Add timeout to debug bundle upload on Android

Use a 2-minute context timeout instead of context.Background() to prevent the upload from blocking indefinitely.
Add DebugBundle method with PlatformFiles fallback
2026-04-19 16:56:39 +00:00 · 2026-04-14 19:52:07 +02:00 · 2026-04-14 19:19:35 +02:00 · 2026-04-14 18:50:25 +02:00 · 2026-04-14 18:38:26 +02:00 · 2026-04-13 16:23:57 +02:00
764 changed files with 114315 additions and 6106 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,6 @@
 .env
 .env.*
 *.pem
 *.key
 *.crt
 *.p12
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,14 @@
 blank_issues_enabled: true
 contact_links:
  - name: Community Support
    url: https://forum.netbird.io/
    about: Community support forum
  - name: Cloud Support
    url: https://docs.netbird.io/help/report-bug-issues
    about: Contact us for support
  - name: Client/Connection Troubleshooting
    url: https://docs.netbird.io/help/troubleshooting-client
    about: See our client troubleshooting guide for help addressing common issues
  - name: Self-host Troubleshooting
    url: https://docs.netbird.io/selfhosted/troubleshooting
    about: See our self-host troubleshooting guide for help addressing common issues
--- a/.github/workflows/check-license-dependencies.yml
+++ b/.github/workflows/check-license-dependencies.yml
@@ -23,7 +23,7 @@ jobs:
      - name: Check for problematic license dependencies
        run: |
-          echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+          echo "Checking for dependencies on management/, signal/, relay/, and proxy/ packages..."
          echo ""
          # Find all directories except the problematic ones and system dirs
@@ -31,7 +31,7 @@ jobs:
          while IFS= read -r dir; do
            echo "=== Checking $dir ==="
            # Search for problematic imports, excluding test files
-            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+            RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" | grep -v "tools/idp-migrate/" || true)
            if [ -n "$RESULTS" ]; then
              echo "❌ Found problematic dependencies:"
              echo "$RESULTS"
@@ -39,11 +39,11 @@ jobs:
            else
              echo "✓ No problematic dependencies found"
            fi
-          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
+          done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name "proxy" -not -name "combined" -not -name ".git*" | sort)
          echo ""
          if [ $FOUND_ISSUES -eq 1 ]; then
-            echo "❌ Found dependencies on management/, signal/, or relay/ packages"
+            echo "❌ Found dependencies on management/, signal/, relay/, or proxy/ packages"
            echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
            exit 1
          else
@@ -88,7 +88,7 @@ jobs:
              IMPORTERS=$(go list -json -deps ./... 2>/dev/null | jq -r "select(.Imports[]? == \"$package\") | .ImportPath")
              # Check if any importer is NOT in management/signal/relay
-              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\)" | head -1)
+              BSD_IMPORTER=$(echo "$IMPORTERS" | grep -v "github.com/netbirdio/netbird/\(management\|signal\|relay\|proxy\|combined\|tools/idp-migrate\)" | head -1)
              if [ -n "$BSD_IMPORTER" ]; then
                echo "❌ $package ($license) is imported by BSD-licensed code: $BSD_IMPORTER"
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -43,5 +43,5 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
--- a/.github/workflows/golang-test-freebsd.yml
+++ b/.github/workflows/golang-test-freebsd.yml
@@ -46,6 +46,5 @@ jobs:
            time go test -timeout 1m -failfast ./client/iface/...
            time go test -timeout 1m -failfast ./route/...
            time go test -timeout 1m -failfast ./sharedsock/...
            time go test -timeout 1m -failfast ./signal/...
            time go test -timeout 1m -failfast ./util/...
            time go test -timeout 1m -failfast ./version/...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -97,6 +97,16 @@ jobs:
        working-directory: relay
        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
      - name: Build combined
        if: steps.cache.outputs.cache-hit != 'true'
        working-directory: combined
        run: CGO_ENABLED=1 go build .
      - name: Build combined 386
        if: steps.cache.outputs.cache-hit != 'true'
        working-directory: combined
        run: CGO_ENABLED=1 GOARCH=386 go build -o combined-386 .
  test:
    name: "Client / Unit"
    needs: [build-cache]
@@ -144,7 +154,7 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined)
  test_client_on_docker:
    name: "Client (Docker) / Unit"
@@ -204,7 +214,7 @@ jobs:
            sh -c ' \
              apk update; apk add --no-cache \
                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
-              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /proxy -e /combined -e /client/ui -e /upload-server)
            '
  test_relay:
@@ -261,6 +271,53 @@ jobs:
            -exec 'sudo' \
            -timeout 10m -p 1 ./relay/... ./shared/relay/...
  test_proxy:
    name: "Proxy / Unit"
    needs: [build-cache]
    strategy:
      fail-fast: false
      matrix:
        arch: [ '386','amd64' ]
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "go.mod"
          cache: false
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y gcc-multilib g++-multilib libc6-dev-i386
      - name: Get Go environment
        run: |
          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
      - name: Cache Go modules
        uses: actions/cache/restore@v4
        with:
          path: |
            ${{ env.cache }}
            ${{ env.modcache }}
          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-gotest-cache-
      - name: Install modules
        run: go mod tidy
      - name: check git status
        run: git --no-pager diff --exit-code
      - name: Test
        run: |
          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
          go test -timeout 10m -p 1 ./proxy/...
  test_signal:
    name: "Signal / Unit"
    needs: [build-cache]
@@ -352,12 +409,19 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: docker login for root user
        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: download mysql image
        if: matrix.store == 'mysql'
        run: docker pull mlsmaycon/warmed-mysql:8
@@ -440,15 +504,18 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: download mysql image
+      - name: docker login for root user
-        if: matrix.store == 'mysql'
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        run: docker pull mlsmaycon/warmed-mysql:8
+        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: Test
        run: |
@@ -529,15 +596,18 @@ jobs:
        run: git --no-pager diff --exit-code
      - name: Login to Docker hub
-        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: download mysql image
+      - name: docker login for root user
-        if: matrix.store == 'mysql'
+        if: github.event.pull_request && github.event.pull_request.head.repo && github.event.pull_request.head.repo.full_name == '' || github.repository == github.event.pull_request.head.repo.full_name || !github.head_ref
-        run: docker pull mlsmaycon/warmed-mysql:8
+        env:
          DOCKER_USER: ${{ secrets.DOCKER_USER }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        run: echo "$DOCKER_TOKEN" | sudo docker login --username "$DOCKER_USER" --password-stdin
      - name: Test
        run: |
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -63,10 +63,15 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
+      - name: Generate test script
        run: |
          $packages = go list ./... | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' } | Where-Object { $_ -notmatch '/proxy' } | Where-Object { $_ -notmatch '/combined' }
          $goExe = "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe"
          $cmd = "$goExe test -tags=devcert -timeout 10m -p 1 $($packages -join ' ') > test-out.txt 2>&1"
          Set-Content -Path "${{ github.workspace }}\run-tests.cmd" -Value $cmd
      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "${{ github.workspace }}\run-tests.cmd"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,8 +19,8 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros,ans,deriver,te,userA
-          skip: go.mod,go.sum
+          skip: go.mod,go.sum,**/proxy/web/**
  golangci:
    strategy:
      fail-fast: false
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -0,0 +1,51 @@
 name: PR Title Check
 on:
  pull_request:
    types: [opened, edited, synchronize, reopened]
 jobs:
  check-title:
    runs-on: ubuntu-latest
    steps:
      - name: Validate PR title prefix
        uses: actions/github-script@v7
        with:
          script: |
            const title = context.payload.pull_request.title;
            const allowedTags = [
              'management',
              'client',
              'signal',
              'proxy',
              'relay',
              'misc',
              'infrastructure',
              'self-hosted',
              'doc',
            ];
            const pattern = /^\[([^\]]+)\]\s+.+/;
            const match = title.match(pattern);
            if (!match) {
              core.setFailed(
                `PR title must start with a tag in brackets.\n` +
                `Example: [client] fix something\n` +
                `Allowed tags: ${allowedTags.join(', ')}`
              );
              return;
            }
            const tags = match[1].split(',').map(t => t.trim().toLowerCase());
            const invalid = tags.filter(t => !allowedTags.includes(t));
            if (invalid.length > 0) {
              core.setFailed(
                `Invalid tag(s): ${invalid.join(', ')}\n` +
                `Allowed tags: ${allowedTags.join(', ')}`
              );
              return;
            }
            console.log(`Valid PR title tags: [${tags.join(', ')}]`);
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,8 +9,8 @@ on:
  pull_request:
 env:
-  SIGN_PIPE_VER: "v0.1.0"
+  SIGN_PIPE_VER: "v0.1.1"
-  GORELEASER_VER: "v2.3.2"
+  GORELEASER_VER: "v2.14.3"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
@@ -160,7 +160,7 @@ jobs:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Log in to the GitHub container registry
-        if: github.event_name != 'pull_request'
+        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
@@ -169,6 +169,14 @@ jobs:
      - name: Install OS build dependencies
        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
      - name: Decode GPG signing key
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
      - name: Install goversioninfo
        run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
      - name: Generate windows syso amd64
@@ -176,6 +184,7 @@ jobs:
      - name: Generate windows syso arm64
        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@v4
        with:
          version: ${{ env.GORELEASER_VER }}
@@ -185,6 +194,55 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
            dnf install -y -q rpm-sign curl >/dev/null 2>&1
            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
            rpm --import /tmp/rpm-pub.key
            echo "=== Verifying RPM signatures ==="
            for rpm_file in /dist/*amd64*.rpm; do
              [ -f "$rpm_file" ] || continue
              echo "--- $(basename $rpm_file) ---"
              rpm -K "$rpm_file"
            done
          '
      - name: Clean up GPG key
        if: always()
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: Tag and push images (amd64 only)
        if: |
          (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
          (github.event_name == 'push' && github.ref == 'refs/heads/main')
        run: |
          resolve_tags() {
            if [[ "${{ github.event_name }}" == "pull_request" ]]; then
              echo "pr-${{ github.event.pull_request.number }}"
            else
              echo "main sha-$(git rev-parse --short HEAD)"
            fi
          }
          tag_and_push() {
            local src="$1" img_name tag dst
            img_name="${src%%:*}"
            for tag in $(resolve_tags); do
              dst="${img_name}:${tag}"
              echo "Tagging ${src} -> ${dst}"
              docker tag "$src" "$dst"
              docker push "$dst"
            done
          }
          export -f tag_and_push resolve_tags
          echo '${{ steps.goreleaser.outputs.artifacts }}' | \
            jq -r '.[] | select(.type == "Docker Image") | select(.goarch == "amd64") | .name' | \
            grep '^ghcr.io/' | while read -r SRC; do
              tag_and_push "$SRC"
            done
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
@@ -251,6 +309,14 @@ jobs:
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
      - name: Decode GPG signing key
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
        env:
          GPG_RPM_PRIVATE_KEY: ${{ secrets.GPG_RPM_PRIVATE_KEY }}
        run: |
          echo "$GPG_RPM_PRIVATE_KEY" | base64 -d > /tmp/gpg-rpm-signing-key.asc
          echo "GPG_RPM_KEY_FILE=/tmp/gpg-rpm-signing-key.asc" >> $GITHUB_ENV
      - name: Install LLVM-MinGW for ARM64 cross-compilation
        run: |
          cd /tmp
@@ -275,6 +341,24 @@ jobs:
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          GPG_RPM_KEY_FILE: ${{ env.GPG_RPM_KEY_FILE }}
          NFPM_NETBIRD_UI_RPM_PASSPHRASE: ${{ secrets.GPG_RPM_PASSPHRASE }}
      - name: Verify RPM signatures
        run: |
          docker run --rm -v $(pwd)/dist:/dist fedora:41 bash -c '
            dnf install -y -q rpm-sign curl >/dev/null 2>&1
            curl -sSL https://pkgs.netbird.io/yum/repodata/repomd.xml.key -o /tmp/rpm-pub.key
            rpm --import /tmp/rpm-pub.key
            echo "=== Verifying RPM signatures ==="
            for rpm_file in /dist/*.rpm; do
              [ -f "$rpm_file" ] || continue
              echo "--- $(basename $rpm_file) ---"
              rpm -K "$rpm_file"
            done
          '
      - name: Clean up GPG key
        if: always()
        run: rm -f /tmp/gpg-rpm-signing-key.asc
      - name: upload non tags for debug purposes
        uses: actions/upload-artifact@v4
        with:
--- a/.github/workflows/wasm-build-validation.yml
+++ b/.github/workflows/wasm-build-validation.yml
@@ -61,8 +61,8 @@ jobs:
          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-          if [ ${SIZE} -gt 57671680 ]; then
+          if [ ${SIZE} -gt 58720256 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 55MB limit!"
+            echo "Wasm binary size (${SIZE_MB}MB) exceeds 56MB limit!"
            exit 1
          fi
--- a/.gitignore
+++ b/.gitignore
@@ -2,6 +2,7 @@
 .run
 *.iml
 dist/
 !proxy/web/dist/
 bin/
 .env
 conf.json
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -106,6 +106,26 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-server
    dir: combined
    env:
      - CGO_ENABLED=1
      - >-
        {{- if eq .Runtime.Goos "linux" }}
          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
        {{- end }}
    binary: netbird-server
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-upload
    dir: upload-server
    env: [CGO_ENABLED=0]
@@ -120,6 +140,40 @@ builds:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-proxy
    dir: proxy/cmd/proxy
    env: [CGO_ENABLED=0]
    binary: netbird-proxy
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X main.Version={{.Version}} -X main.Commit={{.Commit}} -X main.BuildDate={{.CommitDate}}
    mod_timestamp: "{{ .CommitTimestamp }}"
  - id: netbird-idp-migrate
    dir: tools/idp-migrate
    env:
      - CGO_ENABLED=1
      - >-
        {{- if eq .Runtime.Goos "linux" }}
          {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
          {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
        {{- end }}
    binary: netbird-idp-migrate
    goos:
      - linux
    goarch:
      - amd64
      - arm64
      - arm
    ldflags:
      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: "{{ .CommitTimestamp }}"
 universal_binaries:
  - id: netbird
@@ -132,18 +186,22 @@ archives:
      - netbird-wasm
    name_template: "{{ .ProjectName }}_{{ .Version }}"
    format: binary
  - id: netbird-idp-migrate
    builds:
      - netbird-idp-migrate
    name_template: "netbird-idp-migrate_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
 nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    id: netbird-deb
+    license: BSD-3-Clause
    id: netbird_deb
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - deb
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -151,16 +209,19 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
-    id: netbird-rpm
+    license: BSD-3-Clause
    id: netbird_rpm
    bindir: /usr/bin
    builds:
      - netbird
    formats:
      - rpm
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 dockers:
  - image_templates:
      - netbirdio/netbird:{{ .Version }}-amd64
@@ -520,6 +581,104 @@ dockers:
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-amd64
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
    ids:
      - netbird-server
    goarch: amd64
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
    ids:
      - netbird-server
    goarch: arm64
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
    ids:
      - netbird-server
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: combined/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
    ids:
      - netbird-proxy
    goarch: amd64
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
    ids:
      - netbird-proxy
    goarch: arm64
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
  - image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
    ids:
      - netbird-proxy
    goarch: arm
    goarm: 6
    use: buildx
    dockerfile: proxy/Dockerfile
    build_flag_templates:
      - "--platform=linux/arm"
      - "--label=org.opencontainers.image.created={{.Date}}"
      - "--label=org.opencontainers.image.title={{.ProjectName}}"
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
      - "--label=maintainer=dev@netbird.io"
 docker_manifests:
  - name_template: netbirdio/netbird:{{ .Version }}
    image_templates:
@@ -598,6 +757,18 @@ docker_manifests:
      - netbirdio/upload:{{ .Version }}-arm
      - netbirdio/upload:{{ .Version }}-amd64
  - name_template: netbirdio/netbird-server:{{ .Version }}
    image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - netbirdio/netbird-server:{{ .Version }}-arm
      - netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: netbirdio/netbird-server:latest
    image_templates:
      - netbirdio/netbird-server:{{ .Version }}-arm64v8
      - netbirdio/netbird-server:{{ .Version }}-arm
      - netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
@@ -675,6 +846,43 @@ docker_manifests:
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird-server:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/netbird-server:latest
    image_templates:
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-arm
      - ghcr.io/netbirdio/netbird-server:{{ .Version }}-amd64
  - name_template: netbirdio/reverse-proxy:{{ .Version }}
    image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: netbirdio/reverse-proxy:latest
    image_templates:
      - netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - netbirdio/reverse-proxy:{{ .Version }}-arm
      - netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/reverse-proxy:{{ .Version }}
    image_templates:
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
  - name_template: ghcr.io/netbirdio/reverse-proxy:latest
    image_templates:
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm64v8
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-arm
      - ghcr.io/netbirdio/reverse-proxy:{{ .Version }}-amd64
 brews:
  - ids:
      - default
@@ -695,7 +903,7 @@ brews:
 uploads:
  - name: debian
    ids:
-      - netbird-deb
+      - netbird_deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -703,7 +911,7 @@ uploads:
  - name: yum
    ids:
-      - netbird-rpm
+      - netbird_rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -61,7 +61,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird-ui-deb
+    id: netbird_ui_deb
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -80,7 +80,7 @@ nfpms:
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client UI.
    homepage: https://netbird.io/
-    id: netbird-ui-rpm
+    id: netbird_ui_rpm
    package_name: netbird-ui
    builds:
      - netbird-ui
@@ -95,11 +95,14 @@ nfpms:
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
    rpm:
      signature:
        key_file: '{{ if index .Env "GPG_RPM_KEY_FILE" }}{{ .Env.GPG_RPM_KEY_FILE }}{{ end }}'
 uploads:
  - name: debian
    ids:
-      - netbird-ui-deb
+      - netbird_ui_deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -107,7 +110,7 @@ uploads:
  - name: yum
    ids:
-      - netbird-ui-rpm
+      - netbird_ui_rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,7 +1,7 @@
 ##  Contributor License Agreement
 This Contributor License Agreement (referred to as the "Agreement") is entered into by the individual 
-submitting this Agreement and NetBird GmbH, c/o Max-Beer-Straße 2-4 Münzstraße 12 10178 Berlin, Germany, 
+submitting this Agreement and NetBird GmbH, Brunnenstraße 196, 10119 Berlin, Germany, 
 referred to as "NetBird" (collectively, the "Parties"). The Agreement outlines the terms and conditions 
 under which NetBird may utilize software contributions provided by the Contributor for inclusion in 
 its software development projects. By submitting this Agreement, the Contributor confirms their acceptance 
--- a/2
+++ b/2
@@ -1,4 +1,4 @@
-This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/ and relay/.
+This BSD‑3‑Clause license applies to all parts of the repository except for the directories management/, signal/, relay/ and combined/.
 Those directories are licensed under the GNU Affero General Public License version 3.0 (AGPLv3). See the respective LICENSE files inside each directory.
 BSD 3-Clause License
--- a/README.md
+++ b/README.md
@@ -60,8 +60,8 @@
 https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
-### NetBird on Lawrence Systems (Video)
+### Self-Host NetBird (Video)
-[![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)
+[![Watch the video](https://img.youtube.com/vi/bZAgpT6nzaQ/0.jpg)](https://youtu.be/bZAgpT6nzaQ)
 ### Key features
@@ -126,6 +126,7 @@ See a complete [architecture overview](https://docs.netbird.io/about-netbird/how
 ### Community projects
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 -  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)
 -  [netbird-tui](https://github.com/n0pashkov/netbird-tui) — terminal UI for managing NetBird peers, routes, and settings
 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
    bash \
@@ -17,8 +17,7 @@ ENV \
    NETBIRD_BIN="/usr/local/bin/netbird" \
    NB_LOG_FILE="console,/var/log/netbird/client.log" \
    NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -23,8 +23,7 @@ ENV \
    NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
    NB_LOG_FILE="console,/var/lib/netbird/client.log" \
    NB_DISABLE_DNS="true" \
-    NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
+    NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -8,6 +8,7 @@ import (
 	"os"
 	"slices"
 	"sync"
 	"time"
 	"golang.org/x/exp/maps"
@@ -15,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -26,6 +28,7 @@ import (
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	types "github.com/netbirdio/netbird/upload-server/types"
 )
 // ConnectionListener export internal Listener for mobile
@@ -69,6 +72,8 @@ type Client struct {
 	networkChangeListener listener.NetworkChangeListener
 	connectClient *internal.ConnectClient
 	config        *profilemanager.Config
 	cacheDir      string
 }
 // NewClient instantiate a new Client
@@ -93,6 +98,7 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid
 	cfgFile := platformFiles.ConfigurationFilePath()
 	stateFile := platformFiles.StateFilePath()
 	cacheDir := platformFiles.CacheDir()
 	log.Infof("Starting client with config: %s, state: %s", cfgFile, stateFile)
@@ -124,8 +130,10 @@ func (c *Client) Run(platformFiles PlatformFiles, urlOpener URLOpener, isAndroid
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
+	c.config = cfg
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
+	c.cacheDir = cacheDir
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile, cacheDir)
 }
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -135,6 +143,7 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR
 	cfgFile := platformFiles.ConfigurationFilePath()
 	stateFile := platformFiles.StateFilePath()
 	cacheDir := platformFiles.CacheDir()
 	log.Infof("Starting client without login with config: %s, state: %s", cfgFile, stateFile)
@@ -157,8 +166,10 @@ func (c *Client) RunWithoutLogin(platformFiles PlatformFiles, dns *DNSList, dnsR
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, false)
+	c.config = cfg
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile)
+	c.cacheDir = cacheDir
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener, stateFile, cacheDir)
 }
 // Stop the internal client and free the resources
@@ -185,6 +196,74 @@ func (c *Client) RenewTun(fd int) error {
 	return e.RenewTun(fd)
 }
 // DebugBundle generates a debug bundle, uploads it, and returns the upload key.
 // It works both with and without a running engine.
 func (c *Client) DebugBundle(platformFiles PlatformFiles, anonymize bool) (string, error) {
 	cfg := c.config
 	cacheDir := c.cacheDir
 	// If the engine hasn't been started, load config from disk
 	if cfg == nil {
 		var err error
 		cfg, err = profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 			ConfigPath: platformFiles.ConfigurationFilePath(),
 		})
 		if err != nil {
 			return "", fmt.Errorf("load config: %w", err)
 		}
 		cacheDir = platformFiles.CacheDir()
 	}
 	deps := debug.GeneratorDependencies{
 		InternalConfig: cfg,
 		StatusRecorder: c.recorder,
 		TempDir:        cacheDir,
 	}
 	if c.connectClient != nil {
 		resp, err := c.connectClient.GetLatestSyncResponse()
 		if err != nil {
 			log.Warnf("get latest sync response: %v", err)
 		}
 		deps.SyncResponse = resp
 		if e := c.connectClient.Engine(); e != nil {
 			if cm := e.GetClientMetrics(); cm != nil {
 				deps.ClientMetrics = cm
 			}
 		}
 	}
 	bundleGenerator := debug.NewBundleGenerator(
 		deps,
 		debug.BundleConfig{
 			Anonymize:         anonymize,
 			IncludeSystemInfo: true,
 		},
 	)
 	path, err := bundleGenerator.Generate()
 	if err != nil {
 		return "", fmt.Errorf("generate debug bundle: %w", err)
 	}
 	defer func() {
 		if err := os.Remove(path); err != nil {
 			log.Errorf("failed to remove debug bundle file: %v", err)
 		}
 	}()
 	uploadCtx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
 	key, err := debug.UploadDebugBundle(uploadCtx, types.DefaultBundleURL, cfg.ManagementURL.String(), path)
 	if err != nil {
 		return "", fmt.Errorf("upload debug bundle: %w", err)
 	}
 	log.Infof("debug bundle uploaded with key %s", key)
 	return key, nil
 }
 // SetTraceLogLevel configure the logger to trace level
 func (c *Client) SetTraceLogLevel() {
 	log.SetLevel(log.TraceLevel)
@@ -205,7 +284,7 @@ func (c *Client) PeersList() *PeerInfoArray {
 		pi := PeerInfo{
 			p.IP,
 			p.FQDN,
-			p.ConnStatus.String(),
+			int(p.ConnStatus),
 			PeerRoutes{routes: maps.Keys(p.GetRoutes())},
 		}
 		peerInfos[n] = pi
--- a/client/android/env_list.go
+++ b/client/android/env_list.go
@@ -1,10 +1,19 @@
 package android
-import "github.com/netbirdio/netbird/client/internal/peer"
+import (
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	"github.com/netbirdio/netbird/client/internal/peer"
 )
 var (
-	// EnvKeyNBForceRelay Exported for Android java client
+	// EnvKeyNBForceRelay Exported for Android java client to force relay connections
 	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
 	// EnvKeyNBLazyConn Exported for Android java client to configure lazy connection
 	EnvKeyNBLazyConn = lazyconn.EnvEnableLazyConn
 	// EnvKeyNBInactivityThreshold Exported for Android java client to configure connection inactivity threshold
 	EnvKeyNBInactivityThreshold = lazyconn.EnvInactivityThreshold
 )
 // EnvList wraps a Go map for export to Java
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -3,15 +3,7 @@ package android
 import (
 	"context"
 	"fmt"
 	"time"
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/cmd"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
@@ -84,34 +76,21 @@ func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
 }
 func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
-	supportsSSO := true
+	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
-	err := a.withBackOff(a.ctx, func() (err error) {
+	if err != nil {
-		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL, nil)
+		return false, fmt.Errorf("failed to create auth client: %v", err)
-		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
+	}
-			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+	defer authClient.Close()
 			s, ok := gstatus.FromError(err)
 			if !ok {
 				return err
 			}
 			if s.Code() == codes.NotFound || s.Code() == codes.Unimplemented {
 				supportsSSO = false
 				err = nil
 			}
-			return err
+	supportsSSO, err := authClient.IsSSOSupported(a.ctx)
-		}
+	if err != nil {
-
+		return false, fmt.Errorf("failed to check SSO support: %v", err)
-		return err
+	}
 	})
 	if !supportsSSO {
 		return false, nil
 	}
 	if err != nil {
 		return false, fmt.Errorf("backoff cycle failed: %v", err)
 	}
 	err = profilemanager.WriteOutConfig(a.cfgPath, a.config)
 	return true, err
 }
@@ -129,19 +108,17 @@ func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupK
 }
 func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
 	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	//nolint
 	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
-
+	err, _ = authClient.Login(ctxWithValues, setupKey, "")
 	err := a.withBackOff(a.ctx, func() error {
 		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
 		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
 			// we got an answer from management, exit backoff earlier
 			return backoff.Permanent(backoffErr)
 		}
 		return backoffErr
 	})
 	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
+		return fmt.Errorf("login failed: %v", err)
 	}
 	return profilemanager.WriteOutConfig(a.cfgPath, a.config)
@@ -160,49 +137,41 @@ func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener, isAndroidT
 }
 func (a *Auth) login(urlOpener URLOpener, isAndroidTV bool) error {
-	var needsLogin bool
+	authClient, err := auth.NewAuth(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config)
 	if err != nil {
 		return fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	// check if we need to generate JWT token
-	err := a.withBackOff(a.ctx, func() (err error) {
+	needsLogin, err := authClient.IsLoginRequired(a.ctx)
 		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config)
 		return
 	})
 	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
+		return fmt.Errorf("failed to check login requirement: %v", err)
 	}
 	jwtToken := ""
 	if needsLogin {
-		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener, isAndroidTV)
+		tokenInfo, err := a.foregroundGetTokenInfo(authClient, urlOpener, isAndroidTV)
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
 		jwtToken = tokenInfo.GetTokenToUse()
 	}
-	err = a.withBackOff(a.ctx, func() error {
+	err, _ = authClient.Login(a.ctx, "", jwtToken)
 		err := internal.Login(a.ctx, a.config, "", jwtToken)
 		if err == nil {
 			go urlOpener.OnLoginSuccess()
 		}
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			return nil
 		}
 		return err
 	})
 	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
+		return fmt.Errorf("login failed: %v", err)
 	}
 	go urlOpener.OnLoginSuccess()
 	return nil
 }
-func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
+func (a *Auth) foregroundGetTokenInfo(authClient *auth.Auth, urlOpener URLOpener, isAndroidTV bool) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(a.ctx, a.config, false, isAndroidTV, "")
+	oAuthFlow, err := authClient.GetOAuthFlow(a.ctx, isAndroidTV)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get OAuth flow: %v", err)
 	}
 	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
@@ -212,22 +181,10 @@ func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener, isAndroidTV bool) (*a
 	go urlOpener.Open(flowInfo.VerificationURIComplete, flowInfo.UserCode)
-	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	tokenInfo, err := oAuthFlow.WaitToken(a.ctx, flowInfo)
 	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout)
 	defer cancel()
 	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
 	return &tokenInfo, nil
 }
 func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
 	return backoff.RetryNotify(
 		bf,
 		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
 		func(err error, duration time.Duration) {
 			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
 		})
 }
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -2,11 +2,20 @@
 package android
 import "github.com/netbirdio/netbird/client/internal/peer"
 // Connection status constants exported via gomobile.
 const (
 	ConnStatusIdle       = int(peer.StatusIdle)
 	ConnStatusConnecting = int(peer.StatusConnecting)
 	ConnStatusConnected  = int(peer.StatusConnected)
 )
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
 	IP         string
 	FQDN       string
-	ConnStatus string // Todo replace to enum
+	ConnStatus int
 	Routes     PeerRoutes
 }
--- a/client/android/platform_files.go
+++ b/client/android/platform_files.go
@@ -7,4 +7,5 @@ package android
 type PlatformFiles interface {
 	ConfigurationFilePath() string
 	StateFilePath() string
 	CacheDir() string
 }
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -181,10 +181,11 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if stateWasDown {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
 		} else {
 			cmd.Println("netbird up")
 			time.Sleep(time.Second * 10)
 		}
 		cmd.Println("netbird up")
 		time.Sleep(time.Second * 10)
 	}
 	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
@@ -198,10 +199,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level set to trace.")
 	}
 	needsRestoreUp := false
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
 	} else {
 		needsRestoreUp = !stateWasDown
 		cmd.Println("netbird down")
 	}
 	cmd.Println("netbird down")
 	time.Sleep(1 * time.Second)
@@ -209,13 +213,15 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.SetSyncResponsePersistence(cmd.Context(), &proto.SetSyncResponsePersistenceRequest{
 		Enabled: true,
 	}); err != nil {
-		return fmt.Errorf("failed to enable sync response persistence: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to enable sync response persistence: %v\n", status.Convert(err).Message())
 	}
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
 	} else {
 		needsRestoreUp = false
 		cmd.Println("netbird up")
 	}
 	cmd.Println("netbird up")
 	time.Sleep(3 * time.Second)
@@ -261,18 +267,28 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 	if needsRestoreUp {
 		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
 			cmd.PrintErrf("Failed to restore service up state: %v\n", status.Convert(err).Message())
 		} else {
 			cmd.Println("netbird up (restored)")
 		}
 	}
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
-			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
 		} else {
 			cmd.Println("netbird down")
 		}
 		cmd.Println("netbird down")
 	}
 	if !initialLevelTrace {
 		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
-			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
+			cmd.PrintErrf("Failed to restore log level: %v\n", status.Convert(err).Message())
 		} else {
 			cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 		}
 		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
 	}
 	cmd.Printf("Local file:\n%s\n", resp.GetPath())
--- a/client/cmd/expose.go
+++ b/client/cmd/expose.go
@@ -0,0 +1,287 @@
 package cmd
 import (
 	"context"
 	"errors"
 	"fmt"
 	"io"
 	"os"
 	"os/signal"
 	"regexp"
 	"strconv"
 	"strings"
 	"syscall"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/util"
 )
 var pinRegexp = regexp.MustCompile(`^\d{6}$`)
 var (
 	exposePin          string
 	exposePassword     string
 	exposeUserGroups   []string
 	exposeDomain       string
 	exposeNamePrefix   string
 	exposeProtocol     string
 	exposeExternalPort uint16
 )
 var exposeCmd = &cobra.Command{
 	Use:   "expose <port>",
 	Short: "Expose a local port via the NetBird reverse proxy",
 	Args:  cobra.ExactArgs(1),
 	Example: `  netbird expose --with-password safe-pass 8080
  netbird expose --protocol tcp 5432
  netbird expose --protocol tcp --with-external-port 5433 5432
  netbird expose --protocol tls --with-custom-domain tls.example.com 4443`,
 	RunE: exposeFn,
 }
 func init() {
 	exposeCmd.Flags().StringVar(&exposePin, "with-pin", "", "Protect the exposed service with a 6-digit PIN (e.g. --with-pin 123456)")
 	exposeCmd.Flags().StringVar(&exposePassword, "with-password", "", "Protect the exposed service with a password (e.g. --with-password my-secret)")
 	exposeCmd.Flags().StringSliceVar(&exposeUserGroups, "with-user-groups", nil, "Restrict access to specific user groups with SSO (e.g. --with-user-groups devops,Backend)")
 	exposeCmd.Flags().StringVar(&exposeDomain, "with-custom-domain", "", "Custom domain for the exposed service, must be configured to your account (e.g. --with-custom-domain myapp.example.com)")
 	exposeCmd.Flags().StringVar(&exposeNamePrefix, "with-name-prefix", "", "Prefix for the generated service name (e.g. --with-name-prefix my-app)")
 	exposeCmd.Flags().StringVar(&exposeProtocol, "protocol", "http", "Protocol to use: http, https, tcp, udp, or tls (e.g. --protocol tcp)")
 	exposeCmd.Flags().Uint16Var(&exposeExternalPort, "with-external-port", 0, "Public-facing external port on the proxy cluster (defaults to the target port for L4)")
 }
 // isClusterProtocol returns true for L4/TLS protocols that reject HTTP-style auth flags.
 func isClusterProtocol(protocol string) bool {
 	switch strings.ToLower(protocol) {
 	case "tcp", "udp", "tls":
 		return true
 	default:
 		return false
 	}
 }
 // isPortBasedProtocol returns true for pure port-based protocols (TCP/UDP)
 // where domain display doesn't apply. TLS uses SNI so it has a domain.
 func isPortBasedProtocol(protocol string) bool {
 	switch strings.ToLower(protocol) {
 	case "tcp", "udp":
 		return true
 	default:
 		return false
 	}
 }
 // extractPort returns the port portion of a URL like "tcp://host:12345", or
 // falls back to the given default formatted as a string.
 func extractPort(serviceURL string, fallback uint16) string {
 	u := serviceURL
 	if idx := strings.Index(u, "://"); idx != -1 {
 		u = u[idx+3:]
 	}
 	if i := strings.LastIndex(u, ":"); i != -1 {
 		if p := u[i+1:]; p != "" {
 			return p
 		}
 	}
 	return strconv.FormatUint(uint64(fallback), 10)
 }
 // resolveExternalPort returns the effective external port, defaulting to the target port.
 func resolveExternalPort(targetPort uint64) uint16 {
 	if exposeExternalPort != 0 {
 		return exposeExternalPort
 	}
 	return uint16(targetPort)
 }
 func validateExposeFlags(cmd *cobra.Command, portStr string) (uint64, error) {
 	port, err := strconv.ParseUint(portStr, 10, 32)
 	if err != nil {
 		return 0, fmt.Errorf("invalid port number: %s", portStr)
 	}
 	if port == 0 || port > 65535 {
 		return 0, fmt.Errorf("invalid port number: must be between 1 and 65535")
 	}
 	if !isProtocolValid(exposeProtocol) {
 		return 0, fmt.Errorf("unsupported protocol %q: must be http, https, tcp, udp, or tls", exposeProtocol)
 	}
 	if isClusterProtocol(exposeProtocol) {
 		if exposePin != "" || exposePassword != "" || len(exposeUserGroups) > 0 {
 			return 0, fmt.Errorf("auth flags (--with-pin, --with-password, --with-user-groups) are not supported for %s protocol", exposeProtocol)
 		}
 	} else if cmd.Flags().Changed("with-external-port") {
 		return 0, fmt.Errorf("--with-external-port is not supported for %s protocol", exposeProtocol)
 	}
 	if exposePin != "" && !pinRegexp.MatchString(exposePin) {
 		return 0, fmt.Errorf("invalid pin: must be exactly 6 digits")
 	}
 	if cmd.Flags().Changed("with-password") && exposePassword == "" {
 		return 0, fmt.Errorf("password cannot be empty")
 	}
 	if cmd.Flags().Changed("with-user-groups") && len(exposeUserGroups) == 0 {
 		return 0, fmt.Errorf("user groups cannot be empty")
 	}
 	return port, nil
 }
 func isProtocolValid(exposeProtocol string) bool {
 	switch strings.ToLower(exposeProtocol) {
 	case "http", "https", "tcp", "udp", "tls":
 		return true
 	default:
 		return false
 	}
 }
 func exposeFn(cmd *cobra.Command, args []string) error {
 	SetFlagsFromEnvVars(rootCmd)
 	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
 		log.Errorf("failed initializing log %v", err)
 		return err
 	}
 	cmd.Root().SilenceUsage = false
 	port, err := validateExposeFlags(cmd, args[0])
 	if err != nil {
 		return err
 	}
 	cmd.Root().SilenceUsage = true
 	ctx, cancel := context.WithCancel(cmd.Context())
 	defer cancel()
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
 	go func() {
 		<-sigCh
 		cancel()
 	}()
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return fmt.Errorf("connect to daemon: %w", err)
 	}
 	defer func() {
 		if err := conn.Close(); err != nil {
 			log.Debugf("failed to close daemon connection: %v", err)
 		}
 	}()
 	client := proto.NewDaemonServiceClient(conn)
 	protocol, err := toExposeProtocol(exposeProtocol)
 	if err != nil {
 		return err
 	}
 	req := &proto.ExposeServiceRequest{
 		Port:       uint32(port),
 		Protocol:   protocol,
 		Pin:        exposePin,
 		Password:   exposePassword,
 		UserGroups: exposeUserGroups,
 		Domain:     exposeDomain,
 		NamePrefix: exposeNamePrefix,
 	}
 	if isClusterProtocol(exposeProtocol) {
 		req.ListenPort = uint32(resolveExternalPort(port))
 	}
 	stream, err := client.ExposeService(ctx, req)
 	if err != nil {
 		return fmt.Errorf("expose service: %v", status.Convert(err).Message())
 	}
 	if err := handleExposeReady(cmd, stream, port); err != nil {
 		return err
 	}
 	return waitForExposeEvents(cmd, ctx, stream)
 }
 func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
 	p, err := expose.ParseProtocolType(exposeProtocol)
 	if err != nil {
 		return 0, fmt.Errorf("invalid protocol: %w", err)
 	}
 	switch p {
 	case expose.ProtocolHTTP:
 		return proto.ExposeProtocol_EXPOSE_HTTP, nil
 	case expose.ProtocolHTTPS:
 		return proto.ExposeProtocol_EXPOSE_HTTPS, nil
 	case expose.ProtocolTCP:
 		return proto.ExposeProtocol_EXPOSE_TCP, nil
 	case expose.ProtocolUDP:
 		return proto.ExposeProtocol_EXPOSE_UDP, nil
 	case expose.ProtocolTLS:
 		return proto.ExposeProtocol_EXPOSE_TLS, nil
 	default:
 		return 0, fmt.Errorf("unhandled protocol type: %d", p)
 	}
 }
 func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
 	event, err := stream.Recv()
 	if err != nil {
 		return fmt.Errorf("receive expose event: %v", status.Convert(err).Message())
 	}
 	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)
 	if !ok {
 		return fmt.Errorf("unexpected expose event: %T", event.Event)
 	}
 	printExposeReady(cmd, ready.Ready, port)
 	return nil
 }
 func printExposeReady(cmd *cobra.Command, r *proto.ExposeServiceReady, port uint64) {
 	cmd.Println("Service exposed successfully!")
 	cmd.Printf("  Name:     %s\n", r.ServiceName)
 	if r.ServiceUrl != "" {
 		cmd.Printf("  URL:      %s\n", r.ServiceUrl)
 	}
 	if r.Domain != "" && !isPortBasedProtocol(exposeProtocol) {
 		cmd.Printf("  Domain:   %s\n", r.Domain)
 	}
 	cmd.Printf("  Protocol: %s\n", exposeProtocol)
 	cmd.Printf("  Internal: %d\n", port)
 	if isClusterProtocol(exposeProtocol) {
 		cmd.Printf("  External: %s\n", extractPort(r.ServiceUrl, resolveExternalPort(port)))
 	}
 	if r.PortAutoAssigned && exposeExternalPort != 0 {
 		cmd.Printf("\n  Note: requested port %d was reassigned\n", exposeExternalPort)
 	}
 	cmd.Println()
 	cmd.Println("Press Ctrl+C to stop exposing.")
 }
 func waitForExposeEvents(cmd *cobra.Command, ctx context.Context, stream proto.DaemonService_ExposeServiceClient) error {
 	for {
 		_, err := stream.Recv()
 		if err != nil {
 			if ctx.Err() != nil {
 				cmd.Println("\nService stopped.")
 				//nolint:nilerr
 				return nil
 			}
 			if errors.Is(err, io.EOF) {
 				return fmt.Errorf("connection to daemon closed unexpectedly")
 			}
 			return fmt.Errorf("stream error: %w", err)
 		}
 	}
 }
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -7,7 +7,6 @@ import (
 	"os/user"
 	"runtime"
 	"strings"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -277,18 +276,15 @@ func handleSSOLogin(ctx context.Context, cmd *cobra.Command, loginResp *proto.Lo
 }
 func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profilemanager.Config, setupKey, profileName string) error {
-	needsLogin := false
+	authClient, err := auth.NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	err := WithBackOff(func() error {
 		err := internal.Login(ctx, config, "", "")
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			needsLogin = true
 			return nil
 		}
 		return err
 	})
 	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
+		return fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	needsLogin, err := authClient.IsLoginRequired(ctx)
 	if err != nil {
 		return fmt.Errorf("check login required: %v", err)
 	}
 	jwtToken := ""
@@ -300,23 +296,9 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *profileman
 		jwtToken = tokenInfo.GetTokenToUse()
 	}
-	var lastError error
+	err, _ = authClient.Login(ctx, setupKey, jwtToken)
 	err = WithBackOff(func() error {
 		err := internal.Login(ctx, config, setupKey, jwtToken)
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			lastError = err
 			return nil
 		}
 		return err
 	})
 	if lastError != nil {
 		return fmt.Errorf("login failed: %v", lastError)
 	}
 	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
+		return fmt.Errorf("login failed: %v", err)
 	}
 	return nil
@@ -344,11 +326,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *pro
 	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode, noBrowser)
-	waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+	tokenInfo, err := oAuthFlow.WaitToken(context.TODO(), flowInfo)
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout)
 	defer c()
 	tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
 	}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -22,6 +22,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 	daddr "github.com/netbirdio/netbird/client/internal/daemonaddr"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
@@ -80,6 +81,15 @@ var (
 		Short:        "",
 		Long:         "",
 		SilenceUsage: true,
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
 			SetFlagsFromEnvVars(cmd.Root())
 			// Don't resolve for service commands — they create the socket, not connect to it.
 			if !isServiceCmd(cmd) {
 				daemonAddr = daddr.ResolveUnixDaemonAddr(daemonAddr)
 			}
 			return nil
 		},
 	}
 )
@@ -144,6 +154,7 @@ func init() {
 	rootCmd.AddCommand(forwardingRulesCmd)
 	rootCmd.AddCommand(debugCmd)
 	rootCmd.AddCommand(profileCmd)
 	rootCmd.AddCommand(exposeCmd)
 	networksCMD.AddCommand(routesListCmd)
 	networksCMD.AddCommand(routesSelectCmd, routesDeselectCmd)
@@ -385,7 +396,6 @@ func migrateToNetbird(oldPath, newPath string) bool {
 }
 func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 	SetFlagsFromEnvVars(rootCmd)
 	cmd.SetOut(cmd.OutOrStdout())
 	conn, err := DialClientGRPCServer(cmd.Context(), daemonAddr)
@@ -398,3 +408,13 @@ func getClient(cmd *cobra.Command) (*grpc.ClientConn, error) {
 	return conn, nil
 }
 // isServiceCmd returns true if cmd is the "service" command or a child of it.
 func isServiceCmd(cmd *cobra.Command) bool {
 	for c := cmd; c != nil; c = c.Parent() {
 		if c.Name() == "service" {
 			return true
 		}
 	}
 	return false
 }
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -41,7 +41,7 @@ func init() {
 		defaultServiceName = "Netbird"
 	}
-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -103,7 +103,7 @@ func (p *program) Stop(srv service.Service) error {
 // Common setup for service control commands
 func setupServiceControlCommand(cmd *cobra.Command, ctx context.Context, cancel context.CancelFunc) (service.Service, error) {
-	SetFlagsFromEnvVars(rootCmd)
+	// rootCmd env vars are already applied by PersistentPreRunE.
 	SetFlagsFromEnvVars(serviceCmd)
 	cmd.SetOut(cmd.OutOrStdout())
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -119,6 +119,10 @@ var installCmd = &cobra.Command{
 			return err
 		}
 		if err := loadAndApplyServiceParams(cmd); err != nil {
 			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
 		}
 		svcConfig, err := createServiceConfigForInstall()
 		if err != nil {
 			return err
@@ -136,6 +140,10 @@ var installCmd = &cobra.Command{
 			return fmt.Errorf("install service: %w", err)
 		}
 		if err := saveServiceParams(currentServiceParams()); err != nil {
 			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
 		}
 		cmd.Println("NetBird service has been installed")
 		return nil
 	},
@@ -187,6 +195,10 @@ This command will temporarily stop the service, update its configuration, and re
 			return err
 		}
 		if err := loadAndApplyServiceParams(cmd); err != nil {
 			cmd.PrintErrf("Warning: failed to load saved service params: %v\n", err)
 		}
 		wasRunning, err := isServiceRunning()
 		if err != nil && !errors.Is(err, ErrGetServiceStatus) {
 			return fmt.Errorf("check service status: %w", err)
@@ -222,6 +234,10 @@ This command will temporarily stop the service, update its configuration, and re
 			return fmt.Errorf("install service with new config: %w", err)
 		}
 		if err := saveServiceParams(currentServiceParams()); err != nil {
 			cmd.PrintErrf("Warning: failed to save service params: %v\n", err)
 		}
 		if wasRunning {
 			cmd.Println("Starting NetBird service...")
 			if err := s.Start(); err != nil {
--- a/client/cmd/service_params.go
+++ b/client/cmd/service_params.go
@@ -0,0 +1,201 @@
 //go:build !ios && !android
 package cmd
 import (
 	"context"
 	"encoding/json"
 	"fmt"
 	"maps"
 	"os"
 	"path/filepath"
 	"github.com/spf13/cobra"
 	"github.com/netbirdio/netbird/client/configs"
 	"github.com/netbirdio/netbird/util"
 )
 const serviceParamsFile = "service.json"
 // serviceParams holds install-time service parameters that persist across
 // uninstall/reinstall cycles. Saved to <stateDir>/service.json.
 type serviceParams struct {
 	LogLevel              string            `json:"log_level"`
 	DaemonAddr            string            `json:"daemon_addr"`
 	ManagementURL         string            `json:"management_url,omitempty"`
 	ConfigPath            string            `json:"config_path,omitempty"`
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 // serviceParamsPath returns the path to the service params file.
 func serviceParamsPath() string {
 	return filepath.Join(configs.StateDir, serviceParamsFile)
 }
 // loadServiceParams reads saved service parameters from disk.
 // Returns nil with no error if the file does not exist.
 func loadServiceParams() (*serviceParams, error) {
 	path := serviceParamsPath()
 	data, err := os.ReadFile(path)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return nil, nil //nolint:nilnil
 		}
 		return nil, fmt.Errorf("read service params %s: %w", path, err)
 	}
 	var params serviceParams
 	if err := json.Unmarshal(data, &params); err != nil {
 		return nil, fmt.Errorf("parse service params %s: %w", path, err)
 	}
 	return &params, nil
 }
 // saveServiceParams writes current service parameters to disk atomically
 // with restricted permissions.
 func saveServiceParams(params *serviceParams) error {
 	path := serviceParamsPath()
 	if err := util.WriteJsonWithRestrictedPermission(context.Background(), path, params); err != nil {
 		return fmt.Errorf("save service params: %w", err)
 	}
 	return nil
 }
 // currentServiceParams captures the current state of all package-level
 // variables into a serviceParams struct.
 func currentServiceParams() *serviceParams {
 	params := &serviceParams{
 		LogLevel:              logLevel,
 		DaemonAddr:            daemonAddr,
 		ManagementURL:         managementURL,
 		ConfigPath:            configPath,
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
 	}
 	if len(serviceEnvVars) > 0 {
 		parsed, err := parseServiceEnvVars(serviceEnvVars)
 		if err == nil && len(parsed) > 0 {
 			params.ServiceEnvVars = parsed
 		}
 	}
 	return params
 }
 // loadAndApplyServiceParams loads saved params from disk and applies them
 // to any flags that were not explicitly set.
 func loadAndApplyServiceParams(cmd *cobra.Command) error {
 	params, err := loadServiceParams()
 	if err != nil {
 		return err
 	}
 	applyServiceParams(cmd, params)
 	return nil
 }
 // applyServiceParams merges saved parameters into package-level variables
 // for any flag that was not explicitly set by the user (via CLI or env var).
 // Flags that were Changed() are left untouched.
 func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 	if params == nil {
 		return
 	}
 	// For fields with non-empty defaults (log-level, daemon-addr), keep the
 	// != "" guard so that an older service.json missing the field doesn't
 	// clobber the default with an empty string.
 	if !rootCmd.PersistentFlags().Changed("log-level") && params.LogLevel != "" {
 		logLevel = params.LogLevel
 	}
 	if !rootCmd.PersistentFlags().Changed("daemon-addr") && params.DaemonAddr != "" {
 		daemonAddr = params.DaemonAddr
 	}
 	// For optional fields where empty means "use default", always apply so
 	// that an explicit clear (--management-url "") persists across reinstalls.
 	if !rootCmd.PersistentFlags().Changed("management-url") {
 		managementURL = params.ManagementURL
 	}
 	if !rootCmd.PersistentFlags().Changed("config") {
 		configPath = params.ConfigPath
 	}
 	if !rootCmd.PersistentFlags().Changed("log-file") {
 		logFiles = params.LogFiles
 	}
 	if !serviceCmd.PersistentFlags().Changed("disable-profiles") {
 		profilesDisabled = params.DisableProfiles
 	}
 	if !serviceCmd.PersistentFlags().Changed("disable-update-settings") {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 	applyServiceEnvParams(cmd, params)
 }
 // applyServiceEnvParams merges saved service environment variables.
 // If --service-env was explicitly set, explicit values win on key conflict
 // but saved keys not in the explicit set are carried over.
 // If --service-env was not set, saved env vars are used entirely.
 func applyServiceEnvParams(cmd *cobra.Command, params *serviceParams) {
 	if len(params.ServiceEnvVars) == 0 {
 		return
 	}
 	if !cmd.Flags().Changed("service-env") {
 		// No explicit env vars: rebuild serviceEnvVars from saved params.
 		serviceEnvVars = envMapToSlice(params.ServiceEnvVars)
 		return
 	}
 	// Explicit env vars were provided: merge saved values underneath.
 	explicit, err := parseServiceEnvVars(serviceEnvVars)
 	if err != nil {
 		cmd.PrintErrf("Warning: parse explicit service env vars for merge: %v\n", err)
 		return
 	}
 	merged := make(map[string]string, len(params.ServiceEnvVars)+len(explicit))
 	maps.Copy(merged, params.ServiceEnvVars)
 	maps.Copy(merged, explicit) // explicit wins on conflict
 	serviceEnvVars = envMapToSlice(merged)
 }
 var resetParamsCmd = &cobra.Command{
 	Use:   "reset-params",
 	Short: "Remove saved service install parameters",
 	Long:  "Removes the saved service.json file so the next install uses default parameters.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		path := serviceParamsPath()
 		if err := os.Remove(path); err != nil {
 			if os.IsNotExist(err) {
 				cmd.Println("No saved service parameters found")
 				return nil
 			}
 			return fmt.Errorf("remove service params: %w", err)
 		}
 		cmd.Printf("Removed saved service parameters (%s)\n", path)
 		return nil
 	},
 }
 // envMapToSlice converts a map of env vars to a KEY=VALUE slice.
 func envMapToSlice(m map[string]string) []string {
 	s := make([]string, 0, len(m))
 	for k, v := range m {
 		s = append(s, k+"="+v)
 	}
 	return s
 }
--- a/client/cmd/service_params_test.go
+++ b/client/cmd/service_params_test.go
@@ -0,0 +1,523 @@
 //go:build !ios && !android
 package cmd
 import (
 	"encoding/json"
 	"go/ast"
 	"go/parser"
 	"go/token"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/configs"
 )
 func TestServiceParamsPath(t *testing.T) {
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = "/var/lib/netbird"
 	assert.Equal(t, filepath.Join("/var/lib/netbird", "service.json"), serviceParamsPath())
 	configs.StateDir = "/custom/state"
 	assert.Equal(t, filepath.Join("/custom/state", "service.json"), serviceParamsPath())
 }
 func TestSaveAndLoadServiceParams(t *testing.T) {
 	tmpDir := t.TempDir()
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = tmpDir
 	params := &serviceParams{
 		LogLevel:              "debug",
 		DaemonAddr:            "unix:///var/run/netbird.sock",
 		ManagementURL:         "https://my.server.com",
 		ConfigPath:            "/etc/netbird/config.json",
 		LogFiles:              []string{"/var/log/netbird/client.log", "console"},
 		DisableProfiles:       true,
 		DisableUpdateSettings: false,
 		ServiceEnvVars:        map[string]string{"NB_LOG_FORMAT": "json", "CUSTOM": "val"},
 	}
 	err := saveServiceParams(params)
 	require.NoError(t, err)
 	// Verify the file exists and is valid JSON.
 	data, err := os.ReadFile(filepath.Join(tmpDir, "service.json"))
 	require.NoError(t, err)
 	assert.True(t, json.Valid(data))
 	loaded, err := loadServiceParams()
 	require.NoError(t, err)
 	require.NotNil(t, loaded)
 	assert.Equal(t, params.LogLevel, loaded.LogLevel)
 	assert.Equal(t, params.DaemonAddr, loaded.DaemonAddr)
 	assert.Equal(t, params.ManagementURL, loaded.ManagementURL)
 	assert.Equal(t, params.ConfigPath, loaded.ConfigPath)
 	assert.Equal(t, params.LogFiles, loaded.LogFiles)
 	assert.Equal(t, params.DisableProfiles, loaded.DisableProfiles)
 	assert.Equal(t, params.DisableUpdateSettings, loaded.DisableUpdateSettings)
 	assert.Equal(t, params.ServiceEnvVars, loaded.ServiceEnvVars)
 }
 func TestLoadServiceParams_FileNotExists(t *testing.T) {
 	tmpDir := t.TempDir()
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = tmpDir
 	params, err := loadServiceParams()
 	assert.NoError(t, err)
 	assert.Nil(t, params)
 }
 func TestLoadServiceParams_InvalidJSON(t *testing.T) {
 	tmpDir := t.TempDir()
 	original := configs.StateDir
 	t.Cleanup(func() { configs.StateDir = original })
 	configs.StateDir = tmpDir
 	err := os.WriteFile(filepath.Join(tmpDir, "service.json"), []byte("not json"), 0600)
 	require.NoError(t, err)
 	params, err := loadServiceParams()
 	assert.Error(t, err)
 	assert.Nil(t, params)
 }
 func TestCurrentServiceParams(t *testing.T) {
 	origLogLevel := logLevel
 	origDaemonAddr := daemonAddr
 	origManagementURL := managementURL
 	origConfigPath := configPath
 	origLogFiles := logFiles
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() {
 		logLevel = origLogLevel
 		daemonAddr = origDaemonAddr
 		managementURL = origManagementURL
 		configPath = origConfigPath
 		logFiles = origLogFiles
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
 		serviceEnvVars = origServiceEnvVars
 	})
 	logLevel = "trace"
 	daemonAddr = "tcp://127.0.0.1:9999"
 	managementURL = "https://mgmt.example.com"
 	configPath = "/tmp/test-config.json"
 	logFiles = []string{"/tmp/test.log"}
 	profilesDisabled = true
 	updateSettingsDisabled = true
 	serviceEnvVars = []string{"FOO=bar", "BAZ=qux"}
 	params := currentServiceParams()
 	assert.Equal(t, "trace", params.LogLevel)
 	assert.Equal(t, "tcp://127.0.0.1:9999", params.DaemonAddr)
 	assert.Equal(t, "https://mgmt.example.com", params.ManagementURL)
 	assert.Equal(t, "/tmp/test-config.json", params.ConfigPath)
 	assert.Equal(t, []string{"/tmp/test.log"}, params.LogFiles)
 	assert.True(t, params.DisableProfiles)
 	assert.True(t, params.DisableUpdateSettings)
 	assert.Equal(t, map[string]string{"FOO": "bar", "BAZ": "qux"}, params.ServiceEnvVars)
 }
 func TestApplyServiceParams_OnlyUnchangedFlags(t *testing.T) {
 	origLogLevel := logLevel
 	origDaemonAddr := daemonAddr
 	origManagementURL := managementURL
 	origConfigPath := configPath
 	origLogFiles := logFiles
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() {
 		logLevel = origLogLevel
 		daemonAddr = origDaemonAddr
 		managementURL = origManagementURL
 		configPath = origConfigPath
 		logFiles = origLogFiles
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
 		serviceEnvVars = origServiceEnvVars
 	})
 	// Reset all flags to defaults.
 	logLevel = "info"
 	daemonAddr = "unix:///var/run/netbird.sock"
 	managementURL = ""
 	configPath = "/etc/netbird/config.json"
 	logFiles = []string{"/var/log/netbird/client.log"}
 	profilesDisabled = false
 	updateSettingsDisabled = false
 	serviceEnvVars = nil
 	// Reset Changed state on all relevant flags.
 	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	// Simulate user explicitly setting --log-level via CLI.
 	logLevel = "warn"
 	require.NoError(t, rootCmd.PersistentFlags().Set("log-level", "warn"))
 	saved := &serviceParams{
 		LogLevel:              "debug",
 		DaemonAddr:            "tcp://127.0.0.1:5555",
 		ManagementURL:         "https://saved.example.com",
 		ConfigPath:            "/saved/config.json",
 		LogFiles:              []string{"/saved/client.log"},
 		DisableProfiles:       true,
 		DisableUpdateSettings: true,
 		ServiceEnvVars:        map[string]string{"SAVED_KEY": "saved_val"},
 	}
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	applyServiceParams(cmd, saved)
 	// log-level was Changed, so it should keep "warn", not use saved "debug".
 	assert.Equal(t, "warn", logLevel)
 	// All other fields were not Changed, so they should use saved values.
 	assert.Equal(t, "tcp://127.0.0.1:5555", daemonAddr)
 	assert.Equal(t, "https://saved.example.com", managementURL)
 	assert.Equal(t, "/saved/config.json", configPath)
 	assert.Equal(t, []string{"/saved/client.log"}, logFiles)
 	assert.True(t, profilesDisabled)
 	assert.True(t, updateSettingsDisabled)
 	assert.Equal(t, []string{"SAVED_KEY=saved_val"}, serviceEnvVars)
 }
 func TestApplyServiceParams_BooleanRevertToFalse(t *testing.T) {
 	origProfilesDisabled := profilesDisabled
 	origUpdateSettingsDisabled := updateSettingsDisabled
 	t.Cleanup(func() {
 		profilesDisabled = origProfilesDisabled
 		updateSettingsDisabled = origUpdateSettingsDisabled
 	})
 	// Simulate current state where booleans are true (e.g. set by previous install).
 	profilesDisabled = true
 	updateSettingsDisabled = true
 	// Reset Changed state so flags appear unset.
 	serviceCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	// Saved params have both as false.
 	saved := &serviceParams{
 		DisableProfiles:       false,
 		DisableUpdateSettings: false,
 	}
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	applyServiceParams(cmd, saved)
 	assert.False(t, profilesDisabled, "saved false should override current true")
 	assert.False(t, updateSettingsDisabled, "saved false should override current true")
 }
 func TestApplyServiceParams_ClearManagementURL(t *testing.T) {
 	origManagementURL := managementURL
 	t.Cleanup(func() { managementURL = origManagementURL })
 	managementURL = "https://leftover.example.com"
 	// Simulate saved params where management URL was explicitly cleared.
 	saved := &serviceParams{
 		LogLevel:   "info",
 		DaemonAddr: "unix:///var/run/netbird.sock",
 		// ManagementURL intentionally empty: was cleared with --management-url "".
 	}
 	rootCmd.PersistentFlags().VisitAll(func(f *pflag.Flag) {
 		f.Changed = false
 	})
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	applyServiceParams(cmd, saved)
 	assert.Equal(t, "", managementURL, "saved empty management URL should clear the current value")
 }
 func TestApplyServiceParams_NilParams(t *testing.T) {
 	origLogLevel := logLevel
 	t.Cleanup(func() { logLevel = origLogLevel })
 	logLevel = "info"
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	// Should be a no-op.
 	applyServiceParams(cmd, nil)
 	assert.Equal(t, "info", logLevel)
 }
 func TestApplyServiceEnvParams_MergeExplicitAndSaved(t *testing.T) {
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
 	// Set up a command with --service-env marked as Changed.
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	require.NoError(t, cmd.Flags().Set("service-env", "EXPLICIT=yes,OVERLAP=explicit"))
 	serviceEnvVars = []string{"EXPLICIT=yes", "OVERLAP=explicit"}
 	saved := &serviceParams{
 		ServiceEnvVars: map[string]string{
 			"SAVED":   "val",
 			"OVERLAP": "saved",
 		},
 	}
 	applyServiceEnvParams(cmd, saved)
 	// Parse result for easier assertion.
 	result, err := parseServiceEnvVars(serviceEnvVars)
 	require.NoError(t, err)
 	assert.Equal(t, "yes", result["EXPLICIT"])
 	assert.Equal(t, "val", result["SAVED"])
 	// Explicit wins on conflict.
 	assert.Equal(t, "explicit", result["OVERLAP"])
 }
 func TestApplyServiceEnvParams_NotChanged(t *testing.T) {
 	origServiceEnvVars := serviceEnvVars
 	t.Cleanup(func() { serviceEnvVars = origServiceEnvVars })
 	serviceEnvVars = nil
 	cmd := &cobra.Command{}
 	cmd.Flags().StringSlice("service-env", nil, "")
 	saved := &serviceParams{
 		ServiceEnvVars: map[string]string{"FROM_SAVED": "val"},
 	}
 	applyServiceEnvParams(cmd, saved)
 	result, err := parseServiceEnvVars(serviceEnvVars)
 	require.NoError(t, err)
 	assert.Equal(t, map[string]string{"FROM_SAVED": "val"}, result)
 }
 // TestServiceParams_FieldsCoveredInFunctions ensures that all serviceParams fields are
 // referenced in both currentServiceParams() and applyServiceParams(). If a new field is
 // added to serviceParams but not wired into these functions, this test fails.
 func TestServiceParams_FieldsCoveredInFunctions(t *testing.T) {
 	fset := token.NewFileSet()
 	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
 	require.NoError(t, err)
 	// Collect all JSON field names from the serviceParams struct.
 	structFields := extractStructJSONFields(t, file, "serviceParams")
 	require.NotEmpty(t, structFields, "failed to find serviceParams struct fields")
 	// Collect field names referenced in currentServiceParams and applyServiceParams.
 	currentFields := extractFuncFieldRefs(t, file, "currentServiceParams", structFields)
 	applyFields := extractFuncFieldRefs(t, file, "applyServiceParams", structFields)
 	// applyServiceEnvParams handles ServiceEnvVars indirectly.
 	applyEnvFields := extractFuncFieldRefs(t, file, "applyServiceEnvParams", structFields)
 	for k, v := range applyEnvFields {
 		applyFields[k] = v
 	}
 	for _, field := range structFields {
 		assert.Contains(t, currentFields, field,
 			"serviceParams field %q is not captured in currentServiceParams()", field)
 		assert.Contains(t, applyFields, field,
 			"serviceParams field %q is not restored in applyServiceParams()/applyServiceEnvParams()", field)
 	}
 }
 // TestServiceParams_BuildArgsCoversAllFlags ensures that buildServiceArguments references
 // all serviceParams fields that should become CLI args. ServiceEnvVars is excluded because
 // it flows through newSVCConfig() EnvVars, not CLI args.
 func TestServiceParams_BuildArgsCoversAllFlags(t *testing.T) {
 	fset := token.NewFileSet()
 	file, err := parser.ParseFile(fset, "service_params.go", nil, 0)
 	require.NoError(t, err)
 	structFields := extractStructJSONFields(t, file, "serviceParams")
 	require.NotEmpty(t, structFields)
 	installerFile, err := parser.ParseFile(fset, "service_installer.go", nil, 0)
 	require.NoError(t, err)
 	// Fields that are handled outside of buildServiceArguments (env vars go through newSVCConfig).
 	fieldsNotInArgs := map[string]bool{
 		"ServiceEnvVars": true,
 	}
 	buildFields := extractFuncGlobalRefs(t, installerFile, "buildServiceArguments")
 	// Forward: every struct field must appear in buildServiceArguments.
 	for _, field := range structFields {
 		if fieldsNotInArgs[field] {
 			continue
 		}
 		globalVar := fieldToGlobalVar(field)
 		assert.Contains(t, buildFields, globalVar,
 			"serviceParams field %q (global %q) is not referenced in buildServiceArguments()", field, globalVar)
 	}
 	// Reverse: every service-related global used in buildServiceArguments must
 	// have a corresponding serviceParams field. This catches a developer adding
 	// a new flag to buildServiceArguments without adding it to the struct.
 	globalToField := make(map[string]string, len(structFields))
 	for _, field := range structFields {
 		globalToField[fieldToGlobalVar(field)] = field
 	}
 	// Identifiers in buildServiceArguments that are not service params
 	// (builtins, boilerplate, loop variables).
 	nonParamGlobals := map[string]bool{
 		"args": true, "append": true, "string": true, "_": true,
 		"logFile": true, // range variable over logFiles
 	}
 	for ref := range buildFields {
 		if nonParamGlobals[ref] {
 			continue
 		}
 		_, inStruct := globalToField[ref]
 		assert.True(t, inStruct,
 			"buildServiceArguments() references global %q which has no corresponding serviceParams field", ref)
 	}
 }
 // extractStructJSONFields returns field names from a named struct type.
 func extractStructJSONFields(t *testing.T, file *ast.File, structName string) []string {
 	t.Helper()
 	var fields []string
 	ast.Inspect(file, func(n ast.Node) bool {
 		ts, ok := n.(*ast.TypeSpec)
 		if !ok || ts.Name.Name != structName {
 			return true
 		}
 		st, ok := ts.Type.(*ast.StructType)
 		if !ok {
 			return false
 		}
 		for _, f := range st.Fields.List {
 			if len(f.Names) > 0 {
 				fields = append(fields, f.Names[0].Name)
 			}
 		}
 		return false
 	})
 	return fields
 }
 // extractFuncFieldRefs returns which of the given field names appear inside the
 // named function, either as selector expressions (params.FieldName) or as
 // composite literal keys (&serviceParams{FieldName: ...}).
 func extractFuncFieldRefs(t *testing.T, file *ast.File, funcName string, fields []string) map[string]bool {
 	t.Helper()
 	fieldSet := make(map[string]bool, len(fields))
 	for _, f := range fields {
 		fieldSet[f] = true
 	}
 	found := make(map[string]bool)
 	fn := findFuncDecl(file, funcName)
 	require.NotNil(t, fn, "function %s not found", funcName)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {
 		switch v := n.(type) {
 		case *ast.SelectorExpr:
 			if fieldSet[v.Sel.Name] {
 				found[v.Sel.Name] = true
 			}
 		case *ast.KeyValueExpr:
 			if ident, ok := v.Key.(*ast.Ident); ok && fieldSet[ident.Name] {
 				found[ident.Name] = true
 			}
 		}
 		return true
 	})
 	return found
 }
 // extractFuncGlobalRefs returns all identifier names referenced in the named function body.
 func extractFuncGlobalRefs(t *testing.T, file *ast.File, funcName string) map[string]bool {
 	t.Helper()
 	fn := findFuncDecl(file, funcName)
 	require.NotNil(t, fn, "function %s not found", funcName)
 	refs := make(map[string]bool)
 	ast.Inspect(fn.Body, func(n ast.Node) bool {
 		if ident, ok := n.(*ast.Ident); ok {
 			refs[ident.Name] = true
 		}
 		return true
 	})
 	return refs
 }
 func findFuncDecl(file *ast.File, name string) *ast.FuncDecl {
 	for _, decl := range file.Decls {
 		fn, ok := decl.(*ast.FuncDecl)
 		if ok && fn.Name.Name == name {
 			return fn
 		}
 	}
 	return nil
 }
 // fieldToGlobalVar maps serviceParams field names to the package-level variable
 // names used in buildServiceArguments and applyServiceParams.
 func fieldToGlobalVar(field string) string {
 	m := map[string]string{
 		"LogLevel":              "logLevel",
 		"DaemonAddr":            "daemonAddr",
 		"ManagementURL":         "managementURL",
 		"ConfigPath":            "configPath",
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {
 		return v
 	}
 	// Default: lowercase first letter.
 	return strings.ToLower(field[:1]) + field[1:]
 }
 func TestEnvMapToSlice(t *testing.T) {
 	m := map[string]string{"A": "1", "B": "2"}
 	s := envMapToSlice(m)
 	assert.Len(t, s, 2)
 	assert.Contains(t, s, "A=1")
 	assert.Contains(t, s, "B=2")
 }
 func TestEnvMapToSlice_Empty(t *testing.T) {
 	s := envMapToSlice(map[string]string{})
 	assert.Empty(t, s)
 }
--- a/client/cmd/service_test.go
+++ b/client/cmd/service_test.go
@@ -4,7 +4,9 @@ import (
 	"context"
 	"fmt"
 	"os"
 	"os/signal"
 	"runtime"
 	"syscall"
 	"testing"
 	"time"
@@ -13,6 +15,22 @@ import (
 	"github.com/stretchr/testify/require"
 )
 // TestMain intercepts when this test binary is run as a daemon subprocess.
 // On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
 // "service run ..." arguments. Since the test binary can't handle cobra CLI
 // args, it exits immediately, causing daemon -r to respawn rapidly until
 // hitting the rate limit and exiting. This makes service restart unreliable.
 // Blocking here keeps the subprocess alive until the init system sends SIGTERM.
 func TestMain(m *testing.M) {
 	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
 		sig := make(chan os.Signal, 1)
 		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
 		<-sig
 		return
 	}
 	os.Exit(m.Run())
 }
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -79,6 +97,34 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)
 	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
 	t.Cleanup(func() {
 		cfg, err := newSVCConfig()
 		if err != nil {
 			t.Errorf("cleanup: create service config: %v", err)
 			return
 		}
 		ctxSvc, cancel := context.WithCancel(context.Background())
 		defer cancel()
 		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
 		if err != nil {
 			t.Errorf("cleanup: create service: %v", err)
 			return
 		}
 		// If the subtests already cleaned up, there's nothing to do.
 		if _, err := s.Status(); err != nil {
 			return
 		}
 		if err := s.Stop(); err != nil {
 			t.Errorf("cleanup: stop service: %v", err)
 		}
 		if err := s.Uninstall(); err != nil {
 			t.Errorf("cleanup: uninstall service: %v", err)
 		}
 	})
 	ctx := context.Background()
 	t.Run("Install", func(t *testing.T) {
--- a/client/cmd/signer/artifactkey.go
+++ b/client/cmd/signer/artifactkey.go
@@ -7,7 +7,7 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 var (
--- a/client/cmd/signer/artifactsign.go
+++ b/client/cmd/signer/artifactsign.go
@@ -6,7 +6,7 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 const (
--- a/client/cmd/signer/revocation.go
+++ b/client/cmd/signer/revocation.go
@@ -7,7 +7,7 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 const (
--- a/client/cmd/signer/rootkey.go
+++ b/client/cmd/signer/rootkey.go
@@ -7,7 +7,7 @@ import (
 	"github.com/spf13/cobra"
-	"github.com/netbirdio/netbird/client/internal/updatemanager/reposign"
+	"github.com/netbirdio/netbird/client/internal/updater/reposign"
 )
 var (
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -28,6 +28,7 @@ var (
 	ipsFilterMap         map[string]struct{}
 	prefixNamesFilterMap map[string]struct{}
 	connectionTypeFilter string
 	checkFlag            string
 )
 var statusCmd = &cobra.Command{
@@ -49,6 +50,7 @@ func init() {
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
 	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
 	statusCmd.PersistentFlags().StringVar(&connectionTypeFilter, "filter-by-connection-type", "", "filters the detailed output by connection type (P2P|Relayed), e.g., --filter-by-connection-type P2P")
 	statusCmd.PersistentFlags().StringVar(&checkFlag, "check", "", "run a health check and exit with code 0 on success, 1 on failure (live|ready|startup)")
 }
 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -56,6 +58,10 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	cmd.SetOut(cmd.OutOrStdout())
 	if checkFlag != "" {
 		return runHealthCheck(cmd)
 	}
 	err := parseFilters()
 	if err != nil {
 		return err
@@ -68,15 +74,17 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	ctx := internal.CtxInitState(cmd.Context())
-	resp, err := getStatus(ctx, false)
+	resp, err := getStatus(ctx, true, false)
 	if err != nil {
 		return err
 	}
 	status := resp.GetStatus()
-	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
+	needsAuth := status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired) {
+		status == string(internal.StatusSessionExpired)
 	if needsAuth && !jsonFlag && !yamlFlag {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -99,7 +107,17 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), anonymizeFlag, resp.GetDaemonVersion(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), nbstatus.ConvertOptions{
 		Anonymize:            anonymizeFlag,
 		DaemonVersion:        resp.GetDaemonVersion(),
 		DaemonStatus:         nbstatus.ParseDaemonStatus(status),
 		StatusFilter:         statusFilter,
 		PrefixNamesFilter:    prefixNamesFilter,
 		PrefixNamesFilterMap: prefixNamesFilterMap,
 		IPsFilter:            ipsFilterMap,
 		ConnectionTypeFilter: connectionTypeFilter,
 		ProfileName:          profName,
 	})
 	var statusOutputString string
 	switch {
 	case detailFlag:
@@ -121,7 +139,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }
-func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context, fullPeerStatus bool, shouldRunProbes bool) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		//nolint
@@ -131,7 +149,7 @@ func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse
 	}
 	defer conn.Close()
-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: fullPeerStatus, ShouldRunProbes: shouldRunProbes})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -185,6 +203,83 @@ func enableDetailFlagWhenFilterFlag() {
 	}
 }
 func runHealthCheck(cmd *cobra.Command) error {
 	check := strings.ToLower(checkFlag)
 	switch check {
 	case "live", "ready", "startup":
 	default:
 		return fmt.Errorf("unknown check %q, must be one of: live, ready, startup", checkFlag)
 	}
 	if err := util.InitLog(logLevel, util.LogConsole); err != nil {
 		return fmt.Errorf("init log: %w", err)
 	}
 	ctx := internal.CtxInitState(cmd.Context())
 	isStartup := check == "startup"
 	resp, err := getStatus(ctx, isStartup, false)
 	if err != nil {
 		return err
 	}
 	switch check {
 	case "live":
 		return nil
 	case "ready":
 		return checkReadiness(resp)
 	case "startup":
 		return checkStartup(resp)
 	default:
 		return nil
 	}
 }
 func checkReadiness(resp *proto.StatusResponse) error {
 	daemonStatus := internal.StatusType(resp.GetStatus())
 	switch daemonStatus {
 	case internal.StatusIdle, internal.StatusConnecting, internal.StatusConnected:
 		return nil
 	case internal.StatusNeedsLogin, internal.StatusLoginFailed, internal.StatusSessionExpired:
 		return fmt.Errorf("readiness check: daemon status is %s", daemonStatus)
 	default:
 		return fmt.Errorf("readiness check: unexpected daemon status %q", daemonStatus)
 	}
 }
 func checkStartup(resp *proto.StatusResponse) error {
 	fullStatus := resp.GetFullStatus()
 	if fullStatus == nil {
 		return fmt.Errorf("startup check: no full status available")
 	}
 	if !fullStatus.GetManagementState().GetConnected() {
 		return fmt.Errorf("startup check: management not connected")
 	}
 	if !fullStatus.GetSignalState().GetConnected() {
 		return fmt.Errorf("startup check: signal not connected")
 	}
 	var relayCount, relaysConnected int
 	for _, r := range fullStatus.GetRelays() {
 		uri := r.GetURI()
 		if !strings.HasPrefix(uri, "rel://") && !strings.HasPrefix(uri, "rels://") {
 			continue
 		}
 		relayCount++
 		if r.GetAvailable() {
 			relaysConnected++
 		}
 	}
 	if relayCount > 0 && relaysConnected == 0 {
 		return fmt.Errorf("startup check: no relay servers available (0/%d connected)", relayCount)
 	}
 	return nil
 }
 func parseInterfaceIP(interfaceIP string) string {
 	ip, _, err := net.ParseCIDR(interfaceIP)
 	if err != nil {
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -197,7 +197,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()
-	connectClient := internal.NewConnectClient(ctx, config, r, false)
+	connectClient := internal.NewConnectClient(ctx, config, r)
 	SetupDebugHandler(ctx, config, r, connectClient, "")
 	return connectClient.Run(nil, util.FindFirstLogPath(logFiles))
--- a/client/cmd/update_supported.go
+++ b/client/cmd/update_supported.go
@@ -11,7 +11,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
+	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	"github.com/netbirdio/netbird/util"
 )
--- a/client/embed/embed.go
+++ b/client/embed/embed.go
@@ -14,12 +14,15 @@ import (
 	"github.com/sirupsen/logrus"
 	wgnetstack "golang.zx2c4.com/wireguard/tun/netstack"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
@@ -30,6 +33,14 @@ var (
 	ErrConfigNotInitialized = errors.New("config not initialized")
 )
 const (
 	// PeerStatusConnected indicates the peer is in connected state.
 	PeerStatusConnected = peer.StatusConnected
 )
 // PeerConnStatus is a peer's connection status.
 type PeerConnStatus = peer.ConnStatus
 // Client manages a netbird embedded client instance.
 type Client struct {
 	deviceName string
@@ -68,6 +79,18 @@ type Options struct {
 	StatePath string
 	// DisableClientRoutes disables the client routes
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
 	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
 	WireguardPort *int
 	// MTU is the MTU for the WireGuard interface.
 	// Valid values are in the range 576..8192 bytes.
 	// If non-nil, this value overrides any value stored in the config file.
 	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
 	// Set to a higher value (e.g. 1400) if carrying QUIC or other protocols that require larger datagrams.
 	MTU *uint16
 	// DNSLabels defines additional DNS labels configured in the peer.
 	DNSLabels []string
 }
 // validateCredentials checks that exactly one credential type is provided
@@ -99,6 +122,12 @@ func New(opts Options) (*Client, error) {
 		return nil, err
 	}
 	if opts.MTU != nil {
 		if err := iface.ValidateMTU(*opts.MTU); err != nil {
 			return nil, fmt.Errorf("invalid MTU: %w", err)
 		}
 	}
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -127,15 +156,24 @@ func New(opts Options) (*Client, error) {
 		}
 	}
 	var err error
 	var parsedLabels domain.List
 	if parsedLabels, err = domain.FromStringList(opts.DNSLabels); err != nil {
 		return nil, fmt.Errorf("invalid dns labels: %w", err)
 	}
 	t := true
 	var config *profilemanager.Config
 	var err error
 	input := profilemanager.ConfigInput{
 		ConfigPath:          opts.ConfigPath,
 		ManagementURL:       opts.ManagementURL,
 		PreSharedKey:        &opts.PreSharedKey,
 		DisableServerRoutes: &t,
 		DisableClientRoutes: &opts.DisableClientRoutes,
 		BlockInbound:        &opts.BlockInbound,
 		WireguardPort:       opts.WireguardPort,
 		MTU:                 opts.MTU,
 		DNSLabels:           parsedLabels,
 	}
 	if opts.ConfigPath != "" {
 		config, err = profilemanager.UpdateOrCreateConfig(input)
@@ -155,6 +193,7 @@ func New(opts Options) (*Client, error) {
 		setupKey:   opts.SetupKey,
 		jwtToken:   opts.JWTToken,
 		config:     config,
 		recorder:   peer.NewRecorder(config.ManagementURL.String()),
 	}, nil
 }
@@ -176,13 +215,17 @@ func (c *Client) Start(startCtx context.Context) error {
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
+
 	authClient, err := auth.NewAuth(ctx, c.config.PrivateKey, c.config.ManagementURL, c.config)
 	if err != nil {
 		return fmt.Errorf("create auth client: %w", err)
 	}
 	defer authClient.Close()
 	if err, _ := authClient.Login(ctx, c.setupKey, c.jwtToken); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
-
+	client := internal.NewConnectClient(ctx, c.config, c.recorder)
 	recorder := peer.NewRecorder(c.config.ManagementURL.String())
 	c.recorder = recorder
 	client := internal.NewConnectClient(ctx, c.config, recorder, false)
 	client.SetSyncResponsePersistence(true)
 	// either startup error (permanent backoff err) or nil err (successful engine up)
@@ -332,17 +375,38 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }
 // Expose exposes a local service via the NetBird reverse proxy, making it accessible through a public URL.
 // It returns an ExposeSession. Call Wait on the session to keep it alive.
 func (c *Client) Expose(ctx context.Context, req ExposeRequest) (*ExposeSession, error) {
 	engine, err := c.getEngine()
 	if err != nil {
 		return nil, err
 	}
 	mgr := engine.GetExposeManager()
 	if mgr == nil {
 		return nil, fmt.Errorf("expose manager not available")
 	}
 	resp, err := mgr.Expose(ctx, req)
 	if err != nil {
 		return nil, fmt.Errorf("expose: %w", err)
 	}
 	return &ExposeSession{
 		Domain:      resp.Domain,
 		ServiceName: resp.ServiceName,
 		ServiceURL:  resp.ServiceURL,
 		mgr:         mgr,
 	}, nil
 }
 // Status returns the current status of the client.
 func (c *Client) Status() (peer.FullStatus, error) {
 	c.mu.Lock()
 	recorder := c.recorder
 	connect := c.connect
 	c.mu.Unlock()
 	if recorder == nil {
 		return peer.FullStatus{}, errors.New("client not started")
 	}
 	if connect != nil {
 		engine := connect.Engine()
 		if engine != nil {
@@ -350,7 +414,7 @@ func (c *Client) Status() (peer.FullStatus, error) {
 		}
 	}
-	return recorder.GetFullStatus(), nil
+	return c.recorder.GetFullStatus(), nil
 }
 // GetLatestSyncResponse returns the latest sync response from the management server.
--- a/client/embed/expose.go
+++ b/client/embed/expose.go
@@ -0,0 +1,45 @@
 package embed
 import (
 	"context"
 	"errors"
 	"github.com/netbirdio/netbird/client/internal/expose"
 )
 const (
 	// ExposeProtocolHTTP exposes the service as HTTP.
 	ExposeProtocolHTTP = expose.ProtocolHTTP
 	// ExposeProtocolHTTPS exposes the service as HTTPS.
 	ExposeProtocolHTTPS = expose.ProtocolHTTPS
 	// ExposeProtocolTCP exposes the service as TCP.
 	ExposeProtocolTCP = expose.ProtocolTCP
 	// ExposeProtocolUDP exposes the service as UDP.
 	ExposeProtocolUDP = expose.ProtocolUDP
 	// ExposeProtocolTLS exposes the service as TLS.
 	ExposeProtocolTLS = expose.ProtocolTLS
 )
 // ExposeRequest is a request to expose a local service via the NetBird reverse proxy.
 type ExposeRequest = expose.Request
 // ExposeProtocolType represents the protocol used for exposing a service.
 type ExposeProtocolType = expose.ProtocolType
 // ExposeSession represents an active expose session. Use Wait to block until the session ends.
 type ExposeSession struct {
 	Domain      string
 	ServiceName string
 	ServiceURL  string
 	mgr *expose.Manager
 }
 // Wait blocks while keeping the expose session alive.
 // It returns when ctx is cancelled or a keep-alive error occurs, then terminates the session.
 func (s *ExposeSession) Wait(ctx context.Context) error {
 	if s == nil || s.mgr == nil {
 		return errors.New("expose session is not initialized")
 	}
 	return s.mgr.KeepAlive(ctx, s.Domain)
 }
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -6,6 +6,7 @@ import (
 	"errors"
 	"fmt"
 	"os"
 	"strconv"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
@@ -35,20 +36,34 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 type FWType int
 func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
-	// on the linux system we try to user nftables or iptables
+	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
-	// in any case, because we need to allow netbird interface traffic
+	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
-	// so we use AllowNetbird traffic from these firewall managers
+		log.Info("forcing userspace firewall")
-	// for the userspace packet filtering firewall
+		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
 	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
 	// Kernel cannot fall back to anything else, need to return error
 	if !iface.IsUserspaceBind() {
 		return fm, err
 	}
 	// Fall back to the userspace packet filter if native is unavailable
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
+
 	// Native firewall handles packet filtering, but the userspace WireGuard bind
 	// needs a device filter for DNS interception hooks. Install a minimal
 	// hooks-only filter that passes all traffic through to the kernel firewall.
 	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
 		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
 	}
 	return fm, nil
 }
 func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
@@ -160,3 +175,17 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
 func forceUserspaceFirewall() bool {
 	val := os.Getenv(EnvForceUserspaceFirewall)
 	if val == "" {
 		return false
 	}
 	force, err := strconv.ParseBool(val)
 	if err != nil {
 		log.Warnf("failed to parse %s: %v", EnvForceUserspaceFirewall, err)
 		return false
 	}
 	return force
 }
--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -7,6 +7,12 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 // EnvForceUserspaceFirewall forces the use of the userspace packet filter even when
 // native iptables/nftables is available. This only applies when the WireGuard interface
 // runs in userspace mode. When set, peer ACLs are handled by USPFilter instead of
 // kernel netfilter rules.
 const EnvForceUserspaceFirewall = "NB_FORCE_USERSPACE_FIREWALL"
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -23,16 +23,16 @@ type Manager struct {
 	wgIface iFaceMapper
-	ipv4Client *iptables.IPTables
+	ipv4Client   *iptables.IPTables
-	aclMgr     *aclManager
+	aclMgr       *aclManager
-	router     *router
+	router       *router
 	rawSupported bool
 }
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
 	IsUserspaceBind() bool
 }
 // Create iptables firewall manager
@@ -63,10 +63,9 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:       m.wgIface.Name(),
+			NameStr:   m.wgIface.Name(),
-			WGAddress:     m.wgIface.Address(),
+			WGAddress: m.wgIface.Address(),
-			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:       m.router.mtu,
 			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -83,6 +82,10 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("acl manager init: %w", err)
 	}
 	if err := m.initNoTrackChain(); err != nil {
 		log.Warnf("raw table not available, notrack rules will be disabled: %v", err)
 	}
 	// persist early to ensure cleanup of chains
 	go func() {
 		if err := stateManager.PersistState(context.Background()); err != nil {
@@ -177,6 +180,10 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	var merr *multierror.Error
 	if err := m.cleanupNoTrackChain(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("cleanup notrack chain: %w", err))
 	}
 	if err := m.aclMgr.Reset(); err != nil {
 		merr = multierror.Append(merr, fmt.Errorf("reset acl manager: %w", err))
 	}
@@ -194,12 +201,10 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
-// AllowNetbird allows netbird interface traffic
+// AllowNetbird allows netbird interface traffic.
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
 	if !m.wgIface.IsUserspaceBind() {
 		return nil
 	}
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
@@ -277,6 +282,150 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 const (
 	chainNameRaw = "NETBIRD-RAW"
 	chainOUTPUT  = "OUTPUT"
 	tableRaw     = "raw"
 )
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 // This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
 // can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
 //
 // Traffic flows that need NOTRACK:
 //
 //  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
 //     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
 //     Matched by: sport=wgPort
 //
 //  2. Egress: Proxy -> WireGuard (via raw socket)
 //     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  3. Ingress: Packets to WireGuard
 //     dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  4. Ingress: Packets to proxy (after eBPF rewrite)
 //     dst=127.0.0.1:proxyPort
 //     Matched by: dport=proxyPort
 //
 // Rules are cleaned up when the firewall manager is closed.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	if !m.rawSupported {
 		return fmt.Errorf("raw table not available")
 	}
 	wgPortStr := fmt.Sprintf("%d", wgPort)
 	proxyPortStr := fmt.Sprintf("%d", proxyPort)
 	// Egress rules: match outgoing loopback UDP packets
 	outputRuleSport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--sport", wgPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleSport...); err != nil {
 		return fmt.Errorf("add output sport notrack rule: %w", err)
 	}
 	outputRuleDport := []string{"-o", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, outputRuleDport...); err != nil {
 		return fmt.Errorf("add output dport notrack rule: %w", err)
 	}
 	// Ingress rules: match incoming loopback UDP packets
 	preroutingRuleWg := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", wgPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleWg...); err != nil {
 		return fmt.Errorf("add prerouting wg notrack rule: %w", err)
 	}
 	preroutingRuleProxy := []string{"-i", "lo", "-s", "127.0.0.1", "-d", "127.0.0.1", "-p", "udp", "--dport", proxyPortStr, "-j", "NOTRACK"}
 	if err := m.ipv4Client.AppendUnique(tableRaw, chainNameRaw, preroutingRuleProxy...); err != nil {
 		return fmt.Errorf("add prerouting proxy notrack rule: %w", err)
 	}
 	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
 	return nil
 }
 func (m *Manager) initNoTrackChain() error {
 	if err := m.cleanupNoTrackChain(); err != nil {
 		log.Debugf("cleanup notrack chain: %v", err)
 	}
 	if err := m.ipv4Client.NewChain(tableRaw, chainNameRaw); err != nil {
 		return fmt.Errorf("create chain: %w", err)
 	}
 	jumpRule := []string{"-j", chainNameRaw}
 	if err := m.ipv4Client.InsertUnique(tableRaw, chainOUTPUT, 1, jumpRule...); err != nil {
 		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
 			log.Debugf("delete orphan chain: %v", delErr)
 		}
 		return fmt.Errorf("add output jump rule: %w", err)
 	}
 	if err := m.ipv4Client.InsertUnique(tableRaw, chainPREROUTING, 1, jumpRule...); err != nil {
 		if delErr := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); delErr != nil {
 			log.Debugf("delete output jump rule: %v", delErr)
 		}
 		if delErr := m.ipv4Client.DeleteChain(tableRaw, chainNameRaw); delErr != nil {
 			log.Debugf("delete orphan chain: %v", delErr)
 		}
 		return fmt.Errorf("add prerouting jump rule: %w", err)
 	}
 	m.rawSupported = true
 	return nil
 }
 func (m *Manager) cleanupNoTrackChain() error {
 	exists, err := m.ipv4Client.ChainExists(tableRaw, chainNameRaw)
 	if err != nil {
 		if !m.rawSupported {
 			return nil
 		}
 		return fmt.Errorf("check chain exists: %w", err)
 	}
 	if !exists {
 		return nil
 	}
 	jumpRule := []string{"-j", chainNameRaw}
 	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainOUTPUT, jumpRule...); err != nil {
 		return fmt.Errorf("remove output jump rule: %w", err)
 	}
 	if err := m.ipv4Client.DeleteIfExists(tableRaw, chainPREROUTING, jumpRule...); err != nil {
 		return fmt.Errorf("remove prerouting jump rule: %w", err)
 	}
 	if err := m.ipv4Client.ClearAndDeleteChain(tableRaw, chainNameRaw); err != nil {
 		return fmt.Errorf("clear and delete chain: %w", err)
 	}
 	m.rawSupported = false
 	return nil
 }
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -47,8 +47,6 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }
 func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -36,6 +36,7 @@ const (
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
 	chainNATOutput          = "NETBIRD-NAT-OUTPUT"
 	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
@@ -43,6 +44,7 @@ const (
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
 	jumpNatOutput  = "jump-nat-output"
 	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
@@ -387,6 +389,14 @@ func (r *router) cleanUpDefaultForwardRules() error {
 	}
 	log.Debug("flushing routing related tables")
 	// Remove jump rules from built-in chains before deleting custom chains,
 	// otherwise the chain deletion fails with "device or resource busy".
 	jumpRule := []string{"-j", chainNATOutput}
 	if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
 		log.Debugf("clean OUTPUT jump rule: %v", err)
 	}
 	for _, chainInfo := range []struct {
 		chain string
 		table string
@@ -396,6 +406,7 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
 		{chainNATOutput, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
@@ -970,6 +981,81 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 	return nil
 }
 // ensureNATOutputChain lazily creates the OUTPUT NAT chain and jump rule on first use.
 func (r *router) ensureNATOutputChain() error {
 	if _, exists := r.rules[jumpNatOutput]; exists {
 		return nil
 	}
 	chainExists, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput)
 	if err != nil {
 		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
 	}
 	if !chainExists {
 		if err := r.iptablesClient.NewChain(tableNat, chainNATOutput); err != nil {
 			return fmt.Errorf("create chain %s: %w", chainNATOutput, err)
 		}
 	}
 	jumpRule := []string{"-j", chainNATOutput}
 	if err := r.iptablesClient.Insert(tableNat, "OUTPUT", 1, jumpRule...); err != nil {
 		if !chainExists {
 			if delErr := r.iptablesClient.ClearAndDeleteChain(tableNat, chainNATOutput); delErr != nil {
 				log.Warnf("failed to rollback chain %s: %v", chainNATOutput, delErr)
 			}
 		}
 		return fmt.Errorf("add OUTPUT jump rule: %w", err)
 	}
 	r.rules[jumpNatOutput] = jumpRule
 	r.updateState()
 	return nil
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
 	}
 	if err := r.ensureNATOutputChain(); err != nil {
 		return err
 	}
 	dnatRule := []string{
 		"-p", strings.ToLower(string(protocol)),
 		"--dport", strconv.Itoa(int(sourcePort)),
 		"-d", localAddr.String(),
 		"-j", "DNAT",
 		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
 	}
 	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
 		return fmt.Errorf("add output DNAT rule: %w", err)
 	}
 	r.rules[ruleID] = dnatRule
 	r.updateState()
 	return nil
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if dnatRule, exists := r.rules[ruleID]; exists {
 		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
 			return fmt.Errorf("delete output DNAT rule: %w", err)
 		}
 		delete(r.rules, ruleID)
 	}
 	r.updateState()
 	return nil
 }
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil
--- a/client/firewall/iptables/state_linux.go
+++ b/client/firewall/iptables/state_linux.go
@@ -9,10 +9,9 @@ import (
 )
 type InterfaceState struct {
-	NameStr       string         `json:"name"`
+	NameStr   string         `json:"name"`
-	WGAddress     wgaddr.Address `json:"wg_address"`
+	WGAddress wgaddr.Address `json:"wg_address"`
-	UserspaceBind bool           `json:"userspace_bind"`
+	MTU       uint16         `json:"mtu"`
 	MTU           uint16         `json:"mtu"`
 }
 func (i *InterfaceState) Name() string {
@@ -23,10 +22,6 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }
 func (i *InterfaceState) IsUserspaceBind() bool {
 	return i.UserspaceBind
 }
 type ShutdownState struct {
 	sync.Mutex
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -168,6 +168,18 @@ type Manager interface {
 	// RemoveInboundDNAT removes inbound DNAT rule
 	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
 	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
 	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
 	// This prevents conntrack from interfering with WireGuard proxy communication.
 	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error
 }
 func GenKey(format string, pair RouterPair) string {
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -12,6 +12,7 @@ import (
 	"github.com/google/nftables/binaryutil"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -39,7 +40,6 @@ func getTableName() string {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
 	IsUserspaceBind() bool
 }
 // Manager of iptables firewall
@@ -48,8 +48,10 @@ type Manager struct {
 	rConn   *nftables.Conn
 	wgIface iFaceMapper
-	router     *router
+	router                 *router
-	aclManager *AclManager
+	aclManager             *AclManager
 	notrackOutputChain     *nftables.Chain
 	notrackPreroutingChain *nftables.Chain
 }
 // Create nftables firewall manager
@@ -91,6 +93,10 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 		return fmt.Errorf("acl manager init: %w", err)
 	}
 	if err := m.initNoTrackChains(workTable); err != nil {
 		log.Warnf("raw priority chains not available, notrack rules will be disabled: %v", err)
 	}
 	stateManager.RegisterState(&ShutdownState{})
 	// We only need to record minimal interface state for potential recreation.
@@ -99,10 +105,9 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:       m.wgIface.Name(),
+			NameStr:   m.wgIface.Name(),
-			WGAddress:     m.wgIface.Address(),
+			WGAddress: m.wgIface.Address(),
-			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:       m.router.mtu,
 			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -198,12 +203,10 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	return m.router.RemoveNatRule(pair)
 }
-// AllowNetbird allows netbird interface traffic
+// AllowNetbird allows netbird interface traffic.
 // This is called when USPFilter wraps the native firewall, adding blanket accept
 // rules so that packet filtering is handled in userspace instead of by netfilter.
 func (m *Manager) AllowNetbird() error {
 	if !m.wgIface.IsUserspaceBind() {
 		return nil
 	}
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -288,7 +291,15 @@ func (m *Manager) Flush() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	return m.aclManager.Flush()
+	if err := m.aclManager.Flush(); err != nil {
 		return err
 	}
 	if err := m.refreshNoTrackChains(); err != nil {
 		log.Errorf("failed to refresh notrack chains: %v", err)
 	}
 	return nil
 }
 // AddDNATRule adds a DNAT rule
@@ -331,6 +342,192 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 const (
 	chainNameRawOutput     = "netbird-raw-out"
 	chainNameRawPrerouting = "netbird-raw-pre"
 )
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 // This prevents conntrack from tracking WireGuard proxy traffic on loopback, which
 // can interfere with MASQUERADE rules (e.g., from container runtimes like Podman/netavark).
 //
 // Traffic flows that need NOTRACK:
 //
 //  1. Egress: WireGuard -> fake endpoint (before eBPF rewrite)
 //     src=127.0.0.1:wgPort -> dst=127.0.0.1:fakePort
 //     Matched by: sport=wgPort
 //
 //  2. Egress: Proxy -> WireGuard (via raw socket)
 //     src=127.0.0.1:fakePort -> dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  3. Ingress: Packets to WireGuard
 //     dst=127.0.0.1:wgPort
 //     Matched by: dport=wgPort
 //
 //  4. Ingress: Packets to proxy (after eBPF rewrite)
 //     dst=127.0.0.1:proxyPort
 //     Matched by: dport=proxyPort
 //
 // Rules are cleaned up when the firewall manager is closed.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 	if m.notrackOutputChain == nil || m.notrackPreroutingChain == nil {
 		return fmt.Errorf("notrack chains not initialized")
 	}
 	proxyPortBytes := binaryutil.BigEndian.PutUint16(proxyPort)
 	wgPortBytes := binaryutil.BigEndian.PutUint16(wgPort)
 	loopback := []byte{127, 0, 0, 1}
 	// Egress rules: match outgoing loopback UDP packets
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackOutputChain.Table,
 		Chain: m.notrackOutputChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 0, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // sport=wgPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackOutputChain.Table,
 		Chain: m.notrackOutputChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	// Ingress rules: match incoming loopback UDP packets
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackPreroutingChain.Table,
 		Chain: m.notrackPreroutingChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: wgPortBytes}, // dport=wgPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	m.rConn.AddRule(&nftables.Rule{
 		Table: m.notrackPreroutingChain.Table,
 		Chain: m.notrackPreroutingChain,
 		Exprs: []expr.Any{
 			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifname("lo")},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 12, Len: 4}, // saddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseNetworkHeader, Offset: 16, Len: 4}, // daddr
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: loopback},
 			&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{unix.IPPROTO_UDP}},
 			&expr.Payload{DestRegister: 1, Base: expr.PayloadBaseTransportHeader, Offset: 2, Len: 2},
 			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: proxyPortBytes}, // dport=proxyPort
 			&expr.Counter{},
 			&expr.Notrack{},
 		},
 	})
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush notrack rules: %w", err)
 	}
 	log.Debugf("set up ebpf proxy notrack rules for ports %d,%d", proxyPort, wgPort)
 	return nil
 }
 func (m *Manager) initNoTrackChains(table *nftables.Table) error {
 	m.notrackOutputChain = m.rConn.AddChain(&nftables.Chain{
 		Name:     chainNameRawOutput,
 		Table:    table,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookOutput,
 		Priority: nftables.ChainPriorityRaw,
 	})
 	m.notrackPreroutingChain = m.rConn.AddChain(&nftables.Chain{
 		Name:     chainNameRawPrerouting,
 		Table:    table,
 		Type:     nftables.ChainTypeFilter,
 		Hooknum:  nftables.ChainHookPrerouting,
 		Priority: nftables.ChainPriorityRaw,
 	})
 	if err := m.rConn.Flush(); err != nil {
 		return fmt.Errorf("flush chain creation: %w", err)
 	}
 	return nil
 }
 func (m *Manager) refreshNoTrackChains() error {
 	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list chains: %w", err)
 	}
 	tableName := getTableName()
 	for _, c := range chains {
 		if c.Table.Name != tableName {
 			continue
 		}
 		switch c.Name {
 		case chainNameRawOutput:
 			m.notrackOutputChain = c
 		case chainNameRawPrerouting:
 			m.notrackPreroutingChain = c
 		}
 	}
 	return nil
 }
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -52,8 +52,6 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }
 func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestNftablesManager(t *testing.T) {
 	// just check on the local interface
--- a/client/firewall/nftables/router_linux.go
+++ b/client/firewall/nftables/router_linux.go
@@ -36,6 +36,7 @@ const (
 	chainNameRoutingFw     = "netbird-rt-fwd"
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
 	chainNameNATOutput     = "netbird-nat-output"
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"
@@ -483,7 +484,12 @@ func (r *router) DeleteRouteRule(rule firewall.Rule) error {
 	}
 	if nftRule.Handle == 0 {
-		return fmt.Errorf("route rule %s has no handle", ruleKey)
+		log.Warnf("route rule %s has no handle, removing stale entry", ruleKey)
 		if err := r.decrementSetCounter(nftRule); err != nil {
 			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
 		}
 		delete(r.rules, ruleKey)
 		return nil
 	}
 	if err := r.deleteNftRule(nftRule, ruleKey); err != nil {
@@ -660,13 +666,32 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 	}
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback ipset counter
+		r.rollbackRules(pair)
-		return fmt.Errorf("insert rules for %s: %v", pair.Destination, err)
+		return fmt.Errorf("insert rules for %s: %w", pair.Destination, err)
 	}
 	return nil
 }
 // rollbackRules cleans up unflushed rules and their set counters after a flush failure.
 func (r *router) rollbackRules(pair firewall.RouterPair) {
 	keys := []string{
 		firewall.GenKey(firewall.ForwardingFormat, pair),
 		firewall.GenKey(firewall.PreroutingFormat, pair),
 		firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair)),
 	}
 	for _, key := range keys {
 		rule, ok := r.rules[key]
 		if !ok {
 			continue
 		}
 		if err := r.decrementSetCounter(rule); err != nil {
 			log.Warnf("rollback set counter for %s: %v", key, err)
 		}
 		delete(r.rules, key)
 	}
 }
 // addNatRule inserts a nftables rule to the conn client flush queue
 func (r *router) addNatRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -928,18 +953,30 @@ func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 func (r *router) removeLegacyRouteRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.ForwardingFormat, pair)
-	if rule, exists := r.rules[ruleKey]; exists {
+	rule, exists := r.rules[ruleKey]
-		if err := r.conn.DelRule(rule); err != nil {
+	if !exists {
-			return fmt.Errorf("remove legacy forwarding rule %s -> %s: %v", pair.Source, pair.Destination, err)
+		return nil
-		}
+	}
 		log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
 		delete(r.rules, ruleKey)
 	if rule.Handle == 0 {
 		log.Warnf("legacy forwarding rule %s has no handle, removing stale entry", ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
-			return fmt.Errorf("decrement set counter: %w", err)
+			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
 		}
 		delete(r.rules, ruleKey)
 		return nil
 	}
 	if err := r.conn.DelRule(rule); err != nil {
 		return fmt.Errorf("remove legacy forwarding rule %s -> %s: %w", pair.Source, pair.Destination, err)
 	}
 	log.Debugf("removed legacy forwarding rule %s -> %s", pair.Source, pair.Destination)
 	delete(r.rules, ruleKey)
 	if err := r.decrementSetCounter(rule); err != nil {
 		return fmt.Errorf("decrement set counter: %w", err)
 	}
 	return nil
@@ -1329,65 +1366,89 @@ func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 	var merr *multierror.Error
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
-			return fmt.Errorf("remove prerouting rule: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("remove prerouting rule: %w", err))
 		}
 		if err := r.removeNatRule(firewall.GetInversePair(pair)); err != nil {
-			return fmt.Errorf("remove inverse prerouting rule: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("remove inverse prerouting rule: %w", err))
 		}
 	}
 	if err := r.removeLegacyRouteRule(pair); err != nil {
-		return fmt.Errorf("remove legacy routing rule: %w", err)
+		merr = multierror.Append(merr, fmt.Errorf("remove legacy routing rule: %w", err))
 	}
 	// Set counters are decremented in the sub-methods above before flush. If flush fails,
 	// counters will be off until the next successful removal or refresh cycle.
 	if err := r.conn.Flush(); err != nil {
-		// TODO: rollback set counter
+		merr = multierror.Append(merr, fmt.Errorf("flush remove nat rules %s: %w", pair.Destination, err))
 		return fmt.Errorf("remove nat rules rule %s: %v", pair.Destination, err)
 	}
-	return nil
+	return nberrors.FormatErrorOrNil(merr)
 }
 func (r *router) removeNatRule(pair firewall.RouterPair) error {
 	ruleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
-	if rule, exists := r.rules[ruleKey]; exists {
+	rule, exists := r.rules[ruleKey]
-		if err := r.conn.DelRule(rule); err != nil {
+	if !exists {
 			return fmt.Errorf("remove prerouting rule %s -> %s: %v", pair.Source, pair.Destination, err)
 		}
 		log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
 		delete(r.rules, ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
 			return fmt.Errorf("decrement set counter: %w", err)
 		}
 	} else {
 		log.Debugf("prerouting rule %s not found", ruleKey)
 		return nil
 	}
 	if rule.Handle == 0 {
 		log.Warnf("prerouting rule %s has no handle, removing stale entry", ruleKey)
 		if err := r.decrementSetCounter(rule); err != nil {
 			log.Warnf("decrement set counter for stale rule %s: %v", ruleKey, err)
 		}
 		delete(r.rules, ruleKey)
 		return nil
 	}
 	if err := r.conn.DelRule(rule); err != nil {
 		return fmt.Errorf("remove prerouting rule %s -> %s: %w", pair.Source, pair.Destination, err)
 	}
 	log.Debugf("removed prerouting rule %s -> %s", pair.Source, pair.Destination)
 	delete(r.rules, ruleKey)
 	if err := r.decrementSetCounter(rule); err != nil {
 		return fmt.Errorf("decrement set counter: %w", err)
 	}
 	return nil
 }
-// refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
+// refreshRulesMap rebuilds the rule map from the kernel. This removes stale entries
-// duplicates and to get missing attributes that we don't have when adding new rules
+// (e.g. from failed flushes) and updates handles for all existing rules.
 func (r *router) refreshRulesMap() error {
 	var merr *multierror.Error
 	newRules := make(map[string]*nftables.Rule)
 	for _, chain := range r.chains {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
-			return fmt.Errorf("list rules: %w", err)
+			merr = multierror.Append(merr, fmt.Errorf("list rules for chain %s: %w", chain.Name, err))
 			// preserve existing entries for this chain since we can't verify their state
 			for k, v := range r.rules {
 				if v.Chain != nil && v.Chain.Name == chain.Name {
 					newRules[k] = v
 				}
 			}
 			continue
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				r.rules[string(rule.UserData)] = rule
+				newRules[string(rule.UserData)] = rule
 			}
 		}
 	}
-	return nil
+	r.rules = newRules
 	return nberrors.FormatErrorOrNil(merr)
 }
 func (r *router) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
@@ -1629,20 +1690,34 @@ func (r *router) DeleteDNATRule(rule firewall.Rule) error {
 	}
 	var merr *multierror.Error
 	var needsFlush bool
 	if dnatRule, exists := r.rules[ruleKey+dnatSuffix]; exists {
-		if err := r.conn.DelRule(dnatRule); err != nil {
+		if dnatRule.Handle == 0 {
 			log.Warnf("dnat rule %s has no handle, removing stale entry", ruleKey+dnatSuffix)
 			delete(r.rules, ruleKey+dnatSuffix)
 		} else if err := r.conn.DelRule(dnatRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete dnat rule: %w", err))
 		} else {
 			needsFlush = true
 		}
 	}
 	if masqRule, exists := r.rules[ruleKey+snatSuffix]; exists {
-		if err := r.conn.DelRule(masqRule); err != nil {
+		if masqRule.Handle == 0 {
 			log.Warnf("snat rule %s has no handle, removing stale entry", ruleKey+snatSuffix)
 			delete(r.rules, ruleKey+snatSuffix)
 		} else if err := r.conn.DelRule(masqRule); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("delete snat rule: %w", err))
 		} else {
 			needsFlush = true
 		}
 	}
-	if err := r.conn.Flush(); err != nil {
+	if needsFlush {
-		merr = multierror.Append(merr, fmt.Errorf(flushError, err))
+		if err := r.conn.Flush(); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf(flushError, err))
 		}
 	}
 	if merr == nil {
@@ -1757,16 +1832,149 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-	if rule, exists := r.rules[ruleID]; exists {
+	rule, exists := r.rules[ruleID]
-		if err := r.conn.DelRule(rule); err != nil {
+	if !exists {
-			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
+		return nil
 		}
 		if err := r.conn.Flush(); err != nil {
 			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
 		}
 		delete(r.rules, ruleID)
 	}
 	if rule.Handle == 0 {
 		log.Warnf("inbound DNAT rule %s has no handle, removing stale entry", ruleID)
 		delete(r.rules, ruleID)
 		return nil
 	}
 	if err := r.conn.DelRule(rule); err != nil {
 		return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
 	}
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
 	}
 	delete(r.rules, ruleID)
 	return nil
 }
 // ensureNATOutputChain lazily creates the OUTPUT NAT chain on first use.
 func (r *router) ensureNATOutputChain() error {
 	if _, exists := r.chains[chainNameNATOutput]; exists {
 		return nil
 	}
 	r.chains[chainNameNATOutput] = r.conn.AddChain(&nftables.Chain{
 		Name:     chainNameNATOutput,
 		Table:    r.workTable,
 		Hooknum:  nftables.ChainHookOutput,
 		Priority: nftables.ChainPriorityNATDest,
 		Type:     nftables.ChainTypeNAT,
 	})
 	if err := r.conn.Flush(); err != nil {
 		delete(r.chains, chainNameNATOutput)
 		return fmt.Errorf("create NAT output chain: %w", err)
 	}
 	return nil
 }
 // AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
 func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	if _, exists := r.rules[ruleID]; exists {
 		return nil
 	}
 	if err := r.ensureNATOutputChain(); err != nil {
 		return err
 	}
 	protoNum, err := protoToInt(protocol)
 	if err != nil {
 		return fmt.Errorf("convert protocol to number: %w", err)
 	}
 	exprs := []expr.Any{
 		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
 			Data:     []byte{protoNum},
 		},
 		&expr.Payload{
 			DestRegister: 2,
 			Base:         expr.PayloadBaseTransportHeader,
 			Offset:       2,
 			Len:          2,
 		},
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 2,
 			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
 		},
 	}
 	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
 	exprs = append(exprs,
 		&expr.Immediate{
 			Register: 1,
 			Data:     localAddr.AsSlice(),
 		},
 		&expr.Immediate{
 			Register: 2,
 			Data:     binaryutil.BigEndian.PutUint16(targetPort),
 		},
 		&expr.NAT{
 			Type:        expr.NATTypeDestNAT,
 			Family:      uint32(nftables.TableFamilyIPv4),
 			RegAddrMin:  1,
 			RegProtoMin: 2,
 		},
 	)
 	dnatRule := &nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameNATOutput],
 		Exprs:    exprs,
 		UserData: []byte(ruleID),
 	}
 	r.conn.AddRule(dnatRule)
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf("add output DNAT rule: %w", err)
 	}
 	r.rules[ruleID] = dnatRule
 	return nil
 }
 // RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
 func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
 	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
 	rule, exists := r.rules[ruleID]
 	if !exists {
 		return nil
 	}
 	if rule.Handle == 0 {
 		log.Warnf("output DNAT rule %s has no handle, removing stale entry", ruleID)
 		delete(r.rules, ruleID)
 		return nil
 	}
 	if err := r.conn.DelRule(rule); err != nil {
 		return fmt.Errorf("delete output DNAT rule %s: %w", ruleID, err)
 	}
 	if err := r.conn.Flush(); err != nil {
 		return fmt.Errorf("flush delete output DNAT rule: %w", err)
 	}
 	delete(r.rules, ruleID)
 	return nil
 }
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -18,6 +18,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
 )
 const (
@@ -719,3 +720,137 @@ func deleteWorkTable() {
 		}
 	}
 }
 func TestRouter_RefreshRulesMap_RemovesStaleEntries(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	workTable, err := createWorkTable()
 	require.NoError(t, err)
 	defer deleteWorkTable()
 	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, r.init(workTable))
 	defer func() { require.NoError(t, r.Reset()) }()
 	// Add a real rule to the kernel
 	ruleKey, err := r.AddRouteFiltering(
 		nil,
 		[]netip.Prefix{netip.MustParsePrefix("192.168.1.0/24")},
 		firewall.Network{Prefix: netip.MustParsePrefix("10.0.0.0/24")},
 		firewall.ProtocolTCP,
 		nil,
 		&firewall.Port{Values: []uint16{80}},
 		firewall.ActionAccept,
 	)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, r.DeleteRouteRule(ruleKey))
 	})
 	// Inject a stale entry with Handle=0 (simulates store-before-flush failure)
 	staleKey := "stale-rule-that-does-not-exist"
 	r.rules[staleKey] = &nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
 		Handle:   0,
 		UserData: []byte(staleKey),
 	}
 	require.Contains(t, r.rules, staleKey, "stale entry should be in map before refresh")
 	err = r.refreshRulesMap()
 	require.NoError(t, err)
 	assert.NotContains(t, r.rules, staleKey, "stale entry should be removed after refresh")
 	realRule, ok := r.rules[ruleKey.ID()]
 	assert.True(t, ok, "real rule should still exist after refresh")
 	assert.NotZero(t, realRule.Handle, "real rule should have a valid handle")
 }
 func TestRouter_DeleteRouteRule_StaleHandle(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	workTable, err := createWorkTable()
 	require.NoError(t, err)
 	defer deleteWorkTable()
 	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, r.init(workTable))
 	defer func() { require.NoError(t, r.Reset()) }()
 	// Inject a stale entry with Handle=0
 	staleKey := "stale-route-rule"
 	r.rules[staleKey] = &nftables.Rule{
 		Table:    r.workTable,
 		Chain:    r.chains[chainNameRoutingFw],
 		Handle:   0,
 		UserData: []byte(staleKey),
 	}
 	// DeleteRouteRule should not return an error for stale handles
 	err = r.DeleteRouteRule(id.RuleID(staleKey))
 	assert.NoError(t, err, "deleting a stale rule should not error")
 	assert.NotContains(t, r.rules, staleKey, "stale entry should be cleaned up")
 }
 func TestRouter_AddNatRule_WithStaleEntry(t *testing.T) {
 	if check() != NFTABLES {
 		t.Skip("nftables not supported on this system")
 	}
 	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	pair := firewall.RouterPair{
 		ID:          "staletest",
 		Source:      firewall.Network{Prefix: netip.MustParsePrefix("100.100.100.1/32")},
 		Destination: firewall.Network{Prefix: netip.MustParsePrefix("100.100.200.0/24")},
 		Masquerade:  true,
 	}
 	rtr := manager.router
 	// First add succeeds
 	err = rtr.AddNatRule(pair)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, rtr.RemoveNatRule(pair))
 	})
 	// Corrupt the handle to simulate stale state
 	natRuleKey := firewall.GenKey(firewall.PreroutingFormat, pair)
 	if rule, exists := rtr.rules[natRuleKey]; exists {
 		rule.Handle = 0
 	}
 	inverseKey := firewall.GenKey(firewall.PreroutingFormat, firewall.GetInversePair(pair))
 	if rule, exists := rtr.rules[inverseKey]; exists {
 		rule.Handle = 0
 	}
 	// Adding the same rule again should succeed despite stale handles
 	err = rtr.AddNatRule(pair)
 	assert.NoError(t, err, "AddNatRule should succeed even with stale entries")
 	// Verify rules exist in kernel
 	rules, err := rtr.conn.GetRules(rtr.workTable, rtr.chains[chainNameManglePrerouting])
 	require.NoError(t, err)
 	found := 0
 	for _, rule := range rules {
 		if len(rule.UserData) > 0 && string(rule.UserData) == natRuleKey {
 			found++
 		}
 	}
 	assert.Equal(t, 1, found, "NAT rule should exist in kernel")
 }
--- a/client/firewall/nftables/state_linux.go
+++ b/client/firewall/nftables/state_linux.go
@@ -8,10 +8,9 @@ import (
 )
 type InterfaceState struct {
-	NameStr       string         `json:"name"`
+	NameStr   string         `json:"name"`
-	WGAddress     wgaddr.Address `json:"wg_address"`
+	WGAddress wgaddr.Address `json:"wg_address"`
-	UserspaceBind bool           `json:"userspace_bind"`
+	MTU       uint16         `json:"mtu"`
 	MTU           uint16         `json:"mtu"`
 }
 func (i *InterfaceState) Name() string {
@@ -22,10 +21,6 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }
 func (i *InterfaceState) IsUserspaceBind() bool {
 	return i.UserspaceBind
 }
 type ShutdownState struct {
 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
 }
--- a/client/firewall/uspfilter/allow_netbird.go
+++ b/client/firewall/uspfilter/allow_netbird.go
@@ -3,12 +3,6 @@
 package uspfilter
 import (
 	"context"
 	"net/netip"
 	"time"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -17,33 +11,7 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.resetState()
 	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
 		fwder.Stop()
 	}
 	if m.logger != nil {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		if err := m.logger.Stop(ctx); err != nil {
 			log.Errorf("failed to shutdown logger: %v", err)
 		}
 	}
 	if m.nativeFirewall != nil {
 		return m.nativeFirewall.Close(stateManager)
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -1,12 +1,9 @@
 package uspfilter
 import (
 	"context"
 	"fmt"
 	"net/netip"
 	"os/exec"
 	"syscall"
 	"time"
 	log "github.com/sirupsen/logrus"
@@ -26,33 +23,7 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.resetState()
 	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
 		fwder.Stop()
 	}
 	if m.logger != nil {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		if err := m.logger.Stop(ctx); err != nil {
 			log.Errorf("failed to shutdown logger: %v", err)
 		}
 	}
 	if !isWindowsFirewallReachable() {
 		return nil
--- a/client/firewall/uspfilter/common/hooks.go
+++ b/client/firewall/uspfilter/common/hooks.go
@@ -0,0 +1,37 @@
 package common
 import (
 	"net/netip"
 	"sync/atomic"
 )
 // PacketHook stores a registered hook for a specific IP:port.
 type PacketHook struct {
 	IP   netip.Addr
 	Port uint16
 	Fn   func([]byte) bool
 }
 // HookMatches checks if a packet's destination matches the hook and invokes it.
 func HookMatches(h *PacketHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
 	if h == nil {
 		return false
 	}
 	if h.IP == dstIP && h.Port == dport {
 		return h.Fn(packetData)
 	}
 	return false
 }
 // SetHook atomically stores a hook, handling nil removal.
 func SetHook(ptr *atomic.Pointer[PacketHook], ip netip.Addr, dPort uint16, hook func([]byte) bool) {
 	if hook == nil {
 		ptr.Store(nil)
 		return
 	}
 	ptr.Store(&PacketHook{
 		IP:   ip,
 		Port: dPort,
 		Fn:   hook,
 	})
 }
--- a/client/firewall/uspfilter/conntrack/tcp.go
+++ b/client/firewall/uspfilter/conntrack/tcp.go
@@ -115,6 +115,17 @@ func (t *TCPConnTrack) IsTombstone() bool {
 	return t.tombstone.Load()
 }
 // IsSupersededBy returns true if this connection should be replaced by a new one
 // carrying the given flags. Tombstoned connections are always superseded; TIME-WAIT
 // connections are superseded by a pure SYN (a new connection attempt for the same
 // four-tuple, as contemplated by RFC 1122 §4.2.2.13 and RFC 6191).
 func (t *TCPConnTrack) IsSupersededBy(flags uint8) bool {
 	if t.tombstone.Load() {
 		return true
 	}
 	return flags&TCPSyn != 0 && flags&TCPAck == 0 && TCPState(t.state.Load()) == TCPStateTimeWait
 }
 // SetTombstone safely marks the connection for deletion
 func (t *TCPConnTrack) SetTombstone() {
 	t.tombstone.Store(true)
@@ -169,7 +180,7 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
-	if exists {
+	if exists && !conn.IsSupersededBy(flags) {
 		t.updateState(key, conn, flags, direction, size)
 		return key, uint16(conn.DNATOrigPort.Load()), true
 	}
@@ -241,7 +252,7 @@ func (t *TCPTracker) IsValidInbound(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 	conn, exists := t.connections[key]
 	t.mutex.RUnlock()
-	if !exists || conn.IsTombstone() {
+	if !exists || conn.IsSupersededBy(flags) {
 		return false
 	}
--- a/client/firewall/uspfilter/conntrack/tcp_test.go
+++ b/client/firewall/uspfilter/conntrack/tcp_test.go
@@ -485,6 +485,261 @@ func TestTCPAbnormalSequences(t *testing.T) {
 	})
 }
 // TestTCPPortReuseTombstone verifies that a new connection on a port with a
 // tombstoned (closed) conntrack entry is properly tracked. Without the fix,
 // updateIfExists treats tombstoned entries as live, causing track() to skip
 // creating a new connection. The subsequent SYN-ACK then fails IsValidInbound
 // because the entry is tombstoned, and the response packet gets dropped by ACL.
 func TestTCPPortReuseTombstone(t *testing.T) {
 	srcIP := netip.MustParseAddr("100.64.0.1")
 	dstIP := netip.MustParseAddr("100.64.0.2")
 	srcPort := uint16(12345)
 	dstPort := uint16(80)
 	t.Run("Outbound port reuse after graceful close", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and gracefully close a connection (server-initiated close)
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		// Server sends FIN
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		require.True(t, valid)
 		// Client sends FIN-ACK
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		// Server sends final ACK
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.True(t, valid)
 		// Connection should be tombstoned
 		conn := tracker.connections[key]
 		require.NotNil(t, conn, "old connection should still be in map")
 		require.True(t, conn.IsTombstone(), "old connection should be tombstoned")
 		// Now reuse the same port for a new connection
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
 		// The old tombstoned entry should be replaced with a new one
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn, "new connection should exist")
 		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
 		require.Equal(t, TCPStateSynSent, newConn.GetState())
 		// SYN-ACK for the new connection should be valid
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
 		require.True(t, valid, "SYN-ACK for new connection on reused port should be accepted")
 		require.Equal(t, TCPStateEstablished, newConn.GetState())
 		// Data transfer should work
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 100)
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPPush|TCPAck, 500)
 		require.True(t, valid, "data should be allowed on new connection")
 	})
 	t.Run("Outbound port reuse after RST", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and RST a connection
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPRst|TCPAck, 0)
 		require.True(t, valid)
 		conn := tracker.connections[key]
 		require.True(t, conn.IsTombstone(), "RST connection should be tombstoned")
 		// Reuse the same port
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn)
 		require.False(t, newConn.IsTombstone())
 		require.Equal(t, TCPStateSynSent, newConn.GetState())
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
 		require.True(t, valid, "SYN-ACK should be accepted after RST tombstone")
 	})
 	t.Run("Inbound port reuse after close", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		clientIP := srcIP
 		serverIP := dstIP
 		clientPort := srcPort
 		serverPort := dstPort
 		key := ConnKey{SrcIP: clientIP, DstIP: serverIP, SrcPort: clientPort, DstPort: serverPort}
 		// Inbound connection: client SYN → server SYN-ACK → client ACK
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateEstablished, conn.GetState())
 		// Server-initiated close to reach Closed/tombstoned:
 		// Server FIN (opposite dir) → CloseWait
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPFin|TCPAck, 100)
 		require.Equal(t, TCPStateCloseWait, conn.GetState())
 		// Client FIN-ACK (same dir as conn) → LastAck
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPFin|TCPAck, nil, 100, 0)
 		require.Equal(t, TCPStateLastAck, conn.GetState())
 		// Server final ACK (opposite dir) → Closed → tombstoned
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
 		require.True(t, conn.IsTombstone())
 		// New inbound connection on same ports
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn)
 		require.False(t, newConn.IsTombstone())
 		require.Equal(t, TCPStateSynReceived, newConn.GetState())
 		// Complete handshake: server SYN-ACK, then client ACK
 		tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
 		tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
 		require.Equal(t, TCPStateEstablished, newConn.GetState())
 	})
 	t.Run("Late ACK on tombstoned connection is harmless", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and close via passive close (server-initiated FIN → Closed → tombstoned)
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0) // CloseWait
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)  // LastAck
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)        // Closed
 		conn := tracker.connections[key]
 		require.True(t, conn.IsTombstone())
 		// Late ACK should be rejected (tombstoned)
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.False(t, valid, "late ACK on tombstoned connection should be rejected")
 		// Late outbound ACK should not create a new connection (not a SYN)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		require.True(t, tracker.connections[key].IsTombstone(), "late outbound ACK should not replace tombstoned entry")
 	})
 }
 func TestTCPPortReuseTimeWait(t *testing.T) {
 	srcIP := netip.MustParseAddr("100.64.0.1")
 	dstIP := netip.MustParseAddr("100.64.0.2")
 	srcPort := uint16(12345)
 	dstPort := uint16(80)
 	t.Run("Outbound port reuse during TIME-WAIT (active close)", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish connection
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		// Active close: client (outbound initiator) sends FIN first
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateFinWait1, conn.GetState())
 		// Server ACKs the FIN
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.True(t, valid)
 		require.Equal(t, TCPStateFinWait2, conn.GetState())
 		// Server sends its own FIN
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		require.True(t, valid)
 		require.Equal(t, TCPStateTimeWait, conn.GetState())
 		// Client sends final ACK (TIME-WAIT stays, not tombstoned)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		require.False(t, conn.IsTombstone(), "TIME-WAIT should not be tombstoned")
 		// New outbound SYN on the same port (port reuse during TIME-WAIT)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPSyn, 100)
 		// Per RFC 1122/6191, new SYN during TIME-WAIT should start a new connection
 		newConn := tracker.connections[key]
 		require.NotNil(t, newConn, "new connection should exist")
 		require.False(t, newConn.IsTombstone(), "new connection should not be tombstoned")
 		require.Equal(t, TCPStateSynSent, newConn.GetState(), "new connection should be in SYN-SENT")
 		// SYN-ACK for new connection should be valid
 		valid = tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn|TCPAck, 100)
 		require.True(t, valid, "SYN-ACK for new connection should be accepted")
 		require.Equal(t, TCPStateEstablished, newConn.GetState())
 	})
 	t.Run("Inbound SYN during TIME-WAIT falls through to normal tracking", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish outbound connection and close via active close → TIME-WAIT
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateTimeWait, conn.GetState())
 		// Inbound SYN on same ports during TIME-WAIT: IsValidInbound returns false
 		// so the filter falls through to ACL check + TrackInbound (which creates
 		// a new connection via track() → updateIfExists skips TIME-WAIT for SYN)
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, 0)
 		require.False(t, valid, "inbound SYN during TIME-WAIT should fail conntrack validation")
 		// Simulate what the filter does next: TrackInbound via the normal path
 		tracker.TrackInbound(dstIP, srcIP, dstPort, srcPort, TCPSyn, nil, 100, 0)
 		// The new inbound connection uses the inverted key (dst→src becomes src→dst in track)
 		invertedKey := ConnKey{SrcIP: dstIP, DstIP: srcIP, SrcPort: dstPort, DstPort: srcPort}
 		newConn := tracker.connections[invertedKey]
 		require.NotNil(t, newConn, "new inbound connection should be tracked")
 		require.Equal(t, TCPStateSynReceived, newConn.GetState())
 		require.False(t, newConn.IsTombstone())
 	})
 	t.Run("Late retransmit during TIME-WAIT still allowed", func(t *testing.T) {
 		tracker := NewTCPTracker(DefaultTCPTimeout, logger, flowLogger)
 		defer tracker.Close()
 		key := ConnKey{SrcIP: srcIP, DstIP: dstIP, SrcPort: srcPort, DstPort: dstPort}
 		// Establish and active close → TIME-WAIT
 		establishConnection(t, tracker, srcIP, dstIP, srcPort, dstPort)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPFin|TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPFin|TCPAck, 0)
 		tracker.TrackOutbound(srcIP, dstIP, srcPort, dstPort, TCPAck, 0)
 		conn := tracker.connections[key]
 		require.Equal(t, TCPStateTimeWait, conn.GetState())
 		// Late ACK retransmits during TIME-WAIT should still be accepted
 		valid := tracker.IsValidInbound(dstIP, srcIP, dstPort, srcPort, TCPAck, 0)
 		require.True(t, valid, "retransmitted ACK during TIME-WAIT should be accepted")
 	})
 }
 func TestTCPTimeoutHandling(t *testing.T) {
 	// Create tracker with a very short timeout for testing
 	shortTimeout := 100 * time.Millisecond
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -1,6 +1,7 @@
 package uspfilter
 import (
 	"context"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -12,11 +13,13 @@ import (
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/exp/maps"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
@@ -24,6 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -89,6 +93,7 @@ type Manager struct {
 	incomingDenyRules map[netip.Addr]RuleSet
 	incomingRules     map[netip.Addr]RuleSet
 	routeRules        RouteRules
 	routeRulesMap     map[nbid.RuleID]*RouteRule
 	decoders          sync.Pool
 	wgIface           common.IFaceMapper
 	nativeFirewall    firewall.Manager
@@ -135,6 +140,10 @@ type Manager struct {
 	mtu             uint16
 	mssClampValue   uint16
 	mssClampEnabled bool
 	// Only one hook per protocol is supported. Outbound direction only.
 	udpHookOut atomic.Pointer[common.PacketHook]
 	tcpHookOut atomic.Pointer[common.PacketHook]
 }
 // decoder for packages
@@ -229,6 +238,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		flowLogger:          flowLogger,
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
 		routeRulesMap:       make(map[nbid.RuleID]*RouteRule),
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
 		netstackServices:    make(map[serviceKey]struct{}),
@@ -480,11 +490,15 @@ func (m *Manager) addRouteFiltering(
 		return m.nativeFirewall.AddRouteFiltering(id, sources, destination, proto, sPort, dPort, action)
 	}
-	ruleID := uuid.New().String()
+	ruleKey := nbid.GenerateRouteRuleKey(sources, destination, proto, sPort, dPort, action)
 	if existingRule, ok := m.routeRulesMap[ruleKey]; ok {
 		return existingRule, nil
 	}
 	rule := RouteRule{
 		// TODO: consolidate these IDs
-		id:         ruleID,
+		id:         string(ruleKey),
 		mgmtId:     id,
 		sources:    sources,
 		dstSet:     destination.Set,
@@ -499,6 +513,7 @@ func (m *Manager) addRouteFiltering(
 	m.routeRules = append(m.routeRules, &rule)
 	m.routeRules.Sort()
 	m.routeRulesMap[ruleKey] = &rule
 	return &rule, nil
 }
@@ -515,15 +530,20 @@ func (m *Manager) deleteRouteRule(rule firewall.Rule) error {
 		return m.nativeFirewall.DeleteRouteRule(rule)
 	}
-	ruleID := rule.ID()
+	ruleKey := nbid.RuleID(rule.ID())
 	if _, ok := m.routeRulesMap[ruleKey]; !ok {
 		return fmt.Errorf("route rule not found: %s", ruleKey)
 	}
 	idx := slices.IndexFunc(m.routeRules, func(r *RouteRule) bool {
-		return r.id == ruleID
+		return r.id == string(ruleKey)
 	})
 	if idx < 0 {
-		return fmt.Errorf("route rule not found: %s", ruleID)
+		return fmt.Errorf("route rule not found in slice: %s", ruleKey)
 	}
 	m.routeRules = slices.Delete(m.routeRules, idx, idx+1)
 	delete(m.routeRulesMap, ruleKey)
 	return nil
 }
@@ -570,6 +590,50 @@ func (m *Manager) SetLegacyManagement(isLegacy bool) error {
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 // resetState clears all firewall rules and closes connection trackers.
 // Must be called with m.mutex held.
 func (m *Manager) resetState() {
 	maps.Clear(m.outgoingRules)
 	maps.Clear(m.incomingDenyRules)
 	maps.Clear(m.incomingRules)
 	maps.Clear(m.routeRulesMap)
 	m.routeRules = m.routeRules[:0]
 	m.udpHookOut.Store(nil)
 	m.tcpHookOut.Store(nil)
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
 	}
 	if m.icmpTracker != nil {
 		m.icmpTracker.Close()
 	}
 	if m.tcpTracker != nil {
 		m.tcpTracker.Close()
 	}
 	if fwder := m.forwarder.Load(); fwder != nil {
 		fwder.Stop()
 	}
 	if m.logger != nil {
 		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
 		defer cancel()
 		if err := m.logger.Stop(ctx); err != nil {
 			log.Errorf("failed to shutdown logger: %v", err)
 		}
 	}
 }
 // SetupEBPFProxyNoTrack creates notrack rules for eBPF proxy loopback traffic.
 func (m *Manager) SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error {
 	if m.nativeFirewall == nil {
 		return nil
 	}
 	return m.nativeFirewall.SetupEBPFProxyNoTrack(proxyPort, wgPort)
 }
 // UpdateSet updates the rule destinations associated with the given set
 // by merging the existing prefixes with the new ones, then deduplicating.
 func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
@@ -655,6 +719,9 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 			return true
 		}
 	case layers.LayerTypeTCP:
 		if m.tcpHooksDrop(uint16(d.tcp.DstPort), dstIP, packetData) {
 			return true
 		}
 		// Clamp MSS on all TCP SYN packets, including those from local IPs.
 		// SNATed routed traffic may appear as local IP but still requires clamping.
 		if m.mssClampEnabled {
@@ -837,39 +904,12 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	d.dnatOrigPort = 0
 }
 // udpHooksDrop checks if any UDP hooks should drop the packet
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	m.mutex.RLock()
+	return common.HookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
-	defer m.mutex.RUnlock()
+}
-	// Check specific destination IP first
+func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	if rules, exists := m.outgoingRules[dstIP]; exists {
+	return common.HookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
 		for _, rule := range rules {
 			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
 				return rule.udpHook(packetData)
 			}
 		}
 	}
 	// Check IPv4 unspecified address
 	if rules, exists := m.outgoingRules[netip.IPv4Unspecified()]; exists {
 		for _, rule := range rules {
 			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
 				return rule.udpHook(packetData)
 			}
 		}
 	}
 	// Check IPv6 unspecified address
 	if rules, exists := m.outgoingRules[netip.IPv6Unspecified()]; exists {
 		for _, rule := range rules {
 			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
 				return rule.udpHook(packetData)
 			}
 		}
 	}
 	return false
 }
 // filterInbound implements filtering logic for incoming packets.
@@ -1220,12 +1260,6 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 				return rule.mgmtId, rule.drop, true
 			}
 		case layers.LayerTypeUDP:
 			// if rule has UDP hook (and if we are here we match this rule)
 			// we ignore rule.drop and call this hook
 			if rule.udpHook != nil {
 				return rule.mgmtId, rule.udpHook(packetData), true
 			}
 			if portsMatch(rule.sPort, uint16(d.udp.SrcPort)) && portsMatch(rule.dPort, uint16(d.udp.DstPort)) {
 				return rule.mgmtId, rule.drop, true
 			}
@@ -1284,65 +1318,14 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return sourceMatched
 }
-// AddUDPPacketHook calls hook when UDP packet from given direction matched
+// SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
-//
+func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-// Hook function returns flag which indicates should be the matched package dropped or not
+	common.SetHook(&m.udpHookOut, ip, dPort, hook)
 func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string {
 	r := PeerRule{
 		id:         uuid.New().String(),
 		ip:         ip,
 		protoLayer: layers.LayerTypeUDP,
 		dPort:      &firewall.Port{Values: []uint16{dPort}},
 		ipLayer:    layers.LayerTypeIPv6,
 		udpHook:    hook,
 	}
 	if ip.Is4() {
 		r.ipLayer = layers.LayerTypeIPv4
 	}
 	m.mutex.Lock()
 	if in {
 		// Incoming UDP hooks are stored in allow rules map
 		if _, ok := m.incomingRules[r.ip]; !ok {
 			m.incomingRules[r.ip] = make(map[string]PeerRule)
 		}
 		m.incomingRules[r.ip][r.id] = r
 	} else {
 		if _, ok := m.outgoingRules[r.ip]; !ok {
 			m.outgoingRules[r.ip] = make(map[string]PeerRule)
 		}
 		m.outgoingRules[r.ip][r.id] = r
 	}
 	m.mutex.Unlock()
 	return r.id
 }
-// RemovePacketHook removes packet hook by given ID
+// SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
-func (m *Manager) RemovePacketHook(hookID string) error {
+func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	m.mutex.Lock()
+	common.SetHook(&m.tcpHookOut, ip, dPort, hook)
 	defer m.mutex.Unlock()
 	// Check incoming hooks (stored in allow rules)
 	for _, arr := range m.incomingRules {
 		for _, r := range arr {
 			if r.id == hookID {
 				delete(arr, r.id)
 				return nil
 			}
 		}
 	}
 	// Check outgoing hooks
 	for _, arr := range m.outgoingRules {
 		for _, r := range arr {
 			if r.id == hookID {
 				delete(arr, r.id)
 				return nil
 			}
 		}
 	}
 	return fmt.Errorf("hook with given id not found")
 }
 // SetLogLevel sets the log level for the firewall manager
--- a/client/firewall/uspfilter/filter_routeacl_test.go
+++ b/client/firewall/uspfilter/filter_routeacl_test.go
@@ -0,0 +1,376 @@
 package uspfilter
 import (
 	"net/netip"
 	"testing"
 	"github.com/golang/mock/gomock"
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 // TestAddRouteFilteringReturnsExistingRule verifies that adding the same route
 // filtering rule twice returns the same rule ID (idempotent behavior).
 func TestAddRouteFilteringReturnsExistingRule(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{
 		netip.MustParsePrefix("100.64.1.0/24"),
 		netip.MustParsePrefix("100.64.2.0/24"),
 	}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	// Add rule first time
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule1)
 	// Add the same rule again
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.NotNil(t, rule2)
 	// These should be the same (idempotent) like nftables/iptables implementations
 	assert.Equal(t, rule1.ID(), rule2.ID(),
 		"Adding the same rule twice should return the same rule ID (idempotent)")
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 2, ruleCount,
 		"Should have exactly 2 rules (1 user rule + 1 block rule)")
 }
 // TestAddRouteFilteringDifferentRulesGetDifferentIDs verifies that rules with
 // different parameters get distinct IDs.
 func TestAddRouteFilteringDifferentRulesGetDifferentIDs(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	// Add first rule
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")},
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	// Add different rule (different destination)
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-2"),
 		sources,
 		fw.Network{Prefix: netip.MustParsePrefix("192.168.2.0/24")}, // Different!
 		fw.ProtocolTCP,
 		nil,
 		&fw.Port{Values: []uint16{443}},
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	assert.NotEqual(t, rule1.ID(), rule2.ID(),
 		"Different rules should have different IDs")
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 3, ruleCount, "Should have 3 rules (2 user rules + 1 block rule)")
 }
 // TestRouteRuleUpdateDoesNotCauseGap verifies that re-adding the same route
 // rule during a network map update does not disrupt existing traffic.
 func TestRouteRuleUpdateDoesNotCauseGap(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	srcIP := netip.MustParseAddr("100.64.1.5")
 	dstIP := netip.MustParseAddr("192.168.1.10")
 	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
 	require.True(t, pass, "Traffic should pass with rule in place")
 	// Re-add same rule (simulates network map update)
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	// Idempotent IDs mean rule1.ID() == rule2.ID(), so the ACL manager
 	// won't delete rule1 during cleanup. If IDs differed, deleting rule1
 	// would remove the only matching rule and cause a traffic gap.
 	if rule1.ID() != rule2.ID() {
 		err = manager.DeleteRouteRule(rule1)
 		require.NoError(t, err)
 	}
 	_, passAfter := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
 	assert.True(t, passAfter,
 		"Traffic should still pass after rule update - no gap should occur")
 }
 // TestBlockInvalidRoutedIdempotent verifies that blockInvalidRouted creates
 // exactly one drop rule for the WireGuard network prefix, and calling it again
 // returns the same rule without duplicating.
 func TestBlockInvalidRoutedIdempotent(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 	wgNet := netip.MustParsePrefix("100.64.0.1/16")
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
 		GetDeviceFunc: func() *device.FilteredDevice {
 			return &device.FilteredDevice{Device: dev}
 		},
 		GetWGDeviceFunc: func() *wgdevice.Device {
 			return &wgdevice.Device{}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	// Call blockInvalidRouted directly multiple times
 	rule1, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
 	require.NotNil(t, rule1)
 	rule2, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
 	require.NotNil(t, rule2)
 	rule3, err := manager.blockInvalidRouted(ifaceMock)
 	require.NoError(t, err)
 	require.NotNil(t, rule3)
 	// All should return the same rule
 	assert.Equal(t, rule1.ID(), rule2.ID(), "Second call should return same rule")
 	assert.Equal(t, rule2.ID(), rule3.ID(), "Third call should return same rule")
 	// Should have exactly 1 route rule
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 1, ruleCount, "Should have exactly 1 block rule after 3 calls")
 	// Verify the rule blocks traffic to the WG network
 	srcIP := netip.MustParseAddr("10.0.0.1")
 	dstIP := netip.MustParseAddr("100.64.0.50")
 	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 80)
 	assert.False(t, pass, "Block rule should deny traffic to WG prefix")
 }
 // TestBlockRuleNotAccumulatedOnRepeatedEnableRouting verifies that calling
 // EnableRouting multiple times (as happens on each route update) does not
 // accumulate duplicate block rules in the routeRules slice.
 func TestBlockRuleNotAccumulatedOnRepeatedEnableRouting(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 	wgNet := netip.MustParsePrefix("100.64.0.1/16")
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
 		GetDeviceFunc: func() *device.FilteredDevice {
 			return &device.FilteredDevice{Device: dev}
 		},
 		GetWGDeviceFunc: func() *wgdevice.Device {
 			return &wgdevice.Device{}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	// Call EnableRouting multiple times (simulating repeated route updates)
 	for i := 0; i < 5; i++ {
 		require.NoError(t, manager.EnableRouting())
 	}
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 1, ruleCount,
 		"Repeated EnableRouting should not accumulate block rules")
 }
 // TestRouteRuleCountStableAcrossUpdates verifies that adding the same route
 // rule multiple times does not create duplicate entries.
 func TestRouteRuleCountStableAcrossUpdates(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	// Simulate 5 network map updates with the same route rule
 	for i := 0; i < 5; i++ {
 		rule, err := manager.AddRouteFiltering(
 			[]byte("policy-1"),
 			sources,
 			destination,
 			fw.ProtocolTCP,
 			nil,
 			&fw.Port{Values: []uint16{443}},
 			fw.ActionAccept,
 		)
 		require.NoError(t, err)
 		require.NotNil(t, rule)
 	}
 	manager.mutex.RLock()
 	ruleCount := len(manager.routeRules)
 	manager.mutex.RUnlock()
 	assert.Equal(t, 2, ruleCount,
 		"Should have exactly 2 rules (1 user rule + 1 block rule) after 5 updates")
 }
 // TestDeleteRouteRuleAfterIdempotentAdd verifies that deleting a route rule
 // after adding it multiple times works correctly.
 func TestDeleteRouteRuleAfterIdempotentAdd(t *testing.T) {
 	manager := setupTestManager(t)
 	sources := []netip.Prefix{netip.MustParsePrefix("100.64.1.0/24")}
 	destination := fw.Network{Prefix: netip.MustParsePrefix("192.168.1.0/24")}
 	// Add same rule twice
 	rule1, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	rule2, err := manager.AddRouteFiltering(
 		[]byte("policy-1"),
 		sources,
 		destination,
 		fw.ProtocolTCP,
 		nil,
 		nil,
 		fw.ActionAccept,
 	)
 	require.NoError(t, err)
 	require.Equal(t, rule1.ID(), rule2.ID(), "Should return same rule ID")
 	// Delete using first reference
 	err = manager.DeleteRouteRule(rule1)
 	require.NoError(t, err)
 	// Verify traffic no longer passes
 	srcIP := netip.MustParseAddr("100.64.1.5")
 	dstIP := netip.MustParseAddr("192.168.1.10")
 	_, pass := manager.routeACLsPass(srcIP, dstIP, layers.LayerTypeTCP, 12345, 443)
 	assert.False(t, pass, "Traffic should not pass after rule deletion")
 }
 func setupTestManager(t *testing.T) *Manager {
 	t.Helper()
 	ctrl := gomock.NewController(t)
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 	wgNet := netip.MustParsePrefix("100.64.0.1/16")
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
 				IP:      wgNet.Addr(),
 				Network: wgNet,
 			}
 		},
 		GetDeviceFunc: func() *device.FilteredDevice {
 			return &device.FilteredDevice{Device: dev}
 		},
 		GetWGDeviceFunc: func() *wgdevice.Device {
 			return &wgdevice.Device{}
 		},
 	}
 	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.EnableRouting())
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
 	})
 	return manager
 }
--- a/client/firewall/uspfilter/filter_test.go
+++ b/client/firewall/uspfilter/filter_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"
@@ -186,81 +187,204 @@ func TestManagerDeleteRule(t *testing.T) {
 	}
 }
-func TestAddUDPPacketHook(t *testing.T) {
+func TestSetUDPPacketHook(t *testing.T) {
-	tests := []struct {
+	manager, err := Create(&IFaceMock{
-		name       string
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		in         bool
+	}, false, flowLogger, nbiface.DefaultMTU)
-		expDir     fw.RuleDirection
+	require.NoError(t, err)
-		ip         netip.Addr
+	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-		dPort      uint16
+
-		hook       func([]byte) bool
+	var called bool
-		expectedID string
+	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, func([]byte) bool {
-	}{
+		called = true
-		{
+		return true
-			name:   "Test Outgoing UDP Packet Hook",
+	})
-			in:     false,
+
-			expDir: fw.RuleDirectionOUT,
+	h := manager.udpHookOut.Load()
-			ip:     netip.MustParseAddr("10.168.0.1"),
+	require.NotNil(t, h)
-			dPort:  8000,
+	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
-			hook:   func([]byte) bool { return true },
+	assert.Equal(t, uint16(8000), h.Port)
-		},
+	assert.True(t, h.Fn(nil))
-		{
+	assert.True(t, called)
-			name:   "Test Incoming UDP Packet Hook",
+
-			in:     true,
+	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
-			expDir: fw.RuleDirectionIN,
+	assert.Nil(t, manager.udpHookOut.Load())
-			ip:     netip.MustParseAddr("::1"),
+}
-			dPort:  9000,
+
-			hook:   func([]byte) bool { return false },
+func TestSetTCPPacketHook(t *testing.T) {
-		},
+	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
 	var called bool
 	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, func([]byte) bool {
 		called = true
 		return true
 	})
 	h := manager.tcpHookOut.Load()
 	require.NotNil(t, h)
 	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
 	assert.Equal(t, uint16(53), h.Port)
 	assert.True(t, h.Fn(nil))
 	assert.True(t, called)
 	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)
 	assert.Nil(t, manager.tcpHookOut.Load())
 }
 // TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
 // to the deny map and can be cleanly deleted without leaving orphans.
 func TestPeerRuleLifecycleDenyRules(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
-	for _, tt := range tests {
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-		t.Run(tt.name, func(t *testing.T) {
+	require.NoError(t, err)
-			manager, err := Create(&IFaceMock{
+	defer func() {
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
+		require.NoError(t, m.Close(nil))
-			}, false, flowLogger, nbiface.DefaultMTU)
+	}()
 			require.NoError(t, err)
-			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
+	ip := net.ParseIP("192.168.1.1")
 	addr := netip.MustParseAddr("192.168.1.1")
-			var addedRule PeerRule
+	// Add multiple deny rules for different ports
-			if tt.in {
+	rule1, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-				// Incoming UDP hooks are stored in allow rules map
+		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
-				if len(manager.incomingRules[tt.ip]) != 1 {
+	require.NoError(t, err)
 					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.incomingRules[tt.ip] {
 					addedRule = rule
 				}
 			} else {
 				if len(manager.outgoingRules[tt.ip]) != 1 {
 					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.outgoingRules[tt.ip] {
 					addedRule = rule
 				}
 			}
-			if tt.ip.Compare(addedRule.ip) != 0 {
+	rule2, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
-				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
+		&fw.Port{Values: []uint16{80}}, fw.ActionDrop, "")
-				return
+	require.NoError(t, err)
-			}
+
-			if tt.dPort != addedRule.dPort.Values[0] {
+	m.mutex.RLock()
-				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort.Values[0])
+	denyCount := len(m.incomingDenyRules[addr])
-				return
+	m.mutex.RUnlock()
-			}
+	require.Equal(t, 2, denyCount, "Should have exactly 2 deny rules")
-			if layers.LayerTypeUDP != addedRule.protoLayer {
+
-				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
+	// Delete the first deny rule
-				return
+	err = m.DeletePeerRule(rule1[0])
-			}
+	require.NoError(t, err)
-			if addedRule.udpHook == nil {
+
-				t.Errorf("expected udpHook to be set")
+	m.mutex.RLock()
-				return
+	denyCount = len(m.incomingDenyRules[addr])
-			}
+	m.mutex.RUnlock()
-		})
+	require.Equal(t, 1, denyCount, "Should have 1 deny rule after deleting first")
 	// Delete the second deny rule
 	err = m.DeletePeerRule(rule2[0])
 	require.NoError(t, err)
 	m.mutex.RLock()
 	_, exists := m.incomingDenyRules[addr]
 	m.mutex.RUnlock()
 	require.False(t, exists, "Deny rules IP entry should be cleaned up when empty")
 }
 // TestPeerRuleAddAndDeleteDontLeak verifies that repeatedly adding and deleting
 // peer rules (simulating network map updates) does not leak rules in the maps.
 func TestPeerRuleAddAndDeleteDontLeak(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
 	}()
 	ip := net.ParseIP("192.168.1.1")
 	addr := netip.MustParseAddr("192.168.1.1")
 	// Simulate 10 network map updates: add rule, delete old, add new
 	for i := 0; i < 10; i++ {
 		// Add a deny rule
 		rules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 			&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
 		require.NoError(t, err)
 		// Add an allow rule
 		allowRules, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 			&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 		require.NoError(t, err)
 		// Delete them (simulating ACL manager cleanup)
 		for _, r := range rules {
 			require.NoError(t, m.DeletePeerRule(r))
 		}
 		for _, r := range allowRules {
 			require.NoError(t, m.DeletePeerRule(r))
 		}
 	}
 	m.mutex.RLock()
 	denyCount := len(m.incomingDenyRules[addr])
 	allowCount := len(m.incomingRules[addr])
 	m.mutex.RUnlock()
 	require.Equal(t, 0, denyCount, "No deny rules should remain after cleanup")
 	require.Equal(t, 0, allowCount, "No allow rules should remain after cleanup")
 }
 // TestMixedAllowDenyRulesSameIP verifies that allow and deny rules for the same
 // IP are stored in separate maps and don't interfere with each other.
 func TestMixedAllowDenyRulesSameIP(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, m.Close(nil))
 	}()
 	ip := net.ParseIP("192.168.1.1")
 	// Add allow rule for port 80
 	allowRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 		&fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 	require.NoError(t, err)
 	// Add deny rule for port 22
 	denyRule, err := m.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil,
 		&fw.Port{Values: []uint16{22}}, fw.ActionDrop, "")
 	require.NoError(t, err)
 	addr := netip.MustParseAddr("192.168.1.1")
 	m.mutex.RLock()
 	allowCount := len(m.incomingRules[addr])
 	denyCount := len(m.incomingDenyRules[addr])
 	m.mutex.RUnlock()
 	require.Equal(t, 1, allowCount, "Should have 1 allow rule")
 	require.Equal(t, 1, denyCount, "Should have 1 deny rule")
 	// Delete allow rule should not affect deny rule
 	err = m.DeletePeerRule(allowRule[0])
 	require.NoError(t, err)
 	m.mutex.RLock()
 	denyCountAfter := len(m.incomingDenyRules[addr])
 	m.mutex.RUnlock()
 	require.Equal(t, 1, denyCountAfter, "Deny rule should still exist after deleting allow rule")
 	// Delete deny rule
 	err = m.DeletePeerRule(denyRule[0])
 	require.NoError(t, err)
 	m.mutex.RLock()
 	_, denyExists := m.incomingDenyRules[addr]
 	_, allowExists := m.incomingRules[addr]
 	m.mutex.RUnlock()
 	require.False(t, denyExists, "Deny rules should be empty")
 	require.False(t, allowExists, "Allow rules should be empty")
 }
 func TestManagerReset(t *testing.T) {
@@ -378,39 +502,12 @@ func TestRemovePacketHook(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	}()
-	// Add a UDP packet hook
+	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, func([]byte) bool { return true })
 	hookFunc := func(data []byte) bool { return true }
 	hookID := manager.AddUDPPacketHook(false, netip.MustParseAddr("192.168.0.1"), 8080, hookFunc)
-	// Assert the hook is added by finding it in the manager's outgoing rules
+	require.NotNil(t, manager.udpHookOut.Load(), "hook should be registered")
 	found := false
 	for _, arr := range manager.outgoingRules {
 		for _, rule := range arr {
 			if rule.id == hookID {
 				found = true
 				break
 			}
 		}
 	}
-	if !found {
+	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, nil)
-		t.Fatalf("The hook was not added properly.")
+	assert.Nil(t, manager.udpHookOut.Load(), "hook should be removed")
 	}
 	// Now remove the packet hook
 	err = manager.RemovePacketHook(hookID)
 	if err != nil {
 		t.Fatalf("Failed to remove hook: %s", err)
 	}
 	// Assert the hook is removed by checking it in the manager's outgoing rules
 	for _, arr := range manager.outgoingRules {
 		for _, rule := range arr {
 			if rule.id == hookID {
 				t.Fatalf("The hook was not removed properly.")
 			}
 		}
 	}
 }
 func TestProcessOutgoingHooks(t *testing.T) {
@@ -440,8 +537,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}
 	hookCalled := false
-	hookID := manager.AddUDPPacketHook(
+	manager.SetUDPPacketHook(
 		false,
 		netip.MustParseAddr("100.10.0.100"),
 		53,
 		func([]byte) bool {
@@ -449,7 +545,6 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			return true
 		},
 	)
 	require.NotEmpty(t, hookID)
 	// Create test UDP packet
 	ipv4 := &layers.IPv4{
--- a/client/firewall/uspfilter/hooks_filter.go
+++ b/client/firewall/uspfilter/hooks_filter.go
@@ -0,0 +1,90 @@
 package uspfilter
 import (
 	"encoding/binary"
 	"net/netip"
 	"sync/atomic"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 const (
 	ipv4HeaderMinLen = 20
 	ipv4ProtoOffset  = 9
 	ipv4FlagsOffset  = 6
 	ipv4DstOffset    = 16
 	ipProtoUDP       = 17
 	ipProtoTCP       = 6
 	ipv4FragOffMask  = 0x1fff
 	// dstPortOffset is the offset of the destination port within a UDP or TCP header.
 	dstPortOffset = 2
 )
 // HooksFilter is a minimal packet filter that only handles outbound DNS hooks.
 // It is installed on the WireGuard interface when the userspace bind is active
 // but a full firewall filter (Manager) is not needed because a native kernel
 // firewall (nftables/iptables) handles packet filtering.
 type HooksFilter struct {
 	udpHook atomic.Pointer[common.PacketHook]
 	tcpHook atomic.Pointer[common.PacketHook]
 }
 var _ device.PacketFilter = (*HooksFilter)(nil)
 // FilterOutbound checks outbound packets for DNS hook matches.
 // Only IPv4 packets matching the registered hook IP:port are intercepted.
 // IPv6 and non-IP packets pass through unconditionally.
 func (f *HooksFilter) FilterOutbound(packetData []byte, _ int) bool {
 	if len(packetData) < ipv4HeaderMinLen {
 		return false
 	}
 	// Only process IPv4 packets, let everything else pass through.
 	if packetData[0]>>4 != 4 {
 		return false
 	}
 	ihl := int(packetData[0]&0x0f) * 4
 	if ihl < ipv4HeaderMinLen || len(packetData) < ihl+4 {
 		return false
 	}
 	// Skip non-first fragments: they don't carry L4 headers.
 	flagsAndOffset := binary.BigEndian.Uint16(packetData[ipv4FlagsOffset : ipv4FlagsOffset+2])
 	if flagsAndOffset&ipv4FragOffMask != 0 {
 		return false
 	}
 	dstIP, ok := netip.AddrFromSlice(packetData[ipv4DstOffset : ipv4DstOffset+4])
 	if !ok {
 		return false
 	}
 	proto := packetData[ipv4ProtoOffset]
 	dstPort := binary.BigEndian.Uint16(packetData[ihl+dstPortOffset : ihl+dstPortOffset+2])
 	switch proto {
 	case ipProtoUDP:
 		return common.HookMatches(f.udpHook.Load(), dstIP, dstPort, packetData)
 	case ipProtoTCP:
 		return common.HookMatches(f.tcpHook.Load(), dstIP, dstPort, packetData)
 	default:
 		return false
 	}
 }
 // FilterInbound allows all inbound packets (native firewall handles filtering).
 func (f *HooksFilter) FilterInbound([]byte, int) bool {
 	return false
 }
 // SetUDPPacketHook registers the UDP packet hook.
 func (f *HooksFilter) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
 	common.SetHook(&f.udpHook, ip, dPort, hook)
 }
 // SetTCPPacketHook registers the TCP packet hook.
 func (f *HooksFilter) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
 	common.SetHook(&f.tcpHook, ip, dPort, hook)
 }
--- a/client/firewall/uspfilter/localip.go
+++ b/client/firewall/uspfilter/localip.go
@@ -144,6 +144,8 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	if err != nil {
 		log.Warnf("failed to get interfaces: %v", err)
 	} else {
 		// TODO: filter out down interfaces (net.FlagUp). Also handle the reverse
 		// case where an interface comes up between refreshes.
 		for _, intf := range interfaces {
 			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
 		}
--- a/client/firewall/uspfilter/log/log.go
+++ b/client/firewall/uspfilter/log/log.go
@@ -5,6 +5,8 @@ import (
 	"context"
 	"fmt"
 	"io"
 	"os"
 	"strconv"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -16,9 +18,18 @@ const (
 	maxBatchSize         = 1024 * 16
 	maxMessageSize       = 1024 * 2
 	defaultFlushInterval = 2 * time.Second
-	logChannelSize       = 1000
+	defaultLogChanSize   = 1000
 )
 func getLogChannelSize() int {
 	if v := os.Getenv("NB_USPFILTER_LOG_BUFFER"); v != "" {
 		if n, err := strconv.Atoi(v); err == nil && n > 0 {
 			return n
 		}
 	}
 	return defaultLogChanSize
 }
 type Level uint32
 const (
@@ -69,7 +80,7 @@ type Logger struct {
 func NewFromLogrus(logrusLogger *log.Logger) *Logger {
 	l := &Logger{
 		output:     logrusLogger.Out,
-		msgChannel: make(chan logMessage, logChannelSize),
+		msgChannel: make(chan logMessage, getLogChannelSize()),
 		shutdown:   make(chan struct{}),
 		bufPool: sync.Pool{
 			New: func() any {
--- a/client/firewall/uspfilter/nat.go
+++ b/client/firewall/uspfilter/nat.go
@@ -358,9 +358,9 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	// Fast path for IPv4 addresses (4 bytes) - most common case
 	if len(oldBytes) == 4 && len(newBytes) == 4 {
 		sum += uint32(^binary.BigEndian.Uint16(oldBytes[0:2]))
-		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4]))
+		sum += uint32(^binary.BigEndian.Uint16(oldBytes[2:4])) //nolint:gosec // length checked above
 		sum += uint32(binary.BigEndian.Uint16(newBytes[0:2]))
-		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4]))
+		sum += uint32(binary.BigEndian.Uint16(newBytes[2:4])) //nolint:gosec // length checked above
 	} else {
 		// Fallback for other lengths
 		for i := 0; i < len(oldBytes)-1; i += 2 {
@@ -421,6 +421,7 @@ func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.Laye
 }
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
 // TODO: also delegate to nativeFirewall when available for kernel WG mode
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	var layerType gopacket.LayerType
 	switch protocol {
@@ -466,6 +467,22 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
 }
 // AddOutputDNAT delegates to the native firewall if available.
 func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	if m.nativeFirewall == nil {
 		return fmt.Errorf("output DNAT not supported without native firewall")
 	}
 	return m.nativeFirewall.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // RemoveOutputDNAT delegates to the native firewall if available.
 func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	if m.nativeFirewall == nil {
 		return nil
 	}
 	return m.nativeFirewall.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 // translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
 func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	if !m.portDNATEnabled.Load() {
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -18,9 +18,7 @@ type PeerRule struct {
 	protoLayer gopacket.LayerType
 	sPort      *firewall.Port
 	dPort      *firewall.Port
-	drop       bool
+	drop bool
 	udpHook func([]byte) bool
 }
 // ID returns the rule id
--- a/client/firewall/uspfilter/tracer_test.go
+++ b/client/firewall/uspfilter/tracer_test.go
@@ -399,21 +399,17 @@ func TestTracePacket(t *testing.T) {
 		{
 			name: "UDPTraffic_WithHook",
 			setup: func(m *Manager) {
-				hookFunc := func([]byte) bool {
+				m.SetUDPPacketHook(netip.MustParseAddr("100.10.255.254"), 53, func([]byte) bool {
-					return true
+					return true // drop (intercepted by hook)
-				}
+				})
 				m.AddUDPPacketHook(true, netip.MustParseAddr("1.1.1.1"), 53, hookFunc)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("1.1.1.1", "100.10.0.100", "udp", 12345, 53, fw.RuleDirectionIN)
+				return createPacketBuilder("100.10.0.100", "100.10.255.254", "udp", 12345, 53, fw.RuleDirectionOUT)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
+				StageOutbound1to1NAT,
-				StageInbound1to1NAT,
+				StageOutboundPortReverse,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
 				StageCompleted,
 			},
 			expectedAllow: false,
--- a/client/grpc/dialer.go
+++ b/client/grpc/dialer.go
@@ -28,7 +28,7 @@ func Backoff(ctx context.Context) backoff.BackOff {
 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
+func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string, extraOpts ...grpc.DialOption) (*grpc.ClientConn, error) {
 	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
 	// for js, the outer websocket layer takes care of tls
 	if tlsEnabled && runtime.GOOS != "js" {
@@ -46,9 +46,7 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 	defer cancel()
-	conn, err := grpc.DialContext(
+	opts := []grpc.DialOption{
 		connCtx,
 		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
 		grpc.WithBlock(),
@@ -56,7 +54,10 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
-	)
+	}
 	opts = append(opts, extraOpts...)
 	conn, err := grpc.DialContext(connCtx, addr, opts...)
 	if err != nil {
 		return nil, fmt.Errorf("dial context: %w", err)
 	}
--- a/client/iface/configurer/uapi.go
+++ b/client/iface/configurer/uapi.go
@@ -5,20 +5,18 @@ package configurer
 import (
 	"net"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/ipc"
 )
 func openUAPI(deviceName string) (net.Listener, error) {
 	uapiSock, err := ipc.UAPIOpen(deviceName)
 	if err != nil {
 		log.Errorf("failed to open uapi socket: %v", err)
 		return nil, err
 	}
 	listener, err := ipc.UAPIListen(deviceName, uapiSock)
 	if err != nil {
-		log.Errorf("failed to listen on uapi socket: %v", err)
+		_ = uapiSock.Close()
 		return nil, err
 	}
--- a/client/iface/configurer/usp.go
+++ b/client/iface/configurer/usp.go
@@ -54,6 +54,14 @@ func NewUSPConfigurer(device *device.Device, deviceName string, activityRecorder
 	return wgCfg
 }
 func NewUSPConfigurerNoUAPI(device *device.Device, deviceName string, activityRecorder *bind.ActivityRecorder) *WGUSPConfigurer {
 	return &WGUSPConfigurer{
 		device:           device,
 		deviceName:       deviceName,
 		activityRecorder: activityRecorder,
 	}
 }
 func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error {
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
@@ -558,7 +566,7 @@ func parseStatus(deviceName, ipcStr string) (*Stats, error) {
 				continue
 			}
-			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
+			host, portStr, err := net.SplitHostPort(val)
 			if err != nil {
 				log.Errorf("failed to parse endpoint: %v", err)
 				continue
--- a/client/iface/device/device_filter.go
+++ b/client/iface/device/device_filter.go
@@ -15,22 +15,26 @@ type PacketFilter interface {
 	// FilterInbound filter incoming packets from external sources to host
 	FilterInbound(packetData []byte, size int) bool
-	// AddUDPPacketHook calls hook when UDP packet from given direction matched
+	// SetUDPPacketHook registers a hook for outbound UDP packets matching the given IP and port.
-	//
+	// Hook function returns true if the packet should be dropped.
-	// Hook function returns flag which indicates should be the matched package dropped or not.
+	// Only one UDP hook is supported; calling again replaces the previous hook.
-	// Hook function receives raw network packet data as argument.
+	// Pass nil hook to remove.
-	AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string
+	SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
-	// RemovePacketHook removes hook by ID
+	// SetTCPPacketHook registers a hook for outbound TCP packets matching the given IP and port.
-	RemovePacketHook(hookID string) error
+	// Hook function returns true if the packet should be dropped.
 	// Only one TCP hook is supported; calling again replaces the previous hook.
 	// Pass nil hook to remove.
 	SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
 }
 // FilteredDevice to override Read or Write of packets
 type FilteredDevice struct {
 	tun.Device
-	filter PacketFilter
+	filter    PacketFilter
-	mutex  sync.RWMutex
+	mutex     sync.RWMutex
 	closeOnce sync.Once
 }
 // newDeviceFilter constructor function
@@ -40,6 +44,20 @@ func newDeviceFilter(device tun.Device) *FilteredDevice {
 	}
 }
 // Close closes the underlying tun device exactly once.
 // wireguard-go's netTun.Close() panics on double-close due to a bare close(channel),
 // and multiple code paths can trigger Close on the same device.
 func (d *FilteredDevice) Close() error {
 	var err error
 	d.closeOnce.Do(func() {
 		err = d.Device.Close()
 	})
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // Read wraps read method with filtering feature
 func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, err error) {
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
--- a/client/iface/device/device_netstack.go
+++ b/client/iface/device/device_netstack.go
@@ -79,10 +79,12 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurerNoUAPI(t.device, t.name, t.bind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
-		_ = tunIface.Close()
+		if cErr := tunIface.Close(); cErr != nil {
 			log.Debugf("failed to close tun device: %v", cErr)
 		}
 		return nil, fmt.Errorf("error configuring interface: %s", err)
 	}
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -18,6 +18,7 @@ import (
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
@@ -50,6 +51,7 @@ func ValidateMTU(mtu uint16) error {
 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
 	GetProxyPort() uint16
 	Free() error
 }
@@ -80,6 +82,12 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }
 // GetProxyPort returns the proxy port used by the WireGuard proxy.
 // Returns 0 if no proxy port is used (e.g., for userspace WireGuard).
 func (w *WGIface) GetProxyPort() uint16 {
 	return w.wgProxyFactory.GetProxyPort()
 }
 // GetBind returns the EndpointManager userspace bind mode.
 func (w *WGIface) GetBind() device.EndpointManager {
 	w.mu.Lock()
@@ -221,6 +229,10 @@ func (w *WGIface) Close() error {
 		result = multierror.Append(result, fmt.Errorf("failed to close wireguard interface %s: %w", w.Name(), err))
 	}
 	if nbnetstack.IsEnabled() {
 		return errors.FormatErrorOrNil(result)
 	}
 	if err := w.waitUntilRemoved(); err != nil {
 		log.Warnf("failed to remove WireGuard interface %s: %v", w.Name(), err)
 		if err := w.Destroy(); err != nil {
--- a/client/iface/mocks/filter.go
+++ b/client/iface/mocks/filter.go
@@ -34,18 +34,28 @@ func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
 	return m.recorder
 }
-// AddUDPPacketHook mocks base method.
+// SetUDPPacketHook mocks base method.
-func (m *MockPacketFilter) AddUDPPacketHook(arg0 bool, arg1 netip.Addr, arg2 uint16, arg3 func([]byte) bool) string {
+func (m *MockPacketFilter) SetUDPPacketHook(arg0 netip.Addr, arg1 uint16, arg2 func([]byte) bool) {
 	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "AddUDPPacketHook", arg0, arg1, arg2, arg3)
+	m.ctrl.Call(m, "SetUDPPacketHook", arg0, arg1, arg2)
 	ret0, _ := ret[0].(string)
 	return ret0
 }
-// AddUDPPacketHook indicates an expected call of AddUDPPacketHook.
+// SetUDPPacketHook indicates an expected call of SetUDPPacketHook.
-func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+func (mr *MockPacketFilterMockRecorder) SetUDPPacketHook(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).SetUDPPacketHook), arg0, arg1, arg2)
 }
 // SetTCPPacketHook mocks base method.
 func (m *MockPacketFilter) SetTCPPacketHook(arg0 netip.Addr, arg1 uint16, arg2 func([]byte) bool) {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "SetTCPPacketHook", arg0, arg1, arg2)
 }
 // SetTCPPacketHook indicates an expected call of SetTCPPacketHook.
 func (mr *MockPacketFilterMockRecorder) SetTCPPacketHook(arg0, arg1, arg2 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTCPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).SetTCPPacketHook), arg0, arg1, arg2)
 }
 // FilterInbound mocks base method.
@@ -75,17 +85,3 @@ func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}, arg1 an
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0, arg1)
 }
 // RemovePacketHook mocks base method.
 func (m *MockPacketFilter) RemovePacketHook(arg0 string) error {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "RemovePacketHook", arg0)
 	ret0, _ := ret[0].(error)
 	return ret0
 }
 // RemovePacketHook indicates an expected call of RemovePacketHook.
 func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
 }
--- a/client/iface/mocks/iface/mocks/filter.go
+++ b/client/iface/mocks/iface/mocks/filter.go
@@ -1,87 +0,0 @@
 // Code generated by MockGen. DO NOT EDIT.
 // Source: github.com/netbirdio/netbird/client/iface (interfaces: PacketFilter)
 // Package mocks is a generated GoMock package.
 package mocks
 import (
 	net "net"
 	reflect "reflect"
 	gomock "github.com/golang/mock/gomock"
 )
 // MockPacketFilter is a mock of PacketFilter interface.
 type MockPacketFilter struct {
 	ctrl     *gomock.Controller
 	recorder *MockPacketFilterMockRecorder
 }
 // MockPacketFilterMockRecorder is the mock recorder for MockPacketFilter.
 type MockPacketFilterMockRecorder struct {
 	mock *MockPacketFilter
 }
 // NewMockPacketFilter creates a new mock instance.
 func NewMockPacketFilter(ctrl *gomock.Controller) *MockPacketFilter {
 	mock := &MockPacketFilter{ctrl: ctrl}
 	mock.recorder = &MockPacketFilterMockRecorder{mock}
 	return mock
 }
 // EXPECT returns an object that allows the caller to indicate expected use.
 func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
 	return m.recorder
 }
 // AddUDPPacketHook mocks base method.
 func (m *MockPacketFilter) AddUDPPacketHook(arg0 bool, arg1 net.IP, arg2 uint16, arg3 func(*net.UDPAddr, []byte) bool) {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "AddUDPPacketHook", arg0, arg1, arg2, arg3)
 }
 // AddUDPPacketHook indicates an expected call of AddUDPPacketHook.
 func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }
 // FilterInbound mocks base method.
 func (m *MockPacketFilter) FilterInbound(arg0 []byte) bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "FilterInbound", arg0)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 // FilterInbound indicates an expected call of FilterInbound.
 func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0)
 }
 // FilterOutbound mocks base method.
 func (m *MockPacketFilter) FilterOutbound(arg0 []byte) bool {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "FilterOutbound", arg0)
 	ret0, _ := ret[0].(bool)
 	return ret0
 }
 // FilterOutbound indicates an expected call of FilterOutbound.
 func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0)
 }
 // SetNetwork mocks base method.
 func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
 	m.ctrl.T.Helper()
 	m.ctrl.Call(m, "SetNetwork", arg0)
 }
 // SetNetwork indicates an expected call of SetNetwork.
 func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
 }
--- a/client/iface/netstack/tun.go
+++ b/client/iface/netstack/tun.go
@@ -66,7 +66,7 @@ func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
 		}
 	}()
-	return nsTunDev, tunNet, nil
+	return t.tundev, tunNet, nil
 }
 func (t *NetStackTun) Close() error {
--- a/client/iface/wgproxy/bind/proxy.go
+++ b/client/iface/wgproxy/bind/proxy.go
@@ -114,21 +114,21 @@ func (p *ProxyBind) Pause() {
 }
 func (p *ProxyBind) RedirectAs(endpoint *net.UDPAddr) {
 	ep, err := addrToEndpoint(endpoint)
 	if err != nil {
 		log.Errorf("failed to start package redirection: %v", err)
 		return
 	}
 	p.pausedCond.L.Lock()
 	p.paused = false
-	p.wgCurrentUsed = addrToEndpoint(endpoint)
+	p.wgCurrentUsed = ep
 	p.pausedCond.Signal()
 	p.pausedCond.L.Unlock()
 }
 func addrToEndpoint(addr *net.UDPAddr) *bind.Endpoint {
 	ip, _ := netip.AddrFromSlice(addr.IP.To4())
 	addrPort := netip.AddrPortFrom(ip, uint16(addr.Port))
 	return &bind.Endpoint{AddrPort: addrPort}
 }
 func (p *ProxyBind) CloseConn() error {
 	if p.cancel == nil {
 		return fmt.Errorf("proxy not started")
@@ -212,3 +212,16 @@ func fakeAddress(peerAddress *net.UDPAddr) (*netip.AddrPort, error) {
 	netipAddr := netip.AddrPortFrom(fakeIP, uint16(peerAddress.Port))
 	return &netipAddr, nil
 }
 func addrToEndpoint(addr *net.UDPAddr) (*bind.Endpoint, error) {
 	if addr == nil {
 		return nil, fmt.Errorf("invalid address")
 	}
 	ip, ok := netip.AddrFromSlice(addr.IP)
 	if !ok {
 		return nil, fmt.Errorf("convert %s to netip.Addr", addr)
 	}
 	addrPort := netip.AddrPortFrom(ip.Unmap(), uint16(addr.Port))
 	return &bind.Endpoint{AddrPort: addrPort}, nil
 }
--- a/client/iface/wgproxy/ebpf/proxy.go
+++ b/client/iface/wgproxy/ebpf/proxy.go
@@ -8,8 +8,6 @@ import (
 	"net"
 	"sync"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/hashicorp/go-multierror"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
@@ -26,13 +24,10 @@ const (
 	loopbackAddr = "127.0.0.1"
 )
 var (
 	localHostNetIP = net.ParseIP("127.0.0.1")
 )
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
 	proxyPort         int
 	mtu               uint16
 	ebpfManager   ebpfMgr.Manager
@@ -40,7 +35,8 @@ type WGEBPFProxy struct {
 	turnConnMutex sync.Mutex
 	lastUsedPort uint16
-	rawConn      net.PacketConn
+	rawConnIPv4  net.PacketConn
 	rawConnIPv6  net.PacketConn
 	conn         transport.UDPConn
 	ctx       context.Context
@@ -62,23 +58,39 @@ func NewWGEBPFProxy(wgPort int, mtu uint16) *WGEBPFProxy {
 // Listen load ebpf program and listen the proxy
 func (p *WGEBPFProxy) Listen() error {
 	pl := portLookup{}
-	wgPorxyPort, err := pl.searchFreePort()
+	proxyPort, err := pl.searchFreePort()
 	if err != nil {
 		return err
 	}
 	p.proxyPort = proxyPort
 	// Prepare IPv4 raw socket (required)
 	p.rawConnIPv4, err = rawsocket.PrepareSenderRawSocketIPv4()
 	if err != nil {
 		return err
 	}
-	p.rawConn, err = rawsocket.PrepareSenderRawSocket()
+	// Prepare IPv6 raw socket (optional)
 	p.rawConnIPv6, err = rawsocket.PrepareSenderRawSocketIPv6()
 	if err != nil {
-		return err
+		log.Warnf("failed to prepare IPv6 raw socket, continuing with IPv4 only: %v", err)
 	}
-	err = p.ebpfManager.LoadWgProxy(wgPorxyPort, p.localWGListenPort)
+	err = p.ebpfManager.LoadWgProxy(proxyPort, p.localWGListenPort)
 	if err != nil {
 		if closeErr := p.rawConnIPv4.Close(); closeErr != nil {
 			log.Warnf("failed to close IPv4 raw socket: %v", closeErr)
 		}
 		if p.rawConnIPv6 != nil {
 			if closeErr := p.rawConnIPv6.Close(); closeErr != nil {
 				log.Warnf("failed to close IPv6 raw socket: %v", closeErr)
 			}
 		}
 		return err
 	}
 	addr := net.UDPAddr{
-		Port: wgPorxyPort,
+		Port: proxyPort,
 		IP:   net.ParseIP(loopbackAddr),
 	}
@@ -94,7 +106,7 @@ func (p *WGEBPFProxy) Listen() error {
 	p.conn = conn
 	go p.proxyToRemote()
-	log.Infof("local wg proxy listening on: %d", wgPorxyPort)
+	log.Infof("local wg proxy listening on: %d", proxyPort)
 	return nil
 }
@@ -135,12 +147,25 @@ func (p *WGEBPFProxy) Free() error {
 		result = multierror.Append(result, err)
 	}
-	if err := p.rawConn.Close(); err != nil {
+	if p.rawConnIPv4 != nil {
-		result = multierror.Append(result, err)
+		if err := p.rawConnIPv4.Close(); err != nil {
 			result = multierror.Append(result, err)
 		}
 	}
 	if p.rawConnIPv6 != nil {
 		if err := p.rawConnIPv6.Close(); err != nil {
 			result = multierror.Append(result, err)
 		}
 	}
 	return nberrors.FormatErrorOrNil(result)
 }
 // GetProxyPort returns the proxy listening port.
 func (p *WGEBPFProxy) GetProxyPort() uint16 {
 	return uint16(p.proxyPort)
 }
 // proxyToRemote read messages from local WireGuard interface and forward it to remote conn
 // From this go routine has only one instance.
 func (p *WGEBPFProxy) proxyToRemote() {
@@ -216,34 +241,3 @@ generatePort:
 	}
 	return p.lastUsedPort, nil
 }
 func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
 	payload := gopacket.Payload(data)
 	ipH := &layers.IPv4{
 		DstIP:    localHostNetIP,
 		SrcIP:    endpointAddr.IP,
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolUDP,
 	}
 	udpH := &layers.UDP{
 		SrcPort: layers.UDPPort(endpointAddr.Port),
 		DstPort: layers.UDPPort(p.localWGListenPort),
 	}
 	err := udpH.SetNetworkLayerForChecksum(ipH)
 	if err != nil {
 		return fmt.Errorf("set network layer for checksum: %w", err)
 	}
 	layerBuffer := gopacket.NewSerializeBuffer()
 	err = gopacket.SerializeLayers(layerBuffer, gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}, ipH, udpH, payload)
 	if err != nil {
 		return fmt.Errorf("serialize layers: %w", err)
 	}
 	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localHostNetIP}); err != nil {
 		return fmt.Errorf("write to raw conn: %w", err)
 	}
 	return nil
 }
--- a/client/iface/wgproxy/ebpf/wrapper.go
+++ b/client/iface/wgproxy/ebpf/wrapper.go
@@ -10,12 +10,89 @@ import (
 	"net"
 	"sync"
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 var (
 	errIPv6ConnNotAvailable = errors.New("IPv6 endpoint but rawConnIPv6 is not available")
 	errIPv4ConnNotAvailable = errors.New("IPv4 endpoint but rawConnIPv4 is not available")
 	localHostNetIPv4 = net.ParseIP("127.0.0.1")
 	localHostNetIPv6 = net.ParseIP("::1")
 	serializeOpts = gopacket.SerializeOptions{
 		ComputeChecksums: true,
 		FixLengths:       true,
 	}
 )
 // PacketHeaders holds pre-created headers and buffers for efficient packet sending
 type PacketHeaders struct {
 	ipH           gopacket.SerializableLayer
 	udpH          *layers.UDP
 	layerBuffer   gopacket.SerializeBuffer
 	localHostAddr net.IP
 	isIPv4        bool
 }
 func NewPacketHeaders(localWGListenPort int, endpoint *net.UDPAddr) (*PacketHeaders, error) {
 	var ipH gopacket.SerializableLayer
 	var networkLayer gopacket.NetworkLayer
 	var localHostAddr net.IP
 	var isIPv4 bool
 	// Check if source address is IPv4 or IPv6
 	if endpoint.IP.To4() != nil {
 		// IPv4 path
 		ipv4 := &layers.IPv4{
 			DstIP:    localHostNetIPv4,
 			SrcIP:    endpoint.IP,
 			Version:  4,
 			TTL:      64,
 			Protocol: layers.IPProtocolUDP,
 		}
 		ipH = ipv4
 		networkLayer = ipv4
 		localHostAddr = localHostNetIPv4
 		isIPv4 = true
 	} else {
 		// IPv6 path
 		ipv6 := &layers.IPv6{
 			DstIP:      localHostNetIPv6,
 			SrcIP:      endpoint.IP,
 			Version:    6,
 			HopLimit:   64,
 			NextHeader: layers.IPProtocolUDP,
 		}
 		ipH = ipv6
 		networkLayer = ipv6
 		localHostAddr = localHostNetIPv6
 		isIPv4 = false
 	}
 	udpH := &layers.UDP{
 		SrcPort: layers.UDPPort(endpoint.Port),
 		DstPort: layers.UDPPort(localWGListenPort),
 	}
 	if err := udpH.SetNetworkLayerForChecksum(networkLayer); err != nil {
 		return nil, fmt.Errorf("set network layer for checksum: %w", err)
 	}
 	return &PacketHeaders{
 		ipH:           ipH,
 		udpH:          udpH,
 		layerBuffer:   gopacket.NewSerializeBuffer(),
 		localHostAddr: localHostAddr,
 		isIPv4:        isIPv4,
 	}, nil
 }
 // ProxyWrapper help to keep the remoteConn instance for net.Conn.Close function call
 type ProxyWrapper struct {
 	wgeBPFProxy *WGEBPFProxy
@@ -24,8 +101,10 @@ type ProxyWrapper struct {
 	ctx        context.Context
 	cancel     context.CancelFunc
-	wgRelayedEndpointAddr     *net.UDPAddr
+	wgRelayedEndpointAddr *net.UDPAddr
-	wgEndpointCurrentUsedAddr *net.UDPAddr
+	headers               *PacketHeaders
 	headerCurrentUsed     *PacketHeaders
 	rawConn               net.PacketConn
 	paused     bool
 	pausedCond *sync.Cond
@@ -41,15 +120,32 @@ func NewProxyWrapper(proxy *WGEBPFProxy) *ProxyWrapper {
 		closeListener: listener.NewCloseListener(),
 	}
 }
-func (p *ProxyWrapper) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
+
 func (p *ProxyWrapper) AddTurnConn(ctx context.Context, _ *net.UDPAddr, remoteConn net.Conn) error {
 	addr, err := p.wgeBPFProxy.AddTurnConn(remoteConn)
 	if err != nil {
 		return fmt.Errorf("add turn conn: %w", err)
 	}
 	headers, err := NewPacketHeaders(p.wgeBPFProxy.localWGListenPort, addr)
 	if err != nil {
 		return fmt.Errorf("create packet sender: %w", err)
 	}
 	// Check if required raw connection is available
 	if !headers.isIPv4 && p.wgeBPFProxy.rawConnIPv6 == nil {
 		return errIPv6ConnNotAvailable
 	}
 	if headers.isIPv4 && p.wgeBPFProxy.rawConnIPv4 == nil {
 		return errIPv4ConnNotAvailable
 	}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
 	p.wgRelayedEndpointAddr = addr
-	return err
+	p.headers = headers
 	p.rawConn = p.selectRawConn(headers)
 	return nil
 }
 func (p *ProxyWrapper) EndpointAddr() *net.UDPAddr {
@@ -68,7 +164,8 @@ func (p *ProxyWrapper) Work() {
 	p.pausedCond.L.Lock()
 	p.paused = false
-	p.wgEndpointCurrentUsedAddr = p.wgRelayedEndpointAddr
+	p.headerCurrentUsed = p.headers
 	p.rawConn = p.selectRawConn(p.headerCurrentUsed)
 	if !p.isStarted {
 		p.isStarted = true
@@ -91,10 +188,32 @@ func (p *ProxyWrapper) Pause() {
 }
 func (p *ProxyWrapper) RedirectAs(endpoint *net.UDPAddr) {
 	if endpoint == nil || endpoint.IP == nil {
 		log.Errorf("failed to start package redirection, endpoint is nil")
 		return
 	}
 	header, err := NewPacketHeaders(p.wgeBPFProxy.localWGListenPort, endpoint)
 	if err != nil {
 		log.Errorf("failed to create packet headers: %s", err)
 		return
 	}
 	// Check if required raw connection is available
 	if !header.isIPv4 && p.wgeBPFProxy.rawConnIPv6 == nil {
 		log.Error(errIPv6ConnNotAvailable)
 		return
 	}
 	if header.isIPv4 && p.wgeBPFProxy.rawConnIPv4 == nil {
 		log.Error(errIPv4ConnNotAvailable)
 		return
 	}
 	p.pausedCond.L.Lock()
 	p.paused = false
-	p.wgEndpointCurrentUsedAddr = endpoint
+	p.headerCurrentUsed = header
 	p.rawConn = p.selectRawConn(header)
 	p.pausedCond.Signal()
 	p.pausedCond.L.Unlock()
@@ -136,7 +255,7 @@ func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
 			p.pausedCond.Wait()
 		}
-		err = p.wgeBPFProxy.sendPkg(buf[:n], p.wgEndpointCurrentUsedAddr)
+		err = p.sendPkg(buf[:n], p.headerCurrentUsed)
 		p.pausedCond.L.Unlock()
 		if err != nil {
@@ -162,3 +281,29 @@ func (p *ProxyWrapper) readFromRemote(ctx context.Context, buf []byte) (int, err
 	}
 	return n, nil
 }
 func (p *ProxyWrapper) sendPkg(data []byte, header *PacketHeaders) error {
 	defer func() {
 		if err := header.layerBuffer.Clear(); err != nil {
 			log.Errorf("failed to clear layer buffer: %s", err)
 		}
 	}()
 	payload := gopacket.Payload(data)
 	if err := gopacket.SerializeLayers(header.layerBuffer, serializeOpts, header.ipH, header.udpH, payload); err != nil {
 		return fmt.Errorf("serialize layers: %w", err)
 	}
 	if _, err := p.rawConn.WriteTo(header.layerBuffer.Bytes(), &net.IPAddr{IP: header.localHostAddr}); err != nil {
 		return fmt.Errorf("write to raw conn: %w", err)
 	}
 	return nil
 }
 func (p *ProxyWrapper) selectRawConn(header *PacketHeaders) net.PacketConn {
 	if header.isIPv4 {
 		return p.wgeBPFProxy.rawConnIPv4
 	}
 	return p.wgeBPFProxy.rawConnIPv6
 }
--- a/client/iface/wgproxy/factory_kernel.go
+++ b/client/iface/wgproxy/factory_kernel.go
@@ -54,6 +54,14 @@ func (w *KernelFactory) GetProxy() Proxy {
 	return ebpf.NewProxyWrapper(w.ebpfProxy)
 }
 // GetProxyPort returns the eBPF proxy port, or 0 if eBPF is not active.
 func (w *KernelFactory) GetProxyPort() uint16 {
 	if w.ebpfProxy == nil {
 		return 0
 	}
 	return w.ebpfProxy.GetProxyPort()
 }
 func (w *KernelFactory) Free() error {
 	if w.ebpfProxy == nil {
 		return nil
--- a/client/iface/wgproxy/factory_usp.go
+++ b/client/iface/wgproxy/factory_usp.go
@@ -24,6 +24,11 @@ func (w *USPFactory) GetProxy() Proxy {
 	return proxyBind.NewProxyBind(w.bind, w.mtu)
 }
 // GetProxyPort returns 0 as userspace WireGuard doesn't use a separate proxy port.
 func (w *USPFactory) GetProxyPort() uint16 {
 	return 0
 }
 func (w *USPFactory) Free() error {
 	return nil
 }
--- a/client/iface/wgproxy/rawsocket/rawsocket.go
+++ b/client/iface/wgproxy/rawsocket/rawsocket.go
@@ -8,43 +8,87 @@ import (
 	"os"
 	"syscall"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
-func PrepareSenderRawSocket() (net.PacketConn, error) {
+// PrepareSenderRawSocketIPv4 creates and configures a raw socket for sending IPv4 packets
 func PrepareSenderRawSocketIPv4() (net.PacketConn, error) {
 	return prepareSenderRawSocket(syscall.AF_INET, true)
 }
 // PrepareSenderRawSocketIPv6 creates and configures a raw socket for sending IPv6 packets
 func PrepareSenderRawSocketIPv6() (net.PacketConn, error) {
 	return prepareSenderRawSocket(syscall.AF_INET6, false)
 }
 func prepareSenderRawSocket(family int, isIPv4 bool) (net.PacketConn, error) {
 	// Create a raw socket.
-	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
+	fd, err := syscall.Socket(family, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
 	if err != nil {
 		return nil, fmt.Errorf("creating raw socket failed: %w", err)
 	}
-	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
+	// Set the header include option on the socket to tell the kernel that headers are included in the packet.
-	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
+	// For IPv4, we need to set IP_HDRINCL. For IPv6, we need to set IPV6_HDRINCL to accept application-provided IPv6 headers.
-	if err != nil {
+	if isIPv4 {
-		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
+		err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, unix.IP_HDRINCL, 1)
 		if err != nil {
 			if closeErr := syscall.Close(fd); closeErr != nil {
 				log.Warnf("failed to close raw socket fd: %v", closeErr)
 			}
 			return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
 		}
 	} else {
 		err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IPV6, unix.IPV6_HDRINCL, 1)
 		if err != nil {
 			if closeErr := syscall.Close(fd); closeErr != nil {
 				log.Warnf("failed to close raw socket fd: %v", closeErr)
 			}
 			return nil, fmt.Errorf("setting IPV6_HDRINCL failed: %w", err)
 		}
 	}
 	// Bind the socket to the "lo" interface.
 	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
 	if err != nil {
 		if closeErr := syscall.Close(fd); closeErr != nil {
 			log.Warnf("failed to close raw socket fd: %v", closeErr)
 		}
 		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
 	}
 	// Set the fwmark on the socket.
 	err = nbnet.SetSocketOpt(fd)
 	if err != nil {
 		if closeErr := syscall.Close(fd); closeErr != nil {
 			log.Warnf("failed to close raw socket fd: %v", closeErr)
 		}
 		return nil, fmt.Errorf("setting fwmark failed: %w", err)
 	}
 	// Convert the file descriptor to a PacketConn.
 	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
 	if file == nil {
 		if closeErr := syscall.Close(fd); closeErr != nil {
 			log.Warnf("failed to close raw socket fd: %v", closeErr)
 		}
 		return nil, fmt.Errorf("converting fd to file failed")
 	}
 	packetConn, err := net.FilePacketConn(file)
 	if err != nil {
 		if closeErr := file.Close(); closeErr != nil {
 			log.Warnf("failed to close file: %v", closeErr)
 		}
 		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
 	}
 	// Close the original file to release the FD (net.FilePacketConn duplicates it)
 	if closeErr := file.Close(); closeErr != nil {
 		log.Warnf("failed to close file after creating packet conn: %v", closeErr)
 	}
 	return packetConn, nil
 }
--- a/client/iface/wgproxy/redirect_test.go
+++ b/client/iface/wgproxy/redirect_test.go
@@ -0,0 +1,353 @@
 //go:build linux && !android
 package wgproxy
 import (
 	"context"
 	"net"
 	"testing"
 	"time"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/ebpf"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/udp"
 )
 // compareUDPAddr compares two UDP addresses, ignoring IPv6 zone IDs
 // IPv6 link-local addresses include zone IDs (e.g., fe80::1%lo) which we should ignore
 func compareUDPAddr(addr1, addr2 net.Addr) bool {
 	udpAddr1, ok1 := addr1.(*net.UDPAddr)
 	udpAddr2, ok2 := addr2.(*net.UDPAddr)
 	if !ok1 || !ok2 {
 		return addr1.String() == addr2.String()
 	}
 	// Compare IP and Port, ignoring zone
 	return udpAddr1.IP.Equal(udpAddr2.IP) && udpAddr1.Port == udpAddr2.Port
 }
 // TestRedirectAs_eBPF_IPv4 tests RedirectAs with eBPF proxy using IPv4 addresses
 func TestRedirectAs_eBPF_IPv4(t *testing.T) {
 	wgPort := 51850
 	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
 		t.Fatalf("failed to initialize ebpf proxy: %v", err)
 	}
 	defer func() {
 		if err := ebpfProxy.Free(); err != nil {
 			t.Errorf("failed to free ebpf proxy: %v", err)
 		}
 	}()
 	proxy := ebpf.NewProxyWrapper(ebpfProxy)
 	// NetBird UDP address of the remote peer
 	nbAddr := &net.UDPAddr{
 		IP:   net.ParseIP("100.108.111.177"),
 		Port: 38746,
 	}
 	p2pEndpoint := &net.UDPAddr{
 		IP:   net.ParseIP("192.168.0.56"),
 		Port: 51820,
 	}
 	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
 }
 // TestRedirectAs_eBPF_IPv6 tests RedirectAs with eBPF proxy using IPv6 addresses
 func TestRedirectAs_eBPF_IPv6(t *testing.T) {
 	wgPort := 51851
 	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
 		t.Fatalf("failed to initialize ebpf proxy: %v", err)
 	}
 	defer func() {
 		if err := ebpfProxy.Free(); err != nil {
 			t.Errorf("failed to free ebpf proxy: %v", err)
 		}
 	}()
 	proxy := ebpf.NewProxyWrapper(ebpfProxy)
 	// NetBird UDP address of the remote peer
 	nbAddr := &net.UDPAddr{
 		IP:   net.ParseIP("100.108.111.177"),
 		Port: 38746,
 	}
 	p2pEndpoint := &net.UDPAddr{
 		IP:   net.ParseIP("fe80::56"),
 		Port: 51820,
 	}
 	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
 }
 // TestRedirectAs_UDP_IPv4 tests RedirectAs with UDP proxy using IPv4 addresses
 func TestRedirectAs_UDP_IPv4(t *testing.T) {
 	wgPort := 51852
 	proxy := udp.NewWGUDPProxy(wgPort, 1280)
 	// NetBird UDP address of the remote peer
 	nbAddr := &net.UDPAddr{
 		IP:   net.ParseIP("100.108.111.177"),
 		Port: 38746,
 	}
 	p2pEndpoint := &net.UDPAddr{
 		IP:   net.ParseIP("192.168.0.56"),
 		Port: 51820,
 	}
 	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
 }
 // TestRedirectAs_UDP_IPv6 tests RedirectAs with UDP proxy using IPv6 addresses
 func TestRedirectAs_UDP_IPv6(t *testing.T) {
 	wgPort := 51853
 	proxy := udp.NewWGUDPProxy(wgPort, 1280)
 	// NetBird UDP address of the remote peer
 	nbAddr := &net.UDPAddr{
 		IP:   net.ParseIP("100.108.111.177"),
 		Port: 38746,
 	}
 	p2pEndpoint := &net.UDPAddr{
 		IP:   net.ParseIP("fe80::56"),
 		Port: 51820,
 	}
 	testRedirectAs(t, proxy, wgPort, nbAddr, p2pEndpoint)
 }
 // testRedirectAs is a helper function that tests the RedirectAs functionality
 // It verifies that:
 // 1. Initial traffic from relay connection works
 // 2. After calling RedirectAs, packets appear to come from the p2p endpoint
 // 3. Multiple packets are correctly redirected with the new source address
 func testRedirectAs(t *testing.T, proxy Proxy, wgPort int, nbAddr, p2pEndpoint *net.UDPAddr) {
 	t.Helper()
 	ctx := context.Background()
 	// Create WireGuard listeners on both IPv4 and IPv6 to support both P2P connection types
 	// In reality, WireGuard binds to a port and receives from both IPv4 and IPv6
 	wgListener4, err := net.ListenUDP("udp4", &net.UDPAddr{
 		IP:   net.ParseIP("127.0.0.1"),
 		Port: wgPort,
 	})
 	if err != nil {
 		t.Fatalf("failed to create IPv4 WireGuard listener: %v", err)
 	}
 	defer wgListener4.Close()
 	wgListener6, err := net.ListenUDP("udp6", &net.UDPAddr{
 		IP:   net.ParseIP("::1"),
 		Port: wgPort,
 	})
 	if err != nil {
 		t.Fatalf("failed to create IPv6 WireGuard listener: %v", err)
 	}
 	defer wgListener6.Close()
 	// Determine which listener to use based on the NetBird address IP version
 	// (this is where initial traffic will come from before RedirectAs is called)
 	var wgListener *net.UDPConn
 	if p2pEndpoint.IP.To4() == nil {
 		wgListener = wgListener6
 	} else {
 		wgListener = wgListener4
 	}
 	// Create relay server and connection
 	relayServer, err := net.ListenUDP("udp", &net.UDPAddr{
 		IP:   net.ParseIP("127.0.0.1"),
 		Port: 0, // Random port
 	})
 	if err != nil {
 		t.Fatalf("failed to create relay server: %v", err)
 	}
 	defer relayServer.Close()
 	relayConn, err := net.Dial("udp", relayServer.LocalAddr().String())
 	if err != nil {
 		t.Fatalf("failed to create relay connection: %v", err)
 	}
 	defer relayConn.Close()
 	// Add TURN connection to proxy
 	if err := proxy.AddTurnConn(ctx, nbAddr, relayConn); err != nil {
 		t.Fatalf("failed to add TURN connection: %v", err)
 	}
 	defer func() {
 		if err := proxy.CloseConn(); err != nil {
 			t.Errorf("failed to close proxy connection: %v", err)
 		}
 	}()
 	// Start the proxy
 	proxy.Work()
 	// Phase 1: Test initial relay traffic
 	msgFromRelay := []byte("hello from relay")
 	if _, err := relayServer.WriteTo(msgFromRelay, relayConn.LocalAddr()); err != nil {
 		t.Fatalf("failed to write to relay server: %v", err)
 	}
 	// Set read deadline to avoid hanging
 	if err := wgListener4.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
 		t.Fatalf("failed to set read deadline: %v", err)
 	}
 	buf := make([]byte, 1024)
 	n, _, err := wgListener4.ReadFrom(buf)
 	if err != nil {
 		t.Fatalf("failed to read from WireGuard listener: %v", err)
 	}
 	if n != len(msgFromRelay) {
 		t.Errorf("expected %d bytes, got %d", len(msgFromRelay), n)
 	}
 	if string(buf[:n]) != string(msgFromRelay) {
 		t.Errorf("expected message %q, got %q", msgFromRelay, buf[:n])
 	}
 	// Phase 2: Redirect to p2p endpoint
 	proxy.RedirectAs(p2pEndpoint)
 	// Give the proxy a moment to process the redirect
 	time.Sleep(100 * time.Millisecond)
 	// Phase 3: Test redirected traffic
 	redirectedMessages := [][]byte{
 		[]byte("redirected message 1"),
 		[]byte("redirected message 2"),
 		[]byte("redirected message 3"),
 	}
 	for i, msg := range redirectedMessages {
 		if _, err := relayServer.WriteTo(msg, relayConn.LocalAddr()); err != nil {
 			t.Fatalf("failed to write redirected message %d: %v", i+1, err)
 		}
 		if err := wgListener.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
 			t.Fatalf("failed to set read deadline: %v", err)
 		}
 		n, srcAddr, err := wgListener.ReadFrom(buf)
 		if err != nil {
 			t.Fatalf("failed to read redirected message %d: %v", i+1, err)
 		}
 		// Verify message content
 		if string(buf[:n]) != string(msg) {
 			t.Errorf("message %d: expected %q, got %q", i+1, msg, buf[:n])
 		}
 		// Verify source address matches p2p endpoint (this is the key test)
 		// Use compareUDPAddr to ignore IPv6 zone IDs
 		if !compareUDPAddr(srcAddr, p2pEndpoint) {
 			t.Errorf("message %d: expected source address %s, got %s",
 				i+1, p2pEndpoint.String(), srcAddr.String())
 		}
 	}
 }
 // TestRedirectAs_Multiple_Switches tests switching between multiple endpoints
 func TestRedirectAs_Multiple_Switches(t *testing.T) {
 	wgPort := 51856
 	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, 1280)
 	if err := ebpfProxy.Listen(); err != nil {
 		t.Fatalf("failed to initialize ebpf proxy: %v", err)
 	}
 	defer func() {
 		if err := ebpfProxy.Free(); err != nil {
 			t.Errorf("failed to free ebpf proxy: %v", err)
 		}
 	}()
 	proxy := ebpf.NewProxyWrapper(ebpfProxy)
 	ctx := context.Background()
 	// Create WireGuard listener
 	wgListener, err := net.ListenUDP("udp4", &net.UDPAddr{
 		IP:   net.ParseIP("127.0.0.1"),
 		Port: wgPort,
 	})
 	if err != nil {
 		t.Fatalf("failed to create WireGuard listener: %v", err)
 	}
 	defer wgListener.Close()
 	// Create relay server and connection
 	relayServer, err := net.ListenUDP("udp", &net.UDPAddr{
 		IP:   net.ParseIP("127.0.0.1"),
 		Port: 0,
 	})
 	if err != nil {
 		t.Fatalf("failed to create relay server: %v", err)
 	}
 	defer relayServer.Close()
 	relayConn, err := net.Dial("udp", relayServer.LocalAddr().String())
 	if err != nil {
 		t.Fatalf("failed to create relay connection: %v", err)
 	}
 	defer relayConn.Close()
 	nbAddr := &net.UDPAddr{
 		IP:   net.ParseIP("100.108.111.177"),
 		Port: 38746,
 	}
 	if err := proxy.AddTurnConn(ctx, nbAddr, relayConn); err != nil {
 		t.Fatalf("failed to add TURN connection: %v", err)
 	}
 	defer func() {
 		if err := proxy.CloseConn(); err != nil {
 			t.Errorf("failed to close proxy connection: %v", err)
 		}
 	}()
 	proxy.Work()
 	// Test switching between multiple endpoints - using addresses in local subnet
 	endpoints := []*net.UDPAddr{
 		{IP: net.ParseIP("192.168.0.100"), Port: 51820},
 		{IP: net.ParseIP("192.168.0.101"), Port: 51821},
 		{IP: net.ParseIP("192.168.0.102"), Port: 51822},
 	}
 	for i, endpoint := range endpoints {
 		proxy.RedirectAs(endpoint)
 		time.Sleep(100 * time.Millisecond)
 		msg := []byte("test message")
 		if _, err := relayServer.WriteTo(msg, relayConn.LocalAddr()); err != nil {
 			t.Fatalf("failed to write message for endpoint %d: %v", i, err)
 		}
 		buf := make([]byte, 1024)
 		if err := wgListener.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
 			t.Fatalf("failed to set read deadline: %v", err)
 		}
 		n, srcAddr, err := wgListener.ReadFrom(buf)
 		if err != nil {
 			t.Fatalf("failed to read message for endpoint %d: %v", i, err)
 		}
 		if string(buf[:n]) != string(msg) {
 			t.Errorf("endpoint %d: expected message %q, got %q", i, msg, buf[:n])
 		}
 		if !compareUDPAddr(srcAddr, endpoint) {
 			t.Errorf("endpoint %d: expected source %s, got %s",
 				i, endpoint.String(), srcAddr.String())
 		}
 	}
 }
--- a/client/iface/wgproxy/udp/proxy.go
+++ b/client/iface/wgproxy/udp/proxy.go
@@ -56,7 +56,7 @@ func NewWGUDPProxy(wgPort int, mtu uint16) *WGUDPProxy {
 // the connection is complete, an error is returned. Once successfully
 // connected, any expiration of the context will not affect the
 // connection.
-func (p *WGUDPProxy) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
+func (p *WGUDPProxy) AddTurnConn(ctx context.Context, _ *net.UDPAddr, remoteConn net.Conn) error {
 	dialer := net.Dialer{}
 	localConn, err := dialer.DialContext(ctx, "udp", fmt.Sprintf(":%d", p.localWGListenPort))
 	if err != nil {
--- a/client/iface/wgproxy/udp/rawsocket.go
+++ b/client/iface/wgproxy/udp/rawsocket.go
@@ -19,37 +19,56 @@ var (
 		FixLengths:       true,
 	}
-	localHostNetIPAddr = &net.IPAddr{
+	localHostNetIPAddrV4 = &net.IPAddr{
 		IP: net.ParseIP("127.0.0.1"),
 	}
 	localHostNetIPAddrV6 = &net.IPAddr{
 		IP: net.ParseIP("::1"),
 	}
 )
 type SrcFaker struct {
 	srcAddr *net.UDPAddr
-	rawSocket   net.PacketConn
+	rawSocket     net.PacketConn
-	ipH         gopacket.SerializableLayer
+	ipH           gopacket.SerializableLayer
-	udpH        gopacket.SerializableLayer
+	udpH          gopacket.SerializableLayer
-	layerBuffer gopacket.SerializeBuffer
+	layerBuffer   gopacket.SerializeBuffer
 	localHostAddr *net.IPAddr
 }
 func NewSrcFaker(dstPort int, srcAddr *net.UDPAddr) (*SrcFaker, error) {
-	rawSocket, err := rawsocket.PrepareSenderRawSocket()
+	// Create only the raw socket for the address family we need
 	var rawSocket net.PacketConn
 	var err error
 	var localHostAddr *net.IPAddr
 	if srcAddr.IP.To4() != nil {
 		rawSocket, err = rawsocket.PrepareSenderRawSocketIPv4()
 		localHostAddr = localHostNetIPAddrV4
 	} else {
 		rawSocket, err = rawsocket.PrepareSenderRawSocketIPv6()
 		localHostAddr = localHostNetIPAddrV6
 	}
 	if err != nil {
 		return nil, err
 	}
 	ipH, udpH, err := prepareHeaders(dstPort, srcAddr)
 	if err != nil {
 		if closeErr := rawSocket.Close(); closeErr != nil {
 			log.Warnf("failed to close raw socket: %v", closeErr)
 		}
 		return nil, err
 	}
 	f := &SrcFaker{
-		srcAddr:     srcAddr,
+		srcAddr:       srcAddr,
-		rawSocket:   rawSocket,
+		rawSocket:     rawSocket,
-		ipH:         ipH,
+		ipH:           ipH,
-		udpH:        udpH,
+		udpH:          udpH,
-		layerBuffer: gopacket.NewSerializeBuffer(),
+		layerBuffer:   gopacket.NewSerializeBuffer(),
 		localHostAddr: localHostAddr,
 	}
 	return f, nil
@@ -72,7 +91,7 @@ func (f *SrcFaker) SendPkg(data []byte) (int, error) {
 	if err != nil {
 		return 0, fmt.Errorf("serialize layers: %w", err)
 	}
-	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), localHostNetIPAddr)
+	n, err := f.rawSocket.WriteTo(f.layerBuffer.Bytes(), f.localHostAddr)
 	if err != nil {
 		return 0, fmt.Errorf("write to raw conn: %w", err)
 	}
@@ -80,19 +99,40 @@ func (f *SrcFaker) SendPkg(data []byte) (int, error) {
 }
 func prepareHeaders(dstPort int, srcAddr *net.UDPAddr) (gopacket.SerializableLayer, gopacket.SerializableLayer, error) {
-	ipH := &layers.IPv4{
+	var ipH gopacket.SerializableLayer
-		DstIP:    net.ParseIP("127.0.0.1"),
+	var networkLayer gopacket.NetworkLayer
-		SrcIP:    srcAddr.IP,
+
-		Version:  4,
+	// Check if source IP is IPv4 or IPv6
-		TTL:      64,
+	if srcAddr.IP.To4() != nil {
-		Protocol: layers.IPProtocolUDP,
+		// IPv4
 		ipv4 := &layers.IPv4{
 			DstIP:    localHostNetIPAddrV4.IP,
 			SrcIP:    srcAddr.IP,
 			Version:  4,
 			TTL:      64,
 			Protocol: layers.IPProtocolUDP,
 		}
 		ipH = ipv4
 		networkLayer = ipv4
 	} else {
 		// IPv6
 		ipv6 := &layers.IPv6{
 			DstIP:      localHostNetIPAddrV6.IP,
 			SrcIP:      srcAddr.IP,
 			Version:    6,
 			HopLimit:   64,
 			NextHeader: layers.IPProtocolUDP,
 		}
 		ipH = ipv6
 		networkLayer = ipv6
 	}
 	udpH := &layers.UDP{
 		SrcPort: layers.UDPPort(srcAddr.Port),
 		DstPort: layers.UDPPort(dstPort), // dst is the localhost WireGuard port
 	}
-	err := udpH.SetNetworkLayerForChecksum(ipH)
+	err := udpH.SetNetworkLayerForChecksum(networkLayer)
 	if err != nil {
 		return nil, nil, fmt.Errorf("set network layer for checksum: %w", err)
 	}
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -19,6 +19,9 @@ import (
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
 func TestDefaultManager(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
 	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
@@ -135,6 +138,7 @@ func TestDefaultManager(t *testing.T) {
 func TestDefaultManagerStateless(t *testing.T) {
 	// stateless currently only in userspace, so we have to disable kernel
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
 	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	t.Setenv("NB_DISABLE_CONNTRACK", "true")
 	networkMap := &mgmProto.NetworkMap{
@@ -189,6 +193,215 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }
 // TestDenyRulesNotAccumulatedOnRepeatedApply verifies that applying the same
 // deny rules repeatedly does not accumulate duplicate rules in the uspfilter.
 // This tests the full ACL manager -> uspfilter integration.
 func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
 	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
 				PeerIP:    "10.93.0.1",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_DROP,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "22",
 			},
 			{
 				PeerIP:    "10.93.0.2",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_DROP,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "80",
 			},
 			{
 				PeerIP:    "10.93.0.3",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_ACCEPT,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "443",
 			},
 		},
 		FirewallRulesIsEmpty: false,
 	}
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
 	network := netip.MustParsePrefix("172.0.0.1/32")
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
 		IP:      network.Addr(),
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, fw.Close(nil))
 	}()
 	acl := NewDefaultManager(fw)
 	// Apply the same rules 5 times (simulating repeated network map updates)
 	for i := 0; i < 5; i++ {
 		acl.ApplyFiltering(networkMap, false)
 	}
 	// The ACL manager should track exactly 3 rule pairs (2 deny + 1 accept inbound)
 	assert.Equal(t, 3, len(acl.peerRulesPairs),
 		"Should have exactly 3 rule pairs after 5 identical updates")
 }
 // TestDenyRulesCleanedUpOnRemoval verifies that deny rules are properly cleaned
 // up when they're removed from the network map in a subsequent update.
 func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
 	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
 	network := netip.MustParsePrefix("172.0.0.1/32")
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
 		IP:      network.Addr(),
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, fw.Close(nil))
 	}()
 	acl := NewDefaultManager(fw)
 	// First update: add deny and accept rules
 	networkMap1 := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
 				PeerIP:    "10.93.0.1",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_DROP,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "22",
 			},
 			{
 				PeerIP:    "10.93.0.2",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_ACCEPT,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "443",
 			},
 		},
 		FirewallRulesIsEmpty: false,
 	}
 	acl.ApplyFiltering(networkMap1, false)
 	assert.Equal(t, 2, len(acl.peerRulesPairs), "Should have 2 rules after first update")
 	// Second update: remove the deny rule, keep only accept
 	networkMap2 := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
 				PeerIP:    "10.93.0.2",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_ACCEPT,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "443",
 			},
 		},
 		FirewallRulesIsEmpty: false,
 	}
 	acl.ApplyFiltering(networkMap2, false)
 	assert.Equal(t, 1, len(acl.peerRulesPairs),
 		"Should have 1 rule after removing deny rule")
 	// Third update: remove all rules
 	networkMap3 := &mgmProto.NetworkMap{
 		FirewallRules:        []*mgmProto.FirewallRule{},
 		FirewallRulesIsEmpty: true,
 	}
 	acl.ApplyFiltering(networkMap3, false)
 	assert.Equal(t, 0, len(acl.peerRulesPairs),
 		"Should have 0 rules after removing all rules")
 }
 // TestRuleUpdateChangingAction verifies that when a rule's action changes from
 // accept to deny (or vice versa), the old rule is properly removed and the new
 // one added without leaking.
 func TestRuleUpdateChangingAction(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
 	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
 	network := netip.MustParsePrefix("172.0.0.1/32")
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
 		IP:      network.Addr(),
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, fw.Close(nil))
 	}()
 	acl := NewDefaultManager(fw)
 	// First update: accept rule
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
 				PeerIP:    "10.93.0.1",
 				Direction: mgmProto.RuleDirection_IN,
 				Action:    mgmProto.RuleAction_ACCEPT,
 				Protocol:  mgmProto.RuleProtocol_TCP,
 				Port:      "22",
 			},
 		},
 		FirewallRulesIsEmpty: false,
 	}
 	acl.ApplyFiltering(networkMap, false)
 	assert.Equal(t, 1, len(acl.peerRulesPairs))
 	// Second update: change to deny (same IP/port/proto, different action)
 	networkMap.FirewallRules = []*mgmProto.FirewallRule{
 		{
 			PeerIP:    "10.93.0.1",
 			Direction: mgmProto.RuleDirection_IN,
 			Action:    mgmProto.RuleAction_DROP,
 			Protocol:  mgmProto.RuleProtocol_TCP,
 			Port:      "22",
 		},
 	}
 	acl.ApplyFiltering(networkMap, false)
 	// Should still have exactly 1 rule (the old accept removed, new deny added)
 	assert.Equal(t, 1, len(acl.peerRulesPairs),
 		"Changing action should result in exactly 1 rule, not 2")
 }
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string
--- a/client/internal/auth/auth.go
+++ b/client/internal/auth/auth.go
@@ -0,0 +1,475 @@
 package auth
 import (
 	"context"
 	"net/url"
 	"sync"
 	"time"
 	"github.com/cenkalti/backoff/v4"
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	"github.com/netbirdio/netbird/shared/management/client/common"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
 // Auth manages authentication operations with the management server
 // It maintains a long-lived connection and automatically handles reconnection with backoff
 type Auth struct {
 	mutex         sync.RWMutex
 	client        *mgm.GrpcClient
 	config        *profilemanager.Config
 	privateKey    wgtypes.Key
 	mgmURL        *url.URL
 	mgmTLSEnabled bool
 }
 // NewAuth creates a new Auth instance that manages authentication flows
 // It establishes a connection to the management server that will be reused for all operations
 // The connection is automatically recreated with backoff if it becomes disconnected
 func NewAuth(ctx context.Context, privateKey string, mgmURL *url.URL, config *profilemanager.Config) (*Auth, error) {
 	// Validate WireGuard private key
 	myPrivateKey, err := wgtypes.ParseKey(privateKey)
 	if err != nil {
 		return nil, err
 	}
 	// Determine TLS setting based on URL scheme
 	mgmTLSEnabled := mgmURL.Scheme == "https"
 	log.Debugf("connecting to Management Service %s", mgmURL.String())
 	mgmClient, err := mgm.NewClient(ctx, mgmURL.Host, myPrivateKey, mgmTLSEnabled)
 	if err != nil {
 		log.Errorf("failed connecting to Management Service %s: %v", mgmURL.String(), err)
 		return nil, err
 	}
 	log.Debugf("connected to the Management service %s", mgmURL.String())
 	return &Auth{
 		client:        mgmClient,
 		config:        config,
 		privateKey:    myPrivateKey,
 		mgmURL:        mgmURL,
 		mgmTLSEnabled: mgmTLSEnabled,
 	}, nil
 }
 // Close closes the management client connection
 func (a *Auth) Close() error {
 	a.mutex.Lock()
 	defer a.mutex.Unlock()
 	if a.client == nil {
 		return nil
 	}
 	return a.client.Close()
 }
 // IsSSOSupported checks if the management server supports SSO by attempting to retrieve auth flow configurations.
 // Returns true if either PKCE or Device authorization flow is supported, false otherwise.
 // This function encapsulates the SSO detection logic to avoid exposing gRPC error codes to upper layers.
 // Automatically retries with backoff and reconnection on connection errors.
 func (a *Auth) IsSSOSupported(ctx context.Context) (bool, error) {
 	var supportsSSO bool
 	err := a.withRetry(ctx, func(client *mgm.GrpcClient) error {
 		// Try PKCE flow first
 		_, err := a.getPKCEFlow(client)
 		if err == nil {
 			supportsSSO = true
 			return nil
 		}
 		// Check if PKCE is not supported
 		if s, ok := status.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
 			// PKCE not supported, try Device flow
 			_, err = a.getDeviceFlow(client)
 			if err == nil {
 				supportsSSO = true
 				return nil
 			}
 			// Check if Device flow is also not supported
 			if s, ok := status.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
 				// Neither PKCE nor Device flow is supported
 				supportsSSO = false
 				return nil
 			}
 			// Device flow check returned an error other than NotFound/Unimplemented
 			return err
 		}
 		// PKCE flow check returned an error other than NotFound/Unimplemented
 		return err
 	})
 	return supportsSSO, err
 }
 // GetOAuthFlow returns an OAuth flow (PKCE or Device) using the existing management connection
 // This avoids creating a new connection to the management server
 func (a *Auth) GetOAuthFlow(ctx context.Context, forceDeviceAuth bool) (OAuthFlow, error) {
 	var flow OAuthFlow
 	var err error
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
 		if forceDeviceAuth {
 			flow, err = a.getDeviceFlow(client)
 			return err
 		}
 		// Try PKCE flow first
 		flow, err = a.getPKCEFlow(client)
 		if err != nil {
 			// If PKCE not supported, try Device flow
 			if s, ok := status.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
 				flow, err = a.getDeviceFlow(client)
 				return err
 			}
 			return err
 		}
 		return nil
 	})
 	return flow, err
 }
 // IsLoginRequired checks if login is required by attempting to authenticate with the server
 // Automatically retries with backoff and reconnection on connection errors.
 func (a *Auth) IsLoginRequired(ctx context.Context) (bool, error) {
 	pubSSHKey, err := ssh.GeneratePublicKey([]byte(a.config.SSHKey))
 	if err != nil {
 		return false, err
 	}
 	var needsLogin bool
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
 		err := a.doMgmLogin(client, ctx, pubSSHKey)
 		if isLoginNeeded(err) {
 			needsLogin = true
 			return nil
 		}
 		needsLogin = false
 		return err
 	})
 	return needsLogin, err
 }
 // Login attempts to log in or register the client with the management server
 // Returns error and a boolean indicating if it's an authentication error (permission denied) that should stop retries.
 // Automatically retries with backoff and reconnection on connection errors.
 func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (error, bool) {
 	pubSSHKey, err := ssh.GeneratePublicKey([]byte(a.config.SSHKey))
 	if err != nil {
 		return err, false
 	}
 	var isAuthError bool
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
 		err := a.doMgmLogin(client, ctx, pubSSHKey)
 		if isRegistrationNeeded(err) {
 			log.Debugf("peer registration required")
 			_, err = a.registerPeer(client, ctx, setupKey, jwtToken, pubSSHKey)
 			if err != nil {
 				isAuthError = isPermissionDenied(err)
 				return err
 			}
 		} else if err != nil {
 			isAuthError = isPermissionDenied(err)
 			return err
 		}
 		isAuthError = false
 		return nil
 	})
 	return err, isAuthError
 }
 // getPKCEFlow retrieves PKCE authorization flow configuration and creates a flow instance
 func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, error) {
 	protoFlow, err := client.GetPKCEAuthorizationFlow()
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find pkce flow, contact admin: %v", err)
 			return nil, err
 		}
 		log.Errorf("failed to retrieve pkce flow: %v", err)
 		return nil, err
 	}
 	protoConfig := protoFlow.GetProviderConfig()
 	config := &PKCEAuthProviderConfig{
 		Audience:              protoConfig.GetAudience(),
 		ClientID:              protoConfig.GetClientID(),
 		ClientSecret:          protoConfig.GetClientSecret(), //nolint:staticcheck
 		TokenEndpoint:         protoConfig.GetTokenEndpoint(),
 		AuthorizationEndpoint: protoConfig.GetAuthorizationEndpoint(),
 		Scope:                 protoConfig.GetScope(),
 		RedirectURLs:          protoConfig.GetRedirectURLs(),
 		UseIDToken:            protoConfig.GetUseIDToken(),
 		ClientCertPair:        a.config.ClientCertKeyPair,
 		DisablePromptLogin:    protoConfig.GetDisablePromptLogin(),
 		LoginFlag:             common.LoginFlag(protoConfig.GetLoginFlag()),
 	}
 	if err := validatePKCEConfig(config); err != nil {
 		return nil, err
 	}
 	flow, err := NewPKCEAuthorizationFlow(*config)
 	if err != nil {
 		return nil, err
 	}
 	return flow, nil
 }
 // getDeviceFlow retrieves device authorization flow configuration and creates a flow instance
 func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow, error) {
 	protoFlow, err := client.GetDeviceAuthorizationFlow()
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find device flow, contact admin: %v", err)
 			return nil, err
 		}
 		log.Errorf("failed to retrieve device flow: %v", err)
 		return nil, err
 	}
 	protoConfig := protoFlow.GetProviderConfig()
 	config := &DeviceAuthProviderConfig{
 		Audience:           protoConfig.GetAudience(),
 		ClientID:           protoConfig.GetClientID(),
 		ClientSecret:       protoConfig.GetClientSecret(), //nolint:staticcheck
 		Domain:             protoConfig.Domain,
 		TokenEndpoint:      protoConfig.GetTokenEndpoint(),
 		DeviceAuthEndpoint: protoConfig.GetDeviceAuthEndpoint(),
 		Scope:              protoConfig.GetScope(),
 		UseIDToken:         protoConfig.GetUseIDToken(),
 	}
 	// Keep compatibility with older management versions
 	if config.Scope == "" {
 		config.Scope = "openid"
 	}
 	if err := validateDeviceAuthConfig(config); err != nil {
 		return nil, err
 	}
 	flow, err := NewDeviceAuthorizationFlow(*config)
 	if err != nil {
 		return nil, err
 	}
 	return flow, nil
 }
 // doMgmLogin performs the actual login operation with the management service
 func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) error {
 	sysInfo := system.GetInfo(ctx)
 	a.setSystemInfoFlags(sysInfo)
 	_, err := client.Login(sysInfo, pubSSHKey, a.config.DNSLabels)
 	return err
 }
 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
 // Otherwise tries to register with the provided setupKey via command line.
 func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKey string, jwtToken string, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
 	validSetupKey, err := uuid.Parse(setupKey)
 	if err != nil && jwtToken == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
 	}
 	log.Debugf("sending peer registration request to Management Service")
 	info := system.GetInfo(ctx)
 	a.setSystemInfoFlags(info)
 	loginResp, err := client.Register(validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
 	if err != nil {
 		log.Errorf("failed registering peer %v", err)
 		return nil, err
 	}
 	log.Infof("peer has been successfully registered on Management Service")
 	return loginResp, nil
 }
 // setSystemInfoFlags sets all configuration flags on the provided system info
 func (a *Auth) setSystemInfoFlags(info *system.Info) {
 	info.SetFlags(
 		a.config.RosenpassEnabled,
 		a.config.RosenpassPermissive,
 		a.config.ServerSSHAllowed,
 		a.config.DisableClientRoutes,
 		a.config.DisableServerRoutes,
 		a.config.DisableDNS,
 		a.config.DisableFirewall,
 		a.config.BlockLANAccess,
 		a.config.BlockInbound,
 		a.config.LazyConnectionEnabled,
 		a.config.EnableSSHRoot,
 		a.config.EnableSSHSFTP,
 		a.config.EnableSSHLocalPortForwarding,
 		a.config.EnableSSHRemotePortForwarding,
 		a.config.DisableSSHAuth,
 	)
 }
 // reconnect closes the current connection and creates a new one
 // It checks if the brokenClient is still the current client before reconnecting
 // to avoid multiple threads reconnecting unnecessarily
 func (a *Auth) reconnect(ctx context.Context, brokenClient *mgm.GrpcClient) error {
 	a.mutex.Lock()
 	defer a.mutex.Unlock()
 	// Double-check: if client has already been replaced by another thread, skip reconnection
 	if a.client != brokenClient {
 		log.Debugf("client already reconnected by another thread, skipping")
 		return nil
 	}
 	// Create new connection FIRST, before closing the old one
 	// This ensures a.client is never nil, preventing panics in other threads
 	log.Debugf("reconnecting to Management Service %s", a.mgmURL.String())
 	mgmClient, err := mgm.NewClient(ctx, a.mgmURL.Host, a.privateKey, a.mgmTLSEnabled)
 	if err != nil {
 		log.Errorf("failed reconnecting to Management Service %s: %v", a.mgmURL.String(), err)
 		// Keep the old client if reconnection fails
 		return err
 	}
 	// Close old connection AFTER new one is successfully created
 	oldClient := a.client
 	a.client = mgmClient
 	if oldClient != nil {
 		if err := oldClient.Close(); err != nil {
 			log.Debugf("error closing old connection: %v", err)
 		}
 	}
 	log.Debugf("successfully reconnected to Management service %s", a.mgmURL.String())
 	return nil
 }
 // isConnectionError checks if the error is a connection-related error that should trigger reconnection
 func isConnectionError(err error) bool {
 	if err == nil {
 		return false
 	}
 	s, ok := status.FromError(err)
 	if !ok {
 		return false
 	}
 	// These error codes indicate connection issues
 	return s.Code() == codes.Unavailable ||
 		s.Code() == codes.DeadlineExceeded ||
 		s.Code() == codes.Canceled ||
 		s.Code() == codes.Internal
 }
 // withRetry wraps an operation with exponential backoff retry logic
 // It automatically reconnects on connection errors
 func (a *Auth) withRetry(ctx context.Context, operation func(client *mgm.GrpcClient) error) error {
 	backoffSettings := &backoff.ExponentialBackOff{
 		InitialInterval:     500 * time.Millisecond,
 		RandomizationFactor: 0.5,
 		Multiplier:          1.5,
 		MaxInterval:         10 * time.Second,
 		MaxElapsedTime:      2 * time.Minute,
 		Stop:                backoff.Stop,
 		Clock:               backoff.SystemClock,
 	}
 	backoffSettings.Reset()
 	return backoff.RetryNotify(
 		func() error {
 			// Capture the client BEFORE the operation to ensure we track the correct client
 			a.mutex.RLock()
 			currentClient := a.client
 			a.mutex.RUnlock()
 			if currentClient == nil {
 				return status.Errorf(codes.Unavailable, "client is not initialized")
 			}
 			// Execute operation with the captured client
 			err := operation(currentClient)
 			if err == nil {
 				return nil
 			}
 			// If it's a connection error, attempt reconnection using the client that was actually used
 			if isConnectionError(err) {
 				log.Warnf("connection error detected, attempting reconnection: %v", err)
 				if reconnectErr := a.reconnect(ctx, currentClient); reconnectErr != nil {
 					log.Errorf("reconnection failed: %v", reconnectErr)
 					return reconnectErr
 				}
 				// Return the original error to trigger retry with the new connection
 				return err
 			}
 			// For authentication errors, don't retry
 			if isAuthenticationError(err) {
 				return backoff.Permanent(err)
 			}
 			return err
 		},
 		backoff.WithContext(backoffSettings, ctx),
 		func(err error, duration time.Duration) {
 			log.Warnf("operation failed, retrying in %v: %v", duration, err)
 		},
 	)
 }
 // isAuthenticationError checks if the error is an authentication-related error that should not be retried.
 // Returns true if the error is InvalidArgument or PermissionDenied, indicating that retrying won't help.
 func isAuthenticationError(err error) bool {
 	if err == nil {
 		return false
 	}
 	s, ok := status.FromError(err)
 	if !ok {
 		return false
 	}
 	return s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied
 }
 // isPermissionDenied checks if the error is a PermissionDenied error.
 // This is used to determine if early exit from backoff is needed (e.g., when the server responded but denied access).
 func isPermissionDenied(err error) bool {
 	if err == nil {
 		return false
 	}
 	s, ok := status.FromError(err)
 	if !ok {
 		return false
 	}
 	return s.Code() == codes.PermissionDenied
 }
 func isLoginNeeded(err error) bool {
 	return isAuthenticationError(err)
 }
 func isRegistrationNeeded(err error) bool {
 	return isPermissionDenied(err)
 }
--- a/client/internal/auth/device_flow.go
+++ b/client/internal/auth/device_flow.go
@@ -15,7 +15,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/util/embeddedroots"
 )
@@ -26,12 +25,56 @@ const (
 var _ OAuthFlow = &DeviceAuthorizationFlow{}
 // DeviceAuthProviderConfig has all attributes needed to initiate a device authorization flow
 type DeviceAuthProviderConfig struct {
 	// ClientID An IDP application client id
 	ClientID string
 	// ClientSecret An IDP application client secret
 	ClientSecret string
 	// Domain An IDP API domain
 	// Deprecated. Use OIDCConfigEndpoint instead
 	Domain string
 	// Audience An Audience for to authorization validation
 	Audience string
 	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
 	TokenEndpoint string
 	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
 	DeviceAuthEndpoint string
 	// Scopes provides the scopes to be included in the token request
 	Scope string
 	// UseIDToken indicates if the id token should be used for authentication
 	UseIDToken bool
 	// LoginHint is used to pre-fill the email/username field during authentication
 	LoginHint string
 }
 // validateDeviceAuthConfig validates device authorization provider configuration
 func validateDeviceAuthConfig(config *DeviceAuthProviderConfig) error {
 	errorMsgFormat := "invalid provider configuration received from management: %s value is empty. Contact your NetBird administrator"
 	if config.Audience == "" {
 		return fmt.Errorf(errorMsgFormat, "Audience")
 	}
 	if config.ClientID == "" {
 		return fmt.Errorf(errorMsgFormat, "Client ID")
 	}
 	if config.TokenEndpoint == "" {
 		return fmt.Errorf(errorMsgFormat, "Token Endpoint")
 	}
 	if config.DeviceAuthEndpoint == "" {
 		return fmt.Errorf(errorMsgFormat, "Device Auth Endpoint")
 	}
 	if config.Scope == "" {
 		return fmt.Errorf(errorMsgFormat, "Device Auth Scopes")
 	}
 	return nil
 }
 // DeviceAuthorizationFlow implements the OAuthFlow interface,
 // for the Device Authorization Flow.
 type DeviceAuthorizationFlow struct {
-	providerConfig internal.DeviceAuthProviderConfig
+	providerConfig DeviceAuthProviderConfig
-
+	HTTPClient     HTTPClient
 	HTTPClient HTTPClient
 }
 // RequestDeviceCodePayload used for request device code payload for auth0
@@ -57,7 +100,7 @@ type TokenRequestResponse struct {
 }
 // NewDeviceAuthorizationFlow returns device authorization flow client
-func NewDeviceAuthorizationFlow(config internal.DeviceAuthProviderConfig) (*DeviceAuthorizationFlow, error) {
+func NewDeviceAuthorizationFlow(config DeviceAuthProviderConfig) (*DeviceAuthorizationFlow, error) {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5
@@ -89,6 +132,11 @@ func (d *DeviceAuthorizationFlow) GetClientID(ctx context.Context) string {
 	return d.providerConfig.ClientID
 }
 // SetLoginHint sets the login hint for the device authorization flow
 func (d *DeviceAuthorizationFlow) SetLoginHint(hint string) {
 	d.providerConfig.LoginHint = hint
 }
 // RequestAuthInfo requests a device code login flow information from Hosted
 func (d *DeviceAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error) {
 	form := url.Values{}
@@ -199,14 +247,22 @@ func (d *DeviceAuthorizationFlow) requestToken(info AuthFlowInfo) (TokenRequestR
 }
 // WaitToken waits user's login and authorize the app. Once the user's authorize
-// it retrieves the access token from Hosted's endpoint and validates it before returning
+// it retrieves the access token from Hosted's endpoint and validates it before returning.
 // The method creates a timeout context internally based on info.ExpiresIn.
 func (d *DeviceAuthorizationFlow) WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error) {
 	// Create timeout context based on flow expiration
 	timeout := time.Duration(info.ExpiresIn) * time.Second
 	waitCtx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	interval := time.Duration(info.Interval) * time.Second
 	ticker := time.NewTicker(interval)
 	defer ticker.Stop()
 	for {
 		select {
-		case <-ctx.Done():
+		case <-waitCtx.Done():
-			return TokenInfo{}, ctx.Err()
+			return TokenInfo{}, waitCtx.Err()
 		case <-ticker.C:
 			tokenResponse, err := d.requestToken(info)
--- a/client/internal/auth/device_flow_test.go
+++ b/client/internal/auth/device_flow_test.go
@@ -12,8 +12,6 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal"
 )
 type mockHTTPClient struct {
@@ -115,18 +113,19 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 				err:     testCase.inputReqError,
 			}
-			deviceFlow := &DeviceAuthorizationFlow{
+			config := DeviceAuthProviderConfig{
-				providerConfig: internal.DeviceAuthProviderConfig{
+				Audience:           expectedAudience,
-					Audience:           expectedAudience,
+				ClientID:           expectedClientID,
-					ClientID:           expectedClientID,
+				Scope:              expectedScope,
-					Scope:              expectedScope,
+				TokenEndpoint:      "test.hosted.com/token",
-					TokenEndpoint:      "test.hosted.com/token",
+				DeviceAuthEndpoint: "test.hosted.com/device/auth",
-					DeviceAuthEndpoint: "test.hosted.com/device/auth",
+				UseIDToken:         false,
 					UseIDToken:         false,
 				},
 				HTTPClient: &httpClient,
 			}
 			deviceFlow, err := NewDeviceAuthorizationFlow(config)
 			require.NoError(t, err, "creating device flow should not fail")
 			deviceFlow.HTTPClient = &httpClient
 			authInfo, err := deviceFlow.RequestAuthInfo(context.TODO())
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
@@ -280,18 +279,19 @@ func TestHosted_WaitToken(t *testing.T) {
 				countResBody: testCase.inputCountResBody,
 			}
-			deviceFlow := DeviceAuthorizationFlow{
+			config := DeviceAuthProviderConfig{
-				providerConfig: internal.DeviceAuthProviderConfig{
+				Audience:           testCase.inputAudience,
-					Audience:           testCase.inputAudience,
+				ClientID:           clientID,
-					ClientID:           clientID,
+				TokenEndpoint:      "test.hosted.com/token",
-					TokenEndpoint:      "test.hosted.com/token",
+				DeviceAuthEndpoint: "test.hosted.com/device/auth",
-					DeviceAuthEndpoint: "test.hosted.com/device/auth",
+				Scope:              "openid",
-					Scope:              "openid",
+				UseIDToken:         false,
 					UseIDToken:         false,
 				},
 				HTTPClient: &httpClient,
 			}
 			deviceFlow, err := NewDeviceAuthorizationFlow(config)
 			require.NoError(t, err, "creating device flow should not fail")
 			deviceFlow.HTTPClient = &httpClient
 			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
 			defer cancel()
 			tokenInfo, err := deviceFlow.WaitToken(ctx, testCase.inputInfo)
--- a/client/internal/auth/oauth.go
+++ b/client/internal/auth/oauth.go
@@ -10,7 +10,6 @@ import (
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 )
@@ -87,19 +86,33 @@ func NewOAuthFlow(ctx context.Context, config *profilemanager.Config, isUnixDesk
 // authenticateWithPKCEFlow initializes the Proof Key for Code Exchange flow auth flow
 func authenticateWithPKCEFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
-	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL, config.ClientCertKeyPair)
+	authClient, err := NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	pkceFlowInfo, err := authClient.getPKCEFlow(authClient.client)
 	if err != nil {
 		return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
 	}
-	pkceFlowInfo.ProviderConfig.LoginHint = hint
+	if hint != "" {
 		pkceFlowInfo.SetLoginHint(hint)
 	}
-	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
+	return pkceFlowInfo, nil
 }
 // authenticateWithDeviceCodeFlow initializes the Device Code auth Flow
 func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.Config, hint string) (OAuthFlow, error) {
-	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
+	authClient, err := NewAuth(ctx, config.PrivateKey, config.ManagementURL, config)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create auth client: %v", err)
 	}
 	defer authClient.Close()
 	deviceFlowInfo, err := authClient.getDeviceFlow(authClient.client)
 	if err != nil {
 		switch s, ok := gstatus.FromError(err); {
 		case ok && s.Code() == codes.NotFound:
@@ -114,7 +127,9 @@ func authenticateWithDeviceCodeFlow(ctx context.Context, config *profilemanager.
 		}
 	}
-	deviceFlowInfo.ProviderConfig.LoginHint = hint
+	if hint != "" {
 		deviceFlowInfo.SetLoginHint(hint)
 	}
-	return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
+	return deviceFlowInfo, nil
 }
--- a/client/internal/auth/pkce_flow.go
+++ b/client/internal/auth/pkce_flow.go
@@ -20,7 +20,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/templates"
 	"github.com/netbirdio/netbird/shared/management/client/common"
 )
@@ -35,17 +34,67 @@ const (
 	defaultPKCETimeoutSeconds = 300
 )
 // PKCEAuthProviderConfig has all attributes needed to initiate PKCE authorization flow
 type PKCEAuthProviderConfig struct {
 	// ClientID An IDP application client id
 	ClientID string
 	// ClientSecret An IDP application client secret
 	ClientSecret string
 	// Audience An Audience for to authorization validation
 	Audience string
 	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
 	TokenEndpoint string
 	// AuthorizationEndpoint is the endpoint of an IDP manager where clients can obtain authorization code
 	AuthorizationEndpoint string
 	// Scopes provides the scopes to be included in the token request
 	Scope string
 	// RedirectURL handles authorization code from IDP manager
 	RedirectURLs []string
 	// UseIDToken indicates if the id token should be used for authentication
 	UseIDToken bool
 	// ClientCertPair is used for mTLS authentication to the IDP
 	ClientCertPair *tls.Certificate
 	// DisablePromptLogin makes the PKCE flow to not prompt the user for login
 	DisablePromptLogin bool
 	// LoginFlag is used to configure the PKCE flow login behavior
 	LoginFlag common.LoginFlag
 	// LoginHint is used to pre-fill the email/username field during authentication
 	LoginHint string
 }
 // validatePKCEConfig validates PKCE provider configuration
 func validatePKCEConfig(config *PKCEAuthProviderConfig) error {
 	errorMsgFormat := "invalid provider configuration received from management: %s value is empty. Contact your NetBird administrator"
 	if config.ClientID == "" {
 		return fmt.Errorf(errorMsgFormat, "Client ID")
 	}
 	if config.TokenEndpoint == "" {
 		return fmt.Errorf(errorMsgFormat, "Token Endpoint")
 	}
 	if config.AuthorizationEndpoint == "" {
 		return fmt.Errorf(errorMsgFormat, "Authorization Auth Endpoint")
 	}
 	if config.Scope == "" {
 		return fmt.Errorf(errorMsgFormat, "PKCE Auth Scopes")
 	}
 	if config.RedirectURLs == nil {
 		return fmt.Errorf(errorMsgFormat, "PKCE Redirect URLs")
 	}
 	return nil
 }
 // PKCEAuthorizationFlow implements the OAuthFlow interface for
 // the Authorization Code Flow with PKCE.
 type PKCEAuthorizationFlow struct {
-	providerConfig internal.PKCEAuthProviderConfig
+	providerConfig PKCEAuthProviderConfig
 	state          string
 	codeVerifier   string
 	oAuthConfig    *oauth2.Config
 }
 // NewPKCEAuthorizationFlow returns new PKCE authorization code flow.
-func NewPKCEAuthorizationFlow(config internal.PKCEAuthProviderConfig) (*PKCEAuthorizationFlow, error) {
+func NewPKCEAuthorizationFlow(config PKCEAuthProviderConfig) (*PKCEAuthorizationFlow, error) {
 	var availableRedirectURL string
 	excludedRanges := getSystemExcludedPortRanges()
@@ -124,10 +173,21 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 	}, nil
 }
 // SetLoginHint sets the login hint for the PKCE authorization flow
 func (p *PKCEAuthorizationFlow) SetLoginHint(hint string) {
 	p.providerConfig.LoginHint = hint
 }
 // WaitToken waits for the OAuth token in the PKCE Authorization Flow.
 // It starts an HTTP server to receive the OAuth token callback and waits for the token or an error.
 // Once the token is received, it is converted to TokenInfo and validated before returning.
-func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, _ AuthFlowInfo) (TokenInfo, error) {
+// The method creates a timeout context internally based on info.ExpiresIn.
 func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, info AuthFlowInfo) (TokenInfo, error) {
 	// Create timeout context based on flow expiration
 	timeout := time.Duration(info.ExpiresIn) * time.Second
 	waitCtx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
 	tokenChan := make(chan *oauth2.Token, 1)
 	errChan := make(chan error, 1)
@@ -138,7 +198,7 @@ func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, _ AuthFlowInfo) (
 	server := &http.Server{Addr: fmt.Sprintf(":%s", parsedURL.Port())}
 	defer func() {
-		shutdownCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+		shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 		defer cancel()
 		if err := server.Shutdown(shutdownCtx); err != nil {
@@ -149,8 +209,8 @@ func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, _ AuthFlowInfo) (
 	go p.startServer(server, tokenChan, errChan)
 	select {
-	case <-ctx.Done():
+	case <-waitCtx.Done():
-		return TokenInfo{}, ctx.Err()
+		return TokenInfo{}, waitCtx.Err()
 	case token := <-tokenChan:
 		return p.parseOAuthToken(token)
 	case err := <-errChan:
--- a/client/internal/auth/pkce_flow_test.go
+++ b/client/internal/auth/pkce_flow_test.go
@@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal"
 	mgm "github.com/netbirdio/netbird/shared/management/client/common"
 )
@@ -50,7 +49,7 @@ func TestPromptLogin(t *testing.T) {
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
-			config := internal.PKCEAuthProviderConfig{
+			config := PKCEAuthProviderConfig{
 				ClientID:              "test-client-id",
 				Audience:              "test-audience",
 				TokenEndpoint:         "https://test-token-endpoint.com/token",
--- a/client/internal/auth/pkce_flow_windows_test.go
+++ b/client/internal/auth/pkce_flow_windows_test.go
@@ -9,8 +9,6 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/netbirdio/netbird/client/internal"
 )
 func TestParseExcludedPortRanges(t *testing.T) {
@@ -95,7 +93,7 @@ func TestNewPKCEAuthorizationFlow_WithActualExcludedPorts(t *testing.T) {
 	availablePort := 65432
-	config := internal.PKCEAuthProviderConfig{
+	config := PKCEAuthProviderConfig{
 		ClientID:              "test-client-id",
 		Audience:              "test-audience",
 		TokenEndpoint:         "https://test-token-endpoint.com/token",
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -20,14 +20,16 @@ import (
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/metrics"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/internal/updatemanager"
+	"github.com/netbirdio/netbird/client/internal/updater"
-	"github.com/netbirdio/netbird/client/internal/updatemanager/installer"
+	"github.com/netbirdio/netbird/client/internal/updater/installer"
 	nbnet "github.com/netbirdio/netbird/client/net"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
@@ -42,14 +44,19 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
-type ConnectClient struct {
+// androidRunOverride is set on Android to inject mobile dependencies
-	ctx                 context.Context
+// when using embed.Client (which calls Run() with empty MobileDependency).
-	config              *profilemanager.Config
+var androidRunOverride func(c *ConnectClient, runningChan chan struct{}, logPath string) error
 	statusRecorder      *peer.Status
 	doInitialAutoUpdate bool
-	engine      *Engine
+type ConnectClient struct {
-	engineMutex sync.Mutex
+	ctx            context.Context
 	config         *profilemanager.Config
 	statusRecorder *peer.Status
 	engine        *Engine
 	engineMutex   sync.Mutex
 	clientMetrics *metrics.ClientMetrics
 	updateManager *updater.Manager
 	persistSyncResponse bool
 }
@@ -58,19 +65,24 @@ func NewConnectClient(
 	ctx context.Context,
 	config *profilemanager.Config,
 	statusRecorder *peer.Status,
 	doInitalAutoUpdate bool,
 ) *ConnectClient {
 	return &ConnectClient{
-		ctx:                 ctx,
+		ctx:            ctx,
-		config:              config,
+		config:         config,
-		statusRecorder:      statusRecorder,
+		statusRecorder: statusRecorder,
-		doInitialAutoUpdate: doInitalAutoUpdate,
+		engineMutex:    sync.Mutex{},
 		engineMutex:         sync.Mutex{},
 	}
 }
 func (c *ConnectClient) SetUpdateManager(um *updater.Manager) {
 	c.updateManager = um
 }
 // Run with main logic.
 func (c *ConnectClient) Run(runningChan chan struct{}, logPath string) error {
 	if androidRunOverride != nil {
 		return androidRunOverride(c, runningChan, logPath)
 	}
 	return c.run(MobileDependency{}, runningChan, logPath)
 }
@@ -82,6 +94,7 @@ func (c *ConnectClient) RunOnAndroid(
 	dnsAddresses []netip.AddrPort,
 	dnsReadyListener dns.ReadyListener,
 	stateFilePath string,
 	cacheDir string,
 ) error {
 	// in case of non Android os these variables will be nil
 	mobileDependency := MobileDependency{
@@ -91,6 +104,7 @@ func (c *ConnectClient) RunOnAndroid(
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 		StateFilePath:         stateFilePath,
 		TempDir:               cacheDir,
 	}
 	return c.run(mobileDependency, nil, "")
 }
@@ -99,6 +113,7 @@ func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
 	dnsAddresses []netip.AddrPort,
 	stateFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
@@ -108,6 +123,7 @@ func (c *ConnectClient) RunOniOS(
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
 		HostDNSAddresses:      dnsAddresses,
 		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil, "")
@@ -130,10 +146,34 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}
 	}()
 	// Stop metrics push on exit
 	defer func() {
 		if c.clientMetrics != nil {
 			c.clientMetrics.StopPush()
 		}
 	}()
 	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)
 	nbnet.Init()
 	// Initialize metrics once at startup (always active for debug bundles)
 	if c.clientMetrics == nil {
 		agentInfo := metrics.AgentInfo{
 			DeploymentType: metrics.DeploymentTypeUnknown,
 			Version:        version.NetbirdVersion(),
 			OS:             runtime.GOOS,
 			Arch:           runtime.GOARCH,
 		}
 		c.clientMetrics = metrics.NewClientMetrics(agentInfo)
 		log.Debugf("initialized client metrics")
 		// Start metrics push if enabled (uses daemon context, persists across engine restarts)
 		if metrics.IsMetricsPushEnabled() {
 			c.clientMetrics.StartPush(c.ctx, metrics.PushConfigFromEnv())
 		}
 	}
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -186,14 +226,13 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 	stateManager := statemanager.New(path)
 	stateManager.RegisterState(&sshconfig.ShutdownState{})
-	updateManager, err := updatemanager.NewManager(c.statusRecorder, stateManager)
+	if c.updateManager != nil {
-	if err == nil {
+		c.updateManager.CheckUpdateSuccess(c.ctx)
-		updateManager.CheckUpdateSuccess(c.ctx)
+	}
-		inst := installer.New()
+	inst := installer.New()
-		if err := inst.CleanUpInstallerFiles(); err != nil {
+	if err := inst.CleanUpInstallerFiles(); err != nil {
-			log.Errorf("failed to clean up temporary installer file: %v", err)
+		log.Errorf("failed to clean up temporary installer file: %v", err)
 		}
 	}
 	defer c.statusRecorder.ClientStop()
@@ -221,6 +260,16 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)
 		// Update metrics with actual deployment type after connection
 		deploymentType := metrics.DetermineDeploymentType(mgmClient.GetServerURL())
 		agentInfo := metrics.AgentInfo{
 			DeploymentType: deploymentType,
 			Version:        version.NetbirdVersion(),
 			OS:             runtime.GOOS,
 			Arch:           runtime.GOARCH,
 		}
 		c.clientMetrics.UpdateAgentInfo(agentInfo, myPrivateKey.PublicKey().String())
 		log.Debugf("connected to the Management service %s", c.config.ManagementURL.Host)
 		defer func() {
 			if err = mgmClient.Close(); err != nil {
@@ -229,8 +278,10 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}()
 		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Netbird config
 		loginStarted := time.Now()
 		loginResp, err := loginToManagement(engineCtx, mgmClient, publicSSHKey, c.config)
 		if err != nil {
 			c.clientMetrics.RecordLoginDuration(engineCtx, time.Since(loginStarted), false)
 			log.Debug(err)
 			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
 				state.Set(StatusNeedsLogin)
@@ -239,12 +290,13 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			}
 			return wrapErr(err)
 		}
 		c.clientMetrics.RecordLoginDuration(engineCtx, time.Since(loginStarted), true)
 		c.statusRecorder.MarkManagementConnected()
 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: device.WireGuardModuleIsLoaded(),
+			KernelInterface: device.WireGuardModuleIsLoaded() && !netstack.IsEnabled(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
 		c.statusRecorder.UpdateLocalPeerState(localPeerState)
@@ -288,6 +340,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			log.Error(err)
 			return wrapErr(err)
 		}
 		engineConfig.TempDir = mobileDependency.TempDir
 		relayManager := relayClient.NewManager(engineCtx, relayURLs, myPrivateKey.PublicKey().String(), engineConfig.MTU)
 		c.statusRecorder.SetRelayMgr(relayManager)
@@ -307,7 +360,16 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		checks := loginResp.GetChecks()
 		c.engineMutex.Lock()
-		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks, stateManager)
+		engine := NewEngine(engineCtx, cancel, engineConfig, EngineServices{
 			SignalClient:   signalClient,
 			MgmClient:      mgmClient,
 			RelayManager:   relayManager,
 			StatusRecorder: c.statusRecorder,
 			Checks:         checks,
 			StateManager:   stateManager,
 			UpdateManager:  c.updateManager,
 			ClientMetrics:  c.clientMetrics,
 		}, mobileDependency)
 		engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engine = engine
 		c.engineMutex.Unlock()
@@ -317,21 +379,15 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 			return wrapErr(err)
 		}
 		if loginResp.PeerConfig != nil && loginResp.PeerConfig.AutoUpdate != nil {
 			// AutoUpdate will be true when the user click on "Connect" menu on the UI
 			if c.doInitialAutoUpdate {
 				log.Infof("start engine by ui, run auto-update check")
 				c.engine.InitialUpdateHandling(loginResp.PeerConfig.AutoUpdate)
 				c.doInitialAutoUpdate = false
 			}
 		}
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)
 		if runningChan != nil {
-			close(runningChan)
+			select {
-			runningChan = nil
+			case <-runningChan:
 			default:
 				close(runningChan)
 			}
 		}
 		<-engineCtx.Done()
@@ -566,12 +622,6 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP
 // loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
 func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *profilemanager.Config) (*mgmProto.LoginResponse, error) {
 	serverPublicKey, err := client.GetServerPublicKey()
 	if err != nil {
 		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
 	}
 	sysInfo := system.GetInfo(ctx)
 	sysInfo.SetFlags(
 		config.RosenpassEnabled,
@@ -590,12 +640,7 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.EnableSSHRemotePortForwarding,
 		config.DisableSSHAuth,
 	)
-	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
+	return client.Login(sysInfo, pubSSHKey, config.DNSLabels)
 	if err != nil {
 		return nil, err
 	}
 	return loginResp, nil
 }
 func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {
--- a/client/internal/connect_android_default.go
+++ b/client/internal/connect_android_default.go
@@ -0,0 +1,73 @@
 //go:build android
 package internal
 import (
 	"net/netip"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 // noopIFaceDiscover is a stub ExternalIFaceDiscover for embed.Client on Android.
 // It returns an empty interface list, which means ICE P2P candidates won't be
 // discovered — connections will fall back to relay. Applications that need P2P
 // should provide a real implementation via runOnAndroidEmbed that uses
 // Android's ConnectivityManager to enumerate network interfaces.
 type noopIFaceDiscover struct{}
 func (noopIFaceDiscover) IFaces() (string, error) {
 	// Return empty JSON array — no local interfaces advertised for ICE.
 	// This is intentional: without Android's ConnectivityManager, we cannot
 	// reliably enumerate interfaces (netlink is restricted on Android 11+).
 	// Relay connections still work; only P2P hole-punching is disabled.
 	return "[]", nil
 }
 // noopNetworkChangeListener is a stub for embed.Client on Android.
 // Network change events are ignored since the embed client manages its own
 // reconnection logic via the engine's built-in retry mechanism.
 type noopNetworkChangeListener struct{}
 func (noopNetworkChangeListener) OnNetworkChanged(string) {
 	// No-op: embed.Client relies on the engine's internal reconnection
 	// logic rather than OS-level network change notifications.
 }
 func (noopNetworkChangeListener) SetInterfaceIP(string) {
 	// No-op: in netstack mode, the overlay IP is managed by the userspace
 	// network stack, not by OS-level interface configuration.
 }
 // noopDnsReadyListener is a stub for embed.Client on Android.
 // DNS readiness notifications are not needed in netstack/embed mode
 // since system DNS is disabled and DNS resolution happens externally.
 type noopDnsReadyListener struct{}
 func (noopDnsReadyListener) OnReady() {
 	// No-op: embed.Client does not need DNS readiness notifications.
 	// System DNS is disabled in netstack mode.
 }
 var _ stdnet.ExternalIFaceDiscover = noopIFaceDiscover{}
 var _ listener.NetworkChangeListener = noopNetworkChangeListener{}
 var _ dns.ReadyListener = noopDnsReadyListener{}
 func init() {
 	// Wire up the default override so embed.Client.Start() works on Android
 	// with netstack mode. Provides complete no-op stubs for all mobile
 	// dependencies so the engine's existing Android code paths work unchanged.
 	// Applications that need P2P ICE or real DNS should replace this by
 	// setting androidRunOverride before calling Start().
 	androidRunOverride = func(c *ConnectClient, runningChan chan struct{}, logPath string) error {
 		return c.runOnAndroidEmbed(
 			noopIFaceDiscover{},
 			noopNetworkChangeListener{},
 			[]netip.AddrPort{},
 			noopDnsReadyListener{},
 			runningChan,
 			logPath,
 		)
 	}
 }
--- a/client/internal/connect_android_embed.go
+++ b/client/internal/connect_android_embed.go
@@ -0,0 +1,32 @@
 //go:build android
 package internal
 import (
 	"net/netip"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 )
 // runOnAndroidEmbed is like RunOnAndroid but accepts a runningChan
 // so embed.Client.Start() can detect when the engine is ready.
 // It provides complete MobileDependency so the engine's existing
 // Android code paths work unchanged.
 func (c *ConnectClient) runOnAndroidEmbed(
 	iFaceDiscover stdnet.ExternalIFaceDiscover,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsAddresses []netip.AddrPort,
 	dnsReadyListener dns.ReadyListener,
 	runningChan chan struct{},
 	logPath string,
 ) error {
 	mobileDependency := MobileDependency{
 		IFaceDiscover:         iFaceDiscover,
 		NetworkChangeListener: networkChangeListener,
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 	}
 	return c.run(mobileDependency, runningChan, logPath)
 }
--- a/client/internal/daemonaddr/resolve.go
+++ b/client/internal/daemonaddr/resolve.go
@@ -0,0 +1,60 @@
 //go:build !windows && !ios && !android
 package daemonaddr
 import (
 	"os"
 	"path/filepath"
 	"strings"
 	log "github.com/sirupsen/logrus"
 )
 var scanDir = "/var/run/netbird"
 // setScanDir overrides the scan directory (used by tests).
 func setScanDir(dir string) {
 	scanDir = dir
 }
 // ResolveUnixDaemonAddr checks whether the default Unix socket exists and, if not,
 // scans /var/run/netbird/ for a single .sock file to use instead. This handles the
 // mismatch between the netbird@.service template (which places the socket under
 // /var/run/netbird/<instance>.sock) and the CLI default (/var/run/netbird.sock).
 func ResolveUnixDaemonAddr(addr string) string {
 	if !strings.HasPrefix(addr, "unix://") {
 		return addr
 	}
 	sockPath := strings.TrimPrefix(addr, "unix://")
 	if _, err := os.Stat(sockPath); err == nil {
 		return addr
 	}
 	entries, err := os.ReadDir(scanDir)
 	if err != nil {
 		return addr
 	}
 	var found []string
 	for _, e := range entries {
 		if e.IsDir() {
 			continue
 		}
 		if strings.HasSuffix(e.Name(), ".sock") {
 			found = append(found, filepath.Join(scanDir, e.Name()))
 		}
 	}
 	switch len(found) {
 	case 1:
 		resolved := "unix://" + found[0]
 		log.Debugf("Default daemon socket not found, using discovered socket: %s", resolved)
 		return resolved
 	case 0:
 		return addr
 	default:
 		log.Warnf("Default daemon socket not found and multiple sockets discovered in %s; pass --daemon-addr explicitly", scanDir)
 		return addr
 	}
 }
--- a/client/internal/daemonaddr/resolve_stub.go
+++ b/client/internal/daemonaddr/resolve_stub.go
@@ -0,0 +1,8 @@
 //go:build windows || ios || android
 package daemonaddr
 // ResolveUnixDaemonAddr is a no-op on platforms that don't use Unix sockets.
 func ResolveUnixDaemonAddr(addr string) string {
 	return addr
 }
--- a/Show More
+++ b/Show More