Remove default protocol for migrated rules policy

.github/workflows/golang-test-darwin.yml

@@ -6,10 +6,6 @@ on:
       - main
   pull_request:
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
 jobs:
   test:
     runs-on: macos-latest

.github/workflows/golang-test-linux.yml

@@ -6,10 +6,6 @@ on:
       - main
   pull_request:
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
 jobs:
   test:
     strategy:
@@ -70,7 +66,7 @@ jobs:
         run: go mod tidy
 
       - name: Generate Iface Test bin
-        run: go test -c -o iface-testing.bin ./iface/
+        run: go test -c -o iface-testing.bin ./iface/...
 
       - name: Generate RouteManager Test bin
         run: go test -c -o routemanager-testing.bin ./client/internal/routemanager/...

.github/workflows/golang-test-windows.yml

@@ -6,45 +6,47 @@ on:
       - main
   pull_request:
 
-env:
-  downloadPath: '${{ github.workspace }}\temp'
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
 jobs:
+  pre:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - run: bash -x wireguard_nt.sh
+        working-directory: client
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: syso
+          path: client/*.syso
+          retention-days: 1
+
   test:
+    needs: pre
     runs-on: windows-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
 
       - name: Install Go
-        uses: actions/setup-go@v4
-        id: go
+        uses: actions/setup-go@v2
         with:
           go-version: 1.19.x
 
-      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
-        id: download-wintun
+      - uses: actions/cache@v2
         with:
-          file-url: https://www.wintun.net/builds/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+          path: |
+            %LocalAppData%\go-build
+            ~\go\pkg\mod
+            ~\AppData\Local\go-build
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
 
-      - name: Decompressing wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+      - uses: actions/download-artifact@v2
+        with:
+          name: syso
+          path: iface\
 
-      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
-
-      - run: choco install -y sysinternals
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
-
-      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 5m -p 1 ./... > test-out.txt 2>&1"
-      - name: test output
-        if: ${{ always() }}
-        run: Get-Content test-out.txt
+      - name: Test
+        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...

.github/workflows/golangci-lint.yml

@@ -1,8 +1,5 @@
 name: golangci-lint
 on: [pull_request]
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
 jobs:
   golangci:
     name: lint

.github/workflows/install-test-darwin.yml

@@ -1,60 +0,0 @@
-name: Test installation Darwin
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "release_files/install.sh"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-jobs:
-  install-cli-only:
-    runs-on: macos-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename brew package
-        if: ${{ matrix.check_bin_install }}
-        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-        env:
-          SKIP_UI_APP: true
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-            echo "Error: netbird is not installed"
-            exit 1
-          fi
-  install-all:
-    runs-on: macos-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename brew package
-        if: ${{ matrix.check_bin_install }}
-        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-              echo "Error: netbird is not installed"
-              exit 1
-          fi
-
-          if [[ $(mdfind "kMDItemContentType == 'com.apple.application-bundle' && kMDItemFSName == '*NetBird UI.app'") ]]; then
-            echo "Error: NetBird UI is not installed"
-            exit 1
-          fi

.github/workflows/install-test-linux.yml

@@ -1,38 +0,0 @@
-name: Test installation Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "release_files/install.sh"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-jobs:
-  install-cli-only:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        check_bin_install: [true, false]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename apt package
-        if: ${{ matrix.check_bin_install }}
-        run: |
-          sudo mv /usr/bin/apt /usr/bin/apt.bak
-          sudo mv /usr/bin/apt-get /usr/bin/apt-get.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-            echo "Error: netbird is not installed"
-            exit 1
-          fi

.github/workflows/release.yml

@@ -9,13 +9,9 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.6"
+  SIGN_PIPE_VER: "v0.0.5"
   GORELEASER_VER: "v1.14.1"
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -25,6 +21,10 @@ jobs:
         uses: actions/checkout@v2
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Generate syso with DLL
+        run: bash -x wireguard_nt.sh
+        working-directory: client
       -
         name: Set up Go
         uses: actions/setup-go@v2
@@ -59,17 +59,6 @@ jobs:
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Install OS build dependencies
         run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
-
-      - name: Install rsrc
-        run: go install github.com/akavel/rsrc@v0.10.2
-      - name: Generate windows rsrc amd64
-        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_amd64.syso
-      - name: Generate windows rsrc arm64
-        run: rsrc -arch arm64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm64.syso
-      - name: Generate windows rsrc arm
-        run: rsrc -arch arm -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm.syso
-      - name: Generate windows rsrc 386
-        run: rsrc -arch 386 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_386.syso
       -
         name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2

.github/workflows/test-docker-compose-linux.yml

@@ -6,10 +6,6 @@ on:
       - main
   pull_request:
 
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
 jobs:
   test:
     runs-on: ubuntu-latest
@@ -63,11 +59,6 @@ jobs:
           CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
           CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
           CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
-          CI_NETBIRD_TOKEN_SOURCE: "idToken"
-          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
-          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
-          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
-
         run: |
           grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
           grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
@@ -77,12 +68,6 @@ jobs:
           grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
           grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
           grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
-          grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
-          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
-          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
-          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
-          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
-          grep UseIDToken management.json | grep false
 
       - name: run docker compose up
         working-directory: infrastructure_files

client/android/client.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/iface"
@@ -24,11 +23,6 @@ type TunAdapter interface {
 	iface.TunAdapter
 }
 
-// IFaceDiscover export internal IFaceDiscover for mobile
-type IFaceDiscover interface {
-	stdnet.ExternalIFaceDiscover
-}
-
 func init() {
 	formatter.SetLogcatFormatter(log.StandardLogger())
 }
@@ -37,7 +31,6 @@ func init() {
 type Client struct {
 	cfgFile       string
 	tunAdapter    iface.TunAdapter
-	iFaceDiscover IFaceDiscover
 	recorder      *peer.Status
 	ctxCancel     context.CancelFunc
 	ctxCancelLock *sync.Mutex
@@ -45,7 +38,7 @@ type Client struct {
 }
 
 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover) *Client {
+func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter) *Client {
 	lvl, _ := log.ParseLevel("trace")
 	log.SetLevel(lvl)
 
@@ -53,7 +46,6 @@ func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover
 		cfgFile:       cfgFile,
 		deviceName:    deviceName,
 		tunAdapter:    tunAdapter,
-		iFaceDiscover: iFaceDiscover,
 		recorder:      peer.NewRecorder(""),
 		ctxCancelLock: &sync.Mutex{},
 	}
@@ -78,14 +70,14 @@ func (c *Client) Run(urlOpener URLOpener) error {
 	c.ctxCancelLock.Unlock()
 
 	auth := NewAuthWithConfig(ctx, cfg)
-	err = auth.login(urlOpener)
+	err = auth.Login(urlOpener)
 	if err != nil {
 		return err
 	}
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover)
+	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter)
 }
 
 // Stop the internal client and free the resources
@@ -118,12 +110,12 @@ func (c *Client) PeersList() *PeerInfoArray {
 	return &PeerInfoArray{items: peerInfos}
 }
 
-// SetConnectionListener set the network connection listener
-func (c *Client) SetConnectionListener(listener ConnectionListener) {
-	c.recorder.SetConnectionListener(listener)
+// AddConnectionListener add new network connection listener
+func (c *Client) AddConnectionListener(listener ConnectionListener) {
+	c.recorder.AddConnectionListener(listener)
 }
 
 // RemoveConnectionListener remove connection listener
-func (c *Client) RemoveConnectionListener() {
-	c.recorder.RemoveConnectionListener()
+func (c *Client) RemoveConnectionListener(listener ConnectionListener) {
+	c.recorder.RemoveConnectionListener(listener)
 }

client/android/login.go

@@ -3,32 +3,16 @@ package android
 import (
 	"context"
 	"fmt"
+	"github.com/cenkalti/backoff/v4"
+	"github.com/netbirdio/netbird/client/cmd"
 	"time"
 
-	"github.com/cenkalti/backoff/v4"
-
+	"github.com/netbirdio/netbird/client/internal"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/cmd"
-	"github.com/netbirdio/netbird/client/system"
-
-	"github.com/netbirdio/netbird/client/internal"
 )
 
-// SSOListener is async listener for mobile framework
-type SSOListener interface {
-	OnSuccess(bool)
-	OnError(error)
-}
-
-// ErrListener is async listener for mobile framework
-type ErrListener interface {
-	OnSuccess()
-	OnError(error)
-}
-
 // URLOpener it is a callback interface. The Open function will be triggered if
 // the backend want to show an url for the user
 type URLOpener interface {
@@ -68,66 +52,32 @@ func NewAuthWithConfig(ctx context.Context, config *internal.Config) *Auth {
 	}
 }
 
-// SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
-// If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
-// is not supported and returns false without saving the configuration. For other errors return false.
-func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
-	go func() {
-		sso, err := a.saveConfigIfSSOSupported()
-		if err != nil {
-			listener.OnError(err)
-		} else {
-			listener.OnSuccess(sso)
-		}
-	}()
-}
-
-func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
-	supportsSSO := true
+// LoginAndSaveConfigIfSSOSupported test the connectivity with the management server.
+// If the SSO is supported than save the configuration. Return with the SSO login is supported or not.
+func (a *Auth) LoginAndSaveConfigIfSSOSupported() (bool, error) {
+	var needsLogin bool
 	err := a.withBackOff(a.ctx, func() (err error) {
-		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
-		if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
-			supportsSSO = false
-			err = nil
-		}
-		return err
+		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config.SSHKey)
+		return
 	})
-
-	if !supportsSSO {
-		return false, nil
-	}
-
 	if err != nil {
 		return false, fmt.Errorf("backoff cycle failed: %v", err)
 	}
-
+	if !needsLogin {
+		return false, nil
+	}
 	err = internal.WriteOutConfig(a.cfgPath, a.config)
-	return true, err
+	return needsLogin, err
 }
 
 // LoginWithSetupKeyAndSaveConfig test the connectivity with the management server with the setup key.
-func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupKey string, deviceName string) {
-	go func() {
-		err := a.loginWithSetupKeyAndSaveConfig(setupKey, deviceName)
-		if err != nil {
-			resultListener.OnError(err)
-		} else {
-			resultListener.OnSuccess()
-		}
-	}()
-}
-
-func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
-	//nolint
-	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
-
+func (a *Auth) LoginWithSetupKeyAndSaveConfig(setupKey string) error {
 	err := a.withBackOff(a.ctx, func() error {
-		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
-		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
-			// we got an answer from management, exit backoff earlier
-			return backoff.Permanent(backoffErr)
+		err := internal.Login(a.ctx, a.config, setupKey, "")
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
 		}
-		return backoffErr
+		return err
 	})
 	if err != nil {
 		return fmt.Errorf("backoff cycle failed: %v", err)
@@ -137,18 +87,7 @@ func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string
 }
 
 // Login try register the client on the server
-func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener) {
-	go func() {
-		err := a.login(urlOpener)
-		if err != nil {
-			resultListener.OnError(err)
-		} else {
-			resultListener.OnSuccess()
-		}
-	}()
-}
-
-func (a *Auth) login(urlOpener URLOpener) error {
+func (a *Auth) Login(urlOpener URLOpener) error {
 	var needsLogin bool
 
 	// check if we need to generate JWT token
@@ -166,7 +105,7 @@ func (a *Auth) login(urlOpener URLOpener) error {
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
-		jwtToken = tokenInfo.GetTokenToUse()
+		jwtToken = tokenInfo.AccessToken
 	}
 
 	err = a.withBackOff(a.ctx, func() error {
@@ -199,7 +138,12 @@ func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*internal.TokenInfo,
 		}
 	}
 
-	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+	hostedClient := internal.NewHostedDeviceFlow(
+		providerConfig.ProviderConfig.Audience,
+		providerConfig.ProviderConfig.ClientID,
+		providerConfig.ProviderConfig.TokenEndpoint,
+		providerConfig.ProviderConfig.DeviceAuthEndpoint,
+	)
 
 	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {

client/cmd/login.go

@@ -135,7 +135,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
-		jwtToken = tokenInfo.GetTokenToUse()
+		jwtToken = tokenInfo.AccessToken
 	}
 
 	err = WithBackOff(func() error {
@@ -172,7 +172,12 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		}
 	}
 
-	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+	hostedClient := internal.NewHostedDeviceFlow(
+		providerConfig.ProviderConfig.Audience,
+		providerConfig.ProviderConfig.ClientID,
+		providerConfig.ProviderConfig.TokenEndpoint,
+		providerConfig.ProviderConfig.DeviceAuthEndpoint,
+	)
 
 	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {

client/cmd/up.go

@@ -94,7 +94,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil, nil)
+	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil)
 }
 
 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {

client/firewall/firewall.go

@@ -39,8 +39,12 @@ const (
 // Netbird client for ACL and routing functionality
 type Manager interface {
 	// AddFiltering rule to the firewall
+	//
+	// If comment argument is empty firewall manager should set
+	// rule ID as comment for the rule
 	AddFiltering(
 		ip net.IP,
+		proto Protocol,
 		port *Port,
 		direction Direction,
 		action Action,

client/firewall/iptables/manager_linux.go

@@ -10,6 +10,7 @@ import (
 	"github.com/google/uuid"
 
 	fw "github.com/netbirdio/netbird/client/firewall"
+	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -17,17 +18,33 @@ const (
 	ChainFilterName = "NETBIRD-ACL"
 )
 
+// jumpNetbirdDefaultRule always added by manager to the input chain for all trafic from the Netbird interface
+var jumpNetbirdDefaultRule = []string{
+	"-j", ChainFilterName, "-m", "comment", "--comment", "Netbird traffic chain jump"}
+
+// pingSupportDefaultRule always added by the manager to the Netbird ACL chain
+var pingSupportDefaultRule = []string{
+	"-p", "icmp", "--icmp-type", "echo-request", "-j",
+	"ACCEPT", "-m", "comment", "--comment", "Allow pings from the Netbird Devices"}
+
+// dropAllDefaultRule in the Netbird chain
+var dropAllDefaultRule = []string{"-j", "DROP"}
+
 // Manager of iptables firewall
 type Manager struct {
 	mutex sync.Mutex
 
 	ipv4Client *iptables.IPTables
 	ipv6Client *iptables.IPTables
+
+	wgIfaceName string
 }
 
 // Create iptables firewall manager
-func Create() (*Manager, error) {
-	m := &Manager{}
+func Create(wgIfaceName string) (*Manager, error) {
+	m := &Manager{
+		wgIfaceName: wgIfaceName,
+	}
 
 	// init clients for booth ipv4 and ipv6
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
@@ -38,20 +55,23 @@ func Create() (*Manager, error) {
 
 	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 	if err != nil {
-		return nil, fmt.Errorf("ip6tables is not installed in the system or not supported")
+		log.Errorf("ip6tables is not installed in the system or not supported")
+	} else {
+		m.ipv6Client = ipv6Client
 	}
-	m.ipv6Client = ipv6Client
 
 	if err := m.Reset(); err != nil {
-		return nil, fmt.Errorf("failed to reset firewall: %s", err)
+		return nil, fmt.Errorf("failed to reset firewall: %v", err)
 	}
-
 	return m, nil
 }
 
 // AddFiltering rule to the firewall
+//
+// If comment is empty rule ID is used as comment
 func (m *Manager) AddFiltering(
 	ip net.IP,
+	protocol fw.Protocol,
 	port *fw.Port,
 	direction fw.Direction,
 	action fw.Action,
@@ -59,45 +79,64 @@ func (m *Manager) AddFiltering(
 ) (fw.Rule, error) {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
-	client := m.client(ip)
-	ok, err := client.ChainExists("filter", ChainFilterName)
+
+	client, err := m.client(ip)
 	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %s", err)
-	}
-	if !ok {
-		if err := client.NewChain("filter", ChainFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create chain: %s", err)
-		}
-	}
-	if port == nil || port.Values == nil || (port.IsRange && len(port.Values) != 2) {
-		return nil, fmt.Errorf("invalid port definition")
-	}
-	pv := strconv.Itoa(port.Values[0])
-	if port.IsRange {
-		pv += ":" + strconv.Itoa(port.Values[1])
-	}
-	specs := m.filterRuleSpecs("filter", ChainFilterName, ip, pv, direction, action, comment)
-	if err := client.AppendUnique("filter", ChainFilterName, specs...); err != nil {
 		return nil, err
 	}
-	rule := &Rule{
-		id:    uuid.New().String(),
-		specs: specs,
-		v6:    ip.To4() == nil,
+
+	var portValue string
+	if port != nil && port.Values != nil {
+		// TODO: we support only one port per rule in current implementation of ACLs
+		portValue = strconv.Itoa(port.Values[0])
 	}
-	return rule, nil
+
+	ruleID := uuid.New().String()
+	if comment == "" {
+		comment = ruleID
+	}
+
+	specs := m.filterRuleSpecs(
+		"filter",
+		ChainFilterName,
+		ip,
+		string(protocol),
+		portValue,
+		direction,
+		action,
+		comment,
+	)
+
+	ok, err := client.Exists("filter", ChainFilterName, specs...)
+	if err != nil {
+		return nil, fmt.Errorf("check is rule already exists: %w", err)
+	}
+	if ok {
+		return nil, fmt.Errorf("rule already exists")
+	}
+
+	if err := client.Insert("filter", ChainFilterName, 1, specs...); err != nil {
+		return nil, err
+	}
+
+	return &Rule{id: ruleID, specs: specs, v6: ip.To4() == nil}, nil
 }
 
 // DeleteRule from the firewall by rule definition
 func (m *Manager) DeleteRule(rule fw.Rule) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
+
 	r, ok := rule.(*Rule)
 	if !ok {
 		return fmt.Errorf("invalid rule type")
 	}
+
 	client := m.ipv4Client
 	if r.v6 {
+		if m.ipv6Client == nil {
+			return fmt.Errorf("ipv6 is not supported")
+		}
 		client = m.ipv6Client
 	}
 	return client.Delete("filter", ChainFilterName, r.specs...)
@@ -107,11 +146,14 @@ func (m *Manager) DeleteRule(rule fw.Rule) error {
 func (m *Manager) Reset() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
+
 	if err := m.reset(m.ipv4Client, "filter", ChainFilterName); err != nil {
 		return fmt.Errorf("clean ipv4 firewall ACL chain: %w", err)
 	}
-	if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
-		return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
+	if m.ipv6Client != nil {
+		if err := m.reset(m.ipv6Client, "filter", ChainFilterName); err != nil {
+			return fmt.Errorf("clean ipv6 firewall ACL chain: %w", err)
+		}
 	}
 	return nil
 }
@@ -125,31 +167,79 @@ func (m *Manager) reset(client *iptables.IPTables, table, chain string) error {
 	if !ok {
 		return nil
 	}
-	if err := client.ClearChain(table, ChainFilterName); err != nil {
-		return fmt.Errorf("failed to clear chain: %w", err)
+
+	specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdDefaultRule...)
+	if err := client.Delete("filter", "INPUT", specs...); err != nil {
+		return fmt.Errorf("failed to delete default rule: %w", err)
 	}
-	return client.DeleteChain(table, ChainFilterName)
+
+	return client.ClearAndDeleteChain(table, chain)
 }
 
 // filterRuleSpecs returns the specs of a filtering rule
 func (m *Manager) filterRuleSpecs(
-	table string, chain string, ip net.IP, port string,
+	table string, chain string, ip net.IP, protocol string, port string,
 	direction fw.Direction, action fw.Action, comment string,
 ) (specs []string) {
-	if direction == fw.DirectionSrc {
+	switch direction {
+	case fw.DirectionSrc:
 		specs = append(specs, "-s", ip.String())
+	case fw.DirectionDst:
+		specs = append(specs, "-d", ip.String())
+	}
+	if protocol != "" {
+		specs = append(specs, "-p", protocol)
+	}
+	if port != "" {
+		specs = append(specs, "--dport", port)
 	}
-	specs = append(specs, "-p", "tcp", "--dport", port)
 	specs = append(specs, "-j", m.actionToStr(action))
 	return append(specs, "-m", "comment", "--comment", comment)
 }
 
-// client returns corresponding iptables client for the given ip
-func (m *Manager) client(ip net.IP) *iptables.IPTables {
+// rawClient returns corresponding iptables client for the given ip
+func (m *Manager) rawClient(ip net.IP) (*iptables.IPTables, error) {
 	if ip.To4() != nil {
-		return m.ipv4Client
+		return m.ipv4Client, nil
 	}
-	return m.ipv6Client
+	if m.ipv6Client == nil {
+		return nil, fmt.Errorf("ipv6 is not supported")
+	}
+	return m.ipv6Client, nil
+}
+
+// client returns client with initialized chain and default rules
+func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
+	client, err := m.rawClient(ip)
+	if err != nil {
+		return nil, err
+	}
+
+	ok, err := client.ChainExists("filter", ChainFilterName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
+	}
+
+	if !ok {
+		if err := client.NewChain("filter", ChainFilterName); err != nil {
+			return nil, fmt.Errorf("failed to create chain: %w", err)
+		}
+
+		if err := client.AppendUnique("filter", ChainFilterName, pingSupportDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default ping allow rule: %w", err)
+		}
+
+		if err := client.AppendUnique("filter", ChainFilterName, dropAllDefaultRule...); err != nil {
+			return nil, fmt.Errorf("failed to create default drop all in netbird chain: %w", err)
+		}
+
+		specs := append([]string{"-i", m.wgIfaceName}, jumpNetbirdDefaultRule...)
+		if err := client.AppendUnique("filter", "INPUT", specs...); err != nil {
+			return nil, fmt.Errorf("failed to create chain: %w", err)
+		}
+
+	}
+	return client, nil
 }
 
 func (m *Manager) actionToStr(action fw.Action) string {

client/firewall/iptables/manager_linux_test.go

@@ -14,7 +14,8 @@ func TestNewManager(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	manager, err := Create()
+	// just check on the local interface
+	manager, err := Create("lo")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -22,10 +23,11 @@ func TestNewManager(t *testing.T) {
 	var rule1 fw.Rule
 	t.Run("add first rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.2")
-		port := &fw.Port{Proto: fw.PortProtocolTCP, Values: []int{8080}}
-		rule1, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
+		port := &fw.Port{Values: []int{8080}}
+		rule1, err = manager.AddFiltering(ip, "tcp", port, fw.DirectionDst, fw.ActionAccept, "accept HTTP traffic")
 		if err != nil {
 			t.Errorf("failed to add rule: %v", err)
+			return
 		}
 
 		checkRuleSpecs(t, ipv4Client, true, rule1.(*Rule).specs...)
@@ -35,13 +37,13 @@ func TestNewManager(t *testing.T) {
 	t.Run("add second rule", func(t *testing.T) {
 		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
-			Proto:  fw.PortProtocolTCP,
 			Values: []int{8043: 8046},
 		}
 		rule2, err = manager.AddFiltering(
-			ip, port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
+			ip, "tcp", port, fw.DirectionDst, fw.ActionAccept, "accept HTTPS traffic from ports range")
 		if err != nil {
 			t.Errorf("failed to add rule: %v", err)
+			return
 		}
 
 		checkRuleSpecs(t, ipv4Client, true, rule2.(*Rule).specs...)
@@ -58,6 +60,7 @@ func TestNewManager(t *testing.T) {
 	t.Run("delete second rule", func(t *testing.T) {
 		if err := manager.DeleteRule(rule2); err != nil {
 			t.Errorf("failed to delete rule: %v", err)
+			return
 		}
 
 		checkRuleSpecs(t, ipv4Client, false, rule2.(*Rule).specs...)
@@ -66,19 +69,22 @@ func TestNewManager(t *testing.T) {
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
 		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Proto: fw.PortProtocolUDP, Values: []int{5353}}
-		_, err = manager.AddFiltering(ip, port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
+		port := &fw.Port{Values: []int{5353}}
+		_, err = manager.AddFiltering(ip, "udp", port, fw.DirectionDst, fw.ActionAccept, "accept Fake DNS traffic")
 		if err != nil {
 			t.Errorf("failed to add rule: %v", err)
+			return
 		}
 
 		if err := manager.Reset(); err != nil {
 			t.Errorf("failed to reset: %v", err)
+			return
 		}
 
 		ok, err := ipv4Client.ChainExists("filter", ChainFilterName)
 		if err != nil {
 			t.Errorf("failed to drop chain: %v", err)
+			return
 		}
 
 		if ok {

client/firewall/port.go

@@ -1,14 +1,17 @@
 package firewall
 
-// PortProtocol is the protocol of the port
-type PortProtocol string
+// Protocol is the protocol of the port
+type Protocol string
 
 const (
-	// PortProtocolTCP is the TCP protocol
-	PortProtocolTCP PortProtocol = "tcp"
+	// ProtocolTCP is the TCP protocol
+	ProtocolTCP Protocol = "tcp"
 
-	// PortProtocolUDP is the UDP protocol
-	PortProtocolUDP PortProtocol = "udp"
+	// ProtocolUDP is the UDP protocol
+	ProtocolUDP Protocol = "udp"
+
+	// ProtocolICMP is the ICMP protocol
+	ProtocolICMP Protocol = "icmp"
 )
 
 // Port of the address for firewall rule
@@ -18,7 +21,4 @@ type Port struct {
 
 	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
 	Values []int
-
-	// Proto is the protocol of the port
-	Proto PortProtocol
 }

client/installer.nsis

@@ -193,7 +193,6 @@ ExecWait `taskkill /im ${UI_APP_EXE}.exe`
 Sleep 3000
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
-Delete "$INSTDIR\wintun.dll"
 RmDir /r "$INSTDIR"
 
 SetShellVarContext current

client/internal/config.go

@@ -27,7 +27,7 @@ const (
 )
 
 var defaultInterfaceBlacklist = []string{iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
-	"Tailscale", "tailscale", "docker", "veth", "br-", "lo"}
+	"Tailscale", "tailscale", "docker", "veth", "br-"}
 
 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {

client/internal/connect.go

@@ -13,7 +13,6 @@ import (
 	gstatus "google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/iface"
@@ -23,7 +22,7 @@ import (
 )
 
 // RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) error {
+func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter) error {
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
 		RandomizationFactor: 1,
@@ -59,6 +58,9 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		return err
 	}
 
+	statusRecorder.MarkManagementDisconnected()
+
+	statusRecorder.ClientStart()
 	defer statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
@@ -79,12 +81,12 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 
 		log.Debugf("conecting to the Management service %s", config.ManagementURL.Host)
 		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-		if err != nil {
-			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
-		}
 		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)
 
+		if err != nil {
+			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
+		}
 		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
 		defer func() {
 			err = mgmClient.Close()
@@ -108,7 +110,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: iface.WireGuardModuleIsLoaded(),
+			KernelInterface: iface.WireguardModuleIsLoaded(),
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
 
@@ -144,7 +146,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 
 		peerConfig := loginResp.GetPeerConfig()
 
-		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig, tunAdapter, iFaceDiscover)
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig, tunAdapter)
 		if err != nil {
 			log.Error(err)
 			return wrapErr(err)
@@ -160,10 +162,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
 		state.Set(StatusConnected)
 
-		statusRecorder.ClientStart()
-
 		<-engineCtx.Done()
-		statusRecorder.ClientTeardown()
 
 		backOff.Reset()
 
@@ -194,13 +193,12 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 }
 
 // createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*EngineConfig, error) {
+func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig, tunAdapter iface.TunAdapter) (*EngineConfig, error) {
 
 	engineConf := &EngineConfig{
 		WgIfaceName:          config.WgIface,
 		WgAddr:               peerConfig.Address,
 		TunAdapter:           tunAdapter,
-		IFaceDiscover:        iFaceDiscover,
 		IFaceBlackList:       config.IFaceBlackList,
 		DisableIPv6Discovery: config.DisableIPv6Discovery,
 		WgPrivateKey:         key,

client/internal/device_auth.go

@@ -34,10 +34,6 @@ type ProviderConfig struct {
 	TokenEndpoint string
 	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
 	DeviceAuthEndpoint string
-	// Scopes provides the scopes to be included in the token request
-	Scope string
-	// UseIDToken indicates if the id token should be used for authentication
-	UseIDToken bool
 }
 
 // GetDeviceAuthorizationFlowInfo initialize a DeviceAuthorizationFlow instance and return with it
@@ -95,16 +91,9 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmU
 			Domain:             protoDeviceAuthorizationFlow.GetProviderConfig().Domain,
 			TokenEndpoint:      protoDeviceAuthorizationFlow.GetProviderConfig().GetTokenEndpoint(),
 			DeviceAuthEndpoint: protoDeviceAuthorizationFlow.GetProviderConfig().GetDeviceAuthEndpoint(),
-			Scope:              protoDeviceAuthorizationFlow.GetProviderConfig().GetScope(),
-			UseIDToken:         protoDeviceAuthorizationFlow.GetProviderConfig().GetUseIDToken(),
 		},
 	}
 
-	// keep compatibility with older management versions
-	if deviceAuthorizationFlow.ProviderConfig.Scope == "" {
-		deviceAuthorizationFlow.ProviderConfig.Scope = "openid"
-	}
-
 	err = isProviderConfigValid(deviceAuthorizationFlow.ProviderConfig)
 	if err != nil {
 		return DeviceAuthorizationFlow{}, err
@@ -127,8 +116,5 @@ func isProviderConfigValid(config ProviderConfig) error {
 	if config.DeviceAuthEndpoint == "" {
 		return fmt.Errorf(errorMSGFormat, "Device Auth Endpoint")
 	}
-	if config.Scope == "" {
-		return fmt.Errorf(errorMSGFormat, "Device Auth Scopes")
-	}
 	return nil
 }

client/internal/dns/server_test.go

@@ -9,10 +9,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-
 	"github.com/miekg/dns"
-
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 )
@@ -202,11 +199,7 @@ func TestUpdateDNSServer(t *testing.T) {
 
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			newNet, err := stdnet.NewNet(nil)
-			if err != nil {
-				t.Fatal(err)
-			}
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil, newNet)
+			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil)
 			if err != nil {
 				t.Fatal(err)
 			}

client/internal/engine.go

@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"reflect"
 	"runtime"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -16,10 +17,11 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
@@ -49,8 +51,6 @@ type EngineConfig struct {
 	// TunAdapter is option. It is necessary for mobile version.
 	TunAdapter iface.TunAdapter
 
-	IFaceDiscover stdnet.ExternalIFaceDiscover
-
 	// WgAddr is a Wireguard local address (Netbird Network IP)
 	WgAddr string
 
@@ -114,7 +114,9 @@ type Engine struct {
 
 	statusRecorder *peer.Status
 
-	routeManager routemanager.Manager
+	routeManager    routemanager.Manager
+	firewallManager firewall.Manager
+	firewallRules   map[string]firewall.Rule
 
 	dnsServer dns.Server
 }
@@ -165,79 +167,72 @@ func (e *Engine) Stop() error {
 	return nil
 }
 
-// Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
+// Start creates a new Wireguard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
 func (e *Engine) Start() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
-	wgIFaceName := e.config.WgIfaceName
+	wgIfaceName := e.config.WgIfaceName
 	wgAddr := e.config.WgAddr
 	myPrivateKey := e.config.WgPrivateKey
 	var err error
-	transportNet, err := e.newStdNet()
+
+	e.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, e.config.TunAdapter)
 	if err != nil {
-		log.Warnf("failed to create pion's stdnet: %s", err)
-	}
-	e.wgInterface, err = iface.NewWGIFace(wgIFaceName, wgAddr, iface.DefaultMTU, e.config.TunAdapter, transportNet)
-	if err != nil {
-		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIFaceName, err.Error())
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIfaceName, err.Error())
 		return err
 	}
 
+	networkName := "udp"
+	if e.config.DisableIPv6Discovery {
+		networkName = "udp4"
+	}
+
+	e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
+	if err != nil {
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
+		e.close()
+		return err
+	}
+
+	e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
+	if err != nil {
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+		e.close()
+		return err
+	}
+
+	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
+	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
+
 	err = e.wgInterface.Create()
 	if err != nil {
-		log.Errorf("failed creating tunnel interface %s: [%s]", wgIFaceName, err.Error())
+		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
 		e.close()
 		return err
 	}
 
 	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
 	if err != nil {
-		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIFaceName, err.Error())
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
 		e.close()
 		return err
 	}
 
-	if e.wgInterface.IsUserspaceBind() {
-		iceBind := e.wgInterface.GetBind()
-		udpMux, err := iceBind.GetICEMux()
-		if err != nil {
-			e.close()
-			return err
-		}
-		e.udpMux = udpMux.UDPMuxDefault
-		e.udpMuxSrflx = udpMux
-		log.Infof("using userspace bind mode %s", udpMux.LocalAddr().String())
-	} else {
-		networkName := "udp"
-		if e.config.DisableIPv6Discovery {
-			networkName = "udp4"
-		}
-		e.udpMuxConn, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxPort})
-		if err != nil {
-			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
-			e.close()
-			return err
-		}
-		udpMuxParams := ice.UDPMuxParams{
-			UDPConn: e.udpMuxConn,
-			Net:     transportNet,
-		}
-		e.udpMux = ice.NewUDPMuxDefault(udpMuxParams)
-
-		e.udpMuxConnSrflx, err = net.ListenUDP(networkName, &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
-		if err != nil {
-			log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
-			e.close()
-			return err
-		}
-		e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx, Net: transportNet})
-	}
-
 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)
 
+	e.firewallManager, err = buildFirewallManager(wgIfaceName)
+	if err != nil {
+		log.Errorf("failed to create firewall manager, ACL policy will not work: %s", err.Error())
+	} else {
+		if err := e.firewallManager.Reset(); err != nil {
+			log.Tracef("failed to reset firewall manager on the start: %v", err.Error())
+		}
+	}
+	e.firewallRules = make(map[string]firewall.Rule)
+
 	if e.dnsServer == nil {
 		// todo fix custom address
 		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
@@ -504,7 +499,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	e.statusRecorder.UpdateLocalPeerState(peer.LocalPeerState{
 		IP:              e.config.WgAddr,
 		PubKey:          e.config.WgPrivateKey.PublicKey().String(),
-		KernelInterface: iface.WireGuardModuleIsLoaded(),
+		KernelInterface: iface.WireguardModuleIsLoaded(),
 		FQDN:            conf.GetFqdn(),
 	})
 
@@ -641,6 +636,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
+	e.applyFirewallRules(networkMap.FirewallRules)
 	e.networkSerial = serial
 	return nil
 }
@@ -808,6 +804,14 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 	stunTurn = append(stunTurn, e.STUNs...)
 	stunTurn = append(stunTurn, e.TURNs...)
 
+	proxyConfig := proxy.Config{
+		RemoteKey:    pubKey,
+		WgListenAddr: fmt.Sprintf("127.0.0.1:%d", e.config.WgPort),
+		WgInterface:  e.wgInterface,
+		AllowedIps:   allowedIPs,
+		PreSharedKey: e.config.PreSharedKey,
+	}
+
 	// randomize connection timeout
 	timeout := time.Duration(rand.Intn(PeerConnectionTimeoutMax-PeerConnectionTimeoutMin)+PeerConnectionTimeoutMin) * time.Millisecond
 	config := peer.ConnConfig{
@@ -819,12 +823,12 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		Timeout:              timeout,
 		UDPMux:               e.udpMux,
 		UDPMuxSrflx:          e.udpMuxSrflx,
+		ProxyConfig:          proxyConfig,
 		LocalWgPort:          e.config.WgPort,
 		NATExternalIPs:       e.parseNATExternalIPMappings(),
-		AllowedIPs:           allowedIPs,
 	}
 
-	peerConn, err := peer.NewConn(config, e.wgInterface, e.statusRecorder, e.config.TunAdapter, e.config.IFaceDiscover)
+	peerConn, err := peer.NewConn(config, e.statusRecorder)
 	if err != nil {
 		return nil, err
 	}
@@ -1006,6 +1010,12 @@ func (e *Engine) close() {
 		}
 	}
 
+	if e.udpMuxSrflx != nil {
+		if err := e.udpMuxSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux: %v", err)
+		}
+	}
+
 	if e.udpMuxConn != nil {
 		if err := e.udpMuxConn.Close(); err != nil {
 			log.Debugf("close udp mux connection: %v", err)
@@ -1033,6 +1043,92 @@ func (e *Engine) close() {
 		e.dnsServer.Stop()
 	}
 
+	if e.firewallManager != nil {
+		if err := e.firewallManager.Reset(); err != nil {
+			log.Warnf("failed resetting firewall: %v", err)
+		}
+	}
+}
+
+// applyFirewallRules to the local firewall manager processed by ACL policy.
+func (e *Engine) applyFirewallRules(rules []*mgmProto.FirewallRule) {
+	if e.firewallManager == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
+	for ruleID, rule := range e.firewallRules {
+		if err := e.firewallManager.DeleteRule(rule); err != nil {
+			log.Errorf("failed to delete firewall rule: %v", err)
+			continue
+		}
+		delete(e.firewallRules, ruleID)
+	}
+
+	for _, r := range rules {
+		if rule := e.protoRuleToFirewallRule(r); rule == nil {
+			log.Errorf("failed to apply firewall rule: %v", r)
+		}
+	}
+}
+
+func (e *Engine) protoRuleToFirewallRule(r *mgmProto.FirewallRule) firewall.Rule {
+	ip := net.ParseIP(r.PeerIP)
+	if ip == nil {
+		log.Error("invalid IP address, skipping firewall rule")
+		return nil
+	}
+
+	var port *firewall.Port
+	if r.Port != "" {
+		split := strings.Split(r.Port, "/")
+		// port can be empty, so ignore conversion error
+		value, _ := strconv.Atoi(split[0])
+		port = &firewall.Port{}
+		if value != 0 {
+			port.Values = []int{value}
+		}
+	}
+
+	var protocol firewall.Protocol
+	switch r.Protocol {
+	case "tcp":
+		protocol = firewall.ProtocolTCP
+	case "udp":
+		protocol = firewall.ProtocolUDP
+	case "icmp":
+		protocol = firewall.ProtocolICMP
+	}
+
+	var direction firewall.Direction
+	switch r.Direction {
+	case "src":
+		direction = firewall.DirectionSrc
+	case "dst":
+		direction = firewall.DirectionDst
+	default:
+		log.Error("invalid direction, skipping firewall rule")
+		return nil
+	}
+
+	var action firewall.Action
+	switch r.Action {
+	case "accept":
+		action = firewall.ActionAccept
+	case "drop":
+		action = firewall.ActionDrop
+	default:
+		log.Error("invalid action, skipping firewall rule")
+		return nil
+	}
+
+	rule, err := e.firewallManager.AddFiltering(ip, protocol, port, direction, action, "")
+	if err != nil {
+		log.Errorf("failed to add firewall rule: %v", err)
+		return nil
+	}
+	e.firewallRules[rule.GetRuleID()] = rule
+	return rule
 }
 
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {

client/internal/engine_stdnet.go

@@ -1,11 +0,0 @@
-//go:build !android
-
-package internal
-
-import (
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(e.config.IFaceBlackList)
-}

client/internal/engine_stdnet_android.go

@@ -1,7 +0,0 @@
-package internal
-
-import "github.com/netbirdio/netbird/client/internal/stdnet"
-
-func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(e.config.IFaceDiscover, e.config.IFaceBlackList)
-}

client/internal/engine_test.go

@@ -3,11 +3,10 @@ package internal
 import (
 	"context"
 	"fmt"
-	"github.com/netbirdio/netbird/iface/bind"
-	"github.com/pion/transport/v2/stdnet"
 	"net"
 	"net/netip"
 	"os"
+	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -22,6 +21,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
 
+	"github.com/netbirdio/netbird/client/firewall"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -30,6 +30,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/iface"
 	mgmt "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
@@ -209,23 +210,11 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		WgPrivateKey: key,
 		WgPort:       33100,
 	}, peer.NewRecorder("https://mgm"))
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU, nil, newNet)
-	if err != nil {
-		t.Fatal(err)
-	}
+	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU, nil)
 	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder)
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
-	conn, err := net.ListenUDP("udp4", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
 
 	type testCase struct {
 		name       string
@@ -563,11 +552,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 			}, peer.NewRecorder("https://mgm"))
-			newNet, err := stdnet.NewNet()
-			if err != nil {
-				t.Fatal(err)
-			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, newNet)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
 				inputSerial uint64
@@ -732,11 +717,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 			}, peer.NewRecorder("https://mgm"))
-			newNet, err := stdnet.NewNet()
-			if err != nil {
-				t.Fatal(err)
-			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, newNet)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil)
 			assert.NoError(t, err, "shouldn't return error")
 
 			mockRouteManager := &routemanager.MockManager{
@@ -960,6 +941,139 @@ func Test_ParseNATExternalIPMappings(t *testing.T) {
 	}
 }
 
+func TestEngine_firewallManager(t *testing.T) {
+	// TODO: enable when other platform will be added
+	if runtime.GOOS != "linux" {
+		t.Skipf("firewall manager not supported in the: %s", runtime.GOOS)
+		return
+	}
+
+	if _, err := exec.LookPath("iptables"); err != nil {
+		t.Skipf("iptables not found: %v", err)
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(CtxInitState(context.Background()), 10*time.Second)
+	defer cancel()
+
+	dir := t.TempDir()
+
+	err := util.CopyFileContents("../testdata/store.json", filepath.Join(dir, "store.json"))
+	if err != nil {
+		t.Errorf("copy temporary store file: %v", err)
+	}
+
+	sigServer, signalAddr, err := startSignal()
+	if err != nil {
+		t.Errorf("start signal server: %v", err)
+		return
+	}
+	defer sigServer.GracefulStop()
+
+	mgmtServer, mgmtAddr, err := startManagement(dir)
+	if err != nil {
+		t.Errorf("start management server: %v", err)
+		return
+	}
+	defer mgmtServer.GracefulStop()
+
+	setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
+
+	engine, err := createEngine(ctx, cancel, setupKey, 0, mgmtAddr, signalAddr)
+	if err != nil {
+		t.Errorf("create engine: %v", err)
+		return
+	}
+	engine.dnsServer = &dns.MockServer{}
+
+	if err := engine.Start(); err != nil {
+		t.Logf("start engine: %v", err)
+		return
+	}
+
+	defer func() {
+		if err := engine.mgmClient.Close(); err != nil {
+			t.Logf("close management client: %v", err)
+		}
+
+		if err := engine.Stop(); err != nil {
+			t.Logf("stop engine: %v", err)
+		}
+	}()
+
+	// wait 2 seconds until all management and signal processing will be finished
+	time.Sleep(2 * time.Second)
+
+	if engine.firewallManager == nil {
+		t.Errorf("firewall manager is nil")
+		return
+	}
+
+	fwRules := []*mgmProto.FirewallRule{
+		{
+			PeerID:    "test",
+			PeerIP:    "10.93.0.1",
+			Direction: "dst",
+			Action:    "accept",
+			Protocol:  "tcp",
+			Port:      "80",
+		},
+		{
+			PeerID:    "test2",
+			PeerIP:    "10.93.0.2",
+			Direction: "dst",
+			Action:    "drop",
+			Protocol:  "udp",
+			Port:      "53",
+		},
+	}
+
+	// we receive one rule from the management so for testing purposes ignore it
+	engine.firewallRules = make(map[string]firewall.Rule)
+
+	t.Run("apply firewall rules", func(t *testing.T) {
+		engine.applyFirewallRules(fwRules)
+
+		if len(engine.firewallRules) != 2 {
+			t.Errorf("firewall rules not applied: %v", engine.firewallRules)
+			return
+		}
+	})
+
+	t.Run("add extra rules", func(t *testing.T) {
+		// remove first rule
+		fwRules = fwRules[1:]
+		fwRules = append(fwRules, &mgmtProto.FirewallRule{
+			PeerID:    "test3",
+			PeerIP:    "10.93.0.3",
+			Direction: "src",
+			Action:    "drop",
+			Protocol:  "icmp",
+		})
+
+		existedRulesID := map[string]struct{}{}
+		for id := range engine.firewallRules {
+			existedRulesID[id] = struct{}{}
+		}
+
+		engine.applyFirewallRules(fwRules)
+
+		// we should have one old and one new rule in the existed rules
+		if len(engine.firewallRules) != 2 {
+			t.Errorf("firewall rules not applied")
+			return
+		}
+
+		// check that old rules was removed
+		for id := range existedRulesID {
+			if _, ok := engine.firewallRules[id]; ok {
+				t.Errorf("old rule was not removed")
+				return
+			}
+		}
+	})
+}
+
 func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mgmtAddr string, signalAddr string) (*Engine, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {

client/internal/firewall.go

@@ -0,0 +1,14 @@
+//go:build !linux
+
+package internal
+
+import (
+	"fmt"
+	"runtime"
+
+	"github.com/netbirdio/netbird/client/firewall"
+)
+
+func buildFirewallManager(wgIfaceName string) (fw firewall.Manager, err error) {
+	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
+}

client/internal/firewall_linux.go

@@ -0,0 +1,18 @@
+package internal
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/iptables"
+)
+
+// buildFirewallManager creates a firewall manager instance for the Linux
+func buildFirewallManager(wgIfaceName string) (firewall.Manager, error) {
+	fw, err := iptables.Create(wgIfaceName)
+	if err != nil {
+		log.Debugf("failed to create iptables manager: %s", err)
+		return nil, err
+	}
+	return fw, nil
+}

client/internal/oauth.go

@@ -35,6 +35,15 @@ type DeviceAuthInfo struct {
 	Interval                int    `json:"interval"`
 }
 
+// TokenInfo holds information of issued access token
+type TokenInfo struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
 // HostedGrantType grant type for device flow on Hosted
 const (
 	HostedGrantType    = "urn:ietf:params:oauth:grant-type:device_code"
@@ -43,7 +52,16 @@ const (
 
 // Hosted client
 type Hosted struct {
-	providerConfig ProviderConfig
+	// Hosted API Audience for validation
+	Audience string
+	// Hosted Native application client id
+	ClientID string
+	// Hosted Native application request scope
+	Scope string
+	// TokenEndpoint to request access token
+	TokenEndpoint string
+	// DeviceAuthEndpoint to request device authorization code
+	DeviceAuthEndpoint string
 
 	HTTPClient HTTPClient
 }
@@ -52,7 +70,7 @@ type Hosted struct {
 type RequestDeviceCodePayload struct {
 	Audience string `json:"audience"`
 	ClientID string `json:"client_id"`
-	Scope    string `json:"scope"`
+	Scope 	 string `json:"scope"`
 }
 
 // TokenRequestPayload used for requesting the auth0 token
@@ -75,26 +93,8 @@ type Claims struct {
 	Audience interface{} `json:"aud"`
 }
 
-// TokenInfo holds information of issued access token
-type TokenInfo struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	IDToken      string `json:"id_token"`
-	TokenType    string `json:"token_type"`
-	ExpiresIn    int    `json:"expires_in"`
-	UseIDToken   bool   `json:"-"`
-}
-
-// GetTokenToUse returns either the access or id token based on UseIDToken field
-func (t TokenInfo) GetTokenToUse() string {
-	if t.UseIDToken {
-		return t.IDToken
-	}
-	return t.AccessToken
-}
-
 // NewHostedDeviceFlow returns an Hosted OAuth client
-func NewHostedDeviceFlow(config ProviderConfig) *Hosted {
+func NewHostedDeviceFlow(audience string, clientID string, tokenEndpoint string, deviceAuthEndpoint string) *Hosted {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5
 
@@ -104,23 +104,27 @@ func NewHostedDeviceFlow(config ProviderConfig) *Hosted {
 	}
 
 	return &Hosted{
-		providerConfig: config,
-		HTTPClient:     httpClient,
+		Audience:           audience,
+		ClientID:           clientID,
+		Scope:              "openid",
+		TokenEndpoint:      tokenEndpoint,
+		HTTPClient:         httpClient,
+		DeviceAuthEndpoint: deviceAuthEndpoint,
 	}
 }
 
 // GetClientID returns the provider client id
 func (h *Hosted) GetClientID(ctx context.Context) string {
-	return h.providerConfig.ClientID
+	return h.ClientID
 }
 
 // RequestDeviceCode requests a device code login flow information from Hosted
 func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
 	form := url.Values{}
-	form.Add("client_id", h.providerConfig.ClientID)
-	form.Add("audience", h.providerConfig.Audience)
-	form.Add("scope", h.providerConfig.Scope)
-	req, err := http.NewRequest("POST", h.providerConfig.DeviceAuthEndpoint,
+	form.Add("client_id", h.ClientID)
+	form.Add("audience", h.Audience)
+	form.Add("scope", h.Scope)
+	req, err := http.NewRequest("POST", h.DeviceAuthEndpoint,
 		strings.NewReader(form.Encode()))
 	if err != nil {
 		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
@@ -153,10 +157,10 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
 
 func (h *Hosted) requestToken(info DeviceAuthInfo) (TokenRequestResponse, error) {
 	form := url.Values{}
-	form.Add("client_id", h.providerConfig.ClientID)
+	form.Add("client_id", h.ClientID)
 	form.Add("grant_type", HostedGrantType)
 	form.Add("device_code", info.DeviceCode)
-	req, err := http.NewRequest("POST", h.providerConfig.TokenEndpoint, strings.NewReader(form.Encode()))
+	req, err := http.NewRequest("POST", h.TokenEndpoint, strings.NewReader(form.Encode()))
 	if err != nil {
 		return TokenRequestResponse{}, fmt.Errorf("failed to create request access token: %v", err)
 	}
@@ -221,20 +225,18 @@ func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo,
 				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
 			}
 
+			err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+			}
+
 			tokenInfo := TokenInfo{
 				AccessToken:  tokenResponse.AccessToken,
 				TokenType:    tokenResponse.TokenType,
 				RefreshToken: tokenResponse.RefreshToken,
 				IDToken:      tokenResponse.IDToken,
 				ExpiresIn:    tokenResponse.ExpiresIn,
-				UseIDToken:   h.providerConfig.UseIDToken,
 			}
-
-			err = isValidAccessToken(tokenInfo.GetTokenToUse(), h.providerConfig.Audience)
-			if err != nil {
-				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
-			}
-
 			return tokenInfo, err
 		}
 	}

client/internal/oauth_test.go

@@ -3,15 +3,14 @@ package internal
 import (
 	"context"
 	"fmt"
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/golang-jwt/jwt"
-	"github.com/stretchr/testify/require"
 )
 
 type mockHTTPClient struct {
@@ -114,15 +113,12 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 			}
 
 			hosted := Hosted{
-				providerConfig: ProviderConfig{
-					Audience:           expectedAudience,
-					ClientID:           expectedClientID,
-					Scope:              expectedScope,
-					TokenEndpoint:      "test.hosted.com/token",
-					DeviceAuthEndpoint: "test.hosted.com/device/auth",
-					UseIDToken:         false,
-				},
-				HTTPClient: &httpClient,
+				Audience:           expectedAudience,
+				ClientID:           expectedClientID,
+				Scope:              expectedScope,
+				TokenEndpoint:      "test.hosted.com/token",
+				DeviceAuthEndpoint: "test.hosted.com/device/auth",
+				HTTPClient:         &httpClient,
 			}
 
 			authInfo, err := hosted.RequestDeviceCode(context.TODO())
@@ -279,15 +275,12 @@ func TestHosted_WaitToken(t *testing.T) {
 			}
 
 			hosted := Hosted{
-				providerConfig: ProviderConfig{
-					Audience:           testCase.inputAudience,
-					ClientID:           clientID,
-					TokenEndpoint:      "test.hosted.com/token",
-					DeviceAuthEndpoint: "test.hosted.com/device/auth",
-					Scope:              "openid",
-					UseIDToken:         false,
-				},
-				HTTPClient: &httpClient}
+				Audience:           testCase.inputAudience,
+				ClientID:           clientID,
+				TokenEndpoint:      "test.hosted.com/token",
+				DeviceAuthEndpoint: "test.hosted.com/device/auth",
+				HTTPClient:         &httpClient,
+			}
 
 			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
 			defer cancel()

client/internal/peer/conn.go

@@ -9,14 +9,15 @@ import (
 	"time"
 
 	"github.com/pion/ice/v2"
+	"github.com/pion/transport/v2/stdnet"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
 
 	"github.com/netbirdio/netbird/client/internal/proxy"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/version"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
-	"github.com/netbirdio/netbird/version"
 )
 
 // ConnConfig is a peer Connection configuration
@@ -37,14 +38,14 @@ type ConnConfig struct {
 
 	Timeout time.Duration
 
+	ProxyConfig proxy.Config
+
 	UDPMux      ice.UDPMux
 	UDPMuxSrflx ice.UniversalUDPMux
 
 	LocalWgPort int
 
 	NATExternalIPs []string
-
-	AllowedIPs string
 }
 
 // OfferAnswer represents a session establishment offer or answer
@@ -92,10 +93,6 @@ type Conn struct {
 	proxy        proxy.Proxy
 	remoteModeCh chan ModeMessage
 	meta         meta
-
-	wgIface       *iface.WGIface
-	adapter       iface.TunAdapter
-	iFaceDiscover stdnet.ExternalIFaceDiscover
 }
 
 // meta holds meta information about a connection
@@ -121,7 +118,7 @@ func (conn *Conn) UpdateConf(conf ConnConfig) {
 
 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig, wgIface *iface.WGIface, statusRecorder *Status, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
+func NewConn(config ConnConfig, statusRecorder *Status) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
@@ -131,20 +128,41 @@ func NewConn(config ConnConfig, wgIface *iface.WGIface, statusRecorder *Status,
 		remoteAnswerCh: make(chan OfferAnswer),
 		statusRecorder: statusRecorder,
 		remoteModeCh:   make(chan ModeMessage, 1),
-		adapter:        adapter,
-		iFaceDiscover:  iFaceDiscover,
-		wgIface:        wgIface,
 	}, nil
 }
 
+// interfaceFilter is a function passed to ICE Agent to filter out not allowed interfaces
+// to avoid building tunnel over them
+func interfaceFilter(blackList []string) func(string) bool {
+
+	return func(iFace string) bool {
+		for _, s := range blackList {
+			if strings.HasPrefix(iFace, s) {
+				log.Debugf("ignoring interface %s - it is not allowed", iFace)
+				return false
+			}
+		}
+		// look for unlisted WireGuard interfaces
+		wg, err := wgctrl.New()
+		if err != nil {
+			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+			return true
+		}
+		defer func() {
+			_ = wg.Close()
+		}()
+
+		_, err = wg.Device(iFace)
+		return err != nil
+	}
+}
+
 func (conn *Conn) reCreateAgent() error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
 
 	failedTimeout := 6 * time.Second
-
-	var err error
-	transportNet, err := conn.newStdNet()
+	transportNet, err := stdnet.NewNet()
 	if err != nil {
 		log.Warnf("failed to create pion's stdnet: %s", err)
 	}
@@ -154,7 +172,7 @@ func (conn *Conn) reCreateAgent() error {
 		Urls:             conn.config.StunTurn,
 		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
 		FailedTimeout:    &failedTimeout,
-		InterfaceFilter:  stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
+		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
 		UDPMux:           conn.config.UDPMux,
 		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
 		NAT1To1IPs:       conn.config.NATExternalIPs,
@@ -197,7 +215,7 @@ func (conn *Conn) Open() error {
 
 	peerState := State{PubKey: conn.config.Key}
 
-	peerState.IP = strings.Split(conn.config.AllowedIPs, "/")[0]
+	peerState.IP = strings.Split(conn.config.ProxyConfig.AllowedIps, "/")[0]
 	peerState.ConnStatusUpdate = time.Now()
 	peerState.ConnStatus = conn.status
 
@@ -294,7 +312,7 @@ func (conn *Conn) Open() error {
 		return err
 	}
 
-	if conn.proxy.Type() == proxy.TypeDirectNoProxy {
+	if conn.proxy.Type() == proxy.TypeNoProxy {
 		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
 		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
 		// direct Wireguard connection
@@ -316,21 +334,14 @@ func (conn *Conn) Open() error {
 
 // useProxy determines whether a direct connection (without a go proxy) is possible
 //
-// There are 3 cases:
+// There are 2 cases:
 //
 // * When neither candidate is from hard nat and one of the peers has a public IP
 //
 // * both peers are in the same private network
 //
-// * Local peer uses userspace interface with bind.ICEBind and is not relayed
-//
 // Please note, that this check happens when peers were already able to ping each other using ICE layer.
-func shouldUseProxy(pair *ice.CandidatePair, userspaceBind bool) bool {
-
-	if !isRelayCandidate(pair.Local) && userspaceBind {
-		return false
-	}
-
+func shouldUseProxy(pair *ice.CandidatePair) bool {
 	if !isHardNATCandidate(pair.Local) && isHostCandidateWithPublicIP(pair.Remote) {
 		return false
 	}
@@ -339,37 +350,13 @@ func shouldUseProxy(pair *ice.CandidatePair, userspaceBind bool) bool {
 		return false
 	}
 
-	if isHostCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) && isSameNetworkPrefix(pair) {
+	if isHostCandidateWithPrivateIP(pair.Local) && isHostCandidateWithPrivateIP(pair.Remote) {
 		return false
 	}
 
 	return true
 }
 
-func isSameNetworkPrefix(pair *ice.CandidatePair) bool {
-
-	localIPStr, _, err := net.SplitHostPort(pair.Local.Address())
-	if err != nil {
-		return false
-	}
-	remoteIPStr, _, err := net.SplitHostPort(pair.Remote.Address())
-	if err != nil {
-		return false
-	}
-	localIP := net.ParseIP(localIPStr)
-	remoteIP := net.ParseIP(remoteIPStr)
-	if localIP == nil || remoteIP == nil {
-		return false
-	}
-	// only consider /16 networks
-	mask := net.IPMask{255, 255, 0, 0}
-	return localIP.Mask(mask).Equal(remoteIP.Mask(mask))
-}
-
-func isRelayCandidate(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypeRelay
-}
-
 func isHardNATCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay || candidate.Type() == ice.CandidateTypePeerReflexive
 }
@@ -418,7 +405,7 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		peerState.Relayed = true
 	}
-	peerState.Direct = p.Type() == proxy.TypeDirectNoProxy
+	peerState.Direct = p.Type() == proxy.TypeNoProxy
 
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -429,7 +416,8 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 }
 
 func (conn *Conn) getProxyWithMessageExchange(pair *ice.CandidatePair, remoteWgPort int) proxy.Proxy {
-	useProxy := shouldUseProxy(pair, conn.wgIface.IsUserspaceBind())
+
+	useProxy := shouldUseProxy(pair)
 	localDirectMode := !useProxy
 	remoteDirectMode := localDirectMode
 
@@ -439,17 +427,13 @@ func (conn *Conn) getProxyWithMessageExchange(pair *ice.CandidatePair, remoteWgP
 		remoteDirectMode = conn.receiveRemoteDirectMode()
 	}
 
-	if conn.wgIface.IsUserspaceBind() && localDirectMode {
-		return proxy.NewNoProxy(conn.config.ProxyConfig)
-	}
-
 	if localDirectMode && remoteDirectMode {
-		//wgInterface *iface.WGIface, remoteKey string, allowedIps string, preSharedKey *wgtypes.Key, remoteWgPort int)
-		return proxy.NewDirectNoProxy(conn.wgIface, conn.config.Key, conn.config.AllowedIPs, remoteWgPort)
+		log.Debugf("using WireGuard direct mode with peer %s", conn.config.Key)
+		return proxy.NewNoProxy(conn.config.ProxyConfig, remoteWgPort)
 	}
 
 	log.Debugf("falling back to local proxy mode with peer %s", conn.config.Key)
-	return proxy.NewWireGuardProxy(conn.config.ProxyConfig)
+	return proxy.NewWireguardProxy(conn.config.ProxyConfig)
 }
 
 func (conn *Conn) sendLocalDirectMode(localMode bool) {

client/internal/peer/conn_test.go

@@ -1,7 +1,6 @@
 package peer
 
 import (
-	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"sync"
 	"testing"
 	"time"
@@ -29,7 +28,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 	ignore := []string{iface.WgInterfaceDefault, "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
 		"Tailscale", "tailscale"}
 
-	filter := stdnet.InterfaceFilter(ignore)
+	filter := interfaceFilter(ignore)
 
 	for _, s := range ignore {
 		assert.Equal(t, filter(s), false)
@@ -38,7 +37,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }
 
 func TestConn_GetKey(t *testing.T) {
-	conn, err := NewConn(connConf, nil, nil, nil)
+	conn, err := NewConn(connConf, nil)
 	if err != nil {
 		return
 	}
@@ -50,7 +49,7 @@ func TestConn_GetKey(t *testing.T) {
 
 func TestConn_OnRemoteOffer(t *testing.T) {
 
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"))
 	if err != nil {
 		return
 	}
@@ -84,7 +83,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 
 func TestConn_OnRemoteAnswer(t *testing.T) {
 
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"))
 	if err != nil {
 		return
 	}
@@ -117,7 +116,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 }
 func TestConn_Status(t *testing.T) {
 
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"))
 	if err != nil {
 		return
 	}
@@ -144,7 +143,7 @@ func TestConn_Status(t *testing.T) {
 
 func TestConn_Close(t *testing.T) {
 
-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf, NewRecorder("https://mgm"))
 	if err != nil {
 		return
 	}
@@ -203,13 +202,12 @@ func TestConn_ShouldUseProxy(t *testing.T) {
 	}
 	privateHostCandidate := &mockICECandidate{
 		AddressFunc: func() string {
-			return "10.0.0.1:44576"
+			return "10.0.0.1"
 		},
 		TypeFunc: func() ice.CandidateType {
 			return ice.CandidateTypeHost
 		},
 	}
-
 	srflxCandidate := &mockICECandidate{
 		AddressFunc: func() string {
 			return "1.1.1.1"
@@ -326,7 +324,7 @@ func TestConn_ShouldUseProxy(t *testing.T) {
 
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			result := shouldUseProxy(testCase.candatePair, false)
+			result := shouldUseProxy(testCase.candatePair)
 			if result != testCase.expected {
 				t.Errorf("got a different result. Expected %t Got %t", testCase.expected, result)
 			}
@@ -367,7 +365,7 @@ func TestGetProxyWithMessageExchange(t *testing.T) {
 			},
 			inputDirectModeSupport: true,
 			inputRemoteModeMessage: true,
-			expected:               proxy.TypeWireGuard,
+			expected:               proxy.TypeWireguard,
 		},
 		{
 			name: "Should Result In Using Wireguard Proxy When Remote Eval Is Use Proxy",
@@ -377,7 +375,7 @@ func TestGetProxyWithMessageExchange(t *testing.T) {
 			},
 			inputDirectModeSupport: true,
 			inputRemoteModeMessage: false,
-			expected:               proxy.TypeWireGuard,
+			expected:               proxy.TypeWireguard,
 		},
 		{
 			name: "Should Result In Using Wireguard Proxy When Remote Direct Mode Support Is False And Local Eval Is Use Proxy",
@@ -387,7 +385,7 @@ func TestGetProxyWithMessageExchange(t *testing.T) {
 			},
 			inputDirectModeSupport: false,
 			inputRemoteModeMessage: false,
-			expected:               proxy.TypeWireGuard,
+			expected:               proxy.TypeWireguard,
 		},
 		{
 			name: "Should Result In Using Direct When Remote Direct Mode Support Is False And Local Eval Is No Use Proxy",
@@ -397,7 +395,7 @@ func TestGetProxyWithMessageExchange(t *testing.T) {
 			},
 			inputDirectModeSupport: false,
 			inputRemoteModeMessage: false,
-			expected:               proxy.TypeDirectNoProxy,
+			expected:               proxy.TypeNoProxy,
 		},
 		{
 			name: "Should Result In Using Direct When Local And Remote Eval Is No Proxy",
@@ -407,13 +405,13 @@ func TestGetProxyWithMessageExchange(t *testing.T) {
 			},
 			inputDirectModeSupport: true,
 			inputRemoteModeMessage: true,
-			expected:               proxy.TypeDirectNoProxy,
+			expected:               proxy.TypeNoProxy,
 		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			g := errgroup.Group{}
-			conn, err := NewConn(connConf, nil, nil, nil)
+			conn, err := NewConn(connConf, nil)
 			if err != nil {
 				t.Fatal(err)
 			}

client/internal/peer/listener.go

@@ -5,7 +5,5 @@ type Listener interface {
 	OnConnected()
 	OnDisconnected()
 	OnConnecting()
-	OnDisconnecting()
-	OnAddressChanged(string, string)
 	OnPeersListChanged(int)
 }

client/internal/peer/notifier.go

@@ -8,135 +8,117 @@ const (
 	stateDisconnected = iota
 	stateConnected
 	stateConnecting
-	stateDisconnecting
 )
 
 type notifier struct {
 	serverStateLock    sync.Mutex
 	listenersLock      sync.Mutex
-	listener           Listener
+	listeners          map[Listener]struct{}
+	currentServerState bool
 	currentClientState bool
 	lastNotification   int
 }
 
 func newNotifier() *notifier {
-	return &notifier{}
+	return &notifier{
+		listeners: make(map[Listener]struct{}),
+	}
 }
 
-func (n *notifier) setListener(listener Listener) {
+func (n *notifier) addListener(listener Listener) {
 	n.listenersLock.Lock()
 	defer n.listenersLock.Unlock()
 
 	n.serverStateLock.Lock()
-	n.notifyListener(listener, n.lastNotification)
+	go n.notifyListener(listener, n.lastNotification)
 	n.serverStateLock.Unlock()
-
-	n.listener = listener
+	n.listeners[listener] = struct{}{}
 }
 
-func (n *notifier) removeListener() {
+func (n *notifier) removeListener(listener Listener) {
 	n.listenersLock.Lock()
 	defer n.listenersLock.Unlock()
-	n.listener = nil
+	delete(n.listeners, listener)
 }
 
 func (n *notifier) updateServerStates(mgmState bool, signalState bool) {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()
 
-	calculatedState := n.calculateState(mgmState, signalState)
+	var newState bool
+	if mgmState && signalState {
+		newState = true
+	} else {
+		newState = false
+	}
 
-	if !n.isServerStateChanged(calculatedState) {
+	if !n.isServerStateChanged(newState) {
 		return
 	}
 
-	n.lastNotification = calculatedState
+	n.currentServerState = newState
+	n.lastNotification = n.calculateState(newState, n.currentClientState)
 
-	n.notify(n.lastNotification)
+	go n.notifyAll(n.lastNotification)
 }
 
 func (n *notifier) clientStart() {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()
 	n.currentClientState = true
-	n.lastNotification = stateConnected
-	n.notify(n.lastNotification)
+	n.lastNotification = n.calculateState(n.currentServerState, true)
+	go n.notifyAll(n.lastNotification)
 }
 
 func (n *notifier) clientStop() {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()
 	n.currentClientState = false
-	n.lastNotification = stateDisconnected
-	n.notify(n.lastNotification)
+	n.lastNotification = n.calculateState(n.currentServerState, false)
+	go n.notifyAll(n.lastNotification)
 }
 
-func (n *notifier) clientTearDown() {
-	n.serverStateLock.Lock()
-	defer n.serverStateLock.Unlock()
-	n.currentClientState = false
-	n.lastNotification = stateDisconnecting
-	n.notify(n.lastNotification)
+func (n *notifier) isServerStateChanged(newState bool) bool {
+	return n.currentServerState != newState
 }
 
-func (n *notifier) isServerStateChanged(newState int) bool {
-	return n.lastNotification != newState
-}
-
-func (n *notifier) notify(state int) {
+func (n *notifier) notifyAll(state int) {
 	n.listenersLock.Lock()
 	defer n.listenersLock.Unlock()
-	if n.listener == nil {
-		return
+
+	for l := range n.listeners {
+		n.notifyListener(l, state)
 	}
-	n.notifyListener(n.listener, state)
 }
 
 func (n *notifier) notifyListener(l Listener, state int) {
-	go func() {
-		switch state {
-		case stateDisconnected:
-			l.OnDisconnected()
-		case stateConnected:
-			l.OnConnected()
-		case stateConnecting:
-			l.OnConnecting()
-		case stateDisconnecting:
-			l.OnDisconnecting()
-		}
-	}()
+	switch state {
+	case stateDisconnected:
+		l.OnDisconnected()
+	case stateConnected:
+		l.OnConnected()
+	case stateConnecting:
+		l.OnConnecting()
+	}
 }
 
-func (n *notifier) calculateState(managementConn, signalConn bool) int {
-	if managementConn && signalConn {
+func (n *notifier) calculateState(serverState bool, clientState bool) int {
+	if serverState && clientState {
 		return stateConnected
 	}
 
-	if !managementConn && !signalConn {
+	if !clientState {
 		return stateDisconnected
 	}
 
-	if n.lastNotification == stateDisconnecting {
-		return stateDisconnecting
-	}
-
 	return stateConnecting
 }
 
 func (n *notifier) peerListChanged(numOfPeers int) {
 	n.listenersLock.Lock()
 	defer n.listenersLock.Unlock()
-	if n.listener == nil {
-		return
-	}
-	n.listener.OnPeersListChanged(numOfPeers)
-}
 
-func (n *notifier) localAddressChanged(fqdn, address string) {
-	n.listenersLock.Lock()
-	defer n.listenersLock.Unlock()
-	if n.listener == nil {
-		return
+	for l := range n.listeners {
+		l.OnPeersListChanged(numOfPeers)
 	}
-	n.listener.OnAddressChanged(fqdn, address)
 }

client/internal/peer/notifier_test.go

@@ -1,97 +1,32 @@
 package peer
 
 import (
-	"sync"
 	"testing"
 )
 
-type mocListener struct {
-	lastState int
-	wg        sync.WaitGroup
-	peers     int
-}
-
-func (l *mocListener) OnConnected() {
-	l.lastState = stateConnected
-	l.wg.Done()
-}
-func (l *mocListener) OnDisconnected() {
-	l.lastState = stateDisconnected
-	l.wg.Done()
-}
-func (l *mocListener) OnConnecting() {
-	l.lastState = stateConnecting
-	l.wg.Done()
-}
-func (l *mocListener) OnDisconnecting() {
-	l.lastState = stateDisconnecting
-	l.wg.Done()
-}
-
-func (l *mocListener) OnAddressChanged(host, addr string) {
-
-}
-func (l *mocListener) OnPeersListChanged(size int) {
-	l.peers = size
-}
-
-func (l *mocListener) setWaiter() {
-	l.wg.Add(1)
-}
-
-func (l *mocListener) wait() {
-	l.wg.Wait()
-}
-
 func Test_notifier_serverState(t *testing.T) {
 
 	type scenario struct {
 		name        string
-		expected    int
+		expected    bool
 		mgmState    bool
 		signalState bool
 	}
 	scenarios := []scenario{
-		{"connected", stateConnected, true, true},
-		{"mgm down", stateConnecting, false, true},
-		{"signal down", stateConnecting, true, false},
-		{"disconnected", stateDisconnected, false, false},
+		{"connected", true, true, true},
+		{"mgm down", false, false, true},
+		{"signal down", false, true, false},
+		{"disconnected", false, false, false},
 	}
 
 	for _, tt := range scenarios {
 		t.Run(tt.name, func(t *testing.T) {
 			n := newNotifier()
 			n.updateServerStates(tt.mgmState, tt.signalState)
-			if n.lastNotification != tt.expected {
-				t.Errorf("invalid serverstate: %d, expected: %d", n.lastNotification, tt.expected)
+			if n.currentServerState != tt.expected {
+				t.Errorf("invalid serverstate: %t, expected: %t", n.currentServerState, tt.expected)
 			}
+
 		})
 	}
 }
-
-func Test_notifier_SetListener(t *testing.T) {
-	listener := &mocListener{}
-	listener.setWaiter()
-
-	n := newNotifier()
-	n.lastNotification = stateConnecting
-	n.setListener(listener)
-	listener.wait()
-	if listener.lastState != n.lastNotification {
-		t.Errorf("invalid state: %d, expected: %d", listener.lastState, n.lastNotification)
-	}
-}
-
-func Test_notifier_RemoveListener(t *testing.T) {
-	listener := &mocListener{}
-	listener.setWaiter()
-	n := newNotifier()
-	n.lastNotification = stateConnecting
-	n.setListener(listener)
-	n.removeListener()
-	n.peerListChanged(1)
-
-	if listener.peers != 0 {
-		t.Errorf("invalid state: %d", listener.peers)
-	}
-}

client/internal/peer/status.go

@@ -190,7 +190,6 @@ func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	defer d.mux.Unlock()
 
 	d.localPeer = localPeerState
-	d.notifyAddressChanged()
 }
 
 // CleanLocalPeerState cleans local peer status
@@ -199,7 +198,6 @@ func (d *Status) CleanLocalPeerState() {
 	defer d.mux.Unlock()
 
 	d.localPeer = LocalPeerState{}
-	d.notifyAddressChanged()
 }
 
 // MarkManagementDisconnected sets ManagementState to disconnected
@@ -217,7 +215,7 @@ func (d *Status) MarkManagementConnected() {
 	defer d.mux.Unlock()
 	defer d.onConnectionChanged()
 
-	d.managementState = true
+    d.managementState = true
 }
 
 // UpdateSignalAddress update the address of the signal server
@@ -240,7 +238,7 @@ func (d *Status) MarkSignalDisconnected() {
 	defer d.mux.Unlock()
 	defer d.onConnectionChanged()
 
-	d.signalState = false
+    d.signalState = false
 }
 
 // MarkSignalConnected sets SignalState to connected
@@ -288,19 +286,14 @@ func (d *Status) ClientStop() {
 	d.notifier.clientStop()
 }
 
-// ClientTeardown will notify all listeners about the service is under teardown
-func (d *Status) ClientTeardown() {
-	d.notifier.clientTearDown()
+// AddConnectionListener add a listener to the notifier
+func (d *Status) AddConnectionListener(listener Listener) {
+	d.notifier.addListener(listener)
 }
 
-// SetConnectionListener set a listener to the notifier
-func (d *Status) SetConnectionListener(listener Listener) {
-	d.notifier.setListener(listener)
-}
-
-// RemoveConnectionListener remove the listener from the notifier
-func (d *Status) RemoveConnectionListener() {
-	d.notifier.removeListener()
+// RemoveConnectionListener remove a listener from the notifier
+func (d *Status) RemoveConnectionListener(listener Listener) {
+	d.notifier.removeListener(listener)
 }
 
 func (d *Status) onConnectionChanged() {
@@ -310,7 +303,3 @@ func (d *Status) onConnectionChanged() {
 func (d *Status) notifyPeerListChanged() {
 	d.notifier.peerListChanged(len(d.peers))
 }
-
-func (d *Status) notifyAddressChanged() {
-	d.notifier.localAddressChanged(d.localPeer.FQDN, d.localPeer.IP)
-}

client/internal/peer/stdnet.go

@@ -1,11 +0,0 @@
-//go:build !android
-
-package peer
-
-import (
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-func (conn *Conn) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(conn.config.InterfaceBlackList)
-}

client/internal/peer/stdnet_android.go

@@ -1,7 +0,0 @@
-package peer
-
-import "github.com/netbirdio/netbird/client/internal/stdnet"
-
-func (conn *Conn) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(conn.iFaceDiscover, conn.config.InterfaceBlackList)
-}

client/internal/proxy/direct.go

@@ -1,67 +0,0 @@
-package proxy
-
-import (
-	"net"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/iface"
-)
-
-// DirectNoProxy is used when there is no need for a proxy between ICE and WireGuard.
-// This is possible in either of these cases:
-// - peers are in the same local network
-// - one of the peers has a public static IP (host)
-// DirectNoProxy will just update remote peer with a remote host and fixed WireGuard port (r.g. 51820).
-// In order DirectNoProxy to work, WireGuard port has to be fixed for the time being.
-type DirectNoProxy struct {
-	wgInterface *iface.WGIface
-
-	remoteKey  string
-	allowedIps string
-
-	// RemoteWgListenPort is a WireGuard port of a remote peer.
-	// It is used instead of the hardcoded 51820 port.
-	remoteWgListenPort int
-}
-
-// NewDirectNoProxy creates a new DirectNoProxy with a provided config and remote peer's WireGuard listen port
-func NewDirectNoProxy(wgInterface *iface.WGIface, remoteKey string, allowedIps string, remoteWgPort int) *DirectNoProxy {
-	return &DirectNoProxy{
-		wgInterface:        wgInterface,
-		remoteKey:          remoteKey,
-		allowedIps:         allowedIps,
-		remoteWgListenPort: remoteWgPort}
-}
-
-// Close removes peer from the WireGuard interface
-func (p *DirectNoProxy) Close() error {
-	err := p.wgInterface.RemovePeer(p.remoteKey)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// Start just updates WireGuard peer with the remote IP and default WireGuard port
-func (p *DirectNoProxy) Start(remoteConn net.Conn) error {
-
-	log.Debugf("using DirectNoProxy while connecting to peer %s", p.remoteKey)
-	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
-	if err != nil {
-		return err
-	}
-	addr.Port = p.remoteWgListenPort
-	err = p.wgInterface.UpdatePeer(p.remoteKey, p.allowedIps, addr)
-
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// Type returns the type of this proxy
-func (p *DirectNoProxy) Type() Type {
-	return TypeDirectNoProxy
-}

client/internal/proxy/noproxy.go

@@ -5,18 +5,24 @@ import (
 	"net"
 )
 
-// NoProxy is used just to configure WireGuard without any local proxy in between.
-// Used when the WireGuard interface is userspace and uses bind.ICEBind
+// NoProxy is used when there is no need for a proxy between ICE and Wireguard.
+// This is possible in either of these cases:
+// - peers are in the same local network
+// - one of the peers has a public static IP (host)
+// NoProxy will just update remote peer with a remote host and fixed Wireguard port (r.g. 51820).
+// In order NoProxy to work, Wireguard port has to be fixed for the time being.
 type NoProxy struct {
 	config Config
+	// RemoteWgListenPort is a WireGuard port of a remote peer.
+	// It is used instead of the hardcoded 51820 port.
+	RemoteWgListenPort int
 }
 
-// NewNoProxy creates a new NoProxy with a provided config
-func NewNoProxy(config Config) *NoProxy {
-	return &NoProxy{config: config}
+// NewNoProxy creates a new NoProxy with a provided config and remote peer's WireGuard listen port
+func NewNoProxy(config Config, remoteWgPort int) *NoProxy {
+	return &NoProxy{config: config, RemoteWgListenPort: remoteWgPort}
 }
 
-// Close removes peer from the WireGuard interface
 func (p *NoProxy) Close() error {
 	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
 	if err != nil {
@@ -25,16 +31,23 @@ func (p *NoProxy) Close() error {
 	return nil
 }
 
-// Start just updates WireGuard peer with the remote address
+// Start just updates Wireguard peer with the remote IP and default Wireguard port
 func (p *NoProxy) Start(remoteConn net.Conn) error {
 
-	log.Debugf("using NoProxy to connect to peer %s at %s", p.config.RemoteKey, remoteConn.RemoteAddr().String())
+	log.Debugf("using NoProxy while connecting to peer %s", p.config.RemoteKey)
 	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
 	if err != nil {
 		return err
 	}
-	return p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+	addr.Port = p.RemoteWgListenPort
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
 		addr, p.config.PreSharedKey)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
 }
 
 func (p *NoProxy) Type() Type {

client/internal/proxy/proxy.go

@@ -1,19 +1,31 @@
 package proxy
 
 import (
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"io"
 	"net"
+	"time"
 )
 
+const DefaultWgKeepAlive = 25 * time.Second
+
 type Type string
 
 const (
-	TypeDirectNoProxy Type = "DirectNoProxy"
-	TypeWireGuard     Type = "WireGuard"
-	TypeDummy         Type = "Dummy"
-	TypeNoProxy       Type = "NoProxy"
+	TypeNoProxy   Type = "NoProxy"
+	TypeWireguard Type = "Wireguard"
+	TypeDummy     Type = "Dummy"
 )
 
+type Config struct {
+	WgListenAddr string
+	RemoteKey    string
+	WgInterface  *iface.WGIface
+	AllowedIps   string
+	PreSharedKey *wgtypes.Key
+}
+
 type Proxy interface {
 	io.Closer
 	// Start creates a local remoteConn and starts proxying data from/to remoteConn

client/internal/proxy/wireguard.go

@@ -6,8 +6,8 @@ import (
 	"net"
 )
 
-// WireGuardProxy proxies
-type WireGuardProxy struct {
+// WireguardProxy proxies
+type WireguardProxy struct {
 	ctx    context.Context
 	cancel context.CancelFunc
 
@@ -17,13 +17,13 @@ type WireGuardProxy struct {
 	localConn  net.Conn
 }
 
-func NewWireGuardProxy(config Config) *WireGuardProxy {
-	p := &WireGuardProxy{config: config}
+func NewWireguardProxy(config Config) *WireguardProxy {
+	p := &WireguardProxy{config: config}
 	p.ctx, p.cancel = context.WithCancel(context.Background())
 	return p
 }
 
-func (p *WireGuardProxy) updateEndpoint() error {
+func (p *WireguardProxy) updateEndpoint() error {
 	udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
 	if err != nil {
 		return err
@@ -38,7 +38,7 @@ func (p *WireGuardProxy) updateEndpoint() error {
 	return nil
 }
 
-func (p *WireGuardProxy) Start(remoteConn net.Conn) error {
+func (p *WireguardProxy) Start(remoteConn net.Conn) error {
 	p.remoteConn = remoteConn
 
 	var err error
@@ -60,7 +60,7 @@ func (p *WireGuardProxy) Start(remoteConn net.Conn) error {
 	return nil
 }
 
-func (p *WireGuardProxy) Close() error {
+func (p *WireguardProxy) Close() error {
 	p.cancel()
 	if c := p.localConn; c != nil {
 		err := p.localConn.Close()
@@ -77,7 +77,7 @@ func (p *WireGuardProxy) Close() error {
 
 // proxyToRemote proxies everything from Wireguard to the RemoteKey peer
 // blocks
-func (p *WireGuardProxy) proxyToRemote() {
+func (p *WireguardProxy) proxyToRemote() {
 
 	buf := make([]byte, 1500)
 	for {
@@ -101,7 +101,7 @@ func (p *WireGuardProxy) proxyToRemote() {
 
 // proxyToLocal proxies everything from the RemoteKey peer to local Wireguard
 // blocks
-func (p *WireGuardProxy) proxyToLocal() {
+func (p *WireguardProxy) proxyToLocal() {
 
 	buf := make([]byte, 1500)
 	for {
@@ -123,6 +123,6 @@ func (p *WireGuardProxy) proxyToLocal() {
 	}
 }
 
-func (p *WireGuardProxy) Type() Type {
-	return TypeWireGuard
+func (p *WireguardProxy) Type() Type {
+	return TypeWireguard
 }

client/internal/routemanager/manager_test.go

@@ -3,7 +3,6 @@ package routemanager
 import (
 	"context"
 	"fmt"
-	"github.com/pion/transport/v2/stdnet"
 	"net/netip"
 	"runtime"
 	"testing"
@@ -392,11 +391,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			newNet, err := stdnet.NewNet()
-			if err != nil {
-				t.Fatal(err)
-			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU, nil, newNet)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", iface.DefaultMTU, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()
 

client/internal/routemanager/systemops_test.go

@@ -3,7 +3,6 @@ package routemanager
 import (
 	"fmt"
 	"github.com/netbirdio/netbird/iface"
-	"github.com/pion/transport/v2/stdnet"
 	"github.com/stretchr/testify/require"
 	"net"
 	"net/netip"
@@ -33,11 +32,7 @@ func TestAddRemoveRoutes(t *testing.T) {
 
 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			newNet, err := stdnet.NewNet()
-			if err != nil {
-				t.Fatal(err)
-			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU, nil, newNet)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun53%d", n), "100.65.75.2/24", iface.DefaultMTU, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()
 

client/internal/stdnet/discover.go

@@ -1,14 +0,0 @@
-package stdnet
-
-import "github.com/pion/transport/v2"
-
-// ExternalIFaceDiscover provide an option for external services (mobile)
-// to collect network interface information
-type ExternalIFaceDiscover interface {
-	// IFaces return with the description of the interfaces
-	IFaces() (string, error)
-}
-
-type iFaceDiscover interface {
-	iFaces() ([]*transport.Interface, error)
-}

client/internal/stdnet/discover_mobile.go

@@ -1,95 +0,0 @@
-package stdnet
-
-import (
-	"fmt"
-	"net"
-	"strings"
-
-	"github.com/pion/transport/v2"
-	log "github.com/sirupsen/logrus"
-)
-
-type mobileIFaceDiscover struct {
-	externalDiscover ExternalIFaceDiscover
-}
-
-func newMobileIFaceDiscover(externalDiscover ExternalIFaceDiscover) *mobileIFaceDiscover {
-	return &mobileIFaceDiscover{
-		externalDiscover: externalDiscover,
-	}
-}
-
-func (m *mobileIFaceDiscover) iFaces() ([]*transport.Interface, error) {
-	ifacesString, err := m.externalDiscover.IFaces()
-	if err != nil {
-		return nil, err
-	}
-	interfaces := m.parseInterfacesString(ifacesString)
-	return interfaces, nil
-}
-
-func (m *mobileIFaceDiscover) parseInterfacesString(interfaces string) []*transport.Interface {
-	ifs := []*transport.Interface{}
-
-	for _, iface := range strings.Split(interfaces, "\n") {
-		if strings.TrimSpace(iface) == "" {
-			continue
-		}
-
-		fields := strings.Split(iface, "|")
-		if len(fields) != 2 {
-			log.Warnf("parseInterfacesString: unable to split %q", iface)
-			continue
-		}
-
-		var name string
-		var index, mtu int
-		var up, broadcast, loopback, pointToPoint, multicast bool
-		_, err := fmt.Sscanf(fields[0], "%s %d %d %t %t %t %t %t",
-			&name, &index, &mtu, &up, &broadcast, &loopback, &pointToPoint, &multicast)
-		if err != nil {
-			log.Warnf("parseInterfacesString: unable to parse %q: %v", iface, err)
-			continue
-		}
-
-		newIf := net.Interface{
-			Name:  name,
-			Index: index,
-			MTU:   mtu,
-		}
-		if up {
-			newIf.Flags |= net.FlagUp
-		}
-		if broadcast {
-			newIf.Flags |= net.FlagBroadcast
-		}
-		if loopback {
-			newIf.Flags |= net.FlagLoopback
-		}
-		if pointToPoint {
-			newIf.Flags |= net.FlagPointToPoint
-		}
-		if multicast {
-			newIf.Flags |= net.FlagMulticast
-		}
-
-		ifc := transport.NewInterface(newIf)
-
-		addrs := strings.Trim(fields[1], " \n")
-		foundAddress := false
-		for _, addr := range strings.Split(addrs, " ") {
-			ip, ipNet, err := net.ParseCIDR(addr)
-			if err != nil {
-				log.Warnf("%s", err)
-				continue
-			}
-			ipNet.IP = ip
-			ifc.AddAddress(ipNet)
-			foundAddress = true
-		}
-		if foundAddress {
-			ifs = append(ifs, ifc)
-		}
-	}
-	return ifs
-}

client/internal/stdnet/discover_mobile_test.go

@@ -1,68 +0,0 @@
-package stdnet
-
-import (
-	"fmt"
-	"testing"
-)
-
-func Test_parseInterfacesString(t *testing.T) {
-	testData := []struct {
-		name         string
-		index        int
-		mtu          int
-		up           bool
-		broadcast    bool
-		loopBack     bool
-		pointToPoint bool
-		multicast    bool
-		addr         string
-	}{
-		{"wlan0", 30, 1500, true, true, false, false, true, "10.1.10.131/24"},
-		{"rmnet0", 30, 1500, true, true, false, false, true, "192.168.0.56/24"},
-		{"rmnet_data1", 30, 1500, true, true, false, false, true, "fec0::118c:faf7:8d97:3cb2/64"},
-	}
-
-	var exampleString string
-	for _, d := range testData {
-		exampleString = fmt.Sprintf("%s\n%s %d %d %t %t %t %t %t | %s", exampleString,
-			d.name,
-			d.index,
-			d.mtu,
-			d.up,
-			d.broadcast,
-			d.loopBack,
-			d.pointToPoint,
-			d.multicast,
-			d.addr)
-	}
-
-	d := mobileIFaceDiscover{}
-	nets := d.parseInterfacesString(exampleString)
-	if len(nets) == 0 {
-		t.Fatalf("failed to parse interfaces")
-	}
-
-	for i, net := range nets {
-		if net.MTU != testData[i].mtu {
-			t.Errorf("invalid mtu: %d, expected: %d", net.MTU, testData[0].mtu)
-
-		}
-
-		if net.Interface.Name != testData[i].name {
-			t.Errorf("invalid interface name: %s, expected: %s", net.Interface.Name, testData[i].name)
-		}
-
-		addr, err := net.Addrs()
-		if err != nil {
-			t.Fatal(err)
-		}
-
-		if len(addr) == 0 {
-			t.Errorf("invalid address parsing")
-		}
-
-		if addr[0].String() != testData[i].addr {
-			t.Errorf("invalid address: %s, expected: %s", addr[0].String(), testData[i].addr)
-		}
-	}
-}

client/internal/stdnet/discover_pion.go

@@ -1,36 +0,0 @@
-package stdnet
-
-import (
-	"net"
-
-	"github.com/pion/transport/v2"
-)
-
-type pionDiscover struct {
-}
-
-func (d pionDiscover) iFaces() ([]*transport.Interface, error) {
-	ifs := []*transport.Interface{}
-
-	oifs, err := net.Interfaces()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, oif := range oifs {
-		ifc := transport.NewInterface(oif)
-
-		addrs, err := oif.Addrs()
-		if err != nil {
-			return nil, err
-		}
-
-		for _, addr := range addrs {
-			ifc.AddAddress(addr)
-		}
-
-		ifs = append(ifs, ifc)
-	}
-
-	return ifs, nil
-}

client/internal/stdnet/filter.go

@@ -1,40 +0,0 @@
-package stdnet
-
-import (
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl"
-)
-
-// InterfaceFilter is a function passed to ICE Agent to filter out not allowed interfaces
-// to avoid building tunnel over them.
-func InterfaceFilter(disallowList []string) func(string) bool {
-
-	return func(iFace string) bool {
-
-		if strings.HasPrefix(iFace, "lo") {
-			// hardcoded loopback check to support already installed agents
-			return false
-		}
-
-		for _, s := range disallowList {
-			if strings.HasPrefix(iFace, s) {
-				log.Debugf("ignoring interface %s - it is not allowed", iFace)
-				return false
-			}
-		}
-		// look for unlisted WireGuard interfaces
-		wg, err := wgctrl.New()
-		if err != nil {
-			log.Debugf("trying to create a wgctrl client failed with: %v", err)
-			return true
-		}
-		defer func() {
-			_ = wg.Close()
-		}()
-
-		_, err = wg.Device(iFace)
-		return err != nil
-	}
-}

client/internal/stdnet/stdnet.go

@@ -1,97 +0,0 @@
-// Package stdnet is an extension of the pion's stdnet.
-// With it the list of the interface can come from external source.
-// More info: https://github.com/golang/go/issues/40569
-package stdnet
-
-import (
-	"fmt"
-
-	"github.com/pion/transport/v2"
-	"github.com/pion/transport/v2/stdnet"
-)
-
-// Net is an implementation of the net.Net interface
-// based on functions of the standard net package.
-type Net struct {
-	stdnet.Net
-	interfaces    []*transport.Interface
-	iFaceDiscover iFaceDiscover
-	// interfaceFilter should return true if the given interfaceName is allowed
-	interfaceFilter func(interfaceName string) bool
-}
-
-// NewNetWithDiscover creates a new StdNet instance.
-func NewNetWithDiscover(iFaceDiscover ExternalIFaceDiscover, disallowList []string) (*Net, error) {
-	n := &Net{
-		iFaceDiscover:   newMobileIFaceDiscover(iFaceDiscover),
-		interfaceFilter: InterfaceFilter(disallowList),
-	}
-	return n, n.UpdateInterfaces()
-}
-
-// NewNet creates a new StdNet instance.
-func NewNet(disallowList []string) (*Net, error) {
-	n := &Net{
-		iFaceDiscover:   pionDiscover{},
-		interfaceFilter: InterfaceFilter(disallowList),
-	}
-	return n, n.UpdateInterfaces()
-}
-
-// UpdateInterfaces updates the internal list of network interfaces
-// and associated addresses filtering them by name.
-// The interfaces are discovered by an external iFaceDiscover function or by a default discoverer if the external one
-// wasn't specified.
-func (n *Net) UpdateInterfaces() (err error) {
-	allIfaces, err := n.iFaceDiscover.iFaces()
-	if err != nil {
-		return err
-	}
-	n.interfaces = n.filterInterfaces(allIfaces)
-	return nil
-}
-
-// Interfaces returns a slice of interfaces which are available on the
-// system
-func (n *Net) Interfaces() ([]*transport.Interface, error) {
-	return n.interfaces, nil
-}
-
-// InterfaceByIndex returns the interface specified by index.
-//
-// On Solaris, it returns one of the logical network interfaces
-// sharing the logical data link; for more precision use
-// InterfaceByName.
-func (n *Net) InterfaceByIndex(index int) (*transport.Interface, error) {
-	for _, ifc := range n.interfaces {
-		if ifc.Index == index {
-			return ifc, nil
-		}
-	}
-
-	return nil, fmt.Errorf("%w: index=%d", transport.ErrInterfaceNotFound, index)
-}
-
-// InterfaceByName returns the interface specified by name.
-func (n *Net) InterfaceByName(name string) (*transport.Interface, error) {
-	for _, ifc := range n.interfaces {
-		if ifc.Name == name {
-			return ifc, nil
-		}
-	}
-
-	return nil, fmt.Errorf("%w: %s", transport.ErrInterfaceNotFound, name)
-}
-
-func (n *Net) filterInterfaces(interfaces []*transport.Interface) []*transport.Interface {
-	if n.interfaceFilter == nil {
-		return interfaces
-	}
-	result := []*transport.Interface{}
-	for _, iface := range interfaces {
-		if n.interfaceFilter(iface.Name) {
-			result = append(result, iface)
-		}
-	}
-	return result
-}

client/resources.rc

@@ -6,4 +6,4 @@
 #define EXPAND(x) STRINGIZE(x)
 CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
 7 ICON ui/netbird.ico
-wintun.dll RCDATA wintun.dll
+wireguard.dll RCDATA wireguard.dll

client/server/server.go

@@ -78,7 +78,7 @@ func (s *Server) Start() error {
 	// on failure we return error to retry
 	config, err := internal.UpdateConfig(s.latestConfigInput)
 	if errorStatus, ok := gstatus.FromError(err); ok && errorStatus.Code() == codes.NotFound {
-		s.config, err = internal.UpdateOrCreateConfig(s.latestConfigInput)
+		config, err = internal.UpdateOrCreateConfig(s.latestConfigInput)
 		if err != nil {
 			log.Warnf("unable to create configuration file: %v", err)
 			return err
@@ -102,7 +102,7 @@ func (s *Server) Start() error {
 	}
 
 	go func() {
-		if err := internal.RunClient(ctx, config, s.statusRecorder, nil, nil); err != nil {
+		if err := internal.RunClient(ctx, config, s.statusRecorder, nil); err != nil {
 			log.Errorf("init connections: %v", err)
 		}
 	}()
@@ -223,7 +223,12 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 			}
 		}
 
-		hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+		hostedClient := internal.NewHostedDeviceFlow(
+			providerConfig.ProviderConfig.Audience,
+			providerConfig.ProviderConfig.ClientID,
+			providerConfig.ProviderConfig.TokenEndpoint,
+			providerConfig.ProviderConfig.DeviceAuthEndpoint,
+		)
 
 		if s.oauthAuthFlow.client != nil && s.oauthAuthFlow.client.GetClientID(ctx) == hostedClient.GetClientID(context.TODO()) {
 			if s.oauthAuthFlow.expiresAt.After(time.Now().Add(90 * time.Second)) {
@@ -339,7 +344,7 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 	s.oauthAuthFlow.expiresAt = time.Now()
 	s.mutex.Unlock()
 
-	if loginStatus, err := s.loginAttempt(ctx, "", tokenInfo.GetTokenToUse()); err != nil {
+	if loginStatus, err := s.loginAttempt(ctx, "", tokenInfo.AccessToken); err != nil {
 		state.Set(loginStatus)
 		return nil, err
 	}
@@ -389,7 +394,7 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 	}
 
 	go func() {
-		if err := internal.RunClient(ctx, s.config, s.statusRecorder, nil, nil); err != nil {
+		if err := internal.RunClient(ctx, s.config, s.statusRecorder, nil); err != nil {
 			log.Errorf("run client connection: %v", err)
 			return
 		}

client/system/info_android.go

@@ -34,7 +34,7 @@ func GetInfo(ctx context.Context) *Info {
 func extractDeviceName(ctx context.Context) string {
 	v, ok := ctx.Value(DeviceNameCtxKey).(string)
 	if !ok {
-		return "android"
+		return ""
 	}
 	return v
 }

client/wireguard_nt.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+ldir=$PWD
+tmp_dir_path=$ldir/.distfiles
+winnt=wireguard-nt.zip
+download_file_path=$tmp_dir_path/$winnt
+download_url=https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip
+download_sha=772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605
+
+function resources_windows(){
+  cmd=$1
+  arch=$2
+  out=$3
+  docker run -i --rm -v $PWD:$PWD -w $PWD mstorsjo/llvm-mingw:latest $cmd -O coff -c 65001 -I $tmp_dir_path/wireguard-nt/bin/$arch -i resources.rc -o $out
+}
+
+mkdir -p $tmp_dir_path
+curl -L#o $download_file_path.unverified $download_url
+echo "$download_sha  $download_file_path.unverified" | sha256sum -c
+mv $download_file_path.unverified $download_file_path
+
+mkdir -p .deps
+unzip $download_file_path -d $tmp_dir_path
+
+resources_windows i686-w64-mingw32-windres x86 resources_windows_386.syso
+resources_windows aarch64-w64-mingw32-windres arm64 resources_windows_arm64.syso
+resources_windows x86_64-w64-mingw32-windres amd64 resources_windows_amd64.syso

encryption/encryption.go

@@ -3,13 +3,10 @@ package encryption
 import (
 	"crypto/rand"
 	"fmt"
-
 	"golang.org/x/crypto/nacl/box"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-const nonceSize = 24
-
 // A set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service or Management Service
 // These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
 // Wireguard keys are used for encryption
@@ -29,11 +26,8 @@ func Decrypt(encryptedMsg []byte, peerPublicKey wgtypes.Key, privateKey wgtypes.
 	if err != nil {
 		return nil, err
 	}
-	if len(encryptedMsg) < nonceSize {
-		return nil, fmt.Errorf("invalid encrypted message lenght")
-	}
-	copy(nonce[:], encryptedMsg[:nonceSize])
-	opened, ok := box.Open(nil, encryptedMsg[nonceSize:], nonce, toByte32(peerPublicKey), toByte32(privateKey))
+	copy(nonce[:], encryptedMsg[:24])
+	opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peerPublicKey), toByte32(privateKey))
 	if !ok {
 		return nil, fmt.Errorf("failed to decrypt message from peer %s", peerPublicKey.String())
 	}
@@ -42,8 +36,8 @@ func Decrypt(encryptedMsg []byte, peerPublicKey wgtypes.Key, privateKey wgtypes.
 }
 
 // Generates nonce of size 24
-func genNonce() (*[nonceSize]byte, error) {
-	var nonce [nonceSize]byte
+func genNonce() (*[24]byte, error) {
+	var nonce [24]byte
 	if _, err := rand.Read(nonce[:]); err != nil {
 		return nil, err
 	}

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/vishvananda/netlink v1.1.0
 	golang.org/x/crypto v0.7.0
 	golang.org/x/sys v0.6.0
-	golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675
+	golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
 	golang.zx2c4.com/wireguard/windows v0.5.1
 	google.golang.org/grpc v1.52.3
@@ -37,7 +37,6 @@ require (
 	github.com/getlantern/systray v1.2.1
 	github.com/gliderlabs/ssh v0.3.4
 	github.com/godbus/dbus/v5 v5.1.0
-	github.com/google/go-cmp v0.5.9
 	github.com/google/nftables v0.0.0-20220808154552-2eca00135732
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.6.0
@@ -48,8 +47,6 @@ require (
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/open-policy-agent/opa v0.49.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
-	github.com/pion/logging v0.2.2
-	github.com/pion/stun v0.4.0
 	github.com/pion/transport/v2 v2.0.2
 	github.com/prometheus/client_golang v1.14.0
 	github.com/rs/xid v1.3.0
@@ -58,7 +55,6 @@ require (
 	go.opentelemetry.io/otel/exporters/prometheus v0.33.0
 	go.opentelemetry.io/otel/metric v0.33.0
 	go.opentelemetry.io/otel/sdk/metric v0.33.0
-	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf
 	golang.org/x/net v0.8.0
 	golang.org/x/sync v0.1.0
 	golang.org/x/term v0.6.0
@@ -93,6 +89,7 @@ require (
 	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/goki/freetype v0.0.0-20181231101311-fa8a33aabaff // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/gopacket v1.1.19 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -105,8 +102,10 @@ require (
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pegasus-kv/thrift v0.13.0 // indirect
 	github.com/pion/dtls/v2 v2.2.6 // indirect
+	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/mdns v0.0.7 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
+	github.com/pion/stun v0.4.0 // indirect
 	github.com/pion/turn/v2 v2.1.0 // indirect
 	github.com/pion/udp/v2 v2.0.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -127,10 +126,12 @@ require (
 	go.opentelemetry.io/otel v1.11.1 // indirect
 	go.opentelemetry.io/otel/sdk v1.11.1 // indirect
 	go.opentelemetry.io/otel/trace v1.11.1 // indirect
+	golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf // indirect
 	golang.org/x/image v0.0.0-20200430140353-33d19683fad8 // indirect
 	golang.org/x/mod v0.8.0 // indirect
 	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
+	golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d // indirect
 	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect

go.sum

@@ -881,12 +881,13 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d h1:9+v0G0naRhLPOJEeJOL6NuXTtAHHwmkyZlgQJ0XcQ8I=
 golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
 golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard v0.0.0-20211129173154-2dd424e2d808/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
-golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675 h1:/J/RVnr7ng4fWPRH3xa4WtBJ1Jp+Auu4YNLmGiPv5QU=
-golang.zx2c4.com/wireguard v0.0.0-20230223181233-21636207a675/go.mod h1:whfbyDBt09xhCYQWtO2+3UVjlaq6/9hDZrjg2ZE6SyA=
+golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434 h1:3zl8RkJNQ8wfPRomwv/6DBbH2Ut6dgMaWTxM0ZunWnE=
+golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de h1:qDZ+lyO5jC9RNJ7ANJA0GWXk3pSn0Fu5SlcAIlgw+6w=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de/go.mod h1:Q2XNgour4QSkFj0BWCkVlW0HWJwQgNMsMahpSlI0Eno=
 golang.zx2c4.com/wireguard/windows v0.5.1 h1:OnYw96PF+CsIMrqWo5QP3Q59q5hY1rFErk/yN3cS+JQ=

iface/bind/bind.go

@@ -1,208 +0,0 @@
-package bind
-
-import (
-	"errors"
-	"fmt"
-	"github.com/pion/stun"
-	"github.com/pion/transport/v2"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-	"net"
-	"net/netip"
-	"sync"
-	"syscall"
-)
-
-// ICEBind is the userspace implementation of WireGuard's conn.Bind interface using ice.UDPMux of the pion/ice library
-type ICEBind struct {
-	// below fields, initialized on open
-	sharedConn net.PacketConn
-	udpMux     *UniversalUDPMuxDefault
-
-	// below are fields initialized on creation
-	transportNet transport.Net
-	mu           sync.Mutex
-}
-
-// NewICEBind create a new instance of ICEBind with a given transportNet and an interfaceFilter function.
-// The interfaceFilter function is used to exclude interfaces from hole punching (the IPs of that interfaces won't be used as connection candidates)
-// The transportNet can be nil.
-func NewICEBind(transportNet transport.Net) *ICEBind {
-	return &ICEBind{
-		transportNet: transportNet,
-		mu:           sync.Mutex{},
-	}
-}
-
-// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (b *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.udpMux == nil {
-		return nil, fmt.Errorf("ICEBind has not been initialized yet")
-	}
-
-	return b.udpMux, nil
-}
-
-// Open creates a WireGuard socket and an instance of UDPMux that is used to glue up ICE and WireGuard for hole punching
-func (b *ICEBind) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	if b.sharedConn != nil {
-		return nil, 0, conn.ErrBindAlreadyOpen
-	}
-
-	ipv4Conn, _, err := listenNet("udp4", int(uport))
-	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
-		return nil, 0, err
-	}
-	b.sharedConn = ipv4Conn
-	b.udpMux = NewUniversalUDPMuxDefault(UniversalUDPMuxParams{UDPConn: b.sharedConn, Net: b.transportNet})
-
-	portAddr1, err := netip.ParseAddrPort(ipv4Conn.LocalAddr().String())
-	if err != nil {
-		return nil, 0, err
-	}
-
-	log.Infof("opened ICEBind on %s", ipv4Conn.LocalAddr().String())
-
-	return []conn.ReceiveFunc{
-			b.makeReceiveIPv4(b.sharedConn),
-		},
-		portAddr1.Port(), nil
-}
-
-func listenNet(network string, port int) (*net.UDPConn, int, error) {
-	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
-	if err != nil {
-		return nil, 0, err
-	}
-
-	// Retrieve port.
-	laddr := conn.LocalAddr()
-	uaddr, err := net.ResolveUDPAddr(
-		laddr.Network(),
-		laddr.String(),
-	)
-	if err != nil {
-		return nil, 0, err
-	}
-	return conn, uaddr.Port, nil
-}
-
-func parseSTUNMessage(raw []byte) (*stun.Message, error) {
-	msg := &stun.Message{
-		Raw: append([]byte{}, raw...),
-	}
-	if err := msg.Decode(); err != nil {
-		return nil, err
-	}
-
-	return msg, nil
-}
-
-func (b *ICEBind) makeReceiveIPv4(c net.PacketConn) conn.ReceiveFunc {
-	return func(buff []byte) (int, conn.Endpoint, error) {
-		n, endpoint, err := c.ReadFrom(buff)
-		if err != nil {
-			return 0, nil, err
-		}
-		e, err := netip.ParseAddrPort(endpoint.String())
-		if err != nil {
-			return 0, nil, err
-		}
-		if !stun.IsMessage(buff[:20]) {
-			// WireGuard traffic
-			return n, (conn.StdNetEndpoint)(netip.AddrPortFrom(e.Addr(), e.Port())), nil
-		}
-
-		msg, err := parseSTUNMessage(buff[:n])
-		if err != nil {
-			return 0, nil, err
-		}
-
-		err = b.udpMux.HandleSTUNMessage(msg, endpoint)
-		if err != nil {
-			log.Warnf("failed to handle packet")
-		}
-
-		// discard packets because they are STUN related
-		return 0, nil, nil //todo proper return
-	}
-}
-
-// Close closes the WireGuard socket and UDPMux
-func (b *ICEBind) Close() error {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	var err1, err2 error
-	if b.sharedConn != nil {
-		c := b.sharedConn
-		b.sharedConn = nil
-		err1 = c.Close()
-	}
-
-	if b.udpMux != nil {
-		m := b.udpMux
-		b.udpMux = nil
-		err2 = m.Close()
-	}
-
-	if err1 != nil {
-		return err1
-	}
-
-	return err2
-}
-
-// SetMark sets the mark for each packet sent through this Bind.
-// This mark is passed to the kernel as the socket option SO_MARK.
-func (b *ICEBind) SetMark(mark uint32) error {
-	return nil
-}
-
-// Send bytes to the remote endpoint (peer)
-func (b *ICEBind) Send(buff []byte, endpoint conn.Endpoint) error {
-
-	nend, ok := endpoint.(conn.StdNetEndpoint)
-	if !ok {
-		return conn.ErrWrongEndpointType
-	}
-	addrPort := netip.AddrPort(nend)
-	_, err := b.sharedConn.WriteTo(buff, &net.UDPAddr{
-		IP:   addrPort.Addr().AsSlice(),
-		Port: int(addrPort.Port()),
-		Zone: addrPort.Addr().Zone(),
-	})
-	return err
-}
-
-// ParseEndpoint creates a new endpoint from a string.
-func (b *ICEBind) ParseEndpoint(s string) (ep conn.Endpoint, err error) {
-	e, err := netip.ParseAddrPort(s)
-	return asEndpoint(e), err
-}
-
-// endpointPool contains a re-usable set of mapping from netip.AddrPort to Endpoint.
-// This exists to reduce allocations: Putting a netip.AddrPort in an Endpoint allocates,
-// but Endpoints are immutable, so we can re-use them.
-var endpointPool = sync.Pool{
-	New: func() any {
-		return make(map[netip.AddrPort]conn.Endpoint)
-	},
-}
-
-// asEndpoint returns an Endpoint containing ap.
-func asEndpoint(ap netip.AddrPort) conn.Endpoint {
-	m := endpointPool.Get().(map[netip.AddrPort]conn.Endpoint)
-	defer endpointPool.Put(m)
-	e, ok := m[ap]
-	if !ok {
-		e = conn.Endpoint(conn.StdNetEndpoint(ap))
-		m[ap] = e
-	}
-	return e
-}

iface/bind/udp_mux.go

@@ -1,444 +0,0 @@
-package bind
-
-import (
-	"fmt"
-	"github.com/pion/ice/v2"
-	"github.com/pion/stun"
-	"github.com/pion/transport/v2/stdnet"
-	log "github.com/sirupsen/logrus"
-	"io"
-	"net"
-	"strings"
-	"sync"
-
-	"github.com/pion/logging"
-	"github.com/pion/transport/v2"
-)
-
-/*
- Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements
-*/
-
-const receiveMTU = 8192
-
-// UDPMuxDefault is an implementation of the interface
-type UDPMuxDefault struct {
-	params UDPMuxParams
-
-	closedChan chan struct{}
-	closeOnce  sync.Once
-
-	// connsIPv4 and connsIPv6 are maps of all udpMuxedConn indexed by ufrag|network|candidateType
-	connsIPv4, connsIPv6 map[string]*udpMuxedConn
-
-	addressMapMu sync.RWMutex
-	addressMap   map[string][]*udpMuxedConn
-
-	// buffer pool to recycle buffers for net.UDPAddr encodes/decodes
-	pool *sync.Pool
-
-	mu sync.Mutex
-
-	// for UDP connection listen at unspecified address
-	localAddrsForUnspecified []net.Addr
-}
-
-const maxAddrSize = 512
-
-// UDPMuxParams are parameters for UDPMux.
-type UDPMuxParams struct {
-	Logger  logging.LeveledLogger
-	UDPConn net.PacketConn
-
-	// Required for gathering local addresses
-	// in case a un UDPConn is passed which does not
-	// bind to a specific local address.
-	Net             transport.Net
-	InterfaceFilter func(interfaceName string) bool
-}
-
-func localInterfaces(n transport.Net, interfaceFilter func(string) bool, ipFilter func(net.IP) bool, networkTypes []ice.NetworkType, includeLoopback bool) ([]net.IP, error) { //nolint:gocognit
-	ips := []net.IP{}
-	ifaces, err := n.Interfaces()
-	if err != nil {
-		return ips, err
-	}
-
-	var IPv4Requested, IPv6Requested bool
-	for _, typ := range networkTypes {
-		if typ.IsIPv4() {
-			IPv4Requested = true
-		}
-
-		if typ.IsIPv6() {
-			IPv6Requested = true
-		}
-	}
-
-	for _, iface := range ifaces {
-		if iface.Flags&net.FlagUp == 0 {
-			continue // interface down
-		}
-		if (iface.Flags&net.FlagLoopback != 0) && !includeLoopback {
-			continue // loopback interface
-		}
-
-		if interfaceFilter != nil && !interfaceFilter(iface.Name) {
-			continue
-		}
-
-		addrs, err := iface.Addrs()
-		if err != nil {
-			continue
-		}
-
-		for _, addr := range addrs {
-			var ip net.IP
-			switch addr := addr.(type) {
-			case *net.IPNet:
-				ip = addr.IP
-			case *net.IPAddr:
-				ip = addr.IP
-			}
-			if ip == nil || (ip.IsLoopback() && !includeLoopback) {
-				continue
-			}
-
-			if ipv4 := ip.To4(); ipv4 == nil {
-				if !IPv6Requested {
-					continue
-				} else if !isSupportedIPv6(ip) {
-					continue
-				}
-			} else if !IPv4Requested {
-				continue
-			}
-
-			if ipFilter != nil && !ipFilter(ip) {
-				continue
-			}
-
-			ips = append(ips, ip)
-		}
-	}
-	return ips, nil
-}
-
-// The conditions of invalidation written below are defined in
-// https://tools.ietf.org/html/rfc8445#section-5.1.1.1
-func isSupportedIPv6(ip net.IP) bool {
-	if len(ip) != net.IPv6len ||
-		isZeros(ip[0:12]) || // !(IPv4-compatible IPv6)
-		ip[0] == 0xfe && ip[1]&0xc0 == 0xc0 || // !(IPv6 site-local unicast)
-		ip.IsLinkLocalUnicast() ||
-		ip.IsLinkLocalMulticast() {
-		return false
-	}
-	return true
-}
-
-func isZeros(ip net.IP) bool {
-	for i := 0; i < len(ip); i++ {
-		if ip[i] != 0 {
-			return false
-		}
-	}
-	return true
-}
-
-// NewUDPMuxDefault creates an implementation of UDPMux
-func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
-	if params.Logger == nil {
-		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
-	}
-
-	var localAddrsForUnspecified []net.Addr
-	if addr, ok := params.UDPConn.LocalAddr().(*net.UDPAddr); !ok {
-		params.Logger.Errorf("LocalAddr is not a net.UDPAddr, got %T", params.UDPConn.LocalAddr())
-	} else if ok && addr.IP.IsUnspecified() {
-		// For unspecified addresses, the correct behavior is to return errListenUnspecified, but
-		// it will break the applications that are already using unspecified UDP connection
-		// with UDPMuxDefault, so print a warn log and create a local address list for mux.
-		params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
-		var networks []ice.NetworkType
-		switch {
-		case addr.IP.To4() != nil:
-			networks = []ice.NetworkType{ice.NetworkTypeUDP4}
-
-		case addr.IP.To16() != nil:
-			networks = []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6}
-
-		default:
-			params.Logger.Errorf("LocalAddr expected IPV4 or IPV6, got %T", params.UDPConn.LocalAddr())
-		}
-		if len(networks) > 0 {
-			if params.Net == nil {
-				var err error
-				if params.Net, err = stdnet.NewNet(); err != nil {
-					params.Logger.Errorf("failed to get create network: %v", err)
-				}
-			}
-
-			ips, err := localInterfaces(params.Net, params.InterfaceFilter, nil, networks, true)
-			if err == nil {
-				for _, ip := range ips {
-					localAddrsForUnspecified = append(localAddrsForUnspecified, &net.UDPAddr{IP: ip, Port: addr.Port})
-				}
-			} else {
-				params.Logger.Errorf("failed to get local interfaces for unspecified addr: %v", err)
-			}
-		}
-	}
-
-	return &UDPMuxDefault{
-		addressMap: map[string][]*udpMuxedConn{},
-		params:     params,
-		connsIPv4:  make(map[string]*udpMuxedConn),
-		connsIPv6:  make(map[string]*udpMuxedConn),
-		closedChan: make(chan struct{}, 1),
-		pool: &sync.Pool{
-			New: func() interface{} {
-				// big enough buffer to fit both packet and address
-				return newBufferHolder(receiveMTU + maxAddrSize)
-			},
-		},
-		localAddrsForUnspecified: localAddrsForUnspecified,
-	}
-}
-
-// LocalAddr returns the listening address of this UDPMuxDefault
-func (m *UDPMuxDefault) LocalAddr() net.Addr {
-	return m.params.UDPConn.LocalAddr()
-}
-
-// GetListenAddresses returns the list of addresses that this mux is listening on
-func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
-	if len(m.localAddrsForUnspecified) > 0 {
-		return m.localAddrsForUnspecified
-	}
-
-	return []net.Addr{m.LocalAddr()}
-}
-
-// GetConn returns a PacketConn given the connection's ufrag and network address
-// creates the connection if an existing one can't be found
-func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, error) {
-
-	var isIPv6 bool
-	if udpAddr, _ := addr.(*net.UDPAddr); udpAddr != nil && udpAddr.IP.To4() == nil {
-		isIPv6 = true
-	}
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if m.IsClosed() {
-		return nil, io.ErrClosedPipe
-	}
-
-	if conn, ok := m.getConn(ufrag, isIPv6); ok {
-		return conn, nil
-	}
-
-	c := m.createMuxedConn(ufrag)
-	go func() {
-		<-c.CloseChannel()
-		m.RemoveConnByUfrag(ufrag)
-	}()
-
-	if isIPv6 {
-		m.connsIPv6[ufrag] = c
-	} else {
-		m.connsIPv4[ufrag] = c
-	}
-
-	return c, nil
-}
-
-// RemoveConnByUfrag stops and removes the muxed packet connection
-func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
-	removedConns := make([]*udpMuxedConn, 0, 2)
-
-	// Keep lock section small to avoid deadlock with conn lock
-	m.mu.Lock()
-	if c, ok := m.connsIPv4[ufrag]; ok {
-		delete(m.connsIPv4, ufrag)
-		removedConns = append(removedConns, c)
-	}
-	if c, ok := m.connsIPv6[ufrag]; ok {
-		delete(m.connsIPv6, ufrag)
-		removedConns = append(removedConns, c)
-	}
-	m.mu.Unlock()
-
-	if len(removedConns) == 0 {
-		// No need to lock if no connection was found
-		return
-	}
-
-	m.addressMapMu.Lock()
-	defer m.addressMapMu.Unlock()
-
-	for _, c := range removedConns {
-		addresses := c.getAddresses()
-		for _, addr := range addresses {
-			if connList, ok := m.addressMap[addr]; ok {
-				var newList []*udpMuxedConn
-				for _, conn := range connList {
-					if conn.params.Key != ufrag {
-						newList = append(newList, conn)
-					}
-				}
-				m.addressMap[addr] = newList
-			}
-		}
-	}
-}
-
-// IsClosed returns true if the mux had been closed
-func (m *UDPMuxDefault) IsClosed() bool {
-	select {
-	case <-m.closedChan:
-		return true
-	default:
-		return false
-	}
-}
-
-// Close the mux, no further connections could be created
-func (m *UDPMuxDefault) Close() error {
-	var err error
-	m.closeOnce.Do(func() {
-		m.mu.Lock()
-		defer m.mu.Unlock()
-
-		for _, c := range m.connsIPv4 {
-			_ = c.Close()
-		}
-		for _, c := range m.connsIPv6 {
-			_ = c.Close()
-		}
-
-		m.connsIPv4 = make(map[string]*udpMuxedConn)
-		m.connsIPv6 = make(map[string]*udpMuxedConn)
-
-		close(m.closedChan)
-
-		_ = m.params.UDPConn.Close()
-	})
-	return err
-}
-
-func (m *UDPMuxDefault) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
-	return m.params.UDPConn.WriteTo(buf, rAddr)
-}
-
-func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string) {
-	if m.IsClosed() {
-		return
-	}
-
-	m.addressMapMu.Lock()
-	defer m.addressMapMu.Unlock()
-
-	existing, ok := m.addressMap[addr]
-	if !ok {
-		existing = []*udpMuxedConn{}
-	}
-	existing = append(existing, conn)
-	m.addressMap[addr] = existing
-
-	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
-}
-
-func (m *UDPMuxDefault) createMuxedConn(key string) *udpMuxedConn {
-	c := newUDPMuxedConn(&udpMuxedConnParams{
-		Mux:       m,
-		Key:       key,
-		AddrPool:  m.pool,
-		LocalAddr: m.LocalAddr(),
-		Logger:    m.params.Logger,
-	})
-	return c
-}
-
-// HandleSTUNMessage handles STUN packets and forwards them to underlying pion/ice library
-func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
-
-	remoteAddr, ok := addr.(*net.UDPAddr)
-	if !ok {
-		return fmt.Errorf("underlying PacketConn did not return a UDPAddr")
-	}
-
-	// If we have already seen this address dispatch to the appropriate destination
-	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
-	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
-	// We will then forward STUN packets to each of these connections.
-	m.addressMapMu.Lock()
-	var destinationConnList []*udpMuxedConn
-	if storedConns, ok := m.addressMap[addr.String()]; ok {
-		destinationConnList = append(destinationConnList, storedConns...)
-	}
-	m.addressMapMu.Unlock()
-
-	var isIPv6 bool
-	if udpAddr, _ := addr.(*net.UDPAddr); udpAddr != nil && udpAddr.IP.To4() == nil {
-		isIPv6 = true
-	}
-
-	// This block is needed to discover Peer Reflexive Candidates for which we don't know the Endpoint upfront.
-	// However, we can take a username attribute from the STUN message which contains ufrag.
-	// We can use ufrag to identify the destination conn to route packet to.
-	attr, stunAttrErr := msg.Get(stun.AttrUsername)
-	if stunAttrErr == nil {
-		ufrag := strings.Split(string(attr), ":")[0]
-
-		m.mu.Lock()
-		destinationConn := m.connsIPv4[ufrag]
-		if isIPv6 {
-			destinationConn = m.connsIPv6[ufrag]
-		}
-
-		if destinationConn != nil {
-			exists := false
-			for _, conn := range destinationConnList {
-				if conn.params.Key == destinationConn.params.Key {
-					exists = true
-					break
-				}
-			}
-			if !exists {
-				destinationConnList = append(destinationConnList, destinationConn)
-			}
-		}
-		m.mu.Unlock()
-	}
-
-	// Forward STUN packets to each destination connections even thought the STUN packet might not belong there.
-	// It will be discarded by the further ICE candidate logic if so.
-	for _, conn := range destinationConnList {
-		if err := conn.writePacket(msg.Raw, remoteAddr); err != nil {
-			log.Errorf("could not write packet: %v", err)
-		}
-	}
-
-	return nil
-}
-
-func (m *UDPMuxDefault) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
-	if isIPv6 {
-		val, ok = m.connsIPv6[ufrag]
-	} else {
-		val, ok = m.connsIPv4[ufrag]
-	}
-	return
-}
-
-type bufferHolder struct {
-	buf []byte
-}
-
-func newBufferHolder(size int) *bufferHolder {
-	return &bufferHolder{
-		buf: make([]byte, size),
-	}
-}

iface/bind/udp_mux_universal.go

@@ -1,253 +0,0 @@
-package bind
-
-/*
- Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements.
-*/
-
-import (
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"net"
-	"time"
-
-	"github.com/pion/logging"
-	"github.com/pion/stun"
-	"github.com/pion/transport/v2"
-)
-
-// UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn
-// It then passes packets to the UDPMux that does the actual connection muxing.
-type UniversalUDPMuxDefault struct {
-	*UDPMuxDefault
-	params UniversalUDPMuxParams
-
-	// since we have a shared socket, for srflx candidates it makes sense to have a shared mapped address across all the agents
-	// stun.XORMappedAddress indexed by the STUN server addr
-	xorMappedMap map[string]*xorMapped
-}
-
-// UniversalUDPMuxParams are parameters for UniversalUDPMux server reflexive.
-type UniversalUDPMuxParams struct {
-	Logger                logging.LeveledLogger
-	UDPConn               net.PacketConn
-	XORMappedAddrCacheTTL time.Duration
-	Net                   transport.Net
-}
-
-// NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
-func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDefault {
-	if params.Logger == nil {
-		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
-	}
-	if params.XORMappedAddrCacheTTL == 0 {
-		params.XORMappedAddrCacheTTL = time.Second * 25
-	}
-
-	m := &UniversalUDPMuxDefault{
-		params:       params,
-		xorMappedMap: make(map[string]*xorMapped),
-	}
-
-	// wrap UDP connection, process server reflexive messages
-	// before they are passed to the UDPMux connection handler (connWorker)
-	m.params.UDPConn = &udpConn{
-		PacketConn: params.UDPConn,
-		mux:        m,
-		logger:     params.Logger,
-	}
-
-	// embed UDPMux
-	udpMuxParams := UDPMuxParams{
-		Logger:  params.Logger,
-		UDPConn: m.params.UDPConn,
-		Net:     m.params.Net,
-	}
-	m.UDPMuxDefault = NewUDPMuxDefault(udpMuxParams)
-
-	return m
-}
-
-// udpConn is a wrapper around UDPMux conn that overrides ReadFrom and handles STUN/TURN packets
-type udpConn struct {
-	net.PacketConn
-	mux    *UniversalUDPMuxDefault
-	logger logging.LeveledLogger
-}
-
-// GetListenAddresses returns the listen addr of this UDP
-func (m *UniversalUDPMuxDefault) GetListenAddresses() []net.Addr {
-	return []net.Addr{m.LocalAddr()}
-}
-
-// GetRelayedAddr creates relayed connection to the given TURN service and returns the relayed addr.
-// Not implemented yet.
-func (m *UniversalUDPMuxDefault) GetRelayedAddr(turnAddr net.Addr, deadline time.Duration) (*net.Addr, error) {
-	return nil, fmt.Errorf("not implemented yet")
-}
-
-// GetConnForURL add uniques to the muxed connection by concatenating ufrag and URL (e.g. STUN URL) to be able to support multiple STUN/TURN servers
-// and return a unique connection per server.
-func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr) (net.PacketConn, error) {
-	return m.UDPMuxDefault.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr)
-}
-
-// HandleSTUNMessage discovers STUN packets that carry a XOR mapped address from a STUN server.
-// All other STUN packets will be forwarded to the UDPMux
-func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
-
-	udpAddr, ok := addr.(*net.UDPAddr)
-	if !ok {
-		// message about this err will be logged in the UDPMux
-		return nil
-	}
-
-	if m.isXORMappedResponse(msg, udpAddr.String()) {
-		err := m.handleXORMappedResponse(udpAddr, msg)
-		if err != nil {
-			log.Debugf("%s: %v", fmt.Errorf("failed to get XOR-MAPPED-ADDRESS response"), err)
-			return nil
-		}
-		return nil
-	}
-	return m.UDPMuxDefault.HandleSTUNMessage(msg, addr)
-}
-
-// isXORMappedResponse indicates whether the message is a XORMappedAddress and is coming from the known STUN server.
-func (m *UniversalUDPMuxDefault) isXORMappedResponse(msg *stun.Message, stunAddr string) bool {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	// check first if it is a STUN server address because remote peer can also send similar messages but as a BindingSuccess
-	_, ok := m.xorMappedMap[stunAddr]
-	_, err := msg.Get(stun.AttrXORMappedAddress)
-	return err == nil && ok
-}
-
-// handleXORMappedResponse parses response from the STUN server, extracts XORMappedAddress attribute
-// and set the mapped address for the server
-func (m *UniversalUDPMuxDefault) handleXORMappedResponse(stunAddr *net.UDPAddr, msg *stun.Message) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	mappedAddr, ok := m.xorMappedMap[stunAddr.String()]
-	if !ok {
-		return fmt.Errorf("no XOR address mapping")
-	}
-
-	var addr stun.XORMappedAddress
-	if err := addr.GetFrom(msg); err != nil {
-		return err
-	}
-
-	m.xorMappedMap[stunAddr.String()] = mappedAddr
-	mappedAddr.SetAddr(&addr)
-
-	return nil
-}
-
-// GetXORMappedAddr returns *stun.XORMappedAddress if already present for a given STUN server.
-// Makes a STUN binding request to discover mapped address otherwise.
-// Blocks until the stun.XORMappedAddress has been discovered or deadline.
-// Method is safe for concurrent use.
-func (m *UniversalUDPMuxDefault) GetXORMappedAddr(serverAddr net.Addr, deadline time.Duration) (*stun.XORMappedAddress, error) {
-	m.mu.Lock()
-	mappedAddr, ok := m.xorMappedMap[serverAddr.String()]
-	// if we already have a mapping for this STUN server (address already received)
-	// and if it is not too old we return it without making a new request to STUN server
-	if ok {
-		if mappedAddr.expired() {
-			mappedAddr.closeWaiters()
-			delete(m.xorMappedMap, serverAddr.String())
-			ok = false
-		} else if mappedAddr.pending() {
-			ok = false
-		}
-	}
-	m.mu.Unlock()
-	if ok {
-		return mappedAddr.addr, nil
-	}
-
-	// otherwise, make a STUN request to discover the address
-	// or wait for already sent request to complete
-	waitAddrReceived, err := m.sendStun(serverAddr)
-	if err != nil {
-		return nil, fmt.Errorf("%s: %s", "failed to send STUN packet", err)
-	}
-
-	// block until response was handled by the connWorker routine and XORMappedAddress was updated
-	select {
-	case <-waitAddrReceived:
-		// when channel closed, addr was obtained
-		m.mu.Lock()
-		mappedAddr := *m.xorMappedMap[serverAddr.String()]
-		m.mu.Unlock()
-		if mappedAddr.addr == nil {
-			return nil, fmt.Errorf("no XOR address mapping")
-		}
-		return mappedAddr.addr, nil
-	case <-time.After(deadline):
-		return nil, fmt.Errorf("timeout while waiting for XORMappedAddr")
-	}
-}
-
-// sendStun sends a STUN request via UDP conn.
-//
-// The returned channel is closed when the STUN response has been received.
-// Method is safe for concurrent use.
-func (m *UniversalUDPMuxDefault) sendStun(serverAddr net.Addr) (chan struct{}, error) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	// if record present in the map, we already sent a STUN request,
-	// just wait when waitAddrReceived will be closed
-	addrMap, ok := m.xorMappedMap[serverAddr.String()]
-	if !ok {
-		addrMap = &xorMapped{
-			expiresAt:        time.Now().Add(m.params.XORMappedAddrCacheTTL),
-			waitAddrReceived: make(chan struct{}),
-		}
-		m.xorMappedMap[serverAddr.String()] = addrMap
-	}
-
-	req, err := stun.Build(stun.BindingRequest, stun.TransactionID)
-	if err != nil {
-		return nil, err
-	}
-
-	if _, err = m.params.UDPConn.WriteTo(req.Raw, serverAddr); err != nil {
-		return nil, err
-	}
-
-	return addrMap.waitAddrReceived, nil
-}
-
-type xorMapped struct {
-	addr             *stun.XORMappedAddress
-	waitAddrReceived chan struct{}
-	expiresAt        time.Time
-}
-
-func (a *xorMapped) closeWaiters() {
-	select {
-	case <-a.waitAddrReceived:
-		// notify was close, ok, that means we received duplicate response
-		// just exit
-		break
-	default:
-		// notify tha twe have a new addr
-		close(a.waitAddrReceived)
-	}
-}
-
-func (a *xorMapped) pending() bool {
-	return a.addr == nil
-}
-
-func (a *xorMapped) expired() bool {
-	return a.expiresAt.Before(time.Now())
-}
-
-func (a *xorMapped) SetAddr(addr *stun.XORMappedAddress) {
-	a.addr = addr
-	a.closeWaiters()
-}

iface/bind/udp_muxed_conn.go

@@ -1,233 +0,0 @@
-package bind
-
-/*
- Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements
-*/
-
-import (
-	"encoding/binary"
-	"io"
-	"net"
-	"sync"
-	"time"
-
-	"github.com/pion/logging"
-	"github.com/pion/transport/v2/packetio"
-)
-
-type udpMuxedConnParams struct {
-	Mux       *UDPMuxDefault
-	AddrPool  *sync.Pool
-	Key       string
-	LocalAddr net.Addr
-	Logger    logging.LeveledLogger
-}
-
-// udpMuxedConn represents a logical packet conn for a single remote as identified by ufrag
-type udpMuxedConn struct {
-	params *udpMuxedConnParams
-	// remote addresses that we have sent to on this conn
-	addresses []string
-
-	// channel holding incoming packets
-	buf        *packetio.Buffer
-	closedChan chan struct{}
-	closeOnce  sync.Once
-	mu         sync.Mutex
-}
-
-func newUDPMuxedConn(params *udpMuxedConnParams) *udpMuxedConn {
-	p := &udpMuxedConn{
-		params:     params,
-		buf:        packetio.NewBuffer(),
-		closedChan: make(chan struct{}),
-	}
-
-	return p
-}
-
-func (c *udpMuxedConn) ReadFrom(b []byte) (n int, rAddr net.Addr, err error) {
-	buf := c.params.AddrPool.Get().(*bufferHolder) //nolint:forcetypeassert
-	defer c.params.AddrPool.Put(buf)
-
-	// read address
-	total, err := c.buf.Read(buf.buf)
-	if err != nil {
-		return 0, nil, err
-	}
-
-	dataLen := int(binary.LittleEndian.Uint16(buf.buf[:2]))
-	if dataLen > total || dataLen > len(b) {
-		return 0, nil, io.ErrShortBuffer
-	}
-
-	// read data and then address
-	offset := 2
-	copy(b, buf.buf[offset:offset+dataLen])
-	offset += dataLen
-
-	// read address len & decode address
-	addrLen := int(binary.LittleEndian.Uint16(buf.buf[offset : offset+2]))
-	offset += 2
-
-	if rAddr, err = decodeUDPAddr(buf.buf[offset : offset+addrLen]); err != nil {
-		return 0, nil, err
-	}
-
-	return dataLen, rAddr, nil
-}
-
-func (c *udpMuxedConn) WriteTo(buf []byte, rAddr net.Addr) (n int, err error) {
-	if c.isClosed() {
-		return 0, io.ErrClosedPipe
-	}
-	// each time we write to a new address, we'll register it with the mux
-	addr := rAddr.String()
-	if !c.containsAddress(addr) {
-		c.addAddress(addr)
-	}
-
-	return c.params.Mux.writeTo(buf, rAddr)
-}
-
-func (c *udpMuxedConn) LocalAddr() net.Addr {
-	return c.params.LocalAddr
-}
-
-func (c *udpMuxedConn) SetDeadline(tm time.Time) error {
-	return nil
-}
-
-func (c *udpMuxedConn) SetReadDeadline(tm time.Time) error {
-	return nil
-}
-
-func (c *udpMuxedConn) SetWriteDeadline(tm time.Time) error {
-	return nil
-}
-
-func (c *udpMuxedConn) CloseChannel() <-chan struct{} {
-	return c.closedChan
-}
-
-func (c *udpMuxedConn) Close() error {
-	var err error
-	c.closeOnce.Do(func() {
-		err = c.buf.Close()
-		close(c.closedChan)
-	})
-	return err
-}
-
-func (c *udpMuxedConn) isClosed() bool {
-	select {
-	case <-c.closedChan:
-		return true
-	default:
-		return false
-	}
-}
-
-func (c *udpMuxedConn) getAddresses() []string {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	addresses := make([]string, len(c.addresses))
-	copy(addresses, c.addresses)
-	return addresses
-}
-
-func (c *udpMuxedConn) addAddress(addr string) {
-	c.mu.Lock()
-	c.addresses = append(c.addresses, addr)
-	c.mu.Unlock()
-
-	// map it on mux
-	c.params.Mux.registerConnForAddress(c, addr)
-}
-
-func (c *udpMuxedConn) containsAddress(addr string) bool {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	for _, a := range c.addresses {
-		if addr == a {
-			return true
-		}
-	}
-	return false
-}
-
-func (c *udpMuxedConn) writePacket(data []byte, addr *net.UDPAddr) error {
-	// write two packets, address and data
-	buf := c.params.AddrPool.Get().(*bufferHolder) //nolint:forcetypeassert
-	defer c.params.AddrPool.Put(buf)
-
-	// format of buffer | data len | data bytes | addr len | addr bytes |
-	if len(buf.buf) < len(data)+maxAddrSize {
-		return io.ErrShortBuffer
-	}
-	// data len
-	binary.LittleEndian.PutUint16(buf.buf, uint16(len(data)))
-	offset := 2
-
-	// data
-	copy(buf.buf[offset:], data)
-	offset += len(data)
-
-	// write address first, leaving room for its length
-	n, err := encodeUDPAddr(addr, buf.buf[offset+2:])
-	if err != nil {
-		return err
-	}
-	total := offset + n + 2
-
-	// address len
-	binary.LittleEndian.PutUint16(buf.buf[offset:], uint16(n))
-
-	if _, err := c.buf.Write(buf.buf[:total]); err != nil {
-		return err
-	}
-	return nil
-}
-
-func encodeUDPAddr(addr *net.UDPAddr, buf []byte) (int, error) {
-	ipData, err := addr.IP.MarshalText()
-	if err != nil {
-		return 0, err
-	}
-	total := 2 + len(ipData) + 2 + len(addr.Zone)
-	if total > len(buf) {
-		return 0, io.ErrShortBuffer
-	}
-
-	binary.LittleEndian.PutUint16(buf, uint16(len(ipData)))
-	offset := 2
-	n := copy(buf[offset:], ipData)
-	offset += n
-	binary.LittleEndian.PutUint16(buf[offset:], uint16(addr.Port))
-	offset += 2
-	copy(buf[offset:], addr.Zone)
-	return total, nil
-}
-
-func decodeUDPAddr(buf []byte) (*net.UDPAddr, error) {
-	addr := net.UDPAddr{}
-
-	offset := 0
-	ipLen := int(binary.LittleEndian.Uint16(buf[:2]))
-	offset += 2
-	// basic bounds checking
-	if ipLen+offset > len(buf) {
-		return nil, io.ErrShortBuffer
-	}
-	if err := addr.IP.UnmarshalText(buf[offset : offset+ipLen]); err != nil {
-		return nil, err
-	}
-	offset += ipLen
-	addr.Port = int(binary.LittleEndian.Uint16(buf[offset : offset+2]))
-	offset += 2
-	zone := make([]byte, len(buf[offset:]))
-	copy(zone, buf[offset:])
-	addr.Zone = string(zone)
-
-	return &addr, nil
-}

iface/iface.go

@@ -5,34 +5,20 @@ import (
 	"sync"
 	"time"
 
-	"github.com/netbirdio/netbird/iface/bind"
-
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
 const (
 	DefaultMTU    = 1280
 	DefaultWgPort = 51820
-
-	defaultWgKeepAlive = 25 * time.Second
 )
 
 // WGIface represents a interface instance
 type WGIface struct {
-	tun           *tunDevice
-	configurer    wGConfigurer
-	mu            sync.Mutex
-	userspaceBind bool
-}
-
-// IsUserspaceBind indicates whether this interfaces is userspace with bind.ICEBind
-func (w *WGIface) IsUserspaceBind() bool {
-	return w.userspaceBind
-}
-
-// GetBind returns a userspace implementation of WireGuard Bind interface
-func (w *WGIface) GetBind() *bind.ICEBind {
-	return w.tun.iceBind
+	tun        *tunDevice
+	configurer wGConfigurer
+	mu         sync.Mutex
 }
 
 // Create creates a new Wireguard interface, sets a given IP and brings it up.
@@ -40,7 +26,7 @@ func (w *WGIface) GetBind() *bind.ICEBind {
 func (w *WGIface) Create() error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
-	log.Debugf("create WireGuard interface %s", w.tun.DeviceName())
+	log.Debugf("create Wireguard interface %s", w.tun.DeviceName())
 	return w.tun.Create()
 }
 
@@ -78,12 +64,12 @@ func (w *WGIface) UpdateAddr(newAddr string) error {
 
 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
 // Endpoint is optional
-func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, endpoint *net.UDPAddr) error {
+func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
 	log.Debugf("updating interface %s peer %s: endpoint %s ", w.tun.DeviceName(), peerKey, endpoint)
-	return w.configurer.updatePeer(peerKey, allowedIps, endpoint)
+	return w.configurer.updatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
 }
 
 // RemovePeer removes a Wireguard Peer from the interface iface

iface/iface_android.go

@@ -1,28 +1,22 @@
 package iface
 
-import (
-	"sync"
+import "sync"
 
-	"github.com/pion/transport/v2"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(iFaceName string, address string, mtu int, preSharedKey *wgtypes.Key, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
-	wgIFace := &WGIface{
+// NewWGIFace Creates a new Wireguard interface instance
+func NewWGIFace(ifaceName string, address string, mtu int, tunAdapter TunAdapter) (*WGIface, error) {
+	wgIface := &WGIface{
 		mu: sync.Mutex{},
 	}
 
 	wgAddress, err := parseWGAddress(address)
 	if err != nil {
-		return wgIFace, err
+		return wgIface, err
 	}
 
-	tun := newTunDevice(wgAddress, mtu, tunAdapter, transportNet)
-	wgIFace.tun = tun
+	tun := newTunDevice(wgAddress, mtu, tunAdapter)
+	wgIface.tun = tun
 
-	wgIFace.configurer = newWGConfigurer(tun, preSharedKey)
+	wgIface.configurer = newWGConfigurer(tun)
 
-	wgIFace.userspaceBind = !WireGuardModuleIsLoaded()
-
-	return wgIFace, nil
+	return wgIface, nil
 }

iface/iface_nonandroid.go

@@ -2,27 +2,21 @@
 
 package iface
 
-import (
-	"github.com/pion/transport/v2"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+import "sync"
 
-	"sync"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(iFaceName string, address string, mtu int, preSharedKey *wgtypes.Key, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
-	wgIFace := &WGIface{
+// NewWGIFace Creates a new Wireguard interface instance
+func NewWGIFace(ifaceName string, address string, mtu int, tunAdapter TunAdapter) (*WGIface, error) {
+	wgIface := &WGIface{
 		mu: sync.Mutex{},
 	}
 
 	wgAddress, err := parseWGAddress(address)
 	if err != nil {
-		return wgIFace, err
+		return wgIface, err
 	}
 
-	wgIFace.tun = newTunDevice(iFaceName, wgAddress, mtu, transportNet)
+	wgIface.tun = newTunDevice(ifaceName, wgAddress, mtu)
 
-	wgIFace.configurer = newWGConfigurer(iFaceName, preSharedKey)
-	wgIFace.userspaceBind = !WireGuardModuleIsLoaded()
-	return wgIFace, nil
+	wgIface.configurer = newWGConfigurer(ifaceName)
+	return wgIface, nil
 }

iface/iface_test.go

@@ -2,7 +2,6 @@ package iface
 
 import (
 	"fmt"
-	"github.com/pion/transport/v2/stdnet"
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"golang.zx2c4.com/wireguard/wgctrl"
@@ -33,12 +32,7 @@ func init() {
 func TestWGIface_UpdateAddr(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	addr := "100.64.0.1/8"
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	iface, err := NewWGIFace(ifaceName, addr, DefaultMTU, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, addr, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -98,11 +92,7 @@ func getIfaceAddrs(ifaceName string) ([]net.Addr, error) {
 func Test_CreateInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
 	wgIP := "10.99.99.1/32"
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -131,11 +121,7 @@ func Test_CreateInterface(t *testing.T) {
 func Test_Close(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
 	wgIP := "10.99.99.2/32"
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -163,11 +149,7 @@ func Test_Close(t *testing.T) {
 func Test_ConfigureInterface(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
 	wgIP := "10.99.99.5/30"
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -214,11 +196,7 @@ func Test_ConfigureInterface(t *testing.T) {
 func Test_UpdatePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.9/30"
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -277,11 +255,7 @@ func Test_UpdatePeer(t *testing.T) {
 func Test_RemovePeer(t *testing.T) {
 	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
 	wgIP := "10.99.99.13/30"
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil, newNet)
+	iface, err := NewWGIFace(ifaceName, wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -330,11 +304,8 @@ func Test_ConnectPeers(t *testing.T) {
 	peer2Key, _ := wgtypes.GeneratePrivateKey()
 
 	keepAlive := 1 * time.Second
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface1, err := NewWGIFace(peer1ifaceName, peer1wgIP, DefaultMTU, nil, newNet)
+
+	iface1, err := NewWGIFace(peer1ifaceName, peer1wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -351,11 +322,7 @@ func Test_ConnectPeers(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	newNet, err = stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	iface2, err := NewWGIFace(peer2ifaceName, peer2wgIP, DefaultMTU, nil, newNet)
+	iface2, err := NewWGIFace(peer2ifaceName, peer2wgIP, DefaultMTU, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

iface/ipc_parser_android.go

@@ -33,7 +33,7 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 
 		if p.PresharedKey != nil {
 			preSharedHexKey := hex.EncodeToString(p.PresharedKey[:])
-			sb.WriteString(fmt.Sprintf("preshared_key=%s\n", preSharedHexKey))
+			sb.WriteString(fmt.Sprintf("public_key=%s\n", preSharedHexKey))
 		}
 
 		if p.Remove {

iface/module.go

@@ -3,7 +3,7 @@
 
 package iface
 
-// WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
-func WireGuardModuleIsLoaded() bool {
+// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
+func WireguardModuleIsLoaded() bool {
 	return false
 }

iface/module_linux.go

@@ -33,7 +33,6 @@ const (
 	loading
 	live
 	inuse
-	envDisableWireGuardKernel = "NB_WG_KERNEL_DISABLED"
 )
 
 type module struct {
@@ -82,15 +81,9 @@ func tunModuleIsLoaded() bool {
 	return tunLoaded
 }
 
-// WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
-func WireGuardModuleIsLoaded() bool {
-
-	if os.Getenv(envDisableWireGuardKernel) == "true" {
-		log.Debugf("WireGuard kernel module disabled because the %s env is set to true", envDisableWireGuardKernel)
-		return false
-	}
-
-	if canCreateFakeWireGuardInterface() {
+// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
+func WireguardModuleIsLoaded() bool {
+	if canCreateFakeWireguardInterface() {
 		return true
 	}
 
@@ -103,7 +96,7 @@ func WireGuardModuleIsLoaded() bool {
 	return loaded
 }
 
-func canCreateFakeWireGuardInterface() bool {
+func canCreateFakeWireguardInterface() bool {
 	link := newWGLink("mustnotexist")
 
 	// We willingly try to create a device with an invalid

iface/tun_android.go

@@ -1,12 +1,11 @@
 package iface
 
 import (
-	"github.com/netbirdio/netbird/iface/bind"
-	"github.com/pion/transport/v2"
 	"net"
 
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
@@ -17,19 +16,17 @@ type tunDevice struct {
 	mtu        int
 	tunAdapter TunAdapter
 
-	fd      int
-	name    string
-	device  *device.Device
-	uapi    net.Listener
-	iceBind *bind.ICEBind
+	fd     int
+	name   string
+	device *device.Device
+	uapi   net.Listener
 }
 
-func newTunDevice(address WGAddress, mtu int, tunAdapter TunAdapter, transportNet transport.Net) *tunDevice {
+func newTunDevice(address WGAddress, mtu int, tunAdapter TunAdapter) *tunDevice {
 	return &tunDevice{
 		address:    address,
 		mtu:        mtu,
 		tunAdapter: tunAdapter,
-		iceBind:    bind.NewICEBind(transportNet),
 	}
 }
 
@@ -49,7 +46,7 @@ func (t *tunDevice) Create() error {
 	t.name = name
 
 	log.Debugf("attaching to interface %v", name)
-	t.device = device.NewDevice(tunDevice, t.iceBind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	t.device = device.NewDevice(tunDevice, conn.NewStdNetBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
 	t.device.DisableSomeRoamingForBrokenMobileSemantics()
 
 	log.Debugf("create uapi")

iface/tun_linux.go

@@ -11,7 +11,7 @@ import (
 )
 
 func (c *tunDevice) Create() error {
-	if WireGuardModuleIsLoaded() {
+	if WireguardModuleIsLoaded() {
 		log.Info("using kernel WireGuard")
 		return c.createWithKernel()
 	}
@@ -30,7 +30,7 @@ func (c *tunDevice) Create() error {
 
 }
 
-// createWithKernel Creates a new WireGuard interface using kernel WireGuard module.
+// createWithKernel Creates a new Wireguard interface using kernel Wireguard module.
 // Works for Linux and offers much better network performance
 func (c *tunDevice) createWithKernel() error {
 

iface/tun_unix.go

@@ -3,12 +3,11 @@
 package iface
 
 import (
-	"github.com/netbirdio/netbird/iface/bind"
-	"github.com/pion/transport/v2"
 	"net"
 	"os"
 
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
@@ -19,15 +18,13 @@ type tunDevice struct {
 	address      WGAddress
 	mtu          int
 	netInterface NetInterface
-	iceBind      *bind.ICEBind
 }
 
-func newTunDevice(name string, address WGAddress, mtu int, transportNet transport.Net) *tunDevice {
+func newTunDevice(name string, address WGAddress, mtu int) *tunDevice {
 	return &tunDevice{
 		name:    name,
 		address: address,
 		mtu:     mtu,
-		iceBind: bind.NewICEBind(transportNet),
 	}
 }
 
@@ -72,7 +69,7 @@ func (c *tunDevice) createWithUserspace() (NetInterface, error) {
 	}
 
 	// We need to create a wireguard-go device and listen to configuration requests
-	tunDevice := device.NewDevice(tunIface, c.iceBind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
 	err = tunDevice.Up()
 	if err != nil {
 		return tunIface, err

iface/tun_windows.go

@@ -2,32 +2,26 @@ package iface
 
 import (
 	"fmt"
-	"github.com/netbirdio/netbird/iface/bind"
-	"github.com/pion/transport/v2"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/ipc"
-	"golang.zx2c4.com/wireguard/tun"
-	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"net"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/driver"
 )
 
 type tunDevice struct {
 	name         string
 	address      WGAddress
 	netInterface NetInterface
-	uapi         net.Listener
-	iceBind      *bind.ICEBind
-	mtu          int
 }
 
-func newTunDevice(name string, address WGAddress, mtu int, transportNet transport.Net) *tunDevice {
-	return &tunDevice{name: name, address: address, iceBind: bind.NewICEBind(transportNet), mtu: mtu}
+func newTunDevice(name string, address WGAddress, mtu int) *tunDevice {
+	return &tunDevice{name: name, address: address}
 }
 
 func (c *tunDevice) Create() error {
 	var err error
-	c.netInterface, err = c.createWithUserspace()
+	c.netInterface, err = c.createAdapter()
 	if err != nil {
 		return err
 	}
@@ -35,41 +29,6 @@ func (c *tunDevice) Create() error {
 	return c.assignAddr()
 }
 
-// createWithUserspace Creates a new WireGuard interface, using wireguard-go userspace implementation
-func (c *tunDevice) createWithUserspace() (NetInterface, error) {
-
-	tunIface, err := tun.CreateTUN(c.name, c.mtu)
-	if err != nil {
-		return nil, err
-	}
-	// We need to create a wireguard-go device and listen to configuration requests
-	tunDevice := device.NewDevice(tunIface, c.iceBind, device.NewLogger(device.LogLevelSilent, "[netbird] "))
-	err = tunDevice.Up()
-	if err != nil {
-		return tunIface, err
-	}
-
-	uapi, err := c.getUAPI(c.name)
-	if err != nil {
-		return nil, err
-	}
-	c.uapi = uapi
-
-	go func() {
-		for {
-			uapiConn, uapiErr := uapi.Accept()
-			if uapiErr != nil {
-				log.Traceln("uapi accept failed with error: ", uapiErr)
-				continue
-			}
-			go tunDevice.IpcHandle(uapiConn)
-		}
-	}()
-
-	log.Debugln("UAPI listener started")
-	return tunIface, nil
-}
-
 func (c *tunDevice) UpdateAddr(address WGAddress) error {
 	c.address = address
 	return c.assignAddr()
@@ -84,28 +43,19 @@ func (c *tunDevice) DeviceName() string {
 }
 
 func (c *tunDevice) Close() error {
-	var err1, err2 error
-	if c.netInterface != nil {
-		err1 = c.netInterface.Close()
+	if c.netInterface == nil {
+		return nil
 	}
 
-	if c.uapi != nil {
-		err2 = c.uapi.Close()
-	}
-
-	if err1 != nil {
-		return err1
-	}
-
-	return err2
+	return c.netInterface.Close()
 }
 
 func (c *tunDevice) getInterfaceGUIDString() (string, error) {
 	if c.netInterface == nil {
 		return "", fmt.Errorf("interface has not been initialized yet")
 	}
-	windowsDevice := c.netInterface.(*tun.NativeTun)
-	luid := winipcfg.LUID(windowsDevice.LUID())
+	windowsDevice := c.netInterface.(*driver.Adapter)
+	luid := windowsDevice.LUID()
 	guid, err := luid.GUID()
 	if err != nil {
 		return "", err
@@ -113,15 +63,31 @@ func (c *tunDevice) getInterfaceGUIDString() (string, error) {
 	return guid.String(), nil
 }
 
-// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func (c *tunDevice) assignAddr() error {
-	tunDev := c.netInterface.(*tun.NativeTun)
-	luid := winipcfg.LUID(tunDev.LUID())
-	log.Debugf("adding address %s to interface: %s", c.address.IP, c.name)
-	return luid.SetIPAddresses([]net.IPNet{{c.address.IP, c.address.Network.Mask}})
+func (c *tunDevice) createAdapter() (NetInterface, error) {
+	WintunStaticRequestedGUID, _ := windows.GenerateGUID()
+	adapter, err := driver.CreateAdapter(c.name, "WireGuard", &WintunStaticRequestedGUID)
+	if err != nil {
+		err = fmt.Errorf("error creating adapter: %w", err)
+		return nil, err
+	}
+	err = adapter.SetAdapterState(driver.AdapterStateUp)
+	if err != nil {
+		return adapter, err
+	}
+	state, _ := adapter.LUID().GUID()
+	log.Debugln("device guid: ", state.String())
+	return adapter, nil
 }
 
-// getUAPI returns a Listener
-func (c *tunDevice) getUAPI(iface string) (net.Listener, error) {
-	return ipc.UAPIListen(iface)
+// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
+func (c *tunDevice) assignAddr() error {
+	luid := c.netInterface.(*driver.Adapter).LUID()
+
+	log.Debugf("adding address %s to interface: %s", c.address.IP, c.name)
+	err := luid.SetIPAddresses([]net.IPNet{{c.address.IP, c.address.Network.Mask}})
+	if err != nil {
+		return err
+	}
+
+	return nil
 }

iface/wg_configurer_android.go

@@ -3,6 +3,7 @@ package iface
 import (
 	"errors"
 	"net"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 
@@ -14,14 +15,12 @@ var (
 )
 
 type wGConfigurer struct {
-	tunDevice    *tunDevice
-	preSharedKey *wgtypes.Key
+	tunDevice *tunDevice
 }
 
-func newWGConfigurer(tunDevice *tunDevice, preSharedKey *wgtypes.Key) wGConfigurer {
+func newWGConfigurer(tunDevice *tunDevice) wGConfigurer {
 	return wGConfigurer{
-		tunDevice:    tunDevice,
-		preSharedKey: preSharedKey,
+		tunDevice: tunDevice,
 	}
 }
 
@@ -42,7 +41,7 @@ func (c *wGConfigurer) configureInterface(privateKey string, port int) error {
 	return c.tunDevice.Device().IpcSet(toWgUserspaceString(config))
 }
 
-func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, endpoint *net.UDPAddr) error {
+func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	//parse allowed ips
 	_, ipNet, err := net.ParseCIDR(allowedIps)
 	if err != nil {
@@ -53,13 +52,12 @@ func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, endpoint *n
 	if err != nil {
 		return err
 	}
-	keepalive := defaultWgKeepAlive
 	peer := wgtypes.PeerConfig{
 		PublicKey:                   peerKeyParsed,
 		ReplaceAllowedIPs:           true,
 		AllowedIPs:                  []net.IPNet{*ipNet},
 		PersistentKeepaliveInterval: &keepAlive,
-		PresharedKey:                c.preSharedKey,
+		PresharedKey:                preSharedKey,
 		Endpoint:                    endpoint,
 	}
 

iface/wg_configurer_nonandroid.go

@@ -5,6 +5,7 @@ package iface
 import (
 	"fmt"
 	"net"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl"
@@ -12,14 +13,12 @@ import (
 )
 
 type wGConfigurer struct {
-	deviceName   string
-	preSharedKey *wgtypes.Key
+	deviceName string
 }
 
-func newWGConfigurer(deviceName string, preSharedKey *wgtypes.Key) wGConfigurer {
+func newWGConfigurer(deviceName string) wGConfigurer {
 	return wGConfigurer{
-		deviceName:   deviceName,
-		preSharedKey: preSharedKey,
+		deviceName: deviceName,
 	}
 }
 
@@ -44,7 +43,7 @@ func (c *wGConfigurer) configureInterface(privateKey string, port int) error {
 	return nil
 }
 
-func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, endpoint *net.UDPAddr) error {
+func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	//parse allowed ips
 	_, ipNet, err := net.ParseCIDR(allowedIps)
 	if err != nil {
@@ -55,13 +54,12 @@ func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, endpoint *n
 	if err != nil {
 		return err
 	}
-	keepalive := defaultWgKeepAlive
 	peer := wgtypes.PeerConfig{
 		PublicKey:                   peerKeyParsed,
 		ReplaceAllowedIPs:           true,
 		AllowedIPs:                  []net.IPNet{*ipNet},
-		PersistentKeepaliveInterval: &keepalive,
-		PresharedKey:                c.preSharedKey,
+		PersistentKeepaliveInterval: &keepAlive,
+		PresharedKey:                preSharedKey,
 		Endpoint:                    endpoint,
 	}
 

infrastructure_files/base.setup.env

@@ -3,31 +3,26 @@
 # Management API
 
 # Management API port
-NETBIRD_MGMT_API_PORT=${NETBIRD_MGMT_API_PORT:-33073}
+NETBIRD_MGMT_API_PORT=33073
 # Management API endpoint address, used by the Dashboard
 NETBIRD_MGMT_API_ENDPOINT=https://$NETBIRD_DOMAIN:$NETBIRD_MGMT_API_PORT
 # Management Certficate file path. These are generated by the Dashboard container
-NETBIRD_LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
-NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/fullchain.pem"
+NETBIRD_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/fullchain.pem"
 # Management Certficate key file path.
-NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAIN/privkey.pem"
+NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_DOMAIN/privkey.pem"
 # By default Management single account mode is enabled and domain set to $NETBIRD_DOMAIN, you may want to set this to your user's email domain
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
-
-# Signal
-NETBIRD_SIGNAL_PROTOCOL="http"
-NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
-
 # Turn credentials
+
 # User
 TURN_USER=self
 # Password. If empty, the configure.sh will generate one with openssl
 TURN_PASSWORD=
 # Min port
-TURN_MIN_PORT=${TURN_MIN_PORT:-49152}
+TURN_MIN_PORT=49152
 # Max port
-TURN_MAX_PORT=${TURN_MAX_PORT:-65535}
+TURN_MAX_PORT=65535
 
 VOLUME_PREFIX="netbird-"
 MGMT_VOLUMESUFFIX="mgmt"
@@ -35,13 +30,8 @@ SIGNAL_VOLUMESUFFIX="signal"
 LETSENCRYPT_VOLUMESUFFIX="letsencrypt"
 
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=${NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE:-$NETBIRD_AUTH_AUDIENCE}
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE=${NETBIRD_AUTH_DEVICE_AUTH_SCOPE:-openid}
-NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=${NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN:-false}
-
 
 NETBIRD_DISABLE_ANONYMOUS_METRICS=${NETBIRD_DISABLE_ANONYMOUS_METRICS:-false}
-NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
 
 # exports
 export NETBIRD_DOMAIN
@@ -54,7 +44,6 @@ export NETBIRD_AUTH_JWT_CERTS
 export NETBIRD_LETSENCRYPT_EMAIL
 export NETBIRD_MGMT_API_PORT
 export NETBIRD_MGMT_API_ENDPOINT
-export NETBIRD_LETSENCRYPT_DOMAIN
 export NETBIRD_MGMT_API_CERT_FILE
 export NETBIRD_MGMT_API_CERT_KEY_FILE
 export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER
@@ -72,11 +61,4 @@ export SIGNAL_VOLUMESUFFIX
 export LETSENCRYPT_VOLUMESUFFIX
 export NETBIRD_DISABLE_ANONYMOUS_METRICS
 export NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN
-export NETBIRD_MGMT_DNS_DOMAIN
-export NETBIRD_SIGNAL_PROTOCOL
-export NETBIRD_SIGNAL_PORT
-export NETBIRD_AUTH_USER_ID_CLAIM
-export NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
-export NETBIRD_TOKEN_SOURCE
-export NETBIRD_AUTH_DEVICE_AUTH_SCOPE
-export NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
+export NETBIRD_MGMT_DNS_DOMAIN

infrastructure_files/configure.sh

@@ -121,30 +121,6 @@ if [[ ! -z "${NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID}" ]]; then
     export NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="hosted"
 fi
 
-# Check if letsencrypt was disabled
-if [[ "$NETBIRD_DISABLE_LETSENCRYPT" == "true" ]]
-then
-  export NETBIRD_DASHBOARD_ENDPOINT="https://$NETBIRD_DOMAIN:443"
-  export NETBIRD_SIGNAL_ENDPOINT="https://$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT"
-
-  echo "Letsencrypt was disabled, the Https-endpoints cannot be used anymore"
-  echo " and a reverse-proxy with Https needs to be placed in front of netbird!"
-  echo "The following forwards have to be setup:"
-  echo "- $NETBIRD_DASHBOARD_ENDPOINT -http-> dashboard:80"
-  echo "- $NETBIRD_MGMT_API_ENDPOINT/api -http-> management:$NETBIRD_MGMT_API_PORT"
-  echo "- $NETBIRD_MGMT_API_ENDPOINT/management.ManagementService/ -grpc-> management:$NETBIRD_MGMT_API_PORT"
-  echo "- $NETBIRD_SIGNAL_ENDPOINT/signalexchange.SignalExchange/ -grpc-> signal:80"
-  echo "You most likely also have to change NETBIRD_MGMT_API_ENDPOINT in base.setup.env and port-mappings in docker-compose.yml.tmpl and rerun this script."
-  echo " The target of the forwards depends on your setup. Beware of the gRPC protocol instead of http for management and signal!"
-  echo "You are also free to remove any occurences of the Letsencrypt-volume $LETSENCRYPT_VOLUMENAME"
-  echo ""
-
-  export NETBIRD_SIGNAL_PROTOCOL="https"
-  unset NETBIRD_LETSENCRYPT_DOMAIN
-  unset NETBIRD_MGMT_API_CERT_FILE
-  unset NETBIRD_MGMT_API_CERT_KEY_FILE
-fi
-
 env | grep NETBIRD
 
 envsubst < docker-compose.yml.tmpl > docker-compose.yml

infrastructure_files/docker-compose.yml.tmpl

@@ -8,26 +8,20 @@ services:
       - 80:80
       - 443:443
     environment:
-      # Endpoints
-      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      # OIDC
       - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
       - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
       - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
       - USE_AUTH0=$NETBIRD_USE_AUTH0
       - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
+      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
+      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
+      - NGINX_SSL_PORT=443
+      - LETSENCRYPT_DOMAIN=$NETBIRD_DOMAIN
+      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
       - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
       - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
-      - NETBIRD_TOKEN_SOURCE=$NETBIRD_TOKEN_SOURCE
-      # SSL
-      - NGINX_SSL_PORT=443
-      # Letsencrypt
-      - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN
-      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
     volumes:
       - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/
-
   # Signal
   signal:
     image: netbirdio/signal:latest
@@ -38,8 +32,7 @@ services:
       - 10000:80
   #      # port and command for Let's Encrypt validation
   #      - 443:443
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
-
+  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
   # Management
   management:
     image: netbirdio/management:latest
@@ -53,15 +46,8 @@ services:
     ports:
       - $NETBIRD_MGMT_API_PORT:443 #API port
   #    # command for Let's Encrypt validation without dashboard container
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
-    command: [
-      "--port", "443",
-      "--log-file", "console",
-      "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
-      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
-      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
-      ]
-
+  #    command: ["--letsencrypt-domain", "$NETBIRD_DOMAIN", "--log-file", "console"]
+    command: ["--port", "443", "--log-file", "console", "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS", "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN", "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"]
   # Coturn
   coturn:
     image: coturn/coturn
@@ -74,7 +60,6 @@ services:
     network_mode: host
     command:
       - -c /etc/turnserver.conf
-
 volumes:
   $MGMT_VOLUMENAME:
   $SIGNAL_VOLUMENAME:

infrastructure_files/docker-compose.yml.tmpl.traefik

@@ -1,99 +0,0 @@
-version: "3"
-services:
-  #UI dashboard
-  dashboard:
-    image: wiretrustee/dashboard:latest
-    restart: unless-stopped
-    #ports:
-    #  - 80:80
-    #  - 443:443
-    environment:
-      # Endpoints
-      - NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      - NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_MGMT_API_ENDPOINT
-      # OIDC
-      - AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
-      - AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
-      - AUTH_AUTHORITY=$NETBIRD_AUTH_AUTHORITY
-      - USE_AUTH0=$NETBIRD_USE_AUTH0
-      - AUTH_SUPPORTED_SCOPES=$NETBIRD_AUTH_SUPPORTED_SCOPES
-      - AUTH_REDIRECT_URI=$NETBIRD_AUTH_REDIRECT_URI
-      - AUTH_SILENT_REDIRECT_URI=$NETBIRD_AUTH_SILENT_REDIRECT_URI
-      # SSL
-      - NGINX_SSL_PORT=443
-      # Letsencrypt
-      - LETSENCRYPT_DOMAIN=$NETBIRD_LETSENCRYPT_DOMAIN
-      - LETSENCRYPT_EMAIL=$NETBIRD_LETSENCRYPT_EMAIL
-    volumes:
-      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt/
-    labels:
-    - traefik.enable=true
-    - traefik.http.routers.netbird-dashboard.rule=Host(`$NETBIRD_DOMAIN`)
-    - traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
-
-  # Signal
-  signal:
-    image: netbirdio/signal:latest
-    restart: unless-stopped
-    volumes:
-      - $SIGNAL_VOLUMENAME:/var/lib/netbird
-    #ports:
-    #  - 10000:80
-  #      # port and command for Let's Encrypt validation
-  #      - 443:443
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
-    labels:
-    - traefik.enable=true
-    - traefik.http.routers.netbird-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/signalexchange.SignalExchange/`)
-    - traefik.http.services.netbird-signal.loadbalancer.server.port=80
-    - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
-
-  # Management
-  management:
-    image: netbirdio/management:latest
-    restart: unless-stopped
-    depends_on:
-      - dashboard
-    volumes:
-      - $MGMT_VOLUMENAME:/var/lib/netbird
-      - $LETSENCRYPT_VOLUMENAME:/etc/letsencrypt:ro
-      - ./management.json:/etc/netbird/management.json
-    #ports:
-    #  - $NETBIRD_MGMT_API_PORT:443 #API port
-  #    # command for Let's Encrypt validation without dashboard container
-  #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]
-    command: [
-      "--port", "443",
-      "--log-file", "console",
-      "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
-      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
-      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
-      ]
-    labels:
-    - traefik.enable=true
-    - traefik.http.routers.netbird-api.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/api`)
-    - traefik.http.routers.netbird-api.service=netbird-api
-    - traefik.http.services.netbird-api.loadbalancer.server.port=443
-
-    - traefik.http.routers.netbird-management.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/management.ManagementService/`)
-    - traefik.http.routers.netbird-management.service=netbird-management
-    - traefik.http.services.netbird-management.loadbalancer.server.port=443
-    - traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
-
-  # Coturn
-  coturn:
-    image: coturn/coturn
-    restart: unless-stopped
-    domainname: $NETBIRD_DOMAIN
-    volumes:
-      - ./turnserver.conf:/etc/turnserver.conf:ro
-    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
-    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
-    network_mode: host
-    command:
-      - -c /etc/turnserver.conf
-
-volumes:
-  $MGMT_VOLUMENAME:
-  $SIGNAL_VOLUMENAME:
-  $LETSENCRYPT_VOLUMENAME:

infrastructure_files/management.json.tmpl

@@ -21,8 +21,8 @@
         "TimeBasedCredentials": false
     },
     "Signal": {
-        "Proto": "$NETBIRD_SIGNAL_PROTOCOL",
-        "URI": "$NETBIRD_DOMAIN:$NETBIRD_SIGNAL_PORT",
+        "Proto": "http",
+        "URI": "$NETBIRD_DOMAIN:10000",
         "Username": "",
         "Password": null
     },
@@ -43,13 +43,11 @@
     "DeviceAuthorizationFlow": {
         "Provider": "$NETBIRD_AUTH_DEVICE_AUTH_PROVIDER",
         "ProviderConfig": {
-          "Audience": "$NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE",
+          "Audience": "$NETBIRD_AUTH_AUDIENCE",
           "Domain": "$NETBIRD_AUTH0_DOMAIN",
           "ClientID": "$NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID",
           "TokenEndpoint": "$NETBIRD_AUTH_TOKEN_ENDPOINT",
-          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT",
-          "Scope": "$NETBIRD_AUTH_DEVICE_AUTH_SCOPE",
-          "UseIDToken": $NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN
+          "DeviceAuthEndpoint": "$NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT"
          }
     }
 }

infrastructure_files/setup.env.example

@@ -2,11 +2,7 @@
 ##
 # Dashboard domain. e.g. app.mydomain.com
 NETBIRD_DOMAIN=""
-
-# -------------------------------------------
-# OIDC
-#  e.g., https://example.eu.auth0.com/.well-known/openid-configuration
-# -------------------------------------------
+# OIDC configuration e.g., https://example.eu.auth0.com/.well-known/openid-configuration
 NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT=""
 NETBIRD_AUTH_AUDIENCE=""
 # e.g. netbird-client
@@ -17,30 +13,14 @@ NETBIRD_AUTH_CLIENT_ID=""
 NETBIRD_USE_AUTH0="false"
 NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
 NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience, scopes and to use id token for device authorization flow
-# you can customize here:
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
-NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
-
+# e.g. hello@mydomain.com
+NETBIRD_LETSENCRYPT_EMAIL=""
 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
 # NETBIRD_AUTH_REDIRECT_URI="/peers"
 # NETBIRD_AUTH_SILENT_REDIRECT_URI="/add-peers"
-# Updates the preference to use id tokens instead of access token on dashboard
-# Okta and Gitlab IDPs can benefit from this
-# NETBIRD_TOKEN_SOURCE="idToken"
-
-# -------------------------------------------
-# Letsencrypt
-# -------------------------------------------
-# Disable letsencrypt
-#  if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
-NETBIRD_DISABLE_LETSENCRYPT=false
-# e.g. hello@mydomain.com
-NETBIRD_LETSENCRYPT_EMAIL=""
 
 # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
-NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
+NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted

infrastructure_files/tests/setup.env

@@ -11,9 +11,4 @@ NETBIRD_USE_AUTH0=$CI_NETBIRD_USE_AUTH0
 NETBIRD_AUTH_AUDIENCE=$CI_NETBIRD_AUTH_AUDIENCE
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
-NETBIRD_AUTH_REDIRECT_URI="/peers"
-NETBIRD_DISABLE_LETSENCRYPT=true
-NETBIRD_TOKEN_SOURCE="idToken"
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="super"
-NETBIRD_AUTH_USER_ID_CLAIM="email"
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
+NETBIRD_AUTH_REDIRECT_URI="/peers"

management/client/grpc.go

@@ -20,7 +20,6 @@ import (
 	"google.golang.org/grpc/keepalive"
 
 	"github.com/cenkalti/backoff/v4"
-
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/management/proto"
@@ -145,19 +144,15 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 		// blocking until error
 		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
 		if err != nil {
-			s, _ := gstatus.FromError(err)
-			switch s.Code() {
-			case codes.PermissionDenied:
+			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
 				return backoff.Permanent(err) // unrecoverable error, propagate to the upper layer
-			case codes.Canceled:
-				log.Debugf("management connection context has been canceled, this usually indicates shutdown")
-				return nil
-			default:
-				backOff.Reset() // reset backoff counter after successful connection
-				c.notifyDisconnected()
-				log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
-				return err
 			}
+			// we need this reset because after a successful connection and a consequent error, backoff lib doesn't
+			// reset times and next try will start with a long delay
+			backOff.Reset()
+			c.notifyDisconnected()
+			log.Warnf("disconnected from the Management service but will retry silently. Reason: %v", err)
+			return err
 		}
 
 		return nil

management/cmd/management.go

@@ -19,28 +19,25 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/miekg/dns"
+	"github.com/netbirdio/netbird/management/server/activity/sqlite"
+	httpapi "github.com/netbirdio/netbird/management/server/http"
+	"github.com/netbirdio/netbird/management/server/metrics"
+	"github.com/netbirdio/netbird/management/server/telemetry"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
 
-	"github.com/netbirdio/netbird/management/server/activity/sqlite"
-	httpapi "github.com/netbirdio/netbird/management/server/http"
-	"github.com/netbirdio/netbird/management/server/jwtclaims"
-	"github.com/netbirdio/netbird/management/server/metrics"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/util"
 
+	"github.com/netbirdio/netbird/encryption"
+	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/keepalive"
-
-	"github.com/netbirdio/netbird/encryption"
-	mgmtProto "github.com/netbirdio/netbird/management/proto"
 )
 
 // ManagementLegacyPort is the port that was used before by the Management gRPC server.
@@ -182,22 +179,13 @@ var (
 				tlsEnabled = true
 			}
 
-			jwtValidator, err := jwtclaims.NewJWTValidator(
-				config.HttpConfig.AuthIssuer,
-				config.GetAuthAudiences(),
-				config.HttpConfig.AuthKeysLocation,
-			)
-			if err != nil {
-				return fmt.Errorf("failed creating JWT validator: %v", err)
-			}
-
 			httpAPIAuthCfg := httpapi.AuthCfg{
 				Issuer:       config.HttpConfig.AuthIssuer,
 				Audience:     config.HttpConfig.AuthAudience,
 				UserIDClaim:  config.HttpConfig.AuthUserIDClaim,
 				KeysLocation: config.HttpConfig.AuthKeysLocation,
 			}
-			httpAPIHandler, err := httpapi.APIHandler(accountManager, *jwtValidator, appMetrics, httpAPIAuthCfg)
+			httpAPIHandler, err := httpapi.APIHandler(accountManager, appMetrics, httpAPIAuthCfg)
 			if err != nil {
 				return fmt.Errorf("failed creating HTTP API handler: %v", err)
 			}
@@ -417,10 +405,6 @@ func loadMgmtConfig(mgmtConfigPath string) (*server.Config, error) {
 			log.Infof("overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: %s, previously configured value: %s",
 				u.Host, config.DeviceAuthorizationFlow.ProviderConfig.Domain)
 			config.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
-
-			if config.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
-				config.DeviceAuthorizationFlow.ProviderConfig.Scope = server.DefaultDeviceAuthFlowScope
-			}
 		}
 	}
 

management/proto/management.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v3.21.9
+// 	protoc        v3.21.0
 // source: management.proto
 
 package proto
@@ -995,6 +995,8 @@ type NetworkMap struct {
 	DNSConfig *DNSConfig `protobuf:"bytes,6,opt,name=DNSConfig,proto3" json:"DNSConfig,omitempty"`
 	// RemotePeerConfig represents a list of remote peers that the receiver can connect to
 	OfflinePeers []*RemotePeerConfig `protobuf:"bytes,7,rep,name=offlinePeers,proto3" json:"offlinePeers,omitempty"`
+	// FirewallRule represents a list of firewall rules to be applied to peer
+	FirewallRules []*FirewallRule `protobuf:"bytes,8,rep,name=FirewallRules,proto3" json:"FirewallRules,omitempty"`
 }
 
 func (x *NetworkMap) Reset() {
@@ -1078,6 +1080,13 @@ func (x *NetworkMap) GetOfflinePeers() []*RemotePeerConfig {
 	return nil
 }
 
+func (x *NetworkMap) GetFirewallRules() []*FirewallRule {
+	if x != nil {
+		return x.FirewallRules
+	}
+	return nil
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure WireGuard Peers sections
 type RemotePeerConfig struct {
@@ -1331,10 +1340,6 @@ type ProviderConfig struct {
 	DeviceAuthEndpoint string `protobuf:"bytes,5,opt,name=DeviceAuthEndpoint,proto3" json:"DeviceAuthEndpoint,omitempty"`
 	// TokenEndpoint is an endpoint to request auth token.
 	TokenEndpoint string `protobuf:"bytes,6,opt,name=TokenEndpoint,proto3" json:"TokenEndpoint,omitempty"`
-	// Scopes provides the scopes to be included in the token request
-	Scope string `protobuf:"bytes,7,opt,name=Scope,proto3" json:"Scope,omitempty"`
-	// UseIDToken indicates if the id token should be used for authentication
-	UseIDToken bool `protobuf:"varint,8,opt,name=UseIDToken,proto3" json:"UseIDToken,omitempty"`
 }
 
 func (x *ProviderConfig) Reset() {
@@ -1411,20 +1416,6 @@ func (x *ProviderConfig) GetTokenEndpoint() string {
 	return ""
 }
 
-func (x *ProviderConfig) GetScope() string {
-	if x != nil {
-		return x.Scope
-	}
-	return ""
-}
-
-func (x *ProviderConfig) GetUseIDToken() bool {
-	if x != nil {
-		return x.UseIDToken
-	}
-	return false
-}
-
 // Route represents a route.Route object
 type Route struct {
 	state         protoimpl.MessageState
@@ -1849,6 +1840,94 @@ func (x *NameServer) GetPort() int64 {
 	return 0
 }
 
+// FirewallRule represents a firewall rule
+type FirewallRule struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	PeerID    string `protobuf:"bytes,1,opt,name=PeerID,proto3" json:"PeerID,omitempty"`
+	PeerIP    string `protobuf:"bytes,2,opt,name=PeerIP,proto3" json:"PeerIP,omitempty"`
+	Direction string `protobuf:"bytes,3,opt,name=Direction,proto3" json:"Direction,omitempty"`
+	Action    string `protobuf:"bytes,4,opt,name=Action,proto3" json:"Action,omitempty"`
+	Protocol  string `protobuf:"bytes,5,opt,name=Protocol,proto3" json:"Protocol,omitempty"`
+	Port      string `protobuf:"bytes,6,opt,name=Port,proto3" json:"Port,omitempty"`
+}
+
+func (x *FirewallRule) Reset() {
+	*x = FirewallRule{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_management_proto_msgTypes[25]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *FirewallRule) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*FirewallRule) ProtoMessage() {}
+
+func (x *FirewallRule) ProtoReflect() protoreflect.Message {
+	mi := &file_management_proto_msgTypes[25]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use FirewallRule.ProtoReflect.Descriptor instead.
+func (*FirewallRule) Descriptor() ([]byte, []int) {
+	return file_management_proto_rawDescGZIP(), []int{25}
+}
+
+func (x *FirewallRule) GetPeerID() string {
+	if x != nil {
+		return x.PeerID
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetPeerIP() string {
+	if x != nil {
+		return x.PeerIP
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetDirection() string {
+	if x != nil {
+		return x.Direction
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetAction() string {
+	if x != nil {
+		return x.Action
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetProtocol() string {
+	if x != nil {
+		return x.Protocol
+	}
+	return ""
+}
+
+func (x *FirewallRule) GetPort() string {
+	if x != nil {
+		return x.Port
+	}
+	return ""
+}
+
 var File_management_proto protoreflect.FileDescriptor
 
 var file_management_proto_rawDesc = []byte{
@@ -1966,7 +2045,7 @@ var file_management_proto_rawDesc = []byte{
 	0x28, 0x0b, 0x32, 0x15, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
 	0x53, 0x53, 0x48, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x09, 0x73, 0x73, 0x68, 0x43, 0x6f,
 	0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0xee, 0x02, 0x0a, 0x0a, 0x4e, 0x65, 0x74,
+	0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x22, 0xae, 0x03, 0x0a, 0x0a, 0x4e, 0x65, 0x74,
 	0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61,
 	0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69, 0x61, 0x6c, 0x12,
 	0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20,
@@ -1989,7 +2068,11 @@ var file_management_proto_rawDesc = []byte{
 	0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e,
 	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74,
 	0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0c, 0x6f, 0x66, 0x66,
-	0x6c, 0x69, 0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x22, 0x97, 0x01, 0x0a, 0x10, 0x52, 0x65,
+	0x6c, 0x69, 0x6e, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x3e, 0x0a, 0x0d, 0x46, 0x69, 0x72,
+	0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x46, 0x69,
+	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x0d, 0x46, 0x69, 0x72, 0x65,
+	0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x22, 0x97, 0x01, 0x0a, 0x10, 0x52, 0x65,
 	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a,
 	0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c,
@@ -2018,7 +2101,7 @@ var file_management_proto_rawDesc = []byte{
 	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0e, 0x50, 0x72, 0x6f, 0x76,
 	0x69, 0x64, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x16, 0x0a, 0x08, 0x70, 0x72,
 	0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x0a, 0x0a, 0x06, 0x48, 0x4f, 0x53, 0x54, 0x45, 0x44,
-	0x10, 0x00, 0x22, 0x90, 0x02, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
+	0x10, 0x00, 0x22, 0xda, 0x01, 0x0a, 0x0e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x43,
 	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
 	0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x49,
 	0x44, 0x12, 0x22, 0x0a, 0x0c, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x72, 0x65,
@@ -2031,84 +2114,91 @@ var file_management_proto_rawDesc = []byte{
 	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74,
 	0x68, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x24, 0x0a, 0x0d, 0x54, 0x6f, 0x6b,
 	0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12,
-	0x14, 0x0a, 0x05, 0x53, 0x63, 0x6f, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x53, 0x63, 0x6f, 0x70, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44, 0x54, 0x6f,
-	0x6b, 0x65, 0x6e, 0x18, 0x08, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x55, 0x73, 0x65, 0x49, 0x44,
-	0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x22, 0xb5, 0x01, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12,
-	0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12,
-	0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x07, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74,
-	0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b,
-	0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50,
-	0x65, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12,
-	0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52,
-	0x06, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75,
-	0x65, 0x72, 0x61, 0x64, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73,
-	0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44,
-	0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x22, 0xb4, 0x01,
-	0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0d, 0x53,
-	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c,
-	0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47,
-	0x72, 0x6f, 0x75, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72,
-	0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x52, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x12, 0x38, 0x0a, 0x0b, 0x43, 0x75,
-	0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
-	0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x75, 0x73,
-	0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x52, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a,
-	0x6f, 0x6e, 0x65, 0x73, 0x22, 0x58, 0x0a, 0x0a, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f,
-	0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x06, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x07, 0x52, 0x65,
-	0x63, 0x6f, 0x72, 0x64, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52,
-	0x65, 0x63, 0x6f, 0x72, 0x64, 0x52, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x22, 0x74,
-	0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x12,
-	0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61,
-	0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03,
-	0x52, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03,
-	0x54, 0x54, 0x4c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x03, 0x54, 0x54, 0x4c, 0x12, 0x14,
-	0x0a, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x52,
-	0x44, 0x61, 0x74, 0x61, 0x22, 0x7f, 0x0a, 0x0f, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76,
-	0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x12, 0x38, 0x0a, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53,
-	0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65,
-	0x72, 0x76, 0x65, 0x72, 0x52, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x73, 0x12, 0x18, 0x0a, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x07, 0x50, 0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x44,
-	0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f,
-	0x6d, 0x61, 0x69, 0x6e, 0x73, 0x22, 0x48, 0x0a, 0x0a, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72,
-	0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x03, 0x52, 0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50,
-	0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x32,
-	0xf7, 0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d,
+	0x52, 0x0d, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22,
+	0xb5, 0x01, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x44, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x44, 0x12, 0x18, 0x0a, 0x07, 0x4e, 0x65, 0x74,
+	0x77, 0x6f, 0x72, 0x6b, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x4e, 0x65, 0x74, 0x77,
+	0x6f, 0x72, 0x6b, 0x12, 0x20, 0x0a, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x54, 0x79,
+	0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0b, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72,
+	0x6b, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x65, 0x65, 0x72, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x65, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x4d, 0x65, 0x74,
+	0x72, 0x69, 0x63, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4d, 0x65, 0x74, 0x72, 0x69,
+	0x63, 0x12, 0x1e, 0x0a, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64, 0x65, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x4d, 0x61, 0x73, 0x71, 0x75, 0x65, 0x72, 0x61, 0x64,
+	0x65, 0x12, 0x14, 0x0a, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x05, 0x4e, 0x65, 0x74, 0x49, 0x44, 0x22, 0xb4, 0x01, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x24, 0x0a, 0x0d, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
+	0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x53, 0x65,
+	0x72, 0x76, 0x69, 0x63, 0x65, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x47, 0x0a, 0x10, 0x4e,
+	0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x18,
+	0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f,
+	0x75, 0x70, 0x52, 0x10, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72,
+	0x6f, 0x75, 0x70, 0x73, 0x12, 0x38, 0x0a, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f,
+	0x6e, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e,
+	0x65, 0x52, 0x0b, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x73, 0x22, 0x58,
+	0x0a, 0x0a, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5a, 0x6f, 0x6e, 0x65, 0x12, 0x16, 0x0a, 0x06,
+	0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x44, 0x6f,
+	0x6d, 0x61, 0x69, 0x6e, 0x12, 0x32, 0x0a, 0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x18,
+	0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x53, 0x69, 0x6d, 0x70, 0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x52,
+	0x07, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x73, 0x22, 0x74, 0x0a, 0x0c, 0x53, 0x69, 0x6d, 0x70,
+	0x6c, 0x65, 0x52, 0x65, 0x63, 0x6f, 0x72, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x4e, 0x61, 0x6d, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04,
+	0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x04, 0x54, 0x79, 0x70, 0x65,
+	0x12, 0x14, 0x0a, 0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x05, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x54, 0x54, 0x4c, 0x18, 0x04, 0x20,
+	0x01, 0x28, 0x03, 0x52, 0x03, 0x54, 0x54, 0x4c, 0x12, 0x14, 0x0a, 0x05, 0x52, 0x44, 0x61, 0x74,
+	0x61, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x52, 0x44, 0x61, 0x74, 0x61, 0x22, 0x7f,
+	0x0a, 0x0f, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x47, 0x72, 0x6f, 0x75,
+	0x70, 0x12, 0x38, 0x0a, 0x0b, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x52, 0x0b,
+	0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x50,
+	0x72, 0x69, 0x6d, 0x61, 0x72, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x50, 0x72,
+	0x69, 0x6d, 0x61, 0x72, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73,
+	0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x22,
+	0x48, 0x0a, 0x0a, 0x4e, 0x61, 0x6d, 0x65, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x12, 0x0e, 0x0a,
+	0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a,
+	0x06, 0x4e, 0x53, 0x54, 0x79, 0x70, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x03, 0x52, 0x06, 0x4e,
+	0x53, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20,
+	0x01, 0x28, 0x03, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74, 0x22, 0xa4, 0x01, 0x0a, 0x0c, 0x46, 0x69,
+	0x72, 0x65, 0x77, 0x61, 0x6c, 0x6c, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65,
+	0x65, 0x72, 0x49, 0x44, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72,
+	0x49, 0x44, 0x12, 0x16, 0x0a, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x06, 0x50, 0x65, 0x65, 0x72, 0x49, 0x50, 0x12, 0x1c, 0x0a, 0x09, 0x44, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x44,
+	0x69, 0x72, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x06, 0x41, 0x63, 0x74, 0x69,
+	0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e,
+	0x12, 0x1a, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x05, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x12, 0x0a, 0x04,
+	0x50, 0x6f, 0x72, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x50, 0x6f, 0x72, 0x74,
+	0x32, 0xf7, 0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a,
+	0x04, 0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
+	0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67,
+	0x65, 0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
+	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a,
+	0x0a, 0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f,
+	0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d,
 	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04,
-	0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
-	0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65,
-	0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65,
-	0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x12, 0x5a, 0x0a,
-	0x1a, 0x47, 0x65, 0x74, 0x44, 0x65, 0x76, 0x69, 0x63, 0x65, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72,
-	0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x46, 0x6c, 0x6f, 0x77, 0x12, 0x1c, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74,
-	0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
-	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
-	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72,
-	0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65,
+	0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -2124,7 +2214,7 @@ func file_management_proto_rawDescGZIP() []byte {
 }
 
 var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 2)
-var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 25)
+var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 26)
 var file_management_proto_goTypes = []interface{}{
 	(HostConfig_Protocol)(0),               // 0: management.HostConfig.Protocol
 	(DeviceAuthorizationFlowProvider)(0),   // 1: management.DeviceAuthorizationFlow.provider
@@ -2153,7 +2243,8 @@ var file_management_proto_goTypes = []interface{}{
 	(*SimpleRecord)(nil),                   // 24: management.SimpleRecord
 	(*NameServerGroup)(nil),                // 25: management.NameServerGroup
 	(*NameServer)(nil),                     // 26: management.NameServer
-	(*timestamppb.Timestamp)(nil),          // 27: google.protobuf.Timestamp
+	(*FirewallRule)(nil),                   // 27: management.FirewallRule
+	(*timestamppb.Timestamp)(nil),          // 28: google.protobuf.Timestamp
 }
 var file_management_proto_depIdxs = []int32{
 	11, // 0: management.SyncResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
@@ -2164,7 +2255,7 @@ var file_management_proto_depIdxs = []int32{
 	6,  // 5: management.LoginRequest.peerKeys:type_name -> management.PeerKeys
 	11, // 6: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
 	14, // 7: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
-	27, // 8: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
+	28, // 8: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
 	12, // 9: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
 	13, // 10: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
 	12, // 11: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
@@ -2176,28 +2267,29 @@ var file_management_proto_depIdxs = []int32{
 	21, // 17: management.NetworkMap.Routes:type_name -> management.Route
 	22, // 18: management.NetworkMap.DNSConfig:type_name -> management.DNSConfig
 	16, // 19: management.NetworkMap.offlinePeers:type_name -> management.RemotePeerConfig
-	17, // 20: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
-	1,  // 21: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
-	20, // 22: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
-	25, // 23: management.DNSConfig.NameServerGroups:type_name -> management.NameServerGroup
-	23, // 24: management.DNSConfig.CustomZones:type_name -> management.CustomZone
-	24, // 25: management.CustomZone.Records:type_name -> management.SimpleRecord
-	26, // 26: management.NameServerGroup.NameServers:type_name -> management.NameServer
-	2,  // 27: management.ManagementService.Login:input_type -> management.EncryptedMessage
-	2,  // 28: management.ManagementService.Sync:input_type -> management.EncryptedMessage
-	10, // 29: management.ManagementService.GetServerKey:input_type -> management.Empty
-	10, // 30: management.ManagementService.isHealthy:input_type -> management.Empty
-	2,  // 31: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
-	2,  // 32: management.ManagementService.Login:output_type -> management.EncryptedMessage
-	2,  // 33: management.ManagementService.Sync:output_type -> management.EncryptedMessage
-	9,  // 34: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
-	10, // 35: management.ManagementService.isHealthy:output_type -> management.Empty
-	2,  // 36: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
-	32, // [32:37] is the sub-list for method output_type
-	27, // [27:32] is the sub-list for method input_type
-	27, // [27:27] is the sub-list for extension type_name
-	27, // [27:27] is the sub-list for extension extendee
-	0,  // [0:27] is the sub-list for field type_name
+	27, // 20: management.NetworkMap.FirewallRules:type_name -> management.FirewallRule
+	17, // 21: management.RemotePeerConfig.sshConfig:type_name -> management.SSHConfig
+	1,  // 22: management.DeviceAuthorizationFlow.Provider:type_name -> management.DeviceAuthorizationFlow.provider
+	20, // 23: management.DeviceAuthorizationFlow.ProviderConfig:type_name -> management.ProviderConfig
+	25, // 24: management.DNSConfig.NameServerGroups:type_name -> management.NameServerGroup
+	23, // 25: management.DNSConfig.CustomZones:type_name -> management.CustomZone
+	24, // 26: management.CustomZone.Records:type_name -> management.SimpleRecord
+	26, // 27: management.NameServerGroup.NameServers:type_name -> management.NameServer
+	2,  // 28: management.ManagementService.Login:input_type -> management.EncryptedMessage
+	2,  // 29: management.ManagementService.Sync:input_type -> management.EncryptedMessage
+	10, // 30: management.ManagementService.GetServerKey:input_type -> management.Empty
+	10, // 31: management.ManagementService.isHealthy:input_type -> management.Empty
+	2,  // 32: management.ManagementService.GetDeviceAuthorizationFlow:input_type -> management.EncryptedMessage
+	2,  // 33: management.ManagementService.Login:output_type -> management.EncryptedMessage
+	2,  // 34: management.ManagementService.Sync:output_type -> management.EncryptedMessage
+	9,  // 35: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
+	10, // 36: management.ManagementService.isHealthy:output_type -> management.Empty
+	2,  // 37: management.ManagementService.GetDeviceAuthorizationFlow:output_type -> management.EncryptedMessage
+	33, // [33:38] is the sub-list for method output_type
+	28, // [28:33] is the sub-list for method input_type
+	28, // [28:28] is the sub-list for extension type_name
+	28, // [28:28] is the sub-list for extension extendee
+	0,  // [0:28] is the sub-list for field type_name
 }
 
 func init() { file_management_proto_init() }
@@ -2506,6 +2598,18 @@ func file_management_proto_init() {
 				return nil
 			}
 		}
+		file_management_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*FirewallRule); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
 	}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
@@ -2513,7 +2617,7 @@ func file_management_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_management_proto_rawDesc,
 			NumEnums:      2,
-			NumMessages:   25,
+			NumMessages:   26,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

management/proto/management.proto

@@ -186,6 +186,9 @@ message NetworkMap {
 
   // RemotePeerConfig represents a list of remote peers that the receiver can connect to
   repeated RemotePeerConfig offlinePeers = 7;
+
+  // FirewallRule represents a list of firewall rules to be applied to peer
+  repeated FirewallRule FirewallRules = 8;
 }
 
 // RemotePeerConfig represents a configuration of a remote peer.
@@ -246,10 +249,6 @@ message ProviderConfig {
   string DeviceAuthEndpoint = 5;
   // TokenEndpoint is an endpoint to request auth token.
   string TokenEndpoint = 6;
-  // Scopes provides the scopes to be included in the token request
-  string Scope = 7;
-  // UseIDToken indicates if the id token should be used for authentication
-  bool UseIDToken = 8;
 }
 
 // Route represents a route.Route object
@@ -297,4 +296,14 @@ message NameServer {
   string IP = 1;
   int64  NSType = 2;
   int64  Port = 3;
-}
+}
+
+// FirewallRule represents a firewall rule
+message FirewallRule {
+  string PeerID = 1;
+  string PeerIP = 2;
+  string Direction = 3;
+  string Action = 4;
+  string Protocol = 5;
+  string Port = 6;
+}

management/server/account.go

@@ -2,10 +2,7 @@ package server
 
 import (
 	"context"
-	"crypto/sha256"
-	b64 "encoding/base64"
 	"fmt"
-	"hash/crc32"
 	"math/rand"
 	"net"
 	"net/netip"
@@ -15,19 +12,17 @@ import (
 	"sync"
 	"time"
 
-	"codeberg.org/ac/base62"
 	"github.com/eko/gocache/v3/cache"
 	cacheStore "github.com/eko/gocache/v3/store"
-	gocache "github.com/patrickmn/go-cache"
-	"github.com/rs/xid"
-	log "github.com/sirupsen/logrus"
-
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"
+	gocache "github.com/patrickmn/go-cache"
+	"github.com/rs/xid"
+	log "github.com/sirupsen/logrus"
 )
 
 const (
@@ -55,8 +50,6 @@ type AccountManager interface {
 	GetSetupKey(accountID, userID, keyID string) (*SetupKey, error)
 	GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error)
 	GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, *User, error)
-	GetAccountFromPAT(pat string) (*Account, *User, *PersonalAccessToken, error)
-	MarkPATUsed(tokenID string) error
 	IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
 	AccountExists(accountId string) (*bool, error)
 	GetPeerByKey(peerKey string) (*Peer, error)
@@ -68,10 +61,6 @@ type AccountManager interface {
 	GetNetworkMap(peerID string) (*NetworkMap, error)
 	GetPeerNetwork(peerID string) (*Network, error)
 	AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error)
-	CreatePAT(accountID string, executingUserID string, targetUserID string, tokenName string, expiresIn int) (*PersonalAccessTokenGenerated, error)
-	DeletePAT(accountID string, executingUserID string, targetUserID string, tokenID string) error
-	GetPAT(accountID string, executingUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error)
-	GetAllPATs(accountID string, executingUserID string, targetUserID string) ([]*PersonalAccessToken, error)
 	UpdatePeerSSHKey(peerID string, sshKey string) error
 	GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error)
 	GetGroup(accountId, groupID string) (*Group, error)
@@ -283,7 +272,7 @@ func (a *Account) GetGroup(groupID string) *Group {
 
 // GetPeerNetworkMap returns a group by ID if exists, nil otherwise
 func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
-	aclPeers, _ := a.getPeersByPolicy(peerID)
+	aclPeers, firewallRules := a.getPeersByPolicy(peerID)
 	// exclude expired peers
 	var peersToConnect []*Peer
 	var expiredPeers []*Peer
@@ -314,11 +303,12 @@ func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
 	}
 
 	return &NetworkMap{
-		Peers:        peersToConnect,
-		Network:      a.Network.Copy(),
-		Routes:       routesUpdate,
-		DNSConfig:    dnsUpdate,
-		OfflinePeers: expiredPeers,
+		Peers:         peersToConnect,
+		Network:       a.Network.Copy(),
+		Routes:        routesUpdate,
+		DNSConfig:     dnsUpdate,
+		OfflinePeers:  expiredPeers,
+		FirewallRules: firewallRules,
 	}
 }
 
@@ -362,11 +352,11 @@ func (a *Account) GetNextPeerExpiration() (time.Duration, bool) {
 	return *nextExpiry, true
 }
 
-// GetPeersWithExpiration returns a list of peers that have Peer.LoginExpirationEnabled set to true and that were added by a user
+// GetPeersWithExpiration returns a list of peers that have Peer.LoginExpirationEnabled set to true
 func (a *Account) GetPeersWithExpiration() []*Peer {
 	peers := make([]*Peer, 0)
 	for _, peer := range a.Peers {
-		if peer.LoginExpirationEnabled && peer.AddedWithSSOLogin() {
+		if peer.LoginExpirationEnabled {
 			peers = append(peers, peer)
 		}
 	}
@@ -1123,87 +1113,6 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 	return nil
 }
 
-// MarkPATUsed marks a personal access token as used
-func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
-	unlock := am.Store.AcquireGlobalLock()
-
-	user, err := am.Store.GetUserByTokenID(tokenID)
-	if err != nil {
-		return err
-	}
-
-	account, err := am.Store.GetAccountByUser(user.Id)
-	if err != nil {
-		return err
-	}
-
-	unlock()
-	unlock = am.Store.AcquireAccountLock(account.Id)
-	defer unlock()
-
-	account, err = am.Store.GetAccountByUser(user.Id)
-	if err != nil {
-		return err
-	}
-
-	pat, ok := account.Users[user.Id].PATs[tokenID]
-	if !ok {
-		return fmt.Errorf("token not found")
-	}
-
-	pat.LastUsed = time.Now().UTC()
-
-	return am.Store.SaveAccount(account)
-}
-
-// GetAccountFromPAT returns Account and User associated with a personal access token
-func (am *DefaultAccountManager) GetAccountFromPAT(token string) (*Account, *User, *PersonalAccessToken, error) {
-	if len(token) != PATLength {
-		return nil, nil, nil, fmt.Errorf("token has wrong length")
-	}
-
-	prefix := token[:len(PATPrefix)]
-	if prefix != PATPrefix {
-		return nil, nil, nil, fmt.Errorf("token has wrong prefix")
-	}
-	secret := token[len(PATPrefix) : len(PATPrefix)+PATSecretLength]
-	encodedChecksum := token[len(PATPrefix)+PATSecretLength : len(PATPrefix)+PATSecretLength+PATChecksumLength]
-
-	verificationChecksum, err := base62.Decode(encodedChecksum)
-	if err != nil {
-		return nil, nil, nil, fmt.Errorf("token checksum decoding failed: %w", err)
-	}
-
-	secretChecksum := crc32.ChecksumIEEE([]byte(secret))
-	if secretChecksum != verificationChecksum {
-		return nil, nil, nil, fmt.Errorf("token checksum does not match")
-	}
-
-	hashedToken := sha256.Sum256([]byte(token))
-	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	tokenID, err := am.Store.GetTokenIDByHashedToken(encodedHashedToken)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	user, err := am.Store.GetUserByTokenID(tokenID)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	account, err := am.Store.GetAccountByUser(user.Id)
-	if err != nil {
-		return nil, nil, nil, err
-	}
-
-	pat := user.PATs[tokenID]
-	if pat == nil {
-		return nil, nil, nil, fmt.Errorf("personal access token not found")
-	}
-
-	return account, user, pat, nil
-}
-
 // GetAccountFromToken returns an account associated with this token
 func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.AuthorizationClaims) (*Account, *User, error) {
 	if claims.UserId == "" {

management/server/account_test.go

@@ -1,8 +1,6 @@
 package server
 
 import (
-	"crypto/sha256"
-	b64 "encoding/base64"
 	"fmt"
 	"net"
 	"reflect"
@@ -127,12 +125,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID1,
 					DNSLabel: peerID1,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    false,
 						LoginExpired: true,
 					},
 					UserID:    userID,
-					LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+					LastLogin: time.Now().Add(-time.Hour * 24 * 30 * 30),
 				},
 				"peer-2": {
 					ID:       peerID2,
@@ -141,12 +139,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID2,
 					DNSLabel: peerID2,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    false,
 						LoginExpired: false,
 					},
 					UserID:                 userID,
-					LastLogin:              time.Now().UTC(),
+					LastLogin:              time.Now(),
 					LoginExpirationEnabled: true,
 				},
 			},
@@ -165,12 +163,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID1,
 					DNSLabel: peerID1,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    false,
 						LoginExpired: true,
 					},
 					UserID:                 userID,
-					LastLogin:              time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+					LastLogin:              time.Now().Add(-time.Hour * 24 * 30 * 30),
 					LoginExpirationEnabled: true,
 				},
 				"peer-2": {
@@ -180,12 +178,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					Name:     peerID2,
 					DNSLabel: peerID2,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    false,
 						LoginExpired: true,
 					},
 					UserID:                 userID,
-					LastLogin:              time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+					LastLogin:              time.Now().Add(-time.Hour * 24 * 30 * 30),
 					LoginExpirationEnabled: true,
 				},
 			},
@@ -460,79 +458,6 @@ func TestDefaultAccountManager_GetAccountFromToken(t *testing.T) {
 	}
 }
 
-func TestAccountManager_GetAccountFromPAT(t *testing.T) {
-	store := newStore(t)
-	account := newAccountWithId("account_id", "testuser", "")
-
-	token := "nbp_9999EUDNdkeusjentDLSJEn1902u84390W6W"
-	hashedToken := sha256.Sum256([]byte(token))
-	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	account.Users["someUser"] = &User{
-		Id: "someUser",
-		PATs: map[string]*PersonalAccessToken{
-			"tokenId": {
-				ID:          "tokenId",
-				HashedToken: encodedHashedToken,
-			},
-		},
-	}
-	err := store.SaveAccount(account)
-	if err != nil {
-		t.Fatalf("Error when saving account: %s", err)
-	}
-
-	am := DefaultAccountManager{
-		Store: store,
-	}
-
-	account, user, pat, err := am.GetAccountFromPAT(token)
-	if err != nil {
-		t.Fatalf("Error when getting Account from PAT: %s", err)
-	}
-
-	assert.Equal(t, "account_id", account.Id)
-	assert.Equal(t, "someUser", user.Id)
-	assert.Equal(t, account.Users["someUser"].PATs["tokenId"], pat)
-}
-
-func TestDefaultAccountManager_MarkPATUsed(t *testing.T) {
-	store := newStore(t)
-	account := newAccountWithId("account_id", "testuser", "")
-
-	token := "nbp_9999EUDNdkeusjentDLSJEn1902u84390W6W"
-	hashedToken := sha256.Sum256([]byte(token))
-	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
-	account.Users["someUser"] = &User{
-		Id: "someUser",
-		PATs: map[string]*PersonalAccessToken{
-			"tokenId": {
-				ID:          "tokenId",
-				HashedToken: encodedHashedToken,
-				LastUsed:    time.Time{},
-			},
-		},
-	}
-	err := store.SaveAccount(account)
-	if err != nil {
-		t.Fatalf("Error when saving account: %s", err)
-	}
-
-	am := DefaultAccountManager{
-		Store: store,
-	}
-
-	err = am.MarkPATUsed("tokenId")
-	if err != nil {
-		t.Fatalf("Error when marking PAT used: %s", err)
-	}
-
-	account, err = am.Store.GetAccount("account_id")
-	if err != nil {
-		t.Fatalf("Error when getting account: %s", err)
-	}
-	assert.True(t, !account.Users["someUser"].PATs["tokenId"].LastUsed.IsZero())
-}
-
 func TestAccountManager_PrivateAccount(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
@@ -1283,15 +1208,15 @@ func TestAccount_Copy(t *testing.T) {
 				Id:         "user1",
 				Role:       UserRoleAdmin,
 				AutoGroups: []string{"group1"},
-				PATs: map[string]*PersonalAccessToken{
-					"pat1": {
+				PATs: []PersonalAccessToken{
+					{
 						ID:             "pat1",
-						Name:           "First PAT",
+						Description:    "First PAT",
 						HashedToken:    "SoMeHaShEdToKeN",
-						ExpirationDate: time.Now().UTC().AddDate(0, 0, 7),
+						ExpirationDate: time.Now().AddDate(0, 0, 7),
 						CreatedBy:      "user1",
-						CreatedAt:      time.Now().UTC(),
-						LastUsed:       time.Now().UTC(),
+						CreatedAt:      time.Now(),
+						LastUsed:       time.Now(),
 					},
 				},
 			},
@@ -1569,22 +1494,22 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 					ID:                     "peer-1",
 					LoginExpirationEnabled: true,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    true,
 						LoginExpired: false,
 					},
-					LastLogin: time.Now().UTC().Add(-30 * time.Minute),
+					LastLogin: time.Now().Add(-30 * time.Minute),
 					UserID:    userID,
 				},
 				"peer-2": {
 					ID:                     "peer-2",
 					LoginExpirationEnabled: true,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    true,
 						LoginExpired: false,
 					},
-					LastLogin: time.Now().UTC().Add(-2 * time.Hour),
+					LastLogin: time.Now().Add(-2 * time.Hour),
 					UserID:    userID,
 				},
 
@@ -1592,11 +1517,11 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 					ID:                     "peer-3",
 					LoginExpirationEnabled: true,
 					Status: &PeerStatus{
-						LastSeen:     time.Now().UTC(),
+						LastSeen:     time.Now(),
 						Connected:    true,
 						LoginExpired: false,
 					},
-					LastLogin: time.Now().UTC().Add(-1 * time.Hour),
+					LastLogin: time.Now().Add(-1 * time.Hour),
 					UserID:    userID,
 				},
 			},
@@ -1646,11 +1571,9 @@ func TestAccount_GetPeersWithExpiration(t *testing.T) {
 			peers: map[string]*Peer{
 				"peer-1": {
 					LoginExpirationEnabled: false,
-					UserID:                 userID,
 				},
 				"peer-2": {
 					LoginExpirationEnabled: false,
-					UserID:                 userID,
 				},
 			},
 			expectedPeers: map[string]struct{}{},
@@ -1661,11 +1584,9 @@ func TestAccount_GetPeersWithExpiration(t *testing.T) {
 				"peer-1": {
 					ID:                     "peer-1",
 					LoginExpirationEnabled: true,
-					UserID:                 userID,
 				},
 				"peer-2": {
 					LoginExpirationEnabled: false,
-					UserID:                 userID,
 				},
 			},
 			expectedPeers: map[string]struct{}{
@@ -1725,14 +1646,12 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						Connected: false,
 					},
 					LoginExpirationEnabled: true,
-					UserID:                 userID,
 				},
 				"peer-2": {
 					Status: &PeerStatus{
 						Connected: true,
 					},
 					LoginExpirationEnabled: false,
-					UserID:                 userID,
 				},
 			},
 			expiration:             time.Second,
@@ -1748,14 +1667,12 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						Connected: true,
 					},
 					LoginExpirationEnabled: false,
-					UserID:                 userID,
 				},
 				"peer-2": {
 					Status: &PeerStatus{
 						Connected: true,
 					},
 					LoginExpirationEnabled: false,
-					UserID:                 userID,
 				},
 			},
 			expiration:             time.Second,
@@ -1772,7 +1689,6 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						LoginExpired: true,
 					},
 					LoginExpirationEnabled: true,
-					UserID:                 userID,
 				},
 				"peer-2": {
 					Status: &PeerStatus{
@@ -1780,7 +1696,6 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						LoginExpired: true,
 					},
 					LoginExpirationEnabled: true,
-					UserID:                 userID,
 				},
 			},
 			expiration:             time.Second,
@@ -1797,8 +1712,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						LoginExpired: false,
 					},
 					LoginExpirationEnabled: true,
-					LastLogin:              time.Now().UTC(),
-					UserID:                 userID,
+					LastLogin:              time.Now(),
 				},
 				"peer-2": {
 					Status: &PeerStatus{
@@ -1806,7 +1720,6 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 						LoginExpired: true,
 					},
 					LoginExpirationEnabled: true,
-					UserID:                 userID,
 				},
 			},
 			expiration:             time.Minute,
@@ -1814,31 +1727,6 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 			expectedNextRun:        true,
 			expectedNextExpiration: expectedNextExpiration,
 		},
-		{
-			name: "Peers added with setup keys, no expiration",
-			peers: map[string]*Peer{
-				"peer-1": {
-					Status: &PeerStatus{
-						Connected:    true,
-						LoginExpired: false,
-					},
-					LoginExpirationEnabled: true,
-					SetupKey:               "key",
-				},
-				"peer-2": {
-					Status: &PeerStatus{
-						Connected:    true,
-						LoginExpired: false,
-					},
-					LoginExpirationEnabled: true,
-					SetupKey:               "key",
-				},
-			},
-			expiration:             time.Second,
-			expirationEnabled:      false,
-			expectedNextRun:        false,
-			expectedNextExpiration: time.Duration(0),
-		},
 	}
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {

management/server/activity/codes.go

@@ -83,10 +83,6 @@ const (
 	AccountPeerLoginExpirationDisabled
 	// AccountPeerLoginExpirationDurationUpdated indicates that a user updated peer login expiration duration for the account
 	AccountPeerLoginExpirationDurationUpdated
-	// PersonalAccessTokenCreated indicates that a user created a personal access token
-	PersonalAccessTokenCreated
-	// PersonalAccessTokenDeleted indicates that a user deleted a personal access token
-	PersonalAccessTokenDeleted
 )
 
 const (
@@ -172,10 +168,6 @@ const (
 	AccountPeerLoginExpirationDisabledMessage string = "Peer login expiration disabled for the account"
 	// AccountPeerLoginExpirationDurationUpdatedMessage is a human-readable text message of the AccountPeerLoginExpirationDurationUpdated activity
 	AccountPeerLoginExpirationDurationUpdatedMessage string = "Peer login expiration duration updated"
-	// PersonalAccessTokenCreatedMessage is a human-readable text message of the PersonalAccessTokenCreated activity
-	PersonalAccessTokenCreatedMessage string = "Personal access token created"
-	// PersonalAccessTokenDeletedMessage is a human-readable text message of the PersonalAccessTokenDeleted activity
-	PersonalAccessTokenDeletedMessage string = "Personal access token deleted"
 )
 
 // Activity that triggered an Event
@@ -266,10 +258,6 @@ func (a Activity) Message() string {
 		return AccountPeerLoginExpirationDisabledMessage
 	case AccountPeerLoginExpirationDurationUpdated:
 		return AccountPeerLoginExpirationDurationUpdatedMessage
-	case PersonalAccessTokenCreated:
-		return PersonalAccessTokenCreatedMessage
-	case PersonalAccessTokenDeleted:
-		return PersonalAccessTokenDeletedMessage
 	default:
 		return "UNKNOWN_ACTIVITY"
 	}
@@ -360,10 +348,6 @@ func (a Activity) StringCode() string {
 		return "account.setting.peer.login.expiration.enable"
 	case AccountPeerLoginExpirationDisabled:
 		return "account.setting.peer.login.expiration.disable"
-	case PersonalAccessTokenCreated:
-		return "personal.access.token.create"
-	case PersonalAccessTokenDeleted:
-		return "personal.access.token.delete"
 	default:
 		return "UNKNOWN_ACTIVITY"
 	}

management/server/activity/sqlite/sqlite_test.go

@@ -2,12 +2,10 @@ package sqlite
 
 import (
 	"fmt"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/stretchr/testify/assert"
 	"testing"
 	"time"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/netbirdio/netbird/management/server/activity"
 )
 
 func TestNewSQLiteStore(t *testing.T) {
@@ -17,13 +15,13 @@ func TestNewSQLiteStore(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-	defer store.Close() //nolint
+        defer store.Close() //nolint
 
 	accountID := "account_1"
 
 	for i := 0; i < 10; i++ {
 		_, err = store.Save(&activity.Event{
-			Timestamp:   time.Now().UTC(),
+			Timestamp:   time.Now(),
 			Activity:    activity.PeerAddedByUser,
 			InitiatorID: "user_" + fmt.Sprint(i),
 			TargetID:    "peer_" + fmt.Sprint(i),

management/server/config.go

@@ -24,11 +24,6 @@ const (
 	NONE  Provider = "none"
 )
 
-const (
-	// DefaultDeviceAuthFlowScope defines the bare minimum scope to request in the device authorization flow
-	DefaultDeviceAuthFlowScope string = "openid"
-)
-
 // Config of the Management service
 type Config struct {
 	Stuns      []*Host
@@ -44,17 +39,6 @@ type Config struct {
 	DeviceAuthorizationFlow *DeviceAuthorizationFlow
 }
 
-// GetAuthAudiences returns the audience from the http config and device authorization flow config
-func (c Config) GetAuthAudiences() []string {
-	audiences := []string{c.HttpConfig.AuthAudience}
-
-	if c.DeviceAuthorizationFlow != nil && c.DeviceAuthorizationFlow.ProviderConfig.Audience != "" {
-		audiences = append(audiences, c.DeviceAuthorizationFlow.ProviderConfig.Audience)
-	}
-
-	return audiences
-}
-
 // TURNConfig is a config of the TURNCredentialsManager
 type TURNConfig struct {
 	TimeBasedCredentials bool
@@ -114,10 +98,6 @@ type ProviderConfig struct {
 	TokenEndpoint string
 	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
 	DeviceAuthEndpoint string
-	// Scopes provides the scopes to be included in the token request
-	Scope string
-	// UseIDToken indicates if the id token should be used for authentication
-	UseIDToken bool
 }
 
 // validateURL validates input http url

management/server/event.go

@@ -2,11 +2,9 @@ package server
 
 import (
 	"fmt"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/management/server/activity"
+	log "github.com/sirupsen/logrus"
+	"time"
 )
 
 // GetEvents returns a list of activity events of an account
@@ -41,7 +39,7 @@ func (am *DefaultAccountManager) storeEvent(initiatorID, targetID, accountID str
 
 	go func() {
 		_, err := am.eventStore.Save(&activity.Event{
-			Timestamp:   time.Now().UTC(),
+			Timestamp:   time.Now(),
 			Activity:    activityID,
 			InitiatorID: initiatorID,
 			TargetID:    targetID,
@@ -49,7 +47,7 @@ func (am *DefaultAccountManager) storeEvent(initiatorID, targetID, accountID str
 			Meta:        meta,
 		})
 		if err != nil {
-			// todo add metric
+			//todo add metric
 			log.Errorf("received an error while storing an activity event, error: %s", err)
 		}
 	}()

management/server/event_test.go

@@ -1,19 +1,17 @@
 package server
 
 import (
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/stretchr/testify/assert"
 	"testing"
 	"time"
-
-	"github.com/stretchr/testify/assert"
-
-	"github.com/netbirdio/netbird/management/server/activity"
 )
 
 func generateAndStoreEvents(t *testing.T, manager *DefaultAccountManager, typ activity.Activity, initiatorID, targetID,
 	accountID string, count int) {
 	for i := 0; i < count; i++ {
 		_, err := manager.eventStore.Save(&activity.Event{
-			Timestamp:   time.Now().UTC(),
+			Timestamp:   time.Now(),
 			Activity:    typ,
 			InitiatorID: initiatorID,
 			TargetID:    targetID,

management/server/file_store.go

@@ -7,11 +7,10 @@ import (
 	"sync"
 	"time"
 
+	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/management/server/status"
-
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -26,8 +25,6 @@ type FileStore struct {
 	PeerID2AccountID        map[string]string `json:"-"`
 	UserID2AccountID        map[string]string `json:"-"`
 	PrivateDomain2AccountID map[string]string `json:"-"`
-	HashedPAT2TokenID       map[string]string `json:"-"`
-	TokenID2UserID          map[string]string `json:"-"`
 	InstallationID          string
 
 	// mutex to synchronise Store read/write operations
@@ -60,8 +57,6 @@ func restore(file string) (*FileStore, error) {
 			UserID2AccountID:        make(map[string]string),
 			PrivateDomain2AccountID: make(map[string]string),
 			PeerID2AccountID:        make(map[string]string),
-			HashedPAT2TokenID:       make(map[string]string),
-			TokenID2UserID:          make(map[string]string),
 			storeFile:               file,
 		}
 
@@ -85,8 +80,6 @@ func restore(file string) (*FileStore, error) {
 	store.UserID2AccountID = make(map[string]string)
 	store.PrivateDomain2AccountID = make(map[string]string)
 	store.PeerID2AccountID = make(map[string]string)
-	store.HashedPAT2TokenID = make(map[string]string)
-	store.TokenID2UserID = make(map[string]string)
 
 	for accountID, account := range store.Accounts {
 		if account.Settings == nil {
@@ -110,10 +103,9 @@ func restore(file string) (*FileStore, error) {
 		}
 		for _, user := range account.Users {
 			store.UserID2AccountID[user.Id] = accountID
-			for _, pat := range user.PATs {
-				store.TokenID2UserID[pat.ID] = user.Id
-				store.HashedPAT2TokenID[pat.HashedToken] = pat.ID
-			}
+		}
+		for _, user := range account.Users {
+			store.UserID2AccountID[user.Id] = accountID
 		}
 
 		if account.Domain != "" && account.DomainCategory == PrivateCategory &&
@@ -121,25 +113,15 @@ func restore(file string) (*FileStore, error) {
 			store.PrivateDomain2AccountID[account.Domain] = accountID
 		}
 
-		// TODO: policy query generated from the Go template and rule object.
-		//       We need to refactor this part to avoid using templating for policies queries building
-		//       and drop this migration part.
-		policies := make(map[string]int, len(account.Policies))
-		for i, policy := range account.Policies {
-			policies[policy.ID] = i
-		}
-		if account.Policies == nil {
+		// if no policies are defined, that means we need to migrate Rules to policies
+		if len(account.Policies) == 0 {
 			account.Policies = make([]*Policy, 0)
-		}
-		for _, rule := range account.Rules {
-			policy, err := RuleToPolicy(rule)
-			if err != nil {
-				log.Errorf("unable to migrate rule to policy: %v", err)
-				continue
-			}
-			if i, ok := policies[policy.ID]; ok {
-				account.Policies[i] = policy
-			} else {
+			for _, rule := range account.Rules {
+				policy, err := RuleToPolicy(rule)
+				if err != nil {
+					log.Errorf("unable to migrate rule to policy: %v", err)
+					continue
+				}
 				account.Policies = append(account.Policies, policy)
 			}
 		}
@@ -173,7 +155,7 @@ func restore(file string) (*FileStore, error) {
 		for key, peer := range account.Peers {
 			// set LastLogin for the peers that were onboarded before the peer login expiration feature
 			if peer.LastLogin.IsZero() {
-				peer.LastLogin = time.Now().UTC()
+				peer.LastLogin = time.Now()
 			}
 			if peer.ID != "" {
 				continue
@@ -276,10 +258,6 @@ func (s *FileStore) SaveAccount(account *Account) error {
 
 	for _, user := range accountCopy.Users {
 		s.UserID2AccountID[user.Id] = accountCopy.Id
-		for _, pat := range user.PATs {
-			s.TokenID2UserID[pat.ID] = user.Id
-			s.HashedPAT2TokenID[pat.HashedToken] = pat.ID
-		}
 	}
 
 	if accountCopy.DomainCategory == PrivateCategory && accountCopy.IsDomainPrimaryAccount {
@@ -298,33 +276,13 @@ func (s *FileStore) SaveAccount(account *Account) error {
 	return s.persist(s.storeFile)
 }
 
-// DeleteHashedPAT2TokenIDIndex removes an entry from the indexing map HashedPAT2TokenID
-func (s *FileStore) DeleteHashedPAT2TokenIDIndex(hashedToken string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	delete(s.HashedPAT2TokenID, hashedToken)
-
-	return s.persist(s.storeFile)
-}
-
-// DeleteTokenID2UserIDIndex removes an entry from the indexing map TokenID2UserID
-func (s *FileStore) DeleteTokenID2UserIDIndex(tokenID string) error {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	delete(s.TokenID2UserID, tokenID)
-
-	return s.persist(s.storeFile)
-}
-
 // GetAccountByPrivateDomain returns account by private domain
 func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 
-	accountID, ok := s.PrivateDomain2AccountID[strings.ToLower(domain)]
-	if !ok {
+	accountID, accountIDFound := s.PrivateDomain2AccountID[strings.ToLower(domain)]
+	if !accountIDFound {
 		return nil, status.Errorf(status.NotFound, "account not found: provided domain is not registered or is not private")
 	}
 
@@ -341,8 +299,8 @@ func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 
-	accountID, ok := s.SetupKeyID2AccountID[strings.ToUpper(setupKey)]
-	if !ok {
+	accountID, accountIDFound := s.SetupKeyID2AccountID[strings.ToUpper(setupKey)]
+	if !accountIDFound {
 		return nil, status.Errorf(status.NotFound, "account not found: provided setup key doesn't exists")
 	}
 
@@ -354,42 +312,6 @@ func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error) {
 	return account.Copy(), nil
 }
 
-// GetTokenIDByHashedToken returns the id of a personal access token by its hashed secret
-func (s *FileStore) GetTokenIDByHashedToken(token string) (string, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	tokenID, ok := s.HashedPAT2TokenID[token]
-	if !ok {
-		return "", status.Errorf(status.NotFound, "tokenID not found: provided token doesn't exists")
-	}
-
-	return tokenID, nil
-}
-
-// GetUserByTokenID returns a User object a tokenID belongs to
-func (s *FileStore) GetUserByTokenID(tokenID string) (*User, error) {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-
-	userID, ok := s.TokenID2UserID[tokenID]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "user not found: provided tokenID doesn't exists")
-	}
-
-	accountID, ok := s.UserID2AccountID[userID]
-	if !ok {
-		return nil, status.Errorf(status.NotFound, "accountID not found: provided userID doesn't exists")
-	}
-
-	account, err := s.getAccount(accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	return account.Users[userID].Copy(), nil
-}
-
 // GetAllAccounts returns all accounts
 func (s *FileStore) GetAllAccounts() (all []*Account) {
 	s.mux.Lock()
@@ -403,8 +325,8 @@ func (s *FileStore) GetAllAccounts() (all []*Account) {
 
 // getAccount returns a reference to the Account. Should not return a copy.
 func (s *FileStore) getAccount(accountID string) (*Account, error) {
-	account, ok := s.Accounts[accountID]
-	if !ok {
+	account, accountFound := s.Accounts[accountID]
+	if !accountFound {
 		return nil, status.Errorf(status.NotFound, "account not found")
 	}
 
@@ -429,8 +351,8 @@ func (s *FileStore) GetAccountByUser(userID string) (*Account, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 
-	accountID, ok := s.UserID2AccountID[userID]
-	if !ok {
+	accountID, accountIDFound := s.UserID2AccountID[userID]
+	if !accountIDFound {
 		return nil, status.Errorf(status.NotFound, "account not found")
 	}
 
@@ -447,8 +369,8 @@ func (s *FileStore) GetAccountByPeerID(peerID string) (*Account, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 
-	accountID, ok := s.PeerID2AccountID[peerID]
-	if !ok {
+	accountID, accountIDFound := s.PeerID2AccountID[peerID]
+	if !accountIDFound {
 		return nil, status.Errorf(status.NotFound, "provided peer ID doesn't exists %s", peerID)
 	}
 
@@ -473,8 +395,8 @@ func (s *FileStore) GetAccountByPeerPubKey(peerKey string) (*Account, error) {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 
-	accountID, ok := s.PeerKeyID2AccountID[peerKey]
-	if !ok {
+	accountID, accountIDFound := s.PeerKeyID2AccountID[peerKey]
+	if !accountIDFound {
 		return nil, status.Errorf(status.NotFound, "provided peer key doesn't exists %s", peerKey)
 	}
 

management/server/file_store_test.go

@@ -1,16 +1,14 @@
 package server
 
 import (
-	"crypto/sha256"
 	"net"
 	"path/filepath"
 	"testing"
 	"time"
 
+	"github.com/netbirdio/netbird/util"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/util"
 )
 
 type accounts struct {
@@ -73,14 +71,6 @@ func TestNewStore(t *testing.T) {
 	if store.UserID2AccountID == nil || len(store.UserID2AccountID) != 0 {
 		t.Errorf("expected to create a new empty UserID2AccountID map when creating a new FileStore")
 	}
-
-	if store.HashedPAT2TokenID == nil || len(store.HashedPAT2TokenID) != 0 {
-		t.Errorf("expected to create a new empty HashedPAT2TokenID map when creating a new FileStore")
-	}
-
-	if store.TokenID2UserID == nil || len(store.TokenID2UserID) != 0 {
-		t.Errorf("expected to create a new empty TokenID2UserID map when creating a new FileStore")
-	}
 }
 
 func TestSaveAccount(t *testing.T) {
@@ -95,7 +85,7 @@ func TestSaveAccount(t *testing.T) {
 		IP:       net.IP{127, 0, 0, 1},
 		Meta:     PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &PeerStatus{Connected: true, LastSeen: time.Now()},
 	}
 
 	// SaveAccount should trigger persist
@@ -131,7 +121,7 @@ func TestStore(t *testing.T) {
 		IP:       net.IP{127, 0, 0, 1},
 		Meta:     PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &PeerStatus{Connected: true, LastSeen: time.Now()},
 	}
 	account.Groups["all"] = &Group{
 		ID:    "all",
@@ -249,17 +239,11 @@ func TestRestore(t *testing.T) {
 
 	require.NotNil(t, account.SetupKeys["A2C8E62B-38F5-4553-B31E-DD66C696CEBB"], "failed to restore a FileStore file - missing Account SetupKey A2C8E62B-38F5-4553-B31E-DD66C696CEBB")
 
-	require.NotNil(t, account.Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"], "failed to restore a FileStore wrong PATs length")
-
 	require.Len(t, store.UserID2AccountID, 2, "failed to restore a FileStore wrong UserID2AccountID mapping length")
 
 	require.Len(t, store.SetupKeyID2AccountID, 1, "failed to restore a FileStore wrong SetupKeyID2AccountID mapping length")
 
 	require.Len(t, store.PrivateDomain2AccountID, 1, "failed to restore a FileStore wrong PrivateDomain2AccountID mapping length")
-
-	require.Len(t, store.HashedPAT2TokenID, 1, "failed to restore a FileStore wrong HashedPAT2TokenID mapping length")
-
-	require.Len(t, store.TokenID2UserID, 1, "failed to restore a FileStore wrong TokenID2UserID mapping length")
 }
 
 func TestRestorePolicies_Migration(t *testing.T) {
@@ -364,137 +348,6 @@ func TestFileStore_GetAccount(t *testing.T) {
 	assert.Len(t, account.NameServerGroups, len(expected.NameServerGroups))
 }
 
-func TestFileStore_GetTokenIDByHashedToken(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(storeDir)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	hashedToken := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"].Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"].HashedToken
-	tokenID, err := store.GetTokenIDByHashedToken(hashedToken)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expectedTokenID := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"].Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"].ID
-	assert.Equal(t, expectedTokenID, tokenID)
-}
-
-func TestFileStore_DeleteHashedPAT2TokenIDIndex(t *testing.T) {
-	store := newStore(t)
-	store.HashedPAT2TokenID["someHashedToken"] = "someTokenId"
-
-	err := store.DeleteHashedPAT2TokenIDIndex("someHashedToken")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Empty(t, store.HashedPAT2TokenID["someHashedToken"])
-}
-
-func TestFileStore_DeleteTokenID2UserIDIndex(t *testing.T) {
-	store := newStore(t)
-	store.TokenID2UserID["someTokenId"] = "someUserId"
-
-	err := store.DeleteTokenID2UserIDIndex("someTokenId")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Empty(t, store.TokenID2UserID["someTokenId"])
-}
-
-func TestFileStore_GetTokenIDByHashedToken_Failure(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(storeDir)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	wrongToken := sha256.Sum256([]byte("someNotValidTokenThatFails1234"))
-	_, err = store.GetTokenIDByHashedToken(string(wrongToken[:]))
-
-	assert.Error(t, err, "GetTokenIDByHashedToken should throw error if token invalid")
-}
-
-func TestFileStore_GetUserByTokenID(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(storeDir)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	tokenID := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"].Users["f4f6d672-63fb-11ec-90d6-0242ac120003"].PATs["9dj38s35-63fb-11ec-90d6-0242ac120003"].ID
-	user, err := store.GetUserByTokenID(tokenID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Equal(t, "f4f6d672-63fb-11ec-90d6-0242ac120003", user.Id)
-}
-
-func TestFileStore_GetUserByTokenID_Failure(t *testing.T) {
-	storeDir := t.TempDir()
-	storeFile := filepath.Join(storeDir, "store.json")
-	err := util.CopyFileContents("testdata/store.json", storeFile)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	accounts := &accounts{}
-	_, err = util.ReadJson(storeFile, accounts)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	store, err := NewFileStore(storeDir)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	wrongTokenID := "someNonExistingTokenID"
-	_, err = store.GetUserByTokenID(wrongTokenID)
-
-	assert.Error(t, err, "GetUserByTokenID should throw error if tokenID invalid")
-}
-
 func TestFileStore_SavePeerStatus(t *testing.T) {
 	storeDir := t.TempDir()
 
@@ -514,7 +367,7 @@ func TestFileStore_SavePeerStatus(t *testing.T) {
 	}
 
 	// save status of non-existing peer
-	newStatus := PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
+	newStatus := PeerStatus{Connected: true, LastSeen: time.Now()}
 	err = store.SavePeerStatus(account.Id, "non-existing-peer", newStatus)
 	assert.Error(t, err)
 
@@ -526,7 +379,7 @@ func TestFileStore_SavePeerStatus(t *testing.T) {
 		IP:       net.IP{127, 0, 0, 1},
 		Meta:     PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:   &PeerStatus{Connected: false, LastSeen: time.Now()},
 	}
 
 	err = store.SaveAccount(account)

management/server/grpcserver.go

@@ -3,25 +3,24 @@ package server
 import (
 	"context"
 	"fmt"
+	pb "github.com/golang/protobuf/proto" //nolint
 	"strings"
 	"time"
 
-	pb "github.com/golang/protobuf/proto" // nolint
-
 	"github.com/netbirdio/netbird/management/server/telemetry"
 
+	"github.com/netbirdio/netbird/management/server/http/middleware"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 
 	"github.com/golang/protobuf/ptypes/timestamp"
+	"github.com/netbirdio/netbird/encryption"
+	"github.com/netbirdio/netbird/management/proto"
+	internalStatus "github.com/netbirdio/netbird/management/server/status"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	gRPCPeer "google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/encryption"
-	"github.com/netbirdio/netbird/management/proto"
-	internalStatus "github.com/netbirdio/netbird/management/server/status"
 )
 
 // GRPCServer an instance of a Management gRPC API server
@@ -32,7 +31,7 @@ type GRPCServer struct {
 	peersUpdateManager     *PeersUpdateManager
 	config                 *Config
 	turnCredentialsManager TURNCredentialsManager
-	jwtValidator           *jwtclaims.JWTValidator
+	jwtMiddleware          *middleware.JWTMiddleware
 	jwtClaimsExtractor     *jwtclaims.ClaimsExtractor
 	appMetrics             telemetry.AppMetrics
 }
@@ -46,12 +45,12 @@ func NewServer(config *Config, accountManager AccountManager, peersUpdateManager
 		return nil, err
 	}
 
-	var jwtValidator *jwtclaims.JWTValidator
+	var jwtMiddleware *middleware.JWTMiddleware
 
 	if config.HttpConfig != nil && config.HttpConfig.AuthIssuer != "" && config.HttpConfig.AuthAudience != "" && validateURL(config.HttpConfig.AuthKeysLocation) {
-		jwtValidator, err = jwtclaims.NewJWTValidator(
+		jwtMiddleware, err = middleware.NewJwtMiddleware(
 			config.HttpConfig.AuthIssuer,
-			config.GetAuthAudiences(),
+			config.HttpConfig.AuthAudience,
 			config.HttpConfig.AuthKeysLocation)
 		if err != nil {
 			return nil, status.Errorf(codes.Internal, "unable to create new jwt middleware, err: %v", err)
@@ -87,7 +86,7 @@ func NewServer(config *Config, accountManager AccountManager, peersUpdateManager
 		accountManager:         accountManager,
 		config:                 config,
 		turnCredentialsManager: turnCredentialsManager,
-		jwtValidator:           jwtValidator,
+		jwtMiddleware:          jwtMiddleware,
 		jwtClaimsExtractor:     jwtClaimsExtractor,
 		appMetrics:             appMetrics,
 	}, nil
@@ -188,11 +187,11 @@ func (s *GRPCServer) cancelPeerRoutines(peer *Peer) {
 }
 
 func (s *GRPCServer) validateToken(jwtToken string) (string, error) {
-	if s.jwtValidator == nil {
-		return "", status.Error(codes.Internal, "no jwt validator set")
+	if s.jwtMiddleware == nil {
+		return "", status.Error(codes.Internal, "no jwt middleware set")
 	}
 
-	token, err := s.jwtValidator.ValidateAndParse(jwtToken)
+	token, err := s.jwtMiddleware.ValidateAndParse(jwtToken)
 	if err != nil {
 		return "", status.Errorf(codes.InvalidArgument, "invalid jwt token, err: %v", err)
 	}
@@ -223,7 +222,6 @@ func mapError(err error) error {
 		default:
 		}
 	}
-	log.Errorf("got an unhandled error: %s", err)
 	return status.Errorf(codes.Internal, "failed handling request")
 }
 
@@ -422,6 +420,8 @@ func toSyncResponse(config *Config, peer *Peer, turnCredentials *TURNCredentials
 
 	offlinePeers := toRemotePeerConfig(networkMap.OfflinePeers, dnsName)
 
+	firewallRules := toProtocolFirewallRules(networkMap.FirewallRules)
+
 	return &proto.SyncResponse{
 		WiretrusteeConfig:  wtConfig,
 		PeerConfig:         pConfig,
@@ -435,6 +435,7 @@ func toSyncResponse(config *Config, peer *Peer, turnCredentials *TURNCredentials
 			RemotePeersIsEmpty: len(remotePeers) == 0,
 			Routes:             routesUpdate,
 			DNSConfig:          dnsUpdate,
+			FirewallRules:      firewallRules,
 		},
 	}
 }
@@ -510,8 +511,6 @@ func (s *GRPCServer) GetDeviceAuthorizationFlow(ctx context.Context, req *proto.
 			Audience:           s.config.DeviceAuthorizationFlow.ProviderConfig.Audience,
 			DeviceAuthEndpoint: s.config.DeviceAuthorizationFlow.ProviderConfig.DeviceAuthEndpoint,
 			TokenEndpoint:      s.config.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint,
-			Scope:              s.config.DeviceAuthorizationFlow.ProviderConfig.Scope,
-			UseIDToken:         s.config.DeviceAuthorizationFlow.ProviderConfig.UseIDToken,
 		},
 	}
 

management/server/http/api/openapi.yml

@@ -6,8 +6,6 @@ info:
 tags:
   - name: Users
     description: Interact with and view information about users.
-  - name: Tokens
-    description: Interact with and view information about tokens.
   - name: Peers
     description: Interact with and view information about peers.
   - name: Setup Keys
@@ -286,59 +284,6 @@ components:
         - revoked
         - auto_groups
         - usage_limit
-    PersonalAccessToken:
-      type: object
-      properties:
-        id:
-          description: ID of a token
-          type: string
-        name:
-          description: Name of the token
-          type: string
-        expiration_date:
-          description: Date the token expires
-          type: string
-          format: date-time
-        created_by:
-          description: User ID of the user who created the token
-          type: string
-        created_at:
-          description: Date the token was created
-          type: string
-          format: date-time
-        last_used:
-          description: Date the token was last used
-          type: string
-          format: date-time
-      required:
-        - id
-        - name
-        - expiration_date
-        - created_by
-        - created_at
-    PersonalAccessTokenGenerated:
-      type: object
-      properties:
-        plain_token:
-          description: Plain text representation of the generated token
-          type: string
-        personal_access_token:
-          $ref: '#/components/schemas/PersonalAccessToken'
-      required:
-        - plain_token
-        - personal_access_token
-    PersonalAccessTokenRequest:
-      type: object
-      properties:
-        name:
-          description: Name of the token
-          type: string
-        expires_in:
-          description: Expiration in days
-          type: integer
-      required:
-        - name
-        - expires_in
     GroupMinimum:
       type: object
       properties:
@@ -903,133 +848,6 @@ paths:
           "$ref": "#/components/responses/forbidden"
         '500':
           "$ref": "#/components/responses/internal_error"
-  /api/users/{userId}/tokens:
-    get:
-      summary: Returns a list of all tokens for a user
-      tags: [ Tokens ]
-      security:
-        - BearerAuth: []
-      parameters:
-        - in: path
-          name: userId
-          required: true
-          schema:
-            type: string
-          description: The User ID
-      responses:
-        '200':
-          description: A JSON Array of PersonalAccessTokens
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/PersonalAccessToken'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
-    post:
-      summary: Create a new token
-      tags: [ Tokens ]
-      security:
-        - BearerAuth: [ ]
-      parameters:
-        - in: path
-          name: userId
-          required: true
-          schema:
-            type: string
-          description: The User ID
-      requestBody:
-        description: PersonalAccessToken create parameters
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/PersonalAccessTokenRequest'
-      responses:
-        '200':
-          description: The token in plain text
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/PersonalAccessTokenGenerated'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
-  /api/users/{userId}/tokens/{tokenId}:
-    get:
-      summary: Returns a specific token
-      tags: [ Tokens ]
-      security:
-        - BearerAuth: [ ]
-      parameters:
-        - in: path
-          name: userId
-          required: true
-          schema:
-            type: string
-          description: The User ID
-        - in: path
-          name: tokenId
-          required: true
-          schema:
-            type: string
-          description: The Token ID
-      responses:
-        '200':
-          description: A PersonalAccessTokens Object
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/PersonalAccessToken'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
-    delete:
-      summary: Delete a token
-      tags: [ Tokens ]
-      security:
-        - BearerAuth: [ ]
-      parameters:
-        - in: path
-          name: userId
-          required: true
-          schema:
-            type: string
-          description: The User ID
-        - in: path
-          name: tokenId
-          required: true
-          schema:
-            type: string
-          description: The Token ID
-      responses:
-        '200':
-          description: Delete status code
-          content: { }
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
   /api/peers:
     get:
       summary: Returns a list of all peers

management/server/http/api/types.gen.go

@@ -379,44 +379,6 @@ type PeerMinimum struct {
 	Name string `json:"name"`
 }
 
-// PersonalAccessToken defines model for PersonalAccessToken.
-type PersonalAccessToken struct {
-	// CreatedAt Date the token was created
-	CreatedAt time.Time `json:"created_at"`
-
-	// CreatedBy User ID of the user who created the token
-	CreatedBy string `json:"created_by"`
-
-	// ExpirationDate Date the token expires
-	ExpirationDate time.Time `json:"expiration_date"`
-
-	// Id ID of a token
-	Id string `json:"id"`
-
-	// LastUsed Date the token was last used
-	LastUsed *time.Time `json:"last_used,omitempty"`
-
-	// Name Name of the token
-	Name string `json:"name"`
-}
-
-// PersonalAccessTokenGenerated defines model for PersonalAccessTokenGenerated.
-type PersonalAccessTokenGenerated struct {
-	PersonalAccessToken PersonalAccessToken `json:"personal_access_token"`
-
-	// PlainToken Plain text representation of the generated token
-	PlainToken string `json:"plain_token"`
-}
-
-// PersonalAccessTokenRequest defines model for PersonalAccessTokenRequest.
-type PersonalAccessTokenRequest struct {
-	// ExpiresIn Expiration in days
-	ExpiresIn int `json:"expires_in"`
-
-	// Name Name of the token
-	Name string `json:"name"`
-}
-
 // Policy defines model for Policy.
 type Policy struct {
 	// Description Policy friendly description
@@ -846,6 +808,3 @@ type PostApiUsersJSONRequestBody = UserCreateRequest
 
 // PutApiUsersIdJSONRequestBody defines body for PutApiUsersId for application/json ContentType.
 type PutApiUsersIdJSONRequestBody = UserRequest
-
-// PostApiUsersUserIdTokensJSONRequestBody defines body for PostApiUsersUserIdTokens for application/json ContentType.
-type PostApiUsersUserIdTokensJSONRequestBody = PersonalAccessTokenRequest

management/server/http/events_handler_test.go

@@ -54,7 +54,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	ID := uint64(1)
 	events := make([]*activity.Event, 0)
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.PeerAddedByUser,
 		ID:          ID,
 		InitiatorID: userID,
@@ -64,7 +64,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.UserJoined,
 		ID:          ID,
 		InitiatorID: userID,
@@ -74,7 +74,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.GroupCreated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -84,7 +84,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.SetupKeyUpdated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -94,7 +94,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.SetupKeyUpdated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -104,7 +104,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.SetupKeyRevoked,
 		ID:          ID,
 		InitiatorID: userID,
@@ -114,7 +114,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.SetupKeyOverused,
 		ID:          ID,
 		InitiatorID: userID,
@@ -124,7 +124,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.SetupKeyCreated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -134,7 +134,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.RuleAdded,
 		ID:          ID,
 		InitiatorID: userID,
@@ -144,7 +144,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.RuleRemoved,
 		ID:          ID,
 		InitiatorID: userID,
@@ -154,7 +154,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.RuleUpdated,
 		ID:          ID,
 		InitiatorID: userID,
@@ -164,7 +164,7 @@ func generateEvents(accountID, userID string) []*activity.Event {
 	})
 	ID++
 	events = append(events, &activity.Event{
-		Timestamp:   time.Now().UTC(),
+		Timestamp:   time.Now(),
 		Activity:    activity.PeerAddedWithSetupKey,
 		ID:          ID,
 		InitiatorID: userID,

management/server/http/groups_handler.go

@@ -300,7 +300,7 @@ func (h *GroupsHandler) DeleteGroup(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	util.WriteJSONObject(w, emptyObject{})
+	util.WriteJSONObject(w, "")
 }
 
 // GetGroup returns a group

management/server/http/handler.go

@@ -8,7 +8,6 @@ import (
 
 	s "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
-	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )
 
@@ -26,17 +25,15 @@ type apiHandler struct {
 	AuthCfg        AuthCfg
 }
 
-// EmptyObject is an empty struct used to return empty JSON object
-type emptyObject struct {
-}
-
 // APIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func APIHandler(accountManager s.AccountManager, jwtValidator jwtclaims.JWTValidator, appMetrics telemetry.AppMetrics, authCfg AuthCfg) (http.Handler, error) {
-	authMiddleware := middleware.NewAuthMiddleware(
-		accountManager.GetAccountFromPAT,
-		jwtValidator.ValidateAndParse,
-		accountManager.MarkPATUsed,
-		authCfg.Audience)
+func APIHandler(accountManager s.AccountManager, appMetrics telemetry.AppMetrics, authCfg AuthCfg) (http.Handler, error) {
+	jwtMiddleware, err := middleware.NewJwtMiddleware(
+		authCfg.Issuer,
+		authCfg.Audience,
+		authCfg.KeysLocation)
+	if err != nil {
+		return nil, err
+	}
 
 	corsMiddleware := cors.AllowAll()
 
@@ -49,7 +46,7 @@ func APIHandler(accountManager s.AccountManager, jwtValidator jwtclaims.JWTValid
 	metricsMiddleware := appMetrics.HTTPMiddleware()
 
 	router := rootRouter.PathPrefix("/api").Subrouter()
-	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler, acMiddleware.Handler)
+	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, jwtMiddleware.Handler, acMiddleware.Handler)
 
 	api := apiHandler{
 		Router:         router,
@@ -60,7 +57,6 @@ func APIHandler(accountManager s.AccountManager, jwtValidator jwtclaims.JWTValid
 	api.addAccountsEndpoint()
 	api.addPeersEndpoint()
 	api.addUsersEndpoint()
-	api.addUsersTokensEndpoint()
 	api.addSetupKeysEndpoint()
 	api.addRulesEndpoint()
 	api.addPoliciesEndpoint()
@@ -70,7 +66,7 @@ func APIHandler(accountManager s.AccountManager, jwtValidator jwtclaims.JWTValid
 	api.addDNSSettingEndpoint()
 	api.addEventsEndpoint()
 
-	err := api.Router.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
+	err = api.Router.Walk(func(route *mux.Route, _ *mux.Router, _ []*mux.Route) error {
 		methods, err := route.GetMethods()
 		if err != nil {
 			return err
@@ -114,14 +110,6 @@ func (apiHandler *apiHandler) addUsersEndpoint() {
 	apiHandler.Router.HandleFunc("/users", userHandler.CreateUser).Methods("POST", "OPTIONS")
 }
 
-func (apiHandler *apiHandler) addUsersTokensEndpoint() {
-	tokenHandler := NewPATsHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
-	apiHandler.Router.HandleFunc("/users/{userId}/tokens", tokenHandler.GetAllTokens).Methods("GET", "OPTIONS")
-	apiHandler.Router.HandleFunc("/users/{userId}/tokens", tokenHandler.CreateToken).Methods("POST", "OPTIONS")
-	apiHandler.Router.HandleFunc("/users/{userId}/tokens/{tokenId}", tokenHandler.GetToken).Methods("GET", "OPTIONS")
-	apiHandler.Router.HandleFunc("/users/{userId}/tokens/{tokenId}", tokenHandler.DeleteToken).Methods("DELETE", "OPTIONS")
-}
-
 func (apiHandler *apiHandler) addSetupKeysEndpoint() {
 	keysHandler := NewSetupKeysHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
 	apiHandler.Router.HandleFunc("/setup-keys", keysHandler.GetAllSetupKeys).Methods("GET", "OPTIONS")

management/server/http/middleware/access_control.go

@@ -2,9 +2,6 @@ package middleware
 
 import (
 	"net/http"
-	"regexp"
-
-	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/status"
@@ -42,22 +39,10 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
 			return
 		}
+
 		if !ok {
 			switch r.Method {
 			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
-
-				ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
-				if err != nil {
-					log.Debugf("Regex failed")
-					util.WriteError(status.Errorf(status.Internal, ""), w)
-					return
-				}
-				if ok {
-					log.Debugf("Valid Path")
-					h.ServeHTTP(w, r)
-					return
-				}
-
 				util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
 				return
 			}