chore: cleanup

2026-04-17 15:56:39 +00:00 · 2021-11-20 23:04:45 +01:00 · 2021-11-17 19:33:23 +01:00 · 2021-11-16 14:59:37 +01:00 · 2021-11-16 14:36:24 +01:00 · 2021-11-15 22:08:44 +01:00
154 changed files with 13476 additions and 1878 deletions
--- a/.github/workflows/golang-test.yml
+++ b/.github/workflows/golang-test.yml
@@ -18,7 +18,7 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Test
-        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test ./...
+        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test -p 1 ./...

  test_build:
    strategy:
@@ -46,5 +46,14 @@ jobs:
      - name: Install modules
        run: go mod tidy

-      - name: run build
-        run: GOOS=${{ matrix.os }} go build .
+      - name: run build client
+        run: GOOS=${{ matrix.os }} go build .
+        working-directory: client
+
+      - name: run build management
+        run: GOOS=${{ matrix.os }} go build .
+        working-directory: management
+
+      - name: run build signal
+        run: GOOS=${{ matrix.os }} go build .
+        working-directory: signal
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -11,4 +11,6 @@ jobs:
    steps:
      - uses: actions/checkout@v2
      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v2
+        uses: golangci/golangci-lint-action@v2
+
+
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,4 +49,17 @@ jobs:
          version: latest
          args: release --rm-dist
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+
+      -
+        name: Trigger Windows binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: Sign windows bin and installer
+          repo: wiretrustee/windows-sign-pipeline
+          ref: v0.0.1
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
 .idea
-*.iml
+*.iml
+dist/
+.env
+conf.json
+http-cmds.sh
+infrastructure_files/management.json
+infrastructure_files/docker-compose.yml
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -1,6 +1,9 @@
 project_name: wiretrustee
 builds:
-  - env: [CGO_ENABLED=0]
+  - id: wiretrustee
+    dir: client
+    binary: wiretrustee
+    env: [CGO_ENABLED=0]

    goos:
      - linux
@@ -10,38 +13,85 @@ builds:
      - arm
      - amd64
      - arm64
+      - mips
+    gomips:
+      - hardfloat
+      - softfloat
    ignore:
-      - goos: darwin
-        goarch: arm64
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wintun_from_rsrc
+
+  - id: wiretrustee-mgmt
+    dir: management
+    env: [CGO_ENABLED=0]
+    binary: wiretrustee-mgmt
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: wiretrustee-signal
+    dir: signal
+    env: [CGO_ENABLED=0]
+    binary: wiretrustee-signal
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+      - arm
+    ldflags:
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+archives:
+  - builds:
+      - wiretrustee
 nfpms:
-  - maintainer: Wiretrustee <wiretrustee@wiretrustee.com>
-    description: Wiretrustee project.
+  - maintainer: Wiretrustee <dev@wiretrustee.com>
+    description: Wiretrustee client.
    homepage: https://wiretrustee.com/
+    id: deb
+    builds:
+      - wiretrustee
    formats:
      - deb
-      - rpm
-    contents:
-      - src: release_files/wiretrustee.service
-        dst: /lib/systemd/system/wiretrustee.service
-
-      - src: release_files/wiretrustee.json
-        dst: /etc/wiretrustee/wiretrustee.json
-        type: "config|noreplace"

    scripts:
      postinstall: "release_files/post_install.sh"
+      preremove: "release_files/pre_remove.sh"
+
+  - maintainer: Wiretrustee <dev@wiretrustee.com>
+    description: Wiretrustee client.
+    homepage: https://wiretrustee.com/
+    id: rpm
+    builds:
+      - wiretrustee
+    formats:
+      - rpm
+
+    scripts:
+      postinstall: "release_files/post_install.sh"
+      preremove: "release_files/pre_remove.sh"
 dockers:
  - image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+    ids:
+      - wiretrustee
    goarch: amd64
-    use_buildx: true
-    dockerfile: Dockerfile
+    use: buildx
+    dockerfile: client/Dockerfile
    build_flag_templates:
      - "--platform=linux/amd64"
      - "--label=org.opencontainers.image.created={{.Date}}"
@@ -51,10 +101,150 @@ dockers:
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=wiretrustee@wiretrustee.com"
  - image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
+      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+    ids:
+      - wiretrustee
    goarch: arm64
-    use_buildx: true
-    dockerfile: Dockerfile
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/wiretrustee:{{ .Version }}-arm
+    ids:
+      - wiretrustee
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/signal:{{ .Version }}-amd64
+    ids:
+      - wiretrustee-signal
+    goarch: amd64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm64v8
+    ids:
+      - wiretrustee-signal
+    goarch: arm64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm
+    ids:
+      - wiretrustee-signal
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-amd64
+    ids:
+      - wiretrustee-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-arm64v8
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-arm
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-amd64
+    ids:
+      - wiretrustee-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-arm64v8
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
    build_flag_templates:
      - "--platform=linux/arm64"
      - "--label=org.opencontainers.image.created={{.Date}}"
@@ -64,13 +254,93 @@ dockers:
      - "--label=org.opencontainers.image.version={{.Version}}"
      - "--label=maintainer=wiretrustee@wiretrustee.com"

+  - image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-arm
+    ids:
+      - wiretrustee-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=wiretrustee@wiretrustee.com"
 docker_manifests:
-  - name_template: wiretrustee/wiretrustee:signal-{{ .Version }}
+  - name_template: wiretrustee/wiretrustee:{{ .Version }}
    image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+      - wiretrustee/wiretrustee:{{ .Version }}-arm
+      - wiretrustee/wiretrustee:{{ .Version }}-amd64

-  - name_template: wiretrustee/wiretrustee:signal-latest
+  - name_template: wiretrustee/wiretrustee:latest
    image_templates:
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-arm64v8
-      - wiretrustee/wiretrustee:signal-{{ .Version }}-amd64
+      - wiretrustee/wiretrustee:{{ .Version }}-arm64v8
+      - wiretrustee/wiretrustee:{{ .Version }}-arm
+      - wiretrustee/wiretrustee:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/signal:{{ .Version }}
+    image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm64v8
+      - wiretrustee/signal:{{ .Version }}-arm
+      - wiretrustee/signal:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/signal:latest
+    image_templates:
+      - wiretrustee/signal:{{ .Version }}-arm64v8
+      - wiretrustee/signal:{{ .Version }}-arm
+      - wiretrustee/signal:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/management:{{ .Version }}
+    image_templates:
+      - wiretrustee/management:{{ .Version }}-arm64v8
+      - wiretrustee/management:{{ .Version }}-arm
+      - wiretrustee/management:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/management:latest
+    image_templates:
+      - wiretrustee/management:{{ .Version }}-arm64v8
+      - wiretrustee/management:{{ .Version }}-arm
+      - wiretrustee/management:{{ .Version }}-amd64
+
+  - name_template: wiretrustee/management:debug-latest
+    image_templates:
+      - wiretrustee/management:{{ .Version }}-debug-arm64v8
+      - wiretrustee/management:{{ .Version }}-debug-arm
+      - wiretrustee/management:{{ .Version }}-debug-amd64
+
+brews:
+  -
+    tap:
+      owner: wiretrustee
+      name: homebrew-client
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    commit_author:
+      name: Wiretrustee
+      email: wiretrustee@wiretrustee.com
+    description: Wiretrustee project.
+    download_strategy: CurlDownloadStrategy
+    homepage: https://wiretrustee.com/
+    license: "BSD3"
+    test: |
+      system "#{bin}/{{ .ProjectName	}} -h"
+
+uploads:
+  - name: debian
+    ids:
+    - deb
+    mode: archive
+    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
+    username: dev@wiretrustee.com
+    method: PUT
+  - name: yum
+    ids:
+      - rpm
+    mode: archive
+    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
+    username: dev@wiretrustee.com
+    method: PUT
--- a/5
+++ b/5
@@ -1,5 +0,0 @@
-FROM gcr.io/distroless/base:debug
-EXPOSE 10000
-ENTRYPOINT [ "/go/bin/wiretrustee","signal" ]
-CMD ["--log-level","DEBUG"]
-COPY wiretrustee /go/bin/wiretrustee
--- a/README.md
+++ b/README.md
@@ -1,173 +1,203 @@
-# Wiretrustee
+<div align="center">

-A WireGuard®-based mesh network that connects your devices into a single private network.
+<p align="center">
+  <img width="250" src="docs/media/logo-full.png"/>
+</p>

-### Why using Wiretrustee?
+  <p>
+    <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+    <img src="https://img.shields.io/docker/pulls/wiretrustee/management" />
+    <img src="https://badgen.net/badge/Open%20Source%3F/Yes%21/blue?icon=github" />
+  </p>
+</div>
+
+<p align="center">
+<strong>
+  Start using Wiretrustee at <a href="https://app.wiretrustee.com/">app.wiretrustee.com</a>
+  <br/>
+  See <a href="docs/README.md">Documentation</a>
+  <br/>
+   Join our <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
+  <br/>
+ 
+</strong>
+</p>
+
+<br>
+
+**Wiretrustee is an open-source VPN platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**
+
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
+
+There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+
+**Wiretrustee automates Wireguard-based networks, offering a management layer with:**
+* Centralized Peer IP management with a neat UI dashboard.
+* Automatic Peer discovery and configuration.
+* UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP.
+* Connection relay fallback in case a peer-to-peer connection is not possible.
+* Multitenancy (coming soon).
+* Client application SSO with MFA (coming soon).
+* Access Controls (coming soon).
+* Activity Monitoring (coming soon).
+
+### Secure peer-to-peer VPN in minutes
+<p float="left" align="middle">
+  <img src="docs/media/peerA.gif" width="400"/> 
+  <img src="docs/media/peerB.gif" width="400"/>
+</p>
+
+**Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases](https://github.com/wiretrustee/wiretrustee/releases).
+
+Hosted demo version: 
+[https://app.wiretrustee.com/](https://app.wiretrustee.com/peers). 
+
+[UI Dashboard Repo](https://github.com/wiretrustee/wiretrustee-dashboard)

-* Connect multiple devices to each other via a secure peer-to-peer Wireguard VPN tunnel. At home, the office, or anywhere else.
-* No need to open ports and expose public IPs on the device.
-* Automatically reconnects in case of network failures or switches.
-* Automatic NAT traversal.
-* Relay server fallback in case of an unsuccessful peer-to-peer connection.
-* Private key never leaves your device.
-* Works on ARM devices (e.g. Raspberry Pi).

 ### A bit on Wiretrustee internals
+* Wiretrustee features a Management Service that offers peer IP management and network updates distribution (e.g. when new peer joins the network).
 * Wiretrustee uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between devices.
-* A connection session negotiation between peers is achieved with the Wiretrustee Signalling server [signal](signal/)
-* Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
-  The routing of the messages on a Signalling server is based on public Wireguard keys. 
+* Peers negotiate connection through [Signal Service](signal/).
+* Signal Service uses public Wireguard keys to route messages between peers.
+  Contents of the messages sent between peers through the signaling server are encrypted with Wireguard keys, making it impossible to inspect them.
 * Occasionally, the NAT-traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT).
-  For that matter, there is support for a relay server fallback (TURN) and a secure Wireguard tunnel is established via TURN server.
+  When this occurs the system falls back to relay server (TURN), and a secure Wireguard tunnel is established via TURN server.
  [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in Wiretrustee setups.

-### What Wiretrustee is not doing:
-* Wireguard key management. In consequence, you need to generate peer keys and specify them on Wiretrustee initialization step. This feature is on the roadmap.
-* Peer address management. You have to specify a unique peer local address (e.g. 10.30.30.1/24) when configuring Wiretrustee. This feature is on the roadmap.
-
 ### Product Roadmap
 - [Public Roadmap](https://github.com/wiretrustee/wiretrustee/projects/2)
 - [Public Roadmap Progress Tracking](https://github.com/wiretrustee/wiretrustee/projects/1)

 ### Client Installation
 #### Linux
-1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases)   
-2. Download the latest release (**Switch VERSION to the latest**):

-**Debian packages**
-```shell
-wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.deb
-```
-3. Install the package
-```shell
-sudo dpkg -i wiretrustee_<VERSION>_linux_amd64.deb
-```
-**Fedora/Centos packages**
-```shell
-wget https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_linux_amd64.rpm
-```
-3. Install the package
-```shell
-sudo rpm -i wiretrustee_<VERSION>_linux_amd64.rpm
-```
+**APT/Debian**
+1. Add the repository:
+    ```shell
+    sudo apt-get update
+    sudo apt-get install ca-certificates curl gnupg -y
+    curl -L https://pkgs.wiretrustee.com/debian/public.key | sudo apt-key add -
+    echo 'deb https://pkgs.wiretrustee.com/debian stable main' | sudo tee /etc/apt/sources.list.d/wiretrustee.list
+    ```
+2. Install the package
+    ```shell
+    sudo apt-get update
+    sudo apt-get install wiretrustee
+    ```
+**RPM/Red hat**
+1. Add the repository:
+    ```shell
+    cat <<EOF | sudo tee /etc/yum.repos.d/wiretrustee.repo
+    [Wiretrustee]
+    name=Wiretrustee
+    baseurl=https://pkgs.wiretrustee.com/yum/
+    enabled=1
+    gpgcheck=0
+    gpgkey=https://pkgs.wiretrustee.com/yum/repodata/repomd.xml.key
+    repo_gpgcheck=1
+    EOF
+    ```
+2. Install the package
+    ```shell
+    sudo yum install wiretrustee
+    ```
 #### MACOS
+**Brew install**
+1. Download and install Brew at https://brew.sh/
+2. Install the client
+  ```shell
+  brew install wiretrustee/client/wiretrustee
+  ```
+**Installation from binary**
 1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
 2. Download the latest release (**Switch VERSION to the latest**):
-```shell
-curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
-```
+  ```shell
+  curl -o ./wiretrustee_<VERSION>_darwin_amd64.tar.gz https://github.com/wiretrustee/wiretrustee/releases/download/v<VERSION>/wiretrustee_<VERSION>_darwin_amd64.tar.gz
+  ```
 3. Decompress
-```shell
-tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
-sudo mv wiretrusee /usr/local/bin/wiretrustee
-chmod +x /usr/local/bin/wiretrustee
-```
+  ```shell
+  tar xcf ./wiretrustee_<VERSION>_darwin_amd64.tar.gz
+  sudo mv wiretrusee /usr/local/bin/wiretrustee
+  chmod +x /usr/local/bin/wiretrustee
+  ```
 After that you may need to add /usr/local/bin in your MAC's PATH environment variable:
-````shell
-export PATH=$PATH:/usr/local/bin
-````
+  ````shell
+  export PATH=$PATH:/usr/local/bin
+  ````

 #### Windows
 1. Checkout Wiretrustee [releases](https://github.com/wiretrustee/wiretrustee/releases/latest)
-2. Download the latest Windows release ```wiretrustee_<VERSION>_windows_amd64.tar.gz``` (**Switch VERSION to the latest**):
-3. Decompress and move to a more fixed path in your system
-4. Open Powershell
-5. For Windows systems, we can use the service command to configure Wiretrustee as a service by running the following commands in Powershell:
-````shell
-cd C:\path\to\wiretrustee\bin
-.\wiretrustee.exe service --help
-.\wiretrustee.exe service install # This will prompt for administrator permissions in order to install a new service
-````
-> You may need to run Powershell as Administrator
-6. After installing you can follow the [Client Configuration](#Client-Configuration) steps.
-7. To uninstall the service simple run the command above with the uninstall flag:
-````shell
-.\wiretrustee.exe service uninstall
-````
+2. Download the latest Windows release installer ```wiretrustee_installer_<VERSION>_windows_amd64.exe``` (**Switch VERSION to the latest**):
+3. Proceed with installation steps
+4. This will install the client in the C:\\Program Files\\Wiretrustee and add the client service
+5. After installing, you can follow the [Client Configuration](#Client-Configuration) steps.
+> To uninstall the client and service, you can use Add/Remove programs

 ### Client Configuration
-1. Initialize Wiretrustee:
+1. Login to the Management Service. You need to have a `setup key` in hand (see ).

 For **Unix** systems:
+  ```shell
+  sudo wiretrustee up --setup-key <SETUP KEY>
+  ```
+For  **Windows** systems, start powershell as administrator and:
+  ```shell
+  wiretrustee up --setup-key <SETUP KEY>
+   ```
+For **Docker**, you can run with the following command:
 ```shell
-sudo wiretrustee init \
- --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 \
- --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  \
- --signalAddr signal.wiretrustee.com:10000  \
- --wgLocalAddr 10.30.30.1/24  \
- --log-level info
+docker run --network host --privileged --rm -d -e WT_SETUP_KEY=<SETUP KEY> -v wiretrustee-client:/etc/wiretrustee wiretrustee/wiretrustee:<TAG>
 ```
-For  **Windows** systems:
-```shell
-.\wiretrustee.exe init `
- --stunURLs stun:stun.wiretrustee.com:3468,stun:stun.l.google.com:19302 `
- --turnURLs <TURN User>:<TURN password>@turn:stun.wiretrustee.com:3468  `
- --signalAddr signal.wiretrustee.com:10000  `
- --wgLocalAddr 10.30.30.1/24  `
- --log-level info
- ```
- 
-It is important to mention that the ```wgLocalAddr``` parameter has to be unique across your network.
-E.g. if you have Peer A with ```wgLocalAddr=10.30.30.1/24``` then another Peer B can have ```wgLocalAddr=10.30.30.2/24```
+> TAG > 0.3.0 version

-If for some reason, you already have a generated Wireguard key, you can specify it with the ```--wgKey``` parameter. 
-If not specified, then a new one will be generated, and its corresponding public key will be output to the log.
-A new config will be generated and stored under ```/etc/wiretrustee/config.json```
+Alternatively, if you are hosting your own Management Service provide `--management-url` property pointing to your Management Service:
+  ```shell
+  sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073
+  ```

-2. Add a peer to connect to.
-   
-For **Unix** systems:
-```shell
-sudo wiretrustee add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
-```
-For  **Windows** systems:
-```shell
-.\wiretrustee.exe add-peer --allowedIPs 10.30.30.2/32 --key '<REMOTE PEER WIREUARD PUBLIC KEY>'
-```
-3. Restart Wiretrustee to reload changes
-For **MACOS** you will just start the service:
-````shell
-sudo wiretrustee up --log-level info 
-# or
-sudo wiretrustee up --log-level info & # to run it in background
-````   
+> You could also omit `--setup-key` property. In this case the tool will prompt it the key.
+
+
+2. Check your IP:
+  For **MACOS** you will just start the service:
+  ````shell
+  sudo ipconfig getifaddr utun100
+  ````   
 For **Linux** systems:
-```shell
-sudo systemctl restart wiretrustee.service
-sudo systemctl status wiretrustee.service 
-```
+  ```shell
+  ip addr show wt0
+  ```
 For **Windows** systems:
-```shell
-.\wiretrustee.exe service start
-```
-> You may need to run Powershell as Administrator
-### Running the Signal service
-After installing the application, you can run the signal using the command below:
-````shell
-/usr/local/bin/wiretrustee signal --log-level INFO
-````
-This will launch the Signal server on port 10000, in case you want to change the port, use the flag --port.
-#### Docker image
-We have packed the Signal server into docker image. You can pull the image from Docker Hub and execute it with the following commands:
-````shell
-docker pull wiretrustee/wiretrustee:signal-latest
-docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest
-````
-The default log-level is set to INFO, if you need you can change it using by updating the docker cmd as followed:
-````shell
-docker run -d --name wiretrustee-signal -p 10000:10000 wiretrustee/wiretrustee:signal-latest --log-level DEBUG
-````
+  ```shell
+  netsh interface ip show config name="wt0"
+  ```

-### Running Signal and Coturn
-Under infrastructure_files we have a docker-compose example to run both, Wiretrustee Signal server and an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. 
+3. Repeat on other machines.  
+
+### Running Dashboard, Management, Signal and Coturn
+Wiretrustee uses [Auth0](https://auth0.com) for user authentication and authorization, therefore you will need to create a free account 
+and configure Auth0 variables in the compose file (dashboard) and in the management config file.
+We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires significant amount of time to make it right. We focused on connectivity instead.
+It is worth mentioning that dependency to Auth0 is the only one that cannot be self-hosted.
+
+Configuring Wiretrustee Auth0 integration:
+- check [How to run](https://github.com/wiretrustee/wiretrustee-dashboard#how-to-run) to obtain Auth0 environment variables for UI Dashboard
+- set these variables in the [environment section of the docker-compose file](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/docker-compose.yml)
+- check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain ```AuthIssuer```, ```AuthAudience```, and ```AuthKeysLocation```
+- set these properties in the [management config files](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/management.json#L33)
+
+
+Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. 
 You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.

-The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#Running the Signal service) and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
+The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).

 > Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.

-Also, if you have an SSL certificate you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
+Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
 to generate one from [Let’s Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. 
+> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host  with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.

 Simple docker-composer execution:
 ````shell
@@ -178,6 +208,7 @@ You can check logs by running:
 ````shell
 cd infrastructure_files
 docker-compose logs signal
+docker-compose logs management
 docker-compose logs coturn
 ````
 If you need to stop the services, run the following:
--- a/browser/Makefile
+++ b/browser/Makefile
@@ -0,0 +1,3 @@
+run:
+	GOOS=js GOARCH=wasm go build -o assets/client.wasm ./client/
+	go run main.go
--- a/browser/assets/index.html
+++ b/browser/assets/index.html
@@ -0,0 +1,34 @@
+<html>
+<head>
+    <meta charset="utf-8"/>
+    <script src="wasm_exec.js"></script>
+    <script>
+        const go = new Go();
+        WebAssembly.instantiateStreaming(fetch("client.wasm"), go.importObject).then((result) => {
+            go.run(result.instance);
+        });
+    </script>
+</head>
+<body>
+<form>
+    <input type=button value="Generate Public Key" onclick='generateWireguardKey()'>
+    </p>
+    <label for="wgPrivateKey">Wireguard private key:</label>
+    <input id="wgPrivateKey" type=input size="50" value="qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=">
+    </p>
+    <label for="publicKey">Wireguard Public Key:</label>
+    <input id="publicKey" type=input size="50" value="6M9O7PRhKMEOiboBp9cX6rNrLBevtHX7H0O2FMXUkFI=">
+    <p/>
+    <label for="wgIp">Wireguard private IP:</label>
+    <input id="wgIp" type=input size="50" value="10.0.0.2/24">
+    <p/>
+    <label for="peerKey">Wireguard Peer Public key:</label>
+    <input id="peerKey" type=input size="50" value="RFuT84MDhIvmgQndwMkxQPjG195poq713EMJZv1XPEw=">
+    <p/>
+    <label for="peerAllowedIPs">Wireguard Peer AllowedIPs:</label>
+    <input id="peerAllowedIPs" type=input size="50" value="Paste other peer AllowedIPs">
+    <p/>
+    <input type=button value="start" onclick='connect()'>
+</form>
+</body>
+</html>
--- a/browser/assets/wasm_exec.js
+++ b/browser/assets/wasm_exec.js
@@ -0,0 +1,636 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+(() => {
+	// Map multiple JavaScript environments to a single common API,
+	// preferring web standards over Node.js API.
+	//
+	// Environments considered:
+	// - Browsers
+	// - Node.js
+	// - Electron
+	// - Parcel
+	// - Webpack
+
+	if (typeof global !== "undefined") {
+		// global already exists
+	} else if (typeof window !== "undefined") {
+		window.global = window;
+	} else if (typeof self !== "undefined") {
+		self.global = self;
+	} else {
+		throw new Error("cannot export Go (neither global, window nor self is defined)");
+	}
+
+	if (!global.require && typeof require !== "undefined") {
+		global.require = require;
+	}
+
+	if (!global.fs && global.require) {
+		const fs = require("fs");
+		if (typeof fs === "object" && fs !== null && Object.keys(fs).length !== 0) {
+			global.fs = fs;
+		}
+	}
+
+	const enosys = () => {
+		const err = new Error("not implemented");
+		err.code = "ENOSYS";
+		return err;
+	};
+
+	if (!global.fs) {
+		let outputBuf = "";
+		global.fs = {
+			constants: { O_WRONLY: -1, O_RDWR: -1, O_CREAT: -1, O_TRUNC: -1, O_APPEND: -1, O_EXCL: -1 }, // unused
+			writeSync(fd, buf) {
+				outputBuf += decoder.decode(buf);
+				const nl = outputBuf.lastIndexOf("\n");
+				if (nl != -1) {
+					console.log(outputBuf.substr(0, nl));
+					outputBuf = outputBuf.substr(nl + 1);
+				}
+				return buf.length;
+			},
+			write(fd, buf, offset, length, position, callback) {
+				if (offset !== 0 || length !== buf.length || position !== null) {
+					callback(enosys());
+					return;
+				}
+				const n = this.writeSync(fd, buf);
+				callback(null, n);
+			},
+			chmod(path, mode, callback) { callback(enosys()); },
+			chown(path, uid, gid, callback) { callback(enosys()); },
+			close(fd, callback) { callback(enosys()); },
+			fchmod(fd, mode, callback) { callback(enosys()); },
+			fchown(fd, uid, gid, callback) { callback(enosys()); },
+			fstat(fd, callback) { callback(enosys()); },
+			fsync(fd, callback) { callback(null); },
+			ftruncate(fd, length, callback) { callback(enosys()); },
+			lchown(path, uid, gid, callback) { callback(enosys()); },
+			link(path, link, callback) { callback(enosys()); },
+			lstat(path, callback) { callback(enosys()); },
+			mkdir(path, perm, callback) { callback(enosys()); },
+			open(path, flags, mode, callback) { callback(enosys()); },
+			read(fd, buffer, offset, length, position, callback) { callback(enosys()); },
+			readdir(path, callback) { callback(enosys()); },
+			readlink(path, callback) { callback(enosys()); },
+			rename(from, to, callback) { callback(enosys()); },
+			rmdir(path, callback) { callback(enosys()); },
+			stat(path, callback) { callback(enosys()); },
+			symlink(path, link, callback) { callback(enosys()); },
+			truncate(path, length, callback) { callback(enosys()); },
+			unlink(path, callback) { callback(enosys()); },
+			utimes(path, atime, mtime, callback) { callback(enosys()); },
+		};
+	}
+
+	if (!global.process) {
+		global.process = {
+			getuid() { return -1; },
+			getgid() { return -1; },
+			geteuid() { return -1; },
+			getegid() { return -1; },
+			getgroups() { throw enosys(); },
+			pid: -1,
+			ppid: -1,
+			umask() { throw enosys(); },
+			cwd() { throw enosys(); },
+			chdir() { throw enosys(); },
+		}
+	}
+
+	if (!global.crypto && global.require) {
+		const nodeCrypto = require("crypto");
+		global.crypto = {
+			getRandomValues(b) {
+				nodeCrypto.randomFillSync(b);
+			},
+		};
+	}
+	if (!global.crypto) {
+		throw new Error("global.crypto is not available, polyfill required (getRandomValues only)");
+	}
+
+	if (!global.performance) {
+		global.performance = {
+			now() {
+				const [sec, nsec] = process.hrtime();
+				return sec * 1000 + nsec / 1000000;
+			},
+		};
+	}
+
+	if (!global.TextEncoder && global.require) {
+		global.TextEncoder = require("util").TextEncoder;
+	}
+	if (!global.TextEncoder) {
+		throw new Error("global.TextEncoder is not available, polyfill required");
+	}
+
+	if (!global.TextDecoder && global.require) {
+		global.TextDecoder = require("util").TextDecoder;
+	}
+	if (!global.TextDecoder) {
+		throw new Error("global.TextDecoder is not available, polyfill required");
+	}
+
+	// End of polyfills for common API.
+
+	const encoder = new TextEncoder("utf-8");
+	const decoder = new TextDecoder("utf-8");
+
+	global.Go = class {
+		constructor() {
+			this.argv = ["js"];
+			this.env = {};
+			this.exit = (code) => {
+				if (code !== 0) {
+					console.warn("exit code:", code);
+				}
+			};
+			this._exitPromise = new Promise((resolve) => {
+				this._resolveExitPromise = resolve;
+			});
+			this._pendingEvent = null;
+			this._scheduledTimeouts = new Map();
+			this._nextCallbackTimeoutID = 1;
+
+			const setInt64 = (addr, v) => {
+				this.mem.setUint32(addr + 0, v, true);
+				this.mem.setUint32(addr + 4, Math.floor(v / 4294967296), true);
+			}
+
+			const getInt64 = (addr) => {
+				const low = this.mem.getUint32(addr + 0, true);
+				const high = this.mem.getInt32(addr + 4, true);
+				return low + high * 4294967296;
+			}
+
+			const loadValue = (addr) => {
+				const f = this.mem.getFloat64(addr, true);
+				if (f === 0) {
+					return undefined;
+				}
+				if (!isNaN(f)) {
+					return f;
+				}
+
+				const id = this.mem.getUint32(addr, true);
+				return this._values[id];
+			}
+
+			const storeValue = (addr, v) => {
+				const nanHead = 0x7FF80000;
+
+				if (typeof v === "number" && v !== 0) {
+					if (isNaN(v)) {
+						this.mem.setUint32(addr + 4, nanHead, true);
+						this.mem.setUint32(addr, 0, true);
+						return;
+					}
+					this.mem.setFloat64(addr, v, true);
+					return;
+				}
+
+				if (v === undefined) {
+					this.mem.setFloat64(addr, 0, true);
+					return;
+				}
+
+				let id = this._ids.get(v);
+				if (id === undefined) {
+					id = this._idPool.pop();
+					if (id === undefined) {
+						id = this._values.length;
+					}
+					this._values[id] = v;
+					this._goRefCounts[id] = 0;
+					this._ids.set(v, id);
+				}
+				this._goRefCounts[id]++;
+				let typeFlag = 0;
+				switch (typeof v) {
+					case "object":
+						if (v !== null) {
+							typeFlag = 1;
+						}
+						break;
+					case "string":
+						typeFlag = 2;
+						break;
+					case "symbol":
+						typeFlag = 3;
+						break;
+					case "function":
+						typeFlag = 4;
+						break;
+				}
+				this.mem.setUint32(addr + 4, nanHead | typeFlag, true);
+				this.mem.setUint32(addr, id, true);
+			}
+
+			const loadSlice = (addr) => {
+				const array = getInt64(addr + 0);
+				const len = getInt64(addr + 8);
+				return new Uint8Array(this._inst.exports.mem.buffer, array, len);
+			}
+
+			const loadSliceOfValues = (addr) => {
+				const array = getInt64(addr + 0);
+				const len = getInt64(addr + 8);
+				const a = new Array(len);
+				for (let i = 0; i < len; i++) {
+					a[i] = loadValue(array + i * 8);
+				}
+				return a;
+			}
+
+			const loadString = (addr) => {
+				const saddr = getInt64(addr + 0);
+				const len = getInt64(addr + 8);
+				return decoder.decode(new DataView(this._inst.exports.mem.buffer, saddr, len));
+			}
+
+			const timeOrigin = Date.now() - performance.now();
+			this.importObject = {
+				go: {
+					// Go's SP does not change as long as no Go code is running. Some operations (e.g. calls, getters and setters)
+					// may synchronously trigger a Go event handler. This makes Go code get executed in the middle of the imported
+					// function. A goroutine can switch to a new stack if the current stack is too small (see morestack function).
+					// This changes the SP, thus we have to update the SP used by the imported function.
+
+					// func wasmExit(code int32)
+					"runtime.wasmExit": (sp) => {
+						sp >>>= 0;
+						const code = this.mem.getInt32(sp + 8, true);
+						this.exited = true;
+						delete this._inst;
+						delete this._values;
+						delete this._goRefCounts;
+						delete this._ids;
+						delete this._idPool;
+						this.exit(code);
+					},
+
+					// func wasmWrite(fd uintptr, p unsafe.Pointer, n int32)
+					"runtime.wasmWrite": (sp) => {
+						sp >>>= 0;
+						const fd = getInt64(sp + 8);
+						const p = getInt64(sp + 16);
+						const n = this.mem.getInt32(sp + 24, true);
+						fs.writeSync(fd, new Uint8Array(this._inst.exports.mem.buffer, p, n));
+					},
+
+					// func resetMemoryDataView()
+					"runtime.resetMemoryDataView": (sp) => {
+						sp >>>= 0;
+						this.mem = new DataView(this._inst.exports.mem.buffer);
+					},
+
+					// func nanotime1() int64
+					"runtime.nanotime1": (sp) => {
+						sp >>>= 0;
+						setInt64(sp + 8, (timeOrigin + performance.now()) * 1000000);
+					},
+
+					// func walltime() (sec int64, nsec int32)
+					"runtime.walltime": (sp) => {
+						sp >>>= 0;
+						const msec = (new Date).getTime();
+						setInt64(sp + 8, msec / 1000);
+						this.mem.setInt32(sp + 16, (msec % 1000) * 1000000, true);
+					},
+
+					// func scheduleTimeoutEvent(delay int64) int32
+					"runtime.scheduleTimeoutEvent": (sp) => {
+						sp >>>= 0;
+						const id = this._nextCallbackTimeoutID;
+						this._nextCallbackTimeoutID++;
+						this._scheduledTimeouts.set(id, setTimeout(
+							() => {
+								this._resume();
+								while (this._scheduledTimeouts.has(id)) {
+									// for some reason Go failed to register the timeout event, log and try again
+									// (temporary workaround for https://github.com/golang/go/issues/28975)
+									console.warn("scheduleTimeoutEvent: missed timeout event");
+									this._resume();
+								}
+							},
+							getInt64(sp + 8) + 1, // setTimeout has been seen to fire up to 1 millisecond early
+						));
+						this.mem.setInt32(sp + 16, id, true);
+					},
+
+					// func clearTimeoutEvent(id int32)
+					"runtime.clearTimeoutEvent": (sp) => {
+						sp >>>= 0;
+						const id = this.mem.getInt32(sp + 8, true);
+						clearTimeout(this._scheduledTimeouts.get(id));
+						this._scheduledTimeouts.delete(id);
+					},
+
+					// func getRandomData(r []byte)
+					"runtime.getRandomData": (sp) => {
+						sp >>>= 0;
+						crypto.getRandomValues(loadSlice(sp + 8));
+					},
+
+					// func finalizeRef(v ref)
+					"syscall/js.finalizeRef": (sp) => {
+						sp >>>= 0;
+						const id = this.mem.getUint32(sp + 8, true);
+						this._goRefCounts[id]--;
+						if (this._goRefCounts[id] === 0) {
+							const v = this._values[id];
+							this._values[id] = null;
+							this._ids.delete(v);
+							this._idPool.push(id);
+						}
+					},
+
+					// func stringVal(value string) ref
+					"syscall/js.stringVal": (sp) => {
+						sp >>>= 0;
+						storeValue(sp + 24, loadString(sp + 8));
+					},
+
+					// func valueGet(v ref, p string) ref
+					"syscall/js.valueGet": (sp) => {
+						sp >>>= 0;
+						const result = Reflect.get(loadValue(sp + 8), loadString(sp + 16));
+						sp = this._inst.exports.getsp() >>> 0; // see comment above
+						storeValue(sp + 32, result);
+					},
+
+					// func valueSet(v ref, p string, x ref)
+					"syscall/js.valueSet": (sp) => {
+						sp >>>= 0;
+						Reflect.set(loadValue(sp + 8), loadString(sp + 16), loadValue(sp + 32));
+					},
+
+					// func valueDelete(v ref, p string)
+					"syscall/js.valueDelete": (sp) => {
+						sp >>>= 0;
+						Reflect.deleteProperty(loadValue(sp + 8), loadString(sp + 16));
+					},
+
+					// func valueIndex(v ref, i int) ref
+					"syscall/js.valueIndex": (sp) => {
+						sp >>>= 0;
+						storeValue(sp + 24, Reflect.get(loadValue(sp + 8), getInt64(sp + 16)));
+					},
+
+					// valueSetIndex(v ref, i int, x ref)
+					"syscall/js.valueSetIndex": (sp) => {
+						sp >>>= 0;
+						Reflect.set(loadValue(sp + 8), getInt64(sp + 16), loadValue(sp + 24));
+					},
+
+					// func valueCall(v ref, m string, args []ref) (ref, bool)
+					"syscall/js.valueCall": (sp) => {
+						sp >>>= 0;
+						try {
+							const v = loadValue(sp + 8);
+							const m = Reflect.get(v, loadString(sp + 16));
+							const args = loadSliceOfValues(sp + 32);
+							const result = Reflect.apply(m, v, args);
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 56, result);
+							this.mem.setUint8(sp + 64, 1);
+						} catch (err) {
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 56, err);
+							this.mem.setUint8(sp + 64, 0);
+						}
+					},
+
+					// func valueInvoke(v ref, args []ref) (ref, bool)
+					"syscall/js.valueInvoke": (sp) => {
+						sp >>>= 0;
+						try {
+							const v = loadValue(sp + 8);
+							const args = loadSliceOfValues(sp + 16);
+							const result = Reflect.apply(v, undefined, args);
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, result);
+							this.mem.setUint8(sp + 48, 1);
+						} catch (err) {
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, err);
+							this.mem.setUint8(sp + 48, 0);
+						}
+					},
+
+					// func valueNew(v ref, args []ref) (ref, bool)
+					"syscall/js.valueNew": (sp) => {
+						sp >>>= 0;
+						try {
+							const v = loadValue(sp + 8);
+							const args = loadSliceOfValues(sp + 16);
+							const result = Reflect.construct(v, args);
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, result);
+							this.mem.setUint8(sp + 48, 1);
+						} catch (err) {
+							sp = this._inst.exports.getsp() >>> 0; // see comment above
+							storeValue(sp + 40, err);
+							this.mem.setUint8(sp + 48, 0);
+						}
+					},
+
+					// func valueLength(v ref) int
+					"syscall/js.valueLength": (sp) => {
+						sp >>>= 0;
+						setInt64(sp + 16, parseInt(loadValue(sp + 8).length));
+					},
+
+					// valuePrepareString(v ref) (ref, int)
+					"syscall/js.valuePrepareString": (sp) => {
+						sp >>>= 0;
+						const str = encoder.encode(String(loadValue(sp + 8)));
+						storeValue(sp + 16, str);
+						setInt64(sp + 24, str.length);
+					},
+
+					// valueLoadString(v ref, b []byte)
+					"syscall/js.valueLoadString": (sp) => {
+						sp >>>= 0;
+						const str = loadValue(sp + 8);
+						loadSlice(sp + 16).set(str);
+					},
+
+					// func valueInstanceOf(v ref, t ref) bool
+					"syscall/js.valueInstanceOf": (sp) => {
+						sp >>>= 0;
+						this.mem.setUint8(sp + 24, (loadValue(sp + 8) instanceof loadValue(sp + 16)) ? 1 : 0);
+					},
+
+					// func copyBytesToGo(dst []byte, src ref) (int, bool)
+					"syscall/js.copyBytesToGo": (sp) => {
+						sp >>>= 0;
+						const dst = loadSlice(sp + 8);
+						const src = loadValue(sp + 32);
+						if (!(src instanceof Uint8Array || src instanceof Uint8ClampedArray)) {
+							this.mem.setUint8(sp + 48, 0);
+							return;
+						}
+						const toCopy = src.subarray(0, dst.length);
+						dst.set(toCopy);
+						setInt64(sp + 40, toCopy.length);
+						this.mem.setUint8(sp + 48, 1);
+					},
+
+					// func copyBytesToJS(dst ref, src []byte) (int, bool)
+					"syscall/js.copyBytesToJS": (sp) => {
+						sp >>>= 0;
+						const dst = loadValue(sp + 8);
+						const src = loadSlice(sp + 16);
+						if (!(dst instanceof Uint8Array || dst instanceof Uint8ClampedArray)) {
+							this.mem.setUint8(sp + 48, 0);
+							return;
+						}
+						const toCopy = src.subarray(0, dst.length);
+						dst.set(toCopy);
+						setInt64(sp + 40, toCopy.length);
+						this.mem.setUint8(sp + 48, 1);
+					},
+
+					"debug": (value) => {
+						console.log(value);
+					},
+				}
+			};
+		}
+
+		async run(instance) {
+			if (!(instance instanceof WebAssembly.Instance)) {
+				throw new Error("Go.run: WebAssembly.Instance expected");
+			}
+			this._inst = instance;
+			this.mem = new DataView(this._inst.exports.mem.buffer);
+			this._values = [ // JS values that Go currently has references to, indexed by reference id
+				NaN,
+				0,
+				null,
+				true,
+				false,
+				global,
+				this,
+			];
+			this._goRefCounts = new Array(this._values.length).fill(Infinity); // number of references that Go has to a JS value, indexed by reference id
+			this._ids = new Map([ // mapping from JS values to reference ids
+				[0, 1],
+				[null, 2],
+				[true, 3],
+				[false, 4],
+				[global, 5],
+				[this, 6],
+			]);
+			this._idPool = [];   // unused ids that have been garbage collected
+			this.exited = false; // whether the Go program has exited
+
+			// Pass command line arguments and environment variables to WebAssembly by writing them to the linear memory.
+			let offset = 4096;
+
+			const strPtr = (str) => {
+				const ptr = offset;
+				const bytes = encoder.encode(str + "\0");
+				new Uint8Array(this.mem.buffer, offset, bytes.length).set(bytes);
+				offset += bytes.length;
+				if (offset % 8 !== 0) {
+					offset += 8 - (offset % 8);
+				}
+				return ptr;
+			};
+
+			const argc = this.argv.length;
+
+			const argvPtrs = [];
+			this.argv.forEach((arg) => {
+				argvPtrs.push(strPtr(arg));
+			});
+			argvPtrs.push(0);
+
+			const keys = Object.keys(this.env).sort();
+			keys.forEach((key) => {
+				argvPtrs.push(strPtr(`${key}=${this.env[key]}`));
+			});
+			argvPtrs.push(0);
+
+			const argv = offset;
+			argvPtrs.forEach((ptr) => {
+				this.mem.setUint32(offset, ptr, true);
+				this.mem.setUint32(offset + 4, 0, true);
+				offset += 8;
+			});
+
+			// The linker guarantees global data starts from at least wasmMinDataAddr.
+			// Keep in sync with cmd/link/internal/ld/data.go:wasmMinDataAddr.
+			const wasmMinDataAddr = 4096 + 4096;
+			if (offset >= wasmMinDataAddr) {
+				throw new Error("command line too long");
+			}
+
+			this._inst.exports.run(argc, argv);
+			if (this.exited) {
+				this._resolveExitPromise();
+			}
+			await this._exitPromise;
+		}
+
+		_resume() {
+			if (this.exited) {
+				throw new Error("Go program has already exited");
+			}
+			this._inst.exports.resume();
+			if (this.exited) {
+				this._resolveExitPromise();
+			}
+		}
+
+		_makeFuncWrapper(id) {
+			const go = this;
+			return function () {
+				const event = { id: id, this: this, args: arguments };
+				go._pendingEvent = event;
+				go._resume();
+				return event.result;
+			};
+		}
+	}
+
+	if (
+		typeof module !== "undefined" &&
+		global.require &&
+		global.require.main === module &&
+		global.process &&
+		global.process.versions &&
+		!global.process.versions.electron
+	) {
+		if (process.argv.length < 3) {
+			console.error("usage: go_js_wasm_exec [wasm binary] [arguments]");
+			process.exit(1);
+		}
+
+		const go = new Go();
+		go.argv = process.argv.slice(2);
+		go.env = Object.assign({ TMPDIR: require("os").tmpdir() }, process.env);
+		go.exit = process.exit;
+		WebAssembly.instantiate(fs.readFileSync(process.argv[2]), go.importObject).then((result) => {
+			process.on("exit", (code) => { // Node.js exits if no event handler is pending
+				if (code === 0 && !go.exited) {
+					// deadlock, make Go print error and stack traces
+					go._pendingEvent = { id: 0 };
+					go._resume();
+				}
+			});
+			return go.run(result.instance);
+		}).catch((err) => {
+			console.error(err);
+			process.exit(1);
+		});
+	}
+})();
--- a/browser/client/client.go
+++ b/browser/client/client.go
@@ -0,0 +1,88 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/hex"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/browser/conn"
+	"github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"time"
+)
+
+//my private key qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=
+//remote private key KLuBc6tM/NRV1071bfPiNUxZmMhGBCXfxoDg+A+J7ns=
+func main() {
+
+	key, err := wgtypes.ParseKey("qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=")
+	if err != nil {
+		panic(err)
+	}
+
+	log.Printf("my public key: %s", key.PublicKey().String())
+
+	remoteKey, err := wgtypes.ParseKey("RFuT84MDhIvmgQndwMkxQPjG195poq713EMJZv1XPEw=")
+
+	if err != nil {
+		panic(err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+
+	signal, err := client.NewWebsocketClient(ctx, "ws://localhost:80/signal", key)
+
+	time.Sleep(5 * time.Second)
+
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]net.IP{net.ParseIP("1s00.0.2.2")},
+		[]net.IP{net.ParseIP("8.8.8.8")},
+		1420)
+
+	b := conn.NewWebRTCBind("chann-1", signal, key.PublicKey().String(), remoteKey.String())
+	dev := device.NewDevice(tun, b, device.NewLogger(device.LogLevelVerbose, ""))
+
+	err = dev.IpcSet(fmt.Sprintf("private_key=%s\npublic_key=%s\npersistent_keepalive_interval=5\nendpoint=webrtc://datachannel\nallowed_ip=0.0.0.0/0",
+		hex.EncodeToString(key[:]),
+		hex.EncodeToString(remoteKey[:]),
+	))
+
+	dev.Up()
+
+	if err != nil {
+		panic(err)
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: tnet.DialContext,
+		},
+	}
+	time.Sleep(5 * time.Second)
+
+	//go func() {
+	log.Printf("request")
+	req, _ := http.NewRequest("POST", "http://100.0.2.1", bytes.NewBufferString("fdffffffffffffffffffffffffffffffdsdfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"))
+	req.Header.Set("js.fetch:mode", "no-cors")
+	resp, err := client.Do(req)
+	if err != nil {
+		log.Panic(err)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Panic(err)
+	}
+	log.Printf(string(body))
+	log.Printf(resp.Status)
+	//}()
+
+	select {}
+
+}
--- a/browser/conn/bind_webrtc.go
+++ b/browser/conn/bind_webrtc.go
@@ -0,0 +1,347 @@
+package conn
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"github.com/pion/webrtc/v3"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	"github.com/wiretrustee/wiretrustee/signal/proto"
+	"golang.zx2c4.com/wireguard/conn"
+	"log"
+	"net"
+	"sync"
+	"time"
+)
+
+const initDataChannelName = "wiretrustee-init"
+
+func (*WebRTCBind) makeReceive(dcConn net.Conn) conn.ReceiveFunc {
+	return func(buff []byte) (int, conn.Endpoint, error) {
+		n, err := dcConn.Read(buff)
+		if err != nil {
+			return 0, nil, err
+		}
+		//addr := dcConn.RemoteAddr().(DataChannelAddr)
+		return n, &WebRTCEndpoint{}, err
+	}
+}
+
+// WebRTCBind is an implementation of Wireguard Bind interface backed by WebRTC data channel
+type WebRTCBind struct {
+	id        string
+	pc        *webrtc.PeerConnection
+	conn      net.Conn
+	incoming  chan *webrtc.DataChannel
+	mu        sync.Mutex
+	signal    signal.Client
+	key       string
+	remoteKey string
+	closeCond *Cond
+	closeErr  error
+}
+
+func NewWebRTCBind(id string, signal signal.Client, pubKey string, remotePubKey string) conn.Bind {
+
+	return &WebRTCBind{
+		id:        id,
+		pc:        nil,
+		conn:      nil,
+		signal:    signal,
+		mu:        sync.Mutex{},
+		key:       pubKey,
+		remoteKey: remotePubKey,
+		closeCond: NewCond(),
+		incoming:  make(chan *webrtc.DataChannel, 1),
+	}
+}
+
+// acceptDC accepts a datachannel over opened WebRTC connection and wraps it into net.Conn
+// blocks until channel was successfully opened
+func (bind *WebRTCBind) acceptDC() (stream net.Conn, err error) {
+	for dc := range bind.incoming {
+		if dc.Label() == initDataChannelName {
+			continue
+		}
+		stream, err := WrapDataChannel(dc)
+		if err != nil {
+			dc.Close()
+			return nil, err
+		}
+		log.Printf("accepted datachannel connection %s", dc.Label())
+
+		return stream, nil
+	}
+	return nil, context.Canceled
+}
+
+// openDC creates datachannel over opened WebRTC connection and wraps it into net.Conn
+// blocks until channel was successfully opened
+func (bind *WebRTCBind) openDC() (stream net.Conn, err error) {
+	dc, err := bind.pc.CreateDataChannel(bind.id, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to open RTCDataChannel: %w", err)
+	}
+
+	stream, err = WrapDataChannel(dc)
+	if err != nil {
+		dc.Close()
+		return nil, err
+	}
+
+	log.Printf("opened datachannel connection %s", dc.Label())
+	return stream, err
+}
+
+func newPeerConnection() (*webrtc.PeerConnection, error) {
+	config := webrtc.Configuration{
+		ICEServers: []webrtc.ICEServer{
+			{
+				URLs: []string{"stun:stun.l.google.com:19302"},
+			},
+		},
+	}
+	pc, err := webrtc.NewPeerConnection(config)
+	if err != nil {
+		return nil, err
+	}
+
+	return pc, nil
+}
+
+func (bind *WebRTCBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16, err error) {
+
+	log.Printf("opening WebRTCBind connection")
+	connected := NewCond()
+	bind.pc, err = newPeerConnection()
+	if err != nil {
+		bind.pc.Close()
+		return nil, 0, err
+	}
+	bind.pc.OnICEConnectionStateChange(func(state webrtc.ICEConnectionState) {
+		switch state {
+		case webrtc.ICEConnectionStateConnected:
+			connected.Signal()
+		case webrtc.ICEConnectionStateClosed:
+			log.Printf("WebRTC connection closed")
+			//TODO
+		}
+	})
+
+	bind.pc.OnDataChannel(func(dc *webrtc.DataChannel) {
+		log.Printf("received channel %s %v", dc.Label(), dc)
+		bind.incoming <- dc
+	})
+
+	controlling := bind.key < bind.remoteKey
+	// decision who is creating an offer
+	if controlling {
+		_, err = bind.pc.CreateDataChannel(initDataChannelName, nil)
+		if err != nil {
+			return nil, 0, err
+		}
+
+		offer, err := bind.pc.CreateOffer(nil)
+		if err != nil {
+			return nil, 0, err
+		}
+
+		if err := bind.pc.SetLocalDescription(offer); err != nil {
+			return nil, 0, err
+		}
+
+		// Create channel that is blocked until ICE Gathering is complete
+		gatherComplete := webrtc.GatheringCompletePromise(bind.pc)
+		select {
+		case <-gatherComplete:
+		case <-bind.closeCond.C:
+			return nil, 0, fmt.Errorf("closed while waiting for WebRTC candidates")
+		}
+		log.Printf("candidates gathered")
+
+		err = bind.signal.Send(&proto.Message{
+			Key:       bind.key,
+			RemoteKey: bind.remoteKey,
+			Body: &proto.Body{
+				Type:    proto.Body_OFFER,
+				Payload: Encode(bind.pc.LocalDescription()),
+			},
+		})
+		if err != nil {
+			return nil, 0, err
+		}
+
+		log.Printf("sent an offer to a remote peer")
+
+		//answerCh := make(chan webrtc.SessionDescription, 1)
+
+		go bind.signal.Receive(func(msg *proto.Message) error {
+			log.Printf("received a message from %v -> %v", msg.RemoteKey, msg.Body.Payload)
+			if msg.GetBody().Type == proto.Body_ANSWER {
+				log.Printf("received answer")
+				err := setRemoteDescription(bind.pc, msg.GetBody().GetPayload())
+				if err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+			}
+			return nil
+		})
+
+	} else {
+		gatherComplete := webrtc.GatheringCompletePromise(bind.pc)
+
+		go bind.signal.Receive(func(msg *proto.Message) error {
+			log.Printf("received a message from %v -> %v", msg.RemoteKey, msg.Body.Payload)
+			if msg.GetBody().Type == proto.Body_OFFER {
+				log.Printf("received offer")
+
+				err = setRemoteDescription(bind.pc, msg.GetBody().GetPayload())
+				if err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+
+				sdp, err := bind.pc.CreateAnswer(nil)
+				if err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+
+				if err := bind.pc.SetLocalDescription(sdp); err != nil {
+					log.Printf("%v", err)
+					return err
+				}
+
+				select {
+				case <-gatherComplete:
+				case <-bind.closeCond.C:
+					return nil
+				}
+
+				log.Printf("candidates gathered")
+
+				err = bind.signal.Send(&proto.Message{
+					Key:       bind.key,
+					RemoteKey: bind.remoteKey,
+					Body: &proto.Body{
+						Type:    proto.Body_ANSWER,
+						Payload: Encode(bind.pc.LocalDescription()),
+					},
+				})
+				if err != nil {
+					return err
+				}
+
+				log.Printf("sent an answer to a remote peer")
+			}
+			return nil
+		})
+	}
+
+	select {
+	case <-time.After(10 * time.Second):
+		return nil, 0, fmt.Errorf("failed to connect in time: %w", err)
+	case <-connected.C:
+	}
+	log.Printf("WebRTC connection has opened successfully")
+
+	//once WebRTC has been established we can now create a datachannel and resume
+	var dcConn net.Conn
+	if controlling {
+		dcConn, err = bind.openDC()
+		if err != nil {
+			return nil, 0, err
+		}
+	} else {
+		dcConn, err = bind.acceptDC()
+		if err != nil {
+			return nil, 0, err
+		}
+	}
+	bind.conn = dcConn
+	fns = append(fns, bind.makeReceive(bind.conn))
+	return fns, 0, nil
+
+}
+
+func setRemoteDescription(pc *webrtc.PeerConnection, payload string) error {
+	descr, err := Decode(payload)
+	if err != nil {
+		return err
+	}
+	err = pc.SetRemoteDescription(*descr)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("parsed SDP %s", descr.SDP)
+
+	return nil
+}
+func Decode(in string) (*webrtc.SessionDescription, error) {
+	descr := &webrtc.SessionDescription{}
+	err := json.Unmarshal([]byte(in), descr)
+	if err != nil {
+		return nil, err
+	}
+
+	return descr, nil
+}
+
+func Encode(obj interface{}) string {
+	b, err := json.Marshal(obj)
+	if err != nil {
+		panic(err)
+	}
+
+	return string(b)
+}
+
+func (*WebRTCBind) Close() error {
+	return nil
+}
+
+func (*WebRTCBind) SetMark(mark uint32) error {
+	return nil
+}
+
+func (bind *WebRTCBind) Send(b []byte, ep conn.Endpoint) error {
+	n, err := bind.conn.Write(b)
+	if err != nil {
+		return err
+	}
+	log.Printf("wrote %d bytes", n)
+	return nil
+}
+
+func (*WebRTCBind) ParseEndpoint(s string) (conn.Endpoint, error) {
+	log.Printf("peer endpoint %s", s)
+	return &WebRTCEndpoint{}, nil
+}
+
+// WebRTCEndpoint is an implementation of Wireguard's Endpoint interface backed by WebRTC
+type WebRTCEndpoint DataChannelAddr
+
+func (e *WebRTCEndpoint) ClearSrc() {
+
+}
+func (e *WebRTCEndpoint) SrcToString() string {
+	return ""
+}
+func (e *WebRTCEndpoint) DstToString() string {
+	return (*DataChannelAddr)(e).String()
+}
+func (e *WebRTCEndpoint) DstToBytes() []byte {
+	port := 31234
+	out := net.IP{127, 0, 0, 1}
+	out = append(out, byte(port&0xff))
+	out = append(out, byte((port>>8)&0xff))
+	return out
+}
+func (e *WebRTCEndpoint) DstIP() net.IP {
+	return net.IP{127, 0, 0, 1}
+}
+func (e *WebRTCEndpoint) SrcIP() net.IP {
+	return nil
+}
--- a/browser/conn/cond.go
+++ b/browser/conn/cond.go
@@ -0,0 +1,34 @@
+package conn
+
+// credits to https://github.com/rtctunnel/rtctunnel
+
+import "sync"
+
+// A Cond is a condition variable like sync.Cond, but using a channel so we can use select.
+type Cond struct {
+	once sync.Once
+	C    chan struct{}
+}
+
+// NewCond creates a new condition variable.
+func NewCond() *Cond {
+	return &Cond{C: make(chan struct{})}
+}
+
+// Do runs f if the condition hasn't been signaled yet. Afterwards it will be signaled.
+func (c *Cond) Do(f func()) {
+	c.once.Do(func() {
+		f()
+		close(c.C)
+	})
+}
+
+// Signal closes the condition variable channel.
+func (c *Cond) Signal() {
+	c.Do(func() {})
+}
+
+// Wait waits for the condition variable channel to close.
+func (c *Cond) Wait() {
+	<-c.C
+}
--- a/browser/conn/conn.go
+++ b/browser/conn/conn.go
@@ -0,0 +1,220 @@
+package conn
+
+// credits to https://github.com/rtctunnel/rtctunnel
+
+import (
+	"context"
+	"errors"
+	"github.com/pion/webrtc/v3"
+	"io"
+	"log"
+	"net"
+	"time"
+)
+
+var ErrClosedByPeer = errors.New("closed by peer")
+
+type DataChannelAddr struct{}
+
+func (addr DataChannelAddr) Network() string {
+	return "webrtc"
+}
+
+func (addr DataChannelAddr) String() string {
+	return "webrtc://datachannel"
+}
+
+// A DataChannelConn implements the net.Conn interface over a webrtc data channel
+type DataChannelConn struct {
+	dc *webrtc.DataChannel
+	rr ContextReadCloser
+	rw ContextWriteCloser
+
+	openCond  *Cond
+	closeCond *Cond
+	closeErr  error
+}
+
+// WrapDataChannel wraps an rtc data channel and implements the net.Conn
+// interface
+func WrapDataChannel(rtcDataChannel *webrtc.DataChannel) (*DataChannelConn, error) {
+	rr, rw := io.Pipe()
+
+	conn := &DataChannelConn{
+		dc: rtcDataChannel,
+		rr: ContextReadCloser{Context: context.Background(), ReadCloser: rr},
+		rw: ContextWriteCloser{Context: context.Background(), WriteCloser: rw},
+
+		openCond:  NewCond(),
+		closeCond: NewCond(),
+	}
+	conn.dc.OnClose(func() {
+		_ = conn.closeWithError(ErrClosedByPeer)
+	})
+	conn.dc.OnOpen(func() {
+		// for reasons I don't understand, when opened the data channel is not immediately available for use
+		time.Sleep(50 * time.Millisecond)
+		conn.openCond.Signal()
+	})
+	conn.dc.OnMessage(func(msg webrtc.DataChannelMessage) {
+		log.Printf("received message from data channel %d", len(msg.Data))
+		if rw != nil {
+			_, err := rw.Write(msg.Data)
+			if err != nil {
+				_ = conn.closeWithError(err)
+				rw = nil
+			}
+		}
+	})
+
+	select {
+	case <-conn.closeCond.C:
+		err := conn.closeErr
+		if err == nil {
+			err = errors.New("datachannel closed for unknown reasons")
+		}
+		return nil, err
+	case <-conn.openCond.C:
+	}
+
+	return conn, nil
+}
+
+func (dc *DataChannelConn) Read(b []byte) (n int, err error) {
+	return dc.rr.Read(b)
+}
+
+func (dc *DataChannelConn) Write(b []byte) (n int, err error) {
+	log.Printf("writing buffer of size %d", len(b))
+	err = dc.dc.Send(b)
+	if err != nil {
+		return 0, err
+	}
+	return len(b), nil
+}
+
+func (dc *DataChannelConn) Close() error {
+	return dc.closeWithError(nil)
+}
+
+func (dc *DataChannelConn) LocalAddr() net.Addr {
+	return DataChannelAddr{}
+}
+
+func (dc *DataChannelConn) RemoteAddr() net.Addr {
+	return DataChannelAddr{}
+}
+
+func (dc *DataChannelConn) SetDeadline(t time.Time) error {
+	var err error
+	if e := dc.SetReadDeadline(t); e != nil {
+		err = e
+	}
+	if e := dc.SetWriteDeadline(t); e != nil {
+		err = e
+	}
+	return err
+}
+
+func (dc *DataChannelConn) SetReadDeadline(t time.Time) error {
+	return dc.rr.SetReadDeadline(t)
+}
+
+func (dc *DataChannelConn) SetWriteDeadline(t time.Time) error {
+	return dc.rw.SetWriteDeadline(t)
+}
+
+func (dc *DataChannelConn) closeWithError(err error) error {
+	dc.closeCond.Do(func() {
+		e := dc.rr.Close()
+		if err == nil {
+			err = e
+		}
+		e = dc.rw.Close()
+		if err == nil {
+			err = e
+		}
+		e = dc.dc.Close()
+		if err == nil {
+			err = e
+		}
+		dc.closeErr = err
+	})
+	return err
+}
+
+type ContextReadCloser struct {
+	context.Context
+	io.ReadCloser
+	cancel func()
+}
+
+func (cr ContextReadCloser) Close() error {
+	err := cr.ReadCloser.Close()
+	if cr.cancel != nil {
+		cr.cancel()
+		cr.cancel = nil
+	}
+	return err
+}
+
+func (cr ContextReadCloser) SetReadDeadline(t time.Time) error {
+	if cr.cancel != nil {
+		cr.cancel()
+		cr.cancel = nil
+	}
+	cr.Context, cr.cancel = context.WithDeadline(context.Background(), t)
+	return nil
+}
+
+func (cr ContextReadCloser) Read(p []byte) (n int, err error) {
+	done := make(chan struct{})
+	go func() {
+		n, err = cr.ReadCloser.Read(p)
+		close(done)
+	}()
+	select {
+	case <-done:
+		return n, err
+	case <-cr.Context.Done():
+		return 0, cr.Context.Err()
+	}
+}
+
+type ContextWriteCloser struct {
+	context.Context
+	io.WriteCloser
+	cancel func()
+}
+
+func (cw ContextWriteCloser) Close() error {
+	err := cw.WriteCloser.Close()
+	if cw.cancel != nil {
+		cw.cancel()
+		cw.cancel = nil
+	}
+	return err
+}
+
+func (cw ContextWriteCloser) SetWriteDeadline(t time.Time) error {
+	if cw.cancel != nil {
+		cw.cancel()
+		cw.cancel = nil
+	}
+	cw.Context, cw.cancel = context.WithDeadline(context.Background(), t)
+	return nil
+}
+
+func (cw ContextWriteCloser) Write(p []byte) (n int, err error) {
+	done := make(chan struct{})
+	go func() {
+		n, err = cw.WriteCloser.Write(p)
+		close(done)
+	}()
+	select {
+	case <-done:
+		return n, err
+	case <-cw.Context.Done():
+		return 0, cw.Context.Err()
+	}
+}
--- a/browser/main.go
+++ b/browser/main.go
@@ -0,0 +1,18 @@
+package main
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+)
+
+func main() {
+	log.Print("listening on http://localhost:9090")
+	err := http.ListenAndServe(":9090", http.FileServer(http.Dir("./assets")))
+	//err := http.ListenAndServe(":9090", http.FileServer(http.Dir("/home/braginini/Documents/projects/my/wiretrustee/rtctunnel/examples/browser-http/dist")))
+
+	if err != nil {
+		fmt.Println("Failed to start server", err)
+		return
+	}
+}
--- a/browser/server/server.go
+++ b/browser/server/server.go
@@ -0,0 +1,123 @@
+package main
+
+import (
+	"context"
+	"encoding/hex"
+	"flag"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/browser/conn"
+	"github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"time"
+)
+
+//my private key qJi7zSrgdokeoXE27fbca2hvMlgg1NQIW6KbrTJhhmc=
+//remote private key KLuBc6tM/NRV1071bfPiNUxZmMhGBCXfxoDg+A+J7ns=
+//./server --key KLuBc6tM/NRV1071bfPiNUxZmMhGBCXfxoDg+A+J7ns= --remote-key 6M9O7PRhKMEOiboBp9cX6rNrLBevtHX7H0O2FMXUkFI= --signal-endpoint ws://0.0.0.0:80/signal --ip 100.0.2.1 --remote-ip 100.0.2.2
+func main() {
+
+	keyFlag := flag.String("key", "", "a Wireguard private key")
+	remoteKeyFlag := flag.String("remote-key", "", "a Wireguard remote peer public key")
+	signalEndpoint := flag.String("signal-endpoint", "ws://apitest.wiretrustee.com:80/signal", "a Signal service Websocket endpoint")
+	cl := flag.Bool("client", false, "indicates whether the program is a client")
+	ip := flag.String("ip", "", "Wireguard IP")
+	remoteIP := flag.String("remote-ip", "", "Wireguard IP")
+
+	flag.Parse()
+
+	key, err := wgtypes.ParseKey(*keyFlag)
+	if err != nil {
+		panic(err)
+	}
+
+	log.Printf("my public key: %s", key.PublicKey().String())
+
+	remoteKey, err := wgtypes.ParseKey(*remoteKeyFlag)
+
+	if err != nil {
+		panic(err)
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
+	defer cancel()
+
+	signal, err := client.NewWebsocketClient(ctx, *signalEndpoint, key)
+
+	time.Sleep(5 * time.Second)
+
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]net.IP{net.ParseIP(*ip)},
+		[]net.IP{net.ParseIP("8.8.8.8")},
+		1420)
+
+	b := conn.NewWebRTCBind("chann-1", signal, key.PublicKey().String(), remoteKey.String())
+	dev := device.NewDevice(tun, b, device.NewLogger(device.LogLevelVerbose, ""))
+	allowedIPs := *remoteIP + "/32"
+	if *cl {
+		allowedIPs = "0.0.0.0/0"
+	}
+	err = dev.IpcSet(fmt.Sprintf("private_key=%s\npublic_key=%s\npersistent_keepalive_interval=100\nendpoint=webrtc://datachannel\nallowed_ip=%s",
+		hex.EncodeToString(key[:]),
+		hex.EncodeToString(remoteKey[:]),
+		allowedIPs,
+	))
+
+	dev.Up()
+
+	if err != nil {
+		panic(err)
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: tnet.DialContext,
+		},
+	}
+	time.Sleep(2 * time.Second)
+
+	if *cl {
+
+		req, _ := http.NewRequest("GET", "http://"+*remoteIP, nil)
+
+		//req.Header.Set("js.fetch:mode", "no-cors")
+		resp, err := client.Do(req)
+		if err != nil {
+			log.Panic(err)
+		}
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			log.Panic(err)
+		}
+		log.Printf(string(body))
+		log.Printf(resp.Status)
+
+	} else {
+		listener, err := tnet.ListenTCP(&net.TCPAddr{Port: 80})
+		if err != nil {
+			log.Panicln(err)
+		}
+		http.HandleFunc("/", func(writer http.ResponseWriter, request *http.Request) {
+			writer.Header().Set("Access-Control-Allow-Origin", "*")
+			writer.Header().Set("Access-Control-Allow-Headers", "Content-Type")
+			if (*request).Method == "OPTIONS" {
+				return
+			}
+
+			log.Printf("> %s - %s - %s", request.RemoteAddr, request.URL.String(), request.UserAgent())
+			io.WriteString(writer, "HELOOOOOOOOOOOOOOOOOOOO")
+		})
+		err = http.Serve(listener, nil)
+		if err != nil {
+			log.Panicln(err)
+		}
+	}
+
+	select {}
+
+}
--- a/browser/test/test.go
+++ b/browser/test/test.go
@@ -0,0 +1,60 @@
+package main
+
+import (
+	"encoding/hex"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"time"
+
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun/netstack"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+func main() {
+	tun, tnet, err := netstack.CreateNetTUN(
+		[]net.IP{net.ParseIP("10.100.0.2")},
+		[]net.IP{net.ParseIP("8.8.8.8")},
+		1420)
+	if err != nil {
+		log.Panic(err)
+	}
+
+	clientKey, _ := wgtypes.ParseKey("WI+uoQD9jGi+nyifmFwmswQu5r0uWFH31WeSmfU0snI=")
+	publicServerkey, _ := wgtypes.ParseKey("Xp2HRQ1AJ1WbSrHV1NNHAIcmirLUjUh9jz3K3n4OcgQ=")
+	fmt.Printf(clientKey.PublicKey().String())
+
+	dev := device.NewDevice(tun, conn.NewDefaultBind(), device.NewLogger(device.LogLevelVerbose, ""))
+
+	err = dev.IpcSet(fmt.Sprintf("private_key=%s\npublic_key=%s\npersistent_keepalive_interval=1\nendpoint=65.21.255.241:51820\nallowed_ip=0.0.0.0/0",
+		hex.EncodeToString(clientKey[:]),
+		hex.EncodeToString(publicServerkey[:]),
+	))
+	if err != nil {
+		log.Panic(err)
+	}
+	err = dev.Up()
+	if err != nil {
+		log.Panic(err)
+	}
+
+	client := http.Client{
+		Transport: &http.Transport{
+			DialContext: tnet.DialContext,
+		},
+	}
+	resp, err := client.Get("https://httpbin.org/ip")
+	if err != nil {
+		log.Panic(err)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Panic(err)
+	}
+	log.Println(string(body))
+	time.Sleep(30 * time.Second)
+}
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base:debug
+ENV WT_LOG_FILE=console
+ENTRYPOINT [ "/go/bin/wiretrustee","up"]
+COPY wiretrustee /go/bin/wiretrustee
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -0,0 +1,153 @@
+package cmd
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"os"
+)
+
+var (
+	loginCmd = &cobra.Command{
+		Use:   "login",
+		Short: "login to the Wiretrustee Management Service (first run)",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+				return err
+			}
+
+			config, err := internal.GetConfig(managementURL, configPath)
+			if err != nil {
+				log.Errorf("failed getting config %s %v", configPath, err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			//validate our peer's Wireguard PRIVATE key
+			myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+			if err != nil {
+				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			ctx := context.Background()
+
+			mgmTlsEnabled := false
+			if config.ManagementURL.Scheme == "https" {
+				mgmTlsEnabled = true
+			}
+
+			log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+			mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+			if err != nil {
+				log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+			log.Debugf("connected to anagement Service %s", config.ManagementURL.String())
+
+			serverKey, err := mgmClient.GetServerPublicKey()
+			if err != nil {
+				log.Errorf("failed while getting Management Service public key: %v", err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			_, err = loginPeer(*serverKey, mgmClient, setupKey)
+			if err != nil {
+				log.Errorf("failed logging-in peer on Management Service : %v", err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			err = mgmClient.Close()
+			if err != nil {
+				log.Errorf("failed closing Management Service client: %v", err)
+				//os.Exit(ExitSetupFailed)
+				return err
+			}
+
+			return nil
+		},
+	}
+)
+
+// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
+func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
+
+	loginResp, err := client.Login(serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(serverPublicKey, client, setupKey)
+		} else {
+			return nil, err
+		}
+	}
+
+	log.Info("peer has successfully logged-in to Management Service")
+
+	return loginResp, nil
+}
+
+// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
+// Otherwise tries to register with the provided setupKey via command line.
+func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
+
+	var err error
+	if setupKey == "" {
+		setupKey, err = promptPeerSetupKey()
+		if err != nil {
+			log.Errorf("failed getting setup key from user: %s", err)
+			return nil, err
+		}
+	}
+
+	validSetupKey, err := uuid.Parse(setupKey)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debugf("sending peer registration request to Management Service")
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String())
+	if err != nil {
+		log.Errorf("failed registering peer %v", err)
+		return nil, err
+	}
+
+	log.Infof("peer has been successfully registered on Management Service")
+
+	return loginResp, nil
+}
+
+// promptPeerSetupKey prompts user to enter Setup Key
+func promptPeerSetupKey() (string, error) {
+	fmt.Print("Enter setup key: ")
+
+	s := bufio.NewScanner(os.Stdin)
+	for s.Scan() {
+		input := s.Text()
+		if input != "" {
+			return input, nil
+		}
+		fmt.Println("Specified key is empty, try again:")
+
+	}
+
+	return "", s.Err()
+}
--- a/client/cmd/login_test.go
+++ b/client/cmd/login_test.go
@@ -0,0 +1,69 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+var mgmAddr string
+
+func TestLogin_Start(t *testing.T) {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, listener := startManagement(config, t)
+	mgmAddr = listener.Addr().String()
+}
+
+func TestLogin(t *testing.T) {
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+	mgmtURL := fmt.Sprintf("http://%s", mgmAddr)
+	rootCmd.SetArgs([]string{
+		"login",
+		"--config",
+		confPath,
+		"--setup-key",
+		strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
+		"--management-url",
+		mgmtURL,
+	})
+	err := rootCmd.Execute()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// validate generated config
+	actualConf := &internal.Config{}
+	_, err = util.ReadJson(confPath, actualConf)
+	if err != nil {
+		t.Errorf("expected proper config file written, got broken %v", err)
+	}
+
+	if actualConf.ManagementURL.String() != mgmtURL {
+		t.Errorf("expected management URL %s got %s", mgmtURL, actualConf.ManagementURL.String())
+	}
+
+	if actualConf.WgIface != iface.WgInterfaceDefault {
+		t.Errorf("expected WgIface %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
+	}
+
+	if len(actualConf.PrivateKey) == 0 {
+		t.Errorf("expected non empty Private key, got empty")
+	}
+}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -0,0 +1,99 @@
+package cmd
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"os"
+	"os/signal"
+	"runtime"
+	"strings"
+	"syscall"
+)
+
+var (
+	configPath        string
+	defaultConfigPath string
+	logLevel          string
+	defaultLogFile    string
+	logFile           string
+	managementURL     string
+	setupKey          string
+	rootCmd           = &cobra.Command{
+		Use:   "wiretrustee",
+		Short: "",
+		Long:  "",
+	}
+
+	// Execution control channel for stopCh signal
+	stopCh    chan int
+	cleanupCh chan struct{}
+)
+
+// Execute executes the root command.
+func Execute() error {
+	return rootCmd.Execute()
+}
+func init() {
+
+	stopCh = make(chan int)
+	cleanupCh = make(chan struct{})
+
+	defaultConfigPath = "/etc/wiretrustee/config.json"
+	defaultLogFile = "/var/log/wiretrustee/client.log"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
+	}
+
+	rootCmd.PersistentFlags().StringVar(&managementURL, "management-url", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.ManagementURLDefault().String()))
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Wiretrustee log level")
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Wiretrustee log path. If console is specified the the log will be output to stdout")
+	rootCmd.PersistentFlags().StringVar(&setupKey, "setup-key", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
+	rootCmd.AddCommand(serviceCmd)
+	rootCmd.AddCommand(upCmd)
+	rootCmd.AddCommand(loginCmd)
+	rootCmd.AddCommand(versionCmd)
+	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
+	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
+}
+
+// SetupCloseHandler handles SIGTERM signal and exits with success
+func SetupCloseHandler() {
+	c := make(chan os.Signal, 1)
+	signal.Notify(c, os.Interrupt, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		for range c {
+			log.Info("shutdown signal received")
+			stopCh <- 0
+		}
+	}()
+}
+
+// SetFlagsFromEnvVars reads and updates flag values from environment variables with prefix WT_
+func SetFlagsFromEnvVars() {
+	flags := rootCmd.PersistentFlags()
+	flags.VisitAll(func(f *pflag.Flag) {
+
+		envVar := FlagNameToEnvVar(f.Name)
+
+		if value, present := os.LookupEnv(envVar); present {
+			err := flags.Set(f.Name, value)
+			if err != nil {
+				log.Infof("unable to configure flag %s using variable %s, err: %v", f.Name, envVar, err)
+			}
+		}
+	})
+}
+
+// FlagNameToEnvVar converts flag name to environment var name adding a prefix,
+// replacing dashes and making all uppercase (e.g. setup-keys is converted to WT_SETUP_KEYS)
+func FlagNameToEnvVar(f string) string {
+	prefix := "WT_"
+	parsed := strings.ReplaceAll(f, "-", "_")
+	upper := strings.ToUpper(parsed)
+	return prefix + upper
+}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -11,8 +11,6 @@ type program struct {
 	args []string
 }

-var logger service.Logger
-
 func newSVCConfig() *service.Config {
 	return &service.Config{
 		Name:        "wiretrustee",
@@ -27,11 +25,6 @@ func newSVC(prg *program, conf *service.Config) (service.Service, error) {
 		log.Fatal(err)
 		return nil, err
 	}
-	logger, err = s.Logger(nil)
-	if err != nil {
-		log.Fatal(err)
-		return nil, err
-	}
 	return s, nil
 }

@@ -39,10 +32,5 @@ var (
 	serviceCmd = &cobra.Command{
 		Use:   "service",
 		Short: "manages wiretrustee service",
-		//Run: func(cmd *cobra.Command, args []string) {
-		//},
 	}
 )
-
-func init() {
-}
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -2,18 +2,37 @@ package cmd

 import (
 	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/util"
+	"time"
 )

-func (p *program) Start(s service.Service) error {
+func (p *program) Start(service.Service) error {
+
 	// Start should not block. Do the actual work async.
-	logger.Info("Starting service") //nolint
-	go upCmd.Run(p.cmd, p.args)
+	log.Info("starting service") //nolint
+	go func() {
+		err := runClient()
+		if err != nil {
+			log.Errorf("stopped Wiretrustee client app due to error: %v", err)
+			return
+		}
+	}()
 	return nil
 }

-func (p *program) Stop(s service.Service) error {
-	stopUP <- 1
+func (p *program) Stop(service.Service) error {
+	go func() {
+		stopCh <- 1
+	}()
+
+	select {
+	case <-cleanupCh:
+	case <-time.After(time.Second * 10):
+		log.Warnf("failed waiting for service cleanup, terminating")
+	}
+	log.Info("stopped Wiretrustee service") //nolint
 	return nil
 }

@@ -22,6 +41,15 @@ var (
 		Use:   "run",
 		Short: "runs wiretrustee as service",
 		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()
+
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+				return
+			}
+
+			SetupCloseHandler()

 			prg := &program{
 				cmd:  cmd,
@@ -47,19 +75,26 @@ var (
 	startCmd = &cobra.Command{
 		Use:   "start",
 		Short: "starts wiretrustee service",
-		Run: func(cmd *cobra.Command, args []string) {
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()

+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+				return err
+			}
 			s, err := newSVC(&program{}, newSVCConfig())
 			if err != nil {
 				cmd.PrintErrln(err)
-				return
+				return err
 			}
 			err = s.Start()
 			if err != nil {
 				cmd.PrintErrln(err)
-				return
+				return err
 			}
-			cmd.Printf("Wiretrustee service has been started")
+			cmd.Println("Wiretrustee service has been started")
+			return nil
 		},
 	}
 )
@@ -69,7 +104,12 @@ var (
 		Use:   "stop",
 		Short: "stops wiretrustee service",
 		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()

+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+			}
 			s, err := newSVC(&program{}, newSVCConfig())
 			if err != nil {
 				cmd.PrintErrln(err)
@@ -80,7 +120,7 @@ var (
 				cmd.PrintErrln(err)
 				return
 			}
-			cmd.Printf("Wiretrustee service has been stopped")
+			cmd.Println("Wiretrustee service has been stopped")
 		},
 	}
 )
@@ -90,7 +130,12 @@ var (
 		Use:   "restart",
 		Short: "restarts wiretrustee service",
 		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()

+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Errorf("failed initializing log %v", err)
+			}
 			s, err := newSVC(&program{}, newSVCConfig())
 			if err != nil {
 				cmd.PrintErrln(err)
@@ -101,10 +146,7 @@ var (
 				cmd.PrintErrln(err)
 				return
 			}
-			cmd.Printf("Wiretrustee service has been restarted")
+			cmd.Println("Wiretrustee service has been restarted")
 		},
 	}
 )
-
-func init() {
-}
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -9,7 +9,8 @@ var (
 	installCmd = &cobra.Command{
 		Use:   "install",
 		Short: "installs wiretrustee service",
-		Run: func(cmd *cobra.Command, args []string) {
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()

 			svcConfig := newSVCConfig()

@@ -30,15 +31,16 @@ var (
 			s, err := newSVC(&program{}, svcConfig)
 			if err != nil {
 				cmd.PrintErrln(err)
-				return
+				return err
 			}

 			err = s.Install()
 			if err != nil {
 				cmd.PrintErrln(err)
-				return
+				return err
 			}
-			cmd.Printf("Wiretrustee service has been installed")
+			cmd.Println("Wiretrustee service has been installed")
+			return nil
 		},
 	}
 )
@@ -48,6 +50,7 @@ var (
 		Use:   "uninstall",
 		Short: "uninstalls wiretrustee service from system",
 		Run: func(cmd *cobra.Command, args []string) {
+			SetFlagsFromEnvVars()

 			s, err := newSVC(&program{}, newSVCConfig())
 			if err != nil {
@@ -60,10 +63,7 @@ var (
 				cmd.PrintErrln(err)
 				return
 			}
-			cmd.Printf("Wiretrustee has been uninstalled")
+			cmd.Println("Wiretrustee has been uninstalled")
 		},
 	}
 )
-
-func init() {
-}
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -0,0 +1,57 @@
+package cmd
+
+import (
+	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/signal/peer"
+	sigProto "github.com/wiretrustee/wiretrustee/signal/proto"
+	sig "github.com/wiretrustee/wiretrustee/signal/server"
+	"google.golang.org/grpc"
+	"net"
+	"testing"
+)
+
+func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	sigProto.RegisterSignalExchangeServer(s, sig.NewServer(peer.NewRegistry()))
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			panic(err)
+		}
+	}()
+
+	return s, lis
+}
+
+func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	store, err := mgmt.NewStore(config.Datadir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peersUpdateManager := mgmt.NewPeersUpdateManager()
+	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+			return
+		}
+	}()
+
+	return s, lis
+}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -0,0 +1,225 @@
+package cmd
+
+import (
+	"context"
+	"github.com/cenkalti/backoff/v4"
+	"github.com/kardianos/service"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"time"
+)
+
+var (
+	upCmd = &cobra.Command{
+		Use:   "up",
+		Short: "install, login and start wiretrustee client",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			SetFlagsFromEnvVars()
+			err := loginCmd.RunE(cmd, args)
+			if err != nil {
+				return err
+			}
+			if logFile == "console" {
+				return runClient()
+			}
+
+			s, err := newSVC(&program{}, newSVCConfig())
+			if err != nil {
+				cmd.PrintErrln(err)
+				return err
+			}
+
+			srvStatus, err := s.Status()
+			if err != nil {
+				if err == service.ErrNotInstalled {
+					log.Infof("%s. Installing it now", err.Error())
+					e := installCmd.RunE(cmd, args)
+					if e != nil {
+						return e
+					}
+				} else {
+					log.Warnf("failed retrieving service status: %v", err)
+				}
+			}
+			if srvStatus == service.StatusRunning {
+				stopCmd.Run(cmd, args)
+			}
+			return startCmd.RunE(cmd, args)
+		},
+	}
+)
+
+// createEngineConfig converts configuration received from Management Service to EngineConfig
+func createEngineConfig(key wgtypes.Key, config *internal.Config, peerConfig *mgmProto.PeerConfig) (*internal.EngineConfig, error) {
+	iFaceBlackList := make(map[string]struct{})
+	for i := 0; i < len(config.IFaceBlackList); i += 2 {
+		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
+	}
+
+	return &internal.EngineConfig{
+		WgIface:        config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: iFaceBlackList,
+		WgPrivateKey:   key,
+	}, nil
+}
+
+// connectToSignal creates Signal Service client and established a connection
+func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (signal.Client, error) {
+	var sigTLSEnabled bool
+	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
+		sigTLSEnabled = true
+	} else {
+		sigTLSEnabled = false
+	}
+
+	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
+	if err != nil {
+		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+	}
+
+	return signalClient, nil
+}
+
+// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.Client, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to management server %s", managementAddr)
+	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
+	loginResp, err := client.Login(*serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Error("peer registration required. Please run wiretrustee login command first")
+			return nil, nil, err
+		} else {
+			return nil, nil, err
+		}
+	}
+
+	log.Debugf("peer logged in to Management Service %s", managementAddr)
+
+	return client, loginResp, nil
+}
+
+func runClient() error {
+	var backOff = &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      24 * 3 * time.Hour, //stop the client after 3 days trying (must be a huge problem, e.g permission denied)
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+
+	operation := func() error {
+
+		config, err := internal.ReadConfig(managementURL, configPath)
+		if err != nil {
+			log.Errorf("failed reading config %s %v", configPath, err)
+			return err
+		}
+
+		//validate our peer's Wireguard PRIVATE key
+		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+			return err
+		}
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+
+		mgmTlsEnabled := false
+		if config.ManagementURL.Scheme == "https" {
+			mgmTlsEnabled = true
+		}
+
+		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
+		mgmClient, loginResp, err := connectToManagement(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		if err != nil {
+			log.Warn(err)
+			return err
+		}
+
+		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
+		signalClient, err := connectToSignal(ctx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
+		if err != nil {
+			log.Error(err)
+			return err
+		}
+
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return err
+		}
+
+		// create start the Wiretrustee Engine that will connect to the Signal and Management streams and manage connections to remote peers.
+		engine := internal.NewEngine(signalClient, mgmClient, engineConfig, cancel, ctx)
+		err = engine.Start()
+		if err != nil {
+			log.Errorf("error while starting Wiretrustee Connection Engine: %s", err)
+			return err
+		}
+
+		log.Print("Wiretrustee engine started, my IP is: ", peerConfig.Address)
+
+		select {
+		case <-stopCh:
+		case <-ctx.Done():
+		}
+
+		backOff.Reset()
+
+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client %v", err)
+			return err
+		}
+		err = signalClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Signal Service client %v", err)
+			return err
+		}
+
+		err = engine.Stop()
+		if err != nil {
+			log.Errorf("failed stopping engine %v", err)
+			return err
+		}
+
+		go func() {
+			cleanupCh <- struct{}{}
+		}()
+
+		log.Info("stopped Wiretrustee client")
+
+		return ctx.Err()
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+	return nil
+}
--- a/client/cmd/up_test.go
+++ b/client/cmd/up_test.go
@@ -0,0 +1,82 @@
+package cmd
+
+import (
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+	"net/url"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+var signalAddr string
+
+func TestUp_Start(t *testing.T) {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, signalLis := startSignal(t)
+	signalAddr = signalLis.Addr().String()
+	config.Signal.URI = signalAddr
+
+	_, mgmLis := startManagement(config, t)
+	mgmAddr = mgmLis.Addr().String()
+
+}
+
+func TestUp(t *testing.T) {
+
+	defer iface.Close()
+
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+	mgmtURL, err := url.Parse("http://" + mgmAddr)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rootCmd.SetArgs([]string{
+		"up",
+		"--config",
+		confPath,
+		"--setup-key",
+		"A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+		"--management-url",
+		mgmtURL.String(),
+		"--log-file",
+		"console",
+	})
+	go func() {
+		err = rootCmd.Execute()
+		if err != nil {
+			t.Errorf("expected no error while running up command, got %v", err)
+		}
+	}()
+
+	exists := false
+	for start := time.Now(); time.Since(start) < 15*time.Second; {
+		e, err := iface.Exists(iface.WgInterfaceDefault)
+		if err != nil {
+			continue
+		}
+		if *e {
+			exists = true
+			break
+		}
+
+	}
+
+	if !exists {
+		t.Errorf("expected wireguard interface %s to be created", iface.WgInterfaceDefault)
+	}
+}
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -0,0 +1,14 @@
+package cmd
+
+import "github.com/spf13/cobra"
+
+var (
+	Version    string
+	versionCmd = &cobra.Command{
+		Use:   "version",
+		Short: "prints wiretrustee version",
+		Run: func(cmd *cobra.Command, args []string) {
+			cmd.Println(Version)
+		},
+	}
+)
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -0,0 +1,119 @@
+!define APP_NAME "Wiretrustee"
+!define COMP_NAME "Wiretrustee"
+!define WEB_SITE "wiretrustee.com"
+!define VERSION $%APPVER%
+!define COPYRIGHT "Wiretrustee Authors, 2021"
+!define DESCRIPTION "A WireGuard®-based mesh network that connects your devices into a single private network"
+!define INSTALLER_NAME "wiretrustee-installer.exe"
+!define MAIN_APP_EXE "Wiretrustee"
+!define ICON "ui\\wiretrustee.ico"
+!define BANNER "ui\\banner.bmp"
+!define LICENSE_DATA "..\\LICENSE"
+
+!define INSTALL_DIR "$PROGRAMFILES64\${APP_NAME}"
+!define INSTALL_TYPE "SetShellVarContext all"
+!define REG_ROOT "HKLM"
+!define REG_APP_PATH "Software\Microsoft\Windows\CurrentVersion\App Paths\${MAIN_APP_EXE}"
+!define UNINSTALL_PATH "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APP_NAME}"
+Unicode True
+
+######################################################################
+
+VIProductVersion  "${VERSION}"
+VIAddVersionKey "ProductName"  "${APP_NAME}"
+VIAddVersionKey "CompanyName"  "${COMP_NAME}"
+VIAddVersionKey "LegalCopyright"  "${COPYRIGHT}"
+VIAddVersionKey "FileDescription"  "${DESCRIPTION}"
+VIAddVersionKey "FileVersion"  "${VERSION}"
+
+######################################################################
+
+SetCompressor /SOLID Lzma
+Name "${APP_NAME}"
+Caption "${APP_NAME}"
+OutFile "..\\${INSTALLER_NAME}"
+BrandingText "${APP_NAME}"
+InstallDirRegKey "${REG_ROOT}" "${REG_APP_PATH}" ""
+InstallDir "${INSTALL_DIR}"
+LicenseData "${LICENSE_DATA}"
+ShowInstDetails Show
+
+######################################################################
+
+!define MUI_ICON "${ICON}"
+!define MUI_UNICON "${ICON}"
+!define MUI_WELCOMEFINISHPAGE_BITMAP "${BANNER}"
+!define MUI_UNWELCOMEFINISHPAGE_BITMAP "${BANNER}"
+
+######################################################################
+
+!include "MUI2.nsh"
+
+!define MUI_ABORTWARNING
+!define MUI_UNABORTWARNING
+
+!insertmacro MUI_PAGE_WELCOME
+
+!insertmacro MUI_PAGE_LICENSE "${LICENSE_DATA}"
+
+!insertmacro MUI_PAGE_DIRECTORY
+
+!insertmacro MUI_PAGE_INSTFILES
+
+!insertmacro MUI_PAGE_FINISH
+
+!insertmacro MUI_UNPAGE_CONFIRM
+
+!insertmacro MUI_UNPAGE_INSTFILES
+
+!insertmacro MUI_UNPAGE_FINISH
+
+!insertmacro MUI_LANGUAGE "English"
+
+######################################################################
+
+Section -MainProgram
+	${INSTALL_TYPE}
+	SetOverwrite ifnewer
+	SetOutPath "$INSTDIR"
+	File /r "..\\dist\\wiretrustee_windows_amd64\\"
+
+SectionEnd
+
+######################################################################
+
+Section -Icons_Reg
+SetOutPath "$INSTDIR"
+WriteUninstaller "$INSTDIR\wiretrustee_uninstall.exe"
+
+WriteRegStr ${REG_ROOT} "${REG_APP_PATH}" "" "$INSTDIR\${MAIN_APP_EXE}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayName" "${APP_NAME}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "UninstallString" "$INSTDIR\wiretrustee_uninstall.exe"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayIcon" "$INSTDIR\${MAIN_APP_EXE}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "DisplayVersion" "${VERSION}"
+WriteRegStr ${REG_ROOT} "${UNINSTALL_PATH}"  "Publisher" "${COMP_NAME}"
+
+EnVar::SetHKLM
+EnVar::AddValueEx "path" "$INSTDIR"
+
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service install'
+# sleep a bit for visibility
+Sleep 1000
+SectionEnd
+
+######################################################################
+
+Section Uninstall
+${INSTALL_TYPE}
+
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service stop'
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
+# wait the service uninstall take unblock the executable
+Sleep 3000
+RmDir /r "$INSTDIR"
+
+DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
+DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
+EnVar::SetHKLM
+EnVar::DeleteValue "path" "$INSTDIR"
+SectionEnd
--- a/client/internal/cond.go
+++ b/client/internal/cond.go
@@ -1,4 +1,4 @@
-package connection
+package internal

 import "sync"

--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -0,0 +1,113 @@
+package internal
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net/url"
+	"os"
+)
+
+var managementURLDefault *url.URL
+
+func ManagementURLDefault() *url.URL {
+	return managementURLDefault
+}
+
+func init() {
+	managementURL, err := parseManagementURL("https://api.wiretrustee.com:33073")
+	if err != nil {
+		panic(err)
+	}
+	managementURLDefault = managementURL
+}
+
+// Config Configuration type
+type Config struct {
+	// Wireguard private key of local peer
+	PrivateKey     string
+	ManagementURL  *url.URL
+	WgIface        string
+	IFaceBlackList []string
+}
+
+//createNewConfig creates a new config generating a new Wireguard key and saving to file
+func createNewConfig(managementURL string, configPath string) (*Config, error) {
+	wgKey := generateKey()
+	config := &Config{PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
+	if managementURL != "" {
+		URL, err := parseManagementURL(managementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = URL
+	} else {
+		config.ManagementURL = managementURLDefault
+	}
+
+	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0"}
+
+	err := util.WriteJson(configPath, config)
+	if err != nil {
+		return nil, err
+	}
+
+	return config, nil
+}
+
+func parseManagementURL(managementURL string) (*url.URL, error) {
+
+	parsedMgmtURL, err := url.ParseRequestURI(managementURL)
+	if err != nil {
+		log.Errorf("failed parsing management URL %s: [%s]", managementURL, err.Error())
+		return nil, err
+	}
+
+	if !(parsedMgmtURL.Scheme == "https" || parsedMgmtURL.Scheme == "http") {
+		return nil, fmt.Errorf("invalid Management Service URL provided %s. Supported format [http|https]://[host]:[port]", managementURL)
+	}
+
+	return parsedMgmtURL, err
+
+}
+
+// ReadConfig reads existing config. In case provided managementURL is not empty overrides the read property
+func ReadConfig(managementURL string, configPath string) (*Config, error) {
+	config := &Config{}
+	_, err := util.ReadJson(configPath, config)
+	if err != nil {
+		return nil, err
+	}
+
+	if managementURL != "" {
+		URL, err := parseManagementURL(managementURL)
+		if err != nil {
+			return nil, err
+		}
+		config.ManagementURL = URL
+	}
+
+	return config, err
+}
+
+// GetConfig reads existing config or generates a new one
+func GetConfig(managementURL string, configPath string) (*Config, error) {
+
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		log.Infof("generating new config %s", configPath)
+		return createNewConfig(managementURL, configPath)
+	} else {
+		return ReadConfig(managementURL, configPath)
+	}
+}
+
+// generateKey generates a new Wireguard private key
+func generateKey() string {
+	key, err := wgtypes.GenerateKey()
+	if err != nil {
+		panic(err)
+	}
+	return key.String()
+}
--- a/client/internal/connection.go
+++ b/client/internal/connection.go
@@ -1,4 +1,4 @@
-package connection
+package internal

 import (
 	"context"
@@ -7,6 +7,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/wiretrustee/wiretrustee/iface"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
 	"sync"
 	"time"
 )
@@ -14,8 +15,36 @@ import (
 var (
 	// DefaultWgKeepAlive default Wireguard keep alive constant
 	DefaultWgKeepAlive = 20 * time.Second
+	privateIPBlocks    []*net.IPNet
 )

+type Status string
+
+const (
+	StatusConnected    Status = "Connected"
+	StatusConnecting   Status = "Connecting"
+	StatusDisconnected Status = "Disconnected"
+)
+
+func init() {
+	for _, cidr := range []string{
+		"127.0.0.0/8",    // IPv4 loopback
+		"10.0.0.0/8",     // RFC1918
+		"172.16.0.0/12",  // RFC1918
+		"192.168.0.0/16", // RFC1918
+		"169.254.0.0/16", // RFC3927 link-local
+		"::1/128",        // IPv6 loopback
+		"fe80::/10",      // IPv6 link-local
+		"fc00::/7",       // IPv6 unique local addr
+	} {
+		_, block, err := net.ParseCIDR(cidr)
+		if err != nil {
+			panic(fmt.Errorf("parse error on %q: %v", cidr, err))
+		}
+		privateIPBlocks = append(privateIPBlocks, block)
+	}
+}
+
 // ConnConfig Connection configuration struct
 type ConnConfig struct {
 	// Local Wireguard listening address  e.g. 127.0.0.1:51820
@@ -66,6 +95,8 @@ type Connection struct {
 	closeCond *Cond

 	remoteAuthCond sync.Once
+
+	Status Status
 }

 // NewConnection Creates a new connection and sets handling functions for signal protocol
@@ -85,6 +116,7 @@ func NewConnection(config ConnConfig,
 		connected:         NewCond(),
 		agent:             nil,
 		wgProxy:           NewWgProxy(config.WgIface, config.RemoteWgKey.String(), config.WgAllowedIPs, config.WgListenAddr),
+		Status:            StatusDisconnected,
 	}
 }

@@ -95,8 +127,9 @@ func (conn *Connection) Open(timeout time.Duration) error {
 	// create an ice.Agent that will be responsible for negotiating and establishing actual peer-to-peer connection
 	a, err := ice.NewAgent(&ice.AgentConfig{
 		// MulticastDNSMode: ice.MulticastDNSModeQueryAndGather,
-		NetworkTypes: []ice.NetworkType{ice.NetworkTypeUDP4},
-		Urls:         conn.Config.StunTurnURLS,
+		NetworkTypes:   []ice.NetworkType{ice.NetworkTypeUDP4},
+		Urls:           conn.Config.StunTurnURLS,
+		CandidateTypes: []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
 		InterfaceFilter: func(s string) bool {
 			if conn.Config.iFaceBlackList == nil {
 				return true
@@ -105,12 +138,18 @@ func (conn *Connection) Open(timeout time.Duration) error {
 			return !ok
 		},
 	})
-	conn.agent = a
-
 	if err != nil {
 		return err
 	}

+	conn.agent = a
+	defer func() {
+		err := conn.agent.Close()
+		if err != nil {
+			return
+		}
+	}()
+
 	err = conn.listenOnLocalCandidates()
 	if err != nil {
 		return err
@@ -126,13 +165,14 @@ func (conn *Connection) Open(timeout time.Duration) error {
 		return err
 	}

-	log.Infof("trying to connect to peer %s", conn.Config.RemoteWgKey.String())
+	conn.Status = StatusConnecting
+	log.Debugf("trying to connect to peer %s", conn.Config.RemoteWgKey.String())

 	// wait until credentials have been sent from the remote peer (will arrive via a signal server)
 	select {
 	case remoteAuth := <-conn.remoteAuthChannel:

-		log.Infof("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())
+		log.Debugf("got a connection confirmation from peer %s", conn.Config.RemoteWgKey.String())

 		err = conn.agent.GatherCandidates()
 		if err != nil {
@@ -140,50 +180,105 @@ func (conn *Connection) Open(timeout time.Duration) error {
 		}

 		isControlling := conn.Config.WgKey.PublicKey().String() > conn.Config.RemoteWgKey.String()
-		remoteConn, err := conn.openConnectionToRemote(isControlling, remoteAuth)
+		var remoteConn *ice.Conn
+		remoteConn, err = conn.openConnectionToRemote(isControlling, remoteAuth)
 		if err != nil {
 			log.Errorf("failed establishing connection with the remote peer %s %s", conn.Config.RemoteWgKey.String(), err)
 			return err
 		}

-		pair, err := conn.agent.GetSelectedCandidatePair()
+		var pair *ice.CandidatePair
+		pair, err = conn.agent.GetSelectedCandidatePair()
 		if err != nil {
 			return err
 		}
-		// in case the remote peer is in the local network we don't need a Wireguard proxy, direct communication is possible.
-		if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
-			log.Debugf("remote peer %s is in the local network with an address %s", conn.Config.RemoteWgKey.String(), pair.Remote.Address())
+
+		useProxy := useProxy(pair)
+
+		// in case the remote peer is in the local network or one of the peers has public static IP -> no need for a Wireguard proxy, direct communication is possible.
+		if !useProxy {
+			log.Debugf("it is possible to establish a direct connection (without proxy) to peer %s - my addr: %s, remote addr: %s", conn.Config.RemoteWgKey.String(), pair.Local, pair.Remote)
 			err = conn.wgProxy.StartLocal(fmt.Sprintf("%s:%d", pair.Remote.Address(), iface.WgPort))
 			if err != nil {
 				return err
 			}
+
 		} else {
+			log.Debugf("establishing secure tunnel to peer %s via selected candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
 			err = conn.wgProxy.Start(remoteConn)
 			if err != nil {
 				return err
 			}
 		}

-		log.Infof("opened connection to peer %s", conn.Config.RemoteWgKey.String())
+		relayed := pair.Remote.Type() == ice.CandidateTypeRelay || pair.Local.Type() == ice.CandidateTypeRelay
+
+		conn.Status = StatusConnected
+		log.Infof("opened connection to peer %s [localProxy=%v, relayed=%v]", conn.Config.RemoteWgKey.String(), useProxy, relayed)
+	case <-conn.closeCond.C:
+		conn.Status = StatusDisconnected
+		return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
 	case <-time.After(timeout):
-		err := conn.Close()
+		err = conn.Close()
 		if err != nil {
 			log.Warnf("error while closing connection to peer %s -> %s", conn.Config.RemoteWgKey.String(), err.Error())
 		}
+		conn.Status = StatusDisconnected
 		return fmt.Errorf("timeout of %vs exceeded while waiting for the remote peer %s", timeout.Seconds(), conn.Config.RemoteWgKey.String())
 	}

 	// wait until connection has been closed
 	<-conn.closeCond.C
+	conn.Status = StatusDisconnected
 	return fmt.Errorf("connection to peer %s has been closed", conn.Config.RemoteWgKey.String())
 }

+func isPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
+		return false
+	}
+
+	for _, block := range privateIPBlocks {
+		if block.Contains(ip) {
+			return false
+		}
+	}
+	return true
+}
+
+//useProxy determines whether a direct connection (without a go proxy) is possible
+//There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+//Please note, that this check happens when peers were already able to ping each other with ICE layer.
+func useProxy(pair *ice.CandidatePair) bool {
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	myIp := net.ParseIP(pair.Local.Address())
+	remoteIsPublic := isPublicIP(remoteIP)
+	myIsPublic := isPublicIP(myIp)
+
+	//one of the hosts has a public IP
+	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
+		return false
+	}
+	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+		return false
+	}
+
+	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
+		if !remoteIsPublic && !myIsPublic {
+			//both hosts are in the same private network
+			return false
+		}
+	}
+
+	return true
+}
+
 // Close Closes a peer connection
 func (conn *Connection) Close() error {
 	var err error
 	conn.closeCond.Do(func() {

-		log.Warnf("closing connection to peer %s", conn.Config.RemoteWgKey.String())
+		log.Debugf("closing connection to peer %s", conn.Config.RemoteWgKey.String())

 		if a := conn.agent; a != nil {
 			e := a.Close()
@@ -311,7 +406,7 @@ func (conn *Connection) listenOnConnectionStateChanges() error {
 				log.Errorf("failed selecting active ICE candidate pair %s", err)
 				return
 			}
-			log.Infof("will connect to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
+			log.Debugf("ICE connected to peer %s via a selected connnection candidate pair %s", conn.Config.RemoteWgKey.String(), pair)
 		} else if state == ice.ConnectionStateDisconnected || state == ice.ConnectionStateFailed {
 			err := conn.Close()
 			if err != nil {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -0,0 +1,496 @@
+package internal
+
+import (
+	"context"
+	"fmt"
+	"github.com/cenkalti/backoff/v4"
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"strings"
+	"sync"
+	"time"
+)
+
+// PeerConnectionTimeout is a timeout of an initial connection attempt to a remote peer.
+// E.g. this peer will wait PeerConnectionTimeout for the remote peer to respond, if not successful then it will retry the connection attempt.
+const PeerConnectionTimeout = 40 * time.Second
+
+// EngineConfig is a config for the Engine
+type EngineConfig struct {
+	WgIface string
+	// WgAddr is a Wireguard local address (Wiretrustee Network IP)
+	WgAddr string
+	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
+	WgPrivateKey wgtypes.Key
+	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
+	IFaceBlackList map[string]struct{}
+}
+
+// Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
+type Engine struct {
+	// signal is a Signal Service client
+	signal signal.Client
+	// mgmClient is a Management Service client
+	mgmClient *mgm.Client
+	// conns is a collection of remote peer connections indexed by local public key of the remote peers
+	conns map[string]*Connection
+
+	// peerMux is used to sync peer operations (e.g. open connection, peer removal)
+	peerMux *sync.Mutex
+	// syncMsgMux is used to guarantee sequential Management Service message processing
+	syncMsgMux *sync.Mutex
+
+	config *EngineConfig
+
+	// wgPort is a Wireguard local listen port
+	wgPort int
+
+	// STUNs is a list of STUN servers used by ICE
+	STUNs []*ice.URL
+	// TURNs is a list of STUN servers used by ICE
+	TURNs []*ice.URL
+
+	cancel context.CancelFunc
+
+	ctx context.Context
+}
+
+// Peer is an instance of the Connection Peer
+type Peer struct {
+	WgPubKey     string
+	WgAllowedIps string
+}
+
+// NewEngine creates a new Connection Engine
+func NewEngine(signalClient signal.Client, mgmClient *mgm.Client, config *EngineConfig, cancel context.CancelFunc, ctx context.Context) *Engine {
+	return &Engine{
+		signal:     signalClient,
+		mgmClient:  mgmClient,
+		conns:      map[string]*Connection{},
+		peerMux:    &sync.Mutex{},
+		syncMsgMux: &sync.Mutex{},
+		config:     config,
+		STUNs:      []*ice.URL{},
+		TURNs:      []*ice.URL{},
+		cancel:     cancel,
+		ctx:        ctx,
+	}
+}
+
+func (e *Engine) Stop() error {
+	err := e.removeAllPeerConnections()
+	if err != nil {
+		return err
+	}
+
+	log.Debugf("removing Wiretrustee interface %s", e.config.WgIface)
+	err = iface.Close()
+	if err != nil {
+		log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIface, err)
+		return err
+	}
+
+	log.Infof("stopped Wiretrustee Engine")
+
+	return nil
+}
+
+// Start creates a new Wireguard tunnel interface and listens to events from Signal and Management services
+// Connections to remote peers are not established here.
+// However, they will be established once an event with a list of peers to connect to will be received from Management Service
+func (e *Engine) Start() error {
+
+	wgIface := e.config.WgIface
+	wgAddr := e.config.WgAddr
+	myPrivateKey := e.config.WgPrivateKey
+
+	err := iface.Create(wgIface, wgAddr)
+	if err != nil {
+		log.Errorf("failed creating interface %s: [%s]", wgIface, err.Error())
+		return err
+	}
+
+	err = iface.Configure(wgIface, myPrivateKey.String())
+	if err != nil {
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIface, err.Error())
+		return err
+	}
+
+	port, err := iface.GetListenPort(wgIface)
+	if err != nil {
+		log.Errorf("failed getting Wireguard listen port [%s]: %s", wgIface, err.Error())
+		return err
+	}
+	e.wgPort = *port
+
+	e.receiveSignalEvents()
+	e.receiveManagementEvents()
+
+	return nil
+}
+
+// initializePeer peer agent attempt to open connection
+func (e *Engine) initializePeer(peer Peer) {
+	var backOff = backoff.WithContext(&backoff.ExponentialBackOff{
+		InitialInterval:     backoff.DefaultInitialInterval,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         5 * time.Second,
+		MaxElapsedTime:      0, //never stop
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}, e.ctx)
+
+	operation := func() error {
+
+		if e.signal.GetStatus() != signal.StreamConnected {
+			return fmt.Errorf("not opening connection to peer because Signal is unavailable")
+		}
+
+		_, err := e.openPeerConnection(e.wgPort, e.config.WgPrivateKey, peer)
+		e.peerMux.Lock()
+		defer e.peerMux.Unlock()
+		if _, ok := e.conns[peer.WgPubKey]; !ok {
+			log.Debugf("removed connection attempt to peer: %v, not retrying", peer.WgPubKey)
+			return nil
+		}
+
+		if err != nil {
+			log.Debugf("retrying connection because of error: %s", err.Error())
+			return err
+		}
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		// should actually never happen
+		panic(err)
+	}
+}
+
+func (e *Engine) removePeerConnections(peers []string) error {
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+	for _, peer := range peers {
+		err := e.removePeerConnection(peer)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (e *Engine) removeAllPeerConnections() error {
+	log.Debugf("removing all peer connections")
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+	for peer := range e.conns {
+		err := e.removePeerConnection(peer)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// removePeerConnection closes existing peer connection and removes peer
+func (e *Engine) removePeerConnection(peerKey string) error {
+	conn, exists := e.conns[peerKey]
+	if exists && conn != nil {
+		delete(e.conns, peerKey)
+		return conn.Close()
+	}
+	log.Infof("removed connection to peer %s", peerKey)
+	return nil
+}
+
+// GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
+func (e *Engine) GetPeerConnectionStatus(peerKey string) *Status {
+	e.peerMux.Lock()
+	defer e.peerMux.Unlock()
+
+	conn, exists := e.conns[peerKey]
+	if exists && conn != nil {
+		return &conn.Status
+	}
+
+	return nil
+}
+
+// openPeerConnection opens a new remote peer connection
+func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
+	e.peerMux.Lock()
+
+	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
+	connConfig := &ConnConfig{
+		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
+		WgPeerIP:       e.config.WgAddr,
+		WgIface:        e.config.WgIface,
+		WgAllowedIPs:   peer.WgAllowedIps,
+		WgKey:          myKey,
+		RemoteWgKey:    remoteKey,
+		StunTurnURLS:   append(e.STUNs, e.TURNs...),
+		iFaceBlackList: e.config.IFaceBlackList,
+	}
+
+	signalOffer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
+	}
+
+	signalAnswer := func(uFrag string, pwd string) error {
+		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
+	}
+	signalCandidate := func(candidate ice.Candidate) error {
+		return signalCandidate(candidate, myKey, remoteKey, e.signal)
+	}
+	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
+	e.conns[remoteKey.String()] = conn
+	e.peerMux.Unlock()
+
+	// blocks until the connection is open (or timeout)
+	err := conn.Open(PeerConnectionTimeout)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
+	err := s.Send(&sProto.Message{
+		Key:       myKey.PublicKey().String(),
+		RemoteKey: remoteKey.String(),
+		Body: &sProto.Body{
+			Type:    sProto.Body_CANDIDATE,
+			Payload: candidate.Marshal(),
+		},
+	})
+	if err != nil {
+		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
+		//todo ??
+		return err
+	}
+
+	return nil
+}
+
+func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
+
+	var t sProto.Body_Type
+	if isAnswer {
+		t = sProto.Body_ANSWER
+	} else {
+		t = sProto.Body_OFFER
+	}
+
+	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
+		UFrag: uFrag,
+		Pwd:   pwd}, t)
+	if err != nil {
+		return err
+	}
+	err = s.Send(msg)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
+// E.g. when a new peer has been registered and we are allowed to connect to it.
+func (e *Engine) receiveManagementEvents() {
+	go func() {
+		err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
+			e.syncMsgMux.Lock()
+			defer e.syncMsgMux.Unlock()
+
+			if update.GetWiretrusteeConfig() != nil {
+				err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
+				if err != nil {
+					return err
+				}
+
+				err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
+				if err != nil {
+					return err
+				}
+
+				//todo update signal
+			}
+
+			if update.GetRemotePeers() != nil || update.GetRemotePeersIsEmpty() {
+				// empty arrays are serialized by protobuf to null, but for our case empty array is a valid state.
+				err := e.updatePeers(update.GetRemotePeers())
+				if err != nil {
+					return err
+				}
+			}
+
+			return nil
+		})
+		if err != nil {
+			// happens if management is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			e.cancel()
+			return
+		}
+		log.Debugf("stopped receiving updates from Management Service")
+	}()
+	log.Debugf("connecting to Management Service updates stream")
+}
+
+func (e *Engine) updateSTUNs(stuns []*mgmProto.HostConfig) error {
+	if len(stuns) == 0 {
+		return nil
+	}
+	var newSTUNs []*ice.URL
+	log.Debugf("got STUNs update from Management Service, updating")
+	for _, stun := range stuns {
+		url, err := ice.ParseURL(stun.Uri)
+		if err != nil {
+			return err
+		}
+		newSTUNs = append(newSTUNs, url)
+	}
+	e.STUNs = newSTUNs
+
+	return nil
+}
+
+func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
+	if len(turns) == 0 {
+		return nil
+	}
+	var newTURNs []*ice.URL
+	log.Debugf("got TURNs update from Management Service, updating")
+	for _, turn := range turns {
+		url, err := ice.ParseURL(turn.HostConfig.Uri)
+		if err != nil {
+			return err
+		}
+		url.Username = turn.User
+		url.Password = turn.Password
+		newTURNs = append(newTURNs, url)
+	}
+	e.TURNs = newTURNs
+
+	return nil
+}
+
+func (e *Engine) updatePeers(remotePeers []*mgmProto.RemotePeerConfig) error {
+	log.Debugf("got peers update from Management Service, updating")
+	remotePeerMap := make(map[string]struct{})
+	for _, peer := range remotePeers {
+		remotePeerMap[peer.GetWgPubKey()] = struct{}{}
+	}
+
+	//remove peers that are no longer available for us
+	toRemove := []string{}
+	for p := range e.conns {
+		if _, ok := remotePeerMap[p]; !ok {
+			toRemove = append(toRemove, p)
+		}
+	}
+	err := e.removePeerConnections(toRemove)
+	if err != nil {
+		return err
+	}
+
+	// add new peers
+	for _, peer := range remotePeers {
+		peerKey := peer.GetWgPubKey()
+		peerIPs := peer.GetAllowedIps()
+		if _, ok := e.conns[peerKey]; !ok {
+			go e.initializePeer(Peer{
+				WgPubKey:     peerKey,
+				WgAllowedIps: strings.Join(peerIPs, ","),
+			})
+		}
+
+	}
+	return nil
+}
+
+// receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
+func (e *Engine) receiveSignalEvents() {
+
+	go func() {
+		// connect to a stream of messages coming from the signal server
+		err := e.signal.Receive(func(msg *sProto.Message) error {
+
+			e.syncMsgMux.Lock()
+			defer e.syncMsgMux.Unlock()
+
+			conn := e.conns[msg.Key]
+			if conn == nil {
+				return fmt.Errorf("wrongly addressed message %s", msg.Key)
+			}
+
+			if conn.Config.RemoteWgKey.String() != msg.Key {
+				return fmt.Errorf("unknown peer %s", msg.Key)
+			}
+
+			switch msg.GetBody().Type {
+			case sProto.Body_OFFER:
+				remoteCred, err := signal.UnMarshalCredential(msg)
+				if err != nil {
+					return err
+				}
+				err = conn.OnOffer(IceCredentials{
+					uFrag: remoteCred.UFrag,
+					pwd:   remoteCred.Pwd,
+				})
+
+				if err != nil {
+					return err
+				}
+
+				return nil
+			case sProto.Body_ANSWER:
+				remoteCred, err := signal.UnMarshalCredential(msg)
+				if err != nil {
+					return err
+				}
+				err = conn.OnAnswer(IceCredentials{
+					uFrag: remoteCred.UFrag,
+					pwd:   remoteCred.Pwd,
+				})
+
+				if err != nil {
+					return err
+				}
+
+			case sProto.Body_CANDIDATE:
+
+				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
+				if err != nil {
+					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
+					return err
+				}
+
+				err = conn.OnRemoteCandidate(candidate)
+				if err != nil {
+					log.Errorf("error handling CANDIATE from %s", msg.Key)
+					return err
+				}
+			}
+
+			return nil
+		})
+		if err != nil {
+			// happens if signal is unavailable for a long time.
+			// We want to cancel the operation of the whole client
+			e.cancel()
+			return
+		}
+	}()
+
+	e.signal.WaitStreamConnected()
+}
--- a/client/internal/wgproxy.go
+++ b/client/internal/wgproxy.go
@@ -1,4 +1,4 @@
-package connection
+package internal

 import (
 	ice "github.com/pion/ice/v2"
@@ -38,10 +38,15 @@ func (p *WgProxy) Close() error {
 			return err
 		}
 	}
+	err := iface.RemovePeer(p.iface, p.remoteKey)
+	if err != nil {
+		return err
+	}

 	return nil
 }

+// StartLocal configure the interface with a peer using a direct IP:Port endpoint to the remote host
 func (p *WgProxy) StartLocal(host string) error {
 	err := iface.UpdatePeer(p.iface, p.remoteKey, p.allowedIps, DefaultWgKeepAlive, host)
 	if err != nil {
@@ -82,7 +87,7 @@ func (p *WgProxy) proxyToRemotePeer(remoteConn *ice.Conn) {
 	for {
 		select {
 		case <-p.close:
-			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
 			return
 		default:
 			n, err := p.wgConn.Read(buf)
@@ -108,7 +113,7 @@ func (p *WgProxy) proxyToLocalWireguard(remoteConn *ice.Conn) {
 	for {
 		select {
 		case <-p.close:
-			log.Infof("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
+			log.Debugf("stopped proxying from remote peer %s due to closed connection", p.remoteKey)
 			return
 		default:
 			n, err := remoteConn.Read(buf)
--- a/client/main.go
+++ b/client/main.go
@@ -0,0 +1,16 @@
+package main
+
+import (
+	"github.com/wiretrustee/wiretrustee/client/cmd"
+	"os"
+)
+
+var version = "development"
+
+func main() {
+
+	cmd.Version = version
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
--- a/client/manifest.xml
+++ b/client/manifest.xml
--- a/client/resources.rc
+++ b/client/resources.rc
--- a/client/resources_windows_amd64.syso
+++ b/client/resources_windows_amd64.syso
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -0,0 +1,14 @@
+package system
+
+//Info is an object that contains machine information
+// Most of the code is taken from https://github.com/matishsiao/goInfo
+type Info struct {
+	GoOS      string
+	Kernel    string
+	Core      string
+	Platform  string
+	OS        string
+	OSVersion string
+	Hostname  string
+	CPUs      int
+}
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -0,0 +1,39 @@
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+func GetInfo() *Info {
+	out := _getInfo()
+	for strings.Contains(out, "broken pipe") {
+		out = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+	osStr := strings.Replace(out, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srm")
+	cmd.Stdin = strings.NewReader("some input")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
--- a/client/system/info_freebsd.go
+++ b/client/system/info_freebsd.go
@@ -0,0 +1,39 @@
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+func GetInfo() *Info {
+	out := _getInfo()
+	for strings.Contains(out, "broken pipe") {
+		out = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+	osStr := strings.Replace(out, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-sri")
+	cmd.Stdin = strings.NewReader("some input")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
--- a/client/system/info_linux.go
+++ b/client/system/info_linux.go
@@ -0,0 +1,76 @@
+package system
+
+import (
+	"bytes"
+	"fmt"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+	"time"
+)
+
+func GetInfo() *Info {
+	info := _getInfo()
+	for strings.Contains(info, "broken pipe") {
+		info = _getInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	releaseInfo := _getReleaseInfo()
+	for strings.Contains(info, "broken pipe") {
+		releaseInfo = _getReleaseInfo()
+		time.Sleep(500 * time.Millisecond)
+	}
+
+	osRelease := strings.Split(releaseInfo, "\n")
+	var osName string
+	var osVer string
+	for _, s := range osRelease {
+		if strings.HasPrefix(s, "NAME=") {
+			osName = strings.Split(s, "=")[1]
+			osName = strings.ReplaceAll(osName, "\"", "")
+		} else if strings.HasPrefix(s, "VERSION_ID=") {
+			osVer = strings.Split(s, "=")[1]
+			osVer = strings.ReplaceAll(osVer, "\"", "")
+		}
+	}
+
+	osStr := strings.Replace(info, "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	osInfo := strings.Split(osStr, " ")
+	if osName == "" {
+		osName = osInfo[3]
+	}
+	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
+
+func _getInfo() string {
+	cmd := exec.Command("uname", "-srio")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getInfo:", err)
+	}
+	return out.String()
+}
+
+func _getReleaseInfo() string {
+	cmd := exec.Command("cat", "/etc/os-release")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		fmt.Println("getReleaseInfo:", err)
+	}
+	return out.String()
+}
--- a/client/system/info_windows.go
+++ b/client/system/info_windows.go
@@ -0,0 +1,35 @@
+package system
+
+import (
+	"bytes"
+	"os"
+	"os/exec"
+	"runtime"
+	"strings"
+)
+
+func GetInfo() *Info {
+	cmd := exec.Command("cmd", "ver")
+	cmd.Stdin = strings.NewReader("some")
+	var out bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &out
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		panic(err)
+	}
+	osStr := strings.Replace(out.String(), "\n", "", -1)
+	osStr = strings.Replace(osStr, "\r\n", "", -1)
+	tmp1 := strings.Index(osStr, "[Version")
+	tmp2 := strings.Index(osStr, "]")
+	var ver string
+	if tmp1 == -1 || tmp2 == -1 {
+		ver = "unknown"
+	} else {
+		ver = osStr[tmp1+9 : tmp2]
+	}
+	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	gio.Hostname, _ = os.Hostname()
+	return gio
+}
--- a/client/testdata/management.json
+++ b/client/testdata/management.json
@@ -0,0 +1,37 @@
+{
+    "Stuns": [
+        {
+            "Proto": "udp",
+            "URI": "stun:stun.wiretrustee.com:3468",
+            "Username": "",
+            "Password": null
+        }
+    ],
+    "TURNConfig": {
+        "Turns": [
+            {
+                "Proto": "udp",
+                "URI": "turn:stun.wiretrustee.com:3468",
+                "Username": "some_user",
+                "Password": "c29tZV9wYXNzd29yZA=="
+            }
+        ],
+        "CredentialsTTL": "1h",
+        "Secret": "c29tZV9wYXNzd29yZA==",
+        "TimeBasedCredentials": true
+    },
+    "Signal": {
+        "Proto": "http",
+        "URI": "signal.wiretrustee.com:10000",
+        "Username": "",
+        "Password": null
+    },
+    "DataDir": "",
+    "HttpConfig": {
+        "LetsEncryptDomain": "<PASTE YOUR LET'S ENCRYPT DOMAIN HERE>",
+        "Address": "0.0.0.0:33071",
+        "AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,",
+        "AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
+        "AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>"
+    }
+}
--- a/client/testdata/store.json
+++ b/client/testdata/store.json
@@ -0,0 +1,27 @@
+{
+    "Accounts": {
+        "bf1c8084-ba50-4ce7-9439-34653001fc3b": {
+            "Id": "bf1c8084-ba50-4ce7-9439-34653001fc3b",
+            "SetupKeys": {
+                "A2C8E62B-38F5-4553-B31E-DD66C696CEBB": {
+                    "Key": "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+                    "Name": "Default key",
+                    "Type": "reusable",
+                    "CreatedAt": "2021-08-19T20:46:20.005936822+02:00",
+                    "ExpiresAt": "2321-09-18T20:46:20.005936822+02:00",
+                    "Revoked": false,
+                    "UsedTimes": 0
+                }
+            },
+            "Network": {
+                "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
+                "Net": {
+                    "IP": "100.64.0.0",
+                    "Mask": "/8AAAA=="
+                },
+                "Dns": null
+            },
+            "Peers": {}
+        }
+    }
+}
--- a/client/ui/banner.bmp
+++ b/client/ui/banner.bmp
--- a/client/ui/wiretrustee.ico
+++ b/client/ui/wiretrustee.ico
--- a/cmd/addpeer.go
+++ b/cmd/addpeer.go
@@ -1,45 +0,0 @@
-package cmd
-
-import (
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/connection"
-	"os"
-)
-
-var (
-	key        string
-	allowedIPs string
-
-	addPeerCmd = &cobra.Command{
-		Use:   "add-peer",
-		Short: "add remote peer",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			if _, err := os.Stat(configPath); os.IsNotExist(err) {
-				log.Error("config doesn't exist, please run 'wiretrustee init' first")
-				os.Exit(ExitSetupFailed)
-			}
-
-			config, _ := Read(configPath)
-			config.Peers = append(config.Peers, connection.Peer{
-				WgPubKey:     key,
-				WgAllowedIps: allowedIPs,
-			})
-
-			err := config.Write(configPath)
-			if err != nil {
-				log.Errorf("failed writing config to %s: %s", config, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-		},
-	}
-)
-
-func init() {
-	addPeerCmd.PersistentFlags().StringVar(&key, "key", "", "Wireguard public key of the remote peer")
-	addPeerCmd.PersistentFlags().StringVar(&allowedIPs, "allowedIPs", "", "Wireguard Allowed IPs for the remote peer, e.g 10.30.30.2/32")
-	addPeerCmd.MarkPersistentFlagRequired("key")        //nolint
-	addPeerCmd.MarkPersistentFlagRequired("allowedIPs") //nolint
-}
--- a/cmd/config.go
+++ b/cmd/config.go
@@ -1,69 +0,0 @@
-package cmd
-
-import (
-	"encoding/json"
-	ice "github.com/pion/ice/v2"
-	"github.com/wiretrustee/wiretrustee/connection"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-)
-
-// Config Configuration type
-type Config struct {
-	// Wireguard private key of local peer
-	PrivateKey   string
-	Peers        []connection.Peer
-	StunTurnURLs []*ice.URL
-	// host:port of the signal server
-	SignalAddr     string
-	WgAddr         string
-	WgIface        string
-	IFaceBlackList []string
-}
-
-//Write writes configPath to a file
-func (cfg *Config) Write(path string) error {
-
-	if path == defaultConfigPath {
-		configDir := filepath.Dir(path)
-		err := os.MkdirAll(configDir, 0750)
-		if err != nil {
-			return err
-		}
-	}
-
-	bs, err := json.Marshal(cfg)
-	if err != nil {
-		return err
-	}
-
-	err = ioutil.WriteFile(path, bs, 0600)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-//Read reads configPath from a file
-func Read(path string) (*Config, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	bs, err := ioutil.ReadAll(f)
-	if err != nil {
-		return nil, err
-	}
-
-	var cfg Config
-	err = json.Unmarshal(bs, &cfg)
-	if err != nil {
-		return nil, err
-	}
-
-	return &cfg, nil
-}
--- a/cmd/init.go
+++ b/cmd/init.go
@@ -1,125 +0,0 @@
-package cmd
-
-import (
-	ice "github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"os"
-	"strings"
-)
-
-var (
-	wgKey       string
-	wgInterface string
-	wgLocalAddr string
-	signalAddr  string
-	stunURLs    string
-	turnURLs    string
-
-	initCmd = &cobra.Command{
-		Use:   "init",
-		Short: "init wiretrustee",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			if _, err := os.Stat(configPath); !os.IsNotExist(err) {
-				log.Warnf("config already exists under path %s", configPath)
-				os.Exit(ExitSetupFailed)
-			}
-
-			if wgKey == "" {
-				wgKey = generateKey()
-				log.Warnf("there was no Wireguard private key specified, a new Wireguard key has been generated")
-			}
-
-			parsedKey, err := wgtypes.ParseKey(wgKey)
-			if err != nil {
-				log.Errorf("invalid Wireguard private key %s", wgKey)
-				os.Exit(ExitSetupFailed)
-			}
-
-			log.Infof("my public Wireguard key is %s", parsedKey.PublicKey().String())
-
-			var stunTurnURLs []*ice.URL
-			stuns := strings.Split(stunURLs, ",")
-			for _, url := range stuns {
-
-				parsedURL, err := ice.ParseURL(url)
-				if err != nil {
-					log.Errorf("failed parsing STUN URL %s: %s", url, err.Error())
-					os.Exit(ExitSetupFailed)
-				}
-				stunTurnURLs = append(stunTurnURLs, parsedURL)
-			}
-
-			turns := strings.Split(turnURLs, ",")
-			for _, url := range turns {
-
-				var urlToParse string
-				var user string
-				var pwd string
-				//extract user:password from user:password@proto:host:port
-				urlSplit := strings.Split(url, "@")
-				if len(urlSplit) == 2 {
-					urlToParse = urlSplit[1]
-					credential := strings.Split(urlSplit[0], ":")
-					user = credential[0]
-					pwd = credential[1]
-				} else {
-					urlToParse = url
-				}
-
-				parsedURL, err := ice.ParseURL(urlToParse)
-				if err != nil {
-					log.Errorf("failed parsing TURN URL %s: %s", url, err.Error())
-					os.Exit(ExitSetupFailed)
-				}
-				parsedURL.Username = user
-				parsedURL.Password = pwd
-				stunTurnURLs = append(stunTurnURLs, parsedURL)
-			}
-
-			config := &Config{
-				PrivateKey:   wgKey,
-				Peers:        nil,
-				StunTurnURLs: stunTurnURLs,
-				SignalAddr:   signalAddr,
-				WgAddr:       wgLocalAddr,
-				WgIface:      wgInterface,
-			}
-
-			err = config.Write(configPath)
-			if err != nil {
-				log.Errorf("failed writing config to %s: %s", config, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-
-			log.Infof("a new config has been generated and written to %s", configPath)
-		},
-	}
-)
-
-func init() {
-	initCmd.PersistentFlags().StringVar(&wgKey, "wgKey", "", "Wireguard private key, if not specified a new one will be generated")
-	initCmd.PersistentFlags().StringVar(&wgInterface, "wgInterface", "wiretrustee0", "Wireguard interface name, e.g. wiretreustee0 or wg0")
-	initCmd.PersistentFlags().StringVar(&wgLocalAddr, "wgLocalAddr", "", "Wireguard local address, e.g. 10.30.30.1/24")
-	initCmd.PersistentFlags().StringVar(&signalAddr, "signalAddr", "", "Signal server address, e.g. signal.wiretrustee.com:10000")
-	initCmd.PersistentFlags().StringVar(&stunURLs, "stunURLs", "", "Comma separated STUN server URLs: protocol:host:port, e.g. stun:stun.l.google.com:19302,stun:stun1.l.google.com:19302")
-	//todo user:password@protocol:host:port not the best way to pass TURN credentials, do it according to https://tools.ietf.org/html/rfc7065 E.g. use oauth
-	initCmd.PersistentFlags().StringVar(&turnURLs, "turnURLs", "", "Comma separated TURN server URLs: user:password@protocol:host:port, e.g. user:password@turn:stun.wiretrustee.com:3468")
-	//initCmd.MarkPersistentFlagRequired("configPath")
-	initCmd.MarkPersistentFlagRequired("wgLocalAddr") //nolint
-	initCmd.MarkPersistentFlagRequired("signalAddr")  //nolint
-	initCmd.MarkPersistentFlagRequired("stunURLs")    //nolint
-	initCmd.MarkPersistentFlagRequired("turnURLs")    //nolint
-}
-
-// generateKey generates a new Wireguard private key
-func generateKey() string {
-	key, err := wgtypes.GenerateKey()
-	if err != nil {
-		panic(err)
-	}
-	return key.String()
-}
--- a/cmd/service_test.go
+++ b/cmd/service_test.go
@@ -1,131 +0,0 @@
-package cmd
-
-import (
-	"bytes"
-	"github.com/kardianos/service"
-	"io/ioutil"
-	"testing"
-)
-
-func Test_ServiceInstallCMD(t *testing.T) {
-	b := bytes.NewBufferString("")
-	rootCmd.SetOut(b)
-	rootCmd.SetErr(b)
-	rootCmd.SetArgs([]string{
-		"service",
-		"install",
-		"--config",
-		"/tmp/config.json",
-	})
-	err := rootCmd.Execute()
-	if err != nil {
-		t.Fatal(err)
-	}
-	out, err := ioutil.ReadAll(b)
-	if err != nil {
-		t.Fatal(err)
-	}
-	expectedMSG := "Wiretrustee service has been installed"
-	if string(out) != expectedMSG {
-		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
-	}
-}
-
-func Test_ServiceStartCMD(t *testing.T) {
-	b := bytes.NewBufferString("")
-	rootCmd.SetOut(b)
-	rootCmd.SetErr(b)
-	rootCmd.SetArgs([]string{"service", "start"})
-	err := rootCmd.Execute()
-	if err != nil {
-		t.Fatal(err)
-	}
-	out, err := ioutil.ReadAll(b)
-	if err != nil {
-		t.Fatal(err)
-	}
-	expectedMSG := "Wiretrustee service has been started"
-	if string(out) != expectedMSG {
-		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
-	}
-}
-
-func Test_ServiceRunCMD(t *testing.T) {
-	rootCmd.SetArgs([]string{
-		"init",
-		"--stunURLs",
-		"stun:stun.wiretrustee.com:3468",
-		"--signalAddr",
-		"signal.wiretrustee.com:10000",
-		"--turnURLs",
-		"foo:bar@turn:stun.wiretrustee.com:3468",
-		"--wgInterface",
-		"utun99",
-		"--wgLocalAddr",
-		"10.100.100.1/24",
-		"--config",
-		"/tmp/config.json",
-	})
-	err := rootCmd.Execute()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	rootCmd.ResetFlags()
-	rootCmd.SetArgs([]string{"service", "start"})
-	err = rootCmd.Execute()
-	if err != nil {
-		t.Fatal(err)
-	}
-	s, err := newSVC(&program{}, newSVCConfig())
-	if err != nil {
-		t.Fatal(err)
-	}
-	status, err := s.Status()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if status != service.StatusRunning {
-		t.Fatalf("expected running status of \"%d\" got \"%d\"", service.StatusRunning, status)
-	}
-}
-
-func Test_ServiceStopCMD(t *testing.T) {
-	b := bytes.NewBufferString("")
-	rootCmd.SetOut(b)
-	rootCmd.SetErr(b)
-	rootCmd.SetArgs([]string{"service", "stop"})
-	err := rootCmd.Execute()
-	if err != nil {
-		t.Fatal(err)
-	}
-	out, err := ioutil.ReadAll(b)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expectedMSG := "Wiretrustee service has been stopped"
-	if string(out) != expectedMSG {
-		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
-	}
-}
-
-func Test_ServiceUninstallCMD(t *testing.T) {
-	b := bytes.NewBufferString("")
-	rootCmd.SetOut(b)
-	rootCmd.SetErr(b)
-	rootCmd.SetArgs([]string{"service", "uninstall"})
-	err := rootCmd.Execute()
-	if err != nil {
-		t.Fatal(err)
-	}
-	out, err := ioutil.ReadAll(b)
-	if err != nil {
-		t.Fatal(err)
-	}
-	expectedMSG := "Wiretrustee has been uninstalled"
-	if string(out) != expectedMSG {
-		t.Fatalf("expected \"%s\" got \"%s\"", expectedMSG, string(out))
-	}
-}
--- a/cmd/signal.go
+++ b/cmd/signal.go
@@ -1,47 +0,0 @@
-package cmd
-
-import (
-	"flag"
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	sig "github.com/wiretrustee/wiretrustee/signal"
-	sigProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"google.golang.org/grpc"
-	"net"
-)
-
-var (
-	port int
-
-	signalCmd = &cobra.Command{
-		Use:   "signal",
-		Short: "start Wiretrustee Signal Server",
-		Run: func(cmd *cobra.Command, args []string) {
-			flag.Parse()
-
-			lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
-			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
-			}
-
-			if err != nil {
-				log.Fatalf("failed to listen: %v", err)
-			}
-			var opts []grpc.ServerOption
-			grpcServer := grpc.NewServer(opts...)
-			sigProto.RegisterSignalExchangeServer(grpcServer, sig.NewServer())
-			log.Printf("started server: localhost:%v", port)
-			if err := grpcServer.Serve(lis); err != nil {
-				log.Fatalf("failed to serve: %v", err)
-			}
-
-			SetupCloseHandler()
-			select {}
-		},
-	}
-)
-
-func init() {
-	signalCmd.PersistentFlags().IntVar(&port, "port", 10000, "Server port to listen on (e.g. 10000)")
-}
--- a/cmd/up.go
+++ b/cmd/up.go
@@ -1,62 +0,0 @@
-package cmd
-
-import (
-	"context"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/wiretrustee/wiretrustee/connection"
-	sig "github.com/wiretrustee/wiretrustee/signal"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"os"
-)
-
-var (
-	upCmd = &cobra.Command{
-		Use:   "up",
-		Short: "start wiretrustee",
-		Run: func(cmd *cobra.Command, args []string) {
-			InitLog(logLevel)
-
-			config, _ := Read(configPath)
-
-			myKey, err := wgtypes.ParseKey(config.PrivateKey)
-			if err != nil {
-				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-				os.Exit(ExitSetupFailed)
-			}
-
-			ctx := context.Background()
-			signalClient, err := sig.NewClient(ctx, config.SignalAddr, myKey)
-			if err != nil {
-				log.Errorf("error while connecting to the Signal Exchange Service %s: %s", config.SignalAddr, err)
-				os.Exit(ExitSetupFailed)
-			}
-			//todo proper close handling
-			defer func() { signalClient.Close() }()
-
-			iFaceBlackList := make(map[string]struct{})
-			for i := 0; i < len(config.IFaceBlackList); i += 2 {
-				iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
-			}
-			engine := connection.NewEngine(signalClient, config.StunTurnURLs, config.WgIface, config.WgAddr, iFaceBlackList)
-
-			err = engine.Start(myKey, config.Peers)
-			if err != nil {
-				log.Errorf("error while starting the engine: %s", err)
-				os.Exit(ExitSetupFailed)
-			}
-			//signalClient.WaitConnected()
-
-			SetupCloseHandler()
-			<-stopUP
-			log.Println("Receive signal to stop running")
-		},
-	}
-)
-
-// Execution control channel for stopUP signal
-var stopUP chan int
-
-func init() {
-	stopUP = make(chan int)
-}
--- a/connection/engine.go
+++ b/connection/engine.go
@@ -1,247 +0,0 @@
-package connection
-
-import (
-	"fmt"
-	"github.com/cenkalti/backoff/v4"
-	ice "github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
-	"github.com/wiretrustee/wiretrustee/signal"
-	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"time"
-)
-
-// Engine is an instance of the Connection Engine
-type Engine struct {
-	// a list of STUN and TURN servers
-	stunsTurns []*ice.URL
-	// signal server client
-	signal *signal.Client
-	// peer agents indexed by local public key of the remote peers
-	conns map[string]*Connection
-	// Wireguard interface
-	wgIface string
-	// Wireguard local address
-	wgIP string
-	// Network Interfaces to ignore
-	iFaceBlackList map[string]struct{}
-}
-
-// Peer is an instance of the Connection Peer
-type Peer struct {
-	WgPubKey     string
-	WgAllowedIps string
-}
-
-// NewEngine creates a new Connection Engine
-func NewEngine(signal *signal.Client, stunsTurns []*ice.URL, wgIface string, wgAddr string,
-	iFaceBlackList map[string]struct{}) *Engine {
-	return &Engine{
-		stunsTurns:     stunsTurns,
-		signal:         signal,
-		wgIface:        wgIface,
-		wgIP:           wgAddr,
-		conns:          map[string]*Connection{},
-		iFaceBlackList: iFaceBlackList,
-	}
-}
-
-// Start creates a new tunnel interface and listens to signals from the Signal service.
-// It also creates an Go routine to handle each peer communication from the config file
-func (e *Engine) Start(myKey wgtypes.Key, peers []Peer) error {
-
-	err := iface.Create(e.wgIface, e.wgIP)
-	if err != nil {
-		log.Errorf("error while creating interface %s: [%s]", e.wgIface, err.Error())
-		return err
-	}
-
-	err = iface.Configure(e.wgIface, myKey.String())
-	if err != nil {
-		log.Errorf("error while configuring Wireguard interface [%s]: %s", e.wgIface, err.Error())
-		return err
-	}
-
-	wgPort, err := iface.GetListenPort(e.wgIface)
-	if err != nil {
-		log.Errorf("error while getting Wireguard interface port [%s]: %s", e.wgIface, err.Error())
-		return err
-	}
-
-	e.receiveSignal()
-
-	// initialize peer agents
-	for _, peer := range peers {
-
-		peer := peer
-		go func() {
-			var backOff = &backoff.ExponentialBackOff{
-				InitialInterval:     backoff.DefaultInitialInterval,
-				RandomizationFactor: backoff.DefaultRandomizationFactor,
-				Multiplier:          backoff.DefaultMultiplier,
-				MaxInterval:         5 * time.Second,
-				MaxElapsedTime:      time.Duration(0), //never stop
-				Stop:                backoff.Stop,
-				Clock:               backoff.SystemClock,
-			}
-			operation := func() error {
-				_, err := e.openPeerConnection(*wgPort, myKey, peer)
-				if err != nil {
-					log.Warnln("retrying connection because of error: ", err.Error())
-					e.conns[peer.WgPubKey] = nil
-					return err
-				}
-				backOff.Reset()
-				return nil
-			}
-
-			err = backoff.Retry(operation, backOff)
-			if err != nil {
-				// should actually never happen
-				panic(err)
-			}
-		}()
-	}
-	return nil
-}
-
-func (e *Engine) openPeerConnection(wgPort int, myKey wgtypes.Key, peer Peer) (*Connection, error) {
-
-	remoteKey, _ := wgtypes.ParseKey(peer.WgPubKey)
-	connConfig := &ConnConfig{
-		WgListenAddr:   fmt.Sprintf("127.0.0.1:%d", wgPort),
-		WgPeerIP:       e.wgIP,
-		WgIface:        e.wgIface,
-		WgAllowedIPs:   peer.WgAllowedIps,
-		WgKey:          myKey,
-		RemoteWgKey:    remoteKey,
-		StunTurnURLS:   e.stunsTurns,
-		iFaceBlackList: e.iFaceBlackList,
-	}
-
-	signalOffer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, false)
-	}
-
-	signalAnswer := func(uFrag string, pwd string) error {
-		return signalAuth(uFrag, pwd, myKey, remoteKey, e.signal, true)
-	}
-	signalCandidate := func(candidate ice.Candidate) error {
-		return signalCandidate(candidate, myKey, remoteKey, e.signal)
-	}
-
-	conn := NewConnection(*connConfig, signalCandidate, signalOffer, signalAnswer)
-	e.conns[remoteKey.String()] = conn
-	// blocks until the connection is open (or timeout)
-	err := conn.Open(60 * time.Second)
-	if err != nil {
-		return nil, err
-	}
-	return conn, nil
-}
-
-func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error {
-	err := s.Send(&sProto.Message{
-		Key:       myKey.PublicKey().String(),
-		RemoteKey: remoteKey.String(),
-		Body: &sProto.Body{
-			Type:    sProto.Body_CANDIDATE,
-			Payload: candidate.Marshal(),
-		},
-	})
-	if err != nil {
-		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
-		//todo ??
-		return err
-	}
-
-	return nil
-}
-
-func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error {
-
-	var t sProto.Body_Type
-	if isAnswer {
-		t = sProto.Body_ANSWER
-	} else {
-		t = sProto.Body_OFFER
-	}
-
-	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
-		UFrag: uFrag,
-		Pwd:   pwd}, t)
-	if err != nil {
-		return err
-	}
-	err = s.Send(msg)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (e *Engine) receiveSignal() {
-	// connect to a stream of messages coming from the signal server
-	e.signal.Receive(func(msg *sProto.Message) error {
-
-		conn := e.conns[msg.Key]
-		if conn == nil {
-			return fmt.Errorf("wrongly addressed message %s", msg.Key)
-		}
-
-		if conn.Config.RemoteWgKey.String() != msg.Key {
-			return fmt.Errorf("unknown peer %s", msg.Key)
-		}
-
-		switch msg.GetBody().Type {
-		case sProto.Body_OFFER:
-			remoteCred, err := signal.UnMarshalCredential(msg)
-			if err != nil {
-				return err
-			}
-			err = conn.OnOffer(IceCredentials{
-				uFrag: remoteCred.UFrag,
-				pwd:   remoteCred.Pwd,
-			})
-
-			if err != nil {
-				return err
-			}
-
-			return nil
-		case sProto.Body_ANSWER:
-			remoteCred, err := signal.UnMarshalCredential(msg)
-			if err != nil {
-				return err
-			}
-			err = conn.OnAnswer(IceCredentials{
-				uFrag: remoteCred.UFrag,
-				pwd:   remoteCred.Pwd,
-			})
-
-			if err != nil {
-				return err
-			}
-
-		case sProto.Body_CANDIDATE:
-
-			candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
-			if err != nil {
-				log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
-				return err
-			}
-
-			err = conn.OnRemoteCandidate(candidate)
-			if err != nil {
-				log.Errorf("error handling CANDIATE from %s", msg.Key)
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	e.signal.WaitConnected()
-}
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,104 @@
+### Table of contents
+
+* [About Wiretrustee](#about-wiretrustee)
+* [Why Wireguard with Wiretrustee?](#why-wireguard-with-wiretrustee)
+* [Wiretrustee vs. Traditional VPN](#wiretrustee-vs-traditional-vpn)
+* [High-level technology overview](#high-level-technology-overview)
+* [Getting started](#getting-started)
+
+### About Wiretrustee
+
+Wiretrustee is an open-source VPN platform built on top of [WireGuard®](https://www.wireguard.com/) making it easy to create secure private networks for your organization or home.
+
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, vpn gateways, and so forth.
+
+There is no centralized VPN server with Wiretrustee - your computers, devices, machines, and servers connect to each other directly over a fast encrypted tunnel.
+
+It literally takes less than 5 minutes to provision a secure peer-to-peer VPN with Wiretrustee. Check our [Quickstart Guide Video](https://www.youtube.com/watch?v=cWTsGUJAUaU) to see the setup in action.
+
+### Why Wireguard with Wiretrustee?
+
+WireGuard is a modern and extremely fast VPN tunnel utilizing state-of-the-art [cryptography](https://www.wireguard.com/protocol/)
+and Wiretrustee uses Wireguard to establish a secure tunnel between machines.
+
+Built with simplicity in mind, Wireguard ensures that traffic between two machines is encrypted and flowing, however, it requires a few things to be done beforehand.
+
+First, in order to connect, the machines have to be configured.
+On each machine, you need to generate private and public keys and prepare a WireGuard configuration file.
+The configuration also includes a private IP address that should be unique per machine.
+
+Secondly, to accept the incoming traffic, the machines have to trust each other.
+The generated public keys have to be pre-shared on the machines.
+This works similarly to SSH with its authorised_keys file.
+
+Lastly, the connectivity between the machines has to be ensured.
+To make machines reach one another, you are required to set a WireGuard endpoint property which indicates the IP address and port of the remote machine to connect to.
+On many occasions, machines are hidden behind firewalls and NAT devices,
+meaning that you may need to configure a port forwarding or open holes in your firewall to ensure the machines are reachable.
+
+The undertakings mentioned above might not be complicated if you have just a few machines, but the complexity grows as the number of machines increases.
+
+Wiretrustee simplifies the setup by automatically generating private and public keys, assigning unique private IP addresses, and takes care of sharing public keys between the machines.
+It is worth mentioning that the private key never leaves the machine.
+So only the machine that owns the key can decrypt traffic addressed to it.
+The same applies also to the relayed traffic mentioned below.
+
+Furthermore, Wiretrustee ensures connectivity by leveraging advanced [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal)
+and removing the necessity of port forwarding, opening holes in the firewall, and having a public static IP address.  
+In cases when a direct peer-to-peer connection isn't possible, all traffic is relayed securely between peers.
+Wiretrustee also monitors the connection health and restarts broken connections.
+
+There are a few more things that we are working on to make secure private networks simple. A few examples are ACLs, MFA and activity monitoring.
+
+Check out the WireGuard [Quick Start](https://www.wireguard.com/quickstart/) guide to learn more about configuring "plain" WireGuard without Wiretrustee.
+
+### Wiretrustee vs. Traditional VPN
+
+In the traditional VPN model, everything converges on a centralized, protected network where all the clients are connecting to a central VPN server.
+
+An increasing amount of connections can easily overload the VPN server.
+Even a short downtime of a server can cause expensive system disruptions, and a remote team's inability to work.
+
+Centralized VPNs imply all the traffic going through the central server causing network delays and increased traffic usage.
+
+Such systems require an experienced team to set up and maintain.
+Configuring firewalls, setting up NATs, SSO integration, and managing access control lists can be a nightmare.
+
+Traditional centralized VPNs are often compared to a [castle-and-moat](https://en.wikipedia.org/wiki/Moat) model
+in which once accessed, user is trusted and can access critical infrastructure and resources without any restrictions.
+
+Wiretrustee decentralizes networks using direct point-to-point connections, as opposed to traditional models.
+Consequently, network performance is increased since traffic flows directly between the machines bypassing VPN servers or gateways.
+To achieve this, Wiretrustee client applications employ signalling servers to find other machines and negotiate connections.
+These are similar to the signaling servers used in [WebRTC](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API/Signaling_and_video_calling#the_signaling_server)
+
+Thanks to [NAT traversal techniques](https://en.wikipedia.org/wiki/NAT_traversal),
+outlined in the [Why not just Wireguard?](#why-wireguard-with-wiretrustee) section above,
+Wiretrustee installation doesn't require complex network and firewall configuration.
+It just works, minimising the maintenance effort.
+
+Finally, each machine or device in the Wiretrustee network verifies incoming connections accepting only the trusted ones.
+This is ensured by Wireguard's [Crypto Routing concept](https://www.wireguard.com/#cryptokey-routing).
+
+### High-level technology overview
+In essence, Wiretrustee is an open source platform consisting of a collection of systems, responsible for handling peer-to-peer connections, tunneling and network management (IP, keys, ACLs, etc).
+
+<p align="center">
+    <img src="media/high-level-dia.png" alt="high-level-dia" width="781"/>
+</p>
+
+Wiretrustee uses open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn),
+and [software](https://github.com/wiretrustee/wiretrustee) developed by Wiretrustee authors to make it all work together.
+
+To learn more about Wiretrustee architecture, please refer to the [architecture section](../docs/architecture.md).
+
+### Getting Started
+
+There are 2 ways of getting started with Wiretrustee:
+- use Cloud Managed version
+- self-hosting
+
+We recommend starting with the cloud managed version hosted at [app.wiretrustee.com](https://app.wiretrustee.com) - the quickest way to get familiar with the system.
+See [Quickstart Guide](../docs/quickstart.md) for instructions.
+
+If you don't want to use the managed version, check out our [Self-hosting Guide](../docs/self-hosting.md).
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -0,0 +1,2 @@
+### Architecture
+TODO
--- a/docs/media/add-peer.png
+++ b/docs/media/add-peer.png
--- a/docs/media/auth.png
+++ b/docs/media/auth.png
--- a/docs/media/empty-peers.png
+++ b/docs/media/empty-peers.png
--- a/docs/media/high-level-dia.png
+++ b/docs/media/high-level-dia.png
--- a/docs/media/logo-full.png
+++ b/docs/media/logo-full.png
--- a/docs/media/logo.png
+++ b/docs/media/logo.png
--- a/docs/media/peerA.gif
+++ b/docs/media/peerA.gif
--- a/docs/media/peerB.gif
+++ b/docs/media/peerB.gif
--- a/docs/media/peers.gif
+++ b/docs/media/peers.gif
--- a/docs/media/peers.png
+++ b/docs/media/peers.png
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -0,0 +1,41 @@
+## Quickstart guide (Cloud Managed version)
+Step-by-step video guide on YouTube:
+
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/cWTsGUJAUaU/0.jpg)](https://youtu.be/cWTsGUJAUaU "Wiretrustee - secure private network in less than 5 minutes")
+
+This guide describes how to create secure VPN and connect 2 machines peer-to-peer.
+
+One machine is a Raspberry Pi Compute Module 4 hosted at home (Peer A), and the other one is a regular Ubuntu server running in the Data Center (Peer B).
+Both machines are running Linux (Raspbian and Ubuntu respectively), but you could also use Mac or Windows operating systems.
+
+1. Sign-up at [https://app.wiretrustee.com/](https://app.wiretrustee.com/peers)
+
+    You can use your email and password to sign-up or any available social login option (e.g., GitHub account)
+    
+    <img src="media/auth.png" alt="auth" width="350"/>
+
+2. After a successful login you will be redirected to the ```Peers``` screen which is empty because you don't have any peers yet.
+   
+    Click ```Add peer``` to add a new machine.
+    
+    <img src="media/empty-peers.png" alt="empty-peers" width="700"/>
+    
+3.  Choose a setup key which will be used to associate your new machine with your account (in our case it is ```Default key```).
+
+    Choose your machine operating system (in our case it is ```Linux```) and proceed with the installation steps on the machine.
+
+    <img src="media/add-peer.png" alt="add-peer" width="700"/>    
+
+4. Repeat #3 for the 2nd machine.
+5. Return to ```Peers``` and you should notice 2 new machines with status ```Connected```
+   
+    <img src="media/peers.png" alt="peers" width="700"/>
+
+6. To test the connection you could try pinging devices:
+   
+    On Peer A:
+    ```ping 100.64.0.2```
+    
+    On Peer B:
+    ```ping 100.64.0.1```
+7. Done! You now have a secure peer-to-peer VPN configured.
--- a/docs/self-hosting.md
+++ b/docs/self-hosting.md
@@ -0,0 +1,96 @@
+### Self-hosting
+Wiretrustee is an open-source platform that can be self-hosted on your servers.
+
+It relies on components developed by Wiretrustee Authors [Management Service](https://github.com/wiretrustee/wiretrustee/tree/main/management), [Management UI Dashboard](https://github.com/wiretrustee/wiretrustee-dashboard), [Signal Service](https://github.com/wiretrustee/wiretrustee/tree/main/signal), 
+a 3rd party open-source STUN/TURN service [Coturn](https://github.com/coturn/coturn) and a 3rd party service [Auth0](https://auth0.com/).
+
+All the components can be self-hosted except for the Auth0 service.
+We chose Auth0 to "outsource" the user management part of the platform because we believe that implementing a proper user auth requires significant amount of time to make it right. 
+We focused on connectivity instead.
+
+If you would like to learn more about the architecture please refer to the [Wiretrustee Architecture section](architecture.md).
+
+### Step-by-step video guide on YouTube:
+
+[![IMAGE ALT TEXT](https://img.youtube.com/vi/Ofpgx5WhT0k/0.jpg)](https://youtu.be/Ofpgx5WhT0k "Wiretrustee Self-Hosting Guide")
+
+### Requirements
+
+- Virtual machine offered by any cloud provider (e.g., AWS, DigitalOcean, Hetzner, Google Cloud, Azure ...). 
+- Any Linux OS.
+- Docker Compose installed (see [Install Docker Compose](https://docs.docker.com/compose/install/)).
+- Domain name pointing to the public IP address of your server.
+- Open ports ```443, 33071, 33073, 10000, 3478``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc, Coturn STUN/TURN respectively) on your server.
+- Maybe a cup of coffee or tea :)
+
+### Step-by-step guide
+
+For this tutorial we will be using domain ```test.wiretrustee.com``` which points to our Ubuntu 20.04 machine hosted at Hetzner.
+
+1. Create Auth0 account at [auth0.com](https://auth0.com/).
+2. Login to your server, clone Wiretrustee repository:
+   
+   ```bash 
+   git clone https://github.com/wiretrustee/wiretrustee.git wiretrustee/
+   ```
+   
+   and switch to the ```wiretrustee/infrastructure_files/``` folder that contains docker compose file:
+   
+   ```bash 
+   cd wiretrustee/infrastructure_files/
+   ```
+3. Prepare configuration files.
+   
+   To simplify the setup we have prepared a script to substitute required properties in the [docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
+   
+   The [setup.env](../infrastructure_files/setup.env) file contains the following properties that have to be filled:
+   
+   ```bash
+   # e.g. app.mydomain.com
+   WIRETRUSTEE_DOMAIN=""
+   # e.g. dev-24vkclam.us.auth0.com
+   WIRETRUSTEE_AUTH0_DOMAIN=""
+   # e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
+   WIRETRUSTEE_AUTH0_CLIENT_ID=""
+   # e.g. https://app.mydomain.com/
+   WIRETRUSTEE_AUTH0_AUDIENCE=""
+   # e.g. hello@mydomain.com
+   WIRETRUSTEE_LETSENCRYPT_EMAIL=""
+   ```
+   
+   Please follow the steps to get the values.
+
+4. Configure ```WIRETRUSTEE_AUTH0_DOMAIN``` ```WIRETRUSTEE_AUTH0_CLIENT_ID``` ```WIRETRUSTEE_AUTH0_AUDIENCE``` properties.          
+   
+   * To obtain these, please use [Auth0 React SDK Guide](https://auth0.com/docs/quickstart/spa/react/01-login#configure-auth0) up until "Install the Auth0 React SDK".
+   
+      :grey_exclamation: Use ```https://YOUR DOMAIN``` as ````Allowed Callback URLs````, ```Allowed Logout URLs```, ```Allowed Web Origins``` and ```Allowed Origins (CORS)```
+   * set the variables in the ```setup.env```
+5. Configure ```WIRETRUSTEE_AUTH0_AUDIENCE``` property. 
+   
+   * Check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain AuthAudience.
+   * set the property in the ```setup.env``` file.
+6. Configure ```WIRETRUSTEE_LETSENCRYPT_EMAIL``` property.
+   
+   This can be any email address. [Let's Encrypt](https://letsencrypt.org/) will create an account while generating a new certificate.    
+
+7. Make sure all the properties set in the ```setup.env``` file and run: 
+   
+    ```bash
+    ./configure.sh
+    ```
+   
+   This will export all the properties as environment variables and generate ```docker-compose.yml``` and ```management.json``` files substituting required variables.
+
+8. Run docker compose:
+
+   ```bash
+   docker-compose up -d
+   ```
+9. Optionally check the logs by running: 
+        
+    ```bash
+    docker-compose logs signal
+    docker-compose logs management
+    docker-compose logs coturn
+    docker-compose logs dashboard
--- a/encryption/encryption.go
+++ b/encryption/encryption.go
@@ -1,4 +1,4 @@
-package signal
+package encryption

 import (
 	"crypto/rand"
@@ -7,9 +7,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-// As set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service.
-// We want to make sure that the Connection Candidates and other irrelevant (to the Signal Exchange)
-// information can't be read anywhere else but the Peer the message is being sent to.
+// A set of tools to encrypt/decrypt messages being sent through the Signal Exchange Service or Management Service
 // These tools use Golang crypto package (Curve25519, XSalsa20 and Poly1305 to encrypt and authenticate)
 // Wireguard keys are used for encryption

--- a/encryption/encryption_suite_test.go
+++ b/encryption/encryption_suite_test.go
@@ -0,0 +1,13 @@
+package encryption_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"testing"
+)
+
+func TestManagement(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Management Service Suite")
+}
--- a/encryption/encryption_test.go
+++ b/encryption/encryption_test.go
@@ -0,0 +1,60 @@
+package encryption_test
+
+import (
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	"github.com/wiretrustee/wiretrustee/encryption/testprotos"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+const ()
+
+var _ = Describe("Encryption", func() {
+
+	var (
+		encryptionKey wgtypes.Key
+		decryptionKey wgtypes.Key
+	)
+
+	BeforeEach(func() {
+		var err error
+		encryptionKey, err = wgtypes.GenerateKey()
+		Expect(err).NotTo(HaveOccurred())
+		decryptionKey, err = wgtypes.GenerateKey()
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	Context("decrypting a plain message", func() {
+		Context("when it was encrypted with Wireguard keys", func() {
+			Specify("should be successful", func() {
+				msg := "message"
+				encryptedMsg, err := encryption.Encrypt([]byte(msg), decryptionKey.PublicKey(), encryptionKey)
+				Expect(err).NotTo(HaveOccurred())
+
+				decryptedMsg, err := encryption.Decrypt(encryptedMsg, encryptionKey.PublicKey(), decryptionKey)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(string(decryptedMsg)).To(BeEquivalentTo(msg))
+			})
+		})
+	})
+
+	Context("decrypting a protobuf message", func() {
+		Context("when it was encrypted with Wireguard keys", func() {
+			Specify("should be successful", func() {
+
+				protoMsg := &testprotos.TestMessage{Body: "message"}
+				encryptedMsg, err := encryption.EncryptMessage(decryptionKey.PublicKey(), encryptionKey, protoMsg)
+				Expect(err).NotTo(HaveOccurred())
+
+				decryptedMsg := &testprotos.TestMessage{}
+				err = encryption.DecryptMessage(encryptionKey.PublicKey(), decryptionKey, encryptedMsg, decryptedMsg)
+				Expect(err).NotTo(HaveOccurred())
+
+				Expect(decryptedMsg.GetBody()).To(BeEquivalentTo(protoMsg.GetBody()))
+			})
+		})
+	})
+
+})
--- a/encryption/letsencrypt.go
+++ b/encryption/letsencrypt.go
@@ -0,0 +1,30 @@
+package encryption
+
+import (
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/acme/autocert"
+	"os"
+	"path/filepath"
+)
+
+// CreateCertManager wraps common logic of generating Let's encrypt certificate.
+func CreateCertManager(datadir string, letsencryptDomain string) *autocert.Manager {
+	certDir := filepath.Join(datadir, "letsencrypt")
+
+	if _, err := os.Stat(certDir); os.IsNotExist(err) {
+		err = os.MkdirAll(certDir, os.ModeDir)
+		if err != nil {
+			log.Fatalf("failed creating Let's encrypt certdir: %s: %v", certDir, err)
+		}
+	}
+
+	log.Infof("running with Let's encrypt with domain %s. Cert will be stored in %s", letsencryptDomain, certDir)
+
+	certManager := &autocert.Manager{
+		Prompt:     autocert.AcceptTOS,
+		Cache:      autocert.DirCache(certDir),
+		HostPolicy: autocert.HostWhitelist(letsencryptDomain),
+	}
+
+	return certManager
+}
--- a/encryption/message.go
+++ b/encryption/message.go
@@ -0,0 +1,40 @@
+package encryption
+
+import (
+	pb "github.com/golang/protobuf/proto" //nolint
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+// EncryptMessage encrypts a body of the given protobuf Message
+func EncryptMessage(remotePubKey wgtypes.Key, ourPrivateKey wgtypes.Key, message pb.Message) ([]byte, error) {
+	byteResp, err := pb.Marshal(message)
+	if err != nil {
+		log.Errorf("failed marshalling message %v", err)
+		return nil, err
+	}
+
+	encryptedBytes, err := Encrypt(byteResp, remotePubKey, ourPrivateKey)
+	if err != nil {
+		log.Errorf("failed encrypting SyncResponse %v", err)
+		return nil, err
+	}
+
+	return encryptedBytes, nil
+}
+
+// DecryptMessage decrypts an encrypted message into given protobuf Message
+func DecryptMessage(remotePubKey wgtypes.Key, ourPrivateKey wgtypes.Key, encryptedMessage []byte, message pb.Message) error {
+	decrypted, err := Decrypt(encryptedMessage, remotePubKey, ourPrivateKey)
+	if err != nil {
+		log.Warnf("error while decrypting Sync request message from peer %s", remotePubKey.String())
+		return err
+	}
+
+	err = pb.Unmarshal(decrypted, message)
+	if err != nil {
+		log.Warnf("error while umarshalling Sync request message from peer %s", remotePubKey.String())
+		return err
+	}
+	return nil
+}
--- a/encryption/testprotos/generate.sh
+++ b/encryption/testprotos/generate.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+protoc -I testprotos/ testprotos/testproto.proto --go_out=.
--- a/encryption/testprotos/testproto.pb.go
+++ b/encryption/testprotos/testproto.pb.go
@@ -0,0 +1,142 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v3.12.4
+// source: testproto.proto
+
+package testprotos
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type TestMessage struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Body string `protobuf:"bytes,1,opt,name=body,proto3" json:"body,omitempty"`
+}
+
+func (x *TestMessage) Reset() {
+	*x = TestMessage{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_testproto_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *TestMessage) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*TestMessage) ProtoMessage() {}
+
+func (x *TestMessage) ProtoReflect() protoreflect.Message {
+	mi := &file_testproto_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use TestMessage.ProtoReflect.Descriptor instead.
+func (*TestMessage) Descriptor() ([]byte, []int) {
+	return file_testproto_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *TestMessage) GetBody() string {
+	if x != nil {
+		return x.Body
+	}
+	return ""
+}
+
+var File_testproto_proto protoreflect.FileDescriptor
+
+var file_testproto_proto_rawDesc = []byte{
+	0x0a, 0x0f, 0x74, 0x65, 0x73, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x12, 0x0a, 0x74, 0x65, 0x73, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x22, 0x21, 0x0a,
+	0x0b, 0x54, 0x65, 0x73, 0x74, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x12, 0x0a, 0x04,
+	0x62, 0x6f, 0x64, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x62, 0x6f, 0x64, 0x79,
+	0x42, 0x0d, 0x5a, 0x0b, 0x2f, 0x74, 0x65, 0x73, 0x74, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x73, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_testproto_proto_rawDescOnce sync.Once
+	file_testproto_proto_rawDescData = file_testproto_proto_rawDesc
+)
+
+func file_testproto_proto_rawDescGZIP() []byte {
+	file_testproto_proto_rawDescOnce.Do(func() {
+		file_testproto_proto_rawDescData = protoimpl.X.CompressGZIP(file_testproto_proto_rawDescData)
+	})
+	return file_testproto_proto_rawDescData
+}
+
+var file_testproto_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_testproto_proto_goTypes = []interface{}{
+	(*TestMessage)(nil), // 0: testprotos.TestMessage
+}
+var file_testproto_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_testproto_proto_init() }
+func file_testproto_proto_init() {
+	if File_testproto_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_testproto_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*TestMessage); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_testproto_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_testproto_proto_goTypes,
+		DependencyIndexes: file_testproto_proto_depIdxs,
+		MessageInfos:      file_testproto_proto_msgTypes,
+	}.Build()
+	File_testproto_proto = out.File
+	file_testproto_proto_rawDesc = nil
+	file_testproto_proto_goTypes = nil
+	file_testproto_proto_depIdxs = nil
+}
--- a/encryption/testprotos/testproto.proto
+++ b/encryption/testprotos/testproto.proto
@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+option go_package = "/testprotos";
+
+package testprotos;
+
+message TestMessage {
+  string body = 1;
+}
--- a/go.mod
+++ b/go.mod
@@ -4,18 +4,29 @@ go 1.16

 require (
 	github.com/cenkalti/backoff/v4 v4.1.0
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.2
-	github.com/kardianos/service v1.2.0
+	github.com/google/uuid v1.3.0
+	github.com/gorilla/mux v1.8.0
+	github.com/gorilla/websocket v1.4.2
+	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.13.0
-	github.com/pion/ice/v2 v2.1.7
+	github.com/pion/ice/v2 v2.1.13
+	github.com/pion/webrtc/v3 v3.1.7
+	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.7.0
 	github.com/spf13/cobra v1.1.3
+	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
-	golang.org/x/crypto v0.0.0-20210506145944-38f3c27a63bf
-	golang.org/x/sys v0.0.0-20210510120138-977fb7262007
-	golang.zx2c4.com/wireguard v0.0.0-20210604143328-f9b48a961cd2
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210506160403-92e472f520a5
-	golang.zx2c4.com/wireguard/windows v0.3.14
-	google.golang.org/grpc v1.32.0
+	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
+	golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359
+	golang.zx2c4.com/wireguard v0.0.0-20211026125340-e42c6c4bc2d0
+	golang.zx2c4.com/wireguard/tun/netstack v0.0.0-20211026125340-e42c6c4bc2d0
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c
+	golang.zx2c4.com/wireguard/windows v0.4.5
+	google.golang.org/grpc v1.39.0-dev.0.20210518002758-2713b77e8526
+	google.golang.org/protobuf v1.26.0
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0
+	nhooyr.io/websocket v1.8.7
 )
--- a/go.sum
+++ b/go.sum
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -13,10 +13,13 @@ import (

 const (
 	defaultMTU = 1280
-	WgPort     = 51820
 )

-var tunIface tun.Device
+var (
+	tunIface tun.Device
+	// todo check after move the WgPort constant to the client
+	WgPort = 51820
+)

 // CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
 func CreateWithUserspace(iface string, address string) error {
@@ -41,8 +44,8 @@ func CreateWithUserspace(iface string, address string) error {
 		for {
 			uapiConn, err := uapi.Accept()
 			if err != nil {
-				log.Debugln(err)
-				return
+				log.Debugln("uapi Accept failed with error: ", err)
+				continue
 			}
 			go tunDevice.IpcHandle(uapiConn)
 		}
@@ -57,13 +60,45 @@ func CreateWithUserspace(iface string, address string) error {
 	return nil
 }

-// ConfigureWithKeyGen Extends the functionality of Configure(iface string, privateKey string) by generating a new Wireguard private key
-func ConfigureWithKeyGen(iface string) (*wgtypes.Key, error) {
-	key, err := wgtypes.GeneratePrivateKey()
+// configure peer for the wireguard device
+func configureDevice(iface string, config wgtypes.Config) error {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return err
+	}
+	defer wg.Close()
+
+	_, err = wg.Device(iface)
+	if err != nil {
+		return err
+	}
+	log.Debugf("got Wireguard device %s", iface)
+
+	return wg.ConfigureDevice(iface, config)
+}
+
+// Exists checks whether specified Wireguard device exists or not
+func Exists(iface string) (*bool, error) {
+	wg, err := wgctrl.New()
 	if err != nil {
 		return nil, err
 	}
-	return &key, Configure(iface, key.String())
+	defer wg.Close()
+
+	devices, err := wg.Devices()
+	if err != nil {
+		return nil, err
+	}
+
+	var exists bool
+	for _, d := range devices {
+		if d.Name == iface {
+			exists = true
+			return &exists, nil
+		}
+	}
+	exists = false
+	return &exists, nil
 }

 // Configure configures a Wireguard interface
@@ -71,11 +106,6 @@ func ConfigureWithKeyGen(iface string) (*wgtypes.Key, error) {
 func Configure(iface string, privateKey string) error {

 	log.Debugf("configuring Wireguard interface %s", iface)
-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()

 	log.Debugf("adding Wireguard private key")
 	key, err := wgtypes.ParseKey(privateKey)
@@ -84,18 +114,14 @@ func Configure(iface string, privateKey string) error {
 	}
 	fwmark := 0
 	p := WgPort
-	cfg := wgtypes.Config{
+	config := wgtypes.Config{
 		PrivateKey:   &key,
 		ReplacePeers: false,
 		FirewallMark: &fwmark,
 		ListenPort:   &p,
 	}
-	err = wg.ConfigureDevice(iface, cfg)
-	if err != nil {
-		return err
-	}

-	return nil
+	return configureDevice(iface, config)
 }

 // GetListenPort returns the listening port of the Wireguard endpoint
@@ -118,55 +144,12 @@ func GetListenPort(iface string) (*int, error) {
 	return &d.ListenPort, nil
 }

-// UpdateListenPort updates a Wireguard interface listen port
-func UpdateListenPort(iface string, newPort int) error {
-	log.Debugf("updating Wireguard listen port of interface %s, new port %d", iface, newPort)
-
-	//discover Wireguard current configuration
-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
-	config := wgtypes.Config{
-		ListenPort:   &newPort,
-		ReplacePeers: false,
-	}
-	err = wg.ConfigureDevice(iface, config)
-	if err != nil {
-		return err
-	}
-
-	log.Debugf("updated Wireguard listen port of interface %s, new port %d", iface, newPort)
-
-	return nil
-}
-
 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
 // Endpoint is optional
 func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.Duration, endpoint string) error {

 	log.Debugf("updating interface %s peer %s: endpoint %s ", iface, peerKey, endpoint)

-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
 	//parse allowed ips
 	_, ipNet, err := net.ParseCIDR(allowedIps)
 	if err != nil {
@@ -177,20 +160,18 @@ func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.
 	if err != nil {
 		return err
 	}
-	peers := make([]wgtypes.PeerConfig, 0)
 	peer := wgtypes.PeerConfig{
 		PublicKey:                   peerKeyParsed,
 		ReplaceAllowedIPs:           true,
 		AllowedIPs:                  []net.IPNet{*ipNet},
 		PersistentKeepaliveInterval: &keepAlive,
 	}
-	peers = append(peers, peer)

 	config := wgtypes.Config{
-		ReplacePeers: false,
-		Peers:        peers,
+		Peers: []wgtypes.PeerConfig{peer},
 	}
-	err = wg.ConfigureDevice(iface, config)
+
+	err = configureDevice(iface, config)
 	if err != nil {
 		return err
 	}
@@ -208,18 +189,6 @@ func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error

 	log.Debugf("updating peer %s endpoint %s ", peerKey, newEndpoint)

-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
-
-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
-
 	peerAddr, err := net.ResolveUDPAddr("udp4", newEndpoint)
 	if err != nil {
 		return err
@@ -231,23 +200,41 @@ func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error
 	if err != nil {
 		return err
 	}
-	peers := make([]wgtypes.PeerConfig, 0)
+
 	peer := wgtypes.PeerConfig{
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		UpdateOnly:        true,
 		Endpoint:          peerAddr,
 	}
-	peers = append(peers, peer)
-
 	config := wgtypes.Config{
-		ReplacePeers: false,
-		Peers:        peers,
+		Peers: []wgtypes.PeerConfig{peer},
 	}
-	err = wg.ConfigureDevice(iface, config)
+	return configureDevice(iface, config)
+}
+
+// RemovePeer removes a Wireguard Peer from the interface iface
+func RemovePeer(iface string, peerKey string) error {
+	log.Debugf("Removing peer %s from interface %s ", peerKey, iface)
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
 	}

-	return nil
+	peer := wgtypes.PeerConfig{
+		PublicKey: peerKeyParsed,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+
+	return configureDevice(iface, config)
+}
+
+// Closes the User Space tunnel interface
+func CloseWithUserspace() error {
+	return tunIface.Close()
 }
--- a/iface/iface_darwin.go
+++ b/iface/iface_darwin.go
@@ -3,6 +3,7 @@ package iface
 import (
 	log "github.com/sirupsen/logrus"
 	"net"
+	"os"
 	"os/exec"
 	"strings"
 )
@@ -37,3 +38,26 @@ func addRoute(iface string, ipNet *net.IPNet) error {
 	}
 	return nil
 }
+
+// Closes the tunnel interface
+func Close() error {
+	name, err := tunIface.Name()
+	if err != nil {
+		return err
+	}
+
+	sockPath := "/var/run/wireguard/" + name + ".sock"
+
+	err = CloseWithUserspace()
+	if err != nil {
+		return err
+	}
+
+	if _, err := os.Stat(sockPath); err == nil {
+		err = os.Remove(sockPath)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
--- a/iface/iface_linux.go
+++ b/iface/iface_linux.go
@@ -1,8 +1,10 @@
 package iface

 import (
+	"fmt"
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
+	"golang.zx2c4.com/wireguard/wgctrl"
 	"os"
 )

@@ -28,29 +30,40 @@ func CreateWithKernel(iface string, address string) error {
 		attrs: &attrs,
 	}

+	// check if interface exists
+	l, err := netlink.LinkByName(iface)
+	if err != nil {
+		switch err.(type) {
+		case netlink.LinkNotFoundError:
+			break
+		default:
+			return err
+		}
+	}
+
+	// remove if interface exists
+	if l != nil {
+		err = netlink.LinkDel(&link)
+		if err != nil {
+			return err
+		}
+	}
+
 	log.Debugf("adding device: %s", iface)
-	err := netlink.LinkAdd(&link)
+	err = netlink.LinkAdd(&link)
 	if os.IsExist(err) {
 		log.Infof("interface %s already exists. Will reuse.", iface)
 	} else if err != nil {
 		return err
 	}

-	log.Debugf("adding address %s to interface: %s", address, iface)
-	addr, _ := netlink.ParseAddr(address)
-	err = netlink.AddrAdd(&link, addr)
-	if os.IsExist(err) {
-		log.Infof("interface %s already has the address: %s", iface, address)
-	} else if err != nil {
-		return err
-	}
 	err = assignAddr(address, iface)
 	if err != nil {
 		return err
 	}

 	// todo do a discovery
-	log.Debugf("setting MTU: %s", iface)
+	log.Debugf("setting MTU: %d interface: %s", defaultMTU, iface)
 	err = netlink.LinkSetMTU(&link, defaultMTU)
 	if err != nil {
 		log.Errorf("error setting MTU on interface: %s", iface)
@@ -77,6 +90,20 @@ func assignAddr(address, name string) error {
 		attrs: &attrs,
 	}

+	//delete existing addresses
+	list, err := netlink.AddrList(&link, 0)
+	if err != nil {
+		return err
+	}
+	if len(list) > 0 {
+		for _, a := range list {
+			err = netlink.AddrDel(&link, &a)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
 	log.Debugf("adding address %s to interface: %s", address, attrs.Name)
 	addr, _ := netlink.ParseAddr(address)
 	err = netlink.AddrAdd(&link, addr)
@@ -103,3 +130,39 @@ func (w *wgLink) Attrs() *netlink.LinkAttrs {
 func (w *wgLink) Type() string {
 	return "wireguard"
 }
+
+// Closes the tunnel interface
+func Close() error {
+
+	if tunIface != nil {
+		return CloseWithUserspace()
+	} else {
+		var iface = ""
+		wg, err := wgctrl.New()
+		if err != nil {
+			return err
+		}
+		defer wg.Close()
+		devList, err := wg.Devices()
+		if err != nil {
+			return err
+		}
+		for _, wgDev := range devList {
+			// todo check after move the WgPort constant to the client
+			if wgDev.ListenPort == WgPort {
+				iface = wgDev.Name
+				break
+			}
+		}
+		if iface == "" {
+			return fmt.Errorf("Wireguard Interface not found")
+		}
+		attrs := netlink.NewLinkAttrs()
+		attrs.Name = iface
+
+		link := wgLink{
+			attrs: &attrs,
+		}
+		return netlink.LinkDel(&link)
+	}
+}
--- a/iface/iface_test.go
+++ b/iface/iface_test.go
@@ -0,0 +1,272 @@
+package iface
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"testing"
+	"time"
+)
+
+// keep darwin compability
+const (
+	key        = "0PMI6OkB5JmB+Jj/iWWHekuQRx+bipZirWCWKFXexHc="
+	peerPubKey = "Ok0mC0qlJyXEPKh2UFIpsI2jG0L7LRpC3sLAusSJ5CQ="
+)
+
+func init() {
+	log.SetLevel(log.DebugLevel)
+}
+
+//
+func Test_CreateInterface(t *testing.T) {
+	ifaceName := "utun999"
+	wgIP := "10.99.99.1/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	d, err := wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// todo move the WgPort constant to the client
+	WgPort = d.ListenPort
+}
+func Test_ConfigureInterface(t *testing.T) {
+	ifaceName := "utun1000"
+	wgIP := "10.99.99.10/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if wgDevice.PrivateKey.String() != key {
+		t.Fatalf("Private keys don't match after configure: %s != %s", key, wgDevice.PrivateKey.String())
+	}
+}
+
+func Test_UpdatePeer(t *testing.T) {
+	ifaceName := "utun1001"
+	wgIP := "10.99.99.20/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keepAlive := 15 * time.Second
+	allowedIP := "10.99.99.2/32"
+	endpoint := "127.0.0.1:9900"
+	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer, err := getPeer(ifaceName, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if peer.PersistentKeepaliveInterval != keepAlive {
+		t.Fatal("configured peer with mismatched keepalive interval value")
+	}
+
+	resolvedEndpoint, err := net.ResolveUDPAddr("udp", endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if peer.Endpoint.String() != resolvedEndpoint.String() {
+		t.Fatal("configured peer with mismatched endpoint")
+	}
+
+	var foundAllowedIP bool
+	for _, aip := range peer.AllowedIPs {
+		if aip.String() == allowedIP {
+			foundAllowedIP = true
+			break
+		}
+	}
+	if !foundAllowedIP {
+		t.Fatal("configured peer with mismatched Allowed IPs")
+	}
+}
+
+func Test_UpdatePeerEndpoint(t *testing.T) {
+	ifaceName := "utun1002"
+	wgIP := "10.99.99.30/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keepAlive := 15 * time.Second
+	allowedIP := "10.99.99.2/32"
+	endpoint := "127.0.0.1:9900"
+	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	newEndpoint := "127.0.0.1:9999"
+	err = UpdatePeerEndpoint(ifaceName, peerPubKey, newEndpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peer, err := getPeer(ifaceName, t)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if peer.Endpoint.String() != newEndpoint {
+		t.Fatal("configured peer with mismatched endpoint")
+	}
+}
+
+func Test_RemovePeer(t *testing.T) {
+	ifaceName := "utun1003"
+	wgIP := "10.99.99.40/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+	err = Configure(ifaceName, key)
+	if err != nil {
+		t.Fatal(err)
+	}
+	keepAlive := 15 * time.Second
+	allowedIP := "10.99.99.2/32"
+	endpoint := "127.0.0.1:9900"
+	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = RemovePeer(ifaceName, peerPubKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = getPeer(ifaceName, t)
+	if err.Error() != "peer not found" {
+		t.Fatal(err)
+	}
+}
+func Test_Close(t *testing.T) {
+	ifaceName := "utun1004"
+	wgIP := "10.99.99.50/24"
+	err := Create(ifaceName, wgIP)
+	if err != nil {
+		t.Fatal(err)
+	}
+	wg, err := wgctrl.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	d, err := wg.Device(ifaceName)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// todo move the WgPort constant to the client
+	WgPort = d.ListenPort
+	err = Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+func getPeer(ifaceName string, t *testing.T) (wgtypes.Peer, error) {
+	emptyPeer := wgtypes.Peer{}
+	wg, err := wgctrl.New()
+	if err != nil {
+		return emptyPeer, err
+	}
+	defer func() {
+		err = wg.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	wgDevice, err := wg.Device(ifaceName)
+	if err != nil {
+		return emptyPeer, err
+	}
+	for _, peer := range wgDevice.Peers {
+		if peer.PublicKey.String() == peerPubKey {
+			return peer, nil
+		}
+	}
+	return emptyPeer, fmt.Errorf("peer not found")
+}
--- a/iface/iface_windows.go
+++ b/iface/iface_windows.go
@@ -39,3 +39,8 @@ func assignAddr(address string, ifaceName string) error {
 func getUAPI(iface string) (net.Listener, error) {
 	return ipc.UAPIListen(iface)
 }
+
+// Closes the tunnel interface
+func Close() error {
+	return CloseWithUserspace()
+}
--- a/iface/ifacename.go
+++ b/iface/ifacename.go
@@ -0,0 +1,6 @@
+// +build linux windows
+
+package iface
+
+// WgInterfaceDefault is a default interface name of Wiretrustee
+const WgInterfaceDefault = "wt0"
--- a/iface/ifacename_darwin.go
+++ b/iface/ifacename_darwin.go
@@ -0,0 +1,6 @@
+// +build darwin
+
+package iface
+
+// WgInterfaceDefault is a default interface name of Wiretrustee
+const WgInterfaceDefault = "utun100"
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+unset $(grep -v '^#' ./setup.env | sed -E 's/(.*)=.*/\1/' | xargs)
+export $(grep -v '^#' ./setup.env | xargs)
+
+envsubst < docker-compose.yml.tmpl > docker-compose.yml
+envsubst < management.json.tmpl > management.json
--- a/infrastructure_files/docker-compose.yml
+++ b/infrastructure_files/docker-compose.yml
@@ -1,19 +0,0 @@
-version: "3"
-services:
-  # Signal
-  signal:
-    image: wiretrustee/wiretrustee:signal-latest
-    restart: unless-stopped
-    ports:
-      - 10000:10000
-
-  # Coturn
-  coturn:
-    image: coturn/coturn
-    restart: unless-stopped
-    domainname: stun.wiretrustee.com
-    volumes:
-      - ./turnserver.conf:/etc/turnserver.conf:ro
-#      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
-#      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
-    network_mode: host
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -0,0 +1,61 @@
+version: "3"
+services:
+  #UI dashboard
+  dashboard:
+    image: wiretrustee/dashboard:main
+    restart: unless-stopped
+    ports:
+      - 80:80
+      - 443:443
+    environment:
+      - AUTH0_DOMAIN=$WIRETRUSTEE_AUTH0_DOMAIN
+      - AUTH0_CLIENT_ID=$WIRETRUSTEE_AUTH0_CLIENT_ID
+      - AUTH0_AUDIENCE=$WIRETRUSTEE_AUTH0_AUDIENCE
+      - WIRETRUSTEE_MGMT_API_ENDPOINT=https://$WIRETRUSTEE_DOMAIN:33071
+      - NGINX_SSL_PORT=443
+      - LETSENCRYPT_DOMAIN=$WIRETRUSTEE_DOMAIN
+      - LETSENCRYPT_EMAIL=$WIRETRUSTEE_LETSENCRYPT_EMAIL
+    volumes:
+      - /var/lib/wiretrustee/dashboard/letsencrypt:/etc/letsencrypt/
+  # Signal
+  signal:
+    image: wiretrustee/signal:latest
+    restart: unless-stopped
+    volumes:
+      - wiretrustee-signal:/var/lib/wiretrustee
+    #      - /var/log/wiretrustee/signal.log:/var/log/wiretrustee/signal.log
+    ports:
+      - 10000:10000
+  #     # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "$WIRETRUSTEE_DOMAIN", "--log-file", "console"]
+  # Management
+  management:
+    image: wiretrustee/management:latest
+    restart: unless-stopped
+    depends_on:
+      - dashboard
+    volumes:
+      - wiretrustee-mgmt:/var/lib/wiretrustee
+      - /var/lib/wiretrustee/dashboard/letsencrypt:/etc/letsencrypt:ro
+      - ./management.json:/etc/wiretrustee/management.json
+    #      - /var/log/wiretrustee/management.log:/var/log/wiretrustee/management.log
+    ports:
+      - 33073:33073 #gRPC port
+      - 33071:33071 #HTTP port
+  #     # port and command for Let's Encrypt validation
+  #      - 443:443
+  #    command: ["--letsencrypt-domain", "$WIRETRUSTEE_DOMAIN", "--log-file", "console"]
+  # Coturn
+  coturn:
+    image: coturn/coturn
+    restart: unless-stopped
+    domainname: <YOUR DOMAIN>
+    volumes:
+      - ./turnserver.conf:/etc/turnserver.conf:ro
+    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
+    #      - ./cert.pem:/etc/coturn/certs/cert.pem:ro
+    network_mode: host
+volumes:
+  wiretrustee-mgmt:
+  wiretrustee-signal:
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -0,0 +1,39 @@
+{
+    "Stuns": [
+        {
+            "Proto": "udp",
+            "URI": "stun:$WIRETRUSTEE_DOMAIN:3478",
+            "Username": "",
+            "Password": null
+        }
+    ],
+    "TURNConfig": {
+        "Turns": [
+            {
+                "Proto": "udp",
+                "URI": "turn:$WIRETRUSTEE_DOMAIN:3478",
+                "Username": "",
+                "Password": null
+            }
+        ],
+        "CredentialsTTL": "12h",
+        "Secret": "secret",
+        "TimeBasedCredentials": false
+    },
+    "Signal": {
+        "Proto": "http",
+        "URI": "$WIRETRUSTEE_DOMAIN:10000",
+        "Username": "",
+        "Password": null
+    },
+    "Datadir": "",
+    "HttpConfig": {
+        "LetsEncryptDomain": "",
+        "CertFile":"/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/fullchain.pem",
+        "CertKey":"/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/privkey.pem",
+        "Address": "0.0.0.0:33071",
+        "AuthIssuer": "https://$WIRETRUSTEE_AUTH0_DOMAIN/",
+        "AuthAudience": "$WIRETRUSTEE_AUTH0_AUDIENCE",
+        "AuthKeysLocation": "https://$WIRETRUSTEE_AUTH0_DOMAIN/.well-known/jwks.json"
+    }
+}
--- a/infrastructure_files/setup.env
+++ b/infrastructure_files/setup.env
@@ -0,0 +1,10 @@
+# e.g. app.mydomain.com
+WIRETRUSTEE_DOMAIN=""
+# e.g. dev-24vkclam.us.auth0.com
+WIRETRUSTEE_AUTH0_DOMAIN=""
+# e.g. 61u3JMXRO0oOevc7gCkZLCwePQvT4lL0
+WIRETRUSTEE_AUTH0_CLIENT_ID=""
+# e.g. https://app.mydomain.com/
+WIRETRUSTEE_AUTH0_AUDIENCE=""
+# e.g. hello@mydomain.com
+WIRETRUSTEE_LETSENCRYPT_EMAIL=""
--- a/management/Dockerfile
+++ b/management/Dockerfile
@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base
+ENTRYPOINT [ "/go/bin/wiretrustee-mgmt","management"]
+CMD ["--log-file", "console"]
+COPY wiretrustee-mgmt /go/bin/wiretrustee-mgmt
--- a/management/Dockerfile.debug
+++ b/management/Dockerfile.debug
@@ -0,0 +1,4 @@
+FROM gcr.io/distroless/base:debug
+ENTRYPOINT [ "/go/bin/wiretrustee-mgmt","management","--log-level","debug"]
+CMD ["--log-file", "console"]
+COPY wiretrustee-mgmt /go/bin/wiretrustee-mgmt
--- a/management/README.md
+++ b/management/README.md
@@ -0,0 +1,113 @@
+# Wiretrustee Management Server
+Wiretrustee management server will control and synchronize peers configuration within your wiretrustee account and network.
+
+## Command Options
+The CLI accepts the command **management** with the following options:
+```shell
+start Wiretrustee Management Server
+
+Usage:
+  wiretrustee-mgmt management [flags]
+
+Flags:
+      --datadir string              server data directory location (default "/var/lib/wiretrustee/")
+  -h, --help                        help for management
+      --letsencrypt-domain string   a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS
+      --port int                    server port to listen on (default 33073)
+      --cert-file string            Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect
+      --cert-key string             Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect
+Global Flags:
+      --config string      Wiretrustee config file location to write new config to (default "/etc/wiretrustee/config.json")
+      --log-level string    (default "info")
+      --log-file string    sets Wiretrustee log path. If console is specified the the log will be output to stdout (default "/var/log/wiretrustee/management.log")
+```
+## Run Management service (Docker)
+
+You can run service in 2 modes - with TLS or without (not recommended).
+
+### Run with TLS (Let's Encrypt). 
+By specifying the **--letsencrypt-domain** the daemon will handle SSL certificate request and configuration.
+
+In the following example ```33073``` is the management service **default** port, and ```443``` will be used as port for Let's Encrypt challenge and HTTP API.
+> The server where you are running a container has to have a public IP (for Let's Encrypt certificate challenge).
+
+Replace <YOUR-DOMAIN> with your server's public domain (e.g. mydomain.com or subdomain sub.mydomain.com).
+
+```bash
+# create a volume
+docker volume create wiretrustee-mgmt
+# run the docker container
+docker run -d --name wiretrustee-management \
+-p 33073:33073  \
+-p 443:443  \
+-v wiretrustee-mgmt:/var/lib/wiretrustee  \
+-v ./config.json:/etc/wiretrustee/config.json  \
+wiretrustee/management:latest \
+--letsencrypt-domain <YOUR-DOMAIN>
+```
+> An example of config.json can be found here [config.json](../infrastructure_files/config.json)
+
+Trigger Let's encrypt certificate generation:
+```bash
+curl https://<YOUR-DOMAIN>
+```
+
+The certificate will be persisted in the ```datadir/letsencrypt/``` folder (e.g. ```/var/lib/wiretrustee/letsencrypt/```) inside the container.
+
+Make sure that the ```datadir``` is mapped to some folder on a host machine. In case you used the volume command, you can run the following to retrieve the Mountpoint:
+```shell
+docker volume inspect wiretrustee-mgmt
+[
+    {
+        "CreatedAt": "2021-07-25T20:45:28Z",
+        "Driver": "local",
+        "Labels": {},
+        "Mountpoint": "/var/lib/docker/volumes/mgmt/_data",
+        "Name": "wiretrustee-mgmt",
+        "Options": {},
+        "Scope": "local"
+    }
+]
+```
+Consequent restarts of the container will pick up previously generated certificate so there is no need to trigger certificate generation with the ```curl``` command on every restart.
+
+### Run without TLS.
+
+```bash
+# create a volume
+docker volume create wiretrustee-mgmt
+# run the docker container
+docker run -d --name wiretrustee-management \
+-p 33073:33073  \
+-v wiretrustee-mgmt:/var/lib/wiretrustee  \
+-v ./config.json:/etc/wiretrustee/config.json  \
+wiretrustee/management:latest
+```
+### Debug tag
+We also publish a docker image with the debug tag which has the log-level set to default, plus it uses the ```gcr.io/distroless/base:debug``` image that can be used with docker exec in order to run some commands in the Management container.
+```shell
+shell $ docker run -d --name wiretrustee-management-debug \
+-p 33073:33073  \
+-v wiretrustee-mgmt:/var/lib/wiretrustee  \
+-v ./config.json:/etc/wiretrustee/config.json  \
+wiretrustee/management:debug-latest
+
+shell $ docker exec -ti wiretrustee-management-debug /bin/sh
+container-shell $ 
+```
+## For development purposes:
+
+Install golang gRpc tools:
+```bash
+#!/bin/bash
+go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+```
+
+Generate gRpc code:
+
+```bash
+#!/bin/bash
+protoc -I proto/ proto/management.proto --go_out=. --go-grpc_out=.
+```
+
--- a/management/client/client.go
+++ b/management/client/client.go
@@ -0,0 +1,252 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/client/system"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	"github.com/wiretrustee/wiretrustee/management/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
+	"io"
+	"time"
+)
+
+type Client struct {
+	key        wgtypes.Key
+	realClient proto.ManagementServiceClient
+	ctx        context.Context
+	conn       *grpc.ClientConn
+}
+
+// NewClient creates a new client to Management service
+func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*Client, error) {
+
+	transportOption := grpc.WithInsecure()
+
+	if tlsEnabled {
+		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+	}
+
+	mgmCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
+	defer cancel()
+	conn, err := grpc.DialContext(
+		mgmCtx,
+		addr,
+		transportOption,
+		grpc.WithBlock(),
+		grpc.WithKeepaliveParams(keepalive.ClientParameters{
+			Time:    15 * time.Second,
+			Timeout: 10 * time.Second,
+		}))
+
+	if err != nil {
+		log.Errorf("failed creating connection to Management Service %v", err)
+		return nil, err
+	}
+
+	realClient := proto.NewManagementServiceClient(conn)
+
+	return &Client{
+		key:        ourPrivateKey,
+		realClient: realClient,
+		ctx:        ctx,
+		conn:       conn,
+	}, nil
+}
+
+// Close closes connection to the Management Service
+func (c *Client) Close() error {
+	return c.conn.Close()
+}
+
+//defaultBackoff is a basic backoff mechanism for general issues
+func defaultBackoff(ctx context.Context) backoff.BackOff {
+	return backoff.WithContext(&backoff.ExponentialBackOff{
+		InitialInterval:     800 * time.Millisecond,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}, ctx)
+}
+
+// ready indicates whether the client is okay and ready to be used
+// for now it just checks whether gRPC connection to the service is ready
+func (c *Client) ready() bool {
+	return c.conn.GetState() == connectivity.Ready
+}
+
+// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
+// Blocking request. The result will be sent via msgHandler callback function
+func (c *Client) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
+
+	var backOff = defaultBackoff(c.ctx)
+
+	operation := func() error {
+
+		log.Debugf("management connection state %v", c.conn.GetState())
+
+		if !c.ready() {
+			return fmt.Errorf("no connection to management")
+		}
+
+		// todo we already have it since we did the Login, maybe cache it locally?
+		serverPubKey, err := c.GetServerPublicKey()
+		if err != nil {
+			log.Errorf("failed getting Management Service public key: %s", err)
+			return err
+		}
+
+		stream, err := c.connectToStream(*serverPubKey)
+		if err != nil {
+			log.Errorf("failed to open Management Service stream: %s", err)
+			return err
+		}
+
+		log.Infof("connected to the Management Service stream")
+
+		// blocking until error
+		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
+		if err != nil {
+			backOff.Reset()
+			return err
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+
+	return nil
+}
+
+func (c *Client) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
+	req := &proto.SyncRequest{}
+
+	myPrivateKey := c.key
+	myPublicKey := myPrivateKey.PublicKey()
+
+	encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
+	if err != nil {
+		log.Errorf("failed encrypting message: %s", err)
+		return nil, err
+	}
+
+	syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
+	return c.realClient.Sync(c.ctx, syncReq)
+}
+
+func (c *Client) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
+	for {
+		update, err := stream.Recv()
+		if err == io.EOF {
+			log.Errorf("Management stream has been closed by server: %s", err)
+			return err
+		}
+		if err != nil {
+			log.Warnf("disconnected from Management Service sync stream: %v", err)
+			return err
+		}
+
+		log.Debugf("got an update message from Management Service")
+		decryptedResp := &proto.SyncResponse{}
+		err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp)
+		if err != nil {
+			log.Errorf("failed decrypting update message from Management Service: %s", err)
+			return err
+		}
+
+		err = msgHandler(decryptedResp)
+		if err != nil {
+			log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
+			return err
+		}
+	}
+}
+
+// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
+func (c *Client) GetServerPublicKey() (*wgtypes.Key, error) {
+	if !c.ready() {
+		return nil, fmt.Errorf("no connection to management")
+	}
+
+	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
+	defer cancel()
+	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
+	if err != nil {
+		return nil, err
+	}
+
+	serverKey, err := wgtypes.ParseKey(resp.Key)
+	if err != nil {
+		return nil, err
+	}
+
+	return &serverKey, nil
+}
+
+func (c *Client) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
+	if !c.ready() {
+		return nil, fmt.Errorf("no connection to management")
+	}
+	loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
+	if err != nil {
+		log.Errorf("failed to encrypt message: %s", err)
+		return nil, err
+	}
+	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
+	defer cancel()
+	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
+		WgPubKey: c.key.PublicKey().String(),
+		Body:     loginReq,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	loginResp := &proto.LoginResponse{}
+	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
+	if err != nil {
+		log.Errorf("failed to decrypt registration message: %s", err)
+		return nil, err
+	}
+
+	return loginResp, nil
+}
+
+// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
+// Takes care of encrypting and decrypting messages.
+// This method will also collect system info and send it with the request (e.g. hostname, os, etc)
+func (c *Client) Register(serverKey wgtypes.Key, setupKey string) (*proto.LoginResponse, error) {
+	gi := system.GetInfo()
+	meta := &proto.PeerSystemMeta{
+		Hostname:           gi.Hostname,
+		GoOS:               gi.GoOS,
+		OS:                 gi.OS,
+		Core:               gi.OSVersion,
+		Platform:           gi.Platform,
+		Kernel:             gi.Kernel,
+		WiretrusteeVersion: "",
+	}
+	log.Debugf("detected system %v", meta)
+	return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: meta})
+}
+
+// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
+func (c *Client) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
+	return c.login(serverKey, &proto.LoginRequest{})
+}
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -0,0 +1,179 @@
+package client
+
+import (
+	"context"
+	log "github.com/sirupsen/logrus"
+	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"net"
+	"path/filepath"
+	"testing"
+	"time"
+)
+
+var tested *Client
+var serverAddr string
+
+const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
+
+func Test_Start(t *testing.T) {
+	level, _ := log.ParseLevel("debug")
+	log.SetLevel(level)
+
+	testKey, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	ctx := context.Background()
+	config := &mgmt.Config{}
+	_, err = util.ReadJson("../server/testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	config.Datadir = testDir
+	err = util.CopyFileContents("../server/testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, listener := startManagement(config, t)
+	serverAddr = listener.Addr().String()
+	tested, err = NewClient(ctx, serverAddr, testKey, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+	store, err := mgmt.NewStore(config.Datadir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	peersUpdateManager := mgmt.NewPeersUpdateManager()
+	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
+	if err != nil {
+		t.Fatal(err)
+	}
+	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+			return
+		}
+	}()
+
+	return s, lis
+}
+
+func TestClient_GetServerPublicKey(t *testing.T) {
+
+	key, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+
+	if key == nil {
+		t.Error("expecting non nil server key got nil")
+	}
+}
+
+func TestClient_LoginUnregistered_ShouldThrow_401(t *testing.T) {
+	key, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = tested.Login(*key)
+	if err == nil {
+		t.Error("expecting err on unregistered login, got nil")
+	}
+	if s, ok := status.FromError(err); !ok || s.Code() != codes.PermissionDenied {
+		t.Errorf("expecting err code %d denied on on unregistered login got %d", codes.PermissionDenied, s.Code())
+	}
+}
+
+func TestClient_LoginRegistered(t *testing.T) {
+	key, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+	resp, err := tested.Register(*key, ValidKey)
+	if err != nil {
+		t.Error(err)
+	}
+
+	if resp == nil {
+		t.Error("expecting non nil response, got nil")
+	}
+}
+
+func TestClient_Sync(t *testing.T) {
+	serverKey, err := tested.GetServerPublicKey()
+	if err != nil {
+		t.Error(err)
+	}
+
+	_, err = tested.Register(*serverKey, ValidKey)
+	if err != nil {
+		t.Error(err)
+	}
+
+	// create and register second peer (we should receive on Sync request)
+	remoteKey, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Error(err)
+	}
+	remoteClient, err := NewClient(context.TODO(), serverAddr, remoteKey, false)
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = remoteClient.Register(*serverKey, ValidKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ch := make(chan *mgmtProto.SyncResponse, 1)
+
+	go func() {
+		err = tested.Sync(func(msg *mgmtProto.SyncResponse) error {
+			ch <- msg
+			return nil
+		})
+		if err != nil {
+			return
+		}
+	}()
+
+	select {
+	case resp := <-ch:
+		if resp.GetPeerConfig() == nil {
+			t.Error("expecting non nil PeerConfig got nil")
+		}
+		if resp.GetWiretrusteeConfig() == nil {
+			t.Error("expecting non nil WiretrusteeConfig got nil")
+		}
+		if len(resp.GetRemotePeers()) != 1 {
+			t.Errorf("expecting RemotePeers size %d got %d", 1, len(resp.GetRemotePeers()))
+		}
+		if resp.GetRemotePeersIsEmpty() == true {
+			t.Error("expecting RemotePeers property to be false, got true")
+		}
+		if resp.GetRemotePeers()[0].GetWgPubKey() != remoteKey.PublicKey().String() {
+			t.Errorf("expecting RemotePeer public key %s got %s", remoteKey.PublicKey().String(), resp.GetRemotePeers()[0].GetWgPubKey())
+		}
+	case <-time.After(3 * time.Second):
+		t.Error("timeout waiting for test to finish")
+	}
+}
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -0,0 +1,187 @@
+package cmd
+
+import (
+	"context"
+	"crypto/tls"
+	"flag"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/management/server/http"
+	"github.com/wiretrustee/wiretrustee/util"
+	"net"
+	"os"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
+)
+
+var (
+	mgmtPort              int
+	mgmtDataDir           string
+	mgmtConfig            string
+	mgmtLetsencryptDomain string
+	certFile              string
+	certKey               string
+
+	kaep = keepalive.EnforcementPolicy{
+		MinTime:             15 * time.Second,
+		PermitWithoutStream: true,
+	}
+
+	kasp = keepalive.ServerParameters{
+		MaxConnectionIdle:     15 * time.Second,
+		MaxConnectionAgeGrace: 5 * time.Second,
+		Time:                  5 * time.Second,
+		Timeout:               2 * time.Second,
+	}
+
+	mgmtCmd = &cobra.Command{
+		Use:   "management",
+		Short: "start Wiretrustee Management Server",
+		Run: func(cmd *cobra.Command, args []string) {
+			flag.Parse()
+			err := util.InitLog(logLevel, logFile)
+			if err != nil {
+				log.Fatalf("failed initializing log %v", err)
+			}
+
+			config, err := loadConfig()
+			if err != nil {
+				log.Fatalf("failed reading provided config file: %s: %v", mgmtConfig, err)
+			}
+
+			if _, err = os.Stat(config.Datadir); os.IsNotExist(err) {
+				err = os.MkdirAll(config.Datadir, os.ModeDir)
+				if err != nil {
+					log.Fatalf("failed creating datadir: %s: %v", config.Datadir, err)
+				}
+			}
+
+			store, err := server.NewStore(config.Datadir)
+			if err != nil {
+				log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
+			}
+			peersUpdateManager := server.NewPeersUpdateManager()
+			accountManager := server.NewManager(store, peersUpdateManager)
+
+			var opts []grpc.ServerOption
+
+			var httpServer *http.Server
+			if config.HttpConfig.LetsEncryptDomain != "" {
+				//automatically generate a new certificate with Let's Encrypt
+				certManager := encryption.CreateCertManager(config.Datadir, config.HttpConfig.LetsEncryptDomain)
+				transportCredentials := credentials.NewTLS(certManager.TLSConfig())
+				opts = append(opts, grpc.Creds(transportCredentials))
+
+				httpServer = http.NewHttpsServer(config.HttpConfig, certManager, accountManager)
+			} else if config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "" {
+				//use provided certificate
+				tlsConfig, err := loadTLSConfig(config.HttpConfig.CertFile, config.HttpConfig.CertKey)
+				if err != nil {
+					log.Fatal("cannot load TLS credentials: ", err)
+				}
+				transportCredentials := credentials.NewTLS(tlsConfig)
+				opts = append(opts, grpc.Creds(transportCredentials))
+				httpServer = http.NewHttpsServerWithTLSConfig(config.HttpConfig, tlsConfig, accountManager)
+			} else {
+				//start server without SSL
+				httpServer = http.NewHttpServer(config.HttpConfig, accountManager)
+			}
+
+			opts = append(opts, grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
+			grpcServer := grpc.NewServer(opts...)
+			turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
+			server, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
+			if err != nil {
+				log.Fatalf("failed creating new server: %v", err)
+			}
+			mgmtProto.RegisterManagementServiceServer(grpcServer, server)
+			log.Printf("started server: localhost:%v", mgmtPort)
+
+			lis, err := net.Listen("tcp", fmt.Sprintf(":%d", mgmtPort))
+			if err != nil {
+				log.Fatalf("failed to listen: %v", err)
+			}
+
+			go func() {
+				if err = grpcServer.Serve(lis); err != nil {
+					log.Fatalf("failed to serve gRpc server: %v", err)
+				}
+			}()
+
+			go func() {
+				err = httpServer.Start()
+				if err != nil {
+					log.Fatalf("failed to serve http server: %v", err)
+				}
+			}()
+
+			SetupCloseHandler()
+			<-stopCh
+			log.Println("Receive signal to stop running Management server")
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			err = httpServer.Stop(ctx)
+			if err != nil {
+				log.Fatalf("failed stopping the http server %v", err)
+			}
+
+			grpcServer.Stop()
+		},
+	}
+)
+
+func loadConfig() (*server.Config, error) {
+	config := &server.Config{}
+	_, err := util.ReadJson(mgmtConfig, config)
+	if err != nil {
+		return nil, err
+	}
+	if mgmtLetsencryptDomain != "" {
+		config.HttpConfig.LetsEncryptDomain = mgmtLetsencryptDomain
+	}
+	if mgmtDataDir != "" {
+		config.Datadir = mgmtDataDir
+	}
+
+	if certKey != "" && certFile != "" {
+		config.HttpConfig.CertFile = certFile
+		config.HttpConfig.CertKey = certKey
+	}
+
+	return config, err
+}
+
+func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
+	// Load server's certificate and private key
+	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the credentials and return it
+	config := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.NoClientCert,
+	}
+
+	return config, nil
+}
+
+func init() {
+	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 33073, "server port to listen on")
+	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", "/var/lib/wiretrustee/", "server data directory location")
+	mgmtCmd.Flags().StringVar(&mgmtConfig, "config", "/etc/wiretrustee/management.json", "Wiretrustee config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
+	mgmtCmd.Flags().StringVar(&mgmtLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
+	mgmtCmd.Flags().StringVar(&certFile, "cert-file", "", "Location of your SSL certificate. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
+	mgmtCmd.Flags().StringVar(&certKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect")
+
+	rootCmd.MarkFlagRequired("config") //nolint
+
+}
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -2,7 +2,6 @@ package cmd

 import (
 	"fmt"
-	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"os"
 	"os/signal"
@@ -18,12 +17,17 @@ var (
 	configPath        string
 	defaultConfigPath string
 	logLevel          string
+	defaultLogFile    string
+	logFile           string

 	rootCmd = &cobra.Command{
-		Use:   "wiretrustee",
+		Use:   "wiretrustee-mgmt",
 		Short: "",
 		Long:  "",
 	}
+
+	// Execution control channel for stopCh signal
+	stopCh chan int
 )

 // Execute executes the root command.
@@ -31,19 +35,19 @@ func Execute() error {
 	return rootCmd.Execute()
 }
 func init() {
-	defaultConfigPath = "/etc/wiretrustee/config.json"
+
+	stopCh = make(chan int)
+
+	defaultConfigPath = "/etc/wiretrustee/management.json"
+	defaultLogFile = "/var/log/wiretrustee/management.log"
 	if runtime.GOOS == "windows" {
-		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "management.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "management.log"
 	}
 	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location to write new config to")
 	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "")
-	rootCmd.AddCommand(initCmd)
-	rootCmd.AddCommand(addPeerCmd)
-	rootCmd.AddCommand(upCmd)
-	rootCmd.AddCommand(signalCmd)
-	rootCmd.AddCommand(serviceCmd)
-	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
-	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
+	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Wiretrustee log path. If console is specified the the log will be output to stdout")
+	rootCmd.AddCommand(mgmtCmd)
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
@@ -53,17 +57,7 @@ func SetupCloseHandler() {
 	go func() {
 		for range c {
 			fmt.Println("\r- Ctrl+C pressed in Terminal")
-			stopUP <- 0
+			stopCh <- 0
 		}
 	}()
 }
-
-// InitLog parses and sets log-level input
-func InitLog(logLevel string) {
-	level, err := log.ParseLevel(logLevel)
-	if err != nil {
-		log.Errorf("Failed parsing log-level %s: %s", logLevel, err)
-		os.Exit(ExitSetupFailed)
-	}
-	log.SetLevel(level)
-}
--- a/management/main.go
+++ b/management/main.go
@@ -0,0 +1,12 @@
+package main
+
+import (
+	"github.com/wiretrustee/wiretrustee/management/cmd"
+	"os"
+)
+
+func main() {
+	if err := cmd.Execute(); err != nil {
+		os.Exit(1)
+	}
+}
--- a/management/proto/generate.sh
+++ b/management/proto/generate.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+protoc -I proto/ proto/management.proto --go_out=. --go-grpc_out=.
--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
--- a/Show More
+++ b/Show More