Revert WG changes and use the local proxy

Update wireguard-go
Close turn connection
2026-04-16 23:36:39 +00:00 · 2024-04-23 16:07:40 +02:00 · 2024-04-22 19:13:07 +02:00 · 2024-04-18 15:59:50 +02:00 · 2024-04-16 16:01:25 +02:00 · 2024-04-15 14:12:24 +02:00
151 changed files with 6137 additions and 2504 deletions
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -32,6 +32,9 @@ jobs:
          restore-keys: |
            macos-go-

+      - name: Install libpcap
+        run: brew install libpcap
+
      - name: Install modules
        run: go mod tidy

--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -14,8 +14,8 @@ jobs:
  test:
    strategy:
      matrix:
-        arch: ['386','amd64']
-        store: ['jsonfile', 'sqlite']
+        arch: [ '386','amd64' ]
+        store: [ 'jsonfile', 'sqlite' ]
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
@@ -36,7 +36,11 @@ jobs:
        uses: actions/checkout@v3

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386

      - name: Install modules
        run: go mod tidy
@@ -67,7 +71,7 @@ jobs:
        uses: actions/checkout@v3

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

      - name: Install modules
        run: go mod tidy
@@ -82,7 +86,7 @@ jobs:
        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock

      - name: Generate RouteManager Test bin
-        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
+        run: CGO_ENABLED=1 go test -c -o routemanager-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/...

      - name: Generate nftables Manager Test bin
        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
@@ -109,7 +113,7 @@ jobs:

      - name: Run Engine tests in docker with file store
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
-      
+
      - name: Run Engine tests in docker with sqlite store
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1

--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -44,10 +44,9 @@ jobs:

      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
-      - run: "[Environment]::SetEnvironmentVariable('NETBIRD_STORE_ENGINE', 'jsonfile', 'Machine')"

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 5m -p 1 ./... > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ./... > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -40,7 +40,7 @@ jobs:
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
--- a/README.md
+++ b/README.md
@@ -40,11 +40,12 @@

 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

-**Secure.** NetBird enables secure remote access by applying granular access policies, while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
+**Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

 ### Open-Source Network Security in a Single Platform

-![download (2)](https://github.com/netbirdio/netbird/assets/700848/16210ac2-7265-44c1-8d4e-8fae85534dac)
+![image](https://github.com/netbirdio/netbird/assets/700848/c0d7bae4-3301-499a-bb4e-5e4a225bf35f)
+

 ### Key features

@@ -76,7 +77,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 - **Public domain** name pointing to the VM.

 **Software requirements:**
- Docker installed on the VM with the docker compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
 - [jq](https://jqlang.github.io/jq/) installed. In most distributions
  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
 - [curl](https://curl.se/) installed.
@@ -93,9 +94,9 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 -  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
 -  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
 -  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
-  Connection candidates are discovered with a help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
 -  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
 
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.

@@ -119,7 +120,7 @@ In November 2022, NetBird joined the [StartUpSecure program](https://www.forschu
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

 ### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).

 ### Legal
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"net/http"
+	_ "net/http/pprof"
 	"os"
 	"os/signal"
 	"path"
@@ -34,6 +36,7 @@ const (
 	wireguardPortFlag       = "wireguard-port"
 	disableAutoConnectFlag  = "disable-auto-connect"
 	serverSSHAllowedFlag    = "allow-server-ssh"
+	extraIFaceBlackListFlag = "extra-iface-blacklist"
 )

 var (
@@ -63,6 +66,7 @@ var (
 	wireguardPort           uint16
 	serviceName             string
 	autoConnectDisabled     bool
+	extraIFaceBlackList     []string
 	rootCmd                 = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
@@ -143,6 +147,13 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
+
+	go func() {
+		// Start the HTTP server on port 8080
+		http.ListenAndServe("localhost:8080", nil)
+	}()
+
+	// Your application code here
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -64,6 +64,10 @@ var installCmd = &cobra.Command{
 			}
 		}

+		if runtime.GOOS == "windows" {
+			svcConfig.Option["OnFailure"] = "restart"
+		}
+
 		ctx, cancel := context.WithCancel(cmd.Context())

 		s, err := newSVC(newProgram(ctx, cancel), svcConfig)
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -34,6 +34,7 @@ type peerStateDetailOutput struct {
 	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
 	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
 	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
+	Latency                time.Duration    `json:"latency" yaml:"latency"`
 	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
 	Routes                 []string         `json:"routes" yaml:"routes"`
 }
@@ -376,6 +377,7 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			LastWireguardHandshake: lastHandshake,
 			TransferReceived:       transferReceived,
 			TransferSent:           transferSent,
+			Latency:                pbPeerState.GetLatency().AsDuration(),
 			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
 			Routes:                 pbPeerState.GetRoutes(),
 		}
@@ -638,7 +640,8 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 				"  Last WireGuard handshake: %s\n"+
 				"  Transfer status (received/sent) %s/%s\n"+
 				"  Quantum resistance: %s\n"+
-				"  Routes: %s\n",
+				"  Routes: %s\n"+
+				"  Latency: %s\n",
 			peerState.FQDN,
 			peerState.IP,
 			peerState.PubKey,
@@ -655,6 +658,7 @@ func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bo
 			toIEC(peerState.TransferSent),
 			rosenpassEnabledStatus,
 			routes,
+			peerState.Latency.String(),
 		)

 		peersString += peerString
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -8,6 +8,7 @@ import (

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/netbirdio/netbird/client/proto"
@@ -45,6 +46,7 @@ var resp = &proto.StatusResponse{
 				Routes: []string{
 					"10.1.0.0/24",
 				},
+				Latency: durationpb.New(time.Duration(10000000)),
 			},
 			{
 				IP:                         "192.168.178.102",
@@ -61,6 +63,7 @@ var resp = &proto.StatusResponse{
 				LastWireguardHandshake:     timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 3, 0, time.UTC)),
 				BytesRx:                    2000,
 				BytesTx:                    1000,
+				Latency:                    durationpb.New(time.Duration(10000000)),
 			},
 		},
 		ManagementState: &proto.ManagementState{
@@ -147,6 +150,7 @@ var overview = statusOutputOverview{
 				Routes: []string{
 					"10.1.0.0/24",
 				},
+				Latency: time.Duration(10000000),
 			},
 			{
 				IP:               "192.168.178.102",
@@ -167,6 +171,7 @@ var overview = statusOutputOverview{
 				LastWireguardHandshake: time.Date(2002, 2, 2, 2, 2, 3, 0, time.UTC),
 				TransferReceived:       2000,
 				TransferSent:           1000,
+				Latency:                time.Duration(10000000),
 			},
 		},
 	},
@@ -288,6 +293,7 @@ func TestParsingToJSON(t *testing.T) {
                "lastWireguardHandshake": "2001-01-01T01:01:02Z",
                "transferReceived": 200,
                "transferSent": 100,
+				"latency": 10000000,
                "quantumResistance": false,
                "routes": [
                  "10.1.0.0/24"
@@ -312,6 +318,7 @@ func TestParsingToJSON(t *testing.T) {
                "lastWireguardHandshake": "2002-02-02T02:02:03Z",
                "transferReceived": 2000,
                "transferSent": 1000,
+				"latency": 10000000,
                "quantumResistance": false,
                "routes": null
              }
@@ -409,6 +416,7 @@ func TestParsingToYAML(t *testing.T) {
          lastWireguardHandshake: 2001-01-01T01:01:02Z
          transferReceived: 200
          transferSent: 100
+          latency: 10ms
          quantumResistance: false
          routes:
            - 10.1.0.0/24
@@ -428,6 +436,7 @@ func TestParsingToYAML(t *testing.T) {
          lastWireguardHandshake: 2002-02-02T02:02:03Z
          transferReceived: 2000
          transferSent: 1000
+          latency: 10ms
          quantumResistance: false
          routes: []
 cliVersion: development
@@ -496,6 +505,7 @@ func TestParsingToDetail(t *testing.T) {
  Transfer status (received/sent) 200 B/100 B
  Quantum resistance: false
  Routes: 10.1.0.0/24
+  Latency: 10ms

 peer-2.awesome-domain.com:
  NetBird IP: 192.168.178.102
@@ -511,6 +521,7 @@ func TestParsingToDetail(t *testing.T) {
  Transfer status (received/sent) 2.0 KiB/1000 B
  Quantum resistance: false
  Routes: -
+  Latency: 10ms

 Daemon version: 0.14.1
 CLI version: development
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -13,6 +13,7 @@ import (

 	"google.golang.org/grpc"

+	"github.com/netbirdio/management-integrations/integrations"
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
@@ -78,7 +79,8 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 	if err != nil {
 		return nil, nil
 	}
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "", eventStore, nil, false)
+	iv, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -40,6 +40,7 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
+	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 }

 func upFunc(cmd *cobra.Command, args []string) error {
@@ -83,11 +84,12 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	}

 	ic := internal.ConfigInput{
-		ManagementURL:    managementURL,
-		AdminURL:         adminURL,
-		ConfigPath:       configPath,
-		NATExternalIPs:   natExternalIPs,
-		CustomDNSAddress: customDNSAddressConverted,
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
 	}

 	if cmd.Flag(enableRosenpassFlag).Changed {
@@ -149,7 +151,6 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 }

 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
-
 	customDNSAddressConverted, err := parseCustomDNSAddress(cmd.Flag(dnsResolverAddress).Changed)
 	if err != nil {
 		return err
@@ -190,6 +191,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		CustomDNSAddress:     customDNSAddressConverted,
 		IsLinuxDesktopClient: isLinuxRunningDesktop(),
 		Hostname:             hostName,
+		ExtraIFaceBlacklist:  extraIFaceBlackList,
 	}

 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -143,7 +143,7 @@ func (m *Manager) AllowNetbird() error {
 	}

 	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
-		log.Debugf("allow netbird rule already exists: %v", rule)
+		log.Debugf("allow netbird rule already exists: %#v", rule)
 		return nil
 	}

--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -30,8 +30,10 @@ const (
 	DefaultAdminURL = "https://app.netbird.io:443"
 )

-var defaultInterfaceBlacklist = []string{iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
-	"Tailscale", "tailscale", "docker", "veth", "br-", "lo"}
+var defaultInterfaceBlacklist = []string{
+	iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
+	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
+}

 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
@@ -47,6 +49,7 @@ type ConfigInput struct {
 	InterfaceName       *string
 	WireguardPort       *int
 	DisableAutoConnect  *bool
+	ExtraIFaceBlackList []string
 }

 // Config Configuration type
@@ -220,7 +223,8 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 		config.AdminURL = newURL
 	}

-	config.IFaceBlackList = defaultInterfaceBlacklist
+	// nolint:gocritic
+	config.IFaceBlackList = append(defaultInterfaceBlacklist, input.ExtraIFaceBlackList...)
 	return config, nil
 }

@@ -320,6 +324,13 @@ func update(input ConfigInput) (*Config, error) {
 		refresh = true
 	}

+	if len(input.ExtraIFaceBlackList) > 0 {
+		for _, iFace := range util.SliceDiff(input.ExtraIFaceBlackList, config.IFaceBlackList) {
+			config.IFaceBlackList = append(config.IFaceBlackList, iFace)
+			refresh = true
+		}
+	}
+
 	if refresh {
 		// since we have new management URL, we need to update config file
 		if err := util.WriteJson(input.ConfigPath, config); err != nil {
@@ -384,7 +395,6 @@ func configFileIsExists(path string) bool {
 // If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
 // The check is performed only for the NetBird's managed version.
 func UpdateOldManagementURL(ctx context.Context, config *Config, configPath string) (*Config, error) {
-
 	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
 	if err != nil {
 		return nil, err
--- a/client/internal/config_test.go
+++ b/client/internal/config_test.go
@@ -18,7 +18,6 @@ func TestGetConfig(t *testing.T) {
 	config, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
 	})
-
 	if err != nil {
 		return
 	}
@@ -86,6 +85,26 @@ func TestGetConfig(t *testing.T) {
 	assert.Equal(t, readConf.(*Config).ManagementURL.String(), newManagementURL)
 }

+func TestExtraIFaceBlackList(t *testing.T) {
+	extraIFaceBlackList := []string{"eth1"}
+	path := filepath.Join(t.TempDir(), "config.json")
+	config, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath:          path,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+	})
+	if err != nil {
+		return
+	}
+
+	assert.Contains(t, config.IFaceBlackList, "eth1")
+	readConf, err := util.ReadJson(path, config)
+	if err != nil {
+		return
+	}
+
+	assert.Contains(t, readConf.(*Config).IFaceBlackList, "eth1")
+}
+
 func TestHiddenPreSharedKey(t *testing.T) {
 	hidden := "**********"
 	samplePreSharedKey := "mysecretpresharedkey"
@@ -111,7 +130,6 @@ func TestHiddenPreSharedKey(t *testing.T) {
 				ConfigPath:   cfgFile,
 				PreSharedKey: tt.preSharedKey,
 			})
-
 			if err != nil {
 				t.Fatalf("failed to get cfg: %s", err)
 			}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"runtime"
+	"runtime/debug"
 	"strings"
 	"time"

@@ -93,7 +95,13 @@ func runClient(
 	relayProbe *Probe,
 	wgProbe *Probe,
 ) error {
-	log.Infof("starting NetBird client version %s", version.NetbirdVersion())
+	defer func() {
+		if r := recover(); r != nil {
+			log.Panicf("Panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
+		}
+	}()
+
+	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)

 	// Check if client was not shut down in a clean way and restore DNS config if required.
 	// Otherwise, we might not be able to connect to the management server to retrieve new config.
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -278,9 +278,15 @@ func (s *DefaultServer) SearchDomains() []string {
 // ProbeAvailability tests each upstream group's servers for availability
 // and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
+	var wg sync.WaitGroup
 	for _, mux := range s.dnsMuxMap {
-		mux.probeAvailability()
+		wg.Add(1)
+		go func(mux handlerWithStop) {
+			defer wg.Done()
+			mux.probeAvailability()
+		}(mux)
 	}
+	wg.Wait()
 }

 func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -750,6 +750,11 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 						NSType: nbdns.UDPNameServerType,
 						Port:   53,
 					},
+					{
+						IP:     netip.MustParseAddr("9.9.9.9"),
+						NSType: nbdns.UDPNameServerType,
+						Port:   53,
+					},
 				},
 				Domains: []string{"customdomain.com"},
 				Primary: false,
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -93,6 +93,10 @@ type Engine struct {
 	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerConns map[string]*peer.Conn
+
+	beforePeerHook peer.BeforeAddPeerHookFunc
+	afterPeerHook  peer.AfterRemovePeerHookFunc
+
 	// rpManager is a Rosenpass manager
 	rpManager *rosenpass.Manager

@@ -134,6 +138,7 @@ type Engine struct {
 	signalProbe *Probe
 	relayProbe  *Probe
 	wgProbe     *Probe
+	turnRelay   *relay.PermanentTurn
 }

 // Peer is an instance of the Connection Peer
@@ -195,7 +200,7 @@ func NewEngineWithProbes(
 		networkSerial:  0,
 		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
-		wgProxyFactory: wgproxy.NewFactory(config.WgPort),
+		wgProxyFactory: &wgproxy.Factory{},
 		mgmProbe:       mgmProbe,
 		signalProbe:    signalProbe,
 		relayProbe:     relayProbe,
@@ -230,8 +235,8 @@ func (e *Engine) Start() error {

 	wgIface, err := e.newWgIface()
 	if err != nil {
-		log.Errorf("failed creating wireguard interface instance %s: [%s]", e.config.WgIfaceName, err.Error())
-		return err
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", e.config.WgIfaceName, err)
+		return fmt.Errorf("new wg interface: %w", err)
 	}
 	e.wgInterface = wgIface

@@ -244,29 +249,37 @@ func (e *Engine) Start() error {
 		}
 		e.rpManager, err = rosenpass.NewManager(e.config.PreSharedKey, e.config.WgIfaceName)
 		if err != nil {
-			return err
+			return fmt.Errorf("create rosenpass manager: %w", err)
 		}
 		err := e.rpManager.Run()
 		if err != nil {
-			return err
+			return fmt.Errorf("run rosenpass manager: %w", err)
 		}
 	}

 	initialRoutes, dnsServer, err := e.newDnsServer()
 	if err != nil {
 		e.close()
-		return err
+		return fmt.Errorf("create dns server: %w", err)
 	}
 	e.dnsServer = dnsServer

 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, initialRoutes)
+	beforePeerHook, afterPeerHook, err := e.routeManager.Init()
+	if err != nil {
+		log.Errorf("Failed to initialize route manager: %s", err)
+	} else {
+		e.beforePeerHook = beforePeerHook
+		e.afterPeerHook = afterPeerHook
+	}
+
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)

 	err = e.wgInterfaceCreate()
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
 		e.close()
-		return err
+		return fmt.Errorf("create wg interface: %w", err)
 	}

 	e.firewall, err = firewall.NewFirewall(e.ctx, e.wgInterface)
@@ -278,7 +291,7 @@ func (e *Engine) Start() error {
 		err = e.routeManager.EnableServerRouter(e.firewall)
 		if err != nil {
 			e.close()
-			return err
+			return fmt.Errorf("enable server router: %w", err)
 		}
 	}

@@ -286,7 +299,7 @@ func (e *Engine) Start() error {
 	if err != nil {
 		log.Errorf("failed to pull up wgInterface [%s]: %s", e.wgInterface.Name(), err.Error())
 		e.close()
-		return err
+		return fmt.Errorf("up wg interface: %w", err)
 	}

 	if e.firewall != nil {
@@ -296,7 +309,7 @@ func (e *Engine) Start() error {
 	err = e.dnsServer.Initialize()
 	if err != nil {
 		e.close()
-		return err
+		return fmt.Errorf("initialize dns server: %w", err)
 	}

 	e.receiveSignalEvents()
@@ -440,10 +453,19 @@ func SignalOfferAnswer(offerAnswer peer.OfferAnswer, myKey wgtypes.Key, remoteKe
 		t = sProto.Body_OFFER
 	}

-	msg, err := signal.MarshalCredential(myKey, offerAnswer.WgListenPort, remoteKey, &signal.Credential{
-		UFrag: offerAnswer.IceCredentials.UFrag,
-		Pwd:   offerAnswer.IceCredentials.Pwd,
-	}, t, offerAnswer.RosenpassPubKey, offerAnswer.RosenpassAddr)
+	msg, err := signal.MarshalCredential(
+		myKey,
+		offerAnswer.WgListenPort,
+		remoteKey, &signal.Credential{
+			UFrag: offerAnswer.IceCredentials.UFrag,
+			Pwd:   offerAnswer.IceCredentials.Pwd,
+		},
+		t,
+		offerAnswer.RosenpassPubKey,
+		offerAnswer.RosenpassAddr,
+		offerAnswer.RelayedAddr.String(),
+		offerAnswer.RemoteAddr.String(),
+	)
 	if err != nil {
 		return err
 	}
@@ -471,6 +493,14 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 			return err
 		}

+		turnRelay := relay.NewPermanentTurn(e.STUNs[0], e.TURNs[0])
+		err = turnRelay.Open()
+		if err != nil {
+			return fmt.Errorf("faile to open turn relay: %w", err)
+		}
+		e.turnRelay = turnRelay
+		//e.wgInterface.SetRelayConn(e.turnRelay.RelayConn())
+
 		// todo update signal
 	}

@@ -609,6 +639,7 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
 	var newTURNs []*stun.URI
 	log.Debugf("got TURNs update from Management Service, updating")
 	for _, turn := range turns {
+		log.Debugf("-----updated Turn %v, %s, %s", turn.HostConfig.Uri, turn.User, turn.Password)
 		url, err := stun.ParseURI(turn.HostConfig.Uri)
 		if err != nil {
 			return err
@@ -698,15 +729,16 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}

-	// Test received (upstream) servers for availability right away instead of upon usage.
-	// If no server of a server group responds this will disable the respective handler and retry later.
-	e.dnsServer.ProbeAvailability()
-
 	if e.acl != nil {
 		e.acl.ApplyFiltering(networkMap)
 	}
+
 	e.networkSerial = serial

+	// Test received (upstream) servers for availability right away instead of upon usage.
+	// If no server of a server group responds this will disable the respective handler and retry later.
+	e.dnsServer.ProbeAvailability()
+
 	return nil
 }

@@ -781,6 +813,7 @@ func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
 			FQDN:             offlinePeer.GetFqdn(),
 			ConnStatus:       peer.StatusDisconnected,
 			ConnStatusUpdate: time.Now(),
+			Mux:              new(sync.RWMutex),
 		}
 	}
 	e.statusRecorder.ReplaceOfflinePeers(replacement)
@@ -804,10 +837,15 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 	if _, ok := e.peerConns[peerKey]; !ok {
 		conn, err := e.createPeerConn(peerKey, strings.Join(peerIPs, ","))
 		if err != nil {
-			return err
+			return fmt.Errorf("create peer connection: %w", err)
 		}
 		e.peerConns[peerKey] = conn

+		if e.beforePeerHook != nil && e.afterPeerHook != nil {
+			conn.AddBeforeAddPeerHook(e.beforePeerHook)
+			conn.AddAfterRemovePeerHook(e.afterPeerHook)
+		}
+
 		err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn)
 		if err != nil {
 			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
@@ -915,7 +953,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		RosenpassAddr:        e.getRosenpassAddr(),
 	}

-	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover)
+	peerConn, err := peer.NewConn(config, e.statusRecorder, e.wgProxyFactory, e.mobileDep.TunAdapter, e.mobileDep.IFaceDiscover, e.turnRelay)
 	if err != nil {
 		return nil, err
 	}
@@ -981,6 +1019,17 @@ func (e *Engine) receiveSignalEvents() {
 					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
 					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
 				}
+
+				relayedAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetRelayedAddress())
+				if err != nil {
+					return err
+				}
+
+				remoteAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetSrvRefAddress())
+				if err != nil {
+					return err
+				}
+
 				conn.OnRemoteOffer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
@@ -990,6 +1039,8 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
+					RelayedAddr:     relayedAddr,
+					RemoteAddr:      remoteAddr,
 				})
 			case sProto.Body_ANSWER:
 				remoteCred, err := signal.UnMarshalCredential(msg)
@@ -1005,6 +1056,17 @@ func (e *Engine) receiveSignalEvents() {
 					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
 					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
 				}
+
+				relayedAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetRelayedAddress())
+				if err != nil {
+					return err
+				}
+
+				remoteAddr, err := net.ResolveUDPAddr("udp", msg.GetBody().GetRelay().GetSrvRefAddress())
+				if err != nil {
+					return err
+				}
+
 				conn.OnRemoteAnswer(peer.OfferAnswer{
 					IceCredentials: peer.IceCredentials{
 						UFrag: remoteCred.UFrag,
@@ -1014,6 +1076,8 @@ func (e *Engine) receiveSignalEvents() {
 					Version:         msg.GetBody().GetNetBirdVersion(),
 					RosenpassPubKey: rosenpassPubKey,
 					RosenpassAddr:   rosenpassAddr,
+					RelayedAddr:     relayedAddr,
+					RemoteAddr:      remoteAddr,
 				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
@@ -1024,7 +1088,6 @@ func (e *Engine) receiveSignalEvents() {
 				conn.OnRemoteCandidate(candidate)
 			case sProto.Body_MODE:
 			}
-
 			return nil
 		})
 		if err != nil {
@@ -1096,11 +1159,17 @@ func (e *Engine) close() {
 		log.Errorf("failed closing ebpf proxy: %s", err)
 	}

+	e.turnRelay.Close()
+
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	if e.dnsServer != nil {
 		e.dnsServer.Stop()
 	}

+	if e.routeManager != nil {
+		e.routeManager.Stop()
+	}
+
 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
 	if e.wgInterface != nil {
 		if err := e.wgInterface.Close(); err != nil {
@@ -1115,10 +1184,6 @@ func (e *Engine) close() {
 		}
 	}

-	if e.routeManager != nil {
-		e.routeManager.Stop()
-	}
-
 	if e.firewall != nil {
 		err := e.firewall.Reset()
 		if err != nil {
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -21,6 +21,7 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"

+	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -70,10 +71,10 @@ func TestEngine_SSH(t *testing.T) {
 	defer cancel()

 	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-		WgIfaceName:  "utun101",
-		WgAddr:       "100.64.0.1/24",
-		WgPrivateKey: key,
-		WgPort:       33100,
+		WgIfaceName:      "utun101",
+		WgAddr:           "100.64.0.1/24",
+		WgPrivateKey:     key,
+		WgPort:           33100,
 		ServerSSHAllowed: true,
 	}, MobileDependency{}, peer.NewRecorder("https://mgm"))

@@ -1050,7 +1051,8 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 	if err != nil {
 		return nil, "", err
 	}
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "", eventStore, nil, false)
+	ia, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -14,18 +13,22 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

+	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/iface/bind"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )

 const (
 	iceKeepAliveDefault           = 4 * time.Second
 	iceDisconnectedTimeoutDefault = 6 * time.Second
+	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
+	iceRelayAcceptanceMinWaitDefault = 2 * time.Second

 	defaultWgKeepAlive = 25 * time.Second
 )
@@ -90,6 +93,10 @@ type OfferAnswer struct {
 	// RosenpassAddr is the Rosenpass server address (IP:port) of the remote peer when receiving this message
 	// This value is the local Rosenpass server address when sending the message
 	RosenpassAddr string
+
+	// Turn Relay
+	RelayedAddr net.Addr
+	RemoteAddr  net.Addr
 }

 // IceCredentials ICE protocol credentials struct
@@ -98,6 +105,9 @@ type IceCredentials struct {
 	Pwd   string
 }

+type BeforeAddPeerHookFunc func(connID nbnet.ConnectionID, IP net.IP) error
+type AfterRemovePeerHookFunc func(connID nbnet.ConnectionID) error
+
 type Conn struct {
 	config ConnConfig
 	mu     sync.Mutex
@@ -125,7 +135,7 @@ type Conn struct {
 	statusRecorder *Status

 	wgProxyFactory *wgproxy.Factory
-	wgProxy        wgproxy.Proxy
+	wgProxy        *wgproxy.WGUserSpaceProxy

 	remoteModeCh chan ModeMessage
 	meta         meta
@@ -133,6 +143,13 @@ type Conn struct {
 	adapter        iface.TunAdapter
 	iFaceDiscover  stdnet.ExternalIFaceDiscover
 	sentExtraSrflx bool
+
+	remoteEndpoint *net.UDPAddr
+
+	connID               nbnet.ConnectionID
+	beforeAddPeerHooks   []BeforeAddPeerHookFunc
+	afterRemovePeerHooks []AfterRemovePeerHookFunc
+	turnRelay            *relay.PermanentTurn
 }

 // meta holds meta information about a connection
@@ -163,7 +180,7 @@ func (conn *Conn) UpdateStunTurn(turnStun []*stun.URI) {

 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.Factory, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
+func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.Factory, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover, turnRelay *relay.PermanentTurn) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
@@ -176,6 +193,7 @@ func NewConn(config ConnConfig, statusRecorder *Status, wgProxyFactory *wgproxy.
 		wgProxyFactory: wgProxyFactory,
 		adapter:        adapter,
 		iFaceDiscover:  iFaceDiscover,
+		turnRelay:      turnRelay,
 	}, nil
 }

@@ -193,20 +211,22 @@ func (conn *Conn) reCreateAgent() error {

 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
+	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()

 	agentConfig := &ice.AgentConfig{
-		MulticastDNSMode:    ice.MulticastDNSModeDisabled,
-		NetworkTypes:        []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
-		Urls:                conn.config.StunTurn,
-		CandidateTypes:      conn.candidateTypes(),
-		FailedTimeout:       &failedTimeout,
-		InterfaceFilter:     stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
-		UDPMux:              conn.config.UDPMux,
-		UDPMuxSrflx:         conn.config.UDPMuxSrflx,
-		NAT1To1IPs:          conn.config.NATExternalIPs,
-		Net:                 transportNet,
-		DisconnectedTimeout: &iceDisconnectedTimeout,
-		KeepaliveInterval:   &iceKeepAlive,
+		MulticastDNSMode:       ice.MulticastDNSModeDisabled,
+		NetworkTypes:           []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
+		Urls:                   conn.config.StunTurn,
+		CandidateTypes:         []ice.CandidateType{},
+		FailedTimeout:          &failedTimeout,
+		InterfaceFilter:        stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:                 conn.config.UDPMux,
+		UDPMuxSrflx:            conn.config.UDPMuxSrflx,
+		NAT1To1IPs:             conn.config.NATExternalIPs,
+		Net:                    transportNet,
+		DisconnectedTimeout:    &iceDisconnectedTimeout,
+		KeepaliveInterval:      &iceKeepAlive,
+		RelayAcceptanceMinWait: &iceRelayAcceptanceMinWait,
 	}

 	if conn.config.DisableIPv6Discovery {
@@ -214,7 +234,6 @@ func (conn *Conn) reCreateAgent() error {
 	}

 	conn.agent, err = ice.NewAgent(agentConfig)
-
 	if err != nil {
 		return err
 	}
@@ -234,18 +253,18 @@ func (conn *Conn) reCreateAgent() error {
 		return err
 	}

-	return nil
-}
+	err = conn.agent.OnSuccessfulSelectedPairBindingResponse(func(p *ice.CandidatePair) {
+		err := conn.statusRecorder.UpdateLatency(conn.config.Key, p.Latency())
+		if err != nil {
+			log.Debugf("failed to update latency for peer %s: %s", conn.config.Key, err)
+			return
+		}
+	})
+	if err != nil {
+		return fmt.Errorf("failed setting binding response callback: %w", err)
+	}

-func (conn *Conn) candidateTypes() []ice.CandidateType {
-	if hasICEForceRelayConn() {
-		return []ice.CandidateType{ice.CandidateTypeRelay}
-	}
-	// TODO: remove this once we have refactored userspace proxy into the bind package
-	if runtime.GOOS == "ios" {
-		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
-	}
-	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
+	return nil
 }

 // Open opens connection to the remote peer starting ICE candidate gathering process.
@@ -259,6 +278,7 @@ func (conn *Conn) Open() error {
 		IP:               strings.Split(conn.config.WgConfig.AllowedIps, "/")[0],
 		ConnStatusUpdate: time.Now(),
 		ConnStatus:       conn.status,
+		Mux:              new(sync.RWMutex),
 	}
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -318,44 +338,62 @@ func (conn *Conn) Open() error {
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.status,
 		ConnStatusUpdate: time.Now(),
+		Mux:              new(sync.RWMutex),
 	}
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
 		log.Warnf("error while updating the state of peer %s,err: %v", conn.config.Key, err)
 	}

-	err = conn.agent.GatherCandidates()
-	if err != nil {
-		return err
-	}
-
-	// will block until connection succeeded
-	// but it won't release if ICE Agent went into Disconnected or Failed state,
-	// so we have to cancel it with the provided context once agent detected a broken connection
-	isControlling := conn.config.LocalKey > conn.config.Key
-	var remoteConn *ice.Conn
+	isControlling := conn.config.LocalKey < conn.config.Key
 	if isControlling {
-		remoteConn, err = conn.agent.Dial(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		log.Debugf("send punchole to: %s", remoteOfferAnswer.RemoteAddr.String())
+		err = conn.turnRelay.PunchHole(remoteOfferAnswer.RemoteAddr)
+		if err != nil {
+			log.Errorf("failed to punch hole: %v", err)
+		}
+
+		addr, ok := remoteOfferAnswer.RemoteAddr.(*net.UDPAddr)
+		if !ok {
+			return fmt.Errorf("failed to cast addr to udp addr")
+		}
+		addr.Port = remoteOfferAnswer.WgListenPort
+
+		conn.wgProxy = wgproxy.NewWGUserSpaceProxy(conn.config.LocalWgPort)
+		myNetConn := NewMyNetConn(conn.turnRelay.RelayConn(), addr)
+		endpoint, err := conn.wgProxy.AddTurnConn(myNetConn)
+		if err != nil {
+			return err
+		}
+		proxyedAddr, _ := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
+
+		log.Debugf("---- use this peer's tunr connection: %s", addr)
+		err = conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, proxyedAddr, conn.config.WgConfig.PreSharedKey)
+		if err != nil {
+			if conn.wgProxy != nil {
+				_ = conn.wgProxy.CloseConn()
+			}
+			// todo close
+			return err
+		}
 	} else {
-		remoteConn, err = conn.agent.Accept(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
-	}
-	if err != nil {
-		return err
-	}
+		addr, ok := remoteOfferAnswer.RelayedAddr.(*net.UDPAddr)
+		if !ok {
+			return fmt.Errorf("failed to cast addr to udp addr")
+		}
+		log.Debugf("---- use remote peer tunr connection: %s", addr)

-	// dynamically set remote WireGuard port is other side specified a different one from the default one
-	remoteWgPort := iface.DefaultWgPort
-	if remoteOfferAnswer.WgListenPort != 0 {
-		remoteWgPort = remoteOfferAnswer.WgListenPort
-	}
-	// the ice connection has been established successfully so we are ready to start the proxy
-	remoteAddr, err := conn.configureConnection(remoteConn, remoteWgPort, remoteOfferAnswer.RosenpassPubKey,
-		remoteOfferAnswer.RosenpassAddr)
-	if err != nil {
-		return err
-	}
+		err := conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, addr, conn.config.WgConfig.PreSharedKey)
+		if err != nil {
+			if conn.wgProxy != nil {
+				_ = conn.wgProxy.CloseConn()
+			}
+			// todo close
+			return err
+		}

-	log.Infof("connected to peer %s, endpoint address: %s", conn.config.Key, remoteAddr.String())
+		log.Infof("connected to peer %s, endpoint address: %s", conn.config.Key, addr.String())
+	}

 	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
 	select {
@@ -372,33 +410,33 @@ func isRelayCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay
 }

+func (conn *Conn) AddBeforeAddPeerHook(hook BeforeAddPeerHookFunc) {
+	conn.beforeAddPeerHooks = append(conn.beforeAddPeerHooks, hook)
+}
+
+func (conn *Conn) AddAfterRemovePeerHook(hook AfterRemovePeerHookFunc) {
+	conn.afterRemovePeerHooks = append(conn.afterRemovePeerHooks, hook)
+}
+
 // configureConnection starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
 func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, remoteRosenpassPubKey []byte, remoteRosenpassAddr string) (net.Addr, error) {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

-	pair, err := conn.agent.GetSelectedCandidatePair()
-	if err != nil {
-		return nil, err
-	}
-
 	var endpoint net.Addr
-	if isRelayCandidate(pair.Local) {
-		log.Debugf("setup relay connection")
-		conn.wgProxy = conn.wgProxyFactory.GetProxy()
-		endpoint, err = conn.wgProxy.AddTurnConn(remoteConn)
-		if err != nil {
-			return nil, err
+	endpoint = remoteConn.RemoteAddr()
+	endpointUdpAddr, _ := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
+	conn.remoteEndpoint = endpointUdpAddr
+	log.Debugf("Conn resolved IP for %s: %s", endpoint, endpointUdpAddr.IP)
+
+	conn.connID = nbnet.GenerateConnID()
+	for _, hook := range conn.beforeAddPeerHooks {
+		if err := hook(conn.connID, endpointUdpAddr.IP); err != nil {
+			log.Errorf("Before add peer hook failed: %v", err)
 		}
-	} else {
-		// To support old version's with direct mode we attempt to punch an additional role with the remote WireGuard port
-		go conn.punchRemoteWGPort(pair, remoteWgPort)
-		endpoint = remoteConn.RemoteAddr()
 	}

-	endpointUdpAddr, _ := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
-
-	err = conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
+	err := conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
 	if err != nil {
 		if conn.wgProxy != nil {
 			_ = conn.wgProxy.CloseConn()
@@ -407,30 +445,33 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	}

 	conn.status = StatusConnected
-	rosenpassEnabled := false
-	if remoteRosenpassPubKey != nil {
-		rosenpassEnabled = true
-	}
+	/*
+		rosenpassEnabled := false
+		if remoteRosenpassPubKey != nil {
+			rosenpassEnabled = true
+		}

-	peerState := State{
-		PubKey:                     conn.config.Key,
-		ConnStatus:                 conn.status,
-		ConnStatusUpdate:           time.Now(),
-		LocalIceCandidateType:      pair.Local.Type().String(),
-		RemoteIceCandidateType:     pair.Remote.Type().String(),
-		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
-		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
-		Direct:                     !isRelayCandidate(pair.Local),
-		RosenpassEnabled:           rosenpassEnabled,
-	}
-	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
-		peerState.Relayed = true
-	}
+			peerState := State{
+				PubKey:                     conn.config.Key,
+				ConnStatus:                 conn.status,
+				ConnStatusUpdate:           time.Now(),
+				LocalIceCandidateType:      pair.Local.Type().String(),
+				RemoteIceCandidateType:     pair.Remote.Type().String(),
+				LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
+				RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
+				Direct:                     !isRelayCandidate(pair.Local),
+				RosenpassEnabled:           rosenpassEnabled,
+				Mux:                        new(sync.RWMutex),
+			}
+			if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
+				peerState.Relayed = true
+			}

-	err = conn.statusRecorder.UpdatePeerState(peerState)
-	if err != nil {
-		log.Warnf("unable to save peer's state, got error: %v", err)
-	}
+			err = conn.statusRecorder.UpdatePeerState(peerState)
+			if err != nil {
+				log.Warnf("unable to save peer's state, got error: %v", err)
+			}
+	*/

 	_, ipNet, err := net.ParseCIDR(conn.config.WgConfig.AllowedIps)
 	if err != nil {
@@ -488,6 +529,15 @@ func (conn *Conn) cleanup() error {
 	// todo: is it problem if we try to remove a peer what is never existed?
 	err3 = conn.config.WgConfig.WgInterface.RemovePeer(conn.config.WgConfig.RemoteKey)

+	if conn.connID != "" {
+		for _, hook := range conn.afterRemovePeerHooks {
+			if err := hook(conn.connID); err != nil {
+				log.Errorf("After remove peer hook failed: %v", err)
+			}
+		}
+	}
+	conn.connID = ""
+
 	if conn.notifyDisconnected != nil {
 		conn.notifyDisconnected()
 		conn.notifyDisconnected = nil
@@ -503,6 +553,7 @@ func (conn *Conn) cleanup() error {
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.status,
 		ConnStatusUpdate: time.Now(),
+		Mux:              new(sync.RWMutex),
 	}
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -622,6 +673,8 @@ func (conn *Conn) sendAnswer() error {
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: conn.config.RosenpassPubKey,
 		RosenpassAddr:   conn.config.RosenpassAddr,
+		RelayedAddr:     conn.turnRelay.RelayedAddress(),
+		RemoteAddr:      conn.turnRelay.SrvRefAddr(),
 	})
 	if err != nil {
 		return err
@@ -645,6 +698,8 @@ func (conn *Conn) sendOffer() error {
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: conn.config.RosenpassPubKey,
 		RosenpassAddr:   conn.config.RosenpassAddr,
+		RelayedAddr:     conn.turnRelay.RelayedAddress(),
+		RemoteAddr:      conn.turnRelay.SrvRefAddr(),
 	})
 	if err != nil {
 		return err
@@ -684,6 +739,10 @@ func (conn *Conn) Status() ConnStatus {
 	return conn.status
 }

+func (conn *Conn) OnRemoteRelayRequest(relayedAddr string, remoteIP string) {
+
+}
+
 // OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
 func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {
--- a/client/internal/peer/env_config.go
+++ b/client/internal/peer/env_config.go
@@ -10,9 +10,10 @@ import (
 )

 const (
-	envICEKeepAliveIntervalSec   = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
-	envICEDisconnectedTimeoutSec = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
-	envICEForceRelayConn         = "NB_ICE_FORCE_RELAY_CONN"
+	envICEKeepAliveIntervalSec      = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
+	envICEDisconnectedTimeoutSec    = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
+	envICERelayAcceptanceMinWaitSec = "NB_ICE_RELAY_ACCEPTANCE_MIN_WAIT_SEC"
+	envICEForceRelayConn            = "NB_ICE_FORCE_RELAY_CONN"
 )

 func iceKeepAlive() time.Duration {
@@ -21,7 +22,7 @@ func iceKeepAlive() time.Duration {
 		return iceKeepAliveDefault
 	}

-	log.Debugf("setting ICE keep alive interval to %s seconds", keepAliveEnv)
+	log.Infof("setting ICE keep alive interval to %s seconds", keepAliveEnv)
 	keepAliveEnvSec, err := strconv.Atoi(keepAliveEnv)
 	if err != nil {
 		log.Warnf("invalid value %s set for %s, using default %v", keepAliveEnv, envICEKeepAliveIntervalSec, iceKeepAliveDefault)
@@ -37,7 +38,7 @@ func iceDisconnectedTimeout() time.Duration {
 		return iceDisconnectedTimeoutDefault
 	}

-	log.Debugf("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
+	log.Infof("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
 	disconnectedTimeoutSec, err := strconv.Atoi(disconnectedTimeoutEnv)
 	if err != nil {
 		log.Warnf("invalid value %s set for %s, using default %v", disconnectedTimeoutEnv, envICEDisconnectedTimeoutSec, iceDisconnectedTimeoutDefault)
@@ -47,6 +48,22 @@ func iceDisconnectedTimeout() time.Duration {
 	return time.Duration(disconnectedTimeoutSec) * time.Second
 }

+func iceRelayAcceptanceMinWait() time.Duration {
+	iceRelayAcceptanceMinWaitEnv := os.Getenv(envICERelayAcceptanceMinWaitSec)
+	if iceRelayAcceptanceMinWaitEnv == "" {
+		return iceRelayAcceptanceMinWaitDefault
+	}
+
+	log.Infof("setting ICE relay acceptance min wait to %s seconds", iceRelayAcceptanceMinWaitEnv)
+	disconnectedTimeoutSec, err := strconv.Atoi(iceRelayAcceptanceMinWaitEnv)
+	if err != nil {
+		log.Warnf("invalid value %s set for %s, using default %v", iceRelayAcceptanceMinWaitEnv, envICERelayAcceptanceMinWaitSec, iceRelayAcceptanceMinWaitDefault)
+		return iceRelayAcceptanceMinWaitDefault
+	}
+
+	return time.Duration(disconnectedTimeoutSec) * time.Second
+}
+
 func hasICEForceRelayConn() bool {
 	disconnectedTimeoutEnv := os.Getenv(envICEForceRelayConn)
 	return strings.ToLower(disconnectedTimeoutEnv) == "true"
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -14,6 +14,7 @@ import (

 // State contains the latest state of a peer
 type State struct {
+	Mux                        *sync.RWMutex
 	IP                         string
 	PubKey                     string
 	FQDN                       string
@@ -28,8 +29,40 @@ type State struct {
 	LastWireguardHandshake     time.Time
 	BytesTx                    int64
 	BytesRx                    int64
+	Latency                    time.Duration
 	RosenpassEnabled           bool
-	Routes                     map[string]struct{}
+	routes                     map[string]struct{}
+}
+
+// AddRoute add a single route to routes map
+func (s *State) AddRoute(network string) {
+	s.Mux.Lock()
+	if s.routes == nil {
+		s.routes = make(map[string]struct{})
+	}
+	s.routes[network] = struct{}{}
+	s.Mux.Unlock()
+}
+
+// SetRoutes set state routes
+func (s *State) SetRoutes(routes map[string]struct{}) {
+	s.Mux.Lock()
+	s.routes = routes
+	s.Mux.Unlock()
+}
+
+// DeleteRoute removes a route from the network amp
+func (s *State) DeleteRoute(network string) {
+	s.Mux.Lock()
+	delete(s.routes, network)
+	s.Mux.Unlock()
+}
+
+// GetRoutes return routes map
+func (s *State) GetRoutes() map[string]struct{} {
+	s.Mux.RLock()
+	defer s.Mux.RUnlock()
+	return s.routes
 }

 // LocalPeerState contains the latest state of the local peer
@@ -142,6 +175,7 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string) error {
 		PubKey:     peerPubKey,
 		ConnStatus: StatusDisconnected,
 		FQDN:       fqdn,
+		Mux:        new(sync.RWMutex),
 	}
 	d.peerListChangedForNotification = true
 	return nil
@@ -188,8 +222,8 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.IP = receivedState.IP
 	}

-	if receivedState.Routes != nil {
-		peerState.Routes = receivedState.Routes
+	if receivedState.GetRoutes() != nil {
+		peerState.SetRoutes(receivedState.GetRoutes())
 	}

 	skipNotification := shouldSkipNotify(receivedState, peerState)
@@ -410,6 +444,22 @@ func (d *Status) GetManagementState() ManagementState {
 	}
 }

+func (d *Status) UpdateLatency(pubKey string, latency time.Duration) error {
+	if latency <= 0 {
+		return nil
+	}
+
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	peerState, ok := d.peers[pubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+	peerState.Latency = latency
+	d.peers[pubKey] = peerState
+	return nil
+}
+
 // IsLoginRequired determines if a peer's login has expired.
 func (d *Status) IsLoginRequired() bool {
 	d.mux.Lock()
@@ -423,7 +473,6 @@ func (d *Status) IsLoginRequired() bool {
 	s, ok := gstatus.FromError(d.managementError)
 	if ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 		return true
-
 	}
 	return false
 }
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"errors"
 	"testing"
+	"sync"

 	"github.com/stretchr/testify/assert"
 )
@@ -42,6 +43,7 @@ func TestUpdatePeerState(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -62,6 +64,7 @@ func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -80,6 +83,7 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -104,6 +108,7 @@ func TestRemovePeer(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
--- a/client/internal/peer/writer.go
+++ b/client/internal/peer/writer.go
@@ -0,0 +1,52 @@
+package peer
+
+import (
+	"net"
+	"time"
+)
+
+type MyNetConn struct {
+	remoteConn net.PacketConn
+	remoteAddr net.Addr
+}
+
+func NewMyNetConn(remoteConn net.PacketConn, remoteAddr net.Addr) net.Conn {
+	return &MyNetConn{
+		remoteConn: remoteConn,
+		remoteAddr: remoteAddr,
+	}
+}
+
+func (m *MyNetConn) Read(b []byte) (n int, err error) {
+	n, _, err = m.remoteConn.ReadFrom(b)
+	return
+}
+
+func (m *MyNetConn) Write(b []byte) (n int, err error) {
+	n, err = m.remoteConn.WriteTo(b, m.remoteAddr)
+	return
+}
+
+func (m *MyNetConn) Close() error {
+	return m.remoteConn.Close()
+}
+
+func (m *MyNetConn) LocalAddr() net.Addr {
+	return m.remoteConn.LocalAddr()
+}
+
+func (m *MyNetConn) RemoteAddr() net.Addr {
+	return m.remoteAddr
+}
+
+func (m *MyNetConn) SetDeadline(t time.Time) error {
+	return m.remoteConn.SetDeadline(t)
+}
+
+func (m *MyNetConn) SetReadDeadline(t time.Time) error {
+	return m.remoteConn.SetReadDeadline(t)
+}
+
+func (m *MyNetConn) SetWriteDeadline(t time.Time) error {
+	return m.remoteConn.SetWriteDeadline(t)
+}
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -10,6 +10,9 @@ import (
 	"github.com/pion/stun/v2"
 	"github.com/pion/turn/v3"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // ProbeResult holds the info about the result of a relay probe request
@@ -27,7 +30,15 @@ func ProbeSTUN(ctx context.Context, uri *stun.URI) (addr string, probeErr error)
 		}
 	}()

-	client, err := stun.DialURI(uri, &stun.DialConfig{})
+	net, err := stdnet.NewNet(nil)
+	if err != nil {
+		probeErr = fmt.Errorf("new net: %w", err)
+		return
+	}
+
+	client, err := stun.DialURI(uri, &stun.DialConfig{
+		Net: net,
+	})
 	if err != nil {
 		probeErr = fmt.Errorf("dial: %w", err)
 		return
@@ -85,14 +96,13 @@ func ProbeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error)
 	switch uri.Proto {
 	case stun.ProtoTypeUDP:
 		var err error
-		conn, err = net.ListenPacket("udp", "")
+		conn, err = nbnet.NewListener().ListenPacket(ctx, "udp", "")
 		if err != nil {
 			probeErr = fmt.Errorf("listen: %w", err)
 			return
 		}
 	case stun.ProtoTypeTCP:
-		dialer := net.Dialer{}
-		tcpConn, err := dialer.DialContext(ctx, "tcp", turnServerAddr)
+		tcpConn, err := nbnet.NewDialer().DialContext(ctx, "tcp", turnServerAddr)
 		if err != nil {
 			probeErr = fmt.Errorf("dial: %w", err)
 			return
@@ -109,12 +119,18 @@ func ProbeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error)
 		}
 	}()

+	net, err := stdnet.NewNet(nil)
+	if err != nil {
+		probeErr = fmt.Errorf("new net: %w", err)
+		return
+	}
 	cfg := &turn.ClientConfig{
 		STUNServerAddr: turnServerAddr,
 		TURNServerAddr: turnServerAddr,
 		Conn:           conn,
 		Username:       uri.Username,
 		Password:       uri.Password,
+		Net:            net,
 	}
 	client, err := turn.NewClient(cfg)
 	if err != nil {
--- a/client/internal/relay/turn.go
+++ b/client/internal/relay/turn.go
@@ -0,0 +1,152 @@
+package relay
+
+import (
+	"fmt"
+	"math"
+	"net"
+	"sync"
+
+	"github.com/pion/logging"
+	"github.com/pion/stun/v2"
+	"github.com/pion/turn/v3"
+	log "github.com/sirupsen/logrus"
+)
+
+type PermanentTurn struct {
+	stunURI *stun.URI
+	turnURI *stun.URI
+
+	stunConn             net.PacketConn
+	turnClient           *turn.Client
+	turnClientListenLock sync.Mutex
+	relayConn            net.PacketConn // represents the remote socket.
+	srvReflexiveAddress  *net.UDPAddr
+}
+
+func NewPermanentTurn(stunURL, turnURL *stun.URI) *PermanentTurn {
+	return &PermanentTurn{
+		stunURI: stunURL,
+		turnURI: turnURL,
+	}
+}
+
+func (r *PermanentTurn) Open() error {
+	log.Debugf("Opening permanent turn connection")
+	stunConn, err := net.ListenPacket("udp4", "0.0.0.0:0")
+	if err != nil {
+		return err
+	}
+	r.stunConn = stunConn
+
+	cfg := &turn.ClientConfig{
+		STUNServerAddr: toURL(r.stunURI),
+		TURNServerAddr: toURL(r.turnURI),
+		Conn:           stunConn,
+		Username:       r.turnURI.Username,
+		Password:       r.turnURI.Password,
+		LoggerFactory:  logging.NewDefaultLoggerFactory(),
+	}
+
+	client, err := turn.NewClient(cfg)
+	if err != nil {
+		log.Errorf("failed to create turn client: %v", err)
+		return err
+	}
+	r.turnClient = client
+	err = r.turnClient.Listen()
+	if err != nil {
+		log.Errorf("failed to listen: %v", err)
+	}
+	//r.listen()
+
+	relayConn, err := client.Allocate()
+	if err != nil {
+		log.Errorf("failed to allocate relay connection: %v", err)
+		return err
+	}
+	r.relayConn = relayConn
+
+	srvReflexiveAddress, err := r.discoverPublicIP()
+	if err != nil {
+		log.Errorf("failed to discover public IP: %v", err)
+		return err
+	}
+	r.srvReflexiveAddress = srvReflexiveAddress
+	return nil
+}
+
+func (r *PermanentTurn) RelayedAddress() net.Addr {
+	return r.relayConn.LocalAddr()
+}
+
+func (r *PermanentTurn) SrvRefAddr() net.Addr {
+	return r.srvReflexiveAddress
+}
+
+func (r *PermanentTurn) PunchHole(mappedAddr net.Addr) error {
+	_, err := r.relayConn.WriteTo([]byte("Hello"), mappedAddr)
+	return err
+}
+
+func (r *PermanentTurn) RelayConn() net.PacketConn {
+	return r.relayConn
+}
+
+func (r *PermanentTurn) Close() {
+	r.turnClient.Close()
+
+	err := r.relayConn.Close()
+	if err != nil {
+		log.Errorf("failed to close relayConn: %s", err.Error())
+	}
+
+	err = r.stunConn.Close()
+	if err != nil {
+		log.Errorf("failed to close stunConn: %s", err.Error())
+	}
+}
+
+func (r *PermanentTurn) discoverPublicIP() (*net.UDPAddr, error) {
+	addr, err := r.turnClient.SendBindingRequest()
+	if err != nil {
+		log.Errorf("failed to send binding request: %v", err)
+		return nil, err
+
+	}
+
+	udpAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
+		return nil, fmt.Errorf("failed to cast addr to udp addr")
+	}
+
+	return udpAddr, nil
+}
+
+func (r *PermanentTurn) listen() {
+	if !r.turnClientListenLock.TryLock() {
+		return
+	}
+
+	go func() {
+		defer r.turnClientListenLock.Unlock()
+
+		buf := make([]byte, math.MaxUint16)
+		for {
+			n, from, err := r.stunConn.ReadFrom(buf)
+			if err != nil {
+				log.Errorf("Failed to read from stun conn. Exiting loop %v", err)
+				break
+			}
+
+			_, err = r.turnClient.HandleInbound(buf[:n], from)
+			if err != nil {
+				log.Errorf("Failed to handle inbound turn message: %s. Exiting loop", err)
+				break
+			}
+		}
+	}()
+}
+
+func toURL(uri *stun.URI) string {
+	return fmt.Sprintf("%s:%d", uri.Host, uri.Port)
+}
--- a/client/internal/relay/turn_test.go
+++ b/client/internal/relay/turn_test.go
@@ -0,0 +1,36 @@
+package relay
+
+import (
+	"os"
+	"testing"
+
+	"github.com/pion/stun/v2"
+
+	"github.com/netbirdio/netbird/util"
+)
+
+func TestMain(m *testing.M) {
+	_ = util.InitLog("trace", "console")
+	code := m.Run()
+	os.Exit(code)
+}
+
+func TestNewPermanentTurn(t *testing.T) {
+	turnURI, err := stun.ParseURI("turns:turn.netbird.io:443?transport=tcp")
+	if err != nil {
+		t.Errorf("failed to parse stun url: %v", err)
+	}
+	turnURI.Username = "1713006060"
+	turnURI.Password = "pO5Pfx15luZ92mW+FHPa6/LtJ7Y="
+
+	stunURI, err := stun.ParseURI("stun:stun.netbird.io:5555")
+	if err != nil {
+		t.Errorf("failed to parse stun url: %v", err)
+	}
+	turnRelay := NewPermanentTurn(stunURI, turnURI)
+	err = turnRelay.Open()
+	if err != nil {
+		t.Errorf("failed to open turn relay: %v", err)
+	}
+
+}
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"time"

 	log "github.com/sirupsen/logrus"

@@ -18,6 +19,7 @@ type routerPeerStatus struct {
 	connected bool
 	relayed   bool
 	direct    bool
+	latency   time.Duration
 }

 type routesUpdate struct {
@@ -41,6 +43,7 @@ type clientNetwork struct {

 func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *peer.Status, network netip.Prefix) *clientNetwork {
 	ctx, cancel := context.WithCancel(ctx)
+
 	client := &clientNetwork{
 		ctx:                 ctx,
 		stop:                cancel,
@@ -67,14 +70,29 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 			connected: peerStatus.ConnStatus == peer.StatusConnected,
 			relayed:   peerStatus.Relayed,
 			direct:    peerStatus.Direct,
+			latency:   peerStatus.Latency,
 		}
 	}
 	return routePeerStatuses
 }

+// getBestRouteFromStatuses determines the most optimal route from the available routes
+// within a clientNetwork, taking into account peer connection status, route metrics, and
+// preference for non-relayed and direct connections.
+//
+// It follows these prioritization rules:
+// * Connected peers: Only routes with connected peers are considered.
+// * Metric: Routes with lower metrics (better) are prioritized.
+// * Non-relayed: Routes without relays are preferred.
+// * Direct connections: Routes with direct peer connections are favored.
+// * Stability: In case of equal scores, the currently active route (if any) is maintained.
+// * Latency: Routes with lower latency are prioritized.
+//
+// It returns the ID of the selected optimal route.
 func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
 	chosen := ""
-	chosenScore := 0
+	chosenScore := float64(0)
+	currScore := float64(0)

 	currID := ""
 	if c.chosenRoute != nil {
@@ -82,7 +100,7 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 	}

 	for _, r := range c.routes {
-		tempScore := 0
+		tempScore := float64(0)
 		peerStatus, found := routePeerStatuses[r.ID]
 		if !found || !peerStatus.connected {
 			continue
@@ -90,9 +108,18 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro

 		if r.Metric < route.MaxMetric {
 			metricDiff := route.MaxMetric - r.Metric
-			tempScore = metricDiff * 10
+			tempScore = float64(metricDiff) * 10
 		}

+		// in some temporal cases, latency can be 0, so we set it to 1s to not block but try to avoid this route
+		latency := time.Second
+		if peerStatus.latency != 0 {
+			latency = peerStatus.latency
+		} else {
+			log.Warnf("peer %s has 0 latency", r.Peer)
+		}
+		tempScore += 1 - latency.Seconds()
+
 		if !peerStatus.relayed {
 			tempScore++
 		}
@@ -101,7 +128,7 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 			tempScore++
 		}

-		if tempScore > chosenScore || (tempScore == chosenScore && r.ID == currID) {
+		if tempScore > chosenScore || (tempScore == chosenScore && chosen == "") {
 			chosen = r.ID
 			chosenScore = tempScore
 		}
@@ -110,18 +137,26 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 			chosen = r.ID
 			chosenScore = tempScore
 		}
+
+		if r.ID == currID {
+			currScore = tempScore
+		}
 	}

-	if chosen == "" {
+	switch {
+	case chosen == "":
 		var peers []string
 		for _, r := range c.routes {
 			peers = append(peers, r.Peer)
 		}

 		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
-
-	} else if chosen != currID {
-		log.Infof("new chosen route is %s with peer %s with score %d for network %s", chosen, c.routes[chosen].Peer, chosenScore, c.network)
+	case chosen != currID:
+		if currScore != 0 && currScore < chosenScore+0.1 {
+			return currID
+		} else {
+			log.Infof("new chosen route is %s with peer %s with score %f for network %s", chosen, c.routes[chosen].Peer, chosenScore, c.network)
+		}
 	}

 	return chosen
@@ -158,10 +193,10 @@ func (c *clientNetwork) startPeersStatusChangeWatcher() {
 func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
 	state, err := c.statusRecorder.GetPeer(peerKey)
 	if err != nil {
-		return err
+		return fmt.Errorf("get peer state: %v", err)
 	}

-	delete(state.Routes, c.network.String())
+	state.DeleteRoute(c.network.String())
 	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
 		log.Warnf("Failed to update peer state: %v", err)
 	}
@@ -172,7 +207,7 @@ func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {

 	err = c.wgInterface.RemoveAllowedIP(peerKey, c.network.String())
 	if err != nil {
-		return fmt.Errorf("couldn't remove allowed IP %s removed for peer %s, err: %v",
+		return fmt.Errorf("remove allowed IP %s removed for peer %s, err: %v",
 			c.network, c.chosenRoute.Peer, err)
 	}
 	return nil
@@ -180,30 +215,26 @@ func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {

 func (c *clientNetwork) removeRouteFromPeerAndSystem() error {
 	if c.chosenRoute != nil {
-		err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer)
-		if err != nil {
-			return err
+		if err := removeVPNRoute(c.network, c.wgInterface.Name()); err != nil {
+			return fmt.Errorf("remove route %s from system, err: %v", c.network, err)
 		}
-		err = removeFromRouteTableIfNonSystem(c.network, c.wgInterface.Address().IP.String())
-		if err != nil {
-			return fmt.Errorf("couldn't remove route %s from system, err: %v",
-				c.network, err)
+
+		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
+			return fmt.Errorf("remove route: %v", err)
 		}
 	}
 	return nil
 }

 func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
-
-	var err error
-
 	routerPeerStatuses := c.getRouterPeerStatuses()

 	chosen := c.getBestRouteFromStatuses(routerPeerStatuses)
+
+	// If no route is chosen, remove the route from the peer and system
 	if chosen == "" {
-		err = c.removeRouteFromPeerAndSystem()
-		if err != nil {
-			return err
+		if err := c.removeRouteFromPeerAndSystem(); err != nil {
+			return fmt.Errorf("remove route from peer and system: %v", err)
 		}

 		c.chosenRoute = nil
@@ -211,6 +242,7 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 		return nil
 	}

+	// If the chosen route is the same as the current route, do nothing
 	if c.chosenRoute != nil && c.chosenRoute.ID == chosen {
 		if c.chosenRoute.IsEqual(c.routes[chosen]) {
 			return nil
@@ -218,13 +250,13 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 	}

 	if c.chosenRoute != nil {
-		err = c.removeRouteFromWireguardPeer(c.chosenRoute.Peer)
-		if err != nil {
-			return err
+		// If a previous route exists, remove it from the peer
+		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
+			return fmt.Errorf("remove route from peer: %v", err)
 		}
 	} else {
-		err = addToRouteTableIfNoExists(c.network, c.wgInterface.Address().IP.String())
-		if err != nil {
+		// otherwise add the route to the system
+		if err := addVPNRoute(c.network, c.wgInterface.Name()); err != nil {
 			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
 				c.network.String(), c.wgInterface.Address().IP.String(), err)
 		}
@@ -236,17 +268,13 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 	if err != nil {
 		log.Errorf("Failed to get peer state: %v", err)
 	} else {
-		if state.Routes == nil {
-			state.Routes = map[string]struct{}{}
-		}
-		state.Routes[c.network.String()] = struct{}{}
+		state.AddRoute(c.network.String())
 		if err := c.statusRecorder.UpdatePeerState(state); err != nil {
 			log.Warnf("Failed to update peer state: %v", err)
 		}
 	}

-	err = c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String())
-	if err != nil {
+	if err := c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String()); err != nil {
 		log.Errorf("couldn't add allowed IP %s added for peer %s, err: %v",
 			c.network, c.chosenRoute.Peer, err)
 	}
@@ -287,21 +315,21 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 			log.Debugf("stopping watcher for network %s", c.network)
 			err := c.removeRouteFromPeerAndSystem()
 			if err != nil {
-				log.Error(err)
+				log.Errorf("Couldn't remove route from peer and system for network %s: %v", c.network, err)
 			}
 			return
 		case <-c.peerStateUpdate:
 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Error(err)
+				log.Errorf("Couldn't recalculate route and update peer and system: %v", err)
 			}
 		case update := <-c.routeUpdate:
 			if update.updateSerial < c.updateSerial {
-				log.Warnf("received a routes update with smaller serial number, ignoring it")
+				log.Warnf("Received a routes update with smaller serial number, ignoring it")
 				continue
 			}

-			log.Debugf("received a new client network route update for %s", c.network)
+			log.Debugf("Received a new client network route update for %s", c.network)

 			c.handleUpdate(update)

@@ -309,7 +337,7 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {

 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Error(err)
+				log.Errorf("Couldn't recalculate route and update peer and system for network %s: %v", c.network, err)
 			}

 			c.startPeersStatusChangeWatcher()
--- a/client/internal/routemanager/client_test.go
+++ b/client/internal/routemanager/client_test.go
@@ -3,6 +3,7 @@ package routemanager
 import (
 	"net/netip"
 	"testing"
+	"time"

 	"github.com/netbirdio/netbird/route"
 )
@@ -13,7 +14,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 		name            string
 		statuses        map[string]routerPeerStatus
 		expectedRouteID string
-		currentRoute    *route.Route
+		currentRoute    string
 		existingRoutes  map[string]*route.Route
 	}{
 		{
@@ -32,7 +33,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -51,7 +52,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -70,7 +71,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -89,7 +90,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "",
 		},
 		{
@@ -118,7 +119,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -147,7 +148,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
@@ -176,18 +177,141 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
+		{
+			name: "multiple connected peers with different latencies",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   300 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "should ignore routes with latency 0",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current route with similar score and similar but slightly worse latency should not change",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   12 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "current chosen route doesn't exist anymore",
+			statuses: map[string]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   20 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[string]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "routeDoesntExistAnymore",
+			expectedRouteID: "route2",
+		},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			currentRoute := &route.Route{
+				ID: "routeDoesntExistAnymore",
+			}
+			if tc.currentRoute != "" {
+				currentRoute = tc.existingRoutes[tc.currentRoute]
+			}
+
 			// create new clientNetwork
 			client := &clientNetwork{
 				network:     netip.MustParsePrefix("192.168.0.0/24"),
 				routes:      tc.existingRoutes,
-				chosenRoute: tc.currentRoute,
+				chosenRoute: currentRoute,
 			}

 			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -2,6 +2,10 @@ package routemanager

 import (
 	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"net/url"
 	"runtime"
 	"sync"

@@ -15,8 +19,14 @@ import (
 	"github.com/netbirdio/netbird/version"
 )

+var defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+
+// nolint:unused
+var defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+
 // Manager is a route manager interface
 type Manager interface {
+	Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error)
 	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -56,6 +66,24 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 	return dm
 }

+// Init sets up the routing
+func (m *DefaultManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	if err := cleanupRouting(); err != nil {
+		log.Warnf("Failed cleaning up routing: %v", err)
+	}
+
+	mgmtAddress := m.statusRecorder.GetManagementState().URL
+	signalAddress := m.statusRecorder.GetSignalState().URL
+	ips := resolveURLsToIPs([]string{mgmtAddress, signalAddress})
+
+	beforePeerHook, afterPeerHook, err := setupRouting(ips, m.wgInterface)
+	if err != nil {
+		return nil, nil, fmt.Errorf("setup routing: %w", err)
+	}
+	log.Info("Routing setup complete")
+	return beforePeerHook, afterPeerHook, nil
+}
+
 func (m *DefaultManager) EnableServerRouter(firewall firewall.Manager) error {
 	var err error
 	m.serverRouter, err = newServerRouter(m.ctx, m.wgInterface, firewall, m.statusRecorder)
@@ -71,10 +99,15 @@ func (m *DefaultManager) Stop() {
 	if m.serverRouter != nil {
 		m.serverRouter.cleanUp()
 	}
+	if err := cleanupRouting(); err != nil {
+		log.Errorf("Error cleaning up routing: %v", err)
+	} else {
+		log.Info("Routing cleanup complete")
+	}
 	m.ctx = nil
 }

-// UpdateRoutes compares received routes with existing routes and remove, update or add them to the client and server maps
+// UpdateRoutes compares received routes with existing routes and removes, updates or adds them to the client and server maps
 func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error {
 	select {
 	case <-m.ctx.Done():
@@ -92,7 +125,7 @@ func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Ro
 		if m.serverRouter != nil {
 			err := m.serverRouter.updateRoutes(newServerRoutesMap)
 			if err != nil {
-				return err
+				return fmt.Errorf("update routes: %w", err)
 			}
 		}

@@ -157,11 +190,7 @@ func (m *DefaultManager) classifiesRoutes(newRoutes []*route.Route) (map[string]
 	for _, newRoute := range newRoutes {
 		networkID := route.GetHAUniqueID(newRoute)
 		if !ownNetworkIDs[networkID] {
-			// if prefix is too small, lets assume is a possible default route which is not yet supported
-			// we skip this route management
-			if newRoute.Network.Bits() < minRangeBits {
-				log.Errorf("this agent version: %s, doesn't support default routes, received %s, skipping this route",
-					version.NetbirdVersion(), newRoute.Network)
+			if !isPrefixSupported(newRoute.Network) {
 				continue
 			}
 			newClientRoutesIDMap[networkID] = append(newClientRoutesIDMap[networkID], newRoute)
@@ -179,3 +208,38 @@ func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Rou
 	}
 	return rs
 }
+
+func isPrefixSupported(prefix netip.Prefix) bool {
+	switch runtime.GOOS {
+	case "linux", "windows", "darwin":
+		return true
+	}
+
+	// If prefix is too small, lets assume it is a possible default prefix which is not yet supported
+	// we skip this prefix management
+	if prefix.Bits() <= minRangeBits {
+		log.Warnf("This agent version: %s, doesn't support default routes, received %s, skipping this prefix",
+			version.NetbirdVersion(), prefix)
+		return false
+	}
+	return true
+}
+
+// resolveURLsToIPs takes a slice of URLs, resolves them to IP addresses and returns a slice of IPs.
+func resolveURLsToIPs(urls []string) []net.IP {
+	var ips []net.IP
+	for _, rawurl := range urls {
+		u, err := url.Parse(rawurl)
+		if err != nil {
+			log.Errorf("Failed to parse url %s: %v", rawurl, err)
+			continue
+		}
+		ipAddrs, err := net.LookupIP(u.Hostname())
+		if err != nil {
+			log.Errorf("Failed to resolve host %s: %v", u.Hostname(), err)
+			continue
+		}
+		ips = append(ips, ipAddrs...)
+	}
+	return ips
+}
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -28,13 +28,14 @@ const remotePeerKey2 = "remote1"

 func TestManagerUpdateRoutes(t *testing.T) {
 	testCases := []struct {
-		name                          string
-		inputInitRoutes               []*route.Route
-		inputRoutes                   []*route.Route
-		inputSerial                   uint64
-		removeSrvRouter               bool
-		serverRoutesExpected          int
-		clientNetworkWatchersExpected int
+		name                                 string
+		inputInitRoutes                      []*route.Route
+		inputRoutes                          []*route.Route
+		inputSerial                          uint64
+		removeSrvRouter                      bool
+		serverRoutesExpected                 int
+		clientNetworkWatchersExpected        int
+		clientNetworkWatchersExpectedAllowed int
 	}{
 		{
 			name:            "Should create 2 client networks",
@@ -200,8 +201,9 @@ func TestManagerUpdateRoutes(t *testing.T) {
 					Enabled:     true,
 				},
 			},
-			inputSerial:                   1,
-			clientNetworkWatchersExpected: 0,
+			inputSerial:                          1,
+			clientNetworkWatchersExpected:        0,
+			clientNetworkWatchersExpectedAllowed: 1,
 		},
 		{
 			name: "Remove 1 Client Route",
@@ -415,6 +417,10 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
 			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)
+
+			_, _, err = routeManager.Init()
+
+			require.NoError(t, err, "should init route manager")
 			defer routeManager.Stop()

 			if testCase.removeSrvRouter {
@@ -429,7 +435,11 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			err = routeManager.UpdateRoutes(testCase.inputSerial+uint64(len(testCase.inputInitRoutes)), testCase.inputRoutes)
 			require.NoError(t, err, "should update routes")

-			require.Len(t, routeManager.clientNetworks, testCase.clientNetworkWatchersExpected, "client networks size should match")
+			expectedWatchers := testCase.clientNetworkWatchersExpected
+			if (runtime.GOOS == "linux" || runtime.GOOS == "windows" || runtime.GOOS == "darwin") && testCase.clientNetworkWatchersExpectedAllowed != 0 {
+				expectedWatchers = testCase.clientNetworkWatchersExpectedAllowed
+			}
+			require.Len(t, routeManager.clientNetworks, expectedWatchers, "client networks size should match")

 			if runtime.GOOS == "linux" && routeManager.serverRouter != nil {
 				sr := routeManager.serverRouter.(*defaultServerRouter)
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -6,6 +6,7 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )
@@ -16,6 +17,10 @@ type MockManager struct {
 	StopFunc         func()
 }

+func (m *MockManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return nil, nil, nil
+}
+
 // InitialRouteRange mock implementation of InitialRouteRange from Manager interface
 func (m *MockManager) InitialRouteRange() []string {
 	return nil
--- a/client/internal/routemanager/routemanager.go
+++ b/client/internal/routemanager/routemanager.go
@@ -0,0 +1,126 @@
+//go:build !android && !ios
+
+package routemanager
+
+import (
+	"errors"
+	"fmt"
+	"net/netip"
+	"sync"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+type ref struct {
+	count   int
+	nexthop netip.Addr
+	intf    string
+}
+
+type RouteManager struct {
+	// refCountMap keeps track of the reference ref for prefixes
+	refCountMap map[netip.Prefix]ref
+	// prefixMap keeps track of the prefixes associated with a connection ID for removal
+	prefixMap   map[nbnet.ConnectionID][]netip.Prefix
+	addRoute    AddRouteFunc
+	removeRoute RemoveRouteFunc
+	mutex       sync.Mutex
+}
+
+type AddRouteFunc func(prefix netip.Prefix) (nexthop netip.Addr, intf string, err error)
+type RemoveRouteFunc func(prefix netip.Prefix, nexthop netip.Addr, intf string) error
+
+func NewRouteManager(addRoute AddRouteFunc, removeRoute RemoveRouteFunc) *RouteManager {
+	// TODO: read initial routing table into refCountMap
+	return &RouteManager{
+		refCountMap: map[netip.Prefix]ref{},
+		prefixMap:   map[nbnet.ConnectionID][]netip.Prefix{},
+		addRoute:    addRoute,
+		removeRoute: removeRoute,
+	}
+}
+
+func (rm *RouteManager) AddRouteRef(connID nbnet.ConnectionID, prefix netip.Prefix) error {
+	rm.mutex.Lock()
+	defer rm.mutex.Unlock()
+
+	ref := rm.refCountMap[prefix]
+	log.Debugf("Increasing route ref count %d for prefix %s", ref.count, prefix)
+
+	// Add route to the system, only if it's a new prefix
+	if ref.count == 0 {
+		log.Debugf("Adding route for prefix %s", prefix)
+		nexthop, intf, err := rm.addRoute(prefix)
+		if errors.Is(err, ErrRouteNotFound) {
+			return nil
+		}
+		if errors.Is(err, ErrRouteNotAllowed) {
+			log.Debugf("Adding route for prefix %s: %s", prefix, err)
+		}
+		if err != nil {
+			return fmt.Errorf("failed to add route for prefix %s: %w", prefix, err)
+		}
+		ref.nexthop = nexthop
+		ref.intf = intf
+	}
+
+	ref.count++
+	rm.refCountMap[prefix] = ref
+	rm.prefixMap[connID] = append(rm.prefixMap[connID], prefix)
+
+	return nil
+}
+
+func (rm *RouteManager) RemoveRouteRef(connID nbnet.ConnectionID) error {
+	rm.mutex.Lock()
+	defer rm.mutex.Unlock()
+
+	prefixes, ok := rm.prefixMap[connID]
+	if !ok {
+		log.Debugf("No prefixes found for connection ID %s", connID)
+		return nil
+	}
+
+	var result *multierror.Error
+	for _, prefix := range prefixes {
+		ref := rm.refCountMap[prefix]
+		log.Debugf("Decreasing route ref count %d for prefix %s", ref.count, prefix)
+		if ref.count == 1 {
+			log.Debugf("Removing route for prefix %s", prefix)
+			// TODO: don't fail if the route is not found
+			if err := rm.removeRoute(prefix, ref.nexthop, ref.intf); err != nil {
+				result = multierror.Append(result, fmt.Errorf("remove route for prefix %s: %w", prefix, err))
+				continue
+			}
+			delete(rm.refCountMap, prefix)
+		} else {
+			ref.count--
+			rm.refCountMap[prefix] = ref
+		}
+	}
+	delete(rm.prefixMap, connID)
+
+	return result.ErrorOrNil()
+}
+
+// Flush removes all references and routes from the system
+func (rm *RouteManager) Flush() error {
+	rm.mutex.Lock()
+	defer rm.mutex.Unlock()
+
+	var result *multierror.Error
+	for prefix := range rm.refCountMap {
+		log.Debugf("Removing route for prefix %s", prefix)
+		ref := rm.refCountMap[prefix]
+		if err := rm.removeRoute(prefix, ref.nexthop, ref.intf); err != nil {
+			result = multierror.Append(result, fmt.Errorf("remove route for prefix %s: %w", prefix, err))
+		}
+	}
+	rm.refCountMap = map[netip.Prefix]ref{}
+	rm.prefixMap = map[nbnet.ConnectionID][]netip.Prefix{}
+
+	return result.ErrorOrNil()
+}
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -4,6 +4,7 @@ package routemanager

 import (
 	"context"
+	"fmt"
 	"net/netip"
 	"sync"

@@ -48,7 +49,7 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) er
 		oldRoute := m.routes[routeID]
 		err := m.removeFromServerNetwork(oldRoute)
 		if err != nil {
-			log.Errorf("unable to remove route id: %s, network %s, from server, got: %v",
+			log.Errorf("Unable to remove route id: %s, network %s, from server, got: %v",
 				oldRoute.ID, oldRoute.Network, err)
 		}
 		delete(m.routes, routeID)
@@ -62,7 +63,7 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) er

 		err := m.addToServerNetwork(newRoute)
 		if err != nil {
-			log.Errorf("unable to add route %s from server, got: %v", newRoute.ID, err)
+			log.Errorf("Unable to add route %s from server, got: %v", newRoute.ID, err)
 			continue
 		}
 		m.routes[id] = newRoute
@@ -81,15 +82,22 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) er
 func (m *defaultServerRouter) removeFromServerNetwork(route *route.Route) error {
 	select {
 	case <-m.ctx.Done():
-		log.Infof("not removing from server network because context is done")
+		log.Infof("Not removing from server network because context is done")
 		return m.ctx.Err()
 	default:
 		m.mux.Lock()
 		defer m.mux.Unlock()
-		err := m.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
+
+		routerPair, err := routeToRouterPair(m.wgInterface.Address().Masked().String(), route)
 		if err != nil {
-			return err
+			return fmt.Errorf("parse prefix: %w", err)
 		}
+
+		err = m.firewall.RemoveRoutingRules(routerPair)
+		if err != nil {
+			return fmt.Errorf("remove routing rules: %w", err)
+		}
+
 		delete(m.routes, route.ID)

 		state := m.statusRecorder.GetLocalPeerState()
@@ -103,15 +111,22 @@ func (m *defaultServerRouter) removeFromServerNetwork(route *route.Route) error
 func (m *defaultServerRouter) addToServerNetwork(route *route.Route) error {
 	select {
 	case <-m.ctx.Done():
-		log.Infof("not adding to server network because context is done")
+		log.Infof("Not adding to server network because context is done")
 		return m.ctx.Err()
 	default:
 		m.mux.Lock()
 		defer m.mux.Unlock()
-		err := m.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
+
+		routerPair, err := routeToRouterPair(m.wgInterface.Address().Masked().String(), route)
 		if err != nil {
-			return err
+			return fmt.Errorf("parse prefix: %w", err)
 		}
+
+		err = m.firewall.InsertRoutingRules(routerPair)
+		if err != nil {
+			return fmt.Errorf("insert routing rules: %w", err)
+		}
+
 		m.routes[route.ID] = route

 		state := m.statusRecorder.GetLocalPeerState()
@@ -129,23 +144,33 @@ func (m *defaultServerRouter) cleanUp() {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	for _, r := range m.routes {
-		err := m.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), r))
+		routerPair, err := routeToRouterPair(m.wgInterface.Address().Masked().String(), r)
 		if err != nil {
-			log.Warnf("failed to remove clean up route: %s", r.ID)
+			log.Errorf("Failed to convert route to router pair: %v", err)
+			continue
+		}
+
+		err = m.firewall.RemoveRoutingRules(routerPair)
+		if err != nil {
+			log.Errorf("Failed to remove cleanup route: %v", err)
 		}

-		state := m.statusRecorder.GetLocalPeerState()
-		state.Routes = nil
-		m.statusRecorder.UpdateLocalPeerState(state)
 	}
+
+	state := m.statusRecorder.GetLocalPeerState()
+	state.Routes = nil
+	m.statusRecorder.UpdateLocalPeerState(state)
 }

-func routeToRouterPair(source string, route *route.Route) firewall.RouterPair {
-	parsed := netip.MustParsePrefix(source).Masked()
+func routeToRouterPair(source string, route *route.Route) (firewall.RouterPair, error) {
+	parsed, err := netip.ParsePrefix(source)
+	if err != nil {
+		return firewall.RouterPair{}, err
+	}
 	return firewall.RouterPair{
 		ID:          route.ID,
 		Source:      parsed.String(),
 		Destination: route.Network.Masked().String(),
 		Masquerade:  route.Masquerade,
-	}
+	}, nil
 }
--- a/client/internal/routemanager/systemops.go
+++ b/client/internal/routemanager/systemops.go
@@ -0,0 +1,428 @@
+//go:build !android && !ios
+
+package routemanager
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime"
+	"strconv"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/libp2p/go-netroute"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+var splitDefaultv4_1 = netip.PrefixFrom(netip.IPv4Unspecified(), 1)
+var splitDefaultv4_2 = netip.PrefixFrom(netip.AddrFrom4([4]byte{128}), 1)
+var splitDefaultv6_1 = netip.PrefixFrom(netip.IPv6Unspecified(), 1)
+var splitDefaultv6_2 = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x80}), 1)
+
+var ErrRouteNotFound = errors.New("route not found")
+var ErrRouteNotAllowed = errors.New("route not allowed")
+
+// TODO: fix: for default our wg address now appears as the default gw
+func addRouteForCurrentDefaultGateway(prefix netip.Prefix) error {
+	addr := netip.IPv4Unspecified()
+	if prefix.Addr().Is6() {
+		addr = netip.IPv6Unspecified()
+	}
+
+	defaultGateway, _, err := getNextHop(addr)
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		return fmt.Errorf("get existing route gateway: %s", err)
+	}
+
+	if !prefix.Contains(defaultGateway) {
+		log.Debugf("Skipping adding a new route for gateway %s because it is not in the network %s", defaultGateway, prefix)
+		return nil
+	}
+
+	gatewayPrefix := netip.PrefixFrom(defaultGateway, 32)
+	if defaultGateway.Is6() {
+		gatewayPrefix = netip.PrefixFrom(defaultGateway, 128)
+	}
+
+	ok, err := existsInRouteTable(gatewayPrefix)
+	if err != nil {
+		return fmt.Errorf("unable to check if there is an existing route for gateway %s. error: %s", gatewayPrefix, err)
+	}
+
+	if ok {
+		log.Debugf("Skipping adding a new route for gateway %s because it already exists", gatewayPrefix)
+		return nil
+	}
+
+	var exitIntf string
+	gatewayHop, intf, err := getNextHop(defaultGateway)
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		return fmt.Errorf("unable to get the next hop for the default gateway address. error: %s", err)
+	}
+	if intf != nil {
+		exitIntf = intf.Name
+	}
+
+	log.Debugf("Adding a new route for gateway %s with next hop %s", gatewayPrefix, gatewayHop)
+	return addToRouteTable(gatewayPrefix, gatewayHop, exitIntf)
+}
+
+func getNextHop(ip netip.Addr) (netip.Addr, *net.Interface, error) {
+	r, err := netroute.New()
+	if err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("new netroute: %w", err)
+	}
+	intf, gateway, preferredSrc, err := r.Route(ip.AsSlice())
+	if err != nil {
+		log.Warnf("Failed to get route for %s: %v", ip, err)
+		return netip.Addr{}, nil, ErrRouteNotFound
+	}
+
+	log.Debugf("Route for %s: interface %v, nexthop %v, preferred source %v", ip, intf, gateway, preferredSrc)
+	if gateway == nil {
+		if preferredSrc == nil {
+			return netip.Addr{}, nil, ErrRouteNotFound
+		}
+		log.Debugf("No next hop found for ip %s, using preferred source %s", ip, preferredSrc)
+
+		addr, err := ipToAddr(preferredSrc, intf)
+		if err != nil {
+			return netip.Addr{}, nil, fmt.Errorf("convert preferred source to address: %w", err)
+		}
+		return addr.Unmap(), intf, nil
+	}
+
+	addr, err := ipToAddr(gateway, intf)
+	if err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("convert gateway to address: %w", err)
+	}
+
+	return addr, intf, nil
+}
+
+// converts a net.IP to a netip.Addr including the zone based on the passed interface
+func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return netip.Addr{}, fmt.Errorf("failed to convert IP address to netip.Addr: %s", ip)
+	}
+
+	if intf != nil && (addr.IsLinkLocalMulticast() || addr.IsLinkLocalUnicast()) {
+		log.Tracef("Adding zone %s to address %s", intf.Name, addr)
+		if runtime.GOOS == "windows" {
+			addr = addr.WithZone(strconv.Itoa(intf.Index))
+		} else {
+			addr = addr.WithZone(intf.Name)
+		}
+	}
+
+	return addr.Unmap(), nil
+}
+
+func existsInRouteTable(prefix netip.Prefix) (bool, error) {
+	routes, err := getRoutesFromTable()
+	if err != nil {
+		return false, fmt.Errorf("get routes from table: %w", err)
+	}
+	for _, tableRoute := range routes {
+		if tableRoute == prefix {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func isSubRange(prefix netip.Prefix) (bool, error) {
+	routes, err := getRoutesFromTable()
+	if err != nil {
+		return false, fmt.Errorf("get routes from table: %w", err)
+	}
+	for _, tableRoute := range routes {
+		if tableRoute.Bits() > minRangeBits && tableRoute.Contains(prefix.Addr()) && tableRoute.Bits() < prefix.Bits() {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// addRouteToNonVPNIntf adds a new route to the routing table for the given prefix and returns the next hop and interface.
+// If the next hop or interface is pointing to the VPN interface, it will return the initial values.
+func addRouteToNonVPNIntf(
+	prefix netip.Prefix,
+	vpnIntf *iface.WGIface,
+	initialNextHop netip.Addr,
+	initialIntf *net.Interface,
+) (netip.Addr, string, error) {
+	addr := prefix.Addr()
+	switch {
+	case addr.IsLoopback(),
+		addr.IsLinkLocalUnicast(),
+		addr.IsLinkLocalMulticast(),
+		addr.IsInterfaceLocalMulticast(),
+		addr.IsUnspecified(),
+		addr.IsMulticast():
+
+		return netip.Addr{}, "", ErrRouteNotAllowed
+	}
+
+	// Determine the exit interface and next hop for the prefix, so we can add a specific route
+	nexthop, intf, err := getNextHop(addr)
+	if err != nil {
+		return netip.Addr{}, "", fmt.Errorf("get next hop: %w", err)
+	}
+
+	log.Debugf("Found next hop %s for prefix %s with interface %v", nexthop, prefix, intf)
+	exitNextHop := nexthop
+	var exitIntf string
+	if intf != nil {
+		exitIntf = intf.Name
+	}
+
+	vpnAddr, ok := netip.AddrFromSlice(vpnIntf.Address().IP)
+	if !ok {
+		return netip.Addr{}, "", fmt.Errorf("failed to convert vpn address to netip.Addr")
+	}
+
+	// if next hop is the VPN address or the interface is the VPN interface, we should use the initial values
+	if exitNextHop == vpnAddr || exitIntf == vpnIntf.Name() {
+		log.Debugf("Route for prefix %s is pointing to the VPN interface", prefix)
+		exitNextHop = initialNextHop
+		if initialIntf != nil {
+			exitIntf = initialIntf.Name
+		}
+	}
+
+	log.Debugf("Adding a new route for prefix %s with next hop %s", prefix, exitNextHop)
+	if err := addToRouteTable(prefix, exitNextHop, exitIntf); err != nil {
+		return netip.Addr{}, "", fmt.Errorf("add route to table: %w", err)
+	}
+
+	return exitNextHop, exitIntf, nil
+}
+
+// genericAddVPNRoute adds a new route to the vpn interface, it splits the default prefix
+// in two /1 prefixes to avoid replacing the existing default route
+func genericAddVPNRoute(prefix netip.Prefix, intf string) error {
+	if prefix == defaultv4 {
+		if err := addToRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err != nil {
+			return err
+		}
+		if err := addToRouteTable(splitDefaultv4_2, netip.Addr{}, intf); err != nil {
+			if err2 := removeFromRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return err
+		}
+
+		// TODO: remove once IPv6 is supported on the interface
+		if err := addToRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			return fmt.Errorf("add unreachable route split 1: %w", err)
+		}
+		if err := addToRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			if err2 := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return fmt.Errorf("add unreachable route split 2: %w", err)
+		}
+
+		return nil
+	} else if prefix == defaultv6 {
+		if err := addToRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			return fmt.Errorf("add unreachable route split 1: %w", err)
+		}
+		if err := addToRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			if err2 := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return fmt.Errorf("add unreachable route split 2: %w", err)
+		}
+
+		return nil
+	}
+
+	return addNonExistingRoute(prefix, intf)
+}
+
+// addNonExistingRoute adds a new route to the vpn interface if it doesn't exist in the current routing table
+func addNonExistingRoute(prefix netip.Prefix, intf string) error {
+	ok, err := existsInRouteTable(prefix)
+	if err != nil {
+		return fmt.Errorf("exists in route table: %w", err)
+	}
+	if ok {
+		log.Warnf("Skipping adding a new route for network %s because it already exists", prefix)
+		return nil
+	}
+
+	ok, err = isSubRange(prefix)
+	if err != nil {
+		return fmt.Errorf("sub range: %w", err)
+	}
+
+	if ok {
+		err := addRouteForCurrentDefaultGateway(prefix)
+		if err != nil {
+			log.Warnf("Unable to add route for current default gateway route. Will proceed without it. error: %s", err)
+		}
+	}
+
+	return addToRouteTable(prefix, netip.Addr{}, intf)
+}
+
+// genericRemoveVPNRoute removes the route from the vpn interface. If a default prefix is given,
+// it will remove the split /1 prefixes
+func genericRemoveVPNRoute(prefix netip.Prefix, intf string) error {
+	if prefix == defaultv4 {
+		var result *multierror.Error
+		if err := removeFromRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := removeFromRouteTable(splitDefaultv4_2, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		// TODO: remove once IPv6 is supported on the interface
+		if err := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := removeFromRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		return result.ErrorOrNil()
+	} else if prefix == defaultv6 {
+		var result *multierror.Error
+		if err := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := removeFromRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		return result.ErrorOrNil()
+	}
+
+	return removeFromRouteTable(prefix, netip.Addr{}, intf)
+}
+
+func getPrefixFromIP(ip net.IP) (*netip.Prefix, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return nil, fmt.Errorf("parse IP address: %s", ip)
+	}
+	addr = addr.Unmap()
+
+	var prefixLength int
+	switch {
+	case addr.Is4():
+		prefixLength = 32
+	case addr.Is6():
+		prefixLength = 128
+	default:
+		return nil, fmt.Errorf("invalid IP address: %s", addr)
+	}
+
+	prefix := netip.PrefixFrom(addr, prefixLength)
+	return &prefix, nil
+}
+
+func setupRoutingWithRouteManager(routeManager **RouteManager, initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	initialNextHopV4, initialIntfV4, err := getNextHop(netip.IPv4Unspecified())
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		log.Errorf("Unable to get initial v4 default next hop: %v", err)
+	}
+	initialNextHopV6, initialIntfV6, err := getNextHop(netip.IPv6Unspecified())
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		log.Errorf("Unable to get initial v6 default next hop: %v", err)
+	}
+
+	*routeManager = NewRouteManager(
+		func(prefix netip.Prefix) (netip.Addr, string, error) {
+			addr := prefix.Addr()
+			nexthop, intf := initialNextHopV4, initialIntfV4
+			if addr.Is6() {
+				nexthop, intf = initialNextHopV6, initialIntfV6
+			}
+			return addRouteToNonVPNIntf(prefix, wgIface, nexthop, intf)
+		},
+		removeFromRouteTable,
+	)
+
+	return setupHooks(*routeManager, initAddresses)
+}
+
+func cleanupRoutingWithRouteManager(routeManager *RouteManager) error {
+	if routeManager == nil {
+		return nil
+	}
+
+	// TODO: Remove hooks selectively
+	nbnet.RemoveDialerHooks()
+	nbnet.RemoveListenerHooks()
+
+	if err := routeManager.Flush(); err != nil {
+		return fmt.Errorf("flush route manager: %w", err)
+	}
+
+	return nil
+}
+
+func setupHooks(routeManager *RouteManager, initAddresses []net.IP) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	beforeHook := func(connID nbnet.ConnectionID, ip net.IP) error {
+		prefix, err := getPrefixFromIP(ip)
+		if err != nil {
+			return fmt.Errorf("convert ip to prefix: %w", err)
+		}
+
+		if err := routeManager.AddRouteRef(connID, *prefix); err != nil {
+			return fmt.Errorf("adding route reference: %v", err)
+		}
+
+		return nil
+	}
+	afterHook := func(connID nbnet.ConnectionID) error {
+		if err := routeManager.RemoveRouteRef(connID); err != nil {
+			return fmt.Errorf("remove route reference: %w", err)
+		}
+
+		return nil
+	}
+
+	for _, ip := range initAddresses {
+		if err := beforeHook("init", ip); err != nil {
+			log.Errorf("Failed to add route reference: %v", err)
+		}
+	}
+
+	nbnet.AddDialerHook(func(ctx context.Context, connID nbnet.ConnectionID, resolvedIPs []net.IPAddr) error {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+
+		var result *multierror.Error
+		for _, ip := range resolvedIPs {
+			result = multierror.Append(result, beforeHook(connID, ip.IP))
+		}
+		return result.ErrorOrNil()
+	})
+
+	nbnet.AddDialerCloseHook(func(connID nbnet.ConnectionID, conn *net.Conn) error {
+		return afterHook(connID)
+	})
+
+	nbnet.AddListenerWriteHook(func(connID nbnet.ConnectionID, ip *net.IPAddr, data []byte) error {
+		return beforeHook(connID, ip.IP)
+	})
+
+	nbnet.AddListenerCloseHook(func(connID nbnet.ConnectionID, conn net.PacketConn) error {
+		return afterHook(connID)
+	})
+
+	return beforeHook, afterHook, nil
+}
--- a/client/internal/routemanager/systemops_android.go
+++ b/client/internal/routemanager/systemops_android.go
@@ -1,13 +1,33 @@
 package routemanager

 import (
+	"net"
 	"net/netip"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
 )

-func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+func setupRouting([]net.IP, *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return nil, nil, nil
+}
+
+func cleanupRouting() error {
 	return nil
 }

-func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+func enableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func addVPNRoute(netip.Prefix, string) error {
+	return nil
+}
+
+func removeVPNRoute(netip.Prefix, string) error {
 	return nil
 }
--- a/client/internal/routemanager/systemops_bsd.go
+++ b/client/internal/routemanager/systemops_bsd.go
@@ -1,5 +1,4 @@
 //go:build darwin || dragonfly || freebsd || netbsd || openbsd
-// +build darwin dragonfly freebsd netbsd openbsd

 package routemanager

@@ -9,6 +8,7 @@ import (
 	"net/netip"
 	"syscall"

+	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/route"
 )

@@ -52,16 +52,24 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 			continue
 		}

+		if len(m.Addrs) < 3 {
+			log.Warnf("Unexpected RIB message Addrs: %v", m.Addrs)
+			continue
+		}
+
 		addr, ok := toNetIPAddr(m.Addrs[0])
 		if !ok {
 			continue
 		}

-		mask, ok := toNetIPMASK(m.Addrs[2])
-		if !ok {
-			continue
+		cidr := 32
+		if mask := m.Addrs[2]; mask != nil {
+			cidr, ok = toCIDR(mask)
+			if !ok {
+				log.Debugf("Unexpected RIB message Addrs[2]: %v", mask)
+				continue
+			}
 		}
-		cidr, _ := mask.Size()

 		routePrefix := netip.PrefixFrom(addr, cidr)
 		if routePrefix.IsValid() {
@@ -74,20 +82,19 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 func toNetIPAddr(a route.Addr) (netip.Addr, bool) {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
-		ip := net.IPv4(t.IP[0], t.IP[1], t.IP[2], t.IP[3])
-		addr := netip.MustParseAddr(ip.String())
-		return addr, true
+		return netip.AddrFrom4(t.IP), true
 	default:
 		return netip.Addr{}, false
 	}
 }

-func toNetIPMASK(a route.Addr) (net.IPMask, bool) {
+func toCIDR(a route.Addr) (int, bool) {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
 		mask := net.IPv4Mask(t.IP[0], t.IP[1], t.IP[2], t.IP[3])
-		return mask, true
+		cidr, _ := mask.Size()
+		return cidr, true
 	default:
-		return nil, false
+		return 0, false
 	}
 }
--- a/client/internal/routemanager/systemops_darwin.go
+++ b/client/internal/routemanager/systemops_darwin.go
@@ -0,0 +1,89 @@
+//go:build darwin && !ios
+
+package routemanager
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
+)
+
+var routeManager *RouteManager
+
+func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+}
+
+func cleanupRouting() error {
+	return cleanupRoutingWithRouteManager(routeManager)
+}
+
+func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	return routeCmd("add", prefix, nexthop, intf)
+}
+
+func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	return routeCmd("delete", prefix, nexthop, intf)
+}
+
+func routeCmd(action string, prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	inet := "-inet"
+	network := prefix.String()
+	if prefix.IsSingleIP() {
+		network = prefix.Addr().String()
+	}
+	if prefix.Addr().Is6() {
+		inet = "-inet6"
+		// Special case for IPv6 split default route, pointing to the wg interface fails
+		// TODO: Remove once we have IPv6 support on the interface
+		if prefix.Bits() == 1 {
+			intf = "lo0"
+		}
+	}
+
+	args := []string{"-n", action, inet, network}
+	if nexthop.IsValid() {
+		args = append(args, nexthop.Unmap().String())
+	} else if intf != "" {
+		args = append(args, "-interface", intf)
+	}
+
+	if err := retryRouteCmd(args); err != nil {
+		return fmt.Errorf("failed to %s route for %s: %w", action, prefix, err)
+	}
+	return nil
+}
+
+func retryRouteCmd(args []string) error {
+	operation := func() error {
+		out, err := exec.Command("route", args...).CombinedOutput()
+		log.Tracef("route %s: %s", strings.Join(args, " "), out)
+		// https://github.com/golang/go/issues/45736
+		if err != nil && strings.Contains(string(out), "sysctl: cannot allocate memory") {
+			return err
+		} else if err != nil {
+			return backoff.Permanent(err)
+		}
+		return nil
+	}
+
+	expBackOff := backoff.NewExponentialBackOff()
+	expBackOff.InitialInterval = 50 * time.Millisecond
+	expBackOff.MaxInterval = 500 * time.Millisecond
+	expBackOff.MaxElapsedTime = 1 * time.Second
+
+	err := backoff.Retry(operation, expBackOff)
+	if err != nil {
+		return fmt.Errorf("route cmd retry failed: %w", err)
+	}
+	return nil
+}
--- a/client/internal/routemanager/systemops_darwin_test.go
+++ b/client/internal/routemanager/systemops_darwin_test.go
@@ -0,0 +1,138 @@
+//go:build !ios
+
+package routemanager
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"os/exec"
+	"regexp"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var expectedVPNint = "utun100"
+var expectedExternalInt = "lo0"
+var expectedInternalInt = "lo0"
+
+func init() {
+	testCases = append(testCases, []testCase{
+		{
+			name:              "To more specific route without custom dialer via vpn",
+			destination:       "10.10.0.2:53",
+			expectedInterface: expectedVPNint,
+			dialer:            &net.Dialer{},
+			expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "10.10.0.2", 53),
+		},
+	}...)
+}
+
+func TestConcurrentRoutes(t *testing.T) {
+	baseIP := netip.MustParseAddr("192.0.2.0")
+	intf := "lo0"
+
+	var wg sync.WaitGroup
+	for i := 0; i < 1024; i++ {
+		wg.Add(1)
+		go func(ip netip.Addr) {
+			defer wg.Done()
+			prefix := netip.PrefixFrom(ip, 32)
+			if err := addToRouteTable(prefix, netip.Addr{}, intf); err != nil {
+				t.Errorf("Failed to add route for %s: %v", prefix, err)
+			}
+		}(baseIP)
+		baseIP = baseIP.Next()
+	}
+
+	wg.Wait()
+
+	baseIP = netip.MustParseAddr("192.0.2.0")
+
+	for i := 0; i < 1024; i++ {
+		wg.Add(1)
+		go func(ip netip.Addr) {
+			defer wg.Done()
+			prefix := netip.PrefixFrom(ip, 32)
+			if err := removeFromRouteTable(prefix, netip.Addr{}, intf); err != nil {
+				t.Errorf("Failed to remove route for %s: %v", prefix, err)
+			}
+		}(baseIP)
+		baseIP = baseIP.Next()
+	}
+
+	wg.Wait()
+}
+
+func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR string) string {
+	t.Helper()
+
+	err := exec.Command("ifconfig", intf, "alias", ipAddressCIDR).Run()
+	require.NoError(t, err, "Failed to create loopback alias")
+
+	t.Cleanup(func() {
+		err := exec.Command("ifconfig", intf, ipAddressCIDR, "-alias").Run()
+		assert.NoError(t, err, "Failed to remove loopback alias")
+	})
+
+	return "lo0"
+}
+
+func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, _ string) {
+	t.Helper()
+
+	var originalNexthop net.IP
+	if dstCIDR == "0.0.0.0/0" {
+		var err error
+		originalNexthop, err = fetchOriginalGateway()
+		if err != nil {
+			t.Logf("Failed to fetch original gateway: %v", err)
+		}
+
+		if output, err := exec.Command("route", "delete", "-net", dstCIDR).CombinedOutput(); err != nil {
+			t.Logf("Failed to delete route: %v, output: %s", err, output)
+		}
+	}
+
+	t.Cleanup(func() {
+		if originalNexthop != nil {
+			err := exec.Command("route", "add", "-net", dstCIDR, originalNexthop.String()).Run()
+			assert.NoError(t, err, "Failed to restore original route")
+		}
+	})
+
+	err := exec.Command("route", "add", "-net", dstCIDR, gw.String()).Run()
+	require.NoError(t, err, "Failed to add route")
+
+	t.Cleanup(func() {
+		err := exec.Command("route", "delete", "-net", dstCIDR).Run()
+		assert.NoError(t, err, "Failed to remove route")
+	})
+}
+
+func fetchOriginalGateway() (net.IP, error) {
+	output, err := exec.Command("route", "-n", "get", "default").CombinedOutput()
+	if err != nil {
+		return nil, err
+	}
+
+	matches := regexp.MustCompile(`gateway: (\S+)`).FindStringSubmatch(string(output))
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("gateway not found")
+	}
+
+	return net.ParseIP(matches[1]), nil
+}
+
+func setupDummyInterfacesAndRoutes(t *testing.T) {
+	t.Helper()
+
+	defaultDummy := createAndSetupDummyInterface(t, expectedExternalInt, "192.168.0.1/24")
+	addDummyRoute(t, "0.0.0.0/0", net.IPv4(192, 168, 0, 1), defaultDummy)
+
+	otherDummy := createAndSetupDummyInterface(t, expectedInternalInt, "192.168.1.1/24")
+	addDummyRoute(t, "10.0.0.0/8", net.IPv4(192, 168, 1, 1), otherDummy)
+}
--- a/client/internal/routemanager/systemops_ios.go
+++ b/client/internal/routemanager/systemops_ios.go
@@ -1,15 +1,33 @@
-//go:build ios
-
 package routemanager

 import (
+	"net"
 	"net/netip"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
 )

-func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+func setupRouting([]net.IP, *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return nil, nil, nil
+}
+
+func cleanupRouting() error {
 	return nil
 }

-func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+func enableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func addVPNRoute(netip.Prefix, string) error {
+	return nil
+}
+
+func removeVPNRoute(netip.Prefix, string) error {
 	return nil
 }
--- a/client/internal/routemanager/systemops_linux.go
+++ b/client/internal/routemanager/systemops_linux.go
@@ -3,142 +3,342 @@
 package routemanager

 import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
 	"net"
 	"net/netip"
 	"os"
 	"syscall"
-	"unsafe"
+	"time"

+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

-// Pulled from http://man7.org/linux/man-pages/man7/rtnetlink.7.html
-// See the section on RTM_NEWROUTE, specifically 'struct rtmsg'.
-type routeInfoInMemory struct {
-	Family byte
-	DstLen byte
-	SrcLen byte
-	TOS    byte
+const (
+	// NetbirdVPNTableID is the ID of the custom routing table used by Netbird.
+	NetbirdVPNTableID = 0x1BD0
+	// NetbirdVPNTableName is the name of the custom routing table used by Netbird.
+	NetbirdVPNTableName = "netbird"

-	Table    byte
-	Protocol byte
-	Scope    byte
-	Type     byte
+	// rtTablesPath is the path to the file containing the routing table names.
+	rtTablesPath = "/etc/iproute2/rt_tables"

-	Flags uint32
+	// ipv4ForwardingPath is the path to the file containing the IP forwarding setting.
+	ipv4ForwardingPath = "/proc/sys/net/ipv4/ip_forward"
+)
+
+var ErrTableIDExists = errors.New("ID exists with different name")
+
+var routeManager = &RouteManager{}
+var isLegacy = os.Getenv("NB_USE_LEGACY_ROUTING") == "true"
+
+type ruleParams struct {
+	fwmark         int
+	tableID        int
+	family         int
+	priority       int
+	invert         bool
+	suppressPrefix int
+	description    string
 }

-const ipv4ForwardingPath = "/proc/sys/net/ipv4/ip_forward"
+func getSetupRules() []ruleParams {
+	return []ruleParams{
+		{nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V4, -1, true, -1, "rule v4 netbird"},
+		{nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V6, -1, true, -1, "rule v6 netbird"},
+		{-1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V4, -1, false, 0, "rule with suppress prefixlen v4"},
+		{-1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V6, -1, false, 0, "rule with suppress prefixlen v6"},
+	}
+}

-func addToRouteTable(prefix netip.Prefix, addr string) error {
-	_, ipNet, err := net.ParseCIDR(prefix.String())
-	if err != nil {
-		return err
+// setupRouting establishes the routing configuration for the VPN, including essential rules
+// to ensure proper traffic flow for management, locally configured routes, and VPN traffic.
+//
+// Rule 1 (Main Route Precedence): Safeguards locally installed routes by giving them precedence over
+// potential routes received and configured for the VPN.  This rule is skipped for the default route and routes
+// that are not in the main table.
+//
+// Rule 2 (VPN Traffic Routing): Directs all remaining traffic to the 'NetbirdVPNTableID' custom routing table.
+// This table is where a default route or other specific routes received from the management server are configured,
+// enabling VPN connectivity.
+//
+// The rules are inserted in reverse order, as rules are added from the bottom up in the rule list.
+func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.BeforeAddPeerHookFunc, _ peer.AfterRemovePeerHookFunc, err error) {
+	if isLegacy {
+		log.Infof("Using legacy routing setup")
+		return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
 	}

-	addrMask := "/32"
-	if prefix.Addr().Unmap().Is6() {
-		addrMask = "/128"
+	if err = addRoutingTableName(); err != nil {
+		log.Errorf("Error adding routing table name: %v", err)
 	}

-	ip, _, err := net.ParseCIDR(addr + addrMask)
-	if err != nil {
-		return err
+	defer func() {
+		if err != nil {
+			if cleanErr := cleanupRouting(); cleanErr != nil {
+				log.Errorf("Error cleaning up routing: %v", cleanErr)
+			}
+		}
+	}()
+
+	rules := getSetupRules()
+	for _, rule := range rules {
+		if err := addRule(rule); err != nil {
+			if errors.Is(err, syscall.EOPNOTSUPP) {
+				log.Warnf("Rule operations are not supported, falling back to the legacy routing setup")
+				isLegacy = true
+				return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+			}
+			return nil, nil, fmt.Errorf("%s: %w", rule.description, err)
+		}
 	}

-	route := &netlink.Route{
-		Scope: netlink.SCOPE_UNIVERSE,
-		Dst:   ipNet,
-		Gw:    ip,
+	return nil, nil, nil
+}
+
+// cleanupRouting performs a thorough cleanup of the routing configuration established by 'setupRouting'.
+// It systematically removes the three rules and any associated routing table entries to ensure a clean state.
+// The function uses error aggregation to report any errors encountered during the cleanup process.
+func cleanupRouting() error {
+	if isLegacy {
+		return cleanupRoutingWithRouteManager(routeManager)
 	}

-	err = netlink.RouteAdd(route)
-	if err != nil {
-		return err
+	var result *multierror.Error
+
+	if err := flushRoutes(NetbirdVPNTableID, netlink.FAMILY_V4); err != nil {
+		result = multierror.Append(result, fmt.Errorf("flush routes v4: %w", err))
+	}
+	if err := flushRoutes(NetbirdVPNTableID, netlink.FAMILY_V6); err != nil {
+		result = multierror.Append(result, fmt.Errorf("flush routes v6: %w", err))
 	}

+	rules := getSetupRules()
+	for _, rule := range rules {
+		if err := removeAllRules(rule); err != nil && !errors.Is(err, syscall.EOPNOTSUPP) {
+			result = multierror.Append(result, fmt.Errorf("%s: %w", rule.description, err))
+		}
+	}
+
+	return result.ErrorOrNil()
+}
+
+func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	return addRoute(prefix, nexthop, intf, syscall.RT_TABLE_MAIN)
+}
+
+func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	return removeRoute(prefix, nexthop, intf, syscall.RT_TABLE_MAIN)
+}
+
+func addVPNRoute(prefix netip.Prefix, intf string) error {
+	if isLegacy {
+		return genericAddVPNRoute(prefix, intf)
+	}
+
+	// No need to check if routes exist as main table takes precedence over the VPN table via Rule 1
+
+	// TODO remove this once we have ipv6 support
+	if prefix == defaultv4 {
+		if err := addUnreachableRoute(defaultv6, NetbirdVPNTableID); err != nil {
+			return fmt.Errorf("add blackhole: %w", err)
+		}
+	}
+	if err := addRoute(prefix, netip.Addr{}, intf, NetbirdVPNTableID); err != nil {
+		return fmt.Errorf("add route: %w", err)
+	}
 	return nil
 }

-func removeFromRouteTable(prefix netip.Prefix, addr string) error {
-	_, ipNet, err := net.ParseCIDR(prefix.String())
-	if err != nil {
-		return err
+func removeVPNRoute(prefix netip.Prefix, intf string) error {
+	if isLegacy {
+		return genericRemoveVPNRoute(prefix, intf)
 	}

-	addrMask := "/32"
-	if prefix.Addr().Unmap().Is6() {
-		addrMask = "/128"
+	// TODO remove this once we have ipv6 support
+	if prefix == defaultv4 {
+		if err := removeUnreachableRoute(defaultv6, NetbirdVPNTableID); err != nil {
+			return fmt.Errorf("remove unreachable route: %w", err)
+		}
 	}
-
-	ip, _, err := net.ParseCIDR(addr + addrMask)
-	if err != nil {
-		return err
+	if err := removeRoute(prefix, netip.Addr{}, intf, NetbirdVPNTableID); err != nil {
+		return fmt.Errorf("remove route: %w", err)
 	}
-
-	route := &netlink.Route{
-		Scope: netlink.SCOPE_UNIVERSE,
-		Dst:   ipNet,
-		Gw:    ip,
-	}
-
-	err = netlink.RouteDel(route)
-	if err != nil {
-		return err
-	}
-
 	return nil
 }

 func getRoutesFromTable() ([]netip.Prefix, error) {
-	tab, err := syscall.NetlinkRIB(syscall.RTM_GETROUTE, syscall.AF_UNSPEC)
+	v4Routes, err := getRoutes(syscall.RT_TABLE_MAIN, netlink.FAMILY_V4)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("get v4 routes: %w", err)
 	}
-	msgs, err := syscall.ParseNetlinkMessage(tab)
+	v6Routes, err := getRoutes(syscall.RT_TABLE_MAIN, netlink.FAMILY_V6)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("get v6 routes: %w", err)
+
 	}
+	return append(v4Routes, v6Routes...), nil
+}
+
+// getRoutes fetches routes from a specific routing table identified by tableID.
+func getRoutes(tableID, family int) ([]netip.Prefix, error) {
 	var prefixList []netip.Prefix
-loop:
-	for _, m := range msgs {
-		switch m.Header.Type {
-		case syscall.NLMSG_DONE:
-			break loop
-		case syscall.RTM_NEWROUTE:
-			rt := (*routeInfoInMemory)(unsafe.Pointer(&m.Data[0]))
-			msg := m
-			attrs, err := syscall.ParseNetlinkRouteAttr(&msg)
-			if err != nil {
-				return nil, err
-			}
-			if rt.Family != syscall.AF_INET {
-				continue loop
+
+	routes, err := netlink.RouteListFiltered(family, &netlink.Route{Table: tableID}, netlink.RT_FILTER_TABLE)
+	if err != nil {
+		return nil, fmt.Errorf("list routes from table %d: %v", tableID, err)
+	}
+
+	for _, route := range routes {
+		if route.Dst != nil {
+			addr, ok := netip.AddrFromSlice(route.Dst.IP)
+			if !ok {
+				return nil, fmt.Errorf("parse route destination IP: %v", route.Dst.IP)
 			}

-			for _, attr := range attrs {
-				if attr.Attr.Type == syscall.RTA_DST {
-					addr, ok := netip.AddrFromSlice(attr.Value)
-					if !ok {
-						continue
-					}
-					mask := net.CIDRMask(int(rt.DstLen), len(attr.Value)*8)
-					cidr, _ := mask.Size()
-					routePrefix := netip.PrefixFrom(addr, cidr)
-					if routePrefix.IsValid() && routePrefix.Addr().Is4() {
-						prefixList = append(prefixList, routePrefix)
-					}
-				}
+			ones, _ := route.Dst.Mask.Size()
+
+			prefix := netip.PrefixFrom(addr, ones)
+			if prefix.IsValid() {
+				prefixList = append(prefixList, prefix)
 			}
 		}
 	}
+
 	return prefixList, nil
 }

+// addRoute adds a route to a specific routing table identified by tableID.
+func addRoute(prefix netip.Prefix, addr netip.Addr, intf string, tableID int) error {
+	route := &netlink.Route{
+		Scope:  netlink.SCOPE_UNIVERSE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+	}
+
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+	route.Dst = ipNet
+
+	if err := addNextHop(addr, intf, route); err != nil {
+		return fmt.Errorf("add gateway and device: %w", err)
+	}
+
+	if err := netlink.RouteAdd(route); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink add route: %w", err)
+	}
+
+	return nil
+}
+
+// addUnreachableRoute adds an unreachable route for the specified IP family and routing table.
+// ipFamily should be netlink.FAMILY_V4 for IPv4 or netlink.FAMILY_V6 for IPv6.
+// tableID specifies the routing table to which the unreachable route will be added.
+func addUnreachableRoute(prefix netip.Prefix, tableID int) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+
+	route := &netlink.Route{
+		Type:   syscall.RTN_UNREACHABLE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+		Dst:    ipNet,
+	}
+
+	if err := netlink.RouteAdd(route); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink add unreachable route: %w", err)
+	}
+
+	return nil
+}
+
+func removeUnreachableRoute(prefix netip.Prefix, tableID int) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+
+	route := &netlink.Route{
+		Type:   syscall.RTN_UNREACHABLE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+		Dst:    ipNet,
+	}
+
+	if err := netlink.RouteDel(route); err != nil && !errors.Is(err, syscall.ESRCH) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink remove unreachable route: %w", err)
+	}
+
+	return nil
+
+}
+
+// removeRoute removes a route from a specific routing table identified by tableID.
+func removeRoute(prefix netip.Prefix, addr netip.Addr, intf string, tableID int) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+
+	route := &netlink.Route{
+		Scope:  netlink.SCOPE_UNIVERSE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+		Dst:    ipNet,
+	}
+
+	if err := addNextHop(addr, intf, route); err != nil {
+		return fmt.Errorf("add gateway and device: %w", err)
+	}
+
+	if err := netlink.RouteDel(route); err != nil && !errors.Is(err, syscall.ESRCH) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink remove route: %w", err)
+	}
+
+	return nil
+}
+
+func flushRoutes(tableID, family int) error {
+	routes, err := netlink.RouteListFiltered(family, &netlink.Route{Table: tableID}, netlink.RT_FILTER_TABLE)
+	if err != nil {
+		return fmt.Errorf("list routes from table %d: %w", tableID, err)
+	}
+
+	var result *multierror.Error
+	for i := range routes {
+		route := routes[i]
+		// unreachable default routes don't come back with Dst set
+		if route.Gw == nil && route.Src == nil && route.Dst == nil {
+			if family == netlink.FAMILY_V4 {
+				routes[i].Dst = &net.IPNet{IP: net.IPv4zero, Mask: net.CIDRMask(0, 32)}
+			} else {
+				routes[i].Dst = &net.IPNet{IP: net.IPv6zero, Mask: net.CIDRMask(0, 128)}
+			}
+		}
+		if err := netlink.RouteDel(&routes[i]); err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+			result = multierror.Append(result, fmt.Errorf("failed to delete route %v from table %d: %w", routes[i], tableID, err))
+		}
+	}
+
+	return result.ErrorOrNil()
+}
+
 func enableIPForwarding() error {
 	bytes, err := os.ReadFile(ipv4ForwardingPath)
 	if err != nil {
-		return err
+		return fmt.Errorf("read file %s: %w", ipv4ForwardingPath, err)
 	}

 	// check if it is already enabled
@@ -147,5 +347,165 @@ func enableIPForwarding() error {
 		return nil
 	}

-	return os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644) //nolint:gosec
+	//nolint:gosec
+	if err := os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644); err != nil {
+		return fmt.Errorf("write file %s: %w", ipv4ForwardingPath, err)
+	}
+	return nil
+}
+
+// entryExists checks if the specified ID or name already exists in the rt_tables file
+// and verifies if existing names start with "netbird_".
+func entryExists(file *os.File, id int) (bool, error) {
+	if _, err := file.Seek(0, 0); err != nil {
+		return false, fmt.Errorf("seek rt_tables: %w", err)
+	}
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		var existingID int
+		var existingName string
+		if _, err := fmt.Sscanf(line, "%d %s\n", &existingID, &existingName); err == nil {
+			if existingID == id {
+				if existingName != NetbirdVPNTableName {
+					return true, ErrTableIDExists
+				}
+				return true, nil
+			}
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return false, fmt.Errorf("scan rt_tables: %w", err)
+	}
+	return false, nil
+}
+
+// addRoutingTableName adds human-readable names for custom routing tables.
+func addRoutingTableName() error {
+	file, err := os.Open(rtTablesPath)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil
+		}
+		return fmt.Errorf("open rt_tables: %w", err)
+	}
+	defer func() {
+		if err := file.Close(); err != nil {
+			log.Errorf("Error closing rt_tables: %v", err)
+		}
+	}()
+
+	exists, err := entryExists(file, NetbirdVPNTableID)
+	if err != nil {
+		return fmt.Errorf("verify entry %d, %s: %w", NetbirdVPNTableID, NetbirdVPNTableName, err)
+	}
+	if exists {
+		return nil
+	}
+
+	// Reopen the file in append mode to add new entries
+	if err := file.Close(); err != nil {
+		log.Errorf("Error closing rt_tables before appending: %v", err)
+	}
+	file, err = os.OpenFile(rtTablesPath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0644)
+	if err != nil {
+		return fmt.Errorf("open rt_tables for appending: %w", err)
+	}
+
+	if _, err := file.WriteString(fmt.Sprintf("\n%d\t%s\n", NetbirdVPNTableID, NetbirdVPNTableName)); err != nil {
+		return fmt.Errorf("append entry to rt_tables: %w", err)
+	}
+
+	return nil
+}
+
+// addRule adds a routing rule to a specific routing table identified by tableID.
+func addRule(params ruleParams) error {
+	rule := netlink.NewRule()
+	rule.Table = params.tableID
+	rule.Mark = params.fwmark
+	rule.Family = params.family
+	rule.Priority = params.priority
+	rule.Invert = params.invert
+	rule.SuppressPrefixlen = params.suppressPrefix
+
+	if err := netlink.RuleAdd(rule); err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("add routing rule: %w", err)
+	}
+
+	return nil
+}
+
+// removeRule removes a routing rule from a specific routing table identified by tableID.
+func removeRule(params ruleParams) error {
+	rule := netlink.NewRule()
+	rule.Table = params.tableID
+	rule.Mark = params.fwmark
+	rule.Family = params.family
+	rule.Invert = params.invert
+	rule.Priority = params.priority
+	rule.SuppressPrefixlen = params.suppressPrefix
+
+	if err := netlink.RuleDel(rule); err != nil {
+		return fmt.Errorf("remove routing rule: %w", err)
+	}
+
+	return nil
+}
+
+func removeAllRules(params ruleParams) error {
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	done := make(chan error, 1)
+	go func() {
+		for {
+			if ctx.Err() != nil {
+				done <- ctx.Err()
+				return
+			}
+			if err := removeRule(params); err != nil {
+				if errors.Is(err, syscall.ENOENT) || errors.Is(err, syscall.EAFNOSUPPORT) {
+					done <- nil
+					return
+				}
+				done <- err
+				return
+			}
+		}
+	}()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case err := <-done:
+		return err
+	}
+}
+
+// addNextHop adds the gateway and device to the route.
+func addNextHop(addr netip.Addr, intf string, route *netlink.Route) error {
+	if addr.IsValid() {
+		route.Gw = addr.AsSlice()
+		if intf == "" {
+			intf = addr.Zone()
+		}
+	}
+
+	if intf != "" {
+		link, err := netlink.LinkByName(intf)
+		if err != nil {
+			return fmt.Errorf("set interface %s: %w", intf, err)
+		}
+		route.LinkIndex = link.Attrs().Index
+	}
+
+	return nil
+}
+
+func getAddressFamily(prefix netip.Prefix) int {
+	if prefix.Addr().Is4() {
+		return netlink.FAMILY_V4
+	}
+	return netlink.FAMILY_V6
 }
--- a/client/internal/routemanager/systemops_linux_test.go
+++ b/client/internal/routemanager/systemops_linux_test.go
@@ -0,0 +1,207 @@
+//go:build !android
+
+package routemanager
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"strings"
+	"syscall"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"github.com/vishvananda/netlink"
+)
+
+var expectedVPNint = "wgtest0"
+var expectedLoopbackInt = "lo"
+var expectedExternalInt = "dummyext0"
+var expectedInternalInt = "dummyint0"
+
+func init() {
+	testCases = append(testCases, []testCase{
+		{
+			name:              "To more specific route without custom dialer via physical interface",
+			destination:       "10.10.0.2:53",
+			expectedInterface: expectedInternalInt,
+			dialer:            &net.Dialer{},
+			expectedPacket:    createPacketExpectation("192.168.1.1", 12345, "10.10.0.2", 53),
+		},
+		{
+			name:              "To more specific route (local) without custom dialer via physical interface",
+			destination:       "127.0.10.1:53",
+			expectedInterface: expectedLoopbackInt,
+			dialer:            &net.Dialer{},
+			expectedPacket:    createPacketExpectation("127.0.0.1", 12345, "127.0.10.1", 53),
+		},
+	}...)
+}
+
+func TestEntryExists(t *testing.T) {
+	tempDir := t.TempDir()
+	tempFilePath := fmt.Sprintf("%s/rt_tables", tempDir)
+
+	content := []string{
+		"1000 reserved",
+		fmt.Sprintf("%d %s", NetbirdVPNTableID, NetbirdVPNTableName),
+		"9999 other_table",
+	}
+	require.NoError(t, os.WriteFile(tempFilePath, []byte(strings.Join(content, "\n")), 0644))
+
+	file, err := os.Open(tempFilePath)
+	require.NoError(t, err)
+	defer func() {
+		assert.NoError(t, file.Close())
+	}()
+
+	tests := []struct {
+		name        string
+		id          int
+		shouldExist bool
+		err         error
+	}{
+		{
+			name:        "ExistsWithNetbirdPrefix",
+			id:          7120,
+			shouldExist: true,
+			err:         nil,
+		},
+		{
+			name:        "ExistsWithDifferentName",
+			id:          1000,
+			shouldExist: true,
+			err:         ErrTableIDExists,
+		},
+		{
+			name:        "DoesNotExist",
+			id:          1234,
+			shouldExist: false,
+			err:         nil,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			exists, err := entryExists(file, tc.id)
+			if tc.err != nil {
+				assert.ErrorIs(t, err, tc.err)
+			} else {
+				assert.NoError(t, err)
+			}
+			assert.Equal(t, tc.shouldExist, exists)
+		})
+	}
+}
+
+func createAndSetupDummyInterface(t *testing.T, interfaceName, ipAddressCIDR string) string {
+	t.Helper()
+
+	dummy := &netlink.Dummy{LinkAttrs: netlink.LinkAttrs{Name: interfaceName}}
+	err := netlink.LinkDel(dummy)
+	if err != nil && !errors.Is(err, syscall.EINVAL) {
+		t.Logf("Failed to delete dummy interface: %v", err)
+	}
+
+	err = netlink.LinkAdd(dummy)
+	require.NoError(t, err)
+
+	err = netlink.LinkSetUp(dummy)
+	require.NoError(t, err)
+
+	if ipAddressCIDR != "" {
+		addr, err := netlink.ParseAddr(ipAddressCIDR)
+		require.NoError(t, err)
+		err = netlink.AddrAdd(dummy, addr)
+		require.NoError(t, err)
+	}
+
+	t.Cleanup(func() {
+		err := netlink.LinkDel(dummy)
+		assert.NoError(t, err)
+	})
+
+	return dummy.Name
+}
+
+func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, intf string) {
+	t.Helper()
+
+	_, dstIPNet, err := net.ParseCIDR(dstCIDR)
+	require.NoError(t, err)
+
+	// Handle existing routes with metric 0
+	var originalNexthop net.IP
+	var originalLinkIndex int
+	if dstIPNet.String() == "0.0.0.0/0" {
+		var err error
+		originalNexthop, originalLinkIndex, err = fetchOriginalGateway(netlink.FAMILY_V4)
+		if err != nil && !errors.Is(err, ErrRouteNotFound) {
+			t.Logf("Failed to fetch original gateway: %v", err)
+		}
+
+		if originalNexthop != nil {
+			err = netlink.RouteDel(&netlink.Route{Dst: dstIPNet, Priority: 0})
+			switch {
+			case err != nil && !errors.Is(err, syscall.ESRCH):
+				t.Logf("Failed to delete route: %v", err)
+			case err == nil:
+				t.Cleanup(func() {
+					err := netlink.RouteAdd(&netlink.Route{Dst: dstIPNet, Gw: originalNexthop, LinkIndex: originalLinkIndex, Priority: 0})
+					if err != nil && !errors.Is(err, syscall.EEXIST) {
+						t.Fatalf("Failed to add route: %v", err)
+					}
+				})
+			default:
+				t.Logf("Failed to delete route: %v", err)
+			}
+		}
+	}
+
+	link, err := netlink.LinkByName(intf)
+	require.NoError(t, err)
+	linkIndex := link.Attrs().Index
+
+	route := &netlink.Route{
+		Dst:       dstIPNet,
+		Gw:        gw,
+		LinkIndex: linkIndex,
+	}
+	err = netlink.RouteDel(route)
+	if err != nil && !errors.Is(err, syscall.ESRCH) {
+		t.Logf("Failed to delete route: %v", err)
+	}
+
+	err = netlink.RouteAdd(route)
+	if err != nil && !errors.Is(err, syscall.EEXIST) {
+		t.Fatalf("Failed to add route: %v", err)
+	}
+	require.NoError(t, err)
+}
+
+func fetchOriginalGateway(family int) (net.IP, int, error) {
+	routes, err := netlink.RouteList(nil, family)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	for _, route := range routes {
+		if route.Dst == nil && route.Priority == 0 {
+			return route.Gw, route.LinkIndex, nil
+		}
+	}
+
+	return nil, 0, ErrRouteNotFound
+}
+
+func setupDummyInterfacesAndRoutes(t *testing.T) {
+	t.Helper()
+
+	defaultDummy := createAndSetupDummyInterface(t, "dummyext0", "192.168.0.1/24")
+	addDummyRoute(t, "0.0.0.0/0", net.IPv4(192, 168, 0, 1), defaultDummy)
+
+	otherDummy := createAndSetupDummyInterface(t, "dummyint0", "192.168.1.1/24")
+	addDummyRoute(t, "10.0.0.0/8", net.IPv4(192, 168, 1, 1), otherDummy)
+}
--- a/client/internal/routemanager/systemops_nonandroid.go
+++ b/client/internal/routemanager/systemops_nonandroid.go
@@ -1,120 +0,0 @@
-//go:build !android && !ios
-
-package routemanager
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-
-	"github.com/libp2p/go-netroute"
-	log "github.com/sirupsen/logrus"
-)
-
-var errRouteNotFound = fmt.Errorf("route not found")
-
-func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
-	ok, err := existsInRouteTable(prefix)
-	if err != nil {
-		return err
-	}
-	if ok {
-		log.Warnf("skipping adding a new route for network %s because it already exists", prefix)
-		return nil
-	}
-
-	ok, err = isSubRange(prefix)
-	if err != nil {
-		return err
-	}
-
-	if ok {
-		err := addRouteForCurrentDefaultGateway(prefix)
-		if err != nil {
-			log.Warnf("unable to add route for current default gateway route. Will proceed without it. error: %s", err)
-		}
-	}
-
-	return addToRouteTable(prefix, addr)
-}
-
-func addRouteForCurrentDefaultGateway(prefix netip.Prefix) error {
-	defaultGateway, err := getExistingRIBRouteGateway(netip.MustParsePrefix("0.0.0.0/0"))
-	if err != nil && err != errRouteNotFound {
-		return err
-	}
-
-	addr := netip.MustParseAddr(defaultGateway.String())
-
-	if !prefix.Contains(addr) {
-		log.Debugf("skipping adding a new route for gateway %s because it is not in the network %s", addr, prefix)
-		return nil
-	}
-
-	gatewayPrefix := netip.PrefixFrom(addr, 32)
-
-	ok, err := existsInRouteTable(gatewayPrefix)
-	if err != nil {
-		return fmt.Errorf("unable to check if there is an existing route for gateway %s. error: %s", gatewayPrefix, err)
-	}
-
-	if ok {
-		log.Debugf("skipping adding a new route for gateway %s because it already exists", gatewayPrefix)
-		return nil
-	}
-
-	gatewayHop, err := getExistingRIBRouteGateway(gatewayPrefix)
-	if err != nil && err != errRouteNotFound {
-		return fmt.Errorf("unable to get the next hop for the default gateway address. error: %s", err)
-	}
-	log.Debugf("adding a new route for gateway %s with next hop %s", gatewayPrefix, gatewayHop)
-	return addToRouteTable(gatewayPrefix, gatewayHop.String())
-}
-
-func existsInRouteTable(prefix netip.Prefix) (bool, error) {
-	routes, err := getRoutesFromTable()
-	if err != nil {
-		return false, err
-	}
-	for _, tableRoute := range routes {
-		if tableRoute == prefix {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func isSubRange(prefix netip.Prefix) (bool, error) {
-	routes, err := getRoutesFromTable()
-	if err != nil {
-		return false, err
-	}
-	for _, tableRoute := range routes {
-		if tableRoute.Bits() > minRangeBits && tableRoute.Contains(prefix.Addr()) && tableRoute.Bits() < prefix.Bits() {
-			return true, nil
-		}
-	}
-	return false, nil
-}
-
-func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
-	return removeFromRouteTable(prefix, addr)
-}
-
-func getExistingRIBRouteGateway(prefix netip.Prefix) (net.IP, error) {
-	r, err := netroute.New()
-	if err != nil {
-		return nil, err
-	}
-	_, gateway, preferredSrc, err := r.Route(prefix.Addr().AsSlice())
-	if err != nil {
-		log.Errorf("getting routes returned an error: %v", err)
-		return nil, errRouteNotFound
-	}
-
-	if gateway == nil {
-		return preferredSrc, nil
-	}
-
-	return gateway, nil
-}
--- a/client/internal/routemanager/systemops_nonlinux.go
+++ b/client/internal/routemanager/systemops_nonlinux.go
@@ -1,41 +1,23 @@
-//go:build !linux
-// +build !linux
+//go:build !linux && !ios

 package routemanager

 import (
 	"net/netip"
-	"os/exec"
 	"runtime"

 	log "github.com/sirupsen/logrus"
 )

-func addToRouteTable(prefix netip.Prefix, addr string) error {
-	cmd := exec.Command("route", "add", prefix.String(), addr)
-	out, err := cmd.Output()
-	if err != nil {
-		return err
-	}
-	log.Debugf(string(out))
-	return nil
-}
-
-func removeFromRouteTable(prefix netip.Prefix, addr string) error {
-	args := []string{"delete", prefix.String()}
-	if runtime.GOOS == "darwin" {
-		args = append(args, addr)
-	}
-	cmd := exec.Command("route", args...)
-	out, err := cmd.Output()
-	if err != nil {
-		return err
-	}
-	log.Debugf(string(out))
-	return nil
-}
-
 func enableIPForwarding() error {
-	log.Infof("enable IP forwarding is not implemented on %s", runtime.GOOS)
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
 	return nil
 }
+
+func addVPNRoute(prefix netip.Prefix, intf string) error {
+	return genericAddVPNRoute(prefix, intf)
+}
+
+func removeVPNRoute(prefix netip.Prefix, intf string) error {
+	return genericRemoveVPNRoute(prefix, intf)
+}
--- a/client/internal/routemanager/systemops_nonandroid_test.go
+++ b/client/internal/routemanager/systemops_nonandroid_test.go
@@ -1,24 +1,32 @@
-//go:build !android
+//go:build !android && !ios

 package routemanager

 import (
 	"bytes"
+	"context"
 	"fmt"
 	"net"
 	"net/netip"
 	"os"
+	"runtime"
 	"strings"
 	"testing"

 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/iface"
 )

+type dialer interface {
+	Dial(network, address string) (net.Conn, error)
+	DialContext(ctx context.Context, network, address string) (net.Conn, error)
+}
+
 func TestAddRemoveRoutes(t *testing.T) {
 	testCases := []struct {
 		name                   string
@@ -53,27 +61,30 @@ func TestAddRemoveRoutes(t *testing.T) {

 			err = wgInterface.Create()
 			require.NoError(t, err, "should create testing wireguard interface")
+			_, _, err = setupRouting(nil, nil)
+			require.NoError(t, err)
+			t.Cleanup(func() {
+				assert.NoError(t, cleanupRouting())
+			})

-			err = addToRouteTableIfNoExists(testCase.prefix, wgInterface.Address().IP.String())
-			require.NoError(t, err, "addToRouteTableIfNoExists should not return err")
+			err = genericAddVPNRoute(testCase.prefix, wgInterface.Name())
+			require.NoError(t, err, "genericAddVPNRoute should not return err")

-			prefixGateway, err := getExistingRIBRouteGateway(testCase.prefix)
-			require.NoError(t, err, "getExistingRIBRouteGateway should not return err")
 			if testCase.shouldRouteToWireguard {
-				require.Equal(t, wgInterface.Address().IP.String(), prefixGateway.String(), "route should point to wireguard interface IP")
+				assertWGOutInterface(t, testCase.prefix, wgInterface, false)
 			} else {
-				require.NotEqual(t, wgInterface.Address().IP.String(), prefixGateway.String(), "route should point to a different interface")
+				assertWGOutInterface(t, testCase.prefix, wgInterface, true)
 			}
 			exists, err := existsInRouteTable(testCase.prefix)
 			require.NoError(t, err, "existsInRouteTable should not return err")
 			if exists && testCase.shouldRouteToWireguard {
-				err = removeFromRouteTableIfNonSystem(testCase.prefix, wgInterface.Address().IP.String())
-				require.NoError(t, err, "removeFromRouteTableIfNonSystem should not return err")
+				err = genericRemoveVPNRoute(testCase.prefix, wgInterface.Name())
+				require.NoError(t, err, "genericRemoveVPNRoute should not return err")

-				prefixGateway, err = getExistingRIBRouteGateway(testCase.prefix)
-				require.NoError(t, err, "getExistingRIBRouteGateway should not return err")
+				prefixGateway, _, err := getNextHop(testCase.prefix.Addr())
+				require.NoError(t, err, "getNextHop should not return err")

-				internetGateway, err := getExistingRIBRouteGateway(netip.MustParsePrefix("0.0.0.0/0"))
+				internetGateway, _, err := getNextHop(netip.MustParseAddr("0.0.0.0"))
 				require.NoError(t, err)

 				if testCase.shouldBeRemoved {
@@ -86,12 +97,12 @@ func TestAddRemoveRoutes(t *testing.T) {
 	}
 }

-func TestGetExistingRIBRouteGateway(t *testing.T) {
-	gateway, err := getExistingRIBRouteGateway(netip.MustParsePrefix("0.0.0.0/0"))
+func TestGetNextHop(t *testing.T) {
+	gateway, _, err := getNextHop(netip.MustParseAddr("0.0.0.0"))
 	if err != nil {
 		t.Fatal("shouldn't return error when fetching the gateway: ", err)
 	}
-	if gateway == nil {
+	if !gateway.IsValid() {
 		t.Fatal("should return a gateway")
 	}
 	addresses, err := net.InterfaceAddrs()
@@ -113,11 +124,11 @@ func TestGetExistingRIBRouteGateway(t *testing.T) {
 		}
 	}

-	localIP, err := getExistingRIBRouteGateway(testingPrefix)
+	localIP, _, err := getNextHop(testingPrefix.Addr())
 	if err != nil {
 		t.Fatal("shouldn't return error: ", err)
 	}
-	if localIP == nil {
+	if !localIP.IsValid() {
 		t.Fatal("should return a gateway for local network")
 	}
 	if localIP.String() == gateway.String() {
@@ -128,8 +139,8 @@ func TestGetExistingRIBRouteGateway(t *testing.T) {
 	}
 }

-func TestAddExistAndRemoveRouteNonAndroid(t *testing.T) {
-	defaultGateway, err := getExistingRIBRouteGateway(netip.MustParsePrefix("0.0.0.0/0"))
+func TestAddExistAndRemoveRoute(t *testing.T) {
+	defaultGateway, _, err := getNextHop(netip.MustParseAddr("0.0.0.0"))
 	t.Log("defaultGateway: ", defaultGateway)
 	if err != nil {
 		t.Fatal("shouldn't return error when fetching the gateway: ", err)
@@ -189,16 +200,14 @@ func TestAddExistAndRemoveRouteNonAndroid(t *testing.T) {
 			err = wgInterface.Create()
 			require.NoError(t, err, "should create testing wireguard interface")

-			MockAddr := wgInterface.Address().IP.String()
-
 			// Prepare the environment
 			if testCase.preExistingPrefix.IsValid() {
-				err := addToRouteTableIfNoExists(testCase.preExistingPrefix, MockAddr)
+				err := genericAddVPNRoute(testCase.preExistingPrefix, wgInterface.Name())
 				require.NoError(t, err, "should not return err when adding pre-existing route")
 			}

 			// Add the route
-			err = addToRouteTableIfNoExists(testCase.prefix, MockAddr)
+			err = genericAddVPNRoute(testCase.prefix, wgInterface.Name())
 			require.NoError(t, err, "should not return err when adding route")

 			if testCase.shouldAddRoute {
@@ -208,7 +217,7 @@ func TestAddExistAndRemoveRouteNonAndroid(t *testing.T) {
 				require.True(t, ok, "route should exist")

 				// remove route again if added
-				err = removeFromRouteTableIfNonSystem(testCase.prefix, MockAddr)
+				err = genericRemoveVPNRoute(testCase.prefix, wgInterface.Name())
 				require.NoError(t, err, "should not return err")
 			}

@@ -217,6 +226,7 @@ func TestAddExistAndRemoveRouteNonAndroid(t *testing.T) {
 			ok, err := existsInRouteTable(testCase.prefix)
 			t.Log("Buffer string: ", buf.String())
 			require.NoError(t, err, "should not return err")
+
 			if !strings.Contains(buf.String(), "because it already exists") {
 				require.False(t, ok, "route should not exist")
 			}
@@ -224,31 +234,6 @@ func TestAddExistAndRemoveRouteNonAndroid(t *testing.T) {
 	}
 }

-func TestExistsInRouteTable(t *testing.T) {
-	addresses, err := net.InterfaceAddrs()
-	if err != nil {
-		t.Fatal("shouldn't return error when fetching interface addresses: ", err)
-	}
-
-	var addressPrefixes []netip.Prefix
-	for _, address := range addresses {
-		p := netip.MustParsePrefix(address.String())
-		if p.Addr().Is4() {
-			addressPrefixes = append(addressPrefixes, p.Masked())
-		}
-	}
-
-	for _, prefix := range addressPrefixes {
-		exists, err := existsInRouteTable(prefix)
-		if err != nil {
-			t.Fatal("shouldn't return error when checking if address exists in route table: ", err)
-		}
-		if !exists {
-			t.Fatalf("address %s should exist in route table", prefix)
-		}
-	}
-}
-
 func TestIsSubRange(t *testing.T) {
 	addresses, err := net.InterfaceAddrs()
 	if err != nil {
@@ -286,3 +271,132 @@ func TestIsSubRange(t *testing.T) {
 		}
 	}
 }
+
+func TestExistsInRouteTable(t *testing.T) {
+	addresses, err := net.InterfaceAddrs()
+	if err != nil {
+		t.Fatal("shouldn't return error when fetching interface addresses: ", err)
+	}
+
+	var addressPrefixes []netip.Prefix
+	for _, address := range addresses {
+		p := netip.MustParsePrefix(address.String())
+		if p.Addr().Is6() {
+			continue
+		}
+		// Windows sometimes has hidden interface link local addrs that don't turn up on any interface
+		if runtime.GOOS == "windows" && p.Addr().IsLinkLocalUnicast() {
+			continue
+		}
+		// Linux loopback 127/8 is in the local table, not in the main table and always takes precedence
+		if runtime.GOOS == "linux" && p.Addr().IsLoopback() {
+			continue
+		}
+
+		addressPrefixes = append(addressPrefixes, p.Masked())
+	}
+
+	for _, prefix := range addressPrefixes {
+		exists, err := existsInRouteTable(prefix)
+		if err != nil {
+			t.Fatal("shouldn't return error when checking if address exists in route table: ", err)
+		}
+		if !exists {
+			t.Fatalf("address %s should exist in route table", prefix)
+		}
+	}
+}
+
+func createWGInterface(t *testing.T, interfaceName, ipAddressCIDR string, listenPort int) *iface.WGIface {
+	t.Helper()
+
+	peerPrivateKey, err := wgtypes.GeneratePrivateKey()
+	require.NoError(t, err)
+
+	newNet, err := stdnet.NewNet()
+	require.NoError(t, err)
+
+	wgInterface, err := iface.NewWGIFace(interfaceName, ipAddressCIDR, listenPort, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
+	require.NoError(t, err, "should create testing WireGuard interface")
+
+	err = wgInterface.Create()
+	require.NoError(t, err, "should create testing WireGuard interface")
+
+	t.Cleanup(func() {
+		wgInterface.Close()
+	})
+
+	return wgInterface
+}
+
+func setupTestEnv(t *testing.T) {
+	t.Helper()
+
+	setupDummyInterfacesAndRoutes(t)
+
+	wgIface := createWGInterface(t, expectedVPNint, "100.64.0.1/24", 51820)
+	t.Cleanup(func() {
+		assert.NoError(t, wgIface.Close())
+	})
+
+	_, _, err := setupRouting(nil, wgIface)
+	require.NoError(t, err, "setupRouting should not return err")
+	t.Cleanup(func() {
+		assert.NoError(t, cleanupRouting())
+	})
+
+	// default route exists in main table and vpn table
+	err = addVPNRoute(netip.MustParsePrefix("0.0.0.0/0"), wgIface.Name())
+	require.NoError(t, err, "addVPNRoute should not return err")
+	t.Cleanup(func() {
+		err = removeVPNRoute(netip.MustParsePrefix("0.0.0.0/0"), wgIface.Name())
+		assert.NoError(t, err, "removeVPNRoute should not return err")
+	})
+
+	// 10.0.0.0/8 route exists in main table and vpn table
+	err = addVPNRoute(netip.MustParsePrefix("10.0.0.0/8"), wgIface.Name())
+	require.NoError(t, err, "addVPNRoute should not return err")
+	t.Cleanup(func() {
+		err = removeVPNRoute(netip.MustParsePrefix("10.0.0.0/8"), wgIface.Name())
+		assert.NoError(t, err, "removeVPNRoute should not return err")
+	})
+
+	// 10.10.0.0/24 more specific route exists in vpn table
+	err = addVPNRoute(netip.MustParsePrefix("10.10.0.0/24"), wgIface.Name())
+	require.NoError(t, err, "addVPNRoute should not return err")
+	t.Cleanup(func() {
+		err = removeVPNRoute(netip.MustParsePrefix("10.10.0.0/24"), wgIface.Name())
+		assert.NoError(t, err, "removeVPNRoute should not return err")
+	})
+
+	// 127.0.10.0/24 more specific route exists in vpn table
+	err = addVPNRoute(netip.MustParsePrefix("127.0.10.0/24"), wgIface.Name())
+	require.NoError(t, err, "addVPNRoute should not return err")
+	t.Cleanup(func() {
+		err = removeVPNRoute(netip.MustParsePrefix("127.0.10.0/24"), wgIface.Name())
+		assert.NoError(t, err, "removeVPNRoute should not return err")
+	})
+
+	// unique route in vpn table
+	err = addVPNRoute(netip.MustParsePrefix("172.16.0.0/12"), wgIface.Name())
+	require.NoError(t, err, "addVPNRoute should not return err")
+	t.Cleanup(func() {
+		err = removeVPNRoute(netip.MustParsePrefix("172.16.0.0/12"), wgIface.Name())
+		assert.NoError(t, err, "removeVPNRoute should not return err")
+	})
+}
+
+func assertWGOutInterface(t *testing.T, prefix netip.Prefix, wgIface *iface.WGIface, invert bool) {
+	t.Helper()
+	if runtime.GOOS == "linux" && prefix.Addr().IsLoopback() {
+		return
+	}
+
+	prefixGateway, _, err := getNextHop(prefix.Addr())
+	require.NoError(t, err, "getNextHop should not return err")
+	if invert {
+		assert.NotEqual(t, wgIface.Address().IP.String(), prefixGateway.String(), "route should not point to wireguard interface IP")
+	} else {
+		assert.Equal(t, wgIface.Address().IP.String(), prefixGateway.String(), "route should point to wireguard interface IP")
+	}
+}
--- a/client/internal/routemanager/systemops_unix_test.go
+++ b/client/internal/routemanager/systemops_unix_test.go
@@ -0,0 +1,234 @@
+//go:build (linux && !android) || (darwin && !ios) || freebsd || openbsd || netbsd || dragonfly
+
+package routemanager
+
+import (
+	"fmt"
+	"net"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/gopacket/gopacket"
+	"github.com/gopacket/gopacket/layers"
+	"github.com/gopacket/gopacket/pcap"
+	"github.com/miekg/dns"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+type PacketExpectation struct {
+	SrcIP   net.IP
+	DstIP   net.IP
+	SrcPort int
+	DstPort int
+	UDP     bool
+	TCP     bool
+}
+
+type testCase struct {
+	name              string
+	destination       string
+	expectedInterface string
+	dialer            dialer
+	expectedPacket    PacketExpectation
+}
+
+var testCases = []testCase{
+	{
+		name:              "To external host without custom dialer via vpn",
+		destination:       "192.0.2.1:53",
+		expectedInterface: expectedVPNint,
+		dialer:            &net.Dialer{},
+		expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "192.0.2.1", 53),
+	},
+	{
+		name:              "To external host with custom dialer via physical interface",
+		destination:       "192.0.2.1:53",
+		expectedInterface: expectedExternalInt,
+		dialer:            nbnet.NewDialer(),
+		expectedPacket:    createPacketExpectation("192.168.0.1", 12345, "192.0.2.1", 53),
+	},
+
+	{
+		name:              "To duplicate internal route with custom dialer via physical interface",
+		destination:       "10.0.0.2:53",
+		expectedInterface: expectedInternalInt,
+		dialer:            nbnet.NewDialer(),
+		expectedPacket:    createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53),
+	},
+	{
+		name:              "To duplicate internal route without custom dialer via physical interface", // local route takes precedence
+		destination:       "10.0.0.2:53",
+		expectedInterface: expectedInternalInt,
+		dialer:            &net.Dialer{},
+		expectedPacket:    createPacketExpectation("192.168.1.1", 12345, "10.0.0.2", 53),
+	},
+
+	{
+		name:              "To unique vpn route with custom dialer via physical interface",
+		destination:       "172.16.0.2:53",
+		expectedInterface: expectedExternalInt,
+		dialer:            nbnet.NewDialer(),
+		expectedPacket:    createPacketExpectation("192.168.0.1", 12345, "172.16.0.2", 53),
+	},
+	{
+		name:              "To unique vpn route without custom dialer via vpn",
+		destination:       "172.16.0.2:53",
+		expectedInterface: expectedVPNint,
+		dialer:            &net.Dialer{},
+		expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "172.16.0.2", 53),
+	},
+}
+
+func TestRouting(t *testing.T) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			setupTestEnv(t)
+
+			filter := createBPFFilter(tc.destination)
+			handle := startPacketCapture(t, tc.expectedInterface, filter)
+
+			sendTestPacket(t, tc.destination, tc.expectedPacket.SrcPort, tc.dialer)
+
+			packetSource := gopacket.NewPacketSource(handle, handle.LinkType())
+			packet, err := packetSource.NextPacket()
+			require.NoError(t, err)
+
+			verifyPacket(t, packet, tc.expectedPacket)
+		})
+	}
+}
+
+func createPacketExpectation(srcIP string, srcPort int, dstIP string, dstPort int) PacketExpectation {
+	return PacketExpectation{
+		SrcIP:   net.ParseIP(srcIP),
+		DstIP:   net.ParseIP(dstIP),
+		SrcPort: srcPort,
+		DstPort: dstPort,
+		UDP:     true,
+	}
+}
+
+func startPacketCapture(t *testing.T, intf, filter string) *pcap.Handle {
+	t.Helper()
+
+	inactive, err := pcap.NewInactiveHandle(intf)
+	require.NoError(t, err, "Failed to create inactive pcap handle")
+	defer inactive.CleanUp()
+
+	err = inactive.SetSnapLen(1600)
+	require.NoError(t, err, "Failed to set snap length on inactive handle")
+
+	err = inactive.SetTimeout(time.Second * 10)
+	require.NoError(t, err, "Failed to set timeout on inactive handle")
+
+	err = inactive.SetImmediateMode(true)
+	require.NoError(t, err, "Failed to set immediate mode on inactive handle")
+
+	handle, err := inactive.Activate()
+	require.NoError(t, err, "Failed to activate pcap handle")
+	t.Cleanup(handle.Close)
+
+	err = handle.SetBPFFilter(filter)
+	require.NoError(t, err, "Failed to set BPF filter")
+
+	return handle
+}
+
+func sendTestPacket(t *testing.T, destination string, sourcePort int, dialer dialer) {
+	t.Helper()
+
+	if dialer == nil {
+		dialer = &net.Dialer{}
+	}
+
+	if sourcePort != 0 {
+		localUDPAddr := &net.UDPAddr{
+			IP:   net.IPv4zero,
+			Port: sourcePort,
+		}
+		switch dialer := dialer.(type) {
+		case *nbnet.Dialer:
+			dialer.LocalAddr = localUDPAddr
+		case *net.Dialer:
+			dialer.LocalAddr = localUDPAddr
+		default:
+			t.Fatal("Unsupported dialer type")
+		}
+	}
+
+	msg := new(dns.Msg)
+	msg.Id = dns.Id()
+	msg.RecursionDesired = true
+	msg.Question = []dns.Question{
+		{Name: "example.com.", Qtype: dns.TypeA, Qclass: dns.ClassINET},
+	}
+
+	conn, err := dialer.Dial("udp", destination)
+	require.NoError(t, err, "Failed to dial UDP")
+	defer conn.Close()
+
+	data, err := msg.Pack()
+	require.NoError(t, err, "Failed to pack DNS message")
+
+	_, err = conn.Write(data)
+	if err != nil {
+		if strings.Contains(err.Error(), "required key not available") {
+			t.Logf("Ignoring WireGuard key error: %v", err)
+			return
+		}
+		t.Fatalf("Failed to send DNS query: %v", err)
+	}
+}
+
+func createBPFFilter(destination string) string {
+	host, port, err := net.SplitHostPort(destination)
+	if err != nil {
+		return fmt.Sprintf("udp and dst host %s and dst port %s", host, port)
+	}
+	return "udp"
+}
+
+func verifyPacket(t *testing.T, packet gopacket.Packet, exp PacketExpectation) {
+	t.Helper()
+
+	ipLayer := packet.Layer(layers.LayerTypeIPv4)
+	require.NotNil(t, ipLayer, "Expected IPv4 layer not found in packet")
+
+	ip, ok := ipLayer.(*layers.IPv4)
+	require.True(t, ok, "Failed to cast to IPv4 layer")
+
+	// Convert both source and destination IP addresses to 16-byte representation
+	expectedSrcIP := exp.SrcIP.To16()
+	actualSrcIP := ip.SrcIP.To16()
+	assert.Equal(t, expectedSrcIP, actualSrcIP, "Source IP mismatch")
+
+	expectedDstIP := exp.DstIP.To16()
+	actualDstIP := ip.DstIP.To16()
+	assert.Equal(t, expectedDstIP, actualDstIP, "Destination IP mismatch")
+
+	if exp.UDP {
+		udpLayer := packet.Layer(layers.LayerTypeUDP)
+		require.NotNil(t, udpLayer, "Expected UDP layer not found in packet")
+
+		udp, ok := udpLayer.(*layers.UDP)
+		require.True(t, ok, "Failed to cast to UDP layer")
+
+		assert.Equal(t, layers.UDPPort(exp.SrcPort), udp.SrcPort, "UDP source port mismatch")
+		assert.Equal(t, layers.UDPPort(exp.DstPort), udp.DstPort, "UDP destination port mismatch")
+	}
+
+	if exp.TCP {
+		tcpLayer := packet.Layer(layers.LayerTypeTCP)
+		require.NotNil(t, tcpLayer, "Expected TCP layer not found in packet")
+
+		tcp, ok := tcpLayer.(*layers.TCP)
+		require.True(t, ok, "Failed to cast to TCP layer")
+
+		assert.Equal(t, layers.TCPPort(exp.SrcPort), tcp.SrcPort, "TCP source port mismatch")
+		assert.Equal(t, layers.TCPPort(exp.DstPort), tcp.DstPort, "TCP destination port mismatch")
+	}
+}
--- a/client/internal/routemanager/systemops_windows.go
+++ b/client/internal/routemanager/systemops_windows.go
@@ -1,13 +1,19 @@
 //go:build windows
-// +build windows

 package routemanager

 import (
+	"fmt"
 	"net"
 	"net/netip"
+	"os/exec"
+	"strings"

+	log "github.com/sirupsen/logrus"
 	"github.com/yusufpapurcu/wmi"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
 )

 type Win32_IP4RouteTable struct {
@@ -15,23 +21,35 @@ type Win32_IP4RouteTable struct {
 	Mask        string
 }

+var routeManager *RouteManager
+
+func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+}
+
+func cleanupRouting() error {
+	return cleanupRoutingWithRouteManager(routeManager)
+}
+
 func getRoutesFromTable() ([]netip.Prefix, error) {
 	var routes []Win32_IP4RouteTable
 	query := "SELECT Destination, Mask FROM Win32_IP4RouteTable"

 	err := wmi.Query(query, &routes)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("get routes: %w", err)
 	}

 	var prefixList []netip.Prefix
 	for _, route := range routes {
 		addr, err := netip.ParseAddr(route.Destination)
 		if err != nil {
+			log.Warnf("Unable to parse route destination %s: %v", route.Destination, err)
 			continue
 		}
 		maskSlice := net.ParseIP(route.Mask).To4()
 		if maskSlice == nil {
+			log.Warnf("Unable to parse route mask %s", route.Mask)
 			continue
 		}
 		mask := net.IPv4Mask(maskSlice[0], maskSlice[1], maskSlice[2], maskSlice[3])
@@ -44,3 +62,86 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 	}
 	return prefixList, nil
 }
+
+func addRoutePowershell(prefix netip.Prefix, nexthop netip.Addr, intf, intfIdx string) error {
+	destinationPrefix := prefix.String()
+	psCmd := "New-NetRoute"
+
+	addressFamily := "IPv4"
+	if prefix.Addr().Is6() {
+		addressFamily = "IPv6"
+	}
+
+	script := fmt.Sprintf(
+		`%s -AddressFamily "%s" -DestinationPrefix "%s" -Confirm:$False -ErrorAction Stop`,
+		psCmd, addressFamily, destinationPrefix,
+	)
+
+	if intfIdx != "" {
+		script = fmt.Sprintf(
+			`%s -InterfaceIndex %s`, script, intfIdx,
+		)
+	} else {
+		script = fmt.Sprintf(
+			`%s -InterfaceAlias "%s"`, script, intf,
+		)
+	}
+
+	if nexthop.IsValid() {
+		script = fmt.Sprintf(
+			`%s -NextHop "%s"`, script, nexthop,
+		)
+	}
+
+	out, err := exec.Command("powershell", "-Command", script).CombinedOutput()
+	log.Tracef("PowerShell %s: %s", script, string(out))
+
+	if err != nil {
+		return fmt.Errorf("PowerShell add route: %w", err)
+	}
+
+	return nil
+}
+
+func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, _ string) error {
+	args := []string{"add", prefix.String(), nexthop.Unmap().String()}
+
+	out, err := exec.Command("route", args...).CombinedOutput()
+
+	log.Tracef("route %s: %s", strings.Join(args, " "), out)
+	if err != nil {
+		return fmt.Errorf("route add: %w", err)
+	}
+
+	return nil
+}
+
+func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf string) error {
+	var intfIdx string
+	if nexthop.Zone() != "" {
+		intfIdx = nexthop.Zone()
+		nexthop.WithZone("")
+	}
+
+	// Powershell doesn't support adding routes without an interface but allows to add interface by name
+	if intf != "" || intfIdx != "" {
+		return addRoutePowershell(prefix, nexthop, intf, intfIdx)
+	}
+	return addRouteCmd(prefix, nexthop, intf)
+}
+
+func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, _ string) error {
+	args := []string{"delete", prefix.String()}
+	if nexthop.IsValid() {
+		nexthop.WithZone("")
+		args = append(args, nexthop.Unmap().String())
+	}
+
+	out, err := exec.Command("route", args...).CombinedOutput()
+	log.Tracef("route %s: %s", strings.Join(args, " "), out)
+
+	if err != nil {
+		return fmt.Errorf("remove route: %w", err)
+	}
+	return nil
+}
--- a/client/internal/routemanager/systemops_windows_test.go
+++ b/client/internal/routemanager/systemops_windows_test.go
@@ -0,0 +1,289 @@
+package routemanager
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"os/exec"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+var expectedExtInt = "Ethernet1"
+
+type RouteInfo struct {
+	NextHop        string `json:"nexthop"`
+	InterfaceAlias string `json:"interfacealias"`
+	RouteMetric    int    `json:"routemetric"`
+}
+
+type FindNetRouteOutput struct {
+	IPAddress         string `json:"IPAddress"`
+	InterfaceIndex    int    `json:"InterfaceIndex"`
+	InterfaceAlias    string `json:"InterfaceAlias"`
+	AddressFamily     int    `json:"AddressFamily"`
+	NextHop           string `json:"NextHop"`
+	DestinationPrefix string `json:"DestinationPrefix"`
+}
+
+type testCase struct {
+	name               string
+	destination        string
+	expectedSourceIP   string
+	expectedDestPrefix string
+	expectedNextHop    string
+	expectedInterface  string
+	dialer             dialer
+}
+
+var expectedVPNint = "wgtest0"
+
+var testCases = []testCase{
+	{
+		name:               "To external host without custom dialer via vpn",
+		destination:        "192.0.2.1:53",
+		expectedSourceIP:   "100.64.0.1",
+		expectedDestPrefix: "128.0.0.0/1",
+		expectedNextHop:    "0.0.0.0",
+		expectedInterface:  "wgtest0",
+		dialer:             &net.Dialer{},
+	},
+	{
+		name:               "To external host with custom dialer via physical interface",
+		destination:        "192.0.2.1:53",
+		expectedDestPrefix: "192.0.2.1/32",
+		expectedInterface:  expectedExtInt,
+		dialer:             nbnet.NewDialer(),
+	},
+
+	{
+		name:               "To duplicate internal route with custom dialer via physical interface",
+		destination:        "10.0.0.2:53",
+		expectedDestPrefix: "10.0.0.2/32",
+		expectedInterface:  expectedExtInt,
+		dialer:             nbnet.NewDialer(),
+	},
+	{
+		name:               "To duplicate internal route without custom dialer via physical interface", // local route takes precedence
+		destination:        "10.0.0.2:53",
+		expectedSourceIP:   "10.0.0.1",
+		expectedDestPrefix: "10.0.0.0/8",
+		expectedNextHop:    "0.0.0.0",
+		expectedInterface:  "Loopback Pseudo-Interface 1",
+		dialer:             &net.Dialer{},
+	},
+
+	{
+		name:               "To unique vpn route with custom dialer via physical interface",
+		destination:        "172.16.0.2:53",
+		expectedDestPrefix: "172.16.0.2/32",
+		expectedInterface:  expectedExtInt,
+		dialer:             nbnet.NewDialer(),
+	},
+	{
+		name:               "To unique vpn route without custom dialer via vpn",
+		destination:        "172.16.0.2:53",
+		expectedSourceIP:   "100.64.0.1",
+		expectedDestPrefix: "172.16.0.0/12",
+		expectedNextHop:    "0.0.0.0",
+		expectedInterface:  "wgtest0",
+		dialer:             &net.Dialer{},
+	},
+
+	{
+		name:               "To more specific route without custom dialer via vpn interface",
+		destination:        "10.10.0.2:53",
+		expectedSourceIP:   "100.64.0.1",
+		expectedDestPrefix: "10.10.0.0/24",
+		expectedNextHop:    "0.0.0.0",
+		expectedInterface:  "wgtest0",
+		dialer:             &net.Dialer{},
+	},
+
+	{
+		name:               "To more specific route (local) without custom dialer via physical interface",
+		destination:        "127.0.10.2:53",
+		expectedSourceIP:   "10.0.0.1",
+		expectedDestPrefix: "127.0.0.0/8",
+		expectedNextHop:    "0.0.0.0",
+		expectedInterface:  "Loopback Pseudo-Interface 1",
+		dialer:             &net.Dialer{},
+	},
+}
+
+func TestRouting(t *testing.T) {
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			setupTestEnv(t)
+
+			route, err := fetchOriginalGateway()
+			require.NoError(t, err, "Failed to fetch original gateway")
+			ip, err := fetchInterfaceIP(route.InterfaceAlias)
+			require.NoError(t, err, "Failed to fetch interface IP")
+
+			output := testRoute(t, tc.destination, tc.dialer)
+			if tc.expectedInterface == expectedExtInt {
+				verifyOutput(t, output, ip, tc.expectedDestPrefix, route.NextHop, route.InterfaceAlias)
+			} else {
+				verifyOutput(t, output, tc.expectedSourceIP, tc.expectedDestPrefix, tc.expectedNextHop, tc.expectedInterface)
+			}
+		})
+	}
+}
+
+// fetchInterfaceIP fetches the IPv4 address of the specified interface.
+func fetchInterfaceIP(interfaceAlias string) (string, error) {
+	script := fmt.Sprintf(`Get-NetIPAddress -InterfaceAlias "%s" | Where-Object AddressFamily -eq 2 | Select-Object -ExpandProperty IPAddress`, interfaceAlias)
+	out, err := exec.Command("powershell", "-Command", script).Output()
+	if err != nil {
+		return "", fmt.Errorf("failed to execute Get-NetIPAddress: %w", err)
+	}
+
+	ip := strings.TrimSpace(string(out))
+	return ip, nil
+}
+
+func testRoute(t *testing.T, destination string, dialer dialer) *FindNetRouteOutput {
+	t.Helper()
+
+	ctx, cancel := context.WithTimeout(context.Background(), 1*time.Second)
+	defer cancel()
+
+	conn, err := dialer.DialContext(ctx, "udp", destination)
+	require.NoError(t, err, "Failed to dial destination")
+	defer func() {
+		err := conn.Close()
+		assert.NoError(t, err, "Failed to close connection")
+	}()
+
+	host, _, err := net.SplitHostPort(destination)
+	require.NoError(t, err)
+
+	script := fmt.Sprintf(`Find-NetRoute -RemoteIPAddress "%s" | Select-Object -Property IPAddress, InterfaceIndex, InterfaceAlias, AddressFamily, NextHop, DestinationPrefix | ConvertTo-Json`, host)
+
+	out, err := exec.Command("powershell", "-Command", script).Output()
+	require.NoError(t, err, "Failed to execute Find-NetRoute")
+
+	var outputs []FindNetRouteOutput
+	err = json.Unmarshal(out, &outputs)
+	require.NoError(t, err, "Failed to parse JSON outputs from Find-NetRoute")
+
+	require.Greater(t, len(outputs), 0, "No route found for destination")
+	combinedOutput := combineOutputs(outputs)
+
+	return combinedOutput
+}
+
+func createAndSetupDummyInterface(t *testing.T, interfaceName, ipAddressCIDR string) string {
+	t.Helper()
+
+	ip, ipNet, err := net.ParseCIDR(ipAddressCIDR)
+	require.NoError(t, err)
+	subnetMaskSize, _ := ipNet.Mask.Size()
+	script := fmt.Sprintf(`New-NetIPAddress -InterfaceAlias "%s" -IPAddress "%s" -PrefixLength %d -PolicyStore ActiveStore -Confirm:$False`, interfaceName, ip.String(), subnetMaskSize)
+	_, err = exec.Command("powershell", "-Command", script).CombinedOutput()
+	require.NoError(t, err, "Failed to assign IP address to loopback adapter")
+
+	// Wait for the IP address to be applied
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+	err = waitForIPAddress(ctx, interfaceName, ip.String())
+	require.NoError(t, err, "IP address not applied within timeout")
+
+	t.Cleanup(func() {
+		script = fmt.Sprintf(`Remove-NetIPAddress -InterfaceAlias "%s" -IPAddress "%s" -Confirm:$False`, interfaceName, ip.String())
+		_, err = exec.Command("powershell", "-Command", script).CombinedOutput()
+		require.NoError(t, err, "Failed to remove IP address from loopback adapter")
+	})
+
+	return interfaceName
+}
+
+func fetchOriginalGateway() (*RouteInfo, error) {
+	cmd := exec.Command("powershell", "-Command", "Get-NetRoute -DestinationPrefix 0.0.0.0/0 | Select-Object NextHop, RouteMetric, InterfaceAlias | ConvertTo-Json")
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute Get-NetRoute: %w", err)
+	}
+
+	var routeInfo RouteInfo
+	err = json.Unmarshal(output, &routeInfo)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse JSON output: %w", err)
+	}
+
+	return &routeInfo, nil
+}
+
+func verifyOutput(t *testing.T, output *FindNetRouteOutput, sourceIP, destPrefix, nextHop, intf string) {
+	t.Helper()
+
+	assert.Equal(t, sourceIP, output.IPAddress, "Source IP mismatch")
+	assert.Equal(t, destPrefix, output.DestinationPrefix, "Destination prefix mismatch")
+	assert.Equal(t, nextHop, output.NextHop, "Next hop mismatch")
+	assert.Equal(t, intf, output.InterfaceAlias, "Interface mismatch")
+}
+
+func waitForIPAddress(ctx context.Context, interfaceAlias, expectedIPAddress string) error {
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+			out, err := exec.Command("powershell", "-Command", fmt.Sprintf(`Get-NetIPAddress -InterfaceAlias "%s" | Select-Object -ExpandProperty IPAddress`, interfaceAlias)).CombinedOutput()
+			if err != nil {
+				return err
+			}
+
+			ipAddresses := strings.Split(strings.TrimSpace(string(out)), "\n")
+			for _, ip := range ipAddresses {
+				if strings.TrimSpace(ip) == expectedIPAddress {
+					return nil
+				}
+			}
+		}
+	}
+}
+
+func combineOutputs(outputs []FindNetRouteOutput) *FindNetRouteOutput {
+	var combined FindNetRouteOutput
+
+	for _, output := range outputs {
+		if output.IPAddress != "" {
+			combined.IPAddress = output.IPAddress
+		}
+		if output.InterfaceIndex != 0 {
+			combined.InterfaceIndex = output.InterfaceIndex
+		}
+		if output.InterfaceAlias != "" {
+			combined.InterfaceAlias = output.InterfaceAlias
+		}
+		if output.AddressFamily != 0 {
+			combined.AddressFamily = output.AddressFamily
+		}
+		if output.NextHop != "" {
+			combined.NextHop = output.NextHop
+		}
+		if output.DestinationPrefix != "" {
+			combined.DestinationPrefix = output.DestinationPrefix
+		}
+	}
+
+	return &combined
+}
+
+func setupDummyInterfacesAndRoutes(t *testing.T) {
+	t.Helper()
+
+	createAndSetupDummyInterface(t, "Loopback Pseudo-Interface 1", "10.0.0.1/8")
+}
--- a/client/internal/stdnet/dialer.go
+++ b/client/internal/stdnet/dialer.go
@@ -0,0 +1,24 @@
+package stdnet
+
+import (
+	"net"
+
+	"github.com/pion/transport/v3"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+// Dial connects to the address on the named network.
+func (n *Net) Dial(network, address string) (net.Conn, error) {
+	return nbnet.NewDialer().Dial(network, address)
+}
+
+// DialUDP connects to the address on the named UDP network.
+func (n *Net) DialUDP(network string, laddr, raddr *net.UDPAddr) (transport.UDPConn, error) {
+	return nbnet.DialUDP(network, laddr, raddr)
+}
+
+// DialTCP connects to the address on the named TCP network.
+func (n *Net) DialTCP(network string, laddr, raddr *net.TCPAddr) (transport.TCPConn, error) {
+	return nbnet.DialTCP(network, laddr, raddr)
+}
--- a/client/internal/stdnet/listener.go
+++ b/client/internal/stdnet/listener.go
@@ -0,0 +1,20 @@
+package stdnet
+
+import (
+	"context"
+	"net"
+
+	"github.com/pion/transport/v3"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+// ListenPacket listens for incoming packets on the given network and address.
+func (n *Net) ListenPacket(network, address string) (net.PacketConn, error) {
+	return nbnet.NewListener().ListenPacket(context.Background(), network, address)
+}
+
+// ListenUDP acts like ListenPacket for UDP networks.
+func (n *Net) ListenUDP(network string, locAddr *net.UDPAddr) (transport.UDPConn, error) {
+	return nbnet.ListenUDP(network, locAddr)
+}
--- a/client/internal/wgproxy/proxy_ebpf.go
+++ b/client/internal/wgproxy/proxy_ebpf.go
@@ -12,10 +12,12 @@ import (

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
+	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // WGEBPFProxy definition for proxy with EBPF support
@@ -28,7 +30,7 @@ type WGEBPFProxy struct {
 	turnConnMutex sync.Mutex

 	rawConn net.PacketConn
-	conn    *net.UDPConn
+	conn    transport.UDPConn
 }

 // NewWGEBPFProxy create new WGEBPFProxy instance
@@ -66,7 +68,7 @@ func (p *WGEBPFProxy) Listen() error {
 		IP:   net.ParseIP("127.0.0.1"),
 	}

-	p.conn, err = net.ListenUDP("udp", &addr)
+	conn, err := nbnet.ListenUDP("udp", &addr)
 	if err != nil {
 		cErr := p.Free()
 		if cErr != nil {
@@ -74,6 +76,7 @@ func (p *WGEBPFProxy) Listen() error {
 		}
 		return err
 	}
+	p.conn = conn

 	go p.proxyToRemote()
 	log.Infof("local wg proxy listening on: %d", wgPorxyPort)
@@ -208,20 +211,41 @@ generatePort:
 }

 func (p *WGEBPFProxy) prepareSenderRawSocket() (net.PacketConn, error) {
+	// Create a raw socket.
 	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
 	if err != nil {
-		return nil, err
-	}
-	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
-	if err != nil {
-		return nil, err
-	}
-	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
-	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("creating raw socket failed: %w", err)
 	}

-	return net.FilePacketConn(os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd)))
+	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
+	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
+	if err != nil {
+		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
+	}
+
+	// Bind the socket to the "lo" interface.
+	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
+	if err != nil {
+		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
+	}
+
+	// Set the fwmark on the socket.
+	err = syscall.SetsockoptInt(fd, syscall.SOL_SOCKET, syscall.SO_MARK, nbnet.NetbirdFwmark)
+	if err != nil {
+		return nil, fmt.Errorf("setting fwmark failed: %w", err)
+	}
+
+	// Convert the file descriptor to a PacketConn.
+	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
+	if file == nil {
+		return nil, fmt.Errorf("converting fd to file failed")
+	}
+	packetConn, err := net.FilePacketConn(file)
+	if err != nil {
+		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
+	}
+
+	return packetConn, nil
 }

 func (p *WGEBPFProxy) sendPkg(data []byte, port uint16) error {
--- a/client/internal/wgproxy/proxy_userspace.go
+++ b/client/internal/wgproxy/proxy_userspace.go
@@ -6,6 +6,8 @@ import (
 	"net"

 	log "github.com/sirupsen/logrus"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // WGUserSpaceProxy proxies
@@ -33,7 +35,7 @@ func (p *WGUserSpaceProxy) AddTurnConn(remoteConn net.Conn) (net.Addr, error) {
 	p.remoteConn = remoteConn

 	var err error
-	p.localConn, err = net.Dial("udp", fmt.Sprintf(":%d", p.localWGListenPort))
+	p.localConn, err = nbnet.NewDialer().Dial("udp", fmt.Sprintf(":%d", p.localWGListenPort))
 	if err != nil {
 		log.Errorf("failed dialing to local Wireguard port %s", err)
 		return nil, err
@@ -74,7 +76,8 @@ func (p *WGUserSpaceProxy) proxyToRemote() {
 				continue
 			}

-			_, err = p.remoteConn.Write(buf[:n])
+			log.Debugf("read from local conn %d bytes and forward to relay", n)
+			n, err = p.remoteConn.Write(buf[:n])
 			if err != nil {
 				continue
 			}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -1,16 +1,17 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // 	protoc-gen-go v1.26.0
-// 	protoc        v3.12.4
+// 	protoc        v4.24.3
 // source: daemon.proto

 package proto

 import (
-	_ "github.com/golang/protobuf/protoc-gen-go/descriptor"
-	timestamp "github.com/golang/protobuf/ptypes/timestamp"
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	_ "google.golang.org/protobuf/types/descriptorpb"
+	durationpb "google.golang.org/protobuf/types/known/durationpb"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -43,17 +44,18 @@ type LoginRequest struct {
 	// cleanNATExternalIPs clean map list of external IPs.
 	// This is needed because the generated code
 	// omits initialized empty slices due to omitempty tags
-	CleanNATExternalIPs  bool    `protobuf:"varint,6,opt,name=cleanNATExternalIPs,proto3" json:"cleanNATExternalIPs,omitempty"`
-	CustomDNSAddress     []byte  `protobuf:"bytes,7,opt,name=customDNSAddress,proto3" json:"customDNSAddress,omitempty"`
-	IsLinuxDesktopClient bool    `protobuf:"varint,8,opt,name=isLinuxDesktopClient,proto3" json:"isLinuxDesktopClient,omitempty"`
-	Hostname             string  `protobuf:"bytes,9,opt,name=hostname,proto3" json:"hostname,omitempty"`
-	RosenpassEnabled     *bool   `protobuf:"varint,10,opt,name=rosenpassEnabled,proto3,oneof" json:"rosenpassEnabled,omitempty"`
-	InterfaceName        *string `protobuf:"bytes,11,opt,name=interfaceName,proto3,oneof" json:"interfaceName,omitempty"`
-	WireguardPort        *int64  `protobuf:"varint,12,opt,name=wireguardPort,proto3,oneof" json:"wireguardPort,omitempty"`
-	OptionalPreSharedKey *string `protobuf:"bytes,13,opt,name=optionalPreSharedKey,proto3,oneof" json:"optionalPreSharedKey,omitempty"`
-	DisableAutoConnect   *bool   `protobuf:"varint,14,opt,name=disableAutoConnect,proto3,oneof" json:"disableAutoConnect,omitempty"`
-	ServerSSHAllowed     *bool   `protobuf:"varint,15,opt,name=serverSSHAllowed,proto3,oneof" json:"serverSSHAllowed,omitempty"`
-	RosenpassPermissive  *bool   `protobuf:"varint,16,opt,name=rosenpassPermissive,proto3,oneof" json:"rosenpassPermissive,omitempty"`
+	CleanNATExternalIPs  bool     `protobuf:"varint,6,opt,name=cleanNATExternalIPs,proto3" json:"cleanNATExternalIPs,omitempty"`
+	CustomDNSAddress     []byte   `protobuf:"bytes,7,opt,name=customDNSAddress,proto3" json:"customDNSAddress,omitempty"`
+	IsLinuxDesktopClient bool     `protobuf:"varint,8,opt,name=isLinuxDesktopClient,proto3" json:"isLinuxDesktopClient,omitempty"`
+	Hostname             string   `protobuf:"bytes,9,opt,name=hostname,proto3" json:"hostname,omitempty"`
+	RosenpassEnabled     *bool    `protobuf:"varint,10,opt,name=rosenpassEnabled,proto3,oneof" json:"rosenpassEnabled,omitempty"`
+	InterfaceName        *string  `protobuf:"bytes,11,opt,name=interfaceName,proto3,oneof" json:"interfaceName,omitempty"`
+	WireguardPort        *int64   `protobuf:"varint,12,opt,name=wireguardPort,proto3,oneof" json:"wireguardPort,omitempty"`
+	OptionalPreSharedKey *string  `protobuf:"bytes,13,opt,name=optionalPreSharedKey,proto3,oneof" json:"optionalPreSharedKey,omitempty"`
+	DisableAutoConnect   *bool    `protobuf:"varint,14,opt,name=disableAutoConnect,proto3,oneof" json:"disableAutoConnect,omitempty"`
+	ServerSSHAllowed     *bool    `protobuf:"varint,15,opt,name=serverSSHAllowed,proto3,oneof" json:"serverSSHAllowed,omitempty"`
+	RosenpassPermissive  *bool    `protobuf:"varint,16,opt,name=rosenpassPermissive,proto3,oneof" json:"rosenpassPermissive,omitempty"`
+	ExtraIFaceBlacklist  []string `protobuf:"bytes,17,rep,name=extraIFaceBlacklist,proto3" json:"extraIFaceBlacklist,omitempty"`
 }

 func (x *LoginRequest) Reset() {
@@ -201,6 +203,13 @@ func (x *LoginRequest) GetRosenpassPermissive() bool {
 	return false
 }

+func (x *LoginRequest) GetExtraIFaceBlacklist() []string {
+	if x != nil {
+		return x.ExtraIFaceBlacklist
+	}
+	return nil
+}
+
 type LoginResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -757,22 +766,23 @@ type PeerState struct {
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	IP                         string               `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
-	PubKey                     string               `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
-	ConnStatus                 string               `protobuf:"bytes,3,opt,name=connStatus,proto3" json:"connStatus,omitempty"`
-	ConnStatusUpdate           *timestamp.Timestamp `protobuf:"bytes,4,opt,name=connStatusUpdate,proto3" json:"connStatusUpdate,omitempty"`
-	Relayed                    bool                 `protobuf:"varint,5,opt,name=relayed,proto3" json:"relayed,omitempty"`
-	Direct                     bool                 `protobuf:"varint,6,opt,name=direct,proto3" json:"direct,omitempty"`
-	LocalIceCandidateType      string               `protobuf:"bytes,7,opt,name=localIceCandidateType,proto3" json:"localIceCandidateType,omitempty"`
-	RemoteIceCandidateType     string               `protobuf:"bytes,8,opt,name=remoteIceCandidateType,proto3" json:"remoteIceCandidateType,omitempty"`
-	Fqdn                       string               `protobuf:"bytes,9,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
-	LocalIceCandidateEndpoint  string               `protobuf:"bytes,10,opt,name=localIceCandidateEndpoint,proto3" json:"localIceCandidateEndpoint,omitempty"`
-	RemoteIceCandidateEndpoint string               `protobuf:"bytes,11,opt,name=remoteIceCandidateEndpoint,proto3" json:"remoteIceCandidateEndpoint,omitempty"`
-	LastWireguardHandshake     *timestamp.Timestamp `protobuf:"bytes,12,opt,name=lastWireguardHandshake,proto3" json:"lastWireguardHandshake,omitempty"`
-	BytesRx                    int64                `protobuf:"varint,13,opt,name=bytesRx,proto3" json:"bytesRx,omitempty"`
-	BytesTx                    int64                `protobuf:"varint,14,opt,name=bytesTx,proto3" json:"bytesTx,omitempty"`
-	RosenpassEnabled           bool                 `protobuf:"varint,15,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
-	Routes                     []string             `protobuf:"bytes,16,rep,name=routes,proto3" json:"routes,omitempty"`
+	IP                         string                 `protobuf:"bytes,1,opt,name=IP,proto3" json:"IP,omitempty"`
+	PubKey                     string                 `protobuf:"bytes,2,opt,name=pubKey,proto3" json:"pubKey,omitempty"`
+	ConnStatus                 string                 `protobuf:"bytes,3,opt,name=connStatus,proto3" json:"connStatus,omitempty"`
+	ConnStatusUpdate           *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=connStatusUpdate,proto3" json:"connStatusUpdate,omitempty"`
+	Relayed                    bool                   `protobuf:"varint,5,opt,name=relayed,proto3" json:"relayed,omitempty"`
+	Direct                     bool                   `protobuf:"varint,6,opt,name=direct,proto3" json:"direct,omitempty"`
+	LocalIceCandidateType      string                 `protobuf:"bytes,7,opt,name=localIceCandidateType,proto3" json:"localIceCandidateType,omitempty"`
+	RemoteIceCandidateType     string                 `protobuf:"bytes,8,opt,name=remoteIceCandidateType,proto3" json:"remoteIceCandidateType,omitempty"`
+	Fqdn                       string                 `protobuf:"bytes,9,opt,name=fqdn,proto3" json:"fqdn,omitempty"`
+	LocalIceCandidateEndpoint  string                 `protobuf:"bytes,10,opt,name=localIceCandidateEndpoint,proto3" json:"localIceCandidateEndpoint,omitempty"`
+	RemoteIceCandidateEndpoint string                 `protobuf:"bytes,11,opt,name=remoteIceCandidateEndpoint,proto3" json:"remoteIceCandidateEndpoint,omitempty"`
+	LastWireguardHandshake     *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=lastWireguardHandshake,proto3" json:"lastWireguardHandshake,omitempty"`
+	BytesRx                    int64                  `protobuf:"varint,13,opt,name=bytesRx,proto3" json:"bytesRx,omitempty"`
+	BytesTx                    int64                  `protobuf:"varint,14,opt,name=bytesTx,proto3" json:"bytesTx,omitempty"`
+	RosenpassEnabled           bool                   `protobuf:"varint,15,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
+	Routes                     []string               `protobuf:"bytes,16,rep,name=routes,proto3" json:"routes,omitempty"`
+	Latency                    *durationpb.Duration   `protobuf:"bytes,17,opt,name=latency,proto3" json:"latency,omitempty"`
 }

 func (x *PeerState) Reset() {
@@ -828,7 +838,7 @@ func (x *PeerState) GetConnStatus() string {
 	return ""
 }

-func (x *PeerState) GetConnStatusUpdate() *timestamp.Timestamp {
+func (x *PeerState) GetConnStatusUpdate() *timestamppb.Timestamp {
 	if x != nil {
 		return x.ConnStatusUpdate
 	}
@@ -884,7 +894,7 @@ func (x *PeerState) GetRemoteIceCandidateEndpoint() string {
 	return ""
 }

-func (x *PeerState) GetLastWireguardHandshake() *timestamp.Timestamp {
+func (x *PeerState) GetLastWireguardHandshake() *timestamppb.Timestamp {
 	if x != nil {
 		return x.LastWireguardHandshake
 	}
@@ -919,6 +929,13 @@ func (x *PeerState) GetRoutes() []string {
 	return nil
 }

+func (x *PeerState) GetLatency() *durationpb.Duration {
+	if x != nil {
+		return x.Latency
+	}
+	return nil
+}
+
 // LocalPeerState contains the latest state of the local peer
 type LocalPeerState struct {
 	state         protoimpl.MessageState
@@ -1374,7 +1391,9 @@ var file_daemon_proto_rawDesc = []byte{
 	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
 	0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65,
 	0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74,
-	0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xdd, 0x06, 0x0a, 0x0c, 0x4c, 0x6f,
+	0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, 0x72, 0x61, 0x74,
+	0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8f, 0x07, 0x0a, 0x0c, 0x4c, 0x6f,
 	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65,
 	0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65,
 	0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x26, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61,
@@ -1419,189 +1438,195 @@ var file_daemon_proto_rawDesc = []byte{
 	0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
 	0x69, 0x76, 0x65, 0x18, 0x10, 0x20, 0x01, 0x28, 0x08, 0x48, 0x06, 0x52, 0x13, 0x72, 0x6f, 0x73,
 	0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65,
-	0x88, 0x01, 0x01, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73,
-	0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x69, 0x6e, 0x74,
-	0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x77,
-	0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x42, 0x17, 0x0a, 0x15,
-	0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x50, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72,
-	0x65, 0x64, 0x4b, 0x65, 0x79, 0x42, 0x15, 0x0a, 0x13, 0x5f, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c,
-	0x65, 0x41, 0x75, 0x74, 0x6f, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x42, 0x13, 0x0a, 0x11,
-	0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x53, 0x48, 0x41, 0x6c, 0x6c, 0x6f, 0x77, 0x65,
-	0x64, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50,
-	0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65, 0x22, 0xb5, 0x01, 0x0a, 0x0d, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x6e,
-	0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69,
-	0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x28, 0x0a,
-	0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x12, 0x38, 0x0a, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66,
-	0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65,
-	0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69,
-	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70, 0x6c, 0x65, 0x74,
-	0x65, 0x22, 0x4d, 0x0a, 0x13, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69,
-	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72,
-	0x43, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72,
-	0x43, 0x6f, 0x64, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65,
-	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65,
-	0x22, 0x16, 0x0a, 0x14, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0b, 0x0a, 0x09, 0x55, 0x70, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x3d, 0x0a, 0x0d, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x67, 0x65, 0x74, 0x46, 0x75, 0x6c, 0x6c, 0x50,
-	0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x11, 0x67, 0x65, 0x74, 0x46, 0x75, 0x6c, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74,
-	0x75, 0x73, 0x22, 0x82, 0x01, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x32, 0x0a,
-	0x0a, 0x66, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x46, 0x75, 0x6c, 0x6c, 0x53,
-	0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x0a, 0x66, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75,
-	0x73, 0x12, 0x24, 0x0a, 0x0d, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x56, 0x65, 0x72, 0x73, 0x69,
-	0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
-	0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x0d, 0x0a, 0x0b, 0x44, 0x6f, 0x77, 0x6e, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xb3, 0x01, 0x0a, 0x11, 0x47,
-	0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72,
-	0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
-	0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67,
-	0x46, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x66,
-	0x69, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c,
-	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69, 0x6c, 0x65,
-	0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79,
-	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65,
-	0x64, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c,
-	0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55, 0x52, 0x4c,
-	0x22, 0x99, 0x05, 0x0a, 0x09, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e,
-	0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16,
-	0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06,
-	0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74,
-	0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f, 0x6e, 0x6e,
-	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x46, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74,
-	0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x10, 0x63, 0x6f,
-	0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x12, 0x18,
-	0x0a, 0x07, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x07, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69, 0x72, 0x65,
-	0x63, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x64, 0x69, 0x72, 0x65, 0x63, 0x74,
-	0x12, 0x34, 0x0a, 0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64,
-	0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61,
-	0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x36, 0x0a, 0x16, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65,
+	0x88, 0x01, 0x01, 0x12, 0x30, 0x0a, 0x13, 0x65, 0x78, 0x74, 0x72, 0x61, 0x49, 0x46, 0x61, 0x63,
+	0x65, 0x42, 0x6c, 0x61, 0x63, 0x6b, 0x6c, 0x69, 0x73, 0x74, 0x18, 0x11, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x13, 0x65, 0x78, 0x74, 0x72, 0x61, 0x49, 0x46, 0x61, 0x63, 0x65, 0x42, 0x6c, 0x61, 0x63,
+	0x6b, 0x6c, 0x69, 0x73, 0x74, 0x42, 0x13, 0x0a, 0x11, 0x5f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70,
+	0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x69,
+	0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x42, 0x10, 0x0a, 0x0e,
+	0x5f, 0x77, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x42, 0x17,
+	0x0a, 0x15, 0x5f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x61, 0x6c, 0x50, 0x72, 0x65, 0x53, 0x68,
+	0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x42, 0x15, 0x0a, 0x13, 0x5f, 0x64, 0x69, 0x73, 0x61,
+	0x62, 0x6c, 0x65, 0x41, 0x75, 0x74, 0x6f, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x42, 0x13,
+	0x0a, 0x11, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x53, 0x53, 0x48, 0x41, 0x6c, 0x6c, 0x6f,
+	0x77, 0x65, 0x64, 0x42, 0x16, 0x0a, 0x14, 0x5f, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73,
+	0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65, 0x22, 0xb5, 0x01, 0x0a, 0x0d,
+	0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x24, 0x0a,
+	0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x6e, 0x65, 0x65, 0x64, 0x73, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73, 0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x12,
+	0x28, 0x0a, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55,
+	0x52, 0x49, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x76, 0x65, 0x72, 0x69, 0x66, 0x69,
+	0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x12, 0x38, 0x0a, 0x17, 0x76, 0x65, 0x72,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70,
+	0x6c, 0x65, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x17, 0x76, 0x65, 0x72, 0x69,
+	0x66, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x52, 0x49, 0x43, 0x6f, 0x6d, 0x70, 0x6c,
+	0x65, 0x74, 0x65, 0x22, 0x4d, 0x0a, 0x13, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x75, 0x73,
+	0x65, 0x72, 0x43, 0x6f, 0x64, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,
+	0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61,
+	0x6d, 0x65, 0x22, 0x16, 0x0a, 0x14, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67,
+	0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0b, 0x0a, 0x09, 0x55, 0x70,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a, 0x55, 0x70, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x3d, 0x0a, 0x0d, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x2c, 0x0a, 0x11, 0x67, 0x65, 0x74, 0x46, 0x75, 0x6c,
+	0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x08, 0x52, 0x11, 0x67, 0x65, 0x74, 0x46, 0x75, 0x6c, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x22, 0x82, 0x01, 0x0a, 0x0e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75,
+	0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12,
+	0x32, 0x0a, 0x0a, 0x66, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x46, 0x75, 0x6c,
+	0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x0a, 0x66, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61,
+	0x74, 0x75, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x56, 0x65, 0x72,
+	0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x64, 0x61, 0x65, 0x6d,
+	0x6f, 0x6e, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x0d, 0x0a, 0x0b, 0x44, 0x6f, 0x77,
+	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x44, 0x6f, 0x77, 0x6e,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xb3, 0x01, 0x0a,
+	0x11, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x55, 0x72, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f,
+	0x6e, 0x66, 0x69, 0x67, 0x46, 0x69, 0x6c, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x6c, 0x6f, 0x67, 0x46,
+	0x69, 0x6c, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x46, 0x69,
+	0x6c, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61, 0x72, 0x65, 0x64, 0x4b,
+	0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x53, 0x68, 0x61,
+	0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x1a, 0x0a, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55,
+	0x52, 0x4c, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x61, 0x64, 0x6d, 0x69, 0x6e, 0x55,
+	0x52, 0x4c, 0x22, 0xce, 0x05, 0x0a, 0x09, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65,
+	0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50,
+	0x12, 0x16, 0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x63, 0x6f, 0x6e, 0x6e,
+	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x63, 0x6f,
+	0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x46, 0x0a, 0x10, 0x63, 0x6f, 0x6e, 0x6e,
+	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x18, 0x04, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x10,
+	0x63, 0x6f, 0x6e, 0x6e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
+	0x12, 0x18, 0x0a, 0x07, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x08, 0x52, 0x07, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x65, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x64, 0x69,
+	0x72, 0x65, 0x63, 0x74, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x64, 0x69, 0x72, 0x65,
+	0x63, 0x74, 0x12, 0x34, 0x0a, 0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65, 0x43, 0x61,
+	0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x18, 0x07, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x15, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69,
+	0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x36, 0x0a, 0x16, 0x72, 0x65, 0x6d, 0x6f,
+	0x74, 0x65, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79,
+	0x70, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65,
 	0x49, 0x63, 0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65,
-	0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x16, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63,
-	0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x12,
-	0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71,
-	0x64, 0x6e, 0x12, 0x3c, 0x0a, 0x19, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65, 0x43, 0x61,
-	0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18,
-	0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x19, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65, 0x43,
+	0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04,
+	0x66, 0x71, 0x64, 0x6e, 0x12, 0x3c, 0x0a, 0x19, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63, 0x65,
+	0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e,
+	0x74, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x19, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x49, 0x63,
+	0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69,
+	0x6e, 0x74, 0x12, 0x3e, 0x0a, 0x1a, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63, 0x65, 0x43,
 	0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
-	0x12, 0x3e, 0x0a, 0x1a, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63, 0x65, 0x43, 0x61, 0x6e,
-	0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x0b,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x1a, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63, 0x65, 0x43,
-	0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74,
-	0x12, 0x52, 0x0a, 0x16, 0x6c, 0x61, 0x73, 0x74, 0x57, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72,
-	0x64, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x16, 0x6c, 0x61,
-	0x73, 0x74, 0x57, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x48, 0x61, 0x6e, 0x64, 0x73,
-	0x68, 0x61, 0x6b, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x52, 0x78, 0x18,
-	0x0d, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x52, 0x78, 0x12, 0x18,
-	0x0a, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x03, 0x52,
-	0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x12, 0x2a, 0x0a, 0x10, 0x72, 0x6f, 0x73, 0x65,
-	0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x0f, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x10,
-	0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0xec, 0x01, 0x0a,
-	0x0e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12,
-	0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12,
-	0x16, 0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x28, 0x0a, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65,
-	0x6c, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08,
-	0x52, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63,
-	0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x04, 0x66, 0x71, 0x64, 0x6e, 0x12, 0x2a, 0x0a, 0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61,
-	0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52,
-	0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65,
-	0x64, 0x12, 0x30, 0x0a, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x65,
-	0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13,
-	0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73,
-	0x69, 0x76, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x07, 0x20,
-	0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x53, 0x0a, 0x0b, 0x53,
-	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52,
+	0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x1a, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x63,
+	0x65, 0x43, 0x61, 0x6e, 0x64, 0x69, 0x64, 0x61, 0x74, 0x65, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69,
+	0x6e, 0x74, 0x12, 0x52, 0x0a, 0x16, 0x6c, 0x61, 0x73, 0x74, 0x57, 0x69, 0x72, 0x65, 0x67, 0x75,
+	0x61, 0x72, 0x64, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x18, 0x0c, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x16,
+	0x6c, 0x61, 0x73, 0x74, 0x57, 0x69, 0x72, 0x65, 0x67, 0x75, 0x61, 0x72, 0x64, 0x48, 0x61, 0x6e,
+	0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x52,
+	0x78, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x03, 0x52, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x52, 0x78,
+	0x12, 0x18, 0x0a, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x18, 0x0e, 0x20, 0x01, 0x28,
+	0x03, 0x52, 0x07, 0x62, 0x79, 0x74, 0x65, 0x73, 0x54, 0x78, 0x12, 0x2a, 0x0a, 0x10, 0x72, 0x6f,
+	0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x0f,
+	0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45,
+	0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x18, 0x10, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x33,
+	0x0a, 0x07, 0x6c, 0x61, 0x74, 0x65, 0x6e, 0x63, 0x79, 0x18, 0x11, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75,
+	0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x6c, 0x61, 0x74, 0x65,
+	0x6e, 0x63, 0x79, 0x22, 0xec, 0x01, 0x0a, 0x0e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65,
+	0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x49, 0x50, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x02, 0x49, 0x50, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x28,
+	0x0a, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63,
+	0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0f, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x49,
+	0x6e, 0x74, 0x65, 0x72, 0x66, 0x61, 0x63, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x66, 0x71, 0x64, 0x6e,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x66, 0x71, 0x64, 0x6e, 0x12, 0x2a, 0x0a, 0x10,
+	0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64,
+	0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x10, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73,
+	0x73, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x30, 0x0a, 0x13, 0x72, 0x6f, 0x73, 0x65,
+	0x6e, 0x70, 0x61, 0x73, 0x73, 0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65, 0x18,
+	0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x13, 0x72, 0x6f, 0x73, 0x65, 0x6e, 0x70, 0x61, 0x73, 0x73,
+	0x50, 0x65, 0x72, 0x6d, 0x69, 0x73, 0x73, 0x69, 0x76, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74,
+	0x65, 0x73, 0x22, 0x53, 0x0a, 0x0b, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03,
+	0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65,
+	0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x57, 0x0a, 0x0f, 0x4d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52,
 	0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09,
 	0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52,
 	0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72,
 	0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
-	0x22, 0x57, 0x0a, 0x0f, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74,
-	0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x4c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x03, 0x55, 0x52, 0x4c, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74,
-	0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63,
-	0x74, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x52, 0x0a, 0x0a, 0x52, 0x65, 0x6c,
-	0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x55, 0x52, 0x49, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x49, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x76, 0x61,
-	0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x61, 0x76,
-	0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72,
-	0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0x72, 0x0a,
-	0x0c, 0x4e, 0x53, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x18, 0x0a,
-	0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07,
-	0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69,
-	0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e,
-	0x73, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65,
-	0x72, 0x72, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f,
-	0x72, 0x22, 0xd2, 0x02, 0x0a, 0x0a, 0x46, 0x75, 0x6c, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73,
-	0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74,
-	0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x64, 0x61, 0x65, 0x6d,
-	0x6f, 0x6e, 0x2e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61,
-	0x74, 0x65, 0x52, 0x0f, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74,
-	0x61, 0x74, 0x65, 0x12, 0x35, 0x0a, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61,
-	0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
-	0x6e, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0b, 0x73,
-	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x3e, 0x0a, 0x0e, 0x6c, 0x6f,
-	0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x63, 0x61,
-	0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0e, 0x6c, 0x6f, 0x63, 0x61,
-	0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x27, 0x0a, 0x05, 0x70, 0x65,
-	0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d,
-	0x6f, 0x6e, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x70, 0x65,
-	0x65, 0x72, 0x73, 0x12, 0x2a, 0x0a, 0x06, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x73, 0x18, 0x05, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x6c,
-	0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x06, 0x72, 0x65, 0x6c, 0x61, 0x79, 0x73, 0x12,
-	0x35, 0x0a, 0x0b, 0x64, 0x6e, 0x73, 0x5f, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x06,
-	0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x53,
-	0x47, 0x72, 0x6f, 0x75, 0x70, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0a, 0x64, 0x6e, 0x73, 0x53,
-	0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x32, 0xf7, 0x02, 0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f,
-	0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69,
-	0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
-	0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
-	0x12, 0x4b, 0x0a, 0x0c, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e,
-	0x12, 0x1b, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53,
-	0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e,
-	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f,
-	0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2d, 0x0a,
-	0x02, 0x55, 0x70, 0x12, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e,
-	0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x06,
-	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x15, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e,
-	0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e,
-	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73,
-	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x04, 0x44, 0x6f, 0x77, 0x6e, 0x12,
-	0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f,
-	0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x09,
-	0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x18, 0x2e, 0x64, 0x61, 0x65, 0x6d,
-	0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00,
-	0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
+	0x22, 0x52, 0x0a, 0x0a, 0x52, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x10,
+	0x0a, 0x03, 0x55, 0x52, 0x49, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x55, 0x52, 0x49,
+	0x12, 0x1c, 0x0a, 0x09, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x09, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x14,
+	0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x65,
+	0x72, 0x72, 0x6f, 0x72, 0x22, 0x72, 0x0a, 0x0c, 0x4e, 0x53, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x53,
+	0x74, 0x61, 0x74, 0x65, 0x12, 0x18, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x18,
+	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x12, 0x18,
+	0x0a, 0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x07, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c,
+	0x65, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x05, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x22, 0xd2, 0x02, 0x0a, 0x0a, 0x46, 0x75, 0x6c,
+	0x6c, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x41, 0x0a, 0x0f, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b,
+	0x32, 0x17, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x0f, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x35, 0x0a, 0x0b, 0x73, 0x69,
+	0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53,
+	0x74, 0x61, 0x74, 0x65, 0x52, 0x0b, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x12, 0x3e, 0x0a, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74,
+	0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d,
+	0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x52, 0x0e, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x12, 0x27, 0x0a, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b,
+	0x32, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74,
+	0x61, 0x74, 0x65, 0x52, 0x05, 0x70, 0x65, 0x65, 0x72, 0x73, 0x12, 0x2a, 0x0a, 0x06, 0x72, 0x65,
+	0x6c, 0x61, 0x79, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x12, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x06,
+	0x72, 0x65, 0x6c, 0x61, 0x79, 0x73, 0x12, 0x35, 0x0a, 0x0b, 0x64, 0x6e, 0x73, 0x5f, 0x73, 0x65,
+	0x72, 0x76, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x64, 0x61,
+	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x53, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x53, 0x74, 0x61, 0x74,
+	0x65, 0x52, 0x0a, 0x64, 0x6e, 0x73, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x73, 0x32, 0xf7, 0x02,
+	0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12,
+	0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f,
+	0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15,
+	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x4b, 0x0a, 0x0c, 0x57, 0x61, 0x69, 0x74, 0x53,
+	0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1b, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
+	0x2e, 0x57, 0x61, 0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x1c, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x57, 0x61,
+	0x69, 0x74, 0x53, 0x53, 0x4f, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
+	0x73, 0x65, 0x22, 0x00, 0x12, 0x2d, 0x0a, 0x02, 0x55, 0x70, 0x12, 0x11, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x39, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x15, 0x2e,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33,
+	0x0a, 0x04, 0x44, 0x6f, 0x77, 0x6e, 0x12, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e,
+	0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x64, 0x61,
+	0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x42, 0x0a, 0x09, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x12, 0x18, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x19, 0x2e, 0x64, 0x61, 0x65,
+	0x6d, 0x6f, 0x6e, 0x2e, 0x47, 0x65, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -1618,54 +1643,56 @@ func file_daemon_proto_rawDescGZIP() []byte {

 var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
 var file_daemon_proto_goTypes = []interface{}{
-	(*LoginRequest)(nil),         // 0: daemon.LoginRequest
-	(*LoginResponse)(nil),        // 1: daemon.LoginResponse
-	(*WaitSSOLoginRequest)(nil),  // 2: daemon.WaitSSOLoginRequest
-	(*WaitSSOLoginResponse)(nil), // 3: daemon.WaitSSOLoginResponse
-	(*UpRequest)(nil),            // 4: daemon.UpRequest
-	(*UpResponse)(nil),           // 5: daemon.UpResponse
-	(*StatusRequest)(nil),        // 6: daemon.StatusRequest
-	(*StatusResponse)(nil),       // 7: daemon.StatusResponse
-	(*DownRequest)(nil),          // 8: daemon.DownRequest
-	(*DownResponse)(nil),         // 9: daemon.DownResponse
-	(*GetConfigRequest)(nil),     // 10: daemon.GetConfigRequest
-	(*GetConfigResponse)(nil),    // 11: daemon.GetConfigResponse
-	(*PeerState)(nil),            // 12: daemon.PeerState
-	(*LocalPeerState)(nil),       // 13: daemon.LocalPeerState
-	(*SignalState)(nil),          // 14: daemon.SignalState
-	(*ManagementState)(nil),      // 15: daemon.ManagementState
-	(*RelayState)(nil),           // 16: daemon.RelayState
-	(*NSGroupState)(nil),         // 17: daemon.NSGroupState
-	(*FullStatus)(nil),           // 18: daemon.FullStatus
-	(*timestamp.Timestamp)(nil),  // 19: google.protobuf.Timestamp
+	(*LoginRequest)(nil),          // 0: daemon.LoginRequest
+	(*LoginResponse)(nil),         // 1: daemon.LoginResponse
+	(*WaitSSOLoginRequest)(nil),   // 2: daemon.WaitSSOLoginRequest
+	(*WaitSSOLoginResponse)(nil),  // 3: daemon.WaitSSOLoginResponse
+	(*UpRequest)(nil),             // 4: daemon.UpRequest
+	(*UpResponse)(nil),            // 5: daemon.UpResponse
+	(*StatusRequest)(nil),         // 6: daemon.StatusRequest
+	(*StatusResponse)(nil),        // 7: daemon.StatusResponse
+	(*DownRequest)(nil),           // 8: daemon.DownRequest
+	(*DownResponse)(nil),          // 9: daemon.DownResponse
+	(*GetConfigRequest)(nil),      // 10: daemon.GetConfigRequest
+	(*GetConfigResponse)(nil),     // 11: daemon.GetConfigResponse
+	(*PeerState)(nil),             // 12: daemon.PeerState
+	(*LocalPeerState)(nil),        // 13: daemon.LocalPeerState
+	(*SignalState)(nil),           // 14: daemon.SignalState
+	(*ManagementState)(nil),       // 15: daemon.ManagementState
+	(*RelayState)(nil),            // 16: daemon.RelayState
+	(*NSGroupState)(nil),          // 17: daemon.NSGroupState
+	(*FullStatus)(nil),            // 18: daemon.FullStatus
+	(*timestamppb.Timestamp)(nil), // 19: google.protobuf.Timestamp
+	(*durationpb.Duration)(nil),   // 20: google.protobuf.Duration
 }
 var file_daemon_proto_depIdxs = []int32{
 	18, // 0: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
 	19, // 1: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
 	19, // 2: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	15, // 3: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
-	14, // 4: daemon.FullStatus.signalState:type_name -> daemon.SignalState
-	13, // 5: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
-	12, // 6: daemon.FullStatus.peers:type_name -> daemon.PeerState
-	16, // 7: daemon.FullStatus.relays:type_name -> daemon.RelayState
-	17, // 8: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
-	0,  // 9: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	2,  // 10: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	4,  // 11: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	6,  // 12: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	8,  // 13: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	10, // 14: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	1,  // 15: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	3,  // 16: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	5,  // 17: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	7,  // 18: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	9,  // 19: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	11, // 20: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	15, // [15:21] is the sub-list for method output_type
-	9,  // [9:15] is the sub-list for method input_type
-	9,  // [9:9] is the sub-list for extension type_name
-	9,  // [9:9] is the sub-list for extension extendee
-	0,  // [0:9] is the sub-list for field type_name
+	20, // 3: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	15, // 4: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	14, // 5: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	13, // 6: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	12, // 7: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	16, // 8: daemon.FullStatus.relays:type_name -> daemon.RelayState
+	17, // 9: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
+	0,  // 10: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	2,  // 11: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	4,  // 12: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	6,  // 13: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	8,  // 14: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	10, // 15: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	1,  // 16: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	3,  // 17: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	5,  // 18: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	7,  // 19: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	9,  // 20: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	11, // 21: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	16, // [16:22] is the sub-list for method output_type
+	10, // [10:16] is the sub-list for method input_type
+	10, // [10:10] is the sub-list for extension type_name
+	10, // [10:10] is the sub-list for extension extendee
+	0,  // [0:10] is the sub-list for field type_name
 }

 func init() { file_daemon_proto_init() }
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -2,6 +2,7 @@ syntax = "proto3";

 import "google/protobuf/descriptor.proto";
 import "google/protobuf/timestamp.proto";
+import "google/protobuf/duration.proto";

 option go_package = "/proto";

@@ -69,6 +70,8 @@ message LoginRequest {
  optional bool serverSSHAllowed = 15;

  optional bool rosenpassPermissive = 16;
+
+  repeated string extraIFaceBlacklist = 17;
 }

 message LoginResponse {
@@ -142,6 +145,7 @@ message PeerState {
  int64 bytesTx = 14;
  bool rosenpassEnabled = 15;
  repeated string routes = 16;
+  google.protobuf.Duration latency = 17;
 }

 // LocalPeerState contains the latest state of the local peer
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -13,6 +13,8 @@ import (
 	"github.com/cenkalti/backoff/v4"
 	"golang.org/x/exp/maps"

+	"google.golang.org/protobuf/types/known/durationpb"
+
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/system"

@@ -150,7 +152,8 @@ func (s *Server) Start() error {
 // mechanism to keep the client connected even when the connection is lost.
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
 func (s *Server) connectWithRetryRuns(ctx context.Context, config *internal.Config, statusRecorder *peer.Status,
-	mgmProbe *internal.Probe, signalProbe *internal.Probe, relayProbe *internal.Probe, wgProbe *internal.Probe) {
+	mgmProbe *internal.Probe, signalProbe *internal.Probe, relayProbe *internal.Probe, wgProbe *internal.Probe,
+) {
 	backOff := getConnectWithBackoff(ctx)
 	retryStarted := false

@@ -349,6 +352,11 @@ func (s *Server) Login(callerCtx context.Context, msg *proto.LoginRequest) (*pro
 		s.latestConfigInput.WireguardPort = &port
 	}

+	if len(msg.ExtraIFaceBlacklist) > 0 {
+		inputConfig.ExtraIFaceBlackList = msg.ExtraIFaceBlacklist
+		s.latestConfigInput.ExtraIFaceBlackList = msg.ExtraIFaceBlacklist
+	}
+
 	s.mutex.Unlock()

 	if msg.OptionalPreSharedKey != nil {
@@ -710,7 +718,8 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 			BytesRx:                    peerState.BytesRx,
 			BytesTx:                    peerState.BytesTx,
 			RosenpassEnabled:           peerState.RosenpassEnabled,
-			Routes:                     maps.Keys(peerState.Routes),
+			Routes:                     maps.Keys(peerState.GetRoutes()),
+			Latency:                    durationpb.New(peerState.Latency),
 		}
 		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
 	}
--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -2,6 +2,7 @@ package server

 import (
 	"context"
+	"github.com/netbirdio/management-integrations/integrations"
 	"net"
 	"testing"
 	"time"
@@ -114,7 +115,8 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	if err != nil {
 		return nil, "", err
 	}
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "", eventStore, nil, false)
+	ia, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/system/detect_cloud/detect.go
+++ b/client/system/detect_cloud/detect.go
@@ -25,8 +25,6 @@ func Detect(ctx context.Context) string {
 		detectDigitalOcean,
 		detectGCP,
 		detectOracle,
-		detectIBMCloud,
-		detectSoftlayer,
 		detectVultr,
 	}

--- a/client/system/detect_cloud/gcp.go
+++ b/client/system/detect_cloud/gcp.go
@@ -6,7 +6,7 @@ import (
 )

 func detectGCP(ctx context.Context) string {
-	req, err := http.NewRequestWithContext(ctx, "GET", "http://metadata.google.internal", nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", "http://169.254.169.254", nil)
 	if err != nil {
 		return ""
 	}
--- a/client/system/detect_cloud/ibmcloud.go
+++ b/client/system/detect_cloud/ibmcloud.go
@@ -1,54 +0,0 @@
-package detect_cloud
-
-import (
-	"context"
-	"net/http"
-)
-
-func detectIBMCloud(ctx context.Context) string {
-	v1ResultChan := make(chan bool, 1)
-	v2ResultChan := make(chan bool, 1)
-
-	go func() {
-		v1ResultChan <- detectIBMSecure(ctx)
-	}()
-
-	go func() {
-		v2ResultChan <- detectIBM(ctx)
-	}()
-
-	v1Result, v2Result := <-v1ResultChan, <-v2ResultChan
-
-	if v1Result || v2Result {
-		return "IBM Cloud"
-	}
-	return ""
-}
-
-func detectIBMSecure(ctx context.Context) bool {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "https://api.metadata.cloud.ibm.com/instance_identity/v1/token", nil)
-	if err != nil {
-		return false
-	}
-
-	resp, err := hc.Do(req)
-	if err != nil {
-		return false
-	}
-	defer resp.Body.Close()
-	return resp.StatusCode == http.StatusOK
-}
-
-func detectIBM(ctx context.Context) bool {
-	req, err := http.NewRequestWithContext(ctx, "PUT", "http://api.metadata.cloud.ibm.com/instance_identity/v1/token", nil)
-	if err != nil {
-		return false
-	}
-
-	resp, err := hc.Do(req)
-	if err != nil {
-		return false
-	}
-	defer resp.Body.Close()
-	return resp.StatusCode == http.StatusOK
-}
--- a/client/system/detect_cloud/softlayer.go
+++ b/client/system/detect_cloud/softlayer.go
@@ -1,25 +0,0 @@
-package detect_cloud
-
-import (
-	"context"
-	"net/http"
-)
-
-func detectSoftlayer(ctx context.Context) string {
-	req, err := http.NewRequestWithContext(ctx, "GET", "https://api.service.softlayer.com/rest/v3/SoftLayer_Resource_Metadata/UserMetadata.txt", nil)
-	if err != nil {
-		return ""
-	}
-
-	resp, err := hc.Do(req)
-	if err != nil {
-		return ""
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode == http.StatusOK {
-		// Since SoftLayer was acquired by IBM, we should return "IBM Cloud"
-		return "IBM Cloud"
-	}
-	return ""
-}
--- a/client/system/info_linux.go
+++ b/client/system/info_linux.go
@@ -120,5 +120,5 @@ func _getReleaseInfo() string {
 func sysInfo() (serialNumber string, productName string, manufacturer string) {
 	var si sysinfo.SysInfo
 	si.GetSysInfo()
-	return si.Product.Version, si.Product.Name, si.Product.Vendor
+	return si.Chassis.Serial, si.Product.Name, si.Product.Vendor
 }
--- a/go.mod
+++ b/go.mod
@@ -10,7 +10,7 @@ require (
 	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.3
-	github.com/google/uuid v1.3.1
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
 	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7
 	github.com/onsi/ginkgo v1.16.5
@@ -21,8 +21,8 @@ require (
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.1-0.20211118161826-650dca95af54
-	golang.org/x/crypto v0.17.0
-	golang.org/x/sys v0.15.0
+	golang.org/x/crypto v0.18.0
+	golang.org/x/sys v0.16.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
@@ -46,20 +46,21 @@ require (
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/gopacket v1.1.19
+	github.com/google/martian/v3 v3.0.0
 	github.com/google/nftables v0.0.0-20220808154552-2eca00135732
+	github.com/gopacket/gopacket v1.1.1
 	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f21357
-	github.com/hashicorp/go-multierror v1.1.0
+	github.com/hashicorp/go-multierror v1.1.1
 	github.com/hashicorp/go-secure-stdlib/base62 v0.1.2
 	github.com/hashicorp/go-version v1.6.0
-	github.com/libp2p/go-netroute v0.2.0
+	github.com/libp2p/go-netroute v0.2.1
 	github.com/magiconair/properties v1.8.5
 	github.com/mattn/go-sqlite3 v1.14.19
 	github.com/mdlayher/socket v0.4.1
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/additions v0.0.0-20240212121739-8ea8c89a4552
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20240212121739-8ea8c89a4552
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20240326083846-3682438fca98
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
@@ -81,10 +82,10 @@ require (
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20230725093048-515e97ebf090
 	golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028
-	golang.org/x/net v0.17.0
+	golang.org/x/net v0.20.0
 	golang.org/x/oauth2 v0.8.0
 	golang.org/x/sync v0.3.0
-	golang.org/x/term v0.15.0
+	golang.org/x/term v0.16.0
 	google.golang.org/api v0.126.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/sqlite v1.5.3
@@ -123,7 +124,6 @@ require (
 	github.com/google/s2a-go v0.1.4 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
 	github.com/googleapis/gax-go/v2 v2.10.0 // indirect
-	github.com/gopacket/gopacket v1.1.1 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -137,10 +137,10 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pegasus-kv/thrift v0.13.0 // indirect
-	github.com/pion/dtls/v2 v2.2.7 // indirect
-	github.com/pion/mdns v0.0.9 // indirect
+	github.com/pion/dtls/v2 v2.2.10 // indirect
+	github.com/pion/mdns v0.0.12 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
-	github.com/pion/transport/v2 v2.2.1 // indirect
+	github.com/pion/transport/v2 v2.2.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
@@ -172,6 +172,8 @@ replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-2023

 replace github.com/getlantern/systray => github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949

-replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20240105182236-6c340dd55aed
+replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-20240422165616-c6832bb477d5

 replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
+
+replace github.com/pion/ice/v3 => github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e
--- a/go.sum
+++ b/go.sum
@@ -255,6 +255,7 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/gopacket v1.1.19 h1:ves8RnFZPGiFnTS0uPQStjwru6uO6h+nlr9j6fL7kF8=
 github.com/google/gopacket v1.1.19/go.mod h1:iJ8V8n6KS+z2U1A8pUwu8bW5SyEMkXJB8Yo/Vo+TKTo=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0 h1:pMen7vLs8nvgEYhywH3KDWJIJTeEr2ULsVWHWYHQyBs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/nftables v0.0.0-20220808154552-2eca00135732 h1:csc7dT82JiSLvq4aMyQMIQDL7986NH6Wxf/QrvOj55A=
 github.com/google/nftables v0.0.0-20220808154552-2eca00135732/go.mod h1:b97ulCCFipUC+kSin+zygkvUVpx0vyIAwxXFdY3PlNc=
@@ -271,8 +272,8 @@ github.com/google/s2a-go v0.1.4 h1:1kZ/sQM3srePvKs3tXAvQzo66XfcReoqFpIpIccE7Oc=
 github.com/google/s2a-go v0.1.4/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.3.1 h1:KjJaJ9iWZ3jOFZIf1Lqf4laDRCasjl0BCmnEGxkdLb4=
-github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
 github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
@@ -291,8 +292,8 @@ github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.0.2-0.20240212192251-757544f2
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
-github.com/hashicorp/go-multierror v1.1.0 h1:B9UzwGQJehnUY1yNrnwREHc3fGbC2xefo8g4TbElacI=
-github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2 h1:ET4pqyjiGmY09R5y+rSd70J2w45CtbWDNvGqWp/R3Ng=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.2/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
 github.com/hashicorp/go-uuid v1.0.2 h1:cfejS+Tpcp13yd5nYHWDI6qVCny6wyX2Mt5SGur2IGE=
@@ -344,8 +345,8 @@ github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdAPozLkw=
-github.com/libp2p/go-netroute v0.2.0 h1:0FpsbsvuSnAhXFnCY0VLFbJOzaK0VnP0r1QT/o4nWRE=
-github.com/libp2p/go-netroute v0.2.0/go.mod h1:Vio7LTzZ+6hoT4CMZi5/6CpY3Snzh2vgZhWgxMNwlQI=
+github.com/libp2p/go-netroute v0.2.1 h1:V8kVrpD8GK0Riv15/7VN6RbUQ3URNZVosw7H2v9tksU=
+github.com/libp2p/go-netroute v0.2.1/go.mod h1:hraioZr0fhBjG0ZRXJJ6Zj2IVEVNx6tDTFQfSmcq7mQ=
 github.com/lucor/goinfo v0.0.0-20210802170112-c078a2b0f08b/go.mod h1:PRq09yoB+Q2OJReAmwzKivcYyremnibWGbK7WfftHzc=
 github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
@@ -380,16 +381,17 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nadoo/ipset v0.5.0 h1:5GJUAuZ7ITQQQGne5J96AmFjRtI8Avlbk6CabzYWVUc=
 github.com/nadoo/ipset v0.5.0/go.mod h1:rYF5DQLRGGoQ8ZSWeK+6eX5amAuPqwFkWjhQlEITGJQ=
-github.com/netbirdio/management-integrations/additions v0.0.0-20240212121739-8ea8c89a4552 h1:yzcQKizAK9YufCHMMCIsr467Dw/OU/4xyHbWizGb1E4=
-github.com/netbirdio/management-integrations/additions v0.0.0-20240212121739-8ea8c89a4552/go.mod h1:31FhBNvQ+riHEIu6LSTmqr8IeuSIsGfQffqV4LFmbwA=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20240212121739-8ea8c89a4552 h1:OFlzVZtkXCoJsfDKrMigFpuad8ZXTm8epq6x27K0irA=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20240212121739-8ea8c89a4552/go.mod h1:B0nMS3es77gOvPYhc0K91fAzTkQLi/jRq5TffUN3klM=
+github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
+github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20240326083846-3682438fca98 h1:i6AtenTLu/CqhTmj0g1K/GWkkpMJMhQM6Vjs46x25nA=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20240326083846-3682438fca98/go.mod h1:kxks50DrZnhW+oRTdHOkVOJbcTcyo766am8RBugo+Yc=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/9eEyjME5/z3nxdJlN9kfQpvWWPk32g=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949 h1:xbWM9BU6mwZZLHxEjxIX/V8Hv3HurQt4mReIE4mY4DM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949/go.mod h1:AecygODWIsBquJCJFop8MEQcJbWFfw/1yWbVabNgpCM=
 github.com/netbirdio/wireguard-go v0.0.0-20240105182236-6c340dd55aed h1:t0UADZUJDaaZgfKrt8JUPrOLL9Mg/ryjP85RAH53qgs=
 github.com/netbirdio/wireguard-go v0.0.0-20240105182236-6c340dd55aed/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
+github.com/netbirdio/wireguard-go v0.0.0-20240422165616-c6832bb477d5/go.mod h1:tkCQ4FQXmpAgYVh++1cq16/dH4QJtmvpRv19DWGAHSA=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -423,20 +425,20 @@ github.com/pegasus-kv/thrift v0.13.0 h1:4ESwaNoHImfbHa9RUGJiJZ4hrxorihZHk5aarYwY
 github.com/pegasus-kv/thrift v0.13.0/go.mod h1:Gl9NT/WHG6ABm6NsrbfE8LiJN0sAyneCrvB4qN4NPqQ=
 github.com/pelletier/go-toml/v2 v2.0.9 h1:uH2qQXheeefCCkuBBSLi7jCiSmj3VRh2+Goq2N7Xxu0=
 github.com/pelletier/go-toml/v2 v2.0.9/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
-github.com/pion/dtls/v2 v2.2.7 h1:cSUBsETxepsCSFSxC3mc/aDo14qQLMSL+O6IjG28yV8=
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
-github.com/pion/ice/v3 v3.0.2 h1:dNQnKsjLvOWz+PaI4tw1VnLYTp9adihC1HIASFGajmI=
-github.com/pion/ice/v3 v3.0.2/go.mod h1:q3BDzTsxbqP0ySMSHrFuw2MYGUx/AC3WQfRGC5F/0Is=
+github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
+github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
-github.com/pion/mdns v0.0.9 h1:7Ue5KZsqq8EuqStnpPWV33vYYEH0+skdDN5L7EiEsI4=
-github.com/pion/mdns v0.0.9/go.mod h1:2JA5exfxwzXiCihmxpTKgFUpiQws2MnipoPK09vecIc=
+github.com/pion/mdns v0.0.12 h1:CiMYlY+O0azojWDmxdNr7ADGrnZ+V6Ilfner+6mSVK8=
+github.com/pion/mdns v0.0.12/go.mod h1:VExJjv8to/6Wqm1FXK+Ii/Z9tsVk/F5sD/N70cnYFbk=
 github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA=
 github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8=
 github.com/pion/stun/v2 v2.0.0 h1:A5+wXKLAypxQri59+tmQKVs7+l6mMM+3d+eER9ifRU0=
 github.com/pion/stun/v2 v2.0.0/go.mod h1:22qRSh08fSEttYUmJZGlriq9+03jtVmXNODgLccj8GQ=
-github.com/pion/transport/v2 v2.2.1 h1:7qYnCBlpgSJNYMbLCKuSY9KbQdBFoETvPNETv0y4N7c=
 github.com/pion/transport/v2 v2.2.1/go.mod h1:cXXWavvCnFF6McHTft3DWS9iic2Mftcz1Aq29pGcU5g=
+github.com/pion/transport/v2 v2.2.4 h1:41JJK6DZQYSeVLxILA2+F4ZkKb4Xd/tFJZRFZQ9QAlo=
+github.com/pion/transport/v2 v2.2.4/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0=
 github.com/pion/transport/v3 v3.0.1 h1:gDTlPJwROfSfz6QfSi0ZmeCSkFcnWWiiR9ES0ouANiM=
 github.com/pion/transport/v3 v3.0.1/go.mod h1:UY7kiITrlMv7/IKgd5eTUcaahZx5oUN3l9SzK5f5xE0=
 github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
@@ -580,10 +582,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
-golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k=
-golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
+golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -660,7 +660,6 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
-golang.org/x/net v0.0.0-20210423184538-5f58ad60dda6/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -671,9 +670,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
-golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
-golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
+golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
+golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -748,7 +746,6 @@ golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210426080607-c94f62235c83/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -765,20 +762,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
-golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
+golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
-golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
-golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
-golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4=
-golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
+golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
+golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -792,7 +785,6 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
--- a/iface/address.go
+++ b/iface/address.go
@@ -23,6 +23,24 @@ func parseWGAddress(address string) (WGAddress, error) {
 	}, nil
 }

+// Masked returns the WGAddress with the IP address part masked according to its network mask.
+func (addr WGAddress) Masked() WGAddress {
+	ip := addr.IP.To4()
+	if ip == nil {
+		ip = addr.IP.To16()
+	}
+
+	maskedIP := make(net.IP, len(ip))
+	for i := range ip {
+		maskedIP[i] = ip[i] & addr.Network.Mask[i]
+	}
+
+	return WGAddress{
+		IP:      maskedIP,
+		Network: addr.Network,
+	}
+}
+
 func (addr WGAddress) String() string {
 	maskSize, _ := addr.Network.Mask.Size()
 	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
--- a/iface/bind/bind.go
+++ b/iface/bind/bind.go
@@ -13,14 +13,6 @@ import (
 	wgConn "golang.zx2c4.com/wireguard/conn"
 )

-type receiverCreator struct {
-	iceBind *ICEBind
-}
-
-func (rc receiverCreator) CreateIPv4ReceiverFn(msgPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
-	return rc.iceBind.createIPv4ReceiverFn(msgPool, pc, conn)
-}
-
 type ICEBind struct {
 	*wgConn.StdNetBind

@@ -28,6 +20,8 @@ type ICEBind struct {

 	transportNet transport.Net
 	udpMux       *UniversalUDPMuxDefault
+
+	receiverCreator *receiverCreator
 }

 func NewICEBind(transportNet transport.Net) *ICEBind {
@@ -35,9 +29,9 @@ func NewICEBind(transportNet transport.Net) *ICEBind {
 		transportNet: transportNet,
 	}

-	rc := receiverCreator{
-		ib,
-	}
+	rc := newReceiverCreator(ib)
+	ib.receiverCreator = rc
+
 	ib.StdNetBind = wgConn.NewStdNetBindWithReceiverCreator(rc)
 	return ib
 }
@@ -53,7 +47,11 @@ func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	return s.udpMux, nil
 }

-func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
+func (s *ICEBind) SetTurnConn(conn interface{}) {
+	s.receiverCreator.setTurnConn(conn)
+}
+
+func (s *ICEBind) createIPv4ReceiverFn(ipv4MsgsPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn, netConn net.PacketConn) wgConn.ReceiveFunc {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()

--- a/iface/bind/receiver_creator.go
+++ b/iface/bind/receiver_creator.go
@@ -0,0 +1,38 @@
+package bind
+
+import (
+	"net"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/ipv4"
+	wgConn "golang.zx2c4.com/wireguard/conn"
+)
+
+type receiverCreator struct {
+	iceBind   *ICEBind
+	relayConn net.PacketConn
+}
+
+func newReceiverCreator(iceBind *ICEBind) *receiverCreator {
+	return &receiverCreator{
+		iceBind: iceBind,
+	}
+}
+
+func (rc *receiverCreator) CreateIPv4ReceiverFn(msgPool *sync.Pool, pc *ipv4.PacketConn, conn *net.UDPConn) wgConn.ReceiveFunc {
+	return rc.iceBind.createIPv4ReceiverFn(msgPool, pc, conn, nil)
+}
+
+func (rc *receiverCreator) CreateRelayReceiverFn(msgPool *sync.Pool) wgConn.ReceiveFunc {
+	if rc.relayConn == nil {
+		log.Debugf("-------rc.conn is nil")
+		return nil
+	}
+	return rc.iceBind.createIPv4ReceiverFn(msgPool, nil, nil, rc.relayConn)
+}
+
+func (rc *receiverCreator) setTurnConn(relayConn interface{}) {
+	log.Debug("------ SET TURN CONN")
+	rc.relayConn = relayConn.(net.PacketConn)
+}
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -150,3 +150,10 @@ func (w *WGIface) GetDevice() *DeviceWrapper {
 func (w *WGIface) GetStats(peerKey string) (WGStats, error) {
 	return w.configurer.getStats(peerKey)
 }
+
+func (w *WGIface) SetRelayConn(conn interface{}) {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	w.tun.SetTurnConn(conn)
+}
--- a/iface/module_linux.go
+++ b/iface/module_linux.go
@@ -85,23 +85,27 @@ func tunModuleIsLoaded() bool {

 // WireGuardModuleIsLoaded check if we can load WireGuard mod (linux only)
 func WireGuardModuleIsLoaded() bool {
+	return false

-	if os.Getenv(envDisableWireGuardKernel) == "true" {
-		log.Debugf("WireGuard kernel module disabled because the %s env is set to true", envDisableWireGuardKernel)
-		return false
-	}
+	/*
+		if os.Getenv(envDisableWireGuardKernel) == "true" {
+			log.Debugf("WireGuard kernel module disabled because the %s env is set to true", envDisableWireGuardKernel)
+			return false
+		}

-	if canCreateFakeWireGuardInterface() {
-		return true
-	}
+		if canCreateFakeWireGuardInterface() {
+			return true
+		}

-	loaded, err := tryToLoadModule("wireguard")
-	if err != nil {
-		log.Info(err)
-		return false
-	}
+		loaded, err := tryToLoadModule("wireguard")
+		if err != nil {
+			log.Info(err)
+			return false
+		}

-	return loaded
+		return loaded
+
+	*/
 }

 func canCreateFakeWireGuardInterface() bool {
--- a/iface/tun.go
+++ b/iface/tun.go
@@ -15,4 +15,5 @@ type wgTunDevice interface {
 	DeviceName() string
 	Close() error
 	Wrapper() *DeviceWrapper // todo eliminate this function
+	SetTurnConn(conn interface{})
 }
--- a/iface/tun_kernel_linux.go
+++ b/iface/tun_kernel_linux.go
@@ -31,6 +31,11 @@ type tunKernelDevice struct {
 	udpMux     *bind.UniversalUDPMuxDefault
 }

+func (t *tunKernelDevice) SetTurnConn(interface{}) {
+	//TODO implement me
+	panic("implement me")
+}
+
 func newTunDevice(name string, address WGAddress, wgPort int, key string, mtu int, transportNet transport.Net) wgTunDevice {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &tunKernelDevice{
--- a/iface/tun_netstack.go
+++ b/iface/tun_netstack.go
@@ -30,6 +30,11 @@ type tunNetstackDevice struct {
 	configurer wgConfigurer
 }

+func (t *tunNetstackDevice) SetTurnConn(interface{}) {
+	//TODO implement me
+	panic("implement me")
+}
+
 func newTunNetstackDevice(name string, address WGAddress, wgPort int, key string, mtu int, transportNet transport.Net, listenAddress string) wgTunDevice {
 	return &tunNetstackDevice{
 		name:          name,
--- a/iface/tun_usp_linux.go
+++ b/iface/tun_usp_linux.go
@@ -54,7 +54,7 @@ func (t *tunUSPDevice) Create() (wgConfigurer, error) {
 	t.device = device.NewDevice(
 		t.wrapper,
 		t.iceBind,
-		device.NewLogger(device.LogLevelSilent, "[netbird] "),
+		device.NewLogger(device.LogLevelError, "[netbird] "),
 	)

 	err = t.assignAddr()
@@ -70,6 +70,7 @@ func (t *tunUSPDevice) Create() (wgConfigurer, error) {
 		t.configurer.close()
 		return nil, err
 	}
+	log.Debugf("configuration done")
 	return t.configurer, nil
 }

@@ -125,6 +126,14 @@ func (t *tunUSPDevice) Wrapper() *DeviceWrapper {
 	return t.wrapper
 }

+func (t *tunUSPDevice) SetTurnConn(conn interface{}) {
+	t.iceBind.SetTurnConn(conn)
+	err := t.device.BindUpdate()
+	if err != nil {
+		log.Errorf("failed to update bind: %v", err)
+	}
+}
+
 // assignAddr Adds IP address to the tunnel interface
 func (t *tunUSPDevice) assignAddr() error {
 	link := newWGLink(t.name)
--- a/iface/wg_configurer_kernel.go
+++ b/iface/wg_configurer_kernel.go
@@ -10,6 +10,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type wgKernelConfigurer struct {
@@ -29,7 +31,7 @@ func (c *wgKernelConfigurer) configureInterface(privateKey string, port int) err
 	if err != nil {
 		return err
 	}
-	fwmark := 0
+	fwmark := nbnet.NetbirdFwmark
 	config := wgtypes.Config{
 		PrivateKey:   &key,
 		ReplacePeers: true,
--- a/iface/wg_configurer_usp.go
+++ b/iface/wg_configurer_usp.go
@@ -13,6 +13,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 type wgUSPConfigurer struct {
@@ -37,7 +39,7 @@ func (c *wgUSPConfigurer) configureInterface(privateKey string, port int) error
 	if err != nil {
 		return err
 	}
-	fwmark := 0
+	fwmark := getFwmark()
 	config := wgtypes.Config{
 		PrivateKey:   &key,
 		ReplacePeers: true,
@@ -345,3 +347,10 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 	}
 	return sb.String()
 }
+
+func getFwmark() int {
+	if runtime.GOOS == "linux" {
+		return nbnet.NetbirdFwmark
+	}
+	return 0
+}
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -58,6 +58,7 @@ services:
    command: [
      "--port", "443",
      "--log-file", "console",
+      "--log-level", "info",
      "--disable-anonymous-metrics=$NETBIRD_DISABLE_ANONYMOUS_METRICS",
      "--single-account-mode-domain=$NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN",
      "--dns-domain=$NETBIRD_MGMT_DNS_DOMAIN"
--- a/infrastructure_files/docker-compose.yml.tmpl.traefik
+++ b/infrastructure_files/docker-compose.yml.tmpl.traefik
@@ -2,7 +2,7 @@ version: "3"
 services:
  #UI dashboard
  dashboard:
-    image: wiretrustee/dashboard:$NETBIRD_DASHBOARD_TAG
+    image: netbirdio/dashboard:$NETBIRD_DASHBOARD_TAG
    restart: unless-stopped
    #ports:
    #  - 80:80
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -3,6 +3,7 @@ package client
 import (
 	"context"
 	"net"
+	"os"
 	"path/filepath"
 	"sync"
 	"testing"
@@ -15,6 +16,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"

+	"github.com/netbirdio/management-integrations/integrations"
 	"github.com/netbirdio/netbird/encryption"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	mgmt "github.com/netbirdio/netbird/management/server"
@@ -30,6 +32,12 @@ import (

 const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"

+func TestMain(m *testing.M) {
+	_ = util.InitLog("debug", "console")
+	code := m.Run()
+	os.Exit(code)
+}
+
 func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 	t.Helper()
 	level, _ := log.ParseLevel("debug")
@@ -60,7 +68,8 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {

 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "", eventStore, nil, false)
+	ia, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -24,6 +24,7 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/management/proto"
+	nbgrpc "github.com/netbirdio/netbird/util/grpc"
 )

 const ConnectTimeout = 10 * time.Second
@@ -57,6 +58,7 @@ func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsE
 		mgmCtx,
 		addr,
 		transportOption,
+		nbgrpc.WithCustomDialer(),
 		grpc.WithBlock(),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    30 * time.Second,
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -31,6 +31,7 @@ import (
 	"google.golang.org/grpc/keepalive"

 	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
+
 	"github.com/netbirdio/management-integrations/integrations"

 	"github.com/netbirdio/netbird/encryption"
@@ -172,8 +173,12 @@ var (
 				log.Infof("geo location service has been initialized from %s", config.Datadir)
 			}

+			integratedPeerValidator, err := integrations.NewIntegratedValidator(eventStore)
+			if err != nil {
+				return fmt.Errorf("failed to initialize integrated peer validator: %v", err)
+			}
 			accountManager, err := server.BuildManager(store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
-				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled)
+				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator)
 			if err != nil {
 				return fmt.Errorf("failed to build default manager: %v", err)
 			}
@@ -323,6 +328,7 @@ var (
 			SetupCloseHandler()

 			<-stopCh
+			integratedPeerValidator.Stop()
 			if geo != nil {
 				_ = geo.Stop()
 			}
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -21,14 +21,15 @@ import (
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

-	"github.com/netbirdio/management-integrations/additions"
-
 	"github.com/netbirdio/netbird/base62"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/geolocation"
+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/integrated_validator"
+	"github.com/netbirdio/netbird/management/server/integration_reference"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/posture"
@@ -40,9 +41,6 @@ const (
 	PublicCategory             = "public"
 	PrivateCategory            = "private"
 	UnknownCategory            = "unknown"
-	GroupIssuedAPI             = "api"
-	GroupIssuedJWT             = "jwt"
-	GroupIssuedIntegration     = "integration"
 	CacheExpirationMax         = 7 * 24 * 3600 * time.Second // 7 days
 	CacheExpirationMin         = 3 * 24 * 3600 * time.Second // 3 days
 	DefaultPeerLoginExpiration = 24 * time.Hour
@@ -88,11 +86,12 @@ type AccountManager interface {
 	GetAllPATs(accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error)
 	UpdatePeerSSHKey(peerID string, sshKey string) error
 	GetUsersFromAccount(accountID, userID string) ([]*UserInfo, error)
-	GetGroup(accountId, groupID string) (*Group, error)
-	GetGroupByName(groupName, accountID string) (*Group, error)
-	SaveGroup(accountID, userID string, group *Group) error
+	GetGroup(accountId, groupID, userID string) (*nbgroup.Group, error)
+	GetAllGroups(accountID, userID string) ([]*nbgroup.Group, error)
+	GetGroupByName(groupName, accountID string) (*nbgroup.Group, error)
+	SaveGroup(accountID, userID string, group *nbgroup.Group) error
 	DeleteGroup(accountId, userId, groupID string) error
-	ListGroups(accountId string) ([]*Group, error)
+	ListGroups(accountId string) ([]*nbgroup.Group, error)
 	GroupAddPeer(accountId, groupID, peerID string) error
 	GroupDeletePeer(accountId, groupID, peerID string) error
 	GetPolicy(accountID, policyID, userID string) (*Policy, error)
@@ -126,6 +125,9 @@ type AccountManager interface {
 	DeletePostureChecks(accountID, postureChecksID, userID string) error
 	ListPostureChecks(accountID, userID string) ([]*posture.Checks, error)
 	GetIdpManager() idp.Manager
+	UpdateIntegratedValidatorGroups(accountID string, userID string, groups []string) error
+	GroupValidation(accountId string, groups []string) (bool, error)
+	GetValidatedPeers(account *Account) (map[string]struct{}, error)
 }

 type DefaultAccountManager struct {
@@ -154,6 +156,8 @@ type DefaultAccountManager struct {

 	// userDeleteFromIDPEnabled allows to delete user from IDP when user is deleted from account
 	userDeleteFromIDPEnabled bool
+
+	integratedPeerValidator integrated_validator.IntegratedValidator
 }

 // Settings represents Account settings structure that can be modified via API and Dashboard
@@ -165,6 +169,9 @@ type Settings struct {
 	// Applies to all peers that have Peer.LoginExpirationEnabled set to true.
 	PeerLoginExpiration time.Duration

+	// RegularUsersViewBlocked allows to block regular users from viewing even their own peers and some UI elements
+	RegularUsersViewBlocked bool
+
 	// GroupsPropagationEnabled allows to propagate auto groups from the user to the peer
 	GroupsPropagationEnabled bool

@@ -191,6 +198,7 @@ func (s *Settings) Copy() *Settings {
 		JWTGroupsClaimName:         s.JWTGroupsClaimName,
 		GroupsPropagationEnabled:   s.GroupsPropagationEnabled,
 		JWTAllowGroups:             s.JWTAllowGroups,
+		RegularUsersViewBlocked:    s.RegularUsersViewBlocked,
 	}
 	if s.Extra != nil {
 		settings.Extra = s.Extra.Copy()
@@ -216,8 +224,8 @@ type Account struct {
 	PeersG                 []nbpeer.Peer                     `json:"-" gorm:"foreignKey:AccountID;references:id"`
 	Users                  map[string]*User                  `gorm:"-"`
 	UsersG                 []User                            `json:"-" gorm:"foreignKey:AccountID;references:id"`
-	Groups                 map[string]*Group                 `gorm:"-"`
-	GroupsG                []Group                           `json:"-" gorm:"foreignKey:AccountID;references:id"`
+	Groups                 map[string]*nbgroup.Group         `gorm:"-"`
+	GroupsG                []nbgroup.Group                   `json:"-" gorm:"foreignKey:AccountID;references:id"`
 	Policies               []*Policy                         `gorm:"foreignKey:AccountID;references:id"`
 	Routes                 map[string]*route.Route           `gorm:"-"`
 	RoutesG                []route.Route                     `json:"-" gorm:"foreignKey:AccountID;references:id"`
@@ -227,24 +235,26 @@ type Account struct {
 	PostureChecks          []*posture.Checks                 `gorm:"foreignKey:AccountID;references:id"`
 	// Settings is a dictionary of Account settings
 	Settings *Settings `gorm:"embedded;embeddedPrefix:settings_"`
-	// deprecated on store and api level
-	Rules  map[string]*Rule `json:"-" gorm:"-"`
-	RulesG []Rule           `json:"-" gorm:"-"`
+}
+
+type UserPermissions struct {
+	DashboardView string `json:"dashboard_view"`
 }

 type UserInfo struct {
-	ID                   string               `json:"id"`
-	Email                string               `json:"email"`
-	Name                 string               `json:"name"`
-	Role                 string               `json:"role"`
-	AutoGroups           []string             `json:"auto_groups"`
-	Status               string               `json:"-"`
-	IsServiceUser        bool                 `json:"is_service_user"`
-	IsBlocked            bool                 `json:"is_blocked"`
-	NonDeletable         bool                 `json:"non_deletable"`
-	LastLogin            time.Time            `json:"last_login"`
-	Issued               string               `json:"issued"`
-	IntegrationReference IntegrationReference `json:"-"`
+	ID                   string                                     `json:"id"`
+	Email                string                                     `json:"email"`
+	Name                 string                                     `json:"name"`
+	Role                 string                                     `json:"role"`
+	AutoGroups           []string                                   `json:"auto_groups"`
+	Status               string                                     `json:"-"`
+	IsServiceUser        bool                                       `json:"is_service_user"`
+	IsBlocked            bool                                       `json:"is_blocked"`
+	NonDeletable         bool                                       `json:"non_deletable"`
+	LastLogin            time.Time                                  `json:"last_login"`
+	Issued               string                                     `json:"issued"`
+	IntegrationReference integration_reference.IntegrationReference `json:"-"`
+	Permissions          UserPermissions                            `json:"permissions"`
 }

 // getRoutesToSync returns the enabled routes for the peer ID and the routes
@@ -268,7 +278,7 @@ func (a *Account) getRoutesToSync(peerID string, aclPeers []*nbpeer.Peer) []*rou
 	return routes
 }

-// filterRoutesByHAMembership filters and returns a list of routes that don't share the same HA route membership
+// filterRoutesFromPeersOfSameHAGroup filters and returns a list of routes that don't share the same HA route membership
 func (a *Account) filterRoutesFromPeersOfSameHAGroup(routes []*route.Route, peerMemberships lookupMap) []*route.Route {
 	var filteredRoutes []*route.Route
 	for _, r := range routes {
@@ -368,25 +378,26 @@ func (a *Account) GetRoutesByPrefix(prefix netip.Prefix) []*route.Route {
 }

 // GetGroup returns a group by ID if exists, nil otherwise
-func (a *Account) GetGroup(groupID string) *Group {
+func (a *Account) GetGroup(groupID string) *nbgroup.Group {
 	return a.Groups[groupID]
 }

 // GetPeerNetworkMap returns a group by ID if exists, nil otherwise
-func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
+func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string, validatedPeersMap map[string]struct{}) *NetworkMap {
 	peer := a.Peers[peerID]
 	if peer == nil {
 		return &NetworkMap{
 			Network: a.Network.Copy(),
 		}
 	}
-	validatedPeers := additions.ValidatePeers([]*nbpeer.Peer{peer})
-	if len(validatedPeers) == 0 {
+
+	if _, ok := validatedPeersMap[peerID]; !ok {
 		return &NetworkMap{
 			Network: a.Network.Copy(),
 		}
 	}
-	aclPeers, firewallRules := a.getPeerConnectionResources(peerID)
+
+	aclPeers, firewallRules := a.getPeerConnectionResources(peerID, validatedPeersMap)
 	// exclude expired peers
 	var peersToConnect []*nbpeer.Peer
 	var expiredPeers []*nbpeer.Peer
@@ -559,6 +570,16 @@ func (a *Account) FindUser(userID string) (*User, error) {
 	return user, nil
 }

+// FindGroupByName looks for a given group in the Account by name or returns error if the group wasn't found.
+func (a *Account) FindGroupByName(groupName string) (*nbgroup.Group, error) {
+	for _, group := range a.Groups {
+		if group.Name == groupName {
+			return group, nil
+		}
+	}
+	return nil, status.Errorf(status.NotFound, "group %s not found", groupName)
+}
+
 // FindSetupKey looks for a given SetupKey in the Account or returns error if it wasn't found.
 func (a *Account) FindSetupKey(setupKey string) (*SetupKey, error) {
 	key := a.SetupKeys[setupKey]
@@ -569,6 +590,20 @@ func (a *Account) FindSetupKey(setupKey string) (*SetupKey, error) {
 	return key, nil
 }

+// GetPeerGroupsList return with the list of groups ID.
+func (a *Account) GetPeerGroupsList(peerID string) []string {
+	var grps []string
+	for groupID, group := range a.Groups {
+		for _, id := range group.Peers {
+			if id == peerID {
+				grps = append(grps, groupID)
+				break
+			}
+		}
+	}
+	return grps
+}
+
 func (a *Account) getUserGroups(userID string) ([]string, error) {
 	user, err := a.FindUser(userID)
 	if err != nil {
@@ -646,7 +681,7 @@ func (a *Account) Copy() *Account {
 		setupKeys[id] = key.Copy()
 	}

-	groups := map[string]*Group{}
+	groups := map[string]*nbgroup.Group{}
 	for id, group := range a.Groups {
 		groups[id] = group.Copy()
 	}
@@ -699,7 +734,7 @@ func (a *Account) Copy() *Account {
 	}
 }

-func (a *Account) GetGroupAll() (*Group, error) {
+func (a *Account) GetGroupAll() (*nbgroup.Group, error) {
 	for _, g := range a.Groups {
 		if g.Name == "All" {
 			return g, nil
@@ -720,7 +755,7 @@ func (a *Account) SetJWTGroups(userID string, groupsNames []string) bool {
 		return false
 	}

-	existedGroupsByName := make(map[string]*Group)
+	existedGroupsByName := make(map[string]*nbgroup.Group)
 	for _, group := range a.Groups {
 		existedGroupsByName[group.Name] = group
 	}
@@ -729,7 +764,7 @@ func (a *Account) SetJWTGroups(userID string, groupsNames []string) bool {
 	removed := 0
 	jwtAutoGroups := make(map[string]struct{})
 	for i, id := range user.AutoGroups {
-		if group, ok := a.Groups[id]; ok && group.Issued == GroupIssuedJWT {
+		if group, ok := a.Groups[id]; ok && group.Issued == nbgroup.GroupIssuedJWT {
 			jwtAutoGroups[group.Name] = struct{}{}
 			user.AutoGroups = append(user.AutoGroups[:i-removed], user.AutoGroups[i-removed+1:]...)
 			removed++
@@ -742,15 +777,15 @@ func (a *Account) SetJWTGroups(userID string, groupsNames []string) bool {
 	for _, name := range groupsNames {
 		group, ok := existedGroupsByName[name]
 		if !ok {
-			group = &Group{
+			group = &nbgroup.Group{
 				ID:     xid.New().String(),
 				Name:   name,
-				Issued: GroupIssuedJWT,
+				Issued: nbgroup.GroupIssuedJWT,
 			}
 			a.Groups[group.ID] = group
 		}
 		// only JWT groups will be synced
-		if group.Issued == GroupIssuedJWT {
+		if group.Issued == nbgroup.GroupIssuedJWT {
 			user.AutoGroups = append(user.AutoGroups, group.ID)
 			if _, ok := jwtAutoGroups[name]; !ok {
 				modified = true
@@ -823,6 +858,7 @@ func (a *Account) UserGroupsRemoveFromPeers(userID string, groups ...string) {
 func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager,
 	singleAccountModeDomain string, dnsDomain string, eventStore activity.Store, geo *geolocation.Geolocation,
 	userDeleteFromIDPEnabled bool,
+	integratedPeerValidator integrated_validator.IntegratedValidator,
 ) (*DefaultAccountManager, error) {
 	am := &DefaultAccountManager{
 		Store:                    store,
@@ -836,6 +872,7 @@ func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManage
 		eventStore:               eventStore,
 		peerLoginExpiry:          NewDefaultScheduler(),
 		userDeleteFromIDPEnabled: userDeleteFromIDPEnabled,
+		integratedPeerValidator:  integratedPeerValidator,
 	}
 	allAccounts := store.GetAllAccounts()
 	// enable single account mode only if configured by user and number of existing accounts is not grater than 1
@@ -892,6 +929,8 @@ func BuildManager(store Store, peersUpdateManager *PeersUpdateManager, idpManage
 		}()
 	}

+	am.integratedPeerValidator.SetPeerInvalidationListener(am.onPeersInvalidated)
+
 	return am, nil
 }

@@ -934,7 +973,7 @@ func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string,
 		return nil, status.Errorf(status.PermissionDenied, "user is not allowed to update account")
 	}

-	err = additions.ValidateExtraSettings(newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID, am.eventStore)
+	err = am.integratedPeerValidator.ValidateExtraSettings(newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID)
 	if err != nil {
 		return nil, err
 	}
@@ -1081,7 +1120,7 @@ func (am *DefaultAccountManager) DeleteAccount(accountID, userID string) error {
 		return status.Errorf(status.PermissionDenied, "user is not allowed to delete account")
 	}

-	if user.Id != account.CreatedBy {
+	if user.Role != UserRoleOwner {
 		return status.Errorf(status.PermissionDenied, "user is not allowed to delete account. Only account owner can delete account")
 	}
 	for _, otherUser := range account.Users {
@@ -1361,16 +1400,21 @@ func (am *DefaultAccountManager) removeUserFromCache(accountID, userID string) e
 func (am *DefaultAccountManager) updateAccountDomainAttributes(account *Account, claims jwtclaims.AuthorizationClaims,
 	primaryDomain bool,
 ) error {
-	account.IsDomainPrimaryAccount = primaryDomain

-	lowerDomain := strings.ToLower(claims.Domain)
-	userObj := account.Users[claims.UserId]
-	if account.Domain != lowerDomain && userObj.Role == UserRoleAdmin {
-		account.Domain = lowerDomain
-	}
-	// prevent updating category for different domain until admin logs in
-	if account.Domain == lowerDomain {
-		account.DomainCategory = claims.DomainCategory
+	if claims.Domain != "" {
+		account.IsDomainPrimaryAccount = primaryDomain
+
+		lowerDomain := strings.ToLower(claims.Domain)
+		userObj := account.Users[claims.UserId]
+		if account.Domain != lowerDomain && userObj.Role == UserRoleAdmin {
+			account.Domain = lowerDomain
+		}
+		// prevent updating category for different domain until admin logs in
+		if account.Domain == lowerDomain {
+			account.DomainCategory = claims.DomainCategory
+		}
+	} else {
+		log.Errorf("claims don't contain a valid domain, skipping domain attributes update. Received claims: %v", claims)
 	}

 	err := am.Store.SaveAccount(account)
@@ -1579,7 +1623,7 @@ func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.Authorizat
 		// We override incoming domain claims to group users under a single account.
 		claims.Domain = am.singleAccountModeDomain
 		claims.DomainCategory = PrivateCategory
-		log.Infof("overriding JWT Domain and DomainCategory claims since single account mode is enabled")
+		log.Debugf("overriding JWT Domain and DomainCategory claims since single account mode is enabled")
 	}

 	newAcc, err := am.getAccountWithAuthorizationClaims(claims)
@@ -1804,18 +1848,27 @@ func (am *DefaultAccountManager) CheckUserAccessByJWTGroups(claims jwtclaims.Aut
 	return nil
 }

+func (am *DefaultAccountManager) onPeersInvalidated(accountID string) {
+	updatedAccount, err := am.Store.GetAccount(accountID)
+	if err != nil {
+		log.Errorf("failed to get account %s: %v", accountID, err)
+		return
+	}
+	am.updateAccountPeers(updatedAccount)
+}
+
 // addAllGroup to account object if it doesn't exist
 func addAllGroup(account *Account) error {
 	if len(account.Groups) == 0 {
-		allGroup := &Group{
+		allGroup := &nbgroup.Group{
 			ID:     xid.New().String(),
 			Name:   "All",
-			Issued: GroupIssuedAPI,
+			Issued: nbgroup.GroupIssuedAPI,
 		}
 		for _, peer := range account.Peers {
 			allGroup.Peers = append(allGroup.Peers, peer.ID)
 		}
-		account.Groups = map[string]*Group{allGroup.ID: allGroup}
+		account.Groups = map[string]*nbgroup.Group{allGroup.ID: allGroup}

 		id := xid.New().String()

@@ -1876,6 +1929,7 @@ func newAccountWithId(accountID, userID, domain string) *Account {
 			PeerLoginExpirationEnabled: true,
 			PeerLoginExpiration:        DefaultPeerLoginExpiration,
 			GroupsPropagationEnabled:   true,
+			RegularUsersViewBlocked:    true,
 		},
 	}

--- a/management/server/account/account.go
+++ b/management/server/account/account.go
@@ -3,11 +3,17 @@ package account
 type ExtraSettings struct {
 	// PeerApprovalEnabled enables or disables the need for peers bo be approved by an administrator
 	PeerApprovalEnabled bool
+
+	// IntegratedValidatorGroups list of group IDs to be used with integrated approval configurations
+	IntegratedValidatorGroups []string `gorm:"serializer:json"`
 }

 // Copy copies the ExtraSettings struct
 func (e *ExtraSettings) Copy() *ExtraSettings {
+	var cpGroup []string
+
 	return &ExtraSettings{
-		PeerApprovalEnabled: e.PeerApprovalEnabled,
+		PeerApprovalEnabled:       e.PeerApprovalEnabled,
+		IntegratedValidatorGroups: append(cpGroup, e.IntegratedValidatorGroups...),
 	}
 }
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -12,20 +12,57 @@ import (
 	"time"

 	"github.com/golang-jwt/jwt"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/server/activity"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/route"
-
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

+	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/server/account"
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/route"
 )

+type MocIntegratedValidator struct {
+}
+
+func (a MocIntegratedValidator) ValidateExtraSettings(newExtraSettings *account.ExtraSettings, oldExtraSettings *account.ExtraSettings, peers map[string]*nbpeer.Peer, userID string, accountID string) error {
+	return nil
+}
+
+func (a MocIntegratedValidator) ValidatePeer(update *nbpeer.Peer, peer *nbpeer.Peer, userID string, accountID string, dnsDomain string, peersGroup []string, extraSettings *account.ExtraSettings) (*nbpeer.Peer, error) {
+	return update, nil
+}
+func (a MocIntegratedValidator) GetValidatedPeers(accountID string, groups map[string]*group.Group, peers map[string]*nbpeer.Peer, extraSettings *account.ExtraSettings) (map[string]struct{}, error) {
+	validatedPeers := make(map[string]struct{})
+	for _, peer := range peers {
+		validatedPeers[peer.ID] = struct{}{}
+	}
+	return validatedPeers, nil
+}
+
+func (MocIntegratedValidator) PreparePeer(accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *account.ExtraSettings) *nbpeer.Peer {
+	return peer
+}
+
+func (MocIntegratedValidator) IsNotValidPeer(accountID string, peer *nbpeer.Peer, peersGroup []string, extraSettings *account.ExtraSettings) (bool, bool) {
+	return false, false
+}
+
+func (MocIntegratedValidator) PeerDeleted(_, _ string) error {
+	return nil
+}
+
+func (MocIntegratedValidator) SetPeerInvalidationListener(func(accountID string)) {
+
+}
+
+func (MocIntegratedValidator) Stop() {
+}
+
 func verifyCanAddPeerToAccount(t *testing.T, manager AccountManager, account *Account, userID string) {
 	t.Helper()
 	peer := &nbpeer.Peer{
@@ -367,7 +404,12 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 			account.Groups[all.ID].Peers = append(account.Groups[all.ID].Peers, peer.ID)
 		}

-		networkMap := account.GetPeerNetworkMap(testCase.peerID, "netbird.io")
+		validatedPeers := map[string]struct{}{}
+		for p := range account.Peers {
+			validatedPeers[p] = struct{}{}
+		}
+
+		networkMap := account.GetPeerNetworkMap(testCase.peerID, "netbird.io", validatedPeers)
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
@@ -667,7 +709,7 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 		require.NoError(t, err, "get account by token failed")
 		require.Len(t, account.Groups, 3, "groups should be added to the account")

-		groupsByNames := map[string]*Group{}
+		groupsByNames := map[string]*group.Group{}
 		for _, g := range account.Groups {
 			groupsByNames[g.Name] = g
 		}
@@ -675,12 +717,12 @@ func TestDefaultAccountManager_GetGroupsFromTheToken(t *testing.T) {
 		g1, ok := groupsByNames["group1"]
 		require.True(t, ok, "group1 should be added to the account")
 		require.Equal(t, g1.Name, "group1", "group1 name should match")
-		require.Equal(t, g1.Issued, GroupIssuedJWT, "group1 issued should match")
+		require.Equal(t, g1.Issued, group.GroupIssuedJWT, "group1 issued should match")

 		g2, ok := groupsByNames["group2"]
 		require.True(t, ok, "group2 should be added to the account")
 		require.Equal(t, g2.Name, "group2", "group2 name should match")
-		require.Equal(t, g2.Issued, GroupIssuedJWT, "group2 issued should match")
+		require.Equal(t, g2.Issued, group.GroupIssuedJWT, "group2 issued should match")
 	})
 }

@@ -800,7 +842,7 @@ func TestAccountManager_SetOrUpdateDomain(t *testing.T) {
 		t.Fatalf("expected to create an account for a user %s", userId)
 	}

-	if account.Domain != domain {
+	if account != nil && account.Domain != domain {
 		t.Errorf("setting account domain failed, expected %s, got %s", domain, account.Domain)
 	}

@@ -815,7 +857,7 @@ func TestAccountManager_SetOrUpdateDomain(t *testing.T) {
 		t.Fatalf("expected to get an account for a user %s", userId)
 	}

-	if account.Domain != domain {
+	if account != nil && account.Domain != domain {
 		t.Errorf("updating domain. expected %s got %s", domain, account.Domain)
 	}
 }
@@ -835,13 +877,12 @@ func TestAccountManager_GetAccountByUserOrAccountId(t *testing.T) {
 	}
 	if account == nil {
 		t.Fatalf("expected to create an account for a user %s", userId)
+		return
 	}

-	accountId := account.Id
-
-	_, err = manager.GetAccountByUserOrAccountID("", accountId, "")
+	_, err = manager.GetAccountByUserOrAccountID("", account.Id, "")
 	if err != nil {
-		t.Errorf("expected to get existing account after creation using userid, no account was found for a account %s", accountId)
+		t.Errorf("expected to get existing account after creation using userid, no account was found for a account %s", account.Id)
 	}

 	_, err = manager.GetAccountByUserOrAccountID("", "", "")
@@ -1124,7 +1165,7 @@ func TestAccountManager_NetworkUpdates(t *testing.T) {
 	updMsg := manager.peersUpdateManager.CreateChannel(peer1.ID)
 	defer manager.peersUpdateManager.CloseChannel(peer1.ID)

-	group := Group{
+	group := group.Group{
 		ID:    "group-id",
 		Name:  "GroupA",
 		Peers: []string{peer1.ID, peer2.ID, peer3.ID},
@@ -1417,7 +1458,7 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 		Peers: map[string]*nbpeer.Peer{
 			"peer-1": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}},
 		},
-		Groups: map[string]*Group{"group1": {ID: "group1", Peers: []string{"peer-1", "peer-2"}}},
+		Groups: map[string]*group.Group{"group1": {ID: "group1", Peers: []string{"peer-1", "peer-2"}}},
 		Routes: map[string]*route.Route{
 			"route-1": {
 				ID:          "route-1",
@@ -1518,7 +1559,7 @@ func TestAccount_Copy(t *testing.T) {
 				},
 			},
 		},
-		Groups: map[string]*Group{
+		Groups: map[string]*group.Group{
 			"group1": {
 				ID:    "group1",
 				Peers: []string{"peer1"},
@@ -2112,8 +2153,8 @@ func TestAccount_SetJWTGroups(t *testing.T) {
 			"peer4": {ID: "peer4", Key: "key4", UserID: "user2"},
 			"peer5": {ID: "peer5", Key: "key5", UserID: "user2"},
 		},
-		Groups: map[string]*Group{
-			"group1": {ID: "group1", Name: "group1", Issued: GroupIssuedAPI, Peers: []string{}},
+		Groups: map[string]*group.Group{
+			"group1": {ID: "group1", Name: "group1", Issued: group.GroupIssuedAPI, Peers: []string{}},
 		},
 		Settings: &Settings{GroupsPropagationEnabled: true},
 		Users: map[string]*User{
@@ -2160,10 +2201,10 @@ func TestAccount_UserGroupsAddToPeers(t *testing.T) {
 			"peer4": {ID: "peer4", Key: "key4", UserID: "user2"},
 			"peer5": {ID: "peer5", Key: "key5", UserID: "user2"},
 		},
-		Groups: map[string]*Group{
-			"group1": {ID: "group1", Name: "group1", Issued: GroupIssuedAPI, Peers: []string{}},
-			"group2": {ID: "group2", Name: "group2", Issued: GroupIssuedAPI, Peers: []string{}},
-			"group3": {ID: "group3", Name: "group3", Issued: GroupIssuedAPI, Peers: []string{}},
+		Groups: map[string]*group.Group{
+			"group1": {ID: "group1", Name: "group1", Issued: group.GroupIssuedAPI, Peers: []string{}},
+			"group2": {ID: "group2", Name: "group2", Issued: group.GroupIssuedAPI, Peers: []string{}},
+			"group3": {ID: "group3", Name: "group3", Issued: group.GroupIssuedAPI, Peers: []string{}},
 		},
 		Users: map[string]*User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
 	}
@@ -2196,10 +2237,10 @@ func TestAccount_UserGroupsRemoveFromPeers(t *testing.T) {
 			"peer4": {ID: "peer4", Key: "key4", UserID: "user2"},
 			"peer5": {ID: "peer5", Key: "key5", UserID: "user2"},
 		},
-		Groups: map[string]*Group{
-			"group1": {ID: "group1", Name: "group1", Issued: GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3"}},
-			"group2": {ID: "group2", Name: "group2", Issued: GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3", "peer4", "peer5"}},
-			"group3": {ID: "group3", Name: "group3", Issued: GroupIssuedAPI, Peers: []string{"peer4", "peer5"}},
+		Groups: map[string]*group.Group{
+			"group1": {ID: "group1", Name: "group1", Issued: group.GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3"}},
+			"group2": {ID: "group2", Name: "group2", Issued: group.GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3", "peer4", "peer5"}},
+			"group3": {ID: "group3", Name: "group3", Issued: group.GroupIssuedAPI, Peers: []string{"peer4", "peer5"}},
 		},
 		Users: map[string]*User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
 	}
@@ -2223,7 +2264,7 @@ func createManager(t *testing.T) (*DefaultAccountManager, error) {
 		return nil, err
 	}
 	eventStore := &activity.InMemoryEventStore{}
-	return BuildManager(store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false)
+	return BuildManager(store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{})
 }

 func createStore(t *testing.T) (Store, error) {
--- a/management/server/dns_test.go
+++ b/management/server/dns_test.go
@@ -8,6 +8,7 @@ import (

 	"github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/group"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )
@@ -193,7 +194,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {
 		return nil, err
 	}
 	eventStore := &activity.InMemoryEventStore{}
-	return BuildManager(store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false)
+	return BuildManager(store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{})
 }

 func createDNSStore(t *testing.T) (Store, error) {
@@ -278,13 +279,13 @@ func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*Account, erro
 		return nil, err
 	}

-	newGroup1 := &Group{
+	newGroup1 := &group.Group{
 		ID:    dnsGroup1ID,
 		Peers: []string{peer1.ID},
 		Name:  dnsGroup1ID,
 	}

-	newGroup2 := &Group{
+	newGroup2 := &group.Group{
 		ID:   dnsGroup2ID,
 		Name: dnsGroup2ID,
 	}
--- a/management/server/ephemeral.go
+++ b/management/server/ephemeral.go
@@ -165,7 +165,7 @@ func (e *EphemeralManager) cleanup() {
 		log.Debugf("delete ephemeral peer: %s", id)
 		err := e.accountManager.DeletePeer(p.account.Id, id, activity.SystemInitiator)
 		if err != nil {
-			log.Tracef("failed to delete ephemeral peer: %s", err)
+			log.Errorf("failed to delete ephemeral peer: %s", err)
 		}
 	}
 }
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -10,6 +10,7 @@ import (
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"
@@ -170,7 +171,7 @@ func restore(file string) (*FileStore, error) {
 		// Set API as issuer for groups which has not this field
 		for _, group := range account.Groups {
 			if group.Issued == "" {
-				group.Issued = GroupIssuedAPI
+				group.Issued = nbgroup.GroupIssuedAPI
 			}
 		}

--- a/management/server/file_store_test.go
+++ b/management/server/file_store_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"github.com/netbirdio/netbird/management/server/group"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/util"
 )
@@ -188,7 +189,7 @@ func TestStore(t *testing.T) {
 		Name:     "peer name",
 		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}
-	account.Groups["all"] = &Group{
+	account.Groups["all"] = &group.Group{
 		ID:    "all",
 		Name:  "all",
 		Peers: []string{"testpeer"},
@@ -258,18 +259,6 @@ func TestStore(t *testing.T) {
 		t.Errorf("failed to restore a FileStore file - missing Group all")
 	}

-	if restoredAccount.Rules["all"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Rule all")
-		return
-	}
-
-	if restoredAccount.Rules["dmz"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Rule dmz")
-		return
-	}
-	assert.Equal(t, account.Rules["all"], restoredAccount.Rules["all"], "failed to restore a FileStore file - missing Rule all")
-	assert.Equal(t, account.Rules["dmz"], restoredAccount.Rules["dmz"], "failed to restore a FileStore file - missing Rule dmz")
-
 	if len(restoredAccount.Policies) != 2 {
 		t.Errorf("failed to restore a FileStore file - missing Policies")
 		return
@@ -332,7 +321,7 @@ func TestRestoreGroups_Migration(t *testing.T) {

 	// create default group
 	account := store.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
-	account.Groups = map[string]*Group{
+	account.Groups = map[string]*group.Group{
 		"cfefqs706sqkneg59g3g": {
 			ID:   "cfefqs706sqkneg59g3g",
 			Name: "All",
@@ -348,7 +337,7 @@ func TestRestoreGroups_Migration(t *testing.T) {
 	account = store.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]

 	require.Contains(t, account.Groups, "cfefqs706sqkneg59g3g", "failed to restore a FileStore file - missing Account Groups")
-	require.Equal(t, GroupIssuedAPI, account.Groups["cfefqs706sqkneg59g3g"].Issued, "default group should has API issued mark")
+	require.Equal(t, group.GroupIssuedAPI, account.Groups["cfefqs706sqkneg59g3g"].Issued, "default group should has API issued mark")
 }

 func TestGetAccountByPrivateDomain(t *testing.T) {
@@ -396,6 +385,7 @@ func TestFileStore_GetAccount(t *testing.T) {
 	expected := accounts.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
 	if expected == nil {
 		t.Fatalf("expected account doesn't exist")
+		return
 	}

 	account, err := store.GetAccount(expected.Id)
@@ -411,7 +401,6 @@ func TestFileStore_GetAccount(t *testing.T) {
 	assert.Len(t, account.Peers, len(expected.Peers))
 	assert.Len(t, account.Users, len(expected.Users))
 	assert.Len(t, account.SetupKeys, len(expected.SetupKeys))
-	assert.Len(t, account.Rules, len(expected.Rules))
 	assert.Len(t, account.Routes, len(expected.Routes))
 	assert.Len(t, account.NameServerGroups, len(expected.NameServerGroups))
 }
--- a/management/server/group.go
+++ b/management/server/group.go
@@ -3,9 +3,11 @@ package server
 import (
 	"fmt"

+	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/activity"
+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -18,45 +20,8 @@ func (e *GroupLinkError) Error() string {
 	return fmt.Sprintf("group has been linked to %s: %s", e.Resource, e.Name)
 }

-// Group of the peers for ACL
-type Group struct {
-	// ID of the group
-	ID string
-
-	// AccountID is a reference to Account that this object belongs
-	AccountID string `json:"-" gorm:"index"`
-
-	// Name visible in the UI
-	Name string
-
-	// Issued of the group
-	Issued string
-
-	// Peers list of the group
-	Peers []string `gorm:"serializer:json"`
-
-	IntegrationReference IntegrationReference `gorm:"embedded;embeddedPrefix:integration_ref_"`
-}
-
-// EventMeta returns activity event meta related to the group
-func (g *Group) EventMeta() map[string]any {
-	return map[string]any{"name": g.Name}
-}
-
-func (g *Group) Copy() *Group {
-	group := &Group{
-		ID:                   g.ID,
-		Name:                 g.Name,
-		Issued:               g.Issued,
-		Peers:                make([]string, len(g.Peers)),
-		IntegrationReference: g.IntegrationReference,
-	}
-	copy(group.Peers, g.Peers)
-	return group
-}
-
 // GetGroup object of the peers
-func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, error) {
+func (am *DefaultAccountManager) GetGroup(accountID, groupID, userID string) (*nbgroup.Group, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@@ -65,6 +30,15 @@ func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, er
 		return nil, err
 	}

+	user, err := account.FindUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if !user.HasAdminPower() && !user.IsServiceUser && account.Settings.RegularUsersViewBlocked {
+		return nil, status.Errorf(status.PermissionDenied, "groups are blocked for users")
+	}
+
 	group, ok := account.Groups[groupID]
 	if ok {
 		return group, nil
@@ -73,8 +47,8 @@ func (am *DefaultAccountManager) GetGroup(accountID, groupID string) (*Group, er
 	return nil, status.Errorf(status.NotFound, "group with ID %s not found", groupID)
 }

-// GetGroupByName filters all groups in an account by name and returns the one with the most peers
-func (am *DefaultAccountManager) GetGroupByName(groupName, accountID string) (*Group, error) {
+// GetAllGroups returns all groups in an account
+func (am *DefaultAccountManager) GetAllGroups(accountID string, userID string) ([]*nbgroup.Group, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@@ -83,7 +57,34 @@ func (am *DefaultAccountManager) GetGroupByName(groupName, accountID string) (*G
 		return nil, err
 	}

-	matchingGroups := make([]*Group, 0)
+	user, err := account.FindUser(userID)
+	if err != nil {
+		return nil, err
+	}
+
+	if !user.HasAdminPower() && !user.IsServiceUser && account.Settings.RegularUsersViewBlocked {
+		return nil, status.Errorf(status.PermissionDenied, "groups are blocked for users")
+	}
+
+	groups := make([]*nbgroup.Group, 0, len(account.Groups))
+	for _, item := range account.Groups {
+		groups = append(groups, item)
+	}
+
+	return groups, nil
+}
+
+// GetGroupByName filters all groups in an account by name and returns the one with the most peers
+func (am *DefaultAccountManager) GetGroupByName(groupName, accountID string) (*nbgroup.Group, error) {
+	unlock := am.Store.AcquireAccountLock(accountID)
+	defer unlock()
+
+	account, err := am.Store.GetAccount(accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	matchingGroups := make([]*nbgroup.Group, 0)
 	for _, group := range account.Groups {
 		if group.Name == groupName {
 			matchingGroups = append(matchingGroups, group)
@@ -95,7 +96,7 @@ func (am *DefaultAccountManager) GetGroupByName(groupName, accountID string) (*G
 	}

 	maxPeers := -1
-	var groupWithMostPeers *Group
+	var groupWithMostPeers *nbgroup.Group
 	for i, group := range matchingGroups {
 		if len(group.Peers) > maxPeers {
 			maxPeers = len(group.Peers)
@@ -107,7 +108,7 @@ func (am *DefaultAccountManager) GetGroupByName(groupName, accountID string) (*G
 }

 // SaveGroup object of the peers
-func (am *DefaultAccountManager) SaveGroup(accountID, userID string, newGroup *Group) error {
+func (am *DefaultAccountManager) SaveGroup(accountID, userID string, newGroup *nbgroup.Group) error {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@@ -116,6 +117,29 @@ func (am *DefaultAccountManager) SaveGroup(accountID, userID string, newGroup *G
 		return err
 	}

+	if newGroup.ID == "" && newGroup.Issued != nbgroup.GroupIssuedAPI {
+		return status.Errorf(status.InvalidArgument, "%s group without ID set", newGroup.Issued)
+	}
+
+	if newGroup.ID == "" && newGroup.Issued == nbgroup.GroupIssuedAPI {
+
+		existingGroup, err := account.FindGroupByName(newGroup.Name)
+		if err != nil {
+			s, ok := status.FromError(err)
+			if !ok || s.ErrorType != status.NotFound {
+				return err
+			}
+		}
+
+		// avoid duplicate groups only for the API issued groups. Integration or JWT groups can be duplicated as they are
+		// coming from the IdP that we don't have control of.
+		if existingGroup != nil {
+			return status.Errorf(status.AlreadyExists, "group with name %s already exists", newGroup.Name)
+		}
+
+		newGroup.ID = xid.New().String()
+	}
+
 	for _, peerID := range newGroup.Peers {
 		if account.Peers[peerID] == nil {
 			return status.Errorf(status.InvalidArgument, "peer with ID \"%s\" not found", peerID)
@@ -204,7 +228,7 @@ func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string)
 	}

 	// disable a deleting integration group if the initiator is not an admin service user
-	if g.Issued == GroupIssuedIntegration {
+	if g.Issued == nbgroup.GroupIssuedIntegration {
 		executingUser := account.Users[userId]
 		if executingUser == nil {
 			return status.Errorf(status.NotFound, "user not found")
@@ -274,6 +298,15 @@ func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string)
 		}
 	}

+	// check integrated peer validator groups
+	if account.Settings.Extra != nil {
+		for _, integratedPeerValidatorGroups := range account.Settings.Extra.IntegratedValidatorGroups {
+			if groupID == integratedPeerValidatorGroups {
+				return &GroupLinkError{"integrated validator", g.Name}
+			}
+		}
+	}
+
 	delete(account.Groups, groupID)

 	account.Network.IncSerial()
@@ -289,7 +322,7 @@ func (am *DefaultAccountManager) DeleteGroup(accountId, userId, groupID string)
 }

 // ListGroups objects of the peers
-func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error) {
+func (am *DefaultAccountManager) ListGroups(accountID string) ([]*nbgroup.Group, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@@ -298,7 +331,7 @@ func (am *DefaultAccountManager) ListGroups(accountID string) ([]*Group, error)
 		return nil, err
 	}

-	groups := make([]*Group, 0, len(account.Groups))
+	groups := make([]*nbgroup.Group, 0, len(account.Groups))
 	for _, item := range account.Groups {
 		groups = append(groups, item)
 	}
--- a/management/server/group/group.go
+++ b/management/server/group/group.go
@@ -0,0 +1,46 @@
+package group
+
+import "github.com/netbirdio/netbird/management/server/integration_reference"
+
+const (
+	GroupIssuedAPI         = "api"
+	GroupIssuedJWT         = "jwt"
+	GroupIssuedIntegration = "integration"
+)
+
+// Group of the peers for ACL
+type Group struct {
+	// ID of the group
+	ID string
+
+	// AccountID is a reference to Account that this object belongs
+	AccountID string `json:"-" gorm:"index"`
+
+	// Name visible in the UI
+	Name string
+
+	// Issued defines how this group was created (enum of "api", "integration" or "jwt")
+	Issued string
+
+	// Peers list of the group
+	Peers []string `gorm:"serializer:json"`
+
+	IntegrationReference integration_reference.IntegrationReference `gorm:"embedded;embeddedPrefix:integration_ref_"`
+}
+
+// EventMeta returns activity event meta related to the group
+func (g *Group) EventMeta() map[string]any {
+	return map[string]any{"name": g.Name}
+}
+
+func (g *Group) Copy() *Group {
+	group := &Group{
+		ID:                   g.ID,
+		Name:                 g.Name,
+		Issued:               g.Issued,
+		Peers:                make([]string, len(g.Peers)),
+		IntegrationReference: g.IntegrationReference,
+	}
+	copy(group.Peers, g.Peers)
+	return group
+}
--- a/management/server/group_test.go
+++ b/management/server/group_test.go
@@ -5,6 +5,7 @@ import (
 	"testing"

 	nbdns "github.com/netbirdio/netbird/dns"
+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"
 )
@@ -13,6 +14,41 @@ const (
 	groupAdminUserID = "testingAdminUser"
 )

+func TestDefaultAccountManager_CreateGroup(t *testing.T) {
+	am, err := createManager(t)
+	if err != nil {
+		t.Error("failed to create account manager")
+	}
+
+	account, err := initTestGroupAccount(am)
+	if err != nil {
+		t.Error("failed to init testing account")
+	}
+	for _, group := range account.Groups {
+		group.Issued = nbgroup.GroupIssuedIntegration
+		err = am.SaveGroup(account.Id, groupAdminUserID, group)
+		if err != nil {
+			t.Errorf("should allow to create %s groups", nbgroup.GroupIssuedIntegration)
+		}
+	}
+
+	for _, group := range account.Groups {
+		group.Issued = nbgroup.GroupIssuedJWT
+		err = am.SaveGroup(account.Id, groupAdminUserID, group)
+		if err != nil {
+			t.Errorf("should allow to create %s groups", nbgroup.GroupIssuedJWT)
+		}
+	}
+	for _, group := range account.Groups {
+		group.Issued = nbgroup.GroupIssuedAPI
+		group.ID = ""
+		err = am.SaveGroup(account.Id, groupAdminUserID, group)
+		if err == nil {
+			t.Errorf("should not create api group with the same name, %s", group.Name)
+		}
+	}
+}
+
 func TestDefaultAccountManager_DeleteGroup(t *testing.T) {
 	am, err := createManager(t)
 	if err != nil {
@@ -94,51 +130,51 @@ func initTestGroupAccount(am *DefaultAccountManager) (*Account, error) {
 	accountID := "testingAcc"
 	domain := "example.com"

-	groupForRoute := &Group{
+	groupForRoute := &nbgroup.Group{
 		ID:        "grp-for-route",
 		AccountID: "account-id",
 		Name:      "Group for route",
-		Issued:    GroupIssuedAPI,
+		Issued:    nbgroup.GroupIssuedAPI,
 		Peers:     make([]string, 0),
 	}

-	groupForNameServerGroups := &Group{
+	groupForNameServerGroups := &nbgroup.Group{
 		ID:        "grp-for-name-server-grp",
 		AccountID: "account-id",
 		Name:      "Group for name server groups",
-		Issued:    GroupIssuedAPI,
+		Issued:    nbgroup.GroupIssuedAPI,
 		Peers:     make([]string, 0),
 	}

-	groupForPolicies := &Group{
+	groupForPolicies := &nbgroup.Group{
 		ID:        "grp-for-policies",
 		AccountID: "account-id",
 		Name:      "Group for policies",
-		Issued:    GroupIssuedAPI,
+		Issued:    nbgroup.GroupIssuedAPI,
 		Peers:     make([]string, 0),
 	}

-	groupForSetupKeys := &Group{
+	groupForSetupKeys := &nbgroup.Group{
 		ID:        "grp-for-keys",
 		AccountID: "account-id",
 		Name:      "Group for setup keys",
-		Issued:    GroupIssuedAPI,
+		Issued:    nbgroup.GroupIssuedAPI,
 		Peers:     make([]string, 0),
 	}

-	groupForUsers := &Group{
+	groupForUsers := &nbgroup.Group{
 		ID:        "grp-for-users",
 		AccountID: "account-id",
 		Name:      "Group for users",
-		Issued:    GroupIssuedAPI,
+		Issued:    nbgroup.GroupIssuedAPI,
 		Peers:     make([]string, 0),
 	}

-	groupForIntegration := &Group{
+	groupForIntegration := &nbgroup.Group{
 		ID:        "grp-for-integration",
 		AccountID: "account-id",
-		Name:      "Group for users",
-		Issued:    GroupIssuedIntegration,
+		Name:      "Group for users integration",
+		Issued:    nbgroup.GroupIssuedIntegration,
 		Peers:     make([]string, 0),
 	}

--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -343,10 +343,18 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 	userID := ""
 	// JWT token is not always provided, it is fine for userID to be empty cuz it might be that peer is already registered,
 	// or it uses a setup key to register.
+
 	if loginReq.GetJwtToken() != "" {
-		userID, err = s.validateToken(loginReq.GetJwtToken())
+		for i := 0; i < 3; i++ {
+			userID, err = s.validateToken(loginReq.GetJwtToken())
+			if err == nil {
+				break
+			}
+			log.Warnf("failed validating JWT token sent from peer %s with error %v. "+
+				"Trying again as it may be due to the IdP cache issue", peerKey, err)
+			time.Sleep(200 * time.Millisecond)
+		}
 		if err != nil {
-			log.Warnf("failed validating JWT token sent from peer %s", peerKey)
 			return nil, err
 		}
 	}
@@ -361,6 +369,7 @@ func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*p
 		Meta:            extractPeerMeta(loginReq),
 		UserID:          userID,
 		SetupKey:        loginReq.GetSetupKey(),
+		ConnectionIP:    realIP,
 	})

 	if err != nil {
--- a/management/server/http/accounts_handler.go
+++ b/management/server/http/accounts_handler.go
@@ -76,6 +76,7 @@ func (h *AccountsHandler) UpdateAccount(w http.ResponseWriter, r *http.Request)
 	settings := &server.Settings{
 		PeerLoginExpirationEnabled: req.Settings.PeerLoginExpirationEnabled,
 		PeerLoginExpiration:        time.Duration(float64(time.Second.Nanoseconds()) * float64(req.Settings.PeerLoginExpiration)),
+		RegularUsersViewBlocked:    req.Settings.RegularUsersViewBlocked,
 	}

 	if req.Settings.Extra != nil {
@@ -143,6 +144,7 @@ func toAccountResponse(account *server.Account) *api.Account {
 		JwtGroupsEnabled:           &account.Settings.JWTGroupsEnabled,
 		JwtGroupsClaimName:         &account.Settings.JWTGroupsClaimName,
 		JwtAllowGroups:             &jwtAllowGroups,
+		RegularUsersViewBlocked:    account.Settings.RegularUsersViewBlocked,
 	}

 	if account.Settings.Extra != nil {
--- a/management/server/http/accounts_handler_test.go
+++ b/management/server/http/accounts_handler_test.go
@@ -69,6 +69,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 		Settings: &server.Settings{
 			PeerLoginExpirationEnabled: false,
 			PeerLoginExpiration:        time.Hour,
+			RegularUsersViewBlocked:    true,
 		},
 	}, adminUser)

@@ -96,6 +97,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				JwtGroupsClaimName:         sr(""),
 				JwtGroupsEnabled:           br(false),
 				JwtAllowGroups:             &[]string{},
+				RegularUsersViewBlocked:    true,
 			},
 			expectedArray: true,
 			expectedID:    accountID,
@@ -114,6 +116,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				JwtGroupsClaimName:         sr(""),
 				JwtGroupsEnabled:           br(false),
 				JwtAllowGroups:             &[]string{},
+				RegularUsersViewBlocked:    false,
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -123,7 +126,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"]}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:        15552000,
@@ -132,6 +135,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				JwtGroupsClaimName:         sr("roles"),
 				JwtGroupsEnabled:           br(true),
 				JwtAllowGroups:             &[]string{"test"},
+				RegularUsersViewBlocked:    true,
 			},
 			expectedArray: false,
 			expectedID:    accountID,
@@ -141,7 +145,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true,\"regular_users_view_blocked\":true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:        554400,
@@ -150,6 +154,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 				JwtGroupsClaimName:         sr("groups"),
 				JwtGroupsEnabled:           br(true),
 				JwtAllowGroups:             &[]string{},
+				RegularUsersViewBlocked:    true,
 			},
 			expectedArray: false,
 			expectedID:    accountID,
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -17,8 +17,6 @@ tags:
    description: Interact with and view information about setup keys.
  - name: Groups
    description: Interact with and view information about groups.
-  - name: Rules
-    description: Interact with and view information about rules.
  - name: Policies
    description: Interact with and view information about policies.
  - name: Posture Checks
@@ -56,6 +54,10 @@ components:
          description: Period of time after which peer login expires (seconds).
          type: integer
          example: 43200
+        regular_users_view_blocked:
+          description: Allows blocking regular users from viewing parts of the system.
+          type: boolean
+          example: true
        groups_propagation_enabled:
          description: Allows propagate the new user auto groups to peers that belongs to the user
          type: boolean
@@ -79,6 +81,7 @@ components:
      required:
        - peer_login_expiration_enabled
        - peer_login_expiration
+        - regular_users_view_blocked
    AccountExtraSettings:
      type: object
      properties:
@@ -146,6 +149,8 @@ components:
          description: How user was issued by API or Integration
          type: string
          example: api
+        permissions:
+            $ref: '#/components/schemas/UserPermissions'
      required:
        - id
        - email
@@ -154,6 +159,14 @@ components:
        - auto_groups
        - status
        - is_blocked
+    UserPermissions:
+      type: object
+      properties:
+        dashboard_view:
+          description: User's permission to view the dashboard
+          type: string
+          enum: [ "limited", "blocked", "full" ]
+          example: limited
    UserRequest:
      type: object
      properties:
@@ -342,6 +355,7 @@ components:
            - user_id
            - version
            - ui_version
+            - approval_required
    AccessiblePeer:
      allOf:
        - $ref: '#/components/schemas/PeerMinimum'
@@ -587,8 +601,9 @@ components:
          type: integer
          example: 2
        issued:
-          description: How group was issued by API or from JWT token
+          description: How the group was issued (api, integration, jwt)
          type: string
+          enum: ["api", "integration", "jwt"]
          example: api
      required:
        - id
@@ -621,73 +636,6 @@ components:
                $ref: '#/components/schemas/PeerMinimum'
          required:
            - peers
-    RuleMinimum:
-      type: object
-      properties:
-        name:
-          description: Rule name identifier
-          type: string
-          example: Default
-        description:
-          description: Rule friendly description
-          type: string
-          example: This is a default rule that allows connections between all the resources
-        disabled:
-          description: Rules status
-          type: boolean
-          example: false
-        flow:
-          description: Rule flow, currently, only "bidirect" for bi-directional traffic is accepted
-          type: string
-          example: bidirect
-      required:
-        - name
-        - description
-        - disabled
-        - flow
-    RuleRequest:
-      allOf:
-        - $ref: '#/components/schemas/RuleMinimum'
-        - type: object
-          properties:
-            sources:
-              type: array
-              description: List of source group IDs
-              items:
-                type: string
-                example: "ch8i4ug6lnn4g9hqv7m1"
-            destinations:
-              type: array
-              description: List of destination group IDs
-              items:
-                type: string
-                example: "ch8i4ug6lnn4g9hqv7m0"
-    Rule:
-      allOf:
-        - type: object
-          properties:
-            id:
-              description: Rule ID
-              type: string
-              example: ch8i4ug6lnn4g9hqv7mg
-          required:
-            - id
-        - $ref: '#/components/schemas/RuleMinimum'
-        - type: object
-          properties:
-            sources:
-              description: Rule source group IDs
-              type: array
-              items:
-                $ref: '#/components/schemas/GroupMinimum'
-            destinations:
-              description: Rule destination group IDs
-              type: array
-              items:
-                $ref: '#/components/schemas/GroupMinimum'
-          required:
-            - sources
-            - destinations
    PolicyRuleMinimum:
      type: object
      properties:
@@ -1315,7 +1263,7 @@ paths:
  /api/accounts/{accountId}:
    delete:
      summary: Delete an Account
-      description: Deletes an account and all its resources. Only administrators and account owners can delete accounts.
+      description: Deletes an account and all its resources. Only account owners can delete accounts.
      tags: [ Accounts ]
      security:
        - BearerAuth: [ ]
@@ -2035,147 +1983,6 @@ paths:
          "$ref": "#/components/responses/forbidden"
        '500':
          "$ref": "#/components/responses/internal_error"
-  /api/rules:
-    get:
-      summary: List all Rules
-      description: Returns a list of all rules. This will be deprecated in favour of `/api/policies`.
-      tags: [ Rules ]
-      deprecated: true
-      security:
-        - BearerAuth: [ ]
-        - TokenAuth: [ ]
-      responses:
-        '200':
-          description: A JSON Array of Rules
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/Rule'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
-    post:
-      summary: Create a Rule
-      description: Creates a rule. This will be deprecated in favour of `/api/policies`.
-      deprecated: true
-      tags: [ Rules ]
-      security:
-        - BearerAuth: [ ]
-        - TokenAuth: [ ]
-      requestBody:
-        description: New Rule request
-        content:
-          'application/json':
-            schema:
-              $ref: '#/components/schemas/RuleRequest'
-      responses:
-        '200':
-          description: A Rule Object
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Rule'
-  /api/rules/{ruleId}:
-    get:
-      summary: Retrieve a Rule
-      description: Get information about a rules. This will be deprecated in favour of `/api/policies/{policyID}`.
-      deprecated: true
-      tags: [ Rules ]
-      security:
-        - BearerAuth: [ ]
-        - TokenAuth: [ ]
-      parameters:
-        - in: path
-          name: ruleId
-          required: true
-          schema:
-            type: string
-          description: The unique identifier of a rule
-      responses:
-        '200':
-          description: A Rule object
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Rule'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
-    put:
-      summary: Update a Rule
-      description: Update/Replace a rule. This will be deprecated in favour of `/api/policies/{policyID}`.
-      deprecated: true
-      tags: [ Rules ]
-      security:
-        - BearerAuth: [ ]
-        - TokenAuth: [ ]
-      parameters:
-        - in: path
-          name: ruleId
-          required: true
-          schema:
-            type: string
-          description: The unique identifier of a rule
-      requestBody:
-        description: Update Rule request
-        content:
-          'application/json':
-            schema:
-              $ref: '#/components/schemas/RuleRequest'
-      responses:
-        '200':
-          description: A Rule object
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Rule'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
-    delete:
-      summary: Delete a Rule
-      description: Delete a rule. This will be deprecated in favour of `/api/policies/{policyID}`.
-      deprecated: true
-      tags: [ Rules ]
-      security:
-        - BearerAuth: [ ]
-        - TokenAuth: [ ]
-      parameters:
-        - in: path
-          name: ruleId
-          required: true
-          schema:
-            type: string
-          description: The unique identifier of a rule
-      responses:
-        '200':
-          description: Delete status code
-          content: { }
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
  /api/policies:
    get:
      summary: List all Policies
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -69,6 +69,20 @@ const (
 	GeoLocationCheckActionDeny  GeoLocationCheckAction = "deny"
 )

+// Defines values for GroupIssued.
+const (
+	GroupIssuedApi         GroupIssued = "api"
+	GroupIssuedIntegration GroupIssued = "integration"
+	GroupIssuedJwt         GroupIssued = "jwt"
+)
+
+// Defines values for GroupMinimumIssued.
+const (
+	GroupMinimumIssuedApi         GroupMinimumIssued = "api"
+	GroupMinimumIssuedIntegration GroupMinimumIssued = "integration"
+	GroupMinimumIssuedJwt         GroupMinimumIssued = "jwt"
+)
+
 // Defines values for NameserverNsType.
 const (
 	NameserverNsTypeUdp NameserverNsType = "udp"
@@ -129,6 +143,13 @@ const (
 	UserStatusInvited UserStatus = "invited"
 )

+// Defines values for UserPermissionsDashboardView.
+const (
+	UserPermissionsDashboardViewBlocked UserPermissionsDashboardView = "blocked"
+	UserPermissionsDashboardViewFull    UserPermissionsDashboardView = "full"
+	UserPermissionsDashboardViewLimited UserPermissionsDashboardView = "limited"
+)
+
 // AccessiblePeer defines model for AccessiblePeer.
 type AccessiblePeer struct {
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
@@ -186,6 +207,9 @@ type AccountSettings struct {

 	// PeerLoginExpirationEnabled Enables or disables peer login expiration globally. After peer's login has expired the user has to log in (authenticate). Applies only to peers that were added by a user (interactive SSO login).
 	PeerLoginExpirationEnabled bool `json:"peer_login_expiration_enabled"`
+
+	// RegularUsersViewBlocked Allows blocking regular users from viewing parts of the system.
+	RegularUsersViewBlocked bool `json:"regular_users_view_blocked"`
 }

 // Checks List of objects that perform the actual checks
@@ -283,8 +307,8 @@ type Group struct {
 	// Id Group ID
 	Id string `json:"id"`

-	// Issued How group was issued by API or from JWT token
-	Issued *string `json:"issued,omitempty"`
+	// Issued How the group was issued (api, integration, jwt)
+	Issued *GroupIssued `json:"issued,omitempty"`

 	// Name Group Name identifier
 	Name string `json:"name"`
@@ -296,13 +320,16 @@ type Group struct {
 	PeersCount int `json:"peers_count"`
 }

+// GroupIssued How the group was issued (api, integration, jwt)
+type GroupIssued string
+
 // GroupMinimum defines model for GroupMinimum.
 type GroupMinimum struct {
 	// Id Group ID
 	Id string `json:"id"`

-	// Issued How group was issued by API or from JWT token
-	Issued *string `json:"issued,omitempty"`
+	// Issued How the group was issued (api, integration, jwt)
+	Issued *GroupMinimumIssued `json:"issued,omitempty"`

 	// Name Group Name identifier
 	Name string `json:"name"`
@@ -311,6 +338,9 @@ type GroupMinimum struct {
 	PeersCount int `json:"peers_count"`
 }

+// GroupMinimumIssued How the group was issued (api, integration, jwt)
+type GroupMinimumIssued string
+
 // GroupRequest defines model for GroupRequest.
 type GroupRequest struct {
 	// Name Group name identifier
@@ -440,7 +470,7 @@ type Peer struct {
 	AccessiblePeers []AccessiblePeer `json:"accessible_peers"`

 	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
-	ApprovalRequired *bool `json:"approval_required,omitempty"`
+	ApprovalRequired bool `json:"approval_required"`

 	// CityName Commonly used English name of the city
 	CityName CityName `json:"city_name"`
@@ -509,7 +539,7 @@ type Peer struct {
 // PeerBase defines model for PeerBase.
 type PeerBase struct {
 	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
-	ApprovalRequired *bool `json:"approval_required,omitempty"`
+	ApprovalRequired bool `json:"approval_required"`

 	// CityName Commonly used English name of the city
 	CityName CityName `json:"city_name"`
@@ -581,7 +611,7 @@ type PeerBatch struct {
 	AccessiblePeersCount int `json:"accessible_peers_count"`

 	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
-	ApprovalRequired *bool `json:"approval_required,omitempty"`
+	ApprovalRequired bool `json:"approval_required"`

 	// CityName Commonly used English name of the city
 	CityName CityName `json:"city_name"`
@@ -976,66 +1006,6 @@ type RouteRequest struct {
 	PeerGroups *[]string `json:"peer_groups,omitempty"`
 }

-// Rule defines model for Rule.
-type Rule struct {
-	// Description Rule friendly description
-	Description string `json:"description"`
-
-	// Destinations Rule destination group IDs
-	Destinations []GroupMinimum `json:"destinations"`
-
-	// Disabled Rules status
-	Disabled bool `json:"disabled"`
-
-	// Flow Rule flow, currently, only "bidirect" for bi-directional traffic is accepted
-	Flow string `json:"flow"`
-
-	// Id Rule ID
-	Id string `json:"id"`
-
-	// Name Rule name identifier
-	Name string `json:"name"`
-
-	// Sources Rule source group IDs
-	Sources []GroupMinimum `json:"sources"`
-}
-
-// RuleMinimum defines model for RuleMinimum.
-type RuleMinimum struct {
-	// Description Rule friendly description
-	Description string `json:"description"`
-
-	// Disabled Rules status
-	Disabled bool `json:"disabled"`
-
-	// Flow Rule flow, currently, only "bidirect" for bi-directional traffic is accepted
-	Flow string `json:"flow"`
-
-	// Name Rule name identifier
-	Name string `json:"name"`
-}
-
-// RuleRequest defines model for RuleRequest.
-type RuleRequest struct {
-	// Description Rule friendly description
-	Description string `json:"description"`
-
-	// Destinations List of destination group IDs
-	Destinations *[]string `json:"destinations,omitempty"`
-
-	// Disabled Rules status
-	Disabled bool `json:"disabled"`
-
-	// Flow Rule flow, currently, only "bidirect" for bi-directional traffic is accepted
-	Flow string `json:"flow"`
-
-	// Name Rule name identifier
-	Name string `json:"name"`
-
-	// Sources List of source group IDs
-	Sources *[]string `json:"sources,omitempty"`
-}
-
 // SetupKey defines model for SetupKey.
 type SetupKey struct {
 	// AutoGroups List of group IDs to auto-assign to peers registered with this key
@@ -1132,7 +1102,8 @@ type User struct {
 	LastLogin *time.Time `json:"last_login,omitempty"`

 	// Name User's name from idp provider
-	Name string `json:"name"`
+	Name        string           `json:"name"`
+	Permissions *UserPermissions `json:"permissions,omitempty"`

 	// Role User's NetBird account role
 	Role string `json:"role"`
@@ -1162,6 +1133,15 @@ type UserCreateRequest struct {
 	Role string `json:"role"`
 }

+// UserPermissions defines model for UserPermissions.
+type UserPermissions struct {
+	// DashboardView User's permission to view the dashboard
+	DashboardView *UserPermissionsDashboardView `json:"dashboard_view,omitempty"`
+}
+
+// UserPermissionsDashboardView User's permission to view the dashboard
+type UserPermissionsDashboardView string
+
 // UserRequest defines model for UserRequest.
 type UserRequest struct {
 	// AutoGroups Group IDs to auto-assign to peers registered by this user
@@ -1219,12 +1199,6 @@ type PostApiRoutesJSONRequestBody = RouteRequest
 // PutApiRoutesRouteIdJSONRequestBody defines body for PutApiRoutesRouteId for application/json ContentType.
 type PutApiRoutesRouteIdJSONRequestBody = RouteRequest

-// PostApiRulesJSONRequestBody defines body for PostApiRules for application/json ContentType.
-type PostApiRulesJSONRequestBody = RuleRequest
-
-// PutApiRulesRuleIdJSONRequestBody defines body for PutApiRulesRuleId for application/json ContentType.
-type PutApiRulesRuleIdJSONRequestBody = RuleRequest
-
 // PostApiSetupKeysJSONRequestBody defines body for PostApiSetupKeys for application/json ContentType.
 type PostApiSetupKeysJSONRequestBody = SetupKeyRequest

--- a/management/server/http/groups_handler.go
+++ b/management/server/http/groups_handler.go
@@ -4,17 +4,15 @@ import (
 	"encoding/json"
 	"net/http"

-	"github.com/netbirdio/netbird/management/server/http/api"
-	"github.com/netbirdio/netbird/management/server/http/util"
-	"github.com/netbirdio/netbird/management/server/status"
-
-	"github.com/rs/xid"
-
-	"github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/jwtclaims"
-
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/management/server"
+	nbgroup "github.com/netbirdio/netbird/management/server/group"
+	"github.com/netbirdio/netbird/management/server/http/api"
+	"github.com/netbirdio/netbird/management/server/http/util"
+	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	"github.com/netbirdio/netbird/management/server/status"
 )

 // GroupsHandler is a handler that returns groups of the account
@@ -37,19 +35,25 @@ func NewGroupsHandler(accountManager server.AccountManager, authCfg AuthCfg) *Gr
 // GetAllGroups list for the account
 func (h *GroupsHandler) GetAllGroups(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
-	account, _, err := h.accountManager.GetAccountFromToken(claims)
+	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
 		log.Error(err)
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
 		return
 	}

-	var groups []*api.Group
-	for _, g := range account.Groups {
-		groups = append(groups, toGroupResponse(account, g))
+	groups, err := h.accountManager.GetAllGroups(account.Id, user.Id)
+	if err != nil {
+		util.WriteError(err, w)
+		return
 	}

-	util.WriteJSONObject(w, groups)
+	groupsResponse := make([]*api.Group, 0, len(groups))
+	for _, group := range groups {
+		groupsResponse = append(groupsResponse, toGroupResponse(account, group))
+	}
+
+	util.WriteJSONObject(w, groupsResponse)
 }

 // UpdateGroup handles update to a group identified by a given ID
@@ -106,7 +110,7 @@ func (h *GroupsHandler) UpdateGroup(w http.ResponseWriter, r *http.Request) {
 	} else {
 		peers = *req.Peers
 	}
-	group := server.Group{
+	group := nbgroup.Group{
 		ID:                   groupID,
 		Name:                 req.Name,
 		Peers:                peers,
@@ -150,11 +154,10 @@ func (h *GroupsHandler) CreateGroup(w http.ResponseWriter, r *http.Request) {
 	} else {
 		peers = *req.Peers
 	}
-	group := server.Group{
-		ID:     xid.New().String(),
+	group := nbgroup.Group{
 		Name:   req.Name,
 		Peers:  peers,
-		Issued: server.GroupIssuedAPI,
+		Issued: nbgroup.GroupIssuedAPI,
 	}

 	err = h.accountManager.SaveGroup(account.Id, user.Id, &group)
@@ -210,7 +213,7 @@ func (h *GroupsHandler) DeleteGroup(w http.ResponseWriter, r *http.Request) {
 // GetGroup returns a group
 func (h *GroupsHandler) GetGroup(w http.ResponseWriter, r *http.Request) {
 	claims := h.claimsExtractor.FromRequestContext(r)
-	account, _, err := h.accountManager.GetAccountFromToken(claims)
+	account, user, err := h.accountManager.GetAccountFromToken(claims)
 	if err != nil {
 		util.WriteError(err, w)
 		return
@@ -224,7 +227,7 @@ func (h *GroupsHandler) GetGroup(w http.ResponseWriter, r *http.Request) {
 			return
 		}

-		group, err := h.accountManager.GetGroup(account.Id, groupID)
+		group, err := h.accountManager.GetGroup(account.Id, groupID, user.Id)
 		if err != nil {
 			util.WriteError(err, w)
 			return
@@ -237,12 +240,12 @@ func (h *GroupsHandler) GetGroup(w http.ResponseWriter, r *http.Request) {
 	}
 }

-func toGroupResponse(account *server.Account, group *server.Group) *api.Group {
+func toGroupResponse(account *server.Account, group *nbgroup.Group) *api.Group {
 	cache := make(map[string]api.PeerMinimum)
 	gr := api.Group{
 		Id:     group.ID,
 		Name:   group.Name,
-		Issued: &group.Issued,
+		Issued: (*api.GroupIssued)(&group.Issued),
 	}

 	for _, pid := range group.Peers {
--- a/management/server/http/groups_handler_test.go
+++ b/management/server/http/groups_handler_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/magiconair/properties/assert"

 	"github.com/netbirdio/netbird/management/server"
+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
@@ -28,30 +29,30 @@ var TestPeers = map[string]*nbpeer.Peer{
 	"B": {Key: "B", ID: "peer-B-ID", IP: net.ParseIP("200.200.200.200")},
 }

-func initGroupTestData(user *server.User, groups ...*server.Group) *GroupsHandler {
+func initGroupTestData(user *server.User, _ ...*nbgroup.Group) *GroupsHandler {
 	return &GroupsHandler{
 		accountManager: &mock_server.MockAccountManager{
-			SaveGroupFunc: func(accountID, userID string, group *server.Group) error {
+			SaveGroupFunc: func(accountID, userID string, group *nbgroup.Group) error {
 				if !strings.HasPrefix(group.ID, "id-") {
 					group.ID = "id-was-set"
 				}
 				return nil
 			},
-			GetGroupFunc: func(_, groupID string) (*server.Group, error) {
+			GetGroupFunc: func(_, groupID, _ string) (*nbgroup.Group, error) {
 				if groupID != "idofthegroup" {
 					return nil, status.Errorf(status.NotFound, "not found")
 				}
 				if groupID == "id-jwt-group" {
-					return &server.Group{
+					return &nbgroup.Group{
 						ID:     "id-jwt-group",
 						Name:   "Default Group",
-						Issued: server.GroupIssuedJWT,
+						Issued: nbgroup.GroupIssuedJWT,
 					}, nil
 				}
-				return &server.Group{
+				return &nbgroup.Group{
 					ID:     "idofthegroup",
 					Name:   "Group",
-					Issued: server.GroupIssuedAPI,
+					Issued: nbgroup.GroupIssuedAPI,
 				}, nil
 			},
 			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
@@ -62,10 +63,10 @@ func initGroupTestData(user *server.User, groups ...*server.Group) *GroupsHandle
 					Users: map[string]*server.User{
 						user.Id: user,
 					},
-					Groups: map[string]*server.Group{
-						"id-jwt-group": {ID: "id-jwt-group", Name: "From JWT", Issued: server.GroupIssuedJWT},
-						"id-existed":   {ID: "id-existed", Peers: []string{"A", "B"}, Issued: server.GroupIssuedAPI},
-						"id-all":       {ID: "id-all", Name: "All", Issued: server.GroupIssuedAPI},
+					Groups: map[string]*nbgroup.Group{
+						"id-jwt-group": {ID: "id-jwt-group", Name: "From JWT", Issued: nbgroup.GroupIssuedJWT},
+						"id-existed":   {ID: "id-existed", Peers: []string{"A", "B"}, Issued: nbgroup.GroupIssuedAPI},
+						"id-all":       {ID: "id-all", Name: "All", Issued: nbgroup.GroupIssuedAPI},
 					},
 				}, user, nil
 			},
@@ -118,7 +119,7 @@ func TestGetGroup(t *testing.T) {
 		},
 	}

-	group := &server.Group{
+	group := &nbgroup.Group{
 		ID:   "idofthegroup",
 		Name: "Group",
 	}
@@ -153,7 +154,7 @@ func TestGetGroup(t *testing.T) {
 				t.Fatalf("I don't know what I expected; %v", err)
 			}

-			got := &server.Group{}
+			got := &nbgroup.Group{}
 			if err = json.Unmarshal(content, &got); err != nil {
 				t.Fatalf("Sent content is not in correct json format; %v", err)
 			}
@@ -187,7 +188,7 @@ func TestWriteGroup(t *testing.T) {
 			expectedGroup: &api.Group{
 				Id:     "id-was-set",
 				Name:   "Default POSTed Group",
-				Issued: &groupIssuedAPI,
+				Issued: (*api.GroupIssued)(&groupIssuedAPI),
 			},
 		},
 		{
@@ -209,7 +210,7 @@ func TestWriteGroup(t *testing.T) {
 			expectedGroup: &api.Group{
 				Id:     "id-existed",
 				Name:   "Default POSTed Group",
-				Issued: &groupIssuedAPI,
+				Issued: (*api.GroupIssued)(&groupIssuedAPI),
 			},
 		},
 		{
@@ -240,7 +241,7 @@ func TestWriteGroup(t *testing.T) {
 			expectedGroup: &api.Group{
 				Id:     "id-jwt-group",
 				Name:   "changed",
-				Issued: &groupIssuedJWT,
+				Issued: (*api.GroupIssued)(&groupIssuedJWT),
 			},
 		},
 	}
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -9,7 +9,6 @@ import (
 	"github.com/rs/cors"

 	"github.com/netbirdio/management-integrations/integrations"
-
 	s "github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/geolocation"
 	"github.com/netbirdio/netbird/management/server/http/middleware"
@@ -85,7 +84,6 @@ func APIHandler(ctx context.Context, accountManager s.AccountManager, LocationMa
 	api.addUsersEndpoint()
 	api.addUsersTokensEndpoint()
 	api.addSetupKeysEndpoint()
-	api.addRulesEndpoint()
 	api.addPoliciesEndpoint()
 	api.addGroupsEndpoint()
 	api.addRoutesEndpoint()
@@ -158,15 +156,6 @@ func (apiHandler *apiHandler) addSetupKeysEndpoint() {
 	apiHandler.Router.HandleFunc("/setup-keys/{keyId}", keysHandler.UpdateSetupKey).Methods("PUT", "OPTIONS")
 }

-func (apiHandler *apiHandler) addRulesEndpoint() {
-	rulesHandler := NewRulesHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
-	apiHandler.Router.HandleFunc("/rules", rulesHandler.GetAllRules).Methods("GET", "OPTIONS")
-	apiHandler.Router.HandleFunc("/rules", rulesHandler.CreateRule).Methods("POST", "OPTIONS")
-	apiHandler.Router.HandleFunc("/rules/{ruleId}", rulesHandler.UpdateRule).Methods("PUT", "OPTIONS")
-	apiHandler.Router.HandleFunc("/rules/{ruleId}", rulesHandler.GetRule).Methods("GET", "OPTIONS")
-	apiHandler.Router.HandleFunc("/rules/{ruleId}", rulesHandler.DeleteRule).Methods("DELETE", "OPTIONS")
-}
-
 func (apiHandler *apiHandler) addPoliciesEndpoint() {
 	policiesHandler := NewPoliciesHandler(apiHandler.AccountManager, apiHandler.AuthCfg)
 	apiHandler.Router.HandleFunc("/policies", policiesHandler.GetAllPolicies).Methods("GET", "OPTIONS")
--- a/management/server/http/peers_handler.go
+++ b/management/server/http/peers_handler.go
@@ -6,8 +6,10 @@ import (
 	"net/http"

 	"github.com/gorilla/mux"
+	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server"
+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
@@ -61,10 +63,18 @@ func (h *PeersHandler) getPeer(account *server.Account, peerID, userID string, w

 	groupsInfo := toGroupsInfo(account.Groups, peer.ID)

-	netMap := account.GetPeerNetworkMap(peerID, h.accountManager.GetDNSDomain())
+	validPeers, err := h.accountManager.GetValidatedPeers(account)
+	if err != nil {
+		log.Errorf("failed to list appreoved peers: %v", err)
+		util.WriteError(fmt.Errorf("internal error"), w)
+		return
+	}
+
+	netMap := account.GetPeerNetworkMap(peerID, h.accountManager.GetDNSDomain(), validPeers)
 	accessiblePeers := toAccessiblePeers(netMap, dnsDomain)

-	util.WriteJSONObject(w, toSinglePeerResponse(peerToReturn, groupsInfo, dnsDomain, accessiblePeers))
+	_, valid := validPeers[peer.ID]
+	util.WriteJSONObject(w, toSinglePeerResponse(peerToReturn, groupsInfo, dnsDomain, accessiblePeers, valid))
 }

 func (h *PeersHandler) updatePeer(account *server.Account, user *server.User, peerID string, w http.ResponseWriter, r *http.Request) {
@@ -75,11 +85,18 @@ func (h *PeersHandler) updatePeer(account *server.Account, user *server.User, pe
 		return
 	}

-	update := &nbpeer.Peer{ID: peerID, SSHEnabled: req.SshEnabled, Name: req.Name,
-		LoginExpirationEnabled: req.LoginExpirationEnabled}
+	update := &nbpeer.Peer{
+		ID:                     peerID,
+		SSHEnabled:             req.SshEnabled,
+		Name:                   req.Name,
+		LoginExpirationEnabled: req.LoginExpirationEnabled,
+	}

 	if req.ApprovalRequired != nil {
-		update.Status = &nbpeer.PeerStatus{RequiresApproval: *req.ApprovalRequired}
+		// todo: looks like that we reset all status property, is it right?
+		update.Status = &nbpeer.PeerStatus{
+			RequiresApproval: *req.ApprovalRequired,
+		}
 	}

 	peer, err := h.accountManager.UpdatePeer(account.Id, user.Id, update)
@@ -91,15 +108,24 @@ func (h *PeersHandler) updatePeer(account *server.Account, user *server.User, pe

 	groupMinimumInfo := toGroupsInfo(account.Groups, peer.ID)

-	netMap := account.GetPeerNetworkMap(peerID, h.accountManager.GetDNSDomain())
+	validPeers, err := h.accountManager.GetValidatedPeers(account)
+	if err != nil {
+		log.Errorf("failed to list appreoved peers: %v", err)
+		util.WriteError(fmt.Errorf("internal error"), w)
+		return
+	}
+	netMap := account.GetPeerNetworkMap(peerID, h.accountManager.GetDNSDomain(), validPeers)
 	accessiblePeers := toAccessiblePeers(netMap, dnsDomain)

-	util.WriteJSONObject(w, toSinglePeerResponse(peer, groupMinimumInfo, dnsDomain, accessiblePeers))
+	_, valid := validPeers[peer.ID]
+
+	util.WriteJSONObject(w, toSinglePeerResponse(peer, groupMinimumInfo, dnsDomain, accessiblePeers, valid))
 }

 func (h *PeersHandler) deletePeer(accountID, userID string, peerID string, w http.ResponseWriter) {
 	err := h.accountManager.DeletePeer(accountID, peerID, userID)
 	if err != nil {
+		log.Errorf("failed to delete peer: %v", err)
 		util.WriteError(err, w)
 		return
 	}
@@ -138,46 +164,68 @@ func (h *PeersHandler) HandlePeer(w http.ResponseWriter, r *http.Request) {

 // GetAllPeers returns a list of all peers associated with a provided account
 func (h *PeersHandler) GetAllPeers(w http.ResponseWriter, r *http.Request) {
-	switch r.Method {
-	case http.MethodGet:
-		claims := h.claimsExtractor.FromRequestContext(r)
-		account, user, err := h.accountManager.GetAccountFromToken(claims)
-		if err != nil {
-			util.WriteError(err, w)
-			return
-		}
-
-		peers, err := h.accountManager.GetPeers(account.Id, user.Id)
-		if err != nil {
-			util.WriteError(err, w)
-			return
-		}
-
-		dnsDomain := h.accountManager.GetDNSDomain()
-
-		respBody := make([]*api.PeerBatch, 0, len(peers))
-		for _, peer := range peers {
-			peerToReturn, err := h.checkPeerStatus(peer)
-			if err != nil {
-				util.WriteError(err, w)
-				return
-			}
-			groupMinimumInfo := toGroupsInfo(account.Groups, peer.ID)
-
-			accessiblePeerNumbers := h.accessiblePeersNumber(account, peer.ID)
-
-			respBody = append(respBody, toPeerListItemResponse(peerToReturn, groupMinimumInfo, dnsDomain, accessiblePeerNumbers))
-		}
-		util.WriteJSONObject(w, respBody)
-		return
-	default:
+	if r.Method != http.MethodGet {
 		util.WriteError(status.Errorf(status.NotFound, "unknown METHOD"), w)
+		return
 	}
+
+	claims := h.claimsExtractor.FromRequestContext(r)
+	account, user, err := h.accountManager.GetAccountFromToken(claims)
+	if err != nil {
+		util.WriteError(err, w)
+		return
+	}
+
+	peers, err := h.accountManager.GetPeers(account.Id, user.Id)
+	if err != nil {
+		util.WriteError(err, w)
+		return
+	}
+
+	dnsDomain := h.accountManager.GetDNSDomain()
+
+	respBody := make([]*api.PeerBatch, 0, len(peers))
+	for _, peer := range peers {
+		peerToReturn, err := h.checkPeerStatus(peer)
+		if err != nil {
+			util.WriteError(err, w)
+			return
+		}
+		groupMinimumInfo := toGroupsInfo(account.Groups, peer.ID)
+
+		accessiblePeerNumbers, _ := h.accessiblePeersNumber(account, peer.ID)
+
+		respBody = append(respBody, toPeerListItemResponse(peerToReturn, groupMinimumInfo, dnsDomain, accessiblePeerNumbers))
+	}
+
+	validPeersMap, err := h.accountManager.GetValidatedPeers(account)
+	if err != nil {
+		log.Errorf("failed to list appreoved peers: %v", err)
+		util.WriteError(fmt.Errorf("internal error"), w)
+		return
+	}
+	h.setApprovalRequiredFlag(respBody, validPeersMap)
+
+	util.WriteJSONObject(w, respBody)
 }

-func (h *PeersHandler) accessiblePeersNumber(account *server.Account, peerID string) int {
-	netMap := account.GetPeerNetworkMap(peerID, h.accountManager.GetDNSDomain())
-	return len(netMap.Peers) + len(netMap.OfflinePeers)
+func (h *PeersHandler) accessiblePeersNumber(account *server.Account, peerID string) (int, error) {
+	validatedPeersMap, err := h.accountManager.GetValidatedPeers(account)
+	if err != nil {
+		return 0, err
+	}
+
+	netMap := account.GetPeerNetworkMap(peerID, h.accountManager.GetDNSDomain(), validatedPeersMap)
+	return len(netMap.Peers) + len(netMap.OfflinePeers), nil
+}
+
+func (h *PeersHandler) setApprovalRequiredFlag(respBody []*api.PeerBatch, approvedPeersMap map[string]struct{}) {
+	for _, peer := range respBody {
+		_, ok := approvedPeersMap[peer.Id]
+		if !ok {
+			peer.ApprovalRequired = true
+		}
+	}
 }

 func toAccessiblePeers(netMap *server.NetworkMap, dnsDomain string) []api.AccessiblePeer {
@@ -206,7 +254,7 @@ func toAccessiblePeers(netMap *server.NetworkMap, dnsDomain string) []api.Access
 	return accessiblePeers
 }

-func toGroupsInfo(groups map[string]*server.Group, peerID string) []api.GroupMinimum {
+func toGroupsInfo(groups map[string]*nbgroup.Group, peerID string) []api.GroupMinimum {
 	var groupsInfo []api.GroupMinimum
 	groupsChecked := make(map[string]struct{})
 	for _, group := range groups {
@@ -230,7 +278,7 @@ func toGroupsInfo(groups map[string]*server.Group, peerID string) []api.GroupMin
 	return groupsInfo
 }

-func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeer []api.AccessiblePeer) *api.Peer {
+func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeer []api.AccessiblePeer, approved bool) *api.Peer {
 	osVersion := peer.Meta.OSVersion
 	if osVersion == "" {
 		osVersion = peer.Meta.Core
@@ -257,7 +305,7 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 		LastLogin:              peer.LastLogin,
 		LoginExpired:           peer.Status.LoginExpired,
 		AccessiblePeers:        accessiblePeer,
-		ApprovalRequired:       &peer.Status.RequiresApproval,
+		ApprovalRequired:       !approved,
 		CountryCode:            peer.Location.CountryCode,
 		CityName:               peer.Location.CityName,
 	}
@@ -290,7 +338,6 @@ func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dn
 		LastLogin:              peer.LastLogin,
 		LoginExpired:           peer.Status.LoginExpired,
 		AccessiblePeersCount:   accessiblePeersCount,
-		ApprovalRequired:       &peer.Status.RequiresApproval,
 		CountryCode:            peer.Location.CountryCode,
 		CityName:               peer.Location.CityName,
 	}
--- a/management/server/http/peers_handler_test.go
+++ b/management/server/http/peers_handler_test.go
@@ -55,6 +55,9 @@ func initTestMetaData(peers ...*nbpeer.Peer) *PeersHandler {
 			GetPeersFunc: func(accountID, userID string) ([]*nbpeer.Peer, error) {
 				return peers, nil
 			},
+			GetDNSDomainFunc: func() string {
+				return "netbird.selfhosted"
+			},
 			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
 				user := server.NewAdminUser("test_user")
 				return &server.Account{
--- a/management/server/http/policies_handler_test.go
+++ b/management/server/http/policies_handler_test.go
@@ -3,13 +3,13 @@ package http
 import (
 	"bytes"
 	"encoding/json"
-	"fmt"
 	"io"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"

+	nbgroup "github.com/netbirdio/netbird/management/server/group"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/status"

@@ -44,24 +44,6 @@ func initPoliciesTestData(policies ...*server.Policy) *Policies {
 				}
 				return nil
 			},
-			SaveRuleFunc: func(_, _ string, rule *server.Rule) error {
-				if !strings.HasPrefix(rule.ID, "id-") {
-					rule.ID = "id-was-set"
-				}
-				return nil
-			},
-			GetRuleFunc: func(_, ruleID, _ string) (*server.Rule, error) {
-				if ruleID != "idoftherule" {
-					return nil, fmt.Errorf("not found")
-				}
-				return &server.Rule{
-					ID:          "idoftherule",
-					Name:        "Rule",
-					Source:      []string{"idofsrcrule"},
-					Destination: []string{"idofdestrule"},
-					Flow:        server.TrafficFlowBidirect,
-				}, nil
-			},
 			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
 				user := server.NewAdminUser("test_user")
 				return &server.Account{
@@ -70,7 +52,7 @@ func initPoliciesTestData(policies ...*server.Policy) *Policies {
 					Policies: []*server.Policy{
 						{ID: "id-existed"},
 					},
-					Groups: map[string]*server.Group{
+					Groups: map[string]*nbgroup.Group{
 						"F": {ID: "F"},
 						"G": {ID: "G"},
 					},
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Zoltán Papp	3cb519c650	Revert WG changes and use the local proxy	2024-04-23 16:07:40 +02:00
Zoltán Papp	318d379658	Update wireguard-go	2024-04-22 19:13:07 +02:00
Zoltán Papp	b68a02acee	Close turn connection Without it the WG can not exit from the read loop	2024-04-18 15:59:50 +02:00
Zoltán Papp	b5c4802bb9	Apply new receiver functions	2024-04-16 16:01:25 +02:00
Zoltán Papp	28a9a2ef87	Move receiverCreator to new file	2024-04-15 14:12:24 +02:00
Zoltán Papp	b355c34b63	Configure wg with proper address	2024-04-12 18:29:35 +02:00
Zoltán Papp	d67f766b2e	Initial code	2024-04-12 17:38:31 +02:00
Carlos Hernandez	76702c8a09	Add safe read/write to route map (#1760 )	2024-04-11 22:12:23 +02:00
Viktor Liu	061f673a4f	Don't use the custom dialer as non-root (#1823 )	2024-04-11 15:29:03 +02:00
Zoltan Papp	9505805313	Rename variable (#1829 )	2024-04-11 14:08:03 +02:00
Maycon Santos	704c67dec8	Allow owners that did not create the account to delete it (#1825 ) Sometimes the Owner role will be passed to new users, and they need to be able to delete the account	2024-04-11 10:02:51 +02:00
pascal-fischer	3ed2f08f3c	Add latency based routing (#1732 ) Now that we have the latency between peers available we can use this data to consider when choosing the best route. This way the route with the routing peer with the lower latency will be preferred over others with the same target network.	2024-04-09 21:20:02 +02:00
Maycon Santos	4c83408f27	Add log-level to the management's docker service command (#1820 )	2024-04-09 21:00:43 +02:00
Viktor Liu	90bd39c740	Log panics (#1818 )	2024-04-09 20:27:27 +02:00
Maycon Santos	dd0cf41147	Auto restart Windows agent daemon service (#1819 ) This enables auto restart of the windows agent daemon service on event of failure	2024-04-09 20:10:59 +02:00
pascal-fischer	22b2caffc6	Remove dns based cloud detection (#1812 ) * remove dns based cloud checks * remove dns based cloud checks	2024-04-09 19:01:31 +02:00
Viktor Liu	c1f66d1354	Retry macOS route command (#1817 )	2024-04-09 15:27:19 +02:00
Viktor Liu	ac0fe6025b	Fix routing issues with MacOS (#1815 ) * Handle zones properly * Use host routes for single IPs * Add GOOS and GOARCH to startup log * Log powershell command	2024-04-09 13:25:14 +02:00
verytrap	c28657710a	Fix function names in comments (#1816 ) Signed-off-by: verytrap <wangqiuyue@outlook.com>	2024-04-09 13:18:38 +02:00
Maycon Santos	3875c29f6b	Revert "Rollback new routing functionality (#1805 )" (#1813 ) This reverts commit `9f32ccd453`.	2024-04-08 18:56:52 +02:00
Viktor Liu	9f32ccd453	Rollback new routing functionality (#1805 )	2024-04-05 20:38:49 +02:00
trax	1d1d057e7d	Change the dashboard image pull from wiretrustee to netbirdio (#1804 )	2024-04-05 13:51:28 +02:00
Viktor Liu	3461b1bb90	Expect correct conn type (#1801 )	2024-04-05 00:10:32 +02:00
Viktor Liu	3d2a2377c6	Don't return errors on disallowed routes (#1792 )	2024-04-03 19:06:04 +02:00
Viktor Liu	25f5f26527	Timeout rule removing loop and catch IPv6 unsupported error in loop (#1791 )	2024-04-03 18:57:50 +02:00
Viktor Liu	bb0d5c5baf	Linux legacy routing (#1774 ) * Add Linux legacy routing if ip rule functionality is not available * Ignore exclusion route errors if host has no route * Exclude iOS from route manager * Also retrieve IPv6 routes * Ignore loopback addresses not being in the main table * Ignore "not supported" errors on cleanup * Fix regression in ListenUDP not using fwmarks	2024-04-03 18:04:22 +02:00
Viktor Liu	7938295190	Feature/exit nodes - Windows and macOS support (#1726 )	2024-04-03 11:11:46 +02:00
rqi14	9af532fe71	Get scope from endpoint url instead of hardcoding (#1770 )	2024-04-02 13:43:57 +02:00
Vilian Gerdzhikov	23a1473797	Fix grammar in readme (#1778 )	2024-04-02 10:08:58 +02:00
Misha Bragin	9c2dc05df1	Eval/higher timeouts (#1776 )	2024-03-31 19:39:52 +02:00
Misha Bragin	40d56e5d29	Update network security image (#1765 )	2024-03-28 18:43:32 +01:00
Viktor Liu	fd23d0c28f	Don't block on failed routing setup (#1768 )	2024-03-28 18:12:25 +01:00
Viktor Liu	4fff93a1f2	Ignore unsupported address families (#1766 )	2024-03-28 13:06:54 +01:00
Misha Bragin	22beac1b1b	Fix invalid token due to the cache race (#1763 )	2024-03-28 12:33:56 +01:00
Jeremy Wu	bd7a65d798	support to configure extra blacklist of iface in "up" command (#1734 ) Support to configure extra blacklist of iface in "up" command	2024-03-28 09:56:41 +01:00
Zoltan Papp	2d76b058fc	Feature/peer validator (#1553 ) Follow up management-integrations changes move groups to separated packages to avoid circle dependencies save location information in Login action	2024-03-27 18:48:48 +01:00
pascal-fischer	ea2d060f93	Add limited dashboard view (#1738 )	2024-03-27 16:11:45 +01:00
Zoltan Papp	68b377a28c	Collect chassis.serial (#1748 )	2024-03-26 15:33:01 +01:00
pascal-fischer	af50eb350f	Change log level for JWT override message of single account mode (#1747 )	2024-03-25 14:25:26 +01:00
Viktor Liu	2475473227	Support client default routes for Linux (#1667 ) All routes are now installed in a custom netbird routing table. Management and wireguard traffic is now marked with a custom fwmark. When the mark is present the traffic is routed via the main routing table, bypassing the VPN. When the mark is absent the traffic is routed via the netbird routing table, if: - there's no match in the main routing table - it would match the default route in the routing table IPv6 traffic is blocked when a default route IPv4 route is configured to avoid leakage.	2024-03-21 16:49:28 +01:00
pascal-fischer	846871913d	Add latency checks to peer connection and status output (#1725 ) * adding peer healthcheck * generate proto file * fix return in udp mux and replace with continue * use ice agent for latency checks * fix status output * remove some logs * fix status test * revert bind and ebpf code * fix error handling on binding response callback * extend error handling on binding response callback --------- Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>	2024-03-20 11:18:34 +01:00
Viktor Liu	6cba9c0818	Remove context niling (#1729 )	2024-03-19 12:32:07 +01:00
Maycon Santos	f0672b87bc	Add missing dns domain to tests to avoid verbose test logs (#1724 )	2024-03-18 12:25:01 +01:00
Maycon Santos	9b0fe2c8e5	Validate authentik issuer url (#1723 ) * Validate authentik issuer url * test issuer * adjust test times on windows	2024-03-18 10:12:46 +01:00
Misha Bragin	abd57d1191	Avoid creating duplicate groups with the same name (#1579 ) Avoid creating groups with the same name via API calls. JWT and integrations still allowed to register groups with duplicated names	2024-03-17 11:13:39 +01:00
Maycon Santos	416f04c27a	Unblock ACL apply filtering because of dns probes (#1711 ) moved the e.dnsServer.ProbeAvailability() to run after ACL apply filtering run the probes in parallel	2024-03-15 18:57:18 +01:00
Maycon Santos	fc7c1e397f	Disable force jsonfile variable (#1611 ) This enables windows management tests Added another DNS server to the dns server tests	2024-03-15 10:50:02 +01:00
Aaron Turner	52a3ac6b06	Add support for inviting/deleting users via Zitadel (#1572 ) This fixes the "Invite User" button in Dashboard v2.0.0 and enables the usage of the --user-delete-from-idp flag for Zitadel. Unlike the NetBird SaaS solution, we rely on Zitadel to send the emails on our behalf.	2024-03-15 10:32:51 +01:00
Yury Gargay	0b3b50c705	Remove deprecated Rules API endpoints (#1523 )	2024-03-14 21:31:21 +01:00
Maycon Santos	042141db06	Update account attributes only when there is a domain (#1701 ) add log for when a domain is not present	2024-03-14 14:17:22 +01:00