chore: cleanup

2026-04-16 15:26:40 +00:00 · 2021-11-20 23:04:45 +01:00 · 2021-11-17 19:33:23 +01:00 · 2021-11-16 14:59:37 +01:00 · 2021-11-16 14:36:24 +01:00 · 2021-11-15 22:08:44 +01:00
159 changed files with 15329 additions and 1739 deletions
--- a/.github/workflows/golang-test.yml
+++ b/.github/workflows/golang-test.yml
@@ -0,0 +1,59 @@
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+name: Test
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.16.x]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Test
+        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test -p 1 ./...
+
+  test_build:
+    strategy:
+      matrix:
+        os: [ windows, linux, darwin ]
+        go-version: [1.16.x]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Cache Go modules
+        uses: actions/cache@v1
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: run build client
+        run: GOOS=${{ matrix.os }} go build .
+        working-directory: client
+
+      - name: run build management
+        run: GOOS=${{ matrix.os }} go build .
+        working-directory: management
+
+      - name: run build signal
+        run: GOOS=${{ matrix.os }} go build .
+        working-directory: signal
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -0,0 +1,16 @@
+name: golangci-lint
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  golangci:
+    name: lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v2
+
+
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,4 +49,17 @@ jobs:
          version: latest
          args: release --rm-dist
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+
+      -
+        name: Trigger Windows binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: Sign windows bin and installer
+          repo: wiretrustee/windows-sign-pipeline
+          ref: v0.0.1
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
 .idea
-*.iml
+*.iml
+dist/
+.env
+conf.json
+http-cmds.sh
+infrastructure_files/management.json
+infrastructure_files/docker-compose.yml
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,39 +1,97 @@
 project_name: wiretrustee
 builds:
-  - env: [CGO_ENABLED=0]
+  - id: wiretrustee
+    dir: client
+    binary: wiretrustee
+    env: [CGO_ENABLED=0]
+
    goos:
      - linux
      - darwin
+      - windows
    goarch:
      - arm
      - amd64
      - arm64
+      - mips
+    gomips:
+      - hardfloat
+      - softfloat
    ignore:
-      - goos: darwin
+      - goos: windows
        goarch: arm64
+      - goos: windows
+        goarch: arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+    tags:
+      - load_wintun_from_rsrc
+
+  - id: wiretrustee-mgmt
+    dir: management
+    env: [CGO_ENABLED=0]
+    binary: wiretrustee-mgmt
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: wiretrustee-signal
+    dir: signal
+    env: [CGO_ENABLED=0]
+    binary: wiretrustee-signal
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+archives:
+  - builds:
+      - wiretrustee
 nfpms:
-  - maintainer: Wiretrustee <wiretrustee@wiretrustee.com>
-    description: Wiretrustee project.
+  - maintainer: Wiretrustee <dev@wiretrustee.com>
+    description: Wiretrustee client.
    homepage: https://wiretrustee.com/
+    id: deb
+    builds:
+      - wiretrustee
    formats:
      - deb
-      - rpm
-    contents:
-      - src: release_files/wiretrustee.service
-        dst: /lib/systemd/system/wiretrustee.service
-
-      - src: release_files/wiretrustee.json
-        dst: /etc/wiretrustee/wiretrustee.json
-        type: "config|noreplace"

    scripts:
      postinstall: "release_files/post_install.sh"
+      preremove: "release_files/pre_remove.sh"
+
+  - maintainer: Wiretrustee <dev@wiretrustee.com>
+    description: Wiretrustee client.
+    homepage: https://wiretrustee.com/
+    id: rpm
+    builds:
+      - wiretrustee
+    formats:
+      - rpm
+
+    scripts:
+      postinstall: "release_files/post_install.sh"
+      preremove: "release_files/pre_remove.sh"
 dockers:
  - image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+    ids:
+      - wiretrustee
    goarch: amd64
-    use_buildx: true
-    dockerfile: Dockerfile
+    use: buildx
+    dockerfile: client/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
@@ -43,10 +101,150 @@ dockers:
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=wiretrustee@wiretrustee.com"
  - image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
+      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+    ids:
+      - wiretrustee
    goarch: arm64
-    use_buildx: true
-    dockerfile: Dockerfile
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/wiretrustee:{{ .Version }}-arm
+    ids:
+      - wiretrustee
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/signal:{{ .Version }}-amd64
+    ids:
+      - wiretrustee-signal
+    goarch: amd64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm64v8
+    ids:
+      - wiretrustee-signal
+    goarch: arm64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm
+    ids:
+      - wiretrustee-signal
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-amd64
+    ids:
+      - wiretrustee-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-arm64v8
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-arm
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-amd64
+    ids:
+      - wiretrustee-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-arm64v8
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
@@ -56,13 +254,93 @@ dockers:
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=wiretrustee@wiretrustee.com"

+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-arm
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
 docker_manifests:
-  - name_template: wiretrustee/wiretrustee:signal-{{ .Version }}
+  - name_template: wiretrustee/wiretrustee:{{ .Version }}
    image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+      - wiretrustee/wiretrustee:{{ .Version }}-arm
+      - wiretrustee/wiretrustee:{{ .Version }}-amd64

-  - name_template: wiretrustee/wiretrustee:signal-latest
+  - name_template: wiretrustee/wiretrustee:latest
    image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+      - wiretrustee/wiretrustee:{{ .Version }}-arm
+      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/signal:{{ .Version }}
+    image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm64v8
+      - wiretrustee/signal:{{ .Version }}-arm
+      - wiretrustee/signal:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/signal:latest
+    image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm64v8
+      - wiretrustee/signal:{{ .Version }}-arm
+      - wiretrustee/signal:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/management:{{ .Version }}
+    image_templates:
+      - wiretrustee/management:{{ .Version }}-arm64v8
+      - wiretrustee/management:{{ .Version }}-arm
+      - wiretrustee/management:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/management:latest
+    image_templates:
+      - wiretrustee/management:{{ .Version }}-arm64v8
+      - wiretrustee/management:{{ .Version }}-arm
+      - wiretrustee/management:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/management:debug-latest
+    image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-arm64v8
+      - wiretrustee/management:{{ .Version }}-debug-arm
+      - wiretrustee/management:{{ .Version }}-debug-amd64
+
+brews:
+  -
+    tap:
+      owner: wiretrustee
+      name: homebrew-client
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    commit_author:
+      name: Wiretrustee
+      email: wiretrustee@wiretrustee.com
+    description: Wiretrustee project.
+    download_strategy: CurlDownloadStrategy
+    homepage: https://wiretrustee.com/
+    license: "BSD3"
+    test: |
+      system "#{bin}/{{ .ProjectName	}} -h"
+
+uploads:
+  - name: debian
+    ids:
+    - deb
+    mode: archive
+    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
+    username: dev@wiretrustee.com
+    method: PUT
+  - name: yum
+    ids:
+      - rpm
+    mode: archive
+    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
+    username: dev@wiretrustee.com
+    method: PUT
--- a/5
+++ b/5
@@ -1,5 +0,0 @@
-FROM gcr.io/distroless/base:debug
-EXPOSE 10000
-ENTRYPOINT [ "/go/bin/wiretrustee","signal" ]
-CMD ["--log-level","DEBUG"]
-COPY wiretrustee /go/bin/wiretrustee
--- a/README.md
+++ b/README.md
@@ -1,83 +1,223 @@
-# Wiretrustee
+<div align="center">

-A WireGuard®-based mesh network that connects your devices into a single private network.
+<p align="center">
+  <img width="250" src="docs/media/logo-full.png"/>
+</p>

-### Why using Wiretrustee?
+  <p>
+    <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+    <img src="https://img.shields.io/docker/pulls/wiretrustee/management" />
+    <img src="https://badgen.net/badge/Open%20Source%3F/Yes%21/blue?icon=github" />
+  </p>
+</div>
+
+<p align="center">
+<strong>
+  Start using Wiretrustee at <a href="https://app.wiretrustee.com/">app.wiretrustee.com</a>
+  <br/>
+  See <a href="docs/README.md">Documentation</a>
+  <br/>
+   Join our <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
+  <br/>
+ 
+</strong>
+</p>
+
+<br>
+
+**Wiretrustee is an open-source VPN platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**
+
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
+
+There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+
+**Wiretrustee automates Wireguard-based networks, offering a management layer with:**
+* Centralized Peer IP management with a neat UI dashboard.
+* Automatic Peer discovery and configuration.
+* UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP.
+* Connection relay fallback in case a peer-to-peer connection is not possible.
+* Multitenancy (coming soon).
+* Client application SSO with MFA (coming soon).
+* Access Controls (coming soon).
+* Activity Monitoring (coming soon).
+
+### Secure peer-to-peer VPN in minutes
+<p float="left" align="middle">
+  <img src="docs/media/peerA.gif" width="400"/> 
+  <img src="docs/media/peerB.gif" width="400"/>
+</p>
+
+**Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases](https://github.com/wiretrustee/wiretrustee/releases).
+
+Hosted demo version: 
+[https://app.wiretrustee.com/](https://app.wiretrustee.com/peers). 
+
+[UI Dashboard Repo](https://github.com/wiretrustee/wiretrustee-dashboard)

-* Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
-* No need to open ports and expose public IPs on the device.
-* Automatically reconnects in case of network failures or switches.
-* Automatic NAT traversal.
-* Relay server fallback in case of an unsuccessful peer-to-peer connection.
-* Private key never leaves your device.
-* Works on ARM devices (e.g. Raspberry Pi).

 ### A bit on Wiretrustee internals
+* Wiretrustee features a Management Service that offers peer IP management and network updates distribution (e.g. when new peer joins the network).
 * Wiretrustee uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between devices.
-* A connection session negotiation between peers is achieved with the Wiretrustee Signalling server [signal](signal/)
-* Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
-  The routing of the messages on a Signalling server is based on public Wireguard keys. 
+* Peers negotiate connection through [Signal Service](signal/).
+* Signal Service uses public Wireguard keys to route messages between peers.
+  Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
 * Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT).
-  For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server.
+  When this occurs the system falls back to relay server (TURN), and a secure Wireguard tunnel is established via TURN server.
  [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups.

-### What Wiretrustee is not doing:
-* Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step.
-* Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee
+### Product Roadmap
+- [Public Roadmap](https://github.com/wiretrustee/wiretrustee/projects/2)
+- [Public Roadmap Progress Tracking](https://github.com/wiretrustee/wiretrustee/projects/1)

 ### Client Installation
-1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases)   
-2. Download the latest release:
-```shell
-wget https://github.com/wiretrustee/wiretrustee/releases/download/v0.0.4/wiretrustee_0.0.4_linux_amd64.rpm
-```
-3. Install the package
-```shell
-sudo dpkg -i wiretrustee_0.0.4_linux_amd64.deb
-```
+#### Linux
+
+**APT/Debian**
+1. Add the repository:
+    ```shell
+    sudo apt-get update
+    sudo apt-get install ca-certificates curl gnupg -y
+    curl -L https://pkgs.wiretrustee.com/debian/public.key | sudo apt-key add -
+    echo 'deb https://pkgs.wiretrustee.com/debian stable main' | sudo tee /etc/apt/sources.list.d/wiretrustee.list
+    ```
+2. Install the package
+    ```shell
+    sudo apt-get update
+    sudo apt-get install wiretrustee
+    ```
+**RPM/Red hat**
+1. Add the repository:
+    ```shell
+    cat <<EOF | sudo tee /etc/yum.repos.d/wiretrustee.repo
+    [Wiretrustee]
+    name=Wiretrustee
+    baseurl=https://pkgs.wiretrustee.com/yum/
+    enabled=1
+    gpgcheck=0
+    gpgkey=https://pkgs.wiretrustee.com/yum/repodata/repomd.xml.key
+    repo_gpgcheck=1
+    EOF
+    ```
+2. Install the package
+    ```shell
+    sudo yum install wiretrustee
+    ```
+#### MACOS
+**Brew install**
+1. Download and install Brew at https://brew.sh/
+2. Install the client
+  ```shell
+  brew install wiretrustee/client/wiretrustee
+  ```
+**Installation from binary**
+1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
+2. Download the latest release (**Switch VERSION to the latest**):
+  ```shell
+  curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
+  ```
+3. Decompress
+  ```shell
+  tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
+  sudo mv wiretrusee /usr/local/bin/wiretrustee
+  chmod +x /usr/local/bin/wiretrustee
+  ```
+After that you may need to add /usr/local/bin in your MAC's PATH environment variable:
+  ````shell
+  export PATH=$PATH:/usr/local/bin
+  ````
+
+#### Windows
+1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
+2. Download the latest Windows release installer ```wiretrustee_installer_<VERSION>_windows_amd64.exe``` (**Switch VERSION to the latest**):
+3. Proceed with installation steps
+4. This will install the client in the C:\\Program Files\\Wiretrustee and add the client service
+5. After installing, you can follow the [Client Configuration](#Client-Configuration) steps.
+> To uninstall the client and service, you can use Add/Remove programs
+
 ### Client Configuration
-1. Initialize Wiretrustee:
-```shell
-sudo wiretrustee init \
- --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
- --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  \
- --signalAddr signal.wiretrustee.com:10000  \
- --wgLocalAddr 10.30.30.1/24  \
- --log-level info
-```
-It is important to mention that the ```wgLocalAddr``` parameter has to be unique across your network.
-E.g. if you have Peer A with ```wgLocalAddr=10.30.30.1/24``` then another Peer B can have ```wgLocalAddr=10.30.30.2/24```
+1. Login to the Management Service. You need to have a `setup key` in hand (see ).

-If for some reason, you already have a generated Wireguard key, you can specify it with the ```--wgKey``` parameter. 
-If not specified, then a new one will be generated, and its corresponding public key will be output to the log.
-A new config will be generated and stored under ```/etc/wiretrustee/config.json```
-
-2. Add a peer to connect to. 
+For **Unix** systems:
+  ```shell
+  sudo wiretrustee up --setup-key <SETUP KEY>
+  ```
+For  **Windows** systems, start powershell as administrator and:
+  ```shell
+  wiretrustee up --setup-key <SETUP KEY>
+   ```
+For **Docker**, you can run with the following command:
 ```shell
-sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
+docker run --network host --privileged --rm -d -e WT_SETUP_KEY=<SETUP KEY> -v wiretrustee-client:/etc/wiretrustee wiretrustee/wiretrustee:<TAG>
 ```
+> TAG > 0.3.0 version

-3. Restart Wiretrustee to reload changes
-```shell
-sudo systemctl restart wiretrustee.service
-sudo systemctl status wiretrustee.service 
-```
-### Running the Signal service
-After installing the application, you can run the signal using the command below:
+Alternatively, if you are hosting your own Management Service provide `--management-url` property pointing to your Management Service:
+  ```shell
+  sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073
+  ```
+
+> You could also omit `--setup-key` property. In this case the tool will prompt it the key.
+
+
+2. Check your IP:
+  For **MACOS** you will just start the service:
+  ````shell
+  sudo ipconfig getifaddr utun100
+  ````   
+For **Linux** systems:
+  ```shell
+  ip addr show wt0
+  ```
+For **Windows** systems:
+  ```shell
+  netsh interface ip show config name="wt0"
+  ```
+
+3. Repeat on other machines.  
+
+### Running Dashboard, Management, Signal and Coturn
+Wiretrustee uses [Auth0](https://auth0.com) for user authentication and authorization, therefore you will need to create a free account 
+and configure Auth0 variables in the compose file (dashboard) and in the management config file.
+We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires significant amount of time to make it right. We focused on connectivity instead.
+It is worth mentioning that dependency to Auth0 is the only one that cannot be self-hosted.
+
+Configuring Wiretrustee Auth0 integration:
+- check [How to run](https://github.com/wiretrustee/wiretrustee-dashboard#how-to-run) to obtain Auth0 environment variables for UI Dashboard
+- set these variables in the [environment section of the docker-compose file](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/docker-compose.yml)
+- check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain ```AuthIssuer```, ```AuthAudience```, and ```AuthKeysLocation```
+- set these properties in the [management config files](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/management.json#L33)
+
+
+Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. 
+You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.
+
+The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
+
+> Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
+
+Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
+to generate one from [Let’s Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. 
+> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host  with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.
+
+Simple docker-composer execution:
 ````shell
-/usr/local/bin/wiretrustee signal --log-level INFO
+cd infrastructure_files
+docker-compose up -d
 ````
-This will launch the signal service on port 10000, in case you want to change the port, use the flag --port.
-#### Docker image
-We have packed the signal into docker images. You can pull the images from the Docker Hub and execute it with the following commands:
+You can check logs by running:
 ````shell
-docker pull wiretrustee/wiretrustee:signal-latest
-docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest
+cd infrastructure_files
+docker-compose logs signal
+docker-compose logs management
+docker-compose logs coturn
 ````
-The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:
+If you need to stop the services, run the following:
 ````shell
-docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG
+cd infrastructure_files
+docker-compose down
 ````
-### Roadmap
-* Android app
- 
+
+
+### Legal
+ [WireGuard](https://wireguard.com/) is a registered trademark of Jason A. Donenfeld.
+
--- a/browser/Makefile
+++ b/browser/Makefile
@@ -0,0 +1,3 @@
+run:
+	GOOS=js GOARCH=wasm go build -o assets/client.wasm ./client/
+	go run main.go
--- a/browser/assets/index.html
+++ b/browser/assets/index.html
@@ -0,0 +1,34 @@
+<html>
+<head>
+    <meta charset="utf-8"/>
+    <script src="wasm_exec.js"></script>
+    <script>
+        const go = new Go();
+        WebAssembly.instantiateStreaming(fetch("client.wasm"), go.importObject).then((result) => {
+            go.run(result.instance);
+        });
+    </script>
+</head>
+<body>
+<form>
+    <input type=button value="Generate Public Key" onclick='generateWireguardKey()'>
+    </p>
+    <label for="wgPrivateKey">Wireguard private key:</label>
+    <input id="wgPrivateKey" type=input size="50" value="qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=">
+    </p>
+    <label for="publicKey">Wireguard Public Key:</label>
+    <input id="publicKey" type=input size="50" value="6M9O7PRhKMEOiboBp9cX6rNrLBevtHX7H0O2FMXUkFI=">
+    <p/>
+    <label for="wgIp">Wireguard private IP:</label>
+    <input id="wgIp" type=input size="50" value="10.0.0.2/24">
+    <p/>
+    <label for="peerKey">Wireguard Peer Public key:</label>
+    <input id="peerKey" type=input size="50" value="RFuT84MDhIvmgQndwMkxQPjG195poq713EMJZv1XPEw=">
+    <p/>
+    <label for="peerAllowedIPs">Wireguard Peer AllowedIPs:</label>
+    <input id="peerAllowedIPs" type=input size="50" value="Paste other peer AllowedIPs">
+    <p/>
+    <input type=button value="start" onclick='connect()'>
+</form>
+</body>
+</html>
--- a/browser/assets/wasm_exec.js
+++ b/browser/assets/wasm_exec.js
@@ -0,0 +1,636 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+(() => {
+	// Map multiple JavaScript environments to a single common API,
+	// preferring web standards over Node.js API.
+	//
+	// Environments considered:
+	// - Browsers
+	// - Node.js
+	// - Electron
+	// - Parcel
+	// - Webpack
+
+	if (typeof global !== "undefined") {
+		// global already exists
+	} else if (typeof window !== "undefined") {
+		window.global = window;
+	} else if (typeof self !== "undefined") {
+		self.global = self;
+	} else {
+		throw new Error("cannot export Go (neither global, window nor self is defined)");
+	}
+
+	if (!global.require && typeof require !== "undefined") {
+		global.require = require;
+	}
+
+	if (!global.fs && global.require) {
+		const fs = require("fs");
+		if (typeof fs === "object" && fs !== null && Object.keys(fs).length !== 0) {
+			global.fs = fs;
+		}
+	}
+
+	const enosys = () => {
+		const err = new Error("not implemented");
+		err.code = "ENOSYS";
+		return err;
+	};
+
+	if (!global.fs) {
+		let outputBuf = "";
+		global.fs = {
+			constants: { O_WRONLY: -1, O_RDWR: -1, O_CREAT: -1, O_TRUNC: -1, O_APPEND: -1, O_EXCL: -1 }, // unused
+			writeSync(fd, buf) {
+				outputBuf += decoder.decode(buf);
+				const nl = outputBuf.lastIndexOf("\n");
+				if (nl != -1) {
+					console.log(outputBuf.substr(0, nl));
+					outputBuf = outputBuf.substr(nl + 1);
+				}
+				return buf.length;
+			},
+			write(fd, buf, offset, length, position, callback) {
+				if (offset !== 0 || length !== buf.length || position !== null) {
+					callback(enosys());
+					return;
+				}
+				const n = this.writeSync(fd, buf);
+				callback(null, n);
+			},
+			chmod(path, mode, callback) { callback(enosys()); },
+			chown(path, uid, gid, callback) { callback(enosys()); },
+			close(fd, callback) { callback(enosys()); },
+			fchmod(fd, mode, callback) { callback(enosys()); },
+			fchown(fd, uid, gid, callback) { callback(enosys()); },
+			fstat(fd, callback) { callback(enosys()); },
+			fsync(fd, callback) { callback(null); },
+			ftruncate(fd, length, callback) { callback(enosys()); },
+			lchown(path, uid, gid, callback) { callback(enosys()); },
+			link(path, link, callback) { callback(enosys()); },
+			lstat(path, callback) { callback(enosys()); },
+			mkdir(path, perm, callback) { callback(enosys()); },
+			open(path, flags, mode, callback) { callback(enosys()); },
+			read(fd, buffer, offset, length, position, callback) { callback(enosys()); },
+			readdir(path, callback) { callback(enosys()); },
+			readlink(path, callback) { callback(enosys()); },
+			rename(from, to, callback) { callback(enosys()); },
+			rmdir(path, callback) { callback(enosys()); },
+			stat(path, callback) { callback(enosys()); },
+			symlink(path, link, callback) { callback(enosys()); },
+			truncate(path, length, callback) { callback(enosys()); },
+			unlink(path, callback) { callback(enosys()); },
+			utimes(path, atime, mtime, callback) { callback(enosys()); },
+		};
+	}
+
+	if (!global.process) {
+		global.process = {
+			getuid() { return -1; },
+			getgid() { return -1; },
+			geteuid() { return -1; },
+			getegid() { return -1; },
+			getgroups() { throw enosys(); },
+			pid: -1,
+			ppid: -1,
+			umask() { throw enosys(); },
+			cwd() { throw enosys(); },
+			chdir() { throw enosys(); },
+		}
+	}
+
+	if (!global.crypto && global.require) {
+		const nodeCrypto = require("crypto");
+		global.crypto = {
+			getRandomValues(b) {
+				nodeCrypto.randomFillSync(b);
+			},
+		};
+	}
+	if (!global.crypto) {
+		throw new Error("global.crypto is not available, polyfill required (getRandomValues only)");
+	}
+
+	if (!global.performance) {
+		global.performance = {
+			now() {
+				const [sec, nsec] = process.hrtime();
+				return sec * 1000 + nsec / 1000000;
+			},
+		};
+	}
+
+	if (!global.TextEncoder && global.require) {
+		global.TextEncoder = require("util").TextEncoder;
+	}
+	if (!global.TextEncoder) {
+		throw new Error("global.TextEncoder is not available, polyfill required");
+	}
+
+	if (!global.TextDecoder && global.require) {
+		global.TextDecoder = require("util").TextDecoder;
+	}
+	if (!global.TextDecoder) {
+		throw new Error("global.TextDecoder is not available, polyfill required");
+	}
+
+	// End of polyfills for common API.
+
+	const encoder = new TextEncoder("utf-8");
+	const decoder = new TextDecoder("utf-8");
+
+	global.Go = class {
+		constructor() {
+			this.argv = ["js"];
+			this.env = {};
+			this.exit = (code) => {
+				if (code !== 0) {
+					console.warn("exit code:", code);
+				}
+			};
+			this._exitPromise = new Promise((resolve) => {
+				this._resolveExitPromise = resolve;
+			});
+			this._pendingEvent = null;
+			this._scheduledTimeouts = new Map();
+			this._nextCallbackTimeoutID = 1;
+
+			const setInt64 = (addr, v) => {
+				this.mem.setUint32(addr + 0, v, true);
+				this.mem.setUint32(addr + 4, Math.floor(v / 4294967296), true);
+			}
+
+			const getInt64 = (addr) => {
+				const low = this.mem.getUint32(addr + 0, true);
+				const high = this.mem.getInt32(addr + 4, true);
+				return low + high * 4294967296;
+			}
+
+			const loadValue = (addr) => {
+				const f = this.mem.getFloat64(addr, true);
+				if (f === 0) {
+					return undefined;
+				}
+				if (!isNaN(f)) {
+					return f;
+				}
+
+				const id = this.mem.getUint32(addr, true);
+				return this._values[id];
+			}
+
+			const storeValue = (addr, v) => {
+				const nanHead = 0x7FF80000;
+
+				if (typeof v === "number" && v !== 0) {
+					if (isNaN(v)) {
+						this.mem.setUint32(addr + 4, nanHead, true);
+						this.mem.setUint32(addr, 0, true);
+						return;
+					}
+					this.mem.setFloat64(addr, v, true);
+					return;
+				}
+
+				if (v === undefined) {
+					this.mem.setFloat64(addr, 0, true);
+					return;
+				}
+
+				let id = this._ids.get(v);
+				if (id === undefined) {
+					id = this._idPool.pop();
+					if (id === undefined) {
+						id = this._values.length;
+					}
+					this._values[id] = v;
+					this._goRefCounts[id] = 0;
+					this._ids.set(v, id);
+				}
+				this._goRefCounts[id]++;
+				let typeFlag = 0;
+				switch (typeof v) {
+					case "object":
+						if (v !== null) {
+							typeFlag = 1;
+						}
+						break;
+					case "string":
+						typeFlag = 2;
+						break;
+					case "symbol":
+						typeFlag = 3;
+						break;
+					case "function":
+						typeFlag = 4;
+						break;
+				}
+				this.mem.setUint32(addr + 4, nanHead | typeFlag, true);
+				this.mem.setUint32(addr, id, true);
+			}
+
+			const loadSlice = (addr) => {
+				const array = getInt64(addr + 0);
+				const len = getInt64(addr + 8);
+				return new Uint8Array(this._inst.exports.mem.buffer, array, len);
+			}
+
+			const loadSliceOfValues = (addr) => {
+				const array = getInt64(addr + 0);
+				const len = getInt64(addr + 8);
+				const a = new Array(len);
+				for (let i = 0; i < len; i++) {
+					a[i] = loadValue(array + i * 8);
+				}
+				return a;
+			}
+
+			const loadString = (addr) => {
+				const saddr = getInt64(addr + 0);
+				const len = getInt64(addr + 8);
+				return decoder.decode(new DataView(this._inst.exports.mem.buffer, saddr, len));
+			}
+
+			const timeOrigin = Date.now() - performance.now();
+			this.importObject = {
+				go: {
+					// Go's SP does not change as long as no Go code is running. Some operations (e.g. calls, getters and setters)
+					// may synchronously trigger a Go event handler. This makes Go code get executed in the middle of the imported
+					// function. A goroutine can switch to a new stack if the current stack is too small (see morestack function).
+					// This changes the SP, thus we have to update the SP used by the imported function.
+
+					// func wasmExit(code int32)
+					"runtime.wasmExit": (sp) => {
+						sp >>>= 0;
+						const code = this.mem.getInt32(sp + 8, true);
+						this.exited = true;
+						delete this._inst;
+						delete this._values;
+						delete this._goRefCounts;
+						delete this._ids;
+						delete this._idPool;
+						this.exit(code);
+					},
+
+					// func wasmWrite(fd uintptr, p unsafe.Pointer, n int32)
+					"runtime.wasmWrite": (sp) => {
+						sp >>>= 0;
+						const fd = getInt64(sp + 8);
+						const p = getInt64(sp + 16);
+						const n = this.mem.getInt32(sp + 24, true);
+						fs.writeSync(fd, new Uint8Array(this._inst.exports.mem.buffer, p, n));
+					},
+
+					// func resetMemoryDataView()
+					"runtime.resetMemoryDataView": (sp) => {
+						sp >>>= 0;
+						this.mem = new DataView(this._inst.exports.mem.buffer);
+					},
+
+					// func nanotime1() int64
+					"runtime.nanotime1": (sp) => {
+						sp >>>= 0;
+						setInt64(sp + 8, (timeOrigin + performance.now()) * 1000000);
+					},
+
+					// func walltime() (sec int64, nsec int32)
+					"runtime.walltime": (sp) => {
+						sp >>>= 0;
+						const msec = (new Date).getTime();
+						setInt64(sp + 8, msec / 1000);
+						this.mem.setInt32(sp + 16, (msec % 1000) * 1000000, true);
+					},
+
+					// func scheduleTimeoutEvent(delay int64) int32
+					"runtime.scheduleTimeoutEvent": (sp) => {
+						sp >>>= 0;
+						const id = this._nextCallbackTimeoutID;
+						this._nextCallbackTimeoutID++;
+						this._scheduledTimeouts.set(id, setTimeout(
+							() => {
+								this._resume();
+								while (this._scheduledTimeouts.has(id)) {
+									// for some reason Go failed to register the timeout event, log and try again
+									// (temporary workaround for https://github.com/golang/go/issues/28975)
+									console.warn("scheduleTimeoutEvent: missed timeout event");
+									this._resume();
+								}
+							},
+							getInt64(sp + 8) + 1, // setTimeout has been seen to fire up to 1 millisecond early
+						));
+						this.mem.setInt32(sp + 16, id, true);
+					},
+
+					// func clearTimeoutEvent(id int32)
+					"runtime.clearTimeoutEvent": (sp) => {
+						sp >>>= 0;
+						const id = this.mem.getInt32(sp + 8, true);
+						clearTimeout(this._scheduledTimeouts.get(id));
+						this._scheduledTimeouts.delete(id);
+					},
+
+					// func getRandomData(r []byte)
+					"runtime.getRandomData": (sp) => {
+						sp >>>= 0;
+						crypto.getRandomValues(loadSlice(sp + 8));
+					},
+
+					// func finalizeRef(v ref)
+					"syscall/js.finalizeRef": (sp) => {
+						sp >>>= 0;
+						const id = this.mem.getUint32(sp + 8, true);
+						this._goRefCounts[id]--;
+						if (this._goRefCounts[id] === 0) {
+							const v = this._values[id];
+							this._values[id] = null;
+							this._ids.delete(v);
+							this._idPool.push(id);
+						}
+					},
+
+					// func stringVal(value string) ref
+					"syscall/js.stringVal": (sp) => {
+						sp >>>= 0;
+						storeValue(sp + 24, loadString(sp + 8));
+					},
+
+					// func valueGet(v ref, p string) ref
+					"syscall/js.valueGet": (sp) => {
+						sp >>>= 0;
+						const result = Reflect.get(loadValue(sp + 8), loadString(sp + 16));
+						sp = this._inst.exports.getsp() >>> 0; // see comment above
+						storeValue(sp + 32, result);
+					},
+
+					// func valueSet(v ref, p string, x ref)
+					"syscall/js.valueSet": (sp) => {
+						sp >>>= 0;
+						Reflect.set(loadValue(sp + 8), loadString(sp + 16), loadValue(sp + 32));
+					},
+
+					// func valueDelete(v ref, p string)
+					"syscall/js.valueDelete": (sp) => {
+						sp >>>= 0;
+						Reflect.deleteProperty(loadValue(sp + 8), loadString(sp + 16));
+					},
+
+					// func valueIndex(v ref, i int) ref
+					"syscall/js.valueIndex": (sp) => {
+						sp >>>= 0;
+						storeValue(sp + 24, Reflect.get(loadValue(sp + 8), getInt64(sp + 16)));
+					},
+
+					// valueSetIndex(v ref, i int, x ref)
+					"syscall/js.valueSetIndex": (sp) => {
+						sp >>>= 0;
+						Reflect.set(loadValue(sp + 8), getInt64(sp + 16), loadValue(sp + 24));
+					},
+
+					// func valueCall(v ref, m string, args []ref) (ref, bool)
+					"syscall/js.valueCall": (sp) => {
+						sp >>>= 0;
+						try {
+							const v = loadValue(sp + 8);
+							const m = Reflect.get(v, loadString(sp + 16));
+							const args = loadSliceOfValues(sp + 32);
+							const result = Reflect.apply(m, v, args);
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 56, result);
+							this.mem.setUint8(sp + 64, 1);
+						} catch (err) {
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 56, err);
+							this.mem.setUint8(sp + 64, 0);
+						}
+					},
+
+					// func valueInvoke(v ref, args []ref) (ref, bool)
+					"syscall/js.valueInvoke": (sp) => {
+						sp >>>= 0;
+						try {
+							const v = loadValue(sp + 8);
+							const args = loadSliceOfValues(sp + 16);
+							const result = Reflect.apply(v, undefined, args);
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, result);
+							this.mem.setUint8(sp + 48, 1);
+						} catch (err) {
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, err);
+							this.mem.setUint8(sp + 48, 0);
+						}
+					},
+
+					// func valueNew(v ref, args []ref) (ref, bool)
+					"syscall/js.valueNew": (sp) => {
+						sp >>>= 0;
+						try {
+							const v = loadValue(sp + 8);
+							const args = loadSliceOfValues(sp + 16);
+							const result = Reflect.construct(v, args);
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, result);
+							this.mem.setUint8(sp + 48, 1);
+						} catch (err) {
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, err);
+							this.mem.setUint8(sp + 48, 0);
+						}
+					},
+
+					// func valueLength(v ref) int
+					"syscall/js.valueLength": (sp) => {
+						sp >>>= 0;
+						setInt64(sp + 16, parseInt(loadValue(sp + 8).length));
+					},
+
+					// valuePrepareString(v ref) (ref, int)
+					"syscall/js.valuePrepareString": (sp) => {
+						sp >>>= 0;
+						const str = encoder.encode(String(loadValue(sp + 8)));
+						storeValue(sp + 16, str);
+						setInt64(sp + 24, str.length);
+					},
+
+					// valueLoadString(v ref, b []byte)
+					"syscall/js.valueLoadString": (sp) => {
+						sp >>>= 0;
+						const str = loadValue(sp + 8);
+						loadSlice(sp + 16).set(str);
+					},
+
+					// func valueInstanceOf(v ref, t ref) bool
+					"syscall/js.valueInstanceOf": (sp) => {
+						sp >>>= 0;
+						this.mem.setUint8(sp + 24, (loadValue(sp + 8) instanceof loadValue(sp + 16)) ? 1 : 0);
+					},
+
+					// func copyBytesToGo(dst []byte, src ref) (int, bool)
+					"syscall/js.copyBytesToGo": (sp) => {
+						sp >>>= 0;
+						const dst = loadSlice(sp + 8);
+						const src = loadValue(sp + 32);
+						if (!(src instanceof Uint8Array || src instanceof Uint8ClampedArray)) {
+							this.mem.setUint8(sp + 48, 0);
+							return;
+						}
+						const toCopy = src.subarray(0, dst.length);
+						dst.set(toCopy);
+						setInt64(sp + 40, toCopy.length);
+						this.mem.setUint8(sp + 48, 1);
+					},
+
+					// func copyBytesToJS(dst ref, src []byte) (int, bool)
+					"syscall/js.copyBytesToJS": (sp) => {
+						sp >>>= 0;
+						const dst = loadValue(sp + 8);
+						const src = loadSlice(sp + 16);
+						if (!(dst instanceof Uint8Array || dst instanceof Uint8ClampedArray)) {
+							this.mem.setUint8(sp + 48, 0);
+							return;
+						}
+						const toCopy = src.subarray(0, dst.length);
+						dst.set(toCopy);
+						setInt64(sp + 40, toCopy.length);
+						this.mem.setUint8(sp + 48, 1);
+					},
+
+					"debug": (value) => {
+						console.log(value);
+					},
+				}
+			};
+		}
+
+		async run(instance) {
+			if (!(instance instanceof WebAssembly.Instance)) {
+				throw new Error("Go.run: WebAssembly.Instance expected");
+			}
+			this._inst = instance;
+			this.mem = new DataView(this._inst.exports.mem.buffer);
+			this._values = [ // JS values that Go currently has references to, indexed by reference id
+				NaN,
+				0,
+				null,
+				true,
+				false,
+				global,
+				this,
+			];
+			this._goRefCounts = new Array(this._values.length).fill(Infinity); // number of references that Go has to a JS value, indexed by reference id
+			this._ids = new Map([ // mapping from JS values to reference ids
+				[0, 1],
+				[null, 2],
+				[true, 3],
+				[false, 4],
+				[global, 5],
+				[this, 6],
+			]);
+			this._idPool = [];   // unused ids that have been garbage collected
+			this.exited = false; // whether the Go program has exited
+
+			// Pass command line arguments and environment variables to WebAssembly by writing them to the linear memory.
+			let offset = 4096;
+
+			const strPtr = (str) => {
+				const ptr = offset;
+				const bytes = encoder.encode(str + "\0");
+				new Uint8Array(this.mem.buffer, offset, bytes.length).set(bytes);
+				offset += bytes.length;
+				if (offset % 8 !== 0) {
+					offset += 8 - (offset % 8);
+				}
+				return ptr;
+			};
+
+			const argc = this.argv.length;
+
+			const argvPtrs = [];
+			this.argv.forEach((arg) => {
+				argvPtrs.push(strPtr(arg));
+			});
+			argvPtrs.push(0);
+
+			const keys = Object.keys(this.env).sort();
+			keys.forEach((key) => {
+				argvPtrs.push(strPtr(`${key}=${this.env[key]}`));
+			});
+			argvPtrs.push(0);
+
+			const argv = offset;
+			argvPtrs.forEach((ptr) => {
+				this.mem.setUint32(offset, ptr, true);
+				this.mem.setUint32(offset + 4, 0, true);
+				offset += 8;
+			});
+
+			// The linker guarantees global data starts from at least wasmMinDataAddr.
+			// Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
+			const wasmMinDataAddr = 4096 + 4096;
+			if (offset >= wasmMinDataAddr) {
+				throw new Error("command line too long");
+			}
+
+			this._inst.exports.run(argc, argv);
+			if (this.exited) {
+				this._resolveExitPromise();
+			}
+			await this._exitPromise;
+		}
+
+		_resume() {
+			if (this.exited) {
+				throw new Error("Go program has already exited");
+			}
+			this._inst.exports.resume();
+			if (this.exited) {
+				this._resolveExitPromise();
+			}
+		}
+
+		_makeFuncWrapper(id) {
+			const go = this;
+			return function () {
+				const event = { id: id, this: this, args: arguments };
+				go._pendingEvent = event;
+				go._resume();
+				return event.result;
+			};
+		}
+	}
+
+	if (
+		typeof module !== "undefined" &&
+		global.require &&
+		global.require.main === module &&
+		global.process &&
+		global.process.versions &&
+		!global.process.versions.electron
+	) {
+		if (process.argv.length < 3) {
+			console.error("usage: go_js_wasm_exec [wasm binary] [arguments]");
+			process.exit(1);
+		}
+
+		const go = new Go();
+		go.argv = process.argv.slice(2);
+		go.env = Object.assign({ TMPDIR: require("os").tmpdir() }, process.env);
+		go.exit = process.exit;
+		WebAssembly.instantiate(fs.readFileSync(process.argv[2]), go.importObject).then((result) => {
+			process.on("exit", (code) => { // Node.js exits if no event handler is pending
+				if (code === 0 && !go.exited) {
+					// deadlock, make Go print error and stack traces
+					go._pendingEvent = { id: 0 };
+					go._resume();
+				}
+			});
+			return go.run(result.instance);
+		}).catch((err) => {
+			console.error(err);
+			process.exit(1);
+		});
+	}
+})();
--- a/browser/client/client.go
+++ b/browser/client/client.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/browser/conn"
+	"github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"time"
+)
+
+//my private key qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=
+//remote private key KLuBc6tM/NRV1071bfPiNUxZmMhGBCXfxoDg+A+J7ns=
+func main() {
+
+	key, err := wgtypes.ParseKey("qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=")
+	if err != nil {
+		panic(err)
+	}
+
+	log.Printf("my public key: %s", key.PublicKey().String())
+
+	remoteKey, err := wgtypes.ParseKey("RFuT84MDhIvmgQndwMkxQPjG195poq713EMJZv1XPEw=")
+
+	if err != nil {
+		panic(err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+
+	signal, err := client.NewWebsocketClient(ctx, "ws://localhost:80/signal", key)
+
+	time.Sleep(5 * time.Second)
+
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]net.IP{net.ParseIP("1s00.0.2.2")},
+		[]net.IP{net.ParseIP("8.8.8.8")},
+		1420)
+
+	b := conn.NewWebRTCBind("chann-1", signal, key.PublicKey().String(), remoteKey.String())
+	dev := device.NewDevice(tun, b, device.NewLogger(device.LogLevelVerbose, ""))
+
+	err = dev.IpcSet(fmt.Sprintf("private_key=%s\npublic_key=%s\npersistent_keepalive_interval=5\nendpoint=webrtc://datachannel\nallowed_ip=0.0.0.0/0",
+		hex.EncodeToString(key[:]),
+		hex.EncodeToString(remoteKey[:]),
+	))
+
+	dev.Up()
+
+	if err != nil {
+		panic(err)
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: tnet.DialContext,
+		},
+	}
+	time.Sleep(5 * time.Second)
+
+	//go func() {
+	log.Printf("request")
+	req, _ := http.NewRequest("POST", "http://100.0.2.1", bytes.NewBufferString("fdffffffffffffffffffffffffffffffdsdfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"))
+	req.Header.Set("js.fetch:mode", "no-cors")
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Panic(err)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Panic(err)
+	}
+	log.Printf(string(body))
+	log.Printf(resp.Status)
+	//}()
+
+	select {}
+
+}
--- a/browser/conn/bind_webrtc.go
+++ b/browser/conn/bind_webrtc.go
@@ -0,0 +1,347 @@
+package conn
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/pion/webrtc/v3"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	"github.com/wiretrustee/wiretrustee/signal/proto"
+	"golang.zx2c4.com/wireguard/conn"
+	"log"
+	"net"
+	"sync"
+	"time"
+)
+
+const initDataChannelName = "wiretrustee-init"
+
+func (*WebRTCBind) makeReceive(dcConn net.Conn) conn.ReceiveFunc {
+	return func(buff []byte) (int, conn.Endpoint, error) {
+		n, err := dcConn.Read(buff)
+		if err != nil {
+			return 0, nil, err
+		}
+		//addr := dcConn.RemoteAddr().(DataChannelAddr)
+		return n, &WebRTCEndpoint{}, err
+	}
+}
+
+// WebRTCBind is an implementation of Wireguard Bind interface backed by WebRTC data channel
+type WebRTCBind struct {
+	id        string
+	pc        *webrtc.PeerConnection
+	conn      net.Conn
+	incoming  chan *webrtc.DataChannel
+	mu        sync.Mutex
+	signal    signal.Client
+	key       string
+	remoteKey string
+	closeCond *Cond
+	closeErr  error
+}
+
+func NewWebRTCBind(id string, signal signal.Client, pubKey string, remotePubKey string) conn.Bind {
+
+	return &WebRTCBind{
+		id:        id,
+		pc:        nil,
+		conn:      nil,
+		signal:    signal,
+		mu:        sync.Mutex{},
+		key:       pubKey,
+		remoteKey: remotePubKey,
+		closeCond: NewCond(),
+		incoming:  make(chan *webrtc.DataChannel, 1),
+	}
+}
+
+// acceptDC accepts a datachannel over opened WebRTC connection and wraps it into net.Conn
+// blocks until channel was successfully opened
+func (bind *WebRTCBind) acceptDC() (stream net.Conn, err error) {
+	for dc := range bind.incoming {
+		if dc.Label() == initDataChannelName {
+			continue
+		}
+		stream, err := WrapDataChannel(dc)
+		if err != nil {
+			dc.Close()
+			return nil, err
+		}
+		log.Printf("accepted datachannel connection %s", dc.Label())
+
+		return stream, nil
+	}
+	return nil, context.Canceled
+}
+
+// openDC creates datachannel over opened WebRTC connection and wraps it into net.Conn
+// blocks until channel was successfully opened
+func (bind *WebRTCBind) openDC() (stream net.Conn, err error) {
+	dc, err := bind.pc.CreateDataChannel(bind.id, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open RTCDataChannel: %w", err)
+	}
+
+	stream, err = WrapDataChannel(dc)
+	if err != nil {
+		dc.Close()
+		return nil, err
+	}
+
+	log.Printf("opened datachannel connection %s", dc.Label())
+	return stream, err
+}
+
+func newPeerConnection() (*webrtc.PeerConnection, error) {
+	config := webrtc.Configuration{
+		ICEServers: []webrtc.ICEServer{
+			{
+				URLs: []string{"stun:stun.l.google.com:19302"},
+			},
+		},
+	}
+	pc, err := webrtc.NewPeerConnection(config)
+	if err != nil {
+		return nil, err
+	}
+
+	return pc, nil
+}
+
+func (bind *WebRTCBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, err error) {
+
+	log.Printf("opening WebRTCBind connection")
+	connected := NewCond()
+	bind.pc, err = newPeerConnection()
+	if err != nil {
+		bind.pc.Close()
+		return nil, 0, err
+	}
+	bind.pc.OnICEConnectionStateChange(func(state webrtc.ICEConnectionState) {
+		switch state {
+		case webrtc.ICEConnectionStateConnected:
+			connected.Signal()
+		case webrtc.ICEConnectionStateClosed:
+			log.Printf("WebRTC connection closed")
+			//TODO
+		}
+	})
+
+	bind.pc.OnDataChannel(func(dc *webrtc.DataChannel) {
+		log.Printf("received channel %s %v", dc.Label(), dc)
+		bind.incoming <- dc
+	})
+
+	controlling := bind.key < bind.remoteKey
+	// decision who is creating an offer
+	if controlling {
+		_, err = bind.pc.CreateDataChannel(initDataChannelName, nil)
+		if err != nil {
+			return nil, 0, err
+		}
+
+		offer, err := bind.pc.CreateOffer(nil)
+		if err != nil {
+			return nil, 0, err
+		}
+
+		if err := bind.pc.SetLocalDescription(offer); err != nil {
+			return nil, 0, err
+		}
+
+		// Create channel that is blocked until ICE Gathering is complete
+		gatherComplete := webrtc.GatheringCompletePromise(bind.pc)
+		select {
+		case <-gatherComplete:
+		case <-bind.closeCond.C:
+			return nil, 0, fmt.Errorf("closed while waiting for WebRTC candidates")
+		}
+		log.Printf("candidates gathered")
+
+		err = bind.signal.Send(&proto.Message{
+			Key:       bind.key,
+			RemoteKey: bind.remoteKey,
+			Body: &proto.Body{
+				Type:    proto.Body_OFFER,
+				Payload: Encode(bind.pc.LocalDescription()),
+			},
+		})
+		if err != nil {
+			return nil, 0, err
+		}
+
+		log.Printf("sent an offer to a remote peer")
+
+		//answerCh := make(chan webrtc.SessionDescription, 1)
+
+		go bind.signal.Receive(func(msg *proto.Message) error {
+			log.Printf("received a message from %v -> %v", msg.RemoteKey, msg.Body.Payload)
+			if msg.GetBody().Type == proto.Body_ANSWER {
+				log.Printf("received answer")
+				err := setRemoteDescription(bind.pc, msg.GetBody().GetPayload())
+				if err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+			}
+			return nil
+		})
+
+	} else {
+		gatherComplete := webrtc.GatheringCompletePromise(bind.pc)
+
+		go bind.signal.Receive(func(msg *proto.Message) error {
+			log.Printf("received a message from %v -> %v", msg.RemoteKey, msg.Body.Payload)
+			if msg.GetBody().Type == proto.Body_OFFER {
+				log.Printf("received offer")
+
+				err = setRemoteDescription(bind.pc, msg.GetBody().GetPayload())
+				if err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+
+				sdp, err := bind.pc.CreateAnswer(nil)
+				if err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+
+				if err := bind.pc.SetLocalDescription(sdp); err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+
+				select {
+				case <-gatherComplete:
+				case <-bind.closeCond.C:
+					return nil
+				}
+
+				log.Printf("candidates gathered")
+
+				err = bind.signal.Send(&proto.Message{
+					Key:       bind.key,
+					RemoteKey: bind.remoteKey,
+					Body: &proto.Body{
+						Type:    proto.Body_ANSWER,
+						Payload: Encode(bind.pc.LocalDescription()),
+					},
+				})
+				if err != nil {
+					return err
+				}
+
+				log.Printf("sent an answer to a remote peer")
+			}
+			return nil
+		})
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		return nil, 0, fmt.Errorf("failed to connect in time: %w", err)
+	case <-connected.C:
+	}
+	log.Printf("WebRTC connection has opened successfully")
+
+	//once WebRTC has been established we can now create a datachannel and resume
+	var dcConn net.Conn
+	if controlling {
+		dcConn, err = bind.openDC()
+		if err != nil {
+			return nil, 0, err
+		}
+	} else {
+		dcConn, err = bind.acceptDC()
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+	bind.conn = dcConn
+	fns = append(fns, bind.makeReceive(bind.conn))
+	return fns, 0, nil
+
+}
+
+func setRemoteDescription(pc *webrtc.PeerConnection, payload string) error {
+	descr, err := Decode(payload)
+	if err != nil {
+		return err
+	}
+	err = pc.SetRemoteDescription(*descr)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("parsed SDP %s", descr.SDP)
+
+	return nil
+}
+func Decode(in string) (*webrtc.SessionDescription, error) {
+	descr := &webrtc.SessionDescription{}
+	err := json.Unmarshal([]byte(in), descr)
+	if err != nil {
+		return nil, err
+	}
+
+	return descr, nil
+}
+
+func Encode(obj interface{}) string {
+	b, err := json.Marshal(obj)
+	if err != nil {
+		panic(err)
+	}
+
+	return string(b)
+}
+
+func (*WebRTCBind) Close() error {
+	return nil
+}
+
+func (*WebRTCBind) SetMark(mark uint32) error {
+	return nil
+}
+
+func (bind *WebRTCBind) Send(b []byte, ep conn.Endpoint) error {
+	n, err := bind.conn.Write(b)
+	if err != nil {
+		return err
+	}
+	log.Printf("wrote %d bytes", n)
+	return nil
+}
+
+func (*WebRTCBind) ParseEndpoint(s string) (conn.Endpoint, error) {
+	log.Printf("peer endpoint %s", s)
+	return &WebRTCEndpoint{}, nil
+}
+
+// WebRTCEndpoint is an implementation of Wireguard's Endpoint interface backed by WebRTC
+type WebRTCEndpoint DataChannelAddr
+
+func (e *WebRTCEndpoint) ClearSrc() {
+
+}
+func (e *WebRTCEndpoint) SrcToString() string {
+	return ""
+}
+func (e *WebRTCEndpoint) DstToString() string {
+	return (*DataChannelAddr)(e).String()
+}
+func (e *WebRTCEndpoint) DstToBytes() []byte {
+	port := 31234
+	out := net.IP{127, 0, 0, 1}
+	out = append(out, byte(port&0xff))
+	out = append(out, byte((port>>8)&0xff))
+	return out
+}
+func (e *WebRTCEndpoint) DstIP() net.IP {
+	return net.IP{127, 0, 0, 1}
+}
+func (e *WebRTCEndpoint) SrcIP() net.IP {
+	return nil
+}
--- a/browser/conn/cond.go
+++ b/browser/conn/cond.go
@@ -0,0 +1,34 @@
+package conn
+
+// credits to https://github.com/rtctunnel/rtctunnel
+
+import "sync"
+
+// A Cond is a condition variable like sync.Cond, but using a channel so we can use select.
+type Cond struct {
+	once sync.Once
+	C    chan struct{}
+}
+
+// NewCond creates a new condition variable.
+func NewCond() *Cond {
+	return &Cond{C: make(chan struct{})}
+}
+
+// Do runs f if the condition hasn't been signaled yet. Afterwards it will be signaled.
+func (c *Cond) Do(f func()) {
+	c.once.Do(func() {
+		f()
+		close(c.C)
+	})
+}
+
+// Signal closes the condition variable channel.
+func (c *Cond) Signal() {
+	c.Do(func() {})
+}
+
+// Wait waits for the condition variable channel to close.
+func (c *Cond) Wait() {
+	<-c.C
+}
--- a/browser/conn/conn.go
+++ b/browser/conn/conn.go
@@ -0,0 +1,220 @@
+package conn
+
+// credits to https://github.com/rtctunnel/rtctunnel
+
+import (
+	"context"
+	"errors"
+	"github.com/pion/webrtc/v3"
+	"io"
+	"log"
+	"net"
+	"time"
+)
+
+var ErrClosedByPeer = errors.New("closed by peer")
+
+type DataChannelAddr struct{}
+
+func (addr DataChannelAddr) Network() string {
+	return "webrtc"
+}
+
+func (addr DataChannelAddr) String() string {
+	return "webrtc://datachannel"
+}
+
+// A DataChannelConn implements the net.Conn interface over a webrtc data channel
+type DataChannelConn struct {
+	dc *webrtc.DataChannel
+	rr ContextReadCloser
+	rw ContextWriteCloser
+
+	openCond  *Cond
+	closeCond *Cond
+	closeErr  error
+}
+
+// WrapDataChannel wraps an rtc data channel and implements the net.Conn
+// interface
+func WrapDataChannel(rtcDataChannel *webrtc.DataChannel) (*DataChannelConn, error) {
+	rr, rw := io.Pipe()
+
+	conn := &DataChannelConn{
+		dc: rtcDataChannel,
+		rr: ContextReadCloser{Context: context.Background(), ReadCloser: rr},
+		rw: ContextWriteCloser{Context: context.Background(), WriteCloser: rw},
+
+		openCond:  NewCond(),
+		closeCond: NewCond(),
+	}
+	conn.dc.OnClose(func() {
+		_ = conn.closeWithError(ErrClosedByPeer)
+	})
+	conn.dc.OnOpen(func() {
+		// for reasons I don't understand, when opened the data channel is not immediately available for use
+		time.Sleep(50 * time.Millisecond)
+		conn.openCond.Signal()
+	})
+	conn.dc.OnMessage(func(msg webrtc.DataChannelMessage) {
+		log.Printf("received message from data channel %d", len(msg.Data))
+		if rw != nil {
+			_, err := rw.Write(msg.Data)
+			if err != nil {
+				_ = conn.closeWithError(err)
+				rw = nil
+			}
+		}
+	})
+
+	select {
+	case <-conn.closeCond.C:
+		err := conn.closeErr
+		if err == nil {
+			err = errors.New("datachannel closed for unknown reasons")
+		}
+		return nil, err
+	case <-conn.openCond.C:
+	}
+
+	return conn, nil
+}
+
+func (dc *DataChannelConn) Read(b []byte) (n int, err error) {
+	return dc.rr.Read(b)
+}
+
+func (dc *DataChannelConn) Write(b []byte) (n int, err error) {
+	log.Printf("writing buffer of size %d", len(b))
+	err = dc.dc.Send(b)
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}
+
+func (dc *DataChannelConn) Close() error {
+	return dc.closeWithError(nil)
+}
+
+func (dc *DataChannelConn) LocalAddr() net.Addr {
+	return DataChannelAddr{}
+}
+
+func (dc *DataChannelConn) RemoteAddr() net.Addr {
+	return DataChannelAddr{}
+}
+
+func (dc *DataChannelConn) SetDeadline(t time.Time) error {
+	var err error
+	if e := dc.SetReadDeadline(t); e != nil {
+		err = e
+	}
+	if e := dc.SetWriteDeadline(t); e != nil {
+		err = e
+	}
+	return err
+}
+
+func (dc *DataChannelConn) SetReadDeadline(t time.Time) error {
+	return dc.rr.SetReadDeadline(t)
+}
+
+func (dc *DataChannelConn) SetWriteDeadline(t time.Time) error {
+	return dc.rw.SetWriteDeadline(t)
+}
+
+func (dc *DataChannelConn) closeWithError(err error) error {
+	dc.closeCond.Do(func() {
+		e := dc.rr.Close()
+		if err == nil {
+			err = e
+		}
+		e = dc.rw.Close()
+		if err == nil {
+			err = e
+		}
+		e = dc.dc.Close()
+		if err == nil {
+			err = e
+		}
+		dc.closeErr = err
+	})
+	return err
+}
+
+type ContextReadCloser struct {
+	context.Context
+	io.ReadCloser
+	cancel func()
+}
+
+func (cr ContextReadCloser) Close() error {
+	err := cr.ReadCloser.Close()
+	if cr.cancel != nil {
+		cr.cancel()
+		cr.cancel = nil
+	}
+	return err
+}
+
+func (cr ContextReadCloser) SetReadDeadline(t time.Time) error {
+	if cr.cancel != nil {
+		cr.cancel()
+		cr.cancel = nil
+	}
+	cr.Context, cr.cancel = context.WithDeadline(context.Background(), t)
+	return nil
+}
+
+func (cr ContextReadCloser) Read(p []byte) (n int, err error) {
+	done := make(chan struct{})
+	go func() {
+		n, err = cr.ReadCloser.Read(p)
+		close(done)
+	}()
+	select {
+	case <-done:
+		return n, err
+	case <-cr.Context.Done():
+		return 0, cr.Context.Err()
+	}
+}
+
+type ContextWriteCloser struct {
+	context.Context
+	io.WriteCloser
+	cancel func()
+}
+
+func (cw ContextWriteCloser) Close() error {
+	err := cw.WriteCloser.Close()
+	if cw.cancel != nil {
+		cw.cancel()
+		cw.cancel = nil
+	}
+	return err
+}
+
+func (cw ContextWriteCloser) SetWriteDeadline(t time.Time) error {
+	if cw.cancel != nil {
+		cw.cancel()
+		cw.cancel = nil
+	}
+	cw.Context, cw.cancel = context.WithDeadline(context.Background(), t)
+	return nil
+}
+
+func (cw ContextWriteCloser) Write(p []byte) (n int, err error) {
+	done := make(chan struct{})
+	go func() {
+		n, err = cw.WriteCloser.Write(p)
+		close(done)
+	}()
+	select {
+	case <-done:
+		return n, err
+	case <-cw.Context.Done():
+		return 0, cw.Context.Err()
+	}
+}
--- a/browser/main.go
+++ b/browser/main.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+)
+
+func main() {
+	log.Print("listening on http://localhost:9090")
+	err := http.ListenAndServe(":9090", http.FileServer(http.Dir("./assets")))
+	//err := http.ListenAndServe(":9090", http.FileServer(http.Dir("/home/braginini/Documents/projects/my/wiretrustee/rtctunnel/examples/browser-http/dist")))
+
+	if err != nil {
+		fmt.Println("Failed to start server", err)
+		return
+	}
+}
--- a/browser/server/server.go
+++ b/browser/server/server.go
@@ -0,0 +1,123 @@
+package main
+
+import (
+	"context"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/browser/conn"
+	"github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"time"
+)
+
+//my private key qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=
+//remote private key KLuBc6tM/NRV1071bfPiNUxZmMhGBCXfxoDg+A+J7ns=
+//./server --key KLuBc6tM/NRV1071bfPiNUxZmMhGBCXfxoDg+A+J7ns= --remote-key 6M9O7PRhKMEOiboBp9cX6rNrLBevtHX7H0O2FMXUkFI= --signal-endpoint ws://0.0.0.0:80/signal --ip 100.0.2.1 --remote-ip 100.0.2.2
+func main() {
+
+	keyFlag := flag.String("key", "", "a Wireguard private key")
+	remoteKeyFlag := flag.String("remote-key", "", "a Wireguard remote peer public key")
+	signalEndpoint := flag.String("signal-endpoint", "ws://apitest.wiretrustee.com:80/signal", "a Signal service Websocket endpoint")
+	cl := flag.Bool("client", false, "indicates whether the program is a client")
+	ip := flag.String("ip", "", "Wireguard IP")
+	remoteIP := flag.String("remote-ip", "", "Wireguard IP")
+
+	flag.Parse()
+
+	key, err := wgtypes.ParseKey(*keyFlag)
+	if err != nil {
+		panic(err)
+	}
+
+	log.Printf("my public key: %s", key.PublicKey().String())
+
+	remoteKey, err := wgtypes.ParseKey(*remoteKeyFlag)
+
+	if err != nil {
+		panic(err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+
+	signal, err := client.NewWebsocketClient(ctx, *signalEndpoint, key)
+
+	time.Sleep(5 * time.Second)
+
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]net.IP{net.ParseIP(*ip)},
+		[]net.IP{net.ParseIP("8.8.8.8")},
+		1420)
+
+	b := conn.NewWebRTCBind("chann-1", signal, key.PublicKey().String(), remoteKey.String())
+	dev := device.NewDevice(tun, b, device.NewLogger(device.LogLevelVerbose, ""))
+	allowedIPs := *remoteIP + "/32"
+	if *cl {
+		allowedIPs = "0.0.0.0/0"
+	}
+	err = dev.IpcSet(fmt.Sprintf("private_key=%s\npublic_key=%s\npersistent_keepalive_interval=100\nendpoint=webrtc://datachannel\nallowed_ip=%s",
+		hex.EncodeToString(key[:]),
+		hex.EncodeToString(remoteKey[:]),
+		allowedIPs,
+	))
+
+	dev.Up()
+
+	if err != nil {
+		panic(err)
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: tnet.DialContext,
+		},
+	}
+	time.Sleep(2 * time.Second)
+
+	if *cl {
+
+		req, _ := http.NewRequest("GET", "http://"+*remoteIP, nil)
+
+		//req.Header.Set("js.fetch:mode", "no-cors")
+		resp, err := client.Do(req)
+		if err != nil {
+			log.Panic(err)
+		}
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			log.Panic(err)
+		}
+		log.Printf(string(body))
+		log.Printf(resp.Status)
+
+	} else {
+		listener, err := tnet.ListenTCP(&net.TCPAddr{Port: 80})
+		if err != nil {
+			log.Panicln(err)
+		}
+		http.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
+			writer.Header().Set("Access-Control-Allow-Origin", "*")
+			writer.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+			if (*request).Method == "OPTIONS" {
+				return
+			}
+
+			log.Printf("> %s - %s - %s", request.RemoteAddr, request.URL.String(), request.UserAgent())
+			io.WriteString(writer, "HELOOOOOOOOOOOOOOOOOOOO")
+		})
+		err = http.Serve(listener, nil)
+		if err != nil {
+			log.Panicln(err)
+		}
+	}
+
+	select {}
+
+}
--- a/browser/test/test.go
+++ b/browser/test/test.go
@@ -0,0 +1,60 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"time"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+func main() {
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]net.IP{net.ParseIP("10.100.0.2")},
+		[]net.IP{net.ParseIP("8.8.8.8")},
+		1420)
+	if err != nil {
+		log.Panic(err)
+	}
+
+	clientKey, _ := wgtypes.ParseKey("WI+uoQD9jGi+nyifmFwmswQu5r0uWFH31WeSmfU0snI=")
+	publicServerkey, _ := wgtypes.ParseKey("Xp2HRQ1AJ1WbSrHV1NNHAIcmirLUjUh9jz3K3n4OcgQ=")
+	fmt.Printf(clientKey.PublicKey().String())
+
+	dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(device.LogLevelVerbose, ""))
+
+	err = dev.IpcSet(fmt.Sprintf("private_key=%s\npublic_key=%s\npersistent_keepalive_interval=1\nendpoint=65.21.255.241:51820\nallowed_ip=0.0.0.0/0",
+		hex.EncodeToString(clientKey[:]),
+		hex.EncodeToString(publicServerkey[:]),
+	))
+	if err != nil {
+		log.Panic(err)
+	}
+	err = dev.Up()
+	if err != nil {
+		log.Panic(err)
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: tnet.DialContext,
+		},
+	}
+	resp, err := client.Get("https://httpbin.org/ip")
+	if err != nil {
+		log.Panic(err)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Panic(err)
+	}
+	log.Println(string(body))
+	time.Sleep(30 * time.Second)
+}
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base:debug
+ENV WT_LOG_FILE=console
+ENTRYPOINT [ "/go/bin/wiretrustee","up"]
+COPY wiretrustee /go/bin/wiretrustee
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -0,0 +1,153 @@
+package cmd
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"os"
+)
+
+var (
+	loginCmd = &cobra.Command{
+		Use:   "login",
+		Short: "login to the Wiretrustee Management Service (first run)",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+				return err
+			}
+
+			config, err := internal.GetConfig(managementURL, configPath)
+			if err != nil {
+				log.Errorf("failed getting config %s %v", configPath, err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			//validate our peer's Wireguard PRIVATE key
+			myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+			if err != nil {
+				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			ctx := context.Background()
+
+			mgmTlsEnabled := false
+			if config.ManagementURL.Scheme == "https" {
+				mgmTlsEnabled = true
+			}
+
+			log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+			mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+			if err != nil {
+				log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+			log.Debugf("connected to anagement Service %s", config.ManagementURL.String())
+
+			serverKey, err := mgmClient.GetServerPublicKey()
+			if err != nil {
+				log.Errorf("failed while getting Management Service public key: %v", err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			_, err = loginPeer(*serverKey, mgmClient, setupKey)
+			if err != nil {
+				log.Errorf("failed logging-in peer on Management Service : %v", err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			err = mgmClient.Close()
+			if err != nil {
+				log.Errorf("failed closing Management Service client: %v", err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			return nil
+		},
+	}
+)
+
+// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
+func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
+
+	loginResp, err := client.Login(serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(serverPublicKey, client, setupKey)
+		} else {
+			return nil, err
+		}
+	}
+
+	log.Info("peer has successfully logged-in to Management Service")
+
+	return loginResp, nil
+}
+
+// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
+// Otherwise tries to register with the provided setupKey via command line.
+func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
+
+	var err error
+	if setupKey == "" {
+		setupKey, err = promptPeerSetupKey()
+		if err != nil {
+			log.Errorf("failed getting setup key from user: %s", err)
+			return nil, err
+		}
+	}
+
+	validSetupKey, err := uuid.Parse(setupKey)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debugf("sending peer registration request to Management Service")
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String())
+	if err != nil {
+		log.Errorf("failed registering peer %v", err)
+		return nil, err
+	}
+
+	log.Infof("peer has been successfully registered on Management Service")
+
+	return loginResp, nil
+}
+
+// promptPeerSetupKey prompts user to enter Setup Key
+func promptPeerSetupKey() (string, error) {
+	fmt.Print("Enter setup key: ")
+
+	s := bufio.NewScanner(os.Stdin)
+	for s.Scan() {
+		input := s.Text()
+		if input != "" {
+			return input, nil
+		}
+		fmt.Println("Specified key is empty, try again:")
+
+	}
+
+	return "", s.Err()
+}
--- a/client/cmd/login_test.go
+++ b/client/cmd/login_test.go
@@ -0,0 +1,69 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+var mgmAddr string
+
+func TestLogin_Start(t *testing.T) {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, listener := startManagement(config, t)
+	mgmAddr = listener.Addr().String()
+}
+
+func TestLogin(t *testing.T) {
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+	mgmtURL := fmt.Sprintf("http://%s", mgmAddr)
+	rootCmd.SetArgs([]string{
+		"login",
+		"--config",
+		confPath,
+		"--setup-key",
+		strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
+		"--management-url",
+		mgmtURL,
+	})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// validate generated config
+	actualConf := &internal.Config{}
+	_, err = util.ReadJson(confPath, actualConf)
+	if err != nil {
+		t.Errorf("expected proper config file written, got broken %v", err)
+	}
+
+	if actualConf.ManagementURL.String() != mgmtURL {
+		t.Errorf("expected management URL %s got %s", mgmtURL, actualConf.ManagementURL.String())
+	}
+
+	if actualConf.WgIface != iface.WgInterfaceDefault {
+		t.Errorf("expected WgIface %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
+	}
+
+	if len(actualConf.PrivateKey) == 0 {
+		t.Errorf("expected non empty Private key, got empty")
+	}
+}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -0,0 +1,99 @@
+package cmd
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"os"
+	"os/signal"
+	"runtime"
+	"strings"
+	"syscall"
+)
+
+var (
+	configPath        string
+	defaultConfigPath string
+	logLevel          string
+	defaultLogFile    string
+	logFile           string
+	managementURL     string
+	setupKey          string
+	rootCmd           = &cobra.Command{
+		Use:   "wiretrustee",
+		Short: "",
+		Long:  "",
+	}
+
+	// Execution control channel for stopCh signal
+	stopCh    chan int
+	cleanupCh chan struct{}
+)
+
+// Execute executes the root command.
+func Execute() error {
+	return rootCmd.Execute()
+}
+func init() {
+
+	stopCh = make(chan int)
+	cleanupCh = make(chan struct{})
+
+	defaultConfigPath = "/etc/wiretrustee/config.json"
+	defaultLogFile = "/var/log/wiretrustee/client.log"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
+	}
+
+	rootCmd.PersistentFlags().StringVar(&managementURL, "management-url", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.ManagementURLDefault().String()))
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Wiretrustee log level")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Wiretrustee log path. If console is specified the the log will be output to stdout")
+	rootCmd.PersistentFlags().StringVar(&setupKey, "setup-key", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
+	rootCmd.AddCommand(serviceCmd)
+	rootCmd.AddCommand(upCmd)
+	rootCmd.AddCommand(loginCmd)
+	rootCmd.AddCommand(versionCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
+	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
+}
+
+// SetupCloseHandler handles SIGTERM signal and exits with success
+func SetupCloseHandler() {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		for range c {
+			log.Info("shutdown signal received")
+			stopCh <- 0
+		}
+	}()
+}
+
+// SetFlagsFromEnvVars reads and updates flag values from environment variables with prefix WT_
+func SetFlagsFromEnvVars() {
+	flags := rootCmd.PersistentFlags()
+	flags.VisitAll(func(f *pflag.Flag) {
+
+		envVar := FlagNameToEnvVar(f.Name)
+
+		if value, present := os.LookupEnv(envVar); present {
+			err := flags.Set(f.Name, value)
+			if err != nil {
+				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, envVar, err)
+			}
+		}
+	})
+}
+
+// FlagNameToEnvVar converts flag name to environment var name adding a prefix,
+// replacing dashes and making all uppercase (e.g. setup-keys is converted to WT_SETUP_KEYS)
+func FlagNameToEnvVar(f string) string {
+	prefix := "WT_"
+	parsed := strings.ReplaceAll(f, "-", "_")
+	upper := strings.ToUpper(parsed)
+	return prefix + upper
+}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -0,0 +1,36 @@
+package cmd
+
+import (
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+type program struct {
+	cmd  *cobra.Command
+	args []string
+}
+
+func newSVCConfig() *service.Config {
+	return &service.Config{
+		Name:        "wiretrustee",
+		DisplayName: "Wiretrustee",
+		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
+	}
+}
+
+func newSVC(prg *program, conf *service.Config) (service.Service, error) {
+	s, err := service.New(prg, conf)
+	if err != nil {
+		log.Fatal(err)
+		return nil, err
+	}
+	return s, nil
+}
+
+var (
+	serviceCmd = &cobra.Command{
+		Use:   "service",
+		Short: "manages wiretrustee service",
+	}
+)
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -0,0 +1,152 @@
+package cmd
+
+import (
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/util"
+	"time"
+)
+
+func (p *program) Start(service.Service) error {
+
+	// Start should not block. Do the actual work async.
+	log.Info("starting service") //nolint
+	go func() {
+		err := runClient()
+		if err != nil {
+			log.Errorf("stopped Wiretrustee client app due to error: %v", err)
+			return
+		}
+	}()
+	return nil
+}
+
+func (p *program) Stop(service.Service) error {
+	go func() {
+		stopCh <- 1
+	}()
+
+	select {
+	case <-cleanupCh:
+	case <-time.After(time.Second * 10):
+		log.Warnf("failed waiting for service cleanup, terminating")
+	}
+	log.Info("stopped Wiretrustee service") //nolint
+	return nil
+}
+
+var (
+	runCmd = &cobra.Command{
+		Use:   "run",
+		Short: "runs wiretrustee as service",
+		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+				return
+			}
+
+			SetupCloseHandler()
+
+			prg := &program{
+				cmd:  cmd,
+				args: args,
+			}
+
+			s, err := newSVC(prg, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Run()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Printf("Wiretrustee service is running")
+		},
+	}
+)
+
+var (
+	startCmd = &cobra.Command{
+		Use:   "start",
+		Short: "starts wiretrustee service",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+				return err
+			}
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return err
+			}
+			err = s.Start()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return err
+			}
+			cmd.Println("Wiretrustee service has been started")
+			return nil
+		},
+	}
+)
+
+var (
+	stopCmd = &cobra.Command{
+		Use:   "stop",
+		Short: "stops wiretrustee service",
+		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+			}
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Stop()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Println("Wiretrustee service has been stopped")
+		},
+	}
+)
+
+var (
+	restartCmd = &cobra.Command{
+		Use:   "restart",
+		Short: "restarts wiretrustee service",
+		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+			}
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			err = s.Restart()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Println("Wiretrustee service has been restarted")
+		},
+	}
+)
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -0,0 +1,69 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"runtime"
+)
+
+var (
+	installCmd = &cobra.Command{
+		Use:   "install",
+		Short: "installs wiretrustee service",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()
+
+			svcConfig := newSVCConfig()
+
+			svcConfig.Arguments = []string{
+				"service",
+				"run",
+				"--config",
+				configPath,
+				"--log-level",
+				logLevel,
+			}
+
+			if runtime.GOOS == "linux" {
+				// Respected only by systemd systems
+				svcConfig.Dependencies = []string{"After=network.target syslog.target"}
+			}
+
+			s, err := newSVC(&program{}, svcConfig)
+			if err != nil {
+				cmd.PrintErrln(err)
+				return err
+			}
+
+			err = s.Install()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return err
+			}
+			cmd.Println("Wiretrustee service has been installed")
+			return nil
+		},
+	}
+)
+
+var (
+	uninstallCmd = &cobra.Command{
+		Use:   "uninstall",
+		Short: "uninstalls wiretrustee service from system",
+		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+
+			err = s.Uninstall()
+			if err != nil {
+				cmd.PrintErrln(err)
+				return
+			}
+			cmd.Println("Wiretrustee has been uninstalled")
+		},
+	}
+)
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -0,0 +1,57 @@
+package cmd
+
+import (
+	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/signal/peer"
+	sigProto "github.com/wiretrustee/wiretrustee/signal/proto"
+	sig "github.com/wiretrustee/wiretrustee/signal/server"
+	"google.golang.org/grpc"
+	"net"
+	"testing"
+)
+
+func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	sigProto.RegisterSignalExchangeServer(s, sig.NewServer(peer.NewRegistry()))
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			panic(err)
+		}
+	}()
+
+	return s, lis
+}
+
+func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	store, err := mgmt.NewStore(config.Datadir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peersUpdateManager := mgmt.NewPeersUpdateManager()
+	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+			return
+		}
+	}()
+
+	return s, lis
+}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -0,0 +1,225 @@
+package cmd
+
+import (
+	"context"
+	"github.com/cenkalti/backoff/v4"
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"time"
+)
+
+var (
+	upCmd = &cobra.Command{
+		Use:   "up",
+		Short: "install, login and start wiretrustee client",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()
+			err := loginCmd.RunE(cmd, args)
+			if err != nil {
+				return err
+			}
+			if logFile == "console" {
+				return runClient()
+			}
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return err
+			}
+
+			srvStatus, err := s.Status()
+			if err != nil {
+				if err == service.ErrNotInstalled {
+					log.Infof("%s. Installing it now", err.Error())
+					e := installCmd.RunE(cmd, args)
+					if e != nil {
+						return e
+					}
+				} else {
+					log.Warnf("failed retrieving service status: %v", err)
+				}
+			}
+			if srvStatus == service.StatusRunning {
+				stopCmd.Run(cmd, args)
+			}
+			return startCmd.RunE(cmd, args)
+		},
+	}
+)
+
+// createEngineConfig converts configuration received from Management Service to EngineConfig
+func createEngineConfig(key wgtypes.Key, config *internal.Config, peerConfig *mgmProto.PeerConfig) (*internal.EngineConfig, error) {
+	iFaceBlackList := make(map[string]struct{})
+	for i := 0; i < len(config.IFaceBlackList); i += 2 {
+		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
+	}
+
+	return &internal.EngineConfig{
+		WgIface:        config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: iFaceBlackList,
+		WgPrivateKey:   key,
+	}, nil
+}
+
+// connectToSignal creates Signal Service client and established a connection
+func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (signal.Client, error) {
+	var sigTLSEnabled bool
+	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
+		sigTLSEnabled = true
+	} else {
+		sigTLSEnabled = false
+	}
+
+	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
+	if err != nil {
+		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+	}
+
+	return signalClient, nil
+}
+
+// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.Client, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to management server %s", managementAddr)
+	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
+	loginResp, err := client.Login(*serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Error("peer registration required. Please run wiretrustee login command first")
+			return nil, nil, err
+		} else {
+			return nil, nil, err
+		}
+	}
+
+	log.Debugf("peer logged in to Management Service %s", managementAddr)
+
+	return client, loginResp, nil
+}
+
+func runClient() error {
+	var backOff = &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      24 * 3 * time.Hour, //stop the client after 3 days trying (must be a huge problem, e.g permission denied)
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+
+	operation := func() error {
+
+		config, err := internal.ReadConfig(managementURL, configPath)
+		if err != nil {
+			log.Errorf("failed reading config %s %v", configPath, err)
+			return err
+		}
+
+		//validate our peer's Wireguard PRIVATE key
+		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+			return err
+		}
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		mgmTlsEnabled := false
+		if config.ManagementURL.Scheme == "https" {
+			mgmTlsEnabled = true
+		}
+
+		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
+		mgmClient, loginResp, err := connectToManagement(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		if err != nil {
+			log.Warn(err)
+			return err
+		}
+
+		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
+		signalClient, err := connectToSignal(ctx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
+		if err != nil {
+			log.Error(err)
+			return err
+		}
+
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return err
+		}
+
+		// create start the Wiretrustee Engine that will connect to the Signal and Management streams and manage connections to remote peers.
+		engine := internal.NewEngine(signalClient, mgmClient, engineConfig, cancel, ctx)
+		err = engine.Start()
+		if err != nil {
+			log.Errorf("error while starting Wiretrustee Connection Engine: %s", err)
+			return err
+		}
+
+		log.Print("Wiretrustee engine started, my IP is: ", peerConfig.Address)
+
+		select {
+		case <-stopCh:
+		case <-ctx.Done():
+		}
+
+		backOff.Reset()
+
+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client %v", err)
+			return err
+		}
+		err = signalClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Signal Service client %v", err)
+			return err
+		}
+
+		err = engine.Stop()
+		if err != nil {
+			log.Errorf("failed stopping engine %v", err)
+			return err
+		}
+
+		go func() {
+			cleanupCh <- struct{}{}
+		}()
+
+		log.Info("stopped Wiretrustee client")
+
+		return ctx.Err()
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+	return nil
+}
--- a/client/cmd/up_test.go
+++ b/client/cmd/up_test.go
@@ -0,0 +1,82 @@
+package cmd
+
+import (
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+	"net/url"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+var signalAddr string
+
+func TestUp_Start(t *testing.T) {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, signalLis := startSignal(t)
+	signalAddr = signalLis.Addr().String()
+	config.Signal.URI = signalAddr
+
+	_, mgmLis := startManagement(config, t)
+	mgmAddr = mgmLis.Addr().String()
+
+}
+
+func TestUp(t *testing.T) {
+
+	defer iface.Close()
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+	mgmtURL, err := url.Parse("http://" + mgmAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rootCmd.SetArgs([]string{
+		"up",
+		"--config",
+		confPath,
+		"--setup-key",
+		"A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+		"--management-url",
+		mgmtURL.String(),
+		"--log-file",
+		"console",
+	})
+	go func() {
+		err = rootCmd.Execute()
+		if err != nil {
+			t.Errorf("expected no error while running up command, got %v", err)
+		}
+	}()
+
+	exists := false
+	for start := time.Now(); time.Since(start) < 15*time.Second; {
+		e, err := iface.Exists(iface.WgInterfaceDefault)
+		if err != nil {
+			continue
+		}
+		if *e {
+			exists = true
+			break
+		}
+
+	}
+
+	if !exists {
+		t.Errorf("expected wireguard interface %s to be created", iface.WgInterfaceDefault)
+	}
+}
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -0,0 +1,14 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+var (
+	Version    string
+	versionCmd = &cobra.Command{
+		Use:   "version",
+		Short: "prints wiretrustee version",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Println(Version)
+		},
+	}
+)
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -0,0 +1,119 @@
+!define APP_NAME "Wiretrustee"
+!define COMP_NAME "Wiretrustee"
+!define WEB_SITE "wiretrustee.com"
+!define VERSION $%APPVER%
+!define COPYRIGHT "Wiretrustee Authors, 2021"
+!define DESCRIPTION "A WireGuard®-based mesh network that connects your devices into a single private network"
+!define INSTALLER_NAME "wiretrustee-installer.exe"
+!define MAIN_APP_EXE "Wiretrustee"
+!define ICON "ui\\wiretrustee.ico"
+!define BANNER "ui\\banner.bmp"
+!define LICENSE_DATA "..\\LICENSE"
+
+!define INSTALL_DIR "$PROGRAMFILES64\${APP_NAME}"
+!define INSTALL_TYPE "SetShellVarContext all"
+!define REG_ROOT "HKLM"
+!define REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${MAIN_APP_EXE}"
+!define UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}"
+Unicode True
+
+######################################################################
+
+VIProductVersion  "${VERSION}"
+VIAddVersionKey "ProductName"  "${APP_NAME}"
+VIAddVersionKey "CompanyName"  "${COMP_NAME}"
+VIAddVersionKey "LegalCopyright"  "${COPYRIGHT}"
+VIAddVersionKey "FileDescription"  "${DESCRIPTION}"
+VIAddVersionKey "FileVersion"  "${VERSION}"
+
+######################################################################
+
+SetCompressor /SOLID Lzma
+Name "${APP_NAME}"
+Caption "${APP_NAME}"
+OutFile "..\\${INSTALLER_NAME}"
+BrandingText "${APP_NAME}"
+InstallDirRegKey "${REG_ROOT}" "${REG_APP_PATH}" ""
+InstallDir "${INSTALL_DIR}"
+LicenseData "${LICENSE_DATA}"
+ShowInstDetails Show
+
+######################################################################
+
+!define MUI_ICON "${ICON}"
+!define MUI_UNICON "${ICON}"
+!define MUI_WELCOMEFINISHPAGE_BITMAP "${BANNER}"
+!define MUI_UNWELCOMEFINISHPAGE_BITMAP "${BANNER}"
+
+######################################################################
+
+!include "MUI2.nsh"
+
+!define MUI_ABORTWARNING
+!define MUI_UNABORTWARNING
+
+!insertmacro MUI_PAGE_WELCOME
+
+!insertmacro MUI_PAGE_LICENSE "${LICENSE_DATA}"
+
+!insertmacro MUI_PAGE_DIRECTORY
+
+!insertmacro MUI_PAGE_INSTFILES
+
+!insertmacro MUI_PAGE_FINISH
+
+!insertmacro MUI_UNPAGE_CONFIRM
+
+!insertmacro MUI_UNPAGE_INSTFILES
+
+!insertmacro MUI_UNPAGE_FINISH
+
+!insertmacro MUI_LANGUAGE "English"
+
+######################################################################
+
+Section -MainProgram
+	${INSTALL_TYPE}
+	SetOverwrite ifnewer
+	SetOutPath "$INSTDIR"
+	File /r "..\\dist\\wiretrustee_windows_amd64\\"
+
+SectionEnd
+
+######################################################################
+
+Section -Icons_Reg
+SetOutPath "$INSTDIR"
+WriteUninstaller "$INSTDIR\wiretrustee_uninstall.exe"
+
+WriteRegStr ${REG_ROOT} "${REG_APP_PATH}" "" "$INSTDIR\${MAIN_APP_EXE}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayName" "${APP_NAME}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "UninstallString" "$INSTDIR\wiretrustee_uninstall.exe"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayIcon" "$INSTDIR\${MAIN_APP_EXE}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayVersion" "${VERSION}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
+
+EnVar::SetHKLM
+EnVar::AddValueEx "path" "$INSTDIR"
+
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service install'
+# sleep a bit for visibility
+Sleep 1000
+SectionEnd
+
+######################################################################
+
+Section Uninstall
+${INSTALL_TYPE}
+
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service stop'
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
+# wait the service uninstall take unblock the executable
+Sleep 3000
+RmDir /r "$INSTDIR"
+
+DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
+DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
+EnVar::SetHKLM
+EnVar::DeleteValue "path" "$INSTDIR"
+SectionEnd
--- a/client/internal/cond.go
+++ b/client/internal/cond.go
@@ -1,4 +1,4 @@
-package connection
+package internal

 import "sync"

--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -0,0 +1,113 @@
+package internal
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net/url"
+	"os"
+)
+
+var managementURLDefault *url.URL
+
+func ManagementURLDefault() *url.URL {
+	return managementURLDefault
+}
+
+func init() {
+	managementURL, err := parseManagementURL("https://api.wiretrustee.com:33073")
+	if err != nil {
+		panic(err)
+	}
+	managementURLDefault = managementURL
+}
+
+// Config Configuration type
+type Config struct {
+	// Wireguard private key of local peer
+	PrivateKey     string
+	ManagementURL  *url.URL
+	WgIface        string
+	IFaceBlackList []string
+}
+
+//createNewConfig creates a new config generating a new Wireguard key and saving to file
+func createNewConfig(managementURL string, configPath string) (*Config, error) {
+	wgKey := generateKey()
+	config := &Config{PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
+	if managementURL != "" {
+		URL, err := parseManagementURL(managementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = URL
+	} else {
+		config.ManagementURL = managementURLDefault
+	}
+
+	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0"}
+
+	err := util.WriteJson(configPath, config)
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+func parseManagementURL(managementURL string) (*url.URL, error) {
+
+	parsedMgmtURL, err := url.ParseRequestURI(managementURL)
+	if err != nil {
+		log.Errorf("failed parsing management URL %s: [%s]", managementURL, err.Error())
+		return nil, err
+	}
+
+	if !(parsedMgmtURL.Scheme == "https" || parsedMgmtURL.Scheme == "http") {
+		return nil, fmt.Errorf("invalid Management Service URL provided %s. Supported format [http|https]://[host]:[port]", managementURL)
+	}
+
+	return parsedMgmtURL, err
+
+}
+
+// ReadConfig reads existing config. In case provided managementURL is not empty overrides the read property
+func ReadConfig(managementURL string, configPath string) (*Config, error) {
+	config := &Config{}
+	_, err := util.ReadJson(configPath, config)
+	if err != nil {
+		return nil, err
+	}
+
+	if managementURL != "" {
+		URL, err := parseManagementURL(managementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = URL
+	}
+
+	return config, err
+}
+
+// GetConfig reads existing config or generates a new one
+func GetConfig(managementURL string, configPath string) (*Config, error) {
+
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		log.Infof("generating new config %s", configPath)
+		return createNewConfig(managementURL, configPath)
+	} else {
+		return ReadConfig(managementURL, configPath)
+	}
+}
+
+// generateKey generates a new Wireguard private key
+func generateKey() string {
+	key, err := wgtypes.GenerateKey()
+	if err != nil {
+		panic(err)
+	}
+	return key.String()
+}
--- a/client/internal/connection.go
+++ b/client/internal/connection.go
@@ -1,24 +1,56 @@
-package connection
+package internal

 import (
 	"context"
 	"fmt"
-	"github.com/pion/ice/v2"
+	ice "github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
 	"sync"
 	"time"
 )

 var (
+	// DefaultWgKeepAlive default Wireguard keep alive constant
 	DefaultWgKeepAlive = 20 * time.Second
+	privateIPBlocks    []*net.IPNet
 )

+type Status string
+
+const (
+	StatusConnected    Status = "Connected"
+	StatusConnecting   Status = "Connecting"
+	StatusDisconnected Status = "Disconnected"
+)
+
+func init() {
+	for _, cidr := range []string{
+		"127.0.0.0/8",    // IPv4 loopback
+		"10.0.0.0/8",     // RFC1918
+		"172.16.0.0/12",  // RFC1918
+		"192.168.0.0/16", // RFC1918
+		"169.254.0.0/16", // RFC3927 link-local
+		"::1/128",        // IPv6 loopback
+		"fe80::/10",      // IPv6 link-local
+		"fc00::/7",       // IPv6 unique local addr
+	} {
+		_, block, err := net.ParseCIDR(cidr)
+		if err != nil {
+			panic(fmt.Errorf("parse error on %q: %v", cidr, err))
+		}
+		privateIPBlocks = append(privateIPBlocks, block)
+	}
+}
+
+// ConnConfig Connection configuration struct
 type ConnConfig struct {
 	// Local Wireguard listening address  e.g. 127.0.0.1:51820
 	WgListenAddr string
 	// A Local Wireguard Peer IP address in CIDR notation e.g. 10.30.30.1/24
-	WgPeerIp string
+	WgPeerIP string
 	// Local Wireguard Interface name (e.g. wg0)
 	WgIface string
 	// Wireguard allowed IPs (e.g. 10.30.30.2/32)
@@ -33,11 +65,13 @@ type ConnConfig struct {
 	iFaceBlackList map[string]struct{}
 }

+// IceCredentials ICE protocol credentials struct
 type IceCredentials struct {
 	uFrag string
 	pwd   string
 }

+// Connection Holds information about a connection and handles signal protocol
 type Connection struct {
 	Config ConnConfig
 	// signalCandidate is a handler function to signal remote peer about local connection candidate
@@ -61,8 +95,11 @@ type Connection struct {
 	closeCond *Cond

 	remoteAuthCond sync.Once
+
+	Status Status
 }

+// NewConnection Creates a new connection and sets handling functions for signal protocol
 func NewConnection(config ConnConfig,
 	signalCandidate func(candidate ice.Candidate) error,
 	signalOffer func(uFrag string, pwd string) error,
@@ -79,6 +116,7 @@ func NewConnection(config ConnConfig,
 		connected:         NewCond(),
 		agent:             nil,
 		wgProxy:           NewWgProxy(config.WgIface, config.RemoteWgKey.String(), config.WgAllowedIPs, config.WgListenAddr),
+		Status:            StatusDisconnected,
 	}
 }

@@ -88,8 +126,10 @@ func (conn *Connection) Open(timeout time.Duration) error {

 	// create an ice.Agent that will be responsible for negotiating and establishing actual peer-to-peer connection
 	a, err := ice.NewAgent(&ice.AgentConfig{
-		NetworkTypes: []ice.NetworkType{ice.NetworkTypeUDP4},
-		Urls:         conn.Config.StunTurnURLS,
+		// MulticastDNSMode: ice.MulticastDNSModeQueryAndGather,
+		NetworkTypes:   []ice.NetworkType{ice.NetworkTypeUDP4},
+		Urls:           conn.Config.StunTurnURLS,
+		CandidateTypes: []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
 		InterfaceFilter: func(s string) bool {
 			if conn.Config.iFaceBlackList == nil {
 				return true
@@ -98,12 +138,18 @@ func (conn *Connection) Open(timeout time.Duration) error {
 			return !ok
 		},
 	})
-	conn.agent = a
-
 	if err != nil {
 		return err
 	}

+	conn.agent = a
+	defer func() {
+		err := conn.agent.Close()
+		if err != nil {
+			return
+		}
+	}()
+
 	err = conn.listenOnLocalCandidates()
 	if err != nil {
 		return err
@@ -119,13 +165,14 @@ func (conn *Connection) Open(timeout time.Duration) error {
 		return err
 	}

-	log.Infof("trying to connect to peer %s", conn.Config.RemoteWgKey.String())
+	conn.Status = StatusConnecting
+	log.Debugf("trying to connect to peer %s", conn.Config.RemoteWgKey.String())

 	// wait until credentials have been sent from the remote peer (will arrive via a signal server)
 	select {
 	case remoteAuth := <-conn.remoteAuthChannel:

-		log.Infof("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())
+		log.Debugf("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())

 		err = conn.agent.GatherCandidates()
 		if err != nil {
@@ -133,38 +180,105 @@ func (conn *Connection) Open(timeout time.Duration) error {
 		}

 		isControlling := conn.Config.WgKey.PublicKey().String() > conn.Config.RemoteWgKey.String()
-		remoteConn, err := conn.openConnectionToRemote(isControlling, remoteAuth)
+		var remoteConn *ice.Conn
+		remoteConn, err = conn.openConnectionToRemote(isControlling, remoteAuth)
 		if err != nil {
 			log.Errorf("failed establishing connection with the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
 			return err
 		}

-		err = conn.wgProxy.Start(remoteConn)
+		var pair *ice.CandidatePair
+		pair, err = conn.agent.GetSelectedCandidatePair()
 		if err != nil {
 			return err
 		}

-		log.Infof("opened connection to peer %s", conn.Config.RemoteWgKey.String())
+		useProxy := useProxy(pair)
+
+		// in case the remote peer is in the local network or one of the peers has public static IP -> no need for a Wireguard proxy, direct communication is possible.
+		if !useProxy {
+			log.Debugf("it is possible to establish a direct connection (without proxy) to peer %s - my addr: %s, remote addr: %s", conn.Config.RemoteWgKey.String(), pair.Local, pair.Remote)
+			err = conn.wgProxy.StartLocal(fmt.Sprintf("%s:%d", pair.Remote.Address(), iface.WgPort))
+			if err != nil {
+				return err
+			}
+
+		} else {
+			log.Debugf("establishing secure tunnel to peer %s via selected candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
+			err = conn.wgProxy.Start(remoteConn)
+			if err != nil {
+				return err
+			}
+		}
+
+		relayed := pair.Remote.Type() == ice.CandidateTypeRelay || pair.Local.Type() == ice.CandidateTypeRelay
+
+		conn.Status = StatusConnected
+		log.Infof("opened connection to peer %s [localProxy=%v, relayed=%v]", conn.Config.RemoteWgKey.String(), useProxy, relayed)
+	case <-conn.closeCond.C:
+		conn.Status = StatusDisconnected
+		return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
 	case <-time.After(timeout):
-		err := conn.Close()
+		err = conn.Close()
 		if err != nil {
 			log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
 		}
+		conn.Status = StatusDisconnected
 		return fmt.Errorf("timeout of %vs exceeded while waiting for the remote peer %s", timeout.Seconds(), conn.Config.RemoteWgKey.String())
 	}

 	// wait until connection has been closed
-	select {
-	case <-conn.closeCond.C:
-		return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
-	}
+	<-conn.closeCond.C
+	conn.Status = StatusDisconnected
+	return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
 }

+func isPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return false
+	}
+
+	for _, block := range privateIPBlocks {
+		if block.Contains(ip) {
+			return false
+		}
+	}
+	return true
+}
+
+//useProxy determines whether a direct connection (without a go proxy) is possible
+//There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+//Please note, that this check happens when peers were already able to ping each other with ICE layer.
+func useProxy(pair *ice.CandidatePair) bool {
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	myIp := net.ParseIP(pair.Local.Address())
+	remoteIsPublic := isPublicIP(remoteIP)
+	myIsPublic := isPublicIP(myIp)
+
+	//one of the hosts has a public IP
+	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
+		return false
+	}
+	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+		return false
+	}
+
+	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
+		if !remoteIsPublic && !myIsPublic {
+			//both hosts are in the same private network
+			return false
+		}
+	}
+
+	return true
+}
+
+// Close Closes a peer connection
 func (conn *Connection) Close() error {
 	var err error
 	conn.closeCond.Do(func() {

-		log.Warnf("closing connection to peer %s", conn.Config.RemoteWgKey.String())
+		log.Debugf("closing connection to peer %s", conn.Config.RemoteWgKey.String())

 		if a := conn.agent; a != nil {
 			e := a.Close()
@@ -185,6 +299,7 @@ func (conn *Connection) Close() error {
 	return err
 }

+// OnAnswer Handles the answer from the other peer
 func (conn *Connection) OnAnswer(remoteAuth IceCredentials) error {

 	conn.remoteAuthCond.Do(func() {
@@ -194,23 +309,25 @@ func (conn *Connection) OnAnswer(remoteAuth IceCredentials) error {
 	return nil
 }

+// OnOffer Handles the offer from the other peer
 func (conn *Connection) OnOffer(remoteAuth IceCredentials) error {

 	conn.remoteAuthCond.Do(func() {
 		log.Debugf("OnOffer from peer %s", conn.Config.RemoteWgKey.String())
 		conn.remoteAuthChannel <- remoteAuth
 		uFrag, pwd, err := conn.agent.GetLocalUserCredentials()
-		if err != nil {
+		if err != nil { //nolint
 		}

 		err = conn.signalAnswer(uFrag, pwd)
-		if err != nil {
+		if err != nil { //nolint
 		}
 	})

 	return nil
 }

+// OnRemoteCandidate Handles remote candidate provided by the peer.
 func (conn *Connection) OnRemoteCandidate(candidate ice.Candidate) error {

 	log.Debugf("onRemoteCandidate from peer %s -> %s", conn.Config.RemoteWgKey.String(), candidate.String())
@@ -289,9 +406,8 @@ func (conn *Connection) listenOnConnectionStateChanges() error {
 				log.Errorf("failed selecting active ICE candidate pair %s", err)
 				return
 			}
-			log.Infof("will connect to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
+			log.Debugf("ICE connected to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
 		} else if state == ice.ConnectionStateDisconnected || state == ice.ConnectionStateFailed {
-			// todo do we really wanna have a connection restart within connection itself? Think of moving it outside
 			err := conn.Close()
 			if err != nil {
 				log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -0,0 +1,496 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"github.com/cenkalti/backoff/v4"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"strings"
+	"sync"
+	"time"
+)
+
+// PeerConnectionTimeout is a timeout of an initial connection attempt to a remote peer.
+// E.g. this peer will wait PeerConnectionTimeout for the remote peer to respond, if not successful then it will retry the connection attempt.
+const PeerConnectionTimeout = 40 * time.Second
+
+// EngineConfig is a config for the Engine
+type EngineConfig struct {
+	WgIface string
+	// WgAddr is a Wireguard local address (Wiretrustee Network IP)
+	WgAddr string
+	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
+	WgPrivateKey wgtypes.Key
+	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
+	IFaceBlackList map[string]struct{}
+}
+
+// Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
+type Engine struct {
+	// signal is a Signal Service client
+	signal signal.Client
+	// mgmClient is a Management Service client
+	mgmClient *mgm.Client
+	// conns is a collection of remote peer connections indexed by local public key of the remote peers
+	conns map[string]*Connection
+
+	// peerMux is used to sync peer operations (e.g. open connection, peer removal)
+	peerMux *sync.Mutex
+	// syncMsgMux is used to guarantee sequential Management Service message processing
+	syncMsgMux *sync.Mutex
+
+	config *EngineConfig
+
+	// wgPort is a Wireguard local listen port
+	wgPort int
+
+	// STUNs is a list of STUN servers used by ICE
+	STUNs []*ice.URL
+	// TURNs is a list of STUN servers used by ICE
+	TURNs []*ice.URL
+
+	cancel context.CancelFunc
+
+	ctx context.Context
+}
+
+// Peer is an instance of the Connection Peer
+type Peer struct {
+	WgPubKey     string
+	WgAllowedIps string
+}
+
+// NewEngine creates a new Connection Engine
+func NewEngine(signalClient signal.Client, mgmClient *mgm.Client, config *EngineConfig, cancel context.CancelFunc, ctx context.Context) *Engine {
+	return &Engine{
+		signal:     signalClient,
+		mgmClient:  mgmClient,
+		conns:      map[string]*Connection{},
+		peerMux:    &sync.Mutex{},
+		syncMsgMux: &sync.Mutex{},
+		config:     config,
+		STUNs:      []*ice.URL{},
+		TURNs:      []*ice.URL{},
+		cancel:     cancel,
+		ctx:        ctx,
+	}
+}
+
+func (e *Engine) Stop() error {
+	err := e.removeAllPeerConnections()
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("removing Wiretrustee interface %s", e.config.WgIface)
+	err = iface.Close()
+	if err != nil {
+		log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIface, err)
+		return err
+	}
+
+	log.Infof("stopped Wiretrustee Engine")
+
+	return nil
+}
+
+// Start creates a new Wireguard tunnel interface and listens to events from Signal and Management services
+// Connections to remote peers are not established here.
+// However, they will be established once an event with a list of peers to connect to will be received from Management Service
+func (e *Engine) Start() error {
+
+	wgIface := e.config.WgIface
+	wgAddr := e.config.WgAddr
+	myPrivateKey := e.config.WgPrivateKey
+
+	err := iface.Create(wgIface, wgAddr)
+	if err != nil {
+		log.Errorf("failed creating interface %s: [%s]", wgIface, err.Error())
+		return err
+	}
+
+	err = iface.Configure(wgIface, myPrivateKey.String())
+	if err != nil {
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIface, err.Error())
+		return err
+	}
+
+	port, err := iface.GetListenPort(wgIface)
+	if err != nil {
+		log.Errorf("failed getting Wireguard listen port [%s]: %s", wgIface, err.Error())
+		return err
+	}
+	e.wgPort = *port
+
+	e.receiveSignalEvents()
+	e.receiveManagementEvents()
+
+	return nil
+}
+
+// initializePeer peer agent attempt to open connection
+func (e *Engine) initializePeer(peer Peer) {
+	var backOff = backoff.WithContext(&backoff.ExponentialBackOff{
+		InitialInterval:     backoff.DefaultInitialInterval,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         5 * time.Second,
+		MaxElapsedTime:      0, //never stop
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}, e.ctx)
+
+	operation := func() error {
+
+		if e.signal.GetStatus() != signal.StreamConnected {
+			return fmt.Errorf("not opening connection to peer because Signal is unavailable")
+		}
+
+		_, err := e.openPeerConnection(e.wgPort, e.config.WgPrivateKey, peer)
+		e.peerMux.Lock()
+		defer e.peerMux.Unlock()
+		if _, ok := e.conns[peer.WgPubKey]; !ok {
+			log.Debugf("removed connection attempt to peer: %v, not retrying", peer.WgPubKey)
+			return nil
+		}
+
+		if err != nil {
+			log.Debugf("retrying connection because of error: %s", err.Error())
+			return err
+		}
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		// should actually never happen
+		panic(err)
+	}
+}
+
+func (e *Engine) removePeerConnections(peers []string) error {
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+	for _, peer := range peers {
+		err := e.removePeerConnection(peer)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (e *Engine) removeAllPeerConnections() error {
+	log.Debugf("removing all peer connections")
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+	for peer := range e.conns {
+		err := e.removePeerConnection(peer)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// removePeerConnection closes existing peer connection and removes peer
+func (e *Engine) removePeerConnection(peerKey string) error {
+	conn, exists := e.conns[peerKey]
+	if exists && conn != nil {
+		delete(e.conns, peerKey)
+		return conn.Close()
+	}
+	log.Infof("removed connection to peer %s", peerKey)
+	return nil
+}
+
+// GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
+func (e *Engine) GetPeerConnectionStatus(peerKey string) *Status {
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+
+	conn, exists := e.conns[peerKey]
+	if exists && conn != nil {
+		return &conn.Status
+	}
+
+	return nil
+}
+
+// openPeerConnection opens a new remote peer connection
+func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
+	e.peerMux.Lock()
+
+	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
+	connConfig := &ConnConfig{
+		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
+		WgPeerIP:       e.config.WgAddr,
+		WgIface:        e.config.WgIface,
+		WgAllowedIPs:   peer.WgAllowedIps,
+		WgKey:          myKey,
+		RemoteWgKey:    remoteKey,
+		StunTurnURLS:   append(e.STUNs, e.TURNs...),
+		iFaceBlackList: e.config.IFaceBlackList,
+	}
+
+	signalOffer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
+	}
+
+	signalAnswer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
+	}
+	signalCandidate := func(candidate ice.Candidate) error {
+		return signalCandidate(candidate, myKey, remoteKey, e.signal)
+	}
+	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
+	e.conns[remoteKey.String()] = conn
+	e.peerMux.Unlock()
+
+	// blocks until the connection is open (or timeout)
+	err := conn.Open(PeerConnectionTimeout)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
+	err := s.Send(&sProto.Message{
+		Key:       myKey.PublicKey().String(),
+		RemoteKey: remoteKey.String(),
+		Body: &sProto.Body{
+			Type:    sProto.Body_CANDIDATE,
+			Payload: candidate.Marshal(),
+		},
+	})
+	if err != nil {
+		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
+		//todo ??
+		return err
+	}
+
+	return nil
+}
+
+func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
+
+	var t sProto.Body_Type
+	if isAnswer {
+		t = sProto.Body_ANSWER
+	} else {
+		t = sProto.Body_OFFER
+	}
+
+	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
+		UFrag: uFrag,
+		Pwd:   pwd}, t)
+	if err != nil {
+		return err
+	}
+	err = s.Send(msg)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
+// E.g. when a new peer has been registered and we are allowed to connect to it.
+func (e *Engine) receiveManagementEvents() {
+	go func() {
+		err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
+			e.syncMsgMux.Lock()
+			defer e.syncMsgMux.Unlock()
+
+			if update.GetWiretrusteeConfig() != nil {
+				err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
+				if err != nil {
+					return err
+				}
+
+				err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
+				if err != nil {
+					return err
+				}
+
+				//todo update signal
+			}
+
+			if update.GetRemotePeers() != nil || update.GetRemotePeersIsEmpty() {
+				// empty arrays are serialized by protobuf to null, but for our case empty array is a valid state.
+				err := e.updatePeers(update.GetRemotePeers())
+				if err != nil {
+					return err
+				}
+			}
+
+			return nil
+		})
+		if err != nil {
+			// happens if management is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			e.cancel()
+			return
+		}
+		log.Debugf("stopped receiving updates from Management Service")
+	}()
+	log.Debugf("connecting to Management Service updates stream")
+}
+
+func (e *Engine) updateSTUNs(stuns []*mgmProto.HostConfig) error {
+	if len(stuns) == 0 {
+		return nil
+	}
+	var newSTUNs []*ice.URL
+	log.Debugf("got STUNs update from Management Service, updating")
+	for _, stun := range stuns {
+		url, err := ice.ParseURL(stun.Uri)
+		if err != nil {
+			return err
+		}
+		newSTUNs = append(newSTUNs, url)
+	}
+	e.STUNs = newSTUNs
+
+	return nil
+}
+
+func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
+	if len(turns) == 0 {
+		return nil
+	}
+	var newTURNs []*ice.URL
+	log.Debugf("got TURNs update from Management Service, updating")
+	for _, turn := range turns {
+		url, err := ice.ParseURL(turn.HostConfig.Uri)
+		if err != nil {
+			return err
+		}
+		url.Username = turn.User
+		url.Password = turn.Password
+		newTURNs = append(newTURNs, url)
+	}
+	e.TURNs = newTURNs
+
+	return nil
+}
+
+func (e *Engine) updatePeers(remotePeers []*mgmProto.RemotePeerConfig) error {
+	log.Debugf("got peers update from Management Service, updating")
+	remotePeerMap := make(map[string]struct{})
+	for _, peer := range remotePeers {
+		remotePeerMap[peer.GetWgPubKey()] = struct{}{}
+	}
+
+	//remove peers that are no longer available for us
+	toRemove := []string{}
+	for p := range e.conns {
+		if _, ok := remotePeerMap[p]; !ok {
+			toRemove = append(toRemove, p)
+		}
+	}
+	err := e.removePeerConnections(toRemove)
+	if err != nil {
+		return err
+	}
+
+	// add new peers
+	for _, peer := range remotePeers {
+		peerKey := peer.GetWgPubKey()
+		peerIPs := peer.GetAllowedIps()
+		if _, ok := e.conns[peerKey]; !ok {
+			go e.initializePeer(Peer{
+				WgPubKey:     peerKey,
+				WgAllowedIps: strings.Join(peerIPs, ","),
+			})
+		}
+
+	}
+	return nil
+}
+
+// receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
+func (e *Engine) receiveSignalEvents() {
+
+	go func() {
+		// connect to a stream of messages coming from the signal server
+		err := e.signal.Receive(func(msg *sProto.Message) error {
+
+			e.syncMsgMux.Lock()
+			defer e.syncMsgMux.Unlock()
+
+			conn := e.conns[msg.Key]
+			if conn == nil {
+				return fmt.Errorf("wrongly addressed message %s", msg.Key)
+			}
+
+			if conn.Config.RemoteWgKey.String() != msg.Key {
+				return fmt.Errorf("unknown peer %s", msg.Key)
+			}
+
+			switch msg.GetBody().Type {
+			case sProto.Body_OFFER:
+				remoteCred, err := signal.UnMarshalCredential(msg)
+				if err != nil {
+					return err
+				}
+				err = conn.OnOffer(IceCredentials{
+					uFrag: remoteCred.UFrag,
+					pwd:   remoteCred.Pwd,
+				})
+
+				if err != nil {
+					return err
+				}
+
+				return nil
+			case sProto.Body_ANSWER:
+				remoteCred, err := signal.UnMarshalCredential(msg)
+				if err != nil {
+					return err
+				}
+				err = conn.OnAnswer(IceCredentials{
+					uFrag: remoteCred.UFrag,
+					pwd:   remoteCred.Pwd,
+				})
+
+				if err != nil {
+					return err
+				}
+
+			case sProto.Body_CANDIDATE:
+
+				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
+				if err != nil {
+					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
+					return err
+				}
+
+				err = conn.OnRemoteCandidate(candidate)
+				if err != nil {
+					log.Errorf("error handling CANDIATE from %s", msg.Key)
+					return err
+				}
+			}
+
+			return nil
+		})
+		if err != nil {
+			// happens if signal is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			e.cancel()
+			return
+		}
+	}()
+
+	e.signal.WaitStreamConnected()
+}
--- a/client/internal/wgproxy.go
+++ b/client/internal/wgproxy.go
@@ -1,12 +1,13 @@
-package connection
+package internal

 import (
-	"github.com/pion/ice/v2"
+	ice "github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
 	"github.com/wiretrustee/wiretrustee/iface"
 	"net"
 )

+// WgProxy an instance of an instance of the Connection Wireguard Proxy
 type WgProxy struct {
 	iface      string
 	remoteKey  string
@@ -16,6 +17,7 @@ type WgProxy struct {
 	wgConn     net.Conn
 }

+// NewWgProxy creates a new Connection Wireguard Proxy
 func NewWgProxy(iface string, remoteKey string, allowedIps string, wgAddr string) *WgProxy {
 	return &WgProxy{
 		iface:      iface,
@@ -26,6 +28,7 @@ func NewWgProxy(iface string, remoteKey string, allowedIps string, wgAddr string
 	}
 }

+// Close closes the proxy
 func (p *WgProxy) Close() error {

 	close(p.close)
@@ -35,10 +38,25 @@ func (p *WgProxy) Close() error {
 			return err
 		}
 	}
+	err := iface.RemovePeer(p.iface, p.remoteKey)
+	if err != nil {
+		return err
+	}

 	return nil
 }

+// StartLocal configure the interface with a peer using a direct IP:Port endpoint to the remote host
+func (p *WgProxy) StartLocal(host string) error {
+	err := iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive, host)
+	if err != nil {
+		log.Errorf("error while configuring Wireguard peer [%s] %s", p.remoteKey, err.Error())
+		return err
+	}
+	return nil
+}
+
+// Start starts a new proxy using the ICE connection
 func (p *WgProxy) Start(remoteConn *ice.Conn) error {

 	wgConn, err := net.Dial("udp", p.wgAddr)
@@ -69,7 +87,7 @@ func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) {
 	for {
 		select {
 		case <-p.close:
-			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
 			return
 		default:
 			n, err := p.wgConn.Read(buf)
@@ -78,9 +96,10 @@ func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) {
 				continue
 			}

-			n, err = remoteConn.Write(buf[:n])
+			_, err = remoteConn.Write(buf[:n])
 			if err != nil {
 				//log.Warnln("failed writing to remote peer: ", err.Error())
+				continue
 			}
 		}
 	}
@@ -94,17 +113,19 @@ func (p *WgProxy) proxyToLocalWireguard(remoteConn *ice.Conn) {
 	for {
 		select {
 		case <-p.close:
-			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
 			return
 		default:
 			n, err := remoteConn.Read(buf)
 			if err != nil {
 				//log.Errorf("failed reading from remote connection %s", err)
+				continue
 			}

-			n, err = p.wgConn.Write(buf[:n])
+			_, err = p.wgConn.Write(buf[:n])
 			if err != nil {
 				//log.Errorf("failed writing to local Wireguard instance %s", err)
+				continue
 			}
 		}
 	}
--- a/client/main.go
+++ b/client/main.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"github.com/wiretrustee/wiretrustee/client/cmd"
+	"os"
+)
+
+var version = "development"
+
+func main() {
+
+	cmd.Version = version
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
--- a/client/manifest.xml
+++ b/client/manifest.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
+    <assemblyIdentity
+            version="0.0.0.1"
+            processorArchitecture="*"
+            name="wiretrustee.exe"
+            type="win32"
+    />
+    <description>Wiretrustee application</description>
+    <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
+        <security>
+            <requestedPrivileges>
+                <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
+            </requestedPrivileges>
+        </security>
+    </trustInfo>
+</assembly>
--- a/client/resources.rc
+++ b/client/resources.rc
@@ -0,0 +1,9 @@
+#include <windows.h>
+
+#pragma code_page(65001) // UTF-8
+
+#define STRINGIZE(x) #x
+#define EXPAND(x) STRINGIZE(x)
+CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
+wintun.dll RCDATA wintun.dll
+
--- a/client/resources_windows_amd64.syso
+++ b/client/resources_windows_amd64.syso
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -0,0 +1,14 @@
+package system
+
+//Info is an object that contains machine information
+// Most of the code is taken from https://github.com/matishsiao/goInfo
+type Info struct {
+	GoOS      string
+	Kernel    string
+	Core      string
+	Platform  string
+	OS        string
+	OSVersion string
+	Hostname  string
+	CPUs      int
+}
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -0,0 +1,39 @@
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+func GetInfo() *Info {
+	out := _getInfo()
+	for strings.Contains(out, "broken pipe") {
+		out = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+	osStr := strings.Replace(out, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srm")
+	cmd.Stdin = strings.NewReader("some input")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
--- a/client/system/info_freebsd.go
+++ b/client/system/info_freebsd.go
@@ -0,0 +1,39 @@
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+func GetInfo() *Info {
+	out := _getInfo()
+	for strings.Contains(out, "broken pipe") {
+		out = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+	osStr := strings.Replace(out, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-sri")
+	cmd.Stdin = strings.NewReader("some input")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
--- a/client/system/info_linux.go
+++ b/client/system/info_linux.go
@@ -0,0 +1,76 @@
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+func GetInfo() *Info {
+	info := _getInfo()
+	for strings.Contains(info, "broken pipe") {
+		info = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	releaseInfo := _getReleaseInfo()
+	for strings.Contains(info, "broken pipe") {
+		releaseInfo = _getReleaseInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	osRelease := strings.Split(releaseInfo, "\n")
+	var osName string
+	var osVer string
+	for _, s := range osRelease {
+		if strings.HasPrefix(s, "NAME=") {
+			osName = strings.Split(s, "=")[1]
+			osName = strings.ReplaceAll(osName, "\"", "")
+		} else if strings.HasPrefix(s, "VERSION_ID=") {
+			osVer = strings.Split(s, "=")[1]
+			osVer = strings.ReplaceAll(osVer, "\"", "")
+		}
+	}
+
+	osStr := strings.Replace(info, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	if osName == "" {
+		osName = osInfo[3]
+	}
+	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srio")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
+
+func _getReleaseInfo() string {
+	cmd := exec.Command("cat", "/etc/os-release")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getReleaseInfo:", err)
+	}
+	return out.String()
+}
--- a/client/system/info_windows.go
+++ b/client/system/info_windows.go
@@ -0,0 +1,35 @@
+package system
+
+import (
+	"bytes"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+)
+
+func GetInfo() *Info {
+	cmd := exec.Command("cmd", "ver")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		panic(err)
+	}
+	osStr := strings.Replace(out.String(), "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	tmp1 := strings.Index(osStr, "[Version")
+	tmp2 := strings.Index(osStr, "]")
+	var ver string
+	if tmp1 == -1 || tmp2 == -1 {
+		ver = "unknown"
+	} else {
+		ver = osStr[tmp1+9 : tmp2]
+	}
+	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
--- a/client/testdata/management.json
+++ b/client/testdata/management.json
@@ -0,0 +1,37 @@
+{
+    "Stuns": [
+        {
+            "Proto": "udp",
+            "URI": "stun:stun.wiretrustee.com:3468",
+            "Username": "",
+            "Password": null
+        }
+    ],
+    "TURNConfig": {
+        "Turns": [
+            {
+                "Proto": "udp",
+                "URI": "turn:stun.wiretrustee.com:3468",
+                "Username": "some_user",
+                "Password": "c29tZV9wYXNzd29yZA=="
+            }
+        ],
+        "CredentialsTTL": "1h",
+        "Secret": "c29tZV9wYXNzd29yZA==",
+        "TimeBasedCredentials": true
+    },
+    "Signal": {
+        "Proto": "http",
+        "URI": "signal.wiretrustee.com:10000",
+        "Username": "",
+        "Password": null
+    },
+    "DataDir": "",
+    "HttpConfig": {
+        "LetsEncryptDomain": "<PASTE YOUR LET'S ENCRYPT DOMAIN HERE>",
+        "Address": "0.0.0.0:33071",
+        "AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,",
+        "AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
+        "AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>"
+    }
+}
--- a/client/testdata/store.json
+++ b/client/testdata/store.json
@@ -0,0 +1,27 @@
+{
+    "Accounts": {
+        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
+            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
+            "SetupKeys": {
+                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
+                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+                    "Name": "Default key",
+                    "Type": "reusable",
+                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
+                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
+                    "Revoked": false,
+                    "UsedTimes": 0
+                }
+            },
+            "Network": {
+                "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
+                "Net": {
+                    "IP": "100.64.0.0",
+                    "Mask": "/8AAAA=="
+                },
+                "Dns": null
+            },
+            "Peers": {}
+        }
+    }
+}
--- a/client/ui/banner.bmp
+++ b/client/ui/banner.bmp
--- a/client/ui/wiretrustee.ico
+++ b/client/ui/wiretrustee.ico
--- a/cmd/addpeer.go
+++ b/cmd/addpeer.go
@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/connection"
-	"os"
-)
-
-var (
-	key        string
-	allowedIPs string
-
-	addPeerCmd = &cobra.Command{
-		Use:   "add-peer",
-		Short: "add remote peer",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			if _, err := os.Stat(configPath); os.IsNotExist(err) {
-				log.Error("config doesn't exist, please run 'wiretrustee init' first")
-				os.Exit(ExitSetupFailed)
-			}
-
-			config, _ := Read(configPath)
-			config.Peers = append(config.Peers, connection.Peer{
-				WgPubKey:     key,
-				WgAllowedIps: allowedIPs,
-			})
-
-			err := config.Write(configPath)
-			if err != nil {
-				log.Errorf("failed writing config to %s: %s", config, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-		},
-	}
-)
-
-func init() {
-	addPeerCmd.PersistentFlags().StringVar(&key, "key", "", "Wireguard public key of the remote peer")
-	addPeerCmd.PersistentFlags().StringVar(&allowedIPs, "allowedIPs", "", "Wireguard Allowed IPs for the remote peer, e.g 10.30.30.2/32")
-	addPeerCmd.MarkPersistentFlagRequired("key")
-	addPeerCmd.MarkPersistentFlagRequired("allowedIPs")
-}
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -1,58 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	"github.com/pion/ice/v2"
-	"github.com/wiretrustee/wiretrustee/connection"
-	"io/ioutil"
-	"os"
-)
-
-type Config struct {
-	// Wireguard private key of local peer
-	PrivateKey   string
-	Peers        []connection.Peer
-	StunTurnURLs []*ice.URL
-	// host:port of the signal server
-	SignalAddr     string
-	WgAddr         string
-	WgIface        string
-	IFaceBlackList []string
-}
-
-//Write writes configPath to a file
-func (cfg *Config) Write(path string) error {
-	bs, err := json.Marshal(cfg)
-	if err != nil {
-		return err
-	}
-
-	err = ioutil.WriteFile(path, bs, 0600)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-//Read reads configPath from a file
-func Read(path string) (*Config, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	bs, err := ioutil.ReadAll(f)
-	if err != nil {
-		return nil, err
-	}
-
-	var cfg Config
-	err = json.Unmarshal(bs, &cfg)
-	if err != nil {
-		return nil, err
-	}
-
-	return &cfg, nil
-}
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -1,125 +0,0 @@
-package cmd
-
-import (
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"os"
-	"strings"
-)
-
-var (
-	wgKey       string
-	wgInterface string
-	wgLocalAddr string
-	signalAddr  string
-	stunURLs    string
-	turnURLs    string
-
-	initCmd = &cobra.Command{
-		Use:   "init",
-		Short: "init wiretrustee",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			if _, err := os.Stat(configPath); !os.IsNotExist(err) {
-				log.Warnf("config already exists under path %s", configPath)
-				os.Exit(ExitSetupFailed)
-			}
-
-			if wgKey == "" {
-				wgKey = generateKey()
-				log.Warnf("there was no Wireguard private key specified, a new Wireguard key has been generated")
-			}
-
-			parsedKey, err := wgtypes.ParseKey(wgKey)
-			if err != nil {
-				log.Errorf("invalid Wireguard private key %s", wgKey)
-				os.Exit(ExitSetupFailed)
-			}
-
-			log.Infof("my public Wireguard key is %s", parsedKey.PublicKey().String())
-
-			var stunTurnURLs []*ice.URL
-			stuns := strings.Split(stunURLs, ",")
-			for _, url := range stuns {
-
-				parsedURL, err := ice.ParseURL(url)
-				if err != nil {
-					log.Errorf("failed parsing STUN URL %s: %s", url, err.Error())
-					os.Exit(ExitSetupFailed)
-				}
-				stunTurnURLs = append(stunTurnURLs, parsedURL)
-			}
-
-			turns := strings.Split(turnURLs, ",")
-			for _, url := range turns {
-
-				var urlToParse string
-				var user string
-				var pwd string
-				//extract user:password from user:password@proto:host:port
-				urlSplit := strings.Split(url, "@")
-				if len(urlSplit) == 2 {
-					urlToParse = urlSplit[1]
-					credential := strings.Split(urlSplit[0], ":")
-					user = credential[0]
-					pwd = credential[1]
-				} else {
-					urlToParse = url
-				}
-
-				parsedURL, err := ice.ParseURL(urlToParse)
-				if err != nil {
-					log.Errorf("failed parsing TURN URL %s: %s", url, err.Error())
-					os.Exit(ExitSetupFailed)
-				}
-				parsedURL.Username = user
-				parsedURL.Password = pwd
-				stunTurnURLs = append(stunTurnURLs, parsedURL)
-			}
-
-			config := &Config{
-				PrivateKey:   wgKey,
-				Peers:        nil,
-				StunTurnURLs: stunTurnURLs,
-				SignalAddr:   signalAddr,
-				WgAddr:       wgLocalAddr,
-				WgIface:      wgInterface,
-			}
-
-			err = config.Write(configPath)
-			if err != nil {
-				log.Errorf("failed writing config to %s: %s", config, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-
-			log.Infof("a new config has been generated and written to %s", configPath)
-		},
-	}
-)
-
-func init() {
-	initCmd.PersistentFlags().StringVar(&wgKey, "wgKey", "", "Wireguard private key, if not specified a new one will be generated")
-	initCmd.PersistentFlags().StringVar(&wgInterface, "wgInterface", "wiretrustee0", "Wireguard interface name, e.g. wiretreustee0 or wg0")
-	initCmd.PersistentFlags().StringVar(&wgLocalAddr, "wgLocalAddr", "", "Wireguard local address, e.g. 10.30.30.1/24")
-	initCmd.PersistentFlags().StringVar(&signalAddr, "signalAddr", "", "Signal server address, e.g. signal.wiretrustee.com:10000")
-	initCmd.PersistentFlags().StringVar(&stunURLs, "stunURLs", "", "Comma separated STUN server URLs: protocol:host:port, e.g. stun:stun.l.google.com:19302,stun:stun1.l.google.com:19302")
-	//todo user:password@protocol:host:port not the best way to pass TURN credentials, do it according to https://tools.ietf.org/html/rfc7065 E.g. use oauth
-	initCmd.PersistentFlags().StringVar(&turnURLs, "turnURLs", "", "Comma separated TURN server URLs: user:password@protocol:host:port, e.g. user:password@turn:stun.wiretrustee.com:3468")
-	//initCmd.MarkPersistentFlagRequired("configPath")
-	initCmd.MarkPersistentFlagRequired("wgLocalAddr")
-	initCmd.MarkPersistentFlagRequired("signalAddr")
-	initCmd.MarkPersistentFlagRequired("stunURLs")
-	initCmd.MarkPersistentFlagRequired("turnURLs")
-}
-
-// generateKey generates a new Wireguard private key
-func generateKey() string {
-	key, err := wgtypes.GenerateKey()
-	if err != nil {
-		panic(err)
-	}
-	return key.String()
-}
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,56 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"os"
-	"os/signal"
-	"syscall"
-)
-
-const (
-	ExitSetupFailed = 1
-)
-
-var (
-	configPath string
-	logLevel   string
-
-	rootCmd = &cobra.Command{
-		Use:   "wiretrustee",
-		Short: "",
-		Long:  "",
-	}
-)
-
-// Execute executes the root command.
-func Execute() error {
-	return rootCmd.Execute()
-}
-
-func init() {
-	rootCmd.PersistentFlags().StringVar(&configPath, "config", "/etc/wiretrustee/config.json", "Wiretrustee config file location to write new config to")
-	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "")
-	rootCmd.AddCommand(initCmd)
-	rootCmd.AddCommand(addPeerCmd)
-	rootCmd.AddCommand(upCmd)
-	rootCmd.AddCommand(signalCmd)
-}
-
-func SetupCloseHandler() {
-	c := make(chan os.Signal)
-	signal.Notify(c, os.Interrupt, syscall.SIGTERM)
-	<-c
-	fmt.Println("\r- Ctrl+C pressed in Terminal")
-	os.Exit(0)
-}
-
-func InitLog(logLevel string) {
-	level, err := log.ParseLevel(logLevel)
-	if err != nil {
-		log.Errorf("efailed parsing log-level %s: %s", logLevel, err)
-		os.Exit(ExitSetupFailed)
-	}
-	log.SetLevel(level)
-}
--- a/cmd/signal.go
+++ b/cmd/signal.go
@@ -1,46 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	sig "github.com/wiretrustee/wiretrustee/signal"
-	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"google.golang.org/grpc"
-	"net"
-)
-
-var (
-	port int
-
-	signalCmd = &cobra.Command{
-		Use:   "signal",
-		Short: "start Wiretrustee Signal Server",
-		Run: func(cmd *cobra.Command, args []string) {
-			flag.Parse()
-
-			lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
-			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
-			}
-
-			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
-			}
-			var opts []grpc.ServerOption
-			grpcServer := grpc.NewServer(opts...)
-			sProto.RegisterSignalExchangeServer(grpcServer, sig.NewServer())
-			log.Printf("started server: localhost:%v", port)
-			if err := grpcServer.Serve(lis); err != nil {
-				log.Fatalf("failed to serve: %v", err)
-			}
-
-			SetupCloseHandler()
-		},
-	}
-)
-
-func init() {
-	signalCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
-}
--- a/cmd/up.go
+++ b/cmd/up.go
@@ -1,57 +0,0 @@
-package cmd
-
-import (
-	"context"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/connection"
-	sig "github.com/wiretrustee/wiretrustee/signal"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"os"
-)
-
-func toByte32(key wgtypes.Key) *[32]byte {
-	return (*[32]byte)(&key)
-}
-
-var (
-	upCmd = &cobra.Command{
-		Use:   "up",
-		Short: "start wiretrustee",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			config, _ := Read(configPath)
-
-			myKey, err := wgtypes.ParseKey(config.PrivateKey)
-			if err != nil {
-				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-
-			ctx := context.Background()
-			signalClient, err := sig.NewClient(config.SignalAddr, myKey, ctx)
-			if err != nil {
-				log.Errorf("error while connecting to the Signal Exchange Service %s: %s", config.SignalAddr, err)
-				os.Exit(ExitSetupFailed)
-			}
-			//todo proper close handling
-			defer func() { signalClient.Close() }()
-
-			iFaceBlackList := make(map[string]struct{})
-			for i := 0; i < len(config.IFaceBlackList); i += 2 {
-				iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
-			}
-			engine := connection.NewEngine(signalClient, config.StunTurnURLs, config.WgIface, config.WgAddr, iFaceBlackList)
-
-			err = engine.Start(myKey, config.Peers)
-
-			//signalClient.WaitConnected()
-
-			SetupCloseHandler()
-		},
-	}
-)
-
-func init() {
-}
--- a/connection/engine.go
+++ b/connection/engine.go
@@ -1,240 +0,0 @@
-package connection
-
-import (
-	"fmt"
-	"github.com/cenkalti/backoff/v4"
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"github.com/wiretrustee/wiretrustee/signal"
-	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"time"
-)
-
-type Engine struct {
-	// a list of STUN and TURN servers
-	stunsTurns []*ice.URL
-	// signal server client
-	signal *signal.Client
-	// peer agents indexed by local public key of the remote peers
-	conns map[string]*Connection
-	// Wireguard interface
-	wgIface string
-	// Wireguard local address
-	wgIp string
-
-	iFaceBlackList map[string]struct{}
-}
-
-type Peer struct {
-	WgPubKey     string
-	WgAllowedIps string
-}
-
-func NewEngine(signal *signal.Client, stunsTurns []*ice.URL, wgIface string, wgAddr string,
-	iFaceBlackList map[string]struct{}) *Engine {
-	return &Engine{
-		stunsTurns:     stunsTurns,
-		signal:         signal,
-		wgIface:        wgIface,
-		wgIp:           wgAddr,
-		conns:          map[string]*Connection{},
-		iFaceBlackList: iFaceBlackList,
-	}
-}
-
-func (e *Engine) Start(myKey wgtypes.Key, peers []Peer) error {
-
-	err := iface.Create(e.wgIface, e.wgIp)
-	if err != nil {
-		log.Errorf("error while creating interface %s: [%s]", e.wgIface, err.Error())
-		return err
-	}
-
-	err = iface.Configure(e.wgIface, myKey.String())
-	if err != nil {
-		log.Errorf("error while configuring Wireguard interface [%s]: %s", e.wgIface, err.Error())
-		return err
-	}
-
-	wgPort, err := iface.GetListenPort(e.wgIface)
-	if err != nil {
-		log.Errorf("error while getting Wireguard interface port [%s]: %s", e.wgIface, err.Error())
-		return err
-	}
-
-	e.receiveSignal()
-
-	// initialize peer agents
-	for _, peer := range peers {
-
-		peer := peer
-		go func() {
-			var backOff = &backoff.ExponentialBackOff{
-				InitialInterval:     backoff.DefaultInitialInterval,
-				RandomizationFactor: backoff.DefaultRandomizationFactor,
-				Multiplier:          backoff.DefaultMultiplier,
-				MaxInterval:         5 * time.Second,
-				MaxElapsedTime:      time.Duration(0), //never stop
-				Stop:                backoff.Stop,
-				Clock:               backoff.SystemClock,
-			}
-			operation := func() error {
-				_, err := e.openPeerConnection(*wgPort, myKey, peer)
-				if err != nil {
-					log.Warnln("retrying connection because of error: ", err.Error())
-					e.conns[peer.WgPubKey] = nil
-					return err
-				}
-				backOff.Reset()
-				return nil
-			}
-
-			err = backoff.Retry(operation, backOff)
-			if err != nil {
-				// should actually never happen
-				panic(err)
-			}
-		}()
-	}
-	return nil
-}
-
-func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
-
-	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
-	connConfig := &ConnConfig{
-		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
-		WgPeerIp:       e.wgIp,
-		WgIface:        e.wgIface,
-		WgAllowedIPs:   peer.WgAllowedIps,
-		WgKey:          myKey,
-		RemoteWgKey:    remoteKey,
-		StunTurnURLS:   e.stunsTurns,
-		iFaceBlackList: e.iFaceBlackList,
-	}
-
-	signalOffer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
-	}
-
-	signalAnswer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
-	}
-	signalCandidate := func(candidate ice.Candidate) error {
-		return signalCandidate(candidate, myKey, remoteKey, e.signal)
-	}
-
-	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
-	e.conns[remoteKey.String()] = conn
-	// blocks until the connection is open (or timeout)
-	err := conn.Open(60 * time.Second)
-	if err != nil {
-		return nil, err
-	}
-	return conn, nil
-}
-
-func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error {
-	err := s.Send(&sProto.Message{
-		Key:       myKey.PublicKey().String(),
-		RemoteKey: remoteKey.String(),
-		Body: &sProto.Body{
-			Type:    sProto.Body_CANDIDATE,
-			Payload: candidate.Marshal(),
-		},
-	})
-	if err != nil {
-		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
-		//todo ??
-		return err
-	}
-
-	return nil
-}
-
-func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error {
-
-	var t sProto.Body_Type
-	if isAnswer {
-		t = sProto.Body_ANSWER
-	} else {
-		t = sProto.Body_OFFER
-	}
-
-	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
-		UFrag: uFrag,
-		Pwd:   pwd}, t)
-
-	err = s.Send(msg)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (e *Engine) receiveSignal() {
-	// connect to a stream of messages coming from the signal server
-	e.signal.Receive(func(msg *sProto.Message) error {
-
-		conn := e.conns[msg.Key]
-		if conn == nil {
-			return fmt.Errorf("wrongly addressed message %s", msg.Key)
-		}
-
-		if conn.Config.RemoteWgKey.String() != msg.Key {
-			return fmt.Errorf("unknown peer %s", msg.Key)
-		}
-
-		switch msg.GetBody().Type {
-		case sProto.Body_OFFER:
-			remoteCred, err := signal.UnMarshalCredential(msg)
-			if err != nil {
-				return err
-			}
-			err = conn.OnOffer(IceCredentials{
-				uFrag: remoteCred.UFrag,
-				pwd:   remoteCred.Pwd,
-			})
-
-			if err != nil {
-				return err
-			}
-
-			return nil
-		case sProto.Body_ANSWER:
-			remoteCred, err := signal.UnMarshalCredential(msg)
-			if err != nil {
-				return err
-			}
-			err = conn.OnAnswer(IceCredentials{
-				uFrag: remoteCred.UFrag,
-				pwd:   remoteCred.Pwd,
-			})
-
-			if err != nil {
-				return err
-			}
-
-		case sProto.Body_CANDIDATE:
-
-			candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
-			if err != nil {
-				log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
-				return err
-			}
-
-			err = conn.OnRemoteCandidate(candidate)
-			if err != nil {
-				log.Errorf("error handling CANDIATE from %s", msg.Key)
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	e.signal.WaitConnected()
-}
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,104 @@
+### Table of contents
+
+* [About Wiretrustee](#about-wiretrustee)
+* [Why Wireguard with Wiretrustee?](#why-wireguard-with-wiretrustee)
+* [Wiretrustee vs. Traditional VPN](#wiretrustee-vs-traditional-vpn)
+* [High-level technology overview](#high-level-technology-overview)
+* [Getting started](#getting-started)
+
+### About Wiretrustee
+
+Wiretrustee is an open-source VPN platform built on top of [WireGuard®](https://www.wireguard.com/) making it easy to create secure private networks for your organization or home.
+
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
+
+There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+
+It literally takes less than 5 minutes to provision a secure peer-to-peer VPN with Wiretrustee. Check our [Quickstart Guide Video](https://www.youtube.com/watch?v=cWTsGUJAUaU) to see the setup in action.
+
+### Why Wireguard with Wiretrustee?
+
+WireGuard is a modern and extremely fast VPN tunnel utilizing state-of-the-art [cryptography](https://www.wireguard.com/protocol/)
+and Wiretrustee uses Wireguard to establish a secure tunnel between machines.
+
+Built with simplicity in mind, Wireguard ensures that traffic between two machines is encrypted and flowing, however, it requires a few things to be done beforehand.
+
+First, in order to connect, the machines have to be configured.
+On each machine, you need to generate private and public keys and prepare a WireGuard configuration file.
+The configuration also includes a private IP address that should be unique per machine.
+
+Secondly, to accept the incoming traffic, the machines have to trust each other.
+The generated public keys have to be pre-shared on the machines.
+This works similarly to SSH with its authorised_keys file.
+
+Lastly, the connectivity between the machines has to be ensured.
+To make machines reach one another, you are required to set a WireGuard endpoint property which indicates the IP address and port of the remote machine to connect to.
+On many occasions, machines are hidden behind firewalls and NAT devices,
+meaning that you may need to configure a port forwarding or open holes in your firewall to ensure the machines are reachable.
+
+The undertakings mentioned above might not be complicated if you have just a few machines, but the complexity grows as the number of machines increases.
+
+Wiretrustee simplifies the setup by automatically generating private and public keys, assigning unique private IP addresses, and takes care of sharing public keys between the machines.
+It is worth mentioning that the private key never leaves the machine.
+So only the machine that owns the key can decrypt traffic addressed to it.
+The same applies also to the relayed traffic mentioned below.
+
+Furthermore, Wiretrustee ensures connectivity by leveraging advanced [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal)
+and removing the necessity of port forwarding, opening holes in the firewall, and having a public static IP address.  
+In cases when a direct peer-to-peer connection isn't possible, all traffic is relayed securely between peers.
+Wiretrustee also monitors the connection health and restarts broken connections.
+
+There are a few more things that we are working on to make secure private networks simple. A few examples are ACLs, MFA and activity monitoring.
+
+Check out the WireGuard [Quick Start](https://www.wireguard.com/quickstart/) guide to learn more about configuring "plain" WireGuard without Wiretrustee.
+
+### Wiretrustee vs. Traditional VPN
+
+In the traditional VPN model, everything converges on a centralized, protected network where all the clients are connecting to a central VPN server.
+
+An increasing amount of connections can easily overload the VPN server.
+Even a short downtime of a server can cause expensive system disruptions, and a remote team's inability to work.
+
+Centralized VPNs imply all the traffic going through the central server causing network delays and increased traffic usage.
+
+Such systems require an experienced team to set up and maintain.
+Configuring firewalls, setting up NATs, SSO integration, and managing access control lists can be a nightmare.
+
+Traditional centralized VPNs are often compared to a [castle-and-moat](https://en.wikipedia.org/wiki/Moat) model
+in which once accessed, user is trusted and can access critical infrastructure and resources without any restrictions.
+
+Wiretrustee decentralizes networks using direct point-to-point connections, as opposed to traditional models.
+Consequently, network performance is increased since traffic flows directly between the machines bypassing VPN servers or gateways.
+To achieve this, Wiretrustee client applications employ signalling servers to find other machines and negotiate connections.
+These are similar to the signaling servers used in [WebRTC](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API/Signaling_and_video_calling#the_signaling_server)
+
+Thanks to [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal),
+outlined in the [Why not just Wireguard?](#why-wireguard-with-wiretrustee) section above,
+Wiretrustee installation doesn't require complex network and firewall configuration.
+It just works, minimising the maintenance effort.
+
+Finally, each machine or device in the Wiretrustee network verifies incoming connections accepting only the trusted ones.
+This is ensured by Wireguard's [Crypto Routing concept](https://www.wireguard.com/#cryptokey-routing).
+
+### High-level technology overview
+In essence, Wiretrustee is an open source platform consisting of a collection of systems, responsible for handling peer-to-peer connections, tunneling and network management (IP, keys, ACLs, etc).
+
+<p align="center">
+    <img src="media/high-level-dia.png" alt="high-level-dia" width="781"/>
+</p>
+
+Wiretrustee uses open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn),
+and [software](https://github.com/wiretrustee/wiretrustee) developed by Wiretrustee authors to make it all work together.
+
+To learn more about Wiretrustee architecture, please refer to the [architecture section](../docs/architecture.md).
+
+### Getting Started
+
+There are 2 ways of getting started with Wiretrustee:
+- use Cloud Managed version
+- self-hosting
+
+We recommend starting with the cloud managed version hosted at [app.wiretrustee.com](https://app.wiretrustee.com) - the quickest way to get familiar with the system.
+See [Quickstart Guide](../docs/quickstart.md) for instructions.
+
+If you don't want to use the managed version, check out our [Self-hosting Guide](../docs/self-hosting.md).
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -0,0 +1,2 @@
+### Architecture
+TODO
--- a/docs/media/add-peer.png
+++ b/docs/media/add-peer.png
--- a/docs/media/auth.png
+++ b/docs/media/auth.png
--- a/docs/media/empty-peers.png
+++ b/docs/media/empty-peers.png
--- a/docs/media/high-level-dia.png
+++ b/docs/media/high-level-dia.png
--- a/docs/media/logo-full.png
+++ b/docs/media/logo-full.png
--- a/docs/media/logo.png
+++ b/docs/media/logo.png
--- a/docs/media/peerA.gif
+++ b/docs/media/peerA.gif
--- a/docs/media/peerB.gif
+++ b/docs/media/peerB.gif
--- a/docs/media/peers.gif
+++ b/docs/media/peers.gif
--- a/docs/media/peers.png
+++ b/docs/media/peers.png
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -0,0 +1,41 @@
+## Quickstart guide (Cloud Managed version)
+Step-by-step video guide on YouTube:
+
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/cWTsGUJAUaU/0.jpg)](https://youtu.be/cWTsGUJAUaU "Wiretrustee - secure private network in less than 5 minutes")
+
+This guide describes how to create secure VPN and connect 2 machines peer-to-peer.
+
+One machine is a Raspberry Pi Compute Module 4 hosted at home (Peer A), and the other one is a regular Ubuntu server running in the Data Center (Peer B).
+Both machines are running Linux (Raspbian and Ubuntu respectively), but you could also use Mac or Windows operating systems.
+
+1. Sign-up at [https://app.wiretrustee.com/](https://app.wiretrustee.com/peers)
+
+    You can use your email and password to sign-up or any available social login option (e.g., GitHub account)
+    
+    <img src="media/auth.png" alt="auth" width="350"/>
+
+2. After a successful login you will be redirected to the ```Peers``` screen which is empty because you don't have any peers yet.
+   
+    Click ```Add peer``` to add a new machine.
+    
+    <img src="media/empty-peers.png" alt="empty-peers" width="700"/>
+    
+3.  Choose a setup key which will be used to associate your new machine with your account (in our case it is ```Default key```).
+
+    Choose your machine operating system (in our case it is ```Linux```) and proceed with the installation steps on the machine.
+
+    <img src="media/add-peer.png" alt="add-peer" width="700"/>    
+
+4. Repeat #3 for the 2nd machine.
+5. Return to ```Peers``` and you should notice 2 new machines with status ```Connected```
+   
+    <img src="media/peers.png" alt="peers" width="700"/>
+
+6. To test the connection you could try pinging devices:
+   
+    On Peer A:
+    ```ping 100.64.0.2```
+    
+    On Peer B:
+    ```ping 100.64.0.1```
+7. Done! You now have a secure peer-to-peer VPN configured.
--- a/docs/self-hosting.md
+++ b/docs/self-hosting.md
@@ -0,0 +1,96 @@
+### Self-hosting
+Wiretrustee is an open-source platform that can be self-hosted on your servers.
+
+It relies on components developed by Wiretrustee Authors [Management Service](https://github.com/wiretrustee/wiretrustee/tree/main/management), [Management UI Dashboard](https://github.com/wiretrustee/wiretrustee-dashboard), [Signal Service](https://github.com/wiretrustee/wiretrustee/tree/main/signal), 
+a 3rd party open-source STUN/TURN service [Coturn](https://github.com/coturn/coturn) and a 3rd party service [Auth0](https://auth0.com/).
+
+All the components can be self-hosted except for the Auth0 service.
+We chose Auth0 to "outsource" the user management part of the platform because we believe that implementing a proper user auth requires significant amount of time to make it right. 
+We focused on connectivity instead.
+
+If you would like to learn more about the architecture please refer to the [Wiretrustee Architecture section](architecture.md).
+
+### Step-by-step video guide on YouTube:
+
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/Ofpgx5WhT0k/0.jpg)](https://youtu.be/Ofpgx5WhT0k "Wiretrustee Self-Hosting Guide")
+
+### Requirements
+
+- Virtual machine offered by any cloud provider (e.g., AWS, DigitalOcean, Hetzner, Google Cloud, Azure ...). 
+- Any Linux OS.
+- Docker Compose installed (see [Install Docker Compose](https://docs.docker.com/compose/install/)).
+- Domain name pointing to the public IP address of your server.
+- Open ports ```443, 33071, 33073, 10000, 3478``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc, Coturn STUN/TURN respectively) on your server.
+- Maybe a cup of coffee or tea :)
+
+### Step-by-step guide
+
+For this tutorial we will be using domain ```test.wiretrustee.com``` which points to our Ubuntu 20.04 machine hosted at Hetzner.
+
+1. Create Auth0 account at [auth0.com](https://auth0.com/).
+2. Login to your server, clone Wiretrustee repository:
+   
+   ```bash 
+   git clone https://github.com/wiretrustee/wiretrustee.git wiretrustee/
+   ```
+   
+   and switch to the ```wiretrustee/infrastructure_files/``` folder that contains docker compose file:
+   
+   ```bash 
+   cd wiretrustee/infrastructure_files/
+   ```
+3. Prepare configuration files.
+   
+   To simplify the setup we have prepared a script to substitute required properties in the [docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
+   
+   The [setup.env](../infrastructure_files/setup.env) file contains the following properties that have to be filled:
+   
+   ```bash
+   # e.g. app.mydomain.com
+   WIRETRUSTEE_DOMAIN=""
+   # e.g. dev-24vkclam.us.auth0.com
+   WIRETRUSTEE_AUTH0_DOMAIN=""
+   # e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
+   WIRETRUSTEE_AUTH0_CLIENT_ID=""
+   # e.g. https://app.mydomain.com/
+   WIRETRUSTEE_AUTH0_AUDIENCE=""
+   # e.g. hello@mydomain.com
+   WIRETRUSTEE_LETSENCRYPT_EMAIL=""
+   ```
+   
+   Please follow the steps to get the values.
+
+4. Configure ```WIRETRUSTEE_AUTH0_DOMAIN``` ```WIRETRUSTEE_AUTH0_CLIENT_ID``` ```WIRETRUSTEE_AUTH0_AUDIENCE``` properties.          
+   
+   * To obtain these, please use [Auth0 React SDK Guide](https://auth0.com/docs/quickstart/spa/react/01-login#configure-auth0) up until "Install the Auth0 React SDK".
+   
+      :grey_exclamation: Use ```https://YOUR DOMAIN``` as ````Allowed Callback URLs````, ```Allowed Logout URLs```, ```Allowed Web Origins``` and ```Allowed Origins (CORS)```
+   * set the variables in the ```setup.env```
+5. Configure ```WIRETRUSTEE_AUTH0_AUDIENCE``` property. 
+   
+   * Check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain AuthAudience.
+   * set the property in the ```setup.env``` file.
+6. Configure ```WIRETRUSTEE_LETSENCRYPT_EMAIL``` property.
+   
+   This can be any email address. [Let's Encrypt](https://letsencrypt.org/) will create an account while generating a new certificate.    
+
+7. Make sure all the properties set in the ```setup.env``` file and run: 
+   
+    ```bash
+    ./configure.sh
+    ```
+   
+   This will export all the properties as environment variables and generate ```docker-compose.yml``` and ```management.json``` files substituting required variables.
+
+8. Run docker compose:
+
+   ```bash
+   docker-compose up -d
+   ```
+9. Optionally check the logs by running: 
+        
+    ```bash
+    docker-compose logs signal
+    docker-compose logs management
+    docker-compose logs coturn
+    docker-compose logs dashboard
--- a/encryption/encryption.go
+++ b/encryption/encryption.go
@@ -1,4 +1,4 @@
-package signal
+package encryption

 import (
 	"crypto/rand"
@@ -7,31 +7,29 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-// As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service.
-// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange)
-// information can't be read anywhere else but the Peer the message is being sent to.
+// A set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service or Management Service
 // These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
 // Wireguard keys are used for encryption

-// Encrypts a message using local Wireguard private key and remote peer's public key.
-func Encrypt(msg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
+// Encrypt encrypts a message using local Wireguard private key and remote peer's public key.
+func Encrypt(msg []byte, peerPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
 	nonce, err := genNonce()
 	if err != nil {
 		return nil, err
 	}
-	return box.Seal(nonce[:], msg, nonce, toByte32(peersPublicKey), toByte32(privateKey)), nil
+	return box.Seal(nonce[:], msg, nonce, toByte32(peerPublicKey), toByte32(privateKey)), nil
 }

-// Decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key.
-func Decrypt(encryptedMsg []byte, peersPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
+// Decrypt decrypts a message that has been encrypted by the remote peer using Wireguard private key and remote peer's public key.
+func Decrypt(encryptedMsg []byte, peerPublicKey wgtypes.Key, privateKey wgtypes.Key) ([]byte, error) {
 	nonce, err := genNonce()
 	if err != nil {
 		return nil, err
 	}
 	copy(nonce[:], encryptedMsg[:24])
-	opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peersPublicKey), toByte32(privateKey))
+	opened, ok := box.Open(nil, encryptedMsg[24:], nonce, toByte32(peerPublicKey), toByte32(privateKey))
 	if !ok {
-		return nil, fmt.Errorf("failed to decrypt message from peer %s", peersPublicKey.String())
+		return nil, fmt.Errorf("failed to decrypt message from peer %s", peerPublicKey.String())
 	}

 	return opened, nil
--- a/encryption/encryption_suite_test.go
+++ b/encryption/encryption_suite_test.go
@@ -0,0 +1,13 @@
+package encryption_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestManagement(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Management Service Suite")
+}
--- a/encryption/encryption_test.go
+++ b/encryption/encryption_test.go
@@ -0,0 +1,60 @@
+package encryption_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	"github.com/wiretrustee/wiretrustee/encryption/testprotos"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+const ()
+
+var _ = Describe("Encryption", func() {
+
+	var (
+		encryptionKey wgtypes.Key
+		decryptionKey wgtypes.Key
+	)
+
+	BeforeEach(func() {
+		var err error
+		encryptionKey, err = wgtypes.GenerateKey()
+		Expect(err).NotTo(HaveOccurred())
+		decryptionKey, err = wgtypes.GenerateKey()
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	Context("decrypting a plain message", func() {
+		Context("when it was encrypted with Wireguard keys", func() {
+			Specify("should be successful", func() {
+				msg := "message"
+				encryptedMsg, err := encryption.Encrypt([]byte(msg), decryptionKey.PublicKey(), encryptionKey)
+				Expect(err).NotTo(HaveOccurred())
+
+				decryptedMsg, err := encryption.Decrypt(encryptedMsg, encryptionKey.PublicKey(), decryptionKey)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(string(decryptedMsg)).To(BeEquivalentTo(msg))
+			})
+		})
+	})
+
+	Context("decrypting a protobuf message", func() {
+		Context("when it was encrypted with Wireguard keys", func() {
+			Specify("should be successful", func() {
+
+				protoMsg := &testprotos.TestMessage{Body: "message"}
+				encryptedMsg, err := encryption.EncryptMessage(decryptionKey.PublicKey(), encryptionKey, protoMsg)
+				Expect(err).NotTo(HaveOccurred())
+
+				decryptedMsg := &testprotos.TestMessage{}
+				err = encryption.DecryptMessage(encryptionKey.PublicKey(), decryptionKey, encryptedMsg, decryptedMsg)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(decryptedMsg.GetBody()).To(BeEquivalentTo(protoMsg.GetBody()))
+			})
+		})
+	})
+
+})
--- a/encryption/letsencrypt.go
+++ b/encryption/letsencrypt.go
@@ -0,0 +1,30 @@
+package encryption
+
+import (
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/acme/autocert"
+	"os"
+	"path/filepath"
+)
+
+// CreateCertManager wraps common logic of generating Let's encrypt certificate.
+func CreateCertManager(datadir string, letsencryptDomain string) *autocert.Manager {
+	certDir := filepath.Join(datadir, "letsencrypt")
+
+	if _, err := os.Stat(certDir); os.IsNotExist(err) {
+		err = os.MkdirAll(certDir, os.ModeDir)
+		if err != nil {
+			log.Fatalf("failed creating Let's encrypt certdir: %s: %v", certDir, err)
+		}
+	}
+
+	log.Infof("running with Let's encrypt with domain %s. Cert will be stored in %s", letsencryptDomain, certDir)
+
+	certManager := &autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		Cache:      autocert.DirCache(certDir),
+		HostPolicy: autocert.HostWhitelist(letsencryptDomain),
+	}
+
+	return certManager
+}
--- a/encryption/message.go
+++ b/encryption/message.go
@@ -0,0 +1,40 @@
+package encryption
+
+import (
+	pb "github.com/golang/protobuf/proto" //nolint
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+// EncryptMessage encrypts a body of the given protobuf Message
+func EncryptMessage(remotePubKey wgtypes.Key, ourPrivateKey wgtypes.Key, message pb.Message) ([]byte, error) {
+	byteResp, err := pb.Marshal(message)
+	if err != nil {
+		log.Errorf("failed marshalling message %v", err)
+		return nil, err
+	}
+
+	encryptedBytes, err := Encrypt(byteResp, remotePubKey, ourPrivateKey)
+	if err != nil {
+		log.Errorf("failed encrypting SyncResponse %v", err)
+		return nil, err
+	}
+
+	return encryptedBytes, nil
+}
+
+// DecryptMessage decrypts an encrypted message into given protobuf Message
+func DecryptMessage(remotePubKey wgtypes.Key, ourPrivateKey wgtypes.Key, encryptedMessage []byte, message pb.Message) error {
+	decrypted, err := Decrypt(encryptedMessage, remotePubKey, ourPrivateKey)
+	if err != nil {
+		log.Warnf("error while decrypting Sync request message from peer %s", remotePubKey.String())
+		return err
+	}
+
+	err = pb.Unmarshal(decrypted, message)
+	if err != nil {
+		log.Warnf("error while umarshalling Sync request message from peer %s", remotePubKey.String())
+		return err
+	}
+	return nil
+}
--- a/encryption/testprotos/generate.sh
+++ b/encryption/testprotos/generate.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+protoc -I testprotos/ testprotos/testproto.proto --go_out=.
--- a/encryption/testprotos/testproto.pb.go
+++ b/encryption/testprotos/testproto.pb.go
@@ -0,0 +1,142 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v3.12.4
+// source: testproto.proto
+
+package testprotos
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type TestMessage struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Body string `protobuf:"bytes,1,opt,name=body,proto3" json:"body,omitempty"`
+}
+
+func (x *TestMessage) Reset() {
+	*x = TestMessage{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_testproto_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *TestMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*TestMessage) ProtoMessage() {}
+
+func (x *TestMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_testproto_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use TestMessage.ProtoReflect.Descriptor instead.
+func (*TestMessage) Descriptor() ([]byte, []int) {
+	return file_testproto_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *TestMessage) GetBody() string {
+	if x != nil {
+		return x.Body
+	}
+	return ""
+}
+
+var File_testproto_proto protoreflect.FileDescriptor
+
+var file_testproto_proto_rawDesc = []byte{
+	0x0a, 0x0f, 0x74, 0x65, 0x73, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x22, 0x21, 0x0a,
+	0x0b, 0x54, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04,
+	0x62, 0x6f, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79,
+	0x42, 0x0d, 0x5a, 0x0b, 0x2f, 0x74, 0x65, 0x73, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_testproto_proto_rawDescOnce sync.Once
+	file_testproto_proto_rawDescData = file_testproto_proto_rawDesc
+)
+
+func file_testproto_proto_rawDescGZIP() []byte {
+	file_testproto_proto_rawDescOnce.Do(func() {
+		file_testproto_proto_rawDescData = protoimpl.X.CompressGZIP(file_testproto_proto_rawDescData)
+	})
+	return file_testproto_proto_rawDescData
+}
+
+var file_testproto_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_testproto_proto_goTypes = []interface{}{
+	(*TestMessage)(nil), // 0: testprotos.TestMessage
+}
+var file_testproto_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_testproto_proto_init() }
+func file_testproto_proto_init() {
+	if File_testproto_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_testproto_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*TestMessage); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_testproto_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_testproto_proto_goTypes,
+		DependencyIndexes: file_testproto_proto_depIdxs,
+		MessageInfos:      file_testproto_proto_msgTypes,
+	}.Build()
+	File_testproto_proto = out.File
+	file_testproto_proto_rawDesc = nil
+	file_testproto_proto_goTypes = nil
+	file_testproto_proto_depIdxs = nil
+}
--- a/encryption/testprotos/testproto.proto
+++ b/encryption/testprotos/testproto.proto
@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+option go_package = "/testprotos";
+
+package testprotos;
+
+message TestMessage {
+  string body = 1;
+}
--- a/go.mod
+++ b/go.mod
@@ -4,15 +4,29 @@ go 1.16

 require (
 	github.com/cenkalti/backoff/v4 v4.1.0
-	github.com/golang/protobuf v1.4.3
-	github.com/google/nftables v0.0.0-20201230142148-715e31cb3c31
-	github.com/pion/ice/v2 v2.1.7
+	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang/protobuf v1.5.2
+	github.com/google/uuid v1.3.0
+	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/websocket v1.4.2
+	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
+	github.com/onsi/ginkgo v1.16.4
+	github.com/onsi/gomega v1.13.0
+	github.com/pion/ice/v2 v2.1.13
+	github.com/pion/webrtc/v3 v3.1.7
+	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.7.0
 	github.com/spf13/cobra v1.1.3
+	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
-	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df
-	golang.org/x/crypto v0.0.0-20210322153248-0c34fe9e7dc2
-	golang.zx2c4.com/wireguard v0.0.20201118
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20200609130330-bd2cb7843e1b
-	google.golang.org/grpc v1.32.0
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+	golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
+	golang.zx2c4.com/wireguard v0.0.0-20211026125340-e42c6c4bc2d0
+	golang.zx2c4.com/wireguard/tun/netstack v0.0.0-20211026125340-e42c6c4bc2d0
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c
+	golang.zx2c4.com/wireguard/windows v0.4.5
+	google.golang.org/grpc v1.39.0-dev.0.20210518002758-2713b77e8526
+	google.golang.org/protobuf v1.26.0
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0
+	nhooyr.io/websocket v1.8.7
 )
--- a/go.sum
+++ b/go.sum
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -2,9 +2,8 @@ package iface

 import (
 	log "github.com/sirupsen/logrus"
-	"github.com/vishvananda/netlink"
+	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -16,90 +15,116 @@ const (
 	defaultMTU = 1280
 )

-// Saves tun device object - is it required?
-var tunIface tun.Device
+var (
+	tunIface tun.Device
+	// todo check after move the WgPort constant to the client
+	WgPort = 51820
+)

-// Create Creates a new Wireguard interface, sets a given IP and brings it up.
-// Will reuse an existing one.
-func Create(iface string, address string) error {
+// CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
+func CreateWithUserspace(iface string, address string) error {
 	var err error
-
 	tunIface, err = tun.CreateTUN(iface, defaultMTU)
 	if err != nil {
 		return err
 	}

 	// We need to create a wireguard-go device and listen to configuration requests
-	tunDevice := device.NewDevice(tunIface, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
-	tunDevice.Up()
-	tunSock, err := ipc.UAPIOpen(iface)
+	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	err = tunDevice.Up()
 	if err != nil {
 		return err
 	}
-	uapi, err := ipc.UAPIListen(iface, tunSock)
+	uapi, err := getUAPI(iface)
 	if err != nil {
 		return err
 	}

 	go func() {
 		for {
-			conn, err := uapi.Accept()
+			uapiConn, err := uapi.Accept()
 			if err != nil {
-				log.Debugln(err)
-				return
+				log.Debugln("uapi Accept failed with error: ", err)
+				continue
 			}
-			go tunDevice.IpcHandle(conn)
+			go tunDevice.IpcHandle(uapiConn)
 		}
 	}()

 	log.Debugln("UAPI listener started")

-	err = assignAddr(iface, address)
+	err = assignAddr(address, iface)
 	if err != nil {
 		return err
 	}
 	return nil
 }

-// Extends the functionality of Configure(iface string, privateKey string) by generating a new Wireguard private key
-func ConfigureWithKeyGen(iface string) (*wgtypes.Key, error) {
-	key, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		return nil, err
-	}
-	return &key, Configure(iface, key.String())
-}
-
-// Configures a Wireguard interface
-// The interface must exist before calling this method (e.g. call interface.Create() before)
-func Configure(iface string, privateKey string) error {
-
-	log.Debugf("configuring Wireguard interface %s", iface)
+// configure peer for the wireguard device
+func configureDevice(iface string, config wgtypes.Config) error {
 	wg, err := wgctrl.New()
 	if err != nil {
 		return err
 	}
 	defer wg.Close()

+	_, err = wg.Device(iface)
+	if err != nil {
+		return err
+	}
+	log.Debugf("got Wireguard device %s", iface)
+
+	return wg.ConfigureDevice(iface, config)
+}
+
+// Exists checks whether specified Wireguard device exists or not
+func Exists(iface string) (*bool, error) {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return nil, err
+	}
+	defer wg.Close()
+
+	devices, err := wg.Devices()
+	if err != nil {
+		return nil, err
+	}
+
+	var exists bool
+	for _, d := range devices {
+		if d.Name == iface {
+			exists = true
+			return &exists, nil
+		}
+	}
+	exists = false
+	return &exists, nil
+}
+
+// Configure configures a Wireguard interface
+// The interface must exist before calling this method (e.g. call interface.Create() before)
+func Configure(iface string, privateKey string) error {
+
+	log.Debugf("configuring Wireguard interface %s", iface)
+
 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
 	if err != nil {
 		return err
 	}
 	fwmark := 0
-	cfg := wgtypes.Config{
+	p := WgPort
+	config := wgtypes.Config{
 		PrivateKey:   &key,
 		ReplacePeers: false,
 		FirewallMark: &fwmark,
-	}
-	err = wg.ConfigureDevice(iface, cfg)
-	if err != nil {
-		return err
+		ListenPort:   &p,
 	}

-	return nil
+	return configureDevice(iface, config)
 }

+// GetListenPort returns the listening port of the Wireguard endpoint
 func GetListenPort(iface string) (*int, error) {
 	log.Debugf("getting Wireguard listen port of interface %s", iface)

@@ -114,88 +139,39 @@ func GetListenPort(iface string) (*int, error) {
 	if err != nil {
 		return nil, err
 	}
-	log.Debugf("got Wireguard device listen port %s, %d", iface, &d.ListenPort)
+	log.Debugf("got Wireguard device listen port %s, %d", iface, d.ListenPort)

 	return &d.ListenPort, nil
 }

-// Updates a Wireguard interface listen port
-func UpdateListenPort(iface string, newPort int) error {
-	log.Debugf("updating Wireguard listen port of interface %s, new port %d", iface, newPort)
-
-	//discover Wireguard current configuration
-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
-	config := wgtypes.Config{
-		ListenPort:   &newPort,
-		ReplacePeers: false,
-	}
-	err = wg.ConfigureDevice(iface, config)
-	if err != nil {
-		return err
-	}
-
-	log.Debugf("updated Wireguard listen port of interface %s, new port %d", iface, newPort)
-
-	return nil
-}
-
-func ifname(n string) []byte {
-	b := make([]byte, 16)
-	copy(b, []byte(n+"\x00"))
-	return b
-}
-
-// Updates existing Wireguard Peer or creates a new one if doesn't exist
+// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
 // Endpoint is optional
 func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.Duration, endpoint string) error {

 	log.Debugf("updating interface %s peer %s: endpoint %s ", iface, peerKey, endpoint)

-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
 	//parse allowed ips
-	ipNet, err := netlink.ParseIPNet(allowedIps)
+	_, ipNet, err := net.ParseCIDR(allowedIps)
 	if err != nil {
 		return err
 	}

 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-
-	peers := make([]wgtypes.PeerConfig, 0)
+	if err != nil {
+		return err
+	}
 	peer := wgtypes.PeerConfig{
 		PublicKey:                   peerKeyParsed,
 		ReplaceAllowedIPs:           true,
 		AllowedIPs:                  []net.IPNet{*ipNet},
 		PersistentKeepaliveInterval: &keepAlive,
 	}
-	peers = append(peers, peer)

 	config := wgtypes.Config{
-		ReplacePeers: false,
-		Peers:        peers,
+		Peers: []wgtypes.PeerConfig{peer},
 	}
-	err = wg.ConfigureDevice(iface, config)
+
+	err = configureDevice(iface, config)
 	if err != nil {
 		return err
 	}
@@ -207,24 +183,12 @@ func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.
 	return nil
 }

-// Updates a Wireguard interface Peer with the new endpoint
+// UpdatePeerEndpoint updates a Wireguard interface Peer with the new endpoint
 // Used when NAT hole punching was successful and an update of the remote peer endpoint is required
 func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error {

 	log.Debugf("updating peer %s endpoint %s ", peerKey, newEndpoint)

-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
 	peerAddr, err := net.ResolveUDPAddr("udp4", newEndpoint)
 	if err != nil {
 		return err
@@ -233,35 +197,44 @@ func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error
 	log.Debugf("parsed peer endpoint [%s]", peerAddr.String())

 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	peers := make([]wgtypes.PeerConfig, 0)
+	if err != nil {
+		return err
+	}
+
 	peer := wgtypes.PeerConfig{
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		UpdateOnly:        true,
 		Endpoint:          peerAddr,
 	}
-	peers = append(peers, peer)
-
 	config := wgtypes.Config{
-		ReplacePeers: false,
-		Peers:        peers,
+		Peers: []wgtypes.PeerConfig{peer},
 	}
-	err = wg.ConfigureDevice(iface, config)
+	return configureDevice(iface, config)
+}
+
+// RemovePeer removes a Wireguard Peer from the interface iface
+func RemovePeer(iface string, peerKey string) error {
+	log.Debugf("Removing peer %s from interface %s ", peerKey, iface)
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
 	}

-	return nil
+	peer := wgtypes.PeerConfig{
+		PublicKey: peerKeyParsed,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+
+	return configureDevice(iface, config)
 }

-type wgLink struct {
-	attrs *netlink.LinkAttrs
-}
-
-func (w *wgLink) Attrs() *netlink.LinkAttrs {
-	return w.attrs
-}
-
-func (w *wgLink) Type() string {
-	return "wireguard"
+// Closes the User Space tunnel interface
+func CloseWithUserspace() error {
+	return tunIface.Close()
 }
--- a/iface/iface_darwin.go
+++ b/iface/iface_darwin.go
@@ -3,24 +3,26 @@ package iface
 import (
 	log "github.com/sirupsen/logrus"
 	"net"
+	"os"
 	"os/exec"
 	"strings"
 )

-const (
-	interfacePrefix = "utun"
-)
+// Create Creates a new Wireguard interface, sets a given IP and brings it up.
+func Create(iface string, address string) error {
+	return CreateWithUserspace(iface, address)
+}

 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func assignAddr(iface string, address string) error {
+func assignAddr(address string, ifaceName string) error {
 	ip := strings.Split(address, "/")
-	cmd := exec.Command("ifconfig", iface, "inet", address, ip[0])
+	cmd := exec.Command("ifconfig", ifaceName, "inet", address, ip[0])
 	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Infoln("Command: %v failed with output %s and error: ", cmd.String(), out)
+		log.Infof("Command: %v failed with output %s and error: ", cmd.String(), out)
 		return err
 	}
 	_, resolvedNet, err := net.ParseCIDR(address)
-	err = addRoute(iface, resolvedNet)
+	err = addRoute(ifaceName, resolvedNet)
 	if err != nil {
 		log.Infoln("Adding route failed with error:", err)
 	}
@@ -36,3 +38,26 @@ func addRoute(iface string, ipNet *net.IPNet) error {
 	}
 	return nil
 }
+
+// Closes the tunnel interface
+func Close() error {
+	name, err := tunIface.Name()
+	if err != nil {
+		return err
+	}
+
+	sockPath := "/var/run/wireguard/" + name + ".sock"
+
+	err = CloseWithUserspace()
+	if err != nil {
+		return err
+	}
+
+	if _, err := os.Stat(sockPath); err == nil {
+		err = os.Remove(sockPath)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/iface/iface_linux.go
+++ b/iface/iface_linux.go
@@ -1,17 +1,28 @@
 package iface

 import (
+	"fmt"
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
+	"golang.zx2c4.com/wireguard/wgctrl"
 	"os"
 )

-const (
-	interfacePrefix = "wg"
-)
+// Create Creates a new Wireguard interface, sets a given IP and brings it up.
+// Will reuse an existing one.
+func Create(iface string, address string) error {

-// assignAddr Adds IP address to the tunnel interface
-func assignAddr(iface string, address string) error {
+	if WireguardModExists() {
+		log.Debug("using kernel Wireguard module")
+		return CreateWithKernel(iface, address)
+	} else {
+		return CreateWithUserspace(iface, address)
+	}
+}
+
+// CreateWithKernel Creates a new Wireguard interface using kernel Wireguard module.
+// Works for Linux and offers much better network performance
+func CreateWithKernel(iface string, address string) error {
 	attrs := netlink.NewLinkAttrs()
 	attrs.Name = iface

@@ -19,11 +30,85 @@ func assignAddr(iface string, address string) error {
 		attrs: &attrs,
 	}

-	log.Debugf("adding address %s to interface: %s", address, iface)
-	addr, _ := netlink.ParseAddr(address)
-	err := netlink.AddrAdd(&link, addr)
+	// check if interface exists
+	l, err := netlink.LinkByName(iface)
+	if err != nil {
+		switch err.(type) {
+		case netlink.LinkNotFoundError:
+			break
+		default:
+			return err
+		}
+	}
+
+	// remove if interface exists
+	if l != nil {
+		err = netlink.LinkDel(&link)
+		if err != nil {
+			return err
+		}
+	}
+
+	log.Debugf("adding device: %s", iface)
+	err = netlink.LinkAdd(&link)
 	if os.IsExist(err) {
-		log.Infof("interface %s already has the address: %s", iface, address)
+		log.Infof("interface %s already exists. Will reuse.", iface)
+	} else if err != nil {
+		return err
+	}
+
+	err = assignAddr(address, iface)
+	if err != nil {
+		return err
+	}
+
+	// todo do a discovery
+	log.Debugf("setting MTU: %d interface: %s", defaultMTU, iface)
+	err = netlink.LinkSetMTU(&link, defaultMTU)
+	if err != nil {
+		log.Errorf("error setting MTU on interface: %s", iface)
+		return err
+	}
+
+	log.Debugf("bringing up interface: %s", iface)
+	err = netlink.LinkSetUp(&link)
+	if err != nil {
+		log.Errorf("error bringing up interface: %s", iface)
+		return err
+	}
+
+	return nil
+}
+
+// assignAddr Adds IP address to the tunnel interface
+func assignAddr(address, name string) error {
+	var err error
+	attrs := netlink.NewLinkAttrs()
+	attrs.Name = name
+
+	link := wgLink{
+		attrs: &attrs,
+	}
+
+	//delete existing addresses
+	list, err := netlink.AddrList(&link, 0)
+	if err != nil {
+		return err
+	}
+	if len(list) > 0 {
+		for _, a := range list {
+			err = netlink.AddrDel(&link, &a)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	log.Debugf("adding address %s to interface: %s", address, attrs.Name)
+	addr, _ := netlink.ParseAddr(address)
+	err = netlink.AddrAdd(&link, addr)
+	if os.IsExist(err) {
+		log.Infof("interface %s already has the address: %s", attrs.Name, address)
 	} else if err != nil {
 		return err
 	}
@@ -31,3 +116,53 @@ func assignAddr(iface string, address string) error {
 	err = netlink.LinkSetUp(&link)
 	return err
 }
+
+type wgLink struct {
+	attrs *netlink.LinkAttrs
+}
+
+// Attrs returns the Wireguard's default attributes
+func (w *wgLink) Attrs() *netlink.LinkAttrs {
+	return w.attrs
+}
+
+// Type returns the interface type
+func (w *wgLink) Type() string {
+	return "wireguard"
+}
+
+// Closes the tunnel interface
+func Close() error {
+
+	if tunIface != nil {
+		return CloseWithUserspace()
+	} else {
+		var iface = ""
+		wg, err := wgctrl.New()
+		if err != nil {
+			return err
+		}
+		defer wg.Close()
+		devList, err := wg.Devices()
+		if err != nil {
+			return err
+		}
+		for _, wgDev := range devList {
+			// todo check after move the WgPort constant to the client
+			if wgDev.ListenPort == WgPort {
+				iface = wgDev.Name
+				break
+			}
+		}
+		if iface == "" {
+			return fmt.Errorf("Wireguard Interface not found")
+		}
+		attrs := netlink.NewLinkAttrs()
+		attrs.Name = iface
+
+		link := wgLink{
+			attrs: &attrs,
+		}
+		return netlink.LinkDel(&link)
+	}
+}
--- a/iface/iface_test.go
+++ b/iface/iface_test.go
@@ -0,0 +1,272 @@
+package iface
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"testing"
+	"time"
+)
+
+// keep darwin compability
+const (
+	key        = "0PMI6OkB5JmB+Jj/iWWHekuQRx+bipZirWCWKFXexHc="
+	peerPubKey = "Ok0mC0qlJyXEPKh2UFIpsI2jG0L7LRpC3sLAusSJ5CQ="
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+//
+func Test_CreateInterface(t *testing.T) {
+	ifaceName := "utun999"
+	wgIP := "10.99.99.1/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	d, err := wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// todo move the WgPort constant to the client
+	WgPort = d.ListenPort
+}
+func Test_ConfigureInterface(t *testing.T) {
+	ifaceName := "utun1000"
+	wgIP := "10.99.99.10/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if wgDevice.PrivateKey.String() != key {
+		t.Fatalf("Private keys don't match after configure: %s != %s", key, wgDevice.PrivateKey.String())
+	}
+}
+
+func Test_UpdatePeer(t *testing.T) {
+	ifaceName := "utun1001"
+	wgIP := "10.99.99.20/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keepAlive := 15 * time.Second
+	allowedIP := "10.99.99.2/32"
+	endpoint := "127.0.0.1:9900"
+	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer, err := getPeer(ifaceName, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if peer.PersistentKeepaliveInterval != keepAlive {
+		t.Fatal("configured peer with mismatched keepalive interval value")
+	}
+
+	resolvedEndpoint, err := net.ResolveUDPAddr("udp", endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if peer.Endpoint.String() != resolvedEndpoint.String() {
+		t.Fatal("configured peer with mismatched endpoint")
+	}
+
+	var foundAllowedIP bool
+	for _, aip := range peer.AllowedIPs {
+		if aip.String() == allowedIP {
+			foundAllowedIP = true
+			break
+		}
+	}
+	if !foundAllowedIP {
+		t.Fatal("configured peer with mismatched Allowed IPs")
+	}
+}
+
+func Test_UpdatePeerEndpoint(t *testing.T) {
+	ifaceName := "utun1002"
+	wgIP := "10.99.99.30/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keepAlive := 15 * time.Second
+	allowedIP := "10.99.99.2/32"
+	endpoint := "127.0.0.1:9900"
+	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newEndpoint := "127.0.0.1:9999"
+	err = UpdatePeerEndpoint(ifaceName, peerPubKey, newEndpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peer, err := getPeer(ifaceName, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if peer.Endpoint.String() != newEndpoint {
+		t.Fatal("configured peer with mismatched endpoint")
+	}
+}
+
+func Test_RemovePeer(t *testing.T) {
+	ifaceName := "utun1003"
+	wgIP := "10.99.99.40/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keepAlive := 15 * time.Second
+	allowedIP := "10.99.99.2/32"
+	endpoint := "127.0.0.1:9900"
+	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = RemovePeer(ifaceName, peerPubKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = getPeer(ifaceName, t)
+	if err.Error() != "peer not found" {
+		t.Fatal(err)
+	}
+}
+func Test_Close(t *testing.T) {
+	ifaceName := "utun1004"
+	wgIP := "10.99.99.50/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	d, err := wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// todo move the WgPort constant to the client
+	WgPort = d.ListenPort
+	err = Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+func getPeer(ifaceName string, t *testing.T) (wgtypes.Peer, error) {
+	emptyPeer := wgtypes.Peer{}
+	wg, err := wgctrl.New()
+	if err != nil {
+		return emptyPeer, err
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(ifaceName)
+	if err != nil {
+		return emptyPeer, err
+	}
+	for _, peer := range wgDevice.Peers {
+		if peer.PublicKey.String() == peerPubKey {
+			return peer, nil
+		}
+	}
+	return emptyPeer, fmt.Errorf("peer not found")
+}
--- a/iface/iface_unix.go
+++ b/iface/iface_unix.go
@@ -0,0 +1,17 @@
+// +build linux darwin
+
+package iface
+
+import (
+	"golang.zx2c4.com/wireguard/ipc"
+	"net"
+)
+
+// getUAPI returns a Listener
+func getUAPI(iface string) (net.Listener, error) {
+	tunSock, err := ipc.UAPIOpen(iface)
+	if err != nil {
+		return nil, err
+	}
+	return ipc.UAPIListen(iface, tunSock)
+}
--- a/iface/iface_windows.go
+++ b/iface/iface_windows.go
@@ -0,0 +1,46 @@
+package iface
+
+import (
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
+	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
+	"net"
+)
+
+// Create Creates a new Wireguard interface, sets a given IP and brings it up.
+func Create(iface string, address string) error {
+	return CreateWithUserspace(iface, address)
+}
+
+// assignAddr Adds IP address to the tunnel interface and network route based on the range provided
+func assignAddr(address string, ifaceName string) error {
+
+	nativeTunDevice := tunIface.(*tun.NativeTun)
+	luid := winipcfg.LUID(nativeTunDevice.LUID())
+
+	ip, ipnet, _ := net.ParseCIDR(address)
+
+	log.Debugf("adding address %s to interface: %s", address, ifaceName)
+	err := luid.SetIPAddresses([]net.IPNet{{ip, ipnet.Mask}})
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("adding Routes to interface: %s", ifaceName)
+	err = luid.SetRoutes([]*winipcfg.RouteData{{*ipnet, ipnet.IP, 0}})
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// getUAPI returns a Listener
+func getUAPI(iface string) (net.Listener, error) {
+	return ipc.UAPIListen(iface)
+}
+
+// Closes the tunnel interface
+func Close() error {
+	return CloseWithUserspace()
+}
--- a/iface/ifacename.go
+++ b/iface/ifacename.go
@@ -0,0 +1,6 @@
+// +build linux windows
+
+package iface
+
+// WgInterfaceDefault is a default interface name of Wiretrustee
+const WgInterfaceDefault = "wt0"
--- a/iface/ifacename_darwin.go
+++ b/iface/ifacename_darwin.go
@@ -0,0 +1,6 @@
+// +build darwin
+
+package iface
+
+// WgInterfaceDefault is a default interface name of Wiretrustee
+const WgInterfaceDefault = "utun100"
--- a/iface/mod.go
+++ b/iface/mod.go
@@ -0,0 +1,144 @@
+// +build linux
+
+package iface
+
+// Holds logic to check existence of Wireguard kernel module
+// Copied from https://github.com/paultag/go-modprobe
+
+import (
+	"debug/elf"
+	"fmt"
+	"golang.org/x/sys/unix"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+var (
+	// get the root directory for the kernel modules. If this line panics,
+	// it's because getModuleRoot has failed to get the uname of the running
+	// kernel (likely a non-POSIX system, but maybe a broken kernel?)
+	moduleRoot = getModuleRoot()
+)
+
+// Get the module root (/lib/modules/$(uname -r)/)
+func getModuleRoot() string {
+	uname := unix.Utsname{}
+	if err := unix.Uname(&uname); err != nil {
+		panic(err)
+	}
+
+	i := 0
+	for ; uname.Release[i] != 0; i++ {
+	}
+
+	return filepath.Join(
+		"/lib/modules",
+		string(uname.Release[:i]),
+	)
+}
+
+// modName will, given a file descriptor to a Kernel Module (.ko file), parse the
+// binary to get the module name. For instance, given a handle to the file at
+// `kernel/drivers/usb/gadget/legacy/g_ether.ko`, return `g_ether`.
+func modName(file *os.File) (string, error) {
+	f, err := elf.NewFile(file)
+	if err != nil {
+		return "", err
+	}
+
+	syms, err := f.Symbols()
+	if err != nil {
+		return "", err
+	}
+
+	for _, sym := range syms {
+		if strings.Compare(sym.Name, "__this_module") == 0 {
+			section := f.Sections[sym.Section]
+			data, err := section.Data()
+			if err != nil {
+				return "", err
+			}
+
+			if len(data) < 25 {
+				return "", fmt.Errorf("modprobe: data is short, __this_module is '%s'", data)
+			}
+
+			data = data[24:]
+			i := 0
+			for ; data[i] != 0x00; i++ {
+			}
+			return string(data[:i]), nil
+		}
+	}
+
+	return "", fmt.Errorf("No name found. Is this a .ko or just an ELF?")
+}
+
+// Open every single kernel module under the root, and parse the ELF headers to
+// extract the module name.
+func elfMap(root string) (map[string]string, error) {
+	ret := map[string]string{}
+
+	err := filepath.Walk(
+		root,
+		func(path string, info os.FileInfo, err error) error {
+
+			if err != nil {
+				// skip broken files
+				return nil
+			}
+
+			if !info.Mode().IsRegular() {
+				return nil
+			}
+			fd, err := os.Open(path)
+			if err != nil {
+				return err
+			}
+			defer fd.Close()
+			name, err := modName(fd)
+			if err != nil {
+				/* For now, let's just ignore that and avoid adding to it */
+				return nil
+			}
+
+			ret[name] = path
+			return nil
+		})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return ret, nil
+}
+
+// Open every single kernel module under the kernel module directory
+// (/lib/modules/$(uname -r)/), and parse the ELF headers to extract the
+// module name.
+func generateMap() (map[string]string, error) {
+	return elfMap(moduleRoot)
+}
+
+// WireguardModExists returns true if Wireguard kernel module exists.
+func WireguardModExists() bool {
+	_, err := resolveModName("wireguard")
+	return err == nil
+}
+
+// resolveModName will, given a module name (such as `wireguard`) return an absolute
+// path to the .ko that provides that module.
+func resolveModName(name string) (string, error) {
+	paths, err := generateMap()
+	if err != nil {
+		return "", err
+	}
+
+	fsPath := paths[name]
+	if !strings.HasPrefix(fsPath, moduleRoot) {
+		return "", fmt.Errorf("module isn't in the module directory")
+	}
+
+	return fsPath, nil
+}
--- a/iface/nat_linux.go
+++ b/iface/nat_linux.go
@@ -1,85 +0,0 @@
-package iface
-
-import (
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-	log "github.com/sirupsen/logrus"
-	"github.com/vishvananda/netns"
-	"io/ioutil"
-)
-
-// Configure routing and IP masquerading
-//todo more docs on what exactly happens here and why it is needed
-func ConfigureNAT(primaryIface string) error {
-	log.Debugf("adding NAT / IP masquerading using nftables")
-	ns, err := netns.Get()
-	if err != nil {
-		return err
-	}
-
-	conn := nftables.Conn{NetNS: int(ns)}
-
-	log.Debugf("flushing nftable rulesets")
-	conn.FlushRuleset()
-
-	log.Debugf("setting up nftable rules for ip masquerading")
-
-	nat := conn.AddTable(&nftables.Table{
-		Family: nftables.TableFamilyIPv4,
-		Name:   "nat",
-	})
-
-	conn.AddChain(&nftables.Chain{
-		Name:     "prerouting",
-		Table:    nat,
-		Type:     nftables.ChainTypeNAT,
-		Hooknum:  nftables.ChainHookPrerouting,
-		Priority: nftables.ChainPriorityFilter,
-	})
-
-	post := conn.AddChain(&nftables.Chain{
-		Name:     "postrouting",
-		Table:    nat,
-		Type:     nftables.ChainTypeNAT,
-		Hooknum:  nftables.ChainHookPostrouting,
-		Priority: nftables.ChainPriorityNATSource,
-	})
-
-	conn.AddRule(&nftables.Rule{
-		Table: nat,
-		Chain: post,
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyOIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     ifname(primaryIface),
-			},
-			&expr.Masq{},
-		},
-	})
-
-	if err := conn.Flush(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-// Enables IP forwarding system property.
-// Mostly used when you setup one peer as a VPN server.
-func EnableIPForward() error {
-	f := "/proc/sys/net/ipv4/ip_forward"
-
-	content, err := ioutil.ReadFile(f)
-	if err != nil {
-		return err
-	}
-
-	if string(content) == "0\n" {
-		log.Info("enabling IP Forward")
-		return ioutil.WriteFile(f, []byte("1"), 0600)
-	}
-
-	return nil
-}
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+unset $(grep -v '^#' ./setup.env | sed -E 's/(.*)=.*/\1/' | xargs)
+export $(grep -v '^#' ./setup.env | xargs)
+
+envsubst < docker-compose.yml.tmpl > docker-compose.yml
+envsubst < management.json.tmpl > management.json
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -0,0 +1,61 @@
+version: "3"
+services:
+  #UI dashboard
+  dashboard:
+    image: wiretrustee/dashboard:main
+    restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+    environment:
+      - AUTH0_DOMAIN=$WIRETRUSTEE_AUTH0_DOMAIN
+      - AUTH0_CLIENT_ID=$WIRETRUSTEE_AUTH0_CLIENT_ID
+      - AUTH0_AUDIENCE=$WIRETRUSTEE_AUTH0_AUDIENCE
+      - WIRETRUSTEE_MGMT_API_ENDPOINT=https://$WIRETRUSTEE_DOMAIN:33071
+      - NGINX_SSL_PORT=443
+      - LETSENCRYPT_DOMAIN=$WIRETRUSTEE_DOMAIN
+      - LETSENCRYPT_EMAIL=$WIRETRUSTEE_LETSENCRYPT_EMAIL
+    volumes:
+      - /var/lib/wiretrustee/dashboard/letsencrypt:/etc/letsencrypt/
+  # Signal
+  signal:
+    image: wiretrustee/signal:latest
+    restart: unless-stopped
+    volumes:
+      - wiretrustee-signal:/var/lib/wiretrustee
+    #      - /var/log/wiretrustee/signal.log:/var/log/wiretrustee/signal.log
+    ports:
+      - 10000:10000
+  #     # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "$WIRETRUSTEE_DOMAIN", "--log-file", "console"]
+  # Management
+  management:
+    image: wiretrustee/management:latest
+    restart: unless-stopped
+    depends_on:
+      - dashboard
+    volumes:
+      - wiretrustee-mgmt:/var/lib/wiretrustee
+      - /var/lib/wiretrustee/dashboard/letsencrypt:/etc/letsencrypt:ro
+      - ./management.json:/etc/wiretrustee/management.json
+    #      - /var/log/wiretrustee/management.log:/var/log/wiretrustee/management.log
+    ports:
+      - 33073:33073 #gRPC port
+      - 33071:33071 #HTTP port
+  #     # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "$WIRETRUSTEE_DOMAIN", "--log-file", "console"]
+  # Coturn
+  coturn:
+    image: coturn/coturn
+    restart: unless-stopped
+    domainname: <YOUR DOMAIN>
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
+    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
+    network_mode: host
+volumes:
+  wiretrustee-mgmt:
+  wiretrustee-signal:
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -0,0 +1,39 @@
+{
+    "Stuns": [
+        {
+            "Proto": "udp",
+            "URI": "stun:$WIRETRUSTEE_DOMAIN:3478",
+            "Username": "",
+            "Password": null
+        }
+    ],
+    "TURNConfig": {
+        "Turns": [
+            {
+                "Proto": "udp",
+                "URI": "turn:$WIRETRUSTEE_DOMAIN:3478",
+                "Username": "",
+                "Password": null
+            }
+        ],
+        "CredentialsTTL": "12h",
+        "Secret": "secret",
+        "TimeBasedCredentials": false
+    },
+    "Signal": {
+        "Proto": "http",
+        "URI": "$WIRETRUSTEE_DOMAIN:10000",
+        "Username": "",
+        "Password": null
+    },
+    "Datadir": "",
+    "HttpConfig": {
+        "LetsEncryptDomain": "",
+        "CertFile":"/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/fullchain.pem",
+        "CertKey":"/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/privkey.pem",
+        "Address": "0.0.0.0:33071",
+        "AuthIssuer": "https://$WIRETRUSTEE_AUTH0_DOMAIN/",
+        "AuthAudience": "$WIRETRUSTEE_AUTH0_AUDIENCE",
+        "AuthKeysLocation": "https://$WIRETRUSTEE_AUTH0_DOMAIN/.well-known/jwks.json"
+    }
+}
--- a/infrastructure_files/setup.env
+++ b/infrastructure_files/setup.env
@@ -0,0 +1,10 @@
+# e.g. app.mydomain.com
+WIRETRUSTEE_DOMAIN=""
+# e.g. dev-24vkclam.us.auth0.com
+WIRETRUSTEE_AUTH0_DOMAIN=""
+# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
+WIRETRUSTEE_AUTH0_CLIENT_ID=""
+# e.g. https://app.mydomain.com/
+WIRETRUSTEE_AUTH0_AUDIENCE=""
+# e.g. hello@mydomain.com
+WIRETRUSTEE_LETSENCRYPT_EMAIL=""
--- a/infrastructure_files/turnserver.conf
+++ b/infrastructure_files/turnserver.conf
@@ -0,0 +1,724 @@
+# Coturn TURN SERVER configuration file
+#
+# Boolean values note: where a boolean value is supposed to be used,
+# you can use '0', 'off', 'no', 'false', or 'f' as 'false,
+# and you can use '1', 'on', 'yes', 'true', or 't' as 'true'
+# If the value is missing, then it means 'true' by default.
+#
+
+# Listener interface device (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#listening-device=eth0
+
+# TURN listener port for UDP and TCP (Default: 3478).
+# Note: actually, TLS & DTLS sessions can connect to the
+# "plain" TCP & UDP port(s), too - if allowed by configuration.
+#
+listening-port=3478
+
+# TURN listener port for TLS (Default: 5349).
+# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
+# port(s), too - if allowed by configuration. The TURN server
+# "automatically" recognizes the type of traffic. Actually, two listening
+# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
+# functionality; but Coturn keeps both endpoints to satisfy the RFC 5766 specs.
+# For secure TCP connections, Coturn currently supports SSL version 3 and
+# TLS version 1.0, 1.1 and 1.2.
+# For secure UDP connections, Coturn supports DTLS version 1.
+#
+tls-listening-port=5349
+
+# Alternative listening port for UDP and TCP listeners;
+# default (or zero) value means "listening port plus one".
+# This is needed for RFC 5780 support
+# (STUN extension specs, NAT behavior discovery). The TURN Server
+# supports RFC 5780 only if it is started with more than one
+# listening IP address of the same family (IPv4 or IPv6).
+# RFC 5780 is supported only by UDP protocol, other protocols
+# are listening to that endpoint only for "symmetry".
+#
+#alt-listening-port=0
+
+# Alternative listening port for TLS and DTLS protocols.
+# Default (or zero) value means "TLS listening port plus one".
+#
+#alt-tls-listening-port=0
+
+# Some network setups will require using a TCP reverse proxy in front
+# of the STUN server. If the proxy port option is set a single listener
+# is started on the given port that accepts connections using the
+# haproxy proxy protocol v2.
+# (https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt)
+#
+#tcp-proxy-port=5555
+
+# Listener IP address of relay server. Multiple listeners can be specified.
+# If no IP(s) specified in the config file or in the command line options,
+# then all IPv4 and IPv6 system IPs will be used for listening.
+#
+#listening-ip=172.17.19.101
+#listening-ip=10.207.21.238
+#listening-ip=2607:f0d0:1002:51::4
+
+# Auxiliary STUN/TURN server listening endpoint.
+# Aux servers have almost full TURN and STUN functionality.
+# The (minor) limitations are:
+#
+# 1) Auxiliary servers do not have alternative ports and
+# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
+#
+# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
+#
+# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
+#
+# There may be multiple aux-server options, each will be used for listening
+# to client requests.
+#
+#aux-server=172.17.19.110:33478
+#aux-server=[2607:f0d0:1002:51::4]:33478
+
+# (recommended for older Linuxes only)
+# Automatically balance UDP traffic over auxiliary servers (if configured).
+# The load balancing is using the ALTERNATE-SERVER mechanism.
+# The TURN client must support 300 ALTERNATE-SERVER response for this
+# functionality.
+#
+#udp-self-balance
+
+# Relay interface device for relay sockets (optional, Linux only).
+# NOT RECOMMENDED.
+#
+#relay-device=eth1
+
+# Relay address (the local IP address that will be used to relay the
+# packets to the peer).
+# Multiple relay addresses may be used.
+# The same IP(s) can be used as both listening IP(s) and relay IP(s).
+#
+# If no relay IP(s) specified, then the turnserver will apply the default
+# policy: it will decide itself which relay addresses to be used, and it
+# will always be using the client socket IP address as the relay IP address
+# of the TURN session (if the requested relay address family is the same
+# as the family of the client socket).
+#
+#relay-ip=172.17.19.105
+#relay-ip=2607:f0d0:1002:51::5
+
+# For Amazon EC2 users:
+#
+# TURN Server public/private address mapping, if the server is behind NAT.
+# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
+# as relay IP address of all allocations. This scenario works only in a simple case
+# when one single relay address is be used, and no RFC5780 functionality is required.
+# That single relay address must be mapped by NAT to the 'external' IP.
+# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
+# For that 'external' IP, NAT must forward ports directly (relayed port 12345
+# must be always mapped to the same 'external' port 12345).
+#
+# In more complex case when more than one IP address is involved,
+# that option must be used several times, each entry must
+# have form "-X <public-ip/private-ip>", to map all involved addresses.
+# RFC5780 NAT discovery STUN functionality will work correctly,
+# if the addresses are mapped properly, even when the TURN server itself
+# is behind A NAT.
+#
+# By default, this value is empty, and no address mapping is used.
+#
+# external-ip=193.224.22.37
+#
+#OR:
+#
+#external-ip=60.70.80.91/172.17.19.101
+#external-ip=60.70.80.92/172.17.19.102
+
+
+# Number of the relay threads to handle the established connections
+# (in addition to authentication thread and the listener thread).
+# If explicitly set to 0 then application runs relay process in a
+# single thread, in the same thread with the listener process
+# (the authentication thread will still be a separate thread).
+#
+# If this parameter is not set, then the default OS-dependent
+# thread pattern algorithm will be employed. Usually the default
+# algorithm is optimal, so you have to change this option
+# if you want to make some fine tweaks.
+#
+# In the older systems (Linux kernel before 3.9),
+# the number of UDP threads is always one thread per network listening
+# endpoint - including the auxiliary endpoints - unless 0 (zero) or
+# 1 (one) value is set.
+#
+#relay-threads=0
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=65535
+
+# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
+# By default the verbose mode is off.
+verbose
+
+# Uncomment to run TURN server in 'extra' verbose mode.
+# This mode is very annoying and produces lots of output.
+# Not recommended under normal circumstances.
+#
+#Verbose
+
+# Uncomment to use fingerprints in the TURN messages.
+# By default the fingerprints are off.
+#
+fingerprint
+
+# Uncomment to use long-term credential mechanism.
+# By default no credentials mechanism is used (any user allowed).
+#
+lt-cred-mech
+
+# This option is the opposite of lt-cred-mech.
+# (TURN Server with no-auth option allows anonymous access).
+# If neither option is defined, and no users are defined,
+# then no-auth is default. If at least one user is defined,
+# in this file, in command line or in usersdb file, then
+# lt-cred-mech is default.
+#
+#no-auth
+
+# TURN REST API flag.
+# (Time Limited Long Term Credential)
+# Flag that sets a special authorization option that is based upon authentication secret.
+#
+# This feature's purpose is to support "TURN Server REST API", see
+# "TURN REST API" link in the project's page
+# https://github.com/coturn/coturn/
+#
+# This option is used with timestamp:
+#
+# usercombo -> "timestamp:userid"
+# turn user -> usercombo
+# turn password -> base64(hmac(secret key, usercombo))
+#
+# This allows TURN credentials to be accounted for a specific user id.
+# If you don't have a suitable id, then the timestamp alone can be used.
+# This option is enabled by turning on secret-based authentication.
+# The actual value of the secret is defined either by the option static-auth-secret,
+# or can be found in the turn_secret table in the database (see below).
+#
+# Read more about it:
+#  - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
+#  - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
+#
+# Be aware that use-auth-secret overrides some parts of lt-cred-mech.
+# The use-auth-secret feature depends internally on lt-cred-mech, so if you set
+# this option then it automatically enables lt-cred-mech internally
+# as if you had enabled both.
+#
+# Note that you can use only one auth mechanism at the same time! This is because,
+# both mechanisms conduct username and password validation in different ways.
+#
+# Use either lt-cred-mech or use-auth-secret in the conf
+# to avoid any confusion.
+#
+#use-auth-secret
+
+# 'Static' authentication secret value (a string) for TURN REST API only.
+# If not set, then the turn server
+# will try to use the 'dynamic' value in the turn_secret table
+# in the user database (if present). The database-stored  value can be changed on-the-fly
+# by a separate program, so this is why that mode is considered 'dynamic'.
+#
+#static-auth-secret=north
+
+# Server name used for
+# the oAuth authentication purposes.
+# The default value is the realm name.
+#
+# server-name=stun.wiretrustee.com
+
+# Flag that allows oAuth authentication.
+#
+#oauth
+
+# 'Static' user accounts for the long term credentials mechanism, only.
+# This option cannot be used with TURN REST API.
+# 'Static' user accounts are NOT dynamically checked by the turnserver process,
+# so they can NOT be changed while the turnserver is running.
+#
+#user=username1:key1
+#user=username2:key2
+# OR:
+user=username1:password1
+#user=username2:password2
+#
+# Keys must be generated by turnadmin utility. The key value depends
+# on user name, realm, and password:
+#
+# Example:
+# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
+# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
+# ('0x' in the beginning of the key is what differentiates the key from
+# password. If it has 0x then it is a key, otherwise it is a password).
+#
+# The corresponding user account entry in the config file will be:
+#
+#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
+# Or, equivalently, with open clear password (less secure):
+#user=ninefingers:youhavetoberealistic
+#
+
+# SQLite database file name.
+#
+# The default file name is /var/db/turndb or /usr/local/var/db/turndb or
+# /var/lib/turn/turndb.
+#
+#userdb=/var/db/turndb
+
+# PostgreSQL database connection string in the case that you are using PostgreSQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
+# versions connection string format, see
+# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for 9.x and newer connection string formats.
+#
+#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
+
+# MySQL database connection string in the case that you are using MySQL
+# as the user database.
+# This database can be used for the long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+#
+# Optional connection string parameters for the secure communications (SSL):
+# ca, capath, cert, key, cipher
+# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
+# command options description).
+#
+# Use the string format below (space separated parameters, all optional):
+#
+# mysql-userdb="host=mysql dbname=coturn user=coturn password=CHANGE_ME port=3306 connect_timeout=10 read_timeout=10"
+
+# If you want to use an encrypted password in the MySQL connection string,
+# then set the MySQL password encryption secret key file with this option.
+#
+# Warning: If this option is set, then the mysql password must be set in "mysql-userdb" in an encrypted format!
+# If you want to use a cleartext password then do not set this option!
+#
+# This is the file path for the aes encrypted secret key used for password encryption.
+#
+#secret-key-file=/path/
+
+# MongoDB database connection string in the case that you are using MongoDB
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
+#
+#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
+
+# Redis database connection string in the case that you are using Redis
+# as the user database.
+# This database can be used for long-term credential mechanism
+# and it can store the secret value for secret-based timed authentication in TURN REST API.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
+# This database keeps allocations status information, and it can be also used for publishing
+# and delivering traffic and allocation event notifications.
+# The connection string has the same parameters as redis-userdb connection string.
+# Use the string format below (space separated parameters, all optional):
+#
+#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
+
+# The default realm to be used for the users when no explicit
+# origin/realm relationship is found in the database, or if the TURN
+# server is not using any database (just the commands-line settings
+# and the userdb file). Must be used with long-term credentials
+# mechanism or with TURN REST API.
+#
+# Note: If the default realm is not specified, then realm falls back to the host domain name.
+#       If the domain name string is empty, or set to '(None)', then it is initialized as an empty string.
+#
+realm=wiretrustee.com
+# This flag sets the origin consistency
+# check. Across the session, all requests must have the same
+# main ORIGIN attribute value (if the ORIGIN was
+# initially used by the session).
+#
+#check-origin-consistency
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+#
+#user-quota=0
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+#
+#total-quota=0
+
+# Max bytes-per-second bandwidth a TURN session is allowed to handle
+# (input and output network streams are treated separately). Anything above
+# that limit will be dropped or temporarily suppressed (within
+# the available buffer limits).
+# This option can also be set through the database, for a particular realm.
+#
+#max-bps=0
+
+#
+# Maximum server capacity.
+# Total bytes-per-second bandwidth the TURN server is allowed to allocate
+# for the sessions, combined (input and output network streams are treated separately).
+#
+# bps-capacity=0
+
+# Uncomment if no UDP client listener is desired.
+# By default UDP client listener is always started.
+#
+#no-udp
+
+# Uncomment if no TCP client listener is desired.
+# By default TCP client listener is always started.
+#
+#no-tcp
+
+# Uncomment if no TLS client listener is desired.
+# By default TLS client listener is always started.
+#
+#no-tls
+
+# Uncomment if no DTLS client listener is desired.
+# By default DTLS client listener is always started.
+#
+#no-dtls
+
+# Uncomment if no UDP relay endpoints are allowed.
+# By default UDP relay endpoints are enabled (like in RFC 5766).
+#
+#no-udp-relay
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+#no-tcp-relay
+
+# Uncomment if extra security is desired,
+# with nonce value having a limited lifetime.
+# The nonce value is unique for a session.
+# Set this option to limit the nonce lifetime.
+# Set it to 0 for unlimited lifetime.
+# It defaults to 600 secs (10 min) if no value is provided. After that delay,
+# the client will get 438 error and will have to re-authenticate itself.
+#
+#stale-nonce=600
+
+# Uncomment if you want to set the maximum allocation
+# time before it has to be refreshed.
+# Default is 3600s.
+#
+#max-allocate-lifetime=3600
+
+
+# Uncomment to set the lifetime for the channel.
+# Default value is 600 secs (10 minutes).
+# This value MUST not be changed for production purposes.
+#
+#channel-lifetime=600
+
+# Uncomment to set the permission lifetime.
+# Default to 300 secs (5 minutes).
+# In production this value MUST not be changed,
+# however it can be useful for test purposes.
+#
+#permission-lifetime=300
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+cert=/etc/coturn/certs/cert.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+#
+pkey=/etc/coturn/private/privkey.pem
+
+# Private key file password, if it is in encoded format.
+# This option has no default value.
+#
+#pkey-pwd=...
+
+# Allowed OpenSSL cipher list for TLS/DTLS connections.
+# Default value is "DEFAULT".
+#
+#cipher-list="DEFAULT"
+
+# CA file in OpenSSL format.
+# Forces TURN server to verify the client SSL certificates.
+# By default this is not set: there is no default value and the client
+# certificate is not checked.
+#
+# Example:
+#CA-file=/etc/ssh/id_rsa.cert
+
+# Curve name for EC ciphers, if supported by OpenSSL
+# library (TLS and DTLS). The default value is prime256v1,
+# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
+# an optimal curve will be automatically calculated, if not defined
+# by this option.
+#
+#ec-curve-name=prime256v1
+
+# Use 566 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh566
+
+# Use 1066 bits predefined DH TLS key. Default size of the key is 2066.
+#
+#dh1066
+
+# Use custom DH TLS key, stored in PEM format in the file.
+# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
+#
+#dh-file=<DH-PEM-file-name>
+
+# Flag to prevent stdout log messages.
+# By default, all log messages go to both stdout and to
+# the configured log file. With this option everything will
+# go to the configured log only (unless the log file itself is stdout).
+#
+#no-stdout-log
+
+# Option to set the log file name.
+# By default, the turnserver tries to open a log file in
+# /var/log, /var/tmp, /tmp and the current directory
+# (Whichever file open operation succeeds first will be used).
+# With this option you can set the definite log file name.
+# The special names are "stdout" and "-" - they will force everything
+# to the stdout. Also, the "syslog" name will force everything to
+# the system log (syslog).
+# In the runtime, the logfile can be reset with the SIGHUP signal
+# to the turnserver process.
+#
+log-file=stdout
+
+# Option to redirect all log output into system log (syslog).
+#
+# syslog
+
+# This flag means that no log file rollover will be used, and the log file
+# name will be constructed as-is, without PID and date appendage.
+# This option can be used, for example, together with the logrotate tool.
+#
+#simple-log
+
+# Option to set the "redirection" mode. The value of this option
+# will be the address of the alternate server for UDP & TCP service in the form of
+# <ip>[:<port>]. The server will send this value in the attribute
+# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
+# Client will receive only values with the same address family
+# as the client network endpoint address family.
+# See RFC 5389 and RFC 5766 for the description of ALTERNATE-SERVER functionality.
+# The client must use the obtained value for subsequent TURN communications.
+# If more than one --alternate-server option is provided, then the functionality
+# can be more accurately described as "load-balancing" than a mere "redirection".
+# If the port number is omitted, then the default port
+# number 3478 for the UDP/TCP protocols will be used.
+# Colon (:) characters in IPv6 addresses may conflict with the syntax of
+# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
+# in square brackets in such resource identifiers, for example:
+# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
+# Multiple alternate servers can be set. They will be used in the
+# round-robin manner. All servers in the pool are considered of equal weight and
+# the load will be distributed equally. For example, if you have 4 alternate servers,
+# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
+# address can be used more than one time with the alternate-server option, so this
+# can emulate "weighting" of the servers.
+#
+# Examples:
+#alternate-server=1.2.3.4:5678
+#alternate-server=11.22.33.44:56789
+#alternate-server=5.6.7.8
+#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to set alternative server for TLS & DTLS services in form of
+# <ip>:<port>. If the port number is omitted, then the default port
+# number 5349 for the TLS/DTLS protocols will be used. See the previous
+# option for the functionality description.
+#
+# Examples:
+#tls-alternate-server=1.2.3.4:5678
+#tls-alternate-server=11.22.33.44:56789
+#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
+
+# Option to suppress TURN functionality, only STUN requests will be processed.
+# Run as STUN server only, all TURN requests will be ignored.
+# By default, this option is NOT set.
+#
+#stun-only
+
+# Option to hide software version. Enhance security when used in production.
+# Revealing the specific software version of the agent through the
+# SOFTWARE attribute might allow them to become more vulnerable to
+# attacks against software that is known to contain security holes.
+# Implementers SHOULD make usage of the SOFTWARE attribute a
+# configurable option (https://tools.ietf.org/html/rfc5389#section-16.1.2)
+#
+no-software-attribute
+
+# Option to suppress STUN functionality, only TURN requests will be processed.
+# Run as TURN server only, all STUN requests will be ignored.
+# By default, this option is NOT set.
+#
+#no-stun
+
+# This is the timestamp/username separator symbol (character) in TURN REST API.
+# The default value is ':'.
+# rest-api-separator=:
+
+# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
+# This is an extra security measure.
+#
+# (To avoid any security issue that allowing loopback access may raise,
+# the no-loopback-peers option is replaced by allow-loopback-peers.)
+#
+# Allow it only for testing in a development environment!
+# In production it adds a possible security vulnerability, so for security reasons
+# it is not allowed using it together with empty cli-password.
+#
+#allow-loopback-peers
+
+# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
+# This is an extra security measure.
+#
+#no-multicast-peers
+
+# Option to set the max time, in seconds, allowed for full allocation establishment.
+# Default is 60 seconds.
+#
+#max-allocate-timeout=60
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+# Examples:
+# denied-peer-ip=83.166.64.0-83.166.95.255
+# allowed-peer-ip=83.166.68.45
+
+# File name to store the pid of the process.
+# Default is /var/run/turnserver.pid (if superuser account is used) or
+# /var/tmp/turnserver.pid .
+#
+pidfile="/var/tmp/turnserver.pid"
+
+# Require authentication of the STUN Binding request.
+# By default, the clients are allowed anonymous access to the STUN Binding functionality.
+#
+#secure-stun
+
+# Mobility with ICE (MICE) specs support.
+#
+#mobility
+
+# Allocate Address Family according
+# If enabled then TURN server allocates address family according  the TURN
+# Client <=> Server communication address family.
+# (By default Coturn works according RFC 6156.)
+# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
+#
+#keep-address-family
+
+
+# User name to run the process. After the initialization, the turnserver process
+# will attempt to change the current user ID to that user.
+#
+#proc-user=<user-name>
+
+# Group name to run the process. After the initialization, the turnserver process
+# will attempt to change the current group ID to that group.
+#
+#proc-group=<group-name>
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+#Local system IP address to be used for CLI server endpoint. Default value
+# is 127.0.0.1.
+#
+# cli-ip=127.0.0.1
+
+# CLI server port. Default is 5766.
+#
+# cli-port=5766
+
+# CLI access password. Default is empty (no password).
+# For the security reasons, it is recommended that you use the encrypted
+# form of the password (see the -P command in the turnadmin utility).
+#
+# Secure form for password 'qwerty':
+#
+#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
+#
+# Or unsecure form for the same password:
+#
+# cli-password=CHANGE_ME
+
+# Enable Web-admin support on https. By default it is Disabled.
+# If it is enabled it also enables a http a simple static banner page
+# with a small reminder that the admin page is available only on https.
+#
+#web-admin
+
+# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
+#
+#web-admin-ip=127.0.0.1
+
+# Web-admin server port. Default is 8080.
+#
+#web-admin-port=8080
+
+# Web-admin server listen on STUN/TURN worker threads
+# By default it is disabled for security resons! (Not recommended in any production environment!)
+#
+#web-admin-listen-on-workers
+
+# Server relay. NON-STANDARD AND DANGEROUS OPTION.
+# Only for those applications when you want to run
+# server applications on the relay endpoints.
+# This option eliminates the IP permissions check on
+# the packets incoming to the relay endpoints.
+#
+#server-relay
+
+# Maximum number of output sessions in ps CLI command.
+# This value can be changed on-the-fly in CLI. The default value is 256.
+#
+#cli-max-output-sessions
+
+# Set network engine type for the process (for internal purposes).
+#
+#ne=[1|2|3]
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
--- a/management/Dockerfile
+++ b/management/Dockerfile
@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base
+ENTRYPOINT [ "/go/bin/wiretrustee-mgmt","management"]
+CMD ["--log-file", "console"]
+COPY wiretrustee-mgmt /go/bin/wiretrustee-mgmt
--- a/management/Dockerfile.debug
+++ b/management/Dockerfile.debug
@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base:debug
+ENTRYPOINT [ "/go/bin/wiretrustee-mgmt","management","--log-level","debug"]
+CMD ["--log-file", "console"]
+COPY wiretrustee-mgmt /go/bin/wiretrustee-mgmt
--- a/management/README.md
+++ b/management/README.md
@@ -0,0 +1,113 @@
+# Wiretrustee Management Server
+Wiretrustee management server will control and synchronize peers configuration within your wiretrustee account and network.
+
+## Command Options
+The CLI accepts the command **management** with the following options:
+```shell
+start Wiretrustee Management Server
+
+Usage:
+  wiretrustee-mgmt management [flags]
+
+Flags:
+      --datadir string              server data directory location (default "/var/lib/wiretrustee/")
+  -h, --help                        help for management
+      --letsencrypt-domain string   a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS
+      --port int                    server port to listen on (default 33073)
+      --cert-file string            Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect
+      --cert-key string             Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect
+Global Flags:
+      --config string      Wiretrustee config file location to write new config to (default "/etc/wiretrustee/config.json")
+      --log-level string    (default "info")
+      --log-file string    sets Wiretrustee log path. If console is specified the the log will be output to stdout (default "/var/log/wiretrustee/management.log")
+```
+## Run Management service (Docker)
+
+You can run service in 2 modes - with TLS or without (not recommended).
+
+### Run with TLS (Let's Encrypt). 
+By specifying the **--letsencrypt-domain** the daemon will handle SSL certificate request and configuration.
+
+In the following example ```33073``` is the management service **default** port, and ```443``` will be used as port for Let's Encrypt challenge and HTTP API.
+> The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge).
+
+Replace <YOUR-DOMAIN> with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com).
+
+```bash
+# create a volume
+docker volume create wiretrustee-mgmt
+# run the docker container
+docker run -d --name wiretrustee-management \
+-p 33073:33073  \
+-p 443:443  \
+-v wiretrustee-mgmt:/var/lib/wiretrustee  \
+-v ./config.json:/etc/wiretrustee/config.json  \
+wiretrustee/management:latest \
+--letsencrypt-domain <YOUR-DOMAIN>
+```
+> An example of config.json can be found here [config.json](../infrastructure_files/config.json)
+
+Trigger Let's encrypt certificate generation:
+```bash
+curl https://<YOUR-DOMAIN>
+```
+
+The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```) inside the container.
+
+Make sure that the ```datadir``` is mapped to some folder on a host machine. In case you used the volume command, you can run the following to retrieve the Mountpoint:
+```shell
+docker volume inspect wiretrustee-mgmt
+[
+    {
+        "CreatedAt": "2021-07-25T20:45:28Z",
+        "Driver": "local",
+        "Labels": {},
+        "Mountpoint": "/var/lib/docker/volumes/mgmt/_data",
+        "Name": "wiretrustee-mgmt",
+        "Options": {},
+        "Scope": "local"
+    }
+]
+```
+Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart.
+
+### Run without TLS.
+
+```bash
+# create a volume
+docker volume create wiretrustee-mgmt
+# run the docker container
+docker run -d --name wiretrustee-management \
+-p 33073:33073  \
+-v wiretrustee-mgmt:/var/lib/wiretrustee  \
+-v ./config.json:/etc/wiretrustee/config.json  \
+wiretrustee/management:latest
+```
+### Debug tag
+We also publish a docker image with the debug tag which has the log-level set to default, plus it uses the ```gcr.io/distroless/base:debug``` image that can be used with docker exec in order to run some commands in the Management container.
+```shell
+shell $ docker run -d --name wiretrustee-management-debug \
+-p 33073:33073  \
+-v wiretrustee-mgmt:/var/lib/wiretrustee  \
+-v ./config.json:/etc/wiretrustee/config.json  \
+wiretrustee/management:debug-latest
+
+shell $ docker exec -ti wiretrustee-management-debug /bin/sh
+container-shell $ 
+```
+## For development purposes:
+
+Install golang gRpc tools:
+```bash
+#!/bin/bash
+go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+```
+
+Generate gRpc code:
+
+```bash
+#!/bin/bash
+protoc -I proto/ proto/management.proto --go_out=. --go-grpc_out=.
+```
+
--- a/management/client/client.go
+++ b/management/client/client.go
@@ -0,0 +1,252 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/client/system"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	"github.com/wiretrustee/wiretrustee/management/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
+	"io"
+	"time"
+)
+
+type Client struct {
+	key        wgtypes.Key
+	realClient proto.ManagementServiceClient
+	ctx        context.Context
+	conn       *grpc.ClientConn
+}
+
+// NewClient creates a new client to Management service
+func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*Client, error) {
+
+	transportOption := grpc.WithInsecure()
+
+	if tlsEnabled {
+		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+	}
+
+	mgmCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+	conn, err := grpc.DialContext(
+		mgmCtx,
+		addr,
+		transportOption,
+		grpc.WithBlock(),
+		grpc.WithKeepaliveParams(keepalive.ClientParameters{
+			Time:    15 * time.Second,
+			Timeout: 10 * time.Second,
+		}))
+
+	if err != nil {
+		log.Errorf("failed creating connection to Management Service %v", err)
+		return nil, err
+	}
+
+	realClient := proto.NewManagementServiceClient(conn)
+
+	return &Client{
+		key:        ourPrivateKey,
+		realClient: realClient,
+		ctx:        ctx,
+		conn:       conn,
+	}, nil
+}
+
+// Close closes connection to the Management Service
+func (c *Client) Close() error {
+	return c.conn.Close()
+}
+
+//defaultBackoff is a basic backoff mechanism for general issues
+func defaultBackoff(ctx context.Context) backoff.BackOff {
+	return backoff.WithContext(&backoff.ExponentialBackOff{
+		InitialInterval:     800 * time.Millisecond,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}, ctx)
+}
+
+// ready indicates whether the client is okay and ready to be used
+// for now it just checks whether gRPC connection to the service is ready
+func (c *Client) ready() bool {
+	return c.conn.GetState() == connectivity.Ready
+}
+
+// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
+// Blocking request. The result will be sent via msgHandler callback function
+func (c *Client) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
+
+	var backOff = defaultBackoff(c.ctx)
+
+	operation := func() error {
+
+		log.Debugf("management connection state %v", c.conn.GetState())
+
+		if !c.ready() {
+			return fmt.Errorf("no connection to management")
+		}
+
+		// todo we already have it since we did the Login, maybe cache it locally?
+		serverPubKey, err := c.GetServerPublicKey()
+		if err != nil {
+			log.Errorf("failed getting Management Service public key: %s", err)
+			return err
+		}
+
+		stream, err := c.connectToStream(*serverPubKey)
+		if err != nil {
+			log.Errorf("failed to open Management Service stream: %s", err)
+			return err
+		}
+
+		log.Infof("connected to the Management Service stream")
+
+		// blocking until error
+		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
+		if err != nil {
+			backOff.Reset()
+			return err
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+
+	return nil
+}
+
+func (c *Client) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
+	req := &proto.SyncRequest{}
+
+	myPrivateKey := c.key
+	myPublicKey := myPrivateKey.PublicKey()
+
+	encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
+	if err != nil {
+		log.Errorf("failed encrypting message: %s", err)
+		return nil, err
+	}
+
+	syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
+	return c.realClient.Sync(c.ctx, syncReq)
+}
+
+func (c *Client) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
+	for {
+		update, err := stream.Recv()
+		if err == io.EOF {
+			log.Errorf("Management stream has been closed by server: %s", err)
+			return err
+		}
+		if err != nil {
+			log.Warnf("disconnected from Management Service sync stream: %v", err)
+			return err
+		}
+
+		log.Debugf("got an update message from Management Service")
+		decryptedResp := &proto.SyncResponse{}
+		err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp)
+		if err != nil {
+			log.Errorf("failed decrypting update message from Management Service: %s", err)
+			return err
+		}
+
+		err = msgHandler(decryptedResp)
+		if err != nil {
+			log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
+			return err
+		}
+	}
+}
+
+// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
+func (c *Client) GetServerPublicKey() (*wgtypes.Key, error) {
+	if !c.ready() {
+		return nil, fmt.Errorf("no connection to management")
+	}
+
+	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
+	defer cancel()
+	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
+	if err != nil {
+		return nil, err
+	}
+
+	serverKey, err := wgtypes.ParseKey(resp.Key)
+	if err != nil {
+		return nil, err
+	}
+
+	return &serverKey, nil
+}
+
+func (c *Client) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
+	if !c.ready() {
+		return nil, fmt.Errorf("no connection to management")
+	}
+	loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
+	if err != nil {
+		log.Errorf("failed to encrypt message: %s", err)
+		return nil, err
+	}
+	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
+	defer cancel()
+	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
+		WgPubKey: c.key.PublicKey().String(),
+		Body:     loginReq,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	loginResp := &proto.LoginResponse{}
+	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
+	if err != nil {
+		log.Errorf("failed to decrypt registration message: %s", err)
+		return nil, err
+	}
+
+	return loginResp, nil
+}
+
+// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
+// Takes care of encrypting and decrypting messages.
+// This method will also collect system info and send it with the request (e.g. hostname, os, etc)
+func (c *Client) Register(serverKey wgtypes.Key, setupKey string) (*proto.LoginResponse, error) {
+	gi := system.GetInfo()
+	meta := &proto.PeerSystemMeta{
+		Hostname:           gi.Hostname,
+		GoOS:               gi.GoOS,
+		OS:                 gi.OS,
+		Core:               gi.OSVersion,
+		Platform:           gi.Platform,
+		Kernel:             gi.Kernel,
+		WiretrusteeVersion: "",
+	}
+	log.Debugf("detected system %v", meta)
+	return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: meta})
+}
+
+// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
+func (c *Client) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
+	return c.login(serverKey, &proto.LoginRequest{})
+}
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -0,0 +1,179 @@
+package client
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"net"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+var tested *Client
+var serverAddr string
+
+const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
+
+func Test_Start(t *testing.T) {
+	level, _ := log.ParseLevel("debug")
+	log.SetLevel(level)
+
+	testKey, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	ctx := context.Background()
+	config := &mgmt.Config{}
+	_, err = util.ReadJson("../server/testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	config.Datadir = testDir
+	err = util.CopyFileContents("../server/testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, listener := startManagement(config, t)
+	serverAddr = listener.Addr().String()
+	tested, err = NewClient(ctx, serverAddr, testKey, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	store, err := mgmt.NewStore(config.Datadir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peersUpdateManager := mgmt.NewPeersUpdateManager()
+	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+			return
+		}
+	}()
+
+	return s, lis
+}
+
+func TestClient_GetServerPublicKey(t *testing.T) {
+
+	key, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+
+	if key == nil {
+		t.Error("expecting non nil server key got nil")
+	}
+}
+
+func TestClient_LoginUnregistered_ShouldThrow_401(t *testing.T) {
+	key, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = tested.Login(*key)
+	if err == nil {
+		t.Error("expecting err on unregistered login, got nil")
+	}
+	if s, ok := status.FromError(err); !ok || s.Code() != codes.PermissionDenied {
+		t.Errorf("expecting err code %d denied on on unregistered login got %d", codes.PermissionDenied, s.Code())
+	}
+}
+
+func TestClient_LoginRegistered(t *testing.T) {
+	key, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+	resp, err := tested.Register(*key, ValidKey)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if resp == nil {
+		t.Error("expecting non nil response, got nil")
+	}
+}
+
+func TestClient_Sync(t *testing.T) {
+	serverKey, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+
+	_, err = tested.Register(*serverKey, ValidKey)
+	if err != nil {
+		t.Error(err)
+	}
+
+	// create and register second peer (we should receive on Sync request)
+	remoteKey, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Error(err)
+	}
+	remoteClient, err := NewClient(context.TODO(), serverAddr, remoteKey, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = remoteClient.Register(*serverKey, ValidKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ch := make(chan *mgmtProto.SyncResponse, 1)
+
+	go func() {
+		err = tested.Sync(func(msg *mgmtProto.SyncResponse) error {
+			ch <- msg
+			return nil
+		})
+		if err != nil {
+			return
+		}
+	}()
+
+	select {
+	case resp := <-ch:
+		if resp.GetPeerConfig() == nil {
+			t.Error("expecting non nil PeerConfig got nil")
+		}
+		if resp.GetWiretrusteeConfig() == nil {
+			t.Error("expecting non nil WiretrusteeConfig got nil")
+		}
+		if len(resp.GetRemotePeers()) != 1 {
+			t.Errorf("expecting RemotePeers size %d got %d", 1, len(resp.GetRemotePeers()))
+		}
+		if resp.GetRemotePeersIsEmpty() == true {
+			t.Error("expecting RemotePeers property to be false, got true")
+		}
+		if resp.GetRemotePeers()[0].GetWgPubKey() != remoteKey.PublicKey().String() {
+			t.Errorf("expecting RemotePeer public key %s got %s", remoteKey.PublicKey().String(), resp.GetRemotePeers()[0].GetWgPubKey())
+		}
+	case <-time.After(3 * time.Second):
+		t.Error("timeout waiting for test to finish")
+	}
+}
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -0,0 +1,187 @@
+package cmd
+
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/management/server/http"
+	"github.com/wiretrustee/wiretrustee/util"
+	"net"
+	"os"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
+)
+
+var (
+	mgmtPort              int
+	mgmtDataDir           string
+	mgmtConfig            string
+	mgmtLetsencryptDomain string
+	certFile              string
+	certKey               string
+
+	kaep = keepalive.EnforcementPolicy{
+		MinTime:             15 * time.Second,
+		PermitWithoutStream: true,
+	}
+
+	kasp = keepalive.ServerParameters{
+		MaxConnectionIdle:     15 * time.Second,
+		MaxConnectionAgeGrace: 5 * time.Second,
+		Time:                  5 * time.Second,
+		Timeout:               2 * time.Second,
+	}
+
+	mgmtCmd = &cobra.Command{
+		Use:   "management",
+		Short: "start Wiretrustee Management Server",
+		Run: func(cmd *cobra.Command, args []string) {
+			flag.Parse()
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Fatalf("failed initializing log %v", err)
+			}
+
+			config, err := loadConfig()
+			if err != nil {
+				log.Fatalf("failed reading provided config file: %s: %v", mgmtConfig, err)
+			}
+
+			if _, err = os.Stat(config.Datadir); os.IsNotExist(err) {
+				err = os.MkdirAll(config.Datadir, os.ModeDir)
+				if err != nil {
+					log.Fatalf("failed creating datadir: %s: %v", config.Datadir, err)
+				}
+			}
+
+			store, err := server.NewStore(config.Datadir)
+			if err != nil {
+				log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
+			}
+			peersUpdateManager := server.NewPeersUpdateManager()
+			accountManager := server.NewManager(store, peersUpdateManager)
+
+			var opts []grpc.ServerOption
+
+			var httpServer *http.Server
+			if config.HttpConfig.LetsEncryptDomain != "" {
+				//automatically generate a new certificate with Let's Encrypt
+				certManager := encryption.CreateCertManager(config.Datadir, config.HttpConfig.LetsEncryptDomain)
+				transportCredentials := credentials.NewTLS(certManager.TLSConfig())
+				opts = append(opts, grpc.Creds(transportCredentials))
+
+				httpServer = http.NewHttpsServer(config.HttpConfig, certManager, accountManager)
+			} else if config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "" {
+				//use provided certificate
+				tlsConfig, err := loadTLSConfig(config.HttpConfig.CertFile, config.HttpConfig.CertKey)
+				if err != nil {
+					log.Fatal("cannot load TLS credentials: ", err)
+				}
+				transportCredentials := credentials.NewTLS(tlsConfig)
+				opts = append(opts, grpc.Creds(transportCredentials))
+				httpServer = http.NewHttpsServerWithTLSConfig(config.HttpConfig, tlsConfig, accountManager)
+			} else {
+				//start server without SSL
+				httpServer = http.NewHttpServer(config.HttpConfig, accountManager)
+			}
+
+			opts = append(opts, grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
+			grpcServer := grpc.NewServer(opts...)
+			turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+			server, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
+			if err != nil {
+				log.Fatalf("failed creating new server: %v", err)
+			}
+			mgmtProto.RegisterManagementServiceServer(grpcServer, server)
+			log.Printf("started server: localhost:%v", mgmtPort)
+
+			lis, err := net.Listen("tcp", fmt.Sprintf(":%d", mgmtPort))
+			if err != nil {
+				log.Fatalf("failed to listen: %v", err)
+			}
+
+			go func() {
+				if err = grpcServer.Serve(lis); err != nil {
+					log.Fatalf("failed to serve gRpc server: %v", err)
+				}
+			}()
+
+			go func() {
+				err = httpServer.Start()
+				if err != nil {
+					log.Fatalf("failed to serve http server: %v", err)
+				}
+			}()
+
+			SetupCloseHandler()
+			<-stopCh
+			log.Println("Receive signal to stop running Management server")
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			err = httpServer.Stop(ctx)
+			if err != nil {
+				log.Fatalf("failed stopping the http server %v", err)
+			}
+
+			grpcServer.Stop()
+		},
+	}
+)
+
+func loadConfig() (*server.Config, error) {
+	config := &server.Config{}
+	_, err := util.ReadJson(mgmtConfig, config)
+	if err != nil {
+		return nil, err
+	}
+	if mgmtLetsencryptDomain != "" {
+		config.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
+	}
+	if mgmtDataDir != "" {
+		config.Datadir = mgmtDataDir
+	}
+
+	if certKey != "" && certFile != "" {
+		config.HttpConfig.CertFile = certFile
+		config.HttpConfig.CertKey = certKey
+	}
+
+	return config, err
+}
+
+func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
+	// Load server's certificate and private key
+	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the credentials and return it
+	config := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.NoClientCert,
+	}
+
+	return config, nil
+}
+
+func init() {
+	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 33073, "server port to listen on")
+	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", "/var/lib/wiretrustee/", "server data directory location")
+	mgmtCmd.Flags().StringVar(&mgmtConfig, "config", "/etc/wiretrustee/management.json", "Wiretrustee config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
+	mgmtCmd.Flags().StringVar(&mgmtLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
+	mgmtCmd.Flags().StringVar(&certFile, "cert-file", "", "Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
+	mgmtCmd.Flags().StringVar(&certKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
+
+	rootCmd.MarkFlagRequired("config") //nolint
+
+}
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -0,0 +1,63 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/spf13/cobra"
+	"os"
+	"os/signal"
+	"runtime"
+)
+
+const (
+	// ExitSetupFailed defines exit code
+	ExitSetupFailed = 1
+)
+
+var (
+	configPath        string
+	defaultConfigPath string
+	logLevel          string
+	defaultLogFile    string
+	logFile           string
+
+	rootCmd = &cobra.Command{
+		Use:   "wiretrustee-mgmt",
+		Short: "",
+		Long:  "",
+	}
+
+	// Execution control channel for stopCh signal
+	stopCh chan int
+)
+
+// Execute executes the root command.
+func Execute() error {
+	return rootCmd.Execute()
+}
+func init() {
+
+	stopCh = make(chan int)
+
+	defaultConfigPath = "/etc/wiretrustee/management.json"
+	defaultLogFile = "/var/log/wiretrustee/management.log"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "management.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "management.log"
+	}
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location to write new config to")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Wiretrustee log path. If console is specified the the log will be output to stdout")
+	rootCmd.AddCommand(mgmtCmd)
+}
+
+// SetupCloseHandler handles SIGTERM signal and exits with success
+func SetupCloseHandler() {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, os.Interrupt)
+	go func() {
+		for range c {
+			fmt.Println("\r- Ctrl+C pressed in Terminal")
+			stopCh <- 0
+		}
+	}()
+}
--- a/Show More
+++ b/Show More