len(s) >= len(substr) && (s == substr || len(substr) == 0 ||
 		(len(s) > 0 && len(substr) > 0 && containsHelper(s, substr)))
 }
 func containsHelper(s, substr string) bool {
 	for i := 0; i <= len(s)-len(substr); i++ {
 		if s[i:i+len(substr)] == substr {
 			return true
 		}
 	}
 	return false
 }
--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -1,9 +1,12 @@
 //go:build ios
 package NetBirdSDK
 import (
 	"context"
 	"fmt"
 	"net/netip"
 	"os"
 	"sort"
 	"strings"
 	"sync"
@@ -90,7 +93,8 @@ func NewClient(cfgFile, stateFile, deviceName string, osVersion string, osName s
 }
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(fd int32, interfaceName string) error {
+func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	exportEnvList(envList)
 	log.Infof("Starting NetBird client")
 	log.Debugf("Tunnel uses interface: %s", interfaceName)
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
@@ -228,7 +232,7 @@ func (c *Client) LoginForMobile() string {
 		ConfigPath: c.cfgFile,
 	})
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false)
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false, false, "")
 	if err != nil {
 		return err.Error()
 	}
@@ -433,3 +437,19 @@ func toNetIDs(routes []string) []route.NetID {
 	}
 	return netIDs
 }
 func exportEnvList(list *EnvList) {
 	if list == nil {
 		return
 	}
 	for k, v := range list.AllItems() {
 		log.Debugf("Env variable %s's value is currently: %s", k, os.Getenv(k))
 		log.Debugf("Setting env variable %s: %s", k, v)
 		if err := os.Setenv(k, v); err != nil {
 			log.Errorf("could not set env variable %s: %v", k, err)
 		} else {
 			log.Debugf("Env variable %s was set successfully", k)
 		}
 	}
 }
--- a/client/ios/NetBirdSDK/env_list.go
+++ b/client/ios/NetBirdSDK/env_list.go
@@ -0,0 +1,34 @@
 //go:build ios
 package NetBirdSDK
 import "github.com/netbirdio/netbird/client/internal/peer"
 // EnvList is an exported struct to be bound by gomobile
 type EnvList struct {
 	data map[string]string
 }
 // NewEnvList creates a new EnvList
 func NewEnvList() *EnvList {
 	return &EnvList{data: make(map[string]string)}
 }
 // Put adds a key-value pair
 func (el *EnvList) Put(key, value string) {
 	el.data[key] = value
 }
 // Get retrieves a value by key
 func (el *EnvList) Get(key string) string {
 	return el.data[key]
 }
 func (el *EnvList) AllItems() map[string]string {
 	return el.data
 }
 // GetEnvKeyNBForceRelay Exports the environment variable for the iOS client
 func GetEnvKeyNBForceRelay() string {
 	return peer.EnvKeyNBForceRelay
 }
--- a/client/ios/NetBirdSDK/gomobile.go
+++ b/client/ios/NetBirdSDK/gomobile.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 import _ "golang.org/x/mobile/bind"
--- a/client/ios/NetBirdSDK/logger.go
+++ b/client/ios/NetBirdSDK/logger.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 import (
--- a/client/ios/NetBirdSDK/login.go
+++ b/client/ios/NetBirdSDK/login.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 import (
--- a/client/ios/NetBirdSDK/peer_notifier.go
+++ b/client/ios/NetBirdSDK/peer_notifier.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 // PeerInfo describe information about the peers. It designed for the UI usage
--- a/client/ios/NetBirdSDK/preferences.go
+++ b/client/ios/NetBirdSDK/preferences.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 import (
--- a/client/ios/NetBirdSDK/preferences_test.go
+++ b/client/ios/NetBirdSDK/preferences_test.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 import (
--- a/client/ios/NetBirdSDK/routes.go
+++ b/client/ios/NetBirdSDK/routes.go
@@ -1,3 +1,5 @@
 //go:build ios
 package NetBirdSDK
 // RoutesSelectionInfoCollection made for Java layer to get non default types as collection
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -24,7 +24,7 @@ service DaemonService {
  // Status of the service.
  rpc Status(StatusRequest) returns (StatusResponse) {}
-  // Down engine work in the daemon.
+  // Down stops engine work in the daemon.
  rpc Down(DownRequest) returns (DownResponse) {}
  // GetConfig of the daemon.
@@ -90,12 +90,29 @@ service DaemonService {
  // RequestJWTAuth initiates JWT authentication flow for SSH
  rpc RequestJWTAuth(RequestJWTAuthRequest) returns (RequestJWTAuthResponse) {}
-  
+
  // WaitJWTToken waits for JWT authentication completion
  rpc WaitJWTToken(WaitJWTTokenRequest) returns (WaitJWTTokenResponse) {}
  rpc NotifyOSLifecycle(OSLifecycleRequest) returns(OSLifecycleResponse) {}
 }
 message OSLifecycleRequest {
  // avoid collision with loglevel enum
  enum CycleType {
    UNKNOWN = 0;
    SLEEP = 1;
    WAKEUP = 2;
  }
  CycleType type = 1;
 }
 message OSLifecycleResponse {}
 message LoginRequest {
  // setupKey netbird setup key.
  string setupKey = 1;
@@ -168,11 +185,15 @@ message LoginRequest {
  optional int64 mtu = 32;
-  optional bool enableSSHRoot = 33;
+  // hint is used to pre-fill the email/username field during SSO authentication
-  optional bool enableSSHSFTP = 34;
+  optional string hint = 33;
-  optional bool enableSSHLocalPortForwarding = 35;
+
-  optional bool enableSSHRemotePortForwarding = 36;
+  optional bool enableSSHRoot = 34;
-  optional bool disableSSHAuth = 37;
+  optional bool enableSSHSFTP = 35;
  optional bool enableSSHLocalPortForwarding = 36;
  optional bool enableSSHRemotePortForwarding = 37;
  optional bool disableSSHAuth = 38;
  optional int32 sshJWTCacheTTL = 39;
 }
 message LoginResponse {
@@ -202,7 +223,7 @@ message StatusRequest{
  bool getFullPeerStatus = 1;
  bool shouldRunProbes = 2;
  // the UI do not using this yet, but CLIs could use it to wait until the status is ready
-  optional bool waitForReady     = 3;
+  optional bool waitForReady = 3;
 }
 message StatusResponse{
@@ -277,6 +298,8 @@ message GetConfigResponse {
  bool enableSSHRemotePortForwarding = 23;
  bool disableSSHAuth = 25;
  int32 sshJWTCacheTTL = 26;
 }
 // PeerState contains the latest state of a peer
@@ -340,6 +363,20 @@ message NSGroupState {
  string error = 4;
 }
 // SSHSessionInfo contains information about an active SSH session
 message SSHSessionInfo {
  string username = 1;
  string remoteAddress = 2;
  string command = 3;
  string jwtUsername = 4;
 }
 // SSHServerState contains the latest state of the SSH server
 message SSHServerState {
  bool enabled = 1;
  repeated SSHSessionInfo sessions = 2;
 }
 // FullStatus contains the full state held by the Status instance
 message FullStatus {
  ManagementState managementState = 1;
@@ -353,6 +390,7 @@ message FullStatus {
  repeated SystemEvent events = 7;
  bool lazyConnectionEnabled = 9;
  SSHServerState sshServerState = 10;
 }
 // Networks
@@ -619,9 +657,10 @@ message SetConfigRequest {
  optional bool enableSSHRoot = 29;
  optional bool enableSSHSFTP = 30;
-  optional bool enableSSHLocalPortForward = 31;
+  optional bool enableSSHLocalPortForwarding = 31;
-  optional bool enableSSHRemotePortForward = 32;
+  optional bool enableSSHRemotePortForwarding = 32;
  optional bool disableSSHAuth = 33;
  optional int32 sshJWTCacheTTL = 34;
 }
 message SetConfigResponse{}
@@ -694,6 +733,8 @@ message GetPeerSSHHostKeyResponse {
 // RequestJWTAuthRequest for initiating JWT authentication flow
 message RequestJWTAuthRequest {
  // hint for OIDC login_hint parameter (typically email address)
  optional string hint = 1;
 }
 // RequestJWTAuthResponse contains authentication flow information
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -27,7 +27,7 @@ type DaemonServiceClient interface {
 	Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error)
 	// Status of the service.
 	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
-	// Down engine work in the daemon.
+	// Down stops engine work in the daemon.
 	Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error)
 	// GetConfig of the daemon.
 	GetConfig(ctx context.Context, in *GetConfigRequest, opts ...grpc.CallOption) (*GetConfigResponse, error)
@@ -70,6 +70,7 @@ type DaemonServiceClient interface {
 	RequestJWTAuth(ctx context.Context, in *RequestJWTAuthRequest, opts ...grpc.CallOption) (*RequestJWTAuthResponse, error)
 	// WaitJWTToken waits for JWT authentication completion
 	WaitJWTToken(ctx context.Context, in *WaitJWTTokenRequest, opts ...grpc.CallOption) (*WaitJWTTokenResponse, error)
 	NotifyOSLifecycle(ctx context.Context, in *OSLifecycleRequest, opts ...grpc.CallOption) (*OSLifecycleResponse, error)
 }
 type daemonServiceClient struct {
@@ -382,6 +383,15 @@ func (c *daemonServiceClient) WaitJWTToken(ctx context.Context, in *WaitJWTToken
 	return out, nil
 }
 func (c *daemonServiceClient) NotifyOSLifecycle(ctx context.Context, in *OSLifecycleRequest, opts ...grpc.CallOption) (*OSLifecycleResponse, error) {
 	out := new(OSLifecycleResponse)
 	err := c.cc.Invoke(ctx, "/daemon.DaemonService/NotifyOSLifecycle", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -395,7 +405,7 @@ type DaemonServiceServer interface {
 	Up(context.Context, *UpRequest) (*UpResponse, error)
 	// Status of the service.
 	Status(context.Context, *StatusRequest) (*StatusResponse, error)
-	// Down engine work in the daemon.
+	// Down stops engine work in the daemon.
 	Down(context.Context, *DownRequest) (*DownResponse, error)
 	// GetConfig of the daemon.
 	GetConfig(context.Context, *GetConfigRequest) (*GetConfigResponse, error)
@@ -438,6 +448,7 @@ type DaemonServiceServer interface {
 	RequestJWTAuth(context.Context, *RequestJWTAuthRequest) (*RequestJWTAuthResponse, error)
 	// WaitJWTToken waits for JWT authentication completion
 	WaitJWTToken(context.Context, *WaitJWTTokenRequest) (*WaitJWTTokenResponse, error)
 	NotifyOSLifecycle(context.Context, *OSLifecycleRequest) (*OSLifecycleResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
@@ -538,6 +549,9 @@ func (UnimplementedDaemonServiceServer) RequestJWTAuth(context.Context, *Request
 func (UnimplementedDaemonServiceServer) WaitJWTToken(context.Context, *WaitJWTTokenRequest) (*WaitJWTTokenResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method WaitJWTToken not implemented")
 }
 func (UnimplementedDaemonServiceServer) NotifyOSLifecycle(context.Context, *OSLifecycleRequest) (*OSLifecycleResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method NotifyOSLifecycle not implemented")
 }
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -1112,6 +1126,24 @@ func _DaemonService_WaitJWTToken_Handler(srv interface{}, ctx context.Context, d
 	return interceptor(ctx, in, info, handler)
 }
 func _DaemonService_NotifyOSLifecycle_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(OSLifecycleRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
 		return srv.(DaemonServiceServer).NotifyOSLifecycle(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
 		FullMethod: "/daemon.DaemonService/NotifyOSLifecycle",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(DaemonServiceServer).NotifyOSLifecycle(ctx, req.(*OSLifecycleRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1239,6 +1271,10 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "WaitJWTToken",
 			Handler:    _DaemonService_WaitJWTToken_Handler,
 		},
 		{
 			MethodName: "NotifyOSLifecycle",
 			Handler:    _DaemonService_NotifyOSLifecycle_Handler,
 		},
 	},
 	Streams: []grpc.StreamDesc{
 		{
--- a/client/server/jwt_cache.go
+++ b/client/server/jwt_cache.go
@@ -37,13 +37,18 @@ func (c *jwtCache) store(token string, maxAge time.Duration) {
 	c.expiresAt = time.Now().Add(maxAge)
-	c.timer = time.AfterFunc(maxAge, func() {
+	var timer *time.Timer
 	timer = time.AfterFunc(maxAge, func() {
 		c.mu.Lock()
 		defer c.mu.Unlock()
 		if c.timer != timer {
 			return
 		}
 		c.cleanup()
 		c.timer = nil
 		log.Debugf("JWT token cache expired after %v, securely wiped from memory", maxAge)
 	})
 	c.timer = timer
 }
 func (c *jwtCache) get() (string, bool) {
@@ -70,4 +75,5 @@ func (c *jwtCache) cleanup() {
 	if c.enclave != nil {
 		c.enclave = nil
 	}
 	c.expiresAt = time.Time{}
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
bcmmbaga	72513d7522	Skip network map calculation when client serial matches current Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2026-01-27 23:03:43 +03:00
Zoltan Papp	a1f1bf1f19	Merge branch 'main' into feat/network-map-serial	2025-12-18 15:59:53 +01:00
Zoltan Papp	b5dec3df39	Track network serial in engine	2025-12-18 15:27:49 +01:00
Zoltan Papp	447cd287f5	[ci] Add local lint setup with pre-push hook to catch issues early (#4925 ) * Add local lint setup with pre-push hook to catch issues early Developers can now catch lint issues before pushing, reducing CI failures and iteration time. The setup uses golangci-lint locally with the same configuration as CI. Setup: - Run `make setup-hooks` once after cloning - Pre-push hook automatically lints changed files (~90s) - Use `make lint` to manually check changed files - Use `make lint-all` to run full CI-equivalent lint The Makefile auto-installs golangci-lint to ./bin/ using go install to match the Go version in go.mod, avoiding version compatibility issues. --------- Co-authored-by: mlsmaycon <mlsmaycon@gmail.com>	2025-12-15 10:34:48 +01:00
Zoltan Papp	5748bdd64e	Add health-check agent recognition to avoid error logs (#4917 ) Health-check connections now send a properly formatted auth message with a well-known peer ID instead of immediately closing. The server recognizes this peer ID and handles the connection gracefully with a debug log instead of error logs.	2025-12-15 10:28:25 +01:00
Diego Romar	08f31fbcb3	[iOS] Add force relay connection on iOS (#4928 ) * [ios] Add a bogus test to check iOS behavior when setting environment variables * [ios] Revert "Add a bogus test to check iOS behavior when setting environment variables" This reverts commit 90ca01105a6b0f4471aac07a63fc95e5d4eaef9b. * [ios] Add EnvList struct to export and import environment variables * [ios] Add envList parameter to the iOS Client Run method * [ios] Add some debug logging to exportEnvVarList * Add "//go:build ios" to client/ios/NetBirdSDK files	2025-12-12 14:29:58 -03:00
Bethuel Mmbaga	932c02eaab	[management] Approve all pending peers when peer approval is disabled (#4806 )	2025-12-12 18:49:57 +03:00
Pascal Fischer	abcbde26f9	[management] remove context from store methods (#4940 )	2025-12-11 21:45:47 +01:00
Pascal Fischer	90e3b8009f	[management] Fix sync metrics (#4939 )	2025-12-11 20:11:12 +01:00
Pascal Fischer	94d34dc0c5	[management] monitoring updates (#4937 )	2025-12-11 18:29:15 +01:00
Pascal Fischer	44851e06fb	[management] cleanup logs (#4933 )	2025-12-10 19:26:51 +01:00
Viktor Liu	3f4f825ec1	[client] Fix DNS forwarder returning broken records on 4 to 6 mapped IP addresses (#4887 )	2025-12-05 17:42:49 +01:00
Viktor Liu	f538e6e9ae	[client] Use setsid to avoid the parent process from being killed via HUP by login (#4900 )	2025-12-05 03:29:27 +01:00
Maycon Santos	cb6b086164	[client] Reorder subsystem shutdown so peer removal goes first (#4914 ) Remove peers before DNS and routes	2025-12-04 21:01:22 +01:00
Zoltan Papp	71b6855e09	[client] Fix engine shutdown deadlock and sync-signal message handling races (#4891 ) * Fix engine shutdown deadlock and message handling races - Release syncMsgMux before waiting for shutdownWg to prevent deadlock - Check context inside lock in handleSync and receiveSignalEvents - Prevents nil pointer access when messages arrive during engine stop	2025-12-04 19:51:50 +01:00
Viktor Liu	9bdc4908fb	[client] Passthrough all non-NetBird chains to prevent them from dropping NetBird traffic (#4899 )	2025-12-04 19:16:38 +01:00
Bethuel Mmbaga	031ab11178	[client] Remove select account prompt (#4912 ) Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>	2025-12-04 14:57:29 +01:00
Zoltan Papp	d2e48d4f5e	[relay] Use instanceURL instead of Exposed address. (#4905 ) Replaces string-based exposed address handling with URL-based InstanceURL() (type url.URL) across relay/server and relay/healthcheck; adds SchemeREL/SchemeRELS constants; updates getInstanceURL to return *url.URL with scheme and TLS validation; adjusts WS dialing and health-check logic to use URL fields.	2025-12-03 18:42:53 +01:00
Bethuel Mmbaga	27dd97c9c4	[management] Add support to disable geolocation service (#4901 )	2025-12-03 14:45:59 +03:00
Maycon Santos	e87b4ace11	[client] Add sleep state tracking to handle wakeup/sleep events reliably (#4894 ) Adds a new NotifyOSLifecycle RPC and server handler to centralize OS sleep/wake handling, introduces Server.sleepTriggeredDown for coordination, updates client UI to call the new RPC, and adjusts the internal sleep event enum zero-value semantics.	2025-12-03 11:53:39 +01:00
Pascal Fischer	a232cf614c	[management] record pat usage metrics (#4888 )	2025-12-02 18:31:59 +01:00
Maycon Santos	a293f760af	[client] Add conditional peer removal logic during shutdown (#4897 )	2025-12-02 16:30:15 +01:00
Pascal Fischer	10e9cf8c62	[management] update management integrations (#4895 )	2025-12-02 14:13:01 +01:00
Pascal Fischer	7193bd2da7	[management] Refactor network map controller (#4789 )	2025-12-02 12:34:28 +01:00
Bethuel Mmbaga	52948ccd61	[management] Add user created activity event (#4893 )	2025-12-02 14:17:59 +03:00
Fahri Shihab	4b77359042	[management] Groups API with name query parameter (#4831 )	2025-12-01 16:57:42 +01:00
Zoltan Papp	387d43bcc1	[client, management] Add OAuth select_account prompt support to PKCE flow (#4880 ) * Add OAuth select_account prompt support to PKCE flow Extends LoginFlag enum with select_account options to enable multi-account selection during authentication. This allows users to choose which account to use when multiple accounts have active sessions with the identity provider. The new flags are backward compatible - existing LoginFlag values (0=prompt login, 1=max_age=0) retain their original behavior.	2025-12-01 14:25:52 +01:00
Zoltan Papp	e47d815dd2	Fix IsAnotherProcessRunning (#4858 ) Compare the exact process name rather than searching for a substring of the full path	2025-12-01 14:16:03 +01:00
shuuri-labs	cb83b7c0d3	[relay] use exposed address for healthcheck TLS validation (#4872 ) * fix(relay): use exposed address for healthcheck TLS validation Healthcheck was using listen address (0.0.0.0) instead of exposed address (domain name) for certificate validation, causing validation to always fail. Now correctly uses the exposed address where the TLS certificate is valid, matching real client connection behavior. * - store exposedAddress directly in Relay struct instead of parsing on every call - remove unused parseHostPort() function - remove unused ListenAddress() method from ServiceChecker interface - improve error logging with address context * [relay/healthcheck] Remove QUIC health check logic, update WebSocket validation flow Refactored health check logic by removing QUIC-specific connection validation and simplifying logic for WebSocket protocol. Adjusted certificate validation flow and improved handling of exposed addresses. * [relay/healthcheck] Fix certificate validation status during health check --------- Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>	2025-11-28 21:53:53 +01:00
Zoltan Papp	ddcd182859	[client] Sleep detection on macOS (#4859 ) A macOS-specific sleep detection mechanism using IOKit and CoreFoundation via cgo is introduced, with a fallback implementation for unsupported platforms. A public Service wrapper provides an event-driven API translating system sleep/wake events into gRPC calls. The UI client integrates sleep detection to manage connectivity state based on system sleep status.	2025-11-28 17:26:22 +01:00
Maycon Santos	aca0398105	[client] Add excluded port range handling for PKCE flow (#4853 )	2025-11-26 16:07:45 +01:00
Viktor Liu	02200d790b	[client] Open browser for ssh automatically (#4838 )	2025-11-26 16:06:47 +01:00
Bethuel Mmbaga	f31bba87b4	[management] Preserve validator settings on account settings update (#4862 )	2025-11-26 17:07:44 +03:00
shuuri-labs	7285fef0f0	feat: Add support for displaying device code (UserCode) on Android TV SSO flow (#4800 ) - Modified URLOpener interface to pass userCode alongside URL in login.go - added ability to force device auth flow	2025-11-25 15:51:16 +01:00
Maycon Santos	20973063d8	[client] Support disable search domain for custom zones (#4826 ) Two new boolean flags, SearchDomainDisabled and SkipPTRProcess, are added to CustomZone and its protobuf; they are propagated through the engine to DNS host logic. Host matching now uses SearchDomainDisabled directly, and PTR collection skips zones with SkipPTRProcess; reverse zones are initialized with SearchDomainDisabled: true.	2025-11-24 17:50:08 +01:00
Aziz Hasanain	ba2e9b6d88	[management] Fix SSH JWT issuer derivation for IDPs with path components (#4844 )	2025-11-24 12:12:51 +01:00
Viktor Liu	131d7a3694	[client] Make mss clamping optional for nftables (#4843 )	2025-11-22 18:57:07 +01:00
Maycon Santos	290fe2d8b9	[client/management/signal/relay] Update go.mod to use Go 1.24.10 and upgrade x/crypto dependencies (#4828 ) Upgrade Go toolchain and golang.org/x/* deps to 1.24.10, standardize GitHub Actions to derive Go version from go.mod and adjust checkout ordering, raise WASM size limit to 55 MB, update FreeBSD tarball and gomobile refs, fix a few format-string/logging calls, treat usernames ending with $ as system accounts, and add Windows tests.	2025-11-22 10:10:18 +01:00
Vlad	7fb1a2fe31	[management] removed TestBufferUpdateAccountPeers because it was incorrect (#4839 )	2025-11-22 01:23:33 +01:00
Diego Romar	32146e576d	[android] allow selection/deselection of network resources on android peers (#4607 )	2025-11-21 13:36:33 +01:00
Viktor Liu	1311364397	[client] Increase ssh detection timeout (#4827 )	2025-11-20 17:09:22 +01:00
Maycon Santos	68f56b797d	[management] Add native ssh port rule on 22 (#4810 ) Implements feature-aware firewall rule expansion: derives peer-supported features (native SSH, portRanges) from peer version, prefers explicit Ports over PortRanges when expanding, conditionally appends a native SSH (22022) rule when policy and peer support allow, and adds helpers plus tests for SSH expansion behavior.	2025-11-19 13:16:47 +01:00
Pascal Fischer	3351b38434	[management] pass config to controller (#4807 )	2025-11-19 11:52:18 +01:00
Pascal Fischer	05cbead39b	[management] Fix direct peer networks route (#4802 )	2025-11-18 17:15:57 +01:00
Viktor Liu	60f4d5f9b0	[client] Revert migrate deprecated grpc client code #4805	2025-11-18 12:41:17 +01:00
Vlad	4eeb2d8deb	[management] added exception on not appending route firewall rules if we have all wildcard (#4801 )	2025-11-17 18:20:30 +01:00
Viktor Liu	d71a82769c	[client,management] Rewrite the SSH feature (#4015 )	2025-11-17 17:10:41 +01:00
Misha Bragin	0d79301141	Update client login success page (#4797 )	2025-11-17 15:28:20 +01:00
Viktor Liu	e4b41d0ad7	[client] Replace ipset lib (#4777 ) * Replace ipset lib * Update .github/workflows/check-license-dependencies.yml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> * Ignore internal licenses * Ignore dependencies from AGPL code * Use exported errors * Use fixed version --------- Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>	2025-11-14 00:25:00 +01:00
Viktor Liu	9cc9462cd5	[client] Use stdnet with a context to avoid DNS deadlocks (#4781 )	2025-11-13 20:16:45 +01:00
Diego Romar	3176b53968	[client] Add quick actions window (#4717 ) * Open quick settings window if netbird-ui is already running * [client-ui] fix connection status comparison * [client-ui] modularize quick actions code * [client-ui] add netbird-disconnected logo * [client-ui] change quickactions UI It now displays the NetBird logo and a single button with a round icon * [client-ui] add hint message to quick actions screen This also updates fyne to v2.7.0 * [client-ui] remove unnecessary default clause * [client-ui] remove commented code * [client-ui] remove unused dependency * [client-ui] close quick actions on connection change * [client-ui] add function to get image from embed resources * [client] Return error when calling sendShowWindowSignal from Windows * [client-ui] Add commentary on empty OnTapped function for toggleConnectionButton * [client-ui] Fix tests * [client-ui] Add context to menuUpClick call * [client-ui] Pass serviceClient app as parameter To use its clipboard rather than the window's when showing the upload success dialog * [client-ui] Replace for select with for range chan * [client-ui] Replace settings change listener channel Settings now accept a function callback * [client-ui] Add missing iconAboutDisconnected to icons_windows.go * [client] Add quick actions signal handler for Windows with named events * [client] Run go mod tidy * [client] Remove line break * [client] Log unexpected status in separate function * [client-ui] Refactor quick actions window To address racing conditions, it also replaces usage of pause and resume channels with an atomic bool. * [client-ui] use derived context from ServiceClient * [client] Update signal_windows log message Also, format error when trying to set event on sendShowWindowSignal * go mod tidy * [client-ui] Add struct to pass fewer parameters to applyQuickActionsUiState function * [client] Add missing import --------- Co-authored-by: Viktor Liu <viktor@netbird.io>	2025-11-13 10:25:19 -03:00
Viktor Liu	27957036c9	[client] Fix shutdown blocking on stuck ICE agent close (#4780 )	2025-11-13 13:24:51 +01:00
Pascal Fischer	6fb568728f	[management] Removed policy posture checks on original peer (#4779 ) Co-authored-by: crn4 <vladimir@netbird.io>	2025-11-13 12:51:03 +01:00
Pascal Fischer	cc97cffff1	[management] move network map logic into new design (#4774 )	2025-11-13 12:09:46 +01:00
Zoltan Papp	c28275611b	Fix agent reference (#4776 )	2025-11-11 13:59:32 +01:00
Vlad	56f169eede	[management] fix pg db deadlock after app panic (#4772 )	2025-11-10 23:43:08 +01:00
Viktor Liu	07cf9d5895	[client] Create networkd.conf.d if it doesn't exist (#4764 )	2025-11-08 10:54:37 +01:00
Pascal Fischer	7df49e249d	[management ] remove timing logs (#4761 )	2025-11-07 20:14:52 +01:00
Pascal Fischer	dbfc8a52c9	[management] remove GLOBAL when disabling foreign keys on mysql (#4615 )	2025-11-07 16:03:14 +01:00
Vlad	98ddac07bf	[management] remove toAll firewall rule (#4725 )	2025-11-07 15:50:58 +01:00
Pascal Fischer	48475ddc05	[management] add pat rate limiting (#4741 )	2025-11-07 15:50:18 +01:00
Vlad	6aa4ba7af4	[management] incremental network map builder (#4753 )	2025-11-07 10:44:46 +01:00
dependabot[bot]	2e16c9914a	[management] Bump github.com/containerd/containerd from 1.7.27 to 1.7.29 (#4756 ) Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.27 to 1.7.29. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](https://github.com/containerd/containerd/compare/v1.7.27...v1.7.29) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.29 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-11-06 19:01:44 +03:00
Pascal Fischer	5c29d395b2	[management] activity events on group updates (#4750 )	2025-11-06 12:51:14 +01:00
Viktor Liu	229e0038ee	[client] Add dns config to debug bundle (#4704 )	2025-11-05 17:30:17 +01:00
Viktor Liu	75327d9519	[client] Add login_hint to oidc flows (#4724 )	2025-11-05 17:00:20 +01:00
Hakan Sariman	20f5f00635	[client] Add unit tests for engine synchronization and Info flag copying - Introduced tests for the Engine's handleSync method to verify behavior when SkipNetworkMapUpdate is true and when NetworkMap is nil. - Added a test for the Info struct to ensure correct copying of flag values from one instance to another, while preserving unrelated fields.	2025-10-17 10:03:07 +03:00
Hakan Sariman	fc141cf3a3	[client] Refactor lastNetworkMapSerial handling in GrpcClient - Removed atomic operations for lastNetworkMapSerial and replaced them with mutex-based methods for thread-safe access.	2025-09-29 18:49:23 +07:00
Hakan Sariman	d0c65fa08e	[client] Add skipNetworkMapUpdate field to SyncResponse for conditional updates	2025-09-29 18:28:14 +07:00
Hakan Sariman	f241bfa339	Refactor flag setting in Info struct to use CopyFlagsFrom method	2025-09-29 15:38:35 +07:00
Hakan Sariman	4b2cd97d5f	[client] Enhance SyncRequest with NetworkMap serial tracking - Added `networkMapSerial` field to `SyncRequest` for tracking the last known network map serial number. - Updated `GrpcClient` to store and utilize the last network map serial during sync operations, optimizing synchronization processes. - Improved handling of system info updates to ensure accurate metadata is sent with sync requests.	2025-09-25 19:28:35 +07:00