Translate usernames to UPN format for domain login

Bumps [github.com/quic-go/quic-go](https://github.com/quic-go/quic-go) from 0.48.2 to 0.49.1.
- [Release notes](https://github.com/quic-go/quic-go/releases)
- [Commits](https://github.com/quic-go/quic-go/compare/v0.48.2...v0.49.1)

---
updated-dependencies:
- dependency-name: github.com/quic-go/quic-go
  dependency-version: 0.49.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/check-license-dependencies.yml

@@ -15,27 +15,28 @@ jobs:
     - name: Check for problematic license dependencies
       run: |
         echo "Checking for dependencies on management/, signal/, and relay/ packages..."
+        echo ""
 
         # Find all directories except the problematic ones and system dirs
         FOUND_ISSUES=0
-        find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort | while read dir; do
+        while IFS= read -r dir; do
           echo "=== Checking $dir ==="
           # Search for problematic imports, excluding test files
-          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
-          if [ ! -z "$RESULTS" ]; then
+          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+          if [ -n "$RESULTS" ]; then
             echo "❌ Found problematic dependencies:"
             echo "$RESULTS"
             FOUND_ISSUES=1
           else
             echo "✓ No problematic dependencies found"
           fi
-        done
+        done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
+
+        echo ""
         if [ $FOUND_ISSUES -eq 1 ]; then
-          echo ""
           echo "❌ Found dependencies on management/, signal/, or relay/ packages"
-          echo "These packages will change license and should not be imported by client or shared code"
+          echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
           exit 1
         else
-          echo ""
           echo "✅ All license dependencies are clean"
         fi

client/android/client.go

@@ -17,9 +17,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	"github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/client/net"
 )
 
 // ConnectionListener export internal Listener for mobile

client/android/preferences.go

@@ -201,6 +201,94 @@ func (p *Preferences) SetServerSSHAllowed(allowed bool) {
 	p.configInput.ServerSSHAllowed = &allowed
 }
 
+// GetEnableSSHRoot reads SSH root login setting from config file
+func (p *Preferences) GetEnableSSHRoot() (bool, error) {
+	if p.configInput.EnableSSHRoot != nil {
+		return *p.configInput.EnableSSHRoot, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHRoot == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHRoot, err
+}
+
+// SetEnableSSHRoot stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHRoot(enabled bool) {
+	p.configInput.EnableSSHRoot = &enabled
+}
+
+// GetEnableSSHSFTP reads SSH SFTP setting from config file
+func (p *Preferences) GetEnableSSHSFTP() (bool, error) {
+	if p.configInput.EnableSSHSFTP != nil {
+		return *p.configInput.EnableSSHSFTP, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHSFTP == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHSFTP, err
+}
+
+// SetEnableSSHSFTP stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHSFTP(enabled bool) {
+	p.configInput.EnableSSHSFTP = &enabled
+}
+
+// GetEnableSSHLocalPortForwarding reads SSH local port forwarding setting from config file
+func (p *Preferences) GetEnableSSHLocalPortForwarding() (bool, error) {
+	if p.configInput.EnableSSHLocalPortForwarding != nil {
+		return *p.configInput.EnableSSHLocalPortForwarding, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHLocalPortForwarding == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHLocalPortForwarding, err
+}
+
+// SetEnableSSHLocalPortForwarding stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHLocalPortForwarding(enabled bool) {
+	p.configInput.EnableSSHLocalPortForwarding = &enabled
+}
+
+// GetEnableSSHRemotePortForwarding reads SSH remote port forwarding setting from config file
+func (p *Preferences) GetEnableSSHRemotePortForwarding() (bool, error) {
+	if p.configInput.EnableSSHRemotePortForwarding != nil {
+		return *p.configInput.EnableSSHRemotePortForwarding, nil
+	}
+
+	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.EnableSSHRemotePortForwarding == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.EnableSSHRemotePortForwarding, err
+}
+
+// SetEnableSSHRemotePortForwarding stores the given value and waits for commit
+func (p *Preferences) SetEnableSSHRemotePortForwarding(enabled bool) {
+	p.configInput.EnableSSHRemotePortForwarding = &enabled
+}
+
 // GetBlockInbound reads block inbound setting from config file
 func (p *Preferences) GetBlockInbound() (bool, error) {
 	if p.configInput.BlockInbound != nil {

client/cmd/root.go

@@ -35,7 +35,6 @@ const (
 	wireguardPortFlag        = "wireguard-port"
 	networkMonitorFlag       = "network-monitor"
 	disableAutoConnectFlag   = "disable-auto-connect"
-	serverSSHAllowedFlag     = "allow-server-ssh"
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
@@ -64,7 +63,6 @@ var (
 	customDNSAddress        string
 	rosenpassEnabled        bool
 	rosenpassPermissive     bool
-	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
 	networkMonitor          bool
@@ -176,7 +174,6 @@ func init() {
 	)
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
-	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")
 

client/cmd/service_installer.go

@@ -10,6 +10,8 @@ import (
 	"path/filepath"
 	"runtime"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/kardianos/service"
 	"github.com/spf13/cobra"
 
@@ -81,6 +83,10 @@ func configurePlatformSpecificSettings(svcConfig *service.Config) error {
 				svcConfig.Option["LogDirectory"] = dir
 			}
 		}
+
+		if err := configureSystemdNetworkd(); err != nil {
+			log.Warnf("failed to configure systemd-networkd: %v", err)
+		}
 	}
 
 	if runtime.GOOS == "windows" {
@@ -160,6 +166,12 @@ var uninstallCmd = &cobra.Command{
 			return fmt.Errorf("uninstall service: %w", err)
 		}
 
+		if runtime.GOOS == "linux" {
+			if err := cleanupSystemdNetworkd(); err != nil {
+				log.Warnf("failed to cleanup systemd-networkd configuration: %v", err)
+			}
+		}
+
 		cmd.Println("NetBird service has been uninstalled")
 		return nil
 	},
@@ -245,3 +257,45 @@ func isServiceRunning() (bool, error) {
 
 	return status == service.StatusRunning, nil
 }
+
+const (
+	networkdConfDir     = "/etc/systemd/networkd.conf.d"
+	networkdConfFile    = "/etc/systemd/networkd.conf.d/99-netbird.conf"
+	networkdConfContent = `# Created by NetBird to prevent systemd-networkd from removing
+# routes and policy rules managed by NetBird.
+
+[Network]
+ManageForeignRoutes=no
+ManageForeignRoutingPolicyRules=no
+`
+)
+
+// configureSystemdNetworkd creates a drop-in configuration file to prevent
+// systemd-networkd from removing NetBird's routes and policy rules.
+func configureSystemdNetworkd() error {
+	parentDir := filepath.Dir(networkdConfDir)
+	if _, err := os.Stat(parentDir); os.IsNotExist(err) {
+		log.Debug("systemd networkd.conf.d parent directory does not exist, skipping configuration")
+		return nil
+	}
+
+	// nolint:gosec // standard networkd permissions
+	if err := os.WriteFile(networkdConfFile, []byte(networkdConfContent), 0644); err != nil {
+		return fmt.Errorf("write networkd configuration: %w", err)
+	}
+
+	return nil
+}
+
+// cleanupSystemdNetworkd removes the NetBird systemd-networkd configuration file.
+func cleanupSystemdNetworkd() error {
+	if _, err := os.Stat(networkdConfFile); os.IsNotExist(err) {
+		return nil
+	}
+
+	if err := os.Remove(networkdConfFile); err != nil {
+		return fmt.Errorf("remove networkd configuration: %w", err)
+	}
+
+	return nil
+}

client/cmd/ssh.go

@@ -3,125 +3,757 @@ package cmd
 import (
 	"context"
 	"errors"
+	"flag"
 	"fmt"
+	"net"
 	"os"
 	"os/signal"
+	"os/user"
+	"slices"
+	"strconv"
 	"strings"
 	"syscall"
 
 	"github.com/spf13/cobra"
 
 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	nbssh "github.com/netbirdio/netbird/client/ssh"
+	sshclient "github.com/netbirdio/netbird/client/ssh/client"
+	"github.com/netbirdio/netbird/client/ssh/detection"
+	sshproxy "github.com/netbirdio/netbird/client/ssh/proxy"
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
 	"github.com/netbirdio/netbird/util"
 )
 
-var (
-	port     int
-	userName = "root"
-	host     string
+const (
+	sshUsernameDesc      = "SSH username"
+	hostArgumentRequired = "host argument required"
+
+	serverSSHAllowedFlag           = "allow-server-ssh"
+	enableSSHRootFlag              = "enable-ssh-root"
+	enableSSHSFTPFlag              = "enable-ssh-sftp"
+	enableSSHLocalPortForwardFlag  = "enable-ssh-local-port-forwarding"
+	enableSSHRemotePortForwardFlag = "enable-ssh-remote-port-forwarding"
+	disableSSHAuthFlag             = "disable-ssh-auth"
 )
 
-var sshCmd = &cobra.Command{
-	Use: "ssh [user@]host",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errors.New("requires a host argument")
-		}
+var (
+	port                  int
+	username              string
+	host                  string
+	command               string
+	localForwards         []string
+	remoteForwards        []string
+	strictHostKeyChecking bool
+	knownHostsFile        string
+	identityFile          string
+	skipCachedToken       bool
+)
 
-		split := strings.Split(args[0], "@")
-		if len(split) == 2 {
-			userName = split[0]
-			host = split[1]
-		} else {
-			host = args[0]
-		}
+var (
+	serverSSHAllowed           bool
+	enableSSHRoot              bool
+	enableSSHSFTP              bool
+	enableSSHLocalPortForward  bool
+	enableSSHRemotePortForward bool
+	disableSSHAuth             bool
+)
 
-		return nil
-	},
-	Short: "Connect to a remote SSH server",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
-		SetFlagsFromEnvVars(cmd)
+func init() {
+	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer")
+	upCmd.PersistentFlags().BoolVar(&enableSSHRoot, enableSSHRootFlag, false, "Enable root login for SSH server")
+	upCmd.PersistentFlags().BoolVar(&enableSSHSFTP, enableSSHSFTPFlag, false, "Enable SFTP subsystem for SSH server")
+	upCmd.PersistentFlags().BoolVar(&enableSSHLocalPortForward, enableSSHLocalPortForwardFlag, false, "Enable local port forwarding for SSH server")
+	upCmd.PersistentFlags().BoolVar(&enableSSHRemotePortForward, enableSSHRemotePortForwardFlag, false, "Enable remote port forwarding for SSH server")
+	upCmd.PersistentFlags().BoolVar(&disableSSHAuth, disableSSHAuthFlag, false, "Disable SSH authentication")
 
-		cmd.SetOut(cmd.OutOrStdout())
+	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", sshserver.DefaultSSHPort, "Remote SSH port")
+	sshCmd.PersistentFlags().StringVarP(&username, "user", "u", "", sshUsernameDesc)
+	sshCmd.PersistentFlags().StringVar(&username, "login", "", sshUsernameDesc+" (alias for --user)")
+	sshCmd.PersistentFlags().BoolVar(&strictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking (default: true)")
+	sshCmd.PersistentFlags().StringVarP(&knownHostsFile, "known-hosts", "o", "", "Path to known_hosts file (default: ~/.ssh/known_hosts)")
+	sshCmd.PersistentFlags().StringVarP(&identityFile, "identity", "i", "", "Path to SSH private key file")
+	sshCmd.PersistentFlags().BoolVar(&skipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
 
-		err := util.InitLog(logLevel, util.LogConsole)
-		if err != nil {
-			return fmt.Errorf("failed initializing log %v", err)
-		}
+	sshCmd.PersistentFlags().StringArrayP("L", "L", []string{}, "Local port forwarding [bind_address:]port:host:hostport")
+	sshCmd.PersistentFlags().StringArrayP("R", "R", []string{}, "Remote port forwarding [bind_address:]port:host:hostport")
 
-		if !util.IsAdmin() {
-			cmd.Printf("error: you must have Administrator privileges to run this command\n")
-			return nil
-		}
-
-		ctx := internal.CtxInitState(cmd.Context())
-
-		sm := profilemanager.NewServiceManager(configPath)
-		activeProf, err := sm.GetActiveProfileState()
-		if err != nil {
-			return fmt.Errorf("get active profile: %v", err)
-		}
-		profPath, err := activeProf.FilePath()
-		if err != nil {
-			return fmt.Errorf("get active profile path: %v", err)
-		}
-
-		config, err := profilemanager.ReadConfig(profPath)
-		if err != nil {
-			return fmt.Errorf("read profile config: %v", err)
-		}
-
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
-		sshctx, cancel := context.WithCancel(ctx)
-
-		go func() {
-			// blocking
-			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
-				cmd.Printf("Error: %v\n", err)
-				os.Exit(1)
-			}
-			cancel()
-		}()
-
-		select {
-		case <-sig:
-			cancel()
-		case <-sshctx.Done():
-		}
-
-		return nil
-	},
+	sshCmd.AddCommand(sshSftpCmd)
+	sshCmd.AddCommand(sshProxyCmd)
+	sshCmd.AddCommand(sshDetectCmd)
 }
 
-func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
-	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), userName, pemKey)
-	if err != nil {
-		cmd.Printf("Error: %v\n", err)
-		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +
-			"\nYou can verify the connection by running:\n\n" +
-			" netbird status\n\n")
-		return err
-	}
-	go func() {
-		<-ctx.Done()
-		err = c.Close()
-		if err != nil {
-			return
+var sshCmd = &cobra.Command{
+	Use:   "ssh [flags] [user@]host [command]",
+	Short: "Connect to a NetBird peer via SSH",
+	Long: `Connect to a NetBird peer using SSH with support for port forwarding.
+
+Port Forwarding:
+  -L [bind_address:]port:host:hostport   Local port forwarding
+  -L [bind_address:]port:/path/to/socket Local port forwarding to Unix socket
+  -R [bind_address:]port:host:hostport   Remote port forwarding
+  -R [bind_address:]port:/path/to/socket Remote port forwarding to Unix socket
+
+SSH Options:
+  -p, --port int                       Remote SSH port (default 22)
+  -u, --user string                    SSH username
+      --login string                   SSH username (alias for --user)
+      --strict-host-key-checking       Enable strict host key checking (default: true)
+  -o, --known-hosts string             Path to known_hosts file
+  -i, --identity string                Path to SSH private key file
+
+Examples:
+  netbird ssh peer-hostname
+  netbird ssh root@peer-hostname
+  netbird ssh --login root peer-hostname
+  netbird ssh peer-hostname ls -la
+  netbird ssh peer-hostname whoami
+  netbird ssh -L 8080:localhost:80 peer-hostname    # Local port forwarding
+  netbird ssh -R 9090:localhost:3000 peer-hostname  # Remote port forwarding
+  netbird ssh -L "*:8080:localhost:80" peer-hostname # Bind to all interfaces
+  netbird ssh -L 8080:/tmp/socket peer-hostname      # Unix socket forwarding`,
+	DisableFlagParsing: true,
+	Args:               validateSSHArgsWithoutFlagParsing,
+	RunE:               sshFn,
+	Aliases:            []string{"ssh"},
+}
+
+func sshFn(cmd *cobra.Command, args []string) error {
+	for _, arg := range args {
+		if arg == "-h" || arg == "--help" {
+			return cmd.Help()
 		}
+	}
+
+	SetFlagsFromEnvVars(rootCmd)
+	SetFlagsFromEnvVars(cmd)
+
+	cmd.SetOut(cmd.OutOrStdout())
+
+	logOutput := "console"
+	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
+		logOutput = firstLogFile
+	}
+	if err := util.InitLog(logLevel, logOutput); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	ctx := internal.CtxInitState(cmd.Context())
+
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
+	sshctx, cancel := context.WithCancel(ctx)
+
+	go func() {
+		if err := runSSH(sshctx, host, cmd); err != nil {
+			cmd.Printf("Error: %v\n", err)
+			os.Exit(1)
+		}
+		cancel()
 	}()
 
-	err = c.OpenTerminal()
-	if err != nil {
-		return err
+	select {
+	case <-sig:
+		cancel()
+	case <-sshctx.Done():
 	}
 
 	return nil
 }
 
-func init() {
-	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", nbssh.DefaultSSHPort, "Sets remote SSH port. Defaults to "+fmt.Sprint(nbssh.DefaultSSHPort))
+// getEnvOrDefault checks for environment variables with WT_ and NB_ prefixes
+func getEnvOrDefault(flagName, defaultValue string) string {
+	if envValue := os.Getenv("WT_" + flagName); envValue != "" {
+		return envValue
+	}
+	if envValue := os.Getenv("NB_" + flagName); envValue != "" {
+		return envValue
+	}
+	return defaultValue
+}
+
+// resetSSHGlobals sets SSH globals to their default values
+func resetSSHGlobals() {
+	port = sshserver.DefaultSSHPort
+	username = ""
+	host = ""
+	command = ""
+	localForwards = nil
+	remoteForwards = nil
+	strictHostKeyChecking = true
+	knownHostsFile = ""
+	identityFile = ""
+}
+
+// parseCustomSSHFlags extracts -L, -R flags and returns filtered args
+func parseCustomSSHFlags(args []string) ([]string, []string, []string) {
+	var localForwardFlags []string
+	var remoteForwardFlags []string
+	var filteredArgs []string
+
+	for i := 0; i < len(args); i++ {
+		arg := args[i]
+		switch {
+		case strings.HasPrefix(arg, "-L"):
+			localForwardFlags, i = parseForwardFlag(arg, args, i, localForwardFlags)
+		case strings.HasPrefix(arg, "-R"):
+			remoteForwardFlags, i = parseForwardFlag(arg, args, i, remoteForwardFlags)
+		default:
+			filteredArgs = append(filteredArgs, arg)
+		}
+	}
+
+	return filteredArgs, localForwardFlags, remoteForwardFlags
+}
+
+func parseForwardFlag(arg string, args []string, i int, flags []string) ([]string, int) {
+	if arg == "-L" || arg == "-R" {
+		if i+1 < len(args) {
+			flags = append(flags, args[i+1])
+			i++
+		}
+	} else if len(arg) > 2 {
+		flags = append(flags, arg[2:])
+	}
+	return flags, i
+}
+
+// extractGlobalFlags parses global flags that were passed before 'ssh' command
+func extractGlobalFlags(args []string) {
+	sshPos := findSSHCommandPosition(args)
+	if sshPos == -1 {
+		return
+	}
+
+	globalArgs := args[:sshPos]
+	parseGlobalArgs(globalArgs)
+}
+
+// findSSHCommandPosition locates the 'ssh' command in the argument list
+func findSSHCommandPosition(args []string) int {
+	for i, arg := range args {
+		if arg == "ssh" {
+			return i
+		}
+	}
+	return -1
+}
+
+const (
+	configFlag   = "config"
+	logLevelFlag = "log-level"
+	logFileFlag  = "log-file"
+)
+
+// parseGlobalArgs processes the global arguments and sets the corresponding variables
+func parseGlobalArgs(globalArgs []string) {
+	flagHandlers := map[string]func(string){
+		configFlag:   func(value string) { configPath = value },
+		logLevelFlag: func(value string) { logLevel = value },
+		logFileFlag: func(value string) {
+			if !slices.Contains(logFiles, value) {
+				logFiles = append(logFiles, value)
+			}
+		},
+	}
+
+	shortFlags := map[string]string{
+		"c": configFlag,
+		"l": logLevelFlag,
+	}
+
+	for i := 0; i < len(globalArgs); i++ {
+		arg := globalArgs[i]
+
+		if handled, nextIndex := parseFlag(arg, globalArgs, i, flagHandlers, shortFlags); handled {
+			i = nextIndex
+		}
+	}
+}
+
+// parseFlag handles generic flag parsing for both long and short forms
+func parseFlag(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (bool, int) {
+	if parsedValue, found := parseEqualsFormat(arg, flagHandlers, shortFlags); found {
+		flagHandlers[parsedValue.flagName](parsedValue.value)
+		return true, currentIndex
+	}
+
+	if parsedValue, found := parseSpacedFormat(arg, args, currentIndex, flagHandlers, shortFlags); found {
+		flagHandlers[parsedValue.flagName](parsedValue.value)
+		return true, currentIndex + 1
+	}
+
+	return false, currentIndex
+}
+
+type parsedFlag struct {
+	flagName string
+	value    string
+}
+
+// parseEqualsFormat handles --flag=value and -f=value formats
+func parseEqualsFormat(arg string, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
+	if !strings.Contains(arg, "=") {
+		return parsedFlag{}, false
+	}
+
+	parts := strings.SplitN(arg, "=", 2)
+	if len(parts) != 2 {
+		return parsedFlag{}, false
+	}
+
+	if strings.HasPrefix(parts[0], "--") {
+		flagName := strings.TrimPrefix(parts[0], "--")
+		if _, exists := flagHandlers[flagName]; exists {
+			return parsedFlag{flagName: flagName, value: parts[1]}, true
+		}
+	}
+
+	if strings.HasPrefix(parts[0], "-") && len(parts[0]) == 2 {
+		shortFlag := strings.TrimPrefix(parts[0], "-")
+		if longFlag, exists := shortFlags[shortFlag]; exists {
+			if _, exists := flagHandlers[longFlag]; exists {
+				return parsedFlag{flagName: longFlag, value: parts[1]}, true
+			}
+		}
+	}
+
+	return parsedFlag{}, false
+}
+
+// parseSpacedFormat handles --flag value and -f value formats
+func parseSpacedFormat(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
+	if currentIndex+1 >= len(args) {
+		return parsedFlag{}, false
+	}
+
+	if strings.HasPrefix(arg, "--") {
+		flagName := strings.TrimPrefix(arg, "--")
+		if _, exists := flagHandlers[flagName]; exists {
+			return parsedFlag{flagName: flagName, value: args[currentIndex+1]}, true
+		}
+	}
+
+	if strings.HasPrefix(arg, "-") && len(arg) == 2 {
+		shortFlag := strings.TrimPrefix(arg, "-")
+		if longFlag, exists := shortFlags[shortFlag]; exists {
+			if _, exists := flagHandlers[longFlag]; exists {
+				return parsedFlag{flagName: longFlag, value: args[currentIndex+1]}, true
+			}
+		}
+	}
+
+	return parsedFlag{}, false
+}
+
+// createSSHFlagSet creates and configures the flag set for SSH command parsing
+// sshFlags contains all SSH-related flags and parameters
+type sshFlags struct {
+	Port                  int
+	Username              string
+	Login                 string
+	StrictHostKeyChecking bool
+	KnownHostsFile        string
+	IdentityFile          string
+	SkipCachedToken       bool
+	ConfigPath            string
+	LogLevel              string
+	LocalForwards         []string
+	RemoteForwards        []string
+	Host                  string
+	Command               string
+}
+
+func createSSHFlagSet() (*flag.FlagSet, *sshFlags) {
+	defaultConfigPath := getEnvOrDefault("CONFIG", configPath)
+	defaultLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
+
+	fs := flag.NewFlagSet("ssh-flags", flag.ContinueOnError)
+	fs.SetOutput(nil)
+
+	flags := &sshFlags{}
+
+	fs.IntVar(&flags.Port, "p", sshserver.DefaultSSHPort, "SSH port")
+	fs.Int("port", sshserver.DefaultSSHPort, "SSH port")
+	fs.StringVar(&flags.Username, "u", "", sshUsernameDesc)
+	fs.String("user", "", sshUsernameDesc)
+	fs.StringVar(&flags.Login, "login", "", sshUsernameDesc+" (alias for --user)")
+
+	fs.BoolVar(&flags.StrictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking")
+	fs.StringVar(&flags.KnownHostsFile, "o", "", "Path to known_hosts file")
+	fs.String("known-hosts", "", "Path to known_hosts file")
+	fs.StringVar(&flags.IdentityFile, "i", "", "Path to SSH private key file")
+	fs.String("identity", "", "Path to SSH private key file")
+	fs.BoolVar(&flags.SkipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
+
+	fs.StringVar(&flags.ConfigPath, "c", defaultConfigPath, "Netbird config file location")
+	fs.String("config", defaultConfigPath, "Netbird config file location")
+	fs.StringVar(&flags.LogLevel, "l", defaultLogLevel, "sets Netbird log level")
+	fs.String("log-level", defaultLogLevel, "sets Netbird log level")
+
+	return fs, flags
+}
+
+func validateSSHArgsWithoutFlagParsing(_ *cobra.Command, args []string) error {
+	if len(args) < 1 {
+		return errors.New(hostArgumentRequired)
+	}
+
+	resetSSHGlobals()
+
+	if len(os.Args) > 2 {
+		extractGlobalFlags(os.Args[1:])
+	}
+
+	filteredArgs, localForwardFlags, remoteForwardFlags := parseCustomSSHFlags(args)
+
+	fs, flags := createSSHFlagSet()
+
+	if err := fs.Parse(filteredArgs); err != nil {
+		return parseHostnameAndCommand(filteredArgs)
+	}
+
+	remaining := fs.Args()
+	if len(remaining) < 1 {
+		return errors.New(hostArgumentRequired)
+	}
+
+	port = flags.Port
+	if flags.Username != "" {
+		username = flags.Username
+	} else if flags.Login != "" {
+		username = flags.Login
+	}
+
+	strictHostKeyChecking = flags.StrictHostKeyChecking
+	knownHostsFile = flags.KnownHostsFile
+	identityFile = flags.IdentityFile
+	skipCachedToken = flags.SkipCachedToken
+
+	if flags.ConfigPath != getEnvOrDefault("CONFIG", configPath) {
+		configPath = flags.ConfigPath
+	}
+	if flags.LogLevel != getEnvOrDefault("LOG_LEVEL", logLevel) {
+		logLevel = flags.LogLevel
+	}
+
+	localForwards = localForwardFlags
+	remoteForwards = remoteForwardFlags
+
+	return parseHostnameAndCommand(remaining)
+}
+
+func parseHostnameAndCommand(args []string) error {
+	if len(args) < 1 {
+		return errors.New(hostArgumentRequired)
+	}
+
+	arg := args[0]
+	if strings.Contains(arg, "@") {
+		parts := strings.SplitN(arg, "@", 2)
+		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
+			return errors.New("invalid user@host format")
+		}
+		if username == "" {
+			username = parts[0]
+		}
+		host = parts[1]
+	} else {
+		host = arg
+	}
+
+	if username == "" {
+		if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
+			username = sudoUser
+		} else if currentUser, err := user.Current(); err == nil {
+			username = currentUser.Username
+		} else {
+			username = "root"
+		}
+	}
+
+	// Everything after hostname becomes the command
+	if len(args) > 1 {
+		command = strings.Join(args[1:], " ")
+	}
+
+	return nil
+}
+
+func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
+	target := fmt.Sprintf("%s:%d", addr, port)
+	c, err := sshclient.Dial(ctx, target, username, sshclient.DialOptions{
+		KnownHostsFile:     knownHostsFile,
+		IdentityFile:       identityFile,
+		DaemonAddr:         daemonAddr,
+		SkipCachedToken:    skipCachedToken,
+		InsecureSkipVerify: !strictHostKeyChecking,
+	})
+
+	if err != nil {
+		cmd.Printf("Failed to connect to %s@%s\n", username, target)
+		cmd.Printf("\nTroubleshooting steps:\n")
+		cmd.Printf("  1. Check peer connectivity: netbird status -d\n")
+		cmd.Printf("  2. Verify SSH server is enabled on the peer\n")
+		cmd.Printf("  3. Ensure correct hostname/IP is used\n")
+		return fmt.Errorf("dial %s: %w", target, err)
+	}
+
+	sshCtx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go func() {
+		<-sshCtx.Done()
+		if err := c.Close(); err != nil {
+			cmd.Printf("Error closing SSH connection: %v\n", err)
+		}
+	}()
+
+	if err := startPortForwarding(sshCtx, c, cmd); err != nil {
+		return fmt.Errorf("start port forwarding: %w", err)
+	}
+
+	if command != "" {
+		return executeSSHCommand(sshCtx, c, command)
+	}
+	return openSSHTerminal(sshCtx, c)
+}
+
+// executeSSHCommand executes a command over SSH.
+func executeSSHCommand(ctx context.Context, c *sshclient.Client, command string) error {
+	if err := c.ExecuteCommandWithIO(ctx, command); err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			return nil
+		}
+		return fmt.Errorf("execute command: %w", err)
+	}
+	return nil
+}
+
+// openSSHTerminal opens an interactive SSH terminal.
+func openSSHTerminal(ctx context.Context, c *sshclient.Client) error {
+	if err := c.OpenTerminal(ctx); err != nil {
+		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
+			return nil
+		}
+		return fmt.Errorf("open terminal: %w", err)
+	}
+	return nil
+}
+
+// startPortForwarding starts local and remote port forwarding based on command line flags
+func startPortForwarding(ctx context.Context, c *sshclient.Client, cmd *cobra.Command) error {
+	for _, forward := range localForwards {
+		if err := parseAndStartLocalForward(ctx, c, forward, cmd); err != nil {
+			return fmt.Errorf("local port forward %s: %w", forward, err)
+		}
+	}
+
+	for _, forward := range remoteForwards {
+		if err := parseAndStartRemoteForward(ctx, c, forward, cmd); err != nil {
+			return fmt.Errorf("remote port forward %s: %w", forward, err)
+		}
+	}
+
+	return nil
+}
+
+// parseAndStartLocalForward parses and starts a local port forward (-L)
+func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
+	localAddr, remoteAddr, err := parsePortForwardSpec(forward)
+	if err != nil {
+		return err
+	}
+
+	cmd.Printf("Local port forwarding: %s -> %s\n", localAddr, remoteAddr)
+
+	go func() {
+		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
+			cmd.Printf("Local port forward error: %v\n", err)
+		}
+	}()
+
+	return nil
+}
+
+// parseAndStartRemoteForward parses and starts a remote port forward (-R)
+func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
+	remoteAddr, localAddr, err := parsePortForwardSpec(forward)
+	if err != nil {
+		return err
+	}
+
+	cmd.Printf("Remote port forwarding: %s -> %s\n", remoteAddr, localAddr)
+
+	go func() {
+		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
+			cmd.Printf("Remote port forward error: %v\n", err)
+		}
+	}()
+
+	return nil
+}
+
+// parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
+// Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
+func parsePortForwardSpec(spec string) (string, string, error) {
+	// Support formats:
+	// port:host:hostport  -> localhost:port -> host:hostport
+	// host:port:host:hostport  -> host:port -> host:hostport
+	// [host]:port:host:hostport -> [host]:port -> host:hostport
+	// port:unix_socket_path -> localhost:port -> unix_socket_path
+	// host:port:unix_socket_path -> host:port -> unix_socket_path
+
+	if strings.HasPrefix(spec, "[") && strings.Contains(spec, "]:") {
+		return parseIPv6ForwardSpec(spec)
+	}
+
+	parts := strings.Split(spec, ":")
+	if len(parts) < 2 {
+		return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_target)", spec)
+	}
+
+	switch len(parts) {
+	case 2:
+		return parseTwoPartForwardSpec(parts, spec)
+	case 3:
+		return parseThreePartForwardSpec(parts)
+	case 4:
+		return parseFourPartForwardSpec(parts)
+	default:
+		return "", "", fmt.Errorf("invalid port forward specification: %s", spec)
+	}
+}
+
+// parseTwoPartForwardSpec handles "port:unix_socket" format.
+func parseTwoPartForwardSpec(parts []string, spec string) (string, string, error) {
+	if isUnixSocket(parts[1]) {
+		localAddr := "localhost:" + parts[0]
+		remoteAddr := parts[1]
+		return localAddr, remoteAddr, nil
+	}
+	return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_host:remote_port or [local_host:]local_port:unix_socket)", spec)
+}
+
+// parseThreePartForwardSpec handles "port:host:hostport" or "host:port:unix_socket" formats.
+func parseThreePartForwardSpec(parts []string) (string, string, error) {
+	if isUnixSocket(parts[2]) {
+		localHost := normalizeLocalHost(parts[0])
+		localAddr := localHost + ":" + parts[1]
+		remoteAddr := parts[2]
+		return localAddr, remoteAddr, nil
+	}
+	localAddr := "localhost:" + parts[0]
+	remoteAddr := parts[1] + ":" + parts[2]
+	return localAddr, remoteAddr, nil
+}
+
+// parseFourPartForwardSpec handles "host:port:host:hostport" format.
+func parseFourPartForwardSpec(parts []string) (string, string, error) {
+	localHost := normalizeLocalHost(parts[0])
+	localAddr := localHost + ":" + parts[1]
+	remoteAddr := parts[2] + ":" + parts[3]
+	return localAddr, remoteAddr, nil
+}
+
+// parseIPv6ForwardSpec handles "[host]:port:host:hostport" format.
+func parseIPv6ForwardSpec(spec string) (string, string, error) {
+	idx := strings.Index(spec, "]:")
+	if idx == -1 {
+		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s", spec)
+	}
+
+	ipv6Host := spec[:idx+1]
+	remaining := spec[idx+2:]
+
+	parts := strings.Split(remaining, ":")
+	if len(parts) != 3 {
+		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s (expected [ipv6]:port:host:hostport)", spec)
+	}
+
+	localAddr := ipv6Host + ":" + parts[0]
+	remoteAddr := parts[1] + ":" + parts[2]
+	return localAddr, remoteAddr, nil
+}
+
+// isUnixSocket checks if a path is a Unix socket path.
+func isUnixSocket(path string) bool {
+	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
+}
+
+// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
+func normalizeLocalHost(host string) string {
+	if host == "*" {
+		return "0.0.0.0"
+	}
+	return host
+}
+
+var sshProxyCmd = &cobra.Command{
+	Use:    "proxy <host> <port>",
+	Short:  "Internal SSH proxy for native SSH client integration",
+	Long:   "Internal command used by SSH ProxyCommand to handle JWT authentication",
+	Hidden: true,
+	Args:   cobra.ExactArgs(2),
+	RunE:   sshProxyFn,
+}
+
+func sshProxyFn(cmd *cobra.Command, args []string) error {
+	logOutput := "console"
+	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
+		logOutput = firstLogFile
+	}
+	if err := util.InitLog(logLevel, logOutput); err != nil {
+		return fmt.Errorf("init log: %w", err)
+	}
+
+	host := args[0]
+	portStr := args[1]
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return fmt.Errorf("invalid port: %s", portStr)
+	}
+
+	proxy, err := sshproxy.New(daemonAddr, host, port, cmd.ErrOrStderr())
+	if err != nil {
+		return fmt.Errorf("create SSH proxy: %w", err)
+	}
+
+	if err := proxy.Connect(cmd.Context()); err != nil {
+		return fmt.Errorf("SSH proxy: %w", err)
+	}
+
+	return nil
+}
+
+var sshDetectCmd = &cobra.Command{
+	Use:    "detect <host> <port>",
+	Short:  "Detect if a host is running NetBird SSH",
+	Long:   "Internal command used by SSH Match exec to detect NetBird SSH servers. Exit codes: 0=JWT, 1=no-JWT, 2=regular SSH",
+	Hidden: true,
+	Args:   cobra.ExactArgs(2),
+	RunE:   sshDetectFn,
+}
+
+func sshDetectFn(cmd *cobra.Command, args []string) error {
+	if err := util.InitLog(logLevel, "console"); err != nil {
+		os.Exit(detection.ServerTypeRegular.ExitCode())
+	}
+
+	host := args[0]
+	portStr := args[1]
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		os.Exit(detection.ServerTypeRegular.ExitCode())
+	}
+
+	dialer := &net.Dialer{Timeout: detection.Timeout}
+	serverType, err := detection.DetectSSHServerType(cmd.Context(), dialer, host, port)
+	if err != nil {
+		os.Exit(detection.ServerTypeRegular.ExitCode())
+	}
+
+	os.Exit(serverType.ExitCode())
+	return nil
 }

client/cmd/ssh_exec_unix.go

@@ -0,0 +1,74 @@
+//go:build unix
+
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/spf13/cobra"
+
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+)
+
+var (
+	sshExecUID        uint32
+	sshExecGID        uint32
+	sshExecGroups     []uint
+	sshExecWorkingDir string
+	sshExecShell      string
+	sshExecCommand    string
+	sshExecPTY        bool
+)
+
+// sshExecCmd represents the hidden ssh exec subcommand for privilege dropping
+var sshExecCmd = &cobra.Command{
+	Use:    "exec",
+	Short:  "Internal SSH execution with privilege dropping (hidden)",
+	Hidden: true,
+	RunE:   runSSHExec,
+}
+
+func init() {
+	sshExecCmd.Flags().Uint32Var(&sshExecUID, "uid", 0, "Target user ID")
+	sshExecCmd.Flags().Uint32Var(&sshExecGID, "gid", 0, "Target group ID")
+	sshExecCmd.Flags().UintSliceVar(&sshExecGroups, "groups", nil, "Supplementary group IDs (can be repeated)")
+	sshExecCmd.Flags().StringVar(&sshExecWorkingDir, "working-dir", "", "Working directory")
+	sshExecCmd.Flags().StringVar(&sshExecShell, "shell", "/bin/sh", "Shell to execute")
+	sshExecCmd.Flags().BoolVar(&sshExecPTY, "pty", false, "Request PTY (will fail as executor doesn't support PTY)")
+	sshExecCmd.Flags().StringVar(&sshExecCommand, "cmd", "", "Command to execute")
+
+	if err := sshExecCmd.MarkFlagRequired("uid"); err != nil {
+		_, _ = fmt.Fprintf(os.Stderr, "failed to mark uid flag as required: %v\n", err)
+		os.Exit(1)
+	}
+	if err := sshExecCmd.MarkFlagRequired("gid"); err != nil {
+		_, _ = fmt.Fprintf(os.Stderr, "failed to mark gid flag as required: %v\n", err)
+		os.Exit(1)
+	}
+
+	sshCmd.AddCommand(sshExecCmd)
+}
+
+// runSSHExec handles the SSH exec subcommand execution.
+func runSSHExec(cmd *cobra.Command, _ []string) error {
+	privilegeDropper := sshserver.NewPrivilegeDropper()
+
+	var groups []uint32
+	for _, groupInt := range sshExecGroups {
+		groups = append(groups, uint32(groupInt))
+	}
+
+	config := sshserver.ExecutorConfig{
+		UID:        sshExecUID,
+		GID:        sshExecGID,
+		Groups:     groups,
+		WorkingDir: sshExecWorkingDir,
+		Shell:      sshExecShell,
+		Command:    sshExecCommand,
+		PTY:        sshExecPTY,
+	}
+
+	privilegeDropper.ExecuteWithPrivilegeDrop(cmd.Context(), config)
+	return nil
+}

client/cmd/ssh_sftp_unix.go

@@ -0,0 +1,94 @@
+//go:build unix
+
+package cmd
+
+import (
+	"errors"
+	"io"
+	"os"
+
+	"github.com/pkg/sftp"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+)
+
+var (
+	sftpUID        uint32
+	sftpGID        uint32
+	sftpGroupsInt  []uint
+	sftpWorkingDir string
+)
+
+var sshSftpCmd = &cobra.Command{
+	Use:    "sftp",
+	Short:  "SFTP server with privilege dropping (internal use)",
+	Hidden: true,
+	RunE:   sftpMain,
+}
+
+func init() {
+	sshSftpCmd.Flags().Uint32Var(&sftpUID, "uid", 0, "Target user ID")
+	sshSftpCmd.Flags().Uint32Var(&sftpGID, "gid", 0, "Target group ID")
+	sshSftpCmd.Flags().UintSliceVar(&sftpGroupsInt, "groups", nil, "Supplementary group IDs (can be repeated)")
+	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
+}
+
+func sftpMain(cmd *cobra.Command, _ []string) error {
+	privilegeDropper := sshserver.NewPrivilegeDropper()
+
+	var groups []uint32
+	for _, groupInt := range sftpGroupsInt {
+		groups = append(groups, uint32(groupInt))
+	}
+
+	config := sshserver.ExecutorConfig{
+		UID:        sftpUID,
+		GID:        sftpGID,
+		Groups:     groups,
+		WorkingDir: sftpWorkingDir,
+		Shell:      "",
+		Command:    "",
+	}
+
+	log.Tracef("dropping privileges for SFTP to UID=%d, GID=%d, groups=%v", config.UID, config.GID, config.Groups)
+
+	if err := privilegeDropper.DropPrivileges(config.UID, config.GID, config.Groups); err != nil {
+		cmd.PrintErrf("privilege drop failed: %v\n", err)
+		os.Exit(sshserver.ExitCodePrivilegeDropFail)
+	}
+
+	if config.WorkingDir != "" {
+		if err := os.Chdir(config.WorkingDir); err != nil {
+			cmd.PrintErrf("failed to change to working directory %s: %v\n", config.WorkingDir, err)
+		}
+	}
+
+	sftpServer, err := sftp.NewServer(struct {
+		io.Reader
+		io.WriteCloser
+	}{
+		Reader:      os.Stdin,
+		WriteCloser: os.Stdout,
+	})
+	if err != nil {
+		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
+		os.Exit(sshserver.ExitCodeShellExecFail)
+	}
+
+	log.Tracef("starting SFTP server with dropped privileges")
+	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
+		cmd.PrintErrf("SFTP server error: %v\n", err)
+		if closeErr := sftpServer.Close(); closeErr != nil {
+			cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
+		}
+		os.Exit(sshserver.ExitCodeShellExecFail)
+	}
+
+	if closeErr := sftpServer.Close(); closeErr != nil {
+		cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
+	}
+	os.Exit(sshserver.ExitCodeSuccess)
+	return nil
+}

client/cmd/ssh_sftp_windows.go

@@ -0,0 +1,93 @@
+//go:build windows
+
+package cmd
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/user"
+
+	"github.com/pkg/sftp"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+)
+
+var (
+	sftpWorkingDir  string
+	windowsUsername string
+	windowsDomain   string
+)
+
+var sshSftpCmd = &cobra.Command{
+	Use:    "sftp",
+	Short:  "SFTP server with user switching for Windows (internal use)",
+	Hidden: true,
+	RunE:   sftpMain,
+}
+
+func init() {
+	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
+	sshSftpCmd.Flags().StringVar(&windowsUsername, "windows-username", "", "Windows username for user switching")
+	sshSftpCmd.Flags().StringVar(&windowsDomain, "windows-domain", "", "Windows domain for user switching")
+}
+
+func sftpMain(cmd *cobra.Command, _ []string) error {
+	return sftpMainDirect(cmd)
+}
+
+func sftpMainDirect(cmd *cobra.Command) error {
+	currentUser, err := user.Current()
+	if err != nil {
+		cmd.PrintErrf("failed to get current user: %v\n", err)
+		os.Exit(sshserver.ExitCodeValidationFail)
+	}
+
+	if windowsUsername != "" {
+		expectedUsername := windowsUsername
+		if windowsDomain != "" {
+			expectedUsername = fmt.Sprintf(`%s\%s`, windowsDomain, windowsUsername)
+		}
+		if currentUser.Username != expectedUsername && currentUser.Username != windowsUsername {
+			cmd.PrintErrf("user switching failed\n")
+			os.Exit(sshserver.ExitCodeValidationFail)
+		}
+	}
+
+	log.Debugf("SFTP process running as: %s (UID: %s, Name: %s)", currentUser.Username, currentUser.Uid, currentUser.Name)
+
+	if sftpWorkingDir != "" {
+		if err := os.Chdir(sftpWorkingDir); err != nil {
+			cmd.PrintErrf("failed to change to working directory %s: %v\n", sftpWorkingDir, err)
+		}
+	}
+
+	sftpServer, err := sftp.NewServer(struct {
+		io.Reader
+		io.WriteCloser
+	}{
+		Reader:      os.Stdin,
+		WriteCloser: os.Stdout,
+	})
+	if err != nil {
+		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
+		os.Exit(sshserver.ExitCodeShellExecFail)
+	}
+
+	log.Debugf("starting SFTP server")
+	exitCode := sshserver.ExitCodeSuccess
+	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
+		cmd.PrintErrf("SFTP server error: %v\n", err)
+		exitCode = sshserver.ExitCodeShellExecFail
+	}
+
+	if err := sftpServer.Close(); err != nil {
+		log.Debugf("SFTP server close error: %v", err)
+	}
+
+	os.Exit(exitCode)
+	return nil
+}

client/cmd/ssh_test.go

@@ -0,0 +1,669 @@
+package cmd
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestSSHCommand_FlagParsing(t *testing.T) {
+	tests := []struct {
+		name         string
+		args         []string
+		expectedHost string
+		expectedUser string
+		expectedPort int
+		expectedCmd  string
+		expectError  bool
+	}{
+		{
+			name:         "basic host",
+			args:         []string{"hostname"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "",
+		},
+		{
+			name:         "user@host format",
+			args:         []string{"user@hostname"},
+			expectedHost: "hostname",
+			expectedUser: "user",
+			expectedPort: 22,
+			expectedCmd:  "",
+		},
+		{
+			name:         "host with command",
+			args:         []string{"hostname", "echo", "hello"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "echo hello",
+		},
+		{
+			name:         "command with flags should be preserved",
+			args:         []string{"hostname", "ls", "-la", "/tmp"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "ls -la /tmp",
+		},
+		{
+			name:         "double dash separator",
+			args:         []string{"hostname", "--", "ls", "-la"},
+			expectedHost: "hostname",
+			expectedUser: "",
+			expectedPort: 22,
+			expectedCmd:  "-- ls -la",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			// Mock command for testing
+			cmd := sshCmd
+			cmd.SetArgs(tt.args)
+
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			if tt.expectedUser != "" {
+				assert.Equal(t, tt.expectedUser, username, "username mismatch")
+			}
+			assert.Equal(t, tt.expectedPort, port, "port mismatch")
+			assert.Equal(t, tt.expectedCmd, command, "command mismatch")
+		})
+	}
+}
+
+func TestSSHCommand_FlagConflictPrevention(t *testing.T) {
+	// Test that SSH flags don't conflict with command flags
+	tests := []struct {
+		name        string
+		args        []string
+		expectedCmd string
+		description string
+	}{
+		{
+			name:        "ls with -la flags",
+			args:        []string{"hostname", "ls", "-la"},
+			expectedCmd: "ls -la",
+			description: "ls flags should be passed to remote command",
+		},
+		{
+			name:        "grep with -r flag",
+			args:        []string{"hostname", "grep", "-r", "pattern", "/path"},
+			expectedCmd: "grep -r pattern /path",
+			description: "grep flags should be passed to remote command",
+		},
+		{
+			name:        "ps with aux flags",
+			args:        []string{"hostname", "ps", "aux"},
+			expectedCmd: "ps aux",
+			description: "ps flags should be passed to remote command",
+		},
+		{
+			name:        "command with double dash",
+			args:        []string{"hostname", "--", "ls", "-la"},
+			expectedCmd: "-- ls -la",
+			description: "double dash should be preserved in command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+		})
+	}
+}
+
+func TestSSHCommand_NonInteractiveExecution(t *testing.T) {
+	// Test that commands with arguments should execute the command and exit,
+	// not drop to an interactive shell
+	tests := []struct {
+		name        string
+		args        []string
+		expectedCmd string
+		shouldExit  bool
+		description string
+	}{
+		{
+			name:        "ls command should execute and exit",
+			args:        []string{"hostname", "ls"},
+			expectedCmd: "ls",
+			shouldExit:  true,
+			description: "ls command should execute and exit, not drop to shell",
+		},
+		{
+			name:        "ls with flags should execute and exit",
+			args:        []string{"hostname", "ls", "-la"},
+			expectedCmd: "ls -la",
+			shouldExit:  true,
+			description: "ls with flags should execute and exit, not drop to shell",
+		},
+		{
+			name:        "pwd command should execute and exit",
+			args:        []string{"hostname", "pwd"},
+			expectedCmd: "pwd",
+			shouldExit:  true,
+			description: "pwd command should execute and exit, not drop to shell",
+		},
+		{
+			name:        "echo command should execute and exit",
+			args:        []string{"hostname", "echo", "hello"},
+			expectedCmd: "echo hello",
+			shouldExit:  true,
+			description: "echo command should execute and exit, not drop to shell",
+		},
+		{
+			name:        "no command should open shell",
+			args:        []string{"hostname"},
+			expectedCmd: "",
+			shouldExit:  false,
+			description: "no command should open interactive shell",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+
+			// When command is present, it should execute the command and exit
+			// When command is empty, it should open interactive shell
+			hasCommand := command != ""
+			assert.Equal(t, tt.shouldExit, hasCommand, "Command presence should match expected behavior")
+		})
+	}
+}
+
+func TestSSHCommand_FlagHandling(t *testing.T) {
+	// Test that flags after hostname are not parsed by netbird but passed to SSH command
+	tests := []struct {
+		name         string
+		args         []string
+		expectedHost string
+		expectedCmd  string
+		expectError  bool
+		description  string
+	}{
+		{
+			name:         "ls with -la flag should not be parsed by netbird",
+			args:         []string{"debian2", "ls", "-la"},
+			expectedHost: "debian2",
+			expectedCmd:  "ls -la",
+			expectError:  false,
+			description:  "ls -la should be passed as SSH command, not parsed as netbird flags",
+		},
+		{
+			name:         "command with netbird-like flags should be passed through",
+			args:         []string{"hostname", "echo", "--help"},
+			expectedHost: "hostname",
+			expectedCmd:  "echo --help",
+			expectError:  false,
+			description:  "--help should be passed to echo, not parsed by netbird",
+		},
+		{
+			name:         "command with -p flag should not conflict with SSH port flag",
+			args:         []string{"hostname", "ps", "-p", "1234"},
+			expectedHost: "hostname",
+			expectedCmd:  "ps -p 1234",
+			expectError:  false,
+			description:  "ps -p should be passed to ps command, not parsed as port",
+		},
+		{
+			name:         "tar with flags should be passed through",
+			args:         []string{"hostname", "tar", "-czf", "backup.tar.gz", "/home"},
+			expectedHost: "hostname",
+			expectedCmd:  "tar -czf backup.tar.gz /home",
+			expectError:  false,
+			description:  "tar flags should be passed to tar command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+		})
+	}
+}
+
+func TestSSHCommand_RegressionFlagParsing(t *testing.T) {
+	// Regression test for the specific issue: "sudo ./netbird ssh debian2 ls -la"
+	// should not parse -la as netbird flags but pass them to the SSH command
+	tests := []struct {
+		name         string
+		args         []string
+		expectedHost string
+		expectedCmd  string
+		expectError  bool
+		description  string
+	}{
+		{
+			name:         "original issue: ls -la should be preserved",
+			args:         []string{"debian2", "ls", "-la"},
+			expectedHost: "debian2",
+			expectedCmd:  "ls -la",
+			expectError:  false,
+			description:  "The original failing case should now work",
+		},
+		{
+			name:         "ls -l should be preserved",
+			args:         []string{"hostname", "ls", "-l"},
+			expectedHost: "hostname",
+			expectedCmd:  "ls -l",
+			expectError:  false,
+			description:  "Single letter flags should be preserved",
+		},
+		{
+			name:         "SSH port flag should work",
+			args:         []string{"-p", "2222", "hostname", "ls", "-la"},
+			expectedHost: "hostname",
+			expectedCmd:  "ls -la",
+			expectError:  false,
+			description:  "SSH -p flag should be parsed, command flags preserved",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			assert.Equal(t, tt.expectedCmd, command, tt.description)
+
+			// Check port for the test case with -p flag
+			if len(tt.args) > 0 && tt.args[0] == "-p" {
+				assert.Equal(t, 2222, port, "port should be parsed from -p flag")
+			}
+		})
+	}
+}
+
+func TestSSHCommand_PortForwardingFlagParsing(t *testing.T) {
+	tests := []struct {
+		name           string
+		args           []string
+		expectedHost   string
+		expectedLocal  []string
+		expectedRemote []string
+		expectError    bool
+		description    string
+	}{
+		{
+			name:           "local port forwarding -L",
+			args:           []string{"-L", "8080:localhost:80", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Single -L flag should be parsed correctly",
+		},
+		{
+			name:           "remote port forwarding -R",
+			args:           []string{"-R", "8080:localhost:80", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{},
+			expectedRemote: []string{"8080:localhost:80"},
+			expectError:    false,
+			description:    "Single -R flag should be parsed correctly",
+		},
+		{
+			name:           "multiple local port forwards",
+			args:           []string{"-L", "8080:localhost:80", "-L", "9090:localhost:443", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80", "9090:localhost:443"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Multiple -L flags should be parsed correctly",
+		},
+		{
+			name:           "multiple remote port forwards",
+			args:           []string{"-R", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{},
+			expectedRemote: []string{"8080:localhost:80", "9090:localhost:443"},
+			expectError:    false,
+			description:    "Multiple -R flags should be parsed correctly",
+		},
+		{
+			name:           "mixed local and remote forwards",
+			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{"9090:localhost:443"},
+			expectError:    false,
+			description:    "Mixed -L and -R flags should be parsed correctly",
+		},
+		{
+			name:           "port forwarding with bind address",
+			args:           []string{"-L", "127.0.0.1:8080:localhost:80", "hostname"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"127.0.0.1:8080:localhost:80"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Port forwarding with bind address should work",
+		},
+		{
+			name:           "port forwarding with command",
+			args:           []string{"-L", "8080:localhost:80", "hostname", "ls", "-la"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{},
+			expectError:    false,
+			description:    "Port forwarding with command should work",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+			localForwards = nil
+			remoteForwards = nil
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			// Handle nil vs empty slice comparison
+			if len(tt.expectedLocal) == 0 {
+				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
+			}
+			if len(tt.expectedRemote) == 0 {
+				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
+			}
+		})
+	}
+}
+
+func TestParsePortForward(t *testing.T) {
+	tests := []struct {
+		name           string
+		spec           string
+		expectedLocal  string
+		expectedRemote string
+		expectError    bool
+		description    string
+	}{
+		{
+			name:           "simple port forward",
+			spec:           "8080:localhost:80",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "localhost:80",
+			expectError:    false,
+			description:    "Simple port:host:port format should work",
+		},
+		{
+			name:           "port forward with bind address",
+			spec:           "127.0.0.1:8080:localhost:80",
+			expectedLocal:  "127.0.0.1:8080",
+			expectedRemote: "localhost:80",
+			expectError:    false,
+			description:    "bind_address:port:host:port format should work",
+		},
+		{
+			name:           "port forward to different host",
+			spec:           "8080:example.com:443",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "example.com:443",
+			expectError:    false,
+			description:    "Forwarding to different host should work",
+		},
+		{
+			name:        "port forward with IPv6 (needs bracket support)",
+			spec:        "::1:8080:localhost:80",
+			expectError: true,
+			description: "IPv6 without brackets fails as expected (feature to implement)",
+		},
+		{
+			name:        "invalid format - too few parts",
+			spec:        "8080:localhost",
+			expectError: true,
+			description: "Invalid format with too few parts should fail",
+		},
+		{
+			name:        "invalid format - too many parts",
+			spec:        "127.0.0.1:8080:localhost:80:extra",
+			expectError: true,
+			description: "Invalid format with too many parts should fail",
+		},
+		{
+			name:        "empty spec",
+			spec:        "",
+			expectError: true,
+			description: "Empty spec should fail",
+		},
+		{
+			name:           "unix socket local forward",
+			spec:           "8080:/tmp/socket",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "/tmp/socket",
+			expectError:    false,
+			description:    "Unix socket forwarding should work",
+		},
+		{
+			name:           "unix socket with bind address",
+			spec:           "127.0.0.1:8080:/tmp/socket",
+			expectedLocal:  "127.0.0.1:8080",
+			expectedRemote: "/tmp/socket",
+			expectError:    false,
+			description:    "Unix socket with bind address should work",
+		},
+		{
+			name:           "wildcard bind all interfaces",
+			spec:           "*:8080:localhost:80",
+			expectedLocal:  "0.0.0.0:8080",
+			expectedRemote: "localhost:80",
+			expectError:    false,
+			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
+		},
+		{
+			name:           "wildcard for port only",
+			spec:           "8080:*:80",
+			expectedLocal:  "localhost:8080",
+			expectedRemote: "*:80",
+			expectError:    false,
+			description:    "Wildcard in remote host should be preserved",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			localAddr, remoteAddr, err := parsePortForwardSpec(tt.spec)
+
+			if tt.expectError {
+				assert.Error(t, err, tt.description)
+				return
+			}
+
+			require.NoError(t, err, tt.description)
+			assert.Equal(t, tt.expectedLocal, localAddr, tt.description+" - local address")
+			assert.Equal(t, tt.expectedRemote, remoteAddr, tt.description+" - remote address")
+		})
+	}
+}
+
+func TestSSHCommand_IntegrationPortForwarding(t *testing.T) {
+	// Integration test for port forwarding with the actual SSH command implementation
+	tests := []struct {
+		name           string
+		args           []string
+		expectedHost   string
+		expectedLocal  []string
+		expectedRemote []string
+		expectedCmd    string
+		description    string
+	}{
+		{
+			name:           "local forward with command",
+			args:           []string{"-L", "8080:localhost:80", "hostname", "echo", "test"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{},
+			expectedCmd:    "echo test",
+			description:    "Local forwarding should work with commands",
+		},
+		{
+			name:           "remote forward with command",
+			args:           []string{"-R", "8080:localhost:80", "hostname", "ls", "-la"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{},
+			expectedRemote: []string{"8080:localhost:80"},
+			expectedCmd:    "ls -la",
+			description:    "Remote forwarding should work with commands",
+		},
+		{
+			name:           "multiple forwards with user and command",
+			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "user@hostname", "ps", "aux"},
+			expectedHost:   "hostname",
+			expectedLocal:  []string{"8080:localhost:80"},
+			expectedRemote: []string{"9090:localhost:443"},
+			expectedCmd:    "ps aux",
+			description:    "Complex case with multiple forwards, user, and command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset global variables
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+			localForwards = nil
+			remoteForwards = nil
+
+			cmd := sshCmd
+			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
+			require.NoError(t, err, "SSH args validation should succeed for valid input")
+
+			assert.Equal(t, tt.expectedHost, host, "host mismatch")
+			// Handle nil vs empty slice comparison
+			if len(tt.expectedLocal) == 0 {
+				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
+			}
+			if len(tt.expectedRemote) == 0 {
+				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
+			} else {
+				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
+			}
+			assert.Equal(t, tt.expectedCmd, command, tt.description+" - command")
+		})
+	}
+}
+
+func TestSSHCommand_ParameterIsolation(t *testing.T) {
+	tests := []struct {
+		name        string
+		args        []string
+		expectedCmd string
+	}{
+		{
+			name:        "cmd flag passed as command",
+			args:        []string{"hostname", "--cmd", "echo test"},
+			expectedCmd: "--cmd echo test",
+		},
+		{
+			name:        "uid flag passed as command",
+			args:        []string{"hostname", "--uid", "1000"},
+			expectedCmd: "--uid 1000",
+		},
+		{
+			name:        "shell flag passed as command",
+			args:        []string{"hostname", "--shell", "/bin/bash"},
+			expectedCmd: "--shell /bin/bash",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			host = ""
+			username = ""
+			port = 22
+			command = ""
+
+			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
+			require.NoError(t, err)
+
+			assert.Equal(t, "hostname", host)
+			assert.Equal(t, tt.expectedCmd, command)
+		})
+	}
+}

client/cmd/testutil_test.go

@@ -110,7 +110,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -348,6 +348,21 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		req.EnableSSHRoot = &enableSSHRoot
+	}
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		req.EnableSSHSFTP = &enableSSHSFTP
+	}
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		req.EnableSSHLocalPortForward = &enableSSHLocalPortForward
+	}
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		req.EnableSSHRemotePortForward = &enableSSHRemotePortForward
+	}
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		req.DisableSSHAuth = &disableSSHAuth
+	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			log.Errorf("parse interface name: %v", err)
@@ -432,6 +447,26 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
 
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		ic.EnableSSHRoot = &enableSSHRoot
+	}
+
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		ic.EnableSSHSFTP = &enableSSHSFTP
+	}
+
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		ic.DisableSSHAuth = &disableSSHAuth
+	}
+
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return nil, err
@@ -532,6 +567,26 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
 
+	if cmd.Flag(enableSSHRootFlag).Changed {
+		loginRequest.EnableSSHRoot = &enableSSHRoot
+	}
+
+	if cmd.Flag(enableSSHSFTPFlag).Changed {
+		loginRequest.EnableSSHSFTP = &enableSSHSFTP
+	}
+
+	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
+		loginRequest.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
+	}
+
+	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
+		loginRequest.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
+	}
+
+	if cmd.Flag(disableSSHAuthFlag).Changed {
+		loginRequest.DisableSSHAuth = &disableSSHAuth
+	}
+
 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled
 	}

client/embed/embed.go

@@ -18,12 +18,16 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 )
 
-var ErrClientAlreadyStarted = errors.New("client already started")
-var ErrClientNotStarted = errors.New("client not started")
-var ErrConfigNotInitialized = errors.New("config not initialized")
+var (
+	ErrClientAlreadyStarted = errors.New("client already started")
+	ErrClientNotStarted     = errors.New("client not started")
+	ErrEngineNotStarted     = errors.New("engine not started")
+	ErrConfigNotInitialized = errors.New("config not initialized")
+)
 
 // Client manages a netbird embedded client instance.
 type Client struct {
@@ -238,17 +242,9 @@ func (c *Client) GetConfig() (profilemanager.Config, error) {
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
-	c.mu.Lock()
-	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, ErrClientNotStarted
-	}
-	c.mu.Unlock()
-
-	engine := connect.Engine()
-	if engine == nil {
-		return nil, errors.New("engine not started")
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, err
 	}
 
 	nsnet, err := engine.GetNet()
@@ -259,6 +255,11 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
+// DialContext dials a network address in the netbird network with context
+func (c *Client) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	return c.Dial(ctx, network, address)
+}
+
 // ListenTCP listens on the given address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
@@ -314,18 +315,47 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }
 
-func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
+// VerifySSHHostKey verifies an SSH host key against stored peer keys.
+// Returns nil if the key matches, ErrPeerNotFound if peer is not in network,
+// ErrNoStoredKey if peer has no stored key, or an error for verification failures.
+func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
+	engine, err := c.getEngine()
+	if err != nil {
+		return err
+	}
+
+	storedKey, found := engine.GetPeerSSHKey(peerAddress)
+	if !found {
+		return sshcommon.ErrPeerNotFound
+	}
+
+	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
+}
+
+// getEngine safely retrieves the engine from the client with proper locking.
+// Returns ErrClientNotStarted if the client is not started.
+// Returns ErrEngineNotStarted if the engine is not available.
+func (c *Client) getEngine() (*internal.Engine, error) {
 	c.mu.Lock()
 	connect := c.connect
-	if connect == nil {
-		c.mu.Unlock()
-		return nil, netip.Addr{}, errors.New("client not started")
-	}
 	c.mu.Unlock()
 
+	if connect == nil {
+		return nil, ErrClientNotStarted
+	}
+
 	engine := connect.Engine()
 	if engine == nil {
-		return nil, netip.Addr{}, errors.New("engine not started")
+		return nil, ErrEngineNotStarted
+	}
+
+	return engine, nil
+}
+
+func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
+	engine, err := c.getEngine()
+	if err != nil {
+		return nil, netip.Addr{}, err
 	}
 
 	addr, err := engine.Address()

client/firewall/create.go

@@ -15,13 +15,13 @@ import (
 )
 
 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
 
 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger)
+	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}

client/firewall/create_linux.go

@@ -34,12 +34,12 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int
 
-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
 	// for the userspace packet filtering firewall
-	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes)
+	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
 
 	if !iface.IsUserspaceBind() {
 		return fm, err
@@ -48,11 +48,11 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger)
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 }
 
-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool) (firewall.Manager, error) {
-	fm, err := createFW(iface)
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
+	fm, err := createFW(iface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
 	}
@@ -64,26 +64,26 @@ func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager,
 	return fm, nil
 }
 
-func createFW(iface IFaceMapper) (firewall.Manager, error) {
+func createFW(iface IFaceMapper, mtu uint16) (firewall.Manager, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
-		return nbiptables.Create(iface)
+		return nbiptables.Create(iface, mtu)
 	case NFTABLES:
 		log.Info("creating an nftables firewall manager")
-		return nbnftables.Create(iface)
+		return nbnftables.Create(iface, mtu)
 	default:
 		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 		return nil, errors.New("no firewall manager found")
 	}
 }
 
-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
 	var errUsp error
 	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger)
+		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
 	}
 
 	if errUsp != nil {

client/firewall/iptables/manager_linux.go

@@ -36,7 +36,7 @@ type iFaceMapper interface {
 }
 
 // Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("init iptables: %w", err)
@@ -47,7 +47,7 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}
 
-	m.router, err = newRouter(iptablesClient, wgIface)
+	m.router, err = newRouter(iptablesClient, wgIface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -66,6 +66,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)

client/firewall/iptables/manager_linux_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -53,7 +54,7 @@ func TestIptablesManager(t *testing.T) {
 	require.NoError(t, err)
 
 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -114,7 +115,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
 
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -198,7 +199,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}
 
 	// just check on the local interface
-	manager, err := Create(mock)
+	manager, err := Create(mock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -264,7 +265,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, iface.DefaultMTU)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second)

client/firewall/iptables/router_linux.go

@@ -30,17 +30,20 @@ const (
 
 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
+	chainFORWARD            = "FORWARD"
 	chainRTNAT              = "NETBIRD-RT-NAT"
 	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
+	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
 
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
+	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
 	matchSet       = "--match-set"
@@ -48,6 +51,9 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )
 
 type ruleInfo struct {
@@ -77,16 +83,18 @@ type router struct {
 	ipsetCounter     *ipsetCounter
 	wgIface          iFaceMapper
 	legacyManagement bool
+	mtu              uint16
 
 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
 }
 
-func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
+func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
 	r := &router{
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
+		mtu:            mtu,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
 
@@ -392,6 +400,7 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
+		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
 		if err != nil {
@@ -416,6 +425,7 @@ func (r *router) createContainers() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
+		{chainRTMSSCLAMP, tableMangle},
 	} {
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
@@ -438,6 +448,10 @@ func (r *router) createContainers() error {
 		return fmt.Errorf("add jump rules: %w", err)
 	}
 
+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
 	return nil
 }
 
@@ -518,6 +532,35 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 
+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
+func (r *router) addMSSClampingRules() error {
+	mss := r.mtu - ipTCPHeaderMinSize
+
+	// Add jump rule from FORWARD chain in mangle table to our custom chain
+	jumpRule := []string{
+		"-j", chainRTMSSCLAMP,
+	}
+	if err := r.iptablesClient.Insert(tableMangle, chainFORWARD, 1, jumpRule...); err != nil {
+		return fmt.Errorf("add jump to MSS clamp chain: %w", err)
+	}
+	r.rules[jumpMSSClamp] = jumpRule
+
+	ruleOut := []string{
+		"-o", r.wgIface.Name(),
+		"-p", "tcp",
+		"--tcp-flags", "SYN,RST", "SYN",
+		"-j", "TCPMSS",
+		"--set-mss", fmt.Sprintf("%d", mss),
+	}
+	if err := r.iptablesClient.Append(tableMangle, chainRTMSSCLAMP, ruleOut...); err != nil {
+		return fmt.Errorf("add outbound MSS clamp rule: %w", err)
+	}
+	r.rules["mss-clamp-out"] = ruleOut
+
+	return nil
+}
+
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()
 
@@ -558,7 +601,7 @@ func (r *router) addJumpRules() error {
 }
 
 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
+	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre, jumpMSSClamp} {
 		if rule, exists := r.rules[ruleKey]; exists {
 			var table, chain string
 			switch ruleKey {
@@ -571,6 +614,9 @@ func (r *router) cleanJumpRules() error {
 			case jumpNatPre:
 				table = tableNat
 				chain = chainPREROUTING
+			case jumpMSSClamp:
+				table = tableMangle
+				chain = chainFORWARD
 			default:
 				return fmt.Errorf("unknown jump rule: %s", ruleKey)
 			}

client/firewall/iptables/router_linux_test.go

@@ -14,6 +14,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/iface"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
@@ -30,7 +31,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")
 
-	manager, err := newRouter(iptablesClient, ifaceMock)
+	manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "should return a valid iptables manager")
 	require.NoError(t, manager.init(nil))
 
@@ -38,7 +39,6 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		assert.NoError(t, manager.Reset(), "shouldn't return error")
 	}()
 
-	// Now 5 rules:
 	// 1. established rule forward in
 	// 2. estbalished rule forward out
 	// 3. jump rule to POST nat chain
@@ -48,7 +48,9 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 7. static return masquerade rule
 	// 8. mangle prerouting mark rule
 	// 9. mangle postrouting mark rule
-	require.Len(t, manager.rules, 9, "should have created rules map")
+	// 10. jump rule to MSS clamping chain
+	// 11. MSS clamping rule for outbound traffic
+	require.Len(t, manager.rules, 11, "should have created rules map")
 
 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -82,7 +84,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")
 
-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 
@@ -155,7 +157,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 
-			manager, err := newRouter(iptablesClient, ifaceMock)
+			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
@@ -217,7 +219,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "Failed to create iptables client")
 
-	r, err := newRouter(iptablesClient, ifaceMock)
+	r, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router manager")
 	require.NoError(t, r.init(nil))
 

client/firewall/iptables/state_linux.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"sync"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -11,6 +12,7 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -42,7 +44,11 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	ipt, err := Create(s.InterfaceState)
+	mtu := s.InterfaceState.MTU
+	if mtu == 0 {
+		mtu = iface.DefaultMTU
+	}
+	ipt, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create iptables manager: %w", err)
 	}

client/firewall/manager/firewall.go

@@ -100,6 +100,9 @@ type Manager interface {
 	//
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
+	//
+	// Note: Callers should call Flush() after adding rules to ensure
+	// they are applied to the kernel and rule handles are refreshed.
 	AddPeerFiltering(
 		id []byte,
 		ip net.IP,

client/firewall/nftables/acl_linux.go

@@ -29,8 +29,6 @@ const (
 	chainNameForwardFilter     = "netbird-acl-forward-filter"
 	chainNameManglePrerouting  = "netbird-mangle-prerouting"
 	chainNameManglePostrouting = "netbird-mangle-postrouting"
-
-	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
 
 const flushError = "flush: %w"
@@ -195,25 +193,6 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 // createDefaultAllowRules creates default allow rules for the input and output chains
 func (m *AclManager) createDefaultAllowRules() error {
 	expIn := []expr.Any{
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       12,
-			Len:          4,
-		},
-		// mask
-		&expr.Bitwise{
-			SourceRegister: 1,
-			DestRegister:   1,
-			Len:            4,
-			Mask:           []byte{0, 0, 0, 0},
-			Xor:            []byte{0, 0, 0, 0},
-		},
-		// net address
-		&expr.Cmp{
-			Register: 1,
-			Data:     []byte{0, 0, 0, 0},
-		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
 		},
@@ -258,7 +237,7 @@ func (m *AclManager) addIOFiltering(
 	action firewall.Action,
 	ipset *nftables.Set,
 ) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, sPort, dPort, action, ipset)
+	ruleId := generatePeerRuleId(ip, proto, sPort, dPort, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
 			nftRule:    r.nftRule,
@@ -357,11 +336,12 @@ func (m *AclManager) addIOFiltering(
 	}
 
 	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf(flushError, err)
+		return nil, fmt.Errorf("flush input rule %s: %v", ruleId, err)
 	}
 
 	ruleStruct := &Rule{
-		nftRule:    nftRule,
+		nftRule: nftRule,
+		// best effort mangle rule
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
@@ -420,12 +400,19 @@ func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byt
 		},
 	)
 
-	return m.rConn.AddRule(&nftables.Rule{
+	nfRule := m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    m.chainPrerouting,
 		Exprs:    preroutingExprs,
 		UserData: userData,
 	})
+
+	if err := m.rConn.Flush(); err != nil {
+		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
+		return nil
+	}
+
+	return nfRule
 }
 
 func (m *AclManager) createDefaultChains() (err error) {
@@ -697,8 +684,8 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) erro
 	return nil
 }
 
-func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":"
+func generatePeerRuleId(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
+	rulesetID := ":" + string(proto) + ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
 	}

client/firewall/nftables/manager_linux.go

@@ -1,11 +1,11 @@
 package nftables
 
 import (
-	"bytes"
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
 	"sync"
 
 	"github.com/google/nftables"
@@ -19,13 +19,22 @@ import (
 )
 
 const (
-	// tableNameNetbird is the name of the table that is used for filtering by the Netbird client
+	// tableNameNetbird is the default name of the table that is used for filtering by the Netbird client
 	tableNameNetbird = "netbird"
+	// envTableName is the environment variable to override the table name
+	envTableName = "NB_NFTABLES_TABLE"
 
 	tableNameFilter = "filter"
 	chainNameInput  = "INPUT"
 )
 
+func getTableName() string {
+	if name := os.Getenv(envTableName); name != "" {
+		return name
+	}
+	return tableNameNetbird
+}
+
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
@@ -44,16 +53,16 @@ type Manager struct {
 }
 
 // Create nftables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 	m := &Manager{
 		rConn:   &nftables.Conn{},
 		wgIface: wgIface,
 	}
 
-	workTable := &nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4}
+	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
 
 	var err error
-	m.router, err = newRouter(workTable, wgIface)
+	m.router, err = newRouter(workTable, wgIface, mtu)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -93,6 +102,7 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -197,44 +207,11 @@ func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	err := m.aclManager.createDefaultAllowRules()
-	if err != nil {
-		return fmt.Errorf("failed to create default allow rules: %v", err)
+	if err := m.aclManager.createDefaultAllowRules(); err != nil {
+		return fmt.Errorf("create default allow rules: %w", err)
 	}
-
-	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
-	if err != nil {
-		return fmt.Errorf("list of chains: %w", err)
-	}
-
-	var chain *nftables.Chain
-	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
-			chain = c
-			break
-		}
-	}
-
-	if chain == nil {
-		log.Debugf("chain INPUT not found. Skipping add allow netbird rule")
-		return nil
-	}
-
-	rules, err := m.rConn.GetRules(chain.Table, chain)
-	if err != nil {
-		return fmt.Errorf("failed to get rules for the INPUT chain: %v", err)
-	}
-
-	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
-		log.Debugf("allow netbird rule already exists: %v", rule)
-		return nil
-	}
-
-	m.applyAllowNetbirdRules(chain)
-
-	err = m.rConn.Flush()
-	if err != nil {
-		return fmt.Errorf("failed to flush allow input netbird rules: %v", err)
+	if err := m.rConn.Flush(); err != nil {
+		return fmt.Errorf("flush allow input netbird rules: %w", err)
 	}
 
 	return nil
@@ -250,10 +227,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if err := m.resetNetbirdInputRules(); err != nil {
-		return fmt.Errorf("reset netbird input rules: %v", err)
-	}
-
 	if err := m.router.Reset(); err != nil {
 		return fmt.Errorf("reset router: %v", err)
 	}
@@ -273,49 +246,15 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nil
 }
 
-func (m *Manager) resetNetbirdInputRules() error {
-	chains, err := m.rConn.ListChains()
-	if err != nil {
-		return fmt.Errorf("list chains: %w", err)
-	}
-
-	m.deleteNetbirdInputRules(chains)
-
-	return nil
-}
-
-func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
-	for _, c := range chains {
-		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
-			rules, err := m.rConn.GetRules(c.Table, c)
-			if err != nil {
-				log.Errorf("get rules for chain %q: %v", c.Name, err)
-				continue
-			}
-
-			m.deleteMatchingRules(rules)
-		}
-	}
-}
-
-func (m *Manager) deleteMatchingRules(rules []*nftables.Rule) {
-	for _, r := range rules {
-		if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
-			if err := m.rConn.DelRule(r); err != nil {
-				log.Errorf("delete rule: %v", err)
-			}
-		}
-	}
-}
-
 func (m *Manager) cleanupNetbirdTables() error {
 	tables, err := m.rConn.ListTables()
 	if err != nil {
 		return fmt.Errorf("list tables: %w", err)
 	}
 
+	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}
@@ -398,55 +337,18 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
 
+	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableNameNetbird {
+		if t.Name == tableName {
 			m.rConn.DelTable(t)
 		}
 	}
 
-	table := m.rConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }
 
-func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
-	rule := &nftables.Rule{
-		Table: chain.Table,
-		Chain: chain,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     ifname(m.wgIface.Name()),
-			},
-			&expr.Verdict{
-				Kind: expr.VerdictAccept,
-			},
-		},
-		UserData: []byte(allowNetbirdInputRuleID),
-	}
-	_ = m.rConn.InsertRule(rule)
-}
-
-func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
-	ifName := ifname(m.wgIface.Name())
-	for _, rule := range existedRules {
-		if rule.Table.Name == tableNameFilter && rule.Chain.Name == chainNameInput {
-			if len(rule.Exprs) < 4 {
-				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
-					continue
-				}
-				if e, ok := rule.Exprs[1].(*expr.Cmp); !ok || e.Op != expr.CmpOpEq || !bytes.Equal(e.Data, ifName) {
-					continue
-				}
-				return rule
-			}
-		}
-	}
-	return nil
-}
-
 func insertReturnTrafficRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain) {
 	rule := &nftables.Rule{
 		Table: table,

client/firewall/nftables/manager_linux_test.go

@@ -16,6 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -56,7 +57,7 @@ func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestNftablesManager(t *testing.T) {
 
 	// just check on the local interface
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	time.Sleep(time.Second * 3)
@@ -168,7 +169,7 @@ func TestNftablesManager(t *testing.T) {
 func TestNftablesManagerRuleOrder(t *testing.T) {
 	// This test verifies rule insertion order in nftables peer ACLs
 	// We add accept rule first, then deny rule to test ordering behavior
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -261,7 +262,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, iface.DefaultMTU)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second * 3)
@@ -345,7 +346,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 
-	manager, err := Create(ifaceMock)
+	manager, err := Create(ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))
 

client/firewall/nftables/router_linux.go

@@ -16,6 +16,7 @@ import (
 	"github.com/google/nftables/xt"
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -32,12 +33,17 @@ const (
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
 	chainNameForward       = "FORWARD"
+	chainNameMangleForward = "netbird-mangle-forward"
 
 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
+	userDataAcceptInputRule      = "inputaccept"
 
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
 )
 
 const refreshRulesMapError = "refresh rules map: %w"
@@ -63,9 +69,10 @@ type router struct {
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
+	mtu              uint16
 }
 
-func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error) {
+func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*router, error) {
 	r := &router{
 		conn:       &nftables.Conn{},
 		workTable:  workTable,
@@ -73,6 +80,7 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error)
 		rules:      make(map[string]*nftables.Rule),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
+		mtu:        mtu,
 	}
 
 	r.ipsetCounter = refcounter.New(
@@ -96,8 +104,8 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error)
 func (r *router) init(workTable *nftables.Table) error {
 	r.workTable = workTable
 
-	if err := r.removeAcceptForwardRules(); err != nil {
-		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
+	if err := r.removeAcceptFilterRules(); err != nil {
+		log.Errorf("failed to clean up rules from filter table: %s", err)
 	}
 
 	if err := r.createContainers(); err != nil {
@@ -111,15 +119,15 @@ func (r *router) init(workTable *nftables.Table) error {
 	return nil
 }
 
-// Reset cleans existing nftables default forward rules from the system
+// Reset cleans existing nftables filter table rules from the system
 func (r *router) Reset() error {
 	// clear without deleting the ipsets, the nf table will be deleted by the caller
 	r.ipsetCounter.Clear()
 
 	var merr *multierror.Error
 
-	if err := r.removeAcceptForwardRules(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove accept forward rules: %w", err))
+	if err := r.removeAcceptFilterRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
 	}
 
 	if err := r.removeNatPreroutingRules(); err != nil {
@@ -220,11 +228,23 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeFilter,
 	})
 
+	r.chains[chainNameMangleForward] = r.conn.AddChain(&nftables.Chain{
+		Name:     chainNameMangleForward,
+		Table:    r.workTable,
+		Hooknum:  nftables.ChainHookForward,
+		Priority: nftables.ChainPriorityMangle,
+		Type:     nftables.ChainTypeFilter,
+	})
+
 	// Add the single NAT rule that matches on mark
 	if err := r.addPostroutingRules(); err != nil {
 		return fmt.Errorf("add single nat rule: %v", err)
 	}
 
+	if err := r.addMSSClampingRules(); err != nil {
+		log.Errorf("failed to add MSS clamping rules: %s", err)
+	}
+
 	if err := r.acceptForwardRules(); err != nil {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}
@@ -745,6 +765,83 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 
+// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
+// TODO: Add IPv6 support
+func (r *router) addMSSClampingRules() error {
+	mss := r.mtu - ipTCPHeaderMinSize
+
+	exprsOut := []expr.Any{
+		&expr.Meta{
+			Key:      expr.MetaKeyOIFNAME,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname(r.wgIface.Name()),
+		},
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       13,
+			Len:          1,
+		},
+		&expr.Bitwise{
+			DestRegister:   1,
+			SourceRegister: 1,
+			Len:            1,
+			Mask:           []byte{0x02},
+			Xor:            []byte{0x00},
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpNeq,
+			Register: 1,
+			Data:     []byte{0x00},
+		},
+		&expr.Counter{},
+		&expr.Exthdr{
+			DestRegister: 1,
+			Type:         2,
+			Offset:       2,
+			Len:          2,
+			Op:           expr.ExthdrOpTcpopt,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpGt,
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Immediate{
+			Register: 1,
+			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
+		},
+		&expr.Exthdr{
+			SourceRegister: 1,
+			Type:           2,
+			Offset:         2,
+			Len:            2,
+			Op:             expr.ExthdrOpTcpopt,
+		},
+	}
+
+	r.conn.AddRule(&nftables.Rule{
+		Table: r.workTable,
+		Chain: r.chains[chainNameMangleForward],
+		Exprs: exprsOut,
+	})
+
+	return nil
+}
+
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -840,6 +937,7 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 // that our traffic is not dropped by existing rules there.
 // The existing FORWARD rules/policies decide outbound traffic towards our interface.
 // In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
+// This method also adds INPUT chain rules to allow traffic to the local interface.
 func (r *router) acceptForwardRules() error {
 	if r.filterTable == nil {
 		log.Debugf("table 'filter' not found for forward rules, skipping accept rules")
@@ -849,7 +947,7 @@ func (r *router) acceptForwardRules() error {
 	fw := "iptables"
 
 	defer func() {
-		log.Debugf("Used %s to add accept forward rules", fw)
+		log.Debugf("Used %s to add accept forward and input rules", fw)
 	}()
 
 	// Try iptables first and fallback to nftables if iptables is not available
@@ -859,22 +957,30 @@ func (r *router) acceptForwardRules() error {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
 
 		fw = "nftables"
-		return r.acceptForwardRulesNftables()
+		return r.acceptFilterRulesNftables()
 	}
 
-	return r.acceptForwardRulesIptables(ipt)
+	return r.acceptFilterRulesIptables(ipt)
 }
 
-func (r *router) acceptForwardRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
+
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("add iptables rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("add iptables forward rule: %v", err))
 		} else {
-			log.Debugf("added iptables rule: %v", rule)
+			log.Debugf("added iptables forward rule: %v", rule)
 		}
 	}
 
+	inputRule := r.getAcceptInputRule()
+	if err := ipt.Insert("filter", chainNameInput, 1, inputRule...); err != nil {
+		merr = multierror.Append(err, fmt.Errorf("add iptables input rule: %v", err))
+	} else {
+		log.Debugf("added iptables input rule: %v", inputRule)
+	}
+
 	return nberrors.FormatErrorOrNil(merr)
 }
 
@@ -886,10 +992,13 @@ func (r *router) getAcceptForwardRules() [][]string {
 	}
 }
 
-func (r *router) acceptForwardRulesNftables() error {
+func (r *router) getAcceptInputRule() []string {
+	return []string{"-i", r.wgIface.Name(), "-j", "ACCEPT"}
+}
+
+func (r *router) acceptFilterRulesNftables() error {
 	intf := ifname(r.wgIface.Name())
 
-	// Rule for incoming interface (iif) with counter
 	iifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
@@ -922,11 +1031,10 @@ func (r *router) acceptForwardRulesNftables() error {
 		},
 	}
 
-	// Rule for outgoing interface (oif) with counter
 	oifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
-			Name:     "FORWARD",
+			Name:     chainNameForward,
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
@@ -935,35 +1043,60 @@ func (r *router) acceptForwardRulesNftables() error {
 		Exprs:    append(oifExprs, getEstablishedExprs(2)...),
 		UserData: []byte(userDataAcceptForwardRuleOif),
 	}
-
 	r.conn.InsertRule(oifRule)
 
+	inputRule := &nftables.Rule{
+		Table: r.filterTable,
+		Chain: &nftables.Chain{
+			Name:     chainNameInput,
+			Table:    r.filterTable,
+			Type:     nftables.ChainTypeFilter,
+			Hooknum:  nftables.ChainHookInput,
+			Priority: nftables.ChainPriorityFilter,
+		},
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     intf,
+			},
+			&expr.Counter{},
+			&expr.Verdict{Kind: expr.VerdictAccept},
+		},
+		UserData: []byte(userDataAcceptInputRule),
+	}
+	r.conn.InsertRule(inputRule)
+
 	return nil
 }
 
-func (r *router) removeAcceptForwardRules() error {
+func (r *router) removeAcceptFilterRules() error {
 	if r.filterTable == nil {
 		return nil
 	}
 
-	// Try iptables first and fallback to nftables if iptables is not available
 	ipt, err := iptables.New()
 	if err != nil {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
-		return r.removeAcceptForwardRulesNftables()
+		return r.removeAcceptFilterRulesNftables()
 	}
 
-	return r.removeAcceptForwardRulesIptables(ipt)
+	return r.removeAcceptFilterRulesIptables(ipt)
 }
 
-func (r *router) removeAcceptForwardRulesNftables() error {
+func (r *router) removeAcceptFilterRulesNftables() error {
 	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list chains: %v", err)
 	}
 
 	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name || chain.Name != chainNameForward {
+		if chain.Table.Name != r.filterTable.Name {
+			continue
+		}
+
+		if chain.Name != chainNameForward && chain.Name != chainNameInput {
 			continue
 		}
 
@@ -974,7 +1107,8 @@ func (r *router) removeAcceptForwardRulesNftables() error {
 
 		for _, rule := range rules {
 			if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
-				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) {
+				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
+				bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
 				if err := r.conn.DelRule(rule); err != nil {
 					return fmt.Errorf("delete rule: %v", err)
 				}
@@ -989,14 +1123,20 @@ func (r *router) removeAcceptForwardRulesNftables() error {
 	return nil
 }
 
-func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
+
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("remove iptables rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("remove iptables forward rule: %v", err))
 		}
 	}
 
+	inputRule := r.getAcceptInputRule()
+	if err := ipt.DeleteIfExists("filter", chainNameInput, inputRule...); err != nil {
+		merr = multierror.Append(err, fmt.Errorf("remove iptables input rule: %v", err))
+	}
+
 	return nberrors.FormatErrorOrNil(merr)
 }
 

client/firewall/nftables/router_linux_test.go

@@ -17,6 +17,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
+	"github.com/netbirdio/netbird/client/iface"
 )
 
 const (
@@ -36,7 +37,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
 			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock)
+			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -125,7 +126,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 
 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock)
+			manager, err := Create(ifaceMock, iface.DefaultMTU)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -197,7 +198,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	defer deleteWorkTable()
 
-	r, err := newRouter(workTable, ifaceMock)
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
 
@@ -364,7 +365,7 @@ func TestNftablesCreateIpSet(t *testing.T) {
 
 	defer deleteWorkTable()
 
-	r, err := newRouter(workTable, ifaceMock)
+	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
 

client/firewall/nftables/state_linux.go

@@ -3,6 +3,7 @@ package nftables
 import (
 	"fmt"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -10,6 +11,7 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -33,7 +35,11 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	nft, err := Create(s.InterfaceState)
+	mtu := s.InterfaceState.MTU
+	if mtu == 0 {
+		mtu = iface.DefaultMTU
+	}
+	nft, err := Create(s.InterfaceState, mtu)
 	if err != nil {
 		return fmt.Errorf("create nftables manager: %w", err)
 	}

client/firewall/uspfilter/filter.go

@@ -1,6 +1,7 @@
 package uspfilter
 
 import (
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"net"
@@ -27,7 +28,18 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
-const layerTypeAll = 0
+const (
+	layerTypeAll = 0
+
+	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
+	ipTCPHeaderMinSize = 40
+)
+
+// serviceKey represents a protocol/port combination for netstack service registry
+type serviceKey struct {
+	protocol gopacket.LayerType
+	port     uint16
+}
 
 const (
 	// EnvDisableConntrack disables the stateful filter, replies to outbound traffic won't be allowed.
@@ -36,6 +48,9 @@ const (
 	// EnvDisableUserspaceRouting disables userspace routing, to-be-routed packets will be dropped.
 	EnvDisableUserspaceRouting = "NB_DISABLE_USERSPACE_ROUTING"
 
+	// EnvDisableMSSClamping disables TCP MSS clamping for forwarded traffic.
+	EnvDisableMSSClamping = "NB_DISABLE_MSS_CLAMPING"
+
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
@@ -113,6 +128,13 @@ type Manager struct {
 	portDNATEnabled atomic.Bool
 	portDNATRules   []portDNATRule
 	portDNATMutex   sync.RWMutex
+
+	netstackServices     map[serviceKey]struct{}
+	netstackServiceMutex sync.RWMutex
+
+	mtu             uint16
+	mssClampValue   uint16
+	mssClampEnabled bool
 }
 
 // decoder for packages
@@ -131,16 +153,16 @@ type decoder struct {
 }
 
 // Create userspace firewall manager constructor
-func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	return create(iface, nil, disableServerRoutes, flowLogger)
+func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
 }
 
-func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
+func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
 	if nativeFirewall == nil {
 		return nil, errors.New("native firewall is nil")
 	}
 
-	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger)
+	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger, mtu)
 	if err != nil {
 		return nil, err
 	}
@@ -148,8 +170,8 @@ func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.
 	return mgr, nil
 }
 
-func parseCreateEnv() (bool, bool) {
-	var disableConntrack, enableLocalForwarding bool
+func parseCreateEnv() (bool, bool, bool) {
+	var disableConntrack, enableLocalForwarding, disableMSSClamping bool
 	var err error
 	if val := os.Getenv(EnvDisableConntrack); val != "" {
 		disableConntrack, err = strconv.ParseBool(val)
@@ -168,12 +190,18 @@ func parseCreateEnv() (bool, bool) {
 			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
 		}
 	}
+	if val := os.Getenv(EnvDisableMSSClamping); val != "" {
+		disableMSSClamping, err = strconv.ParseBool(val)
+		if err != nil {
+			log.Warnf("failed to parse %s: %v", EnvDisableMSSClamping, err)
+		}
+	}
 
-	return disableConntrack, enableLocalForwarding
+	return disableConntrack, enableLocalForwarding, disableMSSClamping
 }
 
-func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
-	disableConntrack, enableLocalForwarding := parseCreateEnv()
+func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+	disableConntrack, enableLocalForwarding, disableMSSClamping := parseCreateEnv()
 
 	m := &Manager{
 		decoders: sync.Pool{
@@ -203,13 +231,18 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		localForwarding:     enableLocalForwarding,
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
 		portDNATRules:       []portDNATRule{},
+		netstackServices:    make(map[serviceKey]struct{}),
+		mtu:                 mtu,
 	}
 	m.routingEnabled.Store(false)
 
+	if !disableMSSClamping {
+		m.mssClampEnabled = true
+		m.mssClampValue = mtu - ipTCPHeaderMinSize
+	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
 	}
-
 	if disableConntrack {
 		log.Info("conntrack is disabled")
 	} else {
@@ -217,14 +250,11 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, flowLogger)
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, flowLogger)
 	}
-
-	// netstack needs the forwarder for local traffic
 	if m.netstack && m.localForwarding {
 		if err := m.initForwarder(); err != nil {
 			log.Errorf("failed to initialize forwarder: %v", err)
 		}
 	}
-
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
@@ -327,7 +357,7 @@ func (m *Manager) initForwarder() error {
 		return errors.New("forwarding not supported")
 	}
 
-	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack)
+	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack, m.mtu)
 	if err != nil {
 		m.routingEnabled.Store(false)
 		return fmt.Errorf("create forwarder: %w", err)
@@ -633,8 +663,17 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return false
 	}
 
-	if d.decoded[1] == layers.LayerTypeUDP && m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
-		return true
+	switch d.decoded[1] {
+	case layers.LayerTypeUDP:
+		if m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
+			return true
+		}
+	case layers.LayerTypeTCP:
+		// Clamp MSS on all TCP SYN packets, including those from local IPs.
+		// SNATed routed traffic may appear as local IP but still requires clamping.
+		if m.mssClampEnabled {
+			m.clampTCPMSS(packetData, d)
+		}
 	}
 
 	m.trackOutbound(d, srcIP, dstIP, packetData, size)
@@ -681,6 +720,97 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }
 
+// clampTCPMSS clamps the TCP MSS option in SYN and SYN-ACK packets to prevent fragmentation.
+// Both sides advertise their MSS during connection establishment, so we need to clamp both.
+func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
+	if !d.tcp.SYN {
+		return false
+	}
+	if len(d.tcp.Options) == 0 {
+		return false
+	}
+
+	mssOptionIndex := -1
+	var currentMSS uint16
+	for i, opt := range d.tcp.Options {
+		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
+			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
+			if currentMSS > m.mssClampValue {
+				mssOptionIndex = i
+				break
+			}
+		}
+	}
+
+	if mssOptionIndex == -1 {
+		return false
+	}
+
+	ipHeaderSize := int(d.ip4.IHL) * 4
+	if ipHeaderSize < 20 {
+		return false
+	}
+
+	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
+		return false
+	}
+
+	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
+	return true
+}
+
+func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
+	tcpHeaderStart := ipHeaderSize
+	tcpOptionsStart := tcpHeaderStart + 20
+
+	optOffset := tcpOptionsStart
+	for j := 0; j < mssOptionIndex; j++ {
+		switch d.tcp.Options[j].OptionType {
+		case layers.TCPOptionKindEndList, layers.TCPOptionKindNop:
+			optOffset++
+		default:
+			optOffset += 2 + len(d.tcp.Options[j].OptionData)
+		}
+	}
+
+	mssValueOffset := optOffset + 2
+	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
+
+	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
+	return true
+}
+
+func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeaderStart int) {
+	tcpLayer := packetData[tcpHeaderStart:]
+	tcpLength := len(packetData) - tcpHeaderStart
+
+	tcpLayer[16] = 0
+	tcpLayer[17] = 0
+
+	var pseudoSum uint32
+	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
+	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
+	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
+	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
+	pseudoSum += uint32(d.ip4.Protocol)
+	pseudoSum += uint32(tcpLength)
+
+	var sum uint32 = pseudoSum
+	for i := 0; i < tcpLength-1; i += 2 {
+		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
+	}
+	if tcpLength%2 == 1 {
+		sum += uint32(tcpLayer[tcpLength-1]) << 8
+	}
+
+	for sum > 0xFFFF {
+		sum = (sum & 0xFFFF) + (sum >> 16)
+	}
+
+	checksum := ^uint16(sum)
+	binary.BigEndian.PutUint16(tcpLayer[16:18], checksum)
+}
+
 func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
 	transport := d.decoded[1]
 	switch transport {
@@ -838,9 +968,7 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	// If requested we pass local traffic to internal interfaces to the forwarder.
-	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
+	if m.shouldForward(d, dstIP) {
 		return m.handleForwardedLocalTraffic(packetData)
 	}
 
@@ -1274,3 +1402,86 @@ func (m *Manager) DisableRouting() error {
 
 	return nil
 }
+
+// RegisterNetstackService registers a service as listening on the netstack for the given protocol and port
+func (m *Manager) RegisterNetstackService(protocol nftypes.Protocol, port uint16) {
+	m.netstackServiceMutex.Lock()
+	defer m.netstackServiceMutex.Unlock()
+	layerType := m.protocolToLayerType(protocol)
+	key := serviceKey{protocol: layerType, port: port}
+	m.netstackServices[key] = struct{}{}
+	m.logger.Debug3("RegisterNetstackService: registered %s:%d (layerType=%s)", protocol, port, layerType)
+	m.logger.Debug1("RegisterNetstackService: current registry size: %d", len(m.netstackServices))
+}
+
+// UnregisterNetstackService removes a service from the netstack registry
+func (m *Manager) UnregisterNetstackService(protocol nftypes.Protocol, port uint16) {
+	m.netstackServiceMutex.Lock()
+	defer m.netstackServiceMutex.Unlock()
+	layerType := m.protocolToLayerType(protocol)
+	key := serviceKey{protocol: layerType, port: port}
+	delete(m.netstackServices, key)
+	m.logger.Debug2("Unregistered netstack service on protocol %s port %d", protocol, port)
+}
+
+// protocolToLayerType converts nftypes.Protocol to gopacket.LayerType for internal use
+func (m *Manager) protocolToLayerType(protocol nftypes.Protocol) gopacket.LayerType {
+	switch protocol {
+	case nftypes.TCP:
+		return layers.LayerTypeTCP
+	case nftypes.UDP:
+		return layers.LayerTypeUDP
+	case nftypes.ICMP:
+		return layers.LayerTypeICMPv4
+	default:
+		return gopacket.LayerType(0) // Invalid/unknown
+	}
+}
+
+// shouldForward determines if a packet should be forwarded to the forwarder.
+// The forwarder handles routing packets to the native OS network stack.
+// Returns true if packet should go to the forwarder, false if it should go to netstack listeners or the native stack directly.
+func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
+	// not enabled, never forward
+	if !m.localForwarding {
+		return false
+	}
+
+	// netstack always needs to forward because it's lacking a native interface
+	// exception for registered netstack services, those should go to netstack listeners
+	if m.netstack {
+		return !m.hasMatchingNetstackService(d)
+	}
+
+	// traffic to our other local interfaces (not NetBird IP) - always forward
+	if dstIP != m.wgIface.Address().IP {
+		return true
+	}
+
+	// traffic to our NetBird IP, not netstack mode - send to netstack listeners
+	return false
+}
+
+// hasMatchingNetstackService checks if there's a registered netstack service for this packet
+func (m *Manager) hasMatchingNetstackService(d *decoder) bool {
+	if len(d.decoded) < 2 {
+		return false
+	}
+
+	var dstPort uint16
+	switch d.decoded[1] {
+	case layers.LayerTypeTCP:
+		dstPort = uint16(d.tcp.DstPort)
+	case layers.LayerTypeUDP:
+		dstPort = uint16(d.udp.DstPort)
+	default:
+		return false
+	}
+
+	key := serviceKey{protocol: d.decoded[1], port: dstPort}
+	m.netstackServiceMutex.RLock()
+	_, exists := m.netstackServices[key]
+	m.netstackServiceMutex.RUnlock()
+
+	return exists
+}

client/firewall/uspfilter/filter_bench_test.go

@@ -17,6 +17,7 @@ import (
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -169,7 +170,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Create manager and basic setup
 				manager, _ := Create(&IFaceMock{
 					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				}, false, flowLogger)
+				}, false, flowLogger, iface.DefaultMTU)
 				defer b.Cleanup(func() {
 					require.NoError(b, manager.Close(nil))
 				})
@@ -209,7 +210,7 @@ func BenchmarkStateScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -252,7 +253,7 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -410,7 +411,7 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -537,7 +538,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -620,7 +621,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -731,7 +732,7 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -811,7 +812,7 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -896,38 +897,6 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 	}
 }
 
-// generateTCPPacketWithFlags creates a TCP packet with specific flags
-func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
-	b.Helper()
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-		Protocol: layers.IPProtocolTCP,
-	}
-
-	tcp := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-	}
-
-	// Set TCP flags
-	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
-	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
-	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
-	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
-	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
-
-	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
-	return buf.Bytes()
-}
-
 func BenchmarkRouteACLs(b *testing.B) {
 	manager := setupRoutedManager(b, "10.10.0.100/16")
 
@@ -990,3 +959,231 @@ func BenchmarkRouteACLs(b *testing.B) {
 		}
 	}
 }
+
+// BenchmarkMSSClamping benchmarks the MSS clamping impact on filterOutbound.
+// This shows the overhead difference between the common case (non-SYN packets, fast path)
+// and the rare case (SYN packets that need clamping, expensive path).
+func BenchmarkMSSClamping(b *testing.B) {
+	scenarios := []struct {
+		name        string
+		description string
+		genPacket   func(*testing.B, net.IP, net.IP) []byte
+		frequency   string
+	}{
+		{
+			name:        "syn_needs_clamp",
+			description: "SYN packet needing MSS clamping",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+			frequency: "~0.1% of traffic - EXPENSIVE",
+		},
+		{
+			name:        "syn_no_clamp_needed",
+			description: "SYN packet with already-small MSS",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1200)
+			},
+			frequency: "~0.05% of traffic",
+		},
+		{
+			name:        "tcp_ack",
+			description: "Non-SYN TCP packet (ACK, data transfer)",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+			frequency: "~60-70% of traffic - FAST PATH",
+		},
+		{
+			name:        "tcp_psh_ack",
+			description: "TCP data packet (PSH+ACK)",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
+			},
+			frequency: "~10-20% of traffic - FAST PATH",
+		},
+		{
+			name:        "udp",
+			description: "UDP packet",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
+			},
+			frequency: "~20-30% of traffic - FAST PATH",
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = true
+			manager.mssClampValue = 1240
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+// BenchmarkMSSClampingOverhead compares overhead of MSS clamping enabled vs disabled
+// for the common case (non-SYN TCP packets).
+func BenchmarkMSSClampingOverhead(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		enabled   bool
+		genPacket func(*testing.B, net.IP, net.IP) []byte
+	}{
+		{
+			name:    "disabled_tcp_ack",
+			enabled: false,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name:    "enabled_tcp_ack",
+			enabled: true,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name:    "disabled_syn_needs_clamp",
+			enabled: false,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+		{
+			name:    "enabled_syn_needs_clamp",
+			enabled: true,
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = sc.enabled
+			if sc.enabled {
+				manager.mssClampValue = 1240
+			}
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+// BenchmarkMSSClampingMemory measures memory allocations for common vs rare cases
+func BenchmarkMSSClampingMemory(b *testing.B) {
+	scenarios := []struct {
+		name      string
+		genPacket func(*testing.B, net.IP, net.IP) []byte
+	}{
+		{
+			name: "tcp_ack_fast_path",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
+			},
+		},
+		{
+			name: "syn_needs_clamp",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
+			},
+		},
+		{
+			name: "udp_fast_path",
+			genPacket: func(b *testing.B, src, dst net.IP) []byte {
+				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
+			},
+		},
+	}
+
+	for _, sc := range scenarios {
+		b.Run(sc.name, func(b *testing.B) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, iface.DefaultMTU)
+			require.NoError(b, err)
+			defer func() {
+				require.NoError(b, manager.Close(nil))
+			}()
+
+			manager.mssClampEnabled = true
+			manager.mssClampValue = 1240
+
+			srcIP := net.ParseIP("100.64.0.2")
+			dstIP := net.ParseIP("8.8.8.8")
+			packet := sc.genPacket(b, srcIP, dstIP)
+
+			b.ReportAllocs()
+			b.ResetTimer()
+			for i := 0; i < b.N; i++ {
+				manager.filterOutbound(packet, len(packet))
+			}
+		})
+	}
+}
+
+func generateSYNPacketNoMSS(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16) []byte {
+	b.Helper()
+
+	ip := &layers.IPv4{
+		Version:  4,
+		IHL:      5,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcp := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		Seq:     1000,
+		Window:  65535,
+	}
+
+	require.NoError(b, tcp.SetNetworkLayerForChecksum(ip))
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{
+		FixLengths:       true,
+		ComputeChecksums: true,
+	}
+
+	require.NoError(b, gopacket.SerializeLayers(buf, opts, ip, tcp, gopacket.Payload([]byte{})))
+	return buf.Bytes()
+}

client/firewall/uspfilter/filter_filter_test.go

@@ -12,6 +12,7 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -31,7 +32,7 @@ func TestPeerACLFiltering(t *testing.T) {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	require.NotNil(t, manager)
 
@@ -616,7 +617,7 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
@@ -1462,7 +1463,7 @@ func TestRouteACLSet(t *testing.T) {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))

client/firewall/uspfilter/filter_test.go

@@ -1,6 +1,7 @@
 package uspfilter
 
 import (
+	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -17,9 +18,11 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
+	nbiface "github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
@@ -66,7 +69,7 @@ func TestManagerCreate(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -86,7 +89,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 		},
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -119,7 +122,7 @@ func TestManagerDeleteRule(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -215,7 +218,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)
 
 			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
@@ -265,7 +268,7 @@ func TestManagerReset(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -304,7 +307,7 @@ func TestNotMatchByIP(t *testing.T) {
 		},
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger)
+	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -367,7 +370,7 @@ func TestRemovePacketHook(t *testing.T) {
 	}
 
 	// creating manager instance
-	manager, err := Create(iface, false, flowLogger)
+	manager, err := Create(iface, false, flowLogger, nbiface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
@@ -413,7 +416,7 @@ func TestRemovePacketHook(t *testing.T) {
 func TestProcessOutgoingHooks(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 
 	manager.udpTracker.Close()
@@ -495,7 +498,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ifaceMock := &IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}
-			manager, err := Create(ifaceMock, false, flowLogger)
+			manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 			require.NoError(t, err)
 			time.Sleep(time.Second)
 
@@ -522,7 +525,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 
 	manager.udpTracker.Close() // Close the existing tracker
@@ -729,7 +732,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -815,7 +818,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger)
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -923,3 +926,327 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
+
+func TestMSSClamping(t *testing.T) {
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+		AddressFunc: func() wgaddr.Address {
+			return wgaddr.Address{
+				IP:      netip.MustParseAddr("100.10.0.100"),
+				Network: netip.MustParsePrefix("100.10.0.0/16"),
+			}
+		},
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, 1280)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
+	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
+	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
+
+	err = manager.UpdateLocalIPs()
+	require.NoError(t, err)
+
+	srcIP := net.ParseIP("100.10.0.2")
+	dstIP := net.ParseIP("8.8.8.8")
+
+	t.Run("SYN packet with high MSS gets clamped", func(t *testing.T) {
+		highMSS := uint16(1460)
+		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
+	})
+
+	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
+		lowMSS := uint16(1200)
+		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, lowMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, lowMSS, actualMSS, "Low MSS should not be modified")
+	})
+
+	t.Run("SYN-ACK packet gets clamped", func(t *testing.T) {
+		highMSS := uint16(1460)
+		packet := generateSYNACKPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
+		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
+		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
+	})
+
+	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
+		packet := generateTCPPacketWithFlags(t, srcIP, dstIP, 12345, 80, uint16(conntrack.TCPAck))
+
+		manager.filterOutbound(packet, len(packet))
+
+		d := parsePacket(t, packet)
+		require.Empty(t, d.tcp.Options, "ACK packet should have no options")
+	})
+}
+
+func generateSYNPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		Window:  65535,
+		Options: []layers.TCPOption{
+			{
+				OptionType:   layers.TCPOptionKindMSS,
+				OptionLength: 4,
+				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
+			},
+		},
+	}
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func generateSYNACKPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		SYN:     true,
+		ACK:     true,
+		Window:  65535,
+		Options: []layers.TCPOption{
+			{
+				OptionType:   layers.TCPOptionKindMSS,
+				OptionLength: 4,
+				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
+			},
+		},
+	}
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func generateTCPPacketWithFlags(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, flags uint16) []byte {
+	tb.Helper()
+
+	ipLayer := &layers.IPv4{
+		Version:  4,
+		TTL:      64,
+		Protocol: layers.IPProtocolTCP,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+	}
+
+	tcpLayer := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+		Window:  65535,
+	}
+
+	if flags&uint16(conntrack.TCPSyn) != 0 {
+		tcpLayer.SYN = true
+	}
+	if flags&uint16(conntrack.TCPAck) != 0 {
+		tcpLayer.ACK = true
+	}
+	if flags&uint16(conntrack.TCPFin) != 0 {
+		tcpLayer.FIN = true
+	}
+	if flags&uint16(conntrack.TCPRst) != 0 {
+		tcpLayer.RST = true
+	}
+	if flags&uint16(conntrack.TCPPush) != 0 {
+		tcpLayer.PSH = true
+	}
+
+	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
+	require.NoError(tb, err)
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
+	require.NoError(tb, err)
+
+	return buf.Bytes()
+}
+
+func TestShouldForward(t *testing.T) {
+	// Set up test addresses
+	wgIP := netip.MustParseAddr("100.10.0.1")
+	otherIP := netip.MustParseAddr("100.10.0.2")
+
+	// Create test manager with mock interface
+	ifaceMock := &IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}
+	// Set the mock to return our test WG IP
+	ifaceMock.AddressFunc = func() wgaddr.Address {
+		return wgaddr.Address{IP: wgIP, Network: netip.PrefixFrom(wgIP, 24)}
+	}
+
+	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	// Helper to create decoder with TCP packet
+	createTCPDecoder := func(dstPort uint16) *decoder {
+		ipv4 := &layers.IPv4{
+			Version:  4,
+			Protocol: layers.IPProtocolTCP,
+			SrcIP:    net.ParseIP("192.168.1.100"),
+			DstIP:    wgIP.AsSlice(),
+		}
+		tcp := &layers.TCP{
+			SrcPort: 54321,
+			DstPort: layers.TCPPort(dstPort),
+		}
+
+		err := tcp.SetNetworkLayerForChecksum(ipv4)
+		require.NoError(t, err)
+
+		buf := gopacket.NewSerializeBuffer()
+		opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+		err = gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test"))
+		require.NoError(t, err)
+
+		d := &decoder{
+			decoded: []gopacket.LayerType{},
+		}
+		d.parser = gopacket.NewDecodingLayerParser(
+			layers.LayerTypeIPv4,
+			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
+		)
+		d.parser.IgnoreUnsupported = true
+
+		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
+		require.NoError(t, err)
+
+		return d
+	}
+
+	tests := []struct {
+		name              string
+		localForwarding   bool
+		netstack          bool
+		dstIP             netip.Addr
+		serviceRegistered bool
+		servicePort       uint16
+		expected          bool
+		description       string
+	}{
+		{
+			name:            "no local forwarding",
+			localForwarding: false,
+			netstack:        true,
+			dstIP:           wgIP,
+			expected:        false,
+			description:     "should never forward when local forwarding disabled",
+		},
+		{
+			name:            "traffic to other local interface",
+			localForwarding: true,
+			netstack:        false,
+			dstIP:           otherIP,
+			expected:        true,
+			description:     "should forward traffic to our other local interfaces (not NetBird IP)",
+		},
+		{
+			name:            "traffic to NetBird IP, no netstack",
+			localForwarding: true,
+			netstack:        false,
+			dstIP:           wgIP,
+			expected:        false,
+			description:     "should send to netstack listeners (final return false path)",
+		},
+		{
+			name:            "traffic to our IP, netstack mode, no service",
+			localForwarding: true,
+			netstack:        true,
+			dstIP:           wgIP,
+			expected:        true,
+			description:     "should forward when in netstack mode with no matching service",
+		},
+		{
+			name:              "traffic to our IP, netstack mode, with service",
+			localForwarding:   true,
+			netstack:          true,
+			dstIP:             wgIP,
+			serviceRegistered: true,
+			servicePort:       22,
+			expected:          false,
+			description:       "should send to netstack listeners when service is registered",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Configure manager
+			manager.localForwarding = tt.localForwarding
+			manager.netstack = tt.netstack
+
+			// Register service if needed
+			if tt.serviceRegistered {
+				manager.RegisterNetstackService(nftypes.TCP, tt.servicePort)
+				defer manager.UnregisterNetstackService(nftypes.TCP, tt.servicePort)
+			}
+
+			// Create decoder for the test
+			decoder := createTCPDecoder(tt.servicePort)
+			if !tt.serviceRegistered {
+				decoder = createTCPDecoder(8080) // Use non-registered port
+			}
+
+			// Test the method
+			result := manager.shouldForward(decoder, tt.dstIP)
+			require.Equal(t, tt.expected, result, tt.description)
+		})
+	}
+}

client/firewall/uspfilter/forwarder/forwarder.go

@@ -45,7 +45,7 @@ type Forwarder struct {
 	netstack     bool
 }
 
-func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool) (*Forwarder, error) {
+func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
 	s := stack.New(stack.Options{
 		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{
@@ -56,10 +56,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		HandleLocal: false,
 	})
 
-	mtu, err := iface.GetDevice().MTU()
-	if err != nil {
-		return nil, fmt.Errorf("get MTU: %w", err)
-	}
 	nicID := tcpip.NICID(1)
 	endpoint := &endpoint{
 		logger: logger,
@@ -68,7 +64,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}
 
 	if err := s.CreateNIC(nicID, endpoint); err != nil {
-		return nil, fmt.Errorf("failed to create NIC: %v", err)
+		return nil, fmt.Errorf("create NIC: %v", err)
 	}
 
 	protoAddr := tcpip.ProtocolAddress{

client/firewall/uspfilter/forwarder/udp.go

@@ -49,7 +49,7 @@ type idleConn struct {
 	conn *udpPacketConn
 }
 
-func newUDPForwarder(mtu int, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
+func newUDPForwarder(mtu uint16, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
 	ctx, cancel := context.WithCancel(context.Background())
 	f := &udpForwarder{
 		logger:     logger,

client/firewall/uspfilter/nat_bench_test.go

@@ -12,6 +12,7 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -65,7 +66,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -125,7 +126,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 func BenchmarkDNATConcurrency(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -197,7 +198,7 @@ func BenchmarkDNATScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("mappings_%d", count), func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -309,7 +310,7 @@ func BenchmarkChecksumUpdate(b *testing.B) {
 func BenchmarkDNATMemoryAllocations(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -472,7 +473,7 @@ func BenchmarkPortDNAT(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger)
+			}, false, flowLogger, iface.DefaultMTU)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))

client/firewall/uspfilter/nat_stateful_test.go

@@ -0,0 +1,85 @@
+package uspfilter
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/google/gopacket/layers"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/iface/device"
+)
+
+// TestPortDNATBasic tests basic port DNAT functionality
+func TestPortDNATBasic(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	// Define peer IPs
+	peerA := netip.MustParseAddr("100.10.0.50")
+	peerB := netip.MustParseAddr("100.10.0.51")
+
+	// Add SSH port redirection rule for peer B (the target)
+	err = manager.addPortRedirection(peerB, layers.LayerTypeTCP, 22, 22022)
+	require.NoError(t, err)
+
+	// Scenario: Peer A connects to Peer B on port 22 (should get NAT)
+	packetAtoB := generateDNATTestPacket(t, peerA, peerB, layers.IPProtocolTCP, 54321, 22)
+	d := parsePacket(t, packetAtoB)
+	translatedAtoB := manager.translateInboundPortDNAT(packetAtoB, d, peerA, peerB)
+	require.True(t, translatedAtoB, "Peer A to Peer B should be translated (NAT applied)")
+
+	// Verify port was translated to 22022
+	d = parsePacket(t, packetAtoB)
+	require.Equal(t, uint16(22022), uint16(d.tcp.DstPort), "Port should be rewritten to 22022")
+
+	// Scenario: Return traffic from Peer B to Peer A should NOT be translated
+	// (prevents double NAT - original port stored in conntrack)
+	returnPacket := generateDNATTestPacket(t, peerB, peerA, layers.IPProtocolTCP, 22022, 54321)
+	d2 := parsePacket(t, returnPacket)
+	translatedReturn := manager.translateInboundPortDNAT(returnPacket, d2, peerB, peerA)
+	require.False(t, translatedReturn, "Return traffic from same IP should not be translated")
+}
+
+// TestPortDNATMultipleRules tests multiple port DNAT rules
+func TestPortDNATMultipleRules(t *testing.T) {
+	manager, err := Create(&IFaceMock{
+		SetFilterFunc: func(device.PacketFilter) error { return nil },
+	}, false, flowLogger, iface.DefaultMTU)
+	require.NoError(t, err)
+	defer func() {
+		require.NoError(t, manager.Close(nil))
+	}()
+
+	// Define peer IPs
+	peerA := netip.MustParseAddr("100.10.0.50")
+	peerB := netip.MustParseAddr("100.10.0.51")
+
+	// Add SSH port redirection rules for both peers
+	err = manager.addPortRedirection(peerA, layers.LayerTypeTCP, 22, 22022)
+	require.NoError(t, err)
+	err = manager.addPortRedirection(peerB, layers.LayerTypeTCP, 22, 22022)
+	require.NoError(t, err)
+
+	// Test traffic to peer B gets translated
+	packetToB := generateDNATTestPacket(t, peerA, peerB, layers.IPProtocolTCP, 54321, 22)
+	d1 := parsePacket(t, packetToB)
+	translatedToB := manager.translateInboundPortDNAT(packetToB, d1, peerA, peerB)
+	require.True(t, translatedToB, "Traffic to peer B should be translated")
+	d1 = parsePacket(t, packetToB)
+	require.Equal(t, uint16(22022), uint16(d1.tcp.DstPort), "Port should be 22022")
+
+	// Test traffic to peer A gets translated
+	packetToA := generateDNATTestPacket(t, peerB, peerA, layers.IPProtocolTCP, 54322, 22)
+	d2 := parsePacket(t, packetToA)
+	translatedToA := manager.translateInboundPortDNAT(packetToA, d2, peerB, peerA)
+	require.True(t, translatedToA, "Traffic to peer A should be translated")
+	d2 = parsePacket(t, packetToA)
+	require.Equal(t, uint16(22022), uint16(d2.tcp.DstPort), "Port should be 22022")
+}

client/firewall/uspfilter/nat_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -16,7 +17,7 @@ import (
 func TestDNATTranslationCorrectness(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -100,7 +101,7 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 func TestDNATMappingManagement(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -148,7 +149,7 @@ func TestDNATMappingManagement(t *testing.T) {
 func TestInboundPortDNAT(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -198,7 +199,7 @@ func TestInboundPortDNAT(t *testing.T) {
 func TestInboundPortDNATNegative(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger)
+	}, false, flowLogger, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))

client/firewall/uspfilter/tracer_test.go

@@ -10,6 +10,7 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -44,7 +45,7 @@ func TestTracePacket(t *testing.T) {
 			},
 		}
 
-		m, err := Create(ifaceMock, false, flowLogger)
+		m, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
 		require.NoError(t, err)
 
 		if !statefulMode {

client/grpc/dialer.go

@@ -4,12 +4,15 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
+	"fmt"
 	"runtime"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/connectivity"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
@@ -17,6 +20,9 @@ import (
 	"github.com/netbirdio/netbird/util/embeddedroots"
 )
 
+// ErrConnectionShutdown indicates that the connection entered shutdown state before becoming ready
+var ErrConnectionShutdown = errors.New("connection shutdown before ready")
+
 // Backoff returns a backoff configuration for gRPC calls
 func Backoff(ctx context.Context) backoff.BackOff {
 	b := backoff.NewExponentialBackOff()
@@ -25,6 +31,26 @@ func Backoff(ctx context.Context) backoff.BackOff {
 	return backoff.WithContext(b, ctx)
 }
 
+// waitForConnectionReady blocks until the connection becomes ready or fails.
+// Returns an error if the connection times out, is cancelled, or enters shutdown state.
+func waitForConnectionReady(ctx context.Context, conn *grpc.ClientConn) error {
+	conn.Connect()
+
+	state := conn.GetState()
+	for state != connectivity.Ready && state != connectivity.Shutdown {
+		if !conn.WaitForStateChange(ctx, state) {
+			return fmt.Errorf("wait state change from %s: %w", state, ctx.Err())
+		}
+		state = conn.GetState()
+	}
+
+	if state == connectivity.Shutdown {
+		return ErrConnectionShutdown
+	}
+
+	return nil
+}
+
 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
 func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
@@ -42,22 +68,24 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 		}))
 	}
 
-	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-
-	conn, err := grpc.DialContext(
-		connCtx,
+	conn, err := grpc.NewClient(
 		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
-		grpc.WithBlock(),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
 	)
 	if err != nil {
-		log.Printf("DialContext error: %v", err)
+		return nil, fmt.Errorf("new client: %w", err)
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	if err := waitForConnectionReady(ctx, conn); err != nil {
+		_ = conn.Close()
 		return nil, err
 	}
 

client/grpc/dialer_generic.go

@@ -18,7 +18,7 @@ import (
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
+func WithCustomDialer(_ bool, _ string) grpc.DialOption {
 	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
 		if runtime.GOOS == "linux" {
 			currentUser, err := user.Current()
@@ -36,7 +36,6 @@ func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
 
 		conn, err := nbnet.NewDialer().DialContext(ctx, "tcp", addr)
 		if err != nil {
-			log.Errorf("Failed to dial: %s", err)
 			return nil, fmt.Errorf("nbnet.NewDialer().DialContext: %w", err)
 		}
 		return conn, nil

client/internal/acl/manager.go

@@ -17,7 +17,6 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
-	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
@@ -83,22 +82,6 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	rules := networkMap.FirewallRules
 
-	enableSSH := networkMap.PeerConfig != nil &&
-		networkMap.PeerConfig.SshConfig != nil &&
-		networkMap.PeerConfig.SshConfig.SshEnabled
-
-	// If SSH enabled, add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP port defined by ssh.DefaultSSHPort).
-	if enableSSH {
-		rules = append(rules, &mgmProto.FirewallRule{
-			PeerIP:    "0.0.0.0",
-			Direction: mgmProto.RuleDirection_IN,
-			Action:    mgmProto.RuleAction_ACCEPT,
-			Protocol:  mgmProto.RuleProtocol_TCP,
-			Port:      strconv.Itoa(ssh.DefaultSSHPort),
-		})
-	}
-
 	// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
 	// we have old version of management without rules handling, we should allow all traffic
 	if len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty {

client/internal/acl/manager_test.go

@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -52,7 +53,7 @@ func TestDefaultManager(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -170,7 +171,7 @@ func TestDefaultManagerStateless(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -271,70 +272,3 @@ func TestPortInfoEmpty(t *testing.T) {
 		})
 	}
 }
-
-func TestDefaultManagerEnableSSHRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		PeerConfig: &mgmProto.PeerConfig{
-			SshConfig: &mgmProto.SSHConfig{
-				SshEnabled: true,
-			},
-		},
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_UDP,
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	acl.ApplyFiltering(networkMap, false)
-
-	expectedRules := 3
-	if fw.IsStateful() {
-		expectedRules = 3 // 2 inbound rules + SSH rule
-	}
-	assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
-}

client/internal/connect.go

@@ -25,6 +25,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -34,7 +35,6 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -289,15 +289,18 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}
 
 		<-engineCtx.Done()
+
 		c.engineMutex.Lock()
-		if c.engine != nil && c.engine.wgInterface != nil {
-			log.Infof("ensuring %s is removed, Netbird engine context cancelled", c.engine.wgInterface.Name())
-			if err := c.engine.Stop(); err != nil {
+		engine := c.engine
+		c.engine = nil
+		c.engineMutex.Unlock()
+
+		if engine != nil && engine.wgInterface != nil {
+			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())
+			if err := engine.Stop(); err != nil {
 				log.Errorf("Failed to stop engine: %v", err)
 			}
-			c.engine = nil
 		}
-		c.engineMutex.Unlock()
 		c.statusRecorder.ClientTeardown()
 
 		backOff.Reset()
@@ -382,19 +385,12 @@ func (c *ConnectClient) Status() StatusType {
 }
 
 func (c *ConnectClient) Stop() error {
-	if c == nil {
-		return nil
+	engine := c.Engine()
+	if engine != nil {
+		if err := engine.Stop(); err != nil {
+			return fmt.Errorf("stop engine: %w", err)
+		}
 	}
-	c.engineMutex.Lock()
-	defer c.engineMutex.Unlock()
-
-	if c.engine == nil {
-		return nil
-	}
-	if err := c.engine.Stop(); err != nil {
-		return fmt.Errorf("stop engine: %w", err)
-	}
-
 	return nil
 }
 
@@ -420,20 +416,25 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		nm = *config.NetworkMonitor
 	}
 	engineConf := &EngineConfig{
-		WgIfaceName:          config.WgIface,
-		WgAddr:               peerConfig.Address,
-		IFaceBlackList:       config.IFaceBlackList,
-		DisableIPv6Discovery: config.DisableIPv6Discovery,
-		WgPrivateKey:         key,
-		WgPort:               config.WgPort,
-		NetworkMonitor:       nm,
-		SSHKey:               []byte(config.SSHKey),
-		NATExternalIPs:       config.NATExternalIPs,
-		CustomDNSAddress:     config.CustomDNSAddress,
-		RosenpassEnabled:     config.RosenpassEnabled,
-		RosenpassPermissive:  config.RosenpassPermissive,
-		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
-		DNSRouteInterval:     config.DNSRouteInterval,
+		WgIfaceName:                   config.WgIface,
+		WgAddr:                        peerConfig.Address,
+		IFaceBlackList:                config.IFaceBlackList,
+		DisableIPv6Discovery:          config.DisableIPv6Discovery,
+		WgPrivateKey:                  key,
+		WgPort:                        config.WgPort,
+		NetworkMonitor:                nm,
+		SSHKey:                        []byte(config.SSHKey),
+		NATExternalIPs:                config.NATExternalIPs,
+		CustomDNSAddress:              config.CustomDNSAddress,
+		RosenpassEnabled:              config.RosenpassEnabled,
+		RosenpassPermissive:           config.RosenpassPermissive,
+		ServerSSHAllowed:              util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
+		EnableSSHRoot:                 config.EnableSSHRoot,
+		EnableSSHSFTP:                 config.EnableSSHSFTP,
+		EnableSSHLocalPortForwarding:  config.EnableSSHLocalPortForwarding,
+		EnableSSHRemotePortForwarding: config.EnableSSHRemotePortForwarding,
+		DisableSSHAuth:                config.DisableSSHAuth,
+		DNSRouteInterval:              config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
 		DisableServerRoutes: config.DisableServerRoutes || config.BlockInbound,
@@ -519,6 +520,11 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
+		config.EnableSSHRoot,
+		config.EnableSSHSFTP,
+		config.EnableSSHLocalPortForwarding,
+		config.EnableSSHRemotePortForwarding,
+		config.DisableSSHAuth,
 	)
 	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/debug/debug.go

@@ -433,6 +433,18 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	if g.internalConfig.ServerSSHAllowed != nil {
 		configContent.WriteString(fmt.Sprintf("ServerSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
 	}
+	if g.internalConfig.EnableSSHRoot != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHRoot: %v\n", *g.internalConfig.EnableSSHRoot))
+	}
+	if g.internalConfig.EnableSSHSFTP != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHSFTP: %v\n", *g.internalConfig.EnableSSHSFTP))
+	}
+	if g.internalConfig.EnableSSHLocalPortForwarding != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHLocalPortForwarding: %v\n", *g.internalConfig.EnableSSHLocalPortForwarding))
+	}
+	if g.internalConfig.EnableSSHRemotePortForwarding != nil {
+		configContent.WriteString(fmt.Sprintf("EnableSSHRemotePortForwarding: %v\n", *g.internalConfig.EnableSSHRemotePortForwarding))
+	}
 
 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))

client/internal/dns/server.go

@@ -65,8 +65,9 @@ type hostManagerWithOriginalNS interface {
 
 // DefaultServer dns server object
 type DefaultServer struct {
-	ctx       context.Context
-	ctxCancel context.CancelFunc
+	ctx        context.Context
+	ctxCancel  context.CancelFunc
+	shutdownWg sync.WaitGroup
 	// disableSys disables system DNS management (e.g., /etc/resolv.conf updates) while keeping the DNS service running.
 	// This is different from ServiceEnable=false from management which completely disables the DNS service.
 	disableSys         bool
@@ -318,6 +319,7 @@ func (s *DefaultServer) DnsIP() netip.Addr {
 // Stop stops the server
 func (s *DefaultServer) Stop() {
 	s.ctxCancel()
+	s.shutdownWg.Wait()
 
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -507,8 +509,9 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 
 	s.applyHostConfig()
 
+	s.shutdownWg.Add(1)
 	go func() {
-		// persist dns state right away
+		defer s.shutdownWg.Done()
 		if err := s.stateManager.PersistState(s.ctx); err != nil {
 			log.Errorf("Failed to persist dns state: %v", err)
 		}

client/internal/dns/server_test.go

@@ -944,7 +944,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 		return nil, err
 	}
 
-	pf, err := uspfilter.Create(wgIface, false, flowLogger)
+	pf, err := uspfilter.Create(wgIface, false, flowLogger, iface.DefaultMTU)
 	if err != nil {
 		t.Fatalf("failed to create uspfilter: %v", err)
 		return nil, err

client/internal/dnsfwd/cache_test.go

@@ -83,4 +83,3 @@ func TestCacheMiss(t *testing.T) {
 		t.Fatalf("expected cache miss, got=%v ok=%v", got, ok)
 	}
 }
-

client/internal/dnsfwd/forwarder.go

@@ -14,6 +14,7 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -33,7 +34,7 @@ type firewaller interface {
 }
 
 type DNSForwarder struct {
-	listenAddress  string
+	listenAddress  netip.AddrPort
 	ttl            uint32
 	statusRecorder *peer.Status
 
@@ -47,9 +48,11 @@ type DNSForwarder struct {
 	firewall   firewaller
 	resolver   resolver
 	cache      *cache
+
+	wgIface wgIface
 }
 
-func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
+func NewDNSForwarder(listenAddress netip.AddrPort, ttl uint32, firewall firewaller, statusRecorder *peer.Status, wgIface wgIface) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
@@ -58,30 +61,46 @@ func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, stat
 		statusRecorder: statusRecorder,
 		resolver:       net.DefaultResolver,
 		cache:          newCache(),
+		wgIface:        wgIface,
 	}
 }
 
 func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
+	var netstackNet *netstack.Net
+	if f.wgIface != nil {
+		netstackNet = f.wgIface.GetNet()
+	}
+
+	addrDesc := f.listenAddress.String()
+	if netstackNet != nil {
+		addrDesc = fmt.Sprintf("netstack %s", f.listenAddress)
+	}
+	log.Infof("starting DNS forwarder on address=%s", addrDesc)
+
+	udpLn, err := f.createUDPListener(netstackNet)
+	if err != nil {
+		return fmt.Errorf("create UDP listener: %w", err)
+	}
+
+	tcpLn, err := f.createTCPListener(netstackNet)
+	if err != nil {
+		return fmt.Errorf("create TCP listener: %w", err)
+	}
 
-	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
 	mux.HandleFunc(".", f.handleDNSQueryUDP)
 	f.dnsServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "udp",
-		Handler: mux,
+		PacketConn: udpLn,
+		Handler:    mux,
 	}
 
-	// TCP server
 	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
 	tcpMux.HandleFunc(".", f.handleDNSQueryTCP)
 	f.tcpServer = &dns.Server{
-		Addr:    f.listenAddress,
-		Net:     "tcp",
-		Handler: tcpMux,
+		Listener: tcpLn,
+		Handler:  tcpMux,
 	}
 
 	f.UpdateDomains(entries)
@@ -89,18 +108,33 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	errCh := make(chan error, 2)
 
 	go func() {
-		log.Infof("DNS UDP listener running on %s", f.listenAddress)
-		errCh <- f.dnsServer.ListenAndServe()
+		log.Infof("DNS UDP listener running on %s", addrDesc)
+		errCh <- f.dnsServer.ActivateAndServe()
 	}()
 	go func() {
-		log.Infof("DNS TCP listener running on %s", f.listenAddress)
-		errCh <- f.tcpServer.ListenAndServe()
+		log.Infof("DNS TCP listener running on %s", addrDesc)
+		errCh <- f.tcpServer.ActivateAndServe()
 	}()
 
-	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }
 
+func (f *DNSForwarder) createUDPListener(netstackNet *netstack.Net) (net.PacketConn, error) {
+	if netstackNet != nil {
+		return netstackNet.ListenUDPAddrPort(f.listenAddress)
+	}
+
+	return net.ListenUDP("udp", net.UDPAddrFromAddrPort(f.listenAddress))
+}
+
+func (f *DNSForwarder) createTCPListener(netstackNet *netstack.Net) (net.Listener, error) {
+	if netstackNet != nil {
+		return netstackNet.ListenTCPAddrPort(f.listenAddress)
+	}
+
+	return net.ListenTCP("tcp", net.TCPAddrFromAddrPort(f.listenAddress))
+}
+
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()

client/internal/dnsfwd/forwarder_test.go

@@ -297,7 +297,7 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.queryDomain)).Return([]netip.Addr{fakeIP}, nil)
 			}
 
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 			forwarder.resolver = mockResolver
 
 			d, err := domain.FromString(tt.configuredDomain)
@@ -402,7 +402,7 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			mockResolver := &MockResolver{}
 
 			// Set up forwarder
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 			forwarder.resolver = mockResolver
 
 			// Create entries and track sets
@@ -489,7 +489,7 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	// Configure a single domain
@@ -584,7 +584,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 
 			d, err := domain.FromString(tt.configured)
 			require.NoError(t, err)
@@ -616,7 +616,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	// Test that large UDP responses are truncated with TC bit set
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, _ := domain.FromString("example.com")
@@ -652,7 +652,7 @@ func TestDNSForwarder_TCPTruncation(t *testing.T) {
 // a subsequent upstream failure still returns a successful response from cache.
 func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("example.com")
@@ -696,7 +696,7 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 // Verifies that cache normalization works across casing and trailing dot variations.
 func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("ExAmPlE.CoM")
@@ -742,7 +742,7 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	// Set up complex overlapping patterns
@@ -804,7 +804,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("example.com")
@@ -925,7 +925,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 
 func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	// Test handling of malformed query with no questions
-	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
+	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
 
 	query := &dns.Msg{}
 	// Don't set any question

client/internal/dnsfwd/manager.go

@@ -10,9 +10,12 @@ import (
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -24,6 +27,12 @@ const (
 	envServerPort = "NB_DNS_FORWARDER_PORT"
 )
 
+// wgIface defines the interface for WireGuard interface operations needed by the DNS forwarder.
+type wgIface interface {
+	GetNet() *netstack.Net
+	Address() wgaddr.Address
+}
+
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
 type ForwarderEntry struct {
 	Domain domain.Domain
@@ -34,7 +43,7 @@ type ForwarderEntry struct {
 type Manager struct {
 	firewall       firewall.Manager
 	statusRecorder *peer.Status
-	localAddr      netip.Addr
+	wgIface        wgIface
 	serverPort     uint16
 
 	fwRules      []firewall.Rule
@@ -42,7 +51,7 @@ type Manager struct {
 	dnsForwarder *DNSForwarder
 }
 
-func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr netip.Addr) *Manager {
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status, wgIface wgIface) *Manager {
 	serverPort := nbdns.ForwarderServerPort
 	if envPort := os.Getenv(envServerPort); envPort != "" {
 		if port, err := strconv.ParseUint(envPort, 10, 16); err == nil && port > 0 {
@@ -56,7 +65,7 @@ func NewManager(fw firewall.Manager, statusRecorder *peer.Status, localAddr neti
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
-		localAddr:      localAddr,
+		wgIface:        wgIface,
 		serverPort:     serverPort,
 	}
 }
@@ -71,21 +80,25 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}
 
-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+	localAddr := m.wgIface.Address().IP
+
+	if localAddr.IsValid() && m.firewall != nil {
+		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			log.Warnf("failed to add DNS UDP DNAT rule: %v", err)
 		} else {
-			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
+			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
 		}
 
-		if err := m.firewall.AddInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			log.Warnf("failed to add DNS TCP DNAT rule: %v", err)
 		} else {
-			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", m.localAddr, nbdns.ForwarderClientPort, m.localAddr, m.serverPort)
+			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
 		}
 	}
 
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", m.serverPort), dnsTTL, m.firewall, m.statusRecorder)
+	listenAddress := netip.AddrPortFrom(localAddr, m.serverPort)
+	m.dnsForwarder = NewDNSForwarder(listenAddress, dnsTTL, m.firewall, m.statusRecorder, m.wgIface)
+
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -111,16 +124,19 @@ func (m *Manager) Stop(ctx context.Context) error {
 
 	var mErr *multierror.Error
 
-	if m.localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+	localAddr := m.wgIface.Address().IP
+	if localAddr.IsValid() && m.firewall != nil {
+		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS UDP DNAT rule: %w", err))
 		}
 
-		if err := m.firewall.RemoveInboundDNAT(m.localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
+		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
 			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS TCP DNAT rule: %w", err))
 		}
 	}
 
+	m.unregisterNetstackServices()
+
 	if err := m.dropDNSFirewall(); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
@@ -145,21 +161,50 @@ func (m *Manager) allowDNSFirewall() error {
 
 	dnsRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
+		return fmt.Errorf("add udp firewall rule: %w", err)
 	}
-	m.fwRules = dnsRules
 
 	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		log.Errorf("failed to add allow DNS router rules, err: %v", err)
-		return err
+		return fmt.Errorf("add tcp firewall rule: %w", err)
 	}
+
+	if err := m.firewall.Flush(); err != nil {
+		return fmt.Errorf("flush: %w", err)
+	}
+
+	m.fwRules = dnsRules
 	m.tcpRules = tcpRules
 
+	m.registerNetstackServices()
+
 	return nil
 }
 
+func (m *Manager) registerNetstackServices() {
+	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
+		if registrar, ok := m.firewall.(interface {
+			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.RegisterNetstackService(nftypes.TCP, m.serverPort)
+			registrar.RegisterNetstackService(nftypes.UDP, m.serverPort)
+			log.Debugf("registered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
+		}
+	}
+}
+
+func (m *Manager) unregisterNetstackServices() {
+	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
+		if registrar, ok := m.firewall.(interface {
+			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.UnregisterNetstackService(nftypes.TCP, m.serverPort)
+			registrar.UnregisterNetstackService(nftypes.UDP, m.serverPort)
+			log.Debugf("unregistered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
+		}
+	}
+}
+
 func (m *Manager) dropDNSFirewall() error {
 	var mErr *multierror.Error
 	for _, rule := range m.fwRules {

client/internal/engine.go

@@ -9,7 +9,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
-	"reflect"
 	"runtime"
 	"slices"
 	"sort"
@@ -30,7 +29,6 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
-	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
@@ -51,10 +49,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	cProto "github.com/netbirdio/netbird/client/proto"
+	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 
-	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -115,7 +113,12 @@ type EngineConfig struct {
 	RosenpassEnabled    bool
 	RosenpassPermissive bool
 
-	ServerSSHAllowed bool
+	ServerSSHAllowed              bool
+	EnableSSHRoot                 *bool
+	EnableSSHSFTP                 *bool
+	EnableSSHLocalPortForwarding  *bool
+	EnableSSHRemotePortForwarding *bool
+	DisableSSHAuth                *bool
 
 	DNSRouteInterval time.Duration
 
@@ -173,8 +176,7 @@ type Engine struct {
 
 	networkMonitor *networkmonitor.NetworkMonitor
 
-	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
-	sshServer     nbssh.Server
+	sshServer sshServer
 
 	statusRecorder *peer.Status
 
@@ -200,8 +202,10 @@ type Engine struct {
 	flowManager         nftypes.FlowManager
 
 	// WireGuard interface monitor
-	wgIfaceMonitor   *WGIfaceMonitor
-	wgIfaceMonitorWg sync.WaitGroup
+	wgIfaceMonitor *WGIfaceMonitor
+
+	// shutdownWg tracks all long-running goroutines to ensure clean shutdown
+	shutdownWg sync.WaitGroup
 
 	probeStunTurn *relay.StunTurnProbe
 }
@@ -242,7 +246,6 @@ func NewEngine(
 		STUNs:          []*stun.URI{},
 		TURNs:          []*stun.URI{},
 		networkSerial:  0,
-		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
@@ -264,6 +267,7 @@ func NewEngine(
 		path = mobileDep.StateFilePath
 	}
 	engine.stateManager = statemanager.New(path)
+	engine.stateManager.RegisterState(&sshconfig.ShutdownState{})
 
 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
 	return engine
@@ -288,6 +292,12 @@ func (e *Engine) Stop() error {
 	}
 	log.Info("Network monitor: stopped")
 
+	if err := e.stopSSHServer(); err != nil {
+		log.Warnf("failed to stop SSH server: %v", err)
+	}
+
+	e.cleanupSSHConfig()
+
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()
 
@@ -298,17 +308,12 @@ func (e *Engine) Stop() error {
 		e.ingressGatewayMgr = nil
 	}
 
+	e.stopDNSForwarder()
+
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
 
-	if e.dnsForwardMgr != nil {
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
-	}
-
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}
@@ -325,10 +330,6 @@ func (e *Engine) Stop() error {
 		e.cancel()
 	}
 
-	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
-	// Removing peers happens in the conn.Close() asynchronously
-	time.Sleep(500 * time.Millisecond)
-
 	e.close()
 
 	// stop flow manager after wg interface is gone
@@ -336,8 +337,6 @@ func (e *Engine) Stop() error {
 		e.flowManager.Close()
 	}
 
-	log.Infof("stopped Netbird Engine")
-
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
 
@@ -348,12 +347,52 @@ func (e *Engine) Stop() error {
 		log.Errorf("failed to persist state: %v", err)
 	}
 
-	// Stop WireGuard interface monitor and wait for it to exit
-	e.wgIfaceMonitorWg.Wait()
+	timeout := e.calculateShutdownTimeout()
+	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
+	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+
+	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
+		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
+	}
+
+	log.Infof("stopped Netbird Engine")
 
 	return nil
 }
 
+// calculateShutdownTimeout returns shutdown timeout: 10s base + 100ms per peer, capped at 30s.
+func (e *Engine) calculateShutdownTimeout() time.Duration {
+	peerCount := len(e.peerStore.PeersPubKey())
+
+	baseTimeout := 10 * time.Second
+	perPeerTimeout := time.Duration(peerCount) * 100 * time.Millisecond
+	timeout := baseTimeout + perPeerTimeout
+
+	maxTimeout := 30 * time.Second
+	if timeout > maxTimeout {
+		timeout = maxTimeout
+	}
+
+	return timeout
+}
+
+// waitWithContext waits for WaitGroup with timeout, returns ctx.Err() on timeout.
+func waitWithContext(ctx context.Context, wg *sync.WaitGroup) error {
+	done := make(chan struct{})
+	go func() {
+		wg.Wait()
+		close(done)
+	}()
+
+	select {
+	case <-done:
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
@@ -483,14 +522,14 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
-	e.wgIfaceMonitorWg.Add(1)
+	e.shutdownWg.Add(1)
 
 	go func() {
-		defer e.wgIfaceMonitorWg.Done()
+		defer e.shutdownWg.Done()
 
 		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
-			e.restartEngine()
+			e.triggerClientRestart()
 		} else if err != nil {
 			log.Warnf("WireGuard interface monitor: %s", err)
 		}
@@ -506,7 +545,7 @@ func (e *Engine) createFirewall() error {
 	}
 
 	var err error
-	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes)
+	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
 	if err != nil || e.firewall == nil {
 		log.Errorf("failed creating firewall manager: %s", err)
 		return nil
@@ -670,14 +709,10 @@ func (e *Engine) removeAllPeers() error {
 	return nil
 }
 
-// removePeer closes an existing peer connection, removes a peer, and clears authorized key of the SSH server
+// removePeer closes an existing peer connection and removes a peer
 func (e *Engine) removePeer(peerKey string) error {
 	log.Debugf("removing peer from engine %s", peerKey)
 
-	if !isNil(e.sshServer) {
-		e.sshServer.RemoveAuthorizedKey(peerKey)
-	}
-
 	e.connMgr.RemovePeerConn(peerKey)
 
 	err := e.statusRecorder.RemovePeer(peerKey)
@@ -849,6 +884,11 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.LazyConnectionEnabled,
+		e.config.EnableSSHRoot,
+		e.config.EnableSSHSFTP,
+		e.config.EnableSSHLocalPortForwarding,
+		e.config.EnableSSHRemotePortForwarding,
+		e.config.DisableSSHAuth,
 	)
 
 	if err := e.mgmClient.SyncMeta(info); err != nil {
@@ -858,65 +898,6 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 	return nil
 }
 
-func isNil(server nbssh.Server) bool {
-	return server == nil || reflect.ValueOf(server).IsNil()
-}
-
-func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
-	if e.config.BlockInbound {
-		log.Infof("SSH server is disabled because inbound connections are blocked")
-		return nil
-	}
-
-	if !e.config.ServerSSHAllowed {
-		log.Info("SSH server is not enabled")
-		return nil
-	}
-
-	if sshConf.GetSshEnabled() {
-		if runtime.GOOS == "windows" {
-			log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
-			return nil
-		}
-		// start SSH server if it wasn't running
-		if isNil(e.sshServer) {
-			listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
-			if nbnetstack.IsEnabled() {
-				listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
-			}
-			// nil sshServer means it has not yet been started
-			var err error
-			e.sshServer, err = e.sshServerFunc(e.config.SSHKey, listenAddr)
-
-			if err != nil {
-				return fmt.Errorf("create ssh server: %w", err)
-			}
-			go func() {
-				// blocking
-				err = e.sshServer.Start()
-				if err != nil {
-					// will throw error when we stop it even if it is a graceful stop
-					log.Debugf("stopped SSH server with error %v", err)
-				}
-				e.syncMsgMux.Lock()
-				defer e.syncMsgMux.Unlock()
-				e.sshServer = nil
-				log.Infof("stopped SSH server")
-			}()
-		} else {
-			log.Debugf("SSH server is already running")
-		}
-	} else if !isNil(e.sshServer) {
-		// Disable SSH server request, so stop it if it was running
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed to stop SSH server %v", err)
-		}
-		e.sshServer = nil
-	}
-	return nil
-}
-
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	if e.wgInterface == nil {
 		return errors.New("wireguard interface is not initialized")
@@ -929,8 +910,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	}
 
 	if conf.GetSshConfig() != nil {
-		err := e.updateSSH(conf.GetSshConfig())
-		if err != nil {
+		if err := e.updateSSH(conf.GetSshConfig()); err != nil {
 			log.Warnf("failed handling SSH server setup: %v", err)
 		}
 	}
@@ -949,7 +929,9 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
 		if err != nil {
 			log.Warnf("failed to get system info with checks: %v", err)
@@ -966,6 +948,11 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.BlockLANAccess,
 			e.config.BlockInbound,
 			e.config.LazyConnectionEnabled,
+			e.config.EnableSSHRoot,
+			e.config.EnableSSHSFTP,
+			e.config.EnableSSHLocalPortForwarding,
+			e.config.EnableSSHRemotePortForwarding,
+			e.config.DisableSSHAuth,
 		)
 
 		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
@@ -1124,16 +1111,10 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 
 		e.statusRecorder.FinishPeerListModifications()
 
-		// update SSHServer by adding remote peer SSH keys
-		if !isNil(e.sshServer) {
-			for _, config := range networkMap.GetRemotePeers() {
-				if config.GetSshConfig() != nil && config.GetSshConfig().GetSshPubKey() != nil {
-					err := e.sshServer.AddAuthorizedKey(config.WgPubKey, string(config.GetSshConfig().GetSshPubKey()))
-					if err != nil {
-						log.Warnf("failed adding authorized key to SSH DefaultServer %v", err)
-					}
-				}
-			}
+		e.updatePeerSSHHostKeys(networkMap.GetRemotePeers())
+
+		if err := e.updateSSHClientConfig(networkMap.GetRemotePeers()); err != nil {
+			log.Warnf("failed to update SSH client config: %v", err)
 		}
 	}
 
@@ -1377,7 +1358,9 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 
 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
 func (e *Engine) receiveSignalEvents() {
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
 			e.syncMsgMux.Lock()
@@ -1494,13 +1477,6 @@ func (e *Engine) close() {
 		e.statusRecorder.SetWgIface(nil)
 	}
 
-	if !isNil(e.sshServer) {
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed stopping the SSH server: %v", err)
-		}
-	}
-
 	if e.firewall != nil {
 		err := e.firewall.Close(e.stateManager)
 		if err != nil {
@@ -1531,6 +1507,11 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.LazyConnectionEnabled,
+		e.config.EnableSSHRoot,
+		e.config.EnableSSHSFTP,
+		e.config.EnableSSHLocalPortForwarding,
+		e.config.EnableSSHRemotePortForwarding,
+		e.config.DisableSSHAuth,
 	)
 
 	netMap, err := e.mgmClient.GetNetworkMap(info)
@@ -1730,8 +1711,10 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	return allHealthy
 }
 
-// restartEngine restarts the engine by cancelling the client context
-func (e *Engine) restartEngine() {
+// triggerClientRestart triggers a full client restart by cancelling the client context.
+// Note: This does NOT just restart the engine - it cancels the entire client context,
+// which causes the connect client's retry loop to create a completely new engine.
+func (e *Engine) triggerClientRestart() {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
@@ -1753,7 +1736,9 @@ func (e *Engine) startNetworkMonitor() {
 	}
 
 	e.networkMonitor = networkmonitor.New()
+	e.shutdownWg.Add(1)
 	go func() {
+		defer e.shutdownWg.Done()
 		if err := e.networkMonitor.Listen(e.ctx); err != nil {
 			if errors.Is(err, context.Canceled) {
 				log.Infof("network monitor stopped")
@@ -1763,8 +1748,8 @@ func (e *Engine) startNetworkMonitor() {
 			return
 		}
 
-		log.Infof("Network monitor: detected network change, restarting engine")
-		e.restartEngine()
+		log.Infof("Network monitor: detected network change, triggering client restart")
+		e.triggerClientRestart()
 	}()
 }
 
@@ -1855,38 +1840,46 @@ func (e *Engine) updateDNSForwarder(
 	}
 
 	if !enabled {
-		if e.dnsForwardMgr == nil {
-			return
-		}
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
+		e.stopDNSForwarder()
 		return
 	}
 
 	if len(fwdEntries) > 0 {
 		if e.dnsForwardMgr == nil {
-			localAddr := e.wgInterface.Address().IP
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, localAddr)
-
-			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
-				log.Errorf("failed to start DNS forward: %v", err)
-				e.dnsForwardMgr = nil
-			}
-
-			log.Infof("started domain router service with %d entries", len(fwdEntries))
+			e.startDNSForwarder(fwdEntries)
 		} else {
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
 		log.Infof("disable domain router service")
-		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-			log.Errorf("failed to stop DNS forward: %v", err)
-		}
-		e.dnsForwardMgr = nil
+		e.stopDNSForwarder()
 	}
 }
 
+func (e *Engine) startDNSForwarder(fwdEntries []*dnsfwd.ForwarderEntry) {
+	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, e.wgInterface)
+
+	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+		log.Errorf("failed to start DNS forward: %v", err)
+		e.dnsForwardMgr = nil
+		return
+	}
+
+	log.Infof("started domain router service with %d entries", len(fwdEntries))
+}
+
+func (e *Engine) stopDNSForwarder() {
+	if e.dnsForwardMgr == nil {
+		return
+	}
+
+	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+		log.Errorf("failed to stop DNS forward: %v", err)
+	}
+
+	e.dnsForwardMgr = nil
+}
+
 func (e *Engine) GetNet() (*netstack.Net, error) {
 	e.syncMsgMux.Lock()
 	intf := e.wgInterface

client/internal/engine_ssh.go

@@ -0,0 +1,338 @@
+package internal
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/netip"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+
+	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
+	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
+	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+type sshServer interface {
+	Start(ctx context.Context, addr netip.AddrPort) error
+	Stop() error
+}
+
+func (e *Engine) setupSSHPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.AddInboundDNAT(localAddr, firewallManager.ProtocolTCP, 22, 22022); err != nil {
+		return fmt.Errorf("add SSH port redirection: %w", err)
+	}
+	log.Infof("SSH port redirection enabled: %s:22 -> %s:22022", localAddr, localAddr)
+
+	return nil
+}
+
+func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
+	if e.config.BlockInbound {
+		log.Info("SSH server is disabled because inbound connections are blocked")
+		return e.stopSSHServer()
+	}
+
+	if !e.config.ServerSSHAllowed {
+		log.Info("SSH server is disabled in config")
+		return e.stopSSHServer()
+	}
+
+	if !sshConf.GetSshEnabled() {
+		if e.config.ServerSSHAllowed {
+			log.Info("SSH server is locally allowed but disabled by management server")
+		}
+		return e.stopSSHServer()
+	}
+
+	if e.sshServer != nil {
+		log.Debug("SSH server is already running")
+		return nil
+	}
+
+	if e.config.DisableSSHAuth != nil && *e.config.DisableSSHAuth {
+		log.Info("starting SSH server without JWT authentication (authentication disabled by config)")
+		return e.startSSHServer(nil)
+	}
+
+	if protoJWT := sshConf.GetJwtConfig(); protoJWT != nil {
+		jwtConfig := &sshserver.JWTConfig{
+			Issuer:       protoJWT.GetIssuer(),
+			Audience:     protoJWT.GetAudience(),
+			KeysLocation: protoJWT.GetKeysLocation(),
+			MaxTokenAge:  protoJWT.GetMaxTokenAge(),
+		}
+
+		return e.startSSHServer(jwtConfig)
+	}
+
+	return errors.New("SSH server requires valid JWT configuration")
+}
+
+// updateSSHClientConfig updates the SSH client configuration with peer information
+func (e *Engine) updateSSHClientConfig(remotePeers []*mgmProto.RemotePeerConfig) error {
+	peerInfo := e.extractPeerSSHInfo(remotePeers)
+	if len(peerInfo) == 0 {
+		log.Debug("no SSH-enabled peers found, skipping SSH config update")
+		return nil
+	}
+
+	configMgr := sshconfig.New()
+	if err := configMgr.SetupSSHClientConfig(peerInfo); err != nil {
+		log.Warnf("failed to update SSH client config: %v", err)
+		return nil // Don't fail engine startup on SSH config issues
+	}
+
+	log.Debugf("updated SSH client config with %d peers", len(peerInfo))
+
+	if err := e.stateManager.UpdateState(&sshconfig.ShutdownState{
+		SSHConfigDir:  configMgr.GetSSHConfigDir(),
+		SSHConfigFile: configMgr.GetSSHConfigFile(),
+	}); err != nil {
+		log.Warnf("failed to update SSH config state: %v", err)
+	}
+
+	return nil
+}
+
+// extractPeerSSHInfo extracts SSH information from peer configurations
+func (e *Engine) extractPeerSSHInfo(remotePeers []*mgmProto.RemotePeerConfig) []sshconfig.PeerSSHInfo {
+	var peerInfo []sshconfig.PeerSSHInfo
+
+	for _, peerConfig := range remotePeers {
+		if peerConfig.GetSshConfig() == nil {
+			continue
+		}
+
+		sshPubKeyBytes := peerConfig.GetSshConfig().GetSshPubKey()
+		if len(sshPubKeyBytes) == 0 {
+			continue
+		}
+
+		peerIP := e.extractPeerIP(peerConfig)
+		hostname := e.extractHostname(peerConfig)
+
+		peerInfo = append(peerInfo, sshconfig.PeerSSHInfo{
+			Hostname: hostname,
+			IP:       peerIP,
+			FQDN:     peerConfig.GetFqdn(),
+		})
+	}
+
+	return peerInfo
+}
+
+// extractPeerIP extracts IP address from peer's allowed IPs
+func (e *Engine) extractPeerIP(peerConfig *mgmProto.RemotePeerConfig) string {
+	if len(peerConfig.GetAllowedIps()) == 0 {
+		return ""
+	}
+
+	if prefix, err := netip.ParsePrefix(peerConfig.GetAllowedIps()[0]); err == nil {
+		return prefix.Addr().String()
+	}
+	return ""
+}
+
+// extractHostname extracts short hostname from FQDN
+func (e *Engine) extractHostname(peerConfig *mgmProto.RemotePeerConfig) string {
+	fqdn := peerConfig.GetFqdn()
+	if fqdn == "" {
+		return ""
+	}
+
+	parts := strings.Split(fqdn, ".")
+	if len(parts) > 0 && parts[0] != "" {
+		return parts[0]
+	}
+	return ""
+}
+
+// updatePeerSSHHostKeys updates peer SSH host keys in the status recorder for daemon API access
+func (e *Engine) updatePeerSSHHostKeys(remotePeers []*mgmProto.RemotePeerConfig) {
+	for _, peerConfig := range remotePeers {
+		if peerConfig.GetSshConfig() == nil {
+			continue
+		}
+
+		sshPubKeyBytes := peerConfig.GetSshConfig().GetSshPubKey()
+		if len(sshPubKeyBytes) == 0 {
+			continue
+		}
+
+		if err := e.statusRecorder.UpdatePeerSSHHostKey(peerConfig.GetWgPubKey(), sshPubKeyBytes); err != nil {
+			log.Warnf("failed to update SSH host key for peer %s: %v", peerConfig.GetWgPubKey(), err)
+		}
+	}
+
+	log.Debugf("updated peer SSH host keys for daemon API access")
+}
+
+// GetPeerSSHKey returns the SSH host key for a specific peer by IP or FQDN
+func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {
+	e.syncMsgMux.Lock()
+	statusRecorder := e.statusRecorder
+	e.syncMsgMux.Unlock()
+
+	if statusRecorder == nil {
+		return nil, false
+	}
+
+	fullStatus := statusRecorder.GetFullStatus()
+	for _, peerState := range fullStatus.Peers {
+		if peerState.IP == peerAddress || peerState.FQDN == peerAddress {
+			if len(peerState.SSHHostKey) > 0 {
+				return peerState.SSHHostKey, true
+			}
+			return nil, false
+		}
+	}
+
+	return nil, false
+}
+
+// cleanupSSHConfig removes NetBird SSH client configuration on shutdown
+func (e *Engine) cleanupSSHConfig() {
+	configMgr := sshconfig.New()
+
+	if err := configMgr.RemoveSSHClientConfig(); err != nil {
+		log.Warnf("failed to remove SSH client config: %v", err)
+	} else {
+		log.Debugf("SSH client config cleanup completed")
+	}
+}
+
+// startSSHServer initializes and starts the SSH server with proper configuration.
+func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
+	if e.wgInterface == nil {
+		return errors.New("wg interface not initialized")
+	}
+
+	serverConfig := &sshserver.Config{
+		HostKeyPEM: e.config.SSHKey,
+		JWT:        jwtConfig,
+	}
+	server := sshserver.New(serverConfig)
+
+	wgAddr := e.wgInterface.Address()
+	server.SetNetworkValidation(wgAddr)
+
+	netbirdIP := wgAddr.IP
+	listenAddr := netip.AddrPortFrom(netbirdIP, sshserver.InternalSSHPort)
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		server.SetNetstackNet(netstackNet)
+
+		if registrar, ok := e.firewall.(interface {
+			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.RegisterNetstackService(nftypes.TCP, sshserver.InternalSSHPort)
+			log.Debugf("registered SSH service with netstack for TCP:%d", sshserver.InternalSSHPort)
+		}
+	}
+
+	e.configureSSHServer(server)
+	e.sshServer = server
+
+	if err := e.setupSSHPortRedirection(); err != nil {
+		log.Warnf("failed to setup SSH port redirection: %v", err)
+	}
+
+	if err := server.Start(e.ctx, listenAddr); err != nil {
+		return fmt.Errorf("start SSH server: %w", err)
+	}
+
+	return nil
+}
+
+// configureSSHServer applies SSH configuration options to the server.
+func (e *Engine) configureSSHServer(server *sshserver.Server) {
+	if e.config.EnableSSHRoot != nil && *e.config.EnableSSHRoot {
+		server.SetAllowRootLogin(true)
+		log.Info("SSH root login enabled")
+	} else {
+		server.SetAllowRootLogin(false)
+		log.Info("SSH root login disabled (default)")
+	}
+
+	if e.config.EnableSSHSFTP != nil && *e.config.EnableSSHSFTP {
+		server.SetAllowSFTP(true)
+		log.Info("SSH SFTP subsystem enabled")
+	} else {
+		server.SetAllowSFTP(false)
+		log.Info("SSH SFTP subsystem disabled (default)")
+	}
+
+	if e.config.EnableSSHLocalPortForwarding != nil && *e.config.EnableSSHLocalPortForwarding {
+		server.SetAllowLocalPortForwarding(true)
+		log.Info("SSH local port forwarding enabled")
+	} else {
+		server.SetAllowLocalPortForwarding(false)
+		log.Info("SSH local port forwarding disabled (default)")
+	}
+
+	if e.config.EnableSSHRemotePortForwarding != nil && *e.config.EnableSSHRemotePortForwarding {
+		server.SetAllowRemotePortForwarding(true)
+		log.Info("SSH remote port forwarding enabled")
+	} else {
+		server.SetAllowRemotePortForwarding(false)
+		log.Info("SSH remote port forwarding disabled (default)")
+	}
+}
+
+func (e *Engine) cleanupSSHPortRedirection() error {
+	if e.firewall == nil || e.wgInterface == nil {
+		return nil
+	}
+
+	localAddr := e.wgInterface.Address().IP
+	if !localAddr.IsValid() {
+		return errors.New("invalid local NetBird address")
+	}
+
+	if err := e.firewall.RemoveInboundDNAT(localAddr, firewallManager.ProtocolTCP, 22, 22022); err != nil {
+		return fmt.Errorf("remove SSH port redirection: %w", err)
+	}
+	log.Debugf("SSH port redirection removed: %s:22 -> %s:22022", localAddr, localAddr)
+
+	return nil
+}
+
+func (e *Engine) stopSSHServer() error {
+	if e.sshServer == nil {
+		return nil
+	}
+
+	if err := e.cleanupSSHPortRedirection(); err != nil {
+		log.Warnf("failed to cleanup SSH port redirection: %v", err)
+	}
+
+	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
+		if registrar, ok := e.firewall.(interface {
+			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
+		}); ok {
+			registrar.UnregisterNetstackService(nftypes.TCP, sshserver.InternalSSHPort)
+			log.Debugf("unregistered SSH service from netstack for TCP:%d", sshserver.InternalSSHPort)
+		}
+	}
+
+	log.Info("stopping SSH server")
+	err := e.sshServer.Stop()
+	e.sshServer = nil
+	if err != nil {
+		return fmt.Errorf("stop: %w", err)
+	}
+	return nil
+}

client/internal/engine_test.go

@@ -43,7 +43,7 @@ import (
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/ssh"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
@@ -211,11 +211,13 @@ func TestMain(m *testing.M) {
 }
 
 func TestEngine_SSH(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skip("skipping TestEngine_SSH")
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
 	}
 
-	key, err := wgtypes.GeneratePrivateKey()
+	sshKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -237,6 +239,7 @@ func TestEngine_SSH(t *testing.T) {
 			WgPort:           33100,
 			ServerSSHAllowed: true,
 			MTU:              iface.DefaultMTU,
+			SSHKey:           sshKey,
 		},
 		MobileDependency{},
 		peer.NewRecorder("https://mgm"),
@@ -247,35 +250,8 @@ func TestEngine_SSH(t *testing.T) {
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
 
-	var sshKeysAdded []string
-	var sshPeersRemoved []string
-
-	sshCtx, cancel := context.WithCancel(context.Background())
-
-	engine.sshServerFunc = func(hostKeyPEM []byte, addr string) (ssh.Server, error) {
-		return &ssh.MockServer{
-			Ctx: sshCtx,
-			StopFunc: func() error {
-				cancel()
-				return nil
-			},
-			StartFunc: func() error {
-				<-ctx.Done()
-				return ctx.Err()
-			},
-			AddAuthorizedKeyFunc: func(peer, newKey string) error {
-				sshKeysAdded = append(sshKeysAdded, newKey)
-				return nil
-			},
-			RemoveAuthorizedKeyFunc: func(peer string) {
-				sshPeersRemoved = append(sshPeersRemoved, peer)
-			},
-		}, nil
-	}
 	err = engine.Start(nil, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	defer func() {
 		err := engine.Stop()
@@ -301,9 +277,7 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	assert.Nil(t, engine.sshServer)
 
@@ -311,19 +285,24 @@ func TestEngine_SSH(t *testing.T) {
 	networkMap = &mgmtProto.NetworkMap{
 		Serial: 7,
 		PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24",
-			SshConfig: &mgmtProto.SSHConfig{SshEnabled: true}},
+			SshConfig: &mgmtProto.SSHConfig{
+				SshEnabled: true,
+				JwtConfig: &mgmtProto.JWTConfig{
+					Issuer:       "test-issuer",
+					Audience:     "test-audience",
+					KeysLocation: "test-keys",
+					MaxTokenAge:  3600,
+				},
+			}},
 		RemotePeers:        []*mgmtProto.RemotePeerConfig{peerWithSSH},
 		RemotePeersIsEmpty: false,
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
-	assert.Contains(t, sshKeysAdded, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ")
 
 	// now remove peer
 	networkMap = &mgmtProto.NetworkMap{
@@ -333,13 +312,10 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	// time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
-	assert.Contains(t, sshPeersRemoved, "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=")
 
 	// now disable SSH server
 	networkMap = &mgmtProto.NetworkMap{
@@ -351,12 +327,70 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	assert.Nil(t, engine.sshServer)
+}
 
+func TestEngine_SSHUpdateLogic(t *testing.T) {
+	// Test that SSH server start/stop logic works based on config
+	engine := &Engine{
+		config: &EngineConfig{
+			ServerSSHAllowed: false, // Start with SSH disabled
+		},
+		syncMsgMux: &sync.Mutex{},
+	}
+
+	// Test SSH disabled config
+	sshConfig := &mgmtProto.SSHConfig{SshEnabled: false}
+	err := engine.updateSSH(sshConfig)
+	assert.NoError(t, err)
+	assert.Nil(t, engine.sshServer)
+
+	// Test inbound blocked
+	engine.config.BlockInbound = true
+	err = engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
+	assert.NoError(t, err)
+	assert.Nil(t, engine.sshServer)
+	engine.config.BlockInbound = false
+
+	// Test with server SSH not allowed
+	err = engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
+	assert.NoError(t, err)
+	assert.Nil(t, engine.sshServer)
+}
+
+func TestEngine_SSHServerConsistency(t *testing.T) {
+
+	t.Run("server set only on successful creation", func(t *testing.T) {
+		engine := &Engine{
+			config: &EngineConfig{
+				ServerSSHAllowed: true,
+				SSHKey:           []byte("test-key"),
+			},
+			syncMsgMux: &sync.Mutex{},
+		}
+
+		engine.wgInterface = nil
+
+		err := engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
+
+		assert.Error(t, err)
+		assert.Nil(t, engine.sshServer)
+	})
+
+	t.Run("cleanup handles nil gracefully", func(t *testing.T) {
+		engine := &Engine{
+			config: &EngineConfig{
+				ServerSSHAllowed: false,
+			},
+			syncMsgMux: &sync.Mutex{},
+		}
+
+		err := engine.stopSSHServer()
+		assert.NoError(t, err)
+		assert.Nil(t, engine.sshServer)
+	})
 }
 
 func TestEngine_UpdateNetworkMap(t *testing.T) {
@@ -1584,7 +1618,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 
 	groupsManager := groups.NewManagerMock()
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	accountManager, err := server.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/login.go

@@ -124,6 +124,11 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
+		config.EnableSSHRoot,
+		config.EnableSSHSFTP,
+		config.EnableSSHLocalPortForwarding,
+		config.EnableSSHRemotePortForwarding,
+		config.DisableSSHAuth,
 	)
 	loginResp, err := mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
 	return serverKey, loginResp, err
@@ -150,6 +155,11 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
+		config.EnableSSHRoot,
+		config.EnableSSHSFTP,
+		config.EnableSSHLocalPortForwarding,
+		config.EnableSSHRemotePortForwarding,
+		config.DisableSSHAuth,
 	)
 	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/netflow/manager.go

@@ -24,6 +24,7 @@ import (
 // Manager handles netflow tracking and logging
 type Manager struct {
 	mux            sync.Mutex
+	shutdownWg     sync.WaitGroup
 	logger         nftypes.FlowLogger
 	flowConfig     *nftypes.FlowConfig
 	conntrack      nftypes.ConnTracker
@@ -105,8 +106,15 @@ func (m *Manager) resetClient() error {
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
 
-	go m.receiveACKs(ctx, flowClient)
-	go m.startSender(ctx)
+	m.shutdownWg.Add(2)
+	go func() {
+		defer m.shutdownWg.Done()
+		m.receiveACKs(ctx, flowClient)
+	}()
+	go func() {
+		defer m.shutdownWg.Done()
+		m.startSender(ctx)
+	}()
 
 	return nil
 }
@@ -176,11 +184,12 @@ func (m *Manager) Update(update *nftypes.FlowConfig) error {
 // Close cleans up all resources
 func (m *Manager) Close() {
 	m.mux.Lock()
-	defer m.mux.Unlock()
-
 	if err := m.disableFlow(); err != nil {
 		log.Warnf("failed to disable flow manager: %v", err)
 	}
+	m.mux.Unlock()
+
+	m.shutdownWg.Wait()
 }
 
 // GetLogger returns the flow logger

client/internal/networkmonitor/check_change_bsd.go

@@ -1,4 +1,4 @@
-//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd
+//go:build dragonfly || freebsd || netbsd || openbsd
 
 package networkmonitor
 
@@ -6,21 +6,19 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"syscall"
-	"unsafe"
 
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
 
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
 func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+	fd, err := prepareFd()
 	if err != nil {
 		return fmt.Errorf("open routing socket: %v", err)
 	}
+
 	defer func() {
 		err := unix.Close(fd)
 		if err != nil && !errors.Is(err, unix.EBADF) {
@@ -28,72 +26,5 @@ func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) er
 		}
 	}()
 
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			buf := make([]byte, 2048)
-			n, err := unix.Read(fd, buf)
-			if err != nil {
-				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
-					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
-				}
-				continue
-			}
-			if n < unix.SizeofRtMsghdr {
-				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-				continue
-			}
-
-			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-			switch msg.Type {
-			// handle route changes
-			case unix.RTM_ADD, syscall.RTM_DELETE:
-				route, err := parseRouteMessage(buf[:n])
-				if err != nil {
-					log.Debugf("Network monitor: error parsing routing message: %v", err)
-					continue
-				}
-
-				if route.Dst.Bits() != 0 {
-					continue
-				}
-
-				intf := "<nil>"
-				if route.Interface != nil {
-					intf = route.Interface.Name
-				}
-				switch msg.Type {
-				case unix.RTM_ADD:
-					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-					return nil
-				case unix.RTM_DELETE:
-					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						return nil
-					}
-				}
-			}
-		}
-	}
-}
-
-func parseRouteMessage(buf []byte) (*systemops.Route, error) {
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
-	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
-	}
-
-	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
-	}
-
-	msg, ok := msgs[0].(*route.RouteMessage)
-	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
-	}
-
-	return systemops.MsgToRoute(msg)
+	return routeCheck(ctx, fd, nexthopv4, nexthopv6)
 }

client/internal/networkmonitor/check_change_common.go

@@ -0,0 +1,92 @@
+//go:build dragonfly || freebsd || netbsd || openbsd || darwin
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"syscall"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+func prepareFd() (int, error) {
+	return unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+}
+
+func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
+			if err != nil {
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+				continue
+			}
+
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+
+			switch msg.Type {
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
+				}
+			}
+		}
+	}
+}
+
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
+	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
+	if err != nil {
+		return nil, fmt.Errorf("parse RIB: %v", err)
+	}
+
+	if len(msgs) != 1 {
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+	}
+
+	msg, ok := msgs[0].(*route.RouteMessage)
+	if !ok {
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+	}
+
+	return systemops.MsgToRoute(msg)
+}

client/internal/networkmonitor/check_change_darwin.go

@@ -0,0 +1,149 @@
+//go:build darwin && !ios
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"hash/fnv"
+	"os/exec"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
+)
+
+// todo: refactor to not use static functions
+
+func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
+	fd, err := prepareFd()
+	if err != nil {
+		return fmt.Errorf("open routing socket: %v", err)
+	}
+
+	defer func() {
+		if err := unix.Close(fd); err != nil {
+			if !errors.Is(err, unix.EBADF) {
+				log.Warnf("Network monitor: failed to close routing socket: %v", err)
+			}
+		}
+	}()
+
+	routeChanged := make(chan struct{})
+	go func() {
+		_ = routeCheck(ctx, fd, nexthopv4, nexthopv6)
+		close(routeChanged)
+	}()
+
+	wakeUp := make(chan struct{})
+	go func() {
+		wakeUpListen(ctx)
+		close(wakeUp)
+	}()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-routeChanged:
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		log.Infof("route change detected")
+		return nil
+	case <-wakeUp:
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+		log.Infof("wakeup detected")
+		return nil
+	}
+}
+
+func wakeUpListen(ctx context.Context) {
+	log.Infof("start to watch for system wakeups")
+	var (
+		initialHash uint32
+		err         error
+	)
+
+	// Keep retrying until initial sysctl succeeds or context is canceled
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
+			return
+		default:
+			initialHash, err = readSleepTimeHash()
+			if err != nil {
+				log.Errorf("failed to detect initial sleep time: %v", err)
+				select {
+				case <-ctx.Done():
+					log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
+					return
+				case <-time.After(3 * time.Second):
+					continue
+				}
+			}
+			log.Debugf("initial wakeup hash: %d", initialHash)
+			break
+		}
+		break
+	}
+
+	ticker := time.NewTicker(5 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			log.Info("context canceled, stopping wakeUpListen")
+			return
+
+		case <-ticker.C:
+			newHash, err := readSleepTimeHash()
+			if err != nil {
+				log.Errorf("failed to read sleep time hash: %v", err)
+				continue
+			}
+
+			if newHash == initialHash {
+				log.Tracef("no wakeup detected")
+				continue
+			}
+
+			upOut, err := exec.Command("uptime").Output()
+			if err != nil {
+				log.Errorf("failed to run uptime command: %v", err)
+				upOut = []byte("unknown")
+			}
+			log.Infof("Wakeup detected: %d -> %d, uptime: %s", initialHash, newHash, upOut)
+			return
+		}
+	}
+}
+
+func readSleepTimeHash() (uint32, error) {
+	cmd := exec.Command("sysctl", "kern.sleeptime")
+	out, err := cmd.Output()
+	if err != nil {
+		return 0, fmt.Errorf("failed to run sysctl: %w", err)
+	}
+
+	h, err := hash(out)
+	if err != nil {
+		return 0, fmt.Errorf("failed to compute hash: %w", err)
+	}
+
+	return h, nil
+}
+
+func hash(data []byte) (uint32, error) {
+	hasher := fnv.New32a() // Create a new 32-bit FNV-1a hasher
+	if _, err := hasher.Write(data); err != nil {
+		return 0, err
+	}
+	return hasher.Sum32(), nil
+}

client/internal/networkmonitor/monitor.go

@@ -88,6 +88,7 @@ func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
 	event := make(chan struct{}, 1)
 	go nw.checkChanges(ctx, event, nexthop4, nexthop6)
 
+	log.Infof("start watching for network changes")
 	// debounce changes
 	timer := time.NewTimer(0)
 	timer.Stop()

client/internal/peer/conn.go

@@ -666,7 +666,7 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 		}
 	}()
 
-	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
+	if runtime.GOOS != "js" && conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
 		return false
 	}
 

client/internal/peer/env.go

@@ -2,6 +2,7 @@ package peer
 
 import (
 	"os"
+	"runtime"
 	"strings"
 )
 
@@ -10,5 +11,8 @@ const (
 )
 
 func isForceRelayed() bool {
+	if runtime.GOOS == "js" {
+		return true
+	}
 	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
 }

client/internal/peer/guard/sr_watcher.go

@@ -19,11 +19,10 @@ type SRWatcher struct {
 	signalClient chNotifier
 	relayManager chNotifier
 
-	listeners     map[chan struct{}]struct{}
-	mu            sync.Mutex
-	iFaceDiscover stdnet.ExternalIFaceDiscover
-	iceConfig     ice.Config
-
+	listeners        map[chan struct{}]struct{}
+	mu               sync.Mutex
+	iFaceDiscover    stdnet.ExternalIFaceDiscover
+	iceConfig        ice.Config
 	cancelIceMonitor context.CancelFunc
 }
 

client/internal/peer/status.go

@@ -21,9 +21,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
-	"github.com/netbirdio/netbird/route"
 )
 
 const eventQueueSize = 10
@@ -67,6 +67,7 @@ type State struct {
 	BytesRx                    int64
 	Latency                    time.Duration
 	RosenpassEnabled           bool
+	SSHHostKey                 []byte
 	routes                     map[string]struct{}
 }
 
@@ -572,6 +573,22 @@ func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 	return nil
 }
 
+// UpdatePeerSSHHostKey updates peer's SSH host key
+func (d *Status) UpdatePeerSSHHostKey(peerPubKey string, sshHostKey []byte) error {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	peerState, ok := d.peers[peerPubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+
+	peerState.SSHHostKey = sshHostKey
+	d.peers[peerPubKey] = peerState
+
+	return nil
+}
+
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()

client/internal/profilemanager/config.go

@@ -44,24 +44,29 @@ var DefaultInterfaceBlacklist = []string{
 
 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
-	ManagementURL       string
-	AdminURL            string
-	ConfigPath          string
-	StateFilePath       string
-	PreSharedKey        *string
-	ServerSSHAllowed    *bool
-	NATExternalIPs      []string
-	CustomDNSAddress    []byte
-	RosenpassEnabled    *bool
-	RosenpassPermissive *bool
-	InterfaceName       *string
-	WireguardPort       *int
-	NetworkMonitor      *bool
-	DisableAutoConnect  *bool
-	ExtraIFaceBlackList []string
-	DNSRouteInterval    *time.Duration
-	ClientCertPath      string
-	ClientCertKeyPath   string
+	ManagementURL                 string
+	AdminURL                      string
+	ConfigPath                    string
+	StateFilePath                 string
+	PreSharedKey                  *string
+	ServerSSHAllowed              *bool
+	EnableSSHRoot                 *bool
+	EnableSSHSFTP                 *bool
+	EnableSSHLocalPortForwarding  *bool
+	EnableSSHRemotePortForwarding *bool
+	DisableSSHAuth                *bool
+	NATExternalIPs                []string
+	CustomDNSAddress              []byte
+	RosenpassEnabled              *bool
+	RosenpassPermissive           *bool
+	InterfaceName                 *string
+	WireguardPort                 *int
+	NetworkMonitor                *bool
+	DisableAutoConnect            *bool
+	ExtraIFaceBlackList           []string
+	DNSRouteInterval              *time.Duration
+	ClientCertPath                string
+	ClientCertKeyPath             string
 
 	DisableClientRoutes *bool
 	DisableServerRoutes *bool
@@ -82,18 +87,23 @@ type ConfigInput struct {
 // Config Configuration type
 type Config struct {
 	// Wireguard private key of local peer
-	PrivateKey           string
-	PreSharedKey         string
-	ManagementURL        *url.URL
-	AdminURL             *url.URL
-	WgIface              string
-	WgPort               int
-	NetworkMonitor       *bool
-	IFaceBlackList       []string
-	DisableIPv6Discovery bool
-	RosenpassEnabled     bool
-	RosenpassPermissive  bool
-	ServerSSHAllowed     *bool
+	PrivateKey                    string
+	PreSharedKey                  string
+	ManagementURL                 *url.URL
+	AdminURL                      *url.URL
+	WgIface                       string
+	WgPort                        int
+	NetworkMonitor                *bool
+	IFaceBlackList                []string
+	DisableIPv6Discovery          bool
+	RosenpassEnabled              bool
+	RosenpassPermissive           bool
+	ServerSSHAllowed              *bool
+	EnableSSHRoot                 *bool
+	EnableSSHSFTP                 *bool
+	EnableSSHLocalPortForwarding  *bool
+	EnableSSHRemotePortForwarding *bool
+	DisableSSHAuth                *bool
 
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -376,6 +386,56 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
+	if input.EnableSSHRoot != nil && input.EnableSSHRoot != config.EnableSSHRoot {
+		if *input.EnableSSHRoot {
+			log.Infof("enabling SSH root login")
+		} else {
+			log.Infof("disabling SSH root login")
+		}
+		config.EnableSSHRoot = input.EnableSSHRoot
+		updated = true
+	}
+
+	if input.EnableSSHSFTP != nil && input.EnableSSHSFTP != config.EnableSSHSFTP {
+		if *input.EnableSSHSFTP {
+			log.Infof("enabling SSH SFTP subsystem")
+		} else {
+			log.Infof("disabling SSH SFTP subsystem")
+		}
+		config.EnableSSHSFTP = input.EnableSSHSFTP
+		updated = true
+	}
+
+	if input.EnableSSHLocalPortForwarding != nil && input.EnableSSHLocalPortForwarding != config.EnableSSHLocalPortForwarding {
+		if *input.EnableSSHLocalPortForwarding {
+			log.Infof("enabling SSH local port forwarding")
+		} else {
+			log.Infof("disabling SSH local port forwarding")
+		}
+		config.EnableSSHLocalPortForwarding = input.EnableSSHLocalPortForwarding
+		updated = true
+	}
+
+	if input.EnableSSHRemotePortForwarding != nil && input.EnableSSHRemotePortForwarding != config.EnableSSHRemotePortForwarding {
+		if *input.EnableSSHRemotePortForwarding {
+			log.Infof("enabling SSH remote port forwarding")
+		} else {
+			log.Infof("disabling SSH remote port forwarding")
+		}
+		config.EnableSSHRemotePortForwarding = input.EnableSSHRemotePortForwarding
+		updated = true
+	}
+
+	if input.DisableSSHAuth != nil && input.DisableSSHAuth != config.DisableSSHAuth {
+		if *input.DisableSSHAuth {
+			log.Infof("disabling SSH authentication")
+		} else {
+			log.Infof("enabling SSH authentication")
+		}
+		config.DisableSSHAuth = input.DisableSSHAuth
+		updated = true
+	}
+
 	if input.DNSRouteInterval != nil && *input.DNSRouteInterval != config.DNSRouteInterval {
 		log.Infof("updating DNS route interval to %s (old value %s)",
 			input.DNSRouteInterval.String(), config.DNSRouteInterval.String())

client/internal/profilemanager/config_test.go

@@ -193,10 +193,10 @@ func TestWireguardPortZeroExplicit(t *testing.T) {
 
 func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 	tests := []struct {
-		name           string
-		wireguardPort  *int
-		expectedPort   int
-		description    string
+		name          string
+		wireguardPort *int
+		expectedPort  int
+		description   string
 	}{
 		{
 			name:          "no port specified uses default",

client/internal/routemanager/dynamic/route.go

@@ -18,8 +18,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 const (

client/internal/routemanager/manager.go

@@ -81,6 +81,7 @@ type DefaultManager struct {
 	ctx                  context.Context
 	stop                 context.CancelFunc
 	mux                  sync.Mutex
+	shutdownWg           sync.WaitGroup
 	clientNetworks       map[route.HAUniqueID]*client.Watcher
 	routeSelector        *routeselector.RouteSelector
 	serverRouter         *server.Router
@@ -283,6 +284,7 @@ func (m *DefaultManager) SetDNSForwarderPort(port uint16) {
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 	m.stop()
+	m.shutdownWg.Wait()
 	if m.serverRouter != nil {
 		m.serverRouter.CleanUp()
 	}
@@ -485,7 +487,11 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 		}
 		clientNetworkWatcher := client.NewWatcher(config)
 		m.clientNetworks[id] = clientNetworkWatcher
-		go clientNetworkWatcher.Start()
+		m.shutdownWg.Add(1)
+		go func() {
+			defer m.shutdownWg.Done()
+			clientNetworkWatcher.Start()
+		}()
 		clientNetworkWatcher.SendUpdate(client.RoutesUpdate{Routes: routes})
 	}
 
@@ -527,7 +533,11 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 			}
 			clientNetworkWatcher = client.NewWatcher(config)
 			m.clientNetworks[id] = clientNetworkWatcher
-			go clientNetworkWatcher.Start()
+			m.shutdownWg.Add(1)
+			go func() {
+				defer m.shutdownWg.Done()
+				clientNetworkWatcher.Start()
+			}()
 		}
 		update := client.RoutesUpdate{
 			UpdateSerial: updateSerial,

client/internal/routeselector/routeselector.go

@@ -9,8 +9,6 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"
 
-	log "github.com/sirupsen/logrus"
-
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
 )
@@ -128,13 +126,11 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	defer rs.mu.RUnlock()
 
 	if rs.deselectAll {
-		log.Debugf("Route %s not selected (deselect all)", routeID)
 		return false
 	}
 
 	_, deselected := rs.deselectedRoutes[routeID]
 	isSelected := !deselected
-	log.Debugf("Route %s selection status: %v (deselected: %v)", routeID, isSelected, deselected)
 	return isSelected
 }
 

client/ios/NetBirdSDK/client.go

@@ -20,8 +20,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 // ConnectionListener export internal Listener for mobile

client/net/conn.go

@@ -17,8 +17,7 @@ type Conn struct {
 	ID hooks.ConnectionID
 }
 
-// Close overrides the net.Conn Close method to execute all registered hooks after closing the connection
-// Close overrides the net.Conn Close method to execute all registered hooks before closing the connection.
+// Close overrides the net.Conn Close method to execute all registered hooks after closing the connection.
 func (c *Conn) Close() error {
 	return closeConn(c.ID, c.Conn)
 }
@@ -29,7 +28,7 @@ type TCPConn struct {
 	ID hooks.ConnectionID
 }
 
-// Close overrides the net.TCPConn Close method to execute all registered hooks before closing the connection.
+// Close overrides the net.TCPConn Close method to execute all registered hooks after closing the connection.
 func (c *TCPConn) Close() error {
 	return closeConn(c.ID, c.TCPConn)
 }
@@ -37,13 +36,16 @@ func (c *TCPConn) Close() error {
 // closeConn is a helper function to close connections and execute close hooks.
 func closeConn(id hooks.ConnectionID, conn io.Closer) error {
 	err := conn.Close()
+	cleanupConnID(id)
+	return err
+}
 
+// cleanupConnID executes close hooks for a connection ID.
+func cleanupConnID(id hooks.ConnectionID) {
 	closeHooks := hooks.GetCloseHooks()
 	for _, hook := range closeHooks {
 		if err := hook(id); err != nil {
 			log.Errorf("Error executing close hook: %v", err)
 		}
 	}
-
-	return err
 }

client/net/dial.go

@@ -74,7 +74,6 @@ func DialTCP(network string, laddr, raddr *net.TCPAddr) (transport.TCPConn, erro
 		}
 		return &TCPConn{TCPConn: tcpConn, ID: c.ID}, nil
 	}
-
 	if err := conn.Close(); err != nil {
 		log.Errorf("failed to close connection: %v", err)
 	}

client/net/dialer_dial.go

@@ -30,6 +30,7 @@ func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.
 
 	conn, err := d.Dialer.DialContext(ctx, network, address)
 	if err != nil {
+		cleanupConnID(connID)
 		return nil, fmt.Errorf("d.Dialer.DialContext: %w", err)
 	}
 
@@ -64,7 +65,7 @@ func callDialerHooks(ctx context.Context, connID hooks.ConnectionID, address str
 
 	ips, err := resolver.LookupIPAddr(ctx, host)
 	if err != nil {
-		return fmt.Errorf("failed to resolve address %s: %w", address, err)
+		return fmt.Errorf("resolve address %s: %w", address, err)
 	}
 
 	log.Debugf("Dialer resolved IPs for %s: %v", address, ips)

client/net/listener_listen.go

@@ -48,7 +48,7 @@ func (c *PacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	return c.PacketConn.WriteTo(b, addr)
 }
 
-// Close overrides the net.PacketConn Close method to execute all registered hooks before closing the connection.
+// Close overrides the net.PacketConn Close method to execute all registered hooks after closing the connection.
 func (c *PacketConn) Close() error {
 	defer c.seenAddrs.Clear()
 	return closeConn(c.ID, c.PacketConn)
@@ -69,7 +69,7 @@ func (c *UDPConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	return c.UDPConn.WriteTo(b, addr)
 }
 
-// Close overrides the net.UDPConn Close method to execute all registered hooks before closing the connection.
+// Close overrides the net.UDPConn Close method to execute all registered hooks after closing the connection.
 func (c *UDPConn) Close() error {
 	defer c.seenAddrs.Clear()
 	return closeConn(c.ID, c.UDPConn)

client/proto/daemon.pb.go

@@ -273,14 +273,19 @@ type LoginRequest struct {
 	// cleanDNSLabels clean map list of DNS labels.
 	// This is needed because the generated code
 	// omits initialized empty slices due to omitempty tags
-	CleanDNSLabels        bool    `protobuf:"varint,27,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
-	LazyConnectionEnabled *bool   `protobuf:"varint,28,opt,name=lazyConnectionEnabled,proto3,oneof" json:"lazyConnectionEnabled,omitempty"`
-	BlockInbound          *bool   `protobuf:"varint,29,opt,name=block_inbound,json=blockInbound,proto3,oneof" json:"block_inbound,omitempty"`
-	ProfileName           *string `protobuf:"bytes,30,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
-	Username              *string `protobuf:"bytes,31,opt,name=username,proto3,oneof" json:"username,omitempty"`
-	Mtu                   *int64  `protobuf:"varint,32,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
-	unknownFields         protoimpl.UnknownFields
-	sizeCache             protoimpl.SizeCache
+	CleanDNSLabels                bool    `protobuf:"varint,27,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
+	LazyConnectionEnabled         *bool   `protobuf:"varint,28,opt,name=lazyConnectionEnabled,proto3,oneof" json:"lazyConnectionEnabled,omitempty"`
+	BlockInbound                  *bool   `protobuf:"varint,29,opt,name=block_inbound,json=blockInbound,proto3,oneof" json:"block_inbound,omitempty"`
+	ProfileName                   *string `protobuf:"bytes,30,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
+	Username                      *string `protobuf:"bytes,31,opt,name=username,proto3,oneof" json:"username,omitempty"`
+	Mtu                           *int64  `protobuf:"varint,32,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
+	EnableSSHRoot                 *bool   `protobuf:"varint,33,opt,name=enableSSHRoot,proto3,oneof" json:"enableSSHRoot,omitempty"`
+	EnableSSHSFTP                 *bool   `protobuf:"varint,34,opt,name=enableSSHSFTP,proto3,oneof" json:"enableSSHSFTP,omitempty"`
+	EnableSSHLocalPortForwarding  *bool   `protobuf:"varint,35,opt,name=enableSSHLocalPortForwarding,proto3,oneof" json:"enableSSHLocalPortForwarding,omitempty"`
+	EnableSSHRemotePortForwarding *bool   `protobuf:"varint,36,opt,name=enableSSHRemotePortForwarding,proto3,oneof" json:"enableSSHRemotePortForwarding,omitempty"`
+	DisableSSHAuth                *bool   `protobuf:"varint,37,opt,name=disableSSHAuth,proto3,oneof" json:"disableSSHAuth,omitempty"`
+	unknownFields                 protoimpl.UnknownFields
+	sizeCache                     protoimpl.SizeCache
 }
 
 func (x *LoginRequest) Reset() {
@@ -538,6 +543,41 @@ func (x *LoginRequest) GetMtu() int64 {
 	return 0
 }
 
+func (x *LoginRequest) GetEnableSSHRoot() bool {
+	if x != nil && x.EnableSSHRoot != nil {
+		return *x.EnableSSHRoot
+	}
+	return false
+}
+
+func (x *LoginRequest) GetEnableSSHSFTP() bool {
+	if x != nil && x.EnableSSHSFTP != nil {
+		return *x.EnableSSHSFTP
+	}
+	return false
+}
+
+func (x *LoginRequest) GetEnableSSHLocalPortForwarding() bool {
+	if x != nil && x.EnableSSHLocalPortForwarding != nil {
+		return *x.EnableSSHLocalPortForwarding
+	}
+	return false
+}
+
+func (x *LoginRequest) GetEnableSSHRemotePortForwarding() bool {
+	if x != nil && x.EnableSSHRemotePortForwarding != nil {
+		return *x.EnableSSHRemotePortForwarding
+	}
+	return false
+}
+
+func (x *LoginRequest) GetDisableSSHAuth() bool {
+	if x != nil && x.DisableSSHAuth != nil {
+		return *x.DisableSSHAuth
+	}
+	return false
+}
+
 type LoginResponse struct {
 	state                   protoimpl.MessageState `protogen:"open.v1"`
 	NeedsSSOLogin           bool                   `protobuf:"varint,1,opt,name=needsSSOLogin,proto3" json:"needsSSOLogin,omitempty"`
@@ -1048,24 +1088,29 @@ type GetConfigResponse struct {
 	// preSharedKey settings value.
 	PreSharedKey string `protobuf:"bytes,4,opt,name=preSharedKey,proto3" json:"preSharedKey,omitempty"`
 	// adminURL settings value.
-	AdminURL              string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
-	InterfaceName         string `protobuf:"bytes,6,opt,name=interfaceName,proto3" json:"interfaceName,omitempty"`
-	WireguardPort         int64  `protobuf:"varint,7,opt,name=wireguardPort,proto3" json:"wireguardPort,omitempty"`
-	Mtu                   int64  `protobuf:"varint,8,opt,name=mtu,proto3" json:"mtu,omitempty"`
-	DisableAutoConnect    bool   `protobuf:"varint,9,opt,name=disableAutoConnect,proto3" json:"disableAutoConnect,omitempty"`
-	ServerSSHAllowed      bool   `protobuf:"varint,10,opt,name=serverSSHAllowed,proto3" json:"serverSSHAllowed,omitempty"`
-	RosenpassEnabled      bool   `protobuf:"varint,11,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
-	RosenpassPermissive   bool   `protobuf:"varint,12,opt,name=rosenpassPermissive,proto3" json:"rosenpassPermissive,omitempty"`
-	DisableNotifications  bool   `protobuf:"varint,13,opt,name=disable_notifications,json=disableNotifications,proto3" json:"disable_notifications,omitempty"`
-	LazyConnectionEnabled bool   `protobuf:"varint,14,opt,name=lazyConnectionEnabled,proto3" json:"lazyConnectionEnabled,omitempty"`
-	BlockInbound          bool   `protobuf:"varint,15,opt,name=blockInbound,proto3" json:"blockInbound,omitempty"`
-	NetworkMonitor        bool   `protobuf:"varint,16,opt,name=networkMonitor,proto3" json:"networkMonitor,omitempty"`
-	DisableDns            bool   `protobuf:"varint,17,opt,name=disable_dns,json=disableDns,proto3" json:"disable_dns,omitempty"`
-	DisableClientRoutes   bool   `protobuf:"varint,18,opt,name=disable_client_routes,json=disableClientRoutes,proto3" json:"disable_client_routes,omitempty"`
-	DisableServerRoutes   bool   `protobuf:"varint,19,opt,name=disable_server_routes,json=disableServerRoutes,proto3" json:"disable_server_routes,omitempty"`
-	BlockLanAccess        bool   `protobuf:"varint,20,opt,name=block_lan_access,json=blockLanAccess,proto3" json:"block_lan_access,omitempty"`
-	unknownFields         protoimpl.UnknownFields
-	sizeCache             protoimpl.SizeCache
+	AdminURL                      string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
+	InterfaceName                 string `protobuf:"bytes,6,opt,name=interfaceName,proto3" json:"interfaceName,omitempty"`
+	WireguardPort                 int64  `protobuf:"varint,7,opt,name=wireguardPort,proto3" json:"wireguardPort,omitempty"`
+	Mtu                           int64  `protobuf:"varint,8,opt,name=mtu,proto3" json:"mtu,omitempty"`
+	DisableAutoConnect            bool   `protobuf:"varint,9,opt,name=disableAutoConnect,proto3" json:"disableAutoConnect,omitempty"`
+	ServerSSHAllowed              bool   `protobuf:"varint,10,opt,name=serverSSHAllowed,proto3" json:"serverSSHAllowed,omitempty"`
+	RosenpassEnabled              bool   `protobuf:"varint,11,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
+	RosenpassPermissive           bool   `protobuf:"varint,12,opt,name=rosenpassPermissive,proto3" json:"rosenpassPermissive,omitempty"`
+	DisableNotifications          bool   `protobuf:"varint,13,opt,name=disable_notifications,json=disableNotifications,proto3" json:"disable_notifications,omitempty"`
+	LazyConnectionEnabled         bool   `protobuf:"varint,14,opt,name=lazyConnectionEnabled,proto3" json:"lazyConnectionEnabled,omitempty"`
+	BlockInbound                  bool   `protobuf:"varint,15,opt,name=blockInbound,proto3" json:"blockInbound,omitempty"`
+	NetworkMonitor                bool   `protobuf:"varint,16,opt,name=networkMonitor,proto3" json:"networkMonitor,omitempty"`
+	DisableDns                    bool   `protobuf:"varint,17,opt,name=disable_dns,json=disableDns,proto3" json:"disable_dns,omitempty"`
+	DisableClientRoutes           bool   `protobuf:"varint,18,opt,name=disable_client_routes,json=disableClientRoutes,proto3" json:"disable_client_routes,omitempty"`
+	DisableServerRoutes           bool   `protobuf:"varint,19,opt,name=disable_server_routes,json=disableServerRoutes,proto3" json:"disable_server_routes,omitempty"`
+	BlockLanAccess                bool   `protobuf:"varint,20,opt,name=block_lan_access,json=blockLanAccess,proto3" json:"block_lan_access,omitempty"`
+	EnableSSHRoot                 bool   `protobuf:"varint,21,opt,name=enableSSHRoot,proto3" json:"enableSSHRoot,omitempty"`
+	EnableSSHSFTP                 bool   `protobuf:"varint,24,opt,name=enableSSHSFTP,proto3" json:"enableSSHSFTP,omitempty"`
+	EnableSSHLocalPortForwarding  bool   `protobuf:"varint,22,opt,name=enableSSHLocalPortForwarding,proto3" json:"enableSSHLocalPortForwarding,omitempty"`
+	EnableSSHRemotePortForwarding bool   `protobuf:"varint,23,opt,name=enableSSHRemotePortForwarding,proto3" json:"enableSSHRemotePortForwarding,omitempty"`
+	DisableSSHAuth                bool   `protobuf:"varint,25,opt,name=disableSSHAuth,proto3" json:"disableSSHAuth,omitempty"`
+	unknownFields                 protoimpl.UnknownFields
+	sizeCache                     protoimpl.SizeCache
 }
 
 func (x *GetConfigResponse) Reset() {
@@ -1238,6 +1283,41 @@ func (x *GetConfigResponse) GetBlockLanAccess() bool {
 	return false
 }
 
+func (x *GetConfigResponse) GetEnableSSHRoot() bool {
+	if x != nil {
+		return x.EnableSSHRoot
+	}
+	return false
+}
+
+func (x *GetConfigResponse) GetEnableSSHSFTP() bool {
+	if x != nil {
+		return x.EnableSSHSFTP
+	}
+	return false
+}
+
+func (x *GetConfigResponse) GetEnableSSHLocalPortForwarding() bool {
+	if x != nil {
+		return x.EnableSSHLocalPortForwarding
+	}
+	return false
+}
+
+func (x *GetConfigResponse) GetEnableSSHRemotePortForwarding() bool {
+	if x != nil {
+		return x.EnableSSHRemotePortForwarding
+	}
+	return false
+}
+
+func (x *GetConfigResponse) GetDisableSSHAuth() bool {
+	if x != nil {
+		return x.DisableSSHAuth
+	}
+	return false
+}
+
 // PeerState contains the latest state of a peer
 type PeerState struct {
 	state                      protoimpl.MessageState `protogen:"open.v1"`
@@ -1258,6 +1338,7 @@ type PeerState struct {
 	Networks                   []string               `protobuf:"bytes,16,rep,name=networks,proto3" json:"networks,omitempty"`
 	Latency                    *durationpb.Duration   `protobuf:"bytes,17,opt,name=latency,proto3" json:"latency,omitempty"`
 	RelayAddress               string                 `protobuf:"bytes,18,opt,name=relayAddress,proto3" json:"relayAddress,omitempty"`
+	SshHostKey                 []byte                 `protobuf:"bytes,19,opt,name=sshHostKey,proto3" json:"sshHostKey,omitempty"`
 	unknownFields              protoimpl.UnknownFields
 	sizeCache                  protoimpl.SizeCache
 }
@@ -1411,6 +1492,13 @@ func (x *PeerState) GetRelayAddress() string {
 	return ""
 }
 
+func (x *PeerState) GetSshHostKey() []byte {
+	if x != nil {
+		return x.SshHostKey
+	}
+	return nil
+}
+
 // LocalPeerState contains the latest state of the local peer
 type LocalPeerState struct {
 	state               protoimpl.MessageState `protogen:"open.v1"`
@@ -3702,11 +3790,16 @@ type SetConfigRequest struct {
 	ExtraIFaceBlacklist   []string `protobuf:"bytes,24,rep,name=extraIFaceBlacklist,proto3" json:"extraIFaceBlacklist,omitempty"`
 	DnsLabels             []string `protobuf:"bytes,25,rep,name=dns_labels,json=dnsLabels,proto3" json:"dns_labels,omitempty"`
 	// cleanDNSLabels clean map list of DNS labels.
-	CleanDNSLabels   bool                 `protobuf:"varint,26,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
-	DnsRouteInterval *durationpb.Duration `protobuf:"bytes,27,opt,name=dnsRouteInterval,proto3,oneof" json:"dnsRouteInterval,omitempty"`
-	Mtu              *int64               `protobuf:"varint,28,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
-	unknownFields    protoimpl.UnknownFields
-	sizeCache        protoimpl.SizeCache
+	CleanDNSLabels             bool                 `protobuf:"varint,26,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
+	DnsRouteInterval           *durationpb.Duration `protobuf:"bytes,27,opt,name=dnsRouteInterval,proto3,oneof" json:"dnsRouteInterval,omitempty"`
+	Mtu                        *int64               `protobuf:"varint,28,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
+	EnableSSHRoot              *bool                `protobuf:"varint,29,opt,name=enableSSHRoot,proto3,oneof" json:"enableSSHRoot,omitempty"`
+	EnableSSHSFTP              *bool                `protobuf:"varint,30,opt,name=enableSSHSFTP,proto3,oneof" json:"enableSSHSFTP,omitempty"`
+	EnableSSHLocalPortForward  *bool                `protobuf:"varint,31,opt,name=enableSSHLocalPortForward,proto3,oneof" json:"enableSSHLocalPortForward,omitempty"`
+	EnableSSHRemotePortForward *bool                `protobuf:"varint,32,opt,name=enableSSHRemotePortForward,proto3,oneof" json:"enableSSHRemotePortForward,omitempty"`
+	DisableSSHAuth             *bool                `protobuf:"varint,33,opt,name=disableSSHAuth,proto3,oneof" json:"disableSSHAuth,omitempty"`
+	unknownFields              protoimpl.UnknownFields
+	sizeCache                  protoimpl.SizeCache
 }
 
 func (x *SetConfigRequest) Reset() {
@@ -3935,6 +4028,41 @@ func (x *SetConfigRequest) GetMtu() int64 {
 	return 0
 }
 
+func (x *SetConfigRequest) GetEnableSSHRoot() bool {
+	if x != nil && x.EnableSSHRoot != nil {
+		return *x.EnableSSHRoot
+	}
+	return false
+}
+
+func (x *SetConfigRequest) GetEnableSSHSFTP() bool {
+	if x != nil && x.EnableSSHSFTP != nil {
+		return *x.EnableSSHSFTP
+	}
+	return false
+}
+
+func (x *SetConfigRequest) GetEnableSSHLocalPortForward() bool {
+	if x != nil && x.EnableSSHLocalPortForward != nil {
+		return *x.EnableSSHLocalPortForward
+	}
+	return false
+}
+
+func (x *SetConfigRequest) GetEnableSSHRemotePortForward() bool {
+	if x != nil && x.EnableSSHRemotePortForward != nil {
+		return *x.EnableSSHRemotePortForward
+	}
+	return false
+}
+
+func (x *SetConfigRequest) GetDisableSSHAuth() bool {
+	if x != nil && x.DisableSSHAuth != nil {
+		return *x.DisableSSHAuth
+	}
+	return false
+}
+
 type SetConfigResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
@@ -4551,6 +4679,381 @@ func (x *GetFeaturesResponse) GetDisableUpdateSettings() bool {
 	return false
 }
 
+// GetPeerSSHHostKeyRequest for retrieving SSH host key for a specific peer
+type GetPeerSSHHostKeyRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// peer IP address or FQDN to get SSH host key for
+	PeerAddress   string `protobuf:"bytes,1,opt,name=peerAddress,proto3" json:"peerAddress,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetPeerSSHHostKeyRequest) Reset() {
+	*x = GetPeerSSHHostKeyRequest{}
+	mi := &file_daemon_proto_msgTypes[69]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetPeerSSHHostKeyRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetPeerSSHHostKeyRequest) ProtoMessage() {}
+
+func (x *GetPeerSSHHostKeyRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[69]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetPeerSSHHostKeyRequest.ProtoReflect.Descriptor instead.
+func (*GetPeerSSHHostKeyRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{69}
+}
+
+func (x *GetPeerSSHHostKeyRequest) GetPeerAddress() string {
+	if x != nil {
+		return x.PeerAddress
+	}
+	return ""
+}
+
+// GetPeerSSHHostKeyResponse contains the SSH host key for the requested peer
+type GetPeerSSHHostKeyResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// SSH host key in SSH public key format (e.g., "ssh-ed25519 AAAAC3... hostname")
+	SshHostKey []byte `protobuf:"bytes,1,opt,name=sshHostKey,proto3" json:"sshHostKey,omitempty"`
+	// peer IP address
+	PeerIP string `protobuf:"bytes,2,opt,name=peerIP,proto3" json:"peerIP,omitempty"`
+	// peer FQDN
+	PeerFQDN string `protobuf:"bytes,3,opt,name=peerFQDN,proto3" json:"peerFQDN,omitempty"`
+	// indicates if the SSH host key was found
+	Found         bool `protobuf:"varint,4,opt,name=found,proto3" json:"found,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetPeerSSHHostKeyResponse) Reset() {
+	*x = GetPeerSSHHostKeyResponse{}
+	mi := &file_daemon_proto_msgTypes[70]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetPeerSSHHostKeyResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetPeerSSHHostKeyResponse) ProtoMessage() {}
+
+func (x *GetPeerSSHHostKeyResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[70]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetPeerSSHHostKeyResponse.ProtoReflect.Descriptor instead.
+func (*GetPeerSSHHostKeyResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{70}
+}
+
+func (x *GetPeerSSHHostKeyResponse) GetSshHostKey() []byte {
+	if x != nil {
+		return x.SshHostKey
+	}
+	return nil
+}
+
+func (x *GetPeerSSHHostKeyResponse) GetPeerIP() string {
+	if x != nil {
+		return x.PeerIP
+	}
+	return ""
+}
+
+func (x *GetPeerSSHHostKeyResponse) GetPeerFQDN() string {
+	if x != nil {
+		return x.PeerFQDN
+	}
+	return ""
+}
+
+func (x *GetPeerSSHHostKeyResponse) GetFound() bool {
+	if x != nil {
+		return x.Found
+	}
+	return false
+}
+
+// RequestJWTAuthRequest for initiating JWT authentication flow
+type RequestJWTAuthRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RequestJWTAuthRequest) Reset() {
+	*x = RequestJWTAuthRequest{}
+	mi := &file_daemon_proto_msgTypes[71]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RequestJWTAuthRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RequestJWTAuthRequest) ProtoMessage() {}
+
+func (x *RequestJWTAuthRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[71]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RequestJWTAuthRequest.ProtoReflect.Descriptor instead.
+func (*RequestJWTAuthRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{71}
+}
+
+// RequestJWTAuthResponse contains authentication flow information
+type RequestJWTAuthResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// verification URI for user authentication
+	VerificationURI string `protobuf:"bytes,1,opt,name=verificationURI,proto3" json:"verificationURI,omitempty"`
+	// complete verification URI (with embedded user code)
+	VerificationURIComplete string `protobuf:"bytes,2,opt,name=verificationURIComplete,proto3" json:"verificationURIComplete,omitempty"`
+	// user code to enter on verification URI
+	UserCode string `protobuf:"bytes,3,opt,name=userCode,proto3" json:"userCode,omitempty"`
+	// device code for polling
+	DeviceCode string `protobuf:"bytes,4,opt,name=deviceCode,proto3" json:"deviceCode,omitempty"`
+	// expiration time in seconds
+	ExpiresIn int64 `protobuf:"varint,5,opt,name=expiresIn,proto3" json:"expiresIn,omitempty"`
+	// if a cached token is available, it will be returned here
+	CachedToken string `protobuf:"bytes,6,opt,name=cachedToken,proto3" json:"cachedToken,omitempty"`
+	// maximum age of JWT tokens in seconds (from management server)
+	MaxTokenAge   int64 `protobuf:"varint,7,opt,name=maxTokenAge,proto3" json:"maxTokenAge,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *RequestJWTAuthResponse) Reset() {
+	*x = RequestJWTAuthResponse{}
+	mi := &file_daemon_proto_msgTypes[72]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *RequestJWTAuthResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RequestJWTAuthResponse) ProtoMessage() {}
+
+func (x *RequestJWTAuthResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[72]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RequestJWTAuthResponse.ProtoReflect.Descriptor instead.
+func (*RequestJWTAuthResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{72}
+}
+
+func (x *RequestJWTAuthResponse) GetVerificationURI() string {
+	if x != nil {
+		return x.VerificationURI
+	}
+	return ""
+}
+
+func (x *RequestJWTAuthResponse) GetVerificationURIComplete() string {
+	if x != nil {
+		return x.VerificationURIComplete
+	}
+	return ""
+}
+
+func (x *RequestJWTAuthResponse) GetUserCode() string {
+	if x != nil {
+		return x.UserCode
+	}
+	return ""
+}
+
+func (x *RequestJWTAuthResponse) GetDeviceCode() string {
+	if x != nil {
+		return x.DeviceCode
+	}
+	return ""
+}
+
+func (x *RequestJWTAuthResponse) GetExpiresIn() int64 {
+	if x != nil {
+		return x.ExpiresIn
+	}
+	return 0
+}
+
+func (x *RequestJWTAuthResponse) GetCachedToken() string {
+	if x != nil {
+		return x.CachedToken
+	}
+	return ""
+}
+
+func (x *RequestJWTAuthResponse) GetMaxTokenAge() int64 {
+	if x != nil {
+		return x.MaxTokenAge
+	}
+	return 0
+}
+
+// WaitJWTTokenRequest for waiting for authentication completion
+type WaitJWTTokenRequest struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// device code from RequestJWTAuthResponse
+	DeviceCode string `protobuf:"bytes,1,opt,name=deviceCode,proto3" json:"deviceCode,omitempty"`
+	// user code for verification
+	UserCode      string `protobuf:"bytes,2,opt,name=userCode,proto3" json:"userCode,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *WaitJWTTokenRequest) Reset() {
+	*x = WaitJWTTokenRequest{}
+	mi := &file_daemon_proto_msgTypes[73]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *WaitJWTTokenRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WaitJWTTokenRequest) ProtoMessage() {}
+
+func (x *WaitJWTTokenRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[73]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WaitJWTTokenRequest.ProtoReflect.Descriptor instead.
+func (*WaitJWTTokenRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{73}
+}
+
+func (x *WaitJWTTokenRequest) GetDeviceCode() string {
+	if x != nil {
+		return x.DeviceCode
+	}
+	return ""
+}
+
+func (x *WaitJWTTokenRequest) GetUserCode() string {
+	if x != nil {
+		return x.UserCode
+	}
+	return ""
+}
+
+// WaitJWTTokenResponse contains the JWT token after authentication
+type WaitJWTTokenResponse struct {
+	state protoimpl.MessageState `protogen:"open.v1"`
+	// JWT token (access token or ID token)
+	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
+	// token type (e.g., "Bearer")
+	TokenType string `protobuf:"bytes,2,opt,name=tokenType,proto3" json:"tokenType,omitempty"`
+	// expiration time in seconds
+	ExpiresIn     int64 `protobuf:"varint,3,opt,name=expiresIn,proto3" json:"expiresIn,omitempty"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *WaitJWTTokenResponse) Reset() {
+	*x = WaitJWTTokenResponse{}
+	mi := &file_daemon_proto_msgTypes[74]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *WaitJWTTokenResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*WaitJWTTokenResponse) ProtoMessage() {}
+
+func (x *WaitJWTTokenResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[74]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use WaitJWTTokenResponse.ProtoReflect.Descriptor instead.
+func (*WaitJWTTokenResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{74}
+}
+
+func (x *WaitJWTTokenResponse) GetToken() string {
+	if x != nil {
+		return x.Token
+	}
+	return ""
+}
+
+func (x *WaitJWTTokenResponse) GetTokenType() string {
+	if x != nil {
+		return x.TokenType
+	}
+	return ""
+}
+
+func (x *WaitJWTTokenResponse) GetExpiresIn() int64 {
+	if x != nil {
+		return x.ExpiresIn
+	}
+	return 0
+}
+
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -4561,7 +5064,7 @@ type PortInfo_Range struct {
 
 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[70]
+	mi := &file_daemon_proto_msgTypes[76]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -4573,7 +5076,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}
 
 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[70]
+	mi := &file_daemon_proto_msgTypes[76]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -4608,7 +5111,7 @@ var File_daemon_proto protoreflect.FileDescriptor
 const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"\fdaemon.proto\x12\x06daemon\x1a google/protobuf/descriptor.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1egoogle/protobuf/duration.proto\"\x0e\n" +
-	"\fEmptyRequest\"\xc3\x0e\n" +
+	"\fEmptyRequest\"\xd4\x11\n" +
 	"\fLoginRequest\x12\x1a\n" +
 	"\bsetupKey\x18\x01 \x01(\tR\bsetupKey\x12&\n" +
 	"\fpreSharedKey\x18\x02 \x01(\tB\x02\x18\x01R\fpreSharedKey\x12$\n" +
@@ -4645,7 +5148,12 @@ const file_daemon_proto_rawDesc = "" +
 	"\rblock_inbound\x18\x1d \x01(\bH\x10R\fblockInbound\x88\x01\x01\x12%\n" +
 	"\vprofileName\x18\x1e \x01(\tH\x11R\vprofileName\x88\x01\x01\x12\x1f\n" +
 	"\busername\x18\x1f \x01(\tH\x12R\busername\x88\x01\x01\x12\x15\n" +
-	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01B\x13\n" +
+	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01\x12)\n" +
+	"\renableSSHRoot\x18! \x01(\bH\x14R\renableSSHRoot\x88\x01\x01\x12)\n" +
+	"\renableSSHSFTP\x18\" \x01(\bH\x15R\renableSSHSFTP\x88\x01\x01\x12G\n" +
+	"\x1cenableSSHLocalPortForwarding\x18# \x01(\bH\x16R\x1cenableSSHLocalPortForwarding\x88\x01\x01\x12I\n" +
+	"\x1denableSSHRemotePortForwarding\x18$ \x01(\bH\x17R\x1denableSSHRemotePortForwarding\x88\x01\x01\x12+\n" +
+	"\x0edisableSSHAuth\x18% \x01(\bH\x18R\x0edisableSSHAuth\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -4665,7 +5173,12 @@ const file_daemon_proto_rawDesc = "" +
 	"\x0e_block_inboundB\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_usernameB\x06\n" +
-	"\x04_mtu\"\xb5\x01\n" +
+	"\x04_mtuB\x10\n" +
+	"\x0e_enableSSHRootB\x10\n" +
+	"\x0e_enableSSHSFTPB\x1f\n" +
+	"\x1d_enableSSHLocalPortForwardingB \n" +
+	"\x1e_enableSSHRemotePortForwardingB\x11\n" +
+	"\x0f_disableSSHAuth\"\xb5\x01\n" +
 	"\rLoginResponse\x12$\n" +
 	"\rneedsSSOLogin\x18\x01 \x01(\bR\rneedsSSOLogin\x12\x1a\n" +
 	"\buserCode\x18\x02 \x01(\tR\buserCode\x12(\n" +
@@ -4698,7 +5211,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\fDownResponse\"P\n" +
 	"\x10GetConfigRequest\x12 \n" +
 	"\vprofileName\x18\x01 \x01(\tR\vprofileName\x12\x1a\n" +
-	"\busername\x18\x02 \x01(\tR\busername\"\xb5\x06\n" +
+	"\busername\x18\x02 \x01(\tR\busername\"\xb3\b\n" +
 	"\x11GetConfigResponse\x12$\n" +
 	"\rmanagementUrl\x18\x01 \x01(\tR\rmanagementUrl\x12\x1e\n" +
 	"\n" +
@@ -4723,7 +5236,12 @@ const file_daemon_proto_rawDesc = "" +
 	"disableDns\x122\n" +
 	"\x15disable_client_routes\x18\x12 \x01(\bR\x13disableClientRoutes\x122\n" +
 	"\x15disable_server_routes\x18\x13 \x01(\bR\x13disableServerRoutes\x12(\n" +
-	"\x10block_lan_access\x18\x14 \x01(\bR\x0eblockLanAccess\"\xde\x05\n" +
+	"\x10block_lan_access\x18\x14 \x01(\bR\x0eblockLanAccess\x12$\n" +
+	"\renableSSHRoot\x18\x15 \x01(\bR\renableSSHRoot\x12$\n" +
+	"\renableSSHSFTP\x18\x18 \x01(\bR\renableSSHSFTP\x12B\n" +
+	"\x1cenableSSHLocalPortForwarding\x18\x16 \x01(\bR\x1cenableSSHLocalPortForwarding\x12D\n" +
+	"\x1denableSSHRemotePortForwarding\x18\x17 \x01(\bR\x1denableSSHRemotePortForwarding\x12&\n" +
+	"\x0edisableSSHAuth\x18\x19 \x01(\bR\x0edisableSSHAuth\"\xfe\x05\n" +
 	"\tPeerState\x12\x0e\n" +
 	"\x02IP\x18\x01 \x01(\tR\x02IP\x12\x16\n" +
 	"\x06pubKey\x18\x02 \x01(\tR\x06pubKey\x12\x1e\n" +
@@ -4744,7 +5262,10 @@ const file_daemon_proto_rawDesc = "" +
 	"\x10rosenpassEnabled\x18\x0f \x01(\bR\x10rosenpassEnabled\x12\x1a\n" +
 	"\bnetworks\x18\x10 \x03(\tR\bnetworks\x123\n" +
 	"\alatency\x18\x11 \x01(\v2\x19.google.protobuf.DurationR\alatency\x12\"\n" +
-	"\frelayAddress\x18\x12 \x01(\tR\frelayAddress\"\xf0\x01\n" +
+	"\frelayAddress\x18\x12 \x01(\tR\frelayAddress\x12\x1e\n" +
+	"\n" +
+	"sshHostKey\x18\x13 \x01(\fR\n" +
+	"sshHostKey\"\xf0\x01\n" +
 	"\x0eLocalPeerState\x12\x0e\n" +
 	"\x02IP\x18\x01 \x01(\tR\x02IP\x12\x16\n" +
 	"\x06pubKey\x18\x02 \x01(\tR\x06pubKey\x12(\n" +
@@ -4923,7 +5444,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\busername\x18\x02 \x01(\tH\x01R\busername\x88\x01\x01B\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_username\"\x17\n" +
-	"\x15SwitchProfileResponse\"\x8e\r\n" +
+	"\x15SwitchProfileResponse\"\x8d\x10\n" +
 	"\x10SetConfigRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
 	"\vprofileName\x18\x02 \x01(\tR\vprofileName\x12$\n" +
@@ -4956,7 +5477,12 @@ const file_daemon_proto_rawDesc = "" +
 	"dns_labels\x18\x19 \x03(\tR\tdnsLabels\x12&\n" +
 	"\x0ecleanDNSLabels\x18\x1a \x01(\bR\x0ecleanDNSLabels\x12J\n" +
 	"\x10dnsRouteInterval\x18\x1b \x01(\v2\x19.google.protobuf.DurationH\x10R\x10dnsRouteInterval\x88\x01\x01\x12\x15\n" +
-	"\x03mtu\x18\x1c \x01(\x03H\x11R\x03mtu\x88\x01\x01B\x13\n" +
+	"\x03mtu\x18\x1c \x01(\x03H\x11R\x03mtu\x88\x01\x01\x12)\n" +
+	"\renableSSHRoot\x18\x1d \x01(\bH\x12R\renableSSHRoot\x88\x01\x01\x12)\n" +
+	"\renableSSHSFTP\x18\x1e \x01(\bH\x13R\renableSSHSFTP\x88\x01\x01\x12A\n" +
+	"\x19enableSSHLocalPortForward\x18\x1f \x01(\bH\x14R\x19enableSSHLocalPortForward\x88\x01\x01\x12C\n" +
+	"\x1aenableSSHRemotePortForward\x18  \x01(\bH\x15R\x1aenableSSHRemotePortForward\x88\x01\x01\x12+\n" +
+	"\x0edisableSSHAuth\x18! \x01(\bH\x16R\x0edisableSSHAuth\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -4974,7 +5500,12 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16_lazyConnectionEnabledB\x10\n" +
 	"\x0e_block_inboundB\x13\n" +
 	"\x11_dnsRouteIntervalB\x06\n" +
-	"\x04_mtu\"\x13\n" +
+	"\x04_mtuB\x10\n" +
+	"\x0e_enableSSHRootB\x10\n" +
+	"\x0e_enableSSHSFTPB\x1c\n" +
+	"\x1a_enableSSHLocalPortForwardB\x1d\n" +
+	"\x1b_enableSSHRemotePortForwardB\x11\n" +
+	"\x0f_disableSSHAuth\"\x13\n" +
 	"\x11SetConfigResponse\"Q\n" +
 	"\x11AddProfileRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
@@ -5004,7 +5535,36 @@ const file_daemon_proto_rawDesc = "" +
 	"\x12GetFeaturesRequest\"x\n" +
 	"\x13GetFeaturesResponse\x12)\n" +
 	"\x10disable_profiles\x18\x01 \x01(\bR\x0fdisableProfiles\x126\n" +
-	"\x17disable_update_settings\x18\x02 \x01(\bR\x15disableUpdateSettings*b\n" +
+	"\x17disable_update_settings\x18\x02 \x01(\bR\x15disableUpdateSettings\"<\n" +
+	"\x18GetPeerSSHHostKeyRequest\x12 \n" +
+	"\vpeerAddress\x18\x01 \x01(\tR\vpeerAddress\"\x85\x01\n" +
+	"\x19GetPeerSSHHostKeyResponse\x12\x1e\n" +
+	"\n" +
+	"sshHostKey\x18\x01 \x01(\fR\n" +
+	"sshHostKey\x12\x16\n" +
+	"\x06peerIP\x18\x02 \x01(\tR\x06peerIP\x12\x1a\n" +
+	"\bpeerFQDN\x18\x03 \x01(\tR\bpeerFQDN\x12\x14\n" +
+	"\x05found\x18\x04 \x01(\bR\x05found\"\x17\n" +
+	"\x15RequestJWTAuthRequest\"\x9a\x02\n" +
+	"\x16RequestJWTAuthResponse\x12(\n" +
+	"\x0fverificationURI\x18\x01 \x01(\tR\x0fverificationURI\x128\n" +
+	"\x17verificationURIComplete\x18\x02 \x01(\tR\x17verificationURIComplete\x12\x1a\n" +
+	"\buserCode\x18\x03 \x01(\tR\buserCode\x12\x1e\n" +
+	"\n" +
+	"deviceCode\x18\x04 \x01(\tR\n" +
+	"deviceCode\x12\x1c\n" +
+	"\texpiresIn\x18\x05 \x01(\x03R\texpiresIn\x12 \n" +
+	"\vcachedToken\x18\x06 \x01(\tR\vcachedToken\x12 \n" +
+	"\vmaxTokenAge\x18\a \x01(\x03R\vmaxTokenAge\"Q\n" +
+	"\x13WaitJWTTokenRequest\x12\x1e\n" +
+	"\n" +
+	"deviceCode\x18\x01 \x01(\tR\n" +
+	"deviceCode\x12\x1a\n" +
+	"\buserCode\x18\x02 \x01(\tR\buserCode\"h\n" +
+	"\x14WaitJWTTokenResponse\x12\x14\n" +
+	"\x05token\x18\x01 \x01(\tR\x05token\x12\x1c\n" +
+	"\ttokenType\x18\x02 \x01(\tR\ttokenType\x12\x1c\n" +
+	"\texpiresIn\x18\x03 \x01(\x03R\texpiresIn*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -5013,7 +5573,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x04WARN\x10\x04\x12\b\n" +
 	"\x04INFO\x10\x05\x12\t\n" +
 	"\x05DEBUG\x10\x06\x12\t\n" +
-	"\x05TRACE\x10\a2\x8f\x10\n" +
+	"\x05TRACE\x10\a2\x8b\x12\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -5045,7 +5605,10 @@ const file_daemon_proto_rawDesc = "" +
 	"\fListProfiles\x12\x1b.daemon.ListProfilesRequest\x1a\x1c.daemon.ListProfilesResponse\"\x00\x12W\n" +
 	"\x10GetActiveProfile\x12\x1f.daemon.GetActiveProfileRequest\x1a .daemon.GetActiveProfileResponse\"\x00\x129\n" +
 	"\x06Logout\x12\x15.daemon.LogoutRequest\x1a\x16.daemon.LogoutResponse\"\x00\x12H\n" +
-	"\vGetFeatures\x12\x1a.daemon.GetFeaturesRequest\x1a\x1b.daemon.GetFeaturesResponse\"\x00B\bZ\x06/protob\x06proto3"
+	"\vGetFeatures\x12\x1a.daemon.GetFeaturesRequest\x1a\x1b.daemon.GetFeaturesResponse\"\x00\x12Z\n" +
+	"\x11GetPeerSSHHostKey\x12 .daemon.GetPeerSSHHostKeyRequest\x1a!.daemon.GetPeerSSHHostKeyResponse\"\x00\x12Q\n" +
+	"\x0eRequestJWTAuth\x12\x1d.daemon.RequestJWTAuthRequest\x1a\x1e.daemon.RequestJWTAuthResponse\"\x00\x12K\n" +
+	"\fWaitJWTToken\x12\x1b.daemon.WaitJWTTokenRequest\x1a\x1c.daemon.WaitJWTTokenResponse\"\x00B\bZ\x06/protob\x06proto3"
 
 var (
 	file_daemon_proto_rawDescOnce sync.Once
@@ -5060,7 +5623,7 @@ func file_daemon_proto_rawDescGZIP() []byte {
 }
 
 var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 72)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 78)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
 	(SystemEvent_Severity)(0),                  // 1: daemon.SystemEvent.Severity
@@ -5134,18 +5697,24 @@ var file_daemon_proto_goTypes = []any{
 	(*LogoutResponse)(nil),                     // 69: daemon.LogoutResponse
 	(*GetFeaturesRequest)(nil),                 // 70: daemon.GetFeaturesRequest
 	(*GetFeaturesResponse)(nil),                // 71: daemon.GetFeaturesResponse
-	nil,                                        // 72: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 73: daemon.PortInfo.Range
-	nil,                                        // 74: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 75: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 76: google.protobuf.Timestamp
+	(*GetPeerSSHHostKeyRequest)(nil),           // 72: daemon.GetPeerSSHHostKeyRequest
+	(*GetPeerSSHHostKeyResponse)(nil),          // 73: daemon.GetPeerSSHHostKeyResponse
+	(*RequestJWTAuthRequest)(nil),              // 74: daemon.RequestJWTAuthRequest
+	(*RequestJWTAuthResponse)(nil),             // 75: daemon.RequestJWTAuthResponse
+	(*WaitJWTTokenRequest)(nil),                // 76: daemon.WaitJWTTokenRequest
+	(*WaitJWTTokenResponse)(nil),               // 77: daemon.WaitJWTTokenResponse
+	nil,                                        // 78: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 79: daemon.PortInfo.Range
+	nil,                                        // 80: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 81: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 82: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	75, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	81, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
 	22, // 1: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	76, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	76, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	75, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	82, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	82, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	81, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
 	19, // 5: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
 	18, // 6: daemon.FullStatus.signalState:type_name -> daemon.SignalState
 	17, // 7: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
@@ -5154,8 +5723,8 @@ var file_daemon_proto_depIdxs = []int32{
 	21, // 10: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
 	52, // 11: daemon.FullStatus.events:type_name -> daemon.SystemEvent
 	28, // 12: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	72, // 13: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	73, // 14: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	78, // 13: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	79, // 14: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
 	29, // 15: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
 	29, // 16: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
 	30, // 17: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
@@ -5166,10 +5735,10 @@ var file_daemon_proto_depIdxs = []int32{
 	49, // 22: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
 	1,  // 23: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
 	2,  // 24: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	76, // 25: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	74, // 26: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	82, // 25: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	80, // 26: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
 	52, // 27: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	75, // 28: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	81, // 28: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
 	65, // 29: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
 	27, // 30: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
 	4,  // 31: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
@@ -5200,36 +5769,42 @@ var file_daemon_proto_depIdxs = []int32{
 	66, // 56: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
 	68, // 57: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
 	70, // 58: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	5,  // 59: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	7,  // 60: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	9,  // 61: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	11, // 62: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	13, // 63: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	15, // 64: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	24, // 65: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	26, // 66: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	26, // 67: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	31, // 68: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	33, // 69: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	35, // 70: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	37, // 71: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	40, // 72: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	42, // 73: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	44, // 74: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	46, // 75: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	50, // 76: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	52, // 77: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	54, // 78: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	56, // 79: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	58, // 80: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	60, // 81: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	62, // 82: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	64, // 83: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	67, // 84: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	69, // 85: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	71, // 86: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	59, // [59:87] is the sub-list for method output_type
-	31, // [31:59] is the sub-list for method input_type
+	72, // 59: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	74, // 60: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	76, // 61: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	5,  // 62: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	7,  // 63: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	9,  // 64: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	11, // 65: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	13, // 66: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	15, // 67: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	24, // 68: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	26, // 69: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	26, // 70: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	31, // 71: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	33, // 72: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	35, // 73: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	37, // 74: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	40, // 75: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	42, // 76: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	44, // 77: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	46, // 78: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	50, // 79: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	52, // 80: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	54, // 81: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	56, // 82: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	58, // 83: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	60, // 84: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	62, // 85: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	64, // 86: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	67, // 87: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	69, // 88: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	71, // 89: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	73, // 90: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	75, // 91: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	77, // 92: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	62, // [62:93] is the sub-list for method output_type
+	31, // [31:62] is the sub-list for method input_type
 	31, // [31:31] is the sub-list for extension type_name
 	31, // [31:31] is the sub-list for extension extendee
 	0,  // [0:31] is the sub-list for field type_name
@@ -5258,7 +5833,7 @@ func file_daemon_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
 			NumEnums:      3,
-			NumMessages:   72,
+			NumMessages:   78,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

client/proto/daemon.proto

@@ -84,6 +84,15 @@ service DaemonService {
   rpc Logout(LogoutRequest) returns (LogoutResponse) {}
 
   rpc GetFeatures(GetFeaturesRequest) returns (GetFeaturesResponse) {}
+
+  // GetPeerSSHHostKey retrieves SSH host key for a specific peer
+  rpc GetPeerSSHHostKey(GetPeerSSHHostKeyRequest) returns (GetPeerSSHHostKeyResponse) {}
+
+  // RequestJWTAuth initiates JWT authentication flow for SSH
+  rpc RequestJWTAuth(RequestJWTAuthRequest) returns (RequestJWTAuthResponse) {}
+  
+  // WaitJWTToken waits for JWT authentication completion
+  rpc WaitJWTToken(WaitJWTTokenRequest) returns (WaitJWTTokenResponse) {}
 }
 
 
@@ -158,6 +167,12 @@ message LoginRequest {
   optional string username = 31;
 
   optional int64 mtu = 32;
+
+  optional bool enableSSHRoot = 33;
+  optional bool enableSSHSFTP = 34;
+  optional bool enableSSHLocalPortForwarding = 35;
+  optional bool enableSSHRemotePortForwarding = 36;
+  optional bool disableSSHAuth = 37;
 }
 
 message LoginResponse {
@@ -185,7 +200,7 @@ message UpResponse {}
 
 message StatusRequest{
   bool getFullPeerStatus = 1;
-  bool shouldRunProbes   = 2;
+  bool shouldRunProbes = 2;
   // the UI do not using this yet, but CLIs could use it to wait until the status is ready
   optional bool waitForReady     = 3;
 }
@@ -252,6 +267,16 @@ message GetConfigResponse {
   bool disable_server_routes = 19;
 
   bool block_lan_access = 20;
+
+  bool enableSSHRoot = 21;
+
+  bool enableSSHSFTP = 24;
+
+  bool enableSSHLocalPortForwarding = 22;
+
+  bool enableSSHRemotePortForwarding = 23;
+
+  bool disableSSHAuth = 25;
 }
 
 // PeerState contains the latest state of a peer
@@ -273,6 +298,7 @@ message PeerState {
   repeated string networks = 16;
   google.protobuf.Duration latency = 17;
   string relayAddress = 18;
+  bytes sshHostKey = 19;
 }
 
 // LocalPeerState contains the latest state of the local peer
@@ -540,56 +566,62 @@ message SwitchProfileRequest {
 message SwitchProfileResponse {}
 
 message SetConfigRequest {
-    string username = 1;
-    string profileName = 2;
-    // managementUrl to authenticate.
-    string managementUrl = 3;
+  string username = 1;
+  string profileName = 2;
+  // managementUrl to authenticate.
+  string managementUrl = 3;
 
-    // adminUrl to manage keys.
-    string adminURL = 4;
+  // adminUrl to manage keys.
+  string adminURL = 4;
 
-    optional bool rosenpassEnabled = 5;
+  optional bool rosenpassEnabled = 5;
 
-    optional string interfaceName = 6;
+  optional string interfaceName = 6;
 
-    optional int64 wireguardPort = 7;
+  optional int64 wireguardPort = 7;
 
-    optional string optionalPreSharedKey = 8;
+  optional string optionalPreSharedKey = 8;
 
-    optional bool disableAutoConnect = 9;
+  optional bool disableAutoConnect = 9;
 
-    optional bool serverSSHAllowed = 10;
+  optional bool serverSSHAllowed = 10;
 
-    optional bool rosenpassPermissive = 11;
+  optional bool rosenpassPermissive = 11;
 
-    optional bool networkMonitor = 12;
+  optional bool networkMonitor = 12;
 
-    optional bool disable_client_routes = 13;
-    optional bool disable_server_routes = 14;
-    optional bool disable_dns = 15;
-    optional bool disable_firewall = 16;
-    optional bool block_lan_access = 17;
+  optional bool disable_client_routes = 13;
+  optional bool disable_server_routes = 14;
+  optional bool disable_dns = 15;
+  optional bool disable_firewall = 16;
+  optional bool block_lan_access = 17;
 
-    optional bool disable_notifications = 18;
+  optional bool disable_notifications = 18;
 
-    optional bool lazyConnectionEnabled = 19;
+  optional bool lazyConnectionEnabled = 19;
 
-    optional bool block_inbound = 20;
+  optional bool block_inbound = 20;
 
-    repeated string natExternalIPs = 21;
-    bool cleanNATExternalIPs = 22;
+  repeated string natExternalIPs = 21;
+  bool cleanNATExternalIPs = 22;
 
-    bytes customDNSAddress = 23;
+  bytes customDNSAddress = 23;
 
-    repeated string extraIFaceBlacklist = 24;
+  repeated string extraIFaceBlacklist = 24;
 
-    repeated string dns_labels = 25;
-    // cleanDNSLabels clean map list of DNS labels.
-    bool cleanDNSLabels = 26;
+  repeated string dns_labels = 25;
+  // cleanDNSLabels clean map list of DNS labels.
+  bool cleanDNSLabels = 26;
 
-    optional google.protobuf.Duration dnsRouteInterval = 27;
+  optional google.protobuf.Duration dnsRouteInterval = 27;
 
-    optional int64 mtu = 28;
+  optional int64 mtu = 28;
+
+  optional bool enableSSHRoot = 29;
+  optional bool enableSSHSFTP = 30;
+  optional bool enableSSHLocalPortForward = 31;
+  optional bool enableSSHRemotePortForward = 32;
+  optional bool disableSSHAuth = 33;
 }
 
 message SetConfigResponse{}
@@ -641,3 +673,61 @@ message GetFeaturesResponse{
   bool disable_profiles = 1;
   bool disable_update_settings = 2;
 }
+
+// GetPeerSSHHostKeyRequest for retrieving SSH host key for a specific peer
+message GetPeerSSHHostKeyRequest {
+  // peer IP address or FQDN to get SSH host key for
+  string peerAddress = 1;
+}
+
+// GetPeerSSHHostKeyResponse contains the SSH host key for the requested peer
+message GetPeerSSHHostKeyResponse {
+  // SSH host key in SSH public key format (e.g., "ssh-ed25519 AAAAC3... hostname")
+  bytes sshHostKey = 1;
+  // peer IP address
+  string peerIP = 2;
+  // peer FQDN
+  string peerFQDN = 3;
+  // indicates if the SSH host key was found
+  bool found = 4;
+}
+
+// RequestJWTAuthRequest for initiating JWT authentication flow
+message RequestJWTAuthRequest {
+}
+
+// RequestJWTAuthResponse contains authentication flow information
+message RequestJWTAuthResponse {
+  // verification URI for user authentication
+  string verificationURI = 1;
+  // complete verification URI (with embedded user code)
+  string verificationURIComplete = 2;
+  // user code to enter on verification URI
+  string userCode = 3;
+  // device code for polling
+  string deviceCode = 4;
+  // expiration time in seconds
+  int64 expiresIn = 5;
+  // if a cached token is available, it will be returned here
+  string cachedToken = 6;
+  // maximum age of JWT tokens in seconds (from management server)
+  int64 maxTokenAge = 7;
+}
+
+// WaitJWTTokenRequest for waiting for authentication completion
+message WaitJWTTokenRequest {
+  // device code from RequestJWTAuthResponse
+  string deviceCode = 1;
+  // user code for verification
+  string userCode = 2;
+}
+
+// WaitJWTTokenResponse contains the JWT token after authentication
+message WaitJWTTokenResponse {
+  // JWT token (access token or ID token)
+  string token = 1;
+  // token type (e.g., "Bearer")
+  string tokenType = 2;
+  // expiration time in seconds
+  int64 expiresIn = 3;
+}

client/proto/daemon_grpc.pb.go

@@ -64,6 +64,12 @@ type DaemonServiceClient interface {
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
 	GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error)
+	// GetPeerSSHHostKey retrieves SSH host key for a specific peer
+	GetPeerSSHHostKey(ctx context.Context, in *GetPeerSSHHostKeyRequest, opts ...grpc.CallOption) (*GetPeerSSHHostKeyResponse, error)
+	// RequestJWTAuth initiates JWT authentication flow for SSH
+	RequestJWTAuth(ctx context.Context, in *RequestJWTAuthRequest, opts ...grpc.CallOption) (*RequestJWTAuthResponse, error)
+	// WaitJWTToken waits for JWT authentication completion
+	WaitJWTToken(ctx context.Context, in *WaitJWTTokenRequest, opts ...grpc.CallOption) (*WaitJWTTokenResponse, error)
 }
 
 type daemonServiceClient struct {
@@ -349,6 +355,33 @@ func (c *daemonServiceClient) GetFeatures(ctx context.Context, in *GetFeaturesRe
 	return out, nil
 }
 
+func (c *daemonServiceClient) GetPeerSSHHostKey(ctx context.Context, in *GetPeerSSHHostKeyRequest, opts ...grpc.CallOption) (*GetPeerSSHHostKeyResponse, error) {
+	out := new(GetPeerSSHHostKeyResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetPeerSSHHostKey", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) RequestJWTAuth(ctx context.Context, in *RequestJWTAuthRequest, opts ...grpc.CallOption) (*RequestJWTAuthResponse, error) {
+	out := new(RequestJWTAuthResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/RequestJWTAuth", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) WaitJWTToken(ctx context.Context, in *WaitJWTTokenRequest, opts ...grpc.CallOption) (*WaitJWTTokenResponse, error) {
+	out := new(WaitJWTTokenResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/WaitJWTToken", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -399,6 +432,12 @@ type DaemonServiceServer interface {
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
 	GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error)
+	// GetPeerSSHHostKey retrieves SSH host key for a specific peer
+	GetPeerSSHHostKey(context.Context, *GetPeerSSHHostKeyRequest) (*GetPeerSSHHostKeyResponse, error)
+	// RequestJWTAuth initiates JWT authentication flow for SSH
+	RequestJWTAuth(context.Context, *RequestJWTAuthRequest) (*RequestJWTAuthResponse, error)
+	// WaitJWTToken waits for JWT authentication completion
+	WaitJWTToken(context.Context, *WaitJWTTokenRequest) (*WaitJWTTokenResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
 
@@ -490,6 +529,15 @@ func (UnimplementedDaemonServiceServer) Logout(context.Context, *LogoutRequest)
 func (UnimplementedDaemonServiceServer) GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetFeatures not implemented")
 }
+func (UnimplementedDaemonServiceServer) GetPeerSSHHostKey(context.Context, *GetPeerSSHHostKeyRequest) (*GetPeerSSHHostKeyResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetPeerSSHHostKey not implemented")
+}
+func (UnimplementedDaemonServiceServer) RequestJWTAuth(context.Context, *RequestJWTAuthRequest) (*RequestJWTAuthResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RequestJWTAuth not implemented")
+}
+func (UnimplementedDaemonServiceServer) WaitJWTToken(context.Context, *WaitJWTTokenRequest) (*WaitJWTTokenResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method WaitJWTToken not implemented")
+}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 
 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -1010,6 +1058,60 @@ func _DaemonService_GetFeatures_Handler(srv interface{}, ctx context.Context, de
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_GetPeerSSHHostKey_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetPeerSSHHostKeyRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).GetPeerSSHHostKey(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/GetPeerSSHHostKey",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).GetPeerSSHHostKey(ctx, req.(*GetPeerSSHHostKeyRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_RequestJWTAuth_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RequestJWTAuthRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).RequestJWTAuth(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/RequestJWTAuth",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).RequestJWTAuth(ctx, req.(*RequestJWTAuthRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_WaitJWTToken_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(WaitJWTTokenRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).WaitJWTToken(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/WaitJWTToken",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).WaitJWTToken(ctx, req.(*WaitJWTTokenRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1125,6 +1227,18 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetFeatures",
 			Handler:    _DaemonService_GetFeatures_Handler,
 		},
+		{
+			MethodName: "GetPeerSSHHostKey",
+			Handler:    _DaemonService_GetPeerSSHHostKey_Handler,
+		},
+		{
+			MethodName: "RequestJWTAuth",
+			Handler:    _DaemonService_RequestJWTAuth_Handler,
+		},
+		{
+			MethodName: "WaitJWTToken",
+			Handler:    _DaemonService_WaitJWTToken_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{

client/server/jwt_cache.go

@@ -0,0 +1,73 @@
+package server
+
+import (
+	"sync"
+	"time"
+
+	"github.com/awnumar/memguard"
+	log "github.com/sirupsen/logrus"
+)
+
+type jwtCache struct {
+	mu           sync.RWMutex
+	enclave      *memguard.Enclave
+	expiresAt    time.Time
+	timer        *time.Timer
+	maxTokenSize int
+}
+
+func newJWTCache() *jwtCache {
+	return &jwtCache{
+		maxTokenSize: 8192,
+	}
+}
+
+func (c *jwtCache) store(token string, maxAge time.Duration) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.cleanup()
+
+	if c.timer != nil {
+		c.timer.Stop()
+	}
+
+	tokenBytes := []byte(token)
+	c.enclave = memguard.NewEnclave(tokenBytes)
+
+	c.expiresAt = time.Now().Add(maxAge)
+
+	c.timer = time.AfterFunc(maxAge, func() {
+		c.mu.Lock()
+		defer c.mu.Unlock()
+		c.cleanup()
+		c.timer = nil
+		log.Debugf("JWT token cache expired after %v, securely wiped from memory", maxAge)
+	})
+}
+
+func (c *jwtCache) get() (string, bool) {
+	c.mu.RLock()
+	defer c.mu.RUnlock()
+
+	if c.enclave == nil || time.Now().After(c.expiresAt) {
+		return "", false
+	}
+
+	buffer, err := c.enclave.Open()
+	if err != nil {
+		log.Debugf("Failed to open JWT token enclave: %v", err)
+		return "", false
+	}
+	defer buffer.Destroy()
+
+	token := string(buffer.Bytes())
+	return token, true
+}
+
+// cleanup destroys the secure enclave, must be called with lock held
+func (c *jwtCache) cleanup() {
+	if c.enclave != nil {
+		c.enclave = nil
+	}
+}

client/server/network.go

@@ -11,8 +11,8 @@ import (
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 type selectRoute struct {

client/server/server.go

@@ -46,6 +46,9 @@ const (
 	defaultMaxRetryTime     = 14 * 24 * time.Hour
 	defaultRetryMultiplier  = 1.7
 
+	// JWT token cache TTL for the client daemon
+	defaultJWTCacheTTL = 5 * time.Minute
+
 	errRestoreResidualState   = "failed to restore residual state: %v"
 	errProfilesDisabled       = "profiles are disabled, you cannot use this feature without profiles enabled"
 	errUpdateSettingsDisabled = "update settings are disabled, you cannot use this feature without update settings enabled"
@@ -81,6 +84,8 @@ type Server struct {
 	profileManager         *profilemanager.ServiceManager
 	profilesDisabled       bool
 	updateSettingsDisabled bool
+
+	jwtCache *jwtCache
 }
 
 type oauthAuthFlow struct {
@@ -100,6 +105,7 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		profileManager:         profilemanager.NewServiceManager(configFile),
 		profilesDisabled:       profilesDisabled,
 		updateSettingsDisabled: updateSettingsDisabled,
+		jwtCache:               newJWTCache(),
 	}
 }
 
@@ -373,6 +379,13 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	config.DisableNotifications = msg.DisableNotifications
 	config.LazyConnectionEnabled = msg.LazyConnectionEnabled
 	config.BlockInbound = msg.BlockInbound
+	config.EnableSSHRoot = msg.EnableSSHRoot
+	config.EnableSSHSFTP = msg.EnableSSHSFTP
+	config.EnableSSHLocalPortForwarding = msg.EnableSSHLocalPortForward
+	config.EnableSSHRemotePortForwarding = msg.EnableSSHRemotePortForward
+	if msg.DisableSSHAuth != nil {
+		config.DisableSSHAuth = msg.DisableSSHAuth
+	}
 
 	if msg.Mtu != nil {
 		mtu := uint16(*msg.Mtu)
@@ -489,7 +502,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 			return nil, err
 		}
 
-		if s.oauthAuthFlow.flow != nil && s.oauthAuthFlow.flow.GetClientID(ctx) == oAuthFlow.GetClientID(context.TODO()) {
+		if s.oauthAuthFlow.flow != nil && s.oauthAuthFlow.flow.GetClientID(ctx) == oAuthFlow.GetClientID(ctx) {
 			if s.oauthAuthFlow.expiresAt.After(time.Now().Add(90 * time.Second)) {
 				log.Debugf("using previous oauth flow info")
 				return &proto.LoginResponse{
@@ -506,7 +519,7 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 			}
 		}
 
-		authInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
+		authInfo, err := oAuthFlow.RequestAuthInfo(ctx)
 		if err != nil {
 			log.Errorf("getting a request OAuth flow failed: %v", err)
 			return nil, err
@@ -1067,6 +1080,189 @@ func (s *Server) Status(
 	return &statusResponse, nil
 }
 
+// GetPeerSSHHostKey retrieves SSH host key for a specific peer
+func (s *Server) GetPeerSSHHostKey(
+	ctx context.Context,
+	req *proto.GetPeerSSHHostKeyRequest,
+) (*proto.GetPeerSSHHostKeyResponse, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	s.mutex.Lock()
+	connectClient := s.connectClient
+	statusRecorder := s.statusRecorder
+	s.mutex.Unlock()
+
+	if connectClient == nil {
+		return nil, errors.New("client not initialized")
+	}
+
+	engine := connectClient.Engine()
+	if engine == nil {
+		return nil, errors.New("engine not started")
+	}
+
+	peerAddress := req.GetPeerAddress()
+	hostKey, found := engine.GetPeerSSHKey(peerAddress)
+
+	response := &proto.GetPeerSSHHostKeyResponse{
+		Found: found,
+	}
+
+	if !found {
+		return response, nil
+	}
+
+	response.SshHostKey = hostKey
+
+	if statusRecorder == nil {
+		return response, nil
+	}
+
+	fullStatus := statusRecorder.GetFullStatus()
+	for _, peerState := range fullStatus.Peers {
+		if peerState.IP == peerAddress || peerState.FQDN == peerAddress {
+			response.PeerIP = peerState.IP
+			response.PeerFQDN = peerState.FQDN
+			break
+		}
+	}
+
+	return response, nil
+}
+
+// getJWTCacheTTL returns the JWT cache TTL from environment variable or default
+// NB_SSH_JWT_CACHE_TTL=0 disables caching
+// NB_SSH_JWT_CACHE_TTL=<seconds> sets custom cache TTL
+func getJWTCacheTTL() time.Duration {
+	envValue := os.Getenv("NB_SSH_JWT_CACHE_TTL")
+	if envValue == "" {
+		return defaultJWTCacheTTL
+	}
+
+	seconds, err := strconv.Atoi(envValue)
+	if err != nil {
+		log.Warnf("invalid NB_SSH_JWT_CACHE_TTL value %s, using default: %v", envValue, defaultJWTCacheTTL)
+		return defaultJWTCacheTTL
+	}
+
+	if seconds == 0 {
+		log.Info("SSH JWT cache disabled via NB_SSH_JWT_CACHE_TTL=0")
+		return 0
+	}
+
+	ttl := time.Duration(seconds) * time.Second
+	log.Infof("SSH JWT cache TTL set to %v via NB_SSH_JWT_CACHE_TTL", ttl)
+	return ttl
+}
+
+// RequestJWTAuth initiates JWT authentication flow for SSH
+func (s *Server) RequestJWTAuth(
+	ctx context.Context,
+	_ *proto.RequestJWTAuthRequest,
+) (*proto.RequestJWTAuthResponse, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	s.mutex.Lock()
+	config := s.config
+	s.mutex.Unlock()
+
+	if config == nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "client is not configured")
+	}
+
+	jwtCacheTTL := getJWTCacheTTL()
+	if jwtCacheTTL > 0 {
+		if cachedToken, found := s.jwtCache.get(); found {
+			log.Debugf("JWT token found in cache, returning cached token for SSH authentication")
+
+			return &proto.RequestJWTAuthResponse{
+				CachedToken: cachedToken,
+				MaxTokenAge: int64(jwtCacheTTL.Seconds()),
+			}, nil
+		}
+	}
+
+	isDesktop := isUnixRunningDesktop()
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isDesktop)
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "failed to create OAuth flow: %v", err)
+	}
+
+	authInfo, err := oAuthFlow.RequestAuthInfo(ctx)
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "failed to request auth info: %v", err)
+	}
+
+	s.mutex.Lock()
+	s.oauthAuthFlow.flow = oAuthFlow
+	s.oauthAuthFlow.info = authInfo
+	s.oauthAuthFlow.expiresAt = time.Now().Add(time.Duration(authInfo.ExpiresIn) * time.Second)
+	s.mutex.Unlock()
+
+	return &proto.RequestJWTAuthResponse{
+		VerificationURI:         authInfo.VerificationURI,
+		VerificationURIComplete: authInfo.VerificationURIComplete,
+		UserCode:                authInfo.UserCode,
+		DeviceCode:              authInfo.DeviceCode,
+		ExpiresIn:               int64(authInfo.ExpiresIn),
+		MaxTokenAge:             int64(jwtCacheTTL.Seconds()),
+	}, nil
+}
+
+// WaitJWTToken waits for JWT authentication completion
+func (s *Server) WaitJWTToken(
+	ctx context.Context,
+	req *proto.WaitJWTTokenRequest,
+) (*proto.WaitJWTTokenResponse, error) {
+	if ctx.Err() != nil {
+		return nil, ctx.Err()
+	}
+
+	s.mutex.Lock()
+	oAuthFlow := s.oauthAuthFlow.flow
+	authInfo := s.oauthAuthFlow.info
+	s.mutex.Unlock()
+
+	if oAuthFlow == nil || authInfo.DeviceCode != req.DeviceCode {
+		return nil, gstatus.Errorf(codes.InvalidArgument, "invalid device code or no active auth flow")
+	}
+
+	tokenInfo, err := oAuthFlow.WaitToken(ctx, authInfo)
+	if err != nil {
+		return nil, gstatus.Errorf(codes.Internal, "failed to get token: %v", err)
+	}
+
+	token := tokenInfo.GetTokenToUse()
+
+	jwtCacheTTL := getJWTCacheTTL()
+	if jwtCacheTTL > 0 {
+		s.jwtCache.store(token, jwtCacheTTL)
+		log.Debugf("JWT token cached for SSH authentication, TTL: %v", jwtCacheTTL)
+	} else {
+		log.Debug("JWT caching disabled, not storing token")
+	}
+
+	s.mutex.Lock()
+	s.oauthAuthFlow = oauthAuthFlow{}
+	s.mutex.Unlock()
+	return &proto.WaitJWTTokenResponse{
+		Token:     tokenInfo.GetTokenToUse(),
+		TokenType: tokenInfo.TokenType,
+		ExpiresIn: int64(tokenInfo.ExpiresIn),
+	}, nil
+}
+
+func isUnixRunningDesktop() bool {
+	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
+		return false
+	}
+	return os.Getenv("DESKTOP_SESSION") != "" || os.Getenv("XDG_CURRENT_DESKTOP") != ""
+}
+
 func (s *Server) runProbes(waitForProbeResult bool) {
 	if s.connectClient == nil {
 		return
@@ -1132,25 +1328,55 @@ func (s *Server) GetConfig(ctx context.Context, req *proto.GetConfigRequest) (*p
 	disableServerRoutes := cfg.DisableServerRoutes
 	blockLANAccess := cfg.BlockLANAccess
 
+	enableSSHRoot := false
+	if s.config.EnableSSHRoot != nil {
+		enableSSHRoot = *s.config.EnableSSHRoot
+	}
+
+	enableSSHSFTP := false
+	if s.config.EnableSSHSFTP != nil {
+		enableSSHSFTP = *s.config.EnableSSHSFTP
+	}
+
+	enableSSHLocalPortForwarding := false
+	if s.config.EnableSSHLocalPortForwarding != nil {
+		enableSSHLocalPortForwarding = *s.config.EnableSSHLocalPortForwarding
+	}
+
+	enableSSHRemotePortForwarding := false
+	if s.config.EnableSSHRemotePortForwarding != nil {
+		enableSSHRemotePortForwarding = *s.config.EnableSSHRemotePortForwarding
+	}
+
+	disableSSHAuth := false
+	if s.config.DisableSSHAuth != nil {
+		disableSSHAuth = *s.config.DisableSSHAuth
+	}
+
 	return &proto.GetConfigResponse{
-		ManagementUrl:         managementURL.String(),
-		PreSharedKey:          preSharedKey,
-		AdminURL:              adminURL.String(),
-		InterfaceName:         cfg.WgIface,
-		WireguardPort:         int64(cfg.WgPort),
-		Mtu:                   int64(cfg.MTU),
-		DisableAutoConnect:    cfg.DisableAutoConnect,
-		ServerSSHAllowed:      *cfg.ServerSSHAllowed,
-		RosenpassEnabled:      cfg.RosenpassEnabled,
-		RosenpassPermissive:   cfg.RosenpassPermissive,
-		LazyConnectionEnabled: cfg.LazyConnectionEnabled,
-		BlockInbound:          cfg.BlockInbound,
-		DisableNotifications:  disableNotifications,
-		NetworkMonitor:        networkMonitor,
-		DisableDns:            disableDNS,
-		DisableClientRoutes:   disableClientRoutes,
-		DisableServerRoutes:   disableServerRoutes,
-		BlockLanAccess:        blockLANAccess,
+		ManagementUrl:                 managementURL.String(),
+		PreSharedKey:                  preSharedKey,
+		AdminURL:                      adminURL.String(),
+		InterfaceName:                 cfg.WgIface,
+		WireguardPort:                 int64(cfg.WgPort),
+		Mtu:                           int64(cfg.MTU),
+		DisableAutoConnect:            cfg.DisableAutoConnect,
+		ServerSSHAllowed:              *cfg.ServerSSHAllowed,
+		RosenpassEnabled:              cfg.RosenpassEnabled,
+		RosenpassPermissive:           cfg.RosenpassPermissive,
+		LazyConnectionEnabled:         cfg.LazyConnectionEnabled,
+		BlockInbound:                  cfg.BlockInbound,
+		DisableNotifications:          disableNotifications,
+		NetworkMonitor:                networkMonitor,
+		DisableDns:                    disableDNS,
+		DisableClientRoutes:           disableClientRoutes,
+		DisableServerRoutes:           disableServerRoutes,
+		BlockLanAccess:                blockLANAccess,
+		EnableSSHRoot:                 enableSSHRoot,
+		EnableSSHSFTP:                 enableSSHSFTP,
+		EnableSSHLocalPortForwarding:  enableSSHLocalPortForwarding,
+		EnableSSHRemotePortForwarding: enableSSHRemotePortForwarding,
+		DisableSSHAuth:                disableSSHAuth,
 	}, nil
 }
 
@@ -1381,6 +1607,7 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 			RosenpassEnabled:           peerState.RosenpassEnabled,
 			Networks:                   maps.Keys(peerState.GetRoutes()),
 			Latency:                    durationpb.New(peerState.Latency),
+			SshHostKey:                 peerState.SSHHostKey,
 		}
 		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
 	}

client/server/server_test.go

@@ -311,7 +311,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	settingsMockManager := settings.NewMockManager(ctrl)
 	groupsManager := groups.NewManagerMock()
 
-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := server.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
 	}

client/server/setconfig_test.go

@@ -167,30 +167,35 @@ func verifyAllFieldsCovered(t *testing.T, req *proto.SetConfigRequest) {
 	}
 
 	expectedFields := map[string]bool{
-		"ManagementUrl":         true,
-		"AdminURL":              true,
-		"RosenpassEnabled":      true,
-		"RosenpassPermissive":   true,
-		"ServerSSHAllowed":      true,
-		"InterfaceName":         true,
-		"WireguardPort":         true,
-		"OptionalPreSharedKey":  true,
-		"DisableAutoConnect":    true,
-		"NetworkMonitor":        true,
-		"DisableClientRoutes":   true,
-		"DisableServerRoutes":   true,
-		"DisableDns":            true,
-		"DisableFirewall":       true,
-		"BlockLanAccess":        true,
-		"DisableNotifications":  true,
-		"LazyConnectionEnabled": true,
-		"BlockInbound":          true,
-		"NatExternalIPs":        true,
-		"CustomDNSAddress":      true,
-		"ExtraIFaceBlacklist":   true,
-		"DnsLabels":             true,
-		"DnsRouteInterval":      true,
-		"Mtu":                   true,
+		"ManagementUrl":              true,
+		"AdminURL":                   true,
+		"RosenpassEnabled":           true,
+		"RosenpassPermissive":        true,
+		"ServerSSHAllowed":           true,
+		"InterfaceName":              true,
+		"WireguardPort":              true,
+		"OptionalPreSharedKey":       true,
+		"DisableAutoConnect":         true,
+		"NetworkMonitor":             true,
+		"DisableClientRoutes":        true,
+		"DisableServerRoutes":        true,
+		"DisableDns":                 true,
+		"DisableFirewall":            true,
+		"BlockLanAccess":             true,
+		"DisableNotifications":       true,
+		"LazyConnectionEnabled":      true,
+		"BlockInbound":               true,
+		"NatExternalIPs":             true,
+		"CustomDNSAddress":           true,
+		"ExtraIFaceBlacklist":        true,
+		"DnsLabels":                  true,
+		"DnsRouteInterval":           true,
+		"Mtu":                        true,
+		"EnableSSHRoot":              true,
+		"EnableSSHSFTP":              true,
+		"EnableSSHLocalPortForward":  true,
+		"EnableSSHRemotePortForward": true,
+		"DisableSSHAuth":             true,
 	}
 
 	val := reflect.ValueOf(req).Elem()
@@ -221,29 +226,34 @@ func TestCLIFlags_MappedToSetConfig(t *testing.T) {
 	// Map of CLI flag names to their corresponding SetConfigRequest field names.
 	// This map must be updated when adding new config-related CLI flags.
 	flagToField := map[string]string{
-		"management-url":         "ManagementUrl",
-		"admin-url":              "AdminURL",
-		"enable-rosenpass":       "RosenpassEnabled",
-		"rosenpass-permissive":   "RosenpassPermissive",
-		"allow-server-ssh":       "ServerSSHAllowed",
-		"interface-name":         "InterfaceName",
-		"wireguard-port":         "WireguardPort",
-		"preshared-key":          "OptionalPreSharedKey",
-		"disable-auto-connect":   "DisableAutoConnect",
-		"network-monitor":        "NetworkMonitor",
-		"disable-client-routes":  "DisableClientRoutes",
-		"disable-server-routes":  "DisableServerRoutes",
-		"disable-dns":            "DisableDns",
-		"disable-firewall":       "DisableFirewall",
-		"block-lan-access":       "BlockLanAccess",
-		"block-inbound":          "BlockInbound",
-		"enable-lazy-connection": "LazyConnectionEnabled",
-		"external-ip-map":        "NatExternalIPs",
-		"dns-resolver-address":   "CustomDNSAddress",
-		"extra-iface-blacklist":  "ExtraIFaceBlacklist",
-		"extra-dns-labels":       "DnsLabels",
-		"dns-router-interval":    "DnsRouteInterval",
-		"mtu":                    "Mtu",
+		"management-url":                    "ManagementUrl",
+		"admin-url":                         "AdminURL",
+		"enable-rosenpass":                  "RosenpassEnabled",
+		"rosenpass-permissive":              "RosenpassPermissive",
+		"allow-server-ssh":                  "ServerSSHAllowed",
+		"interface-name":                    "InterfaceName",
+		"wireguard-port":                    "WireguardPort",
+		"preshared-key":                     "OptionalPreSharedKey",
+		"disable-auto-connect":              "DisableAutoConnect",
+		"network-monitor":                   "NetworkMonitor",
+		"disable-client-routes":             "DisableClientRoutes",
+		"disable-server-routes":             "DisableServerRoutes",
+		"disable-dns":                       "DisableDns",
+		"disable-firewall":                  "DisableFirewall",
+		"block-lan-access":                  "BlockLanAccess",
+		"block-inbound":                     "BlockInbound",
+		"enable-lazy-connection":            "LazyConnectionEnabled",
+		"external-ip-map":                   "NatExternalIPs",
+		"dns-resolver-address":              "CustomDNSAddress",
+		"extra-iface-blacklist":             "ExtraIFaceBlacklist",
+		"extra-dns-labels":                  "DnsLabels",
+		"dns-router-interval":               "DnsRouteInterval",
+		"mtu":                               "Mtu",
+		"enable-ssh-root":                   "EnableSSHRoot",
+		"enable-ssh-sftp":                   "EnableSSHSFTP",
+		"enable-ssh-local-port-forwarding":  "EnableSSHLocalPortForward",
+		"enable-ssh-remote-port-forwarding": "EnableSSHRemotePortForward",
+		"disable-ssh-auth":                  "DisableSSHAuth",
 	}
 
 	// SetConfigRequest fields that don't have CLI flags (settable only via UI or other means).

client/server/state_generic.go

@@ -6,9 +6,11 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/ssh/config"
 )
 
 func registerStates(mgr *statemanager.Manager) {
 	mgr.RegisterState(&dns.ShutdownState{})
 	mgr.RegisterState(&systemops.ShutdownState{})
+	mgr.RegisterState(&config.ShutdownState{})
 }

client/server/state_linux.go

@@ -8,6 +8,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/ssh/config"
 )
 
 func registerStates(mgr *statemanager.Manager) {
@@ -15,4 +16,5 @@ func registerStates(mgr *statemanager.Manager) {
 	mgr.RegisterState(&systemops.ShutdownState{})
 	mgr.RegisterState(&nftables.ShutdownState{})
 	mgr.RegisterState(&iptables.ShutdownState{})
+	mgr.RegisterState(&config.ShutdownState{})
 }

client/ssh/client.go

@@ -1,118 +0,0 @@
-//go:build !js
-
-package ssh
-
-import (
-	"fmt"
-	"net"
-	"os"
-	"time"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/term"
-)
-
-// Client wraps crypto/ssh Client to simplify usage
-type Client struct {
-	client *ssh.Client
-}
-
-// Close closes the wrapped SSH Client
-func (c *Client) Close() error {
-	return c.client.Close()
-}
-
-// OpenTerminal starts an interactive terminal session with the remote SSH server
-func (c *Client) OpenTerminal() error {
-	session, err := c.client.NewSession()
-	if err != nil {
-		return fmt.Errorf("failed to open new session: %v", err)
-	}
-	defer func() {
-		err := session.Close()
-		if err != nil {
-			return
-		}
-	}()
-
-	fd := int(os.Stdout.Fd())
-	state, err := term.MakeRaw(fd)
-	if err != nil {
-		return fmt.Errorf("failed to run raw terminal: %s", err)
-	}
-	defer func() {
-		err := term.Restore(fd, state)
-		if err != nil {
-			return
-		}
-	}()
-
-	w, h, err := term.GetSize(fd)
-	if err != nil {
-		return fmt.Errorf("terminal get size: %s", err)
-	}
-
-	modes := ssh.TerminalModes{
-		ssh.ECHO:          1,
-		ssh.TTY_OP_ISPEED: 14400,
-		ssh.TTY_OP_OSPEED: 14400,
-	}
-
-	terminal := os.Getenv("TERM")
-	if terminal == "" {
-		terminal = "xterm-256color"
-	}
-	if err := session.RequestPty(terminal, h, w, modes); err != nil {
-		return fmt.Errorf("failed requesting pty session with xterm: %s", err)
-	}
-
-	session.Stdout = os.Stdout
-	session.Stderr = os.Stderr
-	session.Stdin = os.Stdin
-
-	if err := session.Shell(); err != nil {
-		return fmt.Errorf("failed to start login shell on the remote host: %s", err)
-	}
-
-	if err := session.Wait(); err != nil {
-		if e, ok := err.(*ssh.ExitError); ok {
-			if e.ExitStatus() == 130 {
-				return nil
-			}
-		}
-		return fmt.Errorf("failed running SSH session: %s", err)
-	}
-
-	return nil
-}
-
-// DialWithKey connects to the remote SSH server with a provided private key file (PEM).
-func DialWithKey(addr, user string, privateKey []byte) (*Client, error) {
-
-	signer, err := ssh.ParsePrivateKey(privateKey)
-	if err != nil {
-		return nil, err
-	}
-
-	config := &ssh.ClientConfig{
-		User:    user,
-		Timeout: 5 * time.Second,
-		Auth: []ssh.AuthMethod{
-			ssh.PublicKeys(signer),
-		},
-		HostKeyCallback: ssh.HostKeyCallback(func(hostname string, remote net.Addr, key ssh.PublicKey) error { return nil }),
-	}
-
-	return Dial("tcp", addr, config)
-}
-
-// Dial connects to the remote SSH server.
-func Dial(network, addr string, config *ssh.ClientConfig) (*Client, error) {
-	client, err := ssh.Dial(network, addr, config)
-	if err != nil {
-		return nil, err
-	}
-	return &Client{
-		client: client,
-	}, nil
-}

client/ssh/client/client.go

@@ -0,0 +1,692 @@
+package client
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/crypto/ssh/knownhosts"
+	"golang.org/x/term"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/proto"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/ssh/detection"
+)
+
+const (
+	// DefaultDaemonAddr is the default address for the NetBird daemon
+	DefaultDaemonAddr = "unix:///var/run/netbird.sock"
+	// DefaultDaemonAddrWindows is the default address for the NetBird daemon on Windows
+	DefaultDaemonAddrWindows = "tcp://127.0.0.1:41731"
+)
+
+// Client wraps crypto/ssh Client for simplified SSH operations
+type Client struct {
+	client        *ssh.Client
+	terminalState *term.State
+	terminalFd    int
+
+	windowsStdoutMode uint32 // nolint:unused
+	windowsStdinMode  uint32 // nolint:unused
+}
+
+func (c *Client) Close() error {
+	return c.client.Close()
+}
+
+func (c *Client) OpenTerminal(ctx context.Context) error {
+	session, err := c.client.NewSession()
+	if err != nil {
+		return fmt.Errorf("new session: %w", err)
+	}
+	defer func() {
+		if err := session.Close(); err != nil {
+			log.Debugf("session close error: %v", err)
+		}
+	}()
+
+	if err := c.setupTerminalMode(ctx, session); err != nil {
+		return err
+	}
+
+	c.setupSessionIO(session)
+
+	if err := session.Shell(); err != nil {
+		return fmt.Errorf("start shell: %w", err)
+	}
+
+	return c.waitForSession(ctx, session)
+}
+
+// setupSessionIO connects session streams to local terminal
+func (c *Client) setupSessionIO(session *ssh.Session) {
+	session.Stdout = os.Stdout
+	session.Stderr = os.Stderr
+	session.Stdin = os.Stdin
+}
+
+// waitForSession waits for the session to complete with context cancellation
+func (c *Client) waitForSession(ctx context.Context, session *ssh.Session) error {
+	done := make(chan error, 1)
+	go func() {
+		done <- session.Wait()
+	}()
+
+	defer c.restoreTerminal()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case err := <-done:
+		return c.handleSessionError(err)
+	}
+}
+
+// handleSessionError processes session termination errors
+func (c *Client) handleSessionError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	var e *ssh.ExitError
+	var em *ssh.ExitMissingError
+	if !errors.As(err, &e) && !errors.As(err, &em) {
+		return fmt.Errorf("session wait: %w", err)
+	}
+
+	return nil
+}
+
+// restoreTerminal restores the terminal to its original state
+func (c *Client) restoreTerminal() {
+	if c.terminalState != nil {
+		_ = term.Restore(c.terminalFd, c.terminalState)
+		c.terminalState = nil
+		c.terminalFd = 0
+	}
+
+	if err := c.restoreWindowsConsoleState(); err != nil {
+		log.Debugf("restore Windows console state: %v", err)
+	}
+}
+
+// ExecuteCommand executes a command on the remote host and returns the output
+func (c *Client) ExecuteCommand(ctx context.Context, command string) ([]byte, error) {
+	session, cleanup, err := c.createSession(ctx)
+	if err != nil {
+		return nil, err
+	}
+	defer cleanup()
+
+	output, err := session.CombinedOutput(command)
+	if err != nil {
+		var e *ssh.ExitError
+		var em *ssh.ExitMissingError
+		if !errors.As(err, &e) && !errors.As(err, &em) {
+			return output, fmt.Errorf("execute command: %w", err)
+		}
+	}
+
+	return output, nil
+}
+
+// ExecuteCommandWithIO executes a command with interactive I/O connected to local terminal
+func (c *Client) ExecuteCommandWithIO(ctx context.Context, command string) error {
+	session, cleanup, err := c.createSession(ctx)
+	if err != nil {
+		return fmt.Errorf("create session: %w", err)
+	}
+	defer cleanup()
+
+	c.setupSessionIO(session)
+
+	if err := session.Start(command); err != nil {
+		return fmt.Errorf("start command: %w", err)
+	}
+
+	done := make(chan error, 1)
+	go func() {
+		done <- session.Wait()
+	}()
+
+	select {
+	case <-ctx.Done():
+		_ = session.Signal(ssh.SIGTERM)
+		select {
+		case <-done:
+			return ctx.Err()
+		case <-time.After(100 * time.Millisecond):
+			return ctx.Err()
+		}
+	case err := <-done:
+		return c.handleCommandError(err)
+	}
+}
+
+// ExecuteCommandWithPTY executes a command with a pseudo-terminal for interactive sessions
+func (c *Client) ExecuteCommandWithPTY(ctx context.Context, command string) error {
+	session, cleanup, err := c.createSession(ctx)
+	if err != nil {
+		return fmt.Errorf("create session: %w", err)
+	}
+	defer cleanup()
+
+	if err := c.setupTerminalMode(ctx, session); err != nil {
+		return fmt.Errorf("setup terminal mode: %w", err)
+	}
+
+	c.setupSessionIO(session)
+
+	if err := session.Start(command); err != nil {
+		return fmt.Errorf("start command: %w", err)
+	}
+
+	defer c.restoreTerminal()
+
+	done := make(chan error, 1)
+	go func() {
+		done <- session.Wait()
+	}()
+
+	select {
+	case <-ctx.Done():
+		_ = session.Signal(ssh.SIGTERM)
+		select {
+		case <-done:
+			return ctx.Err()
+		case <-time.After(100 * time.Millisecond):
+			return ctx.Err()
+		}
+	case err := <-done:
+		return c.handleCommandError(err)
+	}
+}
+
+// handleCommandError processes command execution errors, treating exit codes as normal
+func (c *Client) handleCommandError(err error) error {
+	if err == nil {
+		return nil
+	}
+
+	var e *ssh.ExitError
+	var em *ssh.ExitMissingError
+	if !errors.As(err, &e) && !errors.As(err, &em) {
+		return fmt.Errorf("execute command: %w", err)
+	}
+
+	return nil
+}
+
+// setupContextCancellation sets up context cancellation for a session
+func (c *Client) setupContextCancellation(ctx context.Context, session *ssh.Session) func() {
+	done := make(chan struct{})
+	go func() {
+		select {
+		case <-ctx.Done():
+			_ = session.Signal(ssh.SIGTERM)
+			_ = session.Close()
+		case <-done:
+		}
+	}()
+	return func() { close(done) }
+}
+
+// createSession creates a new SSH session with context cancellation setup
+func (c *Client) createSession(ctx context.Context) (*ssh.Session, func(), error) {
+	session, err := c.client.NewSession()
+	if err != nil {
+		return nil, nil, fmt.Errorf("new session: %w", err)
+	}
+
+	cancel := c.setupContextCancellation(ctx, session)
+	cleanup := func() {
+		cancel()
+		_ = session.Close()
+	}
+
+	return session, cleanup, nil
+}
+
+// getDefaultDaemonAddr returns the daemon address from environment or default for the OS
+func getDefaultDaemonAddr() string {
+	if addr := os.Getenv("NB_DAEMON_ADDR"); addr != "" {
+		return addr
+	}
+	if runtime.GOOS == "windows" {
+		return DefaultDaemonAddrWindows
+	}
+	return DefaultDaemonAddr
+}
+
+// DialOptions contains options for SSH connections
+type DialOptions struct {
+	KnownHostsFile     string
+	IdentityFile       string
+	DaemonAddr         string
+	SkipCachedToken    bool
+	InsecureSkipVerify bool
+}
+
+// Dial connects to the given ssh server with specified options
+func Dial(ctx context.Context, addr, user string, opts DialOptions) (*Client, error) {
+	hostKeyCallback, err := createHostKeyCallback(opts)
+	if err != nil {
+		return nil, fmt.Errorf("create host key callback: %w", err)
+	}
+
+	config := &ssh.ClientConfig{
+		User:            user,
+		Timeout:         30 * time.Second,
+		HostKeyCallback: hostKeyCallback,
+	}
+
+	if opts.IdentityFile != "" {
+		authMethod, err := createSSHKeyAuth(opts.IdentityFile)
+		if err != nil {
+			return nil, fmt.Errorf("create SSH key auth: %w", err)
+		}
+		config.Auth = append(config.Auth, authMethod)
+	}
+
+	daemonAddr := opts.DaemonAddr
+	if daemonAddr == "" {
+		daemonAddr = getDefaultDaemonAddr()
+	}
+
+	return dialWithJWT(ctx, "tcp", addr, config, daemonAddr, opts.SkipCachedToken)
+}
+
+// dialSSH establishes an SSH connection without JWT authentication
+func dialSSH(ctx context.Context, network, addr string, config *ssh.ClientConfig) (*Client, error) {
+	dialer := &net.Dialer{}
+	conn, err := dialer.DialContext(ctx, network, addr)
+	if err != nil {
+		return nil, fmt.Errorf("dial %s: %w", addr, err)
+	}
+
+	clientConn, chans, reqs, err := ssh.NewClientConn(conn, addr, config)
+	if err != nil {
+		if closeErr := conn.Close(); closeErr != nil {
+			log.Debugf("connection close after handshake failure: %v", closeErr)
+		}
+		return nil, fmt.Errorf("ssh handshake: %w", err)
+	}
+
+	client := ssh.NewClient(clientConn, chans, reqs)
+	return &Client{
+		client: client,
+	}, nil
+}
+
+// dialWithJWT establishes an SSH connection with optional JWT authentication based on server detection
+func dialWithJWT(ctx context.Context, network, addr string, config *ssh.ClientConfig, daemonAddr string, skipCache bool) (*Client, error) {
+	host, portStr, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, fmt.Errorf("parse address %s: %w", addr, err)
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return nil, fmt.Errorf("parse port %s: %w", portStr, err)
+	}
+
+	dialer := &net.Dialer{Timeout: detection.Timeout}
+	serverType, err := detection.DetectSSHServerType(ctx, dialer, host, port)
+	if err != nil {
+		return nil, fmt.Errorf("SSH server detection failed: %w", err)
+	}
+
+	if !serverType.RequiresJWT() {
+		return dialSSH(ctx, network, addr, config)
+	}
+
+	jwtCtx, cancel := context.WithTimeout(ctx, config.Timeout)
+	defer cancel()
+
+	jwtToken, err := requestJWTToken(jwtCtx, daemonAddr, skipCache)
+	if err != nil {
+		return nil, fmt.Errorf("request JWT token: %w", err)
+	}
+
+	configWithJWT := nbssh.AddJWTAuth(config, jwtToken)
+	return dialSSH(ctx, network, addr, configWithJWT)
+}
+
+// requestJWTToken requests a JWT token from the NetBird daemon
+func requestJWTToken(ctx context.Context, daemonAddr string, skipCache bool) (string, error) {
+	conn, err := connectToDaemon(daemonAddr)
+	if err != nil {
+		return "", fmt.Errorf("connect to daemon: %w", err)
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	return nbssh.RequestJWTToken(ctx, client, os.Stdout, os.Stderr, !skipCache)
+}
+
+// verifyHostKeyViaDaemon verifies SSH host key by querying the NetBird daemon
+func verifyHostKeyViaDaemon(hostname string, remote net.Addr, key ssh.PublicKey, daemonAddr string) error {
+	conn, err := connectToDaemon(daemonAddr)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Debugf("daemon connection close error: %v", err)
+		}
+	}()
+
+	client := proto.NewDaemonServiceClient(conn)
+	verifier := nbssh.NewDaemonHostKeyVerifier(client)
+	callback := nbssh.CreateHostKeyCallback(verifier)
+	return callback(hostname, remote, key)
+}
+
+func connectToDaemon(daemonAddr string) (*grpc.ClientConn, error) {
+	addr := strings.TrimPrefix(daemonAddr, "tcp://")
+
+	conn, err := grpc.NewClient(
+		addr,
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		log.Debugf("failed to create gRPC client for NetBird daemon at %s: %v", daemonAddr, err)
+		return nil, fmt.Errorf("failed to connect to NetBird daemon: %w", err)
+	}
+
+	return conn, nil
+}
+
+// getKnownHostsFiles returns paths to known_hosts files in order of preference
+func getKnownHostsFiles() []string {
+	var files []string
+
+	// User's known_hosts file (highest priority)
+	if homeDir, err := os.UserHomeDir(); err == nil {
+		userKnownHosts := filepath.Join(homeDir, ".ssh", "known_hosts")
+		files = append(files, userKnownHosts)
+	}
+
+	// NetBird managed known_hosts files
+	if runtime.GOOS == "windows" {
+		programData := os.Getenv("PROGRAMDATA")
+		if programData == "" {
+			programData = `C:\ProgramData`
+		}
+		netbirdKnownHosts := filepath.Join(programData, "ssh", "ssh_known_hosts.d", "99-netbird")
+		files = append(files, netbirdKnownHosts)
+	} else {
+		files = append(files, "/etc/ssh/ssh_known_hosts.d/99-netbird")
+		files = append(files, "/etc/ssh/ssh_known_hosts")
+	}
+
+	return files
+}
+
+// createHostKeyCallback creates a host key verification callback
+func createHostKeyCallback(opts DialOptions) (ssh.HostKeyCallback, error) {
+	if opts.InsecureSkipVerify {
+		return ssh.InsecureIgnoreHostKey(), nil // #nosec G106 - User explicitly requested insecure mode
+	}
+
+	return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+		if err := tryDaemonVerification(hostname, remote, key, opts.DaemonAddr); err == nil {
+			return nil
+		}
+		return tryKnownHostsVerification(hostname, remote, key, opts.KnownHostsFile)
+	}, nil
+}
+
+func tryDaemonVerification(hostname string, remote net.Addr, key ssh.PublicKey, daemonAddr string) error {
+	if daemonAddr == "" {
+		return fmt.Errorf("no daemon address")
+	}
+	return verifyHostKeyViaDaemon(hostname, remote, key, daemonAddr)
+}
+
+func tryKnownHostsVerification(hostname string, remote net.Addr, key ssh.PublicKey, knownHostsFile string) error {
+	knownHostsFiles := getKnownHostsFilesList(knownHostsFile)
+	hostKeyCallbacks := buildHostKeyCallbacks(knownHostsFiles)
+
+	for _, callback := range hostKeyCallbacks {
+		if err := callback(hostname, remote, key); err == nil {
+			return nil
+		}
+	}
+	return fmt.Errorf("host key verification failed: key not found in NetBird daemon or any known_hosts file")
+}
+
+func getKnownHostsFilesList(knownHostsFile string) []string {
+	if knownHostsFile != "" {
+		return []string{knownHostsFile}
+	}
+	return getKnownHostsFiles()
+}
+
+func buildHostKeyCallbacks(knownHostsFiles []string) []ssh.HostKeyCallback {
+	var hostKeyCallbacks []ssh.HostKeyCallback
+	for _, file := range knownHostsFiles {
+		if callback, err := knownhosts.New(file); err == nil {
+			hostKeyCallbacks = append(hostKeyCallbacks, callback)
+		}
+	}
+	return hostKeyCallbacks
+}
+
+// createSSHKeyAuth creates SSH key authentication from a private key file
+func createSSHKeyAuth(keyFile string) (ssh.AuthMethod, error) {
+	keyData, err := os.ReadFile(keyFile)
+	if err != nil {
+		return nil, fmt.Errorf("read SSH key file %s: %w", keyFile, err)
+	}
+
+	signer, err := ssh.ParsePrivateKey(keyData)
+	if err != nil {
+		return nil, fmt.Errorf("parse SSH private key: %w", err)
+	}
+
+	return ssh.PublicKeys(signer), nil
+}
+
+// LocalPortForward sets up local port forwarding, binding to localAddr and forwarding to remoteAddr
+func (c *Client) LocalPortForward(ctx context.Context, localAddr, remoteAddr string) error {
+	localListener, err := net.Listen("tcp", localAddr)
+	if err != nil {
+		return fmt.Errorf("listen on %s: %w", localAddr, err)
+	}
+
+	go func() {
+		defer func() {
+			if err := localListener.Close(); err != nil {
+				log.Debugf("local listener close error: %v", err)
+			}
+		}()
+		for {
+			localConn, err := localListener.Accept()
+			if err != nil {
+				if ctx.Err() != nil {
+					return
+				}
+				continue
+			}
+
+			go c.handleLocalForward(localConn, remoteAddr)
+		}
+	}()
+
+	<-ctx.Done()
+	return ctx.Err()
+}
+
+// handleLocalForward handles a single local port forwarding connection
+func (c *Client) handleLocalForward(localConn net.Conn, remoteAddr string) {
+	defer func() {
+		if err := localConn.Close(); err != nil {
+			log.Debugf("local connection close error: %v", err)
+		}
+	}()
+
+	channel, err := c.client.Dial("tcp", remoteAddr)
+	if err != nil {
+		if strings.Contains(err.Error(), "administratively prohibited") {
+			_, _ = fmt.Fprintf(os.Stderr, "channel open failed: administratively prohibited: port forwarding is disabled\n")
+		} else {
+			log.Debugf("local port forwarding to %s failed: %v", remoteAddr, err)
+		}
+		return
+	}
+	defer func() {
+		if err := channel.Close(); err != nil {
+			log.Debugf("remote channel close error: %v", err)
+		}
+	}()
+
+	go func() {
+		if _, err := io.Copy(channel, localConn); err != nil {
+			log.Debugf("local forward copy error (local->remote): %v", err)
+		}
+	}()
+
+	if _, err := io.Copy(localConn, channel); err != nil {
+		log.Debugf("local forward copy error (remote->local): %v", err)
+	}
+}
+
+// RemotePortForward sets up remote port forwarding, binding on remote and forwarding to localAddr
+func (c *Client) RemotePortForward(ctx context.Context, remoteAddr, localAddr string) error {
+	host, port, err := c.parseRemoteAddress(remoteAddr)
+	if err != nil {
+		return fmt.Errorf("parse remote address: %w", err)
+	}
+
+	req := c.buildTCPIPForwardRequest(host, port)
+	if err := c.sendTCPIPForwardRequest(req); err != nil {
+		return fmt.Errorf("setup remote forward: %w", err)
+	}
+
+	go c.handleRemoteForwardChannels(ctx, localAddr)
+
+	<-ctx.Done()
+
+	if err := c.cancelTCPIPForwardRequest(req); err != nil {
+		return fmt.Errorf("cancel tcpip-forward: %w", err)
+	}
+	return ctx.Err()
+}
+
+// parseRemoteAddress parses host and port from remote address string
+func (c *Client) parseRemoteAddress(remoteAddr string) (string, uint32, error) {
+	host, portStr, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		return "", 0, fmt.Errorf("parse remote address %s: %w", remoteAddr, err)
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return "", 0, fmt.Errorf("parse remote port %s: %w", portStr, err)
+	}
+
+	return host, uint32(port), nil
+}
+
+// buildTCPIPForwardRequest creates a tcpip-forward request message
+func (c *Client) buildTCPIPForwardRequest(host string, port uint32) tcpipForwardMsg {
+	return tcpipForwardMsg{
+		Host: host,
+		Port: port,
+	}
+}
+
+// sendTCPIPForwardRequest sends the tcpip-forward request to establish remote port forwarding
+func (c *Client) sendTCPIPForwardRequest(req tcpipForwardMsg) error {
+	ok, _, err := c.client.SendRequest("tcpip-forward", true, ssh.Marshal(&req))
+	if err != nil {
+		return fmt.Errorf("send tcpip-forward request: %w", err)
+	}
+	if !ok {
+		return fmt.Errorf("remote port forwarding denied by server (check if --allow-ssh-remote-port-forwarding is enabled)")
+	}
+	return nil
+}
+
+// cancelTCPIPForwardRequest cancels the tcpip-forward request
+func (c *Client) cancelTCPIPForwardRequest(req tcpipForwardMsg) error {
+	_, _, err := c.client.SendRequest("cancel-tcpip-forward", true, ssh.Marshal(&req))
+	if err != nil {
+		return fmt.Errorf("send cancel-tcpip-forward request: %w", err)
+	}
+	return nil
+}
+
+// handleRemoteForwardChannels handles incoming forwarded-tcpip channels
+func (c *Client) handleRemoteForwardChannels(ctx context.Context, localAddr string) {
+	// Get the channel once - subsequent calls return nil!
+	channelRequests := c.client.HandleChannelOpen("forwarded-tcpip")
+	if channelRequests == nil {
+		log.Debugf("forwarded-tcpip channel type already being handled")
+		return
+	}
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case newChan := <-channelRequests:
+			if newChan != nil {
+				go c.handleRemoteForwardChannel(newChan, localAddr)
+			}
+		}
+	}
+}
+
+// handleRemoteForwardChannel handles a single forwarded-tcpip channel
+func (c *Client) handleRemoteForwardChannel(newChan ssh.NewChannel, localAddr string) {
+	channel, reqs, err := newChan.Accept()
+	if err != nil {
+		return
+	}
+	defer func() {
+		if err := channel.Close(); err != nil {
+			log.Debugf("remote channel close error: %v", err)
+		}
+	}()
+
+	go ssh.DiscardRequests(reqs)
+
+	localConn, err := net.Dial("tcp", localAddr)
+	if err != nil {
+		return
+	}
+	defer func() {
+		if err := localConn.Close(); err != nil {
+			log.Debugf("local connection close error: %v", err)
+		}
+	}()
+
+	go func() {
+		if _, err := io.Copy(localConn, channel); err != nil {
+			log.Debugf("remote forward copy error (remote->local): %v", err)
+		}
+	}()
+
+	if _, err := io.Copy(channel, localConn); err != nil {
+		log.Debugf("remote forward copy error (local->remote): %v", err)
+	}
+}
+
+// tcpipForwardMsg represents the structure for tcpip-forward requests
+type tcpipForwardMsg struct {
+	Host string
+	Port uint32
+}

client/ssh/client/client_test.go

@@ -0,0 +1,512 @@
+package client
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/user"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	cryptossh "golang.org/x/crypto/ssh"
+
+	"github.com/netbirdio/netbird/client/ssh"
+	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+	"github.com/netbirdio/netbird/client/ssh/testutil"
+)
+
+// TestMain handles package-level setup and cleanup
+func TestMain(m *testing.M) {
+	// Guard against infinite recursion when test binary is called as "netbird ssh exec"
+	// This happens when running tests as non-privileged user with fallback
+	if len(os.Args) > 2 && os.Args[1] == "ssh" && os.Args[2] == "exec" {
+		// Just exit with error to break the recursion
+		fmt.Fprintf(os.Stderr, "Test binary called as 'ssh exec' - preventing infinite recursion\n")
+		os.Exit(1)
+	}
+
+	// Run tests
+	code := m.Run()
+
+	// Cleanup any created test users
+	testutil.CleanupTestUsers()
+
+	os.Exit(code)
+}
+
+func TestSSHClient_DialWithKey(t *testing.T) {
+	// Generate host key for server
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	// Create and start server
+	serverConfig := &sshserver.Config{
+		HostKeyPEM: hostKey,
+		JWT:        nil,
+	}
+	server := sshserver.New(serverConfig)
+	server.SetAllowRootLogin(true) // Allow root/admin login for tests
+
+	serverAddr := sshserver.StartTestServer(t, server)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+
+	// Test Dial
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	currentUser := testutil.GetTestUsername(t)
+	client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
+		InsecureSkipVerify: true,
+	})
+	require.NoError(t, err)
+	defer func() {
+		err := client.Close()
+		assert.NoError(t, err)
+	}()
+
+	// Verify client is connected
+	assert.NotNil(t, client.client)
+}
+
+func TestSSHClient_CommandExecution(t *testing.T) {
+	if runtime.GOOS == "windows" && testutil.IsCI() {
+		t.Skip("Skipping Windows command execution tests in CI due to S4U authentication issues")
+	}
+
+	server, _, client := setupTestSSHServerAndClient(t)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+	defer func() {
+		err := client.Close()
+		assert.NoError(t, err)
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	t.Run("ExecuteCommand captures output", func(t *testing.T) {
+		output, err := client.ExecuteCommand(ctx, "echo hello")
+		assert.NoError(t, err)
+		assert.Contains(t, string(output), "hello")
+	})
+
+	t.Run("ExecuteCommandWithIO streams output", func(t *testing.T) {
+		err := client.ExecuteCommandWithIO(ctx, "echo world")
+		assert.NoError(t, err)
+	})
+
+	t.Run("commands with flags work", func(t *testing.T) {
+		output, err := client.ExecuteCommand(ctx, "echo -n test_flag")
+		assert.NoError(t, err)
+		assert.Equal(t, "test_flag", strings.TrimSpace(string(output)))
+	})
+
+	t.Run("non-zero exit codes don't return errors", func(t *testing.T) {
+		var testCmd string
+		if runtime.GOOS == "windows" {
+			testCmd = "echo hello | Select-String notfound"
+		} else {
+			testCmd = "echo 'hello' | grep 'notfound'"
+		}
+		_, err := client.ExecuteCommand(ctx, testCmd)
+		assert.NoError(t, err)
+	})
+}
+
+func TestSSHClient_ConnectionHandling(t *testing.T) {
+	server, serverAddr, _ := setupTestSSHServerAndClient(t)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+
+	// Generate client key for multiple connections
+
+	const numClients = 3
+	clients := make([]*Client, numClients)
+
+	for i := 0; i < numClients; i++ {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		currentUser := testutil.GetTestUsername(t)
+		client, err := Dial(ctx, serverAddr, fmt.Sprintf("%s-%d", currentUser, i), DialOptions{
+			InsecureSkipVerify: true,
+		})
+		cancel()
+		require.NoError(t, err, "Client %d should connect successfully", i)
+		clients[i] = client
+	}
+
+	for i, client := range clients {
+		err := client.Close()
+		assert.NoError(t, err, "Client %d should close without error", i)
+	}
+}
+
+func TestSSHClient_ContextCancellation(t *testing.T) {
+	server, serverAddr, _ := setupTestSSHServerAndClient(t)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+
+	t.Run("connection with short timeout", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Millisecond)
+		defer cancel()
+
+		currentUser := testutil.GetTestUsername(t)
+		_, err := Dial(ctx, serverAddr, currentUser, DialOptions{
+			InsecureSkipVerify: true,
+		})
+		if err != nil {
+			// Check for actual timeout-related errors rather than string matching
+			assert.True(t,
+				errors.Is(err, context.DeadlineExceeded) ||
+					errors.Is(err, context.Canceled) ||
+					strings.Contains(err.Error(), "timeout"),
+				"Expected timeout-related error, got: %v", err)
+		}
+	})
+
+	t.Run("command execution cancellation", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		currentUser := testutil.GetTestUsername(t)
+		client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
+			InsecureSkipVerify: true,
+		})
+		require.NoError(t, err)
+		defer func() {
+			if err := client.Close(); err != nil {
+				t.Logf("client close error: %v", err)
+			}
+		}()
+
+		cmdCtx, cmdCancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+		defer cmdCancel()
+
+		err = client.ExecuteCommandWithPTY(cmdCtx, "sleep 10")
+		if err != nil {
+			var exitMissingErr *cryptossh.ExitMissingError
+			isValidCancellation := errors.Is(err, context.DeadlineExceeded) ||
+				errors.Is(err, context.Canceled) ||
+				errors.As(err, &exitMissingErr)
+			assert.True(t, isValidCancellation, "Should handle command cancellation properly")
+		}
+	})
+}
+
+func TestSSHClient_NoAuthMode(t *testing.T) {
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	serverConfig := &sshserver.Config{
+		HostKeyPEM: hostKey,
+		JWT:        nil,
+	}
+	server := sshserver.New(serverConfig)
+	server.SetAllowRootLogin(true) // Allow root/admin login for tests
+
+	serverAddr := sshserver.StartTestServer(t, server)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	currentUser := testutil.GetTestUsername(t)
+
+	t.Run("any key succeeds in no-auth mode", func(t *testing.T) {
+		client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
+			InsecureSkipVerify: true,
+		})
+		assert.NoError(t, err)
+		if client != nil {
+			require.NoError(t, client.Close(), "Client should close without error")
+		}
+	})
+}
+
+func TestSSHClient_TerminalState(t *testing.T) {
+	server, _, client := setupTestSSHServerAndClient(t)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+	defer func() {
+		err := client.Close()
+		assert.NoError(t, err)
+	}()
+
+	assert.Nil(t, client.terminalState)
+	assert.Equal(t, 0, client.terminalFd)
+
+	client.restoreTerminal()
+	assert.Nil(t, client.terminalState)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
+	defer cancel()
+
+	err := client.OpenTerminal(ctx)
+	// In test environment without a real terminal, this may complete quickly or timeout
+	// Both behaviors are acceptable for testing terminal state management
+	if err != nil {
+		if runtime.GOOS == "windows" {
+			assert.True(t,
+				strings.Contains(err.Error(), "context deadline exceeded") ||
+					strings.Contains(err.Error(), "console"),
+				"Should timeout or have console error on Windows")
+		} else {
+			// On Unix systems in test environment, we may get various errors
+			// including timeouts or terminal-related errors
+			assert.True(t,
+				strings.Contains(err.Error(), "context deadline exceeded") ||
+					strings.Contains(err.Error(), "terminal") ||
+					strings.Contains(err.Error(), "pty"),
+				"Expected timeout or terminal-related error, got: %v", err)
+		}
+	}
+}
+
+func setupTestSSHServerAndClient(t *testing.T) (*sshserver.Server, string, *Client) {
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	serverConfig := &sshserver.Config{
+		HostKeyPEM: hostKey,
+		JWT:        nil,
+	}
+	server := sshserver.New(serverConfig)
+	server.SetAllowRootLogin(true) // Allow root/admin login for tests
+
+	serverAddr := sshserver.StartTestServer(t, server)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	currentUser := testutil.GetTestUsername(t)
+	client, err := Dial(ctx, serverAddr, currentUser, DialOptions{
+		InsecureSkipVerify: true,
+	})
+	require.NoError(t, err)
+
+	return server, serverAddr, client
+}
+
+func TestSSHClient_PortForwarding(t *testing.T) {
+	server, _, client := setupTestSSHServerAndClient(t)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+	defer func() {
+		err := client.Close()
+		assert.NoError(t, err)
+	}()
+
+	t.Run("local forwarding times out gracefully", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
+		defer cancel()
+
+		err := client.LocalPortForward(ctx, "127.0.0.1:0", "127.0.0.1:8080")
+		assert.Error(t, err)
+		assert.True(t,
+			errors.Is(err, context.DeadlineExceeded) ||
+				errors.Is(err, context.Canceled) ||
+				strings.Contains(err.Error(), "connection"),
+			"Expected context or connection error")
+	})
+
+	t.Run("remote forwarding denied", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+
+		err := client.RemotePortForward(ctx, "127.0.0.1:0", "127.0.0.1:8080")
+		assert.Error(t, err)
+		assert.True(t,
+			strings.Contains(err.Error(), "denied") ||
+				strings.Contains(err.Error(), "disabled"),
+			"Should be denied by default")
+	})
+
+	t.Run("invalid addresses fail", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+		defer cancel()
+
+		err := client.LocalPortForward(ctx, "invalid:address", "127.0.0.1:8080")
+		assert.Error(t, err)
+
+		err = client.LocalPortForward(ctx, "127.0.0.1:0", "invalid:address")
+		assert.Error(t, err)
+	})
+}
+
+func TestSSHClient_PortForwardingDataTransfer(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping data transfer test in short mode")
+	}
+
+	hostKey, err := ssh.GeneratePrivateKey(ssh.ED25519)
+	require.NoError(t, err)
+
+	serverConfig := &sshserver.Config{
+		HostKeyPEM: hostKey,
+		JWT:        nil,
+	}
+	server := sshserver.New(serverConfig)
+	server.SetAllowLocalPortForwarding(true)
+	server.SetAllowRootLogin(true) // Allow root/admin login for tests
+
+	serverAddr := sshserver.StartTestServer(t, server)
+	defer func() {
+		err := server.Stop()
+		require.NoError(t, err)
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	// Port forwarding requires the actual current user, not test user
+	realUser, err := getRealCurrentUser()
+	require.NoError(t, err)
+
+	// Skip if running as system account that can't do port forwarding
+	if testutil.IsSystemAccount(realUser) {
+		t.Skipf("Skipping port forwarding test - running as system account: %s", realUser)
+	}
+
+	client, err := Dial(ctx, serverAddr, realUser, DialOptions{
+		InsecureSkipVerify: true, // Skip host key verification for test
+	})
+	require.NoError(t, err)
+	defer func() {
+		if err := client.Close(); err != nil {
+			t.Logf("client close error: %v", err)
+		}
+	}()
+
+	testServer, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer func() {
+		if err := testServer.Close(); err != nil {
+			t.Logf("test server close error: %v", err)
+		}
+	}()
+
+	testServerAddr := testServer.Addr().String()
+	expectedResponse := "Hello, World!"
+
+	go func() {
+		for {
+			conn, err := testServer.Accept()
+			if err != nil {
+				return
+			}
+			go func(c net.Conn) {
+				defer func() {
+					if err := c.Close(); err != nil {
+						t.Logf("connection close error: %v", err)
+					}
+				}()
+				buf := make([]byte, 1024)
+				if _, err := c.Read(buf); err != nil {
+					t.Logf("connection read error: %v", err)
+					return
+				}
+				if _, err := c.Write([]byte(expectedResponse)); err != nil {
+					t.Logf("connection write error: %v", err)
+				}
+			}(conn)
+		}
+	}()
+
+	localListener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	localAddr := localListener.Addr().String()
+	if err := localListener.Close(); err != nil {
+		t.Logf("local listener close error: %v", err)
+	}
+
+	ctx, cancel = context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	go func() {
+		err := client.LocalPortForward(ctx, localAddr, testServerAddr)
+		if err != nil && !errors.Is(err, context.Canceled) {
+			if isWindowsPrivilegeError(err) {
+				t.Logf("Port forward failed due to Windows privilege restrictions: %v", err)
+			} else {
+				t.Logf("Port forward error: %v", err)
+			}
+		}
+	}()
+
+	time.Sleep(100 * time.Millisecond)
+
+	conn, err := net.DialTimeout("tcp", localAddr, 2*time.Second)
+	require.NoError(t, err)
+	defer func() {
+		if err := conn.Close(); err != nil {
+			t.Logf("connection close error: %v", err)
+		}
+	}()
+
+	_, err = conn.Write([]byte("test"))
+	require.NoError(t, err)
+
+	if err := conn.SetReadDeadline(time.Now().Add(2 * time.Second)); err != nil {
+		t.Logf("set read deadline error: %v", err)
+	}
+	response := make([]byte, len(expectedResponse))
+	n, err := io.ReadFull(conn, response)
+	require.NoError(t, err)
+	assert.Equal(t, len(expectedResponse), n)
+	assert.Equal(t, expectedResponse, string(response))
+}
+
+// getRealCurrentUser returns the actual current user (not test user) for features like port forwarding
+func getRealCurrentUser() (string, error) {
+	if runtime.GOOS == "windows" {
+		if currentUser, err := user.Current(); err == nil {
+			return currentUser.Username, nil
+		}
+	}
+
+	if username := os.Getenv("USER"); username != "" {
+		return username, nil
+	}
+
+	if currentUser, err := user.Current(); err == nil {
+		return currentUser.Username, nil
+	}
+
+	return "", fmt.Errorf("unable to determine current user")
+}
+
+// isWindowsPrivilegeError checks if an error is related to Windows privilege restrictions
+func isWindowsPrivilegeError(err error) bool {
+	if err == nil {
+		return false
+	}
+
+	errStr := strings.ToLower(err.Error())
+	return strings.Contains(errStr, "ntstatus=0xc0000062") || // STATUS_PRIVILEGE_NOT_HELD
+		strings.Contains(errStr, "0xc0000041") || // STATUS_PRIVILEGE_NOT_HELD (LsaRegisterLogonProcess)
+		strings.Contains(errStr, "0xc0000062") || // STATUS_PRIVILEGE_NOT_HELD (LsaLogonUser)
+		strings.Contains(errStr, "privilege") ||
+		strings.Contains(errStr, "access denied") ||
+		strings.Contains(errStr, "user authentication failed")
+}

client/ssh/client/terminal_unix.go

@@ -0,0 +1,135 @@
+//go:build !windows
+
+package client
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/signal"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
+	"golang.org/x/term"
+)
+
+func (c *Client) setupTerminalMode(ctx context.Context, session *ssh.Session) error {
+	fd := int(os.Stdout.Fd())
+
+	if !term.IsTerminal(fd) {
+		return c.setupNonTerminalMode(ctx, session)
+	}
+
+	state, err := term.MakeRaw(fd)
+	if err != nil {
+		return c.setupNonTerminalMode(ctx, session)
+	}
+
+	c.terminalState = state
+	c.terminalFd = fd
+
+	sigChan := make(chan os.Signal, 1)
+	signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT)
+
+	go func() {
+		defer signal.Stop(sigChan)
+		select {
+		case <-ctx.Done():
+			if err := term.Restore(fd, state); err != nil {
+				log.Debugf("restore terminal state: %v", err)
+			}
+		case sig := <-sigChan:
+			if err := term.Restore(fd, state); err != nil {
+				log.Debugf("restore terminal state: %v", err)
+			}
+			signal.Reset(sig)
+			s, ok := sig.(syscall.Signal)
+			if !ok {
+				log.Debugf("signal %v is not a syscall.Signal: %T", sig, sig)
+				return
+			}
+			if err := syscall.Kill(syscall.Getpid(), s); err != nil {
+				log.Debugf("kill process with signal %v: %v", s, err)
+			}
+		}
+	}()
+
+	return c.setupTerminal(session, fd)
+}
+
+func (c *Client) setupNonTerminalMode(_ context.Context, session *ssh.Session) error {
+	w, h := 80, 24
+
+	modes := ssh.TerminalModes{
+		ssh.ECHO:          1,
+		ssh.TTY_OP_ISPEED: 14400,
+		ssh.TTY_OP_OSPEED: 14400,
+	}
+
+	terminal := os.Getenv("TERM")
+	if terminal == "" {
+		terminal = "xterm-256color"
+	}
+
+	if err := session.RequestPty(terminal, h, w, modes); err != nil {
+		return fmt.Errorf("request pty: %w", err)
+	}
+
+	return nil
+}
+
+// restoreWindowsConsoleState is a no-op on Unix systems
+func (c *Client) restoreWindowsConsoleState() error {
+	return nil
+}
+
+func (c *Client) setupTerminal(session *ssh.Session, fd int) error {
+	w, h, err := term.GetSize(fd)
+	if err != nil {
+		return fmt.Errorf("get terminal size: %w", err)
+	}
+
+	modes := ssh.TerminalModes{
+		ssh.ECHO:          1,
+		ssh.TTY_OP_ISPEED: 14400,
+		ssh.TTY_OP_OSPEED: 14400,
+		// Ctrl+C
+		ssh.VINTR: 3,
+		// Ctrl+\
+		ssh.VQUIT: 28,
+		// Backspace
+		ssh.VERASE: 127,
+		// Ctrl+U
+		ssh.VKILL: 21,
+		// Ctrl+D
+		ssh.VEOF:  4,
+		ssh.VEOL:  0,
+		ssh.VEOL2: 0,
+		// Ctrl+Q
+		ssh.VSTART: 17,
+		// Ctrl+S
+		ssh.VSTOP: 19,
+		// Ctrl+Z
+		ssh.VSUSP: 26,
+		// Ctrl+O
+		ssh.VDISCARD: 15,
+		// Ctrl+R
+		ssh.VREPRINT: 18,
+		// Ctrl+W
+		ssh.VWERASE: 23,
+		// Ctrl+V
+		ssh.VLNEXT: 22,
+	}
+
+	terminal := os.Getenv("TERM")
+	if terminal == "" {
+		terminal = "xterm-256color"
+	}
+
+	if err := session.RequestPty(terminal, h, w, modes); err != nil {
+		return fmt.Errorf("request pty: %w", err)
+	}
+
+	return nil
+}

client/ssh/client/terminal_windows.go

@@ -0,0 +1,259 @@
+package client
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"os"
+	"syscall"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
+)
+
+const (
+	enableProcessedInput            = 0x0001
+	enableLineInput                 = 0x0002
+	enableEchoInput                 = 0x0004 // Input mode: ENABLE_ECHO_INPUT
+	enableVirtualTerminalProcessing = 0x0004 // Output mode: ENABLE_VIRTUAL_TERMINAL_PROCESSING (same value, different mode)
+	enableVirtualTerminalInput      = 0x0200
+)
+
+var (
+	kernel32                       = syscall.NewLazyDLL("kernel32.dll")
+	procGetConsoleMode             = kernel32.NewProc("GetConsoleMode")
+	procSetConsoleMode             = kernel32.NewProc("SetConsoleMode")
+	procGetConsoleScreenBufferInfo = kernel32.NewProc("GetConsoleScreenBufferInfo")
+)
+
+// ConsoleUnavailableError indicates that Windows console handles are not available
+// (e.g., in CI environments where stdout/stdin are redirected)
+type ConsoleUnavailableError struct {
+	Operation string
+	Err       error
+}
+
+func (e *ConsoleUnavailableError) Error() string {
+	return fmt.Sprintf("console unavailable for %s: %v", e.Operation, e.Err)
+}
+
+func (e *ConsoleUnavailableError) Unwrap() error {
+	return e.Err
+}
+
+type coord struct {
+	x, y int16
+}
+
+type smallRect struct {
+	left, top, right, bottom int16
+}
+
+type consoleScreenBufferInfo struct {
+	size              coord
+	cursorPosition    coord
+	attributes        uint16
+	window            smallRect
+	maximumWindowSize coord
+}
+
+func (c *Client) setupTerminalMode(_ context.Context, session *ssh.Session) error {
+	if err := c.saveWindowsConsoleState(); err != nil {
+		var consoleErr *ConsoleUnavailableError
+		if errors.As(err, &consoleErr) {
+			log.Debugf("console unavailable, continuing with defaults: %v", err)
+			c.terminalFd = 0
+		} else {
+			return fmt.Errorf("save console state: %w", err)
+		}
+	}
+
+	if err := c.enableWindowsVirtualTerminal(); err != nil {
+		var consoleErr *ConsoleUnavailableError
+		if errors.As(err, &consoleErr) {
+			log.Debugf("virtual terminal unavailable: %v", err)
+		} else {
+			return fmt.Errorf("failed to enable virtual terminal: %w", err)
+		}
+	}
+
+	w, h := c.getWindowsConsoleSize()
+
+	modes := ssh.TerminalModes{
+		ssh.ECHO:          1,
+		ssh.TTY_OP_ISPEED: 14400,
+		ssh.TTY_OP_OSPEED: 14400,
+		ssh.ICRNL:         1,
+		ssh.OPOST:         1,
+		ssh.ONLCR:         1,
+		ssh.ISIG:          1,
+		ssh.ICANON:        1,
+		ssh.VINTR:         3,   // Ctrl+C
+		ssh.VQUIT:         28,  // Ctrl+\
+		ssh.VERASE:        127, // Backspace
+		ssh.VKILL:         21,  // Ctrl+U
+		ssh.VEOF:          4,   // Ctrl+D
+		ssh.VEOL:          0,
+		ssh.VEOL2:         0,
+		ssh.VSTART:        17, // Ctrl+Q
+		ssh.VSTOP:         19, // Ctrl+S
+		ssh.VSUSP:         26, // Ctrl+Z
+		ssh.VDISCARD:      15, // Ctrl+O
+		ssh.VWERASE:       23, // Ctrl+W
+		ssh.VLNEXT:        22, // Ctrl+V
+		ssh.VREPRINT:      18, // Ctrl+R
+	}
+
+	return session.RequestPty("xterm-256color", h, w, modes)
+}
+
+func (c *Client) saveWindowsConsoleState() error {
+	defer func() {
+		if r := recover(); r != nil {
+			log.Debugf("panic in saveWindowsConsoleState: %v", r)
+		}
+	}()
+
+	stdout := syscall.Handle(os.Stdout.Fd())
+	stdin := syscall.Handle(os.Stdin.Fd())
+
+	var stdoutMode, stdinMode uint32
+
+	ret, _, err := procGetConsoleMode.Call(uintptr(stdout), uintptr(unsafe.Pointer(&stdoutMode)))
+	if ret == 0 {
+		log.Debugf("failed to get stdout console mode: %v", err)
+		return &ConsoleUnavailableError{
+			Operation: "get stdout console mode",
+			Err:       err,
+		}
+	}
+
+	ret, _, err = procGetConsoleMode.Call(uintptr(stdin), uintptr(unsafe.Pointer(&stdinMode)))
+	if ret == 0 {
+		log.Debugf("failed to get stdin console mode: %v", err)
+		return &ConsoleUnavailableError{
+			Operation: "get stdin console mode",
+			Err:       err,
+		}
+	}
+
+	c.terminalFd = 1
+	c.windowsStdoutMode = stdoutMode
+	c.windowsStdinMode = stdinMode
+
+	log.Debugf("saved Windows console state - stdout: 0x%04x, stdin: 0x%04x", stdoutMode, stdinMode)
+	return nil
+}
+
+func (c *Client) enableWindowsVirtualTerminal() (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic in enableWindowsVirtualTerminal: %v", r)
+		}
+	}()
+
+	stdout := syscall.Handle(os.Stdout.Fd())
+	stdin := syscall.Handle(os.Stdin.Fd())
+	var mode uint32
+
+	ret, _, winErr := procGetConsoleMode.Call(uintptr(stdout), uintptr(unsafe.Pointer(&mode)))
+	if ret == 0 {
+		return &ConsoleUnavailableError{
+			Operation: "get stdout console mode for VT",
+			Err:       winErr,
+		}
+	}
+
+	mode |= enableVirtualTerminalProcessing
+	ret, _, winErr = procSetConsoleMode.Call(uintptr(stdout), uintptr(mode))
+	if ret == 0 {
+		return &ConsoleUnavailableError{
+			Operation: "enable virtual terminal processing",
+			Err:       winErr,
+		}
+	}
+
+	ret, _, winErr = procGetConsoleMode.Call(uintptr(stdin), uintptr(unsafe.Pointer(&mode)))
+	if ret == 0 {
+		return &ConsoleUnavailableError{
+			Operation: "get stdin console mode for VT",
+			Err:       winErr,
+		}
+	}
+
+	mode &= ^uint32(enableLineInput | enableEchoInput | enableProcessedInput)
+	mode |= enableVirtualTerminalInput
+	ret, _, winErr = procSetConsoleMode.Call(uintptr(stdin), uintptr(mode))
+	if ret == 0 {
+		return &ConsoleUnavailableError{
+			Operation: "set stdin raw mode",
+			Err:       winErr,
+		}
+	}
+
+	log.Debugf("enabled Windows virtual terminal processing")
+	return nil
+}
+
+func (c *Client) getWindowsConsoleSize() (int, int) {
+	defer func() {
+		if r := recover(); r != nil {
+			log.Debugf("panic in getWindowsConsoleSize: %v", r)
+		}
+	}()
+
+	stdout := syscall.Handle(os.Stdout.Fd())
+	var csbi consoleScreenBufferInfo
+
+	ret, _, err := procGetConsoleScreenBufferInfo.Call(uintptr(stdout), uintptr(unsafe.Pointer(&csbi)))
+	if ret == 0 {
+		log.Debugf("failed to get console buffer info, using defaults: %v", err)
+		return 80, 24
+	}
+
+	width := int(csbi.window.right - csbi.window.left + 1)
+	height := int(csbi.window.bottom - csbi.window.top + 1)
+
+	log.Debugf("Windows console size: %dx%d", width, height)
+	return width, height
+}
+
+func (c *Client) restoreWindowsConsoleState() error {
+	var err error
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic in restoreWindowsConsoleState: %v", r)
+		}
+	}()
+
+	if c.terminalFd != 1 {
+		return nil
+	}
+
+	stdout := syscall.Handle(os.Stdout.Fd())
+	stdin := syscall.Handle(os.Stdin.Fd())
+
+	ret, _, winErr := procSetConsoleMode.Call(uintptr(stdout), uintptr(c.windowsStdoutMode))
+	if ret == 0 {
+		log.Debugf("failed to restore stdout console mode: %v", winErr)
+		if err == nil {
+			err = fmt.Errorf("restore stdout console mode: %w", winErr)
+		}
+	}
+
+	ret, _, winErr = procSetConsoleMode.Call(uintptr(stdin), uintptr(c.windowsStdinMode))
+	if ret == 0 {
+		log.Debugf("failed to restore stdin console mode: %v", winErr)
+		if err == nil {
+			err = fmt.Errorf("restore stdin console mode: %w", winErr)
+		}
+	}
+
+	c.terminalFd = 0
+	c.windowsStdoutMode = 0
+	c.windowsStdinMode = 0
+
+	log.Debugf("restored Windows console state")
+	return err
+}

client/ssh/common.go

@@ -0,0 +1,167 @@
+package ssh
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/ssh"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+const (
+	NetBirdSSHConfigFile = "99-netbird.conf"
+
+	UnixSSHConfigDir    = "/etc/ssh/ssh_config.d"
+	WindowsSSHConfigDir = "ssh/ssh_config.d"
+)
+
+var (
+	// ErrPeerNotFound indicates the peer was not found in the network
+	ErrPeerNotFound = errors.New("peer not found in network")
+	// ErrNoStoredKey indicates the peer has no stored SSH host key
+	ErrNoStoredKey = errors.New("peer has no stored SSH host key")
+)
+
+// HostKeyVerifier provides SSH host key verification
+type HostKeyVerifier interface {
+	VerifySSHHostKey(peerAddress string, key []byte) error
+}
+
+// DaemonHostKeyVerifier implements HostKeyVerifier using the NetBird daemon
+type DaemonHostKeyVerifier struct {
+	client proto.DaemonServiceClient
+}
+
+// NewDaemonHostKeyVerifier creates a new daemon-based host key verifier
+func NewDaemonHostKeyVerifier(client proto.DaemonServiceClient) *DaemonHostKeyVerifier {
+	return &DaemonHostKeyVerifier{
+		client: client,
+	}
+}
+
+// VerifySSHHostKey verifies an SSH host key by querying the NetBird daemon
+func (d *DaemonHostKeyVerifier) VerifySSHHostKey(peerAddress string, presentedKey []byte) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	response, err := d.client.GetPeerSSHHostKey(ctx, &proto.GetPeerSSHHostKeyRequest{
+		PeerAddress: peerAddress,
+	})
+	if err != nil {
+		return err
+	}
+
+	if !response.GetFound() {
+		return ErrPeerNotFound
+	}
+
+	storedKeyData := response.GetSshHostKey()
+
+	return VerifyHostKey(storedKeyData, presentedKey, peerAddress)
+}
+
+// RequestJWTToken requests or retrieves a JWT token for SSH authentication
+func RequestJWTToken(ctx context.Context, client proto.DaemonServiceClient, stdout, stderr io.Writer, useCache bool) (string, error) {
+	authResponse, err := client.RequestJWTAuth(ctx, &proto.RequestJWTAuthRequest{})
+	if err != nil {
+		return "", fmt.Errorf("request JWT auth: %w", err)
+	}
+
+	if useCache && authResponse.CachedToken != "" {
+		log.Debug("Using cached authentication token")
+		return authResponse.CachedToken, nil
+	}
+
+	if stderr != nil {
+		_, _ = fmt.Fprintln(stderr, "SSH authentication required.")
+		_, _ = fmt.Fprintf(stderr, "Please visit: %s\n", authResponse.VerificationURIComplete)
+		if authResponse.UserCode != "" {
+			_, _ = fmt.Fprintf(stderr, "Or visit: %s and enter code: %s\n", authResponse.VerificationURI, authResponse.UserCode)
+		}
+		_, _ = fmt.Fprintln(stderr, "Waiting for authentication...")
+	}
+
+	tokenResponse, err := client.WaitJWTToken(ctx, &proto.WaitJWTTokenRequest{
+		DeviceCode: authResponse.DeviceCode,
+		UserCode:   authResponse.UserCode,
+	})
+	if err != nil {
+		return "", fmt.Errorf("wait for JWT token: %w", err)
+	}
+
+	if stdout != nil {
+		_, _ = fmt.Fprintln(stdout, "Authentication successful!")
+	}
+	return tokenResponse.Token, nil
+}
+
+// VerifyHostKey verifies an SSH host key against stored peer key data.
+// Returns nil only if the presented key matches the stored key.
+// Returns ErrNoStoredKey if storedKeyData is empty.
+// Returns an error if the keys don't match or if parsing fails.
+func VerifyHostKey(storedKeyData []byte, presentedKey []byte, peerAddress string) error {
+	if len(storedKeyData) == 0 {
+		return ErrNoStoredKey
+	}
+
+	storedPubKey, _, _, _, err := ssh.ParseAuthorizedKey(storedKeyData)
+	if err != nil {
+		return fmt.Errorf("parse stored SSH key for %s: %w", peerAddress, err)
+	}
+
+	if !bytes.Equal(presentedKey, storedPubKey.Marshal()) {
+		return fmt.Errorf("SSH host key mismatch for %s", peerAddress)
+	}
+
+	return nil
+}
+
+// AddJWTAuth prepends JWT password authentication to existing auth methods.
+// This ensures JWT auth is tried first while preserving any existing auth methods.
+func AddJWTAuth(config *ssh.ClientConfig, jwtToken string) *ssh.ClientConfig {
+	configWithJWT := *config
+	configWithJWT.Auth = append([]ssh.AuthMethod{ssh.Password(jwtToken)}, config.Auth...)
+	return &configWithJWT
+}
+
+// CreateHostKeyCallback creates an SSH host key verification callback using the provided verifier.
+// It tries multiple addresses (hostname, IP) for the peer before failing.
+func CreateHostKeyCallback(verifier HostKeyVerifier) ssh.HostKeyCallback {
+	return func(hostname string, remote net.Addr, key ssh.PublicKey) error {
+		addresses := buildAddressList(hostname, remote)
+		presentedKey := key.Marshal()
+
+		for _, addr := range addresses {
+			if err := verifier.VerifySSHHostKey(addr, presentedKey); err != nil {
+				if errors.Is(err, ErrPeerNotFound) {
+					// Try other addresses for this peer
+					continue
+				}
+				return err
+			}
+			// Verified
+			return nil
+		}
+
+		return fmt.Errorf("SSH host key verification failed: peer %s not found in network", hostname)
+	}
+}
+
+// buildAddressList creates a list of addresses to check for host key verification.
+// It includes the original hostname and extracts the host part from the remote address if different.
+func buildAddressList(hostname string, remote net.Addr) []string {
+	addresses := []string{hostname}
+	if host, _, err := net.SplitHostPort(remote.String()); err == nil {
+		if host != hostname {
+			addresses = append(addresses, host)
+		}
+	}
+	return addresses
+}

client/ssh/config/manager.go

@@ -0,0 +1,282 @@
+package config
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+)
+
+const (
+	EnvDisableSSHConfig = "NB_DISABLE_SSH_CONFIG"
+
+	EnvForceSSHConfig = "NB_FORCE_SSH_CONFIG"
+
+	MaxPeersForSSHConfig = 200
+
+	fileWriteTimeout = 2 * time.Second
+)
+
+func isSSHConfigDisabled() bool {
+	value := os.Getenv(EnvDisableSSHConfig)
+	if value == "" {
+		return false
+	}
+
+	disabled, err := strconv.ParseBool(value)
+	if err != nil {
+		return true
+	}
+	return disabled
+}
+
+func isSSHConfigForced() bool {
+	value := os.Getenv(EnvForceSSHConfig)
+	if value == "" {
+		return false
+	}
+
+	forced, err := strconv.ParseBool(value)
+	if err != nil {
+		return true
+	}
+	return forced
+}
+
+// shouldGenerateSSHConfig checks if SSH config should be generated based on peer count
+func shouldGenerateSSHConfig(peerCount int) bool {
+	if isSSHConfigDisabled() {
+		return false
+	}
+
+	if isSSHConfigForced() {
+		return true
+	}
+
+	return peerCount <= MaxPeersForSSHConfig
+}
+
+// writeFileWithTimeout writes data to a file with a timeout
+func writeFileWithTimeout(filename string, data []byte, perm os.FileMode) error {
+	ctx, cancel := context.WithTimeout(context.Background(), fileWriteTimeout)
+	defer cancel()
+
+	done := make(chan error, 1)
+	go func() {
+		done <- os.WriteFile(filename, data, perm)
+	}()
+
+	select {
+	case err := <-done:
+		return err
+	case <-ctx.Done():
+		return fmt.Errorf("file write timeout after %v: %s", fileWriteTimeout, filename)
+	}
+}
+
+// Manager handles SSH client configuration for NetBird peers
+type Manager struct {
+	sshConfigDir  string
+	sshConfigFile string
+}
+
+// PeerSSHInfo represents a peer's SSH configuration information
+type PeerSSHInfo struct {
+	Hostname string
+	IP       string
+	FQDN     string
+}
+
+// New creates a new SSH config manager
+func New() *Manager {
+	sshConfigDir := getSystemSSHConfigDir()
+	return &Manager{
+		sshConfigDir:  sshConfigDir,
+		sshConfigFile: nbssh.NetBirdSSHConfigFile,
+	}
+}
+
+// getSystemSSHConfigDir returns platform-specific SSH configuration directory
+func getSystemSSHConfigDir() string {
+	if runtime.GOOS == "windows" {
+		return getWindowsSSHConfigDir()
+	}
+	return nbssh.UnixSSHConfigDir
+}
+
+func getWindowsSSHConfigDir() string {
+	programData := os.Getenv("PROGRAMDATA")
+	if programData == "" {
+		programData = `C:\ProgramData`
+	}
+	return filepath.Join(programData, nbssh.WindowsSSHConfigDir)
+}
+
+// SetupSSHClientConfig creates SSH client configuration for NetBird peers
+func (m *Manager) SetupSSHClientConfig(peers []PeerSSHInfo) error {
+	if !shouldGenerateSSHConfig(len(peers)) {
+		m.logSkipReason(len(peers))
+		return nil
+	}
+
+	sshConfig, err := m.buildSSHConfig(peers)
+	if err != nil {
+		return fmt.Errorf("build SSH config: %w", err)
+	}
+	return m.writeSSHConfig(sshConfig)
+}
+
+func (m *Manager) logSkipReason(peerCount int) {
+	if isSSHConfigDisabled() {
+		log.Debugf("SSH config management disabled via %s", EnvDisableSSHConfig)
+	} else {
+		log.Infof("SSH config generation skipped: too many peers (%d > %d). Use %s=true to force.",
+			peerCount, MaxPeersForSSHConfig, EnvForceSSHConfig)
+	}
+}
+
+func (m *Manager) buildSSHConfig(peers []PeerSSHInfo) (string, error) {
+	sshConfig := m.buildConfigHeader()
+
+	var allHostPatterns []string
+	for _, peer := range peers {
+		hostPatterns := m.buildHostPatterns(peer)
+		allHostPatterns = append(allHostPatterns, hostPatterns...)
+	}
+
+	if len(allHostPatterns) > 0 {
+		peerConfig, err := m.buildPeerConfig(allHostPatterns)
+		if err != nil {
+			return "", err
+		}
+		sshConfig += peerConfig
+	}
+
+	return sshConfig, nil
+}
+
+func (m *Manager) buildConfigHeader() string {
+	return "# NetBird SSH client configuration\n" +
+		"# Generated automatically - do not edit manually\n" +
+		"#\n" +
+		"# To disable SSH config management, use:\n" +
+		"#   netbird service reconfigure --service-env NB_DISABLE_SSH_CONFIG=true\n" +
+		"#\n\n"
+}
+
+func (m *Manager) buildPeerConfig(allHostPatterns []string) (string, error) {
+	uniquePatterns := make(map[string]bool)
+	var deduplicatedPatterns []string
+	for _, pattern := range allHostPatterns {
+		if !uniquePatterns[pattern] {
+			uniquePatterns[pattern] = true
+			deduplicatedPatterns = append(deduplicatedPatterns, pattern)
+		}
+	}
+
+	execPath, err := m.getNetBirdExecutablePath()
+	if err != nil {
+		return "", fmt.Errorf("get NetBird executable path: %w", err)
+	}
+
+	hostLine := strings.Join(deduplicatedPatterns, " ")
+	config := fmt.Sprintf("Host %s\n", hostLine)
+
+	if runtime.GOOS == "windows" {
+		config += fmt.Sprintf("    Match exec \"%s ssh detect %%h %%p\"\n", execPath)
+	} else {
+		config += fmt.Sprintf("    Match exec \"%s ssh detect %%h %%p 2>/dev/null\"\n", execPath)
+	}
+	config += "        PreferredAuthentications password,publickey,keyboard-interactive\n"
+	config += "        PasswordAuthentication yes\n"
+	config += "        PubkeyAuthentication yes\n"
+	config += "        BatchMode no\n"
+	config += fmt.Sprintf("        ProxyCommand %s ssh proxy %%h %%p\n", execPath)
+	config += "        StrictHostKeyChecking no\n"
+
+	if runtime.GOOS == "windows" {
+		config += "        UserKnownHostsFile NUL\n"
+	} else {
+		config += "        UserKnownHostsFile /dev/null\n"
+	}
+
+	config += "        CheckHostIP no\n"
+	config += "        LogLevel ERROR\n\n"
+
+	return config, nil
+}
+
+func (m *Manager) buildHostPatterns(peer PeerSSHInfo) []string {
+	var hostPatterns []string
+	if peer.IP != "" {
+		hostPatterns = append(hostPatterns, peer.IP)
+	}
+	if peer.FQDN != "" {
+		hostPatterns = append(hostPatterns, peer.FQDN)
+	}
+	if peer.Hostname != "" && peer.Hostname != peer.FQDN {
+		hostPatterns = append(hostPatterns, peer.Hostname)
+	}
+	return hostPatterns
+}
+
+func (m *Manager) writeSSHConfig(sshConfig string) error {
+	sshConfigPath := filepath.Join(m.sshConfigDir, m.sshConfigFile)
+
+	if err := os.MkdirAll(m.sshConfigDir, 0755); err != nil {
+		return fmt.Errorf("create SSH config directory %s: %w", m.sshConfigDir, err)
+	}
+
+	if err := writeFileWithTimeout(sshConfigPath, []byte(sshConfig), 0644); err != nil {
+		return fmt.Errorf("write SSH config file %s: %w", sshConfigPath, err)
+	}
+
+	log.Infof("Created NetBird SSH client config: %s", sshConfigPath)
+	return nil
+}
+
+// RemoveSSHClientConfig removes NetBird SSH configuration
+func (m *Manager) RemoveSSHClientConfig() error {
+	sshConfigPath := filepath.Join(m.sshConfigDir, m.sshConfigFile)
+	err := os.Remove(sshConfigPath)
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove SSH config %s: %w", sshConfigPath, err)
+	}
+	if err == nil {
+		log.Infof("Removed NetBird SSH config: %s", sshConfigPath)
+	}
+	return nil
+}
+
+func (m *Manager) getNetBirdExecutablePath() (string, error) {
+	execPath, err := os.Executable()
+	if err != nil {
+		return "", fmt.Errorf("retrieve executable path: %w", err)
+	}
+
+	realPath, err := filepath.EvalSymlinks(execPath)
+	if err != nil {
+		log.Debugf("symlink resolution failed: %v", err)
+		return execPath, nil
+	}
+
+	return realPath, nil
+}
+
+// GetSSHConfigDir returns the SSH config directory path
+func (m *Manager) GetSSHConfigDir() string {
+	return m.sshConfigDir
+}
+
+// GetSSHConfigFile returns the SSH config file name
+func (m *Manager) GetSSHConfigFile() string {
+	return m.sshConfigFile
+}

client/ssh/config/manager_test.go

@@ -0,0 +1,159 @@
+package config
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestManager_SetupSSHClientConfig(t *testing.T) {
+	// Create temporary directory for test
+	tempDir, err := os.MkdirTemp("", "netbird-ssh-config-test")
+	require.NoError(t, err)
+	defer func() { assert.NoError(t, os.RemoveAll(tempDir)) }()
+
+	// Override manager paths to use temp directory
+	manager := &Manager{
+		sshConfigDir:  filepath.Join(tempDir, "ssh_config.d"),
+		sshConfigFile: "99-netbird.conf",
+	}
+
+	// Test SSH config generation with peers
+	peers := []PeerSSHInfo{
+		{
+			Hostname: "peer1",
+			IP:       "100.125.1.1",
+			FQDN:     "peer1.nb.internal",
+		},
+		{
+			Hostname: "peer2",
+			IP:       "100.125.1.2",
+			FQDN:     "peer2.nb.internal",
+		},
+	}
+
+	err = manager.SetupSSHClientConfig(peers)
+	require.NoError(t, err)
+
+	// Read generated config
+	configPath := filepath.Join(manager.sshConfigDir, manager.sshConfigFile)
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+
+	configStr := string(content)
+
+	// Verify the basic SSH config structure exists
+	assert.Contains(t, configStr, "# NetBird SSH client configuration")
+	assert.Contains(t, configStr, "Generated automatically - do not edit manually")
+
+	// Check that peer hostnames are included
+	assert.Contains(t, configStr, "100.125.1.1")
+	assert.Contains(t, configStr, "100.125.1.2")
+	assert.Contains(t, configStr, "peer1.nb.internal")
+	assert.Contains(t, configStr, "peer2.nb.internal")
+
+	// Check platform-specific UserKnownHostsFile
+	if runtime.GOOS == "windows" {
+		assert.Contains(t, configStr, "UserKnownHostsFile NUL")
+	} else {
+		assert.Contains(t, configStr, "UserKnownHostsFile /dev/null")
+	}
+}
+
+func TestGetSystemSSHConfigDir(t *testing.T) {
+	configDir := getSystemSSHConfigDir()
+
+	// Path should not be empty
+	assert.NotEmpty(t, configDir)
+
+	// Should be an absolute path
+	assert.True(t, filepath.IsAbs(configDir))
+
+	// On Unix systems, should start with /etc
+	// On Windows, should contain ProgramData
+	if runtime.GOOS == "windows" {
+		assert.Contains(t, strings.ToLower(configDir), "programdata")
+	} else {
+		assert.Contains(t, configDir, "/etc/ssh")
+	}
+}
+
+func TestManager_PeerLimit(t *testing.T) {
+	// Create temporary directory for test
+	tempDir, err := os.MkdirTemp("", "netbird-ssh-config-test")
+	require.NoError(t, err)
+	defer func() { assert.NoError(t, os.RemoveAll(tempDir)) }()
+
+	// Override manager paths to use temp directory
+	manager := &Manager{
+		sshConfigDir:  filepath.Join(tempDir, "ssh_config.d"),
+		sshConfigFile: "99-netbird.conf",
+	}
+
+	// Generate many peers (more than limit)
+	var peers []PeerSSHInfo
+	for i := 0; i < MaxPeersForSSHConfig+10; i++ {
+		peers = append(peers, PeerSSHInfo{
+			Hostname: fmt.Sprintf("peer%d", i),
+			IP:       fmt.Sprintf("100.125.1.%d", i%254+1),
+			FQDN:     fmt.Sprintf("peer%d.nb.internal", i),
+		})
+	}
+
+	// Test that SSH config generation is skipped when too many peers
+	err = manager.SetupSSHClientConfig(peers)
+	require.NoError(t, err)
+
+	// Config should not be created due to peer limit
+	configPath := filepath.Join(manager.sshConfigDir, manager.sshConfigFile)
+	_, err = os.Stat(configPath)
+	assert.True(t, os.IsNotExist(err), "SSH config should not be created with too many peers")
+}
+
+func TestManager_ForcedSSHConfig(t *testing.T) {
+	// Set force environment variable
+	t.Setenv(EnvForceSSHConfig, "true")
+
+	// Create temporary directory for test
+	tempDir, err := os.MkdirTemp("", "netbird-ssh-config-test")
+	require.NoError(t, err)
+	defer func() { assert.NoError(t, os.RemoveAll(tempDir)) }()
+
+	// Override manager paths to use temp directory
+	manager := &Manager{
+		sshConfigDir:  filepath.Join(tempDir, "ssh_config.d"),
+		sshConfigFile: "99-netbird.conf",
+	}
+
+	// Generate many peers (more than limit)
+	var peers []PeerSSHInfo
+	for i := 0; i < MaxPeersForSSHConfig+10; i++ {
+		peers = append(peers, PeerSSHInfo{
+			Hostname: fmt.Sprintf("peer%d", i),
+			IP:       fmt.Sprintf("100.125.1.%d", i%254+1),
+			FQDN:     fmt.Sprintf("peer%d.nb.internal", i),
+		})
+	}
+
+	// Test that SSH config generation is forced despite many peers
+	err = manager.SetupSSHClientConfig(peers)
+	require.NoError(t, err)
+
+	// Config should be created despite peer limit due to force flag
+	configPath := filepath.Join(manager.sshConfigDir, manager.sshConfigFile)
+	_, err = os.Stat(configPath)
+	require.NoError(t, err, "SSH config should be created when forced")
+
+	// Verify config contains peer hostnames
+	content, err := os.ReadFile(configPath)
+	require.NoError(t, err)
+	configStr := string(content)
+	assert.Contains(t, configStr, "peer0.nb.internal")
+	assert.Contains(t, configStr, "peer1.nb.internal")
+}

client/ssh/config/shutdown_state.go

@@ -0,0 +1,22 @@
+package config
+
+// ShutdownState represents SSH configuration state that needs to be cleaned up.
+type ShutdownState struct {
+	SSHConfigDir  string
+	SSHConfigFile string
+}
+
+// Name returns the state name for the state manager.
+func (s *ShutdownState) Name() string {
+	return "ssh_config_state"
+}
+
+// Cleanup removes SSH client configuration files.
+func (s *ShutdownState) Cleanup() error {
+	manager := &Manager{
+		sshConfigDir:  s.SSHConfigDir,
+		sshConfigFile: s.SSHConfigFile,
+	}
+
+	return manager.RemoveSSHClientConfig()
+}

client/ssh/detection/detection.go

@@ -0,0 +1,99 @@
+package detection
+
+import (
+	"bufio"
+	"context"
+	"net"
+	"strconv"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// ServerIdentifier is the base response for NetBird SSH servers
+	ServerIdentifier = "NetBird-SSH-Server"
+	// ProxyIdentifier is the base response for NetBird SSH proxy
+	ProxyIdentifier = "NetBird-SSH-Proxy"
+	// JWTRequiredMarker is appended to responses when JWT is required
+	JWTRequiredMarker = "NetBird-JWT-Required"
+
+	// Timeout is the timeout for SSH server detection
+	Timeout = 5 * time.Second
+)
+
+type ServerType string
+
+const (
+	ServerTypeNetBirdJWT   ServerType = "netbird-jwt"
+	ServerTypeNetBirdNoJWT ServerType = "netbird-no-jwt"
+	ServerTypeRegular      ServerType = "regular"
+)
+
+// Dialer provides network connection capabilities
+type Dialer interface {
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}
+
+// RequiresJWT checks if the server type requires JWT authentication
+func (s ServerType) RequiresJWT() bool {
+	return s == ServerTypeNetBirdJWT
+}
+
+// ExitCode returns the exit code for the detect command
+func (s ServerType) ExitCode() int {
+	switch s {
+	case ServerTypeNetBirdJWT:
+		return 0
+	case ServerTypeNetBirdNoJWT:
+		return 1
+	case ServerTypeRegular:
+		return 2
+	default:
+		return 2
+	}
+}
+
+// DetectSSHServerType detects SSH server type using the provided dialer
+func DetectSSHServerType(ctx context.Context, dialer Dialer, host string, port int) (ServerType, error) {
+	targetAddr := net.JoinHostPort(host, strconv.Itoa(port))
+
+	conn, err := dialer.DialContext(ctx, "tcp", targetAddr)
+	if err != nil {
+		log.Debugf("SSH connection failed for detection: %v", err)
+		return ServerTypeRegular, nil
+	}
+	defer conn.Close()
+
+	if err := conn.SetReadDeadline(time.Now().Add(Timeout)); err != nil {
+		log.Debugf("set read deadline: %v", err)
+		return ServerTypeRegular, nil
+	}
+
+	reader := bufio.NewReader(conn)
+	serverBanner, err := reader.ReadString('\n')
+	if err != nil {
+		log.Debugf("read SSH banner: %v", err)
+		return ServerTypeRegular, nil
+	}
+
+	serverBanner = strings.TrimSpace(serverBanner)
+	log.Debugf("SSH server banner: %s", serverBanner)
+
+	if !strings.HasPrefix(serverBanner, "SSH-") {
+		log.Debugf("Invalid SSH banner")
+		return ServerTypeRegular, nil
+	}
+
+	if !strings.Contains(serverBanner, ServerIdentifier) {
+		log.Debugf("Server banner does not contain identifier '%s'", ServerIdentifier)
+		return ServerTypeRegular, nil
+	}
+
+	if strings.Contains(serverBanner, JWTRequiredMarker) {
+		return ServerTypeNetBirdJWT, nil
+	}
+
+	return ServerTypeNetBirdNoJWT, nil
+}

client/ssh/login.go

@@ -1,53 +0,0 @@
-//go:build !js
-
-package ssh
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"os"
-	"os/exec"
-	"runtime"
-
-	"github.com/netbirdio/netbird/util"
-)
-
-func isRoot() bool {
-	return os.Geteuid() == 0
-}
-
-func getLoginCmd(user string, remoteAddr net.Addr) (loginPath string, args []string, err error) {
-	if !isRoot() {
-		shell := getUserShell(user)
-		if shell == "" {
-			shell = "/bin/sh"
-		}
-
-		return shell, []string{"-l"}, nil
-	}
-
-	loginPath, err = exec.LookPath("login")
-	if err != nil {
-		return "", nil, err
-	}
-
-	addrPort, err := netip.ParseAddrPort(remoteAddr.String())
-	if err != nil {
-		return "", nil, err
-	}
-
-	switch runtime.GOOS {
-	case "linux":
-		if util.FileExists("/etc/arch-release") && !util.FileExists("/etc/pam.d/remote") {
-			return loginPath, []string{"-f", user, "-p"}, nil
-		}
-		return loginPath, []string{"-f", user, "-h", addrPort.Addr().String(), "-p"}, nil
-	case "darwin":
-		return loginPath, []string{"-fp", "-h", addrPort.Addr().String(), user}, nil
-	case "freebsd":
-		return loginPath, []string{"-f", user, "-h", addrPort.Addr().String(), "-p"}, nil
-	default:
-		return "", nil, fmt.Errorf("unsupported platform: %s", runtime.GOOS)
-	}
-}

client/ssh/lookup.go

@@ -1,14 +0,0 @@
-//go:build !darwin
-// +build !darwin
-
-package ssh
-
-import "os/user"
-
-func userNameLookup(username string) (*user.User, error) {
-	if username == "" || (username == "root" && !isRoot()) {
-		return user.Current()
-	}
-
-	return user.Lookup(username)
-}

client/ssh/lookup_darwin.go

@@ -1,51 +0,0 @@
-//go:build darwin
-// +build darwin
-
-package ssh
-
-import (
-	"bytes"
-	"fmt"
-	"os/exec"
-	"os/user"
-	"strings"
-)
-
-func userNameLookup(username string) (*user.User, error) {
-	if username == "" || (username == "root" && !isRoot()) {
-		return user.Current()
-	}
-
-	var userObject *user.User
-	userObject, err := user.Lookup(username)
-	if err != nil && err.Error() == user.UnknownUserError(username).Error() {
-		return idUserNameLookup(username)
-	} else if err != nil {
-		return nil, err
-	}
-
-	return userObject, nil
-}
-
-func idUserNameLookup(username string) (*user.User, error) {
-	cmd := exec.Command("id", "-P", username)
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return nil, fmt.Errorf("error while retrieving user with id -P command, error: %v", err)
-	}
-	colon := ":"
-
-	if !bytes.Contains(out, []byte(username+colon)) {
-		return nil, fmt.Errorf("unable to find user in returned string")
-	}
-	// netbird:********:501:20::0:0:netbird:/Users/netbird:/bin/zsh
-	parts := strings.SplitN(string(out), colon, 10)
-	userObject := &user.User{
-		Username: parts[0],
-		Uid:      parts[2],
-		Gid:      parts[3],
-		Name:     parts[7],
-		HomeDir:  parts[8],
-	}
-	return userObject, nil
-}

client/ssh/proxy/proxy.go

@@ -0,0 +1,369 @@
+package proxy
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/gliderlabs/ssh"
+	log "github.com/sirupsen/logrus"
+	cryptossh "golang.org/x/crypto/ssh"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/proto"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/ssh/detection"
+	"github.com/netbirdio/netbird/version"
+)
+
+const (
+	// sshConnectionTimeout is the timeout for SSH TCP connection establishment
+	sshConnectionTimeout = 120 * time.Second
+	// sshHandshakeTimeout is the timeout for SSH handshake completion
+	sshHandshakeTimeout = 30 * time.Second
+
+	jwtAuthErrorMsg = "JWT authentication: %w"
+)
+
+type SSHProxy struct {
+	daemonAddr   string
+	targetHost   string
+	targetPort   int
+	stderr       io.Writer
+	daemonClient proto.DaemonServiceClient
+}
+
+func New(daemonAddr, targetHost string, targetPort int, stderr io.Writer) (*SSHProxy, error) {
+	grpcAddr := strings.TrimPrefix(daemonAddr, "tcp://")
+	grpcConn, err := grpc.NewClient(grpcAddr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+	if err != nil {
+		return nil, fmt.Errorf("connect to daemon: %w", err)
+	}
+
+	return &SSHProxy{
+		daemonAddr:   daemonAddr,
+		targetHost:   targetHost,
+		targetPort:   targetPort,
+		stderr:       stderr,
+		daemonClient: proto.NewDaemonServiceClient(grpcConn),
+	}, nil
+}
+
+func (p *SSHProxy) Connect(ctx context.Context) error {
+	jwtToken, err := nbssh.RequestJWTToken(ctx, p.daemonClient, nil, p.stderr, true)
+	if err != nil {
+		return fmt.Errorf(jwtAuthErrorMsg, err)
+	}
+
+	return p.runProxySSHServer(ctx, jwtToken)
+}
+
+func (p *SSHProxy) runProxySSHServer(ctx context.Context, jwtToken string) error {
+	serverVersion := fmt.Sprintf("%s-%s", detection.ProxyIdentifier, version.NetbirdVersion())
+
+	sshServer := &ssh.Server{
+		Handler: func(s ssh.Session) {
+			p.handleSSHSession(ctx, s, jwtToken)
+		},
+		ChannelHandlers: map[string]ssh.ChannelHandler{
+			"session":      ssh.DefaultSessionHandler,
+			"direct-tcpip": p.directTCPIPHandler,
+		},
+		SubsystemHandlers: map[string]ssh.SubsystemHandler{
+			"sftp": func(s ssh.Session) {
+				p.sftpSubsystemHandler(s, jwtToken)
+			},
+		},
+		RequestHandlers: map[string]ssh.RequestHandler{
+			"tcpip-forward":        p.tcpipForwardHandler,
+			"cancel-tcpip-forward": p.cancelTcpipForwardHandler,
+		},
+		Version: serverVersion,
+	}
+
+	hostKey, err := generateHostKey()
+	if err != nil {
+		return fmt.Errorf("generate host key: %w", err)
+	}
+	sshServer.HostSigners = []ssh.Signer{hostKey}
+
+	conn := &stdioConn{
+		stdin:  os.Stdin,
+		stdout: os.Stdout,
+	}
+
+	sshServer.HandleConn(conn)
+
+	return nil
+}
+
+func (p *SSHProxy) handleSSHSession(ctx context.Context, session ssh.Session, jwtToken string) {
+	targetAddr := net.JoinHostPort(p.targetHost, strconv.Itoa(p.targetPort))
+
+	sshClient, err := p.dialBackend(ctx, targetAddr, session.User(), jwtToken)
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "SSH connection to NetBird server failed: %v\n", err)
+		return
+	}
+	defer func() { _ = sshClient.Close() }()
+
+	serverSession, err := sshClient.NewSession()
+	if err != nil {
+		_, _ = fmt.Fprintf(p.stderr, "create server session: %v\n", err)
+		return
+	}
+	defer func() { _ = serverSession.Close() }()
+
+	serverSession.Stdin = session
+	serverSession.Stdout = session
+	serverSession.Stderr = session.Stderr()
+
+	ptyReq, winCh, isPty := session.Pty()
+	if isPty {
+		if err := serverSession.RequestPty(ptyReq.Term, ptyReq.Window.Width, ptyReq.Window.Height, nil); err != nil {
+			log.Debugf("PTY request to backend: %v", err)
+		}
+
+		go func() {
+			for win := range winCh {
+				if err := serverSession.WindowChange(win.Height, win.Width); err != nil {
+					log.Debugf("window change: %v", err)
+				}
+			}
+		}()
+	}
+
+	if len(session.Command()) > 0 {
+		if err := serverSession.Run(strings.Join(session.Command(), " ")); err != nil {
+			log.Debugf("run command: %v", err)
+		}
+		return
+	}
+
+	if err = serverSession.Shell(); err != nil {
+		log.Debugf("start shell: %v", err)
+		return
+	}
+	if err := serverSession.Wait(); err != nil {
+		log.Debugf("session wait: %v", err)
+	}
+}
+
+func generateHostKey() (ssh.Signer, error) {
+	keyPEM, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
+	if err != nil {
+		return nil, fmt.Errorf("generate ED25519 key: %w", err)
+	}
+
+	signer, err := cryptossh.ParsePrivateKey(keyPEM)
+	if err != nil {
+		return nil, fmt.Errorf("parse private key: %w", err)
+	}
+
+	return signer, nil
+}
+
+type stdioConn struct {
+	stdin  io.Reader
+	stdout io.Writer
+	closed bool
+	mu     sync.Mutex
+}
+
+func (c *stdioConn) Read(b []byte) (n int, err error) {
+	c.mu.Lock()
+	if c.closed {
+		c.mu.Unlock()
+		return 0, io.EOF
+	}
+	c.mu.Unlock()
+	return c.stdin.Read(b)
+}
+
+func (c *stdioConn) Write(b []byte) (n int, err error) {
+	c.mu.Lock()
+	if c.closed {
+		c.mu.Unlock()
+		return 0, io.ErrClosedPipe
+	}
+	c.mu.Unlock()
+	return c.stdout.Write(b)
+}
+
+func (c *stdioConn) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.closed = true
+	return nil
+}
+
+func (c *stdioConn) LocalAddr() net.Addr {
+	return &net.UnixAddr{Name: "stdio", Net: "unix"}
+}
+
+func (c *stdioConn) RemoteAddr() net.Addr {
+	return &net.UnixAddr{Name: "stdio", Net: "unix"}
+}
+
+func (c *stdioConn) SetDeadline(_ time.Time) error {
+	return nil
+}
+
+func (c *stdioConn) SetReadDeadline(_ time.Time) error {
+	return nil
+}
+
+func (c *stdioConn) SetWriteDeadline(_ time.Time) error {
+	return nil
+}
+
+func (p *SSHProxy) directTCPIPHandler(_ *ssh.Server, _ *cryptossh.ServerConn, newChan cryptossh.NewChannel, _ ssh.Context) {
+	_ = newChan.Reject(cryptossh.Prohibited, "port forwarding not supported in proxy")
+}
+
+func (p *SSHProxy) sftpSubsystemHandler(s ssh.Session, jwtToken string) {
+	ctx, cancel := context.WithCancel(s.Context())
+	defer cancel()
+
+	targetAddr := net.JoinHostPort(p.targetHost, strconv.Itoa(p.targetPort))
+
+	sshClient, err := p.dialBackend(ctx, targetAddr, s.User(), jwtToken)
+	if err != nil {
+		_, _ = fmt.Fprintf(s, "SSH connection failed: %v\n", err)
+		_ = s.Exit(1)
+		return
+	}
+	defer func() {
+		if err := sshClient.Close(); err != nil {
+			log.Debugf("close SSH client: %v", err)
+		}
+	}()
+
+	serverSession, err := sshClient.NewSession()
+	if err != nil {
+		_, _ = fmt.Fprintf(s, "create server session: %v\n", err)
+		_ = s.Exit(1)
+		return
+	}
+	defer func() {
+		if err := serverSession.Close(); err != nil {
+			log.Debugf("close server session: %v", err)
+		}
+	}()
+
+	stdin, stdout, err := p.setupSFTPPipes(serverSession)
+	if err != nil {
+		log.Debugf("setup SFTP pipes: %v", err)
+		_ = s.Exit(1)
+		return
+	}
+
+	if err := serverSession.RequestSubsystem("sftp"); err != nil {
+		_, _ = fmt.Fprintf(s, "SFTP subsystem request failed: %v\n", err)
+		_ = s.Exit(1)
+		return
+	}
+
+	p.runSFTPBridge(ctx, s, stdin, stdout, serverSession)
+}
+
+func (p *SSHProxy) setupSFTPPipes(serverSession *cryptossh.Session) (io.WriteCloser, io.Reader, error) {
+	stdin, err := serverSession.StdinPipe()
+	if err != nil {
+		return nil, nil, fmt.Errorf("get stdin pipe: %w", err)
+	}
+
+	stdout, err := serverSession.StdoutPipe()
+	if err != nil {
+		return nil, nil, fmt.Errorf("get stdout pipe: %w", err)
+	}
+
+	return stdin, stdout, nil
+}
+
+func (p *SSHProxy) runSFTPBridge(ctx context.Context, s ssh.Session, stdin io.WriteCloser, stdout io.Reader, serverSession *cryptossh.Session) {
+	copyErrCh := make(chan error, 2)
+
+	go func() {
+		_, err := io.Copy(stdin, s)
+		if err != nil {
+			log.Debugf("SFTP client to server copy: %v", err)
+		}
+		if err := stdin.Close(); err != nil {
+			log.Debugf("close stdin: %v", err)
+		}
+		copyErrCh <- err
+	}()
+
+	go func() {
+		_, err := io.Copy(s, stdout)
+		if err != nil {
+			log.Debugf("SFTP server to client copy: %v", err)
+		}
+		copyErrCh <- err
+	}()
+
+	go func() {
+		<-ctx.Done()
+		if err := serverSession.Close(); err != nil {
+			log.Debugf("force close server session on context cancellation: %v", err)
+		}
+	}()
+
+	for i := 0; i < 2; i++ {
+		if err := <-copyErrCh; err != nil && !errors.Is(err, io.EOF) {
+			log.Debugf("SFTP copy error: %v", err)
+		}
+	}
+
+	if err := serverSession.Wait(); err != nil {
+		log.Debugf("SFTP session ended: %v", err)
+	}
+}
+
+func (p *SSHProxy) tcpipForwardHandler(_ ssh.Context, _ *ssh.Server, _ *cryptossh.Request) (bool, []byte) {
+	return false, []byte("port forwarding not supported in proxy")
+}
+
+func (p *SSHProxy) cancelTcpipForwardHandler(_ ssh.Context, _ *ssh.Server, _ *cryptossh.Request) (bool, []byte) {
+	return true, nil
+}
+
+func (p *SSHProxy) dialBackend(ctx context.Context, addr, user, jwtToken string) (*cryptossh.Client, error) {
+	config := &cryptossh.ClientConfig{
+		User:            user,
+		Auth:            []cryptossh.AuthMethod{cryptossh.Password(jwtToken)},
+		Timeout:         sshHandshakeTimeout,
+		HostKeyCallback: p.verifyHostKey,
+	}
+
+	dialer := &net.Dialer{
+		Timeout: sshConnectionTimeout,
+	}
+	conn, err := dialer.DialContext(ctx, "tcp", addr)
+	if err != nil {
+		return nil, fmt.Errorf("connect to server: %w", err)
+	}
+
+	clientConn, chans, reqs, err := cryptossh.NewClientConn(conn, addr, config)
+	if err != nil {
+		_ = conn.Close()
+		return nil, fmt.Errorf("SSH handshake: %w", err)
+	}
+
+	return cryptossh.NewClient(clientConn, chans, reqs), nil
+}
+
+func (p *SSHProxy) verifyHostKey(hostname string, remote net.Addr, key cryptossh.PublicKey) error {
+	verifier := nbssh.NewDaemonHostKeyVerifier(p.daemonClient)
+	callback := nbssh.CreateHostKeyCallback(verifier)
+	return callback(hostname, remote, key)
+}

client/ssh/proxy/proxy_test.go

@@ -0,0 +1,367 @@
+package proxy
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"math/big"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"runtime"
+	"strconv"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	cryptossh "golang.org/x/crypto/ssh"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/netbirdio/netbird/client/proto"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/ssh/server"
+	"github.com/netbirdio/netbird/client/ssh/testutil"
+	nbjwt "github.com/netbirdio/netbird/shared/auth/jwt"
+)
+
+func TestMain(m *testing.M) {
+	if len(os.Args) > 2 && os.Args[1] == "ssh" {
+		if os.Args[2] == "exec" {
+			if len(os.Args) > 3 {
+				cmd := os.Args[3]
+				if cmd == "echo" && len(os.Args) > 4 {
+					fmt.Fprintln(os.Stdout, os.Args[4])
+					os.Exit(0)
+				}
+			}
+			fmt.Fprintf(os.Stderr, "Test binary called as 'ssh exec' with args: %v - preventing infinite recursion\n", os.Args)
+			os.Exit(1)
+		}
+	}
+
+	code := m.Run()
+
+	testutil.CleanupTestUsers()
+
+	os.Exit(code)
+}
+
+func TestSSHProxy_verifyHostKey(t *testing.T) {
+	t.Run("calls daemon to verify host key", func(t *testing.T) {
+		mockDaemon := startMockDaemon(t)
+		defer mockDaemon.stop()
+
+		grpcConn, err := grpc.NewClient(mockDaemon.addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		require.NoError(t, err)
+		defer func() { _ = grpcConn.Close() }()
+
+		proxy := &SSHProxy{
+			daemonAddr:   mockDaemon.addr,
+			daemonClient: proto.NewDaemonServiceClient(grpcConn),
+		}
+
+		testKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
+		require.NoError(t, err)
+		testPubKey, err := nbssh.GeneratePublicKey(testKey)
+		require.NoError(t, err)
+
+		mockDaemon.setHostKey("test-host", testPubKey)
+
+		err = proxy.verifyHostKey("test-host", &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 22}, mustParsePublicKey(t, testPubKey))
+		assert.NoError(t, err)
+	})
+
+	t.Run("rejects unknown host key", func(t *testing.T) {
+		mockDaemon := startMockDaemon(t)
+		defer mockDaemon.stop()
+
+		grpcConn, err := grpc.NewClient(mockDaemon.addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+		require.NoError(t, err)
+		defer func() { _ = grpcConn.Close() }()
+
+		proxy := &SSHProxy{
+			daemonAddr:   mockDaemon.addr,
+			daemonClient: proto.NewDaemonServiceClient(grpcConn),
+		}
+
+		unknownKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
+		require.NoError(t, err)
+		unknownPubKey, err := nbssh.GeneratePublicKey(unknownKey)
+		require.NoError(t, err)
+
+		err = proxy.verifyHostKey("unknown-host", &net.TCPAddr{IP: net.ParseIP("127.0.0.1"), Port: 22}, mustParsePublicKey(t, unknownPubKey))
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "peer unknown-host not found in network")
+	})
+}
+
+func TestSSHProxy_Connect(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	// TODO: Windows test times out - user switching and command execution tested on Linux
+	if runtime.GOOS == "windows" {
+		t.Skip("Skipping on Windows - covered by Linux tests")
+	}
+
+	const (
+		issuer   = "https://test-issuer.example.com"
+		audience = "test-audience"
+	)
+
+	jwksServer, privateKey, jwksURL := setupJWKSServer(t)
+	defer jwksServer.Close()
+
+	hostKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
+	require.NoError(t, err)
+	hostPubKey, err := nbssh.GeneratePublicKey(hostKey)
+	require.NoError(t, err)
+
+	serverConfig := &server.Config{
+		HostKeyPEM: hostKey,
+		JWT: &server.JWTConfig{
+			Issuer:       issuer,
+			Audience:     audience,
+			KeysLocation: jwksURL,
+		},
+	}
+	sshServer := server.New(serverConfig)
+	sshServer.SetAllowRootLogin(true)
+
+	sshServerAddr := server.StartTestServer(t, sshServer)
+	defer func() { _ = sshServer.Stop() }()
+
+	mockDaemon := startMockDaemon(t)
+	defer mockDaemon.stop()
+
+	host, portStr, err := net.SplitHostPort(sshServerAddr)
+	require.NoError(t, err)
+	port, err := strconv.Atoi(portStr)
+	require.NoError(t, err)
+
+	mockDaemon.setHostKey(host, hostPubKey)
+
+	validToken := generateValidJWT(t, privateKey, issuer, audience)
+	mockDaemon.setJWTToken(validToken)
+
+	proxyInstance, err := New(mockDaemon.addr, host, port, nil)
+	require.NoError(t, err)
+
+	clientConn, proxyConn := net.Pipe()
+	defer func() { _ = clientConn.Close() }()
+
+	origStdin := os.Stdin
+	origStdout := os.Stdout
+	defer func() {
+		os.Stdin = origStdin
+		os.Stdout = origStdout
+	}()
+
+	stdinReader, stdinWriter, err := os.Pipe()
+	require.NoError(t, err)
+	stdoutReader, stdoutWriter, err := os.Pipe()
+	require.NoError(t, err)
+
+	os.Stdin = stdinReader
+	os.Stdout = stdoutWriter
+
+	go func() {
+		_, _ = io.Copy(stdinWriter, proxyConn)
+	}()
+	go func() {
+		_, _ = io.Copy(proxyConn, stdoutReader)
+	}()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	connectErrCh := make(chan error, 1)
+	go func() {
+		connectErrCh <- proxyInstance.Connect(ctx)
+	}()
+
+	sshConfig := &cryptossh.ClientConfig{
+		User:            testutil.GetTestUsername(t),
+		Auth:            []cryptossh.AuthMethod{},
+		HostKeyCallback: cryptossh.InsecureIgnoreHostKey(),
+		Timeout:         3 * time.Second,
+	}
+
+	sshClientConn, chans, reqs, err := cryptossh.NewClientConn(clientConn, "test", sshConfig)
+	require.NoError(t, err, "Should connect to proxy server")
+	defer func() { _ = sshClientConn.Close() }()
+
+	sshClient := cryptossh.NewClient(sshClientConn, chans, reqs)
+
+	session, err := sshClient.NewSession()
+	require.NoError(t, err, "Should create session through full proxy to backend")
+
+	outputCh := make(chan []byte, 1)
+	errCh := make(chan error, 1)
+	go func() {
+		output, err := session.Output("echo hello-from-proxy")
+		outputCh <- output
+		errCh <- err
+	}()
+
+	select {
+	case output := <-outputCh:
+		err := <-errCh
+		require.NoError(t, err, "Command should execute successfully through proxy")
+		assert.Contains(t, string(output), "hello-from-proxy", "Should receive command output through proxy")
+	case <-time.After(3 * time.Second):
+		t.Fatal("Command execution timed out")
+	}
+
+	_ = session.Close()
+	_ = sshClient.Close()
+	_ = clientConn.Close()
+	cancel()
+}
+
+type mockDaemonServer struct {
+	proto.UnimplementedDaemonServiceServer
+	hostKeys map[string][]byte
+	jwtToken string
+}
+
+func (m *mockDaemonServer) GetPeerSSHHostKey(ctx context.Context, req *proto.GetPeerSSHHostKeyRequest) (*proto.GetPeerSSHHostKeyResponse, error) {
+	key, found := m.hostKeys[req.PeerAddress]
+	return &proto.GetPeerSSHHostKeyResponse{
+		Found:      found,
+		SshHostKey: key,
+	}, nil
+}
+
+func (m *mockDaemonServer) RequestJWTAuth(ctx context.Context, req *proto.RequestJWTAuthRequest) (*proto.RequestJWTAuthResponse, error) {
+	return &proto.RequestJWTAuthResponse{
+		CachedToken: m.jwtToken,
+	}, nil
+}
+
+func (m *mockDaemonServer) WaitJWTToken(ctx context.Context, req *proto.WaitJWTTokenRequest) (*proto.WaitJWTTokenResponse, error) {
+	return &proto.WaitJWTTokenResponse{
+		Token: m.jwtToken,
+	}, nil
+}
+
+type mockDaemon struct {
+	addr   string
+	server *grpc.Server
+	impl   *mockDaemonServer
+}
+
+func startMockDaemon(t *testing.T) *mockDaemon {
+	t.Helper()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	impl := &mockDaemonServer{
+		hostKeys: make(map[string][]byte),
+		jwtToken: "test-jwt-token",
+	}
+
+	grpcServer := grpc.NewServer()
+	proto.RegisterDaemonServiceServer(grpcServer, impl)
+
+	go func() {
+		_ = grpcServer.Serve(listener)
+	}()
+
+	return &mockDaemon{
+		addr:   listener.Addr().String(),
+		server: grpcServer,
+		impl:   impl,
+	}
+}
+
+func (m *mockDaemon) setHostKey(addr string, pubKey []byte) {
+	m.impl.hostKeys[addr] = pubKey
+}
+
+func (m *mockDaemon) setJWTToken(token string) {
+	m.impl.jwtToken = token
+}
+
+func (m *mockDaemon) stop() {
+	if m.server != nil {
+		m.server.Stop()
+	}
+}
+
+func mustParsePublicKey(t *testing.T, pubKeyBytes []byte) cryptossh.PublicKey {
+	t.Helper()
+	pubKey, _, _, _, err := cryptossh.ParseAuthorizedKey(pubKeyBytes)
+	require.NoError(t, err)
+	return pubKey
+}
+
+func setupJWKSServer(t *testing.T) (*httptest.Server, *rsa.PrivateKey, string) {
+	t.Helper()
+	privateKey, jwksJSON := generateTestJWKS(t)
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		if _, err := w.Write(jwksJSON); err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+	}))
+
+	return server, privateKey, server.URL
+}
+
+func generateTestJWKS(t *testing.T) (*rsa.PrivateKey, []byte) {
+	t.Helper()
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	publicKey := &privateKey.PublicKey
+	n := publicKey.N.Bytes()
+	e := publicKey.E
+
+	jwk := nbjwt.JSONWebKey{
+		Kty: "RSA",
+		Kid: "test-key-id",
+		Use: "sig",
+		N:   base64.RawURLEncoding.EncodeToString(n),
+		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(e)).Bytes()),
+	}
+
+	jwks := nbjwt.Jwks{
+		Keys: []nbjwt.JSONWebKey{jwk},
+	}
+
+	jwksJSON, err := json.Marshal(jwks)
+	require.NoError(t, err)
+
+	return privateKey, jwksJSON
+}
+
+func generateValidJWT(t *testing.T, privateKey *rsa.PrivateKey, issuer, audience string) string {
+	t.Helper()
+	claims := jwt.MapClaims{
+		"iss": issuer,
+		"aud": audience,
+		"sub": "test-user",
+		"exp": time.Now().Add(time.Hour).Unix(),
+		"iat": time.Now().Unix(),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	token.Header["kid"] = "test-key-id"
+
+	tokenString, err := token.SignedString(privateKey)
+	require.NoError(t, err)
+
+	return tokenString
+}

client/ssh/server.go

@@ -1,280 +0,0 @@
-//go:build !js
-
-package ssh
-
-import (
-	"fmt"
-	"io"
-	"net"
-	"os"
-	"os/exec"
-	"os/user"
-	"runtime"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/creack/pty"
-	"github.com/gliderlabs/ssh"
-	log "github.com/sirupsen/logrus"
-)
-
-// DefaultSSHPort is the default SSH port of the NetBird's embedded SSH server
-const DefaultSSHPort = 44338
-
-// TerminalTimeout is the timeout for terminal session to be ready
-const TerminalTimeout = 10 * time.Second
-
-// TerminalBackoffDelay is the delay between terminal session readiness checks
-const TerminalBackoffDelay = 500 * time.Millisecond
-
-// DefaultSSHServer is a function that creates DefaultServer
-func DefaultSSHServer(hostKeyPEM []byte, addr string) (Server, error) {
-	return newDefaultServer(hostKeyPEM, addr)
-}
-
-// Server is an interface of SSH server
-type Server interface {
-	// Stop stops SSH server.
-	Stop() error
-	// Start starts SSH server. Blocking
-	Start() error
-	// RemoveAuthorizedKey removes SSH key of a given peer from the authorized keys
-	RemoveAuthorizedKey(peer string)
-	// AddAuthorizedKey add a given peer key to server authorized keys
-	AddAuthorizedKey(peer, newKey string) error
-}
-
-// DefaultServer is the embedded NetBird SSH server
-type DefaultServer struct {
-	listener net.Listener
-	// authorizedKeys is ssh pub key indexed by peer WireGuard public key
-	authorizedKeys map[string]ssh.PublicKey
-	mu             sync.Mutex
-	hostKeyPEM     []byte
-	sessions       []ssh.Session
-}
-
-// newDefaultServer creates new server with provided host key
-func newDefaultServer(hostKeyPEM []byte, addr string) (*DefaultServer, error) {
-	ln, err := net.Listen("tcp", addr)
-	if err != nil {
-		return nil, err
-	}
-	allowedKeys := make(map[string]ssh.PublicKey)
-	return &DefaultServer{listener: ln, mu: sync.Mutex{}, hostKeyPEM: hostKeyPEM, authorizedKeys: allowedKeys, sessions: make([]ssh.Session, 0)}, nil
-}
-
-// RemoveAuthorizedKey removes SSH key of a given peer from the authorized keys
-func (srv *DefaultServer) RemoveAuthorizedKey(peer string) {
-	srv.mu.Lock()
-	defer srv.mu.Unlock()
-
-	delete(srv.authorizedKeys, peer)
-}
-
-// AddAuthorizedKey add a given peer key to server authorized keys
-func (srv *DefaultServer) AddAuthorizedKey(peer, newKey string) error {
-	srv.mu.Lock()
-	defer srv.mu.Unlock()
-
-	parsedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(newKey))
-	if err != nil {
-		return err
-	}
-
-	srv.authorizedKeys[peer] = parsedKey
-	return nil
-}
-
-// Stop stops SSH server.
-func (srv *DefaultServer) Stop() error {
-	srv.mu.Lock()
-	defer srv.mu.Unlock()
-	err := srv.listener.Close()
-	if err != nil {
-		return err
-	}
-	for _, session := range srv.sessions {
-		err := session.Close()
-		if err != nil {
-			log.Warnf("failed closing SSH session from %v", err)
-		}
-	}
-
-	return nil
-}
-
-func (srv *DefaultServer) publicKeyHandler(ctx ssh.Context, key ssh.PublicKey) bool {
-	srv.mu.Lock()
-	defer srv.mu.Unlock()
-
-	for _, allowed := range srv.authorizedKeys {
-		if ssh.KeysEqual(allowed, key) {
-			return true
-		}
-	}
-
-	return false
-}
-
-func prepareUserEnv(user *user.User, shell string) []string {
-	return []string{
-		fmt.Sprint("SHELL=" + shell),
-		fmt.Sprint("USER=" + user.Username),
-		fmt.Sprint("HOME=" + user.HomeDir),
-	}
-}
-
-func acceptEnv(s string) bool {
-	split := strings.Split(s, "=")
-	if len(split) != 2 {
-		return false
-	}
-	return split[0] == "TERM" || split[0] == "LANG" || strings.HasPrefix(split[0], "LC_")
-}
-
-// sessionHandler handles SSH session post auth
-func (srv *DefaultServer) sessionHandler(session ssh.Session) {
-	srv.mu.Lock()
-	srv.sessions = append(srv.sessions, session)
-	srv.mu.Unlock()
-
-	defer func() {
-		err := session.Close()
-		if err != nil {
-			return
-		}
-	}()
-
-	log.Infof("Establishing SSH session for %s from host %s", session.User(), session.RemoteAddr().String())
-
-	localUser, err := userNameLookup(session.User())
-	if err != nil {
-		_, err = fmt.Fprintf(session, "remote SSH server couldn't find local user %s\n", session.User()) //nolint
-		err = session.Exit(1)
-		if err != nil {
-			return
-		}
-		log.Warnf("failed SSH session from %v, user %s", session.RemoteAddr(), session.User())
-		return
-	}
-
-	ptyReq, winCh, isPty := session.Pty()
-	if isPty {
-		loginCmd, loginArgs, err := getLoginCmd(localUser.Username, session.RemoteAddr())
-		if err != nil {
-			log.Warnf("failed logging-in user %s from remote IP %s", localUser.Username, session.RemoteAddr().String())
-			return
-		}
-		cmd := exec.Command(loginCmd, loginArgs...)
-		go func() {
-			<-session.Context().Done()
-			if cmd.Process == nil {
-				return
-			}
-			err := cmd.Process.Kill()
-			if err != nil {
-				log.Debugf("failed killing SSH process %v", err)
-				return
-			}
-		}()
-		cmd.Dir = localUser.HomeDir
-		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", ptyReq.Term))
-		cmd.Env = append(cmd.Env, prepareUserEnv(localUser, getUserShell(localUser.Uid))...)
-		for _, v := range session.Environ() {
-			if acceptEnv(v) {
-				cmd.Env = append(cmd.Env, v)
-			}
-		}
-
-		log.Debugf("Login command: %s", cmd.String())
-		file, err := pty.Start(cmd)
-		if err != nil {
-			log.Errorf("failed starting SSH server: %v", err)
-		}
-
-		go func() {
-			for win := range winCh {
-				setWinSize(file, win.Width, win.Height)
-			}
-		}()
-
-		srv.stdInOut(file, session)
-
-		err = cmd.Wait()
-		if err != nil {
-			return
-		}
-	} else {
-		_, err := io.WriteString(session, "only PTY is supported.\n")
-		if err != nil {
-			return
-		}
-		err = session.Exit(1)
-		if err != nil {
-			return
-		}
-	}
-	log.Debugf("SSH session ended")
-}
-
-func (srv *DefaultServer) stdInOut(file *os.File, session ssh.Session) {
-	go func() {
-		// stdin
-		_, err := io.Copy(file, session)
-		if err != nil {
-			_ = session.Exit(1)
-			return
-		}
-	}()
-
-	// AWS Linux 2 machines need some time to open the terminal so we need to wait for it
-	timer := time.NewTimer(TerminalTimeout)
-	for {
-		select {
-		case <-timer.C:
-			_, _ = session.Write([]byte("Reached timeout while opening connection\n"))
-			_ = session.Exit(1)
-			return
-		default:
-			// stdout
-			writtenBytes, err := io.Copy(session, file)
-			if err != nil && writtenBytes != 0 {
-				_ = session.Exit(0)
-				return
-			}
-			time.Sleep(TerminalBackoffDelay)
-		}
-	}
-}
-
-// Start starts SSH server. Blocking
-func (srv *DefaultServer) Start() error {
-	log.Infof("starting SSH server on addr: %s", srv.listener.Addr().String())
-
-	publicKeyOption := ssh.PublicKeyAuth(srv.publicKeyHandler)
-	hostKeyPEM := ssh.HostKeyPEM(srv.hostKeyPEM)
-	err := ssh.Serve(srv.listener, srv.sessionHandler, publicKeyOption, hostKeyPEM)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func getUserShell(userID string) string {
-	if runtime.GOOS == "linux" {
-		output, _ := exec.Command("getent", "passwd", userID).Output()
-		line := strings.SplitN(string(output), ":", 10)
-		if len(line) > 6 {
-			return strings.TrimSpace(line[6])
-		}
-	}
-
-	shell := os.Getenv("SHELL")
-	if shell == "" {
-		shell = "/bin/sh"
-	}
-	return shell
-}

client/ssh/server/command_execution.go

@@ -0,0 +1,178 @@
+package server
+
+import (
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"time"
+
+	"github.com/gliderlabs/ssh"
+	log "github.com/sirupsen/logrus"
+)
+
+// handleCommand executes an SSH command with privilege validation
+func (s *Server) handleCommand(logger *log.Entry, session ssh.Session, privilegeResult PrivilegeCheckResult, winCh <-chan ssh.Window) {
+	hasPty := winCh != nil
+
+	commandType := "command"
+	if hasPty {
+		commandType = "Pty command"
+	}
+
+	logger.Infof("executing %s: %s", commandType, safeLogCommand(session.Command()))
+
+	execCmd, err := s.createCommand(privilegeResult, session, hasPty)
+	if err != nil {
+		logger.Errorf("%s creation failed: %v", commandType, err)
+
+		errorMsg := fmt.Sprintf("Cannot create %s - platform may not support user switching", commandType)
+		if hasPty {
+			errorMsg += " with Pty"
+		}
+		errorMsg += "\n"
+
+		if _, writeErr := fmt.Fprint(session.Stderr(), errorMsg); writeErr != nil {
+			logger.Debugf(errWriteSession, writeErr)
+		}
+		if err := session.Exit(1); err != nil {
+			logSessionExitError(logger, err)
+		}
+		return
+	}
+
+	if s.executeCommand(logger, session, execCmd) {
+		logger.Debugf("%s execution completed", commandType)
+	}
+}
+
+func (s *Server) createCommand(privilegeResult PrivilegeCheckResult, session ssh.Session, hasPty bool) (*exec.Cmd, error) {
+	localUser := privilegeResult.User
+
+	// Try su first for system integration (PAM/audit) when privileged
+	cmd, err := s.createSuCommand(session, localUser, hasPty)
+	if err != nil || privilegeResult.UsedFallback {
+		log.Debugf("su command failed, falling back to executor: %v", err)
+		cmd, err = s.createExecutorCommand(session, localUser, hasPty)
+	}
+
+	if err != nil {
+		return nil, fmt.Errorf("create command with privileges: %w", err)
+	}
+
+	cmd.Env = s.prepareCommandEnv(localUser, session)
+	return cmd, nil
+}
+
+// executeCommand executes the command and handles I/O and exit codes
+func (s *Server) executeCommand(logger *log.Entry, session ssh.Session, execCmd *exec.Cmd) bool {
+	s.setupProcessGroup(execCmd)
+
+	stdinPipe, err := execCmd.StdinPipe()
+	if err != nil {
+		logger.Errorf("create stdin pipe: %v", err)
+		if err := session.Exit(1); err != nil {
+			logSessionExitError(logger, err)
+		}
+		return false
+	}
+
+	execCmd.Stdout = session
+	execCmd.Stderr = session
+
+	if execCmd.Dir != "" {
+		if _, err := os.Stat(execCmd.Dir); err != nil {
+			logger.Warnf("working directory does not exist: %s (%v)", execCmd.Dir, err)
+			execCmd.Dir = "/"
+		}
+	}
+
+	if err := execCmd.Start(); err != nil {
+		logger.Errorf("command start failed: %v", err)
+		// no user message for exec failure, just exit
+		if err := session.Exit(1); err != nil {
+			logSessionExitError(logger, err)
+		}
+		return false
+	}
+
+	go s.handleCommandIO(logger, stdinPipe, session)
+	return s.waitForCommandCleanup(logger, session, execCmd)
+}
+
+// handleCommandIO manages stdin/stdout copying in a goroutine
+func (s *Server) handleCommandIO(logger *log.Entry, stdinPipe io.WriteCloser, session ssh.Session) {
+	defer func() {
+		if err := stdinPipe.Close(); err != nil {
+			logger.Debugf("stdin pipe close error: %v", err)
+		}
+	}()
+	if _, err := io.Copy(stdinPipe, session); err != nil {
+		logger.Debugf("stdin copy error: %v", err)
+	}
+}
+
+// waitForCommandCleanup waits for command completion with session disconnect handling
+func (s *Server) waitForCommandCleanup(logger *log.Entry, session ssh.Session, execCmd *exec.Cmd) bool {
+	ctx := session.Context()
+	done := make(chan error, 1)
+	go func() {
+		done <- execCmd.Wait()
+	}()
+
+	select {
+	case <-ctx.Done():
+		logger.Debugf("session cancelled, terminating command")
+		s.killProcessGroup(execCmd)
+
+		select {
+		case err := <-done:
+			logger.Tracef("command terminated after session cancellation: %v", err)
+		case <-time.After(5 * time.Second):
+			logger.Warnf("command did not terminate within 5 seconds after session cancellation")
+		}
+
+		if err := session.Exit(130); err != nil {
+			logSessionExitError(logger, err)
+		}
+		return false
+
+	case err := <-done:
+		return s.handleCommandCompletion(logger, session, err)
+	}
+}
+
+// handleCommandCompletion handles command completion
+func (s *Server) handleCommandCompletion(logger *log.Entry, session ssh.Session, err error) bool {
+	if err != nil {
+		logger.Debugf("command execution failed: %v", err)
+		s.handleSessionExit(session, err, logger)
+		return false
+	}
+
+	s.handleSessionExit(session, nil, logger)
+	return true
+}
+
+// handleSessionExit handles command errors and sets appropriate exit codes
+func (s *Server) handleSessionExit(session ssh.Session, err error, logger *log.Entry) {
+	if err == nil {
+		if err := session.Exit(0); err != nil {
+			logSessionExitError(logger, err)
+		}
+		return
+	}
+
+	var exitError *exec.ExitError
+	if errors.As(err, &exitError) {
+		if err := session.Exit(exitError.ExitCode()); err != nil {
+			logSessionExitError(logger, err)
+		}
+	} else {
+		logger.Debugf("non-exit error in command execution: %v", err)
+		if err := session.Exit(1); err != nil {
+			logSessionExitError(logger, err)
+		}
+	}
+}

client/ssh/server/command_execution_js.go

@@ -0,0 +1,36 @@
+//go:build js
+
+package server
+
+import (
+	"errors"
+	"os/exec"
+	"os/user"
+
+	"github.com/gliderlabs/ssh"
+)
+
+var errNotSupported = errors.New("SSH server command execution not supported on WASM/JS platform")
+
+// createSuCommand is not supported on JS/WASM
+func (s *Server) createSuCommand(_ ssh.Session, _ *user.User, _ bool) (*exec.Cmd, error) {
+	return nil, errNotSupported
+}
+
+// createExecutorCommand is not supported on JS/WASM
+func (s *Server) createExecutorCommand(_ ssh.Session, _ *user.User, _ bool) (*exec.Cmd, error) {
+	return nil, errNotSupported
+}
+
+// prepareCommandEnv is not supported on JS/WASM
+func (s *Server) prepareCommandEnv(_ *user.User, _ ssh.Session) []string {
+	return nil
+}
+
+// setupProcessGroup is not supported on JS/WASM
+func (s *Server) setupProcessGroup(_ *exec.Cmd) {
+}
+
+// killProcessGroup is not supported on JS/WASM
+func (s *Server) killProcessGroup(_ *exec.Cmd) {
+}