Include users' own activity in active users calculation

Using time.Ticker allows us to avoid recursive calls that may end up in schedule running and possible deadlock if no routine is listening for cancel calls

.github/ISSUE_TEMPLATE/bug-issue-report.md

@@ -2,7 +2,7 @@
 name: Bug/Issue report
 about: Create a report to help us improve
 title: ''
-labels: ['triage']
+labels: ['triage-needed']
 assignees: ''
 
 ---

.github/workflows/golang-test-darwin.yml

@@ -35,5 +35,8 @@ jobs:
       - name: Install modules
         run: go mod tidy
 
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
       - name: Test
         run: NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...

.github/workflows/golang-test-linux.yml

@@ -41,6 +41,9 @@ jobs:
       - name: Install modules
         run: go mod tidy
 
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
       - name: Test
         run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...
 
@@ -69,6 +72,9 @@ jobs:
       - name: Install modules
         run: go mod tidy
 
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
       - name: Generate Iface Test bin
         run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/
 

.github/workflows/release.yml

@@ -190,6 +190,9 @@ jobs:
       -
         name: Install modules
         run: go mod tidy
+      - 
+        name: check git status
+        run: git --no-pager diff --exit-code
       -
         name: Run GoReleaser
         id: goreleaser

.github/workflows/test-infrastructure-files.yml

@@ -127,6 +127,9 @@ jobs:
       - name: Install modules
         run: go mod tidy
 
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
       - name: Build management binary
         working-directory: management
         run: CGO_ENABLED=1 go build -o netbird-mgmt main.go
@@ -159,6 +162,13 @@ jobs:
           test $count -eq 4
         working-directory: infrastructure_files/artifacts
 
+      - name: test geolocation databases
+        working-directory: infrastructure_files/artifacts
+        run: |
+          sleep 30
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City.mmdb
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames.db
+
   test-getting-started-script:
     runs-on: ubuntu-latest
     steps:
@@ -186,3 +196,16 @@ jobs:
         run: test -f zitadel.env
       - name: test dashboard.env file gen
         run: test -f dashboard.env
+  test-download-geolite2-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y unzip sqlite3
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: test script
+        run: bash -x infrastructure_files/download-geolite2.sh
+      - name: test mmdb file exists
+        run: test -f GeoLite2-City.mmdb
+      - name: test geonames file exists
+        run: test -f geonames.db

.golangci.yaml

@@ -63,6 +63,14 @@ linters-settings:
     enable:
       - nilness
 
+  revive:
+    rules:
+      - name: exported
+        severity: warning
+        disabled: false
+        arguments:
+          - "checkPrivateReceivers"
+          - "sayRepetitiveInsteadOfStutters"
   tenv:
     # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
     # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
@@ -93,6 +101,7 @@ linters:
     - nilerr # finds the code that returns nil even if it checks that the error is not nil
     - nilnil # checks that there is no simultaneous return of nil error and an invalid value
     - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
+    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
     - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
     - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
     - wastedassign # wastedassign finds wasted assignment statements

.goreleaser_ui.yaml

@@ -54,7 +54,7 @@ nfpms:
     contents:
       - src: client/ui/netbird.desktop
         dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/netbird-systemtray-default.png
+      - src: client/ui/netbird-systemtray-connected.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
       - netbird
@@ -71,7 +71,7 @@ nfpms:
     contents:
       - src: client/ui/netbird.desktop
         dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/netbird-systemtray-default.png
+      - src: client/ui/netbird-systemtray-connected.png
         dst: /usr/share/pixmaps/netbird.png
     dependencies:
       - netbird

README.md

@@ -1,6 +1,6 @@
 <p align="center">
- <strong>:hatching_chick: New Release! Self-hosting in under 5 min.</strong>
-  <a href="https://github.com/netbirdio/netbird#quickstart-with-self-hosted-netbird">
+ <strong>:hatching_chick: New Release! Device Posture Checks.</strong>
+  <a href="https://docs.netbird.io/how-to/manage-posture-checks">
        Learn more
      </a>   
 </p>
@@ -42,25 +42,22 @@
 
 **Secure.** NetBird enables secure remote access by applying granular access policies, while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
 
-### Secure peer-to-peer VPN with SSO and MFA in minutes
+### Open-Source Network Security in a Single Platform
 
-https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov
+![download (2)](https://github.com/netbirdio/netbird/assets/700848/16210ac2-7265-44c1-8d4e-8fae85534dac)
 
 ### Key features
 
-| Connectivity                             	                                                                                      | Management                                 	                             | Automation                                    	                            | Platforms    	                        |
-|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------------|---------------------------------------|
-| <ul><li> - \[x] Kernel WireGuard </ul></li>                   	                                                                 | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                           	      | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                	     | <ul><li> - \[x] Linux </ul></li>    	 |
-| <ul><li> - \[x] Peer-to-peer connections </ul></li>             	                                                               | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>  	      | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li>  	     | <ul><li> - \[x] Mac </ul></li>      	 |
-| <ul><li> - \[x] Peer-to-peer encryption </ul></li>              	                                                               | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>                       	      | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>              	 | <ul><li> - \[x] Windows </ul></li>  	 |
-| <ul><li> - \[x] Connection relay fallback </ul></li>            	                                                               | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>                      	      | <ul><li> - \[x] IdP groups sync with JWT </ul></li> 	                      | <ul><li> - \[x] Android </ul></li>  	 |
-| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li>  	 | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>      	        | 	                                                                          | <ul><li> - \[x] iOS </ul></li>      	 |
-| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                               | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>                            	      | 	                                                                          | <ul><li> - \[x] Docker </ul></li>   	 |
-| <ul><li> - \[x] Post-quantum-secure connection through [Rosenpass](https://rosenpass.eu) </ul></li>                             | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li>                      	      | 	                                                                          | <ul><li> - \[x] OpenWRT </ul></li>  	 |
-| 	                                                                                                                               | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                       	      | 	                                                                          | 	                                     |
-| 	                                                                                                                               | <ul><li> - \[x] SSH access management </ul></li>                       	 | 	                                                                          | 	                                     |
-
-
+| Connectivity                                                                                                                 | Management                                                                                               | Security                                                                                                                              | Automation                                                                                                                               | Platforms                                                                               |
+|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| <ul><li> - \[x] Kernel WireGuard </ul></li>                                                                                  | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                        | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>           | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                                                     | <ul><li> - \[x] Linux </ul></li>                                                        |
+| <ul><li> - \[x] Peer-to-peer connections </ul></li>                                                                          | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>                                         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>                    | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li>                                                          |
+| <ul><li> - \[x] Connection relay fallback </ul></li>                                                                         | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>     | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                     | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>                    | <ul><li> - \[x] Windows </ul></li>                                                      |
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>      | <ul><li> - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) </ul></li>                              | <ul><li> - \[x] IdP groups sync with JWT </ul></li>                                                                                      | <ul><li> - \[x] Android </ul></li>                                                      |
+| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                            | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | <ul><li> -  \[x] Peer-to-peer encryption </ul></li>                                                                                   |                                                                                                                                          | <ul><li> - \[x] iOS </ul></li>                                                          |
+|                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
+|                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
+|                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |
 ### Quickstart with NetBird Cloud
 
 - Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)

client/android/client.go

@@ -79,6 +79,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 		return err
 	}
 	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+	c.recorder.UpdateRosenpass(cfg.RosenpassEnabled, cfg.RosenpassPermissive)
 
 	var ctx context.Context
 	//nolint
@@ -109,6 +110,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 		return err
 	}
 	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+	c.recorder.UpdateRosenpass(cfg.RosenpassEnabled, cfg.RosenpassPermissive)
 
 	var ctx context.Context
 	//nolint

client/cmd/status.go

@@ -34,6 +34,7 @@ type peerStateDetailOutput struct {
 	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
 	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
 	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
+	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
 }
 
 type peersStateOutput struct {
@@ -72,16 +73,18 @@ type iceCandidateType struct {
 }
 
 type statusOutputOverview struct {
-	Peers           peersStateOutput      `json:"peers" yaml:"peers"`
-	CliVersion      string                `json:"cliVersion" yaml:"cliVersion"`
-	DaemonVersion   string                `json:"daemonVersion" yaml:"daemonVersion"`
-	ManagementState managementStateOutput `json:"management" yaml:"management"`
-	SignalState     signalStateOutput     `json:"signal" yaml:"signal"`
-	Relays          relayStateOutput      `json:"relays" yaml:"relays"`
-	IP              string                `json:"netbirdIp" yaml:"netbirdIp"`
-	PubKey          string                `json:"publicKey" yaml:"publicKey"`
-	KernelInterface bool                  `json:"usesKernelInterface" yaml:"usesKernelInterface"`
-	FQDN            string                `json:"fqdn" yaml:"fqdn"`
+	Peers               peersStateOutput      `json:"peers" yaml:"peers"`
+	CliVersion          string                `json:"cliVersion" yaml:"cliVersion"`
+	DaemonVersion       string                `json:"daemonVersion" yaml:"daemonVersion"`
+	ManagementState     managementStateOutput `json:"management" yaml:"management"`
+	SignalState         signalStateOutput     `json:"signal" yaml:"signal"`
+	Relays              relayStateOutput      `json:"relays" yaml:"relays"`
+	IP                  string                `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey              string                `json:"publicKey" yaml:"publicKey"`
+	KernelInterface     bool                  `json:"usesKernelInterface" yaml:"usesKernelInterface"`
+	FQDN                string                `json:"fqdn" yaml:"fqdn"`
+	RosenpassEnabled    bool                  `json:"quantumResistance" yaml:"quantumResistance"`
+	RosenpassPermissive bool                  `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
 }
 
 var (
@@ -253,16 +256,18 @@ func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverv
 	peersOverview := mapPeers(resp.GetFullStatus().GetPeers())
 
 	overview := statusOutputOverview{
-		Peers:           peersOverview,
-		CliVersion:      version.NetbirdVersion(),
-		DaemonVersion:   resp.GetDaemonVersion(),
-		ManagementState: managementOverview,
-		SignalState:     signalOverview,
-		Relays:          relayOverview,
-		IP:              pbFullStatus.GetLocalPeerState().GetIP(),
-		PubKey:          pbFullStatus.GetLocalPeerState().GetPubKey(),
-		KernelInterface: pbFullStatus.GetLocalPeerState().GetKernelInterface(),
-		FQDN:            pbFullStatus.GetLocalPeerState().GetFqdn(),
+		Peers:               peersOverview,
+		CliVersion:          version.NetbirdVersion(),
+		DaemonVersion:       resp.GetDaemonVersion(),
+		ManagementState:     managementOverview,
+		SignalState:         signalOverview,
+		Relays:              relayOverview,
+		IP:                  pbFullStatus.GetLocalPeerState().GetIP(),
+		PubKey:              pbFullStatus.GetLocalPeerState().GetPubKey(),
+		KernelInterface:     pbFullStatus.GetLocalPeerState().GetKernelInterface(),
+		FQDN:                pbFullStatus.GetLocalPeerState().GetFqdn(),
+		RosenpassEnabled:    pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
+		RosenpassPermissive: pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
 	}
 
 	return overview
@@ -346,6 +351,7 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			LastWireguardHandshake: lastHandshake,
 			TransferReceived:       transferReceived,
 			TransferSent:           transferSent,
+			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
 		}
 
 		peersStateDetail = append(peersStateDetail, peerState)
@@ -451,6 +457,14 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 
 	peersCountString := fmt.Sprintf("%d/%d Connected", overview.Peers.Connected, overview.Peers.Total)
 
+	rosenpassEnabledStatus := "false"
+	if overview.RosenpassEnabled {
+		rosenpassEnabledStatus = "true"
+		if overview.RosenpassPermissive {
+			rosenpassEnabledStatus = "true (permissive)" //nolint:gosec
+		}
+	}
+
 	summary := fmt.Sprintf(
 		"Daemon version: %s\n"+
 			"CLI version: %s\n"+
@@ -460,6 +474,7 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 			"FQDN: %s\n"+
 			"NetBird IP: %s\n"+
 			"Interface type: %s\n"+
+			"Quantum resistance: %s\n"+
 			"Peers count: %s\n",
 		overview.DaemonVersion,
 		version.NetbirdVersion(),
@@ -469,13 +484,14 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 		overview.FQDN,
 		interfaceIP,
 		interfaceTypeString,
+		rosenpassEnabledStatus,
 		peersCountString,
 	)
 	return summary
 }
 
 func parseToFullDetailSummary(overview statusOutputOverview) string {
-	parsedPeersString := parsePeers(overview.Peers)
+	parsedPeersString := parsePeers(overview.Peers, overview.RosenpassEnabled, overview.RosenpassPermissive)
 	summary := parseGeneralSummary(overview, true, true)
 
 	return fmt.Sprintf(
@@ -487,7 +503,7 @@ func parseToFullDetailSummary(overview statusOutputOverview) string {
 	)
 }
 
-func parsePeers(peers peersStateOutput) string {
+func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bool) string {
 	var (
 		peersString = ""
 	)
@@ -518,9 +534,26 @@ func parsePeers(peers peersStateOutput) string {
 			lastStatusUpdate = peerState.LastStatusUpdate.Format("2006-01-02 15:04:05")
 		}
 
-		lastWireguardHandshake := "-"
+		lastWireGuardHandshake := "-"
 		if !peerState.LastWireguardHandshake.IsZero() && peerState.LastWireguardHandshake != time.Unix(0, 0) {
-			lastWireguardHandshake = peerState.LastWireguardHandshake.Format("2006-01-02 15:04:05")
+			lastWireGuardHandshake = peerState.LastWireguardHandshake.Format("2006-01-02 15:04:05")
+		}
+
+		rosenpassEnabledStatus := "false"
+		if rosenpassEnabled {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "true"
+			} else {
+				if rosenpassPermissive {
+					rosenpassEnabledStatus = "false (remote didn't enable quantum resistance)"
+				} else {
+					rosenpassEnabledStatus = "false (connection won't work without a permissive mode)"
+				}
+			}
+		} else {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "false (connection might not work without a remote permissive mode)"
+			}
 		}
 
 		peerString := fmt.Sprintf(
@@ -534,8 +567,9 @@ func parsePeers(peers peersStateOutput) string {
 				"  ICE candidate (Local/Remote): %s/%s\n"+
 				"  ICE candidate endpoints (Local/Remote): %s/%s\n"+
 				"  Last connection update: %s\n"+
-				"  Last Wireguard handshake: %s\n"+
-				"  Transfer status (received/sent) %s/%s\n",
+				"  Last WireGuard handshake: %s\n"+
+				"  Transfer status (received/sent) %s/%s\n"+
+				"  Quantum resistance: %s\n",
 			peerState.FQDN,
 			peerState.IP,
 			peerState.PubKey,
@@ -547,9 +581,10 @@ func parsePeers(peers peersStateOutput) string {
 			localICEEndpoint,
 			remoteICEEndpoint,
 			lastStatusUpdate,
-			lastWireguardHandshake,
+			lastWireGuardHandshake,
 			toIEC(peerState.TransferReceived),
 			toIEC(peerState.TransferSent),
+			rosenpassEnabledStatus,
 		)
 
 		peersString += peerString

client/cmd/status_test.go

@@ -231,7 +231,8 @@ func TestParsingToJSON(t *testing.T) {
                 },
                 "lastWireguardHandshake": "2001-01-01T01:01:02Z",
                 "transferReceived": 200,
-                "transferSent": 100
+                "transferSent": 100,
+				"quantumResistance":false
               },
               {
                 "fqdn": "peer-2.awesome-domain.com",
@@ -251,7 +252,8 @@ func TestParsingToJSON(t *testing.T) {
                 },
                 "lastWireguardHandshake": "2002-02-02T02:02:03Z",
                 "transferReceived": 2000,
-                "transferSent": 1000
+                "transferSent": 1000,
+				"quantumResistance":false
               }
             ]
           },
@@ -286,7 +288,9 @@ func TestParsingToJSON(t *testing.T) {
           "netbirdIp": "192.168.178.100/16",
           "publicKey": "Some-Pub-Key",
           "usesKernelInterface": true,
-          "fqdn": "some-localhost.awesome-domain.com"
+          "fqdn": "some-localhost.awesome-domain.com",
+          "quantumResistance":false,
+          "quantumResistancePermissive":false
         }`
 	// @formatter:on
 
@@ -320,6 +324,7 @@ func TestParsingToYAML(t *testing.T) {
           lastWireguardHandshake: 2001-01-01T01:01:02Z
           transferReceived: 200
           transferSent: 100
+          quantumResistance: false
         - fqdn: peer-2.awesome-domain.com
           netbirdIp: 192.168.178.102
           publicKey: Pubkey2
@@ -336,6 +341,7 @@ func TestParsingToYAML(t *testing.T) {
           lastWireguardHandshake: 2002-02-02T02:02:03Z
           transferReceived: 2000
           transferSent: 1000
+          quantumResistance: false
 cliVersion: development
 daemonVersion: 0.14.1
 management:
@@ -360,6 +366,8 @@ netbirdIp: 192.168.178.100/16
 publicKey: Some-Pub-Key
 usesKernelInterface: true
 fqdn: some-localhost.awesome-domain.com
+quantumResistance: false
+quantumResistancePermissive: false
 `
 
 	assert.Equal(t, expectedYAML, yaml)
@@ -380,8 +388,9 @@ func TestParsingToDetail(t *testing.T) {
   ICE candidate (Local/Remote): -/-
   ICE candidate endpoints (Local/Remote): -/-
   Last connection update: 2001-01-01 01:01:01
-  Last Wireguard handshake: 2001-01-01 01:01:02
+  Last WireGuard handshake: 2001-01-01 01:01:02
   Transfer status (received/sent) 200 B/100 B
+  Quantum resistance: false
 
  peer-2.awesome-domain.com:
   NetBird IP: 192.168.178.102
@@ -393,8 +402,9 @@ func TestParsingToDetail(t *testing.T) {
   ICE candidate (Local/Remote): relay/prflx
   ICE candidate endpoints (Local/Remote): 10.0.0.1:10001/10.0.10.1:10002
   Last connection update: 2002-02-02 02:02:02
-  Last Wireguard handshake: 2002-02-02 02:02:03
+  Last WireGuard handshake: 2002-02-02 02:02:03
   Transfer status (received/sent) 2.0 KiB/1000 B
+  Quantum resistance: false
 
 Daemon version: 0.14.1
 CLI version: development
@@ -406,6 +416,7 @@ Relays:
 FQDN: some-localhost.awesome-domain.com
 NetBird IP: 192.168.178.100/16
 Interface type: Kernel
+Quantum resistance: false
 Peers count: 2/2 Connected
 `
 
@@ -424,6 +435,7 @@ Relays: 1/2 Available
 FQDN: some-localhost.awesome-domain.com
 NetBird IP: 192.168.178.100/16
 Interface type: Kernel
+Quantum resistance: false
 Peers count: 2/2 Connected
 `
 

client/internal/auth/oauth.go

@@ -26,7 +26,7 @@ type HTTPClient interface {
 }
 
 // AuthFlowInfo holds information for the OAuth 2.0  authorization flow
-type AuthFlowInfo struct {
+type AuthFlowInfo struct { //nolint:revive
 	DeviceCode              string `json:"device_code"`
 	UserCode                string `json:"user_code"`
 	VerificationURI         string `json:"verification_uri"`

client/internal/dns/file_linux.go

@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"os"
 	"strings"
+	"time"
 
 	log "github.com/sirupsen/logrus"
 )
@@ -23,10 +24,16 @@ const (
 	fileMaxNumberOfSearchDomains = 6
 )
 
+const (
+	dnsFailoverTimeout  = 4 * time.Second
+	dnsFailoverAttempts = 1
+)
+
 type fileConfigurator struct {
 	repair *repair
 
-	originalPerms os.FileMode
+	originalPerms  os.FileMode
+	nbNameserverIP string
 }
 
 func newFileConfigurator() (hostManager, error) {
@@ -64,7 +71,7 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {
 	}
 
 	nbSearchDomains := searchDomains(config)
-	nbNameserverIP := config.ServerIP
+	f.nbNameserverIP = config.ServerIP
 
 	resolvConf, err := parseBackupResolvConf()
 	if err != nil {
@@ -73,11 +80,11 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {
 
 	f.repair.stopWatchFileChanges()
 
-	err = f.updateConfig(nbSearchDomains, nbNameserverIP, resolvConf)
+	err = f.updateConfig(nbSearchDomains, f.nbNameserverIP, resolvConf)
 	if err != nil {
 		return err
 	}
-	f.repair.watchFileChanges(nbSearchDomains, nbNameserverIP)
+	f.repair.watchFileChanges(nbSearchDomains, f.nbNameserverIP)
 	return nil
 }
 
@@ -85,10 +92,11 @@ func (f *fileConfigurator) updateConfig(nbSearchDomains []string, nbNameserverIP
 	searchDomainList := mergeSearchDomains(nbSearchDomains, cfg.searchDomains)
 	nameServers := generateNsList(nbNameserverIP, cfg)
 
+	options := prepareOptionsWithTimeout(cfg.others, int(dnsFailoverTimeout.Seconds()), dnsFailoverAttempts)
 	buf := prepareResolvConfContent(
 		searchDomainList,
 		nameServers,
-		cfg.others)
+		options)
 
 	log.Debugf("creating managed file %s", defaultResolvConfPath)
 	err := os.WriteFile(defaultResolvConfPath, buf.Bytes(), f.originalPerms)
@@ -131,7 +139,12 @@ func (f *fileConfigurator) backup() error {
 }
 
 func (f *fileConfigurator) restore() error {
-	err := copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
+	err := removeFirstNbNameserver(fileDefaultResolvConfBackupLocation, f.nbNameserverIP)
+	if err != nil {
+		log.Errorf("Failed to remove netbird nameserver from %s on backup restore: %s", fileDefaultResolvConfBackupLocation, err)
+	}
+
+	err = copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
 	if err != nil {
 		return fmt.Errorf("restoring %s from %s: %w", defaultResolvConfPath, fileDefaultResolvConfBackupLocation, err)
 	}
@@ -157,7 +170,7 @@ func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Add
 	currentDNSAddress, err := netip.ParseAddr(resolvConf.nameServers[0])
 	// not a valid first nameserver -> restore
 	if err != nil {
-		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[1], err)
+		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[0], err)
 		return restoreResolvConfFile()
 	}
 

client/internal/dns/file_parser_linux.go

@@ -5,6 +5,7 @@ package dns
 import (
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 
 	log "github.com/sirupsen/logrus"
@@ -14,6 +15,9 @@ const (
 	defaultResolvConfPath = "/etc/resolv.conf"
 )
 
+var timeoutRegex = regexp.MustCompile(`timeout:\d+`)
+var attemptsRegex = regexp.MustCompile(`attempts:\d+`)
+
 type resolvConf struct {
 	nameServers   []string
 	searchDomains []string
@@ -103,3 +107,62 @@ func parseResolvConfFile(resolvConfFile string) (*resolvConf, error) {
 	}
 	return rconf, nil
 }
+
+// prepareOptionsWithTimeout appends timeout to existing options if it doesn't exist,
+// otherwise it adds a new option with timeout and attempts.
+func prepareOptionsWithTimeout(input []string, timeout int, attempts int) []string {
+	configs := make([]string, len(input))
+	copy(configs, input)
+
+	for i, config := range configs {
+		if strings.HasPrefix(config, "options") {
+			config = strings.ReplaceAll(config, "rotate", "")
+			config = strings.Join(strings.Fields(config), " ")
+
+			if strings.Contains(config, "timeout:") {
+				config = timeoutRegex.ReplaceAllString(config, fmt.Sprintf("timeout:%d", timeout))
+			} else {
+				config = strings.Replace(config, "options ", fmt.Sprintf("options timeout:%d ", timeout), 1)
+			}
+
+			if strings.Contains(config, "attempts:") {
+				config = attemptsRegex.ReplaceAllString(config, fmt.Sprintf("attempts:%d", attempts))
+			} else {
+				config = strings.Replace(config, "options ", fmt.Sprintf("options attempts:%d ", attempts), 1)
+			}
+
+			configs[i] = config
+			return configs
+		}
+	}
+
+	return append(configs, fmt.Sprintf("options timeout:%d attempts:%d", timeout, attempts))
+}
+
+// removeFirstNbNameserver removes the given nameserver from the given file if it is in the first position
+// and writes the file back to the original location
+func removeFirstNbNameserver(filename, nameserverIP string) error {
+	resolvConf, err := parseResolvConfFile(filename)
+	if err != nil {
+		return fmt.Errorf("parse backup resolv.conf: %w", err)
+	}
+	content, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", filename, err)
+	}
+
+	if len(resolvConf.nameServers) > 1 && resolvConf.nameServers[0] == nameserverIP {
+		newContent := strings.Replace(string(content), fmt.Sprintf("nameserver %s\n", nameserverIP), "", 1)
+
+		stat, err := os.Stat(filename)
+		if err != nil {
+			return fmt.Errorf("stat %s: %w", filename, err)
+		}
+		if err := os.WriteFile(filename, []byte(newContent), stat.Mode()); err != nil {
+			return fmt.Errorf("write %s: %w", filename, err)
+		}
+
+	}
+
+	return nil
+}

client/internal/dns/file_parser_linux_test.go

@@ -6,6 +6,8 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func Test_parseResolvConf(t *testing.T) {
@@ -172,3 +174,131 @@ nameserver 192.168.0.1
 		t.Errorf("unexpected resolv.conf content: %v", cfg)
 	}
 }
+
+func TestPrepareOptionsWithTimeout(t *testing.T) {
+	tests := []struct {
+		name     string
+		others   []string
+		timeout  int
+		attempts int
+		expected []string
+	}{
+		{
+			name:     "Append new options with timeout and attempts",
+			others:   []string{"some config"},
+			timeout:  2,
+			attempts: 2,
+			expected: []string{"some config", "options timeout:2 attempts:2"},
+		},
+		{
+			name:     "Modify existing options to exclude rotate and include timeout and attempts",
+			others:   []string{"some config", "options rotate someother"},
+			timeout:  3,
+			attempts: 2,
+			expected: []string{"some config", "options attempts:2 timeout:3 someother"},
+		},
+		{
+			name:     "Existing options with timeout and attempts are updated",
+			others:   []string{"some config", "options timeout:4 attempts:3"},
+			timeout:  5,
+			attempts: 4,
+			expected: []string{"some config", "options timeout:5 attempts:4"},
+		},
+		{
+			name:     "Modify existing options, add missing attempts before timeout",
+			others:   []string{"some config", "options timeout:4"},
+			timeout:  4,
+			attempts: 3,
+			expected: []string{"some config", "options attempts:3 timeout:4"},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := prepareOptionsWithTimeout(tc.others, tc.timeout, tc.attempts)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+func TestRemoveFirstNbNameserver(t *testing.T) {
+	testCases := []struct {
+		name       string
+		content    string
+		ipToRemove string
+		expected   string
+	}{
+		{
+			name: "Unrelated nameservers with comments and options",
+			content: `# This is a comment
+options rotate
+nameserver 1.1.1.1
+# Another comment
+nameserver 8.8.4.4
+search example.com`,
+			ipToRemove: "9.9.9.9",
+			expected: `# This is a comment
+options rotate
+nameserver 1.1.1.1
+# Another comment
+nameserver 8.8.4.4
+search example.com`,
+		},
+		{
+			name: "First nameserver matches",
+			content: `search example.com
+nameserver 9.9.9.9
+# oof, a comment
+nameserver 8.8.4.4
+options attempts:5`,
+			ipToRemove: "9.9.9.9",
+			expected: `search example.com
+# oof, a comment
+nameserver 8.8.4.4
+options attempts:5`,
+		},
+		{
+			name: "Target IP not the first nameserver",
+			// nolint:dupword
+			content: `# Comment about the first nameserver
+nameserver 8.8.4.4
+# Comment before our target
+nameserver 9.9.9.9
+options timeout:2`,
+			ipToRemove: "9.9.9.9",
+			// nolint:dupword
+			expected: `# Comment about the first nameserver
+nameserver 8.8.4.4
+# Comment before our target
+nameserver 9.9.9.9
+options timeout:2`,
+		},
+		{
+			name: "Only nameserver matches",
+			content: `options debug
+nameserver 9.9.9.9
+search localdomain`,
+			ipToRemove: "9.9.9.9",
+			expected: `options debug
+nameserver 9.9.9.9
+search localdomain`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			tempFile := filepath.Join(tempDir, "resolv.conf")
+			err := os.WriteFile(tempFile, []byte(tc.content), 0644)
+			assert.NoError(t, err)
+
+			err = removeFirstNbNameserver(tempFile, tc.ipToRemove)
+			assert.NoError(t, err)
+
+			content, err := os.ReadFile(tempFile)
+			assert.NoError(t, err)
+
+			assert.Equal(t, tc.expected, string(content), "The resulting content should match the expected output.")
+		})
+	}
+}

client/internal/dns/host_linux.go

@@ -65,7 +65,7 @@ func newHostManager(wgInterface string) (hostManager, error) {
 		return nil, err
 	}
 
-	log.Debugf("discovered mode is: %s", osManager)
+	log.Infof("System DNS manager discovered: %s", osManager)
 	return newHostManagerFromType(wgInterface, osManager)
 }
 

client/internal/dns/resolvconf_linux.go

@@ -53,10 +53,12 @@ func (r *resolvconf) applyDNSConfig(config HostDNSConfig) error {
 	searchDomainList := searchDomains(config)
 	searchDomainList = mergeSearchDomains(searchDomainList, r.originalSearchDomains)
 
+	options := prepareOptionsWithTimeout(r.othersConfigs, int(dnsFailoverTimeout.Seconds()), dnsFailoverAttempts)
+
 	buf := prepareResolvConfContent(
 		searchDomainList,
 		append([]string{config.ServerIP}, r.originalNameServers...),
-		r.othersConfigs)
+		options)
 
 	// create a backup for unclean shutdown detection before the resolv.conf is changed
 	if err := createUncleanShutdownIndicator(defaultResolvConfPath, resolvConfManager, config.ServerIP); err != nil {

client/internal/engine.go

@@ -1286,7 +1286,7 @@ func (e *Engine) receiveProbeEvents() {
 					log.Debugf("failed to get wg stats for peer %s: %s", key, err)
 				}
 				// wgStats could be zero value, in which case we just reset the stats
-				if err := e.statusRecorder.UpdateWireguardPeerState(key, wgStats); err != nil {
+				if err := e.statusRecorder.UpdateWireGuardPeerState(key, wgStats); err != nil {
 					log.Debugf("failed to update wg stats for peer %s: %s", key, err)
 				}
 			}

client/internal/peer/conn.go

@@ -407,6 +407,10 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	}
 
 	conn.status = StatusConnected
+	rosenpassEnabled := false
+	if remoteRosenpassPubKey != nil {
+		rosenpassEnabled = true
+	}
 
 	peerState := State{
 		PubKey:                     conn.config.Key,
@@ -417,6 +421,7 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
 		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
 		Direct:                     !isRelayCandidate(pair.Local),
+		RosenpassEnabled:           rosenpassEnabled,
 	}
 	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		peerState.Relayed = true
@@ -505,7 +510,7 @@ func (conn *Conn) cleanup() error {
 		// todo rethink status updates
 		log.Debugf("error while updating peer's %s state, err: %v", conn.config.Key, err)
 	}
-	if err := conn.statusRecorder.UpdateWireguardPeerState(conn.config.Key, iface.WGStats{}); err != nil {
+	if err := conn.statusRecorder.UpdateWireGuardPeerState(conn.config.Key, iface.WGStats{}); err != nil {
 		log.Debugf("failed to reset wireguard stats for peer %s: %s", conn.config.Key, err)
 	}
 

client/internal/peer/status.go

@@ -25,6 +25,7 @@ type State struct {
 	LastWireguardHandshake     time.Time
 	BytesTx                    int64
 	BytesRx                    int64
+	RosenpassEnabled           bool
 }
 
 // LocalPeerState contains the latest state of the local peer
@@ -49,30 +50,39 @@ type ManagementState struct {
 	Error     error
 }
 
+// RosenpassState contains the latest state of the Rosenpass configuration
+type RosenpassState struct {
+	Enabled    bool
+	Permissive bool
+}
+
 // FullStatus contains the full state held by the Status instance
 type FullStatus struct {
 	Peers           []State
 	ManagementState ManagementState
 	SignalState     SignalState
 	LocalPeerState  LocalPeerState
+	RosenpassState  RosenpassState
 	Relays          []relay.ProbeResult
 }
 
 // Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux             sync.Mutex
-	peers           map[string]State
-	changeNotify    map[string]chan struct{}
-	signalState     bool
-	signalError     error
-	managementState bool
-	managementError error
-	relayStates     []relay.ProbeResult
-	localPeer       LocalPeerState
-	offlinePeers    []State
-	mgmAddress      string
-	signalAddress   string
-	notifier        *notifier
+	mux                 sync.Mutex
+	peers               map[string]State
+	changeNotify        map[string]chan struct{}
+	signalState         bool
+	signalError         error
+	managementState     bool
+	managementError     error
+	relayStates         []relay.ProbeResult
+	localPeer           LocalPeerState
+	offlinePeers        []State
+	mgmAddress          string
+	signalAddress       string
+	notifier            *notifier
+	rosenpassEnabled    bool
+	rosenpassPermissive bool
 
 	// To reduce the number of notification invocation this bool will be true when need to call the notification
 	// Some Peer actions mostly used by in a batch when the network map has been synchronized. In these type of events
@@ -172,6 +182,7 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
 		peerState.LocalIceCandidateEndpoint = receivedState.LocalIceCandidateEndpoint
 		peerState.RemoteIceCandidateEndpoint = receivedState.RemoteIceCandidateEndpoint
+		peerState.RosenpassEnabled = receivedState.RosenpassEnabled
 	}
 
 	d.peers[receivedState.PubKey] = peerState
@@ -190,8 +201,8 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	return nil
 }
 
-// UpdateWireguardPeerState updates the wireguard bits of the peer state
-func (d *Status) UpdateWireguardPeerState(pubKey string, wgStats iface.WGStats) error {
+// UpdateWireGuardPeerState updates the WireGuard bits of the peer state
+func (d *Status) UpdateWireGuardPeerState(pubKey string, wgStats iface.WGStats) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()
 
@@ -316,6 +327,14 @@ func (d *Status) UpdateManagementAddress(mgmAddress string) {
 	d.mgmAddress = mgmAddress
 }
 
+// UpdateRosenpass update the Rosenpass configuration
+func (d *Status) UpdateRosenpass(rosenpassEnabled, rosenpassPermissive bool) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.rosenpassPermissive = rosenpassPermissive
+	d.rosenpassEnabled = rosenpassEnabled
+}
+
 // MarkSignalDisconnected sets SignalState to disconnected
 func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Lock()
@@ -342,6 +361,13 @@ func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
 	d.relayStates = relayResults
 }
 
+func (d *Status) GetRosenpassState() RosenpassState {
+	return RosenpassState{
+		d.rosenpassEnabled,
+		d.rosenpassPermissive,
+	}
+}
+
 func (d *Status) GetManagementState() ManagementState {
 	return ManagementState{
 		d.mgmAddress,
@@ -372,6 +398,7 @@ func (d *Status) GetFullStatus() FullStatus {
 		SignalState:     d.GetSignalState(),
 		LocalPeerState:  d.localPeer,
 		Relays:          d.GetRelayStates(),
+		RosenpassState:  d.GetRosenpassState(),
 	}
 
 	for _, status := range d.peers {

client/ios/NetBirdSDK/client.go

@@ -82,6 +82,7 @@ func (c *Client) Run(fd int32, interfaceName string) error {
 		return err
 	}
 	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+	c.recorder.UpdateRosenpass(cfg.RosenpassEnabled, cfg.RosenpassPermissive)
 
 	var ctx context.Context
 	//nolint

client/proto/daemon.pb.go

@@ -1,16 +1,16 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v4.24.3
+// 	protoc        v3.12.4
 // source: daemon.proto
 
 package proto
 
 import (
+	_ "github.com/golang/protobuf/protoc-gen-go/descriptor"
+	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
-	_ "google.golang.org/protobuf/types/descriptorpb"
-	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -757,20 +757,21 @@ type PeerState struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	IP                         string                 `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
-	PubKey                     string                 `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
-	ConnStatus                 string                 `protobuf:"bytes,3,opt,name=connStatus,proto3" json:"connStatus,omitempty"`
-	ConnStatusUpdate           *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=connStatusUpdate,proto3" json:"connStatusUpdate,omitempty"`
-	Relayed                    bool                   `protobuf:"varint,5,opt,name=relayed,proto3" json:"relayed,omitempty"`
-	Direct                     bool                   `protobuf:"varint,6,opt,name=direct,proto3" json:"direct,omitempty"`
-	LocalIceCandidateType      string                 `protobuf:"bytes,7,opt,name=localIceCandidateType,proto3" json:"localIceCandidateType,omitempty"`
-	RemoteIceCandidateType     string                 `protobuf:"bytes,8,opt,name=remoteIceCandidateType,proto3" json:"remoteIceCandidateType,omitempty"`
-	Fqdn                       string                 `protobuf:"bytes,9,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
-	LocalIceCandidateEndpoint  string                 `protobuf:"bytes,10,opt,name=localIceCandidateEndpoint,proto3" json:"localIceCandidateEndpoint,omitempty"`
-	RemoteIceCandidateEndpoint string                 `protobuf:"bytes,11,opt,name=remoteIceCandidateEndpoint,proto3" json:"remoteIceCandidateEndpoint,omitempty"`
-	LastWireguardHandshake     *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=lastWireguardHandshake,proto3" json:"lastWireguardHandshake,omitempty"`
-	BytesRx                    int64                  `protobuf:"varint,13,opt,name=bytesRx,proto3" json:"bytesRx,omitempty"`
-	BytesTx                    int64                  `protobuf:"varint,14,opt,name=bytesTx,proto3" json:"bytesTx,omitempty"`
+	IP                         string               `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
+	PubKey                     string               `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
+	ConnStatus                 string               `protobuf:"bytes,3,opt,name=connStatus,proto3" json:"connStatus,omitempty"`
+	ConnStatusUpdate           *timestamp.Timestamp `protobuf:"bytes,4,opt,name=connStatusUpdate,proto3" json:"connStatusUpdate,omitempty"`
+	Relayed                    bool                 `protobuf:"varint,5,opt,name=relayed,proto3" json:"relayed,omitempty"`
+	Direct                     bool                 `protobuf:"varint,6,opt,name=direct,proto3" json:"direct,omitempty"`
+	LocalIceCandidateType      string               `protobuf:"bytes,7,opt,name=localIceCandidateType,proto3" json:"localIceCandidateType,omitempty"`
+	RemoteIceCandidateType     string               `protobuf:"bytes,8,opt,name=remoteIceCandidateType,proto3" json:"remoteIceCandidateType,omitempty"`
+	Fqdn                       string               `protobuf:"bytes,9,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	LocalIceCandidateEndpoint  string               `protobuf:"bytes,10,opt,name=localIceCandidateEndpoint,proto3" json:"localIceCandidateEndpoint,omitempty"`
+	RemoteIceCandidateEndpoint string               `protobuf:"bytes,11,opt,name=remoteIceCandidateEndpoint,proto3" json:"remoteIceCandidateEndpoint,omitempty"`
+	LastWireguardHandshake     *timestamp.Timestamp `protobuf:"bytes,12,opt,name=lastWireguardHandshake,proto3" json:"lastWireguardHandshake,omitempty"`
+	BytesRx                    int64                `protobuf:"varint,13,opt,name=bytesRx,proto3" json:"bytesRx,omitempty"`
+	BytesTx                    int64                `protobuf:"varint,14,opt,name=bytesTx,proto3" json:"bytesTx,omitempty"`
+	RosenpassEnabled           bool                 `protobuf:"varint,15,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
 }
 
 func (x *PeerState) Reset() {
@@ -826,7 +827,7 @@ func (x *PeerState) GetConnStatus() string {
 	return ""
 }
 
-func (x *PeerState) GetConnStatusUpdate() *timestamppb.Timestamp {
+func (x *PeerState) GetConnStatusUpdate() *timestamp.Timestamp {
 	if x != nil {
 		return x.ConnStatusUpdate
 	}
@@ -882,7 +883,7 @@ func (x *PeerState) GetRemoteIceCandidateEndpoint() string {
 	return ""
 }
 
-func (x *PeerState) GetLastWireguardHandshake() *timestamppb.Timestamp {
+func (x *PeerState) GetLastWireguardHandshake() *timestamp.Timestamp {
 	if x != nil {
 		return x.LastWireguardHandshake
 	}
@@ -903,16 +904,25 @@ func (x *PeerState) GetBytesTx() int64 {
 	return 0
 }
 
+func (x *PeerState) GetRosenpassEnabled() bool {
+	if x != nil {
+		return x.RosenpassEnabled
+	}
+	return false
+}
+
 // LocalPeerState contains the latest state of the local peer
 type LocalPeerState struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
 
-	IP              string `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
-	PubKey          string `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
-	KernelInterface bool   `protobuf:"varint,3,opt,name=kernelInterface,proto3" json:"kernelInterface,omitempty"`
-	Fqdn            string `protobuf:"bytes,4,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	IP                  string `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
+	PubKey              string `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
+	KernelInterface     bool   `protobuf:"varint,3,opt,name=kernelInterface,proto3" json:"kernelInterface,omitempty"`
+	Fqdn                string `protobuf:"bytes,4,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	RosenpassEnabled    bool   `protobuf:"varint,5,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
+	RosenpassPermissive bool   `protobuf:"varint,6,opt,name=rosenpassPermissive,proto3" json:"rosenpassPermissive,omitempty"`
 }
 
 func (x *LocalPeerState) Reset() {
@@ -975,6 +985,20 @@ func (x *LocalPeerState) GetFqdn() string {
 	return ""
 }
 
+func (x *LocalPeerState) GetRosenpassEnabled() bool {
+	if x != nil {
+		return x.RosenpassEnabled
+	}
+	return false
+}
+
+func (x *LocalPeerState) GetRosenpassPermissive() bool {
+	if x != nil {
+		return x.RosenpassPermissive
+	}
+	return false
+}
+
 // SignalState contains the latest state of a signal connection
 type SignalState struct {
 	state         protoimpl.MessageState
@@ -1356,7 +1380,7 @@ var file_daemon_proto_rawDesc = []byte{
 	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65,
 	0x64, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c,
 	0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c,
-	0x22, 0xd5, 0x04, 0x0a, 0x09, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e,
+	0x22, 0x81, 0x05, 0x0a, 0x09, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e,
 	0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16,
 	0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
 	0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74,
@@ -1393,73 +1417,82 @@ var file_daemon_proto_rawDesc = []byte{
 	0x68, 0x61, 0x6b, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x52, 0x78, 0x18,
 	0x0d, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x52, 0x78, 0x12, 0x18,
 	0x0a, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x03, 0x52,
-	0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x22, 0x76, 0x0a, 0x0e, 0x4c, 0x6f, 0x63, 0x61,
-	0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50,
-	0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x75,
-	0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x75, 0x62, 0x4b,
-	0x65, 0x79, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x49, 0x6e, 0x74, 0x65,
-	0x72, 0x66, 0x61, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6b, 0x65, 0x72,
-	0x6e, 0x65, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04,
-	0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e,
-	0x22, 0x53, 0x0a, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12,
-	0x10, 0x0a, 0x03, 0x55, 0x52, 0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52,
-	0x4c, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x02,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12,
-	0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05,
-	0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x57, 0x0a, 0x0f, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x4c, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6f,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63,
-	0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f,
-	0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x52,
-	0x0a, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03,
-	0x55, 0x52, 0x49, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x49, 0x12, 0x1c,
-	0x0a, 0x09, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x08, 0x52, 0x09, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x14, 0x0a, 0x05,
-	0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72,
-	0x6f, 0x72, 0x22, 0x9b, 0x02, 0x0a, 0x0a, 0x46, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53,
-	0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x64, 0x61, 0x65,
-	0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74,
-	0x61, 0x74, 0x65, 0x52, 0x0f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53,
-	0x74, 0x61, 0x74, 0x65, 0x12, 0x35, 0x0a, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74,
-	0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d,
-	0x6f, 0x6e, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0b,
-	0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x3e, 0x0a, 0x0e, 0x6c,
-	0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20,
-	0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x63,
-	0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0e, 0x6c, 0x6f, 0x63,
-	0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x27, 0x0a, 0x05, 0x70,
-	0x65, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x64, 0x61, 0x65,
-	0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x70,
-	0x65, 0x65, 0x72, 0x73, 0x12, 0x2a, 0x0a, 0x06, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x73, 0x18, 0x05,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65,
-	0x6c, 0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x06, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x73,
-	0x32, 0xf7, 0x02, 0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69,
-	0x63, 0x65, 0x12, 0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61,
-	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x1a, 0x15, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0c, 0x57, 0x61,
-	0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1b, 0x2e, 0x64, 0x61, 0x65,
-	0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
-	0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2d, 0x0a, 0x02, 0x55, 0x70, 0x12, 0x11, 0x2e,
-	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x12, 0x15, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
-	0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x00, 0x12, 0x33, 0x0a, 0x04, 0x44, 0x6f, 0x77, 0x6e, 0x12, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d,
-	0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14,
-	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x12, 0x18, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e,
-	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x12, 0x2a, 0x0a, 0x10, 0x72, 0x6f, 0x73, 0x65,
+	0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x0f, 0x20, 0x01,
+	0x28, 0x08, 0x52, 0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61,
+	0x62, 0x6c, 0x65, 0x64, 0x22, 0xd4, 0x01, 0x0a, 0x0e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65,
+	0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65,
+	0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12,
+	0x28, 0x0a, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61,
+	0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c,
+	0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64,
+	0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x12, 0x2a, 0x0a,
+	0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65,
+	0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61,
+	0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x30, 0x0a, 0x13, 0x72, 0x6f, 0x73,
+	0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65,
+	0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73,
+	0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65, 0x22, 0x53, 0x0a, 0x0b, 0x53,
+	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52,
+	0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09,
+	0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52,
+	0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72,
+	0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
+	0x22, 0x57, 0x0a, 0x0f, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74,
+	0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
+	0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
+	0x74, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x52, 0x0a, 0x0a, 0x52, 0x65, 0x6c,
+	0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x49, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x76, 0x61,
+	0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x61, 0x76,
+	0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x9b, 0x02,
+	0x0a, 0x0a, 0x46, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x41, 0x0a, 0x0f,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18,
+	0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0f,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12,
+	0x35, 0x0a, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x69,
+	0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61,
+	0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x3e, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50,
+	0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16,
+	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65,
+	0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65,
+	0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x27, 0x0a, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x18,
+	0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x50,
+	0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x12,
+	0x2a, 0x0a, 0x06, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x74,
+	0x61, 0x74, 0x65, 0x52, 0x06, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x73, 0x32, 0xf7, 0x02, 0x0a, 0x0d,
+	0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x36, 0x0a,
+	0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e,
+	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x64,
+	0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0c, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f,
+	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1b, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57,
+	0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61, 0x69, 0x74,
+	0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x00, 0x12, 0x2d, 0x0a, 0x02, 0x55, 0x70, 0x12, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
+	0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x64, 0x61,
+	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x00, 0x12, 0x39, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x15, 0x2e, 0x64, 0x61,
+	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74,
+	0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x04,
+	0x44, 0x6f, 0x77, 0x6e, 0x12, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f,
+	0x77, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d,
+	0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x00, 0x12, 0x42, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x18,
+	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
+	0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
+	0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -1476,25 +1509,25 @@ func file_daemon_proto_rawDescGZIP() []byte {
 
 var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 18)
 var file_daemon_proto_goTypes = []interface{}{
-	(*LoginRequest)(nil),          // 0: daemon.LoginRequest
-	(*LoginResponse)(nil),         // 1: daemon.LoginResponse
-	(*WaitSSOLoginRequest)(nil),   // 2: daemon.WaitSSOLoginRequest
-	(*WaitSSOLoginResponse)(nil),  // 3: daemon.WaitSSOLoginResponse
-	(*UpRequest)(nil),             // 4: daemon.UpRequest
-	(*UpResponse)(nil),            // 5: daemon.UpResponse
-	(*StatusRequest)(nil),         // 6: daemon.StatusRequest
-	(*StatusResponse)(nil),        // 7: daemon.StatusResponse
-	(*DownRequest)(nil),           // 8: daemon.DownRequest
-	(*DownResponse)(nil),          // 9: daemon.DownResponse
-	(*GetConfigRequest)(nil),      // 10: daemon.GetConfigRequest
-	(*GetConfigResponse)(nil),     // 11: daemon.GetConfigResponse
-	(*PeerState)(nil),             // 12: daemon.PeerState
-	(*LocalPeerState)(nil),        // 13: daemon.LocalPeerState
-	(*SignalState)(nil),           // 14: daemon.SignalState
-	(*ManagementState)(nil),       // 15: daemon.ManagementState
-	(*RelayState)(nil),            // 16: daemon.RelayState
-	(*FullStatus)(nil),            // 17: daemon.FullStatus
-	(*timestamppb.Timestamp)(nil), // 18: google.protobuf.Timestamp
+	(*LoginRequest)(nil),         // 0: daemon.LoginRequest
+	(*LoginResponse)(nil),        // 1: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),  // 2: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil), // 3: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),            // 4: daemon.UpRequest
+	(*UpResponse)(nil),           // 5: daemon.UpResponse
+	(*StatusRequest)(nil),        // 6: daemon.StatusRequest
+	(*StatusResponse)(nil),       // 7: daemon.StatusResponse
+	(*DownRequest)(nil),          // 8: daemon.DownRequest
+	(*DownResponse)(nil),         // 9: daemon.DownResponse
+	(*GetConfigRequest)(nil),     // 10: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),    // 11: daemon.GetConfigResponse
+	(*PeerState)(nil),            // 12: daemon.PeerState
+	(*LocalPeerState)(nil),       // 13: daemon.LocalPeerState
+	(*SignalState)(nil),          // 14: daemon.SignalState
+	(*ManagementState)(nil),      // 15: daemon.ManagementState
+	(*RelayState)(nil),           // 16: daemon.RelayState
+	(*FullStatus)(nil),           // 17: daemon.FullStatus
+	(*timestamp.Timestamp)(nil),  // 18: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
 	17, // 0: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus

client/proto/daemon.proto

@@ -34,7 +34,7 @@ message LoginRequest {
 
   // This is the old PreSharedKey field which will be deprecated in favor of optionalPreSharedKey field that is defined as optional
   // to allow clearing of preshared key while being able to persist in the config file.
-  string preSharedKey = 2 [deprecated=true];
+  string preSharedKey = 2 [deprecated = true];
 
   // managementUrl to authenticate.
   string managementUrl = 3;
@@ -140,6 +140,7 @@ message PeerState {
   google.protobuf.Timestamp lastWireguardHandshake = 12;
   int64 bytesRx = 13;
   int64 bytesTx = 14;
+  bool rosenpassEnabled = 15;
 }
 
 // LocalPeerState contains the latest state of the local peer
@@ -148,6 +149,8 @@ message LocalPeerState {
   string pubKey = 2;
   bool  kernelInterface = 3;
   string fqdn = 4;
+  bool rosenpassEnabled = 5;
+  bool rosenpassPermissive = 6;
 }
 
 // SignalState contains the latest state of a signal connection

client/server/server.go

@@ -112,9 +112,9 @@ func (s *Server) Start() error {
 
 	if s.statusRecorder == nil {
 		s.statusRecorder = peer.NewRecorder(config.ManagementURL.String())
-	} else {
-		s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
 	}
+	s.statusRecorder.UpdateManagementAddress(config.ManagementURL.String())
+	s.statusRecorder.UpdateRosenpass(config.RosenpassEnabled, config.RosenpassPermissive)
 
 	if !config.DisableAutoConnect {
 		go func() {
@@ -433,9 +433,9 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 
 	if s.statusRecorder == nil {
 		s.statusRecorder = peer.NewRecorder(s.config.ManagementURL.String())
-	} else {
-		s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	}
+	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
+	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
 	go func() {
 		if err := internal.RunClientWithProbes(ctx, s.config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe); err != nil {
@@ -479,9 +479,9 @@ func (s *Server) Status(
 
 	if s.statusRecorder == nil {
 		s.statusRecorder = peer.NewRecorder(s.config.ManagementURL.String())
-	} else {
-		s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	}
+	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
+	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
 	if msg.GetFullPeerStatus {
 		s.runProbes()
@@ -567,6 +567,8 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 	pbFullStatus.LocalPeerState.PubKey = fullStatus.LocalPeerState.PubKey
 	pbFullStatus.LocalPeerState.KernelInterface = fullStatus.LocalPeerState.KernelInterface
 	pbFullStatus.LocalPeerState.Fqdn = fullStatus.LocalPeerState.FQDN
+	pbFullStatus.LocalPeerState.RosenpassPermissive = fullStatus.RosenpassState.Permissive
+	pbFullStatus.LocalPeerState.RosenpassEnabled = fullStatus.RosenpassState.Enabled
 
 	for _, peerState := range fullStatus.Peers {
 		pbPeerState := &proto.PeerState{
@@ -584,6 +586,7 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 			LastWireguardHandshake:     timestamppb.New(peerState.LastWireguardHandshake),
 			BytesRx:                    peerState.BytesRx,
 			BytesTx:                    peerState.BytesTx,
+			RosenpassEnabled:           peerState.RosenpassEnabled,
 		}
 		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
 	}

client/ui/client_ui.go

@@ -61,7 +61,7 @@ func main() {
 
 	flag.Parse()
 
-	a := app.New()
+	a := app.NewWithID("NetBird")
 	a.SetIcon(fyne.NewStaticResource("netbird", iconDisconnectedPNG))
 
 	client := newServiceClient(daemonAddr, a, showSettings)
@@ -82,17 +82,23 @@ var iconConnectedICO []byte
 //go:embed netbird-systemtray-connected.png
 var iconConnectedPNG []byte
 
-//go:embed netbird-systemtray-default.ico
+//go:embed netbird-systemtray-disconnected.ico
 var iconDisconnectedICO []byte
 
-//go:embed netbird-systemtray-default.png
+//go:embed netbird-systemtray-disconnected.png
 var iconDisconnectedPNG []byte
 
-//go:embed netbird-systemtray-update.ico
-var iconUpdateICO []byte
+//go:embed netbird-systemtray-update-disconnected.ico
+var iconUpdateDisconnectedICO []byte
 
-//go:embed netbird-systemtray-update.png
-var iconUpdatePNG []byte
+//go:embed netbird-systemtray-update-disconnected.png
+var iconUpdateDisconnectedPNG []byte
+
+//go:embed netbird-systemtray-update-connected.ico
+var iconUpdateConnectedICO []byte
+
+//go:embed netbird-systemtray-update-connected.png
+var iconUpdateConnectedPNG []byte
 
 //go:embed netbird-systemtray-update-cloud.ico
 var iconUpdateCloudICO []byte
@@ -105,10 +111,11 @@ type serviceClient struct {
 	addr string
 	conn proto.DaemonServiceClient
 
-	icConnected    []byte
-	icDisconnected []byte
-	icUpdate       []byte
-	icUpdateCloud  []byte
+	icConnected          []byte
+	icDisconnected       []byte
+	icUpdateConnected    []byte
+	icUpdateDisconnected []byte
+	icUpdateCloud        []byte
 
 	// systray menu items
 	mStatus        *systray.MenuItem
@@ -123,9 +130,10 @@ type serviceClient struct {
 	mQuit          *systray.MenuItem
 
 	// application with main windows.
-	app          fyne.App
-	wSettings    fyne.Window
-	showSettings bool
+	app              fyne.App
+	wSettings        fyne.Window
+	showSettings     bool
+	sendNotification bool
 
 	// input elements for settings form
 	iMngURL       *widget.Entry
@@ -139,6 +147,7 @@ type serviceClient struct {
 	preSharedKey  string
 	adminURL      string
 
+	connected            bool
 	update               *version.Update
 	daemonVersion        string
 	updateIndicationLock sync.Mutex
@@ -150,9 +159,10 @@ type serviceClient struct {
 // This constructor also builds the UI elements for the settings window.
 func newServiceClient(addr string, a fyne.App, showSettings bool) *serviceClient {
 	s := &serviceClient{
-		ctx:  context.Background(),
-		addr: addr,
-		app:  a,
+		ctx:              context.Background(),
+		addr:             addr,
+		app:              a,
+		sendNotification: false,
 
 		showSettings: showSettings,
 		update:       version.NewUpdate(),
@@ -161,13 +171,15 @@ func newServiceClient(addr string, a fyne.App, showSettings bool) *serviceClient
 	if runtime.GOOS == "windows" {
 		s.icConnected = iconConnectedICO
 		s.icDisconnected = iconDisconnectedICO
-		s.icUpdate = iconUpdateICO
+		s.icUpdateConnected = iconUpdateConnectedICO
+		s.icUpdateDisconnected = iconUpdateDisconnectedICO
 		s.icUpdateCloud = iconUpdateCloudICO
 
 	} else {
 		s.icConnected = iconConnectedPNG
 		s.icDisconnected = iconDisconnectedPNG
-		s.icUpdate = iconUpdatePNG
+		s.icUpdateConnected = iconUpdateConnectedPNG
+		s.icUpdateDisconnected = iconUpdateDisconnectedPNG
 		s.icUpdateCloud = iconUpdateCloudPNG
 	}
 
@@ -367,9 +379,18 @@ func (s *serviceClient) updateStatus() error {
 		s.updateIndicationLock.Lock()
 		defer s.updateIndicationLock.Unlock()
 
+		// notify the user when the session has expired
+		if status.Status == string(internal.StatusNeedsLogin) {
+			s.onSessionExpire()
+		}
+
 		var systrayIconState bool
 		if status.Status == string(internal.StatusConnected) && !s.mUp.Disabled() {
-			if !s.isUpdateIconActive {
+			s.connected = true
+			s.sendNotification = true
+			if s.isUpdateIconActive {
+				systray.SetIcon(s.icUpdateConnected)
+			} else {
 				systray.SetIcon(s.icConnected)
 			}
 			systray.SetTooltip("NetBird (Connected)")
@@ -378,7 +399,10 @@ func (s *serviceClient) updateStatus() error {
 			s.mDown.Enable()
 			systrayIconState = true
 		} else if status.Status != string(internal.StatusConnected) && s.mUp.Disabled() {
-			if !s.isUpdateIconActive {
+			s.connected = false
+			if s.isUpdateIconActive {
+				systray.SetIcon(s.icUpdateDisconnected)
+			} else {
 				systray.SetIcon(s.icDisconnected)
 			}
 			systray.SetTooltip("NetBird (Disconnected)")
@@ -605,10 +629,30 @@ func (s *serviceClient) onUpdateAvailable() {
 	defer s.updateIndicationLock.Unlock()
 
 	s.mUpdate.Show()
-	s.mAbout.SetIcon(s.icUpdateCloud)
-
 	s.isUpdateIconActive = true
-	systray.SetIcon(s.icUpdate)
+
+	if s.connected {
+		systray.SetIcon(s.icUpdateConnected)
+	} else {
+		systray.SetIcon(s.icUpdateDisconnected)
+	}
+}
+
+// onSessionExpire sends a notification to the user when the session expires.
+func (s *serviceClient) onSessionExpire() {
+	if s.sendNotification {
+		title := "Connection session expired"
+		if runtime.GOOS == "darwin" {
+			title = "NetBird connection session expired"
+		}
+		s.app.SendNotification(
+			fyne.NewNotification(
+				title,
+				"Please re-authenticate to connect to the network",
+			),
+		)
+		s.sendNotification = false
+	}
 }
 
 func openURL(url string) error {

go.mod

@@ -57,8 +57,8 @@ require (
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/additions v0.0.0-20240118163419-8a7c87accb22
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20240118163419-8a7c87accb22
+	github.com/netbirdio/management-integrations/additions v0.0.0-20240212121739-8ea8c89a4552
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20240212121739-8ea8c89a4552
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible

go.sum

@@ -376,10 +376,10 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nadoo/ipset v0.5.0 h1:5GJUAuZ7ITQQQGne5J96AmFjRtI8Avlbk6CabzYWVUc=
 github.com/nadoo/ipset v0.5.0/go.mod h1:rYF5DQLRGGoQ8ZSWeK+6eX5amAuPqwFkWjhQlEITGJQ=
-github.com/netbirdio/management-integrations/additions v0.0.0-20240118163419-8a7c87accb22 h1:XTiNnVB6OEwung8WIiGJNzOTLVefuSzAA/cu+6Sst8A=
-github.com/netbirdio/management-integrations/additions v0.0.0-20240118163419-8a7c87accb22/go.mod h1:31FhBNvQ+riHEIu6LSTmqr8IeuSIsGfQffqV4LFmbwA=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20240118163419-8a7c87accb22 h1:FNc4p8RS/gFm5jlmvUFWC4/5YxPDWejYyqEBVziFZwo=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20240118163419-8a7c87accb22/go.mod h1:B0nMS3es77gOvPYhc0K91fAzTkQLi/jRq5TffUN3klM=
+github.com/netbirdio/management-integrations/additions v0.0.0-20240212121739-8ea8c89a4552 h1:yzcQKizAK9YufCHMMCIsr467Dw/OU/4xyHbWizGb1E4=
+github.com/netbirdio/management-integrations/additions v0.0.0-20240212121739-8ea8c89a4552/go.mod h1:31FhBNvQ+riHEIu6LSTmqr8IeuSIsGfQffqV4LFmbwA=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20240212121739-8ea8c89a4552 h1:OFlzVZtkXCoJsfDKrMigFpuad8ZXTm8epq6x27K0irA=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20240212121739-8ea8c89a4552/go.mod h1:B0nMS3es77gOvPYhc0K91fAzTkQLi/jRq5TffUN3klM=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/9eEyjME5/z3nxdJlN9kfQpvWWPk32g=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949 h1:xbWM9BU6mwZZLHxEjxIX/V8Hv3HurQt4mReIE4mY4DM=

iface/netstack/tun.go

@@ -8,7 +8,7 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 )
 
-type NetStackTun struct {
+type NetStackTun struct { //nolint:revive
 	address       string
 	mtu           int
 	listenAddress string

infrastructure_files/base.setup.env

@@ -62,7 +62,7 @@ NETBIRD_DASH_AUTH_USE_AUDIENCE=${NETBIRD_DASH_AUTH_USE_AUDIENCE:-true}
 NETBIRD_DASH_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
 
 # Store config
-NETBIRD_STORE_CONFIG_ENGINE=${NETBIRD_STORE_CONFIG_ENGINE:-"jsonfile"}
+NETBIRD_STORE_CONFIG_ENGINE=${NETBIRD_STORE_CONFIG_ENGINE:-"sqlite"}
 
 # Image tags
 NETBIRD_DASHBOARD_TAG=${NETBIRD_DASHBOARD_TAG:-"latest"}

infrastructure_files/download-geolite2.sh

@@ -1,20 +1,5 @@
 #!/bin/bash
 
-# set $MM_ACCOUNT_ID and $MM_LICENSE_KEY when calling this script
-# see https://dev.maxmind.com/geoip/updating-databases#directly-downloading-databases
-
-# Check if MM_ACCOUNT_ID is set
-if [ -z "$MM_ACCOUNT_ID" ]; then
-    echo "MM_ACCOUNT_ID is not set. Please set the environment variable."
-    exit 1
-fi
-
-# Check if MM_LICENSE_KEY is set
-if [ -z "$MM_LICENSE_KEY" ]; then
-    echo "MM_LICENSE_KEY is not set. Please set the environment variable."
-    exit 1
-fi
-
 # to install sha256sum on mac: brew install coreutils
 if ! command -v sha256sum &> /dev/null
 then
@@ -28,15 +13,20 @@ then
     exit 1
 fi
 
-download_geolite_mmdb() {
-  DATABASE_URL="https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz"
-  SIGNATURE_URL="https://download.maxmind.com/geoip/databases/GeoLite2-City/download?suffix=tar.gz.sha256"
+if ! command -v unzip &> /dev/null
+then
+    echo "unzip is not installed or not in PATH, please install with your package manager. e.g. sudo apt install unzip" > /dev/stderr
+    exit 1
+fi
 
+download_geolite_mmdb() {
+  DATABASE_URL="https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz"
+  SIGNATURE_URL="https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz.sha256"
   # Download the database and signature files
-  echo "Downloading mmdb database file..."
-  DATABASE_FILE=$(curl -s -u "$MM_ACCOUNT_ID":"$MM_LICENSE_KEY" -L -O -J "$DATABASE_URL" -w "%{filename_effective}")
   echo "Downloading mmdb signature file..."
-  SIGNATURE_FILE=$(curl -s -u "$MM_ACCOUNT_ID":"$MM_LICENSE_KEY" -L -O -J "$SIGNATURE_URL" -w "%{filename_effective}")
+  SIGNATURE_FILE=$(curl -s  -L -O -J "$SIGNATURE_URL" -w "%{filename_effective}")
+  echo "Downloading mmdb database file..."
+  DATABASE_FILE=$(curl -s  -L -O -J "$DATABASE_URL" -w "%{filename_effective}")
 
   # Verify the signature
   echo "Verifying signature..."
@@ -53,33 +43,31 @@ download_geolite_mmdb() {
   mkdir -p "$EXTRACTION_DIR"
   tar -xzvf "$DATABASE_FILE" > /dev/null 2>&1
 
-  # Create a SHA256 signature file
   MMDB_FILE="GeoLite2-City.mmdb"
-  cd "$EXTRACTION_DIR"
-  sha256sum "$MMDB_FILE" > "$MMDB_FILE.sha256"
-  echo "SHA256 signature created for $MMDB_FILE."
-  cd - > /dev/null 2>&1
+  cp "$EXTRACTION_DIR"/"$MMDB_FILE" $MMDB_FILE
 
   # Remove downloaded files
+  rm -r "$EXTRACTION_DIR"
   rm "$DATABASE_FILE" "$SIGNATURE_FILE"
 
   # Done. Print next steps
+  echo ""
   echo "Process completed successfully."
-  echo "Now you can place $EXTRACTION_DIR/$MMDB_FILE to 'datadir' of management service."
-  echo -e "Example:\n\tdocker compose cp $EXTRACTION_DIR/$MMDB_FILE management:/var/lib/netbird/"
+  echo "Now you can place $MMDB_FILE to 'datadir' of management service."
+  echo -e "Example:\n\tdocker compose cp $MMDB_FILE management:/var/lib/netbird/"
 }
 
 
 download_geolite_csv_and_create_sqlite_db() {
-  DATABASE_URL="https://download.maxmind.com/geoip/databases/GeoLite2-City-CSV/download?suffix=zip"
-  SIGNATURE_URL="https://download.maxmind.com/geoip/databases/GeoLite2-City-CSV/download?suffix=zip.sha256"
+  DATABASE_URL="https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City-CSV/download?suffix=zip"
+  SIGNATURE_URL="https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City-CSV/download?suffix=zip.sha256"
 
 
   # Download the database file
-  echo "Downloading csv database file..."
-  DATABASE_FILE=$(curl -s -u "$MM_ACCOUNT_ID":"$MM_LICENSE_KEY" -L -O -J "$DATABASE_URL" -w "%{filename_effective}")
   echo "Downloading csv signature file..."
-  SIGNATURE_FILE=$(curl -s -u "$MM_ACCOUNT_ID":"$MM_LICENSE_KEY" -L -O -J "$SIGNATURE_URL" -w "%{filename_effective}")
+  SIGNATURE_FILE=$(curl -s  -L -O -J "$SIGNATURE_URL" -w "%{filename_effective}")
+  echo "Downloading csv database file..."
+  DATABASE_FILE=$(curl -s  -L -O -J "$DATABASE_URL" -w "%{filename_effective}")
 
   # Verify the signature
   echo "Verifying signature..."
@@ -107,12 +95,15 @@ EOF
   # Remove downloaded and extracted files
   rm -r -r "$EXTRACTION_DIR"
   rm  "$DATABASE_FILE" "$SIGNATURE_FILE"
-
+  echo ""
   echo "SQLite database '$DB_NAME' created successfully."
   echo "Now you can place $DB_NAME to 'datadir' of management service."
   echo -e "Example:\n\tdocker compose cp $DB_NAME management:/var/lib/netbird/"
 }
 
 download_geolite_mmdb
-echo ""
-download_geolite_csv_and_create_sqlite_db
+echo -e "\n\n"
+download_geolite_csv_and_create_sqlite_db
+echo -e "\n\n"
+echo "After copying the database files to the management service. You can restart the management service with:"
+echo -e "Example:\n\tdocker compose restart management"

infrastructure_files/getting-started-with-zitadel.sh

@@ -137,6 +137,13 @@ create_new_application() {
   BASE_REDIRECT_URL2=$5
   LOGOUT_URL=$6
   ZITADEL_DEV_MODE=$7
+  DEVICE_CODE=$8
+
+  if [[ $DEVICE_CODE == "true" ]]; then
+    GRANT_TYPES='["OIDC_GRANT_TYPE_AUTHORIZATION_CODE","OIDC_GRANT_TYPE_DEVICE_CODE","OIDC_GRANT_TYPE_REFRESH_TOKEN"]'
+  else
+    GRANT_TYPES='["OIDC_GRANT_TYPE_AUTHORIZATION_CODE","OIDC_GRANT_TYPE_REFRESH_TOKEN"]'
+  fi
 
   RESPONSE=$(
     curl -sS -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
@@ -154,10 +161,7 @@ create_new_application() {
     "RESPONSETypes": [
       "OIDC_RESPONSE_TYPE_CODE"
     ],
-    "grantTypes": [
-      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
-      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
-    ],
+    "grantTypes": '"$GRANT_TYPES"',
     "appType": "OIDC_APP_TYPE_USER_AGENT",
     "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
     "version": "OIDC_VERSION_1_0",
@@ -340,10 +344,10 @@ init_zitadel() {
 
   # create zitadel spa applications
   echo "Creating new Zitadel SPA Dashboard application"
-  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$BASE_REDIRECT_URL/" "$ZITADEL_DEV_MODE")
+  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$BASE_REDIRECT_URL/" "$ZITADEL_DEV_MODE" "false")
 
   echo "Creating new Zitadel SPA Cli application"
-  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "http://localhost:53000/" "true")
+  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "http://localhost:53000/" "true" "true")
 
   MACHINE_USER_ID=$(create_service_user "$INSTANCE_URL" "$PAT")
 
@@ -561,6 +565,8 @@ renderCaddyfile() {
     reverse_proxy /.well-known/openid-configuration h2c://zitadel:8080
     reverse_proxy /openapi/* h2c://zitadel:8080
     reverse_proxy /debug/* h2c://zitadel:8080
+    reverse_proxy /device/* h2c://zitadel:8080
+    reverse_proxy /device h2c://zitadel:8080
     # Dashboard
     reverse_proxy /* dashboard:80
 }
@@ -629,6 +635,14 @@ renderManagementJson() {
             "ManagementEndpoint": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/management/v1"
         }
      },
+   "DeviceAuthorizationFlow": {
+       "Provider": "hosted",
+       "ProviderConfig": {
+           "Audience": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+           "ClientID": "$NETBIRD_AUTH_CLIENT_ID_CLI",
+           "Scope": "openid"
+       }
+     },
     "PKCEAuthorizationFlow": {
         "ProviderConfig": {
             "Audience": "$NETBIRD_AUTH_CLIENT_ID_CLI",

infrastructure_files/management.json.tmpl

@@ -26,6 +26,13 @@
         "Username": "",
         "Password": null
     },
+    "ReverseProxy": {
+        "TrustedHTTPProxies": [],
+        "TrustedHTTPProxiesCount": 0,
+        "TrustedPeers": [
+             "0.0.0.0/0"
+        ]
+    },
     "Datadir": "",
     "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
     "StoreConfig": {

infrastructure_files/nginx.tmpl.conf

@@ -46,6 +46,7 @@ server {
     proxy_set_header        X-Scheme $scheme;
     proxy_set_header        X-Forwarded-Proto https;
     proxy_set_header        X-Forwarded-Host $host;
+    grpc_set_header         X-Forwarded-For $proxy_add_x_forwarded_for;
 
     # Proxy dashboard
     location / {

management/client/client_test.go

@@ -363,10 +363,11 @@ func Test_SystemMetaDataFromClient(t *testing.T) {
 		WiretrusteeVersion: info.WiretrusteeVersion,
 		KernelVersion:      info.KernelVersion,
 
-		NetworkAddresses:   protoNetAddr,
-		SysSerialNumber:    info.SystemSerialNumber,
-		SysProductName:     info.SystemProductName,
-		SysManufacturer:    info.SystemManufacturer,
+		NetworkAddresses: protoNetAddr,
+		SysSerialNumber:  info.SystemSerialNumber,
+		SysProductName:   info.SystemProductName,
+		SysManufacturer:  info.SystemManufacturer,
+		Environment:      &mgmtProto.Environment{Cloud: info.Environment.Cloud, Platform: info.Environment.Platform},
 	}
 
 	assert.Equal(t, ValidKey, actualValidKey)
@@ -407,7 +408,9 @@ func isEqual(a, b *mgmtProto.PeerSystemMeta) bool {
 		a.GetUiVersion() == b.GetUiVersion() &&
 		a.GetSysSerialNumber() == b.GetSysSerialNumber() &&
 		a.GetSysProductName() == b.GetSysProductName() &&
-		a.GetSysManufacturer() == b.GetSysManufacturer()
+		a.GetSysManufacturer() == b.GetSysManufacturer() &&
+		a.GetEnvironment().Cloud == b.GetEnvironment().Cloud &&
+		a.GetEnvironment().Platform == b.GetEnvironment().Platform
 }
 
 func Test_GetDeviceAuthorizationFlow(t *testing.T) {

management/client/grpc.go

@@ -26,6 +26,8 @@ import (
 	"github.com/netbirdio/netbird/management/proto"
 )
 
+const ConnectTimeout = 10 * time.Second
+
 // ConnStateNotifier is a wrapper interface of the status recorders
 type ConnStateNotifier interface {
 	MarkManagementDisconnected(error)
@@ -49,7 +51,7 @@ func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsE
 		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
 	}
 
-	mgmCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	mgmCtx, cancel := context.WithTimeout(ctx, ConnectTimeout)
 	defer cancel()
 	conn, err := grpc.DialContext(
 		mgmCtx,
@@ -318,7 +320,7 @@ func (c *GrpcClient) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*pro
 		log.Errorf("failed to encrypt message: %s", err)
 		return nil, err
 	}
-	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second)
+	mgmCtx, cancel := context.WithTimeout(c.ctx, ConnectTimeout)
 	defer cancel()
 	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
 		WgPubKey: c.key.PublicKey().String(),
@@ -474,5 +476,9 @@ func infoToMetaData(info *system.Info) *proto.PeerSystemMeta {
 		SysSerialNumber:    info.SystemSerialNumber,
 		SysManufacturer:    info.SystemManufacturer,
 		SysProductName:     info.SystemProductName,
+		Environment: &proto.Environment{
+			Cloud:    info.Environment.Cloud,
+			Platform: info.Environment.Platform,
+		},
 	}
 }

management/cmd/management.go

@@ -43,6 +43,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/metrics"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
 )
 
 // ManagementLegacyPort is the port that was used before by the Management gRPC server.
@@ -166,7 +167,7 @@ var (
 
 			geo, err := geolocation.NewGeolocation(config.Datadir)
 			if err != nil {
-				log.Warnf("could not initialize geo location service, we proceed without geo support")
+				log.Warnf("could not initialize geo location service: %v, we proceed without geo support", err)
 			} else {
 				log.Infof("geo location service has been initialized from %s", config.Datadir)
 			}
@@ -242,7 +243,10 @@ var (
 				UserIDClaim:  config.HttpConfig.AuthUserIDClaim,
 				KeysLocation: config.HttpConfig.AuthKeysLocation,
 			}
-			httpAPIHandler, err := httpapi.APIHandler(accountManager, geo, *jwtValidator, appMetrics, httpAPIAuthCfg)
+
+			ctx, cancel := context.WithCancel(cmd.Context())
+			defer cancel()
+			httpAPIHandler, err := httpapi.APIHandler(ctx, accountManager, geo, *jwtValidator, appMetrics, httpAPIAuthCfg)
 			if err != nil {
 				return fmt.Errorf("failed creating HTTP API handler: %v", err)
 			}
@@ -264,8 +268,6 @@ var (
 			}
 
 			if !disableMetrics {
-				ctx, cancel := context.WithCancel(context.Background())
-				defer cancel()
 				idpManager := "disabled"
 				if config.IdpManagerConfig != nil && config.IdpManagerConfig.ManagerType != "" {
 					idpManager = config.IdpManagerConfig.ManagerType
@@ -314,6 +316,7 @@ var (
 				}
 			}
 
+			log.Infof("management server version %s", version.NetbirdVersion())
 			log.Infof("running HTTP server and gRPC server on the same port: %s", listener.Addr().String())
 			serveGRPCWithHTTP(listener, rootHandler, tlsEnabled)
 

management/proto/management.proto

@@ -92,6 +92,14 @@ message PeerKeys {
   bytes wgPubKey = 2;
 }
 
+// Environment is part of the PeerSystemMeta and describes the environment the agent is running in.
+message Environment {
+  // cloud is the cloud provider the agent is running in if applicable.
+  string cloud = 1;
+  // platform is the platform the agent is running on if applicable.
+  string platform = 2;
+}
+
 // PeerSystemMeta is machine meta data like OS and version.
 message PeerSystemMeta {
   string hostname = 1;
@@ -108,6 +116,7 @@ message PeerSystemMeta {
   string sysSerialNumber = 12;
   string sysProductName = 13;
   string sysManufacturer = 14;
+  Environment environment = 15;
 }
 
 message LoginResponse {

management/server/account.go

@@ -72,6 +72,7 @@ type AccountManager interface {
 	CheckUserAccessByJWTGroups(claims jwtclaims.AuthorizationClaims) error
 	GetAccountFromPAT(pat string) (*Account, *User, *PersonalAccessToken, error)
 	DeleteAccount(accountID, userID string) error
+	GetUsage(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error)
 	MarkPATUsed(tokenID string) error
 	GetUser(claims jwtclaims.AuthorizationClaims) (*User, error)
 	ListUsers(accountID string) ([]*User, error)
@@ -110,7 +111,7 @@ type AccountManager interface {
 	DeleteNameServerGroup(accountID, nsGroupID, userID string) error
 	ListNameServerGroups(accountID string, userID string) ([]*nbdns.NameServerGroup, error)
 	GetDNSDomain() string
-	StoreEvent(initiatorID, targetID, accountID string, activityID activity.Activity, meta map[string]any)
+	StoreEvent(initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any)
 	GetEvents(accountID, userID string) ([]*activity.Event, error)
 	GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
 	SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
@@ -125,6 +126,7 @@ type AccountManager interface {
 	SavePostureChecks(accountID, userID string, postureChecks *posture.Checks) error
 	DeletePostureChecks(accountID, postureChecksID, userID string) error
 	ListPostureChecks(accountID, userID string) ([]*posture.Checks, error)
+	GetIdpManager() idp.Manager
 }
 
 type DefaultAccountManager struct {
@@ -204,6 +206,7 @@ type Account struct {
 
 	// User.Id it was created by
 	CreatedBy              string
+	CreatedAt              time.Time
 	Domain                 string `gorm:"index"`
 	DomainCategory         string
 	IsDomainPrimaryAccount bool
@@ -230,6 +233,14 @@ type Account struct {
 	RulesG []Rule           `json:"-" gorm:"-"`
 }
 
+// AccountUsageStats represents the current usage statistics for an account
+type AccountUsageStats struct {
+	ActiveUsers int64 `json:"active_users"`
+	TotalUsers  int64 `json:"total_users"`
+	ActivePeers int64 `json:"active_peers"`
+	TotalPeers  int64 `json:"total_peers"`
+}
+
 type UserInfo struct {
 	ID                   string               `json:"id"`
 	Email                string               `json:"email"`
@@ -674,6 +685,7 @@ func (a *Account) Copy() *Account {
 	return &Account{
 		Id:                     a.Id,
 		CreatedBy:              a.CreatedBy,
+		CreatedAt:              a.CreatedAt,
 		Domain:                 a.Domain,
 		DomainCategory:         a.DomainCategory,
 		IsDomainPrimaryAccount: a.IsDomainPrimaryAccount,
@@ -891,6 +903,10 @@ func (am *DefaultAccountManager) GetExternalCacheManager() ExternalCacheManager
 	return am.externalCacheManager
 }
 
+func (am *DefaultAccountManager) GetIdpManager() idp.Manager {
+	return am.idpManager
+}
+
 // UpdateAccountSettings updates Account settings.
 // Only users with role UserRoleAdmin can update the account.
 // User that performs the update has to belong to the account.
@@ -908,12 +924,7 @@ func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string,
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()
 
-	account, err := am.Store.GetAccountByUser(userID)
-	if err != nil {
-		return nil, err
-	}
-
-	err = additions.ValidateExtraSettings(newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID, am.eventStore)
+	account, err := am.Store.GetAccount(accountID)
 	if err != nil {
 		return nil, err
 	}
@@ -927,6 +938,11 @@ func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string,
 		return nil, status.Errorf(status.PermissionDenied, "user is not allowed to update account")
 	}
 
+	err = additions.ValidateExtraSettings(newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID, am.eventStore)
+	if err != nil {
+		return nil, err
+	}
+
 	oldSettings := account.Settings
 	if oldSettings.PeerLoginExpirationEnabled != newSettings.PeerLoginExpirationEnabled {
 		event := activity.AccountPeerLoginExpirationEnabled
@@ -1105,8 +1121,20 @@ func (am *DefaultAccountManager) DeleteAccount(accountID, userID string) error {
 	return nil
 }
 
+// GetUsage returns the usage stats for the given account.
+// This cannot be used to calculate usage stats for a period in the past as it relies on peers' last seen time.
+func (am *DefaultAccountManager) GetUsage(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error) {
+	usageStats, err := am.Store.CalculateUsageStats(ctx, accountID, start, end)
+	if err != nil {
+		return nil, fmt.Errorf("failed to calculate usage stats: %w", err)
+	}
+
+	return usageStats, nil
+}
+
 // GetAccountByUserOrAccountID looks for an account by user or accountID, if no account is provided and
 // userID doesn't have an account associated with it, one account is created
+// domain is used to create a new account if no account is found
 func (am *DefaultAccountManager) GetAccountByUserOrAccountID(userID, accountID, domain string) (*Account, error) {
 	if accountID != "" {
 		return am.Store.GetAccount(accountID)
@@ -1791,7 +1819,7 @@ func (am *DefaultAccountManager) CheckUserAccessByJWTGroups(claims jwtclaims.Aut
 	return nil
 }
 
-// addAllGroup to account object if it doesn't exists
+// addAllGroup to account object if it doesn't exist
 func addAllGroup(account *Account) error {
 	if len(account.Groups) == 0 {
 		allGroup := &Group{
@@ -1849,6 +1877,7 @@ func newAccountWithId(accountID, userID, domain string) *Account {
 
 	acc := &Account{
 		Id:               accountID,
+		CreatedAt:        time.Now().UTC(),
 		SetupKeys:        setupKeys,
 		Network:          network,
 		Peers:            peers,

management/server/account_test.go

@@ -94,6 +94,10 @@ func verifyNewAccountHasDefaultFields(t *testing.T, account *Account, createdBy
 		t.Errorf("expecting newly created account to be created by user %s, got %s", createdBy, account.CreatedBy)
 	}
 
+	if account.CreatedAt.IsZero() {
+		t.Errorf("expecting newly created account to have a non-zero creation time")
+	}
+
 	if account.Domain != domain {
 		t.Errorf("expecting newly created account to have domain %s, got %s", domain, account.Domain)
 	}
@@ -1473,6 +1477,7 @@ func TestAccount_Copy(t *testing.T) {
 	account := &Account{
 		Id:                     "account1",
 		CreatedBy:              "tester",
+		CreatedAt:              time.Now().UTC(),
 		Domain:                 "test.com",
 		DomainCategory:         "public",
 		IsDomainPrimaryAccount: true,

management/server/activity/codes.go

@@ -1,12 +1,14 @@
 package activity
 
+import "maps"
+
 // Activity that triggered an Event
 type Activity int
 
 // Code is an activity string representation
 type Code struct {
-	message string
-	code    string
+	Message string
+	Code    string
 }
 
 const (
@@ -207,7 +209,7 @@ var activityMap = map[Activity]Code{
 // StringCode returns a string code of the activity
 func (a Activity) StringCode() string {
 	if code, ok := activityMap[a]; ok {
-		return code.code
+		return code.Code
 	}
 	return "UNKNOWN_ACTIVITY"
 }
@@ -215,7 +217,12 @@ func (a Activity) StringCode() string {
 // Message returns a string representation of an activity
 func (a Activity) Message() string {
 	if code, ok := activityMap[a]; ok {
-		return code.message
+		return code.Message
 	}
 	return "UNKNOWN_ACTIVITY"
 }
+
+// RegisterActivityMap adds new codes to the activity map
+func RegisterActivityMap(codes map[Activity]Code) {
+	maps.Copy(activityMap, codes)
+}

management/server/activity/event.go

@@ -8,12 +8,18 @@ const (
 	SystemInitiator = "sys"
 )
 
+// ActivityDescriber is an interface that describes an activity
+type ActivityDescriber interface { //nolint:revive
+	StringCode() string
+	Message() string
+}
+
 // Event represents a network/system activity event.
 type Event struct {
 	// Timestamp of the event
 	Timestamp time.Time
 	// Activity that was performed during the event
-	Activity Activity
+	Activity ActivityDescriber
 	// ID of the event (can be empty, meaning that it wasn't yet generated)
 	ID uint64
 	// InitiatorID is the ID of an object that initiated the event (e.g., a user)

management/server/event.go

@@ -54,8 +54,7 @@ func (am *DefaultAccountManager) GetEvents(accountID, userID string) ([]*activit
 	return filtered, nil
 }
 
-func (am *DefaultAccountManager) StoreEvent(initiatorID, targetID, accountID string, activityID activity.Activity,
-	meta map[string]any) {
+func (am *DefaultAccountManager) StoreEvent(initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 
 	go func() {
 		_, err := am.eventStore.Save(&activity.Event{

management/server/file_store.go

@@ -1,6 +1,8 @@
 package server
 
 import (
+	"context"
+	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
@@ -662,3 +664,45 @@ func (s *FileStore) Close() error {
 func (s *FileStore) GetStoreEngine() StoreEngine {
 	return FileStoreEngine
 }
+
+// CalculateUsageStats returns the usage stats for an account
+// start and end are inclusive.
+func (s *FileStore) CalculateUsageStats(_ context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error) {
+	s.mux.Lock()
+	defer s.mux.Unlock()
+
+	account, exists := s.Accounts[accountID]
+	if !exists {
+		return nil, fmt.Errorf("account not found")
+	}
+
+	stats := &AccountUsageStats{}
+
+	activeUsers := make(map[string]struct{})
+	for userID, user := range account.Users {
+		if user.LastLogin.After(start) && user.LastLogin.Before(end) && !user.IsServiceUser {
+			activeUsers[userID] = struct{}{}
+		}
+
+		if !user.IsServiceUser {
+			stats.TotalUsers++
+		}
+	}
+
+	for _, peer := range account.Peers {
+		if peer.Status.LastSeen.After(start) && peer.Status.LastSeen.Before(end) {
+			stats.ActivePeers++
+
+			// service users don't have peers, but we check regardless.
+			if _, exists := account.Users[peer.UserID]; exists && !account.Users[peer.UserID].IsServiceUser {
+				activeUsers[peer.UserID] = struct{}{}
+			}
+		}
+	}
+
+	stats.ActiveUsers = int64(len(activeUsers))
+
+	stats.TotalPeers = int64(len(account.Peers))
+
+	return stats, nil
+}

management/server/file_store_test.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"context"
 	"crypto/sha256"
 	"net"
 	"path/filepath"
@@ -657,3 +658,32 @@ func newStore(t *testing.T) *FileStore {
 
 	return store
 }
+
+func TestFileStore_CalculateUsageStats(t *testing.T) {
+	storeDir := t.TempDir()
+
+	err := util.CopyFileContents("testdata/store_stats.json", filepath.Join(storeDir, "store.json"))
+	require.NoError(t, err)
+
+	store, err := NewFileStore(storeDir, nil)
+	require.NoError(t, err)
+
+	startDate := time.Date(2024, time.February, 1, 0, 0, 0, 0, time.UTC)
+	endDate := startDate.AddDate(0, 1, 0).Add(-time.Nanosecond)
+
+	stats1, err := store.CalculateUsageStats(context.TODO(), "account-1", startDate, endDate)
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(3), stats1.ActiveUsers)
+	assert.Equal(t, int64(5), stats1.TotalUsers)
+	assert.Equal(t, int64(3), stats1.ActivePeers)
+	assert.Equal(t, int64(8), stats1.TotalPeers)
+
+	stats2, err := store.CalculateUsageStats(context.TODO(), "account-2", startDate, endDate)
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(2), stats2.ActiveUsers)
+	assert.Equal(t, int64(2), stats2.TotalUsers)
+	assert.Equal(t, int64(1), stats2.ActivePeers)
+	assert.Equal(t, int64(2), stats2.TotalPeers)
+}

management/server/geolocation/database.go

@@ -0,0 +1,210 @@
+package geolocation
+
+import (
+	"encoding/csv"
+	"fmt"
+	"io"
+	"net/url"
+	"os"
+	"path"
+	"strconv"
+
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+)
+
+const (
+	geoLiteCityTarGZURL     = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz"
+	geoLiteCityZipURL       = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City-CSV/download?suffix=zip"
+	geoLiteCitySha256TarURL = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City/download?suffix=tar.gz.sha256"
+	geoLiteCitySha256ZipURL = "https://pkgs.netbird.io/geolocation-dbs/GeoLite2-City-CSV/download?suffix=zip.sha256"
+)
+
+// loadGeolocationDatabases loads the MaxMind databases.
+func loadGeolocationDatabases(dataDir string) error {
+	files := []string{MMDBFileName, GeoSqliteDBFile}
+	for _, file := range files {
+		exists, _ := fileExists(path.Join(dataDir, file))
+		if exists {
+			continue
+		}
+
+		switch file {
+		case MMDBFileName:
+			extractFunc := func(src string, dst string) error {
+				if err := decompressTarGzFile(src, dst); err != nil {
+					return err
+				}
+				return copyFile(path.Join(dst, MMDBFileName), path.Join(dataDir, MMDBFileName))
+			}
+			if err := loadDatabase(
+				geoLiteCitySha256TarURL,
+				geoLiteCityTarGZURL,
+				extractFunc,
+			); err != nil {
+				return err
+			}
+
+		case GeoSqliteDBFile:
+			extractFunc := func(src string, dst string) error {
+				if err := decompressZipFile(src, dst); err != nil {
+					return err
+				}
+				extractedCsvFile := path.Join(dst, "GeoLite2-City-Locations-en.csv")
+				return importCsvToSqlite(dataDir, extractedCsvFile)
+			}
+
+			if err := loadDatabase(
+				geoLiteCitySha256ZipURL,
+				geoLiteCityZipURL,
+				extractFunc,
+			); err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
+// loadDatabase downloads a file from the specified URL and verifies its checksum.
+// It then calls the extract function to perform additional processing on the extracted files.
+func loadDatabase(checksumURL string, fileURL string, extractFunc func(src string, dst string) error) error {
+	temp, err := os.MkdirTemp(os.TempDir(), "geolite")
+	if err != nil {
+		return err
+	}
+	defer os.RemoveAll(temp)
+
+	checksumFile := path.Join(temp, getDatabaseFileName(checksumURL))
+	err = downloadFile(checksumURL, checksumFile)
+	if err != nil {
+		return err
+	}
+
+	sha256sum, err := loadChecksumFromFile(checksumFile)
+	if err != nil {
+		return err
+	}
+
+	dbFile := path.Join(temp, getDatabaseFileName(fileURL))
+	err = downloadFile(fileURL, dbFile)
+	if err != nil {
+		return err
+	}
+
+	if err := verifyChecksum(dbFile, sha256sum); err != nil {
+		return err
+	}
+
+	return extractFunc(dbFile, temp)
+}
+
+// importCsvToSqlite imports a CSV file into a SQLite database.
+func importCsvToSqlite(dataDir string, csvFile string) error {
+	geonames, err := loadGeonamesCsv(csvFile)
+	if err != nil {
+		return err
+	}
+
+	db, err := gorm.Open(sqlite.Open(path.Join(dataDir, GeoSqliteDBFile)), &gorm.Config{
+		Logger:          logger.Default.LogMode(logger.Silent),
+		CreateBatchSize: 1000,
+		PrepareStmt:     true,
+	})
+	if err != nil {
+		return err
+	}
+	defer func() {
+		sql, err := db.DB()
+		if err != nil {
+			return
+		}
+		sql.Close()
+	}()
+
+	if err := db.AutoMigrate(&GeoNames{}); err != nil {
+		return err
+	}
+
+	return db.Create(geonames).Error
+}
+
+func loadGeonamesCsv(filepath string) ([]GeoNames, error) {
+	f, err := os.Open(filepath)
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	reader := csv.NewReader(f)
+	records, err := reader.ReadAll()
+	if err != nil {
+		return nil, err
+	}
+
+	var geoNames []GeoNames
+	for index, record := range records {
+		if index == 0 {
+			continue
+		}
+		geoNameID, err := strconv.Atoi(record[0])
+		if err != nil {
+			return nil, err
+		}
+
+		geoName := GeoNames{
+			GeoNameID:           geoNameID,
+			LocaleCode:          record[1],
+			ContinentCode:       record[2],
+			ContinentName:       record[3],
+			CountryIsoCode:      record[4],
+			CountryName:         record[5],
+			Subdivision1IsoCode: record[6],
+			Subdivision1Name:    record[7],
+			Subdivision2IsoCode: record[8],
+			Subdivision2Name:    record[9],
+			CityName:            record[10],
+			MetroCode:           record[11],
+			TimeZone:            record[12],
+			IsInEuropeanUnion:   record[13],
+		}
+		geoNames = append(geoNames, geoName)
+	}
+
+	return geoNames, nil
+}
+
+// getDatabaseFileName extracts the file name from a given URL string.
+func getDatabaseFileName(urlStr string) string {
+	u, err := url.Parse(urlStr)
+	if err != nil {
+		panic(err)
+	}
+
+	ext := u.Query().Get("suffix")
+	fileName := fmt.Sprintf("%s.%s", path.Base(u.Path), ext)
+	return fileName
+}
+
+// copyFile performs a file copy operation from the source file to the destination.
+func copyFile(src string, dst string) error {
+	srcFile, err := os.Open(src)
+	if err != nil {
+		return err
+	}
+	defer srcFile.Close()
+
+	dstFile, err := os.Create(dst)
+	if err != nil {
+		return err
+	}
+	defer dstFile.Close()
+
+	_, err = io.Copy(dstFile, srcFile)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

management/server/geolocation/geolocation.go

@@ -2,9 +2,7 @@ package geolocation
 
 import (
 	"bytes"
-	"crypto/sha256"
 	"fmt"
-	"io"
 	"net"
 	"os"
 	"path"
@@ -54,20 +52,23 @@ type Country struct {
 	CountryName    string
 }
 
-func NewGeolocation(datadir string) (*Geolocation, error) {
-	mmdbPath := path.Join(datadir, MMDBFileName)
+func NewGeolocation(dataDir string) (*Geolocation, error) {
+	if err := loadGeolocationDatabases(dataDir); err != nil {
+		return nil, fmt.Errorf("failed to load MaxMind databases: %v", err)
+	}
 
+	mmdbPath := path.Join(dataDir, MMDBFileName)
 	db, err := openDB(mmdbPath)
 	if err != nil {
 		return nil, err
 	}
 
-	sha256sum, err := getSha256sum(mmdbPath)
+	sha256sum, err := calculateFileSHA256(mmdbPath)
 	if err != nil {
 		return nil, err
 	}
 
-	locationDB, err := NewSqliteStore(datadir)
+	locationDB, err := NewSqliteStore(dataDir)
 	if err != nil {
 		return nil, err
 	}
@@ -104,21 +105,6 @@ func openDB(mmdbPath string) (*maxminddb.Reader, error) {
 	return db, nil
 }
 
-func getSha256sum(mmdbPath string) ([]byte, error) {
-	f, err := os.Open(mmdbPath)
-	if err != nil {
-		return nil, err
-	}
-	defer f.Close()
-
-	h := sha256.New()
-	if _, err := io.Copy(h, f); err != nil {
-		return nil, err
-	}
-
-	return h.Sum(nil), nil
-}
-
 func (gl *Geolocation) Lookup(ip net.IP) (*Record, error) {
 	gl.mux.RLock()
 	defer gl.mux.RUnlock()
@@ -189,7 +175,7 @@ func (gl *Geolocation) reloader() {
 				log.Errorf("geonames db reload failed: %s", err)
 			}
 
-			newSha256sum1, err := getSha256sum(gl.mmdbPath)
+			newSha256sum1, err := calculateFileSHA256(gl.mmdbPath)
 			if err != nil {
 				log.Errorf("failed to calculate sha256 sum for '%s': %s", gl.mmdbPath, err)
 				continue
@@ -198,7 +184,7 @@ func (gl *Geolocation) reloader() {
 				// we check sum twice just to avoid possible case when we reload during update of the file
 				// considering the frequency of file update (few times a week) checking sum twice should be enough
 				time.Sleep(50 * time.Millisecond)
-				newSha256sum2, err := getSha256sum(gl.mmdbPath)
+				newSha256sum2, err := calculateFileSHA256(gl.mmdbPath)
 				if err != nil {
 					log.Errorf("failed to calculate sha256 sum for '%s': %s", gl.mmdbPath, err)
 					continue

management/server/geolocation/store.go

@@ -20,6 +20,27 @@ const (
 	GeoSqliteDBFile = "geonames.db"
 )
 
+type GeoNames struct {
+	GeoNameID           int    `gorm:"column:geoname_id"`
+	LocaleCode          string `gorm:"column:locale_code"`
+	ContinentCode       string `gorm:"column:continent_code"`
+	ContinentName       string `gorm:"column:continent_name"`
+	CountryIsoCode      string `gorm:"column:country_iso_code"`
+	CountryName         string `gorm:"column:country_name"`
+	Subdivision1IsoCode string `gorm:"column:subdivision_1_iso_code"`
+	Subdivision1Name    string `gorm:"column:subdivision_1_name"`
+	Subdivision2IsoCode string `gorm:"column:subdivision_2_iso_code"`
+	Subdivision2Name    string `gorm:"column:subdivision_2_name"`
+	CityName            string `gorm:"column:city_name"`
+	MetroCode           string `gorm:"column:metro_code"`
+	TimeZone            string `gorm:"column:time_zone"`
+	IsInEuropeanUnion   string `gorm:"column:is_in_european_union"`
+}
+
+func (*GeoNames) TableName() string {
+	return "geonames"
+}
+
 // SqliteStore represents a location storage backed by a Sqlite DB.
 type SqliteStore struct {
 	db        *gorm.DB
@@ -37,7 +58,7 @@ func NewSqliteStore(dataDir string) (*SqliteStore, error) {
 		return nil, err
 	}
 
-	sha256sum, err := getSha256sum(file)
+	sha256sum, err := calculateFileSHA256(file)
 	if err != nil {
 		return nil, err
 	}
@@ -60,7 +81,7 @@ func (s *SqliteStore) GetAllCountries() ([]Country, error) {
 	}
 
 	var countries []Country
-	result := s.db.Table("geonames").
+	result := s.db.Model(&GeoNames{}).
 		Select("country_iso_code", "country_name").
 		Group("country_name").
 		Scan(&countries)
@@ -81,7 +102,7 @@ func (s *SqliteStore) GetCitiesByCountry(countryISOCode string) ([]City, error)
 	}
 
 	var cities []City
-	result := s.db.Table("geonames").
+	result := s.db.Model(&GeoNames{}).
 		Select("geoname_id", "city_name").
 		Where("country_iso_code = ?", countryISOCode).
 		Group("city_name").
@@ -98,7 +119,7 @@ func (s *SqliteStore) reload() error {
 	s.mux.Lock()
 	defer s.mux.Unlock()
 
-	newSha256sum1, err := getSha256sum(s.filePath)
+	newSha256sum1, err := calculateFileSHA256(s.filePath)
 	if err != nil {
 		log.Errorf("failed to calculate sha256 sum for '%s': %s", s.filePath, err)
 	}
@@ -107,7 +128,7 @@ func (s *SqliteStore) reload() error {
 		// we check sum twice just to avoid possible case when we reload during update of the file
 		// considering the frequency of file update (few times a week) checking sum twice should be enough
 		time.Sleep(50 * time.Millisecond)
-		newSha256sum2, err := getSha256sum(s.filePath)
+		newSha256sum2, err := calculateFileSHA256(s.filePath)
 		if err != nil {
 			return fmt.Errorf("failed to calculate sha256 sum for '%s': %s", s.filePath, err)
 		}

management/server/geolocation/utils.go

@@ -0,0 +1,176 @@
+package geolocation
+
+import (
+	"archive/tar"
+	"archive/zip"
+	"bufio"
+	"bytes"
+	"compress/gzip"
+	"crypto/sha256"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+)
+
+// decompressTarGzFile decompresses a .tar.gz file.
+func decompressTarGzFile(filepath, destDir string) error {
+	file, err := os.Open(filepath)
+	if err != nil {
+		return err
+	}
+	defer file.Close()
+
+	gzipReader, err := gzip.NewReader(file)
+	if err != nil {
+		return err
+	}
+	defer gzipReader.Close()
+
+	tarReader := tar.NewReader(gzipReader)
+
+	for {
+		header, err := tarReader.Next()
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				break
+			}
+			return err
+		}
+
+		if header.Typeflag == tar.TypeReg {
+			outFile, err := os.Create(path.Join(destDir, path.Base(header.Name)))
+			if err != nil {
+				return err
+			}
+
+			_, err = io.Copy(outFile, tarReader) // #nosec G110
+			outFile.Close()
+			if err != nil {
+				return err
+			}
+		}
+
+	}
+
+	return nil
+}
+
+// decompressZipFile decompresses a .zip file.
+func decompressZipFile(filepath, destDir string) error {
+	r, err := zip.OpenReader(filepath)
+	if err != nil {
+		return err
+	}
+	defer r.Close()
+
+	for _, f := range r.File {
+		if f.FileInfo().IsDir() {
+			continue
+		}
+
+		outFile, err := os.Create(path.Join(destDir, path.Base(f.Name)))
+		if err != nil {
+			return err
+		}
+
+		rc, err := f.Open()
+		if err != nil {
+			outFile.Close()
+			return err
+		}
+
+		_, err = io.Copy(outFile, rc) // #nosec G110
+		outFile.Close()
+		rc.Close()
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// calculateFileSHA256 calculates the SHA256 checksum of a file.
+func calculateFileSHA256(filepath string) ([]byte, error) {
+	file, err := os.Open(filepath)
+	if err != nil {
+		return nil, err
+	}
+	defer file.Close()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, file); err != nil {
+		return nil, err
+	}
+
+	return h.Sum(nil), nil
+}
+
+// loadChecksumFromFile loads the first checksum from a file.
+func loadChecksumFromFile(filepath string) (string, error) {
+	file, err := os.Open(filepath)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	scanner := bufio.NewScanner(file)
+	if scanner.Scan() {
+		parts := strings.Fields(scanner.Text())
+		if len(parts) > 0 {
+			return parts[0], nil
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return "", err
+	}
+
+	return "", nil
+}
+
+// verifyChecksum compares the calculated SHA256 checksum of a file against the expected checksum.
+func verifyChecksum(filepath, expectedChecksum string) error {
+	calculatedChecksum, err := calculateFileSHA256(filepath)
+
+	fileCheckSum := fmt.Sprintf("%x", calculatedChecksum)
+	if err != nil {
+		return err
+	}
+
+	if fileCheckSum != expectedChecksum {
+		return fmt.Errorf("checksum mismatch: expected %s, got %s", expectedChecksum, fileCheckSum)
+	}
+
+	return nil
+}
+
+// downloadFile downloads a file from a URL and saves it to a local file path.
+func downloadFile(url, filepath string) error {
+	resp, err := http.Get(url)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	bodyBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("unexpected error occurred while downloading the file: %s", string(bodyBytes))
+	}
+
+	out, err := os.Create(filepath)
+	if err != nil {
+		return err
+	}
+	defer out.Close()
+
+	_, err = io.Copy(out, bytes.NewBuffer(bodyBytes))
+	return err
+}

management/server/grpcserver.go

@@ -288,6 +288,10 @@ func extractPeerMeta(loginReq *proto.LoginRequest) nbpeer.PeerSystemMeta {
 		SystemSerialNumber: loginReq.GetMeta().GetSysSerialNumber(),
 		SystemProductName:  loginReq.GetMeta().GetSysProductName(),
 		SystemManufacturer: loginReq.GetMeta().GetSysManufacturer(),
+		Environment: nbpeer.Environment{
+			Cloud:    loginReq.GetMeta().GetEnvironment().GetCloud(),
+			Platform: loginReq.GetMeta().GetEnvironment().GetPlatform(),
+		},
 	}
 }
 

management/server/http/api/openapi.yml

@@ -121,7 +121,7 @@ components:
           description: Last time this user performed a login to the dashboard
           type: string
           format: date-time
-          example: 2023-05-05T09:00:35.477782Z
+          example: "2023-05-05T09:00:35.477782Z"
         auto_groups:
           description: Group IDs to auto-assign to peers registered by this user
           type: array
@@ -259,7 +259,7 @@ components:
               description: Last time peer connected to Netbird's management service
               type: string
               format: date-time
-              example: 2023-05-05T10:05:26.420578Z
+              example: "2023-05-05T10:05:26.420578Z"
             os:
               description: Peer's operating system and version
               type: string
@@ -313,7 +313,7 @@ components:
               description: Last time this peer performed log in (authentication). E.g., user authenticated.
               type: string
               format: date-time
-              example: 2023-05-05T09:00:35.477782Z
+              example: "2023-05-05T09:00:35.477782Z"
             approval_required:
               description: (Cloud only) Indicates whether peer needs approval
               type: boolean
@@ -405,7 +405,7 @@ components:
           description: Setup Key expiration date
           type: string
           format: date-time
-          example: 2023-06-01T14:47:22.291057Z
+          example: "2023-06-01T14:47:22.291057Z"
         type:
           description: Setup key type, one-off for single time usage and reusable
           type: string
@@ -426,7 +426,7 @@ components:
           description: Setup key last usage date
           type: string
           format: date-time
-          example: 2023-05-05T09:00:35.477782Z
+          example: "2023-05-05T09:00:35.477782Z"
         state:
           description: Setup key status, "valid", "overused","expired" or "revoked"
           type: string
@@ -441,7 +441,7 @@ components:
           description: Setup key last update date
           type: string
           format: date-time
-          example: 2023-05-05T09:00:35.477782Z
+          example: "2023-05-05T09:00:35.477782Z"
         usage_limit:
           description: A number of times this key can be used. The value of 0 indicates the unlimited usage.
           type: integer
@@ -522,7 +522,7 @@ components:
           description: Date the token expires
           type: string
           format: date-time
-          example: 2023-05-05T14:38:28.977616Z
+          example: "2023-05-05T14:38:28.977616Z"
         created_by:
           description: User ID of the user who created the token
           type: string
@@ -531,12 +531,12 @@ components:
           description: Date the token was created
           type: string
           format: date-time
-          example: 2023-05-02T14:48:20.465209Z
+          example: "2023-05-02T14:48:20.465209Z"
         last_used:
           description: Date the token was last used
           type: string
           format: date-time
-          example: 2023-05-04T12:45:25.9723616Z
+          example: "2023-05-04T12:45:25.9723616Z"
       required:
         - id
         - name
@@ -862,6 +862,8 @@ components:
           $ref: '#/components/schemas/OSVersionCheck'
         geo_location_check:
           $ref: '#/components/schemas/GeoLocationCheck'
+        peer_network_range_check:
+          $ref: '#/components/schemas/PeerNetworkRangeCheck'
     NBVersionCheck:
       description: Posture check for the version of NetBird
       type: object
@@ -932,6 +934,24 @@ components:
       required:
         - locations
         - action
+    PeerNetworkRangeCheck:
+      description: Posture check for allow or deny access based on peer local network addresses
+      type: object
+      properties:
+        ranges:
+          description: List of peer network ranges in CIDR notation
+          type: array
+          items:
+            type: string
+            example: ["192.168.1.0/24", "10.0.0.0/8", "2001:db8:1234:1a00::/56"]
+        action:
+          description: Action to take upon policy match
+          type: string
+          enum: [ "allow", "deny" ]
+          example: "allow"
+      required:
+        - ranges
+        - action
     Location:
       description: Describe geographical location information
       type: object
@@ -959,7 +979,7 @@ components:
           type: string
           example: "Germany"
         country_code:
-            $ref: '#/components/schemas/CountryCode'
+          $ref: '#/components/schemas/CountryCode'
       required:
         - country_name
         - country_code
@@ -1177,7 +1197,7 @@ components:
           description: The date and time when the event occurred
           type: string
           format: date-time
-          example: 2023-05-05T10:04:37.473542Z
+          example: "2023-05-05T10:04:37.473542Z"
         activity:
           description: The activity that occurred during the event
           type: string

management/server/http/api/types.gen.go

@@ -74,6 +74,12 @@ const (
 	NameserverNsTypeUdp NameserverNsType = "udp"
 )
 
+// Defines values for PeerNetworkRangeCheckAction.
+const (
+	PeerNetworkRangeCheckActionAllow PeerNetworkRangeCheckAction = "allow"
+	PeerNetworkRangeCheckActionDeny  PeerNetworkRangeCheckAction = "deny"
+)
+
 // Defines values for PolicyRuleAction.
 const (
 	PolicyRuleActionAccept PolicyRuleAction = "accept"
@@ -186,10 +192,15 @@ type AccountSettings struct {
 type Checks struct {
 	// GeoLocationCheck Posture check for geo location
 	GeoLocationCheck *GeoLocationCheck `json:"geo_location_check,omitempty"`
-	NbVersionCheck   *NBVersionCheck   `json:"nb_version_check,omitempty"`
+
+	// NbVersionCheck Posture check for the version of operating system
+	NbVersionCheck *NBVersionCheck `json:"nb_version_check,omitempty"`
 
 	// OsVersionCheck Posture check for the version of operating system
 	OsVersionCheck *OSVersionCheck `json:"os_version_check,omitempty"`
+
+	// PeerNetworkRangeCheck Posture check for allow or deny access based on peer local network addresses
+	PeerNetworkRangeCheck *PeerNetworkRangeCheck `json:"peer_network_range_check,omitempty"`
 }
 
 // City Describe city geographical location information
@@ -324,13 +335,13 @@ type MinKernelVersionCheck struct {
 	MinKernelVersion string `json:"min_kernel_version"`
 }
 
-// MinVersionCheck defines model for MinVersionCheck.
+// MinVersionCheck Posture check for the version of operating system
 type MinVersionCheck struct {
 	// MinVersion Minimum acceptable version
 	MinVersion string `json:"min_version"`
 }
 
-// NBVersionCheck defines model for NBVersionCheck.
+// NBVersionCheck Posture check for the version of operating system
 type NBVersionCheck = MinVersionCheck
 
 // Nameserver defines model for Nameserver.
@@ -407,9 +418,14 @@ type NameserverGroupRequest struct {
 
 // OSVersionCheck Posture check for the version of operating system
 type OSVersionCheck struct {
+	// Android Posture check for the version of operating system
 	Android *MinVersionCheck `json:"android,omitempty"`
-	Darwin  *MinVersionCheck `json:"darwin,omitempty"`
-	Ios     *MinVersionCheck `json:"ios,omitempty"`
+
+	// Darwin Posture check for the version of operating system
+	Darwin *MinVersionCheck `json:"darwin,omitempty"`
+
+	// Ios Posture check for the version of operating system
+	Ios *MinVersionCheck `json:"ios,omitempty"`
 
 	// Linux Posture check with the kernel version
 	Linux *MinKernelVersionCheck `json:"linux,omitempty"`
@@ -427,22 +443,22 @@ type Peer struct {
 	ApprovalRequired *bool `json:"approval_required,omitempty"`
 
 	// CityName Commonly used English name of the city
-	CityName *CityName `json:"city_name,omitempty"`
+	CityName CityName `json:"city_name"`
 
 	// Connected Peer to Management connection status
 	Connected bool `json:"connected"`
 
 	// ConnectionIp Peer's public connection IP address
-	ConnectionIp *string `json:"connection_ip,omitempty"`
+	ConnectionIp string `json:"connection_ip"`
 
 	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
-	CountryCode *CountryCode `json:"country_code,omitempty"`
+	CountryCode CountryCode `json:"country_code"`
 
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`
 
 	// GeonameId Unique identifier from the GeoNames database for a specific geographical location.
-	GeonameId *int `json:"geoname_id,omitempty"`
+	GeonameId int `json:"geoname_id"`
 
 	// Groups Groups that the peer belongs to
 	Groups []GroupMinimum `json:"groups"`
@@ -457,7 +473,7 @@ type Peer struct {
 	Ip string `json:"ip"`
 
 	// KernelVersion Peer's operating system kernel version
-	KernelVersion *string `json:"kernel_version,omitempty"`
+	KernelVersion string `json:"kernel_version"`
 
 	// LastLogin Last time this peer performed log in (authentication). E.g., user authenticated.
 	LastLogin time.Time `json:"last_login"`
@@ -481,10 +497,10 @@ type Peer struct {
 	SshEnabled bool `json:"ssh_enabled"`
 
 	// UiVersion Peer's desktop UI version
-	UiVersion *string `json:"ui_version,omitempty"`
+	UiVersion string `json:"ui_version"`
 
 	// UserId User ID of the user that enrolled this peer
-	UserId *string `json:"user_id,omitempty"`
+	UserId string `json:"user_id"`
 
 	// Version Peer's daemon or cli version
 	Version string `json:"version"`
@@ -496,22 +512,22 @@ type PeerBase struct {
 	ApprovalRequired *bool `json:"approval_required,omitempty"`
 
 	// CityName Commonly used English name of the city
-	CityName *CityName `json:"city_name,omitempty"`
+	CityName CityName `json:"city_name"`
 
 	// Connected Peer to Management connection status
 	Connected bool `json:"connected"`
 
 	// ConnectionIp Peer's public connection IP address
-	ConnectionIp *string `json:"connection_ip,omitempty"`
+	ConnectionIp string `json:"connection_ip"`
 
 	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
-	CountryCode *CountryCode `json:"country_code,omitempty"`
+	CountryCode CountryCode `json:"country_code"`
 
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`
 
 	// GeonameId Unique identifier from the GeoNames database for a specific geographical location.
-	GeonameId *int `json:"geoname_id,omitempty"`
+	GeonameId int `json:"geoname_id"`
 
 	// Groups Groups that the peer belongs to
 	Groups []GroupMinimum `json:"groups"`
@@ -526,7 +542,7 @@ type PeerBase struct {
 	Ip string `json:"ip"`
 
 	// KernelVersion Peer's operating system kernel version
-	KernelVersion *string `json:"kernel_version,omitempty"`
+	KernelVersion string `json:"kernel_version"`
 
 	// LastLogin Last time this peer performed log in (authentication). E.g., user authenticated.
 	LastLogin time.Time `json:"last_login"`
@@ -550,10 +566,10 @@ type PeerBase struct {
 	SshEnabled bool `json:"ssh_enabled"`
 
 	// UiVersion Peer's desktop UI version
-	UiVersion *string `json:"ui_version,omitempty"`
+	UiVersion string `json:"ui_version"`
 
 	// UserId User ID of the user that enrolled this peer
-	UserId *string `json:"user_id,omitempty"`
+	UserId string `json:"user_id"`
 
 	// Version Peer's daemon or cli version
 	Version string `json:"version"`
@@ -568,22 +584,22 @@ type PeerBatch struct {
 	ApprovalRequired *bool `json:"approval_required,omitempty"`
 
 	// CityName Commonly used English name of the city
-	CityName *CityName `json:"city_name,omitempty"`
+	CityName CityName `json:"city_name"`
 
 	// Connected Peer to Management connection status
 	Connected bool `json:"connected"`
 
 	// ConnectionIp Peer's public connection IP address
-	ConnectionIp *string `json:"connection_ip,omitempty"`
+	ConnectionIp string `json:"connection_ip"`
 
 	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
-	CountryCode *CountryCode `json:"country_code,omitempty"`
+	CountryCode CountryCode `json:"country_code"`
 
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`
 
 	// GeonameId Unique identifier from the GeoNames database for a specific geographical location.
-	GeonameId *int `json:"geoname_id,omitempty"`
+	GeonameId int `json:"geoname_id"`
 
 	// Groups Groups that the peer belongs to
 	Groups []GroupMinimum `json:"groups"`
@@ -598,7 +614,7 @@ type PeerBatch struct {
 	Ip string `json:"ip"`
 
 	// KernelVersion Peer's operating system kernel version
-	KernelVersion *string `json:"kernel_version,omitempty"`
+	KernelVersion string `json:"kernel_version"`
 
 	// LastLogin Last time this peer performed log in (authentication). E.g., user authenticated.
 	LastLogin time.Time `json:"last_login"`
@@ -622,10 +638,10 @@ type PeerBatch struct {
 	SshEnabled bool `json:"ssh_enabled"`
 
 	// UiVersion Peer's desktop UI version
-	UiVersion *string `json:"ui_version,omitempty"`
+	UiVersion string `json:"ui_version"`
 
 	// UserId User ID of the user that enrolled this peer
-	UserId *string `json:"user_id,omitempty"`
+	UserId string `json:"user_id"`
 
 	// Version Peer's daemon or cli version
 	Version string `json:"version"`
@@ -640,6 +656,18 @@ type PeerMinimum struct {
 	Name string `json:"name"`
 }
 
+// PeerNetworkRangeCheck Posture check for allow or deny access based on peer local network addresses
+type PeerNetworkRangeCheck struct {
+	// Action Action to take upon policy match
+	Action PeerNetworkRangeCheckAction `json:"action"`
+
+	// Ranges List of peer network ranges in CIDR notation
+	Ranges []string `json:"ranges"`
+}
+
+// PeerNetworkRangeCheckAction Action to take upon policy match
+type PeerNetworkRangeCheckAction string
+
 // PeerRequest defines model for PeerRequest.
 type PeerRequest struct {
 	// ApprovalRequired (Cloud only) Indicates whether peer needs approval

management/server/http/handler.go

@@ -1,6 +1,8 @@
 package http
 
 import (
+	"context"
+	"fmt"
 	"net/http"
 
 	"github.com/gorilla/mux"
@@ -15,6 +17,8 @@ import (
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )
 
+const apiPrefix = "/api"
+
 // AuthCfg contains parameters for authentication middleware
 type AuthCfg struct {
 	Issuer       string
@@ -35,7 +39,7 @@ type emptyObject struct {
 }
 
 // APIHandler creates the Management service HTTP API handler registering all the available endpoints.
-func APIHandler(accountManager s.AccountManager, LocationManager *geolocation.Geolocation, jwtValidator jwtclaims.JWTValidator, appMetrics telemetry.AppMetrics, authCfg AuthCfg) (http.Handler, error) {
+func APIHandler(ctx context.Context, accountManager s.AccountManager, LocationManager *geolocation.Geolocation, jwtValidator jwtclaims.JWTValidator, appMetrics telemetry.AppMetrics, authCfg AuthCfg) (http.Handler, error) {
 	claimsExtractor := jwtclaims.NewClaimsExtractor(
 		jwtclaims.WithAudience(authCfg.Audience),
 		jwtclaims.WithUserIDClaim(authCfg.UserIDClaim),
@@ -61,7 +65,8 @@ func APIHandler(accountManager s.AccountManager, LocationManager *geolocation.Ge
 	rootRouter := mux.NewRouter()
 	metricsMiddleware := appMetrics.HTTPMiddleware()
 
-	router := rootRouter.PathPrefix("/api").Subrouter()
+	prefix := apiPrefix
+	router := rootRouter.PathPrefix(prefix).Subrouter()
 	router.Use(metricsMiddleware.Handler, corsMiddleware.Handler, authMiddleware.Handler, acMiddleware.Handler)
 
 	api := apiHandler{
@@ -71,7 +76,10 @@ func APIHandler(accountManager s.AccountManager, LocationManager *geolocation.Ge
 		AuthCfg:            authCfg,
 	}
 
-	integrations.RegisterHandlers(api.Router, accountManager, claimsExtractor)
+	if _, err := integrations.RegisterHandlers(ctx, prefix, api.Router, accountManager, claimsExtractor); err != nil {
+		return nil, fmt.Errorf("register integrations endpoints: %w", err)
+	}
+
 	api.addAccountsEndpoint()
 	api.addPeersEndpoint()
 	api.addUsersEndpoint()

management/server/http/middleware/access_control.go

@@ -7,6 +7,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/status"
 
@@ -36,9 +37,13 @@ func NewAccessControl(audience, userIDClaim string, getUser GetUser) *AccessCont
 var tokenPathRegexp = regexp.MustCompile(`^.*/api/users/.*/tokens.*$`)
 
 // Handler method of the middleware which forbids all modify requests for non admin users
-// It also adds
 func (a *AccessControl) Handler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		if bypass.ShouldBypass(r.URL.Path, h, w, r) {
+			return
+		}
+
 		claims := a.claimsExtract.FromRequestContext(r)
 
 		user, err := a.getUser(claims)

management/server/http/middleware/auth_middleware.go

@@ -12,6 +12,7 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/status"
@@ -66,6 +67,11 @@ func NewAuthMiddleware(getAccountFromPAT GetAccountFromPATFunc, validateAndParse
 // Handler method of the middleware which authenticates a user either by JWT claims or by PAT
 func (m *AuthMiddleware) Handler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		if bypass.ShouldBypass(r.URL.Path, h, w, r) {
+			return
+		}
+
 		auth := strings.Split(r.Header.Get("Authorization"), " ")
 		authType := strings.ToLower(auth[0])
 

management/server/http/middleware/auth_middleware_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/golang-jwt/jwt"
 
 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 )
 
@@ -88,39 +89,68 @@ func mockCheckUserAccessByJWTGroups(claims jwtclaims.AuthorizationClaims) error
 func TestAuthMiddleware_Handler(t *testing.T) {
 	tt := []struct {
 		name               string
+		path               string
 		authHeader         string
 		expectedStatusCode int
+		shouldBypassAuth   bool
 	}{
 		{
 			name:               "Valid PAT Token",
+			path:               "/test",
 			authHeader:         "Token " + PAT,
 			expectedStatusCode: 200,
 		},
 		{
 			name:               "Invalid PAT Token",
+			path:               "/test",
 			authHeader:         "Token " + wrongToken,
 			expectedStatusCode: 401,
 		},
 		{
 			name:               "Fallback to PAT Token",
+			path:               "/test",
 			authHeader:         "Bearer " + PAT,
 			expectedStatusCode: 200,
 		},
 		{
 			name:               "Valid JWT Token",
+			path:               "/test",
 			authHeader:         "Bearer " + JWT,
 			expectedStatusCode: 200,
 		},
 		{
 			name:               "Invalid JWT Token",
+			path:               "/test",
 			authHeader:         "Bearer " + wrongToken,
 			expectedStatusCode: 401,
 		},
 		{
 			name:               "Basic Auth",
+			path:               "/test",
 			authHeader:         "Basic  " + PAT,
 			expectedStatusCode: 401,
 		},
+		{
+			name:               "Webhook Path Bypass",
+			path:               "/webhook",
+			authHeader:         "",
+			expectedStatusCode: 200,
+			shouldBypassAuth:   true,
+		},
+		{
+			name:               "Webhook Path Bypass with Subpath",
+			path:               "/webhook/test",
+			authHeader:         "",
+			expectedStatusCode: 200,
+			shouldBypassAuth:   true,
+		},
+		{
+			name:               "Different Webhook Path",
+			path:               "/webhooktest",
+			authHeader:         "",
+			expectedStatusCode: 401,
+			shouldBypassAuth:   false,
+		},
 	}
 
 	nextHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -146,7 +176,14 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
-			req := httptest.NewRequest("GET", "http://testing", nil)
+			if tc.shouldBypassAuth {
+				err := bypass.AddBypassPath(tc.path)
+				if err != nil {
+					t.Fatalf("failed to add bypass path: %v", err)
+				}
+			}
+
+			req := httptest.NewRequest("GET", "http://testing"+tc.path, nil)
 			req.Header.Set("Authorization", tc.authHeader)
 			rec := httptest.NewRecorder()
 
@@ -159,5 +196,4 @@ func TestAuthMiddleware_Handler(t *testing.T) {
 			}
 		})
 	}
-
 }

management/server/http/middleware/bypass/bypass.go

@@ -0,0 +1,74 @@
+package bypass
+
+import (
+	"fmt"
+	"net/http"
+	"path"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+)
+
+var byPassMutex sync.RWMutex
+
+// bypassPaths is a set of paths that should bypass middleware.
+var bypassPaths = make(map[string]struct{})
+
+// AddBypassPath adds an exact path to the list of paths that bypass middleware.
+// Paths can include wildcards, such as /api/*. Paths are matched using path.Match.
+// Returns an error if the path has invalid pattern.
+func AddBypassPath(path string) error {
+	byPassMutex.Lock()
+	defer byPassMutex.Unlock()
+	if err := validatePath(path); err != nil {
+		return fmt.Errorf("validate: %w", err)
+	}
+	bypassPaths[path] = struct{}{}
+	return nil
+}
+
+// RemovePath removes a path from the list of paths that bypass middleware.
+func RemovePath(path string) {
+	byPassMutex.Lock()
+	defer byPassMutex.Unlock()
+	delete(bypassPaths, path)
+}
+
+// GetList returns a list of all bypass paths.
+func GetList() []string {
+	byPassMutex.RLock()
+	defer byPassMutex.RUnlock()
+
+	list := make([]string, 0, len(bypassPaths))
+	for k := range bypassPaths {
+		list = append(list, k)
+	}
+
+	return list
+}
+
+// ShouldBypass checks if the request path is one of the auth bypass paths and returns true if the middleware should be bypassed.
+// This can be used to bypass authz/authn middlewares for certain paths, such as webhooks that implement their own authentication.
+func ShouldBypass(requestPath string, h http.Handler, w http.ResponseWriter, r *http.Request) bool {
+	byPassMutex.RLock()
+	defer byPassMutex.RUnlock()
+
+	for bypassPath := range bypassPaths {
+		matched, err := path.Match(bypassPath, requestPath)
+		if err != nil {
+			log.Errorf("Error matching path %s with %s from %s: %v", bypassPath, requestPath, GetList(), err)
+			continue
+		}
+		if matched {
+			h.ServeHTTP(w, r)
+			return true
+		}
+	}
+
+	return false
+}
+
+func validatePath(p string) error {
+	_, err := path.Match(p, "")
+	return err
+}

management/server/http/middleware/bypass/bypass_test.go

@@ -0,0 +1,131 @@
+package bypass_test
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/management/server/http/middleware/bypass"
+)
+
+func TestGetList(t *testing.T) {
+	bypassPaths := []string{"/path1", "/path2", "/path3"}
+
+	for _, path := range bypassPaths {
+		err := bypass.AddBypassPath(path)
+		require.NoError(t, err, "Adding bypass path should not fail")
+	}
+
+	list := bypass.GetList()
+
+	assert.ElementsMatch(t, bypassPaths, list, "Bypass path list did not match expected paths")
+}
+
+func TestAuthBypass(t *testing.T) {
+	dummyHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	tests := []struct {
+		name           string
+		pathToAdd      string
+		pathToRemove   string
+		testPath       string
+		expectBypass   bool
+		expectHTTPCode int
+	}{
+		{
+			name:           "Path added to bypass",
+			pathToAdd:      "/bypass",
+			testPath:       "/bypass",
+			expectBypass:   true,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Wildcard path added to bypass",
+			pathToAdd:      "/bypass/*",
+			testPath:       "/bypass/extra",
+			expectBypass:   true,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Path not added to bypass",
+			testPath:       "/no-bypass",
+			expectBypass:   false,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Path removed from bypass",
+			pathToAdd:      "/remove-bypass",
+			pathToRemove:   "/remove-bypass",
+			testPath:       "/remove-bypass",
+			expectBypass:   false,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Exact path matches bypass",
+			pathToAdd:      "/webhook",
+			testPath:       "/webhook",
+			expectBypass:   true,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Subpath does not match bypass",
+			pathToAdd:      "/webhook",
+			testPath:       "/webhook/extra",
+			expectBypass:   false,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Wildcard subpath does not match bypass",
+			pathToAdd:      "/webhook/*",
+			testPath:       "/webhook/extra/path",
+			expectBypass:   false,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Similar path does not match bypass",
+			pathToAdd:      "/webhook",
+			testPath:       "/webhooking",
+			expectBypass:   false,
+			expectHTTPCode: http.StatusOK,
+		},
+		{
+			name:           "Prefix path does not match bypass",
+			pathToAdd:      "/webhook",
+			testPath:       "/web",
+			expectBypass:   false,
+			expectHTTPCode: http.StatusOK,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.pathToAdd != "" {
+				err := bypass.AddBypassPath(tc.pathToAdd)
+				require.NoError(t, err, "Adding bypass path should not fail")
+				defer bypass.RemovePath(tc.pathToAdd)
+			}
+
+			if tc.pathToRemove != "" {
+				bypass.RemovePath(tc.pathToRemove)
+			}
+
+			request, err := http.NewRequest("GET", tc.testPath, nil)
+			require.NoError(t, err, "Creating request should not fail")
+
+			recorder := httptest.NewRecorder()
+
+			bypassed := bypass.ShouldBypass(tc.testPath, dummyHandler, recorder, request)
+
+			assert.Equal(t, tc.expectBypass, bypassed, "Bypass check did not match expectation")
+
+			if tc.expectBypass {
+				assert.Equal(t, tc.expectHTTPCode, recorder.Code, "HTTP status code did not match expectation for bypassed path")
+			}
+		})
+	}
+}

management/server/http/peers_handler.go

@@ -3,7 +3,6 @@ package http
 import (
 	"encoding/json"
 	"fmt"
-	"net"
 	"net/http"
 
 	"github.com/gorilla/mux"
@@ -231,44 +230,36 @@ func toGroupsInfo(groups map[string]*server.Group, peerID string) []api.GroupMin
 	return groupsInfo
 }
 
-func connectionIPoString(ip net.IP) *string {
-	publicIP := ""
-	if ip != nil {
-		publicIP = ip.String()
-	}
-	return &publicIP
-}
-
 func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeer []api.AccessiblePeer) *api.Peer {
 	osVersion := peer.Meta.OSVersion
 	if osVersion == "" {
 		osVersion = peer.Meta.Core
 	}
-	geonameID := int(peer.Location.GeoNameID)
+
 	return &api.Peer{
 		Id:                     peer.ID,
 		Name:                   peer.Name,
 		Ip:                     peer.IP.String(),
-		ConnectionIp:           connectionIPoString(peer.Location.ConnectionIP),
+		ConnectionIp:           peer.Location.ConnectionIP.String(),
 		Connected:              peer.Status.Connected,
 		LastSeen:               peer.Status.LastSeen,
 		Os:                     fmt.Sprintf("%s %s", peer.Meta.OS, osVersion),
-		KernelVersion:          &peer.Meta.KernelVersion,
-		GeonameId:              &geonameID,
+		KernelVersion:          peer.Meta.KernelVersion,
+		GeonameId:              int(peer.Location.GeoNameID),
 		Version:                peer.Meta.WtVersion,
 		Groups:                 groupsInfo,
 		SshEnabled:             peer.SSHEnabled,
 		Hostname:               peer.Meta.Hostname,
-		UserId:                 &peer.UserID,
-		UiVersion:              &peer.Meta.UIVersion,
+		UserId:                 peer.UserID,
+		UiVersion:              peer.Meta.UIVersion,
 		DnsLabel:               fqdn(peer, dnsDomain),
 		LoginExpirationEnabled: peer.LoginExpirationEnabled,
 		LastLogin:              peer.LastLogin,
 		LoginExpired:           peer.Status.LoginExpired,
 		AccessiblePeers:        accessiblePeer,
 		ApprovalRequired:       &peer.Status.RequiresApproval,
-		CountryCode:            &peer.Location.CountryCode,
-		CityName:               &peer.Location.CityName,
+		CountryCode:            peer.Location.CountryCode,
+		CityName:               peer.Location.CityName,
 	}
 }
 
@@ -277,31 +268,31 @@ func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dn
 	if osVersion == "" {
 		osVersion = peer.Meta.Core
 	}
-	geonameID := int(peer.Location.GeoNameID)
+
 	return &api.PeerBatch{
 		Id:                     peer.ID,
 		Name:                   peer.Name,
 		Ip:                     peer.IP.String(),
-		ConnectionIp:           connectionIPoString(peer.Location.ConnectionIP),
+		ConnectionIp:           peer.Location.ConnectionIP.String(),
 		Connected:              peer.Status.Connected,
 		LastSeen:               peer.Status.LastSeen,
 		Os:                     fmt.Sprintf("%s %s", peer.Meta.OS, osVersion),
-		KernelVersion:          &peer.Meta.KernelVersion,
-		GeonameId:              &geonameID,
+		KernelVersion:          peer.Meta.KernelVersion,
+		GeonameId:              int(peer.Location.GeoNameID),
 		Version:                peer.Meta.WtVersion,
 		Groups:                 groupsInfo,
 		SshEnabled:             peer.SSHEnabled,
 		Hostname:               peer.Meta.Hostname,
-		UserId:                 &peer.UserID,
-		UiVersion:              &peer.Meta.UIVersion,
+		UserId:                 peer.UserID,
+		UiVersion:              peer.Meta.UIVersion,
 		DnsLabel:               fqdn(peer, dnsDomain),
 		LoginExpirationEnabled: peer.LoginExpirationEnabled,
 		LastLogin:              peer.LastLogin,
 		LoginExpired:           peer.Status.LoginExpired,
 		AccessiblePeersCount:   accessiblePeersCount,
 		ApprovalRequired:       &peer.Status.RequiresApproval,
-		CountryCode:            &peer.Location.CountryCode,
-		CityName:               &peer.Location.CityName,
+		CountryCode:            peer.Location.CountryCode,
+		CityName:               peer.Location.CityName,
 	}
 }
 

management/server/http/posture_checks_handler.go

@@ -3,6 +3,7 @@ package http
 import (
 	"encoding/json"
 	"net/http"
+	"net/netip"
 	"regexp"
 	"slices"
 
@@ -212,6 +213,14 @@ func (p *PostureChecksHandler) savePostureChecks(
 		postureChecks.Checks.GeoLocationCheck = toPostureGeoLocationCheck(geoLocationCheck)
 	}
 
+	if peerNetworkRangeCheck := req.Checks.PeerNetworkRangeCheck; peerNetworkRangeCheck != nil {
+		postureChecks.Checks.PeerNetworkRangeCheck, err = toPeerNetworkRangeCheck(peerNetworkRangeCheck)
+		if err != nil {
+			util.WriteError(status.Errorf(status.InvalidArgument, "invalid network prefix"), w)
+			return
+		}
+	}
+
 	if err := p.accountManager.SavePostureChecks(account.Id, user.Id, &postureChecks); err != nil {
 		util.WriteError(err, w)
 		return
@@ -226,7 +235,7 @@ func validatePostureChecksUpdate(req api.PostureCheckUpdate) error {
 	}
 
 	if req.Checks == nil || (req.Checks.NbVersionCheck == nil && req.Checks.OsVersionCheck == nil &&
-		req.Checks.GeoLocationCheck == nil) {
+		req.Checks.GeoLocationCheck == nil && req.Checks.PeerNetworkRangeCheck == nil) {
 		return status.Errorf(status.InvalidArgument, "posture checks shouldn't be empty")
 	}
 
@@ -267,7 +276,20 @@ func validatePostureChecksUpdate(req api.PostureCheckUpdate) error {
 				return status.Errorf(status.InvalidArgument, "country code must be 2 letters (ISO 3166-1 alpha-2 format)")
 			}
 		}
+	}
 
+	if peerNetworkRangeCheck := req.Checks.PeerNetworkRangeCheck; peerNetworkRangeCheck != nil {
+		if peerNetworkRangeCheck.Action == "" {
+			return status.Errorf(status.InvalidArgument, "action for peer network range check shouldn't be empty")
+		}
+
+		allowedActions := []api.PeerNetworkRangeCheckAction{api.PeerNetworkRangeCheckActionAllow, api.PeerNetworkRangeCheckActionDeny}
+		if !slices.Contains(allowedActions, peerNetworkRangeCheck.Action) {
+			return status.Errorf(status.InvalidArgument, "action for peer network range check is not valid value")
+		}
+		if len(peerNetworkRangeCheck.Ranges) == 0 {
+			return status.Errorf(status.InvalidArgument, "network ranges for peer network range check shouldn't be empty")
+		}
 	}
 
 	return nil
@@ -296,6 +318,10 @@ func toPostureChecksResponse(postureChecks *posture.Checks) *api.PostureCheck {
 		checks.GeoLocationCheck = toGeoLocationCheckResponse(postureChecks.Checks.GeoLocationCheck)
 	}
 
+	if postureChecks.Checks.PeerNetworkRangeCheck != nil {
+		checks.PeerNetworkRangeCheck = toPeerNetworkRangeCheckResponse(postureChecks.Checks.PeerNetworkRangeCheck)
+	}
+
 	return &api.PostureCheck{
 		Id:          postureChecks.ID,
 		Name:        postureChecks.Name,
@@ -342,3 +368,31 @@ func toPostureGeoLocationCheck(apiGeoLocationCheck *api.GeoLocationCheck) *postu
 		Locations: locations,
 	}
 }
+
+func toPeerNetworkRangeCheckResponse(check *posture.PeerNetworkRangeCheck) *api.PeerNetworkRangeCheck {
+	netPrefixes := make([]string, 0, len(check.Ranges))
+	for _, netPrefix := range check.Ranges {
+		netPrefixes = append(netPrefixes, netPrefix.String())
+	}
+
+	return &api.PeerNetworkRangeCheck{
+		Ranges: netPrefixes,
+		Action: api.PeerNetworkRangeCheckAction(check.Action),
+	}
+}
+
+func toPeerNetworkRangeCheck(check *api.PeerNetworkRangeCheck) (*posture.PeerNetworkRangeCheck, error) {
+	prefixes := make([]netip.Prefix, 0)
+	for _, prefix := range check.Ranges {
+		parsedPrefix, err := netip.ParsePrefix(prefix)
+		if err != nil {
+			return nil, err
+		}
+		prefixes = append(prefixes, parsedPrefix)
+	}
+
+	return &posture.PeerNetworkRangeCheck{
+		Ranges: prefixes,
+		Action: string(check.Action),
+	}, nil
+}

management/server/http/posture_checks_handler_test.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"net/netip"
 	"strings"
 	"testing"
 
@@ -122,7 +123,19 @@ func TestGetPostureCheck(t *testing.T) {
 						CityName:    "Berlin",
 					},
 				},
-				Action: posture.GeoLocationActionAllow,
+				Action: posture.CheckActionAllow,
+			},
+		},
+	}
+	privateNetworkCheck := &posture.Checks{
+		ID:   "privateNetworkPostureCheck",
+		Name: "privateNetwork",
+		Checks: posture.ChecksDefinition{
+			PeerNetworkRangeCheck: &posture.PeerNetworkRangeCheck{
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+				},
+				Action: posture.CheckActionAllow,
 			},
 		},
 	}
@@ -156,6 +169,13 @@ func TestGetPostureCheck(t *testing.T) {
 			checkName:      geoPostureCheck.Name,
 			expectedStatus: http.StatusOK,
 		},
+		{
+			name:           "GetPostureCheck PrivateNetwork OK",
+			expectedBody:   true,
+			id:             privateNetworkCheck.ID,
+			checkName:      privateNetworkCheck.Name,
+			expectedStatus: http.StatusOK,
+		},
 		{
 			name:           "GetPostureCheck Not Found",
 			id:             "not-exists",
@@ -163,7 +183,7 @@ func TestGetPostureCheck(t *testing.T) {
 		},
 	}
 
-	p := initPostureChecksTestData(postureCheck, osPostureCheck, geoPostureCheck)
+	p := initPostureChecksTestData(postureCheck, osPostureCheck, geoPostureCheck, privateNetworkCheck)
 
 	for _, tc := range tt {
 		t.Run(tc.name, func(t *testing.T) {
@@ -354,6 +374,39 @@ func TestPostureCheckUpdate(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:        "Create Posture Checks Peer Network Range",
+			requestType: http.MethodPost,
+			requestPath: "/api/posture-checks",
+			requestBody: bytes.NewBuffer(
+				[]byte(`{
+					"name": "default",
+					"description": "default",
+					"checks": {
+						"peer_network_range_check": {
+							"action": "allow",
+							"ranges": [
+								"10.0.0.0/8"
+							]
+						}
+					}
+					}`)),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedPostureCheck: &api.PostureCheck{
+				Id:          "postureCheck",
+				Name:        "default",
+				Description: str("default"),
+				Checks: api.Checks{
+					PeerNetworkRangeCheck: &api.PeerNetworkRangeCheck{
+						Ranges: []string{
+							"10.0.0.0/8",
+						},
+						Action: api.PeerNetworkRangeCheckActionAllow,
+					},
+				},
+			},
+		},
 		{
 			name:        "Create Posture Checks Geo Location with No geolocation DB",
 			requestType: http.MethodPost,
@@ -661,6 +714,38 @@ func TestPostureCheckUpdate(t *testing.T) {
 			expectedStatus: http.StatusBadRequest,
 			expectedBody:   false,
 		},
+		{
+			name:        "Update Posture Checks Peer Network Range",
+			requestType: http.MethodPut,
+			requestPath: "/api/posture-checks/peerNetworkRangePostureCheck",
+			requestBody: bytes.NewBuffer(
+				[]byte(`{
+					"name": "default",
+					"checks": {
+						"peer_network_range_check": {
+							"action": "deny",
+							"ranges": [
+								"192.168.1.0/24"
+							]
+						}
+					}
+					}`)),
+			expectedStatus: http.StatusOK,
+			expectedBody:   true,
+			expectedPostureCheck: &api.PostureCheck{
+				Id:          "postureCheck",
+				Name:        "default",
+				Description: str(""),
+				Checks: api.Checks{
+					PeerNetworkRangeCheck: &api.PeerNetworkRangeCheck{
+						Ranges: []string{
+							"192.168.1.0/24",
+						},
+						Action: api.PeerNetworkRangeCheckActionDeny,
+					},
+				},
+			},
+		},
 	}
 
 	p := initPostureChecksTestData(&posture.Checks{
@@ -694,7 +779,19 @@ func TestPostureCheckUpdate(t *testing.T) {
 							CityName:    "Berlin",
 						},
 					},
-					Action: posture.GeoLocationActionDeny,
+					Action: posture.CheckActionDeny,
+				},
+			},
+		},
+		&posture.Checks{
+			ID:   "peerNetworkRangePostureCheck",
+			Name: "peerNetworkRange",
+			Checks: posture.ChecksDefinition{
+				PeerNetworkRangeCheck: &posture.PeerNetworkRangeCheck{
+					Ranges: []netip.Prefix{
+						netip.MustParsePrefix("192.168.0.0/24"),
+					},
+					Action: posture.CheckActionAllow,
 				},
 			},
 		},
@@ -793,4 +890,51 @@ func TestPostureCheck_validatePostureChecksUpdate(t *testing.T) {
 	}
 	err = validatePostureChecksUpdate(api.PostureCheckUpdate{Name: "Default", Checks: &api.Checks{OsVersionCheck: &osVersionCheck}})
 	assert.NoError(t, err)
+
+	// valid peer network range check
+	peerNetworkRangeCheck := api.PeerNetworkRangeCheck{
+		Action: api.PeerNetworkRangeCheckActionAllow,
+		Ranges: []string{
+			"192.168.1.0/24", "10.0.0.0/8",
+		},
+	}
+	err = validatePostureChecksUpdate(
+		api.PostureCheckUpdate{
+			Name: "Default",
+			Checks: &api.Checks{
+				PeerNetworkRangeCheck: &peerNetworkRangeCheck,
+			},
+		},
+	)
+	assert.NoError(t, err)
+
+	// invalid peer network range check
+	peerNetworkRangeCheck = api.PeerNetworkRangeCheck{
+		Action: api.PeerNetworkRangeCheckActionDeny,
+		Ranges: []string{},
+	}
+	err = validatePostureChecksUpdate(
+		api.PostureCheckUpdate{
+			Name: "Default",
+			Checks: &api.Checks{
+				PeerNetworkRangeCheck: &peerNetworkRangeCheck,
+			},
+		},
+	)
+	assert.Error(t, err)
+
+	// invalid peer network range check
+	peerNetworkRangeCheck = api.PeerNetworkRangeCheck{
+		Action: "unknownAction",
+		Ranges: []string{},
+	}
+	err = validatePostureChecksUpdate(
+		api.PostureCheckUpdate{
+			Name: "Default",
+			Checks: &api.Checks{
+				PeerNetworkRangeCheck: &peerNetworkRangeCheck,
+			},
+		},
+	)
+	assert.Error(t, err)
 }

management/server/idp/auth0.go

@@ -114,6 +114,22 @@ type auth0Profile struct {
 	LastLogin     string `json:"last_login"`
 }
 
+// Connections represents a single Auth0 connection
+// https://auth0.com/docs/api/management/v2/connections/get-connections
+type Connection struct {
+	Id                 string            `json:"id"`
+	Name               string            `json:"name"`
+	DisplayName        string            `json:"display_name"`
+	IsDomainConnection bool              `json:"is_domain_connection"`
+	Realms             []string          `json:"realms"`
+	Metadata           map[string]string `json:"metadata"`
+	Options            ConnectionOptions `json:"options"`
+}
+
+type ConnectionOptions struct {
+	DomainAliases []string `json:"domain_aliases"`
+}
+
 // NewAuth0Manager creates a new instance of the Auth0Manager
 func NewAuth0Manager(config Auth0ClientConfig, appMetrics telemetry.AppMetrics) (*Auth0Manager, error) {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
@@ -581,13 +597,13 @@ func (am *Auth0Manager) GetAllAccounts() (map[string][]*UserData, error) {
 
 	body, err := io.ReadAll(jobResp.Body)
 	if err != nil {
-		log.Debugf("Coudln't read export job response; %v", err)
+		log.Debugf("Couldn't read export job response; %v", err)
 		return nil, err
 	}
 
 	err = am.helper.Unmarshal(body, &exportJobResp)
 	if err != nil {
-		log.Debugf("Coudln't unmarshal export job response; %v", err)
+		log.Debugf("Couldn't unmarshal export job response; %v", err)
 		return nil, err
 	}
 
@@ -635,7 +651,7 @@ func (am *Auth0Manager) GetUserByEmail(email string) ([]*UserData, error) {
 
 	err = am.helper.Unmarshal(body, &userResp)
 	if err != nil {
-		log.Debugf("Coudln't unmarshal export job response; %v", err)
+		log.Debugf("Couldn't unmarshal export job response; %v", err)
 		return nil, err
 	}
 
@@ -684,13 +700,13 @@ func (am *Auth0Manager) CreateUser(email, name, accountID, invitedByEmail string
 
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		log.Debugf("Coudln't read export job response; %v", err)
+		log.Debugf("Couldn't read export job response; %v", err)
 		return nil, err
 	}
 
 	err = am.helper.Unmarshal(body, &createResp)
 	if err != nil {
-		log.Debugf("Coudln't unmarshal export job response; %v", err)
+		log.Debugf("Couldn't unmarshal export job response; %v", err)
 		return nil, err
 	}
 
@@ -777,6 +793,56 @@ func (am *Auth0Manager) DeleteUser(userID string) error {
 	return nil
 }
 
+// GetAllConnections returns detailed list of all connections filtered by given params.
+// Note this method is not part of the IDP Manager interface as this is Auth0 specific.
+func (am *Auth0Manager) GetAllConnections(strategy []string) ([]Connection, error) {
+	var connections []Connection
+
+	q := make(url.Values)
+	q.Set("strategy", strings.Join(strategy, ","))
+
+	req, err := am.createRequest(http.MethodGet, "/api/v2/connections?"+q.Encode(), nil)
+	if err != nil {
+		return connections, err
+	}
+
+	resp, err := am.httpClient.Do(req)
+	if err != nil {
+		log.Debugf("execute get connections request: %v", err)
+		if am.appMetrics != nil {
+			am.appMetrics.IDPMetrics().CountRequestError()
+		}
+		return connections, err
+	}
+
+	defer func() {
+		err = resp.Body.Close()
+		if err != nil {
+			log.Errorf("close get connections request body: %v", err)
+		}
+	}()
+	if resp.StatusCode != 200 {
+		if am.appMetrics != nil {
+			am.appMetrics.IDPMetrics().CountRequestStatusError()
+		}
+		return connections, fmt.Errorf("unable to get connections, statusCode %d", resp.StatusCode)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Debugf("Couldn't read get connections response; %v", err)
+		return connections, err
+	}
+
+	err = am.helper.Unmarshal(body, &connections)
+	if err != nil {
+		log.Debugf("Couldn't unmarshal get connection response; %v", err)
+		return connections, err
+	}
+
+	return connections, err
+}
+
 // checkExportJobStatus checks the status of the job created at CreateExportUsersJob.
 // If the status is "completed", then return the downloadLink
 func (am *Auth0Manager) checkExportJobStatus(jobID string) (bool, string, error) {

management/server/mock_server/account_mock.go

@@ -1,6 +1,7 @@
 package mock_server
 
 import (
+	"context"
 	"net"
 	"time"
 
@@ -10,6 +11,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
@@ -75,7 +77,7 @@ type MockAccountManager struct {
 	CheckUserAccessByJWTGroupsFunc  func(claims jwtclaims.AuthorizationClaims) error
 	DeleteAccountFunc               func(accountID, userID string) error
 	GetDNSDomainFunc                func() string
-	StoreEventFunc                  func(initiatorID, targetID, accountID string, activityID activity.Activity, meta map[string]any)
+	StoreEventFunc                  func(initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any)
 	GetEventsFunc                   func(accountID, userID string) ([]*activity.Event, error)
 	GetDNSSettingsFunc              func(accountID, userID string) (*server.DNSSettings, error)
 	SaveDNSSettingsFunc             func(accountID, userID string, dnsSettingsToSave *server.DNSSettings) error
@@ -91,6 +93,8 @@ type MockAccountManager struct {
 	SavePostureChecksFunc           func(accountID, userID string, postureChecks *posture.Checks) error
 	DeletePostureChecksFunc         func(accountID, postureChecksID, userID string) error
 	ListPostureChecksFunc           func(accountID, userID string) ([]*posture.Checks, error)
+	GetUsageFunc                    func(ctx context.Context, accountID string, start, end time.Time) (*server.AccountUsageStats, error)
+	GetIdpManagerFunc               func() idp.Manager
 }
 
 // GetUsersFromAccount mock implementation of GetUsersFromAccount from server.AccountManager interface
@@ -646,7 +650,7 @@ func (am *MockAccountManager) GetAllConnectedPeers() (map[string]struct{}, error
 	return nil, status.Errorf(codes.Unimplemented, "method GetAllConnectedPeers is not implemented")
 }
 
-// HasconnectedChannel mocks HasConnectedChannel of the AccountManager interface
+// HasConnectedChannel mocks HasConnectedChannel of the AccountManager interface
 func (am *MockAccountManager) HasConnectedChannel(peerID string) bool {
 	if am.HasConnectedChannelFunc != nil {
 		return am.HasConnectedChannelFunc(peerID)
@@ -655,7 +659,7 @@ func (am *MockAccountManager) HasConnectedChannel(peerID string) bool {
 }
 
 // StoreEvent mocks StoreEvent of the AccountManager interface
-func (am *MockAccountManager) StoreEvent(initiatorID, targetID, accountID string, activityID activity.Activity, meta map[string]any) {
+func (am *MockAccountManager) StoreEvent(initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any) {
 	if am.StoreEventFunc != nil {
 		am.StoreEventFunc(initiatorID, targetID, accountID, activityID, meta)
 	}
@@ -702,3 +706,19 @@ func (am *MockAccountManager) ListPostureChecks(accountID, userID string) ([]*po
 	}
 	return nil, status.Errorf(codes.Unimplemented, "method ListPostureChecks is not implemented")
 }
+
+// GetUsage mocks GetUsage of the AccountManager interface
+func (am *MockAccountManager) GetUsage(ctx context.Context, accountID string, start time.Time, end time.Time) (*server.AccountUsageStats, error) {
+	if am.GetUsageFunc != nil {
+		return am.GetUsageFunc(ctx, accountID, start, end)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method GetUsage is not implemented")
+}
+
+// GetIdpManager mocks GetIdpManager of the AccountManager interface
+func (am *MockAccountManager) GetIdpManager() idp.Manager {
+	if am.GetIdpManagerFunc != nil {
+		return am.GetIdpManagerFunc()
+	}
+	return nil
+}

management/server/peer.go

@@ -410,6 +410,8 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.P
 		return nil, nil, err
 	}
 
+	registrationTime := time.Now().UTC()
+
 	newPeer := &nbpeer.Peer{
 		ID:                     xid.New().String(),
 		Key:                    peer.Key,
@@ -419,10 +421,11 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.P
 		Name:                   peer.Meta.Hostname,
 		DNSLabel:               newLabel,
 		UserID:                 userID,
-		Status:                 &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:                 &nbpeer.PeerStatus{Connected: false, LastSeen: registrationTime},
 		SSHEnabled:             false,
 		SSHKey:                 peer.SSHKey,
-		LastLogin:              time.Now().UTC(),
+		LastLogin:              registrationTime,
+		CreatedAt:              registrationTime,
 		LoginExpirationEnabled: addedByUser,
 		Ephemeral:              ephemeral,
 	}

management/server/peer/peer.go

@@ -40,13 +40,15 @@ type Peer struct {
 	LoginExpirationEnabled bool
 	// LastLogin the time when peer performed last login operation
 	LastLogin time.Time
+	// CreatedAt records the time the peer was created
+	CreatedAt time.Time
 	// Indicate ephemeral peer attribute
 	Ephemeral bool
 	// Geo location based on connection IP
 	Location Location `gorm:"embedded;embeddedPrefix:location_"`
 }
 
-type PeerStatus struct {
+type PeerStatus struct { //nolint:revive
 	// LastSeen is the last time peer was connected to the management service
 	LastSeen time.Time
 	// Connected indicates whether peer is connected to the management service or not
@@ -71,8 +73,14 @@ type NetworkAddress struct {
 	Mac   string
 }
 
+// Environment is a system environment information
+type Environment struct {
+	Cloud    string
+	Platform string
+}
+
 // PeerSystemMeta is a metadata of a Peer machine system
-type PeerSystemMeta struct {
+type PeerSystemMeta struct { //nolint:revive
 	Hostname           string
 	GoOS               string
 	Kernel             string
@@ -87,6 +95,7 @@ type PeerSystemMeta struct {
 	SystemSerialNumber string
 	SystemProductName  string
 	SystemManufacturer string
+	Environment        Environment `gorm:"serializer:json"`
 }
 
 func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
@@ -119,7 +128,9 @@ func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
 		p.UIVersion == other.UIVersion &&
 		p.SystemSerialNumber == other.SystemSerialNumber &&
 		p.SystemProductName == other.SystemProductName &&
-		p.SystemManufacturer == other.SystemManufacturer
+		p.SystemManufacturer == other.SystemManufacturer &&
+		p.Environment.Cloud == other.Environment.Cloud &&
+		p.Environment.Platform == other.Environment.Platform
 }
 
 // AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
@@ -148,6 +159,7 @@ func (p *Peer) Copy() *Peer {
 		SSHEnabled:             p.SSHEnabled,
 		LoginExpirationEnabled: p.LoginExpirationEnabled,
 		LastLogin:              p.LastLogin,
+		CreatedAt:              p.CreatedAt,
 		Ephemeral:              p.Ephemeral,
 		Location:               p.Location,
 	}
@@ -204,7 +216,7 @@ func (p *Peer) FQDN(dnsDomain string) string {
 
 // EventMeta returns activity event meta related to the peer
 func (p *Peer) EventMeta(dnsDomain string) map[string]any {
-	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP}
+	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP, "created_at": p.CreatedAt}
 }
 
 // Copy PeerStatus

management/server/posture/checks.go

@@ -2,6 +2,7 @@ package posture
 
 import (
 	"fmt"
+	"net/netip"
 
 	"github.com/hashicorp/go-version"
 
@@ -9,9 +10,13 @@ import (
 )
 
 const (
-	NBVersionCheckName   = "NBVersionCheck"
-	OSVersionCheckName   = "OSVersionCheck"
-	GeoLocationCheckName = "GeoLocationCheck"
+	NBVersionCheckName        = "NBVersionCheck"
+	OSVersionCheckName        = "OSVersionCheck"
+	GeoLocationCheckName      = "GeoLocationCheck"
+	PeerNetworkRangeCheckName = "PeerNetworkRangeCheck"
+
+	CheckActionAllow string = "allow"
+	CheckActionDeny  string = "deny"
 )
 
 // Check represents an interface for performing a check on a peer.
@@ -39,9 +44,10 @@ type Checks struct {
 
 // ChecksDefinition contains definition of actual check
 type ChecksDefinition struct {
-	NBVersionCheck   *NBVersionCheck   `json:",omitempty"`
-	OSVersionCheck   *OSVersionCheck   `json:",omitempty"`
-	GeoLocationCheck *GeoLocationCheck `json:",omitempty"`
+	NBVersionCheck        *NBVersionCheck        `json:",omitempty"`
+	OSVersionCheck        *OSVersionCheck        `json:",omitempty"`
+	GeoLocationCheck      *GeoLocationCheck      `json:",omitempty"`
+	PeerNetworkRangeCheck *PeerNetworkRangeCheck `json:",omitempty"`
 }
 
 // Copy returns a copy of a checks definition.
@@ -54,7 +60,7 @@ func (cd ChecksDefinition) Copy() ChecksDefinition {
 	}
 	if cd.OSVersionCheck != nil {
 		cdCopy.OSVersionCheck = &OSVersionCheck{}
-		osCheck := cdCopy.OSVersionCheck
+		osCheck := cd.OSVersionCheck
 		if osCheck.Android != nil {
 			cdCopy.OSVersionCheck.Android = &MinVersionCheck{MinVersion: osCheck.Android.MinVersion}
 		}
@@ -79,6 +85,14 @@ func (cd ChecksDefinition) Copy() ChecksDefinition {
 		}
 		copy(cdCopy.GeoLocationCheck.Locations, geoCheck.Locations)
 	}
+	if cd.PeerNetworkRangeCheck != nil {
+		peerNetRangeCheck := cd.PeerNetworkRangeCheck
+		cdCopy.PeerNetworkRangeCheck = &PeerNetworkRangeCheck{
+			Action: peerNetRangeCheck.Action,
+			Ranges: make([]netip.Prefix, len(peerNetRangeCheck.Ranges)),
+		}
+		copy(cdCopy.PeerNetworkRangeCheck.Ranges, peerNetRangeCheck.Ranges)
+	}
 	return cdCopy
 }
 
@@ -116,6 +130,9 @@ func (pc *Checks) GetChecks() []Check {
 	if pc.Checks.GeoLocationCheck != nil {
 		checks = append(checks, pc.Checks.GeoLocationCheck)
 	}
+	if pc.Checks.PeerNetworkRangeCheck != nil {
+		checks = append(checks, pc.Checks.PeerNetworkRangeCheck)
+	}
 	return checks
 }
 

management/server/posture/checks_test.go

@@ -2,6 +2,7 @@ package posture
 
 import (
 	"encoding/json"
+	"net/netip"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -216,3 +217,62 @@ func TestChecks_Validate(t *testing.T) {
 		})
 	}
 }
+
+func TestChecks_Copy(t *testing.T) {
+	check := &Checks{
+		ID:          "1",
+		Name:        "default",
+		Description: "description",
+		AccountID:   "accountID",
+		Checks: ChecksDefinition{
+			NBVersionCheck: &NBVersionCheck{
+				MinVersion: "0.25.0",
+			},
+			OSVersionCheck: &OSVersionCheck{
+				Android: &MinVersionCheck{
+					MinVersion: "13",
+				},
+				Darwin: &MinVersionCheck{
+					MinVersion: "14.2.0",
+				},
+				Ios: &MinVersionCheck{
+					MinVersion: "17.3.0",
+				},
+				Linux: &MinKernelVersionCheck{
+					MinKernelVersion: "6.5.11-linuxkit",
+				},
+				Windows: &MinKernelVersionCheck{
+					MinKernelVersion: "10.0.14393",
+				},
+			},
+			GeoLocationCheck: &GeoLocationCheck{
+				Locations: []Location{
+					{
+						CountryCode: "DE",
+						CityName:    "Berlin",
+					},
+				},
+				Action: CheckActionAllow,
+			},
+			PeerNetworkRangeCheck: &PeerNetworkRangeCheck{
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+				Action: CheckActionDeny,
+			},
+		},
+	}
+	checkCopy := check.Copy()
+
+	assert.Equal(t, check.ID, checkCopy.ID)
+	assert.Equal(t, check.Name, checkCopy.Name)
+	assert.Equal(t, check.Description, checkCopy.Description)
+	assert.Equal(t, check.AccountID, checkCopy.AccountID)
+	assert.Equal(t, check.Checks.Copy(), checkCopy.Checks.Copy())
+	assert.ElementsMatch(t, check.GetChecks(), checkCopy.GetChecks())
+
+	// Updating the original check should not take effect on copy
+	check.Name = "name"
+	assert.NotSame(t, check, checkCopy)
+}

management/server/posture/geo_location.go

@@ -6,11 +6,6 @@ import (
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )
 
-const (
-	GeoLocationActionAllow string = "allow"
-	GeoLocationActionDeny  string = "deny"
-)
-
 type Location struct {
 	// CountryCode 2-letter ISO 3166-1 alpha-2 code that represents the country
 	CountryCode string
@@ -39,9 +34,9 @@ func (g *GeoLocationCheck) Check(peer nbpeer.Peer) (bool, error) {
 		if loc.CountryCode == peer.Location.CountryCode {
 			if loc.CityName == "" || loc.CityName == peer.Location.CityName {
 				switch g.Action {
-				case GeoLocationActionDeny:
+				case CheckActionDeny:
 					return false, nil
-				case GeoLocationActionAllow:
+				case CheckActionAllow:
 					return true, nil
 				default:
 					return false, fmt.Errorf("invalid geo location action: %s", g.Action)
@@ -51,11 +46,11 @@ func (g *GeoLocationCheck) Check(peer nbpeer.Peer) (bool, error) {
 	}
 	// At this point, no location in the list matches the peer's location
 	// For action deny and no location match, allow the peer
-	if g.Action == GeoLocationActionDeny {
+	if g.Action == CheckActionDeny {
 		return true, nil
 	}
 	// For action allow and no location match, deny the peer
-	if g.Action == GeoLocationActionAllow {
+	if g.Action == CheckActionAllow {
 		return false, nil
 	}
 

management/server/posture/geo_location_test.go

@@ -35,7 +35,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Berlin",
 					},
 				},
-				Action: GeoLocationActionAllow,
+				Action: CheckActionAllow,
 			},
 			wantErr: false,
 			isValid: true,
@@ -54,7 +54,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CountryCode: "DE",
 					},
 				},
-				Action: GeoLocationActionAllow,
+				Action: CheckActionAllow,
 			},
 			wantErr: false,
 			isValid: true,
@@ -78,7 +78,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Los Angeles",
 					},
 				},
-				Action: GeoLocationActionAllow,
+				Action: CheckActionAllow,
 			},
 			wantErr: false,
 			isValid: false,
@@ -97,7 +97,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CountryCode: "US",
 					},
 				},
-				Action: GeoLocationActionAllow,
+				Action: CheckActionAllow,
 			},
 			wantErr: false,
 			isValid: false,
@@ -121,7 +121,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Los Angeles",
 					},
 				},
-				Action: GeoLocationActionDeny,
+				Action: CheckActionDeny,
 			},
 			wantErr: false,
 			isValid: false,
@@ -143,7 +143,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CountryCode: "US",
 					},
 				},
-				Action: GeoLocationActionDeny,
+				Action: CheckActionDeny,
 			},
 			wantErr: false,
 			isValid: false,
@@ -167,7 +167,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Los Angeles",
 					},
 				},
-				Action: GeoLocationActionDeny,
+				Action: CheckActionDeny,
 			},
 			wantErr: false,
 			isValid: true,
@@ -187,7 +187,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Los Angeles",
 					},
 				},
-				Action: GeoLocationActionDeny,
+				Action: CheckActionDeny,
 			},
 			wantErr: false,
 			isValid: true,
@@ -202,7 +202,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Berlin",
 					},
 				},
-				Action: GeoLocationActionAllow,
+				Action: CheckActionAllow,
 			},
 			wantErr: true,
 			isValid: false,
@@ -217,7 +217,7 @@ func TestGeoLocationCheck_Check(t *testing.T) {
 						CityName:    "Berlin",
 					},
 				},
-				Action: GeoLocationActionDeny,
+				Action: CheckActionDeny,
 			},
 			wantErr: true,
 			isValid: false,

management/server/posture/network.go

@@ -0,0 +1,54 @@
+package posture
+
+import (
+	"fmt"
+	"net/netip"
+	"slices"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+type PeerNetworkRangeCheck struct {
+	Action string
+	Ranges []netip.Prefix `gorm:"serializer:json"`
+}
+
+var _ Check = (*PeerNetworkRangeCheck)(nil)
+
+func (p *PeerNetworkRangeCheck) Check(peer nbpeer.Peer) (bool, error) {
+	if len(peer.Meta.NetworkAddresses) == 0 {
+		return false, fmt.Errorf("peer's does not contain peer network range addresses")
+	}
+
+	maskedPrefixes := make([]netip.Prefix, 0, len(p.Ranges))
+	for _, prefix := range p.Ranges {
+		maskedPrefixes = append(maskedPrefixes, prefix.Masked())
+	}
+
+	for _, peerNetAddr := range peer.Meta.NetworkAddresses {
+		peerMaskedPrefix := peerNetAddr.NetIP.Masked()
+		if slices.Contains(maskedPrefixes, peerMaskedPrefix) {
+			switch p.Action {
+			case CheckActionDeny:
+				return false, nil
+			case CheckActionAllow:
+				return true, nil
+			default:
+				return false, fmt.Errorf("invalid peer network range check action: %s", p.Action)
+			}
+		}
+	}
+
+	if p.Action == CheckActionDeny {
+		return true, nil
+	}
+	if p.Action == CheckActionAllow {
+		return false, nil
+	}
+
+	return false, fmt.Errorf("invalid peer network range check action: %s", p.Action)
+}
+
+func (p *PeerNetworkRangeCheck) Name() string {
+	return PeerNetworkRangeCheckName
+}

management/server/posture/network_test.go

@@ -0,0 +1,149 @@
+package posture
+
+import (
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+)
+
+func TestPeerNetworkRangeCheck_Check(t *testing.T) {
+	tests := []struct {
+		name    string
+		check   PeerNetworkRangeCheck
+		peer    nbpeer.Peer
+		wantErr bool
+		isValid bool
+	}{
+		{
+			name: "Peer networks range matches the allowed range",
+			check: PeerNetworkRangeCheck{
+				Action: CheckActionAllow,
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+			},
+			peer: nbpeer.Peer{
+				Meta: nbpeer.PeerSystemMeta{
+					NetworkAddresses: []nbpeer.NetworkAddress{
+						{
+							NetIP: netip.MustParsePrefix("192.168.0.123/24"),
+						},
+						{
+							NetIP: netip.MustParsePrefix("fe80::6089:eaff:fe0c:232f/64"),
+						},
+					},
+				},
+			},
+			wantErr: false,
+			isValid: true,
+		},
+		{
+			name: "Peer networks range doesn't matches the allowed range",
+			check: PeerNetworkRangeCheck{
+				Action: CheckActionAllow,
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+			},
+			peer: nbpeer.Peer{
+				Meta: nbpeer.PeerSystemMeta{
+					NetworkAddresses: []nbpeer.NetworkAddress{
+						{
+							NetIP: netip.MustParsePrefix("198.19.249.3/24"),
+						},
+					},
+				},
+			},
+			wantErr: false,
+			isValid: false,
+		},
+		{
+			name: "Peer with no network range in the allow range",
+			check: PeerNetworkRangeCheck{
+				Action: CheckActionAllow,
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/16"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+			},
+			peer:    nbpeer.Peer{},
+			wantErr: true,
+			isValid: false,
+		},
+		{
+			name: "Peer networks range matches the denied range",
+			check: PeerNetworkRangeCheck{
+				Action: CheckActionDeny,
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+			},
+			peer: nbpeer.Peer{
+				Meta: nbpeer.PeerSystemMeta{
+					NetworkAddresses: []nbpeer.NetworkAddress{
+						{
+							NetIP: netip.MustParsePrefix("192.168.0.123/24"),
+						},
+						{
+							NetIP: netip.MustParsePrefix("fe80::6089:eaff:fe0c:232f/64"),
+						},
+					},
+				},
+			},
+			wantErr: false,
+			isValid: false,
+		},
+		{
+			name: "Peer networks range doesn't matches the denied range",
+			check: PeerNetworkRangeCheck{
+				Action: CheckActionDeny,
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/24"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+			},
+			peer: nbpeer.Peer{
+				Meta: nbpeer.PeerSystemMeta{
+					NetworkAddresses: []nbpeer.NetworkAddress{
+						{
+							NetIP: netip.MustParsePrefix("198.19.249.3/24"),
+						},
+					},
+				},
+			},
+			wantErr: false,
+			isValid: true,
+		},
+		{
+			name: "Peer with no networks range in the denied range",
+			check: PeerNetworkRangeCheck{
+				Action: CheckActionDeny,
+				Ranges: []netip.Prefix{
+					netip.MustParsePrefix("192.168.0.0/16"),
+					netip.MustParsePrefix("10.0.0.0/8"),
+				},
+			},
+			peer:    nbpeer.Peer{},
+			wantErr: true,
+			isValid: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			isValid, err := tt.check.Check(tt.peer)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+			assert.Equal(t, tt.isValid, isValid)
+		})
+	}
+}

management/server/scheduler.go

@@ -1,9 +1,10 @@
 package server
 
 import (
-	log "github.com/sirupsen/logrus"
 	"sync"
 	"time"
+
+	log "github.com/sirupsen/logrus"
 )
 
 // Scheduler is an interface which implementations can schedule and cancel jobs
@@ -55,14 +56,8 @@ func (wm *DefaultScheduler) cancel(ID string) bool {
 	cancel, ok := wm.jobs[ID]
 	if ok {
 		delete(wm.jobs, ID)
-		select {
-		case cancel <- struct{}{}:
-			log.Debugf("cancelled scheduled job %s", ID)
-		default:
-			log.Warnf("couldn't cancel job %s because there was no routine listening on the cancel event", ID)
-			return false
-		}
-
+		close(cancel)
+		log.Debugf("cancelled scheduled job %s", ID)
 	}
 	return ok
 }
@@ -90,25 +85,41 @@ func (wm *DefaultScheduler) Schedule(in time.Duration, ID string, job func() (ne
 		return
 	}
 
+	ticker := time.NewTicker(in)
+
 	wm.jobs[ID] = cancel
 	log.Debugf("scheduled a job %s to run in %s. There are %d total jobs scheduled.", ID, in.String(), len(wm.jobs))
 	go func() {
-		select {
-		case <-time.After(in):
-			log.Debugf("time to do a scheduled job %s", ID)
-			runIn, reschedule := job()
-			wm.mu.Lock()
-			defer wm.mu.Unlock()
-			delete(wm.jobs, ID)
-			if reschedule {
-				go wm.Schedule(runIn, ID, job)
+		for {
+			select {
+			case <-ticker.C:
+				select {
+				case <-cancel:
+					log.Debugf("scheduled job %s was canceled, stop timer", ID)
+					ticker.Stop()
+					return
+				default:
+					log.Debugf("time to do a scheduled job %s", ID)
+				}
+				runIn, reschedule := job()
+				if !reschedule {
+					wm.mu.Lock()
+					defer wm.mu.Unlock()
+					delete(wm.jobs, ID)
+					log.Debugf("job %s is not scheduled to run again", ID)
+					ticker.Stop()
+					return
+				}
+				// we need this comparison to avoid resetting the ticker with the same duration and missing the current elapsesed time
+				if runIn != in {
+					ticker.Reset(runIn)
+				}
+			case <-cancel:
+				log.Debugf("job %s was canceled, stopping timer", ID)
+				ticker.Stop()
+				return
 			}
-		case <-cancel:
-			log.Debugf("stopped scheduled job %s ", ID)
-			wm.mu.Lock()
-			defer wm.mu.Unlock()
-			delete(wm.jobs, ID)
-			return
 		}
+
 	}()
 }

management/server/scheduler_test.go

@@ -2,11 +2,12 @@ package server
 
 import (
 	"fmt"
-	"github.com/stretchr/testify/assert"
 	"math/rand"
 	"sync"
 	"testing"
 	"time"
+
+	"github.com/stretchr/testify/assert"
 )
 
 func TestScheduler_Performance(t *testing.T) {
@@ -36,15 +37,24 @@ func TestScheduler_Cancel(t *testing.T) {
 	jobID1 := "test-scheduler-job-1"
 	jobID2 := "test-scheduler-job-2"
 	scheduler := NewDefaultScheduler()
-	scheduler.Schedule(2*time.Second, jobID1, func() (nextRunIn time.Duration, reschedule bool) {
-		return 0, false
+	tChan := make(chan struct{})
+	p := []string{jobID1, jobID2}
+	scheduler.Schedule(2*time.Millisecond, jobID1, func() (nextRunIn time.Duration, reschedule bool) {
+		tt := p[0]
+		<-tChan
+		t.Logf("job %s", tt)
+		return 2 * time.Millisecond, true
 	})
-	scheduler.Schedule(2*time.Second, jobID2, func() (nextRunIn time.Duration, reschedule bool) {
-		return 0, false
+	scheduler.Schedule(2*time.Millisecond, jobID2, func() (nextRunIn time.Duration, reschedule bool) {
+		return 2 * time.Millisecond, true
 	})
 
+	time.Sleep(4 * time.Millisecond)
 	assert.Len(t, scheduler.jobs, 2)
 	scheduler.Cancel([]string{jobID1})
+	close(tChan)
+	p = []string{}
+	time.Sleep(4 * time.Millisecond)
 	assert.Len(t, scheduler.jobs, 1)
 	assert.NotNil(t, scheduler.jobs[jobID2])
 }

management/server/sqlite_store.go

@@ -1,6 +1,8 @@
 package server
 
 import (
+	"context"
+	"fmt"
 	"path/filepath"
 	"runtime"
 	"strings"
@@ -483,11 +485,11 @@ func (s *SqliteStore) SaveUserLastLogin(accountID, userID string, lastLogin time
 	return s.db.Save(user).Error
 }
 
-// Close is noop in Sqlite
+// Close closes the underlying DB connection
 func (s *SqliteStore) Close() error {
 	sql, err := s.db.DB()
 	if err != nil {
-		return err
+		return fmt.Errorf("get db: %w", err)
 	}
 	return sql.Close()
 }
@@ -496,3 +498,51 @@ func (s *SqliteStore) Close() error {
 func (s *SqliteStore) GetStoreEngine() StoreEngine {
 	return SqliteStoreEngine
 }
+
+// CalculateUsageStats returns the usage stats for an account
+// start and end are inclusive.
+func (s *SqliteStore) CalculateUsageStats(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error) {
+	stats := &AccountUsageStats{}
+
+	err := s.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		err := tx.Raw(`
+			SELECT COUNT(DISTINCT user_id) FROM (
+				SELECT id as user_id FROM users WHERE account_id = ? AND last_login BETWEEN ? AND ? AND is_service_user = ?
+				UNION
+				SELECT user_id FROM peers WHERE account_id = ? AND peer_status_last_seen BETWEEN ? AND ?
+			) AS combined`, accountID, start, end, false, accountID, start, end).Scan(&stats.ActiveUsers).Error
+
+		if err != nil {
+			return fmt.Errorf("get active users: %w", err)
+		}
+
+		err = tx.Model(&User{}).
+			Where("account_id = ? AND is_service_user = ?", accountID, false).
+			Count(&stats.TotalUsers).Error
+		if err != nil {
+			return fmt.Errorf("get total users: %w", err)
+		}
+
+		err = tx.Model(&nbpeer.Peer{}).
+			Where("account_id = ? AND peer_status_last_seen BETWEEN ? AND ?", accountID, start, end).
+			Count(&stats.ActivePeers).Error
+		if err != nil {
+			return fmt.Errorf("get active peers: %w", err)
+		}
+
+		err = tx.Model(&nbpeer.Peer{}).
+			Where("account_id = ?", accountID).
+			Count(&stats.TotalPeers).Error
+		if err != nil {
+			return fmt.Errorf("get total peers: %w", err)
+		}
+
+		return nil
+	})
+
+	if err != nil {
+		return nil, fmt.Errorf("transaction: %w", err)
+	}
+
+	return stats, nil
+}

management/server/sqlite_store_test.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"net"
 	"path/filepath"
@@ -346,3 +347,29 @@ func newAccount(store Store, id int) error {
 
 	return store.SaveAccount(account)
 }
+
+func TestSqliteStore_CalculateUsageStats(t *testing.T) {
+	store := newSqliteStoreFromFile(t, "testdata/store_stats.json")
+	t.Cleanup(func() {
+		require.NoError(t, store.Close())
+	})
+
+	startDate := time.Date(2024, time.February, 1, 0, 0, 0, 0, time.UTC)
+	endDate := startDate.AddDate(0, 1, 0).Add(-time.Nanosecond)
+
+	stats1, err := store.CalculateUsageStats(context.TODO(), "account-1", startDate, endDate)
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(3), stats1.ActiveUsers)
+	assert.Equal(t, int64(5), stats1.TotalUsers)
+	assert.Equal(t, int64(3), stats1.ActivePeers)
+	assert.Equal(t, int64(8), stats1.TotalPeers)
+
+	stats2, err := store.CalculateUsageStats(context.TODO(), "account-2", startDate, endDate)
+	require.NoError(t, err)
+
+	assert.Equal(t, int64(2), stats2.ActiveUsers)
+	assert.Equal(t, int64(2), stats2.TotalUsers)
+	assert.Equal(t, int64(1), stats2.ActivePeers)
+	assert.Equal(t, int64(2), stats2.TotalPeers)
+}

management/server/status/error.go

@@ -1,6 +1,7 @@
 package status
 
 import (
+	"errors"
 	"fmt"
 )
 
@@ -68,7 +69,8 @@ func FromError(err error) (s *Error, ok bool) {
 	if err == nil {
 		return nil, true
 	}
-	if e, ok := err.(*Error); ok {
+	var e *Error
+	if errors.As(err, &e) {
 		return e, true
 	}
 	return nil, false

management/server/store.go

@@ -1,6 +1,7 @@
 package server
 
 import (
+	"context"
 	"fmt"
 	"os"
 	"path/filepath"
@@ -41,6 +42,7 @@ type Store interface {
 	// GetStoreEngine should return StoreEngine of the current store implementation.
 	// This is also a method of metrics.DataSource interface.
 	GetStoreEngine() StoreEngine
+	CalculateUsageStats(ctx context.Context, accountID string, start time.Time, end time.Time) (*AccountUsageStats, error)
 }
 
 type StoreEngine string
@@ -109,6 +111,6 @@ func NewStoreFromJson(dataDir string, metrics telemetry.AppMetrics) (Store, erro
 	case SqliteStoreEngine:
 		return NewSqliteStoreFromFileStore(fstore, dataDir, metrics)
 	default:
-		return nil, fmt.Errorf("unsupported store engine %s", kind)
+		return NewSqliteStoreFromFileStore(fstore, dataDir, metrics)
 	}
 }

management/server/testdata/store_stats.json

@@ -0,0 +1,184 @@
+{
+  "Accounts": {
+    "account-1": {
+      "Id": "account-1",
+      "Domain": "example.com",
+      "Network": {
+        "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
+        "Net": {
+          "IP": "100.64.0.0",
+          "Mask": "//8AAA=="
+        },
+        "Dns": null
+      },
+      "Users": {
+        "user-1-account-1": {
+          "Id": "user-1-account-1",
+          "LastLogin": "2023-01-15T00:00:00Z"
+        },
+        "user-2-account-1": {
+          "Id": "user-2-account-1",
+          "LastLogin": "2024-01-02T00:00:00Z"
+        },
+        "user-3-account-1": {
+          "Id": "user-3-account-1",
+          "LastLogin": "2024-02-05T00:00:00Z"
+        },
+        "user-4-account-1": {
+          "Id": "user-4-account-1",
+          "LastLogin": "2024-01-20T00:00:00Z"
+        },
+        "user-5-account-1": {
+          "Id": "user-5-account-1",
+          "IsServiceUser": true,
+          "LastLogin": "2024-02-15T00:00:00Z"
+        },
+        "user-6-account-1": {
+          "Id": "user-6-account-1",
+          "LastLogin": "2024-02-10T00:00:00Z"
+        }
+      },
+      "Peers": {
+        "peer-1-account-1": {
+          "ID": "peer-1-account-1",
+          "UserID": "user-1-account-1",
+          "Status": {
+            "LastSeen": "2024-01-01T00:00:00Z"
+          },
+          "Name": "Peer One",
+          "Meta": {
+            "Hostname": "peer1-host"
+          }
+        },
+        "peer-2-account-1": {
+          "ID": "peer-2-account-1",
+          "UserID": "user-2-account-1",
+          "Status": {
+            "LastSeen": "2024-02-29T23:59:59Z"
+          },
+          "Name": "Peer Two",
+          "Meta": {
+            "Hostname": "peer2-host"
+          }
+        },
+        "peer-3-account-1": {
+          "ID": "peer-3-account-1",
+          "UserID": "user-2-account-1",
+          "Status": {
+            "LastSeen": "2024-02-01T12:00:00Z"
+          },
+          "Name": "Peer Three",
+          "Meta": {
+            "Hostname": "peer3-host"
+          }
+        },
+        "peer-4-account-1": {
+          "ID": "peer-4-account-1",
+          "UserID": "user-3-account-1",
+          "Status": {
+            "LastSeen": "2024-02-08T12:00:00Z"
+          },
+          "Name": "Peer Four",
+          "Meta": {
+            "Hostname": "peer4-host"
+          }
+        },
+        "peer-5-account-1": {
+          "ID": "peer-5-account-1",
+          "UserID": "user-3-account-1",
+          "Status": {
+            "LastSeen": "2023-06-01T12:00:00Z"
+          },
+          "Name": "Peer Five",
+          "Meta": {
+            "Hostname": "peer5-host"
+          }
+        },
+        "peer-6-account-1": {
+          "ID": "peer-6-account-1",
+          "UserID": "user-4-account-1",
+          "Status": {
+            "LastSeen": "2024-01-31T23:59:59Z"
+          },
+          "Name": "Peer Six",
+          "Meta": {
+            "Hostname": "peer6-host"
+          }
+        },
+        "peer-7-account-1": {
+          "ID": "peer-7-account-1",
+          "UserID": "user-4-account-1",
+          "Status": {
+            "LastSeen": "2024-03-01T00:00:00Z"
+          },
+          "Name": "Peer Seven",
+          "Meta": {
+            "Hostname": "peer7-host"
+          }
+        },
+        "peer-8-account-1": {
+          "ID": "peer-8-account-1",
+          "UserID": "user-6-account-1",
+          "Status": {
+            "LastSeen": "2024-01-01T00:00:00Z"
+          },
+          "Name": "Peer Eight",
+          "Meta": {
+            "Hostname": "peer8-host"
+          }
+        }
+      }
+    },
+    "account-2": {
+      "Id": "account-2",
+      "Domain": "example.org",
+      "Network": {
+        "Id": "af1c8024-ha40-4ce2-9418-34653101fc3c",
+        "Net": {
+          "IP": "100.64.0.0",
+          "Mask": "//8AAA=="
+        },
+        "Dns": null
+      },
+      "Users": {
+        "user-1-account-2": {
+          "Id": "user-1-account-2",
+          "LastLogin": "2023-12-15T00:00:00Z"
+        },
+        "user-2-account-2": {
+          "Id": "user-2-account-2",
+          "LastLogin": "2024-02-28T00:00:00Z"
+        },
+        "user-3-account-2": {
+          "Id": "user-3-account-2",
+          "IsServiceUser": true,
+          "LastLogin": "2024-01-30T00:00:00Z"
+        }
+      },
+      "Peers": {
+        "peer-1-account-2": {
+          "ID": "peer-1-account-2",
+          "UserID": "user-1-account-2",
+          "Status": {
+            "LastSeen": "2023-08-30T12:00:00Z"
+          },
+          "Name": "Peer One",
+          "Meta": {
+            "Hostname": "peer1-host"
+          }
+        },
+        "peer-2-account-2": {
+          "ID": "peer-2-account-2",
+          "UserID": "user-1-account-2",
+          "Status": {
+            "LastSeen": "2024-02-08T12:00:00Z"
+          },
+          "Name": "Peer Two",
+          "Meta": {
+            "Hostname": "peer2-host"
+          }
+        }
+      }
+    }
+  }
+}

management/server/user.go

@@ -85,6 +85,8 @@ type User struct {
 	Blocked bool
 	// LastLogin is the last time the user logged in to IdP
 	LastLogin time.Time
+	// CreatedAt records the time the user was created
+	CreatedAt time.Time
 
 	// Issued of the user
 	Issued string `gorm:"default:api"`
@@ -173,6 +175,7 @@ func (u *User) Copy() *User {
 		PATs:                 pats,
 		Blocked:              u.Blocked,
 		LastLogin:            u.LastLogin,
+		CreatedAt:            u.CreatedAt,
 		Issued:               u.Issued,
 		IntegrationReference: u.IntegrationReference,
 	}
@@ -188,6 +191,7 @@ func NewUser(id string, role UserRole, isServiceUser bool, nonDeletable bool, se
 		ServiceUserName: serviceUserName,
 		AutoGroups:      autoGroups,
 		Issued:          issued,
+		CreatedAt:       time.Now().UTC(),
 	}
 }
 
@@ -338,6 +342,7 @@ func (am *DefaultAccountManager) inviteNewUser(accountID, userID string, invite
 		AutoGroups:           invite.AutoGroups,
 		Issued:               invite.Issued,
 		IntegrationReference: invite.IntegrationReference,
+		CreatedAt:            time.Now().UTC(),
 	}
 	account.Users[idpUser.ID] = newUser
 
@@ -414,7 +419,7 @@ func (am *DefaultAccountManager) ListUsers(accountID string) ([]*User, error) {
 }
 
 func (am *DefaultAccountManager) deleteServiceUser(account *Account, initiatorUserID string, targetUser *User) {
-	meta := map[string]any{"name": targetUser.ServiceUserName}
+	meta := map[string]any{"name": targetUser.ServiceUserName, "created_at": targetUser.CreatedAt}
 	am.StoreEvent(initiatorUserID, targetUser.Id, account.Id, activity.ServiceUserDeleted, meta)
 	delete(account.Users, targetUser.Id)
 }
@@ -494,13 +499,23 @@ func (am *DefaultAccountManager) deleteRegularUser(account *Account, initiatorUs
 		return err
 	}
 
+	u, err := account.FindUser(targetUserID)
+	if err != nil {
+		log.Errorf("failed to find user %s for deletion, this should never happen: %s", targetUserID, err)
+	}
+
+	var tuCreatedAt time.Time
+	if u != nil {
+		tuCreatedAt = u.CreatedAt
+	}
+
 	delete(account.Users, targetUserID)
 	err = am.Store.SaveAccount(account)
 	if err != nil {
 		return err
 	}
 
-	meta := map[string]any{"name": tuName, "email": tuEmail}
+	meta := map[string]any{"name": tuName, "email": tuEmail, "created_at": tuCreatedAt}
 	am.StoreEvent(initiatorUserID, targetUserID, account.Id, activity.UserDeleted, meta)
 
 	am.updateAccountPeers(account)

management/server/user_test.go

@@ -273,7 +273,8 @@ func TestUser_Copy(t *testing.T) {
 			},
 		},
 		Blocked:   false,
-		LastLogin: time.Now(),
+		LastLogin: time.Now().UTC(),
+		CreatedAt: time.Now().UTC(),
 		Issued:    "test",
 		IntegrationReference: IntegrationReference{
 			ID:              0,

signal/client/grpc.go

@@ -21,11 +21,10 @@ import (
 	"google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/encryption"
+	"github.com/netbirdio/netbird/management/client"
 	"github.com/netbirdio/netbird/signal/proto"
 )
 
-const defaultSendTimeout = 5 * time.Second
-
 // ConnStateNotifier is a wrapper interface of the status recorder
 type ConnStateNotifier interface {
 	MarkSignalDisconnected(error)
@@ -71,7 +70,7 @@ func NewClient(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled boo
 		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
 	}
 
-	sigCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	sigCtx, cancel := context.WithTimeout(ctx, client.ConnectTimeout)
 	defer cancel()
 	conn, err := grpc.DialContext(
 		sigCtx,
@@ -353,7 +352,7 @@ func (c *GrpcClient) Send(msg *proto.Message) error {
 		return err
 	}
 
-	attemptTimeout := defaultSendTimeout
+	attemptTimeout := client.ConnectTimeout
 
 	for attempt := 0; attempt < 4; attempt++ {
 		if attempt > 1 {

signal/cmd/run.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"flag"
 	"fmt"
-	"golang.org/x/crypto/acme/autocert"
 	"io"
 	"io/fs"
 	"net"
@@ -14,10 +13,14 @@ import (
 	"strings"
 	"time"
 
+	"golang.org/x/crypto/acme/autocert"
+
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/signal/proto"
 	"github.com/netbirdio/netbird/signal/server"
 	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc"
@@ -129,6 +132,7 @@ var (
 				log.Infof("running gRPC server: %s", grpcListener.Addr().String())
 			}
 
+			log.Infof("signal server version %s", version.NetbirdVersion())
 			log.Infof("started Signal Service")
 
 			SetupCloseHandler()