Revert "Add UI binary to windows installer (#283 )"

This reverts commit 9ec4ea8e03.
Add UI binary to windows installer (#283 )
2026-04-17 15:56:39 +00:00 · 2022-03-23 09:15:06 +01:00 · 2022-03-23 09:13:57 +01:00 · 2022-03-08 16:14:00 +01:00 · 2022-03-08 16:10:44 +01:00 · 2022-03-08 14:47:55 +01:00
119 changed files with 7714 additions and 2273 deletions
--- a/.github/workflows/golang-test-build.yml
+++ b/.github/workflows/golang-test-build.yml
@@ -1,9 +1,5 @@
-on:
-  push:
-    branches:
-      - main
-  pull_request:
 name: Test Build On Platforms
+on: [pull_request]
 jobs:
  test_build:
    strategy:
@@ -21,15 +17,15 @@ jobs:
          go-version: ${{ matrix.go-version }}

      - name: Cache Go modules
-        uses: actions/cache@v1
+        uses: actions/cache@v2
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-test-${{ matrix.os }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go-
+            ${{ runner.os }}-go-test-${{ matrix.os }}

      - name: Install modules
-        run: go mod tidy
+        run: GOOS=${{ matrix.os }} go mod tidy

      - name: run build client
        run: GOOS=${{ matrix.os }} go build .
@@ -41,4 +37,4 @@ jobs:

      - name: run build signal
        run: GOOS=${{ matrix.os }} go build .
-        working-directory: signal
+        working-directory: signal
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -0,0 +1,29 @@
+name: Test Code Darwin
+on: [push,pull_request]
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.17.x]
+    runs-on: macos-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: macos-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            macos-go-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: Test
+        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test ./...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -1,9 +1,5 @@
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-name: Test Code
+name: Test Code Linux
+on: [push,pull_request]
 jobs:
  test:
    strategy:
@@ -27,7 +23,20 @@ jobs:
          $(whoami) soft     nofile         65535
          $(whoami) hard     nofile         65535
          EOF
+
+      - name: Cache Go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
      - name: Checkout code
        uses: actions/checkout@v2
+
+      - name: Install modules
+        run: go mod tidy
+
      - name: Test
-        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test -p 1 ./...
+        run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test ./...
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -0,0 +1,51 @@
+name: Test Code Windows
+on: [push,pull_request]
+jobs:
+  pre:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - run: bash -x wireguard_nt.sh
+        working-directory: client
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: syso
+          path: client/*.syso
+          retention-days: 1
+
+  test:
+    needs: pre
+    strategy:
+      matrix:
+        go-version: [1.17.x]
+    runs-on: windows-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - uses: actions/cache@v2
+        with:
+          path: |
+            %LocalAppData%\go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - uses: actions/download-artifact@v2
+        with:
+          name: syso
+          path: iface\
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: Test
+        run: go test -tags=load_wgnt_from_rsrc ./...
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,9 +1,5 @@
 name: golangci-lint
-on:
-  push:
-    branches:
-      - main
-  pull_request:
+on: [pull_request]
 jobs:
  golangci:
    name: lint
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ jobs:
        uses: actions/checkout@v2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Generate syso with DLL
+        run: bash -x wireguard_nt.sh
+        working-directory: client
      -
        name: Set up Go
        uses: actions/setup-go@v2
@@ -60,6 +64,6 @@ jobs:
        with:
          workflow: Sign windows bin and installer
          repo: wiretrustee/windows-sign-pipeline
-          ref: v0.0.1
+          ref: v0.0.2
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
+          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.gitignore
+++ b/.gitignore
@@ -5,4 +5,6 @@ dist/
 conf.json
 http-cmds.sh
 infrastructure_files/management.json
-infrastructure_files/docker-compose.yml
+infrastructure_files/docker-compose.yml
+*.syso
+client/.distfiles/
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -23,10 +23,10 @@ builds:
      - goos: windows
        goarch: arm
    ldflags:
-      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/wiretrustee/wiretrustee/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
-      - load_wintun_from_rsrc
+      - load_wgnt_from_rsrc

  - id: wiretrustee-mgmt
    dir: management
--- a/1
+++ b/1
@@ -1,2 +1,3 @@
 Mikhail Bragin (https://github.com/braginini)
 Maycon Santos (https://github.com/mlsmaycon)
+Wiretrustee UG (haftungsbeschränkt)
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,132 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+dev@wiretrustee.com.
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations
--- a/2
+++ b/2
@@ -1,6 +1,6 @@
 BSD 3-Clause License

-Copyright (c) 2021 Wiretrustee AUTHORS
+Copyright (c) 2022 Wiretrustee UG (haftungsbeschränkt) & AUTHORS

 Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

--- a/README.md
+++ b/README.md
@@ -5,12 +5,26 @@
 </p>

  <p>
-    <img src="https://img.shields.io/badge/license-BSD--3-blue" />
-    <img src="https://img.shields.io/docker/pulls/wiretrustee/management" />
+     <a href="https://github.com/wiretrustee/wiretrustee/blob/main/LICENSE">
+       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
+     </a> 
+     <a href="https://hub.docker.com/r/wiretrustee/wiretrustee/tags">
+        <img src="https://img.shields.io/docker/pulls/wiretrustee/wiretrustee" />
+     </a>  
    <img src="https://badgen.net/badge/Open%20Source%3F/Yes%21/blue?icon=github" />
+    <br>
+    <a href="https://www.codacy.com/gh/wiretrustee/wiretrustee/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=wiretrustee/wiretrustee&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/d366de2c9d8b4cf982da27f8f5831809"/></a>
+     <a href="https://goreportcard.com/report/wiretrustee/wiretrustee">
+        <img src="https://goreportcard.com/badge/github.com/wiretrustee/wiretrustee?style=flat-square" />
+     </a>
+    <br>
+    <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
+        <img src="https://img.shields.io/badge/slack-@wiretrustee-red.svg?logo=slack"/>
+     </a>    
  </p>
 </div>

+
 <p align="center">
 <strong>
  Start using Wiretrustee at <a href="https://app.wiretrustee.com/">app.wiretrustee.com</a>
@@ -31,7 +45,7 @@ It requires zero configuration effort leaving behind the hassle of opening ports

 **Wiretrustee automates Wireguard-based networks, offering a management layer with:**
 * Centralized Peer IP management with a UI dashboard.
-* Encrypted peer-to-peet connections without a centralized VPN gateway.
+* Encrypted peer-to-peer connections without a centralized VPN gateway.
 * Automatic Peer discovery and configuration.
 * UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP.
 * Connection relay fallback in case a peer-to-peer connection is not possible.
@@ -39,7 +53,7 @@ It requires zero configuration effort leaving behind the hassle of opening ports
 * Client application SSO with MFA (coming soon).
 * Access Controls (coming soon).
 * Activity Monitoring (coming soon).
-* Private DNS (coming baoon)
+* Private DNS (coming soon)

 ### Secure peer-to-peer VPN in minutes
 <p float="left" align="middle">
@@ -49,7 +63,7 @@ It requires zero configuration effort leaving behind the hassle of opening ports

 **Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases](https://github.com/wiretrustee/wiretrustee/releases).

-Hosted demo version: 
+Hosted version: 
 [https://app.wiretrustee.com/](https://app.wiretrustee.com/peers). 

 [UI Dashboard Repo](https://github.com/wiretrustee/wiretrustee-dashboard)
@@ -159,7 +173,7 @@ Alternatively, if you are hosting your own Management Service provide `--managem
  sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073
  ```

-> You could also omit `--setup-key` property. In this case the tool will prompt it the key.
+> You could also omit the `--setup-key` property. In this case, the tool will prompt for the key.


 2. Check your IP:
@@ -179,46 +193,7 @@ For **Windows** systems:
 3. Repeat on other machines.  

 ### Running Dashboard, Management, Signal and Coturn
-Wiretrustee uses [Auth0](https://auth0.com) for user authentication and authorization, therefore you will need to create a free account 
-and configure Auth0 variables in the compose file (dashboard) and in the management config file.
-We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires significant amount of time to make it right. We focused on connectivity instead.
-It is worth mentioning that dependency to Auth0 is the only one that cannot be self-hosted.
-
-Configuring Wiretrustee Auth0 integration:
- check [How to run](https://github.com/wiretrustee/wiretrustee-dashboard#how-to-run) to obtain Auth0 environment variables for UI Dashboard
- set these variables in the [environment section of the docker-compose file](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/docker-compose.yml)
- check [Auth0 Golang API Guide](https://auth0.com/docs/quickstart/backend/golang) to obtain ```AuthIssuer```, ```AuthAudience```, and ```AuthKeysLocation```
- set these properties in the [management config files](https://github.com/wiretrustee/wiretrustee/blob/main/infrastructure_files/management.json#L33)
-
-
-Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. 
-You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.
-
-The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
-
-> Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
-
-Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
-to generate one from [Let’s Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. 
-> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host  with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.
-
-Simple docker-composer execution:
-````shell
-cd infrastructure_files
-docker-compose up -d
-````
-You can check logs by running:
-````shell
-cd infrastructure_files
-docker-compose logs signal
-docker-compose logs management
-docker-compose logs coturn
-````
-If you need to stop the services, run the following:
-````shell
-cd infrastructure_files
-docker-compose down
-````
+See [Self-Hosting Guide](https://docs.wiretrustee.com/getting-started/self-hosting)


 ### Legal
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"context"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"github.com/wiretrustee/wiretrustee/client/proto"
+)
+
+var downCmd = &cobra.Command{
+	Use:   "down",
+	Short: "down wiretrustee connections",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*3)
+		defer cancel()
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			log.Errorf("failed to connect to service CLI interface %v", err)
+			return err
+		}
+		defer conn.Close()
+
+		daemonClient := proto.NewDaemonServiceClient(conn)
+
+		if _, err := daemonClient.Down(ctx, &proto.DownRequest{}); err != nil {
+			log.Errorf("call service down method: %v", err)
+			return err
+		}
+		return nil
+	},
+}
--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -1,147 +1,66 @@
 package cmd

 import (
-	"bufio"
 	"context"
 	"fmt"
-	"github.com/google/uuid"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+
 	"github.com/wiretrustee/wiretrustee/client/internal"
-	mgm "github.com/wiretrustee/wiretrustee/management/client"
-	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
-	"github.com/wiretrustee/wiretrustee/util"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"os"
+	"github.com/wiretrustee/wiretrustee/client/proto"
 )

-var (
-	loginCmd = &cobra.Command{
-		Use:   "login",
-		Short: "login to the Wiretrustee Management Service (first run)",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
-
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-				return err
-			}
+var loginCmd = &cobra.Command{
+	Use:   "login",
+	Short: "login to the Wiretrustee Management Service (first run)",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+		ctx := internal.CtxInitState(context.Background())

+		// workaround to run without service
+		if logFile == "console" {
 			config, err := internal.GetConfig(managementURL, configPath, preSharedKey)
 			if err != nil {
-				log.Errorf("failed getting config %s %v", configPath, err)
+				log.Errorf("get config file: %v", err)
 				return err
 			}
-
-			//validate our peer's Wireguard PRIVATE key
-			myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+			err = WithBackOff(func() error {
+				return internal.Login(ctx, config, setupKey)
+			})
 			if err != nil {
-				log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-				return err
+				log.Errorf("backoff cycle failed: %v", err)
 			}
-
-			ctx := context.Background()
-
-			mgmTlsEnabled := false
-			if config.ManagementURL.Scheme == "https" {
-				mgmTlsEnabled = true
-			}
-
-			log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
-			mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-			if err != nil {
-				log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
-				return err
-			}
-			log.Debugf("connected to anagement Service %s", config.ManagementURL.String())
-
-			serverKey, err := mgmClient.GetServerPublicKey()
-			if err != nil {
-				log.Errorf("failed while getting Management Service public key: %v", err)
-				return err
-			}
-
-			_, err = loginPeer(*serverKey, mgmClient, setupKey)
-			if err != nil {
-				log.Errorf("failed logging-in peer on Management Service : %v", err)
-				return err
-			}
-
-			err = mgmClient.Close()
-			if err != nil {
-				log.Errorf("failed closing Management Service client: %v", err)
-				return err
-			}
-
-			return nil
-		},
-	}
-)
-
-// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
-func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
-
-	loginResp, err := client.Login(serverPublicKey)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
-			log.Debugf("peer registration required")
-			return registerPeer(serverPublicKey, client, setupKey)
-		} else {
-			return nil, err
+			return err
 		}
-	}

-	log.Info("peer has successfully logged-in to Management Service")
+		if setupKey == "" {
+			log.Error("setup key can't be empty")
+			return fmt.Errorf("empty setup key")
+		}

-	return loginResp, nil
-}
-
-// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
-// Otherwise tries to register with the provided setupKey via command line.
-func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) {
-
-	var err error
-	if setupKey == "" {
-		setupKey, err = promptPeerSetupKey()
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
 		if err != nil {
-			log.Errorf("failed getting setup key from user: %s", err)
-			return nil, err
+			log.Errorf("failed to connect to service CLI interface %v", err)
+			return err
 		}
-	}
+		defer conn.Close()

-	validSetupKey, err := uuid.Parse(setupKey)
-	if err != nil {
-		return nil, err
-	}
-
-	log.Debugf("sending peer registration request to Management Service")
-	loginResp, err := client.Register(serverPublicKey, validSetupKey.String())
-	if err != nil {
-		log.Errorf("failed registering peer %v", err)
-		return nil, err
-	}
-
-	log.Infof("peer has been successfully registered on Management Service")
-
-	return loginResp, nil
-}
-
-// promptPeerSetupKey prompts user to enter Setup Key
-func promptPeerSetupKey() (string, error) {
-	fmt.Print("Enter setup key: ")
-
-	s := bufio.NewScanner(os.Stdin)
-	for s.Scan() {
-		input := s.Text()
-		if input != "" {
-			return input, nil
+		request := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PresharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
 		}
-		fmt.Println("Specified key is empty, try again:")
-
-	}
-
-	return "", s.Err()
+		client := proto.NewDaemonServiceClient(conn)
+		err = WithBackOff(func() error {
+			if _, err := client.Login(ctx, &request); err != nil {
+				log.Errorf("try login: %v", err)
+			}
+			return err
+		})
+		if err != nil {
+			log.Errorf("backoff cycle failed: %v", err)
+		}
+		return err
+	},
 }
--- a/client/cmd/login_test.go
+++ b/client/cmd/login_test.go
@@ -2,13 +2,14 @@ package cmd

 import (
 	"fmt"
+	"path/filepath"
+	"strings"
+	"testing"
+
 	"github.com/wiretrustee/wiretrustee/client/internal"
 	"github.com/wiretrustee/wiretrustee/iface"
 	mgmt "github.com/wiretrustee/wiretrustee/management/server"
 	"github.com/wiretrustee/wiretrustee/util"
-	"path/filepath"
-	"strings"
-	"testing"
 )

 var mgmAddr string
@@ -25,12 +26,11 @@ func TestLogin_Start(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, listener := startManagement(config, t)
+	_, listener := startManagement(t, config)
 	mgmAddr = listener.Addr().String()
 }

 func TestLogin(t *testing.T) {
-
 	tempDir := t.TempDir()
 	confPath := tempDir + "/config.json"
 	mgmtURL := fmt.Sprintf("http://%s", mgmAddr)
@@ -38,6 +38,8 @@ func TestLogin(t *testing.T) {
 		"login",
 		"--config",
 		confPath,
+		"--log-file",
+		"console",
 		"--setup-key",
 		strings.ToUpper("a2c8e62b-38f5-4553-b31e-dd66c696cebb"),
 		"--management-url",
@@ -60,7 +62,7 @@ func TestLogin(t *testing.T) {
 	}

 	if actualConf.WgIface != iface.WgInterfaceDefault {
-		t.Errorf("expected WgIface %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
+		t.Errorf("expected WgIfaceName %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
 	}

 	if len(actualConf.PrivateKey) == 0 {
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -1,16 +1,23 @@
 package cmd

 import (
+	"context"
 	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-	"github.com/spf13/pflag"
-	"github.com/wiretrustee/wiretrustee/client/internal"
 	"os"
 	"os/signal"
 	"runtime"
 	"strings"
 	"syscall"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/wiretrustee/wiretrustee/client/internal"
 )

 var (
@@ -19,6 +26,7 @@ var (
 	logLevel          string
 	defaultLogFile    string
 	logFile           string
+	daemonAddr        string
 	managementURL     string
 	setupKey          string
 	preSharedKey      string
@@ -37,8 +45,8 @@ var (
 func Execute() error {
 	return rootCmd.Execute()
 }
-func init() {

+func init() {
 	stopCh = make(chan int)
 	cleanupCh = make(chan struct{})

@@ -49,6 +57,11 @@ func init() {
 		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
 	}

+	defaultDaemonAddr := "unix:///var/run/wiretrustee.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+	rootCmd.PersistentFlags().StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
 	rootCmd.PersistentFlags().StringVar(&managementURL, "management-url", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.ManagementURLDefault().String()))
 	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Wiretrustee config file location")
 	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Wiretrustee log level")
@@ -57,6 +70,8 @@ func init() {
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, "preshared-key", "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.AddCommand(serviceCmd)
 	rootCmd.AddCommand(upCmd)
+	rootCmd.AddCommand(downCmd)
+	rootCmd.AddCommand(statusCmd)
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
@@ -79,7 +94,6 @@ func SetupCloseHandler() {
 func SetFlagsFromEnvVars() {
 	flags := rootCmd.PersistentFlags()
 	flags.VisitAll(func(f *pflag.Flag) {
-
 		envVar := FlagNameToEnvVar(f.Name)

 		if value, present := os.LookupEnv(envVar); present {
@@ -99,3 +113,34 @@ func FlagNameToEnvVar(f string) string {
 	upper := strings.ToUpper(parsed)
 	return prefix + upper
 }
+
+// DialClientGRPCServer returns client connection to the dameno server.
+func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
+	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
+	defer cancel()
+
+	return grpc.DialContext(
+		ctx,
+		strings.TrimPrefix(addr, "tcp://"),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithBlock(),
+	)
+}
+
+// WithBackOff execute function in backoff cycle.
+func WithBackOff(bf func() error) error {
+	return backoff.RetryNotify(bf, CLIBackOffSettings, func(err error, duration time.Duration) {
+		log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+	})
+}
+
+// CLIBackOffSettings is default backoff settings for CLI commands.
+var CLIBackOffSettings = &backoff.ExponentialBackOff{
+	InitialInterval:     time.Second,
+	RandomizationFactor: backoff.DefaultRandomizationFactor,
+	Multiplier:          backoff.DefaultMultiplier,
+	MaxInterval:         10 * time.Second,
+	MaxElapsedTime:      30 * time.Second,
+	Stop:                backoff.Stop,
+	Clock:               backoff.SystemClock,
+}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -1,14 +1,30 @@
 package cmd

 import (
+	"context"
+
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+
+	"github.com/wiretrustee/wiretrustee/client/internal"
 )

 type program struct {
-	cmd  *cobra.Command
-	args []string
+	ctx    context.Context
+	cmd    *cobra.Command
+	args   []string
+	serv   *grpc.Server
+}
+
+func newProgram(cmd *cobra.Command, args []string) *program {
+	ctx := internal.CtxInitState(cmd.Context())
+	return &program{
+		ctx:  ctx,
+		cmd:  cmd,
+		args: args,
+	}
 }

 func newSVCConfig() *service.Config {
@@ -28,9 +44,8 @@ func newSVC(prg *program, conf *service.Config) (service.Service, error) {
 	return s, nil
 }

-var (
-	serviceCmd = &cobra.Command{
-		Use:   "service",
-		Short: "manages wiretrustee service",
-	}
-)
+var serviceCmd = &cobra.Command{
+	Use:   "service",
+	Short: "manages wiretrustee service",
+}
+
--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -1,23 +1,60 @@
 package cmd

 import (
+	"net"
+	"os"
+	"strings"
+	"time"
+
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
+
 	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/proto"
+	"github.com/wiretrustee/wiretrustee/client/server"
 	"github.com/wiretrustee/wiretrustee/util"
-	"time"
+	"google.golang.org/grpc"
 )

-func (p *program) Start(service.Service) error {
-
+func (p *program) Start(svc service.Service) error {
 	// Start should not block. Do the actual work async.
 	log.Info("starting service") //nolint
 	go func() {
-		err := runClient()
-		if err != nil {
-			log.Errorf("stopped Wiretrustee client app due to error: %v", err)
+		// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
+		p.serv = grpc.NewServer()
+
+		split := strings.Split(daemonAddr, "://")
+		switch split[0] {
+		case "unix":
+			// cleanup failed close
+			stat, err := os.Stat(split[1])
+			if err == nil && !stat.IsDir() {
+				if err := os.Remove(split[1]); err != nil {
+					log.Debugf("remove socket file: %v", err)
+				}
+			}
+		case "tcp":
+		default:
+			log.Errorf("unsupported daemon address protocol: %v", split[0])
 			return
 		}
+
+		listen, err := net.Listen(split[0], split[1])
+		if err != nil {
+			log.Fatalf("failed to listen daemon interface: %v", err)
+		}
+		defer listen.Close()
+
+		serverInstance := server.New(p.ctx, managementURL, configPath, stopCh, cleanupCh)
+		if err := serverInstance.Start(); err != nil {
+			log.Fatalf("failed start daemon: %v", err)
+		}
+		proto.RegisterDaemonServiceServer(p.serv, serverInstance)
+
+		log.Printf("started daemon server: %v", split[1])
+		if err := p.serv.Serve(listen); err != nil {
+			log.Errorf("failed to serve daemon requests: %v", err)
+		}
 	}()
 	return nil
 }
@@ -27,6 +64,11 @@ func (p *program) Stop(service.Service) error {
 		stopCh <- 1
 	}()

+	// stop CLI daemon service
+	if p.serv != nil {
+		p.serv.GracefulStop()
+	}
+
 	select {
 	case <-cleanupCh:
 	case <-time.After(time.Second * 10):
@@ -36,117 +78,104 @@ func (p *program) Stop(service.Service) error {
 	return nil
 }

-var (
-	runCmd = &cobra.Command{
-		Use:   "run",
-		Short: "runs wiretrustee as service",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+var runCmd = &cobra.Command{
+	Use:   "run",
+	Short: "runs wiretrustee as service",
+	Run: func(cmd *cobra.Command, args []string) {
+		SetFlagsFromEnvVars()

-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-				return
-			}
+		err := util.InitLog(logLevel, logFile)
+		if err != nil {
+			log.Errorf("failed initializing log %v", err)
+			return
+		}

-			SetupCloseHandler()
+		SetupCloseHandler()

-			prg := &program{
-				cmd:  cmd,
-				args: args,
-			}
+		s, err := newSVC(newProgram(cmd, args), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		err = s.Run()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		cmd.Printf("Wiretrustee service is running")
+	},
+}

-			s, err := newSVC(prg, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			err = s.Run()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Printf("Wiretrustee service is running")
-		},
-	}
-)
+var startCmd = &cobra.Command{
+	Use:   "start",
+	Short: "starts wiretrustee service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()

-var (
-	startCmd = &cobra.Command{
-		Use:   "start",
-		Short: "starts wiretrustee service",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
+		err := util.InitLog(logLevel, logFile)
+		if err != nil {
+			log.Errorf("failed initializing log %v", err)
+			return err
+		}
+		s, err := newSVC(newProgram(cmd, args), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		err = s.Start()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		cmd.Println("Wiretrustee service has been started")
+		return nil
+	},
+}

-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-				return err
-			}
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
-			err = s.Start()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
-			cmd.Println("Wiretrustee service has been started")
-			return nil
-		},
-	}
-)
+var stopCmd = &cobra.Command{
+	Use:   "stop",
+	Short: "stops wiretrustee service",
+	Run: func(cmd *cobra.Command, args []string) {
+		SetFlagsFromEnvVars()

-var (
-	stopCmd = &cobra.Command{
-		Use:   "stop",
-		Short: "stops wiretrustee service",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+		err := util.InitLog(logLevel, logFile)
+		if err != nil {
+			log.Errorf("failed initializing log %v", err)
+		}
+		s, err := newSVC(newProgram(cmd, args), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		err = s.Stop()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		cmd.Println("Wiretrustee service has been stopped")
+	},
+}

-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-			}
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			err = s.Stop()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Println("Wiretrustee service has been stopped")
-		},
-	}
-)
+var restartCmd = &cobra.Command{
+	Use:   "restart",
+	Short: "restarts wiretrustee service",
+	Run: func(cmd *cobra.Command, args []string) {
+		SetFlagsFromEnvVars()

-var (
-	restartCmd = &cobra.Command{
-		Use:   "restart",
-		Short: "restarts wiretrustee service",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
-
-			err := util.InitLog(logLevel, logFile)
-			if err != nil {
-				log.Errorf("failed initializing log %v", err)
-			}
-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			err = s.Restart()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Println("Wiretrustee service has been restarted")
-		},
-	}
-)
+		err := util.InitLog(logLevel, logFile)
+		if err != nil {
+			log.Errorf("failed initializing log %v", err)
+		}
+		s, err := newSVC(newProgram(cmd, args), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		err = s.Restart()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		cmd.Println("Wiretrustee service has been restarted")
+	},
+}
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -1,69 +1,67 @@
 package cmd

 import (
-	"github.com/spf13/cobra"
 	"runtime"
+
+	"github.com/spf13/cobra"
 )

-var (
-	installCmd = &cobra.Command{
-		Use:   "install",
-		Short: "installs wiretrustee service",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
+var installCmd = &cobra.Command{
+	Use:   "install",
+	Short: "installs wiretrustee service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()

-			svcConfig := newSVCConfig()
+		svcConfig := newSVCConfig()

-			svcConfig.Arguments = []string{
-				"service",
-				"run",
-				"--config",
-				configPath,
-				"--log-level",
-				logLevel,
-			}
+		svcConfig.Arguments = []string{
+			"service",
+			"run",
+			"--config",
+			configPath,
+			"--log-level",
+			logLevel,
+		}

-			if runtime.GOOS == "linux" {
-				// Respected only by systemd systems
-				svcConfig.Dependencies = []string{"After=network.target syslog.target"}
-			}
+		if runtime.GOOS == "linux" {
+			// Respected only by systemd systems
+			svcConfig.Dependencies = []string{"After=network.target syslog.target"}
+		}

-			s, err := newSVC(&program{}, svcConfig)
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
+		s, err := newSVC(newProgram(cmd, args), svcConfig)
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}

-			err = s.Install()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return err
-			}
-			cmd.Println("Wiretrustee service has been installed")
-			return nil
-		},
-	}
-)
+		err = s.Install()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return err
+		}
+		cmd.Println("Wiretrustee service has been installed")
+		return nil
+	},
+}

-var (
-	uninstallCmd = &cobra.Command{
-		Use:   "uninstall",
-		Short: "uninstalls wiretrustee service from system",
-		Run: func(cmd *cobra.Command, args []string) {
-			SetFlagsFromEnvVars()
+var uninstallCmd = &cobra.Command{
+	Use:   "uninstall",
+	Short: "uninstalls wiretrustee service from system",
+	Run: func(cmd *cobra.Command, args []string) {
+		SetFlagsFromEnvVars()

-			s, err := newSVC(&program{}, newSVCConfig())
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
+		s, err := newSVC(newProgram(cmd, args), newSVCConfig())
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+
+		err = s.Uninstall()
+		if err != nil {
+			cmd.PrintErrln(err)
+			return
+		}
+		cmd.Println("Wiretrustee has been uninstalled")
+	},
+}

-			err = s.Uninstall()
-			if err != nil {
-				cmd.PrintErrln(err)
-				return
-			}
-			cmd.Println("Wiretrustee has been uninstalled")
-		},
-	}
-)
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -0,0 +1,37 @@
+package cmd
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"github.com/wiretrustee/wiretrustee/client/proto"
+)
+
+var statusCmd = &cobra.Command{
+	Use:   "status",
+	Short: "status of the Wiretrustee Service",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+		ctx := internal.CtxInitState(context.Background())
+
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			log.Errorf("failed to connect to service CLI interface %v", err)
+			return err
+		}
+		defer conn.Close()
+
+		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{})
+		if err != nil {
+			log.Errorf("status failed: %v", status.Convert(err).Message())
+			return nil
+		}
+
+		log.Infof("status: %v", resp.Status)
+		return nil
+	},
+}
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -1,13 +1,18 @@
 package cmd

 import (
+	"context"
+	"net"
+	"testing"
+	"time"
+
+	clientProto "github.com/wiretrustee/wiretrustee/client/proto"
+	client "github.com/wiretrustee/wiretrustee/client/server"
 	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
 	mgmt "github.com/wiretrustee/wiretrustee/management/server"
 	sigProto "github.com/wiretrustee/wiretrustee/signal/proto"
 	sig "github.com/wiretrustee/wiretrustee/signal/server"
 	"google.golang.org/grpc"
-	"net"
-	"testing"
 )

 func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
@@ -26,7 +31,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }

-func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Listener) {
 	lis, err := net.Listen("tcp", ":0")
 	if err != nil {
 		t.Fatal(err)
@@ -38,7 +43,7 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
 	}

 	peersUpdateManager := mgmt.NewPeersUpdateManager()
-	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	accountManager := mgmt.NewManager(store, peersUpdateManager, nil)
 	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
 	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
 	if err != nil {
@@ -48,9 +53,40 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
 	go func() {
 		if err := s.Serve(lis); err != nil {
 			t.Error(err)
-			return
 		}
 	}()

 	return s, lis
 }
+
+func startClientDaemon(
+	t *testing.T, ctx context.Context, managementURL, configPath string,
+	stopCh chan int, cleanupCh chan<- struct{},
+) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	s := grpc.NewServer()
+
+	server := client.New(
+		ctx,
+		managementURL,
+		configPath,
+		stopCh,
+		cleanupCh,
+	)
+	if err := server.Start(); err != nil {
+		t.Fatal(err)
+	}
+	clientProto.RegisterDaemonServiceServer(s, server)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+		}
+	}()
+
+	time.Sleep(time.Second)
+
+	return s, lis
+}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -1,236 +1,78 @@
 package cmd

 import (
-	"context"
-	"github.com/cenkalti/backoff/v4"
-	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+
 	"github.com/wiretrustee/wiretrustee/client/internal"
-	mgm "github.com/wiretrustee/wiretrustee/management/client"
-	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
-	signal "github.com/wiretrustee/wiretrustee/signal/client"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"time"
+	"github.com/wiretrustee/wiretrustee/client/proto"
 )

-var (
-	upCmd = &cobra.Command{
-		Use:   "up",
-		Short: "install, login and start wiretrustee client",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			SetFlagsFromEnvVars()
-			err := loginCmd.RunE(cmd, args)
+var upCmd = &cobra.Command{
+	Use:   "up",
+	Short: "install, login and start wiretrustee client",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()
+		ctx := internal.CtxInitState(cmd.Context())
+
+		// workaround to run without service
+		if logFile == "console" {
+			config, err := internal.GetConfig(managementURL, configPath, preSharedKey)
 			if err != nil {
+				log.Errorf("get config file: %v", err)
 				return err
 			}
-			if logFile == "console" {
-				return runClient()
-			}
-
-			s, err := newSVC(&program{}, newSVCConfig())
+			err = WithBackOff(func() error {
+				return internal.Login(ctx, config, setupKey)
+			})
 			if err != nil {
-				cmd.PrintErrln(err)
+				log.Errorf("backoff cycle failed: %v", err)
 				return err
 			}

-			srvStatus, err := s.Status()
-			if err != nil {
-				if err == service.ErrNotInstalled {
-					log.Infof("%s. Installing it now", err.Error())
-					e := installCmd.RunE(cmd, args)
-					if e != nil {
-						return e
-					}
-				} else {
-					log.Warnf("failed retrieving service status: %v", err)
-				}
-			}
-			if srvStatus == service.StatusRunning {
-				stopCmd.Run(cmd, args)
-			}
-			return startCmd.RunE(cmd, args)
-		},
-	}
-)
-
-// createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *internal.Config, peerConfig *mgmProto.PeerConfig) (*internal.EngineConfig, error) {
-	iFaceBlackList := make(map[string]struct{})
-	for i := 0; i < len(config.IFaceBlackList); i += 2 {
-		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
-	}
-
-	engineConf := &internal.EngineConfig{
-		WgIface:        config.WgIface,
-		WgAddr:         peerConfig.Address,
-		IFaceBlackList: iFaceBlackList,
-		WgPrivateKey:   key,
-		WgPort:         internal.WgPort,
-	}
-
-	if config.PreSharedKey != "" {
-		preSharedKey, err := wgtypes.ParseKey(config.PreSharedKey)
-		if err != nil {
-			return nil, err
+			SetupCloseHandler()
+			return internal.RunClient(ctx, config, stopCh, cleanupCh)
 		}
-		engineConf.PreSharedKey = &preSharedKey
-	}

-	return engineConf, nil
-}
-
-// connectToSignal creates Signal Service client and established a connection
-func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.Client, error) {
-	var sigTLSEnabled bool
-	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
-		sigTLSEnabled = true
-	} else {
-		sigTLSEnabled = false
-	}
-
-	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
-	if err != nil {
-		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
-		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
-	}
-
-	return signalClient, nil
-}
-
-// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
-func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.Client, *mgmProto.LoginResponse, error) {
-	log.Debugf("connecting to management server %s", managementAddr)
-	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
-	if err != nil {
-		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
-	}
-	log.Debugf("connected to management server %s", managementAddr)
-
-	serverPublicKey, err := client.GetServerPublicKey()
-	if err != nil {
-		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
-	}
-
-	loginResp, err := client.Login(*serverPublicKey)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
-			log.Error("peer registration required. Please run wiretrustee login command first")
-			return nil, nil, err
-		} else {
-			return nil, nil, err
-		}
-	}
-
-	log.Debugf("peer logged in to Management Service %s", managementAddr)
-
-	return client, loginResp, nil
-}
-
-func runClient() error {
-	var backOff = &backoff.ExponentialBackOff{
-		InitialInterval:     time.Second,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         10 * time.Second,
-		MaxElapsedTime:      24 * 3 * time.Hour, //stop the client after 3 days trying (must be a huge problem, e.g permission denied)
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}
-
-	operation := func() error {
-
-		config, err := internal.ReadConfig(managementURL, configPath)
-		if err != nil {
-			log.Errorf("failed reading config %s %v", configPath, err)
-			return err
-		}
-
-		//validate our peer's Wireguard PRIVATE key
-		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
-		if err != nil {
-			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-			return err
-		}
-		ctx, cancel := context.WithCancel(context.Background())
-		defer cancel()
-
-		mgmTlsEnabled := false
-		if config.ManagementURL.Scheme == "https" {
-			mgmTlsEnabled = true
-		}
-
-		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
-		mgmClient, loginResp, err := connectToManagement(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-		if err != nil {
-			log.Warn(err)
-			return err
-		}
-
-		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
-		signalClient, err := connectToSignal(ctx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
-		if err != nil {
-			log.Error(err)
-			return err
-		}
-
-		peerConfig := loginResp.GetPeerConfig()
-
-		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
-		if err != nil {
-			log.Error(err)
-			return err
-		}
-
-		// create start the Wiretrustee Engine that will connect to the Signal and Management streams and manage connections to remote peers.
-		engine := internal.NewEngine(signalClient, mgmClient, engineConfig, cancel, ctx)
-		err = engine.Start()
-		if err != nil {
-			log.Errorf("error while starting Wiretrustee Connection Engine: %s", err)
-			return err
-		}
-
-		log.Print("Wiretrustee engine started, my IP is: ", peerConfig.Address)
-
-		select {
-		case <-stopCh:
-		case <-ctx.Done():
-		}
-
-		backOff.Reset()
-
-		err = mgmClient.Close()
-		if err != nil {
-			log.Errorf("failed closing Management Service client %v", err)
-			return err
-		}
-		err = signalClient.Close()
-		if err != nil {
-			log.Errorf("failed closing Signal Service client %v", err)
-			return err
-		}
-
-		err = engine.Stop()
-		if err != nil {
-			log.Errorf("failed stopping engine %v", err)
-			return err
-		}
-
-		go func() {
-			cleanupCh <- struct{}{}
-		}()
-
-		log.Info("stopped Wiretrustee client")
-
-		return ctx.Err()
-	}
-
-	err := backoff.Retry(operation, backOff)
-	if err != nil {
-		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
-		return err
-	}
-	return nil
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			log.Errorf("failed to connect to service CLI interface %v", err)
+			return err
+		}
+		defer conn.Close()
+
+		daemonClient := proto.NewDaemonServiceClient(conn)
+
+		loginRequest := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PresharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
+		}
+		err = WithBackOff(func() error {
+			_, err := daemonClient.Login(ctx, &loginRequest)
+			return err
+		})
+		if err != nil {
+			log.Errorf("backoff cycle failed: %v", err)
+			return err
+		}
+
+		status, err := daemonClient.Status(ctx, &proto.StatusRequest{})
+		if err != nil {
+			log.Errorf("get status: %v", err)
+			return err
+		}
+
+		if status.Status != string(internal.StatusIdle) {
+			log.Warnf("already connected")
+			return nil
+		}
+
+		if _, err := daemonClient.Up(ctx, &proto.UpRequest{}); err != nil {
+			log.Errorf("call service up method: %v", err)
+			return err
+		}
+
+		return nil
+	},
 }
--- a/client/cmd/up_daemon_test.go
+++ b/client/cmd/up_daemon_test.go
@@ -0,0 +1,98 @@
+package cmd
+
+import (
+	"context"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
+)
+
+func TestUpDaemon_Start(t *testing.T) {
+	config := &mgmt.Config{}
+	_, err := util.ReadJson("../testdata/management.json", config)
+	if err != nil {
+		t.Fatal(err)
+	}
+	testDir := t.TempDir()
+	config.Datadir = testDir
+	err = util.CopyFileContents("../testdata/store.json", filepath.Join(testDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, signalLis := startSignal(t)
+	signalAddr = signalLis.Addr().String()
+	config.Signal.URI = signalAddr
+
+	_, mgmLis := startManagement(t, config)
+	mgmAddr = mgmLis.Addr().String()
+}
+
+func TestUpDaemon(t *testing.T) {
+	tempDir := t.TempDir()
+	confPath := tempDir + "/config.json"
+
+	stopCh = make(chan int, 1)
+	cleanupCh = make(chan struct{}, 1)
+
+	ctx := internal.CtxInitState(context.Background())
+	state := internal.CtxGetState(ctx)
+
+	_, cliLis := startClientDaemon(t, ctx, "http://"+mgmAddr, confPath, stopCh, cleanupCh)
+
+	cliAddr = cliLis.Addr().String()
+
+	daemonAddr = "tcp://" + cliAddr
+	rootCmd.SetArgs([]string{
+		"login",
+		"--daemon-addr", "tcp://" + cliAddr,
+		"--setup-key", "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
+		"--log-file", "",
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+	if status, err := state.Status(); err != nil && status != internal.StatusIdle {
+		t.Errorf("wrong status after login: %s, %v", internal.StatusIdle, err)
+		return
+	}
+
+	rootCmd.SetArgs([]string{
+		"up",
+		"--daemon-addr", "tcp://" + cliAddr,
+		"--log-file", "",
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+	if status, err := state.Status(); err != nil && status != internal.StatusConnected {
+		t.Errorf("wrong status after connect: %s, %v", status, err)
+		return
+	}
+
+	rootCmd.SetArgs([]string{
+		"status",
+		"--daemon-addr", "tcp://" + cliAddr,
+	})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	time.Sleep(time.Second * 3)
+
+	rootCmd.SetErr(nil)
+	rootCmd.SetArgs([]string{"down", "--daemon-addr", "tcp://" + cliAddr})
+	if err := rootCmd.Execute(); err != nil {
+		t.Errorf("expected no error while running up command, got %v", err)
+		return
+	}
+	// we can't check status here, because context already canceled
+}
--- a/client/cmd/up_test.go
+++ b/client/cmd/up_test.go
@@ -1,16 +1,20 @@
 package cmd

 import (
-	"github.com/wiretrustee/wiretrustee/iface"
-	mgmt "github.com/wiretrustee/wiretrustee/management/server"
-	"github.com/wiretrustee/wiretrustee/util"
 	"net/url"
 	"path/filepath"
 	"testing"
 	"time"
+
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/util"
 )

-var signalAddr string
+var (
+	signalAddr string
+	cliAddr    string
+)

 func TestUp_Start(t *testing.T) {
 	config := &mgmt.Config{}
@@ -29,15 +33,11 @@ func TestUp_Start(t *testing.T) {
 	signalAddr = signalLis.Addr().String()
 	config.Signal.URI = signalAddr

-	_, mgmLis := startManagement(config, t)
+	_, mgmLis := startManagement(t, config)
 	mgmAddr = mgmLis.Addr().String()
-
 }

 func TestUp(t *testing.T) {
-
-	defer iface.Close("wt0")
-
 	tempDir := t.TempDir()
 	confPath := tempDir + "/config.json"
 	mgmtURL, err := url.Parse("http://" + mgmAddr)
@@ -53,30 +53,36 @@ func TestUp(t *testing.T) {
 		"A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
 		"--management-url",
 		mgmtURL.String(),
+		"--log-level",
+		"debug",
 		"--log-file",
 		"console",
 	})
+
 	go func() {
-		err = rootCmd.Execute()
-		if err != nil {
+		if err := rootCmd.Execute(); err != nil {
 			t.Errorf("expected no error while running up command, got %v", err)
 		}
 	}()
+	time.Sleep(time.Second * 2)

-	exists := false
-	for start := time.Now(); time.Since(start) < 15*time.Second; {
+	timeout := 15 * time.Second
+	timeoutChannel := time.After(timeout)
+	for {
+		select {
+		case <-timeoutChannel:
+			t.Fatalf("expected wireguard interface %s to be created before %s", iface.WgInterfaceDefault, timeout.String())
+		default:
+		}
 		e, err := iface.Exists(iface.WgInterfaceDefault)
 		if err != nil {
 			continue
 		}
+		if err != nil {
+			continue
+		}
 		if *e {
-			exists = true
 			break
 		}
-
-	}
-
-	if !exists {
-		t.Errorf("expected wireguard interface %s to be created", iface.WgInterfaceDefault)
 	}
 }
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -1,14 +1,16 @@
 package cmd

-import "github.com/spf13/cobra"
+import (
+	"github.com/spf13/cobra"
+	"github.com/wiretrustee/wiretrustee/client/system"
+)

 var (
-	Version    string
 	versionCmd = &cobra.Command{
 		Use:   "version",
 		Short: "prints wiretrustee version",
 		Run: func(cmd *cobra.Command, args []string) {
-			cmd.Println(Version)
+			cmd.Println(system.WiretrusteeVersion())
 		},
 	}
 )
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -110,7 +110,7 @@ func GetConfig(managementURL string, configPath string, preSharedKey string) (*C

 // generateKey generates a new Wireguard private key
 func generateKey() string {
-	key, err := wgtypes.GenerateKey()
+	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		panic(err)
 	}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -0,0 +1,210 @@
+package internal
+
+import (
+	"context"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	signal "github.com/wiretrustee/wiretrustee/signal/client"
+
+	"github.com/cenkalti/backoff/v4"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+// RunClient with main logic.
+func RunClient(
+	ctx context.Context, config *Config, stopCh <-chan int, cleanupCh chan<- struct{},
+) error {
+	backOff := &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      24 * 3 * time.Hour, // stop the client after 3 days trying (must be a huge problem, e.g permission denied)
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+
+	state := CtxGetState(ctx)
+	defer state.Set(StatusIdle)
+
+	wrapErr := state.Wrap
+	operation := func() error {
+		// if context cancelled we not start new backoff cycle
+		select {
+		case <-ctx.Done():
+			return nil
+		default:
+		}
+
+		state.Set(StatusConnecting)
+		// validate our peer's Wireguard PRIVATE key
+		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+			return wrapErr(err)
+		}
+
+		var mgmTlsEnabled bool
+		if config.ManagementURL.Scheme == "https" {
+			mgmTlsEnabled = true
+		}
+
+		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
+		mgmClient, loginResp, err := connectToManagement(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		if err != nil {
+			log.Warn(err)
+			return wrapErr(err)
+		}
+
+		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
+		signalClient, err := connectToSignal(ctx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		peerConfig := loginResp.GetPeerConfig()
+
+		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		if err != nil {
+			log.Error(err)
+			return wrapErr(err)
+		}
+
+		ctx, cancel := context.WithCancel(ctx)
+		defer cancel()
+
+		engine := NewEngine(ctx, cancel, signalClient, mgmClient, engineConfig)
+		err = engine.Start()
+		if err != nil {
+			log.Errorf("error while starting Wiretrustee Connection Engine: %s", err)
+			return wrapErr(err)
+		}
+
+		log.Print("Wiretrustee engine started, my IP is: ", peerConfig.Address)
+		state.Set(StatusConnected)
+
+		select {
+		case <-stopCh:
+		case <-ctx.Done():
+		}
+
+		backOff.Reset()
+
+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client %v", err)
+			return wrapErr(err)
+		}
+		err = signalClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Signal Service client %v", err)
+			return wrapErr(err)
+		}
+
+		err = engine.Stop()
+		if err != nil {
+			log.Errorf("failed stopping engine %v", err)
+			return wrapErr(err)
+		}
+
+		go func() {
+			cleanupCh <- struct{}{}
+		}()
+
+		log.Info("stopped Wiretrustee client")
+
+		if _, err := state.Status(); err == ErrResetConnection {
+			return err
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+	return nil
+}
+
+// createEngineConfig converts configuration received from Management Service to EngineConfig
+func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+	iFaceBlackList := make(map[string]struct{})
+	for i := 0; i < len(config.IFaceBlackList); i += 2 {
+		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
+	}
+
+	engineConf := &EngineConfig{
+		WgIfaceName:    config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: iFaceBlackList,
+		WgPrivateKey:   key,
+		WgPort:         iface.DefaultWgPort,
+	}
+
+	if config.PreSharedKey != "" {
+		preSharedKey, err := wgtypes.ParseKey(config.PreSharedKey)
+		if err != nil {
+			return nil, err
+		}
+		engineConf.PreSharedKey = &preSharedKey
+	}
+
+	return engineConf, nil
+}
+
+// connectToSignal creates Signal Service client and established a connection
+func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
+	var sigTLSEnabled bool
+	if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
+		sigTLSEnabled = true
+	} else {
+		sigTLSEnabled = false
+	}
+
+	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
+	if err != nil {
+		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+	}
+
+	return signalClient, nil
+}
+
+// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.GrpcClient, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to management server %s", managementAddr)
+	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
+	loginResp, err := client.Login(*serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Error("peer registration required. Please run wiretrustee login command first")
+			return nil, nil, err
+		} else {
+			return nil, nil, err
+		}
+	}
+
+	log.Debugf("peer logged in to Management Service %s", managementAddr)
+
+	return client, loginResp, nil
+}
+
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -3,6 +3,12 @@ package internal
 import (
 	"context"
 	"fmt"
+	"math/rand"
+	"net"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
 	"github.com/wiretrustee/wiretrustee/client/internal/peer"
@@ -12,40 +18,50 @@ import (
 	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
 	signal "github.com/wiretrustee/wiretrustee/signal/client"
 	sProto "github.com/wiretrustee/wiretrustee/signal/proto"
+	"github.com/wiretrustee/wiretrustee/util"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"math/rand"
-	"strings"
-	"sync"
-	"time"
 )

 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
-// E.g. this peer will wait PeerConnectionTimeoutMax for the remote peer to respond, if not successful then it will retry the connection attempt.
-const PeerConnectionTimeoutMax = 45000 //ms
-const PeerConnectionTimeoutMin = 30000 //ms
+// E.g. this peer will wait PeerConnectionTimeoutMax for the remote peer to respond,
+// if not successful then it will retry the connection attempt.
+// Todo pass timeout at EnginConfig
+const (
+	PeerConnectionTimeoutMax = 45000 // ms
+	PeerConnectionTimeoutMin = 30000 // ms
+)

-const WgPort = 51820
+var ErrResetConnection = fmt.Errorf("reset connection")

 // EngineConfig is a config for the Engine
 type EngineConfig struct {
-	WgPort  int
-	WgIface string
+	WgPort      int
+	WgIfaceName string
+
 	// WgAddr is a Wireguard local address (Wiretrustee Network IP)
 	WgAddr string
+
 	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
 	WgPrivateKey wgtypes.Key
+
 	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
 	IFaceBlackList map[string]struct{}

 	PreSharedKey *wgtypes.Key
+
+	// UDPMuxPort default value 0 - the system will pick an available port
+	UDPMuxPort int
+
+	// UDPMuxSrflxPort default value 0 - the system will pick an available port
+	UDPMuxSrflxPort int
 }

 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
 type Engine struct {
 	// signal is a Signal Service client
-	signal *signal.Client
+	signal signal.Client
 	// mgmClient is a Management Service client
-	mgmClient *mgm.Client
+	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerConns map[string]*peer.Conn

@@ -61,6 +77,16 @@ type Engine struct {
 	cancel context.CancelFunc

 	ctx context.Context
+
+	wgInterface iface.WGIface
+
+	udpMux          ice.UDPMux
+	udpMuxSrflx     ice.UniversalUDPMux
+	udpMuxConn      *net.UDPConn
+	udpMuxConnSrflx *net.UDPConn
+
+	// networkSerial is the latest Serial (state ID) of the network sent by the Management service
+	networkSerial uint64
 }

 // Peer is an instance of the Connection Peer
@@ -70,17 +96,21 @@ type Peer struct {
 }

 // NewEngine creates a new Connection Engine
-func NewEngine(signalClient *signal.Client, mgmClient *mgm.Client, config *EngineConfig, cancel context.CancelFunc, ctx context.Context) *Engine {
+func NewEngine(
+	ctx context.Context, cancel context.CancelFunc,
+	signalClient signal.Client, mgmClient mgm.Client, config *EngineConfig,
+) *Engine {
 	return &Engine{
-		signal:     signalClient,
-		mgmClient:  mgmClient,
-		peerConns:  map[string]*peer.Conn{},
-		syncMsgMux: &sync.Mutex{},
-		config:     config,
-		STUNs:      []*ice.URL{},
-		TURNs:      []*ice.URL{},
-		cancel:     cancel,
-		ctx:        ctx,
+		ctx:           ctx,
+		cancel:        cancel,
+		signal:        signalClient,
+		mgmClient:     mgmClient,
+		peerConns:     map[string]*peer.Conn{},
+		syncMsgMux:    &sync.Mutex{},
+		config:        config,
+		STUNs:         []*ice.URL{},
+		TURNs:         []*ice.URL{},
+		networkSerial: 0,
 	}
 }

@@ -88,16 +118,42 @@ func (e *Engine) Stop() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	err := e.removeAllPeerConnections()
+	err := e.removeAllPeers()
 	if err != nil {
 		return err
 	}

-	log.Debugf("removing Wiretrustee interface %s", e.config.WgIface)
-	err = iface.Close(e.config.WgIface)
-	if err != nil {
-		log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIface, err)
-		return err
+	log.Debugf("removing Wiretrustee interface %s", e.config.WgIfaceName)
+	if e.wgInterface.Interface != nil {
+		err = e.wgInterface.Close()
+		if err != nil {
+			log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIfaceName, err)
+			return err
+		}
+	}
+
+	if e.udpMux != nil {
+		if err := e.udpMux.Close(); err != nil {
+			log.Debugf("close udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxSrflx != nil {
+		if err := e.udpMuxSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux: %v", err)
+		}
+	}
+
+	if e.udpMuxConn != nil {
+		if err := e.udpMuxConn.Close(); err != nil {
+			log.Debugf("close udp mux connection: %v", err)
+		}
+	}
+
+	if e.udpMuxConnSrflx != nil {
+		if err := e.udpMuxConnSrflx.Close(); err != nil {
+			log.Debugf("close server reflexive udp mux connection: %v", err)
+		}
 	}

 	log.Infof("stopped Wiretrustee Engine")
@@ -112,19 +168,41 @@ func (e *Engine) Start() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

-	wgIface := e.config.WgIface
+	wgIfaceName := e.config.WgIfaceName
 	wgAddr := e.config.WgAddr
 	myPrivateKey := e.config.WgPrivateKey
+	var err error

-	err := iface.Create(wgIface, wgAddr)
+	e.wgInterface, err = iface.NewWGIface(wgIfaceName, wgAddr, iface.DefaultMTU)
 	if err != nil {
-		log.Errorf("failed creating interface %s: [%s]", wgIface, err.Error())
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIfaceName, err.Error())
 		return err
 	}

-	err = iface.Configure(wgIface, myPrivateKey.String(), e.config.WgPort)
+	e.udpMuxConn, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxPort})
 	if err != nil {
-		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIface, err.Error())
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
+		return err
+	}
+
+	e.udpMuxConnSrflx, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
+	if err != nil {
+		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
+		return err
+	}
+
+	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
+	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
+
+	err = e.wgInterface.Create()
+	if err != nil {
+		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
+		return err
+	}
+
+	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
+	if err != nil {
+		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
 		return err
 	}

@@ -134,8 +212,21 @@ func (e *Engine) Start() error {
 	return nil
 }

-func (e *Engine) removePeers(peers []string) error {
-	for _, p := range peers {
+// removePeers finds and removes peers that do not exist anymore in the network map received from the Management Service
+func (e *Engine) removePeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
+	currentPeers := make([]string, 0, len(e.peerConns))
+	for p := range e.peerConns {
+		currentPeers = append(currentPeers, p)
+	}
+
+	newPeers := make([]string, 0, len(peersUpdate))
+	for _, p := range peersUpdate {
+		newPeers = append(newPeers, p.GetWgPubKey())
+	}
+
+	toRemove := util.SliceDiff(currentPeers, newPeers)
+
+	for _, p := range toRemove {
 		err := e.removePeer(p)
 		if err != nil {
 			return err
@@ -145,7 +236,7 @@ func (e *Engine) removePeers(peers []string) error {
 	return nil
 }

-func (e *Engine) removeAllPeerConnections() error {
+func (e *Engine) removeAllPeers() error {
 	log.Debugf("removing all peer connections")
 	for p := range e.peerConns {
 		err := e.removePeer(p)
@@ -162,14 +253,21 @@ func (e *Engine) removePeer(peerKey string) error {
 	conn, exists := e.peerConns[peerKey]
 	if exists {
 		delete(e.peerConns, peerKey)
-		return conn.Close()
+		err := conn.Close()
+		if err != nil {
+			switch err.(type) {
+			case *peer.ConnectionAlreadyClosedError:
+				return nil
+			default:
+				return err
+			}
+		}
 	}
 	return nil
 }

 // GetPeerConnectionStatus returns a connection Status or nil if peer connection wasn't found
 func (e *Engine) GetPeerConnectionStatus(peerKey string) peer.ConnStatus {
-
 	conn, exists := e.peerConns[peerKey]
 	if exists && conn != nil {
 		return conn.Status()
@@ -178,6 +276,17 @@ func (e *Engine) GetPeerConnectionStatus(peerKey string) peer.ConnStatus {
 	return -1
 }

+func (e *Engine) GetPeers() []string {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	peers := []string{}
+	for s := range e.peerConns {
+		peers = append(peers, s)
+	}
+	return peers
+}
+
 // GetConnectedPeers returns a connection Status or nil if peer connection wasn't found
 func (e *Engine) GetConnectedPeers() []string {
 	e.syncMsgMux.Lock()
@@ -193,7 +302,7 @@ func (e *Engine) GetConnectedPeers() []string {
 	return peers
 }

-func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error {
+func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
 	err := s.Send(&sProto.Message{
 		Key:       myKey.PublicKey().String(),
 		RemoteKey: remoteKey.String(),
@@ -204,15 +313,14 @@ func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtyp
 	})
 	if err != nil {
 		log.Errorf("failed signaling candidate to the remote peer %s %s", remoteKey.String(), err)
-		//todo ??
+		// todo ??
 		return err
 	}

 	return nil
 }

-func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error {
-
+func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
 	var t sProto.Body_Type
 	if isAnswer {
 		t = sProto.Body_ANSWER
@@ -222,7 +330,8 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K

 	msg, err := signal.MarshalCredential(myKey, remoteKey, &signal.Credential{
 		UFrag: uFrag,
-		Pwd:   pwd}, t)
+		Pwd:   pwd,
+	}, t)
 	if err != nil {
 		return err
 	}
@@ -234,41 +343,46 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
 	return nil
 }

+func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
+
+	if update.GetWiretrusteeConfig() != nil {
+		err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
+		if err != nil {
+			return err
+		}
+
+		err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
+		if err != nil {
+			return err
+		}
+
+		// todo update signal
+	}
+
+	if update.GetNetworkMap() != nil {
+		// only apply new changes and ignore old ones
+		err := e.updateNetworkMap(update.GetNetworkMap())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
 	go func() {
 		err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
-			e.syncMsgMux.Lock()
-			defer e.syncMsgMux.Unlock()
-
-			if update.GetWiretrusteeConfig() != nil {
-				err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
-				if err != nil {
-					return err
-				}
-
-				err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
-				if err != nil {
-					return err
-				}
-
-				//todo update signal
-			}
-
-			if update.GetRemotePeers() != nil || update.GetRemotePeersIsEmpty() {
-				// empty arrays are serialized by protobuf to null, but for our case empty array is a valid state.
-				err := e.updatePeers(update.GetRemotePeers())
-				if err != nil {
-					return err
-				}
-			}
-
-			return nil
+			return e.handleSync(update)
 		})
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
 			e.cancel()
 			return
 		}
@@ -315,27 +429,40 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
 	return nil
 }

-func (e *Engine) updatePeers(remotePeers []*mgmProto.RemotePeerConfig) error {
-	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(remotePeers))
-	remotePeerMap := make(map[string]struct{})
-	for _, p := range remotePeers {
-		remotePeerMap[p.GetWgPubKey()] = struct{}{}
+func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
+	serial := networkMap.GetSerial()
+	if e.networkSerial > serial {
+		log.Debugf("received outdated NetworkMap with serial %d, ignoring", serial)
+		return nil
 	}

-	//remove peers that are no longer available for us
-	toRemove := []string{}
-	for p := range e.peerConns {
-		if _, ok := remotePeerMap[p]; !ok {
-			toRemove = append(toRemove, p)
+	log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))
+
+	// cleanup request, most likely our peer has been deleted
+	if networkMap.GetRemotePeersIsEmpty() {
+		err := e.removeAllPeers()
+		if err != nil {
+			return err
+		}
+	} else {
+		err := e.removePeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
+		}
+
+		err = e.addNewPeers(networkMap.GetRemotePeers())
+		if err != nil {
+			return err
 		}
 	}
-	err := e.removePeers(toRemove)
-	if err != nil {
-		return err
-	}

-	// add new peers
-	for _, p := range remotePeers {
+	e.networkSerial = serial
+	return nil
+}
+
+// addNewPeers finds and adds peers that were not know before but arrived from the Management service with the update
+func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
+	for _, p := range peersUpdate {
 		peerKey := p.GetWgPubKey()
 		peerIPs := p.GetAllowedIps()
 		if _, ok := e.peerConns[peerKey]; !ok {
@@ -386,7 +513,6 @@ func (e Engine) peerExists(peerKey string) bool {
 }

 func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, error) {
-
 	var stunTurn []*ice.URL
 	stunTurn = append(stunTurn, e.STUNs...)
 	stunTurn = append(stunTurn, e.TURNs...)
@@ -399,7 +525,7 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 	proxyConfig := proxy.Config{
 		RemoteKey:    pubKey,
 		WgListenAddr: fmt.Sprintf("127.0.0.1:%d", e.config.WgPort),
-		WgInterface:  e.config.WgIface,
+		WgInterface:  e.wgInterface,
 		AllowedIps:   allowedIPs,
 		PreSharedKey: e.config.PreSharedKey,
 	}
@@ -412,6 +538,8 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		StunTurn:           stunTurn,
 		InterfaceBlackList: interfaceBlacklist,
 		Timeout:            timeout,
+		UDPMux:             e.udpMux,
+		UDPMuxSrflx:        e.udpMuxSrflx,
 		ProxyConfig:        proxyConfig,
 	}

@@ -446,11 +574,9 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er

 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
 func (e *Engine) receiveSignalEvents() {
-
 	go func() {
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(func(msg *sProto.Message) error {
-
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()

@@ -492,6 +618,7 @@ func (e *Engine) receiveSignalEvents() {
 		if err != nil {
 			// happens if signal is unavailable for a long time.
 			// We want to cancel the operation of the whole client
+			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
 			e.cancel()
 			return
 		}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -3,7 +3,16 @@ package internal
 import (
 	"context"
 	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync"
+	"testing"
+	"time"
+
 	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/client/system"
 	mgmt "github.com/wiretrustee/wiretrustee/management/client"
 	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
 	"github.com/wiretrustee/wiretrustee/management/server"
@@ -14,13 +23,6 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"
-	"net"
-	"os"
-	"path/filepath"
-	"runtime"
-	"sync"
-	"testing"
-	"time"
 )

 var (
@@ -37,9 +39,229 @@ var (
 	}
 )

-func TestEngine_MultiplePeers(t *testing.T) {
+func TestEngine_UpdateNetworkMap(t *testing.T) {
+	// test setup
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}

-	//log.SetLevel(log.DebugLevel)
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
+		WgIfaceName:  "utun100",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	})
+
+	type testCase struct {
+		name       string
+		networkMap *mgmtProto.NetworkMap
+
+		expectedLen    int
+		expectedPeers  []string
+		expectedSerial uint64
+	}
+
+	peer1 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.10/24"},
+	}
+
+	peer2 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.11/24"},
+	}
+
+	peer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.12/24"},
+	}
+
+	case1 := testCase{
+		name: "input with a new peer to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     1,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    1,
+		expectedPeers:  []string{peer1.GetWgPubKey()},
+		expectedSerial: 1,
+	}
+
+	// 2nd case - one extra peer added and network map has Serial grater than local => apply the update
+	case2 := testCase{
+		name: "input with an old peer and a new peer to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     2,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1, peer2,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
+		expectedSerial: 2,
+	}
+
+	case3 := testCase{
+		name: "input with outdated (old) update to ignore",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     0,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer1, peer2, peer3,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
+		expectedSerial: 2,
+	}
+
+	case4 := testCase{
+		name: "input with one peer to remove and one new to add",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:     4,
+			PeerConfig: nil,
+			RemotePeers: []*mgmtProto.RemotePeerConfig{
+				peer2, peer3,
+			},
+			RemotePeersIsEmpty: false,
+		},
+		expectedLen:    2,
+		expectedPeers:  []string{peer2.GetWgPubKey(), peer3.GetWgPubKey()},
+		expectedSerial: 4,
+	}
+
+	case5 := testCase{
+		name: "input with all peers to remove",
+		networkMap: &mgmtProto.NetworkMap{
+			Serial:             5,
+			PeerConfig:         nil,
+			RemotePeers:        []*mgmtProto.RemotePeerConfig{},
+			RemotePeersIsEmpty: true,
+		},
+		expectedLen:    0,
+		expectedPeers:  nil,
+		expectedSerial: 5,
+	}
+
+	for _, c := range []testCase{case1, case2, case3, case4, case5} {
+		t.Run(c.name, func(t *testing.T) {
+			err = engine.updateNetworkMap(c.networkMap)
+			if err != nil {
+				t.Fatal(err)
+				return
+			}
+
+			if len(engine.peerConns) != c.expectedLen {
+				t.Errorf("expecting Engine.peerConns to be of size %d, got %d", c.expectedLen, len(engine.peerConns))
+			}
+
+			if engine.networkSerial != c.expectedSerial {
+				t.Errorf("expecting Engine.networkSerial to be equal to %d, actual %d", c.expectedSerial, engine.networkSerial)
+			}
+
+			for _, p := range c.expectedPeers {
+				if _, ok := engine.peerConns[p]; !ok {
+					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
+				}
+			}
+		})
+	}
+}
+
+func TestEngine_Sync(t *testing.T) {
+	key, err := wgtypes.GeneratePrivateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	// feed updates to Engine via mocked Management client
+	updates := make(chan *mgmtProto.SyncResponse)
+	defer close(updates)
+	syncFunc := func(msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+		for msg := range updates {
+			err := msgHandler(msg)
+			if err != nil {
+				t.Fatal(err)
+			}
+		}
+		return nil
+	}
+
+	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
+		WgIfaceName:  "utun100",
+		WgAddr:       "100.64.0.1/24",
+		WgPrivateKey: key,
+		WgPort:       33100,
+	})
+
+	defer func() {
+		err := engine.Stop()
+		if err != nil {
+			return
+		}
+	}()
+
+	err = engine.Start()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	peer1 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+		AllowedIps: []string{"100.64.0.10/24"},
+	}
+	peer2 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "LLHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
+		AllowedIps: []string{"100.64.0.11/24"},
+	}
+	peer3 := &mgmtProto.RemotePeerConfig{
+		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
+		AllowedIps: []string{"100.64.0.12/24"},
+	}
+	// 1st update with just 1 peer and serial larger than the current serial of the engine => apply update
+	updates <- &mgmtProto.SyncResponse{
+		NetworkMap: &mgmtProto.NetworkMap{
+			Serial:             10,
+			PeerConfig:         nil,
+			RemotePeers:        []*mgmtProto.RemotePeerConfig{peer1, peer2, peer3},
+			RemotePeersIsEmpty: false,
+		},
+	}
+
+	timeout := time.After(time.Second * 2)
+	for {
+		select {
+		case <-timeout:
+			t.Fatalf("timeout while waiting for test to finish")
+			return
+		default:
+		}
+
+		if len(engine.GetPeers()) == 3 && engine.networkSerial == 10 {
+			break
+		}
+	}
+}
+
+func TestEngine_MultiplePeers(t *testing.T) {
+	// log.SetLevel(log.DebugLevel)

 	dir := t.TempDir()

@@ -48,34 +270,30 @@ func TestEngine_MultiplePeers(t *testing.T) {
 		t.Fatal(err)
 	}
 	defer func() {
-		os.Remove(filepath.Join(dir, "store.json")) //nolint
+		err = os.Remove(filepath.Join(dir, "store.json")) //nolint
+		if err != nil {
+			t.Fatal(err)
+			return
+		}
 	}()

-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
 	defer cancel()

-	signalServer, err := startSignal(10000)
+	sport := 10010
+	sigServer, err := startSignal(sport)
 	if err != nil {
 		t.Fatal(err)
 		return
 	}
-	defer signalServer.Stop()
-
-	mgmtServer, err := startManagement(33071, &server.Config{
-		Stuns:      []*server.Host{},
-		TURNConfig: &server.TURNConfig{},
-		Signal: &server.Host{
-			Proto: "http",
-			URI:   "localhost:10000",
-		},
-		Datadir:    dir,
-		HttpConfig: nil,
-	})
+	defer sigServer.Stop()
+	mport := 33081
+	mgmtServer, err := startManagement(mport, dir)
 	if err != nil {
 		t.Fatal(err)
 		return
 	}
-	defer mgmtServer.Stop()
+	defer mgmtServer.GracefulStop()

 	setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"

@@ -88,7 +306,7 @@ func TestEngine_MultiplePeers(t *testing.T) {
 	for i := 0; i < numPeers; i++ {
 		j := i
 		go func() {
-			engine, err := createEngine(ctx, cancel, setupKey, j)
+			engine, err := createEngine(ctx, cancel, setupKey, j, mport, sport)
 			if err != nil {
 				return
 			}
@@ -102,33 +320,54 @@ func TestEngine_MultiplePeers(t *testing.T) {

 	// wait until all have been created and started
 	wg.Wait()
-
 	// check whether all the peer have expected peers connected
+
 	expectedConnected := numPeers * (numPeers - 1)
+	// adjust according to timeouts
+	timeout := 50 * time.Second
+	timeoutChan := time.After(timeout)
 	for {
+		select {
+		case <-timeoutChan:
+			t.Fatalf("waiting for expected connections timeout after %s", timeout.String())
+			return
+		default:
+		}
 		time.Sleep(time.Second)
 		totalConnected := 0
 		for _, engine := range engines {
 			totalConnected = totalConnected + len(engine.GetConnectedPeers())
 		}
 		if totalConnected == expectedConnected {
+			log.Debugf("total connected=%d", totalConnected)
 			break
 		}
 		log.Infof("total connected=%d", totalConnected)
 	}
+
+	// cleanup test
+	for _, peerEngine := range engines {
+		errStop := peerEngine.mgmClient.Close()
+		if errStop != nil {
+			log.Infoln("got error trying to close management clients from engine: ", errStop)
+		}
+		errStop = peerEngine.Stop()
+		if errStop != nil {
+			log.Infoln("got error trying to close testing peers engine: ", errStop)
+		}
+	}
 }

-func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int) (*Engine, error) {
-
-	key, err := wgtypes.GenerateKey()
+func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mport int, sport int) (*Engine, error) {
+	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return nil, err
 	}
-	mgmtClient, err := mgmt.NewClient(ctx, "localhost:33071", key, false)
+	mgmtClient, err := mgmt.NewClient(ctx, fmt.Sprintf("localhost:%d", mport), key, false)
 	if err != nil {
 		return nil, err
 	}
-	signalClient, err := signal.NewClient(ctx, "localhost:10000", key, false)
+	signalClient, err := signal.NewClient(ctx, fmt.Sprintf("localhost:%d", sport), key, false)
 	if err != nil {
 		return nil, err
 	}
@@ -138,7 +377,8 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		return nil, err
 	}

-	resp, err := mgmtClient.Register(*publicKey, setupKey)
+	info := system.GetInfo()
+	resp, err := mgmtClient.Register(*publicKey, setupKey, info)
 	if err != nil {
 		return nil, err
 	}
@@ -150,14 +390,15 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		ifaceName = fmt.Sprintf("wt%d", i)
 	}

+	wgPort := 33100 + i
 	conf := &EngineConfig{
-		WgIface:      ifaceName,
+		WgIfaceName:  ifaceName,
 		WgAddr:       resp.PeerConfig.Address,
 		WgPrivateKey: key,
-		WgPort:       33100 + i,
+		WgPort:       wgPort,
 	}

-	return NewEngine(signalClient, mgmtClient, conf, cancel, ctx), nil
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf), nil
 }

 func startSignal(port int) (*grpc.Server, error) {
@@ -179,7 +420,17 @@ func startSignal(port int) (*grpc.Server, error) {
 	return s, nil
 }

-func startManagement(port int, config *server.Config) (*grpc.Server, error) {
+func startManagement(port int, dataDir string) (*grpc.Server, error) {
+	config := &server.Config{
+		Stuns:      []*server.Host{},
+		TURNConfig: &server.TURNConfig{},
+		Signal: &server.Host{
+			Proto: "http",
+			URI:   "localhost:10000",
+		},
+		Datadir:    dataDir,
+		HttpConfig: nil,
+	}

 	lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
 	if err != nil {
@@ -191,7 +442,7 @@ func startManagement(port int, config *server.Config) (*grpc.Server, error) {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}
 	peersUpdateManager := server.NewPeersUpdateManager()
-	accountManager := server.NewManager(store, peersUpdateManager)
+	accountManager := server.NewManager(store, peersUpdateManager, nil)
 	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
 	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
 	if err != nil {
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -0,0 +1,118 @@
+package internal
+
+import (
+	"context"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/client/system"
+	mgm "github.com/wiretrustee/wiretrustee/management/client"
+	mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+func Login(ctx context.Context, config *Config, setupKey string) error {
+	backOff := &backoff.ExponentialBackOff{
+		InitialInterval:     time.Second,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         2 * time.Second,
+		MaxElapsedTime:      time.Second * 10,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}
+
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return err
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	loginOp := func() error {
+		log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+		mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		if err != nil {
+			log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+			return err
+		}
+		log.Debugf("connected to management Service %s", config.ManagementURL.String())
+
+		serverKey, err := mgmClient.GetServerPublicKey()
+		if err != nil {
+			log.Errorf("failed while getting Management Service public key: %v", err)
+			return err
+		}
+
+		_, err = loginPeer(*serverKey, mgmClient, setupKey)
+		if err != nil {
+			log.Errorf("failed logging-in peer on Management Service : %v", err)
+			return err
+		}
+
+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client: %v", err)
+			return err
+		}
+
+		return nil
+	}
+
+	err = backoff.RetryNotify(loginOp, backOff, func(err error, duration time.Duration) {
+		log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+	})
+	if err != nil {
+		log.Errorf("exiting login retry loop due to unrecoverable error: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
+func loginPeer(serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string) (*mgmProto.LoginResponse, error) {
+	loginResp, err := client.Login(serverPublicKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(serverPublicKey, client, setupKey)
+		} else {
+			return nil, err
+		}
+	}
+
+	log.Info("peer has successfully logged-in to Management Service")
+
+	return loginResp, nil
+}
+
+// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
+// Otherwise tries to register with the provided setupKey via command line.
+func registerPeer(serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string) (*mgmProto.LoginResponse, error) {
+	validSetupKey, err := uuid.Parse(setupKey)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Debugf("sending peer registration request to Management Service")
+	info := system.GetInfo()
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), info)
+	if err != nil {
+		log.Errorf("failed registering peer %v", err)
+		return nil, err
+	}
+
+	log.Infof("peer has been successfully registered on Management Service")
+
+	return loginResp, nil
+}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -2,12 +2,15 @@ package peer

 import (
 	"context"
-	"github.com/pion/ice/v2"
-	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/client/internal/proxy"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"golang.zx2c4.com/wireguard/wgctrl"
 	"net"
 	"sync"
 	"time"
+
+	"github.com/pion/ice/v2"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/client/internal/proxy"
 )

 // ConnConfig is a peer Connection configuration
@@ -28,6 +31,9 @@ type ConnConfig struct {
 	Timeout time.Duration

 	ProxyConfig proxy.Config
+
+	UDPMux      ice.UDPMux
+	UDPMuxSrflx ice.UniversalUDPMux
 }

 // IceCredentials ICE protocol credentials struct
@@ -83,11 +89,20 @@ func interfaceFilter(blackList []string) func(string) bool {
 		}
 	}
 	return func(iFace string) bool {
-		if len(blackListMap) == 0 {
-			return true
-		}
+
 		_, ok := blackListMap[iFace]
-		return !ok
+		if ok {
+			return false
+		}
+		// look for unlisted Wireguard interfaces
+		wg, err := wgctrl.New()
+		if err != nil {
+			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+		}
+		defer wg.Close()
+
+		_, err = wg.Device(iFace)
+		return err != nil
 	}
 }

@@ -104,6 +119,8 @@ func (conn *Conn) reCreateAgent() error {
 		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
 		FailedTimeout:    &failedTimeout,
 		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:           conn.config.UDPMux,
+		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
 	})
 	if err != nil {
 		return err
@@ -174,7 +191,7 @@ func (conn *Conn) Open() error {

 	log.Debugf("received connection confirmation from peer %s", conn.config.Key)

-	//at this point we received offer/answer and we are ready to gather candidates
+	// at this point we received offer/answer and we are ready to gather candidates
 	conn.mu.Lock()
 	conn.status = StatusConnecting
 	conn.ctx, conn.notifyDisconnected = context.WithCancel(context.Background())
@@ -206,7 +223,14 @@ func (conn *Conn) Open() error {
 		return err
 	}

-	log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
+	if conn.proxy.Type() == proxy.TypeNoProxy {
+		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
+		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
+		// direct Wireguard connection
+		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, iface.DefaultWgPort, rhost, iface.DefaultWgPort)
+	} else {
+		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
+	}

 	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
 	select {
@@ -219,16 +243,65 @@ func (conn *Conn) Open() error {
 	}
 }

+// useProxy determines whether a direct connection (without a go proxy) is possible
+// There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+// Please note, that this check happens when peers were already able to ping each other using ICE layer.
+func shouldUseProxy(pair *ice.CandidatePair) bool {
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	myIp := net.ParseIP(pair.Local.Address())
+	remoteIsPublic := IsPublicIP(remoteIP)
+	myIsPublic := IsPublicIP(myIp)
+
+	//one of the hosts has a public IP
+	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
+		return false
+	}
+	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+		return false
+	}
+
+	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
+		if !remoteIsPublic && !myIsPublic {
+			//both hosts are in the same private network
+			return false
+		}
+	}
+
+	return true
+}
+
+// IsPublicIP indicates whether IP is public or not.
+func IsPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
+		return false
+	}
+	return true
+}
+
 // startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
 func (conn *Conn) startProxy(remoteConn net.Conn) error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

-	conn.proxy = proxy.NewWireguardProxy(conn.config.ProxyConfig)
-	err := conn.proxy.Start(remoteConn)
+	var pair *ice.CandidatePair
+	pair, err := conn.agent.GetSelectedCandidatePair()
 	if err != nil {
 		return err
 	}
+
+	useProxy := shouldUseProxy(pair)
+	var p proxy.Proxy
+	if useProxy {
+		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
+	} else {
+		p = proxy.NewNoProxy(conn.config.ProxyConfig)
+	}
+	conn.proxy = p
+	err = p.Start(remoteConn)
+	if err != nil {
+		return err
+	}
+
 	conn.status = StatusConnected

 	return nil
@@ -287,7 +360,7 @@ func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error
 // and then signals them to the remote peer
 func (conn *Conn) onICECandidate(candidate ice.Candidate) {
 	if candidate != nil {
-		//log.Debugf("discovered local candidate %s", candidate.String())
+		// log.Debugf("discovered local candidate %s", candidate.String())
 		go func() {
 			err := conn.signalCandidate(candidate)
 			if err != nil {
@@ -298,8 +371,8 @@ func (conn *Conn) onICECandidate(candidate ice.Candidate) {
 }

 func (conn *Conn) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidate) {
-	log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", conn.config.Key,
-		c1.String(), c2.String())
+	log.Debugf("selected candidate pair [local <-> remote] -> [%s <-> %s], peer %s", c1.String(), c2.String(),
+		conn.config.Key)
 }

 // onICEConnectionStateChange registers callback of an ICE Agent to track connection state
@@ -350,6 +423,7 @@ func (conn *Conn) Close() error {
 	defer conn.mu.Unlock()
 	select {
 	case conn.closeCh <- struct{}{}:
+		return nil
 	default:
 		// probably could happen when peer has been added and removed right after not even starting to connect
 		// todo further investigate
@@ -364,8 +438,8 @@ func (conn *Conn) Close() error {
 		// engine adds a new Conn for 4 and 5
 		// therefore peer 4 has 2 Conn objects
 		log.Warnf("closing not started coonection %s", conn.config.Key)
+		return NewConnectionAlreadyClosed(conn.config.Key)
 	}
-	return nil
 }

 // Status returns current status of the Conn
@@ -375,29 +449,33 @@ func (conn *Conn) Status() ConnStatus {
 	return conn.status
 }

-// OnRemoteOffer handles an offer from the remote peer
-// can block until Conn restarts
-func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) {
+// OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {
 	log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())

 	select {
 	case conn.remoteOffersCh <- remoteAuth:
+		return true
 	default:
 		log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
-		//connection might not be ready yet to receive so we ignore the message
+		// connection might not be ready yet to receive so we ignore the message
+		return false
 	}
 }

-// OnRemoteAnswer handles an offer from the remote peer
-// can block until Conn restarts
-func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) {
+// OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
+// doesn't block, discards the message if connection wasn't ready
+func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) bool {
 	log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())

 	select {
 	case conn.remoteAnswerCh <- remoteAuth:
+		return true
 	default:
-		//connection might not be ready yet to receive so we ignore the message
+		// connection might not be ready yet to receive so we ignore the message
 		log.Debugf("OnRemoteAnswer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
+		return false
 	}
 }

@@ -419,3 +497,7 @@ func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
 		}
 	}()
 }
+
+func (conn *Conn) GetKey() string {
+	return conn.config.Key
+}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -0,0 +1,144 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"github.com/pion/ice/v2"
+	"github.com/wiretrustee/wiretrustee/client/internal/proxy"
+	"sync"
+	"testing"
+	"time"
+)
+
+var connConf = ConnConfig{
+	Key:                "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	LocalKey:           "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
+	StunTurn:           []*ice.URL{},
+	InterfaceBlackList: nil,
+	Timeout:            time.Second,
+	ProxyConfig:        proxy.Config{},
+}
+
+func TestConn_GetKey(t *testing.T) {
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	got := conn.GetKey()
+
+	assert.Equal(t, got, connConf.Key, "they should be equal")
+}
+
+func TestConn_OnRemoteOffer(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-conn.remoteOffersCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			accepted := conn.OnRemoteOffer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
+			})
+			if accepted {
+				wg.Done()
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+
+func TestConn_OnRemoteAnswer(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(2)
+	go func() {
+		<-conn.remoteAnswerCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			accepted := conn.OnRemoteAnswer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
+			})
+			if accepted {
+				wg.Done()
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
+func TestConn_Status(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   ConnStatus
+	}{
+		{"StatusConnected", StatusConnected, StatusConnected},
+		{"StatusDisconnected", StatusDisconnected, StatusDisconnected},
+		{"StatusConnecting", StatusConnecting, StatusConnecting},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			conn.status = table.status
+
+			got := conn.Status()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+}
+
+func TestConn_Close(t *testing.T) {
+
+	conn, err := NewConn(connConf)
+	if err != nil {
+		return
+	}
+
+	wg := sync.WaitGroup{}
+	wg.Add(1)
+	go func() {
+		<-conn.closeCh
+		wg.Done()
+	}()
+
+	go func() {
+		for {
+			err := conn.Close()
+			if err != nil {
+				continue
+			} else {
+				return
+			}
+		}
+	}()
+
+	wg.Wait()
+}
--- a/client/internal/peer/error.go
+++ b/client/internal/peer/error.go
@@ -54,3 +54,19 @@ func NewConnectionDisconnectedError(peer string) error {
 		peer: peer,
 	}
 }
+
+// ConnectionAlreadyClosedError is an error indicating that a peer Conn has been already closed and the invocation of the Close() method has been performed over a closed connection
+type ConnectionAlreadyClosedError struct {
+	peer string
+}
+
+func (e *ConnectionAlreadyClosedError) Error() string {
+	return fmt.Sprintf("connection to peer %s has been already closed", e.peer)
+}
+
+// NewConnectionAlreadyClosed creates a new ConnectionAlreadyClosedError error
+func NewConnectionAlreadyClosed(peer string) error {
+	return &ConnectionAlreadyClosedError{
+		peer: peer,
+	}
+}
--- a/client/internal/peer/error_test.go
+++ b/client/internal/peer/error_test.go
@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+	"time"
+)
+
+func TestNewConnectionClosedError(t *testing.T) {
+	err := NewConnectionClosedError("X")
+	assert.Equal(t, &ConnectionClosedError{peer: "X"}, err)
+}
+
+func TestNewConnectionDisconnectedError(t *testing.T) {
+	err := NewConnectionDisconnectedError("X")
+	assert.Equal(t, &ConnectionDisconnectedError{peer: "X"}, err)
+}
+
+func TestNewConnectionTimeoutErrorC(t *testing.T) {
+	err := NewConnectionTimeoutError("X", time.Second)
+	assert.Equal(t, &ConnectionTimeoutError{peer: "X", timeout: time.Second}, err)
+}
+
+func TestNewConnectionAlreadyClosed(t *testing.T) {
+	err := NewConnectionAlreadyClosed("X")
+	assert.Equal(t, &ConnectionAlreadyClosedError{peer: "X"}, err)
+}
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -0,0 +1,27 @@
+package peer
+
+import (
+	"github.com/magiconair/properties/assert"
+	"testing"
+)
+
+func TestConnStatus_String(t *testing.T) {
+
+	tables := []struct {
+		name   string
+		status ConnStatus
+		want   string
+	}{
+		{"StatusConnected", StatusConnected, "StatusConnected"},
+		{"StatusDisconnected", StatusDisconnected, "StatusDisconnected"},
+		{"StatusConnecting", StatusConnecting, "StatusConnecting"},
+	}
+
+	for _, table := range tables {
+		t.Run(table.name, func(t *testing.T) {
+			got := table.status.String()
+			assert.Equal(t, got, table.want, "they should be equal")
+		})
+	}
+
+}
--- a/client/internal/proxy/dummy.go
+++ b/client/internal/proxy/dummy.go
@@ -66,3 +66,7 @@ func (p *DummyProxy) Start(remoteConn net.Conn) error {

 	return nil
 }
+
+func (p *DummyProxy) Type() Type {
+	return TypeDummy
+}
--- a/client/internal/proxy/noproxy.go
+++ b/client/internal/proxy/noproxy.go
@@ -0,0 +1,52 @@
+package proxy
+
+import (
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/iface"
+	"net"
+)
+
+// NoProxy is used when there is no need for a proxy between ICE and Wireguard.
+// This is possible in either of these cases:
+// - peers are in the same local network
+// - one of the peers has a public static IP (host)
+// NoProxy will just update remote peer with a remote host and fixed Wireguard port (r.g. 51820).
+// In order NoProxy to work, Wireguard port has to be fixed for the time being.
+type NoProxy struct {
+	config Config
+}
+
+func NewNoProxy(config Config) *NoProxy {
+	return &NoProxy{config: config}
+}
+
+func (p *NoProxy) Close() error {
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+// Start just updates Wireguard peer with the remote IP and default Wireguard port
+func (p *NoProxy) Start(remoteConn net.Conn) error {
+
+	log.Debugf("using NoProxy while connecting to peer %s", p.config.RemoteKey)
+	addr, err := net.ResolveUDPAddr("udp", remoteConn.RemoteAddr().String())
+	if err != nil {
+		return err
+	}
+	addr.Port = iface.DefaultWgPort
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		addr, p.config.PreSharedKey)
+
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (p *NoProxy) Type() Type {
+	return TypeNoProxy
+}
--- a/client/internal/proxy/proxy.go
+++ b/client/internal/proxy/proxy.go
@@ -1,6 +1,7 @@
 package proxy

 import (
+	"github.com/wiretrustee/wiretrustee/iface"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"io"
 	"net"
@@ -9,10 +10,18 @@ import (

 const DefaultWgKeepAlive = 25 * time.Second

+type Type string
+
+const (
+	TypeNoProxy   Type = "NoProxy"
+	TypeWireguard Type = "Wireguard"
+	TypeDummy     Type = "Dummy"
+)
+
 type Config struct {
 	WgListenAddr string
 	RemoteKey    string
-	WgInterface  string
+	WgInterface  iface.WGIface
 	AllowedIps   string
 	PreSharedKey *wgtypes.Key
 }
@@ -21,4 +30,5 @@ type Proxy interface {
 	io.Closer
 	// Start creates a local remoteConn and starts proxying data from/to remoteConn
 	Start(remoteConn net.Conn) error
+	Type() Type
 }
--- a/client/internal/proxy/wireguard.go
+++ b/client/internal/proxy/wireguard.go
@@ -3,7 +3,6 @@ package proxy
 import (
 	"context"
 	log "github.com/sirupsen/logrus"
-	"github.com/wiretrustee/wiretrustee/iface"
 	"net"
 )

@@ -25,9 +24,13 @@ func NewWireguardProxy(config Config) *WireguardProxy {
 }

 func (p *WireguardProxy) updateEndpoint() error {
+	udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
+	if err != nil {
+		return err
+	}
 	// add local proxy connection as a Wireguard peer
-	err := iface.UpdatePeer(p.config.WgInterface, p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
-		p.localConn.LocalAddr().String(), p.config.PreSharedKey)
+	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
+		udpAddr, p.config.PreSharedKey)
 	if err != nil {
 		return err
 	}
@@ -65,7 +68,7 @@ func (p *WireguardProxy) Close() error {
 			return err
 		}
 	}
-	err := iface.RemovePeer(p.config.WgInterface, p.config.RemoteKey)
+	err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
 	if err != nil {
 		return err
 	}
@@ -119,3 +122,7 @@ func (p *WireguardProxy) proxyToLocal() {
 		}
 	}
 }
+
+func (p *WireguardProxy) Type() Type {
+	return TypeWireguard
+}
--- a/client/internal/state.go
+++ b/client/internal/state.go
@@ -0,0 +1,67 @@
+package internal
+
+import (
+	"context"
+	"sync"
+)
+
+type StatusType string
+
+const (
+	StatusIdle StatusType = "Idle"
+
+	StatusConnecting StatusType = "Connecting"
+	StatusConnected  StatusType = "Connected"
+)
+
+// CtxInitState setup context state into the context tree.
+//
+// This function should be used to initialize context before
+// CtxGetState will be executed.
+func CtxInitState(ctx context.Context) context.Context {
+	return context.WithValue(ctx, stateCtx, &contextState{
+		status: StatusIdle,
+	})
+}
+
+// CtxGetState object to get/update state/errors of process.
+func CtxGetState(ctx context.Context) *contextState {
+	return ctx.Value(stateCtx).(*contextState)
+}
+
+type contextState struct {
+	err    error
+	status StatusType
+	mutex  sync.Mutex
+}
+
+func (c *contextState) Set(update StatusType) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	c.status = update
+	c.err = nil
+}
+
+func (c *contextState) Status() (StatusType, error) {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	if c.err != nil {
+		return "", c.err
+	}
+
+	return c.status, nil
+}
+
+func (c *contextState) Wrap(err error) error {
+	c.mutex.Lock()
+	defer c.mutex.Unlock()
+
+	c.err = err
+	return err
+}
+
+type stateKey int
+
+var stateCtx stateKey
--- a/client/main.go
+++ b/client/main.go
@@ -1,15 +1,12 @@
 package main

 import (
-	"github.com/wiretrustee/wiretrustee/client/cmd"
 	"os"
+
+	"github.com/wiretrustee/wiretrustee/client/cmd"
 )

-var version = "development"
-
 func main() {
-
-	cmd.Version = version
 	if err := cmd.Execute(); err != nil {
 		os.Exit(1)
 	}
--- a/client/proto/daemon.pb.go
+++ b/client/proto/daemon.pb.go
@@ -0,0 +1,566 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.26.0
+// 	protoc        v3.17.3
+// source: daemon.proto
+
+package proto
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	_ "google.golang.org/protobuf/types/descriptorpb"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type LoginRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// setupKey wiretrustee setup key.
+	SetupKey string `protobuf:"bytes,1,opt,name=setupKey,proto3" json:"setupKey,omitempty"`
+	// presharedKey for wireguard setup.
+	PresharedKey string `protobuf:"bytes,2,opt,name=presharedKey,proto3" json:"presharedKey,omitempty"`
+	// managementUrl to authenticate.
+	ManagementUrl string `protobuf:"bytes,3,opt,name=managementUrl,proto3" json:"managementUrl,omitempty"`
+}
+
+func (x *LoginRequest) Reset() {
+	*x = LoginRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LoginRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LoginRequest) ProtoMessage() {}
+
+func (x *LoginRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LoginRequest.ProtoReflect.Descriptor instead.
+func (*LoginRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *LoginRequest) GetSetupKey() string {
+	if x != nil {
+		return x.SetupKey
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetPresharedKey() string {
+	if x != nil {
+		return x.PresharedKey
+	}
+	return ""
+}
+
+func (x *LoginRequest) GetManagementUrl() string {
+	if x != nil {
+		return x.ManagementUrl
+	}
+	return ""
+}
+
+type LoginResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *LoginResponse) Reset() {
+	*x = LoginResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[1]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *LoginResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*LoginResponse) ProtoMessage() {}
+
+func (x *LoginResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[1]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use LoginResponse.ProtoReflect.Descriptor instead.
+func (*LoginResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{1}
+}
+
+type UpRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *UpRequest) Reset() {
+	*x = UpRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[2]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UpRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpRequest) ProtoMessage() {}
+
+func (x *UpRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[2]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpRequest.ProtoReflect.Descriptor instead.
+func (*UpRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{2}
+}
+
+type UpResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *UpResponse) Reset() {
+	*x = UpResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[3]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *UpResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*UpResponse) ProtoMessage() {}
+
+func (x *UpResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[3]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use UpResponse.ProtoReflect.Descriptor instead.
+func (*UpResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{3}
+}
+
+type StatusRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *StatusRequest) Reset() {
+	*x = StatusRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *StatusRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StatusRequest) ProtoMessage() {}
+
+func (x *StatusRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StatusRequest.ProtoReflect.Descriptor instead.
+func (*StatusRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{4}
+}
+
+type StatusResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// status of the server.
+	Status string `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
+}
+
+func (x *StatusResponse) Reset() {
+	*x = StatusResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *StatusResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*StatusResponse) ProtoMessage() {}
+
+func (x *StatusResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use StatusResponse.ProtoReflect.Descriptor instead.
+func (*StatusResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *StatusResponse) GetStatus() string {
+	if x != nil {
+		return x.Status
+	}
+	return ""
+}
+
+type DownRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DownRequest) Reset() {
+	*x = DownRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DownRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DownRequest) ProtoMessage() {}
+
+func (x *DownRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DownRequest.ProtoReflect.Descriptor instead.
+func (*DownRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{6}
+}
+
+type DownResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DownResponse) Reset() {
+	*x = DownResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_daemon_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DownResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DownResponse) ProtoMessage() {}
+
+func (x *DownResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DownResponse.ProtoReflect.Descriptor instead.
+func (*DownResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{7}
+}
+
+var File_daemon_proto protoreflect.FileDescriptor
+
+var file_daemon_proto_rawDesc = []byte{
+	0x0a, 0x0c, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x06,
+	0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74,
+	0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x74, 0x0a, 0x0c, 0x4c, 0x6f, 0x67, 0x69,
+	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x74, 0x75,
+	0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x74, 0x75,
+	0x70, 0x4b, 0x65, 0x79, 0x12, 0x22, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x73, 0x68, 0x61, 0x72, 0x65,
+	0x64, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x70, 0x72, 0x65, 0x73,
+	0x68, 0x61, 0x72, 0x65, 0x64, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0d, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x0d, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x55, 0x72, 0x6c, 0x22, 0x0f,
+	0x0a, 0x0d, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x0b, 0x0a, 0x09, 0x55, 0x70, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0c, 0x0a, 0x0a,
+	0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x0f, 0x0a, 0x0d, 0x53, 0x74,
+	0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x28, 0x0a, 0x0e, 0x53,
+	0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x16, 0x0a,
+	0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73,
+	0x74, 0x61, 0x74, 0x75, 0x73, 0x22, 0x0d, 0x0a, 0x0b, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x32, 0xe6, 0x01, 0x0a, 0x0d, 0x44, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x53,
+	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x36, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12,
+	0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x4c,
+	0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x2d,
+	0x0a, 0x02, 0x55, 0x70, 0x12, 0x11, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x55, 0x70,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x12, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
+	0x2e, 0x55, 0x70, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x39, 0x0a,
+	0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x15, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e,
+	0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x16,
+	0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x04, 0x44, 0x6f, 0x77, 0x6e,
+	0x12, 0x13, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44, 0x6f, 0x77, 0x6e, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x14, 0x2e, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x2e, 0x44,
+	0x6f, 0x77, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x08, 0x5a,
+	0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+}
+
+var (
+	file_daemon_proto_rawDescOnce sync.Once
+	file_daemon_proto_rawDescData = file_daemon_proto_rawDesc
+)
+
+func file_daemon_proto_rawDescGZIP() []byte {
+	file_daemon_proto_rawDescOnce.Do(func() {
+		file_daemon_proto_rawDescData = protoimpl.X.CompressGZIP(file_daemon_proto_rawDescData)
+	})
+	return file_daemon_proto_rawDescData
+}
+
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_daemon_proto_goTypes = []interface{}{
+	(*LoginRequest)(nil),   // 0: daemon.LoginRequest
+	(*LoginResponse)(nil),  // 1: daemon.LoginResponse
+	(*UpRequest)(nil),      // 2: daemon.UpRequest
+	(*UpResponse)(nil),     // 3: daemon.UpResponse
+	(*StatusRequest)(nil),  // 4: daemon.StatusRequest
+	(*StatusResponse)(nil), // 5: daemon.StatusResponse
+	(*DownRequest)(nil),    // 6: daemon.DownRequest
+	(*DownResponse)(nil),   // 7: daemon.DownResponse
+}
+var file_daemon_proto_depIdxs = []int32{
+	0, // 0: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	2, // 1: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	4, // 2: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	6, // 3: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	1, // 4: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	3, // 5: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	5, // 6: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	7, // 7: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	4, // [4:8] is the sub-list for method output_type
+	0, // [0:4] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_daemon_proto_init() }
+func file_daemon_proto_init() {
+	if File_daemon_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_daemon_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LoginRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*LoginResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UpRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*UpResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*StatusRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*StatusResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DownRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_daemon_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DownResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_daemon_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   8,
+			NumExtensions: 0,
+			NumServices:   1,
+		},
+		GoTypes:           file_daemon_proto_goTypes,
+		DependencyIndexes: file_daemon_proto_depIdxs,
+		MessageInfos:      file_daemon_proto_msgTypes,
+	}.Build()
+	File_daemon_proto = out.File
+	file_daemon_proto_rawDesc = nil
+	file_daemon_proto_goTypes = nil
+	file_daemon_proto_depIdxs = nil
+}
--- a/client/proto/daemon.proto
+++ b/client/proto/daemon.proto
@@ -0,0 +1,49 @@
+syntax = "proto3";
+
+import "google/protobuf/descriptor.proto";
+
+option go_package = "/proto";
+
+package daemon;
+
+service DaemonService {
+  // Login uses setup key to prepare configuration for the daemon.
+  rpc Login(LoginRequest) returns (LoginResponse) {}
+
+  // Up starts engine work in the daemon.
+  rpc Up(UpRequest) returns (UpResponse) {}
+
+  // Status of the service.
+  rpc Status(StatusRequest) returns (StatusResponse) {}
+
+  // Down engine work in the daemon.
+  rpc Down(DownRequest) returns (DownResponse) {}
+};
+
+message LoginRequest {
+  // setupKey wiretrustee setup key.
+  string setupKey = 1;
+
+  // presharedKey for wireguard setup.
+  string presharedKey = 2;
+
+  // managementUrl to authenticate.
+  string managementUrl = 3;
+}
+
+message LoginResponse {}
+
+message UpRequest {}
+
+message UpResponse {}
+
+message StatusRequest{}
+
+message StatusResponse{
+  // status of the server.
+  string status = 1;
+}
+
+message DownRequest {}
+
+message DownResponse {}
--- a/client/proto/daemon_grpc.pb.go
+++ b/client/proto/daemon_grpc.pb.go
@@ -0,0 +1,217 @@
+// Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+
+package proto
+
+import (
+	context "context"
+	grpc "google.golang.org/grpc"
+	codes "google.golang.org/grpc/codes"
+	status "google.golang.org/grpc/status"
+)
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the grpc package it is being compiled against.
+// Requires gRPC-Go v1.32.0 or later.
+const _ = grpc.SupportPackageIsVersion7
+
+// DaemonServiceClient is the client API for DaemonService service.
+//
+// For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
+type DaemonServiceClient interface {
+	// Login uses setup key to prepare configuration for the daemon.
+	Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error)
+	// Up starts engine work in the daemon.
+	Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error)
+	// Status of the service.
+	Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error)
+	// Down engine work in the daemon.
+	Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error)
+}
+
+type daemonServiceClient struct {
+	cc grpc.ClientConnInterface
+}
+
+func NewDaemonServiceClient(cc grpc.ClientConnInterface) DaemonServiceClient {
+	return &daemonServiceClient{cc}
+}
+
+func (c *daemonServiceClient) Login(ctx context.Context, in *LoginRequest, opts ...grpc.CallOption) (*LoginResponse, error) {
+	out := new(LoginResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Login", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Up(ctx context.Context, in *UpRequest, opts ...grpc.CallOption) (*UpResponse, error) {
+	out := new(UpResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Up", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Status(ctx context.Context, in *StatusRequest, opts ...grpc.CallOption) (*StatusResponse, error) {
+	out := new(StatusResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Status", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *daemonServiceClient) Down(ctx context.Context, in *DownRequest, opts ...grpc.CallOption) (*DownResponse, error) {
+	out := new(DownResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/Down", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+// DaemonServiceServer is the server API for DaemonService service.
+// All implementations must embed UnimplementedDaemonServiceServer
+// for forward compatibility
+type DaemonServiceServer interface {
+	// Login uses setup key to prepare configuration for the daemon.
+	Login(context.Context, *LoginRequest) (*LoginResponse, error)
+	// Up starts engine work in the daemon.
+	Up(context.Context, *UpRequest) (*UpResponse, error)
+	// Status of the service.
+	Status(context.Context, *StatusRequest) (*StatusResponse, error)
+	// Down engine work in the daemon.
+	Down(context.Context, *DownRequest) (*DownResponse, error)
+	mustEmbedUnimplementedDaemonServiceServer()
+}
+
+// UnimplementedDaemonServiceServer must be embedded to have forward compatible implementations.
+type UnimplementedDaemonServiceServer struct {
+}
+
+func (UnimplementedDaemonServiceServer) Login(context.Context, *LoginRequest) (*LoginResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Login not implemented")
+}
+func (UnimplementedDaemonServiceServer) Up(context.Context, *UpRequest) (*UpResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Up not implemented")
+}
+func (UnimplementedDaemonServiceServer) Status(context.Context, *StatusRequest) (*StatusResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Status not implemented")
+}
+func (UnimplementedDaemonServiceServer) Down(context.Context, *DownRequest) (*DownResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method Down not implemented")
+}
+func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
+
+// UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
+// Use of this interface is not recommended, as added methods to DaemonServiceServer will
+// result in compilation errors.
+type UnsafeDaemonServiceServer interface {
+	mustEmbedUnimplementedDaemonServiceServer()
+}
+
+func RegisterDaemonServiceServer(s grpc.ServiceRegistrar, srv DaemonServiceServer) {
+	s.RegisterService(&DaemonService_ServiceDesc, srv)
+}
+
+func _DaemonService_Login_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(LoginRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Login(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Login",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Login(ctx, req.(*LoginRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Up_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(UpRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Up(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Up",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Up(ctx, req.(*UpRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Status_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(StatusRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Status(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Status",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Status(ctx, req.(*StatusRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _DaemonService_Down_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DownRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).Down(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/Down",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).Down(ctx, req.(*DownRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+// DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
+// It's only intended for direct use with grpc.RegisterService,
+// and not to be introspected or modified (even as a copy)
+var DaemonService_ServiceDesc = grpc.ServiceDesc{
+	ServiceName: "daemon.DaemonService",
+	HandlerType: (*DaemonServiceServer)(nil),
+	Methods: []grpc.MethodDesc{
+		{
+			MethodName: "Login",
+			Handler:    _DaemonService_Login_Handler,
+		},
+		{
+			MethodName: "Up",
+			Handler:    _DaemonService_Up_Handler,
+		},
+		{
+			MethodName: "Status",
+			Handler:    _DaemonService_Status_Handler,
+		},
+		{
+			MethodName: "Down",
+			Handler:    _DaemonService_Down_Handler,
+		},
+	},
+	Streams:  []grpc.StreamDesc{},
+	Metadata: "daemon.proto",
+}
--- a/client/proto/generate.sh
+++ b/client/proto/generate.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@v1.1
+protoc -I proto/ proto/daemon.proto --go_out=. --go-grpc_out=.
--- a/client/resources.rc
+++ b/client/resources.rc
@@ -5,5 +5,5 @@
 #define STRINGIZE(x) #x
 #define EXPAND(x) STRINGIZE(x)
 CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
-wintun.dll RCDATA wintun.dll
-
+7 ICON ui/wiretrustee.ico
+wireguard.dll RCDATA wireguard.dll
--- a/client/resources_windows_amd64.syso
+++ b/client/resources_windows_amd64.syso
--- a/client/server/server.go
+++ b/client/server/server.go
@@ -0,0 +1,166 @@
+package server
+
+import (
+	"context"
+	"fmt"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"github.com/wiretrustee/wiretrustee/client/proto"
+)
+
+// Server for service control.
+type Server struct {
+	rootCtx   context.Context
+	actCancel context.CancelFunc
+
+	managementURL string
+	configPath    string
+	stopCh        chan int
+	cleanupCh     chan<- struct{}
+
+	mutex  sync.Mutex
+	config *internal.Config
+	proto.UnimplementedDaemonServiceServer
+}
+
+// New server instance constructor.
+func New(
+	ctx context.Context, managementURL, configPath string,
+	stopCh chan int, cleanupCh chan<- struct{},
+) *Server {
+	return &Server{
+		rootCtx:       ctx,
+		managementURL: managementURL,
+		configPath:    configPath,
+		stopCh:        stopCh,
+		cleanupCh:     cleanupCh,
+	}
+}
+
+func (s *Server) Start() error {
+	state := internal.CtxGetState(s.rootCtx)
+
+	// if current state contains any error, return it
+	// in all other cases we can continue execution only if status is idle and up command was
+	// not in the progress or already successfully estabilished connection.
+	status, err := state.Status()
+	if err != nil {
+		return err
+	}
+
+	if status != internal.StatusIdle {
+		return nil
+	}
+
+	ctx, cancel := context.WithCancel(s.rootCtx)
+	s.actCancel = cancel
+
+	// if configuration exists, we just start connections.
+	config, err := internal.ReadConfig(s.managementURL, s.configPath)
+	if err != nil {
+		log.Warnf("no config file, skip connection stage: %v", err)
+		return nil
+	}
+
+	go func() {
+		if err := internal.RunClient(ctx, config, s.stopCh, s.cleanupCh); err != nil {
+			log.Errorf("init connections: %v", err)
+		}
+	}()
+
+	return nil
+}
+
+// Login uses setup key to prepare configuration for the daemon.
+func (s *Server) Login(_ context.Context, msg *proto.LoginRequest) (*proto.LoginResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	managementURL := s.managementURL
+	if msg.ManagementUrl != "" {
+		managementURL = msg.ManagementUrl
+	}
+
+	config, err := internal.GetConfig(managementURL, s.configPath, msg.PresharedKey)
+	if err != nil {
+		return nil, err
+	}
+	s.config = config
+
+	// login operation uses backoff scheme to connect to management API
+	// we don't wait for result and return response immediately.
+	if err := internal.Login(s.rootCtx, s.config, msg.SetupKey); err != nil {
+		log.Errorf("failed login: %v", err)
+		return nil, err
+	}
+
+	return &proto.LoginResponse{}, nil
+}
+
+// Up starts engine work in the daemon.
+func (s *Server) Up(_ context.Context, msg *proto.UpRequest) (*proto.UpResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	state := internal.CtxGetState(s.rootCtx)
+
+	// if current state contains any error, return it
+	// in all other cases we can continue execution only if status is idle and up command was
+	// not in the progress or already successfully estabilished connection.
+	status, err := state.Status()
+	if err != nil {
+		return nil, err
+	}
+	if status != internal.StatusIdle {
+		return nil, fmt.Errorf("up already in progress: current status %s", status)
+	}
+
+	// it should be nill here, but .
+	if s.actCancel != nil {
+		s.actCancel()
+	}
+	ctx, cancel := context.WithCancel(s.rootCtx)
+	s.actCancel = cancel
+
+	if s.config == nil {
+		return nil, fmt.Errorf("config is not defined, please call login command first")
+	}
+
+	go func() {
+		if err := internal.RunClient(ctx, s.config, s.stopCh, s.cleanupCh); err != nil {
+			log.Errorf("run client connection: %v", state.Wrap(err))
+			return
+		}
+	}()
+
+	return &proto.UpResponse{}, nil
+}
+
+// Down dengine work in the daemon.
+func (s *Server) Down(ctx context.Context, msg *proto.DownRequest) (*proto.DownResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	if s.actCancel == nil {
+		return nil, fmt.Errorf("service is not up")
+	}
+	s.actCancel()
+
+	return &proto.DownResponse{}, nil
+}
+
+// Status starts engine work in the daemon.
+func (s *Server) Status(ctx context.Context, msg *proto.StatusRequest) (*proto.StatusResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	status, err := internal.CtxGetState(s.rootCtx).Status()
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.StatusResponse{Status: string(status)}, nil
+}
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -1,14 +1,23 @@
 package system

+// this is the wiretrustee version
+// will be replaced with the release version when using goreleaser
+var version = "development"
+
 //Info is an object that contains machine information
 // Most of the code is taken from https://github.com/matishsiao/goInfo
 type Info struct {
-	GoOS      string
-	Kernel    string
-	Core      string
-	Platform  string
-	OS        string
-	OSVersion string
-	Hostname  string
-	CPUs      int
+	GoOS               string
+	Kernel             string
+	Core               string
+	Platform           string
+	OS                 string
+	OSVersion          string
+	Hostname           string
+	CPUs               int
+	WiretrusteeVersion string
+}
+
+func WiretrusteeVersion() string {
+	return version
 }
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -21,6 +21,7 @@ func GetInfo() *Info {
 	osInfo := strings.Split(osStr, " ")
 	gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = WiretrusteeVersion()
 	return gio
 }

--- a/client/system/info_freebsd.go
+++ b/client/system/info_freebsd.go
@@ -21,6 +21,7 @@ func GetInfo() *Info {
 	osInfo := strings.Split(osStr, " ")
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = WiretrusteeVersion()
 	return gio
 }

--- a/client/system/info_linux.go
+++ b/client/system/info_linux.go
@@ -44,6 +44,8 @@ func GetInfo() *Info {
 	}
 	gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = WiretrusteeVersion()
+
 	return gio
 }

--- a/client/system/info_test.go
+++ b/client/system/info_test.go
@@ -0,0 +1,13 @@
+package system
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_LocalVersion(t *testing.T) {
+	got := GetInfo()
+	want := "development"
+	assert.Equal(t, want, got.WiretrusteeVersion)
+}
--- a/client/system/info_windows.go
+++ b/client/system/info_windows.go
@@ -31,5 +31,7 @@ func GetInfo() *Info {
 	}
 	gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
 	gio.Hostname, _ = os.Hostname()
+	gio.WiretrusteeVersion = WiretrusteeVersion()
+
 	return gio
 }
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -0,0 +1,96 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"io/ioutil"
+	"time"
+
+	"github.com/getlantern/systray"
+	log "github.com/sirupsen/logrus"
+	"github.com/skratchdot/open-golang/open"
+	"github.com/wiretrustee/wiretrustee/client/internal"
+	"github.com/wiretrustee/wiretrustee/client/proto"
+	"github.com/wiretrustee/wiretrustee/client/ui/config"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func main() {
+	systray.Run(onReady, nil)
+}
+
+// TODO: implementation for SSO Logins
+func onReady() {
+	wtIcon, err := ioutil.ReadFile("wiretrustee.ico")
+	if err != nil {
+		log.Warn(err)
+	}
+	if wtIcon != nil {
+		systray.SetTemplateIcon(wtIcon, wtIcon)
+	}
+
+	go func() {
+		up := systray.AddMenuItem("Up", "Up")
+		down := systray.AddMenuItem("Down", "Down")
+
+		mUrl := systray.AddMenuItem("Open UI", "wiretrustee website")
+		systray.AddSeparator()
+
+		mQuitOrig := systray.AddMenuItem("Quit", "Quit the whole app")
+		go func() {
+			<-mQuitOrig.ClickedCh
+			fmt.Println("Requesting quit")
+			systray.Quit()
+			fmt.Println("Finished quitting")
+		}()
+
+		for {
+			select {
+			case <-mUrl.ClickedCh:
+				open.Run("https://app.wiretrustee.com")
+			case <-up.ClickedCh:
+				upCmdExec()
+			case <-down.ClickedCh:
+				fmt.Println("Clicked down")
+			}
+		}
+	}()
+}
+
+func handleUp() {
+	// This is where
+}
+
+func upCmdExec() {
+	log.Println("executing up command..")
+	cfg := config.Config()
+
+	ctx := internal.CtxInitState(context.Background())
+
+	conn, err := grpc.DialContext(ctx, cfg.DaemonAddr(),
+		grpc.WithTimeout(5*time.Second),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithBlock())
+	if err != nil {
+		log.Errorf("failed to connect to service CLI interface; %v", err)
+		return
+	}
+	daemonClient := proto.NewDaemonServiceClient(conn)
+
+	status, err := daemonClient.Status(ctx, &proto.StatusRequest{})
+	if err != nil {
+		log.Errorf("get status: %v", err)
+		return
+	}
+
+	if status.Status != string(internal.StatusIdle) {
+		log.Warnf("already connected")
+		return
+	}
+	_, err = daemonClient.Up(ctx, &proto.UpRequest{})
+	if err != nil {
+		log.Errorf("Failed to start up client; %v", err)
+		return
+	}
+}
--- a/client/ui/config/config.go
+++ b/client/ui/config/config.go
@@ -0,0 +1,41 @@
+package config
+
+import (
+	"os"
+	"runtime"
+)
+
+type ClientConfig struct {
+	configPath string
+	logFile    string
+	daemonAddr string
+}
+
+// We are creating this package to extract utility functions from the cmd package
+// reading and parsing the configurations for the client should be done here
+func Config() *ClientConfig {
+	defaultConfigPath := "/etc/wiretrustee/config.json"
+	defaultLogFile := "/var/log/wiretrustee/client.log"
+	if runtime.GOOS == "windows" {
+		defaultConfigPath = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "config.json"
+		defaultLogFile = os.Getenv("PROGRAMDATA") + "\\Wiretrustee\\" + "client.log"
+	}
+
+	defaultDaemonAddr := "unix:///var/run/wiretrustee.sock"
+	if runtime.GOOS == "windows" {
+		defaultDaemonAddr = "tcp://127.0.0.1:41731"
+	}
+	return &ClientConfig{
+		configPath: defaultConfigPath,
+		logFile:    defaultLogFile,
+		daemonAddr: defaultDaemonAddr,
+	}
+}
+
+func (c *ClientConfig) DaemonAddr() string {
+	return c.daemonAddr
+}
+
+func (c *ClientConfig) LogFile() string {
+	return c.logFile
+}
--- a/client/wireguard_nt.sh
+++ b/client/wireguard_nt.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+ldir=$PWD
+tmp_dir_path=$ldir/.distfiles
+winnt=wireguard-nt.zip
+download_file_path=$tmp_dir_path/$winnt
+download_url=https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip
+download_sha=772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605
+
+function resources_windows(){
+  cmd=$1
+  arch=$2
+  out=$3
+  docker run -i --rm -v $PWD:$PWD -w $PWD mstorsjo/llvm-mingw:latest $cmd -O coff -c 65001 -I $tmp_dir_path/wireguard-nt/bin/$arch -i resources.rc -o $out
+}
+
+mkdir -p $tmp_dir_path
+curl -L#o $download_file_path.unverified $download_url
+echo "$download_sha  $download_file_path.unverified" | sha256sum -c
+mv $download_file_path.unverified $download_file_path
+
+mkdir -p .deps
+unzip $download_file_path -d $tmp_dir_path
+
+resources_windows i686-w64-mingw32-windres x86 resources_windows_386.syso
+resources_windows aarch64-w64-mingw32-windres arm64 resources_windows_arm64.syso
+resources_windows x86_64-w64-mingw32-windres amd64 resources_windows_amd64.syso
--- a/docs/self-hosting.md
+++ b/docs/self-hosting.md
@@ -6,7 +6,7 @@ a 3rd party open-source STUN/TURN service [Coturn](https://github.com/coturn/cot

 All the components can be self-hosted except for the Auth0 service.
 We chose Auth0 to "outsource" the user management part of the platform because we believe that implementing a proper user auth requires significant amount of time to make it right. 
-We focused on connectivity instead.
+We focused on connectivity instead. It also offers an always free plan that should be ok for most users as its limits are high enough for most teams.

 If you would like to learn more about the architecture please refer to the [Wiretrustee Architecture section](architecture.md).

@@ -17,10 +17,11 @@ If you would like to learn more about the architecture please refer to the [Wire
 ### Requirements

 - Virtual machine offered by any cloud provider (e.g., AWS, DigitalOcean, Hetzner, Google Cloud, Azure ...). 
- Any Linux OS.
+- Any Unix OS.
 - Docker Compose installed (see [Install Docker Compose](https://docs.docker.com/compose/install/)).
 - Domain name pointing to the public IP address of your server.
- Open ports ```443, 33071, 33073, 10000, 3478``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc, Coturn STUN/TURN respectively) on your server.
+- Wiretrustee Open ports ```443, 33071, 33073, 10000``` (Dashboard, Management HTTP API, Management gRpc API, Signal gRpc) on your server. 
+- Coturn is used for relay using the STUN/TURN protocols. It requires a listening port, ```UDP 3478```,  and range of ports,```UDP 49152-65535```, for dynamic relay connections.
 - Maybe a cup of coffee or tea :)

 ### Step-by-step guide
@@ -41,7 +42,7 @@ For this tutorial we will be using domain ```test.wiretrustee.com``` which point
   ```
 3. Prepare configuration files.
   
-   To simplify the setup we have prepared a script to substitute required properties in the [docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
+   To simplify the setup we have prepared a script to substitute required properties in the [turnserver.conf.tmpl](../infrastructure_files/turnserver.conf.tmpl),[docker-compose.yml.tmpl](../infrastructure_files/docker-compose.yml.tmpl) and [management.json.tmpl](../infrastructure_files/management.json.tmpl) files.
   
   The [setup.env](../infrastructure_files/setup.env) file contains the following properties that have to be filled:
   
@@ -57,8 +58,9 @@ For this tutorial we will be using domain ```test.wiretrustee.com``` which point
   # e.g. hello@mydomain.com
   WIRETRUSTEE_LETSENCRYPT_EMAIL=""
   ```
+   > Other options are available, but they are automatically updated.
   
-   Please follow the steps to get the values.
+   Please follow the steps to get the values. 

 4. Configure ```WIRETRUSTEE_AUTH0_DOMAIN``` ```WIRETRUSTEE_AUTH0_CLIENT_ID``` ```WIRETRUSTEE_AUTH0_AUDIENCE``` properties.          
   
@@ -94,3 +96,9 @@ For this tutorial we will be using domain ```test.wiretrustee.com``` which point
    docker-compose logs management
    docker-compose logs coturn
    docker-compose logs dashboard
+
+10. Once the server is running, you can access the dashboard by https://$WIRETRUSTEE_DOMAIN
+11. Adding a peer will require you to enter the management URL by following the steps in the page https://$WIRETRUSTEE_DOMAIN/add-peer and in the 3rd step:
+```shell
+sudo wiretrustee up --setup-key <PASTE-SETUP-KEY> --management-url https://$WIRETRUSTEE_DOMAIN:33073
+```
--- a/go.mod
+++ b/go.mod
@@ -17,21 +17,35 @@ require (
 	github.com/spf13/cobra v1.3.0
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.1.0
-	golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
+	golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838
 	golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
-	golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19
-	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c
-	golang.zx2c4.com/wireguard/windows v0.4.5
+	golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434
+	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
+	golang.zx2c4.com/wireguard/windows v0.5.1
 	google.golang.org/grpc v1.43.0
 	google.golang.org/protobuf v1.27.1
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )

-require github.com/rs/xid v1.3.0
+require (
+	github.com/getlantern/systray v1.2.0
+	github.com/magiconair/properties v1.8.5
+	github.com/rs/xid v1.3.0
+	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
+	github.com/stretchr/testify v1.7.0
+)

 require (
 	github.com/BurntSushi/toml v0.4.1 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
+	github.com/getlantern/context v0.0.0-20190109183933-c447772a6520 // indirect
+	github.com/getlantern/errors v0.0.0-20190325191628-abdb3e3e36f7 // indirect
+	github.com/getlantern/golog v0.0.0-20190830074920-4ef2e798c2d7 // indirect
+	github.com/getlantern/hex v0.0.0-20190417191902-c6586a6fe0b7 // indirect
+	github.com/getlantern/hidden v0.0.0-20190325191715-f02dbb02be55 // indirect
+	github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f // indirect
+	github.com/go-stack/stack v1.8.0 // indirect
 	github.com/google/go-cmp v0.5.6 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/josharian/native v0.0.0-20200817173448-b6b71def0850 // indirect
@@ -39,22 +53,29 @@ require (
 	github.com/mdlayher/netlink v1.4.2 // indirect
 	github.com/mdlayher/socket v0.0.0-20211102153432-57e3fa563ecb // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/pion/dtls/v2 v2.0.12 // indirect
+	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
+	github.com/pion/dtls/v2 v2.1.2 // indirect
 	github.com/pion/logging v0.2.2 // indirect
 	github.com/pion/mdns v0.0.5 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
 	github.com/pion/stun v0.3.5 // indirect
-	github.com/pion/transport v0.12.3 // indirect
-	github.com/pion/turn/v2 v2.0.5 // indirect
+	github.com/pion/transport v0.13.0 // indirect
+	github.com/pion/turn/v2 v2.0.7 // indirect
 	github.com/pion/udp v0.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
 	golang.org/x/mod v0.5.1 // indirect
-	golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b // indirect
+	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
 	golang.org/x/tools v0.1.8 // indirect
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d // indirect
+	golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
 	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 	honnef.co/go/tools v0.2.2 // indirect
 )
+
+replace github.com/pion/ice/v2 => github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb
--- a/go.sum
+++ b/go.sum
@@ -116,6 +116,20 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
 github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
+github.com/getlantern/context v0.0.0-20190109183933-c447772a6520 h1:NRUJuo3v3WGC/g5YiyF790gut6oQr5f3FBI88Wv0dx4=
+github.com/getlantern/context v0.0.0-20190109183933-c447772a6520/go.mod h1:L+mq6/vvYHKjCX2oez0CgEAJmbq1fbb/oNJIWQkBybY=
+github.com/getlantern/errors v0.0.0-20190325191628-abdb3e3e36f7 h1:6uJ+sZ/e03gkbqZ0kUG6mfKoqDb4XMAzMIwlajq19So=
+github.com/getlantern/errors v0.0.0-20190325191628-abdb3e3e36f7/go.mod h1:l+xpFBrCtDLpK9qNjxs+cHU6+BAdlBaxHqikB6Lku3A=
+github.com/getlantern/golog v0.0.0-20190830074920-4ef2e798c2d7 h1:guBYzEaLz0Vfc/jv0czrr2z7qyzTOGC9hiQ0VC+hKjk=
+github.com/getlantern/golog v0.0.0-20190830074920-4ef2e798c2d7/go.mod h1:zx/1xUUeYPy3Pcmet8OSXLbF47l+3y6hIPpyLWoR9oc=
+github.com/getlantern/hex v0.0.0-20190417191902-c6586a6fe0b7 h1:micT5vkcr9tOVk1FiH8SWKID8ultN44Z+yzd2y/Vyb0=
+github.com/getlantern/hex v0.0.0-20190417191902-c6586a6fe0b7/go.mod h1:dD3CgOrwlzca8ed61CsZouQS5h5jIzkK9ZWrTcf0s+o=
+github.com/getlantern/hidden v0.0.0-20190325191715-f02dbb02be55 h1:XYzSdCbkzOC0FDNrgJqGRo8PCMFOBFL9py72DRs7bmc=
+github.com/getlantern/hidden v0.0.0-20190325191715-f02dbb02be55/go.mod h1:6mmzY2kW1TOOrVy+r41Za2MxXM+hhqTtY3oBKd2AgFA=
+github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f h1:wrYrQttPS8FHIRSlsrcuKazukx/xqO/PpLZzZXsF+EA=
+github.com/getlantern/ops v0.0.0-20190325191751-d70cb0d6f85f/go.mod h1:D5ao98qkA6pxftxoqzibIBBrLSUli+kYnJqrgBf9cIA=
+github.com/getlantern/systray v1.2.0 h1:MsAdOcmOnm4V+r3HFONDszdZeoj7E3q2dEvsPdsxXtI=
+github.com/getlantern/systray v1.2.0/go.mod h1:AecygODWIsBquJCJFop8MEQcJbWFfw/1yWbVabNgpCM=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
 github.com/gin-gonic/gin v1.5.0/go.mod h1:Nd6IXA8m5kNZdNEHMBd93KT+mdY3+bewLgRvmCsR2Do=
@@ -128,6 +142,7 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-playground/locales v0.12.1/go.mod h1:IUMDtCfWo/w/mtMfIE/IG2K+Ey3ygWanZIBtBW0W2TM=
 github.com/go-playground/universal-translator v0.16.0/go.mod h1:1AnU7NaIRDWWzGEKwgtJRd2xk99HeFyHw3yid4rvQIY=
+github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
@@ -287,6 +302,7 @@ github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdA
 github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
 github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
+github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -352,13 +368,13 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.17.0 h1:9Luw4uT5HTjHTN8+aNcSThgH1vdXnmdJ8xIfZ4wyTRE=
 github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c h1:rp5dCmg/yLR3mgFuSOe4oEnDDmGLROTvMragMUXpTQw=
+github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c/go.mod h1:X07ZCGwUbLaax7L0S3Tw4hpejzu63ZrrQiUe6W0hcy0=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pion/dtls/v2 v2.0.12 h1:QMSvNht7FM/XDXij3Ic90SCbl5yL7kppeI4ghfF4in8=
-github.com/pion/dtls/v2 v2.0.12/go.mod h1:5Pe3QJI0Ajsx+uCfxREeewGFlKYBzLrXe9ku7Y0oRXM=
-github.com/pion/ice/v2 v2.1.17 h1:z7aBWgs85AEeRgtj0bHnCrShzaGnZ/RS4pMoRmbYxtY=
-github.com/pion/ice/v2 v2.1.17/go.mod h1:M0MJ/tBR3IyDcaJv49hAiHEzaVBqWCV/MuWqIffBsrw=
+github.com/pion/dtls/v2 v2.1.2 h1:22Q1Jk9L++Yo7BIf9130MonNPfPVb+YgdYLeyQotuAA=
+github.com/pion/dtls/v2 v2.1.2/go.mod h1:o6+WvyLDAlXF7YiPB/RlskRoeK+/JtuaZa5emwQcWus=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
 github.com/pion/mdns v0.0.5 h1:Q2oj/JB3NqfzY9xGZ1fPzZzK7sDSD8rZPOvcIQ10BCw=
@@ -367,12 +383,11 @@ github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA=
 github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8=
 github.com/pion/stun v0.3.5 h1:uLUCBCkQby4S1cf6CGuR9QrVOKcvUwFeemaC865QHDg=
 github.com/pion/stun v0.3.5/go.mod h1:gDMim+47EeEtfWogA37n6qXZS88L5V6LqFcf+DZA2UA=
-github.com/pion/transport v0.10.1/go.mod h1:PBis1stIILMiis0PewDw91WJeLJkyIMcEk+DwKOzf4A=
 github.com/pion/transport v0.12.2/go.mod h1:N3+vZQD9HlDP5GWkZ85LohxNsDcNgofQmyL6ojX5d8Q=
-github.com/pion/transport v0.12.3 h1:vdBfvfU/0Wq8kd2yhUMSDB/x+O4Z9MYVl2fJ5BT4JZw=
-github.com/pion/transport v0.12.3/go.mod h1:OViWW9SP2peE/HbwBvARicmAVnesphkNkCVZIWJ6q9A=
-github.com/pion/turn/v2 v2.0.5 h1:iwMHqDfPEDEOFzwWKT56eFmh6DYC6o/+xnLAEzgISbA=
-github.com/pion/turn/v2 v2.0.5/go.mod h1:APg43CFyt/14Uy7heYUOGWdkem/Wu4PhCO/bjyrTqMw=
+github.com/pion/transport v0.13.0 h1:KWTA5ZrQogizzYwPEciGtHPLwpAjE91FgXnyu+Hv2uY=
+github.com/pion/transport v0.13.0/go.mod h1:yxm9uXpK9bpBBWkITk13cLo1y5/ur5VQpG22ny6EP7g=
+github.com/pion/turn/v2 v2.0.7 h1:SZhc00WDovK6czaN1RSiHqbwANtIO6wfZQsU0m0KNE8=
+github.com/pion/turn/v2 v2.0.7/go.mod h1:+y7xl719J8bAEVpSXBXvTxStjJv3hbz9YFflvkpcGPw=
 github.com/pion/udp v0.1.1 h1:8UAPvyqmsxK8oOjloDk4wUt63TzFe9WEJkg5lChlj7o=
 github.com/pion/udp v0.1.1/go.mod h1:6AFo+CMdKQm7UiA0eUPA8/eVCTx8jBIITLZHc9DWX5M=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -408,6 +423,8 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
+github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
@@ -435,6 +452,8 @@ github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJ
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb h1:CU1/+CEeCPvYXgfAyqTJXSQSf6hW3wsWM6Dfz6HkHEQ=
+github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb/go.mod h1:XT1Nrb4OxbVFPffbQMbq4PaeEkpRLVzdphh3fjrw7DY=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -465,13 +484,12 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
-golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838 h1:71vQrMauZZhcTVK6KdYM+rklehEEwb3E+ZhaE5jrPrE=
+golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -559,18 +577,18 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
 golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
 golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210504132125-bbd867fde50d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b h1:MWaHNqZy3KTpuTMAGvv+Kw+ylsEpmyJZizz1dqxnu28=
 golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk=
+golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -663,13 +681,11 @@ golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210309040221-94ec62e08169/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -687,12 +703,15 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -701,8 +720,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
 golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -771,13 +790,17 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.zx2c4.com/wireguard v0.0.0-20210427022245-097af6e1351b/go.mod h1:a057zjmoc00UN7gVkaJt2sXVK523kMJcogDTEvPIasg=
-golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19 h1:ab2jcw2W91Rz07eHAb8Lic7sFQKO0NhBftjv6m/gL/0=
-golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c h1:ADNrRDI5NR23/TUCnEmlLZLt4u9DnZ2nwRkPrAcFvto=
-golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c/go.mod h1:+1XihzyZUBJcSc5WO9SwNA7v26puQwOEDwanaxfNXPQ=
-golang.zx2c4.com/wireguard/windows v0.4.5 h1:btpw+5IM8UrSl5SILCODt1bXTM2qYpcaYArM6wDlwHA=
-golang.zx2c4.com/wireguard/windows v0.4.5/go.mod h1:LdS2bRTWu//RpztraGz5ZkPZul60cCbmgtLTPSKrS50=
+golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d h1:9+v0G0naRhLPOJEeJOL6NuXTtAHHwmkyZlgQJ0XcQ8I=
+golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg=
+golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
+golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
+golang.zx2c4.com/wireguard v0.0.0-20211129173154-2dd424e2d808/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
+golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434 h1:3zl8RkJNQ8wfPRomwv/6DBbH2Ut6dgMaWTxM0ZunWnE=
+golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de h1:qDZ+lyO5jC9RNJ7ANJA0GWXk3pSn0Fu5SlcAIlgw+6w=
+golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de/go.mod h1:Q2XNgour4QSkFj0BWCkVlW0HWJwQgNMsMahpSlI0Eno=
+golang.zx2c4.com/wireguard/windows v0.5.1 h1:OnYw96PF+CsIMrqWo5QP3Q59q5hY1rFErk/yN3cS+JQ=
+golang.zx2c4.com/wireguard/windows v0.5.1/go.mod h1:EApyTk/ZNrkbZjurHL1nleDYnsPpJYBO7LZEBCyDAHk=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
--- a/iface/configuration.go
+++ b/iface/configuration.go
@@ -0,0 +1,133 @@
+package iface
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"time"
+)
+
+// configureDevice configures the wireguard device
+func (w *WGIface) configureDevice(config wgtypes.Config) error {
+	wg, err := wgctrl.New()
+	if err != nil {
+		return err
+	}
+	defer wg.Close()
+
+	// validate if device with name exists
+	_, err = wg.Device(w.Name)
+	if err != nil {
+		return err
+	}
+	log.Debugf("got Wireguard device %s", w.Name)
+
+	return wg.ConfigureDevice(w.Name, config)
+}
+
+// Configure configures a Wireguard interface
+// The interface must exist before calling this method (e.g. call interface.Create() before)
+func (w *WGIface) Configure(privateKey string, port int) error {
+
+	log.Debugf("configuring Wireguard interface %s", w.Name)
+
+	log.Debugf("adding Wireguard private key")
+	key, err := wgtypes.ParseKey(privateKey)
+	if err != nil {
+		return err
+	}
+	fwmark := 0
+	config := wgtypes.Config{
+		PrivateKey:   &key,
+		ReplacePeers: true,
+		FirewallMark: &fwmark,
+		ListenPort:   &port,
+	}
+
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while configuring interface %s with port %d", err, w.Name, port)
+	}
+	return nil
+}
+
+// GetListenPort returns the listening port of the Wireguard endpoint
+func (w *WGIface) GetListenPort() (*int, error) {
+	log.Debugf("getting Wireguard listen port of interface %s", w.Name)
+
+	//discover Wireguard current configuration
+	wg, err := wgctrl.New()
+	if err != nil {
+		return nil, err
+	}
+	defer wg.Close()
+
+	d, err := wg.Device(w.Name)
+	if err != nil {
+		return nil, err
+	}
+	log.Debugf("got Wireguard device listen port %s, %d", w.Name, d.ListenPort)
+
+	return &d.ListenPort, nil
+}
+
+// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
+// Endpoint is optional
+func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+
+	log.Debugf("updating interface %s peer %s: endpoint %s ", w.Name, peerKey, endpoint)
+
+	//parse allowed ips
+	_, ipNet, err := net.ParseCIDR(allowedIps)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:                   peerKeyParsed,
+		ReplaceAllowedIPs:           true,
+		AllowedIPs:                  []net.IPNet{*ipNet},
+		PersistentKeepaliveInterval: &keepAlive,
+		PresharedKey:                preSharedKey,
+		Endpoint:                    endpoint,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while updating peer on interface %s with settings: allowed ips %s, endpoint %s", err, w.Name, allowedIps, endpoint.String())
+	}
+	return nil
+}
+
+// RemovePeer removes a Wireguard Peer from the interface iface
+func (w *WGIface) RemovePeer(peerKey string) error {
+	log.Debugf("Removing peer %s from interface %s ", peerKey, w.Name)
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+
+	peer := wgtypes.PeerConfig{
+		PublicKey: peerKeyParsed,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	err = w.configureDevice(config)
+	if err != nil {
+		return fmt.Errorf("received error \"%v\" while removing peer %s from interface %s", err, peerKey, w.Name)
+	}
+	return nil
+}
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -1,78 +1,52 @@
 package iface

 import (
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-	"golang.zx2c4.com/wireguard/device"
-	"golang.zx2c4.com/wireguard/tun"
 	"golang.zx2c4.com/wireguard/wgctrl"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"net"
-	"time"
+	"os"
+	"runtime"
 )

 const (
-	defaultMTU = 1280
+	DefaultMTU = 1280
+	DefaultWgPort = 51820
 )

-var (
-	tunIface tun.Device
-)
-
-// CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
-func CreateWithUserspace(iface string, address string) error {
-	var err error
-	tunIface, err = tun.CreateTUN(iface, defaultMTU)
-	if err != nil {
-		return err
-	}
-
-	// We need to create a wireguard-go device and listen to configuration requests
-	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
-	err = tunDevice.Up()
-	if err != nil {
-		return err
-	}
-	uapi, err := getUAPI(iface)
-	if err != nil {
-		return err
-	}
-
-	go func() {
-		for {
-			uapiConn, err := uapi.Accept()
-			if err != nil {
-				log.Debugln("uapi Accept failed with error: ", err)
-				continue
-			}
-			go tunDevice.IpcHandle(uapiConn)
-		}
-	}()
-
-	log.Debugln("UAPI listener started")
-
-	err = assignAddr(address, iface)
-	if err != nil {
-		return err
-	}
-	return nil
+// WGIface represents a interface instance
+type WGIface struct {
+	Name      string
+	Port      int
+	MTU       int
+	Address   WGAddress
+	Interface NetInterface
 }

-// configure peer for the wireguard device
-func configureDevice(iface string, config wgtypes.Config) error {
-	wg, err := wgctrl.New()
-	if err != nil {
-		return err
-	}
-	defer wg.Close()
+// WGAddress Wireguard parsed address
+type WGAddress struct {
+	IP      net.IP
+	Network *net.IPNet
+}

-	_, err = wg.Device(iface)
-	if err != nil {
-		return err
-	}
-	log.Debugf("got Wireguard device %s", iface)
+// NetInterface represents a generic network tunnel interface
+type NetInterface interface {
+	Close() error
+}

-	return wg.ConfigureDevice(iface, config)
+// NewWGIface Creates a new Wireguard interface instance
+func NewWGIface(iface string, address string, mtu int) (WGIface, error) {
+	wgIface := WGIface{
+		Name: iface,
+		MTU:  mtu,
+	}
+
+	wgAddress, err := parseAddress(address)
+	if err != nil {
+		return wgIface, err
+	}
+
+	wgIface.Address = wgAddress
+
+	return wgIface, nil
 }

 // Exists checks whether specified Wireguard device exists or not
@@ -99,140 +73,35 @@ func Exists(iface string) (*bool, error) {
 	return &exists, nil
 }

-// Configure configures a Wireguard interface
-// The interface must exist before calling this method (e.g. call interface.Create() before)
-func Configure(iface string, privateKey string, port int) error {
-
-	log.Debugf("configuring Wireguard interface %s", iface)
-
-	log.Debugf("adding Wireguard private key")
-	key, err := wgtypes.ParseKey(privateKey)
+// parseAddress parse a string ("1.2.3.4/24") address to WG Address
+func parseAddress(address string) (WGAddress, error) {
+	ip, network, err := net.ParseCIDR(address)
 	if err != nil {
-		return err
+		return WGAddress{}, err
 	}
-	fwmark := 0
-	config := wgtypes.Config{
-		PrivateKey:   &key,
-		ReplacePeers: false,
-		FirewallMark: &fwmark,
-		ListenPort:   &port,
-	}
-
-	return configureDevice(iface, config)
+	return WGAddress{
+		IP:      ip,
+		Network: network,
+	}, nil
 }

-// GetListenPort returns the listening port of the Wireguard endpoint
-func GetListenPort(iface string) (*int, error) {
-	log.Debugf("getting Wireguard listen port of interface %s", iface)
+// Closes the tunnel interface
+func (w *WGIface) Close() error {

-	//discover Wireguard current configuration
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, err
-	}
-	defer wg.Close()
-
-	d, err := wg.Device(iface)
-	if err != nil {
-		return nil, err
-	}
-	log.Debugf("got Wireguard device listen port %s, %d", iface, d.ListenPort)
-
-	return &d.ListenPort, nil
-}
-
-// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
-// Endpoint is optional
-func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.Duration, endpoint string, preSharedKey *wgtypes.Key) error {
-
-	log.Debugf("updating interface %s peer %s: endpoint %s ", iface, peerKey, endpoint)
-
-	//parse allowed ips
-	_, ipNet, err := net.ParseCIDR(allowedIps)
+	err := w.Interface.Close()
 	if err != nil {
 		return err
 	}

-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-	peer := wgtypes.PeerConfig{
-		PublicKey:                   peerKeyParsed,
-		ReplaceAllowedIPs:           true,
-		AllowedIPs:                  []net.IPNet{*ipNet},
-		PersistentKeepaliveInterval: &keepAlive,
-		PresharedKey:                preSharedKey,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-
-	err = configureDevice(iface, config)
-	if err != nil {
-		return err
-	}
-
-	if endpoint != "" {
-		return UpdatePeerEndpoint(iface, peerKey, endpoint)
+	if runtime.GOOS == "darwin" {
+		sockPath := "/var/run/wireguard/" + w.Name + ".sock"
+		if _, statErr := os.Stat(sockPath); statErr == nil {
+			statErr = os.Remove(sockPath)
+			if statErr != nil {
+				return statErr
+			}
+		}
 	}

 	return nil
 }
-
-// UpdatePeerEndpoint updates a Wireguard interface Peer with the new endpoint
-// Used when NAT hole punching was successful and an update of the remote peer endpoint is required
-func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error {
-
-	log.Debugf("updating peer %s endpoint %s ", peerKey, newEndpoint)
-
-	peerAddr, err := net.ResolveUDPAddr("udp4", newEndpoint)
-	if err != nil {
-		return err
-	}
-
-	log.Debugf("parsed peer endpoint [%s]", peerAddr.String())
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	peer := wgtypes.PeerConfig{
-		PublicKey:         peerKeyParsed,
-		ReplaceAllowedIPs: false,
-		UpdateOnly:        true,
-		Endpoint:          peerAddr,
-	}
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-	return configureDevice(iface, config)
-}
-
-// RemovePeer removes a Wireguard Peer from the interface iface
-func RemovePeer(iface string, peerKey string) error {
-	log.Debugf("Removing peer %s from interface %s ", peerKey, iface)
-
-	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
-	if err != nil {
-		return err
-	}
-
-	peer := wgtypes.PeerConfig{
-		PublicKey: peerKeyParsed,
-		Remove:    true,
-	}
-
-	config := wgtypes.Config{
-		Peers: []wgtypes.PeerConfig{peer},
-	}
-
-	return configureDevice(iface, config)
-}
-
-// CloseWithUserspace closes the User Space tunnel interface
-func CloseWithUserspace() error {
-	return tunIface.Close()
-}
--- a/iface/iface_darwin.go
+++ b/iface/iface_darwin.go
@@ -2,62 +2,31 @@ package iface

 import (
 	log "github.com/sirupsen/logrus"
-	"net"
-	"os"
 	"os/exec"
-	"strings"
 )

 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
-func Create(iface string, address string) error {
-	return CreateWithUserspace(iface, address)
+func (w *WGIface) Create() error {
+	return w.CreateWithUserspace()
 }

 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func assignAddr(address string, ifaceName string) error {
-	ip := strings.Split(address, "/")
-	cmd := exec.Command("ifconfig", ifaceName, "inet", address, ip[0])
+func (w *WGIface) assignAddr() error {
+	//mask,_ := w.Address.Network.Mask.Size()
+	//
+	//address := fmt.Sprintf("%s/%d",w.Address.IP.String() , mask)
+
+	cmd := exec.Command("ifconfig", w.Name, "inet", w.Address.IP.String(), w.Address.IP.String())
 	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Infof("Command: %v failed with output %s and error: ", cmd.String(), out)
+		log.Infof("adding addreess command \"%v\" failed with output %s and error: ", cmd.String(), out)
 		return err
 	}
-	_, resolvedNet, err := net.ParseCIDR(address)
-	err = addRoute(ifaceName, resolvedNet)
-	if err != nil {
-		log.Infoln("Adding route failed with error:", err)
-	}
-	return nil
-}
-
-// addRoute Adds network route based on the range provided
-func addRoute(iface string, ipNet *net.IPNet) error {
-	cmd := exec.Command("route", "add", "-net", ipNet.String(), "-interface", iface)
-	if out, err := cmd.CombinedOutput(); err != nil {
-		log.Printf("Command: %v failed with output %s and error: ", cmd.String(), out)
-		return err
-	}
-	return nil
-}
-
-// Closes the tunnel interface
-func Close(iFace string) error {
-	name, err := tunIface.Name()
-	if err != nil {
-		return err
-	}
-
-	sockPath := "/var/run/wireguard/" + name + ".sock"
-
-	err = CloseWithUserspace()
-	if err != nil {
-		return err
-	}
-
-	if _, err := os.Stat(sockPath); err == nil {
-		err = os.Remove(sockPath)
-		if err != nil {
-			return err
-		}
+
+	routeCmd := exec.Command("route", "add", "-net", w.Address.Network.String(), "-interface", w.Name)
+	if out, err := routeCmd.CombinedOutput(); err != nil {
+		log.Printf("adding route command \"%v\" failed with output %s and error: ", routeCmd.String(), out)
+		return err
 	}
+
 	return nil
 }
--- a/iface/iface_linux.go
+++ b/iface/iface_linux.go
@@ -1,35 +1,58 @@
 package iface

 import (
+	"errors"
+	"fmt"
+	"math"
+	"os"
+	"syscall"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
-	"os"
 )

+type NativeLink struct {
+	Link *netlink.Link
+}
+
+func WireguardModExists() bool {
+	link := newWGLink("mustnotexist")
+
+	// We willingly try to create a device with an invalid
+	// MTU here as the validation of the MTU will be performed after
+	// the validation of the link kind and hence allows us to check
+	// for the existance of the wireguard module without actually
+	// creating a link.
+	//
+	// As a side-effect, this will also let the kernel lazy-load
+	// the wireguard module.
+	link.attrs.MTU = math.MaxInt
+
+	err := netlink.LinkAdd(link)
+
+	return errors.Is(err, syscall.EINVAL)
+}
+
 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
 // Will reuse an existing one.
-func Create(iface string, address string) error {
+func (w *WGIface) Create() error {

 	if WireguardModExists() {
 		log.Debug("using kernel Wireguard module")
-		return CreateWithKernel(iface, address)
+		return w.CreateWithKernel()
 	} else {
-		return CreateWithUserspace(iface, address)
+		return w.CreateWithUserspace()
 	}
 }

 // CreateWithKernel Creates a new Wireguard interface using kernel Wireguard module.
 // Works for Linux and offers much better network performance
-func CreateWithKernel(iface string, address string) error {
-	attrs := netlink.NewLinkAttrs()
-	attrs.Name = iface
+func (w *WGIface) CreateWithKernel() error {

-	link := wgLink{
-		attrs: &attrs,
-	}
+	link := newWGLink(w.Name)

 	// check if interface exists
-	l, err := netlink.LinkByName(iface)
+	l, err := netlink.LinkByName(w.Name)
 	if err != nil {
 		switch err.(type) {
 		case netlink.LinkNotFoundError:
@@ -41,37 +64,39 @@ func CreateWithKernel(iface string, address string) error {

 	// remove if interface exists
 	if l != nil {
-		err = netlink.LinkDel(&link)
+		err = netlink.LinkDel(link)
 		if err != nil {
 			return err
 		}
 	}

-	log.Debugf("adding device: %s", iface)
-	err = netlink.LinkAdd(&link)
+	log.Debugf("adding device: %s", w.Name)
+	err = netlink.LinkAdd(link)
 	if os.IsExist(err) {
-		log.Infof("interface %s already exists. Will reuse.", iface)
+		log.Infof("interface %s already exists. Will reuse.", w.Name)
 	} else if err != nil {
 		return err
 	}

-	err = assignAddr(address, iface)
+	w.Interface = link
+
+	err = w.assignAddr()
 	if err != nil {
 		return err
 	}

 	// todo do a discovery
-	log.Debugf("setting MTU: %d interface: %s", defaultMTU, iface)
-	err = netlink.LinkSetMTU(&link, defaultMTU)
+	log.Debugf("setting MTU: %d interface: %s", w.MTU, w.Name)
+	err = netlink.LinkSetMTU(link, w.MTU)
 	if err != nil {
-		log.Errorf("error setting MTU on interface: %s", iface)
+		log.Errorf("error setting MTU on interface: %s", w.Name)
 		return err
 	}

-	log.Debugf("bringing up interface: %s", iface)
-	err = netlink.LinkSetUp(&link)
+	log.Debugf("bringing up interface: %s", w.Name)
+	err = netlink.LinkSetUp(link)
 	if err != nil {
-		log.Errorf("error bringing up interface: %s", iface)
+		log.Errorf("error bringing up interface: %s", w.Name)
 		return err
 	}

@@ -79,39 +104,37 @@ func CreateWithKernel(iface string, address string) error {
 }

 // assignAddr Adds IP address to the tunnel interface
-func assignAddr(address, name string) error {
-	var err error
-	attrs := netlink.NewLinkAttrs()
-	attrs.Name = name
+func (w *WGIface) assignAddr() error {

-	link := wgLink{
-		attrs: &attrs,
-	}
+	mask, _ := w.Address.Network.Mask.Size()
+	address := fmt.Sprintf("%s/%d", w.Address.IP.String(), mask)
+
+	link := newWGLink(w.Name)

 	//delete existing addresses
-	list, err := netlink.AddrList(&link, 0)
+	list, err := netlink.AddrList(link, 0)
 	if err != nil {
 		return err
 	}
 	if len(list) > 0 {
 		for _, a := range list {
-			err = netlink.AddrDel(&link, &a)
+			err = netlink.AddrDel(link, &a)
 			if err != nil {
 				return err
 			}
 		}
 	}

-	log.Debugf("adding address %s to interface: %s", address, attrs.Name)
+	log.Debugf("adding address %s to interface: %s", address, w.Name)
 	addr, _ := netlink.ParseAddr(address)
-	err = netlink.AddrAdd(&link, addr)
+	err = netlink.AddrAdd(link, addr)
 	if os.IsExist(err) {
-		log.Infof("interface %s already has the address: %s", attrs.Name, address)
+		log.Infof("interface %s already has the address: %s", w.Name, address)
 	} else if err != nil {
 		return err
 	}
 	// On linux, the link must be brought up
-	err = netlink.LinkSetUp(&link)
+	err = netlink.LinkSetUp(link)
 	return err
 }

@@ -119,28 +142,26 @@ type wgLink struct {
 	attrs *netlink.LinkAttrs
 }

+func newWGLink(name string) *wgLink {
+	attrs := netlink.NewLinkAttrs()
+	attrs.Name = name
+
+	return &wgLink{
+		attrs: &attrs,
+	}
+}
+
 // Attrs returns the Wireguard's default attributes
-func (w *wgLink) Attrs() *netlink.LinkAttrs {
-	return w.attrs
+func (l *wgLink) Attrs() *netlink.LinkAttrs {
+	return l.attrs
 }

 // Type returns the interface type
-func (w *wgLink) Type() string {
+func (l *wgLink) Type() string {
 	return "wireguard"
 }

-// Close closes the tunnel interface
-func Close(iFace string) error {
-
-	if tunIface != nil {
-		return CloseWithUserspace()
-	} else {
-		attrs := netlink.NewLinkAttrs()
-		attrs.Name = iFace
-
-		link := wgLink{
-			attrs: &attrs,
-		}
-		return netlink.LinkDel(&link)
-	}
+// Close deletes the link interface
+func (l *wgLink) Close() error {
+	return netlink.LinkDel(l)
 }
--- a/iface/iface_test.go
+++ b/iface/iface_test.go
@@ -12,25 +12,36 @@ import (

 // keep darwin compability
 const (
-	key        = "0PMI6OkB5JmB+Jj/iWWHekuQRx+bipZirWCWKFXexHc="
-	peerPubKey = "Ok0mC0qlJyXEPKh2UFIpsI2jG0L7LRpC3sLAusSJ5CQ="
-	WgPort     = 51820
+	WgIntNumber = 2000
+)
+
+var (
+	key        string
+	peerPubKey string
 )

 func init() {
 	log.SetLevel(log.DebugLevel)
+	privateKey, _ := wgtypes.GeneratePrivateKey()
+	key = privateKey.String()
+	peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
+	peerPubKey = peerPrivateKey.PublicKey().String()
 }

 //
 func Test_CreateInterface(t *testing.T) {
-	ifaceName := "utun999"
-	wgIP := "10.99.99.1/24"
-	err := Create(ifaceName, wgIP)
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
+	wgIP := "10.99.99.1/32"
+	iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close(ifaceName)
+		err = iface.Close()
 		if err != nil {
 			t.Error(err)
 		}
@@ -46,21 +57,58 @@ func Test_CreateInterface(t *testing.T) {
 		}
 	}()
 }
-func Test_ConfigureInterface(t *testing.T) {
-	ifaceName := "utun1000"
-	wgIP := "10.99.99.10/24"
-	err := Create(ifaceName, wgIP)
+
+func Test_Close(t *testing.T) {
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
+	wgIP := "10.99.99.2/32"
+	iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	wg, err := wgctrl.New()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close(ifaceName)
+		err = wg.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()

-	err = Configure(ifaceName, key, WgPort)
+	err = iface.Close()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
+func Test_ConfigureInterface(t *testing.T) {
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
+	wgIP := "10.99.99.5/30"
+	iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = iface.Close()
+		if err != nil {
+			t.Error(err)
+		}
+	}()
+
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -86,30 +134,41 @@ func Test_ConfigureInterface(t *testing.T) {
 }

 func Test_UpdatePeer(t *testing.T) {
-	ifaceName := "utun1001"
-	wgIP := "10.99.99.20/24"
-	err := Create(ifaceName, wgIP)
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
+	wgIP := "10.99.99.9/30"
+	iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close(ifaceName)
+		err = iface.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()
-	err = Configure(ifaceName, key, WgPort)
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
 	if err != nil {
 		t.Fatal(err)
 	}
 	keepAlive := 15 * time.Second
-	allowedIP := "10.99.99.2/32"
-	endpoint := "127.0.0.1:9900"
-	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint, nil)
+	allowedIP := "10.99.99.10/32"
+	endpoint, err := net.ResolveUDPAddr("udp", "127.0.0.1:9900")
 	if err != nil {
 		t.Fatal(err)
 	}
-	peer, err := getPeer(ifaceName, t)
+	err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, endpoint, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer, err := getPeer(ifaceName, peerPubKey, t)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -117,11 +176,7 @@ func Test_UpdatePeer(t *testing.T) {
 		t.Fatal("configured peer with mismatched keepalive interval value")
 	}

-	resolvedEndpoint, err := net.ResolveUDPAddr("udp", endpoint)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if peer.Endpoint.String() != resolvedEndpoint.String() {
+	if peer.Endpoint.String() != endpoint.String() {
 		t.Fatal("configured peer with mismatched endpoint")
 	}

@@ -137,104 +192,144 @@ func Test_UpdatePeer(t *testing.T) {
 	}
 }

-func Test_UpdatePeerEndpoint(t *testing.T) {
-	ifaceName := "utun1002"
-	wgIP := "10.99.99.30/24"
-	err := Create(ifaceName, wgIP)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer func() {
-		err = Close(ifaceName)
-		if err != nil {
-			t.Error(err)
-		}
-	}()
-	err = Configure(ifaceName, key, WgPort)
-	if err != nil {
-		t.Fatal(err)
-	}
-	keepAlive := 15 * time.Second
-	allowedIP := "10.99.99.2/32"
-	endpoint := "127.0.0.1:9900"
-	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	newEndpoint := "127.0.0.1:9999"
-	err = UpdatePeerEndpoint(ifaceName, peerPubKey, newEndpoint)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	peer, err := getPeer(ifaceName, t)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if peer.Endpoint.String() != newEndpoint {
-		t.Fatal("configured peer with mismatched endpoint")
-	}
-}
-
 func Test_RemovePeer(t *testing.T) {
-	ifaceName := "utun1003"
-	wgIP := "10.99.99.40/24"
-	err := Create(ifaceName, wgIP)
+	ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
+	wgIP := "10.99.99.13/30"
+	iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Create()
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = Close(ifaceName)
+		err = iface.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()
-	err = Configure(ifaceName, key, WgPort)
+	port, err := iface.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface.Configure(key, *port)
 	if err != nil {
 		t.Fatal(err)
 	}
 	keepAlive := 15 * time.Second
-	allowedIP := "10.99.99.2/32"
-	endpoint := "127.0.0.1:9900"
-	err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint, nil)
+	allowedIP := "10.99.99.14/32"
+
+	err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, nil, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = RemovePeer(ifaceName, peerPubKey)
+	err = iface.RemovePeer(peerPubKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = getPeer(ifaceName, t)
+	_, err = getPeer(ifaceName, peerPubKey, t)
 	if err.Error() != "peer not found" {
 		t.Fatal(err)
 	}
 }
-func Test_Close(t *testing.T) {
-	ifaceName := "utun1004"
-	wgIP := "10.99.99.50/24"
-	err := Create(ifaceName, wgIP)
+
+func Test_ConnectPeers(t *testing.T) {
+	peer1ifaceName := fmt.Sprintf("utun%d", WgIntNumber+400)
+	peer1wgIP := "10.99.99.17/30"
+	peer1Key, _ := wgtypes.GeneratePrivateKey()
+	//peer1Port := WgPort + 4
+
+	peer2ifaceName := fmt.Sprintf("utun%d", 500)
+	peer2wgIP := "10.99.99.18/30"
+	peer2Key, _ := wgtypes.GeneratePrivateKey()
+	//peer2Port := WgPort + 5
+
+	keepAlive := 1 * time.Second
+
+	iface1, err := NewWGIface(peer1ifaceName, peer1wgIP, DefaultMTU)
 	if err != nil {
 		t.Fatal(err)
 	}
-	wg, err := wgctrl.New()
+	err = iface1.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer1Port, err := iface1.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer1endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer1Port))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	iface2, err := NewWGIface(peer2ifaceName, peer2wgIP, DefaultMTU)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface2.Create()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer2Port, err := iface2.GetListenPort()
+	if err != nil {
+		t.Fatal(err)
+	}
+	peer2endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer2Port))
 	if err != nil {
 		t.Fatal(err)
 	}
 	defer func() {
-		err = wg.Close()
+		err = iface1.Close()
+		if err != nil {
+			t.Error(err)
+		}
+		err = iface2.Close()
 		if err != nil {
 			t.Error(err)
 		}
 	}()

-	err = Close(ifaceName)
+	err = iface1.Configure(peer1Key.String(), *peer1Port)
 	if err != nil {
 		t.Fatal(err)
 	}
+	err = iface2.Configure(peer2Key.String(), *peer2Port)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = iface1.UpdatePeer(peer2Key.PublicKey().String(), peer2wgIP, keepAlive, peer2endpoint, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = iface2.UpdatePeer(peer1Key.PublicKey().String(), peer1wgIP, keepAlive, peer1endpoint, nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	timeout := 10 * time.Second
+	timeoutChannel := time.After(timeout)
+	for {
+		select {
+		case <-timeoutChannel:
+			t.Fatalf("waiting for peer handshake timeout after %s", timeout.String())
+		default:
+		}
+		peer, gpErr := getPeer(peer1ifaceName, peer2Key.PublicKey().String(), t)
+		if gpErr != nil {
+			t.Fatal(gpErr)
+		}
+		if !peer.LastHandshakeTime.IsZero() {
+			t.Log("peers successfully handshake")
+			break
+		}
+	}
+
 }
-func getPeer(ifaceName string, t *testing.T) (wgtypes.Peer, error) {
+
+func getPeer(ifaceName, peerPubKey string, t *testing.T) (wgtypes.Peer, error) {
 	emptyPeer := wgtypes.Peer{}
 	wg, err := wgctrl.New()
 	if err != nil {
--- a/iface/iface_unix.go
+++ b/iface/iface_unix.go
@@ -1,12 +1,58 @@
+//go:build linux || darwin
 // +build linux darwin

 package iface

 import (
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/ipc"
+	"golang.zx2c4.com/wireguard/tun"
 	"net"
 )

+// CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
+func (w *WGIface) CreateWithUserspace() error {
+
+	tunIface, err := tun.CreateTUN(w.Name, w.MTU)
+	if err != nil {
+		return err
+	}
+
+	w.Interface = tunIface
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	err = tunDevice.Up()
+	if err != nil {
+		return err
+	}
+	uapi, err := getUAPI(w.Name)
+	if err != nil {
+		return err
+	}
+
+	go func() {
+		for {
+			uapiConn, uapiErr := uapi.Accept()
+			if uapiErr != nil {
+				log.Traceln("uapi Accept failed with error: ", uapiErr)
+				continue
+			}
+			go tunDevice.IpcHandle(uapiConn)
+		}
+	}()
+
+	log.Debugln("UAPI listener started")
+
+	err = w.assignAddr()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
 // getUAPI returns a Listener
 func getUAPI(iface string) (net.Listener, error) {
 	tunSock, err := ipc.UAPIOpen(iface)
--- a/iface/iface_windows.go
+++ b/iface/iface_windows.go
@@ -1,46 +1,47 @@
 package iface

 import (
+	"fmt"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/ipc"
-	"golang.zx2c4.com/wireguard/tun"
+	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/windows/driver"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"net"
 )

 // Create Creates a new Wireguard interface, sets a given IP and brings it up.
-func Create(iface string, address string) error {
-	return CreateWithUserspace(iface, address)
+func (w *WGIface) Create() error {
+
+	WintunStaticRequestedGUID, _ := windows.GenerateGUID()
+	adapter, err := driver.CreateAdapter(w.Name, "WireGuard", &WintunStaticRequestedGUID)
+	if err != nil {
+		err = fmt.Errorf("error creating adapter: %w", err)
+		return err
+	}
+	w.Interface = adapter
+	luid := adapter.LUID()
+	err = adapter.SetLogging(driver.AdapterLogOn)
+	if err != nil {
+		err = fmt.Errorf("Error enabling adapter logging: %w", err)
+		return err
+	}
+	err = adapter.SetAdapterState(driver.AdapterStateUp)
+	if err != nil {
+		return err
+	}
+	state, _ := luid.GUID()
+	log.Debugln("device guid: ", state.String())
+	return w.assignAddr(luid)
 }

 // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
-func assignAddr(address string, ifaceName string) error {
+func (w *WGIface) assignAddr(luid winipcfg.LUID) error {

-	nativeTunDevice := tunIface.(*tun.NativeTun)
-	luid := winipcfg.LUID(nativeTunDevice.LUID())
-
-	ip, ipnet, _ := net.ParseCIDR(address)
-
-	log.Debugf("adding address %s to interface: %s", address, ifaceName)
-	err := luid.SetIPAddresses([]net.IPNet{{ip, ipnet.Mask}})
+	log.Debugf("adding address %s to interface: %s", w.Address.IP, w.Name)
+	err := luid.SetIPAddresses([]net.IPNet{{w.Address.IP, w.Address.Network.Mask}})
 	if err != nil {
 		return err
 	}

-	log.Debugf("adding Routes to interface: %s", ifaceName)
-	err = luid.SetRoutes([]*winipcfg.RouteData{{*ipnet, ipnet.IP, 0}})
-	if err != nil {
-		return err
-	}
 	return nil
 }
-
-// getUAPI returns a Listener
-func getUAPI(iface string) (net.Listener, error) {
-	return ipc.UAPIListen(iface)
-}
-
-// Closes the tunnel interface
-func Close(iFace string) error {
-	return CloseWithUserspace()
-}
--- a/iface/ifacename.go
+++ b/iface/ifacename.go
@@ -1,3 +1,4 @@
+//go:build linux || windows
 // +build linux windows

 package iface
--- a/iface/ifacename_darwin.go
+++ b/iface/ifacename_darwin.go
@@ -1,3 +1,4 @@
+//go:build darwin
 // +build darwin

 package iface
--- a/iface/mod.go
+++ b/iface/mod.go
@@ -1,144 +0,0 @@
-// +build linux
-
-package iface
-
-// Holds logic to check existence of Wireguard kernel module
-// Copied from https://github.com/paultag/go-modprobe
-
-import (
-	"debug/elf"
-	"fmt"
-	"golang.org/x/sys/unix"
-	"os"
-	"path/filepath"
-	"strings"
-)
-
-var (
-	// get the root directory for the kernel modules. If this line panics,
-	// it's because getModuleRoot has failed to get the uname of the running
-	// kernel (likely a non-POSIX system, but maybe a broken kernel?)
-	moduleRoot = getModuleRoot()
-)
-
-// Get the module root (/lib/modules/$(uname -r)/)
-func getModuleRoot() string {
-	uname := unix.Utsname{}
-	if err := unix.Uname(&uname); err != nil {
-		panic(err)
-	}
-
-	i := 0
-	for ; uname.Release[i] != 0; i++ {
-	}
-
-	return filepath.Join(
-		"/lib/modules",
-		string(uname.Release[:i]),
-	)
-}
-
-// modName will, given a file descriptor to a Kernel Module (.ko file), parse the
-// binary to get the module name. For instance, given a handle to the file at
-// `kernel/drivers/usb/gadget/legacy/g_ether.ko`, return `g_ether`.
-func modName(file *os.File) (string, error) {
-	f, err := elf.NewFile(file)
-	if err != nil {
-		return "", err
-	}
-
-	syms, err := f.Symbols()
-	if err != nil {
-		return "", err
-	}
-
-	for _, sym := range syms {
-		if strings.Compare(sym.Name, "__this_module") == 0 {
-			section := f.Sections[sym.Section]
-			data, err := section.Data()
-			if err != nil {
-				return "", err
-			}
-
-			if len(data) < 25 {
-				return "", fmt.Errorf("modprobe: data is short, __this_module is '%s'", data)
-			}
-
-			data = data[24:]
-			i := 0
-			for ; data[i] != 0x00; i++ {
-			}
-			return string(data[:i]), nil
-		}
-	}
-
-	return "", fmt.Errorf("No name found. Is this a .ko or just an ELF?")
-}
-
-// Open every single kernel module under the root, and parse the ELF headers to
-// extract the module name.
-func elfMap(root string) (map[string]string, error) {
-	ret := map[string]string{}
-
-	err := filepath.Walk(
-		root,
-		func(path string, info os.FileInfo, err error) error {
-
-			if err != nil {
-				// skip broken files
-				return nil
-			}
-
-			if !info.Mode().IsRegular() {
-				return nil
-			}
-			fd, err := os.Open(path)
-			if err != nil {
-				return err
-			}
-			defer fd.Close()
-			name, err := modName(fd)
-			if err != nil {
-				/* For now, let's just ignore that and avoid adding to it */
-				return nil
-			}
-
-			ret[name] = path
-			return nil
-		})
-
-	if err != nil {
-		return nil, err
-	}
-
-	return ret, nil
-}
-
-// Open every single kernel module under the kernel module directory
-// (/lib/modules/$(uname -r)/), and parse the ELF headers to extract the
-// module name.
-func generateMap() (map[string]string, error) {
-	return elfMap(moduleRoot)
-}
-
-// WireguardModExists returns true if Wireguard kernel module exists.
-func WireguardModExists() bool {
-	_, err := resolveModName("wireguard")
-	return err == nil
-}
-
-// resolveModName will, given a module name (such as `wireguard`) return an absolute
-// path to the .ko that provides that module.
-func resolveModName(name string) (string, error) {
-	paths, err := generateMap()
-	if err != nil {
-		return "", err
-	}
-
-	fsPath := paths[name]
-	if !strings.HasPrefix(fsPath, moduleRoot) {
-		return "", fmt.Errorf("module isn't in the module directory")
-	}
-
-	return fsPath, nil
-}
--- a/infrastructure_files/configure.sh
+++ b/infrastructure_files/configure.sh
@@ -1,7 +1,27 @@
 #!/bin/bash

-unset $(grep -v '^#' ./setup.env | sed -E 's/(.*)=.*/\1/' | xargs)
-export $(grep -v '^#' ./setup.env | xargs)
+source setup.env
+
+if [[ "x-$WIRETRUSTEE_DOMAIN" == "x-" ]]
+then
+  echo WIRETRUSTEE_DOMAIN is not set, please update your setup.env file
+  exit 1
+fi
+
+# local development or tests
+if [[ $WIRETRUSTEE_DOMAIN == "localhost" || $WIRETRUSTEE_DOMAIN == "127.0.0.1" ]]
+then
+  export WIRETRUSTEE_MGMT_API_ENDPOINT=http://$WIRETRUSTEE_DOMAIN:$WIRETRUSTEE_MGMT_API_PORT
+  unset WIRETRUSTEE_MGMT_API_CERT_FILE
+  unset WIRETRUSTEE_MGMT_API_CERT_KEY_FILE
+fi
+
+# if not provided, we generate a turn password
+if [[ "x-$TURN_PASSWORD" == "x-" ]]
+then
+  export TURN_PASSWORD=$(openssl rand -base64 32|sed 's/=//g')
+fi

 envsubst < docker-compose.yml.tmpl > docker-compose.yml
 envsubst < management.json.tmpl > management.json
+envsubst < turnserver.conf.tmpl > turnserver.conf
--- a/infrastructure_files/docker-compose.yml.tmpl
+++ b/infrastructure_files/docker-compose.yml.tmpl
@@ -11,19 +11,18 @@ services:
      - AUTH0_DOMAIN=$WIRETRUSTEE_AUTH0_DOMAIN
      - AUTH0_CLIENT_ID=$WIRETRUSTEE_AUTH0_CLIENT_ID
      - AUTH0_AUDIENCE=$WIRETRUSTEE_AUTH0_AUDIENCE
-      - WIRETRUSTEE_MGMT_API_ENDPOINT=https://$WIRETRUSTEE_DOMAIN:33071
+      - WIRETRUSTEE_MGMT_API_ENDPOINT=$WIRETRUSTEE_MGMT_API_ENDPOINT
      - NGINX_SSL_PORT=443
      - LETSENCRYPT_DOMAIN=$WIRETRUSTEE_DOMAIN
      - LETSENCRYPT_EMAIL=$WIRETRUSTEE_LETSENCRYPT_EMAIL
    volumes:
-      - /var/lib/wiretrustee/dashboard/letsencrypt:/etc/letsencrypt/
+      - wiretrustee-letsencrypt:/etc/letsencrypt/
  # Signal
  signal:
    image: wiretrustee/signal:latest
    restart: unless-stopped
    volumes:
      - wiretrustee-signal:/var/lib/wiretrustee
-    #      - /var/log/wiretrustee/signal.log:/var/log/wiretrustee/signal.log
    ports:
      - 10000:10000
  #     # port and command for Let's Encrypt validation
@@ -37,12 +36,11 @@ services:
      - dashboard
    volumes:
      - wiretrustee-mgmt:/var/lib/wiretrustee
-      - /var/lib/wiretrustee/dashboard/letsencrypt:/etc/letsencrypt:ro
+      - wiretrustee-letsencrypt:/etc/letsencrypt:ro
      - ./management.json:/etc/wiretrustee/management.json
-    #      - /var/log/wiretrustee/management.log:/var/log/wiretrustee/management.log
    ports:
      - 33073:33073 #gRPC port
-      - 33071:33071 #HTTP port
+      - $WIRETRUSTEE_MGMT_API_PORT:33071 #API port
  #     # port and command for Let's Encrypt validation
  #      - 443:443
  #    command: ["--letsencrypt-domain", "$WIRETRUSTEE_DOMAIN", "--log-file", "console"]
@@ -50,7 +48,7 @@ services:
  coturn:
    image: coturn/coturn
    restart: unless-stopped
-    domainname: <YOUR DOMAIN>
+    domainname: $WIRETRUSTEE_DOMAIN
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    #      - ./privkey.pem:/etc/coturn/private/privkey.pem:ro
@@ -58,4 +56,5 @@ services:
    network_mode: host
 volumes:
  wiretrustee-mgmt:
-  wiretrustee-signal:
+  wiretrustee-signal:
+  wiretrustee-letsencrypt:
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -12,8 +12,8 @@
            {
                "Proto": "udp",
                "URI": "turn:$WIRETRUSTEE_DOMAIN:3478",
-                "Username": "",
-                "Password": null
+                "Username": "$TURN_USER",
+                "Password": "$TURN_PASSWORD"
            }
        ],
        "CredentialsTTL": "12h",
@@ -28,12 +28,14 @@
    },
    "Datadir": "",
    "HttpConfig": {
-        "LetsEncryptDomain": "",
-        "CertFile":"/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/fullchain.pem",
-        "CertKey":"/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/privkey.pem",
-        "Address": "0.0.0.0:33071",
+        "Address": "0.0.0.0:$WIRETRUSTEE_MGMT_API_PORT",
        "AuthIssuer": "https://$WIRETRUSTEE_AUTH0_DOMAIN/",
        "AuthAudience": "$WIRETRUSTEE_AUTH0_AUDIENCE",
-        "AuthKeysLocation": "https://$WIRETRUSTEE_AUTH0_DOMAIN/.well-known/jwks.json"
-    }
+        "AuthKeysLocation": "https://$WIRETRUSTEE_AUTH0_DOMAIN/.well-known/jwks.json",
+        "CertFile":"$WIRETRUSTEE_MGMT_API_CERT_FILE",
+        "CertKey":"$WIRETRUSTEE_MGMT_API_CERT_KEY_FILE"
+    },
+    "IdpManagerConfig": {
+        "Manager": "none"
+     }
 }
--- a/infrastructure_files/setup.env
+++ b/infrastructure_files/setup.env
@@ -1,4 +1,6 @@
-# e.g. app.mydomain.com
+# Dashboard domain and auth0 configuration
+
+# Dashboard domain. e.g. app.mydomain.com
 WIRETRUSTEE_DOMAIN=""
 # e.g. dev-24vkclam.us.auth0.com
 WIRETRUSTEE_AUTH0_DOMAIN=""
@@ -8,3 +10,42 @@ WIRETRUSTEE_AUTH0_CLIENT_ID=""
 WIRETRUSTEE_AUTH0_AUDIENCE=""
 # e.g. hello@mydomain.com
 WIRETRUSTEE_LETSENCRYPT_EMAIL=""
+
+## From this point, most settings are being done automatically, but you can edit if you need some customization
+
+# Management API
+
+# Management API port
+WIRETRUSTEE_MGMT_API_PORT=33071
+# Management API endpoint address, used by the Dashboard
+WIRETRUSTEE_MGMT_API_ENDPOINT=https://$WIRETRUSTEE_DOMAIN:$WIRETRUSTEE_MGMT_API_PORT
+# Management Certficate file path. These are generated by the Dashboard container
+WIRETRUSTEE_MGMT_API_CERT_FILE="/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/fullchain.pem"
+# Management Certficate key file path.
+WIRETRUSTEE_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$WIRETRUSTEE_DOMAIN/privkey.pem"
+
+# Turn credentials
+
+# User
+TURN_USER=self
+# Password. If empty, the configure.sh will generate one with openssl
+TURN_PASSWORD=
+# Min port
+TURN_MIN_PORT=49152
+# Max port
+TURN_MAX_PORT=65535
+
+# exports
+export WIRETRUSTEE_DOMAIN
+export WIRETRUSTEE_AUTH0_DOMAIN
+export WIRETRUSTEE_AUTH0_CLIENT_ID
+export WIRETRUSTEE_AUTH0_AUDIENCE
+export WIRETRUSTEE_LETSENCRYPT_EMAIL
+export WIRETRUSTEE_MGMT_API_PORT
+export WIRETRUSTEE_MGMT_API_ENDPOINT
+export WIRETRUSTEE_MGMT_API_CERT_FILE
+export WIRETRUSTEE_MGMT_API_CERT_KEY_FILE
+export TURN_USER
+export TURN_PASSWORD
+export TURN_MIN_PORT
+export TURN_MAX_PORT
--- a/infrastructure_files/turnserver.conf.tmpl
+++ b/infrastructure_files/turnserver.conf.tmpl
@@ -154,12 +154,12 @@ tls-listening-port=5349
 # Lower and upper bounds of the UDP relay endpoints:
 # (default values are 49152 and 65535)
 #
-min-port=49152
-max-port=65535
+min-port=$TURN_MIN_PORT
+max-port=$TURN_MAX_PORT

 # Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
 # By default the verbose mode is off.
-verbose
+#verbose

 # Uncomment to run TURN server in 'extra' verbose mode.
 # This mode is very annoying and produces lots of output.
@@ -249,7 +249,7 @@ lt-cred-mech
 #user=username1:key1
 #user=username2:key2
 # OR:
-user=username1:password1
+user=$TURN_USER:$TURN_PASSWORD
 #user=username2:password2
 #
 # Keys must be generated by turnadmin utility. The key value depends
--- a/management/README.md
+++ b/management/README.md
@@ -45,7 +45,7 @@ docker run -d --name wiretrustee-management \
 wiretrustee/management:latest \
 --letsencrypt-domain <YOUR-DOMAIN>
 ```
-> An example of config.json can be found here [config.json](../infrastructure_files/config.json)
+> An example of config.json can be found here [management.json](../infrastructure_files/management.json.tmpl)

 Trigger Let's encrypt certificate generation:
 ```bash
--- a/management/client/client.go
+++ b/management/client/client.go
@@ -1,253 +1,17 @@
 package client

 import (
-	"context"
-	"crypto/tls"
-	"fmt"
-	"github.com/cenkalti/backoff/v4"
-	log "github.com/sirupsen/logrus"
+	"io"
+
 	"github.com/wiretrustee/wiretrustee/client/system"
-	"github.com/wiretrustee/wiretrustee/encryption"
 	"github.com/wiretrustee/wiretrustee/management/proto"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/connectivity"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/credentials/insecure"
-	"google.golang.org/grpc/keepalive"
-	"io"
-	"time"
 )

-type Client struct {
-	key        wgtypes.Key
-	realClient proto.ManagementServiceClient
-	ctx        context.Context
-	conn       *grpc.ClientConn
-}
-
-// NewClient creates a new client to Management service
-func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*Client, error) {
-
-	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
-
-	if tlsEnabled {
-		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
-	}
-
-	mgmCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
-	defer cancel()
-	conn, err := grpc.DialContext(
-		mgmCtx,
-		addr,
-		transportOption,
-		grpc.WithBlock(),
-		grpc.WithKeepaliveParams(keepalive.ClientParameters{
-			Time:    15 * time.Second,
-			Timeout: 10 * time.Second,
-		}))
-
-	if err != nil {
-		log.Errorf("failed creating connection to Management Service %v", err)
-		return nil, err
-	}
-
-	realClient := proto.NewManagementServiceClient(conn)
-
-	return &Client{
-		key:        ourPrivateKey,
-		realClient: realClient,
-		ctx:        ctx,
-		conn:       conn,
-	}, nil
-}
-
-// Close closes connection to the Management Service
-func (c *Client) Close() error {
-	return c.conn.Close()
-}
-
-//defaultBackoff is a basic backoff mechanism for general issues
-func defaultBackoff(ctx context.Context) backoff.BackOff {
-	return backoff.WithContext(&backoff.ExponentialBackOff{
-		InitialInterval:     800 * time.Millisecond,
-		RandomizationFactor: backoff.DefaultRandomizationFactor,
-		Multiplier:          backoff.DefaultMultiplier,
-		MaxInterval:         10 * time.Second,
-		MaxElapsedTime:      12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}, ctx)
-}
-
-// ready indicates whether the client is okay and ready to be used
-// for now it just checks whether gRPC connection to the service is ready
-func (c *Client) ready() bool {
-	return c.conn.GetState() == connectivity.Ready || c.conn.GetState() == connectivity.Idle
-}
-
-// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
-// Blocking request. The result will be sent via msgHandler callback function
-func (c *Client) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
-
-	var backOff = defaultBackoff(c.ctx)
-
-	operation := func() error {
-
-		log.Debugf("management connection state %v", c.conn.GetState())
-
-		if !c.ready() {
-			return fmt.Errorf("no connection to management")
-		}
-
-		// todo we already have it since we did the Login, maybe cache it locally?
-		serverPubKey, err := c.GetServerPublicKey()
-		if err != nil {
-			log.Errorf("failed getting Management Service public key: %s", err)
-			return err
-		}
-
-		stream, err := c.connectToStream(*serverPubKey)
-		if err != nil {
-			log.Errorf("failed to open Management Service stream: %s", err)
-			return err
-		}
-
-		log.Infof("connected to the Management Service stream")
-
-		// blocking until error
-		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
-		if err != nil {
-			backOff.Reset()
-			return err
-		}
-
-		return nil
-	}
-
-	err := backoff.Retry(operation, backOff)
-	if err != nil {
-		log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
-		return err
-	}
-
-	return nil
-}
-
-func (c *Client) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
-	req := &proto.SyncRequest{}
-
-	myPrivateKey := c.key
-	myPublicKey := myPrivateKey.PublicKey()
-
-	encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
-	if err != nil {
-		log.Errorf("failed encrypting message: %s", err)
-		return nil, err
-	}
-
-	syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
-	return c.realClient.Sync(c.ctx, syncReq)
-}
-
-func (c *Client) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
-	for {
-		update, err := stream.Recv()
-		if err == io.EOF {
-			log.Errorf("Management stream has been closed by server: %s", err)
-			return err
-		}
-		if err != nil {
-			log.Warnf("disconnected from Management Service sync stream: %v", err)
-			return err
-		}
-
-		log.Debugf("got an update message from Management Service")
-		decryptedResp := &proto.SyncResponse{}
-		err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp)
-		if err != nil {
-			log.Errorf("failed decrypting update message from Management Service: %s", err)
-			return err
-		}
-
-		err = msgHandler(decryptedResp)
-		if err != nil {
-			log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
-			return err
-		}
-	}
-}
-
-// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
-func (c *Client) GetServerPublicKey() (*wgtypes.Key, error) {
-	if !c.ready() {
-		return nil, fmt.Errorf("no connection to management")
-	}
-
-	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
-	defer cancel()
-	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
-	if err != nil {
-		return nil, err
-	}
-
-	serverKey, err := wgtypes.ParseKey(resp.Key)
-	if err != nil {
-		return nil, err
-	}
-
-	return &serverKey, nil
-}
-
-func (c *Client) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
-	if !c.ready() {
-		return nil, fmt.Errorf("no connection to management")
-	}
-	loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
-	if err != nil {
-		log.Errorf("failed to encrypt message: %s", err)
-		return nil, err
-	}
-	mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
-	defer cancel()
-	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
-		WgPubKey: c.key.PublicKey().String(),
-		Body:     loginReq,
-	})
-
-	if err != nil {
-		return nil, err
-	}
-
-	loginResp := &proto.LoginResponse{}
-	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
-	if err != nil {
-		log.Errorf("failed to decrypt registration message: %s", err)
-		return nil, err
-	}
-
-	return loginResp, nil
-}
-
-// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
-// Takes care of encrypting and decrypting messages.
-// This method will also collect system info and send it with the request (e.g. hostname, os, etc)
-func (c *Client) Register(serverKey wgtypes.Key, setupKey string) (*proto.LoginResponse, error) {
-	gi := system.GetInfo()
-	meta := &proto.PeerSystemMeta{
-		Hostname:           gi.Hostname,
-		GoOS:               gi.GoOS,
-		OS:                 gi.OS,
-		Core:               gi.OSVersion,
-		Platform:           gi.Platform,
-		Kernel:             gi.Kernel,
-		WiretrusteeVersion: "",
-	}
-	log.Debugf("detected system %v", meta)
-	return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: meta})
-}
-
-// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
-func (c *Client) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
-	return c.login(serverKey, &proto.LoginRequest{})
+type Client interface {
+	io.Closer
+	Sync(msgHandler func(msg *proto.SyncResponse) error) error
+	GetServerPublicKey() (*wgtypes.Key, error)
+	Register(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error)
+	Login(serverKey wgtypes.Key) (*proto.LoginResponse, error)
 }
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -2,22 +2,33 @@ package client

 import (
 	"context"
+	"net"
+	"path/filepath"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/wiretrustee/wiretrustee/client/system"
+
 	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	"github.com/wiretrustee/wiretrustee/management/proto"
 	mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
 	mgmt "github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/management/server/mock_server"
+
 	"github.com/wiretrustee/wiretrustee/util"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"net"
-	"path/filepath"
-	"testing"
-	"time"
 )

-var tested *Client
+var tested *GrpcClient
 var serverAddr string
+var mgmtMockServer *mock_server.ManagementServiceServerMock
+var serverKey wgtypes.Key

 const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"

@@ -61,7 +72,7 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
 	}

 	peersUpdateManager := mgmt.NewPeersUpdateManager()
-	accountManager := mgmt.NewManager(store, peersUpdateManager)
+	accountManager := mgmt.NewManager(store, peersUpdateManager, nil)
 	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
 	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
 	if err != nil {
@@ -78,6 +89,39 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
 	return s, lis
 }

+func startMockManagement(t *testing.T) (*grpc.Server, net.Listener) {
+	lis, err := net.Listen("tcp", ":0")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	s := grpc.NewServer()
+
+	serverKey, err = wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	mgmtMockServer = &mock_server.ManagementServiceServerMock{
+		GetServerKeyFunc: func(context.Context, *proto.Empty) (*proto.ServerKeyResponse, error) {
+			response := &proto.ServerKeyResponse{
+				Key: serverKey.PublicKey().String(),
+			}
+			return response, nil
+		},
+	}
+
+	mgmtProto.RegisterManagementServiceServer(s, mgmtMockServer)
+	go func() {
+		if err := s.Serve(lis); err != nil {
+			t.Error(err)
+			return
+		}
+	}()
+
+	return s, lis
+}
+
 func TestClient_GetServerPublicKey(t *testing.T) {

 	key, err := tested.GetServerPublicKey()
@@ -109,7 +153,8 @@ func TestClient_LoginRegistered(t *testing.T) {
 	if err != nil {
 		t.Error(err)
 	}
-	resp, err := tested.Register(*key, ValidKey)
+	info := system.GetInfo()
+	resp, err := tested.Register(*key, ValidKey, info)
 	if err != nil {
 		t.Error(err)
 	}
@@ -125,7 +170,8 @@ func TestClient_Sync(t *testing.T) {
 		t.Error(err)
 	}

-	_, err = tested.Register(*serverKey, ValidKey)
+	info := system.GetInfo()
+	_, err = tested.Register(*serverKey, ValidKey, info)
 	if err != nil {
 		t.Error(err)
 	}
@@ -139,7 +185,9 @@ func TestClient_Sync(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	_, err = remoteClient.Register(*serverKey, ValidKey)
+
+	info = system.GetInfo()
+	_, err = remoteClient.Register(*serverKey, ValidKey, info)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -177,3 +225,82 @@ func TestClient_Sync(t *testing.T) {
 		t.Error("timeout waiting for test to finish")
 	}
 }
+
+func Test_SystemMetaDataFromClient(t *testing.T) {
+	_, lis := startMockManagement(t)
+
+	testKey, err := wgtypes.GenerateKey()
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	serverAddr := lis.Addr().String()
+	ctx := context.Background()
+
+	testClient, err := NewClient(ctx, serverAddr, testKey, false)
+	if err != nil {
+		log.Fatalf("error while creating testClient: %v", err)
+	}
+
+	key, err := testClient.GetServerPublicKey()
+	if err != nil {
+		log.Fatalf("error while getting server public key from testclient, %v", err)
+	}
+
+	var actualMeta *proto.PeerSystemMeta
+	var actualValidKey string
+	var wg sync.WaitGroup
+	wg.Add(1)
+
+	mgmtMockServer.LoginFunc =
+		func(ctx context.Context, msg *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
+			peerKey, err := wgtypes.ParseKey(msg.GetWgPubKey())
+			if err != nil {
+				log.Warnf("error while parsing peer's Wireguard public key %s on Sync request.", msg.WgPubKey)
+				return nil, status.Errorf(codes.InvalidArgument, "provided wgPubKey %s is invalid", msg.WgPubKey)
+			}
+
+			loginReq := &proto.LoginRequest{}
+			err = encryption.DecryptMessage(peerKey, serverKey, msg.Body, loginReq)
+			if err != nil {
+				log.Fatal(err)
+			}
+
+			actualMeta = loginReq.GetMeta()
+			actualValidKey = loginReq.GetSetupKey()
+			wg.Done()
+
+			loginResp := &proto.LoginResponse{}
+			encryptedResp, err := encryption.EncryptMessage(peerKey, serverKey, loginResp)
+			if err != nil {
+				return nil, err
+			}
+
+			return &mgmtProto.EncryptedMessage{
+				WgPubKey: serverKey.PublicKey().String(),
+				Body:     encryptedResp,
+				Version:  0,
+			}, nil
+		}
+
+	info := system.GetInfo()
+	_, err = testClient.Register(*key, ValidKey, info)
+	if err != nil {
+		t.Errorf("error while trying to register client: %v", err)
+	}
+
+	wg.Wait()
+
+	expectedMeta := &proto.PeerSystemMeta{
+		Hostname:           info.Hostname,
+		GoOS:               info.GoOS,
+		Kernel:             info.Kernel,
+		Core:               info.OSVersion,
+		Platform:           info.Platform,
+		OS:                 info.OS,
+		WiretrusteeVersion: info.WiretrusteeVersion,
+	}
+
+	assert.Equal(t, ValidKey, actualValidKey)
+	assert.Equal(t, expectedMeta, actualMeta)
+}
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -0,0 +1,247 @@
+package client
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/client/system"
+	"github.com/wiretrustee/wiretrustee/encryption"
+	"github.com/wiretrustee/wiretrustee/management/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/connectivity"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/keepalive"
+)
+
+type GrpcClient struct {
+	key        wgtypes.Key
+	realClient proto.ManagementServiceClient
+	ctx        context.Context
+	conn       *grpc.ClientConn
+}
+
+// NewClient creates a new client to Management service
+func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*GrpcClient, error) {
+	transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
+
+	if tlsEnabled {
+		transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+	}
+
+	mgmCtx, cancel := context.WithTimeout(ctx, time.Second*3)
+	defer cancel()
+	conn, err := grpc.DialContext(
+		mgmCtx,
+		addr,
+		transportOption,
+		grpc.WithBlock(),
+		grpc.WithKeepaliveParams(keepalive.ClientParameters{
+			Time:    15 * time.Second,
+			Timeout: 10 * time.Second,
+		}))
+	if err != nil {
+		log.Errorf("failed creating connection to Management Service %v", err)
+		return nil, err
+	}
+
+	realClient := proto.NewManagementServiceClient(conn)
+
+	return &GrpcClient{
+		key:        ourPrivateKey,
+		realClient: realClient,
+		ctx:        ctx,
+		conn:       conn,
+	}, nil
+}
+
+// Close closes connection to the Management Service
+func (c *GrpcClient) Close() error {
+	return c.conn.Close()
+}
+
+// defaultBackoff is a basic backoff mechanism for general issues
+func defaultBackoff(ctx context.Context) backoff.BackOff {
+	return backoff.WithContext(&backoff.ExponentialBackOff{
+		InitialInterval:     800 * time.Millisecond,
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      12 * time.Hour, // stop after 12 hours of trying, the error will be propagated to the general retry of the client
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}, ctx)
+}
+
+// ready indicates whether the client is okay and ready to be used
+// for now it just checks whether gRPC connection to the service is ready
+func (c *GrpcClient) ready() bool {
+	return c.conn.GetState() == connectivity.Ready || c.conn.GetState() == connectivity.Idle
+}
+
+// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
+// Blocking request. The result will be sent via msgHandler callback function
+func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
+	backOff := defaultBackoff(c.ctx)
+
+	operation := func() error {
+		log.Debugf("management connection state %v", c.conn.GetState())
+
+		if !c.ready() {
+			return fmt.Errorf("no connection to management")
+		}
+
+		// todo we already have it since we did the Login, maybe cache it locally?
+		serverPubKey, err := c.GetServerPublicKey()
+		if err != nil {
+			log.Errorf("failed getting Management Service public key: %s", err)
+			return err
+		}
+
+		stream, err := c.connectToStream(*serverPubKey)
+		if err != nil {
+			log.Errorf("failed to open Management Service stream: %s", err)
+			return err
+		}
+
+		log.Infof("connected to the Management Service stream")
+
+		// blocking until error
+		err = c.receiveEvents(stream, *serverPubKey, msgHandler)
+		if err != nil {
+			backOff.Reset()
+			return err
+		}
+
+		return nil
+	}
+
+	err := backoff.Retry(operation, backOff)
+	if err != nil {
+		log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
+		return err
+	}
+
+	return nil
+}
+
+func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
+	req := &proto.SyncRequest{}
+
+	myPrivateKey := c.key
+	myPublicKey := myPrivateKey.PublicKey()
+
+	encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
+	if err != nil {
+		log.Errorf("failed encrypting message: %s", err)
+		return nil, err
+	}
+
+	syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
+	return c.realClient.Sync(c.ctx, syncReq)
+}
+
+func (c *GrpcClient) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
+	for {
+		update, err := stream.Recv()
+		if err == io.EOF {
+			log.Errorf("Management stream has been closed by server: %s", err)
+			return err
+		}
+		if err != nil {
+			log.Warnf("disconnected from Management Service sync stream: %v", err)
+			return err
+		}
+
+		log.Debugf("got an update message from Management Service")
+		decryptedResp := &proto.SyncResponse{}
+		err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp)
+		if err != nil {
+			log.Errorf("failed decrypting update message from Management Service: %s", err)
+			return err
+		}
+
+		err = msgHandler(decryptedResp)
+		if err != nil {
+			log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
+			return err
+		}
+	}
+}
+
+// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
+func (c *GrpcClient) GetServerPublicKey() (*wgtypes.Key, error) {
+	if !c.ready() {
+		return nil, fmt.Errorf("no connection to management")
+	}
+
+	mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
+	defer cancel()
+	resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
+	if err != nil {
+		return nil, err
+	}
+
+	serverKey, err := wgtypes.ParseKey(resp.Key)
+	if err != nil {
+		return nil, err
+	}
+
+	return &serverKey, nil
+}
+
+func (c *GrpcClient) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
+	if !c.ready() {
+		return nil, fmt.Errorf("no connection to management")
+	}
+	loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
+	if err != nil {
+		log.Errorf("failed to encrypt message: %s", err)
+		return nil, err
+	}
+	mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
+	defer cancel()
+	resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
+		WgPubKey: c.key.PublicKey().String(),
+		Body:     loginReq,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	loginResp := &proto.LoginResponse{}
+	err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
+	if err != nil {
+		log.Errorf("failed to decrypt registration message: %s", err)
+		return nil, err
+	}
+
+	return loginResp, nil
+}
+
+// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
+// Takes care of encrypting and decrypting messages.
+// This method will also collect system info and send it with the request (e.g. hostname, os, etc)
+func (c *GrpcClient) Register(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error) {
+	meta := &proto.PeerSystemMeta{
+		Hostname:           info.Hostname,
+		GoOS:               info.GoOS,
+		OS:                 info.OS,
+		Core:               info.OSVersion,
+		Platform:           info.Platform,
+		Kernel:             info.Kernel,
+		WiretrusteeVersion: info.WiretrusteeVersion,
+	}
+	return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: meta})
+}
+
+// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
+func (c *GrpcClient) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
+	return c.login(serverKey, &proto.LoginRequest{})
+}
--- a/management/client/mock.go
+++ b/management/client/mock.go
@@ -0,0 +1,50 @@
+package client
+
+import (
+	"github.com/wiretrustee/wiretrustee/client/system"
+	"github.com/wiretrustee/wiretrustee/management/proto"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+type MockClient struct {
+	CloseFunc              func() error
+	SyncFunc               func(msgHandler func(msg *proto.SyncResponse) error) error
+	GetServerPublicKeyFunc func() (*wgtypes.Key, error)
+	RegisterFunc           func(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error)
+	LoginFunc              func(serverKey wgtypes.Key) (*proto.LoginResponse, error)
+}
+
+func (m *MockClient) Close() error {
+	if m.CloseFunc == nil {
+		return nil
+	}
+	return m.CloseFunc()
+}
+
+func (m *MockClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
+	if m.SyncFunc == nil {
+		return nil
+	}
+	return m.SyncFunc(msgHandler)
+}
+
+func (m *MockClient) GetServerPublicKey() (*wgtypes.Key, error) {
+	if m.GetServerPublicKeyFunc == nil {
+		return nil, nil
+	}
+	return m.GetServerPublicKeyFunc()
+}
+
+func (m *MockClient) Register(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error) {
+	if m.RegisterFunc == nil {
+		return nil, nil
+	}
+	return m.RegisterFunc(serverKey, setupKey, info)
+}
+
+func (m *MockClient) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
+	if m.LoginFunc == nil {
+		return nil, nil
+	}
+	return m.LoginFunc(serverKey)
+}
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"github.com/wiretrustee/wiretrustee/management/server"
 	"github.com/wiretrustee/wiretrustee/management/server/http"
+	"github.com/wiretrustee/wiretrustee/management/server/idp"
 	"github.com/wiretrustee/wiretrustee/util"
 	"net"
 	"os"
@@ -68,7 +69,16 @@ var (
 				log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 			}
 			peersUpdateManager := server.NewPeersUpdateManager()
-			accountManager := server.NewManager(store, peersUpdateManager)
+
+			var idpManager idp.Manager
+			if config.IdpManagerConfig != nil {
+				idpManager, err = idp.NewManager(*config.IdpManagerConfig)
+				if err != nil {
+					log.Fatalln("failed retrieving a new idp manager with err: ", err)
+				}
+			}
+
+			accountManager := server.NewManager(store, peersUpdateManager, idpManager)

 			var opts []grpc.ServerOption

--- a/management/proto/management.pb.go
+++ b/management/proto/management.pb.go
@@ -85,6 +85,8 @@ type EncryptedMessage struct {
 	WgPubKey string `protobuf:"bytes,1,opt,name=wgPubKey,proto3" json:"wgPubKey,omitempty"`
 	// encrypted message Body
 	Body []byte `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"`
+	// Version of the Wiretrustee Management Service protocol
+	Version int32 `protobuf:"varint,3,opt,name=version,proto3" json:"version,omitempty"`
 }

 func (x *EncryptedMessage) Reset() {
@@ -133,6 +135,13 @@ func (x *EncryptedMessage) GetBody() []byte {
 	return nil
 }

+func (x *EncryptedMessage) GetVersion() int32 {
+	if x != nil {
+		return x.Version
+	}
+	return 0
+}
+
 type SyncRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -178,11 +187,15 @@ type SyncResponse struct {
 	unknownFields protoimpl.UnknownFields

 	// Global config
-	WiretrusteeConfig *WiretrusteeConfig  `protobuf:"bytes,1,opt,name=wiretrusteeConfig,proto3" json:"wiretrusteeConfig,omitempty"`
-	PeerConfig        *PeerConfig         `protobuf:"bytes,2,opt,name=peerConfig,proto3" json:"peerConfig,omitempty"`
-	RemotePeers       []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"`
+	WiretrusteeConfig *WiretrusteeConfig `protobuf:"bytes,1,opt,name=wiretrusteeConfig,proto3" json:"wiretrusteeConfig,omitempty"`
+	// Deprecated. Use NetworkMap.PeerConfig
+	PeerConfig *PeerConfig `protobuf:"bytes,2,opt,name=peerConfig,proto3" json:"peerConfig,omitempty"`
+	// Deprecated. Use NetworkMap.RemotePeerConfig
+	RemotePeers []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"`
 	// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
-	RemotePeersIsEmpty bool `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"`
+	// Deprecated. Use NetworkMap.remotePeersIsEmpty
+	RemotePeersIsEmpty bool        `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"`
+	NetworkMap         *NetworkMap `protobuf:"bytes,5,opt,name=NetworkMap,proto3" json:"NetworkMap,omitempty"`
 }

 func (x *SyncResponse) Reset() {
@@ -245,6 +258,13 @@ func (x *SyncResponse) GetRemotePeersIsEmpty() bool {
 	return false
 }

+func (x *SyncResponse) GetNetworkMap() *NetworkMap {
+	if x != nil {
+		return x.NetworkMap
+	}
+	return nil
+}
+
 type LoginRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -464,6 +484,8 @@ type ServerKeyResponse struct {
 	Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
 	// Key expiration timestamp after which the key should be fetched again by the client
 	ExpiresAt *timestamp.Timestamp `protobuf:"bytes,2,opt,name=expiresAt,proto3" json:"expiresAt,omitempty"`
+	// Version of the Wiretrustee Management Service protocol
+	Version int32 `protobuf:"varint,3,opt,name=version,proto3" json:"version,omitempty"`
 }

 func (x *ServerKeyResponse) Reset() {
@@ -512,6 +534,13 @@ func (x *ServerKeyResponse) GetExpiresAt() *timestamp.Timestamp {
 	return nil
 }

+func (x *ServerKeyResponse) GetVersion() int32 {
+	if x != nil {
+		return x.Version
+	}
+	return 0
+}
+
 type Empty struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -798,6 +827,84 @@ func (x *PeerConfig) GetDns() string {
 	return ""
 }

+// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
+type NetworkMap struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	// Serial is an ID of the network state to be used by clients to order updates.
+	// The larger the Serial the newer the configuration.
+	// E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
+	Serial uint64 `protobuf:"varint,1,opt,name=Serial,proto3" json:"Serial,omitempty"`
+	// PeerConfig represents configuration of a peer
+	PeerConfig *PeerConfig `protobuf:"bytes,2,opt,name=peerConfig,proto3" json:"peerConfig,omitempty"`
+	// RemotePeerConfig represents a list of remote peers that the receiver can connect to
+	RemotePeers []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"`
+	// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
+	RemotePeersIsEmpty bool `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"`
+}
+
+func (x *NetworkMap) Reset() {
+	*x = NetworkMap{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_management_proto_msgTypes[12]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *NetworkMap) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*NetworkMap) ProtoMessage() {}
+
+func (x *NetworkMap) ProtoReflect() protoreflect.Message {
+	mi := &file_management_proto_msgTypes[12]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use NetworkMap.ProtoReflect.Descriptor instead.
+func (*NetworkMap) Descriptor() ([]byte, []int) {
+	return file_management_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *NetworkMap) GetSerial() uint64 {
+	if x != nil {
+		return x.Serial
+	}
+	return 0
+}
+
+func (x *NetworkMap) GetPeerConfig() *PeerConfig {
+	if x != nil {
+		return x.PeerConfig
+	}
+	return nil
+}
+
+func (x *NetworkMap) GetRemotePeers() []*RemotePeerConfig {
+	if x != nil {
+		return x.RemotePeers
+	}
+	return nil
+}
+
+func (x *NetworkMap) GetRemotePeersIsEmpty() bool {
+	if x != nil {
+		return x.RemotePeersIsEmpty
+	}
+	return false
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure Wireguard Peers sections
 type RemotePeerConfig struct {
@@ -814,7 +921,7 @@ type RemotePeerConfig struct {
 func (x *RemotePeerConfig) Reset() {
 	*x = RemotePeerConfig{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_management_proto_msgTypes[12]
+		mi := &file_management_proto_msgTypes[13]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -827,7 +934,7 @@ func (x *RemotePeerConfig) String() string {
 func (*RemotePeerConfig) ProtoMessage() {}

 func (x *RemotePeerConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_management_proto_msgTypes[12]
+	mi := &file_management_proto_msgTypes[13]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -840,7 +947,7 @@ func (x *RemotePeerConfig) ProtoReflect() protoreflect.Message {

 // Deprecated: Use RemotePeerConfig.ProtoReflect.Descriptor instead.
 func (*RemotePeerConfig) Descriptor() ([]byte, []int) {
-	return file_management_proto_rawDescGZIP(), []int{12}
+	return file_management_proto_rawDescGZIP(), []int{13}
 }

 func (x *RemotePeerConfig) GetWgPubKey() string {
@@ -864,12 +971,52 @@ var file_management_proto_rawDesc = []byte{
 	0x74, 0x6f, 0x12, 0x0a, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0x1f,
 	0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f,
 	0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
-	0x42, 0x0a, 0x10, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
+	0x5c, 0x0a, 0x10, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
 	0x61, 0x67, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18,
 	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12,
 	0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x62,
-	0x6f, 0x64, 0x79, 0x22, 0x0d, 0x0a, 0x0b, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x22, 0x83, 0x02, 0x0a, 0x0c, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x73, 0x70, 0x6f,
+	0x6f, 0x64, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03,
+	0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x0d, 0x0a,
+	0x0b, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xbb, 0x02, 0x0a,
+	0x0c, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a,
+	0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
+	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65,
+	0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75,
+	0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65,
+	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16,
+	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x65, 0x65, 0x72,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
+	0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65,
+	0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
+	0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12,
+	0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70,
+	0x74, 0x79, 0x12, 0x36, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70,
+	0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x52, 0x0a,
+	0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x22, 0x5a, 0x0a, 0x0c, 0x4c, 0x6f,
+	0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65,
+	0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65,
+	0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x2e, 0x0a, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
+	0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61,
+	0x52, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x22, 0xc8, 0x01, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53,
+	0x79, 0x73, 0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73,
+	0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73,
+	0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x18, 0x02, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x12, 0x16, 0x0a, 0x06, 0x6b, 0x65, 0x72,
+	0x6e, 0x65, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x65, 0x72, 0x6e, 0x65,
+	0x6c, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72,
+	0x6d, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72,
+	0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x4f, 0x53, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x4f,
+	0x53, 0x12, 0x2e, 0x0a, 0x12, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65,
+	0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x77,
+	0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f,
+	0x6e, 0x22, 0x94, 0x01, 0x0a, 0x0d, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
 	0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74,
 	0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d,
 	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65,
@@ -878,104 +1025,84 @@ var file_management_proto_rawDesc = []byte{
 	0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02,
 	0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
 	0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65,
-	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f,
-	0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e,
-	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74,
-	0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72, 0x65, 0x6d,
-	0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65, 0x6d, 0x6f,
-	0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x04,
-	0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
-	0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x5a, 0x0a, 0x0c, 0x4c, 0x6f, 0x67, 0x69,
-	0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x74, 0x75,
-	0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x74, 0x75,
-	0x70, 0x4b, 0x65, 0x79, 0x12, 0x2e, 0x0a, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x50, 0x65, 0x65, 0x72, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x52, 0x04,
-	0x6d, 0x65, 0x74, 0x61, 0x22, 0xc8, 0x01, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x79, 0x73,
-	0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e,
-	0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e,
-	0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x18, 0x02, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x12, 0x16, 0x0a, 0x06, 0x6b, 0x65, 0x72, 0x6e, 0x65,
-	0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x12,
-	0x12, 0x0a, 0x04, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63,
-	0x6f, 0x72, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18,
-	0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12,
-	0x0e, 0x0a, 0x02, 0x4f, 0x53, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x4f, 0x53, 0x12,
-	0x2e, 0x0a, 0x12, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x56, 0x65,
-	0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x77, 0x69, 0x72,
-	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22,
-	0x94, 0x01, 0x0a, 0x0d, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x12, 0x4b, 0x0a, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72,
-	0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x77, 0x69, 0x72,
-	0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36,
-	0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65, 0x65, 0x72,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x5f, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
-	0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b,
-	0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x38, 0x0a,
-	0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
-	0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
-	0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78,
-	0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x22, 0x07, 0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79,
-	0x22, 0xa8, 0x01, 0x0a, 0x11, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x05, 0x73, 0x74, 0x75, 0x6e, 0x73, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x73,
-	0x74, 0x75, 0x6e, 0x73, 0x12, 0x35, 0x0a, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x18, 0x02, 0x20,
-	0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
-	0x2e, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f,
-	0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x12, 0x2e, 0x0a, 0x06, 0x73,
-	0x69, 0x67, 0x6e, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61,
-	0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x52, 0x06, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x22, 0x98, 0x01, 0x0a, 0x0a,
-	0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72,
-	0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x3b, 0x0a, 0x08,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74,
-	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52,
-	0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0x3b, 0x0a, 0x08, 0x50, 0x72, 0x6f,
-	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x00, 0x12, 0x07,
-	0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10,
-	0x02, 0x12, 0x09, 0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04,
-	0x44, 0x54, 0x4c, 0x53, 0x10, 0x04, 0x22, 0x7d, 0x0a, 0x13, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63,
-	0x74, 0x65, 0x64, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a,
-	0x0a, 0x68, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x79, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a,
+	0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
+	0x38, 0x0a, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x18, 0x02, 0x20, 0x01,
+	0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09,
+	0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72,
+	0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73,
+	0x69, 0x6f, 0x6e, 0x22, 0x07, 0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0xa8, 0x01, 0x0a,
+	0x11, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x12, 0x2c, 0x0a, 0x05, 0x73, 0x74, 0x75, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
 	0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48,
-	0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x43,
-	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20,
-	0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73,
-	0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73,
-	0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x38, 0x0a, 0x0a, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x10, 0x0a,
-	0x03, 0x64, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x64, 0x6e, 0x73, 0x22,
-	0x4e, 0x0a, 0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12,
-	0x1e, 0x0a, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20,
-	0x03, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x32,
-	0x9b, 0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65,
-	0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c,
-	0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72,
-	0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d,
-	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70,
-	0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04,
-	0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61,
-	0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
-	0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65,
-	0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65,
-	0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
-	0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
-	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65,
-	0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
-	0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
-	0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a,
-	0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x73, 0x74, 0x75, 0x6e, 0x73,
+	0x12, 0x35, 0x0a, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x1f, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f,
+	0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x52, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x12, 0x2e, 0x0a, 0x06, 0x73, 0x69, 0x67, 0x6e, 0x61,
+	0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52,
+	0x06, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x22, 0x98, 0x01, 0x0a, 0x0a, 0x48, 0x6f, 0x73, 0x74,
+	0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x3b, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x6d, 0x61, 0x6e,
+	0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66,
+	0x69, 0x67, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0x3b, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
+	0x6c, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43,
+	0x50, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x02, 0x12, 0x09, 0x0a,
+	0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x54, 0x4c, 0x53,
+	0x10, 0x04, 0x22, 0x7d, 0x0a, 0x13, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x48,
+	0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a, 0x0a, 0x68, 0x6f, 0x73,
+	0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69,
+	0x67, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72,
+	0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72,
+	0x64, 0x22, 0x38, 0x0a, 0x0a, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
+	0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x6e, 0x73,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x64, 0x6e, 0x73, 0x22, 0xcc, 0x01, 0x0a, 0x0a,
+	0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65,
+	0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69,
+	0x61, 0x6c, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
+	0x65, 0x6e, 0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a,
+	0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65,
+	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d,
+	0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72,
+	0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65,
+	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79,
+	0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65,
+	0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x4e, 0x0a, 0x10, 0x52, 0x65,
+	0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a,
+	0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
+	0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c,
+	0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a,
+	0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x32, 0x9b, 0x02, 0x0a, 0x11, 0x4d,
+	0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
+	0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
+	0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
+	0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
+	0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
+	0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12,
+	0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
+	0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e,
+	0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
+	0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12,
+	0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12,
+	0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70,
+	0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
+	0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79,
+	0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d,
+	0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
+	0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f,
+	0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var (
@@ -991,7 +1118,7 @@ func file_management_proto_rawDescGZIP() []byte {
 }

 var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 13)
+var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 14)
 var file_management_proto_goTypes = []interface{}{
 	(HostConfig_Protocol)(0),    // 0: management.HostConfig.Protocol
 	(*EncryptedMessage)(nil),    // 1: management.EncryptedMessage
@@ -1006,35 +1133,39 @@ var file_management_proto_goTypes = []interface{}{
 	(*HostConfig)(nil),          // 10: management.HostConfig
 	(*ProtectedHostConfig)(nil), // 11: management.ProtectedHostConfig
 	(*PeerConfig)(nil),          // 12: management.PeerConfig
-	(*RemotePeerConfig)(nil),    // 13: management.RemotePeerConfig
-	(*timestamp.Timestamp)(nil), // 14: google.protobuf.Timestamp
+	(*NetworkMap)(nil),          // 13: management.NetworkMap
+	(*RemotePeerConfig)(nil),    // 14: management.RemotePeerConfig
+	(*timestamp.Timestamp)(nil), // 15: google.protobuf.Timestamp
 }
 var file_management_proto_depIdxs = []int32{
 	9,  // 0: management.SyncResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
 	12, // 1: management.SyncResponse.peerConfig:type_name -> management.PeerConfig
-	13, // 2: management.SyncResponse.remotePeers:type_name -> management.RemotePeerConfig
-	5,  // 3: management.LoginRequest.meta:type_name -> management.PeerSystemMeta
-	9,  // 4: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
-	12, // 5: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
-	14, // 6: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
-	10, // 7: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
-	11, // 8: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
-	10, // 9: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
-	0,  // 10: management.HostConfig.protocol:type_name -> management.HostConfig.Protocol
-	10, // 11: management.ProtectedHostConfig.hostConfig:type_name -> management.HostConfig
-	1,  // 12: management.ManagementService.Login:input_type -> management.EncryptedMessage
-	1,  // 13: management.ManagementService.Sync:input_type -> management.EncryptedMessage
-	8,  // 14: management.ManagementService.GetServerKey:input_type -> management.Empty
-	8,  // 15: management.ManagementService.isHealthy:input_type -> management.Empty
-	1,  // 16: management.ManagementService.Login:output_type -> management.EncryptedMessage
-	1,  // 17: management.ManagementService.Sync:output_type -> management.EncryptedMessage
-	7,  // 18: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
-	8,  // 19: management.ManagementService.isHealthy:output_type -> management.Empty
-	16, // [16:20] is the sub-list for method output_type
-	12, // [12:16] is the sub-list for method input_type
-	12, // [12:12] is the sub-list for extension type_name
-	12, // [12:12] is the sub-list for extension extendee
-	0,  // [0:12] is the sub-list for field type_name
+	14, // 2: management.SyncResponse.remotePeers:type_name -> management.RemotePeerConfig
+	13, // 3: management.SyncResponse.NetworkMap:type_name -> management.NetworkMap
+	5,  // 4: management.LoginRequest.meta:type_name -> management.PeerSystemMeta
+	9,  // 5: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
+	12, // 6: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
+	15, // 7: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
+	10, // 8: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
+	11, // 9: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
+	10, // 10: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
+	0,  // 11: management.HostConfig.protocol:type_name -> management.HostConfig.Protocol
+	10, // 12: management.ProtectedHostConfig.hostConfig:type_name -> management.HostConfig
+	12, // 13: management.NetworkMap.peerConfig:type_name -> management.PeerConfig
+	14, // 14: management.NetworkMap.remotePeers:type_name -> management.RemotePeerConfig
+	1,  // 15: management.ManagementService.Login:input_type -> management.EncryptedMessage
+	1,  // 16: management.ManagementService.Sync:input_type -> management.EncryptedMessage
+	8,  // 17: management.ManagementService.GetServerKey:input_type -> management.Empty
+	8,  // 18: management.ManagementService.isHealthy:input_type -> management.Empty
+	1,  // 19: management.ManagementService.Login:output_type -> management.EncryptedMessage
+	1,  // 20: management.ManagementService.Sync:output_type -> management.EncryptedMessage
+	7,  // 21: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
+	8,  // 22: management.ManagementService.isHealthy:output_type -> management.Empty
+	19, // [19:23] is the sub-list for method output_type
+	15, // [15:19] is the sub-list for method input_type
+	15, // [15:15] is the sub-list for extension type_name
+	15, // [15:15] is the sub-list for extension extendee
+	0,  // [0:15] is the sub-list for field type_name
 }

 func init() { file_management_proto_init() }
@@ -1188,6 +1319,18 @@ func file_management_proto_init() {
 			}
 		}
 		file_management_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*NetworkMap); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_management_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*RemotePeerConfig); i {
 			case 0:
 				return &v.state
@@ -1206,7 +1349,7 @@ func file_management_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_management_proto_rawDesc,
 			NumEnums:      1,
-			NumMessages:   13,
+			NumMessages:   14,
 			NumExtensions: 0,
 			NumServices:   1,
 		},
--- a/management/proto/management.proto
+++ b/management/proto/management.proto
@@ -9,11 +9,13 @@ package management;
 service ManagementService {

  // Login logs in peer. In case server returns codes.PermissionDenied this endpoint can be used to register Peer providing LoginRequest.setupKey
+  // Returns encrypted LoginResponse in EncryptedMessage.Body
  rpc Login(EncryptedMessage) returns (EncryptedMessage) {}

  // Sync enables peer synchronization. Each peer that is connected to this stream will receive updates from the server.
  // For example, if a new peer has been added to an account all other connected peers will receive this peer's Wireguard public key as an update
  // The initial SyncResponse contains all of the available peers so the local state can be refreshed
+  // Returns encrypted SyncResponse in EncryptedMessage.Body
  rpc Sync(EncryptedMessage) returns (stream EncryptedMessage) {}

  // Exposes a Wireguard public key of the Management service.
@@ -30,20 +32,29 @@ message EncryptedMessage {

  // encrypted message Body
  bytes body = 2;
+  // Version of the Wiretrustee Management Service protocol
+  int32 version = 3;
 }

 message SyncRequest {}

 // SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs)
 message SyncResponse {
+
  // Global config
  WiretrusteeConfig wiretrusteeConfig = 1;

+  // Deprecated. Use NetworkMap.PeerConfig
  PeerConfig peerConfig = 2;

+  // Deprecated. Use NetworkMap.RemotePeerConfig
  repeated RemotePeerConfig remotePeers = 3;
+
  // Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
+  // Deprecated. Use NetworkMap.remotePeersIsEmpty
  bool remotePeersIsEmpty = 4;
+
+  NetworkMap NetworkMap = 5;
 }

 message LoginRequest {
@@ -76,6 +87,8 @@ message ServerKeyResponse {
  string key = 1;
  // Key expiration timestamp after which the key should be fetched again by the client
  google.protobuf.Timestamp expiresAt = 2;
+  // Version of the Wiretrustee Management Service protocol
+  int32 version = 3;
 }

 message Empty {}
@@ -122,6 +135,24 @@ message PeerConfig {
  string dns = 2;
 }

+// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
+message NetworkMap {
+  // Serial is an ID of the network state to be used by clients to order updates.
+  // The larger the Serial the newer the configuration.
+  // E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
+  uint64 Serial = 1;
+
+  // PeerConfig represents configuration of a peer
+  PeerConfig peerConfig = 2;
+
+  // RemotePeerConfig represents a list of remote peers that the receiver can connect to
+  repeated RemotePeerConfig remotePeers = 3;
+
+  // Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
+  bool remotePeersIsEmpty = 4;
+
+}
+
 // RemotePeerConfig represents a configuration of a remote peer.
 // The properties are used to configure Wireguard Peers sections
 message RemotePeerConfig {
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1,32 +1,69 @@
 package server

 import (
-	"github.com/google/uuid"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"
+	"github.com/wiretrustee/wiretrustee/management/server/idp"
+	"github.com/wiretrustee/wiretrustee/management/server/jwtclaims"
 	"github.com/wiretrustee/wiretrustee/util"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"net"
+	"strings"
 	"sync"
 )

-type AccountManager struct {
+const (
+	PublicCategory  = "public"
+	PrivateCategory = "private"
+	UnknownCategory = "unknown"
+)
+
+type AccountManager interface {
+	GetOrCreateAccountByUser(userId, domain string) (*Account, error)
+	GetAccountByUser(userId string) (*Account, error)
+	AddSetupKey(accountId string, keyName string, keyType SetupKeyType, expiresIn *util.Duration) (*SetupKey, error)
+	RevokeSetupKey(accountId string, keyId string) (*SetupKey, error)
+	RenameSetupKey(accountId string, keyId string, newName string) (*SetupKey, error)
+	GetAccountById(accountId string) (*Account, error)
+	GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
+	GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
+	AccountExists(accountId string) (*bool, error)
+	AddAccount(accountId, userId, domain string) (*Account, error)
+	GetPeer(peerKey string) (*Peer, error)
+	MarkPeerConnected(peerKey string, connected bool) error
+	RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
+	DeletePeer(accountId string, peerKey string) (*Peer, error)
+	GetPeerByIP(accountId string, peerIP string) (*Peer, error)
+	GetNetworkMap(peerKey string) (*NetworkMap, error)
+	AddPeer(setupKey string, peer *Peer) (*Peer, error)
+}
+
+type DefaultAccountManager struct {
 	Store Store
 	// mutex to synchronise account operations (e.g. generating Peer IP address inside the Network)
 	mux                sync.Mutex
 	peersUpdateManager *PeersUpdateManager
+	idpManager         idp.Manager
 }

 // Account represents a unique account of the system
 type Account struct {
 	Id string
 	// User.Id it was created by
-	CreatedBy string
-	SetupKeys map[string]*SetupKey
-	Network   *Network
-	Peers     map[string]*Peer
-	Users     map[string]*User
+	CreatedBy              string
+	Domain                 string
+	DomainCategory         string
+	IsDomainPrimaryAccount bool
+	SetupKeys              map[string]*SetupKey
+	Network                *Network
+	Peers                  map[string]*Peer
+	Users                  map[string]*User
+}
+
+// NewAccount creates a new Account with a generated ID and generated default setup keys
+func NewAccount(userId, domain string) *Account {
+	accountId := xid.New().String()
+	return newAccountWithId(accountId, userId, domain)
 }

 func (a *Account) Copy() *Account {
@@ -55,17 +92,18 @@ func (a *Account) Copy() *Account {
 	}
 }

-// NewManager creates a new AccountManager with a provided Store
-func NewManager(store Store, peersUpdateManager *PeersUpdateManager) *AccountManager {
-	return &AccountManager{
+// NewManager creates a new DefaultAccountManager with a provided Store
+func NewManager(store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager) *DefaultAccountManager {
+	return &DefaultAccountManager{
 		Store:              store,
 		mux:                sync.Mutex{},
 		peersUpdateManager: peersUpdateManager,
+		idpManager:         idpManager,
 	}
 }

 //AddSetupKey generates a new setup key with a given name and type, and adds it to the specified account
-func (am *AccountManager) AddSetupKey(accountId string, keyName string, keyType SetupKeyType, expiresIn *util.Duration) (*SetupKey, error) {
+func (am *DefaultAccountManager) AddSetupKey(accountId string, keyName string, keyType SetupKeyType, expiresIn *util.Duration) (*SetupKey, error) {
 	am.mux.Lock()
 	defer am.mux.Unlock()

@@ -91,7 +129,7 @@ func (am *AccountManager) AddSetupKey(accountId string, keyName string, keyType
 }

 //RevokeSetupKey marks SetupKey as revoked - becomes not valid anymore
-func (am *AccountManager) RevokeSetupKey(accountId string, keyId string) (*SetupKey, error) {
+func (am *DefaultAccountManager) RevokeSetupKey(accountId string, keyId string) (*SetupKey, error) {
 	am.mux.Lock()
 	defer am.mux.Unlock()

@@ -117,7 +155,7 @@ func (am *AccountManager) RevokeSetupKey(accountId string, keyId string) (*Setup
 }

 //RenameSetupKey renames existing setup key of the specified account.
-func (am *AccountManager) RenameSetupKey(accountId string, keyId string, newName string) (*SetupKey, error) {
+func (am *DefaultAccountManager) RenameSetupKey(accountId string, keyId string, newName string) (*SetupKey, error) {
 	am.mux.Lock()
 	defer am.mux.Unlock()

@@ -142,8 +180,8 @@ func (am *AccountManager) RenameSetupKey(accountId string, keyId string, newName
 	return keyCopy, nil
 }

-//GetAccount returns an existing account or error (NotFound) if doesn't exist
-func (am *AccountManager) GetAccount(accountId string) (*Account, error) {
+//GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist
+func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error) {
 	am.mux.Lock()
 	defer am.mux.Unlock()

@@ -155,8 +193,160 @@ func (am *AccountManager) GetAccount(accountId string) (*Account, error) {
 	return account, nil
 }

+//GetAccountByUserOrAccountId look for an account by user or account Id, if no account is provided and
+// user id doesn't have an account associated with it, one account is created
+func (am *DefaultAccountManager) GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error) {
+
+	if accountId != "" {
+		return am.GetAccountById(accountId)
+	} else if userId != "" {
+		account, err := am.GetOrCreateAccountByUser(userId, domain)
+		if err != nil {
+			return nil, status.Errorf(codes.NotFound, "account not found using user id: %s", userId)
+		}
+		err = am.updateIDPMetadata(userId, account.Id)
+		if err != nil {
+			return nil, err
+		}
+		return account, nil
+	}
+
+	return nil, status.Errorf(codes.NotFound, "no valid user or account Id provided")
+}
+
+// updateIDPMetadata update user's  app metadata in idp manager
+func (am *DefaultAccountManager) updateIDPMetadata(userId, accountID string) error {
+	if am.idpManager != nil {
+		err := am.idpManager.UpdateUserAppMetadata(userId, idp.AppMetadata{WTAccountId: accountID})
+		if err != nil {
+			return status.Errorf(codes.Internal, "updating user's app metadata failed with: %v", err)
+		}
+	}
+	return nil
+}
+
+// updateAccountDomainAttributes updates the account domain attributes and then, saves the account
+func (am *DefaultAccountManager) updateAccountDomainAttributes(account *Account, claims jwtclaims.AuthorizationClaims, primaryDomain bool) error {
+	account.IsDomainPrimaryAccount = primaryDomain
+	account.Domain = strings.ToLower(claims.Domain)
+	account.DomainCategory = claims.DomainCategory
+	err := am.Store.SaveAccount(account)
+	if err != nil {
+		return status.Errorf(codes.Internal, "failed saving updated account")
+	}
+	return nil
+}
+
+// handleExistingUserAccount handles existing User accounts and update its domain attributes.
+//
+//
+// If there is no primary domain account yet, we set the account as primary for the domain. Otherwise,
+// we compare the account's ID with the domain account ID, and if they don't match, we set the account as
+// non-primary account for the domain. We don't merge accounts at this stage, because of cases when a domain
+// was previously unclassified or classified as public so N users that logged int that time, has they own account
+// and peers that shouldn't be lost.
+func (am *DefaultAccountManager) handleExistingUserAccount(existingAcc *Account, domainAcc *Account, claims jwtclaims.AuthorizationClaims) error {
+	var err error
+
+	if domainAcc == nil || existingAcc.Id != domainAcc.Id {
+		err = am.updateAccountDomainAttributes(existingAcc, claims, false)
+		if err != nil {
+			return err
+		}
+	}
+
+	// we should register the account ID to this user's metadata in our IDP manager
+	err = am.updateIDPMetadata(claims.UserId, existingAcc.Id)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// handleNewUserAccount validates if there is an existing primary account for the domain, if so it adds the new user to that account,
+// otherwise it will create a new account and make it primary account for the domain.
+func (am *DefaultAccountManager) handleNewUserAccount(domainAcc *Account, claims jwtclaims.AuthorizationClaims) (*Account, error) {
+	var (
+		account        *Account
+		primaryAccount bool
+	)
+	lowerDomain := strings.ToLower(claims.Domain)
+	// if domain already has a primary account, add regular user
+	if domainAcc != nil {
+		account = domainAcc
+		account.Users[claims.UserId] = NewRegularUser(claims.UserId)
+		primaryAccount = false
+	} else {
+		account = NewAccount(claims.UserId, lowerDomain)
+		account.Users[claims.UserId] = NewAdminUser(claims.UserId)
+		primaryAccount = true
+	}
+
+	err := am.updateAccountDomainAttributes(account, claims, primaryAccount)
+	if err != nil {
+		return nil, err
+	}
+
+	err = am.updateIDPMetadata(claims.UserId, account.Id)
+	if err != nil {
+		return nil, err
+	}
+
+	return account, nil
+}
+
+// GetAccountWithAuthorizationClaims retrievs an account using JWT Claims.
+// if domain is of the PrivateCategory category, it will evaluate
+// if account is new, existing or if there is another account with the same domain
+//
+// Use cases:
+//
+// New user + New account + New domain -> create account, user role = admin (if private domain, index domain)
+//
+// New user + New account + Existing Private Domain -> add user to the existing account, user role = regular (not admin)
+//
+// New user + New account + Existing Public Domain -> create account, user role = admin
+//
+// Existing user + Existing account + Existing Domain -> Nothing changes (if private, index domain)
+//
+// Existing user + Existing account + Existing Indexed Domain -> Nothing changes
+//
+// Existing user + Existing account + Existing domain reclassified Domain as private -> Nothing changes (index domain)
+func (am *DefaultAccountManager) GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error) {
+	// if Account ID is part of the claims
+	// it means that we've already classified the domain and user has an account
+	if claims.DomainCategory != PrivateCategory || claims.AccountId != "" {
+		return am.GetAccountByUserOrAccountId(claims.UserId, claims.AccountId, claims.Domain)
+	}
+
+	am.mux.Lock()
+	defer am.mux.Unlock()
+
+	// We checked if the domain has a primary account already
+	domainAccount, err := am.Store.GetAccountByPrivateDomain(claims.Domain)
+	accStatus, _ := status.FromError(err)
+	if accStatus.Code() != codes.OK && accStatus.Code() != codes.NotFound {
+		return nil, err
+	}
+
+	account, err := am.Store.GetUserAccount(claims.UserId)
+	if err == nil {
+		err = am.handleExistingUserAccount(account, domainAccount, claims)
+		if err != nil {
+			return nil, err
+		}
+		return account, nil
+	} else if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
+		return am.handleNewUserAccount(domainAccount, claims)
+	} else {
+		// other error
+		return nil, err
+	}
+}
+
 //AccountExists checks whether account exists (returns true) or not (returns false)
-func (am *AccountManager) AccountExists(accountId string) (*bool, error) {
+func (am *DefaultAccountManager) AccountExists(accountId string) (*bool, error) {
 	am.mux.Lock()
 	defer am.mux.Unlock()

@@ -176,17 +366,17 @@ func (am *AccountManager) AccountExists(accountId string) (*bool, error) {
 }

 // AddAccount generates a new Account with a provided accountId and userId, saves to the Store
-func (am *AccountManager) AddAccount(accountId string, userId string) (*Account, error) {
+func (am *DefaultAccountManager) AddAccount(accountId, userId, domain string) (*Account, error) {

 	am.mux.Lock()
 	defer am.mux.Unlock()

-	return am.createAccount(accountId, userId)
+	return am.createAccount(accountId, userId, domain)

 }

-func (am *AccountManager) createAccount(accountId string, userId string) (*Account, error) {
-	account, _ := newAccountWithId(accountId, userId)
+func (am *DefaultAccountManager) createAccount(accountId, userId, domain string) (*Account, error) {
+	account := newAccountWithId(accountId, userId, domain)

 	err := am.Store.SaveAccount(account)
 	if err != nil {
@@ -197,7 +387,7 @@ func (am *AccountManager) createAccount(accountId string, userId string) (*Accou
 }

 // newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
-func newAccountWithId(accountId string, userId string) (*Account, *SetupKey) {
+func newAccountWithId(accountId, userId, domain string) *Account {

 	log.Debugf("creating new account")

@@ -206,22 +396,21 @@ func newAccountWithId(accountId string, userId string) (*Account, *SetupKey) {
 	oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration)
 	setupKeys[defaultKey.Key] = defaultKey
 	setupKeys[oneOffKey.Key] = oneOffKey
-	network := &Network{
-		Id:  uuid.New().String(),
-		Net: net.IPNet{IP: net.ParseIP("100.64.0.0"), Mask: net.IPMask{255, 192, 0, 0}},
-		Dns: ""}
+	network := NewNetwork()
 	peers := make(map[string]*Peer)
 	users := make(map[string]*User)

 	log.Debugf("created new account %s with setup key %s", accountId, defaultKey.Key)

-	return &Account{Id: accountId, SetupKeys: setupKeys, Network: network, Peers: peers, Users: users, CreatedBy: userId}, defaultKey
-}
-
-// newAccount creates a new Account with a default SetupKey and a provided User.Id of a user who issued account creation (doesn't store in a Store)
-func newAccount(userId string) (*Account, *SetupKey) {
-	accountId := xid.New().String()
-	return newAccountWithId(accountId, userId)
+	return &Account{
+		Id:        accountId,
+		SetupKeys: setupKeys,
+		Network:   network,
+		Peers:     peers,
+		Users:     users,
+		CreatedBy: userId,
+		Domain:    domain,
+	}
 }

 func getAccountSetupKeyById(acc *Account, keyId string) *SetupKey {
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -1,6 +1,8 @@
 package server

 import (
+	"github.com/stretchr/testify/require"
+	"github.com/wiretrustee/wiretrustee/management/server/jwtclaims"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"net"
 	"testing"
@@ -14,7 +16,7 @@ func TestAccountManager_GetOrCreateAccountByUser(t *testing.T) {
 	}

 	userId := "test_user"
-	account, err := manager.GetOrCreateAccountByUser(userId)
+	account, err := manager.GetOrCreateAccountByUser(userId, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -32,6 +34,191 @@ func TestAccountManager_GetOrCreateAccountByUser(t *testing.T) {
 	}
 }

+func TestDefaultAccountManager_GetAccountWithAuthorizationClaims(t *testing.T) {
+
+	type initUserParams jwtclaims.AuthorizationClaims
+
+	type test struct {
+		name                string
+		inputClaims         jwtclaims.AuthorizationClaims
+		inputInitUserParams initUserParams
+		inputUpdateAttrs    bool
+		testingFunc         require.ComparisonAssertionFunc
+		expectedMSG         string
+		expectedUserRole    UserRole
+	}
+
+	var (
+		publicDomain  = "public.com"
+		privateDomain = "private.com"
+		unknownDomain = "unknown.com"
+	)
+
+	defaultInitAccount := initUserParams{
+		Domain: publicDomain,
+		UserId: "defaultUser",
+	}
+
+	testCase1 := test{
+		name: "New User With Public Domain",
+		inputClaims: jwtclaims.AuthorizationClaims{
+			Domain:         publicDomain,
+			UserId:         "pub-domain-user",
+			DomainCategory: PublicCategory,
+		},
+		inputInitUserParams: defaultInitAccount,
+		testingFunc:         require.NotEqual,
+		expectedMSG:         "account IDs shouldn't match",
+		expectedUserRole:    UserRoleAdmin,
+	}
+
+	initUnknown := defaultInitAccount
+	initUnknown.DomainCategory = UnknownCategory
+	initUnknown.Domain = unknownDomain
+
+	testCase2 := test{
+		name: "New User With Unknown Domain",
+		inputClaims: jwtclaims.AuthorizationClaims{
+			Domain:         unknownDomain,
+			UserId:         "unknown-domain-user",
+			DomainCategory: UnknownCategory,
+		},
+		inputInitUserParams: initUnknown,
+		testingFunc:         require.NotEqual,
+		expectedMSG:         "account IDs shouldn't match",
+		expectedUserRole:    UserRoleAdmin,
+	}
+
+	testCase3 := test{
+		name: "New User With Private Domain",
+		inputClaims: jwtclaims.AuthorizationClaims{
+			Domain:         privateDomain,
+			UserId:         "pvt-domain-user",
+			DomainCategory: PrivateCategory,
+		},
+		inputInitUserParams: defaultInitAccount,
+		testingFunc:         require.NotEqual,
+		expectedMSG:         "account IDs shouldn't match",
+		expectedUserRole:    UserRoleAdmin,
+	}
+
+	privateInitAccount := defaultInitAccount
+	privateInitAccount.Domain = privateDomain
+	privateInitAccount.DomainCategory = PrivateCategory
+
+	testCase4 := test{
+		name: "New Regular User With Existing Private Domain",
+		inputClaims: jwtclaims.AuthorizationClaims{
+			Domain:         privateDomain,
+			UserId:         "pvt-domain-user",
+			DomainCategory: PrivateCategory,
+		},
+		inputUpdateAttrs:    true,
+		inputInitUserParams: privateInitAccount,
+		testingFunc:         require.Equal,
+		expectedMSG:         "account IDs should match",
+		expectedUserRole:    UserRoleUser,
+	}
+
+	testCase5 := test{
+		name: "Existing User With Existing Reclassified Private Domain",
+		inputClaims: jwtclaims.AuthorizationClaims{
+			Domain:         defaultInitAccount.Domain,
+			UserId:         defaultInitAccount.UserId,
+			DomainCategory: PrivateCategory,
+		},
+		inputInitUserParams: defaultInitAccount,
+		testingFunc:         require.Equal,
+		expectedMSG:         "account IDs should match",
+		expectedUserRole:    UserRoleAdmin,
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			manager, err := createManager(t)
+			require.NoError(t, err, "unable to create account manager")
+
+			initAccount, err := manager.GetAccountByUserOrAccountId(testCase.inputInitUserParams.UserId, testCase.inputInitUserParams.AccountId, testCase.inputInitUserParams.Domain)
+			require.NoError(t, err, "create init user failed")
+
+			if testCase.inputUpdateAttrs {
+				err = manager.updateAccountDomainAttributes(initAccount, jwtclaims.AuthorizationClaims{UserId: testCase.inputInitUserParams.UserId, Domain: testCase.inputInitUserParams.Domain, DomainCategory: testCase.inputInitUserParams.DomainCategory}, true)
+				require.NoError(t, err, "update init user failed")
+			}
+
+			account, err := manager.GetAccountWithAuthorizationClaims(testCase.inputClaims)
+			require.NoError(t, err, "support function failed")
+
+			testCase.testingFunc(t, initAccount.Id, account.Id, testCase.expectedMSG)
+
+			require.EqualValues(t, testCase.expectedUserRole, account.Users[testCase.inputClaims.UserId].Role, "user role should match")
+		})
+	}
+}
+func TestAccountManager_PrivateAccount(t *testing.T) {
+	manager, err := createManager(t)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	userId := "test_user"
+	account, err := manager.GetOrCreateAccountByUser(userId, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if account == nil {
+		t.Fatalf("expected to create an account for a user %s", userId)
+	}
+
+	account, err = manager.GetAccountByUser(userId)
+	if err != nil {
+		t.Errorf("expected to get existing account after creation, no account was found for a user %s", userId)
+	}
+
+	if account != nil && account.Users[userId] == nil {
+		t.Fatalf("expected to create an account for a user %s but no user was found after creation udner the account %s", userId, account.Id)
+	}
+}
+
+func TestAccountManager_SetOrUpdateDomain(t *testing.T) {
+	manager, err := createManager(t)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	userId := "test_user"
+	domain := "hotmail.com"
+	account, err := manager.GetOrCreateAccountByUser(userId, domain)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if account == nil {
+		t.Fatalf("expected to create an account for a user %s", userId)
+	}
+
+	if account.Domain != domain {
+		t.Errorf("setting account domain failed, expected %s, got %s", domain, account.Domain)
+	}
+
+	domain = "gmail.com"
+
+	account, err = manager.GetOrCreateAccountByUser(userId, domain)
+	if err != nil {
+		t.Fatalf("got the following error while retrieving existing acc: %v", err)
+	}
+
+	if account == nil {
+		t.Fatalf("expected to get an account for a user %s", userId)
+	}
+
+	if account.Domain != domain {
+		t.Errorf("updating domain. expected %s got %s", domain, account.Domain)
+	}
+}
+
 func TestAccountManager_AddAccount(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
@@ -48,7 +235,7 @@ func TestAccountManager_AddAccount(t *testing.T) {
 		Mask: net.IPMask{255, 192, 0, 0},
 	}

-	account, err := manager.AddAccount(expectedId, userId)
+	account, err := manager.AddAccount(expectedId, userId, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -70,6 +257,36 @@ func TestAccountManager_AddAccount(t *testing.T) {
 	}
 }

+func TestAccountManager_GetAccountByUserOrAccountId(t *testing.T) {
+	manager, err := createManager(t)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	userId := "test_user"
+
+	account, err := manager.GetAccountByUserOrAccountId(userId, "", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if account == nil {
+		t.Fatalf("expected to create an account for a user %s", userId)
+	}
+
+	accountId := account.Id
+
+	_, err = manager.GetAccountByUserOrAccountId("", accountId, "")
+	if err != nil {
+		t.Errorf("expected to get existing account after creation using userid, no account was found for a account %s", accountId)
+	}
+
+	_, err = manager.GetAccountByUserOrAccountId("", "", "")
+	if err == nil {
+		t.Errorf("expected an error when user and account IDs are empty")
+	}
+}
+
 func TestAccountManager_AccountExists(t *testing.T) {
 	manager, err := createManager(t)
 	if err != nil {
@@ -79,7 +296,7 @@ func TestAccountManager_AccountExists(t *testing.T) {

 	expectedId := "test_account"
 	userId := "account_creator"
-	_, err = manager.AddAccount(expectedId, userId)
+	_, err = manager.AddAccount(expectedId, userId, "")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -104,13 +321,13 @@ func TestAccountManager_GetAccount(t *testing.T) {

 	expectedId := "test_account"
 	userId := "account_creator"
-	account, err := manager.AddAccount(expectedId, userId)
+	account, err := manager.AddAccount(expectedId, userId, "")
 	if err != nil {
 		t.Fatal(err)
 	}

 	//AddAccount has been already tested so we can assume it is correct and compare results
-	getAccount, err := manager.GetAccount(expectedId)
+	getAccount, err := manager.GetAccountById(expectedId)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -141,11 +358,13 @@ func TestAccountManager_AddPeer(t *testing.T) {
 		return
 	}

-	account, err := manager.AddAccount("test_account", "account_creator")
+	account, err := manager.AddAccount("test_account", "account_creator", "")
 	if err != nil {
 		t.Fatal(err)
 	}

+	serial := account.Network.Serial() //should be 0
+
 	var setupKey *SetupKey
 	for _, key := range account.SetupKeys {
 		setupKey = key
@@ -156,7 +375,12 @@ func TestAccountManager_AddPeer(t *testing.T) {
 		return
 	}

-	key, err := wgtypes.GenerateKey()
+	if account.Network.serial != 0 {
+		t.Errorf("expecting account network to have an initial serial=0")
+		return
+	}
+
+	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -164,7 +388,7 @@ func TestAccountManager_AddPeer(t *testing.T) {
 	expectedPeerKey := key.PublicKey().String()
 	expectedPeerIP := "100.64.0.1"

-	peer, err := manager.AddPeer(setupKey.Key, Peer{
+	peer, err := manager.AddPeer(setupKey.Key, &Peer{
 		Key:  expectedPeerKey,
 		Meta: PeerSystemMeta{},
 		Name: expectedPeerKey,
@@ -174,6 +398,12 @@ func TestAccountManager_AddPeer(t *testing.T) {
 		return
 	}

+	account, err = manager.GetAccountById(account.Id)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
 	if peer.Key != expectedPeerKey {
 		t.Errorf("expecting just added peer to have key = %s, got %s", expectedPeerKey, peer.Key)
 	}
@@ -182,13 +412,70 @@ func TestAccountManager_AddPeer(t *testing.T) {
 		t.Errorf("expecting just added peer to have IP = %s, got %s", expectedPeerIP, peer.IP.String())
 	}

+	if account.Network.Serial() != 1 {
+		t.Errorf("expecting Network serial=%d to be incremented by 1 and be equal to %d when adding new peer to account", serial, account.Network.Serial())
+	}
+
 }
-func createManager(t *testing.T) (*AccountManager, error) {
+
+func TestAccountManager_DeletePeer(t *testing.T) {
+	manager, err := createManager(t)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	account, err := manager.AddAccount("test_account", "account_creator", "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var setupKey *SetupKey
+	for _, key := range account.SetupKeys {
+		setupKey = key
+	}
+
+	key, err := wgtypes.GenerateKey()
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	peerKey := key.PublicKey().String()
+
+	_, err = manager.AddPeer(setupKey.Key, &Peer{
+		Key:  peerKey,
+		Meta: PeerSystemMeta{},
+		Name: peerKey,
+	})
+	if err != nil {
+		t.Errorf("expecting peer to be added, got failure %v", err)
+		return
+	}
+
+	_, err = manager.DeletePeer(account.Id, peerKey)
+	if err != nil {
+		return
+	}
+
+	account, err = manager.GetAccountById(account.Id)
+	if err != nil {
+		t.Fatal(err)
+		return
+	}
+
+	if account.Network.Serial() != 2 {
+		t.Errorf("expecting Network serial=%d to be incremented and be equal to 2 after adding and deleteing a peer", account.Network.Serial())
+	}
+
+}
+
+func createManager(t *testing.T) (*DefaultAccountManager, error) {
 	store, err := createStore(t)
 	if err != nil {
 		return nil, err
 	}
-	return NewManager(store, NewPeersUpdateManager()), nil
+	return NewManager(store, NewPeersUpdateManager(), nil), nil
 }

 func createStore(t *testing.T) (Store, error) {
--- a/management/server/config.go
+++ b/management/server/config.go
@@ -1,6 +1,7 @@
 package server

 import (
+	"github.com/wiretrustee/wiretrustee/management/server/idp"
 	"github.com/wiretrustee/wiretrustee/util"
 )

@@ -23,6 +24,8 @@ type Config struct {
 	Datadir string

 	HttpConfig *HttpServerConfig
+
+	IdpManagerConfig *idp.Config
 }

 // TURNConfig is a config of the TURNCredentialsManager
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -17,10 +17,11 @@ const storeFileName = "store.json"

 // FileStore represents an account storage backed by a file persisted to disk
 type FileStore struct {
-	Accounts             map[string]*Account
-	SetupKeyId2AccountId map[string]string `json:"-"`
-	PeerKeyId2AccountId  map[string]string `json:"-"`
-	UserId2AccountId     map[string]string `json:"-"`
+	Accounts                map[string]*Account
+	SetupKeyId2AccountId    map[string]string `json:"-"`
+	PeerKeyId2AccountId     map[string]string `json:"-"`
+	UserId2AccountId        map[string]string `json:"-"`
+	PrivateDomain2AccountId map[string]string `json:"-"`

 	// mutex to synchronise Store read/write operations
 	mux       sync.Mutex `json:"-"`
@@ -42,12 +43,13 @@ func restore(file string) (*FileStore, error) {
 	if _, err := os.Stat(file); os.IsNotExist(err) {
 		// create a new FileStore if previously didn't exist (e.g. first run)
 		s := &FileStore{
-			Accounts:             make(map[string]*Account),
-			mux:                  sync.Mutex{},
-			SetupKeyId2AccountId: make(map[string]string),
-			PeerKeyId2AccountId:  make(map[string]string),
-			UserId2AccountId:     make(map[string]string),
-			storeFile:            file,
+			Accounts:                make(map[string]*Account),
+			mux:                     sync.Mutex{},
+			SetupKeyId2AccountId:    make(map[string]string),
+			PeerKeyId2AccountId:     make(map[string]string),
+			UserId2AccountId:        make(map[string]string),
+			PrivateDomain2AccountId: make(map[string]string),
+			storeFile:               file,
 		}

 		err = s.persist(file)
@@ -68,6 +70,7 @@ func restore(file string) (*FileStore, error) {
 	store.SetupKeyId2AccountId = make(map[string]string)
 	store.PeerKeyId2AccountId = make(map[string]string)
 	store.UserId2AccountId = make(map[string]string)
+	store.PrivateDomain2AccountId = make(map[string]string)
 	for accountId, account := range store.Accounts {
 		for setupKeyId := range account.SetupKeys {
 			store.SetupKeyId2AccountId[strings.ToUpper(setupKeyId)] = accountId
@@ -78,6 +81,12 @@ func restore(file string) (*FileStore, error) {
 		for _, user := range account.Users {
 			store.UserId2AccountId[user.Id] = accountId
 		}
+		for _, user := range account.Users {
+			store.UserId2AccountId[user.Id] = accountId
+		}
+		if account.Domain != "" && account.DomainCategory == PrivateCategory && account.IsDomainPrimaryAccount {
+			store.PrivateDomain2AccountId[account.Domain] = accountId
+		}
 	}

 	return store, nil
@@ -178,6 +187,10 @@ func (s *FileStore) SaveAccount(account *Account) error {
 		s.UserId2AccountId[user.Id] = account.Id
 	}

+	if account.DomainCategory == PrivateCategory && account.IsDomainPrimaryAccount {
+		s.PrivateDomain2AccountId[account.Domain] = account.Id
+	}
+
 	err := s.persist(s.storeFile)
 	if err != nil {
 		return err
@@ -186,6 +199,21 @@ func (s *FileStore) SaveAccount(account *Account) error {
 	return nil
 }

+func (s *FileStore) GetAccountByPrivateDomain(domain string) (*Account, error) {
+
+	accountId, accountIdFound := s.PrivateDomain2AccountId[strings.ToLower(domain)]
+	if !accountIdFound {
+		return nil, status.Errorf(codes.NotFound, "provided domain is not registered or is not private")
+	}
+
+	account, err := s.GetAccount(accountId)
+	if err != nil {
+		return nil, err
+	}
+
+	return account, nil
+}
+
 func (s *FileStore) GetAccountBySetupKey(setupKey string) (*Account, error) {

 	accountId, accountIdFound := s.SetupKeyId2AccountId[strings.ToUpper(setupKey)]
--- a/management/server/file_store_test.go
+++ b/management/server/file_store_test.go
@@ -1,6 +1,7 @@
 package server

 import (
+	"github.com/stretchr/testify/require"
 	"github.com/wiretrustee/wiretrustee/util"
 	"net"
 	"path/filepath"
@@ -32,7 +33,7 @@ func TestNewStore(t *testing.T) {
 func TestSaveAccount(t *testing.T) {
 	store := newStore(t)

-	account, _ := newAccount("testuser")
+	account := NewAccount("testuser", "")
 	account.Users["testuser"] = NewAdminUser("testuser")
 	setupKey := GenerateDefaultSetupKey()
 	account.SetupKeys[setupKey.Key] = setupKey
@@ -72,7 +73,7 @@ func TestSaveAccount(t *testing.T) {
 func TestStore(t *testing.T) {
 	store := newStore(t)

-	account, _ := newAccount("testuser")
+	account := NewAccount("testuser", "")
 	account.Users["testuser"] = NewAdminUser("testuser")
 	account.Peers["testpeer"] = &Peer{
 		Key:      "peerkey",
@@ -131,34 +132,45 @@ func TestRestore(t *testing.T) {
 	}

 	account := store.Accounts["bf1c8084-ba50-4ce7-9439-34653001fc3b"]
-	if account == nil {
-		t.Errorf("failed to restore a FileStore file - missing account bf1c8084-ba50-4ce7-9439-34653001fc3b")
+
+	require.NotNil(t, account, "failed to restore a FileStore file - missing account bf1c8084-ba50-4ce7-9439-34653001fc3b")
+
+	require.NotNil(t, account.Users["edafee4e-63fb-11ec-90d6-0242ac120003"], "failed to restore a FileStore file - missing Account User edafee4e-63fb-11ec-90d6-0242ac120003")
+
+	require.NotNil(t, account.Users["f4f6d672-63fb-11ec-90d6-0242ac120003"], "failed to restore a FileStore file - missing Account User f4f6d672-63fb-11ec-90d6-0242ac120003")
+
+	require.NotNil(t, account.Network, "failed to restore a FileStore file - missing Account Network")
+
+	require.NotNil(t, account.SetupKeys["A2C8E62B-38F5-4553-B31E-DD66C696CEBB"], "failed to restore a FileStore file - missing Account SetupKey A2C8E62B-38F5-4553-B31E-DD66C696CEBB")
+
+	require.Len(t, store.UserId2AccountId, 2, "failed to restore a FileStore wrong UserId2AccountId mapping length")
+
+	require.Len(t, store.SetupKeyId2AccountId, 1, "failed to restore a FileStore wrong SetupKeyId2AccountId mapping length")
+
+	require.Len(t, store.PrivateDomain2AccountId, 1, "failed to restore a FileStore wrong PrivateDomain2AccountId mapping length")
+}
+
+func TestGetAccountByPrivateDomain(t *testing.T) {
+	storeDir := t.TempDir()
+
+	err := util.CopyFileContents("testdata/store.json", filepath.Join(storeDir, "store.json"))
+	if err != nil {
+		t.Fatal(err)
 	}

-	if account != nil && account.Users["edafee4e-63fb-11ec-90d6-0242ac120003"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Account User edafee4e-63fb-11ec-90d6-0242ac120003")
+	store, err := NewStore(storeDir)
+	if err != nil {
+		return
 	}

-	if account != nil && account.Users["f4f6d672-63fb-11ec-90d6-0242ac120003"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Account User f4f6d672-63fb-11ec-90d6-0242ac120003")
-	}
+	existingDomain := "test.com"

-	if account != nil && account.Network == nil {
-		t.Errorf("failed to restore a FileStore file - missing Account Network")
-	}
-
-	if account != nil && account.SetupKeys["A2C8E62B-38F5-4553-B31E-DD66C696CEBB"] == nil {
-		t.Errorf("failed to restore a FileStore file - missing Account SetupKey A2C8E62B-38F5-4553-B31E-DD66C696CEBB")
-	}
-
-	if len(store.UserId2AccountId) != 2 {
-		t.Errorf("failed to restore a FileStore wrong UserId2AccountId mapping")
-	}
-
-	if len(store.SetupKeyId2AccountId) != 1 {
-		t.Errorf("failed to restore a FileStore wrong SetupKeyId2AccountId mapping")
-	}
+	account, err := store.GetAccountByPrivateDomain(existingDomain)
+	require.NoError(t, err, "should found account")
+	require.Equal(t, existingDomain, account.Domain, "domains should match")

+	_, err = store.GetAccountByPrivateDomain("missing-domain.com")
+	require.Error(t, err, "should return error on domain lookup")
 }

 func newStore(t *testing.T) *FileStore {
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -16,7 +16,7 @@ import (

 // Server an instance of a Management server
 type Server struct {
-	accountManager *AccountManager
+	accountManager AccountManager
 	wgKey          wgtypes.Key
 	proto.UnimplementedManagementServiceServer
 	peersUpdateManager     *PeersUpdateManager
@@ -28,7 +28,7 @@ type Server struct {
 const AllowedIPsFormat = "%s/32"

 // NewServer creates a new Management server
-func NewServer(config *Config, accountManager *AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager) (*Server, error) {
+func NewServer(config *Config, accountManager AccountManager, peersUpdateManager *PeersUpdateManager, turnCredentialsManager TURNCredentialsManager) (*Server, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return nil, err
@@ -141,7 +141,7 @@ func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Pe
 	if meta == nil {
 		return nil, status.Errorf(codes.InvalidArgument, "peer meta data was not provided")
 	}
-	peer, err := s.accountManager.AddPeer(req.GetSetupKey(), Peer{
+	peer, err := s.accountManager.AddPeer(req.GetSetupKey(), &Peer{
 		Key:  peerKey.String(),
 		Name: meta.GetHostname(),
 		Meta: PeerSystemMeta{
@@ -158,21 +158,22 @@ func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Pe
 		return nil, status.Errorf(codes.NotFound, "provided setup key doesn't exists")
 	}

-	peers, err := s.accountManager.GetPeersForAPeer(peer.Key)
+	//todo move to DefaultAccountManager the code below
+	networkMap, err := s.accountManager.GetNetworkMap(peer.Key)
 	if err != nil {
 		return nil, status.Error(codes.Internal, "internal server error")
 	}

 	// notify other peers of our registration
-	for _, remotePeer := range peers {
+	for _, remotePeer := range networkMap.Peers {
 		// exclude notified peer and add ourselves
 		peersToSend := []*Peer{peer}
-		for _, p := range peers {
+		for _, p := range networkMap.Peers {
 			if remotePeer.Key != p.Key {
 				peersToSend = append(peersToSend, p)
 			}
 		}
-		update := toSyncResponse(s.config, peer, peersToSend, nil)
+		update := toSyncResponse(s.config, peer, peersToSend, nil, networkMap.Network.Serial())
 		err = s.peersUpdateManager.SendUpdate(remotePeer.Key, &UpdateMessage{Update: update})
 		if err != nil {
 			// todo rethink if we should keep this return
@@ -317,7 +318,7 @@ func toRemotePeerConfig(peers []*Peer) []*proto.RemotePeerConfig {

 }

-func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *TURNCredentials) *proto.SyncResponse {
+func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *TURNCredentials, serial uint64) *proto.SyncResponse {

 	wtConfig := toWiretrusteeConfig(config, turnCredentials)

@@ -330,6 +331,12 @@ func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *
 		PeerConfig:         pConfig,
 		RemotePeers:        remotePeers,
 		RemotePeersIsEmpty: len(remotePeers) == 0,
+		NetworkMap: &proto.NetworkMap{
+			Serial:             serial,
+			PeerConfig:         pConfig,
+			RemotePeers:        remotePeers,
+			RemotePeersIsEmpty: len(remotePeers) == 0,
+		},
 	}
 }

@@ -341,7 +348,7 @@ func (s *Server) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty,
 // sendInitialSync sends initial proto.SyncResponse to the peer requesting synchronization
 func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.ManagementService_SyncServer) error {

-	peers, err := s.accountManager.GetPeersForAPeer(peer.Key)
+	networkMap, err := s.accountManager.GetNetworkMap(peer.Key)
 	if err != nil {
 		log.Warnf("error getting a list of peers for a peer %s", peer.Key)
 		return err
@@ -355,7 +362,7 @@ func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.Mana
 	} else {
 		turnCredentials = nil
 	}
-	plainResp := toSyncResponse(s.config, peer, peers, turnCredentials)
+	plainResp := toSyncResponse(s.config, peer, networkMap.Peers, turnCredentials, networkMap.Network.Serial())

 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)
 	if err != nil {
--- a/management/server/http/handler/peers.go
+++ b/management/server/http/handler/peers.go
@@ -3,16 +3,20 @@ package handler
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/wiretrustee/wiretrustee/management/server/jwtclaims"
+	"net/http"
+	"time"
+
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
 	"github.com/wiretrustee/wiretrustee/management/server"
-	"net/http"
-	"time"
 )

 //Peers is a handler that returns peers of the account
 type Peers struct {
-	accountManager *server.AccountManager
+	accountManager server.AccountManager
+	authAudience   string
+	jwtExtractor   jwtclaims.ClaimsExtractor
 }

 //PeerResponse is a response sent to the client
@@ -22,6 +26,7 @@ type PeerResponse struct {
 	Connected bool
 	LastSeen  time.Time
 	OS        string
+	Version   string
 }

 //PeerRequest is a request sent by the client
@@ -29,9 +34,11 @@ type PeerRequest struct {
 	Name string
 }

-func NewPeers(accountManager *server.AccountManager) *Peers {
+func NewPeers(accountManager server.AccountManager, authAudience string) *Peers {
 	return &Peers{
 		accountManager: accountManager,
+		authAudience:   authAudience,
+		jwtExtractor:   *jwtclaims.NewClaimsExtractor(nil),
 	}
 }

@@ -51,6 +58,7 @@ func (h *Peers) updatePeer(accountId string, peer *server.Peer, w http.ResponseW
 	}
 	writeJSONObject(w, toPeerResponse(peer))
 }
+
 func (h *Peers) deletePeer(accountId string, peer *server.Peer, w http.ResponseWriter, r *http.Request) {
 	_, err := h.accountManager.DeletePeer(accountId, peer.Key)
 	if err != nil {
@@ -61,11 +69,21 @@ func (h *Peers) deletePeer(accountId string, peer *server.Peer, w http.ResponseW
 	writeJSONObject(w, "")
 }

-func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
-	userId := extractUserIdFromRequestContext(r)
-	account, err := h.accountManager.GetOrCreateAccountByUser(userId)
+func (h *Peers) getPeerAccount(r *http.Request) (*server.Account, error) {
+	jwtClaims := h.jwtExtractor.ExtractClaimsFromRequestContext(r, h.authAudience)
+
+	account, err := h.accountManager.GetAccountWithAuthorizationClaims(jwtClaims)
 	if err != nil {
-		log.Errorf("failed getting account of a user %s: %v", userId, err)
+		return nil, fmt.Errorf("failed getting account of a user %s: %v", jwtClaims.UserId, err)
+	}
+
+	return account, nil
+}
+
+func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
+	account, err := h.getPeerAccount(r)
+	if err != nil {
+		log.Error(err)
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
 		return
 	}
@@ -102,11 +120,9 @@ func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
 func (h *Peers) GetPeers(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case http.MethodGet:
-		userId := extractUserIdFromRequestContext(r)
-		//new user -> create a new account
-		account, err := h.accountManager.GetOrCreateAccountByUser(userId)
+		account, err := h.getPeerAccount(r)
 		if err != nil {
-			log.Errorf("failed getting account of a user %s: %v", userId, err)
+			log.Error(err)
 			http.Redirect(w, r, "/", http.StatusInternalServerError)
 			return
 		}
@@ -129,5 +145,6 @@ func toPeerResponse(peer *server.Peer) *PeerResponse {
 		Connected: peer.Status.Connected,
 		LastSeen:  peer.Status.LastSeen,
 		OS:        fmt.Sprintf("%s %s", peer.Meta.OS, peer.Meta.Core),
+		Version:   peer.Meta.WtVersion,
 	}
 }
--- a/management/server/http/handler/peers_test.go
+++ b/management/server/http/handler/peers_test.go
@@ -0,0 +1,108 @@
+package handler
+
+import (
+	"encoding/json"
+	"github.com/wiretrustee/wiretrustee/management/server/jwtclaims"
+	"io"
+	"net"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/magiconair/properties/assert"
+	"github.com/wiretrustee/wiretrustee/management/server"
+	"github.com/wiretrustee/wiretrustee/management/server/mock_server"
+)
+
+func initTestMetaData(peer ...*server.Peer) *Peers {
+	return &Peers{
+		accountManager: &mock_server.MockAccountManager{
+			GetAccountWithAuthorizationClaimsFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, error) {
+				return &server.Account{
+					Id:     claims.AccountId,
+					Domain: "hotmail.com",
+					Peers: map[string]*server.Peer{
+						"test_peer": peer[0],
+					},
+				}, nil
+			},
+		},
+		authAudience: "",
+		jwtExtractor: jwtclaims.ClaimsExtractor{
+			ExtractClaimsFromRequestContext: func(r *http.Request, authAudiance string) jwtclaims.AuthorizationClaims {
+				return jwtclaims.AuthorizationClaims{
+					UserId:    "test_user",
+					Domain:    "hotmail.com",
+					AccountId: "test_id",
+				}
+			},
+		},
+	}
+}
+
+// Tests the GetPeers endpoint reachable in the route /api/peers
+// Use the metadata generated by initTestMetaData() to check for values
+func TestGetPeers(t *testing.T) {
+	var tt = []struct {
+		name           string
+		expectedStatus int
+		requestType    string
+		requestPath    string
+		requestBody    io.Reader
+	}{
+		{name: "GetPeersMetaData", requestType: http.MethodGet, requestPath: "/api/peers/", expectedStatus: http.StatusOK},
+	}
+
+	rr := httptest.NewRecorder()
+	peer := &server.Peer{
+		Key:      "key",
+		SetupKey: "setupkey",
+		IP:       net.ParseIP("100.64.0.1"),
+		Status:   &server.PeerStatus{},
+		Name:     "PeerName",
+		Meta: server.PeerSystemMeta{
+			Hostname:  "hostname",
+			GoOS:      "GoOS",
+			Kernel:    "kernel",
+			Core:      "core",
+			Platform:  "platform",
+			OS:        "OS",
+			WtVersion: "development",
+		},
+	}
+
+	p := initTestMetaData(peer)
+
+	for _, tc := range tt {
+		t.Run(tc.name, func(t *testing.T) {
+			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
+
+			p.GetPeers(rr, req)
+
+			res := rr.Result()
+			defer res.Body.Close()
+
+			if status := rr.Code; status != tc.expectedStatus {
+				t.Fatalf("handler returned wrong status code: got %v want %v",
+					status, http.StatusOK)
+			}
+
+			content, err := io.ReadAll(res.Body)
+			if err != nil {
+				t.Fatalf("I don't know what I expected; %v", err)
+			}
+
+			respBody := []*PeerResponse{}
+			err = json.Unmarshal(content, &respBody)
+			if err != nil {
+				t.Fatalf("Sent content is not in correct json format; %v", err)
+			}
+
+			got := respBody[0]
+			assert.Equal(t, got.Name, peer.Name)
+			assert.Equal(t, got.Version, peer.Meta.WtVersion)
+			assert.Equal(t, got.IP, peer.IP.String())
+			assert.Equal(t, got.OS, "OS core")
+		})
+	}
+}
--- a/management/server/http/handler/setupkeys.go
+++ b/management/server/http/handler/setupkeys.go
@@ -2,19 +2,23 @@ package handler

 import (
 	"encoding/json"
+	"fmt"
+	"github.com/wiretrustee/wiretrustee/management/server/jwtclaims"
+	"net/http"
+	"time"
+
 	"github.com/gorilla/mux"
 	log "github.com/sirupsen/logrus"
 	"github.com/wiretrustee/wiretrustee/management/server"
 	"github.com/wiretrustee/wiretrustee/util"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"net/http"
-	"time"
 )

 // SetupKeys is a handler that returns a list of setup keys of the account
 type SetupKeys struct {
-	accountManager *server.AccountManager
+	accountManager server.AccountManager
+	authAudience   string
 }

 // SetupKeyResponse is a response sent to the client
@@ -39,9 +43,10 @@ type SetupKeyRequest struct {
 	Revoked   bool
 }

-func NewSetupKeysHandler(accountManager *server.AccountManager) *SetupKeys {
+func NewSetupKeysHandler(accountManager server.AccountManager, authAudience string) *SetupKeys {
 	return &SetupKeys{
 		accountManager: accountManager,
+		authAudience:   authAudience,
 	}
 }

@@ -76,7 +81,7 @@ func (h *SetupKeys) updateKey(accountId string, keyId string, w http.ResponseWri
 }

 func (h *SetupKeys) getKey(accountId string, keyId string, w http.ResponseWriter, r *http.Request) {
-	account, err := h.accountManager.GetAccount(accountId)
+	account, err := h.accountManager.GetAccountById(accountId)
 	if err != nil {
 		http.Error(w, "account doesn't exist", http.StatusInternalServerError)
 		return
@@ -117,11 +122,22 @@ func (h *SetupKeys) createKey(accountId string, w http.ResponseWriter, r *http.R
 	writeSuccess(w, setupKey)
 }

-func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) {
-	userId := extractUserIdFromRequestContext(r)
-	account, err := h.accountManager.GetOrCreateAccountByUser(userId)
+func (h *SetupKeys) getSetupKeyAccount(r *http.Request) (*server.Account, error) {
+	extractor := jwtclaims.NewClaimsExtractor(nil)
+	jwtClaims := extractor.ExtractClaimsFromRequestContext(r, h.authAudience)
+
+	account, err := h.accountManager.GetAccountWithAuthorizationClaims(jwtClaims)
 	if err != nil {
-		log.Errorf("failed getting account of a user %s: %v", userId, err)
+		return nil, fmt.Errorf("failed getting account of a user %s: %v", jwtClaims.UserId, err)
+	}
+
+	return account, nil
+}
+
+func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) {
+	account, err := h.getSetupKeyAccount(r)
+	if err != nil {
+		log.Error(err)
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
 		return
 	}
@@ -147,11 +163,9 @@ func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) {

 func (h *SetupKeys) GetKeys(w http.ResponseWriter, r *http.Request) {

-	userId := extractUserIdFromRequestContext(r)
-	//new user -> create a new account
-	account, err := h.accountManager.GetOrCreateAccountByUser(userId)
+	account, err := h.getSetupKeyAccount(r)
 	if err != nil {
-		log.Errorf("failed getting account of a user %s: %v", userId, err)
+		log.Error(err)
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
 		return
 	}
--- a/management/server/http/handler/util.go
+++ b/management/server/http/handler/util.go
@@ -3,23 +3,13 @@ package handler
 import (
 	"encoding/json"
 	"errors"
-	"github.com/golang-jwt/jwt"
 	"net/http"
 	"time"
 )

-// extractUserIdFromRequestContext extracts accountId from the request context previously filled by the JWT token (after auth)
-func extractUserIdFromRequestContext(r *http.Request) string {
-	token := r.Context().Value("user").(*jwt.Token)
-	claims := token.Claims.(jwt.MapClaims)
-
-	//actually a user id but for now we have a 1 to 1 mapping.
-	return claims["sub"].(string)
-}
-
 //writeJSONObject simply writes object to the HTTP reponse in JSON format
 func writeJSONObject(w http.ResponseWriter, obj interface{}) {
-	w.WriteHeader(200)
+	w.WriteHeader(http.StatusOK)
 	w.Header().Set("Content-Type", "application/json; charset=UTF-8")
 	err := json.NewEncoder(w).Encode(obj)
 	if err != nil {
--- a/management/server/http/server.go
+++ b/management/server/http/server.go
@@ -3,6 +3,9 @@ package http
 import (
 	"context"
 	"crypto/tls"
+	"net/http"
+	"time"
+
 	"github.com/gorilla/mux"
 	"github.com/rs/cors"
 	log "github.com/sirupsen/logrus"
@@ -10,8 +13,6 @@ import (
 	"github.com/wiretrustee/wiretrustee/management/server/http/handler"
 	"github.com/wiretrustee/wiretrustee/management/server/http/middleware"
 	"golang.org/x/crypto/acme/autocert"
-	"net/http"
-	"time"
 )

 type Server struct {
@@ -19,12 +20,12 @@ type Server struct {
 	config         *s.HttpServerConfig
 	certManager    *autocert.Manager
 	tlsConfig      *tls.Config
-	accountManager *s.AccountManager
+	accountManager s.AccountManager
 }

 // NewHttpsServer creates a new HTTPs server (with HTTPS support) and a certManager that is responsible for generating and renewing Let's Encrypt certificate
 // The listening address will be :443 no matter what was specified in s.HttpServerConfig.Address
-func NewHttpsServer(config *s.HttpServerConfig, certManager *autocert.Manager, accountManager *s.AccountManager) *Server {
+func NewHttpsServer(config *s.HttpServerConfig, certManager *autocert.Manager, accountManager s.AccountManager) *Server {
 	server := &http.Server{
 		Addr:         config.Address,
 		WriteTimeout: time.Second * 15,
@@ -36,7 +37,7 @@ func NewHttpsServer(config *s.HttpServerConfig, certManager *autocert.Manager, a

 // NewHttpsServerWithTLSConfig creates a new HTTPs server with a provided tls.Config.
 // Usually used when you already have a certificate
-func NewHttpsServerWithTLSConfig(config *s.HttpServerConfig, tlsConfig *tls.Config, accountManager *s.AccountManager) *Server {
+func NewHttpsServerWithTLSConfig(config *s.HttpServerConfig, tlsConfig *tls.Config, accountManager s.AccountManager) *Server {
 	server := &http.Server{
 		Addr:         config.Address,
 		WriteTimeout: time.Second * 15,
@@ -47,7 +48,7 @@ func NewHttpsServerWithTLSConfig(config *s.HttpServerConfig, tlsConfig *tls.Conf
 }

 // NewHttpServer creates a new HTTP server (without HTTPS)
-func NewHttpServer(config *s.HttpServerConfig, accountManager *s.AccountManager) *Server {
+func NewHttpServer(config *s.HttpServerConfig, accountManager s.AccountManager) *Server {
 	return NewHttpsServer(config, nil, accountManager)
 }

@@ -73,8 +74,8 @@ func (s *Server) Start() error {
 	r := mux.NewRouter()
 	r.Use(jwtMiddleware.Handler, corsMiddleware.Handler)

-	peersHandler := handler.NewPeers(s.accountManager)
-	keysHandler := handler.NewSetupKeysHandler(s.accountManager)
+	peersHandler := handler.NewPeers(s.accountManager, s.config.AuthAudience)
+	keysHandler := handler.NewSetupKeysHandler(s.accountManager, s.config.AuthAudience)
 	r.HandleFunc("/api/peers", peersHandler.GetPeers).Methods("GET", "OPTIONS")
 	r.HandleFunc("/api/peers/{id}", peersHandler.HandlePeer).Methods("GET", "PUT", "DELETE", "OPTIONS")

--- a/management/server/idp/auth0.go
+++ b/management/server/idp/auth0.go
@@ -0,0 +1,207 @@
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/golang-jwt/jwt"
+	log "github.com/sirupsen/logrus"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+)
+
+// Auth0Manager auth0 manager client instance
+type Auth0Manager struct {
+	authIssuer  string
+	httpClient  ManagerHTTPClient
+	credentials ManagerCredentials
+	helper      ManagerHelper
+}
+
+// Auth0ClientConfig auth0 manager client configurations
+type Auth0ClientConfig struct {
+	Audience     string `json:"audiance"`
+	AuthIssuer   string `json:"auth_issuer"`
+	ClientId     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
+	GrantType    string `json:"grant_type"`
+}
+
+// Auth0Credentials auth0 authentication information
+type Auth0Credentials struct {
+	clientConfig Auth0ClientConfig
+	helper       ManagerHelper
+	httpClient   ManagerHTTPClient
+	jwtToken     JWTToken
+	mux          sync.Mutex
+}
+
+// NewAuth0Manager creates a new instance of the Auth0Manager
+func NewAuth0Manager(config Auth0ClientConfig) *Auth0Manager {
+
+	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
+	httpTransport.MaxIdleConns = 5
+	httpTransport.IdleConnTimeout = 30
+
+	httpClient := &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: httpTransport,
+	}
+
+	helper := JsonParser{}
+
+	credentials := &Auth0Credentials{
+		clientConfig: config,
+		httpClient:   httpClient,
+		helper:       helper,
+	}
+	return &Auth0Manager{
+		authIssuer:  config.AuthIssuer,
+		credentials: credentials,
+		httpClient:  httpClient,
+		helper:      helper,
+	}
+}
+
+// jwtStillValid returns true if the token still valid and have enough time to be used and get a response from Auth0
+func (c *Auth0Credentials) jwtStillValid() bool {
+	return !c.jwtToken.expiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(c.jwtToken.expiresInTime)
+}
+
+// requestJWTToken performs request to get jwt token
+func (c *Auth0Credentials) requestJWTToken() (*http.Response, error) {
+	var res *http.Response
+	url := c.clientConfig.AuthIssuer + "/oauth/token"
+
+	p, err := c.helper.Marshal(c.clientConfig)
+	if err != nil {
+		return res, err
+	}
+	payload := strings.NewReader(string(p))
+
+	req, err := http.NewRequest("POST", url, payload)
+	if err != nil {
+		return res, err
+	}
+
+	req.Header.Add("content-type", "application/json")
+
+	res, err = c.httpClient.Do(req)
+	if err != nil {
+		return res, err
+	}
+
+	if res.StatusCode != 200 {
+		return res, fmt.Errorf("unable to get token, statusCode %d", res.StatusCode)
+	}
+	return res, nil
+}
+
+// parseRequestJWTResponse parses jwt raw response body and extracts token and expires in seconds
+func (c *Auth0Credentials) parseRequestJWTResponse(rawBody io.ReadCloser) (JWTToken, error) {
+	jwtToken := JWTToken{}
+	body, err := ioutil.ReadAll(rawBody)
+	if err != nil {
+		return jwtToken, err
+	}
+
+	err = c.helper.Unmarshal(body, &jwtToken)
+	if err != nil {
+		return jwtToken, err
+	}
+	if jwtToken.ExpiresIn == 0 && jwtToken.AccessToken == "" {
+		return jwtToken, fmt.Errorf("error while reading response body, expires_in: %d and access_token: %s", jwtToken.ExpiresIn, jwtToken.AccessToken)
+	}
+	data, err := jwt.DecodeSegment(strings.Split(jwtToken.AccessToken, ".")[1])
+	if err != nil {
+		return jwtToken, err
+	}
+	// Exp maps into exp from jwt token
+	var IssuedAt struct{ Exp int64 }
+	err = json.Unmarshal(data, &IssuedAt)
+	if err != nil {
+		return jwtToken, err
+	}
+	jwtToken.expiresInTime = time.Unix(IssuedAt.Exp, 0)
+
+	return jwtToken, nil
+}
+
+// Authenticate retrieves access token to use the Auth0 Management API
+func (c *Auth0Credentials) Authenticate() (JWTToken, error) {
+	c.mux.Lock()
+	defer c.mux.Unlock()
+
+	// If jwtToken has an expires time and we have enough time to do a request return immediately
+	if c.jwtStillValid() {
+		return c.jwtToken, nil
+	}
+
+	res, err := c.requestJWTToken()
+	if err != nil {
+		return c.jwtToken, err
+	}
+	defer func() {
+		err = res.Body.Close()
+		if err != nil {
+			log.Errorf("error while closing get jwt token response body: %v", err)
+		}
+	}()
+
+	jwtToken, err := c.parseRequestJWTResponse(res.Body)
+	if err != nil {
+		return c.jwtToken, err
+	}
+
+	c.jwtToken = jwtToken
+
+	return c.jwtToken, nil
+}
+
+// UpdateUserAppMetadata updates user app metadata based on userId and metadata map
+func (am *Auth0Manager) UpdateUserAppMetadata(userId string, appMetadata AppMetadata) error {
+
+	jwtToken, err := am.credentials.Authenticate()
+	if err != nil {
+		return err
+	}
+
+	url := am.authIssuer + "/api/v2/users/" + userId
+
+	data, err := am.helper.Marshal(appMetadata)
+	if err != nil {
+		return err
+	}
+
+	payloadString := fmt.Sprintf("{\"app_metadata\": %s}", string(data))
+
+	payload := strings.NewReader(payloadString)
+
+	req, err := http.NewRequest("PATCH", url, payload)
+	if err != nil {
+		return err
+	}
+	req.Header.Add("authorization", "Bearer "+jwtToken.AccessToken)
+	req.Header.Add("content-type", "application/json")
+
+	res, err := am.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		err = res.Body.Close()
+		if err != nil {
+			log.Errorf("error while closing update user app metadata response body: %v", err)
+		}
+	}()
+
+	if res.StatusCode != 200 {
+		return fmt.Errorf("unable to update the appMetadata, statusCode %d", res.StatusCode)
+	}
+
+	return nil
+}
--- a/management/server/idp/auth0_test.go
+++ b/management/server/idp/auth0_test.go
@@ -0,0 +1,404 @@
+package idp
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/assert"
+)
+
+type mockHTTPClient struct {
+	code    int
+	resBody string
+	reqBody string
+	err     error
+}
+
+func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
+	body, err := ioutil.ReadAll(req.Body)
+	if err == nil {
+		c.reqBody = string(body)
+	}
+	return &http.Response{
+		StatusCode: c.code,
+		Body:       ioutil.NopCloser(strings.NewReader(c.resBody)),
+	}, c.err
+}
+
+type mockJsonParser struct {
+	jsonParser           JsonParser
+	marshalErrorString   string
+	unmarshalErrorString string
+}
+
+func (m *mockJsonParser) Marshal(v interface{}) ([]byte, error) {
+	if m.marshalErrorString != "" {
+		return nil, fmt.Errorf(m.marshalErrorString)
+	}
+	return m.jsonParser.Marshal(v)
+}
+
+func (m *mockJsonParser) Unmarshal(data []byte, v interface{}) error {
+	if m.unmarshalErrorString != "" {
+		return fmt.Errorf(m.unmarshalErrorString)
+	}
+	return m.jsonParser.Unmarshal(data, v)
+}
+
+type mockAuth0Credentials struct {
+	jwtToken JWTToken
+	err      error
+}
+
+func (mc *mockAuth0Credentials) Authenticate() (JWTToken, error) {
+	return mc.jwtToken, mc.err
+}
+
+func newTestJWT(t *testing.T, expInt int) string {
+	now := time.Now()
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"iat": now.Unix(),
+		"exp": now.Add(time.Duration(expInt) * time.Second).Unix(),
+	})
+	var hmacSampleSecret []byte
+	tokenString, err := token.SignedString(hmacSampleSecret)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return tokenString
+}
+
+func TestAuth0_RequestJWTToken(t *testing.T) {
+
+	type requestJWTTokenTest struct {
+		name                    string
+		inputCode               int
+		inputResBody            string
+		helper                  ManagerHelper
+		expectedFuncExitErrDiff error
+		expectedCode            int
+		expectedToken           string
+	}
+	exp := 5
+	token := newTestJWT(t, exp)
+
+	requestJWTTokenTesttCase1 := requestJWTTokenTest{
+		name:          "Get Good JWT Response",
+		inputCode:     200,
+		inputResBody:  fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		helper:        JsonParser{},
+		expectedCode:  200,
+		expectedToken: token,
+	}
+	requestJWTTokenTestCase2 := requestJWTTokenTest{
+		name:                    "Request Bad Status Code",
+		inputCode:               400,
+		inputResBody:            "{}",
+		helper:                  JsonParser{},
+		expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
+		expectedCode:            200,
+		expectedToken:           "",
+	}
+
+	for _, testCase := range []requestJWTTokenTest{requestJWTTokenTesttCase1, requestJWTTokenTestCase2} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			jwtReqClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputCode,
+			}
+			config := Auth0ClientConfig{}
+
+			creds := Auth0Credentials{
+				clientConfig: config,
+				httpClient:   &jwtReqClient,
+				helper:       testCase.helper,
+			}
+
+			res, err := creds.requestJWTToken()
+			if err != nil {
+				if testCase.expectedFuncExitErrDiff != nil {
+					assert.EqualError(t, err, testCase.expectedFuncExitErrDiff.Error(), "errors should be the same")
+				} else {
+					t.Fatal(err)
+				}
+			}
+			body, err := ioutil.ReadAll(res.Body)
+			assert.NoError(t, err, "unable to read the response body")
+
+			jwtToken := JWTToken{}
+			err = json.Unmarshal(body, &jwtToken)
+			assert.NoError(t, err, "unable to parse the json input")
+
+			assert.Equalf(t, testCase.expectedToken, jwtToken.AccessToken, "two tokens should be the same")
+		})
+	}
+}
+
+func TestAuth0_ParseRequestJWTResponse(t *testing.T) {
+	type parseRequestJWTResponseTest struct {
+		name                 string
+		inputResBody         string
+		helper               ManagerHelper
+		expectedToken        string
+		expectedExpiresIn    int
+		assertErrFunc        func(t assert.TestingT, err error, msgAndArgs ...interface{}) bool
+		assertErrFuncMessage string
+	}
+
+	exp := 100
+	token := newTestJWT(t, exp)
+
+	parseRequestJWTResponseTestCase1 := parseRequestJWTResponseTest{
+		name:                 "Parse Good JWT Body",
+		inputResBody:         fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		helper:               JsonParser{},
+		expectedToken:        token,
+		expectedExpiresIn:    exp,
+		assertErrFunc:        assert.NoError,
+		assertErrFuncMessage: "no error was expected",
+	}
+	parseRequestJWTResponseTestCase2 := parseRequestJWTResponseTest{
+		name:                 "Parse Bad json JWT Body",
+		inputResBody:         "",
+		helper:               JsonParser{},
+		expectedToken:        "",
+		expectedExpiresIn:    0,
+		assertErrFunc:        assert.Error,
+		assertErrFuncMessage: "json error was expected",
+	}
+
+	for _, testCase := range []parseRequestJWTResponseTest{parseRequestJWTResponseTestCase1, parseRequestJWTResponseTestCase2} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			rawBody := ioutil.NopCloser(strings.NewReader(testCase.inputResBody))
+
+			config := Auth0ClientConfig{}
+
+			creds := Auth0Credentials{
+				clientConfig: config,
+				helper:       testCase.helper,
+			}
+
+			jwtToken, err := creds.parseRequestJWTResponse(rawBody)
+			testCase.assertErrFunc(t, err, testCase.assertErrFuncMessage)
+
+			assert.Equalf(t, testCase.expectedToken, jwtToken.AccessToken, "two tokens should be the same")
+			assert.Equalf(t, testCase.expectedExpiresIn, jwtToken.ExpiresIn, "the two expire times should be the same")
+		})
+	}
+}
+
+func TestAuth0_JwtStillValid(t *testing.T) {
+
+	type jwtStillValidTest struct {
+		name           string
+		inputTime      time.Time
+		expectedResult bool
+		message        string
+	}
+	jwtStillValidTestCase1 := jwtStillValidTest{
+		name:           "JWT still valid",
+		inputTime:      time.Now().Add(10 * time.Second),
+		expectedResult: true,
+		message:        "should be true",
+	}
+	jwtStillValidTestCase2 := jwtStillValidTest{
+		name:           "JWT is invalid",
+		inputTime:      time.Now(),
+		expectedResult: false,
+		message:        "should be false",
+	}
+
+	for _, testCase := range []jwtStillValidTest{jwtStillValidTestCase1, jwtStillValidTestCase2} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			config := Auth0ClientConfig{}
+
+			creds := Auth0Credentials{
+				clientConfig: config,
+			}
+			creds.jwtToken.expiresInTime = testCase.inputTime
+
+			assert.Equalf(t, testCase.expectedResult, creds.jwtStillValid(), testCase.message)
+		})
+	}
+}
+
+func TestAuth0_Authenticate(t *testing.T) {
+	type authenticateTest struct {
+		name                    string
+		inputCode               int
+		inputResBody            string
+		inputExpireToken        time.Time
+		helper                  ManagerHelper
+		expectedFuncExitErrDiff error
+		expectedCode            int
+		expectedToken           string
+	}
+	exp := 5
+	token := newTestJWT(t, exp)
+
+	authenticateTestCase1 := authenticateTest{
+		name:             "Get Cached token",
+		inputExpireToken: time.Now().Add(30 * time.Second),
+		helper:           JsonParser{},
+		//expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
+		expectedCode:  200,
+		expectedToken: "",
+	}
+
+	authenticateTestCase2 := authenticateTest{
+		name:          "Get Good JWT Response",
+		inputCode:     200,
+		inputResBody:  fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		helper:        JsonParser{},
+		expectedCode:  200,
+		expectedToken: token,
+	}
+	authenticateTestCase3 := authenticateTest{
+		name:                    "Get Bad Status Code",
+		inputCode:               400,
+		inputResBody:            "{}",
+		helper:                  JsonParser{},
+		expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
+		expectedCode:            200,
+		expectedToken:           "",
+	}
+
+	for _, testCase := range []authenticateTest{authenticateTestCase1, authenticateTestCase2, authenticateTestCase3} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			jwtReqClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputCode,
+			}
+			config := Auth0ClientConfig{}
+
+			creds := Auth0Credentials{
+				clientConfig: config,
+				httpClient:   &jwtReqClient,
+				helper:       testCase.helper,
+			}
+
+			creds.jwtToken.expiresInTime = testCase.inputExpireToken
+
+			_, err := creds.Authenticate()
+			if err != nil {
+				if testCase.expectedFuncExitErrDiff != nil {
+					assert.EqualError(t, err, testCase.expectedFuncExitErrDiff.Error(), "errors should be the same")
+				} else {
+					t.Fatal(err)
+				}
+			}
+
+			assert.Equalf(t, testCase.expectedToken, creds.jwtToken.AccessToken, "two tokens should be the same")
+		})
+	}
+}
+
+func TestAuth0_UpdateUserAppMetadata(t *testing.T) {
+
+	type updateUserAppMetadataTest struct {
+		name                 string
+		inputReqBody         string
+		expectedReqBody      string
+		appMetadata          AppMetadata
+		statusCode           int
+		helper               ManagerHelper
+		managerCreds         ManagerCredentials
+		assertErrFunc        func(t assert.TestingT, err error, msgAndArgs ...interface{}) bool
+		assertErrFuncMessage string
+	}
+
+	exp := 15
+	token := newTestJWT(t, exp)
+	appMetadata := AppMetadata{WTAccountId: "ok"}
+
+	updateUserAppMetadataTestCase1 := updateUserAppMetadataTest{
+		name:            "Bad Authentication",
+		inputReqBody:    fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		expectedReqBody: "",
+		appMetadata:     appMetadata,
+		statusCode:      400,
+		helper:          JsonParser{},
+		managerCreds: &mockAuth0Credentials{
+			jwtToken: JWTToken{},
+			err:      fmt.Errorf("error"),
+		},
+		assertErrFunc:        assert.Error,
+		assertErrFuncMessage: "should return error",
+	}
+
+	updateUserAppMetadataTestCase2 := updateUserAppMetadataTest{
+		name:            "Bad Status Code",
+		inputReqBody:    fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		expectedReqBody: fmt.Sprintf("{\"app_metadata\": {\"wt_account_id\":\"%s\"}}", appMetadata.WTAccountId),
+		appMetadata:     appMetadata,
+		statusCode:      400,
+		helper:          JsonParser{},
+		managerCreds: &mockAuth0Credentials{
+			jwtToken: JWTToken{},
+		},
+		assertErrFunc:        assert.Error,
+		assertErrFuncMessage: "should return error",
+	}
+
+	updateUserAppMetadataTestCase3 := updateUserAppMetadataTest{
+		name:                 "Bad Response Parsing",
+		inputReqBody:         fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		statusCode:           400,
+		helper:               &mockJsonParser{marshalErrorString: "error"},
+		assertErrFunc:        assert.Error,
+		assertErrFuncMessage: "should return error",
+	}
+
+	updateUserAppMetadataTestCase4 := updateUserAppMetadataTest{
+		name:                 "Good request",
+		inputReqBody:         fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
+		expectedReqBody:      fmt.Sprintf("{\"app_metadata\": {\"wt_account_id\":\"%s\"}}", appMetadata.WTAccountId),
+		appMetadata:          appMetadata,
+		statusCode:           200,
+		helper:               JsonParser{},
+		assertErrFunc:        assert.NoError,
+		assertErrFuncMessage: "shouldn't return error",
+	}
+
+	for _, testCase := range []updateUserAppMetadataTest{updateUserAppMetadataTestCase1, updateUserAppMetadataTestCase2, updateUserAppMetadataTestCase3, updateUserAppMetadataTestCase4} {
+		t.Run(testCase.name, func(t *testing.T) {
+			jwtReqClient := mockHTTPClient{
+				resBody: testCase.inputReqBody,
+				code:    testCase.statusCode,
+			}
+			config := Auth0ClientConfig{}
+
+			var creds ManagerCredentials
+			if testCase.managerCreds != nil {
+				creds = testCase.managerCreds
+			} else {
+				creds = &Auth0Credentials{
+					clientConfig: config,
+					httpClient:   &jwtReqClient,
+					helper:       testCase.helper,
+				}
+			}
+
+			manager := Auth0Manager{
+				httpClient:  &jwtReqClient,
+				credentials: creds,
+				helper:      testCase.helper,
+			}
+
+			err := manager.UpdateUserAppMetadata("1", testCase.appMetadata)
+			testCase.assertErrFunc(t, err, testCase.assertErrFuncMessage)
+
+			assert.Equal(t, testCase.expectedReqBody, jwtReqClient.reqBody, "request body should match")
+		})
+	}
+}
--- a/management/server/idp/idp.go
+++ b/management/server/idp/idp.go
@@ -0,0 +1,63 @@
+package idp
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+)
+
+// Manager idp manager interface
+type Manager interface {
+	UpdateUserAppMetadata(userId string, appMetadata AppMetadata) error
+}
+
+// Config an idp configuration struct to be loaded from management server's config file
+type Config struct {
+	ManagerType            string
+	Auth0ClientCredentials Auth0ClientConfig
+}
+
+// ManagerCredentials interface that authenticates using the credential of each type of idp
+type ManagerCredentials interface {
+	Authenticate() (JWTToken, error)
+}
+
+// ManagerHTTPClient http client interface for API calls
+type ManagerHTTPClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+// ManagerHelper helper
+type ManagerHelper interface {
+	Marshal(v interface{}) ([]byte, error)
+	Unmarshal(data []byte, v interface{}) error
+}
+
+// AppMetadata user app metadata to associate with a profile
+type AppMetadata struct {
+	// Wiretrustee account id to update in the IDP
+	// maps to wt_account_id when json.marshal
+	WTAccountId string `json:"wt_account_id"`
+}
+
+// JWTToken a JWT object that holds information of a token
+type JWTToken struct {
+	AccessToken   string `json:"access_token"`
+	ExpiresIn     int    `json:"expires_in"`
+	expiresInTime time.Time
+	Scope         string `json:"scope"`
+	TokenType     string `json:"token_type"`
+}
+
+// NewManager returns a new idp manager based on the configuration that it receives
+func NewManager(config Config) (Manager, error) {
+	switch strings.ToLower(config.ManagerType) {
+	case "none", "":
+		return nil, nil
+	case "auth0":
+		return NewAuth0Manager(config.Auth0ClientCredentials), nil
+	default:
+		return nil, fmt.Errorf("invalid manager type: %s", config.ManagerType)
+	}
+}
--- a/management/server/idp/util.go
+++ b/management/server/idp/util.go
@@ -0,0 +1,13 @@
+package idp
+
+import "encoding/json"
+
+type JsonParser struct{}
+
+func (JsonParser) Marshal(v interface{}) ([]byte, error) {
+	return json.Marshal(v)
+}
+
+func (JsonParser) Unmarshal(data []byte, v interface{}) error {
+	return json.Unmarshal(data, v)
+}
--- a/management/server/jwtclaims/claims.go
+++ b/management/server/jwtclaims/claims.go
@@ -0,0 +1,9 @@
+package jwtclaims
+
+// AuthorizationClaims stores authorization information from JWTs
+type AuthorizationClaims struct {
+	UserId         string
+	AccountId      string
+	Domain         string
+	DomainCategory string
+}
--- a/management/server/jwtclaims/extractor.go
+++ b/management/server/jwtclaims/extractor.go
@@ -0,0 +1,56 @@
+package jwtclaims
+
+import (
+	"github.com/golang-jwt/jwt"
+	"net/http"
+)
+
+const (
+	TokenUserProperty    = "user"
+	AccountIDSuffix      = "wt_account_id"
+	DomainIDSuffix       = "wt_account_domain"
+	DomainCategorySuffix = "wt_account_domain_category"
+	UserIDClaim          = "sub"
+)
+
+// Extract function type
+type ExtractClaims func(r *http.Request, authAudiance string) AuthorizationClaims
+
+// ClaimsExtractor struct that holds the extract function
+type ClaimsExtractor struct {
+	ExtractClaimsFromRequestContext ExtractClaims
+}
+
+// NewClaimsExtractor returns an extractor, and if provided with a function with ExtractClaims signature,
+// then it will use that logic. Uses ExtractClaimsFromRequestContext by default
+func NewClaimsExtractor(e ExtractClaims) *ClaimsExtractor {
+	var extractFunc ExtractClaims
+	if extractFunc = e; extractFunc == nil {
+		extractFunc = ExtractClaimsFromRequestContext
+	}
+
+	return &ClaimsExtractor{
+		ExtractClaimsFromRequestContext: extractFunc,
+	}
+}
+
+// ExtractClaimsFromRequestContext extracts claims from the request context previously filled by the JWT token (after auth)
+func ExtractClaimsFromRequestContext(r *http.Request, authAudiance string) AuthorizationClaims {
+	token := r.Context().Value(TokenUserProperty).(*jwt.Token)
+	claims := token.Claims.(jwt.MapClaims)
+	jwtClaims := AuthorizationClaims{}
+	jwtClaims.UserId = claims[UserIDClaim].(string)
+	accountIdClaim, ok := claims[authAudiance+AccountIDSuffix]
+	if ok {
+		jwtClaims.AccountId = accountIdClaim.(string)
+	}
+	domainClaim, ok := claims[authAudiance+DomainIDSuffix]
+	if ok {
+		jwtClaims.Domain = domainClaim.(string)
+	}
+	domainCategoryClaim, ok := claims[authAudiance+DomainCategorySuffix]
+	if ok {
+		jwtClaims.DomainCategory = domainCategoryClaim.(string)
+	}
+	return jwtClaims
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Misha Bragin	5c84ba73fb	Revert "Add UI binary to windows installer (#283 )" This reverts commit `9ec4ea8e03`.	2022-03-23 09:15:06 +01:00
Givi Khojanashvili	9ec4ea8e03	Add UI binary to windows installer (#283 ) Windows installer has been updated to add systray UI as an installation step additionally to the service installation	2022-03-23 09:13:57 +01:00
braginini	9c3cd1a5db	Add basic desktop UI - systray	2022-03-08 16:14:00 +01:00
braginini	347a668bd5	Fix UP cmd to pass managementURL to daemon	2022-03-08 16:10:44 +01:00
Givi Khojanashvili	ef47385e38	Split client app into cmd and daemon service (#239 )	2022-03-08 14:47:55 +01:00
Mikhail Bragin	3e46f38166	Fix README	2022-03-06 21:40:09 +01:00
Mikhail Bragin	64e2e34dae	Add Slack badge	2022-03-06 14:16:17 +01:00
Mikhail Bragin	8dd92f14bf	Add more badges to README Codacy and Go report badges	2022-03-06 09:57:07 +01:00
Maycon Santos	071b03e790	Updated self-hosted scripts and documentation (#249 ) * Updated self-hosted scripts and documentation Added more variables to setup.env and Updated the documentation. We are now configuring turn server with template as well. * Updated self-hosted scripts and documentation Added more variables to setup.env and Updated the documentation. We are now configuring turn server with template as well. * Updated self-hosted scripts and documentation Added more variables to setup.env and Updated the documentation. We are now configuring turn server with template as well. * Updated self-hosted scripts and documentation Added more variables to setup.env and Updated the documentation. We are now configuring turn server with template as well.	2022-03-05 11:20:04 +01:00
Maycon Santos	3385ea6379	Update windows sign pipeline version (#248 ) With the latest versions of runner and updates of dependencies a new version was generated.	2022-03-03 10:21:58 +01:00
Mikhail Bragin	430e0415df	Remove Wireguard peer in no-proxy mode on Close (#247 ) When connection is closed the wireguard peer should be gone. It wasn't happening until this fix.	2022-03-02 14:50:22 +01:00
Mikhail Bragin	b72ed91cb4	Update self-hosting docs Running Dashboard, Management, Signal, and Coturn section. Mentioned in #244	2022-03-02 09:52:09 +01:00
Maycon Santos	0b8387bd2c	Group users of same private domain (#243 ) * Added Domain Category field and fix store tests * Add GetAccountByDomain method * Add Domain Category to authorization claims * Initial GetAccountWithAuthorizationClaims test cases * Renamed Private Domain map and index it on saving account * New Go build tags * Added NewRegularUser function * Updated restore to account for primary domain account Also, added another test case * Added grouping user of private domains Also added auxiliary methods for update metadata and domain attributes * Update http handles get account method and tests * Fix lint and document another case * Removed unnecessary log * Move use cases to method and add flow comments * Split the new user and existing logic from GetAccountWithAuthorizationClaims * Review: minor corrections Co-authored-by: braginini <bangvalo@gmail.com>	2022-03-01 15:22:18 +01:00
Mikhail Bragin	5d4c2643a3	Support no-proxy mode connection mode (#245 ) When one of the peers has a static public host IP or both peers are in the same local network we establish a direct Wireguard connection bypassing proxy usage. This helps reduce FD usage and improves performance.	2022-03-01 14:07:33 +01:00
Mikhail Bragin	69cda73bbb	Update README badges	2022-02-28 16:51:12 +01:00
Maycon Santos	b29948b910	Jwtclaims package (#242 ) * Move JWTClaims logic to its own package * Add extractor tests	2022-02-23 20:02:02 +01:00
shatoboar	5f5cbf7e20	Test mgmt http handler (#240 )	2022-02-22 18:18:05 +01:00
shatoboar	41c6af6b6f	Extracted AccountManager to interface (#230 )	2022-02-22 11:28:19 +01:00
Mikhail Bragin	23fad49756	Update docker pull badge	2022-02-22 11:24:24 +01:00
Maycon Santos	5546eba36a	Write to temp file before saving data (#238 ) * Create temp file before saving data On the event of full disk, we may encounter the case where the destination file get replaced by an empty file as the ioutil.WriteFile truncates the destination before write. * Close the tempFile instance before moving it * Blacklist Wireguard interfaces for ICE checks	2022-02-20 19:03:16 +01:00
braginini	60a9da734f	Bump wiretrustee-ice version	2022-02-18 15:06:44 +01:00
Maycon Santos	852c7c50c0	Fix IDPManagement initialization when no config (#234 ) * initialize idpmanage only if config was set * removed LetsEncryption information for local selfhosted deployments	2022-02-17 19:18:46 +01:00
braginini	1c2c1a876b	chore: fix selected candidate pair logging	2022-02-17 08:36:37 +01:00
Mikhail Bragin	e5dcd4753e	single socket ice (#232 ) Enables single socket for HOST and SRFLX candidates by utilizing pion.ice UDPMux	2022-02-16 20:00:21 +01:00
braginini	765d3a0ad0	fix: account JWT claim	2022-02-15 13:38:22 +01:00
braginini	97e4f9a801	chore: add client distfiles to gitignore	2022-02-15 13:01:56 +01:00
shatoboar	d468718d00	fix: go mod tidy (#231 )	2022-02-15 12:46:46 +01:00
shatoboar	15e371b592	sends wtversion to dashboard-UI (#229 )	2022-02-14 17:51:07 +01:00
Maycon Santos	cd9a418df2	Store domain information (#217 ) * extract claim information from JWT * get account function * Store domain * tests missing domain * update existing account with domain * add store domain tests	2022-02-11 17:18:18 +01:00
Jim Tittsler	919f0aa3da	fix typos (#226 )	2022-02-10 19:18:25 +01:00
shatoboar	b59fd50226	Add client version to the client app and send it to the management service (#222 ) * test: WIP mocking the grpc server for testing the sending of the client information * WIP: Test_SystemMetaDataFromClient with mocks, todo: * fix: failing meta data test * test: add system meta expectation in management client test * fix: removing deprecated register function, replacing with new one * fix: removing deprecated register function from mockclient interface impl * fix: fixing interface declaration * chore: remove unused commented code Co-authored-by: braginini <bangvalo@gmail.com>	2022-02-08 18:03:27 +01:00
Mikhail Bragin	3c959bb178	Login exits on a single attempt to connect to management (#220 ) * fix: login exits on a single attempt to connect to management * chore: add log verbosity for Login operation	2022-02-06 18:56:00 +01:00
shatoboar	efbb5acf63	Add client version to the client app and send it to the management service (#218 ) * moved wiretrustee version from main to system.info * added wiretrustee version for all supported platforms * typo corrected * refactor: use single WiretrusteeVersion() func to get version of the client Co-authored-by: braginini <bangvalo@gmail.com>	2022-02-03 18:35:54 +01:00
shatoboar	b339a9321a	fix: reducing github actions (#215 )	2022-02-01 11:53:24 +01:00
Maycon Santos	b045865d6e	remove demo word from Hosted version (#212 )	2022-01-26 14:25:33 +01:00
Mikhail Bragin	8680f16abd	Conduct (#205 ) * docs: add code of conduct	2022-01-26 09:33:16 +01:00
Maycon Santos	98dc5824ce	Rollback stopping management client within engine stop (#204 ) * start close handler when using console * don't close management client within engine stop	2022-01-25 11:18:01 +01:00
Maycon Santos	0739038d51	Fix unstable parallel tests (#202 ) * update interface tests and configuration messages * little debug * little debug on both errors * print all devs * list of devices * debug func * handle interface close * debug socks * debug socks * if ports match * use random assigned ports * remove unused const * close management client connection when stopping engine * GracefulStop when management clients are closed * enable workflows on PRs too * remove iface_test debug code	2022-01-25 09:40:28 +01:00
braginini	8ab6eb1cf4	chore: fix lint errors	2022-01-25 08:41:27 +01:00
Steffen Vogel	30625c68a9	Fix detection of wireguard kernel module on non-amd64 archs (#200 )	2022-01-24 22:45:52 +01:00
Maycon Santos	fd7282d3cf	Link account id with the external user store (#184 ) * get account id from access token claim * use GetOrCreateAccountByUser and add test * correct account id claim * remove unused account * Idp manager interface * auth0 idp manager * use if instead of switch case * remove unnecessary lock * NewAuth0Manager * move idpmanager to its own package * update metadata when accountId is not supplied * update tests with idpmanager field * format * new idp manager and config support * validate if we fetch the interface before converting to string * split getJWTToken * improve tests * proper json fields and handle defer body close * fix ci lint notes * documentation and proper defer position * UpdateUserAppMetadata tests * update documentation * ManagerCredentials interface * Marshal and Unmarshal functions * fix tests * ManagerHelper and ManagerHTTPClient * further tests with mocking * rename package and custom http client * sync local packages * remove idp suffix	2022-01-24 11:21:30 +01:00
Mikhail Bragin	2ad899b066	Test conn (#199 ) * test: add conn tests * test: add ConnStatus tests * test: add error test * test: add more conn tests	2022-01-21 13:52:19 +01:00
braginini	dfa67410b5	chore: update license and AUTHORS	2022-01-19 16:22:40 +01:00
Mikhail Bragin	23f028e65d	test: improve engine test (#198 )	2022-01-18 17:52:55 +01:00
Mikhail Bragin	5db130a12e	Support new Management service protocol (NetworkMap) (#193 ) * feature: support new management service protocol * chore: add more logging to track networkmap serial * refactor: organize peer update code in engine * chore: fix lint issues * refactor: extract Signal client interface * test: add signal client mock * refactor: introduce Management Service client interface * chore: place management and signal clients mocks to respective packages * test: add Serial test to the engine * fix: lint issues * test: unit tests for a networkMapUpdate * test: unit tests Sync update	2022-01-18 16:44:58 +01:00
Mikhail Bragin	9a3fba3fa3	docs: fix typo	2022-01-17 20:21:52 +01:00
Maycon Santos	0f7ab4354b	Fix cicd testing issue (#197 ) * sync module * cache per test os * different port for tests * wireguard packages versions	2022-01-17 15:10:18 +01:00
Maycon Santos	64f2d295a8	Refactor Interface package and update windows driver (#192 ) * script to generate syso files * test wireguard-windows driver package * set int log * add windows test * add windows test * verbose bash * use cd * move checkout * exit 0 * removed tty flag * artifact path * fix tags and add cache * fix cache * fix cache * test dir * restore artifacts in the root * try dll file * try dll file * copy dll * typo in copy dll * compile test * checkout first * updated cicd * fix add address issue and gen GUID * psexec typo * accept eula * mod tidy before tests * regular test exec and verbose test with psexec * test all * return WGInterface Interface * use WgIfaceName and timeout after 30 seconds * different ports and validate connect 2 peers * Use time.After for timeout and close interface * Use time.After for testing connect peers * WG Interface struct * Update engine and parse address * refactor Linux create and assignAddress * NewWGIface and configuration methods * Update proxy with interface methods * update up command test * resolve lint warnings * remove psexec test * close copied files * add goos before build * run tests on mac,windows and linux * cache by testing os * run on push * fix indentation * adjust test timeouts * remove parallel flag * mod tidy before test * ignore syso files * removed functions and renamed vars * different IPs for connect peers test * Generate syso with DLL * Single Close method * use port from test constant * test: remove wireguard interfaces after finishing engine test * use load_wgnt_from_rsrc Co-authored-by: braginini <bangvalo@gmail.com>	2022-01-17 14:01:58 +01:00
Mikhail Bragin	afb302d5e7	Change Management Sync protocol to support incremental (serial) network changes (#191 ) * feature: introduce NetworkMap to the management protocol with a Serial ID * test: add Management Sync method protocol test * test: add Management Sync method NetworkMap field check [FAILING] * test: add Management Sync method NetworkMap field check [FAILING] * feature: fill NetworkMap property to when Deleting peer * feature: fill NetworkMap in the Sync protocol * test: code review mentions - GeneratePrivateKey() in the test * fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey() * test: add NetworkMap test * fix: management_proto test remove store.json on test finish	2022-01-16 17:10:36 +01:00
Mikhail Bragin	9d1ecbbfb2	Management - add serial to Network reflecting network updates (#179 ) * chore: [management] - add account serial ID * Fix concurrency on the client (#183) * reworked peer connection establishment logic eliminating race conditions and deadlocks while running many peers * chore: move serial to Network from Account * feature: increment Network serial ID when adding/removing peers * chore: extract network struct init to network.go * chore: add serial test when adding peer to the account * test: add ModificationID test on AddPeer and DeletePeer	2022-01-14 14:34:27 +01:00