Handle user delete (#1113)

Implement user deletion across all IDP-ss. Expires all user peers
when the user is deleted. Users are permanently removed from a local
store, but in IDP, we remove Netbird attributes for the user
untilUserDeleteFromIDPEnabled setting is not enabled.

To test, an admin user should remove any additional users.

Until the UI incorporates this feature, use a curl DELETE request
targeting the /users/<USER_ID> management endpoint. Note that this
request only removes user attributes and doesn't trigger a delete
from the IDP.

To enable user removal from the IdP, set UserDeleteFromIDPEnabled
to true in account settings. Until we have a UI for this, make this
change directly in the store file.

Store the deleted email addresses in encrypted in activity store.

.github/workflows/android-build-validation.yml

@@ -0,0 +1,41 @@
+name: Android build validation
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: "1.20.x"
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v2
+      - name: NDK Cache
+        id: ndk-cache
+        uses: actions/cache@v3
+        with:
+          path: /usr/local/lib/android/sdk/ndk
+          key: ndk-cache-23.1.7779620
+      - name: Setup NDK
+        run: /usr/local/lib/android/sdk/tools/bin/sdkmanager --install "ndk;23.1.7779620"
+      - name: install gomobile
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20230531173138-3c911d8e3eda
+      - name: gomobile init
+        run: gomobile init
+      - name: build android nebtird lib
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -o $GITHUB_WORKSPACE/netbird.aar -javapkg=io.netbird.gomobile -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/io.netbird.client/cache/wireguard -X github.com/netbirdio/netbird/version.version=buildtest"  $GITHUB_WORKSPACE/client/android
+        env:
+          CGO_ENABLED: 0
+          ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/23.1.7779620

.github/workflows/golang-test-darwin.yml

@@ -15,14 +15,14 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20.x"
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: macos-go-${{ hashFiles('**/go.sum') }}

.github/workflows/golang-test-linux.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20.x"
 
 
       - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -32,7 +32,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib
@@ -47,13 +47,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20.x"
 
 
       - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -61,7 +61,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev

.github/workflows/golangci-lint.yml

@@ -8,14 +8,13 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout code
+        uses: actions/checkout@v3
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20.x"
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v3
-        with:
-          args: --timeout=6m

.github/workflows/install-script-test.yml

@@ -0,0 +1,36 @@
+name: Test installation
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "release_files/install.sh"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+jobs:
+  test-install-script:
+    strategy:
+      max-parallel: 2
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        skip_ui_mode: [true, false]
+        install_binary: [true, false]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: run install script
+        env:
+          SKIP_UI_APP: ${{ matrix.skip_ui_mode }}
+          USE_BIN_INSTALL: ${{ matrix.install_binary }}
+          GITHUB_TOKEN: ${{ secrets.RO_API_CALLER_TOKEN }}
+        run: |
+          [ "$SKIP_UI_APP" == "false" ] && export XDG_CURRENT_DESKTOP="none"
+          cat release_files/install.sh | sh -x
+
+      - name: check cli binary
+        run: command -v netbird

.github/workflows/install-test-darwin.yml

@@ -1,60 +0,0 @@
-name: Test installation Darwin
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "release_files/install.sh"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-jobs:
-  install-cli-only:
-    runs-on: macos-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename brew package
-        if: ${{ matrix.check_bin_install }}
-        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-        env:
-          SKIP_UI_APP: true
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-            echo "Error: netbird is not installed"
-            exit 1
-          fi
-  install-all:
-    runs-on: macos-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename brew package
-        if: ${{ matrix.check_bin_install }}
-        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-              echo "Error: netbird is not installed"
-              exit 1
-          fi
-
-          if [[ $(mdfind "kMDItemContentType == 'com.apple.application-bundle' && kMDItemFSName == '*NetBird UI.app'") ]]; then
-            echo "Error: NetBird UI is not installed"
-            exit 1
-          fi

.github/workflows/install-test-linux.yml

@@ -1,38 +0,0 @@
-name: Test installation Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "release_files/install.sh"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-jobs:
-  install-cli-only:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        check_bin_install: [true, false]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename apt package
-        if: ${{ matrix.check_bin_install }}
-        run: |
-          sudo mv /usr/bin/apt /usr/bin/apt.bak
-          sudo mv /usr/bin/apt-get /usr/bin/apt-get.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-            echo "Error: netbird is not installed"
-            exit 1
-          fi

.github/workflows/release.yml

@@ -7,9 +7,19 @@ on:
     branches:
       - main
   pull_request:
+    paths:
+      - 'go.mod'
+      - 'go.sum'
+      - '.goreleaser.yml'
+      - '.goreleaser_ui.yaml'
+      - '.goreleaser_ui_darwin.yaml'
+      - '.github/workflows/release.yml'
+      - 'release_files/**'
+      - '**/Dockerfile'
+      - '**/Dockerfile.*'
 
 env:
-  SIGN_PIPE_VER: "v0.0.8"
+  SIGN_PIPE_VER: "v0.0.9"
   GORELEASER_VER: "v1.14.1"
 
 concurrency:
@@ -19,20 +29,24 @@ concurrency:
 jobs:
   release:
     runs-on: ubuntu-latest
+    env:
+      flags: ""
     steps:
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
       -
         name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20"
       -
         name: Cache Go modules
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -46,10 +60,10 @@ jobs:
         run: git --no-pager diff --exit-code
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       -
         name: Login to Docker hub
         if: github.event_name != 'pull_request'
@@ -72,10 +86,10 @@ jobs:
         run: rsrc -arch 386 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_386.syso
       -
         name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
-          args: release --rm-dist
+          args: release --rm-dist ${{ env.flags }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
@@ -83,7 +97,7 @@ jobs:
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
       -
         name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: release
           path: dist/
@@ -92,17 +106,19 @@ jobs:
   release_ui:
     runs-on: ubuntu-latest
     steps:
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
 
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20"
       - name: Cache Go modules
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-ui-go-${{ hashFiles('**/go.sum') }}
@@ -122,17 +138,17 @@ jobs:
       - name: Generate windows rsrc
         run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
-          args: release --config .goreleaser_ui.yaml --rm-dist
+          args: release --config .goreleaser_ui.yaml --rm-dist ${{ env.flags }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
           UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
           UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
       - name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: release-ui
           path: dist/
@@ -141,19 +157,21 @@ jobs:
   release_ui_darwin:
     runs-on: macos-11
     steps:
+      - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
+        run: echo "flags=--snapshot" >> $GITHUB_ENV
       -
         name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0 # It is required for GoReleaser to work properly
       -
         name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20"
       -
         name: Cache Go modules
-        uses: actions/cache@v1
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-ui-go-${{ hashFiles('**/go.sum') }}
@@ -165,15 +183,15 @@ jobs:
       -
         name: Run GoReleaser
         id: goreleaser
-        uses: goreleaser/goreleaser-action@v2
+        uses: goreleaser/goreleaser-action@v4
         with:
           version: ${{ env.GORELEASER_VER }}
-          args: release --config .goreleaser_ui_darwin.yaml --rm-dist
+          args: release --config .goreleaser_ui_darwin.yaml --rm-dist ${{ env.flags }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       -
         name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: release-ui-darwin
           path: dist/

.github/workflows/test-infrastructure-files.yml

@@ -1,18 +1,20 @@
-name: Test Docker Compose Linux
+name: Test Infrastructure files
 
 on:
   push:
     branches:
       - main
   pull_request:
-
+    paths:
+      - 'infrastructure_files/**'
+      - '.github/workflows/test-infrastructure-files.yml'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
   cancel-in-progress: true
 
 jobs:
-  test:
+  test-docker-compose:
     runs-on: ubuntu-latest
     steps:
       - name: Install jq
@@ -22,12 +24,12 @@ jobs:
         run: sudo apt-get install -y curl
 
       - name: Install Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: "1.20.x"
 
       - name: Cache Go modules
-        uses: actions/cache@v2
+        uses: actions/cache@v3
         with:
           path: ~/go/pkg/mod
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
@@ -35,7 +37,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: cp setup.env
         run: cp infrastructure_files/tests/setup.env infrastructure_files/
@@ -78,6 +80,7 @@ jobs:
           CI_NETBIRD_MGMT_IDP: "none"
           CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
           CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_SIGNAL_PORT: 12345
 
         run: |
           grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
@@ -89,6 +92,7 @@ jobs:
           grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
           grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
           grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
+          grep $CI_NETBIRD_SIGNAL_PORT docker-compose.yml | grep ':80'
           grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
           grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
           grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
@@ -118,6 +122,31 @@ jobs:
 
       - name: test running containers
         run: |
-          count=$(docker compose ps --format json | jq '.[] | select(.Project | contains("infrastructure_files")) | .State' | grep -c running)
+          count=$(docker compose ps --format json | jq '. | select(.Name | contains("infrastructure_files")) | .State' | grep -c running)
           test $count -eq 4
         working-directory: infrastructure_files
+
+  test-getting-started-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: run script
+        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
+
+      - name: test Caddy file gen
+        run: test -f Caddyfile
+      - name: test docker-compose file gen
+        run: test -f docker-compose.yml
+      - name: test management.json file gen
+        run: test -f management.json
+      - name: test turnserver.conf file gen
+        run: test -f turnserver.conf
+      - name: test zitadel.env file gen
+        run: test -f zitadel.env
+      - name: test dashboard.env file gen
+        run: test -f dashboard.env

.gitignore

@@ -19,3 +19,4 @@ client/.distfiles/
 infrastructure_files/setup.env
 infrastructure_files/setup-*.env
 .vscode
+.DS_Store

.golangci.yaml

@@ -0,0 +1,54 @@
+run:
+  # Timeout for analysis, e.g. 30s, 5m.
+  # Default: 1m
+  timeout: 6m
+
+# This file contains only configs which differ from defaults.
+# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml
+linters-settings:
+  errcheck:
+    # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
+    # Such cases aren't reported by default.
+    # Default: false
+    check-type-assertions: false
+
+  govet:
+    # Enable all analyzers.
+    # Default: false
+    enable-all: false
+    enable:
+      - nilness
+
+linters:
+  disable-all: true
+  enable:
+    ## enabled by default
+    - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases
+    - gosimple # specializes in simplifying a code
+    - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string
+    - ineffassign # detects when assignments to existing variables are not used
+    - staticcheck # is a go vet on steroids, applying a ton of static analysis checks
+    - typecheck # like the front-end of a Go compiler, parses and type-checks Go code
+    - unused # checks for unused constants, variables, functions and types
+    ## disable by default but the have interesting results so lets add them
+    - bodyclose # checks whether HTTP response body is closed successfully
+    - nilerr # finds the code that returns nil even if it checks that the error is not nil
+    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
+    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
+    - wastedassign # wastedassign finds wasted assignment statements
+issues:
+  # Maximum count of issues with the same text.
+  # Set to 0 to disable.
+  # Default: 3
+  max-same-issues: 5
+
+  exclude-rules:
+    - path: sharedsock/filter.go
+      linters:
+      - unused
+    - path: client/firewall/iptables/rule.go
+      linters:
+      - unused
+    - path: mock.go
+      linters:
+      - nilnil

.goreleaser.yaml

@@ -377,3 +377,13 @@ uploads:
     target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
     username: dev@wiretrustee.com
     method: PUT
+
+checksum:
+  extra_files:
+    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
+    - glob: ./release_files/install.sh
+
+release:
+  extra_files:
+    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
+    - glob: ./release_files/install.sh

README.md

@@ -1,6 +1,6 @@
 <p align="center">
- <strong>:hatching_chick: New Release! Peer expiration.</strong>
+ <strong>:hatching_chick: New Release! Self-hosting in under 5 min.</strong>
-  <a href="https://github.com/netbirdio/netbird/releases">
+  <a href="https://github.com/netbirdio/netbird#quickstart-with-self-hosted-netbird">
        Learn more
      </a>   
 </p>
@@ -24,7 +24,7 @@
 
 <p align="center">
 <strong>
-  Start using NetBird at <a href="https://app.netbird.io/">app.netbird.io</a>
+  Start using NetBird at <a href="https://netbird.io/pricing">netbird.io</a>
   <br/>
   See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
@@ -36,47 +36,62 @@
 
 <br>
 
-**NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**
+**NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
 
-It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
+**Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
 
-NetBird uses [NAT traversal techniques](https://en.wikipedia.org/wiki/Interactive_Connectivity_Establishment) to automatically create an overlay peer-to-peer network connecting machines regardless of location (home, office, data center, container, cloud, or edge environments), unifying virtual private network management experience.
+**Secure.** NetBird enables secure remote access by applying granular access policies, while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
-
-**Key features:**
-- \[x] Automatic IP allocation and network management with a Web UI ([separate repo](https://github.com/netbirdio/dashboard))
-- \[x] Automatic WireGuard peer (machine) discovery and configuration.
-- \[x] Encrypted peer-to-peer connections without a central VPN gateway.
-- \[x] Connection relay fallback in case a peer-to-peer connection is not possible.
-- \[x] Desktop client applications for Linux, MacOS, and Windows (systray).
-- \[x] Multiuser support - sharing network between multiple users.
-- \[x] SSO and MFA support. 
-- \[x] Multicloud and hybrid-cloud support.
-- \[x] Kernel WireGuard usage when possible.
-- \[x] Access Controls - groups & rules.
-- \[x] Remote SSH access without managing SSH keys.
-- \[x] Network Routes.  
-- \[x] Private DNS.
-- \[x] Network Activity Monitoring.
-
-**Coming soon:**
--  \[ ] Mobile clients.
 
 ### Secure peer-to-peer VPN with SSO and MFA in minutes
 
 https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov
 
-**Note**: The `main` branch may be in an *unstable or even broken state* during development. 
+### Key features
-For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
 
-### Start using NetBird
+| Connectivity                             	                        | Management                                 	                             | Automation                                    	                            | Platforms    	                        |
--  Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
+|-------------------------------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------------|---------------------------------------|
--  See our documentation for [Quickstart Guide](https://docs.netbird.io/how-to/getting-started).
+| <ul><li> - \[x] Kernel WireGuard </ul></li>                   	   | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                           	      | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                	     | <ul><li> - \[x] Linux </ul></li>    	 |
--  If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://docs.netbird.io/selfhosted/selfhosted-guide).
+| <ul><li> - \[x] Peer-to-peer connections </ul></li>             	 | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>  	      | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li>  	     | <ul><li> - \[x] Mac </ul></li>      	 |
--  Step-by-step [Installation Guide](https://docs.netbird.io/how-to/getting-started#installation) for different platforms.
+| <ul><li> - \[x] Peer-to-peer encryption </ul></li>              	 | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>                       	      | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>              	 | <ul><li> - \[x] Windows </ul></li>  	 |
--  Web UI [repository](https://github.com/netbirdio/dashboard).
+| <ul><li> - \[x] Connection relay fallback </ul></li>            	 | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>                      	      | <ul><li> - \[x] IdP groups sync with JWT </ul></li> 	                      | <ul><li> - \[x] Android </ul></li>  	 |
--  5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li>  	         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>      	        | 	                                                                          | <ul><li> - \[ ] iOS </ul></li>      	 |
+| <ul><li> - \[x] NAT traversal with BPF </ul></li>                 | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>                            	      | 	                                                                          | <ul><li> - \[x] Docker </ul></li>   	 |
+|                                                                   | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li>                      	      | 	                                                                          | <ul><li> - \[x] OpenWRT </ul></li>  	 |
+| 	                                                                 | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                       	      | 	                                                                          | 	                                     |
+| 	                                                                 | <ul><li> - \[x] SSH access management </ul></li>                       	 | 	                                                                          | 	                                     |
 
 
+### Quickstart with NetBird Cloud
+
+- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
+- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
+- Check NetBird [admin UI](https://app.netbird.io/).
+- Add more machines.
+
+### Quickstart with self-hosted NetBird
+
+> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
+Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
+
+**Infrastructure requirements:**
+- A Linux VM with at least **1CPU** and **2GB** of memory.
+- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
+- **Public domain** name pointing to the VM.
+
+**Software requirements:**
+- Docker installed on the VM with the docker compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- [jq](https://jqlang.github.io/jq/) installed. In most distributions
+  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
+- [curl](https://curl.se/) installed.
+  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
+
+**Steps**
+- Download and run the installation script:
+```bash
+export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
+```
+- Once finished, you can manage the resources via `docker-compose`
+
 ### A bit on NetBird internals
 -  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
 -  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
@@ -88,18 +103,18 @@ For stable versions, see [releases](https://github.com/netbirdio/netbird/release
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.
 
 <p float="left" align="middle">
-  <img src="https://netbird.io/docs/img/architecture/high-level-dia.png" width="700"/>
+  <img src="https://docs.netbird.io/docs-static/img/architecture/high-level-dia.png" width="700"/>
 </p>
 
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.
 
-### Roadmap
--  [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)
-
 ### Community projects
 -  [NetBird on OpenWRT](https://github.com/messense/openwrt-netbird)
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
 
+**Note**: The `main` branch may be in an *unstable or even broken state* during development.
+For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
+
 ### Support acknowledgement
 
 In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
@@ -107,7 +122,7 @@ In November 2022, NetBird joined the [StartUpSecure program](https://www.forschu
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)
 
 ### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), and [Coturn](https://github.com/coturn/coturn). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
 
 ### Legal
  _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.

base62/base62.go

@@ -18,10 +18,9 @@ func Encode(num uint32) string {
 	}
 
 	var encoded strings.Builder
-	remainder := uint32(0)
 
 	for num > 0 {
-		remainder = num % base
+		remainder := num % base
 		encoded.WriteByte(alphabet[remainder])
 		num /= base
 	}

client/Dockerfile

@@ -1,7 +1,5 @@
-FROM gcr.io/distroless/base:debug
+FROM alpine:3
+RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
-ENV PATH=/sbin:/usr/sbin:/bin:/usr/bin:/busybox
-SHELL ["/busybox/sh","-c"]
-RUN sed -i -E 's/(^root:.+)\/sbin\/nologin/\1\/busybox\/sh/g' /etc/passwd
 ENTRYPOINT [ "/go/bin/netbird","up"]
 COPY netbird /go/bin/netbird

client/android/client.go

@@ -55,7 +55,6 @@ type Client struct {
 	ctxCancelLock *sync.Mutex
 	deviceName    string
 	routeListener routemanager.RouteListener
-	onHostDnsFn   func([]string)
 }
 
 // NewClient instantiate a new Client
@@ -97,7 +96,30 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.onHostDnsFn = func([]string) {}
+	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.routeListener, dns.items, dnsReadyListener)
+}
+
+// RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
+// In this case make no sense handle registration steps.
+func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener) error {
+	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+		ConfigPath: c.cfgFile,
+	})
+	if err != nil {
+		return err
+	}
+	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+
+	var ctx context.Context
+	//nolint
+	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	c.ctxCancelLock.Lock()
+	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
+	defer c.ctxCancel()
+	c.ctxCancelLock.Unlock()
+
+	// todo do not throw error in case of cancelled context
+	ctx = internal.CtxInitState(ctx)
 	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.routeListener, dns.items, dnsReadyListener)
 }
 

client/android/login.go

@@ -84,10 +84,14 @@ func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
 func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
 	supportsSSO := true
 	err := a.withBackOff(a.ctx, func() (err error) {
-		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+		_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
-		if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.NotFound || s.Code() == codes.Unimplemented) {
-			_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+			_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
-			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
+			s, ok := gstatus.FromError(err)
+			if !ok {
+				return err
+			}
+			if s.Code() == codes.NotFound || s.Code() == codes.Unimplemented {
 				supportsSSO = false
 				err = nil
 			}

client/cmd/login.go

@@ -3,21 +3,19 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"github.com/netbirdio/netbird/client/internal/auth"
 	"strings"
 	"time"
 
 	"github.com/skratchdot/open-golang/open"
+	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
-	"github.com/netbirdio/netbird/util"
-
-	"github.com/spf13/cobra"
-
 	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/util"
 )
 
 var loginCmd = &cobra.Command{
@@ -191,17 +189,16 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 
 func openURL(cmd *cobra.Command, verificationURIComplete, userCode string) {
 	var codeMsg string
-	if userCode != "" {
+	if userCode != "" && !strings.Contains(verificationURIComplete, userCode) {
-		if !strings.Contains(verificationURIComplete, userCode) {
+		codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
-			codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
-		}
 	}
 
-	err := open.Run(verificationURIComplete)
+	cmd.Println("Please do the SSO login in your browser. \n" +
-	cmd.Printf("Please do the SSO login in your browser. \n" +
 		"If your browser didn't open automatically, use this URL to log in:\n\n" +
-		" " + verificationURIComplete + " " + codeMsg + " \n\n")
+		verificationURIComplete + " " + codeMsg)
-	if err != nil {
+	cmd.Println("")
-		cmd.Printf("Alternatively, you may want to use a setup key, see:\n\n https://www.netbird.io/docs/overview/setup-keys\n")
+	if err := open.Run(verificationURIComplete); err != nil {
+		cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
+			"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 	}
 }

client/cmd/status.go

@@ -109,9 +109,9 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 
 	ctx := internal.CtxInitState(context.Background())
 
-	resp, _ := getStatus(ctx, cmd)
+	resp, err := getStatus(ctx, cmd)
 	if err != nil {
-		return nil
+		return err
 	}
 
 	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
@@ -120,7 +120,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 			" netbird up \n\n"+
 			"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n"+
 			"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n"+
-			"More info: https://www.netbird.io/docs/overview/setup-keys\n\n",
+			"More info: https://docs.netbird.io/how-to/register-machines-using-setup-keys\n\n",
 			resp.GetStatus(),
 		)
 		return nil
@@ -133,7 +133,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 
 	outputInformationHolder := convertToStatusOutputOverview(resp)
 
-	statusOutputString := ""
+	var statusOutputString string
 	switch {
 	case detailFlag:
 		statusOutputString = parseToFullDetailSummary(outputInformationHolder)

client/cmd/testutil.go

@@ -76,12 +76,12 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		return nil, nil
 	}
 	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore)
+		eventStore, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}

client/firewall/firewall.go

@@ -40,6 +40,9 @@ const (
 // It declares methods which handle actions required by the
 // Netbird client for ACL and routing functionality
 type Manager interface {
+	// AllowNetbird allows netbird interface traffic
+	AllowNetbird() error
+
 	// AddFiltering rule to the firewall
 	//
 	// If comment argument is empty firewall manager should set

client/firewall/iptables/manager_linux.go

@@ -44,6 +44,7 @@ type Manager struct {
 type iFaceMapper interface {
 	Name() string
 	Address() iface.WGAddress
+	IsUserspaceBind() bool
 }
 
 type ruleset struct {
@@ -52,7 +53,7 @@ type ruleset struct {
 }
 
 // Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
+func Create(wgIface iFaceMapper, ipv6Supported bool) (*Manager, error) {
 	m := &Manager{
 		wgIface: wgIface,
 		inputDefaultRuleSpecs: []string{
@@ -62,26 +63,26 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 		rulesets: make(map[string]ruleset),
 	}
 
-	if err := ipset.Init(); err != nil {
+	err := ipset.Init()
+	if err != nil {
 		return nil, fmt.Errorf("init ipset: %w", err)
 	}
 
 	// init clients for booth ipv4 and ipv6
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	m.ipv4Client, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("iptables is not installed in the system or not supported")
 	}
-	if isIptablesClientAvailable(ipv4Client) {
+
-		m.ipv4Client = ipv4Client
+	if ipv6Supported {
+		m.ipv6Client, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+		if err != nil {
+			log.Warnf("ip6tables is not installed in the system or not supported: %v. Access rules for this protocol won't be applied.", err)
+		}
 	}
 
-	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if m.ipv4Client == nil && m.ipv6Client == nil {
-	if err != nil {
+		return nil, fmt.Errorf("iptables is not installed in the system or not enough permissions to use it")
-		log.Errorf("ip6tables is not installed in the system or not supported: %v", err)
-	} else {
-		if isIptablesClientAvailable(ipv6Client) {
-			m.ipv6Client = ipv6Client
-		}
 	}
 
 	if err := m.Reset(); err != nil {
@@ -90,11 +91,6 @@ func Create(wgIface iFaceMapper) (*Manager, error) {
 	return m, nil
 }
 
-func isIptablesClientAvailable(client *iptables.IPTables) bool {
-	_, err := client.ListChains("filter")
-	return err == nil
-}
-
 // AddFiltering rule to the firewall
 //
 // If comment is empty rule ID is used as comment
@@ -276,6 +272,38 @@ func (m *Manager) Reset() error {
 	return nil
 }
 
+// AllowNetbird allows netbird interface traffic
+func (m *Manager) AllowNetbird() error {
+	if m.wgIface.IsUserspaceBind() {
+		_, err := m.AddFiltering(
+			net.ParseIP("0.0.0.0"),
+			"all",
+			nil,
+			nil,
+			fw.RuleDirectionIN,
+			fw.ActionAccept,
+			"",
+			"allow netbird interface traffic",
+		)
+		if err != nil {
+			return fmt.Errorf("failed to allow netbird interface traffic: %w", err)
+		}
+		_, err = m.AddFiltering(
+			net.ParseIP("0.0.0.0"),
+			"all",
+			nil,
+			nil,
+			fw.RuleDirectionOUT,
+			fw.ActionAccept,
+			"",
+			"allow netbird interface traffic",
+		)
+		return err
+	}
+
+	return nil
+}
+
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
@@ -406,7 +434,7 @@ func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
 			return nil, fmt.Errorf("failed to create default drop all in netbird input chain: %w", err)
 		}
 
-		if err := client.AppendUnique("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
+		if err := client.Insert("filter", "INPUT", 1, m.inputDefaultRuleSpecs...); err != nil {
 			return nil, fmt.Errorf("failed to create input chain jump rule: %w", err)
 		}
 

client/firewall/iptables/manager_linux_test.go

@@ -33,6 +33,8 @@ func (i *iFaceMock) Address() iface.WGAddress {
 	panic("AddressFunc is not set")
 }
 
+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
@@ -53,7 +55,7 @@ func TestIptablesManager(t *testing.T) {
 	}
 
 	// just check on the local interface
-	manager, err := Create(mock)
+	manager, err := Create(mock, true)
 	require.NoError(t, err)
 
 	time.Sleep(time.Second)
@@ -141,7 +143,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}
 
 	// just check on the local interface
-	manager, err := Create(mock)
+	manager, err := Create(mock, true)
 	require.NoError(t, err)
 
 	time.Sleep(time.Second)
@@ -229,7 +231,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock)
+			manager, err := Create(mock, true)
 			require.NoError(t, err)
 			time.Sleep(time.Second)
 

client/firewall/nftables/manager_linux.go

@@ -29,6 +29,8 @@ const (
 
 	// FilterOutputChainName is the name of the chain that is used for filtering outgoing packets
 	FilterOutputChainName = "netbird-acl-output-filter"
+
+	AllowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
 
 var anyIP = []byte{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
@@ -379,7 +381,7 @@ func (m *Manager) chain(
 		if c != nil {
 			return c, nil
 		}
-		return m.createChainIfNotExists(tf, name, hook, priority, cType)
+		return m.createChainIfNotExists(tf, FilterTableName, name, hook, priority, cType)
 	}
 
 	if ip.To4() != nil {
@@ -399,13 +401,20 @@ func (m *Manager) chain(
 }
 
 // table returns the table for the given family of the IP address
-func (m *Manager) table(family nftables.TableFamily) (*nftables.Table, error) {
+func (m *Manager) table(
+	family nftables.TableFamily, tableName string,
+) (*nftables.Table, error) {
+	// we cache access to Netbird ACL table only
+	if tableName != FilterTableName {
+		return m.createTableIfNotExists(nftables.TableFamilyIPv4, tableName)
+	}
+
 	if family == nftables.TableFamilyIPv4 {
 		if m.tableIPv4 != nil {
 			return m.tableIPv4, nil
 		}
 
-		table, err := m.createTableIfNotExists(nftables.TableFamilyIPv4)
+		table, err := m.createTableIfNotExists(nftables.TableFamilyIPv4, tableName)
 		if err != nil {
 			return nil, err
 		}
@@ -417,7 +426,7 @@ func (m *Manager) table(family nftables.TableFamily) (*nftables.Table, error) {
 		return m.tableIPv6, nil
 	}
 
-	table, err := m.createTableIfNotExists(nftables.TableFamilyIPv6)
+	table, err := m.createTableIfNotExists(nftables.TableFamilyIPv6, tableName)
 	if err != nil {
 		return nil, err
 	}
@@ -425,19 +434,21 @@ func (m *Manager) table(family nftables.TableFamily) (*nftables.Table, error) {
 	return m.tableIPv6, nil
 }
 
-func (m *Manager) createTableIfNotExists(family nftables.TableFamily) (*nftables.Table, error) {
+func (m *Manager) createTableIfNotExists(
+	family nftables.TableFamily, tableName string,
+) (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(family)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
 
 	for _, t := range tables {
-		if t.Name == FilterTableName {
+		if t.Name == tableName {
 			return t, nil
 		}
 	}
 
-	table := m.rConn.AddTable(&nftables.Table{Name: FilterTableName, Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4})
 	if err := m.rConn.Flush(); err != nil {
 		return nil, err
 	}
@@ -446,12 +457,13 @@ func (m *Manager) createTableIfNotExists(family nftables.TableFamily) (*nftables
 
 func (m *Manager) createChainIfNotExists(
 	family nftables.TableFamily,
+	tableName string,
 	name string,
 	hooknum nftables.ChainHook,
 	priority nftables.ChainPriority,
 	chainType nftables.ChainType,
 ) (*nftables.Chain, error) {
-	table, err := m.table(family)
+	table, err := m.table(family, tableName)
 	if err != nil {
 		return nil, err
 	}
@@ -638,6 +650,22 @@ func (m *Manager) Reset() error {
 		return fmt.Errorf("list of chains: %w", err)
 	}
 	for _, c := range chains {
+		// delete Netbird allow input traffic rule if it exists
+		if c.Table.Name == "filter" && c.Name == "INPUT" {
+			rules, err := m.rConn.GetRules(c.Table, c)
+			if err != nil {
+				log.Errorf("get rules for chain %q: %v", c.Name, err)
+				continue
+			}
+			for _, r := range rules {
+				if bytes.Equal(r.UserData, []byte(AllowNetbirdInputRuleID)) {
+					if err := m.rConn.DelRule(r); err != nil {
+						log.Errorf("delete rule: %v", err)
+					}
+				}
+			}
+		}
+
 		if c.Name == FilterInputChainName || c.Name == FilterOutputChainName {
 			m.rConn.DelChain(c)
 		}
@@ -702,6 +730,53 @@ func (m *Manager) Flush() error {
 	return nil
 }
 
+// AllowNetbird allows netbird interface traffic
+func (m *Manager) AllowNetbird() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	tf := nftables.TableFamilyIPv4
+	if m.wgIface.Address().IP.To4() == nil {
+		tf = nftables.TableFamilyIPv6
+	}
+
+	chains, err := m.rConn.ListChainsOfTableFamily(tf)
+	if err != nil {
+		return fmt.Errorf("list of chains: %w", err)
+	}
+
+	var chain *nftables.Chain
+	for _, c := range chains {
+		if c.Table.Name == "filter" && c.Name == "INPUT" {
+			chain = c
+			break
+		}
+	}
+
+	if chain == nil {
+		log.Debugf("chain INPUT not found. Skiping add allow netbird rule")
+		return nil
+	}
+
+	rules, err := m.rConn.GetRules(chain.Table, chain)
+	if err != nil {
+		return fmt.Errorf("failed to get rules for the INPUT chain: %v", err)
+	}
+
+	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
+		log.Debugf("allow netbird rule already exists: %v", rule)
+		return nil
+	}
+
+	m.applyAllowNetbirdRules(chain)
+
+	err = m.rConn.Flush()
+	if err != nil {
+		return fmt.Errorf("failed to flush allow input netbird rules: %v", err)
+	}
+	return nil
+}
+
 func (m *Manager) flushWithBackoff() (err error) {
 	backoff := 4
 	backoffTime := 1000 * time.Millisecond
@@ -745,6 +820,44 @@ func (m *Manager) refreshRuleHandles(table *nftables.Table, chain *nftables.Chai
 	return nil
 }
 
+func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
+	rule := &nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     ifname(m.wgIface.Name()),
+			},
+			&expr.Verdict{
+				Kind: expr.VerdictAccept,
+			},
+		},
+		UserData: []byte(AllowNetbirdInputRuleID),
+	}
+	_ = m.rConn.InsertRule(rule)
+}
+
+func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
+	ifName := ifname(m.wgIface.Name())
+	for _, rule := range existedRules {
+		if rule.Table.Name == "filter" && rule.Chain.Name == "INPUT" {
+			if len(rule.Exprs) < 4 {
+				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
+					continue
+				}
+				if e, ok := rule.Exprs[1].(*expr.Cmp); !ok || e.Op != expr.CmpOpEq || !bytes.Equal(e.Data, ifName) {
+					continue
+				}
+				return rule
+			}
+		}
+	}
+	return nil
+}
+
 func encodePort(port fw.Port) []byte {
 	bs := make([]byte, 2)
 	binary.BigEndian.PutUint16(bs, uint16(port.Values[0]))

client/firewall/uspfilter/allow_netbird.go

@@ -0,0 +1,19 @@
+//go:build !windows && !linux
+
+package uspfilter
+
+// Reset firewall to the default state
+func (m *Manager) Reset() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.outgoingRules = make(map[string]RuleSet)
+	m.incomingRules = make(map[string]RuleSet)
+
+	return nil
+}
+
+// AllowNetbird allows netbird interface traffic
+func (m *Manager) AllowNetbird() error {
+	return nil
+}

client/firewall/uspfilter/allow_netbird_linux.go

@@ -0,0 +1,21 @@
+package uspfilter
+
+// AllowNetbird allows netbird interface traffic
+func (m *Manager) AllowNetbird() error {
+	return nil
+}
+
+// Reset firewall to the default state
+func (m *Manager) Reset() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.outgoingRules = make(map[string]RuleSet)
+	m.incomingRules = make(map[string]RuleSet)
+
+	if m.resetHook != nil {
+		return m.resetHook()
+	}
+
+	return nil
+}

client/firewall/uspfilter/allow_netbird_windows.go

@@ -0,0 +1,91 @@
+package uspfilter
+
+import (
+	"errors"
+	"fmt"
+	"os/exec"
+	"strings"
+	"syscall"
+)
+
+type action string
+
+const (
+	addRule    action = "add"
+	deleteRule action = "delete"
+
+	firewallRuleName     = "Netbird"
+	noRulesMatchCriteria = "No rules match the specified criteria"
+)
+
+// Reset firewall to the default state
+func (m *Manager) Reset() error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	m.outgoingRules = make(map[string]RuleSet)
+	m.incomingRules = make(map[string]RuleSet)
+
+	if err := manageFirewallRule(firewallRuleName, deleteRule); err != nil {
+		return fmt.Errorf("couldn't remove windows firewall: %w", err)
+	}
+
+	return nil
+}
+
+// AllowNetbird allows netbird interface traffic
+func (m *Manager) AllowNetbird() error {
+	return manageFirewallRule(firewallRuleName,
+		addRule,
+		"dir=in",
+		"enable=yes",
+		"action=allow",
+		"profile=any",
+		"localip="+m.wgIface.Address().IP.String(),
+	)
+}
+
+func manageFirewallRule(ruleName string, action action, args ...string) error {
+	active, err := isFirewallRuleActive(ruleName)
+	if err != nil {
+		return err
+	}
+
+	if (action == addRule && !active) || (action == deleteRule && active) {
+		baseArgs := []string{"advfirewall", "firewall", string(action), "rule", "name=" + ruleName}
+		args := append(baseArgs, args...)
+
+		cmd := exec.Command("netsh", args...)
+		cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+		return cmd.Run()
+	}
+
+	return nil
+}
+
+func isFirewallRuleActive(ruleName string) (bool, error) {
+	args := []string{"advfirewall", "firewall", "show", "rule", "name=" + ruleName}
+
+	cmd := exec.Command("netsh", args...)
+	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
+	output, err := cmd.Output()
+	if err != nil {
+		var exitError *exec.ExitError
+		if errors.As(err, &exitError) {
+			// if the firewall rule is not active, we expect last exit code to be 1
+			exitStatus := exitError.Sys().(syscall.WaitStatus).ExitStatus()
+			if exitStatus == 1 {
+				if strings.Contains(string(output), noRulesMatchCriteria) {
+					return false, nil
+				}
+			}
+		}
+		return false, err
+	}
+
+	if strings.Contains(string(output), noRulesMatchCriteria) {
+		return false, nil
+	}
+
+	return true, nil
+}

client/firewall/uspfilter/uspfilter.go

@@ -19,6 +19,7 @@ const layerTypeAll = 0
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	SetFilter(iface.PacketFilter) error
+	Address() iface.WGAddress
 }
 
 // RuleSet is a set of rules grouped by a string key
@@ -30,6 +31,8 @@ type Manager struct {
 	incomingRules map[string]RuleSet
 	wgNetwork     *net.IPNet
 	decoders      sync.Pool
+	wgIface       IFaceMapper
+	resetHook func() error
 
 	mutex sync.RWMutex
 }
@@ -65,6 +68,7 @@ func Create(iface IFaceMapper) (*Manager, error) {
 		},
 		outgoingRules: make(map[string]RuleSet),
 		incomingRules: make(map[string]RuleSet),
+		wgIface:       iface,
 	}
 
 	if err := iface.SetFilter(m); err != nil {
@@ -171,17 +175,6 @@ func (m *Manager) DeleteRule(rule fw.Rule) error {
 	return nil
 }
 
-// Reset firewall to the default state
-func (m *Manager) Reset() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	m.outgoingRules = make(map[string]RuleSet)
-	m.incomingRules = make(map[string]RuleSet)
-
-	return nil
-}
-
 // Flush doesn't need to be implemented for this manager
 func (m *Manager) Flush() error { return nil }
 
@@ -375,3 +368,8 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 	}
 	return fmt.Errorf("hook with given id not found")
 }
+
+// SetResetHook which will be executed in the end of Reset method
+func (m *Manager) SetResetHook(hook func() error) {
+	m.resetHook = hook
+}

client/firewall/uspfilter/uspfilter_test.go

@@ -16,6 +16,7 @@ import (
 
 type IFaceMock struct {
 	SetFilterFunc func(iface.PacketFilter) error
+	AddressFunc   func() iface.WGAddress
 }
 
 func (i *IFaceMock) SetFilter(iface iface.PacketFilter) error {
@@ -25,6 +26,13 @@ func (i *IFaceMock) SetFilter(iface iface.PacketFilter) error {
 	return i.SetFilterFunc(iface)
 }
 
+func (i *IFaceMock) Address() iface.WGAddress {
+	if i.AddressFunc == nil {
+		return iface.WGAddress{}
+	}
+	return i.AddressFunc()
+}
+
 func TestManagerCreate(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(iface.PacketFilter) error { return nil },

client/internal/acl/manager.go

@@ -146,12 +146,11 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 		// if this rule is member of rule selection with more than DefaultIPsCountForSet
 		// it's IP address can be used in the ipset for firewall manager which supports it
 		ipset := ipsetByRuleSelectors[d.getRuleGroupingSelector(r)]
-		ipsetName := ""
 		if ipset.name == "" {
 			d.ipsetCounter++
 			ipset.name = fmt.Sprintf("nb%07d", d.ipsetCounter)
 		}
-		ipsetName = ipset.name
+		ipsetName := ipset.name
 		pairID, rulePair, err := d.protoRuleToFirewallRule(r, ipsetName)
 		if err != nil {
 			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)

client/internal/acl/manager_create.go

@@ -1,4 +1,4 @@
-//go:build !linux
+//go:build !linux || android
 
 package acl
 
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"runtime"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
 )
 
@@ -17,6 +19,9 @@ func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
 		if err != nil {
 			return nil, err
 		}
+		if err := fm.AllowNetbird(); err != nil {
+			log.Errorf("failed to allow netbird interface traffic: %v", err)
+		}
 		return newDefaultManager(fm), nil
 	}
 	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)

client/internal/acl/manager_create_linux.go

@@ -1,3 +1,5 @@
+//go:build !android
+
 package acl
 
 import (
@@ -7,26 +9,68 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/iptables"
 	"github.com/netbirdio/netbird/client/firewall/nftables"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
+	"github.com/netbirdio/netbird/client/internal/checkfw"
 )
 
 // Create creates a firewall manager instance for the Linux
-func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
+func Create(iface IFaceMapper) (*DefaultManager, error) {
+	// on the linux system we try to user nftables or iptables
+	// in any case, because we need to allow netbird interface traffic
+	// so we use AllowNetbird traffic from these firewall managers
+	// for the userspace packet filtering firewall
 	var fm firewall.Manager
+	var err error
+
+	checkResult := checkfw.Check()
+	switch checkResult {
+	case checkfw.IPTABLES, checkfw.IPTABLESWITHV6:
+		log.Debug("creating an iptables firewall manager for access control")
+		ipv6Supported := checkResult == checkfw.IPTABLESWITHV6
+		if fm, err = iptables.Create(iface, ipv6Supported); err != nil {
+			log.Infof("failed to create iptables manager for access control: %s", err)
+		}
+	case checkfw.NFTABLES:
+		log.Debug("creating an nftables firewall manager for access control")
+		if fm, err = nftables.Create(iface); err != nil {
+			log.Debugf("failed to create nftables manager for access control: %s", err)
+		}
+	}
+
+	var resetHookForUserspace func() error
+	if fm != nil && err == nil {
+		// err shadowing is used here, to ignore this error
+		if err := fm.AllowNetbird(); err != nil {
+			log.Errorf("failed to allow netbird interface traffic: %v", err)
+		}
+		resetHookForUserspace = fm.Reset
+	}
+
 	if iface.IsUserspaceBind() {
 		// use userspace packet filtering firewall
-		if fm, err = uspfilter.Create(iface); err != nil {
+		usfm, err := uspfilter.Create(iface)
+		if err != nil {
 			log.Debugf("failed to create userspace filtering firewall: %s", err)
 			return nil, err
 		}
-	} else {
+
-		if fm, err = nftables.Create(iface); err != nil {
+		// set kernel space firewall Reset as hook for userspace firewall
-			log.Debugf("failed to create nftables manager: %s", err)
+		// manager Reset method, to clean up
-			// fallback to iptables
+		if resetHookForUserspace != nil {
-			if fm, err = iptables.Create(iface); err != nil {
+			usfm.SetResetHook(resetHookForUserspace)
-				log.Errorf("failed to create iptables manager: %s", err)
-				return nil, err
-			}
 		}
+
+		// to be consistent for any future extensions.
+		// ignore this error
+		if err := usfm.AllowNetbird(); err != nil {
+			log.Errorf("failed to allow netbird interface traffic: %v", err)
+		}
+		fm = usfm
+	}
+
+	if fm == nil || err != nil {
+		log.Errorf("failed to create firewall manager: %s", err)
+		// no firewall manager found or initialized correctly
+		return nil, err
 	}
 
 	return newDefaultManager(fm), nil

client/internal/acl/manager_test.go

@@ -1,11 +1,13 @@
 package acl
 
 import (
+	"net"
 	"testing"
 
 	"github.com/golang/mock/gomock"
 
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
+	"github.com/netbirdio/netbird/iface"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )
 
@@ -32,13 +34,22 @@ func TestDefaultManager(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
-	iface := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	iface.EXPECT().IsUserspaceBind().Return(true)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true)
-	// iface.EXPECT().Name().Return("lo")
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	iface.EXPECT().SetFilter(gomock.Any())
+	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
+
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(iface.WGAddress{
+		IP:      ip,
+		Network: network,
+	}).AnyTimes()
 
 	// we receive one rule from the management so for testing purposes ignore it
-	acl, err := Create(iface)
+	acl, err := Create(ifaceMock)
 	if err != nil {
 		t.Errorf("create ACL manager: %v", err)
 		return
@@ -311,13 +322,22 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
-	iface := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	iface.EXPECT().IsUserspaceBind().Return(true)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true)
-	// iface.EXPECT().Name().Return("lo")
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	iface.EXPECT().SetFilter(gomock.Any())
+	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
+
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(iface.WGAddress{
+		IP:      ip,
+		Network: network,
+	}).AnyTimes()
 
 	// we receive one rule from the management so for testing purposes ignore it
-	acl, err := Create(iface)
+	acl, err := Create(ifaceMock)
 	if err != nil {
 		t.Errorf("create ACL manager: %v", err)
 		return

client/internal/auth/oauth.go

@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"runtime"
 
-	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
 
@@ -57,34 +57,50 @@ func (t TokenInfo) GetTokenToUse() string {
 	return t.AccessToken
 }
 
-// NewOAuthFlow initializes and returns the appropriate OAuth flow based on the management configuration.
+// NewOAuthFlow initializes and returns the appropriate OAuth flow based on the management configuration
+//
+// It starts by initializing the PKCE.If this process fails, it resorts to the Device Code Flow,
+// and if that also fails, the authentication process is deemed unsuccessful
+//
+// On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
 func NewOAuthFlow(ctx context.Context, config *internal.Config) (OAuthFlow, error) {
-	log.Debug("getting device authorization flow info")
+	if runtime.GOOS == "linux" && !isLinuxRunningDesktop() {
-
+		return authenticateWithDeviceCodeFlow(ctx, config)
-	// Try to initialize the Device Authorization Flow
-	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
-	if err == nil {
-		return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
 	}
 
-	log.Debugf("getting device authorization flow info failed with error: %v", err)
+	pkceFlow, err := authenticateWithPKCEFlow(ctx, config)
-	log.Debugf("falling back to pkce authorization flow info")
+	if err != nil {
+		// fallback to device code flow
+		return authenticateWithDeviceCodeFlow(ctx, config)
+	}
+	return pkceFlow, nil
+}
 
-	// If Device Authorization Flow failed, try the PKCE Authorization Flow
+// authenticateWithPKCEFlow initializes the Proof Key for Code Exchange flow auth flow
+func authenticateWithPKCEFlow(ctx context.Context, config *internal.Config) (OAuthFlow, error) {
 	pkceFlowInfo, err := internal.GetPKCEAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
+	if err != nil {
+		return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
+	}
+	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
+}
+
+// authenticateWithDeviceCodeFlow initializes the Device Code auth Flow
+func authenticateWithDeviceCodeFlow(ctx context.Context, config *internal.Config) (OAuthFlow, error) {
+	deviceFlowInfo, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
 	if err != nil {
 		s, ok := gstatus.FromError(err)
 		if ok && s.Code() == codes.NotFound {
 			return nil, fmt.Errorf("no SSO provider returned from management. " +
-				"If you are using hosting Netbird see documentation at " +
+				"Please proceed with setting up this device using setup keys " +
-				"https://github.com/netbirdio/netbird/tree/main/management for details")
+				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 		} else if ok && s.Code() == codes.Unimplemented {
 			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
 				"please update your server or use Setup Keys to login", config.ManagementURL)
 		} else {
-			return nil, fmt.Errorf("getting pkce authorization flow info failed with error: %v", err)
+			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
 		}
 	}
 
-	return NewPKCEAuthorizationFlow(pkceFlowInfo.ProviderConfig)
+	return NewDeviceAuthorizationFlow(deviceFlowInfo.ProviderConfig)
 }

client/internal/auth/pkce_flow.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha256"
 	"crypto/subtle"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"html/template"
 	"net"
@@ -25,6 +26,8 @@ var _ OAuthFlow = &PKCEAuthorizationFlow{}
 const (
 	queryState                = "state"
 	queryCode                 = "code"
+	queryError                = "error"
+	queryErrorDesc            = "error_description"
 	defaultPKCETimeoutSeconds = 300
 )
 
@@ -76,7 +79,7 @@ func (p *PKCEAuthorizationFlow) GetClientID(_ context.Context) string {
 }
 
 // RequestAuthInfo requests a authorization code login flow information.
-func (p *PKCEAuthorizationFlow) RequestAuthInfo(_ context.Context) (AuthFlowInfo, error) {
+func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowInfo, error) {
 	state, err := randomBytesInHex(24)
 	if err != nil {
 		return AuthFlowInfo{}, fmt.Errorf("could not generate random state: %v", err)
@@ -110,71 +113,79 @@ func (p *PKCEAuthorizationFlow) WaitToken(ctx context.Context, _ AuthFlowInfo) (
 	tokenChan := make(chan *oauth2.Token, 1)
 	errChan := make(chan error, 1)
 
-	go p.startServer(tokenChan, errChan)
+	parsedURL, err := url.Parse(p.oAuthConfig.RedirectURL)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("failed to parse redirect URL: %v", err)
+	}
+
+	server := &http.Server{Addr: fmt.Sprintf(":%s", parsedURL.Port())}
+	defer func() {
+		shutdownCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+		defer cancel()
+
+		if err := server.Shutdown(shutdownCtx); err != nil {
+			log.Errorf("failed to close the server: %v", err)
+		}
+	}()
+
+	go p.startServer(server, tokenChan, errChan)
 
 	select {
 	case <-ctx.Done():
 		return TokenInfo{}, ctx.Err()
 	case token := <-tokenChan:
-		return p.handleOAuthToken(token)
+		return p.parseOAuthToken(token)
 	case err := <-errChan:
 		return TokenInfo{}, err
 	}
 }
 
-func (p *PKCEAuthorizationFlow) startServer(tokenChan chan<- *oauth2.Token, errChan chan<- error) {
+func (p *PKCEAuthorizationFlow) startServer(server *http.Server, tokenChan chan<- *oauth2.Token, errChan chan<- error) {
-	parsedURL, err := url.Parse(p.oAuthConfig.RedirectURL)
+	mux := http.NewServeMux()
-	if err != nil {
+	mux.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
-		errChan <- fmt.Errorf("failed to parse redirect URL: %v", err)
+		token, err := p.handleRequest(req)
-		return
-	}
-	port := parsedURL.Port()
-
-	server := http.Server{Addr: fmt.Sprintf(":%s", port)}
-	defer func() {
-		if err := server.Shutdown(context.Background()); err != nil {
-			log.Errorf("error while shutting down pkce flow server: %v", err)
-		}
-	}()
-
-	http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
-		tokenValidatorFunc := func() (*oauth2.Token, error) {
-			query := req.URL.Query()
-
-			state := query.Get(queryState)
-			// Prevent timing attacks on state
-			if subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
-				return nil, fmt.Errorf("invalid state")
-			}
-
-			code := query.Get(queryCode)
-			if code == "" {
-				return nil, fmt.Errorf("missing code")
-			}
-
-			return p.oAuthConfig.Exchange(
-				req.Context(),
-				code,
-				oauth2.SetAuthURLParam("code_verifier", p.codeVerifier),
-			)
-		}
-
-		token, err := tokenValidatorFunc()
 		if err != nil {
-			errChan <- fmt.Errorf("PKCE authorization flow failed: %v", err)
 			renderPKCEFlowTmpl(w, err)
+			errChan <- fmt.Errorf("PKCE authorization flow failed: %v", err)
+			return
 		}
 
-		tokenChan <- token
 		renderPKCEFlowTmpl(w, nil)
+		tokenChan <- token
 	})
 
-	if err := server.ListenAndServe(); err != nil {
+	server.Handler = mux
+	if err := server.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
 		errChan <- err
 	}
 }
 
-func (p *PKCEAuthorizationFlow) handleOAuthToken(token *oauth2.Token) (TokenInfo, error) {
+func (p *PKCEAuthorizationFlow) handleRequest(req *http.Request) (*oauth2.Token, error) {
+	query := req.URL.Query()
+
+	if authError := query.Get(queryError); authError != "" {
+		authErrorDesc := query.Get(queryErrorDesc)
+		return nil, fmt.Errorf("%s.%s", authError, authErrorDesc)
+	}
+
+	// Prevent timing attacks on the state
+	if state := query.Get(queryState); subtle.ConstantTimeCompare([]byte(p.state), []byte(state)) == 0 {
+		return nil, fmt.Errorf("invalid state")
+	}
+
+	code := query.Get(queryCode)
+	if code == "" {
+		return nil, fmt.Errorf("missing code")
+	}
+
+	return p.oAuthConfig.Exchange(
+		req.Context(),
+		code,
+		oauth2.SetAuthURLParam("code_verifier", p.codeVerifier),
+	)
+}
+
+func (p *PKCEAuthorizationFlow) parseOAuthToken(token *oauth2.Token) (TokenInfo, error) {
 	tokenInfo := TokenInfo{
 		AccessToken:  token.AccessToken,
 		RefreshToken: token.RefreshToken,

client/internal/auth/util.go

@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"os"
 	"reflect"
 	"strings"
 )
@@ -60,3 +61,8 @@ func isValidAccessToken(token string, audience string) error {
 
 	return fmt.Errorf("invalid JWT token audience field")
 }
+
+// isLinuxRunningDesktop checks if a Linux OS is running desktop environment
+func isLinuxRunningDesktop() bool {
+	return os.Getenv("DESKTOP_SESSION") != "" || os.Getenv("XDG_CURRENT_DESKTOP") != ""
+}

client/internal/checkfw/check.go

@@ -0,0 +1,3 @@
+//go:build !linux || android
+
+package checkfw

client/internal/checkfw/check_linux.go

@@ -0,0 +1,56 @@
+//go:build !android
+
+package checkfw
+
+import (
+	"os"
+
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/google/nftables"
+)
+
+const (
+	// UNKNOWN is the default value for the firewall type for unknown firewall type
+	UNKNOWN FWType = iota
+	// IPTABLES is the value for the iptables firewall type
+	IPTABLES
+	// IPTABLESWITHV6 is the value for the iptables firewall type with ipv6
+	IPTABLESWITHV6
+	// NFTABLES is the value for the nftables firewall type
+	NFTABLES
+)
+
+// SKIP_NFTABLES_ENV is the environment variable to skip nftables check
+const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
+
+// FWType is the type for the firewall type
+type FWType int
+
+// Check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
+func Check() FWType {
+	nf := nftables.Conn{}
+	if _, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
+		return NFTABLES
+	}
+
+	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err == nil {
+		if isIptablesClientAvailable(ip) {
+			ipSupport := IPTABLES
+			ipv6, ip6Err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+			if ip6Err == nil {
+				if isIptablesClientAvailable(ipv6) {
+					ipSupport = IPTABLESWITHV6
+				}
+			}
+			return ipSupport
+		}
+	}
+
+	return UNKNOWN
+}
+
+func isIptablesClientAvailable(client *iptables.IPTables) bool {
+	_, err := client.ListChains("filter")
+	return err == nil
+}

client/internal/config_test.go

@@ -23,9 +23,6 @@ func TestGetConfig(t *testing.T) {
 	assert.Equal(t, config.ManagementURL.String(), DefaultManagementURL)
 	assert.Equal(t, config.AdminURL.String(), DefaultAdminURL)
 
-	if err != nil {
-		return
-	}
 	managementURL := "https://test.management.url:33071"
 	adminURL := "https://app.admin.url:443"
 	path := filepath.Join(t.TempDir(), "config.json")

client/internal/connect.go

@@ -179,8 +179,6 @@ func runClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
 		state.Set(StatusConnected)
 
-		statusRecorder.ClientStart()
-
 		<-engineCtx.Done()
 		statusRecorder.ClientTeardown()
 
@@ -201,6 +199,7 @@ func runClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		return nil
 	}
 
+	statusRecorder.ClientStart()
 	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)

client/internal/dns/file_linux.go

@@ -15,7 +15,8 @@ const (
 	fileGeneratedResolvConfSearchBeginContent = "search "
 	fileGeneratedResolvConfContentFormat      = fileGeneratedResolvConfContentHeader +
 		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
-		fileGeneratedResolvConfSearchBeginContent + "%s\n"
+		fileGeneratedResolvConfSearchBeginContent + "%s\n\n" +
+		"%s\n"
 )
 
 const (
@@ -91,7 +92,12 @@ func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 		searchDomains += " " + dConf.domain
 		appendedDomains++
 	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
+
+	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
+	if err != nil {
+		log.Errorf("Could not read existing resolv.conf")
+	}
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
 	err = writeDNSConfig(content, defaultResolvConfPath, f.originalPerms)
 	if err != nil {
 		err = f.restore()

client/internal/dns/host_darwin.go

@@ -182,12 +182,11 @@ func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port
 }
 
 func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
-	primaryServiceKey := s.getPrimaryService()
+	primaryServiceKey, existingNameserver := s.getPrimaryService()
 	if primaryServiceKey == "" {
 		return fmt.Errorf("couldn't find the primary service key")
 	}
-
+	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port, existingNameserver)
-	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port)
 	if err != nil {
 		return err
 	}
@@ -196,27 +195,32 @@ func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error
 	return nil
 }
 
-func (s *systemConfigurator) getPrimaryService() string {
+func (s *systemConfigurator) getPrimaryService() (string, string) {
 	line := buildCommandLine("show", globalIPv4State, "")
 	stdinCommands := wrapCommand(line)
 	b, err := runSystemConfigCommand(stdinCommands)
 	if err != nil {
 		log.Error("got error while sending the command: ", err)
-		return ""
+		return "", ""
 	}
 	scanner := bufio.NewScanner(bytes.NewReader(b))
+	primaryService := ""
+	router := ""
 	for scanner.Scan() {
 		text := scanner.Text()
 		if strings.Contains(text, "PrimaryService") {
-			return strings.TrimSpace(strings.Split(text, ":")[1])
+			primaryService = strings.TrimSpace(strings.Split(text, ":")[1])
+		}
+		if strings.Contains(text, "Router") {
+			router = strings.TrimSpace(strings.Split(text, ":")[1])
 		}
 	}
-	return ""
+	return primaryService, router
 }
 
-func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int) error {
+func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int, existingDNSServer string) error {
 	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
+	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer+" "+existingDNSServer)
 	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
 	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
 	stdinCommands := wrapCommand(addDomainCommand)

client/internal/dns/resolvconf_linux.go

@@ -4,6 +4,7 @@ package dns
 
 import (
 	"fmt"
+	"os"
 	"os/exec"
 	"strings"
 
@@ -59,7 +60,11 @@ func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 		appendedDomains++
 	}
 
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
+	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
+	if err != nil {
+		log.Errorf("Could not read existing resolv.conf")
+	}
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
 
 	err = r.applyConfig(content)
 	if err != nil {

client/internal/dns/server.go

@@ -238,7 +238,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	hostUpdate := s.currentConfig
 	if s.service.RuntimePort() != defaultPort && !s.hostManager.supportCustomPort() {
 		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
-			"Learn more at: https://netbird.io/docs/how-to-guides/nameservers#local-resolver")
+			"Learn more at: https://docs.netbird.io/how-to/manage-dns-in-your-network#local-resolver")
 		hostUpdate.routeAll = false
 	}
 

client/internal/dns/server_test.go

@@ -777,7 +777,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	newNet, err := stdnet.NewNet(nil)
 	if err != nil {
 		t.Fatalf("create stdnet: %v", err)
-		return nil, nil
+		return nil, err
 	}
 
 	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", iface.DefaultMTU, nil, newNet)

client/internal/dns/service_listener.go

@@ -11,6 +11,9 @@ import (
 
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/ebpf"
+	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
 )
 
 const (
@@ -24,10 +27,11 @@ type serviceViaListener struct {
 	dnsMux            *dns.ServeMux
 	customAddr        *netip.AddrPort
 	server            *dns.Server
-	runtimeIP         string
+	listenIP          string
-	runtimePort       int
+	listenPort        int
 	listenerIsRunning bool
 	listenerFlagLock  sync.Mutex
+	ebpfService       ebpfMgr.Manager
 }
 
 func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort) *serviceViaListener {
@@ -43,6 +47,7 @@ func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort) *service
 			UDPSize: 65535,
 		},
 	}
+
 	return s
 }
 
@@ -55,13 +60,21 @@ func (s *serviceViaListener) Listen() error {
 	}
 
 	var err error
-	s.runtimeIP, s.runtimePort, err = s.evalRuntimeAddress()
+	s.listenIP, s.listenPort, err = s.evalListenAddress()
 	if err != nil {
 		log.Errorf("failed to eval runtime address: %s", err)
 		return err
 	}
-	s.server.Addr = fmt.Sprintf("%s:%d", s.runtimeIP, s.runtimePort)
+	s.server.Addr = fmt.Sprintf("%s:%d", s.listenIP, s.listenPort)
 
+	if s.shouldApplyPortFwd() {
+		s.ebpfService = ebpf.GetEbpfManagerInstance()
+		err = s.ebpfService.LoadDNSFwd(s.listenIP, s.listenPort)
+		if err != nil {
+			log.Warnf("failed to load DNS port forwarder, custom port may not work well on some Linux operating systems: %s", err)
+			s.ebpfService = nil
+		}
+	}
 	log.Debugf("starting dns on %s", s.server.Addr)
 	go func() {
 		s.setListenerStatus(true)
@@ -69,9 +82,10 @@ func (s *serviceViaListener) Listen() error {
 
 		err := s.server.ListenAndServe()
 		if err != nil {
-			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
+			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.listenPort, err)
 		}
 	}()
+
 	return nil
 }
 
@@ -90,6 +104,13 @@ func (s *serviceViaListener) Stop() {
 	if err != nil {
 		log.Errorf("stopping dns server listener returned an error: %v", err)
 	}
+
+	if s.ebpfService != nil {
+		err = s.ebpfService.FreeDNSFwd()
+		if err != nil {
+			log.Errorf("stopping traffic forwarder returned an error: %v", err)
+		}
+	}
 }
 
 func (s *serviceViaListener) RegisterMux(pattern string, handler dns.Handler) {
@@ -101,11 +122,18 @@ func (s *serviceViaListener) DeregisterMux(pattern string) {
 }
 
 func (s *serviceViaListener) RuntimePort() int {
-	return s.runtimePort
+	s.listenerFlagLock.Lock()
+	defer s.listenerFlagLock.Unlock()
+
+	if s.ebpfService != nil {
+		return defaultPort
+	} else {
+		return s.listenPort
+	}
 }
 
 func (s *serviceViaListener) RuntimeIP() string {
-	return s.runtimeIP
+	return s.listenIP
 }
 
 func (s *serviceViaListener) setListenerStatus(running bool) {
@@ -136,10 +164,30 @@ func (s *serviceViaListener) getFirstListenerAvailable() (string, int, error) {
 	return "", 0, fmt.Errorf("unable to find an unused ip and port combination. IPs tested: %v and ports %v", ips, ports)
 }
 
-func (s *serviceViaListener) evalRuntimeAddress() (string, int, error) {
+func (s *serviceViaListener) evalListenAddress() (string, int, error) {
 	if s.customAddr != nil {
 		return s.customAddr.Addr().String(), int(s.customAddr.Port()), nil
 	}
 
 	return s.getFirstListenerAvailable()
 }
+
+// shouldApplyPortFwd decides whether to apply eBPF program to capture DNS traffic on port 53.
+// This is needed because on some operating systems if we start a DNS server not on a default port 53, the domain name
+// resolution won't work.
+// So, in case we are running on Linux and picked a non-default port (53) we should fall back to the eBPF solution that will capture
+// traffic on port 53 and forward it to a local DNS server running on 5053.
+func (s *serviceViaListener) shouldApplyPortFwd() bool {
+	if runtime.GOOS != "linux" {
+		return false
+	}
+
+	if s.customAddr != nil {
+		return false
+	}
+
+	if s.listenPort == defaultPort {
+		return false
+	}
+	return true
+}

client/internal/ebpf/ebpf/bpf_bpfeb.go

@@ -54,14 +54,17 @@ type bpfSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
-	XdpProgFunc *ebpf.ProgramSpec `ebpf:"xdp_prog_func"`
+	NbXdpProg *ebpf.ProgramSpec `ebpf:"nb_xdp_prog"`
 }
 
 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
-	XdpPortMap *ebpf.MapSpec `ebpf:"xdp_port_map"`
+	NbFeatures           *ebpf.MapSpec `ebpf:"nb_features"`
+	NbMapDnsIp           *ebpf.MapSpec `ebpf:"nb_map_dns_ip"`
+	NbMapDnsPort         *ebpf.MapSpec `ebpf:"nb_map_dns_port"`
+	NbWgProxySettingsMap *ebpf.MapSpec `ebpf:"nb_wg_proxy_settings_map"`
 }
 
 // bpfObjects contains all objects after they have been loaded into the kernel.
@@ -83,12 +86,18 @@ func (o *bpfObjects) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
-	XdpPortMap *ebpf.Map `ebpf:"xdp_port_map"`
+	NbFeatures           *ebpf.Map `ebpf:"nb_features"`
+	NbMapDnsIp           *ebpf.Map `ebpf:"nb_map_dns_ip"`
+	NbMapDnsPort         *ebpf.Map `ebpf:"nb_map_dns_port"`
+	NbWgProxySettingsMap *ebpf.Map `ebpf:"nb_wg_proxy_settings_map"`
 }
 
 func (m *bpfMaps) Close() error {
 	return _BpfClose(
-		m.XdpPortMap,
+		m.NbFeatures,
+		m.NbMapDnsIp,
+		m.NbMapDnsPort,
+		m.NbWgProxySettingsMap,
 	)
 }
 
@@ -96,12 +105,12 @@ func (m *bpfMaps) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
-	XdpProgFunc *ebpf.Program `ebpf:"xdp_prog_func"`
+	NbXdpProg *ebpf.Program `ebpf:"nb_xdp_prog"`
 }
 
 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
-		p.XdpProgFunc,
+		p.NbXdpProg,
 	)
 }
 

client/internal/ebpf/ebpf/bpf_bpfel.go

@@ -54,14 +54,17 @@ type bpfSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
-	XdpProgFunc *ebpf.ProgramSpec `ebpf:"xdp_prog_func"`
+	NbXdpProg *ebpf.ProgramSpec `ebpf:"nb_xdp_prog"`
 }
 
 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
-	XdpPortMap *ebpf.MapSpec `ebpf:"xdp_port_map"`
+	NbFeatures           *ebpf.MapSpec `ebpf:"nb_features"`
+	NbMapDnsIp           *ebpf.MapSpec `ebpf:"nb_map_dns_ip"`
+	NbMapDnsPort         *ebpf.MapSpec `ebpf:"nb_map_dns_port"`
+	NbWgProxySettingsMap *ebpf.MapSpec `ebpf:"nb_wg_proxy_settings_map"`
 }
 
 // bpfObjects contains all objects after they have been loaded into the kernel.
@@ -83,12 +86,18 @@ func (o *bpfObjects) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
-	XdpPortMap *ebpf.Map `ebpf:"xdp_port_map"`
+	NbFeatures           *ebpf.Map `ebpf:"nb_features"`
+	NbMapDnsIp           *ebpf.Map `ebpf:"nb_map_dns_ip"`
+	NbMapDnsPort         *ebpf.Map `ebpf:"nb_map_dns_port"`
+	NbWgProxySettingsMap *ebpf.Map `ebpf:"nb_wg_proxy_settings_map"`
 }
 
 func (m *bpfMaps) Close() error {
 	return _BpfClose(
-		m.XdpPortMap,
+		m.NbFeatures,
+		m.NbMapDnsIp,
+		m.NbMapDnsPort,
+		m.NbWgProxySettingsMap,
 	)
 }
 
@@ -96,12 +105,12 @@ func (m *bpfMaps) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
-	XdpProgFunc *ebpf.Program `ebpf:"xdp_prog_func"`
+	NbXdpProg *ebpf.Program `ebpf:"nb_xdp_prog"`
 }
 
 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
-		p.XdpProgFunc,
+		p.NbXdpProg,
 	)
 }
 

client/internal/ebpf/ebpf/dns_fwd_linux.go

@@ -0,0 +1,51 @@
+package ebpf
+
+import (
+	"encoding/binary"
+	"net"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	mapKeyDNSIP   uint32 = 0
+	mapKeyDNSPort uint32 = 1
+)
+
+func (tf *GeneralManager) LoadDNSFwd(ip string, dnsPort int) error {
+	log.Debugf("load ebpf DNS forwarder: address: %s:%d", ip, dnsPort)
+	tf.lock.Lock()
+	defer tf.lock.Unlock()
+
+	err := tf.loadXdp()
+	if err != nil {
+		return err
+	}
+
+	err = tf.bpfObjs.NbMapDnsIp.Put(mapKeyDNSIP, ip2int(ip))
+	if err != nil {
+		return err
+	}
+
+	err = tf.bpfObjs.NbMapDnsPort.Put(mapKeyDNSPort, uint16(dnsPort))
+	if err != nil {
+		return err
+	}
+
+	tf.setFeatureFlag(featureFlagDnsForwarder)
+	err = tf.bpfObjs.NbFeatures.Put(mapKeyFeatures, tf.featureFlags)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (tf *GeneralManager) FreeDNSFwd() error {
+	log.Debugf("free ebpf DNS forwarder")
+	return tf.unsetFeatureFlag(featureFlagDnsForwarder)
+}
+
+func ip2int(ipString string) uint32 {
+	ip := net.ParseIP(ipString)
+	return binary.BigEndian.Uint32(ip.To4())
+}

client/internal/ebpf/ebpf/manager_linux.go

@@ -0,0 +1,116 @@
+package ebpf
+
+import (
+	_ "embed"
+	"net"
+	"sync"
+
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/rlimit"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/ebpf/manager"
+)
+
+const (
+	mapKeyFeatures uint32 = 0
+
+	featureFlagWGProxy      = 0b00000001
+	featureFlagDnsForwarder = 0b00000010
+)
+
+var (
+	singleton     manager.Manager
+	singletonLock = &sync.Mutex{}
+)
+
+// required packages libbpf-dev, libc6-dev-i386-amd64-cross
+
+// GeneralManager is used to load multiple eBPF programs with a custom check (if then) done in prog.c
+// The manager simply adds a feature (byte) of each program to a map that is shared between the userspace and kernel.
+// When packet arrives, the C code checks for each feature (if it is set) and executes each enabled program (e.g., dns_fwd.c and wg_proxy.c).
+//
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang-14 bpf src/prog.c -- -I /usr/x86_64-linux-gnu/include
+type GeneralManager struct {
+	lock         sync.Mutex
+	link         link.Link
+	featureFlags uint16
+	bpfObjs      bpfObjects
+}
+
+// GetEbpfManagerInstance return a static eBpf Manager instance
+func GetEbpfManagerInstance() manager.Manager {
+	singletonLock.Lock()
+	defer singletonLock.Unlock()
+	if singleton != nil {
+		return singleton
+	}
+	singleton = &GeneralManager{}
+	return singleton
+}
+
+func (tf *GeneralManager) setFeatureFlag(feature uint16) {
+	tf.featureFlags = tf.featureFlags | feature
+}
+
+func (tf *GeneralManager) loadXdp() error {
+	if tf.link != nil {
+		return nil
+	}
+	// it required for Docker
+	err := rlimit.RemoveMemlock()
+	if err != nil {
+		return err
+	}
+
+	iFace, err := net.InterfaceByName("lo")
+	if err != nil {
+		return err
+	}
+
+	// load pre-compiled programs into the kernel.
+	err = loadBpfObjects(&tf.bpfObjs, nil)
+	if err != nil {
+		return err
+	}
+
+	tf.link, err = link.AttachXDP(link.XDPOptions{
+		Program:   tf.bpfObjs.NbXdpProg,
+		Interface: iFace.Index,
+	})
+
+	if err != nil {
+		_ = tf.bpfObjs.Close()
+		tf.link = nil
+		return err
+	}
+	return nil
+}
+
+func (tf *GeneralManager) unsetFeatureFlag(feature uint16) error {
+	tf.lock.Lock()
+	defer tf.lock.Unlock()
+	tf.featureFlags &^= feature
+
+	if tf.link == nil {
+		return nil
+	}
+
+	if tf.featureFlags == 0 {
+		return tf.close()
+	}
+
+	return tf.bpfObjs.NbFeatures.Put(mapKeyFeatures, tf.featureFlags)
+}
+
+func (tf *GeneralManager) close() error {
+	log.Debugf("detach ebpf program ")
+	err := tf.bpfObjs.Close()
+	if err != nil {
+		log.Warnf("failed to close eBpf objects: %s", err)
+	}
+
+	err = tf.link.Close()
+	tf.link = nil
+	return err
+}

client/internal/ebpf/ebpf/manager_linux_test.go

@@ -0,0 +1,40 @@
+package ebpf
+
+import (
+	"testing"
+)
+
+func TestManager_setFeatureFlag(t *testing.T) {
+	mgr := GeneralManager{}
+	mgr.setFeatureFlag(featureFlagWGProxy)
+	if mgr.featureFlags != 1 {
+		t.Errorf("invalid faeture state")
+	}
+
+	mgr.setFeatureFlag(featureFlagDnsForwarder)
+	if mgr.featureFlags != 3 {
+		t.Errorf("invalid faeture state")
+	}
+}
+
+func TestManager_unsetFeatureFlag(t *testing.T) {
+	mgr := GeneralManager{}
+	mgr.setFeatureFlag(featureFlagWGProxy)
+	mgr.setFeatureFlag(featureFlagDnsForwarder)
+
+	err := mgr.unsetFeatureFlag(featureFlagWGProxy)
+	if err != nil {
+		t.Errorf("unexpected error: %s", err)
+	}
+	if mgr.featureFlags != 2 {
+		t.Errorf("invalid faeture state, expected: %d, got: %d", 2, mgr.featureFlags)
+	}
+
+	err = mgr.unsetFeatureFlag(featureFlagDnsForwarder)
+	if err != nil {
+		t.Errorf("unexpected error: %s", err)
+	}
+	if mgr.featureFlags != 0 {
+		t.Errorf("invalid faeture state, expected: %d, got: %d", 0, mgr.featureFlags)
+	}
+}

client/internal/ebpf/ebpf/src/dns_fwd.c

@@ -0,0 +1,64 @@
+const __u32 map_key_dns_ip = 0;
+const __u32 map_key_dns_port = 1;
+
+struct bpf_map_def SEC("maps") nb_map_dns_ip = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u32),
+	.max_entries = 10,
+};
+
+struct bpf_map_def SEC("maps") nb_map_dns_port = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u16),
+	.max_entries = 10,
+};
+
+__be32 dns_ip = 0;
+__be16 dns_port = 0;
+
+// 13568 is 53 in big endian
+__be16 GENERAL_DNS_PORT = 13568;
+
+bool read_settings() {
+    __u16 *port_value;
+    __u32 *ip_value;
+
+    // read dns ip
+    ip_value = bpf_map_lookup_elem(&nb_map_dns_ip, &map_key_dns_ip);
+    if(!ip_value) {
+        return false;
+    }
+    dns_ip = htonl(*ip_value);
+
+    // read dns port
+    port_value = bpf_map_lookup_elem(&nb_map_dns_port, &map_key_dns_port);
+    if (!port_value) {
+        return false;
+    }
+    dns_port = htons(*port_value);
+    return true;
+}
+
+int xdp_dns_fwd(struct iphdr  *ip, struct udphdr *udp) {
+    if (dns_port == 0) {
+        if(!read_settings()){
+            return XDP_PASS;
+        }
+        bpf_printk("dns port: %d", ntohs(dns_port));
+        bpf_printk("dns ip: %d", ntohl(dns_ip));
+    }
+
+    if (udp->dest == GENERAL_DNS_PORT && ip->daddr == dns_ip) {
+        udp->dest = dns_port;
+        return XDP_PASS;
+    }
+
+    if (udp->source == dns_port && ip->saddr == dns_ip) {
+        udp->source = GENERAL_DNS_PORT;
+        return XDP_PASS;
+    }
+
+    return XDP_PASS;
+}

client/internal/ebpf/ebpf/src/prog.c

@@ -0,0 +1,66 @@
+#include <stdbool.h>
+#include <linux/if_ether.h> // ETH_P_IP
+#include <linux/udp.h>
+#include <linux/ip.h>
+#include <netinet/in.h>
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include "dns_fwd.c"
+#include "wg_proxy.c"
+
+#define bpf_printk(fmt, ...)                                                   \
+  ({                                                                           \
+    char ____fmt[] = fmt;                                                      \
+    bpf_trace_printk(____fmt, sizeof(____fmt), ##__VA_ARGS__);                 \
+  })
+
+const __u16 flag_feature_wg_proxy = 0b01;
+const __u16 flag_feature_dns_fwd = 0b10;
+
+const __u32 map_key_features = 0;
+struct bpf_map_def SEC("maps") nb_features = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u16),
+	.max_entries = 10,
+};
+
+SEC("xdp")
+int nb_xdp_prog(struct xdp_md *ctx) {
+    __u16 *features;
+    features = bpf_map_lookup_elem(&nb_features, &map_key_features);
+    if (!features) {
+        return XDP_PASS;
+    }
+
+    void *data     = (void *)(long)ctx->data;
+    void *data_end = (void *)(long)ctx->data_end;
+    struct ethhdr *eth = data;
+    struct iphdr  *ip  = (data + sizeof(struct ethhdr));
+    struct udphdr *udp = (data + sizeof(struct ethhdr) + sizeof(struct iphdr));
+
+    // return early if not enough data
+    if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) > data_end){
+        return XDP_PASS;
+    }
+
+    // skip non IPv4 packages
+    if (eth->h_proto != htons(ETH_P_IP)) {
+       return XDP_PASS;
+    }
+
+    // skip non UPD packages
+    if (ip->protocol != IPPROTO_UDP) {
+       return XDP_PASS;
+    }
+
+    if (*features & flag_feature_dns_fwd) {
+        xdp_dns_fwd(ip, udp);
+    }
+
+    if (*features & flag_feature_wg_proxy) {
+        xdp_wg_proxy(ip, udp);
+    }
+    return XDP_PASS;
+}
+char _license[] SEC("license") = "GPL";

client/internal/ebpf/ebpf/src/wg_proxy.c

@@ -0,0 +1,54 @@
+const __u32 map_key_proxy_port = 0;
+const __u32 map_key_wg_port = 1;
+
+struct bpf_map_def SEC("maps") nb_wg_proxy_settings_map = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u16),
+	.max_entries = 10,
+};
+
+__u16 proxy_port = 0;
+__u16 wg_port = 0;
+
+bool read_port_settings() {
+    __u16 *value;
+    value = bpf_map_lookup_elem(&nb_wg_proxy_settings_map, &map_key_proxy_port);
+    if (!value) {
+        return false;
+    }
+
+    proxy_port = *value;
+
+    value = bpf_map_lookup_elem(&nb_wg_proxy_settings_map, &map_key_wg_port);
+    if (!value) {
+        return false;
+    }
+    wg_port = htons(*value);
+
+    return true;
+}
+
+int xdp_wg_proxy(struct iphdr  *ip, struct udphdr *udp) {
+    if (proxy_port == 0 || wg_port == 0) {
+        if (!read_port_settings()){
+            return XDP_PASS;
+        }
+        bpf_printk("proxy port: %d, wg port: %d", proxy_port, wg_port);
+    }
+
+    // 2130706433 = 127.0.0.1
+    if (ip->daddr != htonl(2130706433)) {
+        return XDP_PASS;
+    }
+
+    if (udp->source != wg_port){
+        return XDP_PASS;
+    }
+
+    __be16 new_src_port = udp->dest;
+    __be16 new_dst_port = htons(proxy_port);
+    udp->dest = new_dst_port;
+    udp->source = new_src_port;
+	return XDP_PASS;
+}

client/internal/ebpf/ebpf/wg_proxy_linux.go

@@ -0,0 +1,41 @@
+package ebpf
+
+import log "github.com/sirupsen/logrus"
+
+const (
+	mapKeyProxyPort uint32 = 0
+	mapKeyWgPort    uint32 = 1
+)
+
+func (tf *GeneralManager) LoadWgProxy(proxyPort, wgPort int) error {
+	log.Debugf("load ebpf WG proxy")
+	tf.lock.Lock()
+	defer tf.lock.Unlock()
+
+	err := tf.loadXdp()
+	if err != nil {
+		return err
+	}
+
+	err = tf.bpfObjs.NbWgProxySettingsMap.Put(mapKeyProxyPort, uint16(proxyPort))
+	if err != nil {
+		return err
+	}
+
+	err = tf.bpfObjs.NbWgProxySettingsMap.Put(mapKeyWgPort, uint16(wgPort))
+	if err != nil {
+		return err
+	}
+
+	tf.setFeatureFlag(featureFlagWGProxy)
+	err = tf.bpfObjs.NbFeatures.Put(mapKeyFeatures, tf.featureFlags)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func (tf *GeneralManager) FreeWGProxy() error {
+	log.Debugf("free ebpf WG proxy")
+	return tf.unsetFeatureFlag(featureFlagWGProxy)
+}

client/internal/ebpf/instantiater_linux.go

@@ -0,0 +1,15 @@
+//go:build !android
+
+package ebpf
+
+import (
+	"github.com/netbirdio/netbird/client/internal/ebpf/ebpf"
+	"github.com/netbirdio/netbird/client/internal/ebpf/manager"
+)
+
+// GetEbpfManagerInstance is a wrapper function. This encapsulation is required because if the code import the internal
+// ebpf package the Go compiler will include the object files. But it is not supported on Android. It can cause instant
+// panic on older Android version.
+func GetEbpfManagerInstance() manager.Manager {
+	return ebpf.GetEbpfManagerInstance()
+}

client/internal/ebpf/instantiater_nonlinux.go

@@ -0,0 +1,10 @@
+//go:build !linux || android
+
+package ebpf
+
+import "github.com/netbirdio/netbird/client/internal/ebpf/manager"
+
+// GetEbpfManagerInstance return error because ebpf is not supported on all os
+func GetEbpfManagerInstance() manager.Manager {
+	panic("unsupported os")
+}

client/internal/ebpf/manager/manager.go

@@ -0,0 +1,9 @@
+package manager
+
+// Manager is used to load multiple eBPF programs. E.g., current DNS programs and WireGuard proxy
+type Manager interface {
+	LoadDNSFwd(ip string, dnsPort int) error
+	FreeDNSFwd() error
+	LoadWgProxy(proxyPort, wgPort int) error
+	FreeWGProxy() error
+}

client/internal/engine.go

@@ -992,14 +992,12 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 			log.Warnf("invalid external IP, %s, ignoring external IP mapping '%s'", external, mapping)
 			break
 		}
-		if externalIP != nil {
+		mappedIP := externalIP.String()
-			mappedIP := externalIP.String()
+		if internalIP != nil {
-			if internalIP != nil {
+			mappedIP = mappedIP + "/" + internalIP.String()
-				mappedIP = mappedIP + "/" + internalIP.String()
-			}
-			mappedIPs = append(mappedIPs, mappedIP)
-			log.Infof("parsed external IP mapping of '%s' as '%s'", mapping, mappedIP)
 		}
+		mappedIPs = append(mappedIPs, mappedIP)
+		log.Infof("parsed external IP mapping of '%s' as '%s'", mapping, mappedIP)
 	}
 	if len(mappedIPs) != len(e.config.NATExternalIPs) {
 		log.Warnf("one or more external IP mappings failed to parse, ignoring all mappings")

client/internal/engine_test.go

@@ -1046,15 +1046,15 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 	peersUpdateManager := server.NewPeersUpdateManager()
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
-		return nil, "", nil
+		return nil, "", err
 	}
 	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore)
+		eventStore, false)
 	if err != nil {
 		return nil, "", err
 	}
 	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager, nil)
+	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/peer/notifier.go

@@ -17,6 +17,7 @@ type notifier struct {
 	listener           Listener
 	currentClientState bool
 	lastNotification   int
+	lastNumberOfPeers  int
 }
 
 func newNotifier() *notifier {
@@ -29,6 +30,7 @@ func (n *notifier) setListener(listener Listener) {
 
 	n.serverStateLock.Lock()
 	n.notifyListener(listener, n.lastNotification)
+	listener.OnPeersListChanged(n.lastNumberOfPeers)
 	n.serverStateLock.Unlock()
 
 	n.listener = listener
@@ -59,7 +61,7 @@ func (n *notifier) clientStart() {
 	n.serverStateLock.Lock()
 	defer n.serverStateLock.Unlock()
 	n.currentClientState = true
-	n.lastNotification = stateConnected
+	n.lastNotification = stateConnecting
 	n.notify(n.lastNotification)
 }
 
@@ -112,7 +114,7 @@ func (n *notifier) calculateState(managementConn, signalConn bool) int {
 		return stateConnected
 	}
 
-	if !managementConn && !signalConn {
+	if !managementConn && !signalConn && !n.currentClientState {
 		return stateDisconnected
 	}
 
@@ -124,6 +126,7 @@ func (n *notifier) calculateState(managementConn, signalConn bool) int {
 }
 
 func (n *notifier) peerListChanged(numOfPeers int) {
+	n.lastNumberOfPeers = numOfPeers
 	n.listenersLock.Lock()
 	defer n.listenersLock.Unlock()
 	if n.listener == nil {

client/internal/peer/status.go

@@ -353,9 +353,13 @@ func (d *Status) onConnectionChanged() {
 }
 
 func (d *Status) notifyPeerListChanged() {
-	d.notifier.peerListChanged(len(d.peers) + len(d.offlinePeers))
+	d.notifier.peerListChanged(d.numOfPeers())
 }
 
 func (d *Status) notifyAddressChanged() {
 	d.notifier.localAddressChanged(d.localPeer.FQDN, d.localPeer.IP)
 }
+
+func (d *Status) numOfPeers() int {
+	return len(d.peers) + len(d.offlinePeers)
+}

client/internal/routemanager/client.go

@@ -155,7 +155,10 @@ func (c *clientNetwork) startPeersStatusChangeWatcher() {
 
 func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
 	state, err := c.statusRecorder.GetPeer(peerKey)
-	if err != nil || state.ConnStatus != peer.StatusConnected {
+	if err != nil {
+		return err
+	}
+	if state.ConnStatus != peer.StatusConnected {
 		return nil
 	}
 

client/internal/routemanager/firewall_linux.go

@@ -7,6 +7,8 @@ import (
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/checkfw"
 )
 
 const (
@@ -26,15 +28,20 @@ func genKey(format string, input string) string {
 	return fmt.Sprintf(format, input)
 }
 
-// NewFirewall if supported, returns an iptables manager, otherwise returns a nftables manager
+// newFirewall if supported, returns an iptables manager, otherwise returns a nftables manager
-func NewFirewall(parentCTX context.Context) firewallManager {
+func newFirewall(parentCTX context.Context) (firewallManager, error) {
-	manager, err := newNFTablesManager(parentCTX)
+	checkResult := checkfw.Check()
-	if err == nil {
+	switch checkResult {
-		log.Debugf("nftables firewall manager will be used")
+	case checkfw.IPTABLES, checkfw.IPTABLESWITHV6:
-		return manager
+		log.Debug("creating an iptables firewall manager for route rules")
+		ipv6Supported := checkResult == checkfw.IPTABLESWITHV6
+		return newIptablesManager(parentCTX, ipv6Supported)
+	case checkfw.NFTABLES:
+		log.Info("creating an nftables firewall manager for route rules")
+		return newNFTablesManager(parentCTX), nil
 	}
-	log.Debugf("fallback to iptables firewall manager: %s", err)
+
-	return newIptablesManager(parentCTX)
+	return nil, fmt.Errorf("couldn't initialize nftables or iptables clients. Using a dummy firewall manager for route rules")
 }
 
 func getInPair(pair routerPair) routerPair {

client/internal/routemanager/firewall_nonlinux.go

@@ -3,24 +3,13 @@
 
 package routemanager
 
-import "context"
+import (
+	"context"
+	"fmt"
+	"runtime"
+)
 
-type unimplementedFirewall struct{}
+// newFirewall returns a nil manager
-
+func newFirewall(context.Context) (firewallManager, error) {
-func (unimplementedFirewall) RestoreOrCreateContainers() error {
+	return nil, fmt.Errorf("firewall not supported on %s", runtime.GOOS)
-	return nil
-}
-func (unimplementedFirewall) InsertRoutingRules(pair routerPair) error {
-	return nil
-}
-func (unimplementedFirewall) RemoveRoutingRules(pair routerPair) error {
-	return nil
-}
-
-func (unimplementedFirewall) CleanRoutingRules() {
-}
-
-// NewFirewall returns an unimplemented Firewall manager
-func NewFirewall(parentCtx context.Context) firewallManager {
-	return unimplementedFirewall{}
 }

client/internal/routemanager/iptables_linux.go

@@ -49,26 +49,28 @@ type iptablesManager struct {
 	mux        sync.Mutex
 }
 
-func newIptablesManager(parentCtx context.Context) *iptablesManager {
+func newIptablesManager(parentCtx context.Context, ipv6Supported bool) (*iptablesManager, error) {
-	ctx, cancel := context.WithCancel(parentCtx)
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err != nil {
-	if !isIptablesClientAvailable(ipv4Client) {
+		return nil, fmt.Errorf("failed to initialize iptables for ipv4: %s", err)
-		log.Infof("iptables is missing for ipv4")
-		ipv4Client = nil
-	}
-	ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	if !isIptablesClientAvailable(ipv6Client) {
-		log.Infof("iptables is missing for ipv6")
-		ipv6Client = nil
 	}
 
-	return &iptablesManager{
+	ctx, cancel := context.WithCancel(parentCtx)
+	manager := &iptablesManager{
 		ctx:        ctx,
 		stop:       cancel,
 		ipv4Client: ipv4Client,
-		ipv6Client: ipv6Client,
 		rules:      make(map[string]map[string][]string),
 	}
+
+	if ipv6Supported {
+		manager.ipv6Client, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
+		if err != nil {
+			log.Warnf("failed to initialize iptables for ipv6: %s. Routes for this protocol won't be applied.", err)
+		}
+	}
+
+	return manager, nil
 }
 
 // CleanRoutingRules cleans existing iptables resources that we created by the agent
@@ -391,6 +393,10 @@ func (i *iptablesManager) insertRoutingRule(keyFormat, table, chain, jump string
 		ipVersion = ipv6
 	}
 
+	if iptablesClient == nil {
+		return fmt.Errorf("unable to insert iptables routing rules. Iptables client is not initialized")
+	}
+
 	ruleKey := genKey(keyFormat, pair.ID)
 	rule := genRuleSpec(jump, ruleKey, pair.source, pair.destination)
 	existingRule, found := i.rules[ipVersion][ruleKey]
@@ -455,6 +461,10 @@ func (i *iptablesManager) removeRoutingRule(keyFormat, table, chain string, pair
 		ipVersion = ipv6
 	}
 
+	if iptablesClient == nil {
+		return fmt.Errorf("unable to remove iptables routing rules. Iptables client is not initialized")
+	}
+
 	ruleKey := genKey(keyFormat, pair.ID)
 	existingRule, found := i.rules[ipVersion][ruleKey]
 	if found {
@@ -475,8 +485,3 @@ func getIptablesRuleType(table string) string {
 	}
 	return ruleType
 }
-
-func isIptablesClientAvailable(client *iptables.IPTables) bool {
-	_, err := client.ListChains("filter")
-	return err == nil
-}

client/internal/routemanager/iptables_linux_test.go

@@ -16,11 +16,12 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		t.SkipNow()
 	}
 
-	manager := newIptablesManager(context.TODO())
+	manager, err := newIptablesManager(context.TODO(), true)
+	require.NoError(t, err, "should return a valid iptables manager")
 
 	defer manager.CleanRoutingRules()
 
-	err := manager.RestoreOrCreateContainers()
+	err = manager.RestoreOrCreateContainers()
 	require.NoError(t, err, "shouldn't return error")
 
 	require.Len(t, manager.rules, 2, "should have created maps for ipv4 and ipv6")

client/internal/routemanager/manager.go

@@ -27,7 +27,7 @@ type DefaultManager struct {
 	stop           context.CancelFunc
 	mux            sync.Mutex
 	clientNetworks map[string]*clientNetwork
-	serverRouter   *serverRouter
+	serverRouter   serverRouter
 	statusRecorder *peer.Status
 	wgInterface    *iface.WGIface
 	pubKey         string
@@ -36,13 +36,17 @@ type DefaultManager struct {
 
 // NewManager returns a new route manager
 func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface, statusRecorder *peer.Status, initialRoutes []*route.Route) *DefaultManager {
-	mCTX, cancel := context.WithCancel(ctx)
+	srvRouter, err := newServerRouter(ctx, wgInterface)
+	if err != nil {
+		log.Errorf("server router is not supported: %s", err)
+	}
 
+	mCTX, cancel := context.WithCancel(ctx)
 	dm := &DefaultManager{
 		ctx:            mCTX,
 		stop:           cancel,
 		clientNetworks: make(map[string]*clientNetwork),
-		serverRouter:   newServerRouter(ctx, wgInterface),
+		serverRouter:   srvRouter,
 		statusRecorder: statusRecorder,
 		wgInterface:    wgInterface,
 		pubKey:         pubKey,
@@ -59,7 +63,9 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop() {
 	m.stop()
-	m.serverRouter.cleanUp()
+	if m.serverRouter != nil {
+		m.serverRouter.cleanUp()
+	}
 	m.ctx = nil
 }
 
@@ -77,9 +83,12 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 
 		m.updateClientNetworks(updateSerial, newClientRoutesIDMap)
 		m.notifier.onNewRoutes(newClientRoutesIDMap)
-		err := m.serverRouter.updateRoutes(newServerRoutesMap)
+
-		if err != nil {
+		if m.serverRouter != nil {
-			return err
+			err := m.serverRouter.updateRoutes(newServerRoutesMap)
+			if err != nil {
+				return err
+			}
 		}
 
 		return nil

client/internal/routemanager/manager_test.go

@@ -3,11 +3,12 @@ package routemanager
 import (
 	"context"
 	"fmt"
-	"github.com/pion/transport/v2/stdnet"
 	"net/netip"
 	"runtime"
 	"testing"
 
+	"github.com/pion/transport/v2/stdnet"
+
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/internal/peer"
@@ -30,7 +31,7 @@ func TestManagerUpdateRoutes(t *testing.T) {
 		inputInitRoutes               []*route.Route
 		inputRoutes                   []*route.Route
 		inputSerial                   uint64
-		shouldCheckServerRoutes       bool
+		removeSrvRouter               bool
 		serverRoutesExpected          int
 		clientNetworkWatchersExpected int
 	}{
@@ -87,7 +88,6 @@ func TestManagerUpdateRoutes(t *testing.T) {
 				},
 			},
 			inputSerial:                   1,
-			shouldCheckServerRoutes:       runtime.GOOS == "linux",
 			serverRoutesExpected:          2,
 			clientNetworkWatchersExpected: 0,
 		},
@@ -116,10 +116,38 @@ func TestManagerUpdateRoutes(t *testing.T) {
 				},
 			},
 			inputSerial:                   1,
-			shouldCheckServerRoutes:       runtime.GOOS == "linux",
 			serverRoutesExpected:          1,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "Should Create 1 Route For Client and Skip Server Route On Empty Server Router",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("100.64.30.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.9.9/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			removeSrvRouter:               true,
+			serverRoutesExpected:          0,
+			clientNetworkWatchersExpected: 1,
+		},
 		{
 			name: "Should Create 1 HA Route and 1 Standalone",
 			inputRoutes: []*route.Route{
@@ -174,25 +202,6 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			inputSerial:                   1,
 			clientNetworkWatchersExpected: 0,
 		},
-		{
-			name: "No Server Routes Should Be Added To Non Linux",
-			inputRoutes: []*route.Route{
-				{
-					ID:          "a",
-					NetID:       "routeA",
-					Peer:        localPeerKey,
-					Network:     netip.MustParsePrefix("1.2.3.4/32"),
-					NetworkType: route.IPv4Network,
-					Metric:      9999,
-					Masquerade:  false,
-					Enabled:     true,
-				},
-			},
-			inputSerial:                   1,
-			shouldCheckServerRoutes:       runtime.GOOS != "linux",
-			serverRoutesExpected:          0,
-			clientNetworkWatchersExpected: 0,
-		},
 		{
 			name: "Remove 1 Client Route",
 			inputInitRoutes: []*route.Route{
@@ -335,7 +344,6 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			},
 			inputRoutes:                   []*route.Route{},
 			inputSerial:                   1,
-			shouldCheckServerRoutes:       true,
 			serverRoutesExpected:          0,
 			clientNetworkWatchersExpected: 0,
 		},
@@ -384,7 +392,6 @@ func TestManagerUpdateRoutes(t *testing.T) {
 				},
 			},
 			inputSerial:                   1,
-			shouldCheckServerRoutes:       runtime.GOOS == "linux",
 			serverRoutesExpected:          2,
 			clientNetworkWatchersExpected: 1,
 		},
@@ -409,6 +416,10 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)
 			defer routeManager.Stop()
 
+			if testCase.removeSrvRouter {
+				routeManager.serverRouter = nil
+			}
+
 			if len(testCase.inputInitRoutes) > 0 {
 				err = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes)
 				require.NoError(t, err, "should update routes with init routes")
@@ -419,8 +430,9 @@ func TestManagerUpdateRoutes(t *testing.T) {
 
 			require.Len(t, routeManager.clientNetworks, testCase.clientNetworkWatchersExpected, "client networks size should match")
 
-			if testCase.shouldCheckServerRoutes {
+			if runtime.GOOS == "linux" && routeManager.serverRouter != nil {
-				require.Len(t, routeManager.serverRouter.routes, testCase.serverRoutesExpected, "server networks size should match")
+				sr := routeManager.serverRouter.(*defaultServerRouter)
+				require.Len(t, sr.routes, testCase.serverRoutesExpected, "server networks size should match")
 			}
 		})
 	}

client/internal/routemanager/nftables_linux.go

@@ -86,10 +86,10 @@ type nftablesManager struct {
 	mux                 sync.Mutex
 }
 
-func newNFTablesManager(parentCtx context.Context) (*nftablesManager, error) {
+func newNFTablesManager(parentCtx context.Context) *nftablesManager {
 	ctx, cancel := context.WithCancel(parentCtx)
 
-	mgr := &nftablesManager{
+	return &nftablesManager{
 		ctx:                 ctx,
 		stop:                cancel,
 		conn:                &nftables.Conn{},
@@ -97,18 +97,6 @@ func newNFTablesManager(parentCtx context.Context) (*nftablesManager, error) {
 		rules:               make(map[string]*nftables.Rule),
 		defaultForwardRules: make([]*nftables.Rule, 2),
 	}
-
-	err := mgr.isSupported()
-	if err != nil {
-		return nil, err
-	}
-
-	err = mgr.readFilterTable()
-	if err != nil {
-		return nil, err
-	}
-
-	return mgr, nil
 }
 
 // CleanRoutingRules cleans existing nftables rules from the system
@@ -147,6 +135,10 @@ func (n *nftablesManager) RestoreOrCreateContainers() error {
 	}
 
 	for _, table := range tables {
+		if table.Name == "filter" {
+			n.filterTable = table
+			continue
+		}
 		if table.Name == nftablesTable {
 			if table.Family == nftables.TableFamilyIPv4 {
 				n.tableIPv4 = table
@@ -259,21 +251,6 @@ func (n *nftablesManager) refreshRulesMap() error {
 	return nil
 }
 
-func (n *nftablesManager) readFilterTable() error {
-	tables, err := n.conn.ListTables()
-	if err != nil {
-		return err
-	}
-
-	for _, t := range tables {
-		if t.Name == "filter" {
-			n.filterTable = t
-			return nil
-		}
-	}
-	return nil
-}
-
 func (n *nftablesManager) eraseDefaultForwardRule() error {
 	if n.defaultForwardRules[0] == nil {
 		return nil
@@ -544,14 +521,6 @@ func (n *nftablesManager) removeRoutingRule(format string, pair routerPair) erro
 	return nil
 }
 
-func (n *nftablesManager) isSupported() error {
-	_, err := n.conn.ListChains()
-	if err != nil {
-		return fmt.Errorf("nftables is not supported: %s", err)
-	}
-	return nil
-}
-
 // getPayloadDirectives get expression directives based on ip version and direction
 func getPayloadDirectives(direction string, isIPv4 bool, isIPv6 bool) (uint32, uint32, []byte) {
 	switch {

client/internal/routemanager/nftables_linux_test.go

@@ -10,20 +10,23 @@ import (
 	"github.com/google/nftables/expr"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/checkfw"
 )
 
 func TestNftablesManager_RestoreOrCreateContainers(t *testing.T) {
 
-	manager, err := newNFTablesManager(context.TODO())
+	if checkfw.Check() != checkfw.NFTABLES {
-	if err != nil {
+		t.Skip("nftables not supported on this OS")
-		t.Fatalf("failed to create nftables manager: %s", err)
 	}
 
+	manager := newNFTablesManager(context.TODO())
+
 	nftablesTestingClient := &nftables.Conn{}
 
 	defer manager.CleanRoutingRules()
 
-	err = manager.RestoreOrCreateContainers()
+	err := manager.RestoreOrCreateContainers()
 	require.NoError(t, err, "shouldn't return error")
 
 	require.Len(t, manager.chains, 2, "should have created chains for ipv4 and ipv6")
@@ -126,19 +129,19 @@ func TestNftablesManager_RestoreOrCreateContainers(t *testing.T) {
 }
 
 func TestNftablesManager_InsertRoutingRules(t *testing.T) {
+	if checkfw.Check() != checkfw.NFTABLES {
+		t.Skip("nftables not supported on this OS")
+	}
 
 	for _, testCase := range insertRuleTestCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			manager, err := newNFTablesManager(context.TODO())
+			manager := newNFTablesManager(context.TODO())
-			if err != nil {
-				t.Fatalf("failed to create nftables manager: %s", err)
-			}
 
 			nftablesTestingClient := &nftables.Conn{}
 
 			defer manager.CleanRoutingRules()
 
-			err = manager.RestoreOrCreateContainers()
+			err := manager.RestoreOrCreateContainers()
 			require.NoError(t, err, "shouldn't return error")
 
 			err = manager.InsertRoutingRules(testCase.inputPair)
@@ -226,19 +229,19 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 }
 
 func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
+	if checkfw.Check() != checkfw.NFTABLES {
+		t.Skip("nftables not supported on this OS")
+	}
 
 	for _, testCase := range removeRuleTestCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			manager, err := newNFTablesManager(context.TODO())
+			manager := newNFTablesManager(context.TODO())
-			if err != nil {
-				t.Fatalf("failed to create nftables manager: %s", err)
-			}
 
 			nftablesTestingClient := &nftables.Conn{}
 
 			defer manager.CleanRoutingRules()
 
-			err = manager.RestoreOrCreateContainers()
+			err := manager.RestoreOrCreateContainers()
 			require.NoError(t, err, "shouldn't return error")
 
 			table := manager.tableIPv4

client/internal/routemanager/server.go

@@ -0,0 +1,9 @@
+package routemanager
+
+import "github.com/netbirdio/netbird/route"
+
+type serverRouter interface {
+	updateRoutes(map[string]*route.Route) error
+	removeFromServerNetwork(*route.Route) error
+	cleanUp()
+}

client/internal/routemanager/server_android.go

@@ -2,20 +2,11 @@ package routemanager
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/route"
 )
 
-type serverRouter struct {
+func newServerRouter(context.Context, *iface.WGIface) (serverRouter, error) {
+	return nil, fmt.Errorf("server route not supported on this os")
 }
-
-func newServerRouter(ctx context.Context, wgInterface *iface.WGIface) *serverRouter {
-	return &serverRouter{}
-}
-
-func (r *serverRouter) updateRoutes(routesMap map[string]*route.Route) error {
-	return nil
-}
-
-func (r *serverRouter) cleanUp() {}

client/internal/routemanager/server_nonandroid.go

@@ -13,7 +13,7 @@ import (
 	"github.com/netbirdio/netbird/route"
 )
 
-type serverRouter struct {
+type defaultServerRouter struct {
 	mux         sync.Mutex
 	ctx         context.Context
 	routes      map[string]*route.Route
@@ -21,16 +21,21 @@ type serverRouter struct {
 	wgInterface *iface.WGIface
 }
 
-func newServerRouter(ctx context.Context, wgInterface *iface.WGIface) *serverRouter {
+func newServerRouter(ctx context.Context, wgInterface *iface.WGIface) (serverRouter, error) {
-	return &serverRouter{
+	firewall, err := newFirewall(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &defaultServerRouter{
 		ctx:         ctx,
 		routes:      make(map[string]*route.Route),
-		firewall:    NewFirewall(ctx),
+		firewall:    firewall,
 		wgInterface: wgInterface,
-	}
+	}, nil
 }
 
-func (m *serverRouter) updateRoutes(routesMap map[string]*route.Route) error {
+func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) error {
 	serverRoutesToRemove := make([]string, 0)
 
 	if len(routesMap) > 0 {
@@ -81,7 +86,7 @@ func (m *serverRouter) updateRoutes(routesMap map[string]*route.Route) error {
 	return nil
 }
 
-func (m *serverRouter) removeFromServerNetwork(route *route.Route) error {
+func (m *defaultServerRouter) removeFromServerNetwork(route *route.Route) error {
 	select {
 	case <-m.ctx.Done():
 		log.Infof("not removing from server network because context is done")
@@ -98,7 +103,7 @@ func (m *serverRouter) removeFromServerNetwork(route *route.Route) error {
 	}
 }
 
-func (m *serverRouter) addToServerNetwork(route *route.Route) error {
+func (m *defaultServerRouter) addToServerNetwork(route *route.Route) error {
 	select {
 	case <-m.ctx.Done():
 		log.Infof("not adding to server network because context is done")
@@ -115,6 +120,6 @@ func (m *serverRouter) addToServerNetwork(route *route.Route) error {
 	}
 }
 
-func (m *serverRouter) cleanUp() {
+func (m *defaultServerRouter) cleanUp() {
 	m.firewall.CleanRoutingRules()
 }

client/internal/stdnet/filter.go

@@ -20,7 +20,7 @@ func InterfaceFilter(disallowList []string) func(string) bool {
 
 		for _, s := range disallowList {
 			if strings.HasPrefix(iFace, s) {
-				log.Debugf("ignoring interface %s - it is not allowed", iFace)
+				log.Tracef("ignoring interface %s - it is not allowed", iFace)
 				return false
 			}
 		}

client/internal/wgproxy/ebpf/loader.go

@@ -1,84 +0,0 @@
-//go:build linux && !android
-
-package ebpf
-
-import (
-	_ "embed"
-	"net"
-
-	"github.com/cilium/ebpf/link"
-	"github.com/cilium/ebpf/rlimit"
-)
-
-const (
-	mapKeyProxyPort uint32 = 0
-	mapKeyWgPort    uint32 = 1
-)
-
-//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang-14 bpf src/portreplace.c --
-
-// EBPF is a wrapper for eBPF program
-type EBPF struct {
-	link link.Link
-}
-
-// NewEBPF create new EBPF instance
-func NewEBPF() *EBPF {
-	return &EBPF{}
-}
-
-// Load load ebpf program
-func (l *EBPF) Load(proxyPort, wgPort int) error {
-	// it required for Docker
-	err := rlimit.RemoveMemlock()
-	if err != nil {
-		return err
-	}
-
-	ifce, err := net.InterfaceByName("lo")
-	if err != nil {
-		return err
-	}
-
-	// Load pre-compiled programs into the kernel.
-	objs := bpfObjects{}
-	err = loadBpfObjects(&objs, nil)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		_ = objs.Close()
-	}()
-
-	err = objs.XdpPortMap.Put(mapKeyProxyPort, uint16(proxyPort))
-	if err != nil {
-		return err
-	}
-
-	err = objs.XdpPortMap.Put(mapKeyWgPort, uint16(wgPort))
-	if err != nil {
-		return err
-	}
-
-	defer func() {
-		_ = objs.XdpPortMap.Close()
-	}()
-
-	l.link, err = link.AttachXDP(link.XDPOptions{
-		Program:   objs.XdpProgFunc,
-		Interface: ifce.Index,
-	})
-	if err != nil {
-		return err
-	}
-
-	return err
-}
-
-// Free free ebpf program
-func (l *EBPF) Free() error {
-	if l.link != nil {
-		return l.link.Close()
-	}
-	return nil
-}

client/internal/wgproxy/ebpf/loader_test.go

@@ -1,18 +0,0 @@
-//go:build linux
-
-package ebpf
-
-import (
-	"testing"
-)
-
-func Test_newEBPF(t *testing.T) {
-	ebpf := NewEBPF()
-	err := ebpf.Load(1234, 51892)
-	defer func() {
-		_ = ebpf.Free()
-	}()
-	if err != nil {
-		t.Errorf("%s", err)
-	}
-}

client/internal/wgproxy/ebpf/src/portreplace.c

@@ -1,90 +0,0 @@
-#include <stdbool.h>
-#include <linux/if_ether.h> // ETH_P_IP
-#include <linux/udp.h>
-#include <linux/ip.h>
-#include <netinet/in.h>
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-
-#define bpf_printk(fmt, ...)                                                   \
-  ({                                                                           \
-    char ____fmt[] = fmt;                                                      \
-    bpf_trace_printk(____fmt, sizeof(____fmt), ##__VA_ARGS__);                 \
-  })
-
-const __u32 map_key_proxy_port = 0;
-const __u32 map_key_wg_port = 1;
-
-struct bpf_map_def SEC("maps") xdp_port_map = {
-	.type = BPF_MAP_TYPE_ARRAY,
-	.key_size = sizeof(__u32),
-	.value_size = sizeof(__u16),
-	.max_entries = 10,
-};
-
-__u16 proxy_port = 0;
-__u16 wg_port = 0;
-
-bool read_port_settings() {
-    __u16 *value;
-    value = bpf_map_lookup_elem(&xdp_port_map, &map_key_proxy_port);
-    if(!value) {
-        return false;
-    }
-
-    proxy_port = *value;
-
-    value = bpf_map_lookup_elem(&xdp_port_map, &map_key_wg_port);
-    if(!value) {
-        return false;
-    }
-    wg_port = *value;
-
-    return true;
-}
-
-SEC("xdp")
-int xdp_prog_func(struct xdp_md *ctx) {
-    if(proxy_port == 0 || wg_port == 0) {
-        if(!read_port_settings()){
-            return XDP_PASS;
-        }
-        bpf_printk("proxy port: %d, wg port: %d", proxy_port, wg_port);
-    }
-
-	void *data     = (void *)(long)ctx->data;
-	void *data_end = (void *)(long)ctx->data_end;
-	struct ethhdr *eth = data;
-    struct iphdr  *ip   = (data + sizeof(struct ethhdr));
-    struct udphdr *udp = (data + sizeof(struct ethhdr) + sizeof(struct iphdr));
-
-    // return early if not enough data
-    if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) > data_end){
-        return XDP_PASS;
-    }
-
-    // skip non IPv4 packages
-    if (eth->h_proto != htons(ETH_P_IP)) {
-       return XDP_PASS;
-    }
-
-    if (ip->protocol != IPPROTO_UDP) {
-       return XDP_PASS;
-    }
-
-    // 2130706433 = 127.0.0.1
-    if (ip->daddr != htonl(2130706433)) {
-        return XDP_PASS;
-    }
-
-    if (udp->source != htons(wg_port)){
-        return XDP_PASS;
-    }
-
-    __be16 new_src_port = udp->dest;
-    __be16 new_dst_port = htons(proxy_port);
-    udp->dest = new_dst_port;
-    udp->source = new_src_port;
-	return XDP_PASS;
-}
-char _license[] SEC("license") = "GPL";

client/internal/wgproxy/factory.go

@@ -14,7 +14,7 @@ func (w *Factory) GetProxy() Proxy {
 
 func (w *Factory) Free() error {
 	if w.ebpfProxy != nil {
-		return w.ebpfProxy.CloseConn()
+		return w.ebpfProxy.Free()
 	}
 	return nil
 }

client/internal/wgproxy/factory_linux.go

@@ -12,7 +12,7 @@ func NewFactory(wgPort int) *Factory {
 	ebpfProxy := NewWGEBPFProxy(wgPort)
 	err := ebpfProxy.Listen()
 	if err != nil {
-		log.Errorf("failed to initialize ebpf proxy: %s", err)
+		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
 		return f
 	}
 

client/internal/wgproxy/proxy_ebpf.go

@@ -12,15 +12,15 @@ import (
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
-
 	log "github.com/sirupsen/logrus"
 
-	ebpf2 "github.com/netbirdio/netbird/client/internal/wgproxy/ebpf"
+	"github.com/netbirdio/netbird/client/internal/ebpf"
+	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
 )
 
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
-	ebpf              *ebpf2.EBPF
+	ebpfManager       ebpfMgr.Manager
 	lastUsedPort      uint16
 	localWGListenPort int
 
@@ -36,7 +36,7 @@ func NewWGEBPFProxy(wgPort int) *WGEBPFProxy {
 	log.Debugf("instantiate ebpf proxy")
 	wgProxy := &WGEBPFProxy{
 		localWGListenPort: wgPort,
-		ebpf:              ebpf2.NewEBPF(),
+		ebpfManager:       ebpf.GetEbpfManagerInstance(),
 		lastUsedPort:      0,
 		turnConnStore:     make(map[uint16]net.Conn),
 	}
@@ -56,7 +56,7 @@ func (p *WGEBPFProxy) Listen() error {
 		return err
 	}
 
-	err = p.ebpf.Load(wgPorxyPort, p.localWGListenPort)
+	err = p.ebpfManager.LoadWgProxy(wgPorxyPort, p.localWGListenPort)
 	if err != nil {
 		return err
 	}
@@ -69,7 +69,7 @@ func (p *WGEBPFProxy) Listen() error {
 	p.conn, err = net.ListenUDP("udp", &addr)
 	if err != nil {
 		cErr := p.Free()
-		if err != nil {
+		if cErr != nil {
 			log.Errorf("failed to close the wgproxy: %s", cErr)
 		}
 		return err
@@ -104,12 +104,13 @@ func (p *WGEBPFProxy) CloseConn() error {
 
 // Free resources
 func (p *WGEBPFProxy) Free() error {
+	log.Debugf("free up ebpf wg proxy")
 	var err1, err2, err3 error
 	if p.conn != nil {
 		err1 = p.conn.Close()
 	}
 
-	err2 = p.ebpf.Free()
+	err2 = p.ebpfManager.FreeWGProxy()
 	if p.rawConn != nil {
 		err3 = p.rawConn.Close()
 	}
@@ -134,6 +135,7 @@ func (p *WGEBPFProxy) proxyToLocal(endpointPort uint16, remoteConn net.Conn) {
 				log.Errorf("failed to read from turn conn (endpoint: :%d): %s", endpointPort, err)
 			}
 			p.removeTurnConn(endpointPort)
+			log.Infof("stop forward turn packages to port: %d. error: %s", endpointPort, err)
 			return
 		}
 		err = p.sendPkg(buf[:n], endpointPort)
@@ -153,9 +155,11 @@ func (p *WGEBPFProxy) proxyToRemote() {
 			return
 		}
 
+		p.turnConnMutex.Lock()
 		conn, ok := p.turnConnStore[uint16(addr.Port)]
+		p.turnConnMutex.Unlock()
 		if !ok {
-			log.Errorf("turn conn not found by port: %d", addr.Port)
+			log.Infof("turn conn not found by port: %d", addr.Port)
 			continue
 		}
 

client/internal/wgproxy/proxy_userspace.go

@@ -20,6 +20,7 @@ type WGUserSpaceProxy struct {
 
 // NewWGUserSpaceProxy instantiate a user space WireGuard proxy
 func NewWGUserSpaceProxy(wgPort int) *WGUserSpaceProxy {
+	log.Debugf("instantiate new userspace proxy")
 	p := &WGUserSpaceProxy{
 		localWGListenPort: wgPort,
 	}

client/netbird.wxs

@@ -0,0 +1,77 @@
+<Wix
+	xmlns="http://wixtoolset.org/schemas/v4/wxs">
+	<Package Name="NetBird" Version="$(env.NETBIRD_VERSION)" Manufacturer="Wiretrustee UG (haftungsbeschreankt)" Language="1033" UpgradeCode="6456ec4e-3ad6-4b9b-a2be-98e81cb21ccf"
+        InstallerVersion="500" Compressed="yes"  Codepage="utf-8" >
+
+		<MediaTemplate EmbedCab="yes" />
+
+		<Feature Id="NetbirdFeature" Title="Netbird" Level="1">
+			<ComponentGroupRef Id="NetbirdFilesComponent" />
+		</Feature>
+
+		<MajorUpgrade AllowSameVersionUpgrades='yes' DowngradeErrorMessage="A newer version of [ProductName] is already installed. Setup will now exit."/>
+
+		<StandardDirectory Id="ProgramFiles64Folder">
+			<Directory Id="NetbirdInstallDir" Name="Netbird">
+				<Component Id="NetbirdFiles" Guid="db3165de-cc6e-4922-8396-9d892950e23e" Bitness="always64">
+					<File ProcessorArchitecture="x64" Source=".\dist\netbird_windows_amd64\netbird.exe" KeyPath="yes" />
+					<File ProcessorArchitecture="x64" Source=".\dist\netbird_windows_amd64\netbird-ui.exe">
+						<Shortcut Id="NetbirdDesktopShortcut" Directory="DesktopFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
+						<Shortcut Id="NetbirdStartMenuShortcut" Directory="StartMenuFolder" Name="NetBird" WorkingDirectory="NetbirdInstallDir" Icon="NetbirdIcon" />
+					</File>
+					<File ProcessorArchitecture="x64" Source=".\dist\netbird_windows_amd64\wintun.dll" />
+
+					<ServiceInstall
+                                     Id="NetBirdService"
+                                     Name="NetBird"
+                                     DisplayName="NetBird"
+                                     Description="A WireGuard-based mesh network that connects your devices into a single private network."
+                                     Start="auto" Type="ownProcess"
+                                     ErrorControl="normal"
+                                     Account="LocalSystem"
+                                     Vital="yes"
+                                     Interactive="no"
+                                     Arguments='service run config [CommonAppDataFolder]Netbird\config.json log-level info'
+                        />
+					<ServiceControl Id="NetBirdService" Name="NetBird" Start="install" Stop="both" Remove="uninstall" Wait="yes" />
+
+					<Environment Id="UpdatePath" Name="PATH" Value="[NetbirdInstallDir]" Part="last" Action="set" System="yes" />
+
+				</Component>
+			</Directory>
+		</StandardDirectory>
+
+		<ComponentGroup Id="NetbirdFilesComponent">
+			<ComponentRef Id="NetbirdFiles" />
+		</ComponentGroup>
+
+		<Property Id="cmd" Value="cmd.exe"/>
+
+		<CustomAction Id="KillDaemon"
+                      ExeCommand='/c "taskkill /im netbird.exe"'
+                      Execute="deferred"
+                      Property="cmd"
+                      Impersonate="no"
+                      Return="ignore"
+            />
+
+		<CustomAction Id="KillUI"
+                      ExeCommand='/c "taskkill /im netbird-ui.exe"'
+                      Execute="deferred"
+                      Property="cmd"
+                      Impersonate="no"
+                      Return="ignore"
+            />
+
+		<InstallExecuteSequence>
+			<!-- For Uninstallation -->
+			<Custom Action="KillDaemon" Before="RemoveFiles" Condition="Installed"/>
+			<Custom Action="KillUI" After="KillDaemon" Condition="Installed"/>
+		</InstallExecuteSequence>
+
+		<!-- Icons -->
+		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\netbird.ico" />
+		<Property Id="ARPPRODUCTICON" Value="NetbirdIcon" />
+
+	</Package>
+</Wix>

client/server/server.go

@@ -3,10 +3,11 @@ package server
 import (
 	"context"
 	"fmt"
-	"github.com/netbirdio/netbird/client/internal/auth"
 	"sync"
 	"time"
 
+	"github.com/netbirdio/netbird/client/internal/auth"
+
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
@@ -315,7 +316,7 @@ func (s *Server) WaitSSOLogin(callerCtx context.Context, msg *proto.WaitSSOLogin
 	tokenInfo, err := s.oauthAuthFlow.flow.WaitToken(waitCTX, flowInfo)
 	if err != nil {
 		if err == context.Canceled {
-			return nil, nil
+			return nil, nil //nolint:nilnil
 		}
 		s.mutex.Lock()
 		s.oauthAuthFlow.expiresAt = time.Now()

dns/nameserver.go

@@ -130,16 +130,22 @@ func ParseNameServerURL(nsURL string) (NameServer, error) {
 
 // Copy copies a nameserver group object
 func (g *NameServerGroup) Copy() *NameServerGroup {
-	return &NameServerGroup{
+	nsGroup := &NameServerGroup{
 		ID:          g.ID,
 		Name:        g.Name,
 		Description: g.Description,
-		NameServers: g.NameServers,
+		NameServers: make([]NameServer, len(g.NameServers)),
-		Groups:      g.Groups,
+		Groups:      make([]string, len(g.Groups)),
 		Enabled:     g.Enabled,
 		Primary:     g.Primary,
-		Domains:     g.Domains,
+		Domains:     make([]string, len(g.Domains)),
 	}
+
+	copy(nsGroup.NameServers, g.NameServers)
+	copy(nsGroup.Groups, g.Groups)
+	copy(nsGroup.Domains, g.Domains)
+
+	return nsGroup
 }
 
 // IsEqual compares one nameserver group with the other

go.mod

@@ -31,7 +31,7 @@ require (
 	fyne.io/fyne/v2 v2.1.4
 	github.com/c-robinson/iplib v1.0.3
 	github.com/cilium/ebpf v0.10.0
-	github.com/coreos/go-iptables v0.6.0
+	github.com/coreos/go-iptables v0.7.0
 	github.com/creack/pty v1.1.18
 	github.com/eko/gocache/v3 v3.1.1
 	github.com/getlantern/systray v1.2.1

go.sum

@@ -131,8 +131,8 @@ github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcD
 github.com/coocood/freecache v1.2.1 h1:/v1CqMq45NFH9mp/Pt142reundeBM0dVUD3osQBeu/U=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
-github.com/coreos/go-iptables v0.6.0 h1:is9qnZMPYjLd8LYqmm/qlE+wwEgJIkTYdhV3rfZo4jk=
+github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
-github.com/coreos/go-iptables v0.6.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=

iface/iface.go

@@ -112,7 +112,7 @@ func (w *WGIface) Close() error {
 	return w.tun.Close()
 }
 
-// SetFilter sets packet filters for the userspace impelemntation
+// SetFilter sets packet filters for the userspace implementation
 func (w *WGIface) SetFilter(filter PacketFilter) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()

iface/module_linux.go

@@ -161,7 +161,7 @@ func getModulePath(name string) (string, error) {
 			}
 			if err != nil {
 				// skip broken files
-				return nil
+				return nil //nolint:nilerr
 			}
 
 			if !info.Type().IsRegular() {

iface/wg_configurer_nonandroid.go

@@ -146,9 +146,6 @@ func (c *wGConfigurer) removeAllowedIP(peerKey string, allowedIP string) error {
 		}
 	}
 
-	if err != nil {
-		return err
-	}
 	peer := wgtypes.PeerConfig{
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,

infrastructure_files/configure.sh

@@ -168,4 +168,4 @@ env | grep NETBIRD
 
 envsubst <docker-compose.yml.tmpl >docker-compose.yml
 envsubst <management.json.tmpl >management.json
-envsubst <turnserver.conf.tmpl >turnserver.conf
+envsubst <turnserver.conf.tmpl >turnserver.conf

infrastructure_files/docker-compose.yml.tmpl

@@ -36,7 +36,7 @@ services:
     volumes:
       - $SIGNAL_VOLUMENAME:/var/lib/netbird
     ports:
-      - 10000:80
+      - $NETBIRD_SIGNAL_PORT:80
   #      # port and command for Let's Encrypt validation
   #      - 443:443
   #    command: ["--letsencrypt-domain", "$NETBIRD_LETSENCRYPT_DOMAIN", "--log-file", "console"]

infrastructure_files/getting-started-with-zitadel.sh

@@ -0,0 +1,777 @@
+#!/bin/bash
+
+set -e
+
+handle_request_command_status() {
+  PARSED_RESPONSE=$1
+  FUNCTION_NAME=$2
+  RESPONSE=$3
+  if [[ $PARSED_RESPONSE -ne 0 ]]; then
+    echo "ERROR calling $FUNCTION_NAME:" $(echo "$RESPONSE" | jq -r '.message') > /dev/stderr
+    exit 1
+  fi
+}
+
+handle_zitadel_request_response() {
+  PARSED_RESPONSE=$1
+  FUNCTION_NAME=$2
+  RESPONSE=$3
+  if [[ $PARSED_RESPONSE == "null" ]]; then
+    echo "ERROR calling $FUNCTION_NAME:" $(echo "$RESPONSE" | jq -r '.message') > /dev/stderr
+    exit 1
+  fi
+  sleep 1
+}
+
+check_docker_compose() {
+  if command -v docker-compose &> /dev/null
+  then
+      echo "docker-compose"
+      return
+  fi
+  if docker compose --help &> /dev/null
+  then
+      echo "docker compose"
+      return
+  fi
+
+  echo "docker-compose is not installed or not in PATH. Please follow the steps from the official guide: https://docs.docker.com/engine/install/" > /dev/stderr
+  exit 1
+}
+
+check_jq() {
+  if ! command -v jq &> /dev/null
+  then
+    echo "jq is not installed or not in PATH, please install with your package manager. e.g. sudo apt install jq" > /dev/stderr
+    exit 1
+  fi
+}
+
+wait_crdb() {
+  set +e
+  while true; do
+    if $DOCKER_COMPOSE_COMMAND exec -T crdb curl -sf -o /dev/null 'http://localhost:8080/health?ready=1'; then
+      break
+    fi
+    echo -n " ."
+    sleep 5
+  done
+  echo " done"
+  set -e
+}
+
+init_crdb() {
+  echo -e "\nInitializing Zitadel's CockroachDB\n\n"
+  $DOCKER_COMPOSE_COMMAND up -d crdb
+  echo ""
+  # shellcheck disable=SC2028
+  echo -n "Waiting cockroachDB  to become ready "
+  wait_crdb
+  $DOCKER_COMPOSE_COMMAND exec -T crdb /bin/bash -c "cp /cockroach/certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown -R 1000:1000 /zitadel-certs/"
+  handle_request_command_status $? "init_crdb failed" ""
+}
+
+get_main_ip_address() {
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+    interface=$(route -n get default | grep 'interface:' | awk '{print $2}')
+    ip_address=$(ifconfig "$interface" | grep 'inet ' | awk '{print $2}')
+  else
+    interface=$(ip route | grep default | awk '{print $5}' | head -n 1)
+    ip_address=$(ip addr show "$interface" | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
+  fi
+
+  echo "$ip_address"
+}
+
+wait_pat() {
+  PAT_PATH=$1
+  set +e
+  while true; do
+    if [[ -f "$PAT_PATH" ]]; then
+      break
+    fi
+    echo -n " ."
+    sleep 1
+  done
+  echo " done"
+  set -e
+}
+
+wait_api() {
+    INSTANCE_URL=$1
+    PAT=$2
+    set +e
+    while true; do
+      curl -s --fail -o /dev/null "$INSTANCE_URL/auth/v1/users/me" -H "Authorization: Bearer $PAT"
+      if [[ $? -eq 0 ]]; then
+        break
+      fi
+      echo -n " ."
+      sleep 1
+    done
+    echo " done"
+    set -e
+}
+
+create_new_project() {
+  INSTANCE_URL=$1
+  PAT=$2
+  PROJECT_NAME="NETBIRD"
+
+  RESPONSE=$(
+    curl -sS -X POST "$INSTANCE_URL/management/v1/projects" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+      -d '{"name": "'"$PROJECT_NAME"'"}'
+  )
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.id')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "create_new_project" "$RESPONSE"
+  echo "$PARSED_RESPONSE"
+}
+
+create_new_application() {
+  INSTANCE_URL=$1
+  PAT=$2
+  APPLICATION_NAME=$3
+  BASE_REDIRECT_URL1=$4
+  BASE_REDIRECT_URL2=$5
+  LOGOUT_URL=$6
+  ZITADEL_DEV_MODE=$7
+
+  RESPONSE=$(
+    curl -sS -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+      -d '{
+    "name": "'"$APPLICATION_NAME"'",
+    "redirectUris": [
+      "'"$BASE_REDIRECT_URL1"'",
+      "'"$BASE_REDIRECT_URL2"'"
+    ],
+    "postLogoutRedirectUris": [
+       "'"$LOGOUT_URL"'"
+    ],
+    "RESPONSETypes": [
+      "OIDC_RESPONSE_TYPE_CODE"
+    ],
+    "grantTypes": [
+      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
+      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
+    ],
+    "appType": "OIDC_APP_TYPE_USER_AGENT",
+    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
+    "version": "OIDC_VERSION_1_0",
+    "devMode": '"$ZITADEL_DEV_MODE"',
+    "accessTokenType": "OIDC_TOKEN_TYPE_JWT",
+    "accessTokenRoleAssertion": true,
+    "skipNativeAppSuccessPage": true
+  }'
+  )
+
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.clientId')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "create_new_application" "$RESPONSE"
+  echo "$PARSED_RESPONSE"
+}
+
+create_service_user() {
+  INSTANCE_URL=$1
+  PAT=$2
+
+  RESPONSE=$(
+    curl -sS -X POST "$INSTANCE_URL/management/v1/users/machine" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+      -d '{
+            "userName": "netbird-service-account",
+            "name": "Netbird Service Account",
+            "description": "Netbird Service Account for IDP management",
+            "accessTokenType": "ACCESS_TOKEN_TYPE_JWT"
+      }'
+  )
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.userId')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "create_service_user" "$RESPONSE"
+  echo "$PARSED_RESPONSE"
+}
+
+create_service_user_secret() {
+  INSTANCE_URL=$1
+  PAT=$2
+  USER_ID=$3
+
+  RESPONSE=$(
+    curl -sS -X PUT "$INSTANCE_URL/management/v1/users/$USER_ID/secret" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+      -d '{}'
+  )
+  SERVICE_USER_CLIENT_ID=$(echo "$RESPONSE" | jq -r '.clientId')
+  handle_zitadel_request_response "$SERVICE_USER_CLIENT_ID" "create_service_user_secret_id" "$RESPONSE"
+  SERVICE_USER_CLIENT_SECRET=$(echo "$RESPONSE" | jq -r '.clientSecret')
+  handle_zitadel_request_response "$SERVICE_USER_CLIENT_SECRET" "create_service_user_secret" "$RESPONSE"
+}
+
+add_organization_user_manager() {
+  INSTANCE_URL=$1
+  PAT=$2
+  USER_ID=$3
+
+  RESPONSE=$(
+    curl -sS -X POST "$INSTANCE_URL/management/v1/orgs/me/members" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+      -d '{
+            "userId": "'"$USER_ID"'",
+            "roles": [
+              "ORG_USER_MANAGER"
+            ]
+      }'
+  )
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.creationDate')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "add_organization_user_manager" "$RESPONSE"
+  echo "$PARSED_RESPONSE"
+}
+
+create_admin_user() {
+    INSTANCE_URL=$1
+    PAT=$2
+    USERNAME=$3
+    PASSWORD=$4
+    RESPONSE=$(
+        curl -sS -X POST "$INSTANCE_URL/management/v1/users/human/_import" \
+          -H "Authorization: Bearer $PAT" \
+          -H "Content-Type: application/json" \
+          -d '{
+                "userName": "'"$USERNAME"'",
+                "profile": {
+                  "firstName": "Zitadel",
+                  "lastName": "Admin"
+                },
+                "email": {
+                  "email": "'"$USERNAME"'",
+                  "isEmailVerified": true
+                },
+                "password": "'"$PASSWORD"'",
+                "passwordChangeRequired": true
+          }'
+      )
+      PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.userId')
+      handle_zitadel_request_response "$PARSED_RESPONSE" "create_admin_user" "$RESPONSE"
+      echo "$PARSED_RESPONSE"
+}
+
+add_instance_admin() {
+  INSTANCE_URL=$1
+  PAT=$2
+  USER_ID=$3
+
+  RESPONSE=$(
+    curl -sS -X POST "$INSTANCE_URL/admin/v1/members" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+      -d '{
+            "userId": "'"$USER_ID"'",
+            "roles": [
+              "IAM_OWNER"
+            ]
+      }'
+  )
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.creationDate')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "add_instance_admin" "$RESPONSE"
+  echo "$PARSED_RESPONSE"
+}
+
+delete_auto_service_user() {
+  INSTANCE_URL=$1
+  PAT=$2
+
+  RESPONSE=$(
+    curl -sS -X GET "$INSTANCE_URL/auth/v1/users/me" \
+      -H "Authorization: Bearer $PAT" \
+      -H "Content-Type: application/json" \
+  )
+  USER_ID=$(echo "$RESPONSE" | jq -r '.user.id')
+  handle_zitadel_request_response "$USER_ID" "delete_auto_service_user_get_user" "$RESPONSE"
+
+  RESPONSE=$(
+      curl -sS -X DELETE "$INSTANCE_URL/admin/v1/members/$USER_ID" \
+        -H "Authorization: Bearer $PAT" \
+        -H "Content-Type: application/json" \
+  )
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.changeDate')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "delete_auto_service_user_remove_instance_permissions" "$RESPONSE"
+
+  RESPONSE=$(
+      curl -sS -X DELETE "$INSTANCE_URL/management/v1/orgs/me/members/$USER_ID" \
+        -H "Authorization: Bearer $PAT" \
+        -H "Content-Type: application/json" \
+  )
+  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.changeDate')
+  handle_zitadel_request_response "$PARSED_RESPONSE" "delete_auto_service_user_remove_org_permissions" "$RESPONSE"
+  echo "$PARSED_RESPONSE"
+}
+
+init_zitadel() {
+  echo -e "\nInitializing Zitadel with NetBird's applications\n"
+  INSTANCE_URL="$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT"
+
+  TOKEN_PATH=./machinekey/zitadel-admin-sa.token
+
+  echo -n "Waiting for Zitadel's PAT to be created "
+  wait_pat "$TOKEN_PATH"
+  echo "Reading Zitadel PAT"
+  PAT=$(cat $TOKEN_PATH)
+  if [ "$PAT" = "null" ]; then
+    echo "Failed requesting getting Zitadel PAT"
+    exit 1
+  fi
+
+  echo -n "Waiting for Zitadel to become ready "
+  wait_api "$INSTANCE_URL" "$PAT"
+
+  #  create the zitadel project
+  echo "Creating new zitadel project"
+  PROJECT_ID=$(create_new_project "$INSTANCE_URL" "$PAT")
+
+  ZITADEL_DEV_MODE=false
+  BASE_REDIRECT_URL=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN
+  if [[ $NETBIRD_HTTP_PROTOCOL == "http" ]]; then
+    ZITADEL_DEV_MODE=true
+  fi
+
+  # create zitadel spa applications
+  echo "Creating new Zitadel SPA Dashboard application"
+  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$BASE_REDIRECT_URL/" "$ZITADEL_DEV_MODE")
+
+  echo "Creating new Zitadel SPA Cli application"
+  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "http://localhost:53000/" "true")
+
+  MACHINE_USER_ID=$(create_service_user "$INSTANCE_URL" "$PAT")
+
+  SERVICE_USER_CLIENT_ID="null"
+  SERVICE_USER_CLIENT_SECRET="null"
+
+  create_service_user_secret "$INSTANCE_URL" "$PAT" "$MACHINE_USER_ID"
+
+  DATE=$(add_organization_user_manager "$INSTANCE_URL" "$PAT" "$MACHINE_USER_ID")
+
+  ZITADEL_ADMIN_USERNAME="admin@$NETBIRD_DOMAIN"
+  ZITADEL_ADMIN_PASSWORD="$(openssl rand -base64 32 | sed 's/=//g')@"
+
+  HUMAN_USER_ID=$(create_admin_user "$INSTANCE_URL" "$PAT" "$ZITADEL_ADMIN_USERNAME" "$ZITADEL_ADMIN_PASSWORD")
+
+  DATE="null"
+
+  DATE=$(add_instance_admin "$INSTANCE_URL" "$PAT" "$HUMAN_USER_ID")
+
+  DATE="null"
+  DATE=$(delete_auto_service_user "$INSTANCE_URL" "$PAT")
+  if [ "$DATE" = "null" ]; then
+      echo "Failed deleting auto service user"
+      echo "Please remove it manually"
+  fi
+
+  export NETBIRD_AUTH_CLIENT_ID=$DASHBOARD_APPLICATION_CLIENT_ID
+  export NETBIRD_AUTH_CLIENT_ID_CLI=$CLI_APPLICATION_CLIENT_ID
+  export NETBIRD_IDP_MGMT_CLIENT_ID=$SERVICE_USER_CLIENT_ID
+  export NETBIRD_IDP_MGMT_CLIENT_SECRET=$SERVICE_USER_CLIENT_SECRET
+  export ZITADEL_ADMIN_USERNAME
+  export ZITADEL_ADMIN_PASSWORD
+}
+
+check_nb_domain() {
+  DOMAIN=$1
+  if [ "$DOMAIN-x" == "-x" ]; then
+    echo "The NETBIRD_DOMAIN variable cannot be empty." > /dev/stderr
+    return 1
+  fi
+
+  if [ "$DOMAIN" == "netbird.example.com" ]; then
+    echo "The NETBIRD_DOMAIN cannot be netbird.example.com" > /dev/stderr
+    retrun 1
+  fi
+  return 0
+}
+
+read_nb_domain() {
+  READ_NETBIRD_DOMAIN=""
+  echo -n "Enter the domain you want to use for NetBird (e.g. netbird.my-domain.com): " > /dev/stderr
+  read -r READ_NETBIRD_DOMAIN < /dev/tty
+  if ! check_nb_domain "$READ_NETBIRD_DOMAIN"; then
+    read_nb_domain
+  fi
+  echo "$READ_NETBIRD_DOMAIN"
+}
+
+initEnvironment() {
+  CADDY_SECURE_DOMAIN=""
+  ZITADEL_EXTERNALSECURE="false"
+  ZITADEL_TLS_MODE="disabled"
+  ZITADEL_MASTERKEY="$(openssl rand -base64 32 | head -c 32)"
+  NETBIRD_PORT=80
+  NETBIRD_HTTP_PROTOCOL="http"
+  TURN_USER="self"
+  TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
+  TURN_MIN_PORT=49152
+  TURN_MAX_PORT=65535
+
+  if ! check_nb_domain "$NETBIRD_DOMAIN"; then
+    NETBIRD_DOMAIN=$(read_nb_domain)
+  fi
+
+  if [ "$NETBIRD_DOMAIN" == "use-ip" ]; then
+    NETBIRD_DOMAIN=$(get_main_ip_address)
+  else
+    ZITADEL_EXTERNALSECURE="true"
+    ZITADEL_TLS_MODE="external"
+    NETBIRD_PORT=443
+    CADDY_SECURE_DOMAIN=", $NETBIRD_DOMAIN:$NETBIRD_PORT"
+    NETBIRD_HTTP_PROTOCOL="https"
+  fi
+
+  if [[ "$OSTYPE" == "darwin"* ]]; then
+      ZIDATE_TOKEN_EXPIRATION_DATE=$(date -u -v+30M "+%Y-%m-%dT%H:%M:%SZ")
+  else
+      ZIDATE_TOKEN_EXPIRATION_DATE=$(date -u -d "+30 minutes" "+%Y-%m-%dT%H:%M:%SZ")
+  fi
+
+  check_jq
+
+  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
+
+  if [ -f zitadel.env ]; then
+    echo "Generated files already exist, if you want to reinitialize the environment, please remove them first."
+    echo "You can use the following commands:"
+    echo "  $DOCKER_COMPOSE_COMMAND down --volumes # to remove all containers and volumes"
+    echo "  rm -f docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json"
+    echo "Be aware that this will remove all data from the database, and you will have to reconfigure the dashboard."
+    exit 1
+  fi
+
+  echo Rendering initial files...
+  renderDockerCompose > docker-compose.yml
+  renderCaddyfile > Caddyfile
+  renderZitadelEnv > zitadel.env
+  echo "" > dashboard.env
+  echo "" > turnserver.conf
+  echo "" > management.json
+
+  mkdir -p machinekey
+  chmod 777 machinekey
+
+  init_crdb
+
+  echo -e "\nStarting Zidatel IDP for user management\n\n"
+  $DOCKER_COMPOSE_COMMAND up -d caddy zitadel
+  init_zitadel
+
+  echo -e "\nRendering NetBird files...\n"
+  renderTurnServerConf > turnserver.conf
+  renderManagementJson > management.json
+  renderDashboardEnv > dashboard.env
+
+  echo -e "\nStarting NetBird services\n"
+  $DOCKER_COMPOSE_COMMAND up -d
+  echo -e "\nDone!\n"
+  echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT"
+  echo "Login with the following credentials:"
+  echo "Username: $ZITADEL_ADMIN_USERNAME" | tee .env
+  echo "Password: $ZITADEL_ADMIN_PASSWORD" | tee -a .env
+}
+
+renderCaddyfile() {
+  cat <<EOF
+{
+  debug
+	servers :80,:443 {
+    protocols h1 h2c
+  }
+}
+
+(security_headers) {
+    header * {
+        # enable HSTS
+        # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#strict-transport-security-hsts
+        # NOTE: Read carefully how this header works before using it.
+        # If the HSTS header is misconfigured or if there is a problem with
+        # the SSL/TLS certificate being used, legitimate users might be unable
+        # to access the website. For example, if the HSTS header is set to a
+        # very long duration and the SSL/TLS certificate expires or is revoked,
+        # legitimate users might be unable to access the website until
+        # the HSTS header duration has expired.
+        # The recommended value for the max-age is 2 year (63072000 seconds).
+        # But we are using 1 hour (3600 seconds) for testing purposes
+        # and ensure that the website is working properly before setting
+        # to two years.
+
+        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
+
+        # disable clients from sniffing the media type
+        # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-content-type-options
+        X-Content-Type-Options "nosniff"
+
+        # clickjacking protection
+        # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-frame-options
+        X-Frame-Options "DENY"
+
+        # xss protection
+        # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#x-xss-protection
+        X-XSS-Protection "1; mode=block"
+
+        # Remove -Server header, which is an information leak
+        # Remove Caddy from Headers
+        -Server
+
+        # keep referrer data off of HTTP connections
+        # https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#referrer-policy
+        Referrer-Policy strict-origin-when-cross-origin
+    }
+}
+
+:80${CADDY_SECURE_DOMAIN} {
+    import security_headers
+    # Signal
+    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
+    # Management
+    reverse_proxy /api/* management:80
+    reverse_proxy /management.ManagementService/* h2c://management:80
+    # Zitadel
+    reverse_proxy /zitadel.admin.v1.AdminService/* h2c://zitadel:8080
+    reverse_proxy /admin/v1/* h2c://zitadel:8080
+    reverse_proxy /zitadel.auth.v1.AuthService/* h2c://zitadel:8080
+    reverse_proxy /auth/v1/* h2c://zitadel:8080
+    reverse_proxy /zitadel.management.v1.ManagementService/* h2c://zitadel:8080
+    reverse_proxy /management/v1/* h2c://zitadel:8080
+    reverse_proxy /zitadel.system.v1.SystemService/* h2c://zitadel:8080
+    reverse_proxy /system/v1/* h2c://zitadel:8080
+    reverse_proxy /assets/v1/* h2c://zitadel:8080
+    reverse_proxy /ui/* h2c://zitadel:8080
+    reverse_proxy /oidc/v1/* h2c://zitadel:8080
+    reverse_proxy /saml/v2/* h2c://zitadel:8080
+    reverse_proxy /oauth/v2/* h2c://zitadel:8080
+    reverse_proxy /.well-known/openid-configuration h2c://zitadel:8080
+    reverse_proxy /openapi/* h2c://zitadel:8080
+    reverse_proxy /debug/* h2c://zitadel:8080
+    # Dashboard
+    reverse_proxy /* dashboard:80
+}
+EOF
+}
+
+renderTurnServerConf() {
+  cat <<EOF
+listening-port=3478
+tls-listening-port=5349
+min-port=$TURN_MIN_PORT
+max-port=$TURN_MAX_PORT
+fingerprint
+lt-cred-mech
+user=$TURN_USER:$TURN_PASSWORD
+realm=wiretrustee.com
+cert=/etc/coturn/certs/cert.pem
+pkey=/etc/coturn/private/privkey.pem
+log-file=stdout
+no-software-attribute
+pidfile="/var/tmp/turnserver.pid"
+no-cli
+EOF
+}
+
+renderManagementJson() {
+  cat <<EOF
+{
+    "Stuns": [
+        {
+            "Proto": "udp",
+            "URI": "stun:$NETBIRD_DOMAIN:3478"
+        }
+    ],
+    "TURNConfig": {
+        "Turns": [
+            {
+                "Proto": "udp",
+                "URI": "turn:$NETBIRD_DOMAIN:3478",
+                "Username": "$TURN_USER",
+                "Password": "$TURN_PASSWORD"
+            }
+        ],
+        "TimeBasedCredentials": false
+    },
+    "Signal": {
+        "Proto": "$NETBIRD_HTTP_PROTOCOL",
+        "URI": "$NETBIRD_DOMAIN:$NETBIRD_PORT"
+    },
+    "HttpConfig": {
+        "AuthIssuer": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN",
+        "AuthAudience": "$NETBIRD_AUTH_CLIENT_ID",
+        "OIDCConfigEndpoint":"$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/.well-known/openid-configuration"
+    },
+    "IdpManagerConfig": {
+        "ManagerType": "zitadel",
+        "ClientConfig": {
+            "Issuer": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT",
+            "TokenEndpoint": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT/oauth/v2/token",
+            "ClientID": "$NETBIRD_IDP_MGMT_CLIENT_ID",
+            "ClientSecret": "$NETBIRD_IDP_MGMT_CLIENT_SECRET",
+            "GrantType": "client_credentials"
+        },
+        "ExtraConfig": {
+            "ManagementEndpoint": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT/management/v1"
+        }
+     },
+    "PKCEAuthorizationFlow": {
+        "ProviderConfig": {
+            "Audience": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+            "ClientID": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+            "Scope": "openid profile email offline_access",
+            "RedirectURLs": ["http://localhost:53000/","http://localhost:54000/"]
+        }
+    }
+}
+EOF
+}
+
+renderDashboardEnv() {
+  cat <<EOF
+# Endpoints
+NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT
+NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT
+# OIDC
+AUTH_AUDIENCE=$NETBIRD_AUTH_CLIENT_ID
+AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+AUTH_AUTHORITY=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT
+USE_AUTH0=false
+AUTH_SUPPORTED_SCOPES="openid profile email offline_access"
+AUTH_REDIRECT_URI=/nb-auth
+AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
+# SSL
+NGINX_SSL_PORT=443
+# Letsencrypt
+LETSENCRYPT_DOMAIN=none
+EOF
+}
+
+renderZitadelEnv() {
+  cat <<EOF
+ZITADEL_LOG_LEVEL=debug
+ZITADEL_MASTERKEY=$ZITADEL_MASTERKEY
+ZITADEL_DATABASE_COCKROACH_HOST=crdb
+ZITADEL_DATABASE_COCKROACH_USER_USERNAME=zitadel_user
+ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE=verify-full
+ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT="/crdb-certs/ca.crt"
+ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT="/crdb-certs/client.zitadel_user.crt"
+ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY="/crdb-certs/client.zitadel_user.key"
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE=verify-full
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT="/crdb-certs/ca.crt"
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT="/crdb-certs/client.root.crt"
+ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY="/crdb-certs/client.root.key"
+ZITADEL_EXTERNALSECURE=$ZITADEL_EXTERNALSECURE
+ZITADEL_TLS_ENABLED="false"
+ZITADEL_EXTERNALPORT=$NETBIRD_PORT
+ZITADEL_EXTERNALDOMAIN=$NETBIRD_DOMAIN
+ZITADEL_FIRSTINSTANCE_PATPATH=/machinekey/zitadel-admin-sa.token
+ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa
+ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin
+ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_SCOPES=openid
+ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE=$ZIDATE_TOKEN_EXPIRATION_DATE
+EOF
+}
+
+renderDockerCompose() {
+  cat <<EOF
+version: "3.4"
+services:
+  # Caddy reverse proxy
+  caddy:
+    image: caddy
+    restart: unless-stopped
+    networks: [ netbird ]
+    ports:
+      - '443:443'
+      - '80:80'
+      - '8080:8080'
+    volumes:
+      - netbird_caddy_data:/data
+      - ./Caddyfile:/etc/caddy/Caddyfile
+  #UI dashboard
+  dashboard:
+    image: wiretrustee/dashboard:latest
+    restart: unless-stopped
+    networks: [netbird]
+    env_file:
+      - ./dashboard.env
+  # Signal
+  signal:
+    image: netbirdio/signal:latest
+    restart: unless-stopped
+    networks: [netbird]
+  # Management
+  management:
+    image: netbirdio/management:latest
+    restart: unless-stopped
+    networks: [netbird]
+    volumes:
+      - netbird_management:/var/lib/netbird
+      - ./management.json:/etc/netbird/management.json
+    command: [
+      "--port", "80",
+      "--log-file", "console",
+      "--log-level", "info",
+      "--disable-anonymous-metrics=false",
+      "--single-account-mode-domain=netbird.selfhosted",
+      "--dns-domain=netbird.selfhosted",
+      "--idp-sign-key-refresh-enabled",
+    ]
+  # Coturn, AKA relay server
+  coturn:
+    image: coturn/coturn
+    restart: unless-stopped
+    domainname: netbird.relay.selfhosted
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    network_mode: host
+    command:
+      - -c /etc/turnserver.conf
+  # Zitadel - identity provider
+  zitadel:
+    restart: 'always'
+    networks: [netbird]
+    image: 'ghcr.io/zitadel/zitadel:v2.31.3'
+    command: 'start-from-init --masterkeyFromEnv --tlsMode $ZITADEL_TLS_MODE'
+    env_file:
+      - ./zitadel.env
+    depends_on:
+      crdb:
+        condition: 'service_healthy'
+    volumes:
+      - ./machinekey:/machinekey
+      - netbird_zitadel_certs:/crdb-certs:ro
+  # CockroachDB for zitadel
+  crdb:
+    restart: 'always'
+    networks: [netbird]
+    image: 'cockroachdb/cockroach:v22.2.2'
+    command: 'start-single-node --advertise-addr crdb'
+    volumes:
+      - netbird_crdb_data:/cockroach/cockroach-data
+      - netbird_crdb_certs:/cockroach/certs
+      - netbird_zitadel_certs:/zitadel-certs
+    healthcheck:
+      test: [ "CMD", "curl", "-f", "http://localhost:8080/health?ready=1" ]
+      interval: '10s'
+      timeout: '30s'
+      retries: 5
+      start_period: '20s'
+
+volumes:
+  netbird_management:
+  netbird_caddy_data:
+  netbird_crdb_data:
+  netbird_crdb_certs:
+  netbird_zitadel_certs:
+
+networks:
+  netbird:
+EOF
+}
+
+initEnvironment

infrastructure_files/tests/setup.env

@@ -21,4 +21,5 @@ NETBIRD_AUTH_USER_ID_CLAIM="email"
 NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid email"
 NETBIRD_MGMT_IDP=$CI_NETBIRD_MGMT_IDP
 NETBIRD_IDP_MGMT_CLIENT_ID=$CI_NETBIRD_IDP_MGMT_CLIENT_ID
-NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
+NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
+NETBIRD_SIGNAL_PORT=12345

infrastructure_files/zitadel.sh

@@ -1,122 +0,0 @@
-#!/bin/bash
-
-set -e
-
-request_jwt_token() {
-  INSTANCE_URL=$1
-  BODY="grant_type=client_credentials&scope=urn:zitadel:iam:org:project:id:zitadel:aud&client_id=$ZITADEL_CLIENT_ID&client_secret=$ZITADEL_CLIENT_SECRET"
-
-  RESPONSE=$(
-    curl -X POST "$INSTANCE_URL/oauth/v2/token" \
-      -H "Content-Type: application/x-www-form-urlencoded" \
-      -d "$BODY"
-  )
-  echo "$RESPONSE" | jq -r '.access_token'
-}
-
-create_new_project() {
-  INSTANCE_URL=$1
-  ACCESS_TOKEN=$2
-  PROJECT_NAME="NETBIRD"
-
-  RESPONSE=$(
-    curl -X POST "$INSTANCE_URL/management/v1/projects" \
-      -H "Authorization: Bearer $ACCESS_TOKEN" \
-      -H "Content-Type: application/json" \
-      -d '{"name": "'"$PROJECT_NAME"'"}'
-  )
-  echo "$RESPONSE" | jq -r '.id'
-}
-
-create_new_application() {
-  INSTANCE_URL=$1
-  ACCESS_TOKEN=$2
-  APPLICATION_NAME="netbird"
-
-  RESPONSE=$(
-    curl -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
-      -H "Authorization: Bearer $ACCESS_TOKEN" \
-      -H "Content-Type: application/json" \
-      -d '{
-    "name": "'"$APPLICATION_NAME"'",
-    "redirectUris": [
-      "'"$BASE_REDIRECT_URL"'/auth"
-    ],
-    "RESPONSETypes": [
-      "OIDC_RESPONSE_TYPE_CODE"
-    ],
-    "grantTypes": [
-      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
-      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
-    ],
-    "appType": "OIDC_APP_TYPE_USER_AGENT",
-    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
-    "postLogoutRedirectUris": [
-      "'"$BASE_REDIRECT_URL"'/silent-auth"
-    ],
-    "version": "OIDC_VERSION_1_0",
-    "devMode": '"$ZITADEL_DEV_MODE"',
-    "accessTokenType": "OIDC_TOKEN_TYPE_JWT",
-    "accessTokenRoleAssertion": true,
-    "skipNativeAppSuccessPage": true
-  }'
-  )
-  echo "$RESPONSE" | jq -r '.clientId'
-}
-
-configure_zitadel_instance() {
-  # extract zitadel instance url
-  INSTANCE_URL=$(echo "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" | sed 's/\/\.well-known\/openid-configuration//')
-  DOC_URL="https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-zitadel#step-4-create-a-service-user"
-
-  echo ""
-  printf "configuring zitadel instance: $INSTANCE_URL \n \
-  before proceeding, please create a new service account for authorization by following the instructions (step 4 and 5
-  ) in the documentation at %s\n" "$DOC_URL"
-  echo "Please ensure that the new service account has 'Org Owner' permission in order for this to work."
-  echo ""
-
-  read -n 1 -s -r -p "press any key to continue..."
-  echo ""
-
-  # prompt the user to enter service account clientID
-  echo ""
-  read -r -p "enter service account ClientId: " ZITADEL_CLIENT_ID
-  echo ""
-
-  # Prompt the user to enter service account clientSecret
-  read -r -p "enter service account ClientSecret: " ZITADEL_CLIENT_SECRET
-  echo ""
-
-  # get an access token from zitadel
-  echo "retrieving access token from zitadel"
-  ACCESS_TOKEN=$(request_jwt_token "$INSTANCE_URL")
-  if [ "$ACCESS_TOKEN" = "null" ]; then
-    echo "failed requesting access token"
-    exit 1
-  fi
-
-  #  create the zitadel project
-  echo "creating new zitadel project"
-  PROJECT_ID=$(create_new_project "$INSTANCE_URL" "$ACCESS_TOKEN")
-  if [ "$PROJECT_ID" = "null" ]; then
-    echo "failed creating new zitadel project"
-    exit 1
-  fi
-
-  ZITADEL_DEV_MODE=false
-  if [[ $NETBIRD_DOMAIN == *"localhost"* ]]; then
-    BASE_REDIRECT_URL="http://$NETBIRD_DOMAIN"
-    ZITADEL_DEV_MODE=true
-  else
-    BASE_REDIRECT_URL="https://$NETBIRD_DOMAIN"
-  fi
-
-  # create zitadel spa application
-  echo "creating new zitadel spa application"
-  APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$ACCESS_TOKEN")
-  if [ "$APPLICATION_CLIENT_ID" = "null" ]; then
-    echo "failed creating new zitadel spa application"
-    exit 1
-  fi
-}

management/client/client_test.go

@@ -61,12 +61,12 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 	peersUpdateManager := mgmt.NewPeersUpdateManager()
 	eventStore := &activity.InMemoryEventStore{}
 	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore)
+		eventStore, false)
 	if err != nil {
 		t.Fatal(err)
 	}
 	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}