braginini
765d3a0ad0 fix: account JWT claim 2022-02-15 13:38:22 +01:00
braginini
97e4f9a801 chore: add client distfiles to gitignore 2022-02-15 13:01:56 +01:00
shatoboar
d468718d00 fix: go mod tidy (#231) 2022-02-15 12:46:46 +01:00
shatoboar
15e371b592 sends wtversion to dashboard-UI (#229) 2022-02-14 17:51:07 +01:00
Maycon Santos
cd9a418df2 Store domain information (#217)
* extract claim information from JWT

* get account function

* Store domain

* tests missing domain

* update existing account with domain

* add store domain tests
2022-02-11 17:18:18 +01:00
Jim Tittsler
919f0aa3da fix typos (#226) 2022-02-10 19:18:25 +01:00
shatoboar
b59fd50226 Add client version to the client app and send it to the management service (#222)
* test: WIP mocking the grpc server for testing the sending of the client information

* WIP: Test_SystemMetaDataFromClient with mocks, todo:

* fix: failing meta data test

* test: add system meta expectation in management client test

* fix: removing deprecated register function, replacing with new one

* fix: removing deprecated register function from mockclient interface impl

* fix: fixing interface declaration

* chore: remove unused commented code

Co-authored-by: braginini <bangvalo@gmail.com>
2022-02-08 18:03:27 +01:00
Mikhail Bragin
3c959bb178 Login exits on a single attempt to connect to management (#220)
* fix: login exits on a single attempt to connect to management

* chore: add log verbosity for Login operation
2022-02-06 18:56:00 +01:00
shatoboar
efbb5acf63 Add client version to the client app and send it to the management service (#218)
* moved wiretrustee version from main to system.info

* added wiretrustee version for all supported platforms

* typo corrected

* refactor: use single WiretrusteeVersion() func to get version of the client

Co-authored-by: braginini <bangvalo@gmail.com>
2022-02-03 18:35:54 +01:00
shatoboar
b339a9321a fix: reducing github actions (#215) 2022-02-01 11:53:24 +01:00
Maycon Santos
b045865d6e remove demo word from Hosted version (#212) 2022-01-26 14:25:33 +01:00
Mikhail Bragin
8680f16abd Conduct (#205)
* docs: add code of conduct
2022-01-26 09:33:16 +01:00
Maycon Santos
98dc5824ce Rollback stopping management client within engine stop (#204)
* start close handler when using console

* don't close management client within engine stop
2022-01-25 11:18:01 +01:00
Maycon Santos
0739038d51 Fix unstable parallel tests (#202)
* update interface tests and configuration messages

* little debug

* little debug on both errors

* print all devs

* list of devices

* debug func

* handle interface close

* debug socks

* debug socks

* if ports match

* use random assigned ports

* remove unused const

* close management client connection when stopping engine

* GracefulStop when management clients are closed

* enable workflows on PRs too

* remove iface_test debug code
2022-01-25 09:40:28 +01:00
braginini
8ab6eb1cf4 chore: fix lint errors 2022-01-25 08:41:27 +01:00
Steffen Vogel
30625c68a9 Fix detection of wireguard kernel module on non-amd64 archs (#200) 2022-01-24 22:45:52 +01:00
Maycon Santos
fd7282d3cf Link account id with the external user store (#184)
* get account id from access token claim

* use GetOrCreateAccountByUser and add test

* correct account id claim

* remove unused account

* Idp manager interface

* auth0 idp manager

* use if instead of switch case

* remove unnecessary lock

* NewAuth0Manager

* move idpmanager to its own package

* update metadata when accountId is not supplied

* update tests with idpmanager field

* format

* new idp manager and config support

* validate if we fetch the interface before converting to string

* split getJWTToken

* improve tests

* proper json fields and handle defer body close

* fix ci lint notes

* documentation and proper defer position

* UpdateUserAppMetadata tests

* update documentation

* ManagerCredentials interface

* Marshal and Unmarshal functions

* fix tests

* ManagerHelper and ManagerHTTPClient

* further tests with mocking

* rename package and custom http client

* sync local packages

* remove idp suffix
2022-01-24 11:21:30 +01:00
Mikhail Bragin
2ad899b066 Test conn (#199)
* test: add conn tests

* test: add ConnStatus tests

* test: add error test

* test: add more conn tests
2022-01-21 13:52:19 +01:00
braginini
dfa67410b5 chore: update license and AUTHORS 2022-01-19 16:22:40 +01:00
Mikhail Bragin
23f028e65d test: improve engine test (#198) 2022-01-18 17:52:55 +01:00
Mikhail Bragin
5db130a12e Support new Management service protocol (NetworkMap) (#193)
* feature: support new management service protocol

* chore: add more logging to track networkmap serial

* refactor: organize peer update code in engine

* chore: fix lint issues

* refactor: extract Signal client interface

* test: add signal client mock

* refactor: introduce Management Service client interface

* chore: place management and signal clients mocks to respective packages

* test: add Serial test to the engine

* fix: lint issues

* test: unit tests for a networkMapUpdate

* test: unit tests Sync update
2022-01-18 16:44:58 +01:00
Mikhail Bragin
9a3fba3fa3 docs: fix typo 2022-01-17 20:21:52 +01:00
Maycon Santos
0f7ab4354b Fix cicd testing issue (#197)
* sync module

* cache per test os

* different port for tests

* wireguard packages versions
2022-01-17 15:10:18 +01:00
Maycon Santos
64f2d295a8 Refactor Interface package and update windows driver (#192)
* script to generate syso files

* test wireguard-windows driver package

* set int log

* add windows test

* add windows test

* verbose bash

* use cd

* move checkout

* exit 0

* removed tty flag

* artifact path

* fix tags and add cache

* fix cache

* fix cache

* test dir

* restore artifacts in the root

* try dll file

* try dll file

* copy dll

* typo in copy dll

* compile test

* checkout first

* updated cicd

* fix add address issue and gen GUID

* psexec typo

* accept eula

* mod tidy before tests

* regular test exec and verbose test with psexec

* test all

* return WGInterface Interface

* use WgIfaceName and timeout after 30 seconds

* different ports and validate connect 2 peers

* Use time.After for timeout and close interface

* Use time.After for testing connect peers

* WG Interface struct

* Update engine and parse address

* refactor Linux create and assignAddress

* NewWGIface and configuration methods

* Update proxy with interface methods

* update up command test

* resolve lint warnings

* remove psexec test

* close copied files

* add goos before build

* run tests on mac,windows and linux

* cache by testing os

* run on push

* fix indentation

* adjust test timeouts

* remove parallel flag

* mod tidy before test

* ignore syso files

* removed functions and renamed vars

* different IPs for connect peers test

* Generate syso with DLL

* Single Close method

* use port from test constant

* test: remove wireguard interfaces after finishing engine test

* use load_wgnt_from_rsrc

Co-authored-by: braginini <bangvalo@gmail.com>
2022-01-17 14:01:58 +01:00
Mikhail Bragin
afb302d5e7 Change Management Sync protocol to support incremental (serial) network changes (#191)
* feature: introduce NetworkMap to the management protocol with a Serial ID

* test: add Management Sync method protocol test

* test: add Management Sync method NetworkMap field check [FAILING]

* test: add Management Sync method NetworkMap field check [FAILING]

* feature: fill NetworkMap property to when Deleting peer

* feature: fill NetworkMap in the Sync protocol

* test: code review mentions - GeneratePrivateKey() in the test

* fix: wiretrustee client use wireguard GeneratePrivateKey() instead of GenerateKey()

* test: add NetworkMap test

* fix: management_proto test remove store.json on test finish
2022-01-16 17:10:36 +01:00
Mikhail Bragin
9d1ecbbfb2 Management - add serial to Network reflecting network updates (#179)
* chore: [management] - add account serial ID

* Fix concurrency on the client (#183)

* reworked peer connection establishment logic eliminating race conditions and deadlocks while running many peers

* chore: move serial to Network from Account

* feature: increment Network serial ID when adding/removing peers

* chore: extract network struct init to network.go

* chore: add serial test when adding peer to the account

* test: add ModificationID test on AddPeer and DeletePeer
2022-01-14 14:34:27 +01:00
84 changed files with 4415 additions and 1600 deletions


@@ -1,9 +1,5 @@
on:
push:
branches:
- main
pull_request:
name: Test Build On Platforms name: Test Build On Platforms
on: [pull_request]
jobs: jobs:
test_build: test_build:
strategy: strategy:
@@ -21,15 +17,15 @@ jobs:
go-version: ${{ matrix.go-version }} go-version: ${{ matrix.go-version }}
- name: Cache Go modules - name: Cache Go modules
uses: actions/cache@v1 uses: actions/cache@v2
with: with:
path: ~/go/pkg/mod path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} key: ${{ runner.os }}-go-test-${{ matrix.os }}-${{ hashFiles('**/go.sum') }}
restore-keys: | restore-keys: |
${{ runner.os }}-go- ${{ runner.os }}-go-test-${{ matrix.os }}
- name: Install modules - name: Install modules
run: go mod tidy run: GOOS=${{ matrix.os }} go mod tidy
- name: run build client - name: run build client
run: GOOS=${{ matrix.os }} go build . run: GOOS=${{ matrix.os }} go build .
@@ -41,4 +37,4 @@ jobs:
- name: run build signal - name: run build signal
run: GOOS=${{ matrix.os }} go build . run: GOOS=${{ matrix.os }} go build .
working-directory: signal working-directory: signal
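Review bot: The `Install modules` step on the new side still runs `go mod tidy` right before the build, and the Darwin, Linux and Windows test workflows below add the same step before `go test`. Because `go mod tidy` rewrites go.mod and go.sum inside the runner's checkout, the build and tests pass even when the committed go.sum is stale or missing entries, so CI no longer proves that the checked-in module graph is what was built; the default `-mod=readonly` of `go build`/`go test` would have failed loudly on that drift. Consider making the step fail when tidy changes anything, e.g. `run: GOOS=${{ matrix.os }} go mod tidy && git diff --exit-code go.mod go.sum`, or replacing it with `go mod download` plus `go mod verify`. The matrix-aware cache key `${{ runner.os }}-go-test-${{ matrix.os }}-...` itself looks fine.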


@@ -0,0 +1,29 @@
name: Test Code Darwin
on: [push,pull_request]
jobs:
test:
strategy:
matrix:
go-version: [1.17.x]
runs-on: macos-latest
steps:
- name: Install Go
uses: actions/setup-go@v2
with:
go-version: ${{ matrix.go-version }}
- name: Checkout code
uses: actions/checkout@v2
- name: Cache Go modules
uses: actions/cache@v2
with:
path: ~/go/pkg/mod
key: macos-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
macos-go-
- name: Install modules
run: go mod tidy
- name: Test
run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test ./...


@@ -1,9 +1,5 @@
on: name: Test Code Linux
push: on: [push,pull_request]
branches:
- main
pull_request:
name: Test Code
jobs: jobs:
test: test:
strategy: strategy:
@@ -27,7 +23,20 @@ jobs:
$(whoami) soft nofile 65535 $(whoami) soft nofile 65535
$(whoami) hard nofile 65535 $(whoami) hard nofile 65535
EOF EOF
- name: Cache Go modules
uses: actions/cache@v2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Checkout code - name: Checkout code
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Install modules
run: go mod tidy
- name: Test - name: Test
run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test -p 1 ./... run: GOBIN=$(which go) && sudo --preserve-env=GOROOT $GOBIN test ./...
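Review bot: The added `Cache Go modules` step sits before `Checkout code`, so `hashFiles('**/go.sum')` in its `key` is evaluated against an empty workspace and yields the same value on every run; the key collapses to a constant, the first cache ever saved is restored forever, and no later change to go.sum produces a fresh key. Moving the cache step below the checkout step, as the new Darwin and Windows workflows already do, fixes this without any other change. The Test step's switch from `go test -p 1 ./...` to `go test ./...` is consistent with the commit message about removing the parallel flag.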


@@ -0,0 +1,51 @@
name: Test Code Windows
on: [push,pull_request]
jobs:
pre:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- run: bash -x wireguard_nt.sh
working-directory: client
- uses: actions/upload-artifact@v2
with:
name: syso
path: client/*.syso
retention-days: 1
test:
needs: pre
strategy:
matrix:
go-version: [1.17.x]
runs-on: windows-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Install Go
uses: actions/setup-go@v2
with:
go-version: ${{ matrix.go-version }}
- uses: actions/cache@v2
with:
path: |
%LocalAppData%\go-build
~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- uses: actions/download-artifact@v2
with:
name: syso
path: iface\
- name: Install modules
run: go mod tidy
- name: Test
run: go test -tags=load_wgnt_from_rsrc ./...
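Review bot: The `pre` job runs `bash -x wireguard_nt.sh` to produce the `client/*.syso` resources that the test job restores into `iface\` and embeds with `-tags=load_wgnt_from_rsrc`, and the release workflow below runs the same script before `Set up Go`; the script is outside this view, so where the driver comes from is not visible here. If it fetches the WireGuard NT driver at run time, both the test artifact and the release binary then depend on whatever the remote host serves that day, which is hard to reproduce or audit later. Pinning the exact driver version and verifying its checksum (or signature) inside the script, failing the job on mismatch, would make the embedded resource reproducible across both workflows. A comment on the step, e.g. `# builds client/*.syso from the pinned WireGuard NT driver (client/wireguard_nt.sh); restored into iface\ below`, would also tell readers why a shell script runs before the Go toolchain is installed.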


@@ -1,9 +1,5 @@
name: golangci-lint name: golangci-lint
on: on: [pull_request]
push:
branches:
- main
pull_request:
jobs: jobs:
golangci: golangci:
name: lint name: lint


@@ -14,6 +14,10 @@ jobs:
uses: actions/checkout@v2 uses: actions/checkout@v2
with: with:
fetch-depth: 0 # It is required for GoReleaser to work properly fetch-depth: 0 # It is required for GoReleaser to work properly
- name: Generate syso with DLL
run: bash -x wireguard_nt.sh
working-directory: client
- -
name: Set up Go name: Set up Go
uses: actions/setup-go@v2 uses: actions/setup-go@v2

4
.gitignore vendored

@@ -5,4 +5,6 @@ dist/
conf.json conf.json
http-cmds.sh http-cmds.sh
infrastructure_files/management.json infrastructure_files/management.json
infrastructure_files/docker-compose.yml infrastructure_files/docker-compose.yml
*.syso
client/.distfiles/


@@ -23,10 +23,10 @@ builds:
- goos: windows - goos: windows
goarch: arm goarch: arm
ldflags: ldflags:
- -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser - -s -w -X github.com/wiretrustee/wiretrustee/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
mod_timestamp: '{{ .CommitTimestamp }}' mod_timestamp: '{{ .CommitTimestamp }}'
tags: tags:
- load_wintun_from_rsrc - load_wgnt_from_rsrc
- id: wiretrustee-mgmt - id: wiretrustee-mgmt
dir: management dir: management
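Review bot: The `ldflags` line on the new side still sets `main.commit`, `main.date` and `main.builtBy` while `version` moved to `github.com/wiretrustee/wiretrustee/client/system.version`; the linker silently ignores an `-X` whose symbol does not exist, so if those three variables were moved or dropped together with `version` (the commit list says the version was moved from main to system.info), the release binary would report empty values with no build error. Worth confirming against the client's main package, which is outside this view, and either moving the remaining three `-X` targets to the same package or removing them. The tag rename to `load_wgnt_from_rsrc` matches the tag used by the new Windows test workflow.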


@@ -1,2 +1,3 @@
Mikhail Bragin (https://github.com/braginini) Mikhail Bragin (https://github.com/braginini)
Maycon Santos (https://github.com/mlsmaycon) Maycon Santos (https://github.com/mlsmaycon)
Wiretrustee UG (haftungsbeschränkt)

132
CODE_OF_CONDUCT.md Normal file

@@ -0,0 +1,132 @@
# Contributor Covenant Code of Conduct
## Our Pledge
We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.
We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.
## Our Standards
Examples of behavior that contributes to a positive environment for our
community include:
* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall
community
Examples of unacceptable behavior include:
* The use of sexualized language or imagery, and sexual attention or advances of
any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address,
without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
professional setting
## Enforcement Responsibilities
Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.
Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.
## Scope
This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.
## Enforcement
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
dev@wiretrustee.com.
All complaints will be reviewed and investigated promptly and fairly.
All community leaders are obligated to respect the privacy and security of the
reporter of any incident.
## Enforcement Guidelines
Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:
### 1. Correction
**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.
**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.
### 2. Warning
**Community Impact**: A violation through a single incident or series of
actions.
**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or permanent
ban.
### 3. Temporary Ban
**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.
**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.
### 4. Permanent Ban
**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.
**Consequence**: A permanent ban from any sort of public interaction within the
community.
## Attribution
This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.1, available at
[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
Community Impact Guidelines were inspired by
[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
For answers to common questions about this code of conduct, see the FAQ at
[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
[https://www.contributor-covenant.org/translations][translations].
[homepage]: https://www.contributor-covenant.org
[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
[Mozilla CoC]: https://github.com/mozilla/diversity
[FAQ]: https://www.contributor-covenant.org/faq
[translations]: https://www.contributor-covenant.org/translations


@@ -1,6 +1,6 @@
BSD 3-Clause License BSD 3-Clause License
Copyright (c) 2021 Wiretrustee AUTHORS Copyright (c) 2022 Wiretrustee UG (haftungsbeschränkt) & AUTHORS
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:


@@ -31,7 +31,7 @@ It requires zero configuration effort leaving behind the hassle of opening ports
**Wiretrustee automates Wireguard-based networks, offering a management layer with:** **Wiretrustee automates Wireguard-based networks, offering a management layer with:**
* Centralized Peer IP management with a UI dashboard. * Centralized Peer IP management with a UI dashboard.
* Encrypted peer-to-peet connections without a centralized VPN gateway. * Encrypted peer-to-peer connections without a centralized VPN gateway.
* Automatic Peer discovery and configuration. * Automatic Peer discovery and configuration.
* UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP. * UDP hole punching to establish peer-to-peer connections behind NAT, firewall, and without a public static IP.
* Connection relay fallback in case a peer-to-peer connection is not possible. * Connection relay fallback in case a peer-to-peer connection is not possible.
@@ -39,7 +39,7 @@ It requires zero configuration effort leaving behind the hassle of opening ports
* Client application SSO with MFA (coming soon). * Client application SSO with MFA (coming soon).
* Access Controls (coming soon). * Access Controls (coming soon).
* Activity Monitoring (coming soon). * Activity Monitoring (coming soon).
* Private DNS (coming baoon) * Private DNS (coming soon)
### Secure peer-to-peer VPN in minutes ### Secure peer-to-peer VPN in minutes
<p float="left" align="middle"> <p float="left" align="middle">
@@ -49,7 +49,7 @@ It requires zero configuration effort leaving behind the hassle of opening ports
**Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases](https://github.com/wiretrustee/wiretrustee/releases). **Note**: The `main` branch may be in an *unstable or even broken state* during development. For stable versions, see [releases](https://github.com/wiretrustee/wiretrustee/releases).
Hosted demo version: Hosted version:
[https://app.wiretrustee.com/](https://app.wiretrustee.com/peers). [https://app.wiretrustee.com/](https://app.wiretrustee.com/peers).
[UI Dashboard Repo](https://github.com/wiretrustee/wiretrustee-dashboard) [UI Dashboard Repo](https://github.com/wiretrustee/wiretrustee-dashboard)
@@ -159,7 +159,7 @@ Alternatively, if you are hosting your own Management Service provide `--managem
sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073 sudo wiretrustee up --setup-key <SETUP KEY> --management-url https://localhost:33073
``` ```
> You could also omit `--setup-key` property. In this case the tool will prompt it the key. > You could also omit the `--setup-key` property. In this case, the tool will prompt for the key.
2. Check your IP: 2. Check your IP:
@@ -181,8 +181,8 @@ For **Windows** systems:
### Running Dashboard, Management, Signal and Coturn ### Running Dashboard, Management, Signal and Coturn
Wiretrustee uses [Auth0](https://auth0.com) for user authentication and authorization, therefore you will need to create a free account Wiretrustee uses [Auth0](https://auth0.com) for user authentication and authorization, therefore you will need to create a free account
and configure Auth0 variables in the compose file (dashboard) and in the management config file. and configure Auth0 variables in the compose file (dashboard) and in the management config file.
We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires significant amount of time to make it right. We focused on connectivity instead. We chose Auth0 to "outsource" the user management part of our platform because we believe that implementing a proper user auth is not a trivial task and requires a significant amount of time to make it right. We focused on connectivity instead.
It is worth mentioning that dependency to Auth0 is the only one that cannot be self-hosted. It is worth mentioning that the dependency on Auth0 is the only one that cannot be self-hosted.
Configuring Wiretrustee Auth0 integration: Configuring Wiretrustee Auth0 integration:
- check [How to run](https://github.com/wiretrustee/wiretrustee-dashboard#how-to-run) to obtain Auth0 environment variables for UI Dashboard - check [How to run](https://github.com/wiretrustee/wiretrustee-dashboard#how-to-run) to obtain Auth0 environment variables for UI Dashboard
@@ -194,13 +194,13 @@ Configuring Wiretrustee Auth0 integration:
Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration. Under infrastructure_files we have a docker-compose example to run Dashboard, Wiretrustee Management and Signal services, plus an instance of [Coturn](https://github.com/coturn/coturn), it also provides a turnserver.conf file as a simple example of Coturn configuration.
You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**. You can edit the turnserver.conf file and change its Realm setting (defaults to wiretrustee.com) to your own domain and user setting (defaults to username1:password1) to **proper credentials**.
The example is set to use the official images from Wiretrustee and Coturn, you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn). The example is set to use the official images from Wiretrustee and Coturn; you can find our documentation to run the signal server in docker in [Running the Signal service](#running-the-signal-service), the management in [Management](./management/README.md), and the Coturn official documentation [here](https://hub.docker.com/r/coturn/coturn).
> Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges. > Run Coturn at your own risk, we are just providing an example, be sure to follow security best practices and to configure proper credentials as this service can be exploited and you may face large data transfer charges.
Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine, then switch the domainname to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation Also, if you have an SSL certificate for Coturn, you can modify the docker-compose.yml file to point to its files in your host machine and then switch the domain name to your own SSL domain. If you don't already have an SSL certificate, you can follow [Certbot's](https://certbot.eff.org/docs/intro.html) official documentation
to generate one from [Lets Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs. to generate one from [Lets Encrypt](https://letsencrypt.org/), or, we found that the example provided by [BigBlueButton](https://docs.bigbluebutton.org/2.2/setup-turn-server.html#generating-tls-certificates) covers the basics to configure Coturn with Let's Encrypt certs.
> The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the servicein a host with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file. > The Wiretrustee Management service can generate and maintain the certificates automatically, all you need to do is run the service in a host with a public IP, configure a valid DNS record pointing to that IP and uncomment the 443 ports and command lines in the docker-compose.yml file.
Simple docker-composer execution: Simple docker-composer execution:
````shell ````shell


@@ -4,17 +4,21 @@ import (
"bufio" "bufio"
"context" "context"
"fmt" "fmt"
"os"
"time"
"github.com/cenkalti/backoff/v4"
"github.com/google/uuid" "github.com/google/uuid"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/spf13/cobra" "github.com/spf13/cobra"
"github.com/wiretrustee/wiretrustee/client/internal" "github.com/wiretrustee/wiretrustee/client/internal"
"github.com/wiretrustee/wiretrustee/client/system"
mgm "github.com/wiretrustee/wiretrustee/management/client" mgm "github.com/wiretrustee/wiretrustee/management/client"
mgmProto "github.com/wiretrustee/wiretrustee/management/proto" mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
"github.com/wiretrustee/wiretrustee/util" "github.com/wiretrustee/wiretrustee/util"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
"os"
) )
var ( var (
@@ -24,55 +28,78 @@ var (
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {
SetFlagsFromEnvVars() SetFlagsFromEnvVars()
err := util.InitLog(logLevel, logFile) var backOff = &backoff.ExponentialBackOff{
if err != nil { InitialInterval: time.Second,
log.Errorf("failed initializing log %v", err) RandomizationFactor: backoff.DefaultRandomizationFactor,
return err Multiplier: backoff.DefaultMultiplier,
MaxInterval: 2 * time.Second,
MaxElapsedTime: time.Second * 10,
Stop: backoff.Stop,
Clock: backoff.SystemClock,
} }
config, err := internal.GetConfig(managementURL, configPath, preSharedKey) loginOp := func() error {
if err != nil {
log.Errorf("failed getting config %s %v", configPath, err) err := util.InitLog(logLevel, logFile)
return err if err != nil {
log.Errorf("failed initializing log %v", err)
return err
}
config, err := internal.GetConfig(managementURL, configPath, preSharedKey)
if err != nil {
log.Errorf("failed getting config %s %v", configPath, err)
return err
}
//validate our peer's Wireguard PRIVATE key
myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
if err != nil {
log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
return err
}
ctx := context.Background()
mgmTlsEnabled := false
if config.ManagementURL.Scheme == "https" {
mgmTlsEnabled = true
}
log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
if err != nil {
log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
return err
}
log.Debugf("connected to management Service %s", config.ManagementURL.String())
serverKey, err := mgmClient.GetServerPublicKey()
if err != nil {
log.Errorf("failed while getting Management Service public key: %v", err)
return err
}
_, err = loginPeer(*serverKey, mgmClient, setupKey)
if err != nil {
log.Errorf("failed logging-in peer on Management Service : %v", err)
return err
}
err = mgmClient.Close()
if err != nil {
log.Errorf("failed closing Management Service client: %v", err)
return err
}
return nil
} }
//validate our peer's Wireguard PRIVATE key err := backoff.RetryNotify(loginOp, backOff, func(err error, duration time.Duration) {
myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey) log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
})
if err != nil { if err != nil {
log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error()) log.Errorf("exiting login retry loop due to unrecoverable error: %v", err)
return err
}
ctx := context.Background()
mgmTlsEnabled := false
if config.ManagementURL.Scheme == "https" {
mgmTlsEnabled = true
}
log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
if err != nil {
log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
return err
}
log.Debugf("connected to anagement Service %s", config.ManagementURL.String())
serverKey, err := mgmClient.GetServerPublicKey()
if err != nil {
log.Errorf("failed while getting Management Service public key: %v", err)
return err
}
_, err = loginPeer(*serverKey, mgmClient, setupKey)
if err != nil {
log.Errorf("failed logging-in peer on Management Service : %v", err)
return err
}
err = mgmClient.Close()
if err != nil {
log.Errorf("failed closing Management Service client: %v", err)
return err return err
} }
@@ -82,7 +109,7 @@ var (
) )
// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow. // loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) { func loginPeer(serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string) (*mgmProto.LoginResponse, error) {
loginResp, err := client.Login(serverPublicKey) loginResp, err := client.Login(serverPublicKey)
if err != nil { if err != nil {
@@ -101,7 +128,7 @@ func loginPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string)
// registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key. // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
// Otherwise tries to register with the provided setupKey via command line. // Otherwise tries to register with the provided setupKey via command line.
func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey string) (*mgmProto.LoginResponse, error) { func registerPeer(serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string) (*mgmProto.LoginResponse, error) {
var err error var err error
if setupKey == "" { if setupKey == "" {
@@ -118,7 +145,8 @@ func registerPeer(serverPublicKey wgtypes.Key, client *mgm.Client, setupKey stri
} }
log.Debugf("sending peer registration request to Management Service") log.Debugf("sending peer registration request to Management Service")
loginResp, err := client.Register(serverPublicKey, validSetupKey.String()) info := system.GetInfo()
loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), info)
if err != nil { if err != nil {
log.Errorf("failed registering peer %v", err) log.Errorf("failed registering peer %v", err)
return nil, err return nil, err


@@ -60,7 +60,7 @@ func TestLogin(t *testing.T) {
} }
if actualConf.WgIface != iface.WgInterfaceDefault { if actualConf.WgIface != iface.WgInterfaceDefault {
t.Errorf("expected WgIface %s got %s", iface.WgInterfaceDefault, actualConf.WgIface) t.Errorf("expected WgIfaceName %s got %s", iface.WgInterfaceDefault, actualConf.WgIface)
} }
if len(actualConf.PrivateKey) == 0 { if len(actualConf.PrivateKey) == 0 {


@@ -38,7 +38,7 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
} }
peersUpdateManager := mgmt.NewPeersUpdateManager() peersUpdateManager := mgmt.NewPeersUpdateManager()
accountManager := mgmt.NewManager(store, peersUpdateManager) accountManager := mgmt.NewManager(store, peersUpdateManager, nil)
turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig) turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager) mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
if err != nil { if err != nil {
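Review bot: `mgmt.NewManager(store, peersUpdateManager, nil)` passes a bare `nil` for the newly added third argument, so a reader of the test cannot tell which dependency is being left out or why that is acceptable here. A trailing comment naming it, e.g. `accountManager := mgmt.NewManager(store, peersUpdateManager, nil) // <optional dependency>: not exercised by this test`, would make the intent explicit. Whether every `NewManager` code path reached by `startManagement` tolerates the nil cannot be confirmed from this hunk; the function continues outside it.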


@@ -2,6 +2,8 @@ package cmd
import ( import (
"context" "context"
"time"
"github.com/cenkalti/backoff/v4" "github.com/cenkalti/backoff/v4"
"github.com/kardianos/service" "github.com/kardianos/service"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
@@ -13,7 +15,6 @@ import (
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
"time"
) )
var ( var (
@@ -22,11 +23,13 @@ var (
Short: "install, login and start wiretrustee client", Short: "install, login and start wiretrustee client",
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {
SetFlagsFromEnvVars() SetFlagsFromEnvVars()
err := loginCmd.RunE(cmd, args) err := loginCmd.RunE(cmd, args)
if err != nil { if err != nil {
return err return err
} }
if logFile == "console" { if logFile == "console" {
SetupCloseHandler()
return runClient() return runClient()
} }
@@ -64,7 +67,7 @@ func createEngineConfig(key wgtypes.Key, config *internal.Config, peerConfig *mg
} }
engineConf := &internal.EngineConfig{ engineConf := &internal.EngineConfig{
WgIface: config.WgIface, WgIfaceName: config.WgIface,
WgAddr: peerConfig.Address, WgAddr: peerConfig.Address,
IFaceBlackList: iFaceBlackList, IFaceBlackList: iFaceBlackList,
WgPrivateKey: key, WgPrivateKey: key,
@@ -83,7 +86,7 @@ func createEngineConfig(key wgtypes.Key, config *internal.Config, peerConfig *mg
} }
// connectToSignal creates Signal Service client and established a connection // connectToSignal creates Signal Service client and established a connection
func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.Client, error) { func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig, ourPrivateKey wgtypes.Key) (*signal.GrpcClient, error) {
var sigTLSEnabled bool var sigTLSEnabled bool
if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS { if wtConfig.Signal.Protocol == mgmProto.HostConfig_HTTPS {
sigTLSEnabled = true sigTLSEnabled = true
@@ -101,7 +104,7 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig,
} }
// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc) // connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.Client, *mgmProto.LoginResponse, error) { func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.GrpcClient, *mgmProto.LoginResponse, error) {
log.Debugf("connecting to management server %s", managementAddr) log.Debugf("connecting to management server %s", managementAddr)
client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled) client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
if err != nil { if err != nil {
@@ -184,7 +187,6 @@ func runClient() error {
return err return err
} }
// create start the Wiretrustee Engine that will connect to the Signal and Management streams and manage connections to remote peers.
engine := internal.NewEngine(signalClient, mgmClient, engineConfig, cancel, ctx) engine := internal.NewEngine(signalClient, mgmClient, engineConfig, cancel, ctx)
err = engine.Start() err = engine.Start()
if err != nil { if err != nil {
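Review bot: `SetupCloseHandler()` is registered only inside the `logFile == "console"` branch of `RunE`, so on the non-console path close handling must come from elsewhere (presumably the service wrapper); a one-line comment such as `// console mode runs in the foreground, so install our own close handler` would keep the asymmetry from looking accidental. Separately, the `runClient` hunk deletes the comment explaining that `internal.NewEngine` creates the engine that connects to the Signal and Management streams without replacing it; I would keep a one-line version of it above the `NewEngine` call. Both `RunE` and `runClient` continue outside their hunks.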


@@ -36,7 +36,7 @@ func TestUp_Start(t *testing.T) {
func TestUp(t *testing.T) { func TestUp(t *testing.T) {
defer iface.Close("wt0") //defer iface.Close("wt0")
tempDir := t.TempDir() tempDir := t.TempDir()
confPath := tempDir + "/config.json" confPath := tempDir + "/config.json"
@@ -53,6 +53,8 @@ func TestUp(t *testing.T) {
"A2C8E62B-38F5-4553-B31E-DD66C696CEBB", "A2C8E62B-38F5-4553-B31E-DD66C696CEBB",
"--management-url", "--management-url",
mgmtURL.String(), mgmtURL.String(),
"--log-level",
"debug",
"--log-file", "--log-file",
"console", "console",
}) })
@@ -63,20 +65,23 @@ func TestUp(t *testing.T) {
} }
}() }()
exists := false timeout := 15 * time.Second
for start := time.Now(); time.Since(start) < 15*time.Second; { timeoutChannel := time.After(timeout)
for {
select {
case <-timeoutChannel:
t.Fatalf("expected wireguard interface %s to be created before %s", iface.WgInterfaceDefault, timeout.String())
default:
}
e, err := iface.Exists(iface.WgInterfaceDefault) e, err := iface.Exists(iface.WgInterfaceDefault)
if err != nil { if err != nil {
continue continue
} }
if err != nil {
continue
}
if *e { if *e {
exists = true
break break
} }
}
if !exists {
t.Errorf("expected wireguard interface %s to be created", iface.WgInterfaceDefault)
} }
} }
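Review bot: `defer iface.Close("wt0")` is commented out rather than removed or replaced, so the WireGuard interface the test creates is no longer cleaned up at the end of `TestUp` and the dead line stays in the file; either delete it or restore cleanup through the interface type the engine now uses. The rewritten wait loop also spins without pausing: `iface.Exists` is called back-to-back until the interface appears or the 15 s timeout fires, and the `continue` on error does the same, so a `time.Sleep(100 * time.Millisecond)` at the top of the loop body would keep it from busy-polling the host. `t.Fatalf` inside the `select` is fine here because the loop runs on the test goroutine.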


@@ -1,14 +1,16 @@
package cmd package cmd
import "github.com/spf13/cobra" import (
"github.com/spf13/cobra"
"github.com/wiretrustee/wiretrustee/client/system"
)
var ( var (
Version string
versionCmd = &cobra.Command{ versionCmd = &cobra.Command{
Use: "version", Use: "version",
Short: "prints wiretrustee version", Short: "prints wiretrustee version",
Run: func(cmd *cobra.Command, args []string) { Run: func(cmd *cobra.Command, args []string) {
cmd.Println(Version) cmd.Println(system.WiretrusteeVersion())
}, },
} }
) )


@@ -110,7 +110,7 @@ func GetConfig(managementURL string, configPath string, preSharedKey string) (*C
// generateKey generates a new Wireguard private key // generateKey generates a new Wireguard private key
func generateKey() string { func generateKey() string {
key, err := wgtypes.GenerateKey() key, err := wgtypes.GeneratePrivateKey()
if err != nil { if err != nil {
panic(err) panic(err)
} }
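Review bot: The switch from `wgtypes.GenerateKey()` to `wgtypes.GeneratePrivateKey()` is the right call for a WireGuard private key, but the doc comment above `generateKey` does not record why, which makes the change easy to undo in a later cleanup; I would extend it to `// generateKey generates a new Wireguard private key. GeneratePrivateKey (rather than GenerateKey, which produces a pre-shared key) is required so the key is clamped for Curve25519.` The `panic(err)` on a random-source failure is pre-existing and is reached from `GetConfig`; returning the error would be preferable, but that changes a signature outside this hunk. The function continues past the hunk.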


@@ -3,6 +3,11 @@ package internal
import ( import (
"context" "context"
"fmt" "fmt"
"math/rand"
"strings"
"sync"
"time"
"github.com/pion/ice/v2" "github.com/pion/ice/v2"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/client/internal/peer" "github.com/wiretrustee/wiretrustee/client/internal/peer"
@@ -12,15 +17,13 @@ import (
mgmProto "github.com/wiretrustee/wiretrustee/management/proto" mgmProto "github.com/wiretrustee/wiretrustee/management/proto"
signal "github.com/wiretrustee/wiretrustee/signal/client" signal "github.com/wiretrustee/wiretrustee/signal/client"
sProto "github.com/wiretrustee/wiretrustee/signal/proto" sProto "github.com/wiretrustee/wiretrustee/signal/proto"
"github.com/wiretrustee/wiretrustee/util"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"math/rand"
"strings"
"sync"
"time"
) )
// PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer. // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
// E.g. this peer will wait PeerConnectionTimeoutMax for the remote peer to respond, if not successful then it will retry the connection attempt. // E.g. this peer will wait PeerConnectionTimeoutMax for the remote peer to respond, if not successful then it will retry the connection attempt.
// Todo pass timeout at EnginConfig
const PeerConnectionTimeoutMax = 45000 //ms const PeerConnectionTimeoutMax = 45000 //ms
const PeerConnectionTimeoutMin = 30000 //ms const PeerConnectionTimeoutMin = 30000 //ms
@@ -28,8 +31,8 @@ const WgPort = 51820
// EngineConfig is a config for the Engine // EngineConfig is a config for the Engine
type EngineConfig struct { type EngineConfig struct {
WgPort int WgPort int
WgIface string WgIfaceName string
// WgAddr is a Wireguard local address (Wiretrustee Network IP) // WgAddr is a Wireguard local address (Wiretrustee Network IP)
WgAddr string WgAddr string
// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine) // WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
@@ -43,9 +46,9 @@ type EngineConfig struct {
// Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers. // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
type Engine struct { type Engine struct {
// signal is a Signal Service client // signal is a Signal Service client
signal *signal.Client signal signal.Client
// mgmClient is a Management Service client // mgmClient is a Management Service client
mgmClient *mgm.Client mgmClient mgm.Client
// peerConns is a map that holds all the peers that are known to this peer // peerConns is a map that holds all the peers that are known to this peer
peerConns map[string]*peer.Conn peerConns map[string]*peer.Conn
@@ -61,6 +64,11 @@ type Engine struct {
cancel context.CancelFunc cancel context.CancelFunc
ctx context.Context ctx context.Context
wgInterface iface.WGIface
// networkSerial is the latest Serial (state ID) of the network sent by the Management service
networkSerial uint64
} }
// Peer is an instance of the Connection Peer // Peer is an instance of the Connection Peer
@@ -70,17 +78,18 @@ type Peer struct {
} }
// NewEngine creates a new Connection Engine // NewEngine creates a new Connection Engine
func NewEngine(signalClient *signal.Client, mgmClient *mgm.Client, config *EngineConfig, cancel context.CancelFunc, ctx context.Context) *Engine { func NewEngine(signalClient signal.Client, mgmClient mgm.Client, config *EngineConfig, cancel context.CancelFunc, ctx context.Context) *Engine {
return &Engine{ return &Engine{
signal: signalClient, signal: signalClient,
mgmClient: mgmClient, mgmClient: mgmClient,
peerConns: map[string]*peer.Conn{}, peerConns: map[string]*peer.Conn{},
syncMsgMux: &sync.Mutex{}, syncMsgMux: &sync.Mutex{},
config: config, config: config,
STUNs: []*ice.URL{}, STUNs: []*ice.URL{},
TURNs: []*ice.URL{}, TURNs: []*ice.URL{},
cancel: cancel, cancel: cancel,
ctx: ctx, ctx: ctx,
networkSerial: 0,
} }
} }
@@ -88,16 +97,18 @@ func (e *Engine) Stop() error {
e.syncMsgMux.Lock() e.syncMsgMux.Lock()
defer e.syncMsgMux.Unlock() defer e.syncMsgMux.Unlock()
err := e.removeAllPeerConnections() err := e.removeAllPeers()
if err != nil { if err != nil {
return err return err
} }
log.Debugf("removing Wiretrustee interface %s", e.config.WgIface) log.Debugf("removing Wiretrustee interface %s", e.config.WgIfaceName)
err = iface.Close(e.config.WgIface) if e.wgInterface.Interface != nil {
if err != nil { err = e.wgInterface.Close()
log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIface, err) if err != nil {
return err log.Errorf("failed closing Wiretrustee interface %s %v", e.config.WgIfaceName, err)
return err
}
} }
log.Infof("stopped Wiretrustee Engine") log.Infof("stopped Wiretrustee Engine")
@@ -112,19 +123,26 @@ func (e *Engine) Start() error {
e.syncMsgMux.Lock() e.syncMsgMux.Lock()
defer e.syncMsgMux.Unlock() defer e.syncMsgMux.Unlock()
wgIface := e.config.WgIface wgIfaceName := e.config.WgIfaceName
wgAddr := e.config.WgAddr wgAddr := e.config.WgAddr
myPrivateKey := e.config.WgPrivateKey myPrivateKey := e.config.WgPrivateKey
var err error
err := iface.Create(wgIface, wgAddr) e.wgInterface, err = iface.NewWGIface(wgIfaceName, wgAddr, iface.DefaultMTU)
if err != nil { if err != nil {
log.Errorf("failed creating interface %s: [%s]", wgIface, err.Error()) log.Errorf("failed creating wireguard interface instance %s: [%s]", wgIfaceName, err.Error())
return err return err
} }
err = iface.Configure(wgIface, myPrivateKey.String(), e.config.WgPort) err = e.wgInterface.Create()
if err != nil { if err != nil {
log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIface, err.Error()) log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
return err
}
err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
if err != nil {
log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
return err return err
} }
@@ -134,8 +152,22 @@ func (e *Engine) Start() error {
return nil return nil
} }
func (e *Engine) removePeers(peers []string) error { // removePeers finds and removes peers that do not exist anymore in the network map received from the Management Service
for _, p := range peers { func (e *Engine) removePeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
currentPeers := make([]string, 0, len(e.peerConns))
for p := range e.peerConns {
currentPeers = append(currentPeers, p)
}
newPeers := make([]string, 0, len(peersUpdate))
for _, p := range peersUpdate {
newPeers = append(newPeers, p.GetWgPubKey())
}
toRemove := util.SliceDiff(currentPeers, newPeers)
for _, p := range toRemove {
err := e.removePeer(p) err := e.removePeer(p)
if err != nil { if err != nil {
return err return err
@@ -145,7 +177,7 @@ func (e *Engine) removePeers(peers []string) error {
return nil return nil
} }
func (e *Engine) removeAllPeerConnections() error { func (e *Engine) removeAllPeers() error {
log.Debugf("removing all peer connections") log.Debugf("removing all peer connections")
for p := range e.peerConns { for p := range e.peerConns {
err := e.removePeer(p) err := e.removePeer(p)
@@ -162,7 +194,15 @@ func (e *Engine) removePeer(peerKey string) error {
conn, exists := e.peerConns[peerKey] conn, exists := e.peerConns[peerKey]
if exists { if exists {
delete(e.peerConns, peerKey) delete(e.peerConns, peerKey)
return conn.Close() err := conn.Close()
if err != nil {
switch err.(type) {
case *peer.ConnectionAlreadyClosedError:
return nil
default:
return err
}
}
} }
return nil return nil
} }
@@ -177,6 +217,16 @@ func (e *Engine) GetPeerConnectionStatus(peerKey string) peer.ConnStatus {
return -1 return -1
} }
func (e *Engine) GetPeers() []string {
e.syncMsgMux.Lock()
defer e.syncMsgMux.Unlock()
peers := []string{}
for s := range e.peerConns {
peers = append(peers, s)
}
return peers
}
// GetConnectedPeers returns a connection Status or nil if peer connection wasn't found // GetConnectedPeers returns a connection Status or nil if peer connection wasn't found
func (e *Engine) GetConnectedPeers() []string { func (e *Engine) GetConnectedPeers() []string {
@@ -193,7 +243,7 @@ func (e *Engine) GetConnectedPeers() []string {
return peers return peers
} }
func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client) error { func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client) error {
err := s.Send(&sProto.Message{ err := s.Send(&sProto.Message{
Key: myKey.PublicKey().String(), Key: myKey.PublicKey().String(),
RemoteKey: remoteKey.String(), RemoteKey: remoteKey.String(),
@@ -211,7 +261,7 @@ func signalCandidate(candidate ice.Candidate, myKey wgtypes.Key, remoteKey wgtyp
return nil return nil
} }
func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s *signal.Client, isAnswer bool) error { func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.Key, s signal.Client, isAnswer bool) error {
var t sProto.Body_Type var t sProto.Body_Type
if isAnswer { if isAnswer {
@@ -234,37 +284,42 @@ func signalAuth(uFrag string, pwd string, myKey wgtypes.Key, remoteKey wgtypes.K
return nil return nil
} }
func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
e.syncMsgMux.Lock()
defer e.syncMsgMux.Unlock()
if update.GetWiretrusteeConfig() != nil {
err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
if err != nil {
return err
}
err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
if err != nil {
return err
}
//todo update signal
}
if update.GetNetworkMap() != nil {
// only apply new changes and ignore old ones
err := e.updateNetworkMap(update.GetNetworkMap())
if err != nil {
return err
}
}
return nil
}
// receiveManagementEvents connects to the Management Service event stream to receive updates from the management service // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
// E.g. when a new peer has been registered and we are allowed to connect to it. // E.g. when a new peer has been registered and we are allowed to connect to it.
func (e *Engine) receiveManagementEvents() { func (e *Engine) receiveManagementEvents() {
go func() { go func() {
err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error { err := e.mgmClient.Sync(func(update *mgmProto.SyncResponse) error {
e.syncMsgMux.Lock() return e.handleSync(update)
defer e.syncMsgMux.Unlock()
if update.GetWiretrusteeConfig() != nil {
err := e.updateTURNs(update.GetWiretrusteeConfig().GetTurns())
if err != nil {
return err
}
err = e.updateSTUNs(update.GetWiretrusteeConfig().GetStuns())
if err != nil {
return err
}
//todo update signal
}
if update.GetRemotePeers() != nil || update.GetRemotePeersIsEmpty() {
// empty arrays are serialized by protobuf to null, but for our case empty array is a valid state.
err := e.updatePeers(update.GetRemotePeers())
if err != nil {
return err
}
}
return nil
}) })
if err != nil { if err != nil {
// happens if management is unavailable for a long time. // happens if management is unavailable for a long time.
@@ -315,27 +370,41 @@ func (e *Engine) updateTURNs(turns []*mgmProto.ProtectedHostConfig) error {
return nil return nil
} }
func (e *Engine) updatePeers(remotePeers []*mgmProto.RemotePeerConfig) error { func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(remotePeers))
remotePeerMap := make(map[string]struct{}) serial := networkMap.GetSerial()
for _, p := range remotePeers { if e.networkSerial > serial {
remotePeerMap[p.GetWgPubKey()] = struct{}{} log.Debugf("received outdated NetworkMap with serial %d, ignoring", serial)
return nil
} }
//remove peers that are no longer available for us log.Debugf("got peers update from Management Service, total peers to connect to = %d", len(networkMap.GetRemotePeers()))
toRemove := []string{}
for p := range e.peerConns { // cleanup request, most likely our peer has been deleted
if _, ok := remotePeerMap[p]; !ok { if networkMap.GetRemotePeersIsEmpty() {
toRemove = append(toRemove, p) err := e.removeAllPeers()
if err != nil {
return err
}
} else {
err := e.removePeers(networkMap.GetRemotePeers())
if err != nil {
return err
}
err = e.addNewPeers(networkMap.GetRemotePeers())
if err != nil {
return err
} }
} }
err := e.removePeers(toRemove)
if err != nil {
return err
}
// add new peers e.networkSerial = serial
for _, p := range remotePeers { return nil
}
// addNewPeers finds and adds peers that were not know before but arrived from the Management service with the update
func (e *Engine) addNewPeers(peersUpdate []*mgmProto.RemotePeerConfig) error {
for _, p := range peersUpdate {
peerKey := p.GetWgPubKey() peerKey := p.GetWgPubKey()
peerIPs := p.GetAllowedIps() peerIPs := p.GetAllowedIps()
if _, ok := e.peerConns[peerKey]; !ok { if _, ok := e.peerConns[peerKey]; !ok {
@@ -399,7 +468,7 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
proxyConfig := proxy.Config{ proxyConfig := proxy.Config{
RemoteKey: pubKey, RemoteKey: pubKey,
WgListenAddr: fmt.Sprintf("127.0.0.1:%d", e.config.WgPort), WgListenAddr: fmt.Sprintf("127.0.0.1:%d", e.config.WgPort),
WgInterface: e.config.WgIface, WgInterface: e.wgInterface,
AllowedIps: allowedIPs, AllowedIps: allowedIPs,
PreSharedKey: e.config.PreSharedKey, PreSharedKey: e.config.PreSharedKey,
} }
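Review bot: `GetPeers`, added after the `GetPeerConnectionStatus` hunk, is exported but has no doc comment, unlike its neighbours; `// GetPeers returns the WireGuard public keys of all peers currently known to the Engine.` would match the file's style. In `removePeer`, `switch err.(type)` only matches an unwrapped `*peer.ConnectionAlreadyClosedError`; `var closed *peer.ConnectionAlreadyClosedError; if errors.As(err, &closed) { return nil }` also handles a wrapped one, at the cost of an `errors` import that the import hunk does not show. In `updateNetworkMap` the guard is `e.networkSerial > serial`, so a map whose Serial equals the current one is re-applied; that looks harmless because `removePeers` and `addNewPeers` skip peers that already exist, but it is worth confirming it is intended rather than switching to `>=`.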


@@ -3,7 +3,16 @@ package internal
import ( import (
"context" "context"
"fmt" "fmt"
"net"
"os"
"path/filepath"
"runtime"
"sync"
"testing"
"time"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/client/system"
mgmt "github.com/wiretrustee/wiretrustee/management/client" mgmt "github.com/wiretrustee/wiretrustee/management/client"
mgmtProto "github.com/wiretrustee/wiretrustee/management/proto" mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
"github.com/wiretrustee/wiretrustee/management/server" "github.com/wiretrustee/wiretrustee/management/server"
@@ -14,13 +23,6 @@ import (
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/keepalive" "google.golang.org/grpc/keepalive"
"net"
"os"
"path/filepath"
"runtime"
"sync"
"testing"
"time"
) )
var ( var (
@@ -37,6 +39,233 @@ var (
} }
) )
func TestEngine_UpdateNetworkMap(t *testing.T) {
// test setup
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
t.Fatal(err)
return
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
engine := NewEngine(&signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
WgIfaceName: "utun100",
WgAddr: "100.64.0.1/24",
WgPrivateKey: key,
WgPort: 33100,
}, cancel, ctx)
type testCase struct {
name string
networkMap *mgmtProto.NetworkMap
expectedLen int
expectedPeers []string
expectedSerial uint64
}
peer1 := &mgmtProto.RemotePeerConfig{
WgPubKey: "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
AllowedIps: []string{"100.64.0.10/24"},
}
peer2 := &mgmtProto.RemotePeerConfig{
WgPubKey: "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
AllowedIps: []string{"100.64.0.11/24"},
}
peer3 := &mgmtProto.RemotePeerConfig{
WgPubKey: "GGHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
AllowedIps: []string{"100.64.0.12/24"},
}
case1 := testCase{
name: "input with a new peer to add",
networkMap: &mgmtProto.NetworkMap{
Serial: 1,
PeerConfig: nil,
RemotePeers: []*mgmtProto.RemotePeerConfig{
peer1,
},
RemotePeersIsEmpty: false,
},
expectedLen: 1,
expectedPeers: []string{peer1.GetWgPubKey()},
expectedSerial: 1,
}
// 2nd case - one extra peer added and network map has Serial grater than local => apply the update
case2 := testCase{
name: "input with an old peer and a new peer to add",
networkMap: &mgmtProto.NetworkMap{
Serial: 2,
PeerConfig: nil,
RemotePeers: []*mgmtProto.RemotePeerConfig{
peer1, peer2,
},
RemotePeersIsEmpty: false,
},
expectedLen: 2,
expectedPeers: []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
expectedSerial: 2,
}
case3 := testCase{
name: "input with outdated (old) update to ignore",
networkMap: &mgmtProto.NetworkMap{
Serial: 0,
PeerConfig: nil,
RemotePeers: []*mgmtProto.RemotePeerConfig{
peer1, peer2, peer3,
},
RemotePeersIsEmpty: false,
},
expectedLen: 2,
expectedPeers: []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
expectedSerial: 2,
}
case4 := testCase{
name: "input with one peer to remove and one new to add",
networkMap: &mgmtProto.NetworkMap{
Serial: 4,
PeerConfig: nil,
RemotePeers: []*mgmtProto.RemotePeerConfig{
peer2, peer3,
},
RemotePeersIsEmpty: false,
},
expectedLen: 2,
expectedPeers: []string{peer2.GetWgPubKey(), peer3.GetWgPubKey()},
expectedSerial: 4,
}
case5 := testCase{
name: "input with all peers to remove",
networkMap: &mgmtProto.NetworkMap{
Serial: 5,
PeerConfig: nil,
RemotePeers: []*mgmtProto.RemotePeerConfig{},
RemotePeersIsEmpty: true,
},
expectedLen: 0,
expectedPeers: nil,
expectedSerial: 5,
}
for _, c := range []testCase{case1, case2, case3, case4, case5} {
t.Run(c.name, func(t *testing.T) {
err = engine.updateNetworkMap(c.networkMap)
if err != nil {
t.Fatal(err)
return
}
if len(engine.peerConns) != c.expectedLen {
t.Errorf("expecting Engine.peerConns to be of size %d, got %d", c.expectedLen, len(engine.peerConns))
}
if engine.networkSerial != c.expectedSerial {
t.Errorf("expecting Engine.networkSerial to be equal to %d, actual %d", c.expectedSerial, engine.networkSerial)
}
for _, p := range c.expectedPeers {
if _, ok := engine.peerConns[p]; !ok {
t.Errorf("expecting Engine.peerConns to contain peer %s", p)
}
}
})
}
}
func TestEngine_Sync(t *testing.T) {
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
t.Fatal(err)
return
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
// feed updates to Engine via mocked Management client
updates := make(chan *mgmtProto.SyncResponse)
defer close(updates)
syncFunc := func(msgHandler func(msg *mgmtProto.SyncResponse) error) error {
for msg := range updates {
err := msgHandler(msg)
if err != nil {
t.Fatal(err)
}
}
return nil
}
engine := NewEngine(&signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
WgIfaceName: "utun100",
WgAddr: "100.64.0.1/24",
WgPrivateKey: key,
WgPort: 33100,
}, cancel, ctx)
defer func() {
err := engine.Stop()
if err != nil {
return
}
}()
err = engine.Start()
if err != nil {
t.Fatal(err)
return
}
peer1 := &mgmtProto.RemotePeerConfig{
WgPubKey: "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
AllowedIps: []string{"100.64.0.10/24"},
}
peer2 := &mgmtProto.RemotePeerConfig{
WgPubKey: "LLHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
AllowedIps: []string{"100.64.0.11/24"},
}
peer3 := &mgmtProto.RemotePeerConfig{
WgPubKey: "GGHf3Ma6z6mdLbriAJbqhX9+nM/B71lgw2+91q3LlhU=",
AllowedIps: []string{"100.64.0.12/24"},
}
// 1st update with just 1 peer and serial larger than the current serial of the engine => apply update
updates <- &mgmtProto.SyncResponse{
NetworkMap: &mgmtProto.NetworkMap{
Serial: 10,
PeerConfig: nil,
RemotePeers: []*mgmtProto.RemotePeerConfig{peer1, peer2, peer3},
RemotePeersIsEmpty: false,
},
}
timeout := time.After(time.Second * 2)
for {
select {
case <-timeout:
t.Fatalf("timeout while waiting for test to finish")
default:
}
if len(engine.GetPeers()) == 3 && engine.networkSerial == 10 {
break
}
}
}
func TestEngine_MultiplePeers(t *testing.T) { func TestEngine_MultiplePeers(t *testing.T) {
//log.SetLevel(log.DebugLevel) //log.SetLevel(log.DebugLevel)
@@ -48,34 +277,29 @@ func TestEngine_MultiplePeers(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
defer func() { defer func() {
os.Remove(filepath.Join(dir, "store.json")) //nolint err = os.Remove(filepath.Join(dir, "store.json")) //nolint
if err != nil {
t.Fatal(err)
return
}
}() }()
ctx, cancel := context.WithCancel(context.Background()) ctx, cancel := context.WithCancel(context.Background())
defer cancel() defer cancel()
sport := 10010
signalServer, err := startSignal(10000) sigServer, err := startSignal(sport)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
} }
defer signalServer.Stop() defer sigServer.Stop()
mport := 33081
mgmtServer, err := startManagement(33071, &server.Config{ mgmtServer, err := startManagement(mport, dir)
Stuns: []*server.Host{},
TURNConfig: &server.TURNConfig{},
Signal: &server.Host{
Proto: "http",
URI: "localhost:10000",
},
Datadir: dir,
HttpConfig: nil,
})
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
} }
defer mgmtServer.Stop() defer mgmtServer.GracefulStop()
setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB" setupKey := "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
@@ -88,7 +312,7 @@ func TestEngine_MultiplePeers(t *testing.T) {
for i := 0; i < numPeers; i++ { for i := 0; i < numPeers; i++ {
j := i j := i
go func() { go func() {
engine, err := createEngine(ctx, cancel, setupKey, j) engine, err := createEngine(ctx, cancel, setupKey, j, mport, sport)
if err != nil { if err != nil {
return return
} }
@@ -102,33 +326,55 @@ func TestEngine_MultiplePeers(t *testing.T) {
// wait until all have been created and started // wait until all have been created and started
wg.Wait() wg.Wait()
// check whether all the peer have expected peers connected // check whether all the peer have expected peers connected
expectedConnected := numPeers * (numPeers - 1) expectedConnected := numPeers * (numPeers - 1)
// adjust according to timeouts
timeout := 50 * time.Second
timeoutChan := time.After(timeout)
for { for {
select {
case <-timeoutChan:
t.Fatalf("waiting for expected connections timeout after %s", timeout.String())
return
default:
}
time.Sleep(time.Second) time.Sleep(time.Second)
totalConnected := 0 totalConnected := 0
for _, engine := range engines { for _, engine := range engines {
totalConnected = totalConnected + len(engine.GetConnectedPeers()) totalConnected = totalConnected + len(engine.GetConnectedPeers())
} }
if totalConnected == expectedConnected { if totalConnected == expectedConnected {
log.Debugf("total connected=%d", totalConnected)
break break
} }
log.Infof("total connected=%d", totalConnected) log.Infof("total connected=%d", totalConnected)
} }
// cleanup test
for _, peerEngine := range engines {
errStop := peerEngine.mgmClient.Close()
if errStop != nil {
log.Infoln("got error trying to close management clients from engine: ", errStop)
}
errStop = peerEngine.Stop()
if errStop != nil {
log.Infoln("got error trying to close testing peers engine: ", errStop)
}
}
} }
func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int) (*Engine, error) { func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mport int, sport int) (*Engine, error) {
key, err := wgtypes.GenerateKey() key, err := wgtypes.GeneratePrivateKey()
if err != nil { if err != nil {
return nil, err return nil, err
} }
mgmtClient, err := mgmt.NewClient(ctx, "localhost:33071", key, false) mgmtClient, err := mgmt.NewClient(ctx, fmt.Sprintf("localhost:%d", mport), key, false)
if err != nil { if err != nil {
return nil, err return nil, err
} }
signalClient, err := signal.NewClient(ctx, "localhost:10000", key, false) signalClient, err := signal.NewClient(ctx, fmt.Sprintf("localhost:%d", sport), key, false)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -138,7 +384,8 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
return nil, err return nil, err
} }
resp, err := mgmtClient.Register(*publicKey, setupKey) info := system.GetInfo()
resp, err := mgmtClient.Register(*publicKey, setupKey, info)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@@ -151,7 +398,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
} }
conf := &EngineConfig{ conf := &EngineConfig{
WgIface: ifaceName, WgIfaceName: ifaceName,
WgAddr: resp.PeerConfig.Address, WgAddr: resp.PeerConfig.Address,
WgPrivateKey: key, WgPrivateKey: key,
WgPort: 33100 + i, WgPort: 33100 + i,
@@ -179,7 +426,18 @@ func startSignal(port int) (*grpc.Server, error) {
return s, nil return s, nil
} }
func startManagement(port int, config *server.Config) (*grpc.Server, error) { func startManagement(port int, dataDir string) (*grpc.Server, error) {
config := &server.Config{
Stuns: []*server.Host{},
TURNConfig: &server.TURNConfig{},
Signal: &server.Host{
Proto: "http",
URI: "localhost:10000",
},
Datadir: dataDir,
HttpConfig: nil,
}
lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port)) lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
if err != nil { if err != nil {
@@ -191,7 +449,7 @@ func startManagement(port int, config *server.Config) (*grpc.Server, error) {
log.Fatalf("failed creating a store: %s: %v", config.Datadir, err) log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
} }
peersUpdateManager := server.NewPeersUpdateManager() peersUpdateManager := server.NewPeersUpdateManager()
accountManager := server.NewManager(store, peersUpdateManager) accountManager := server.NewManager(store, peersUpdateManager, nil)
turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig) turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager) mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
if err != nil { if err != nil {


@@ -350,6 +350,7 @@ func (conn *Conn) Close() error {
defer conn.mu.Unlock() defer conn.mu.Unlock()
select { select {
case conn.closeCh <- struct{}{}: case conn.closeCh <- struct{}{}:
return nil
default: default:
// probably could happen when peer has been added and removed right after not even starting to connect // probably could happen when peer has been added and removed right after not even starting to connect
// todo further investigate // todo further investigate
@@ -364,8 +365,8 @@ func (conn *Conn) Close() error {
// engine adds a new Conn for 4 and 5 // engine adds a new Conn for 4 and 5
// therefore peer 4 has 2 Conn objects // therefore peer 4 has 2 Conn objects
log.Warnf("closing not started coonection %s", conn.config.Key) log.Warnf("closing not started coonection %s", conn.config.Key)
return NewConnectionAlreadyClosed(conn.config.Key)
} }
return nil
} }
// Status returns current status of the Conn // Status returns current status of the Conn
@@ -375,29 +376,33 @@ func (conn *Conn) Status() ConnStatus {
return conn.status return conn.status
} }
// OnRemoteOffer handles an offer from the remote peer // OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
// can block until Conn restarts // doesn't block, discards the message if connection wasn't ready
func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) { func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {
log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String()) log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())
select { select {
case conn.remoteOffersCh <- remoteAuth: case conn.remoteOffersCh <- remoteAuth:
return true
default: default:
log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String()) log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
//connection might not be ready yet to receive so we ignore the message //connection might not be ready yet to receive so we ignore the message
return false
} }
} }
// OnRemoteAnswer handles an offer from the remote peer // OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
// can block until Conn restarts // doesn't block, discards the message if connection wasn't ready
func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) { func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) bool {
log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String()) log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())
select { select {
case conn.remoteAnswerCh <- remoteAuth: case conn.remoteAnswerCh <- remoteAuth:
return true
default: default:
//connection might not be ready yet to receive so we ignore the message //connection might not be ready yet to receive so we ignore the message
log.Debugf("OnRemoteAnswer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String()) log.Debugf("OnRemoteAnswer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
return false
} }
} }
@@ -419,3 +424,7 @@ func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
} }
}() }()
} }
func (conn *Conn) GetKey() string {
return conn.config.Key
}
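Review bot: `GetKey` at the end of the section is exported but carries no doc comment, while every other method touched in this file has one; add `// GetKey returns the key this Conn was configured with (conn.config.Key).` above it. Separately, `Close()` now returns `NewConnectionAlreadyClosed(conn.config.Key)` on the not-started path where it previously fell through to `return nil`, so callers that treated a nil return as success (the engine cleanup in engine_test.go logs it at Info level) need to decide whether this error is fatal; matching it with `errors.As` against `*ConnectionAlreadyClosedError` lets them skip it without masking other failures. The `coonection` typo in the warning on that path is pre-existing and could be fixed in the same pass.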


@@ -0,0 +1,144 @@
package peer
import (
"github.com/magiconair/properties/assert"
"github.com/pion/ice/v2"
"github.com/wiretrustee/wiretrustee/client/internal/proxy"
"sync"
"testing"
"time"
)
var connConf = ConnConfig{
Key: "LLHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
LocalKey: "RRHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
StunTurn: []*ice.URL{},
InterfaceBlackList: nil,
Timeout: time.Second,
ProxyConfig: proxy.Config{},
}
func TestConn_GetKey(t *testing.T) {
conn, err := NewConn(connConf)
if err != nil {
return
}
got := conn.GetKey()
assert.Equal(t, got, connConf.Key, "they should be equal")
}
func TestConn_OnRemoteOffer(t *testing.T) {
conn, err := NewConn(connConf)
if err != nil {
return
}
wg := sync.WaitGroup{}
wg.Add(2)
go func() {
<-conn.remoteOffersCh
wg.Done()
}()
go func() {
for {
accepted := conn.OnRemoteOffer(IceCredentials{
UFrag: "test",
Pwd: "test",
})
if accepted {
wg.Done()
return
}
}
}()
wg.Wait()
}
func TestConn_OnRemoteAnswer(t *testing.T) {
conn, err := NewConn(connConf)
if err != nil {
return
}
wg := sync.WaitGroup{}
wg.Add(2)
go func() {
<-conn.remoteAnswerCh
wg.Done()
}()
go func() {
for {
accepted := conn.OnRemoteAnswer(IceCredentials{
UFrag: "test",
Pwd: "test",
})
if accepted {
wg.Done()
return
}
}
}()
wg.Wait()
}
func TestConn_Status(t *testing.T) {
conn, err := NewConn(connConf)
if err != nil {
return
}
tables := []struct {
name string
status ConnStatus
want ConnStatus
}{
{"StatusConnected", StatusConnected, StatusConnected},
{"StatusDisconnected", StatusDisconnected, StatusDisconnected},
{"StatusConnecting", StatusConnecting, StatusConnecting},
}
for _, table := range tables {
t.Run(table.name, func(t *testing.T) {
conn.status = table.status
got := conn.Status()
assert.Equal(t, got, table.want, "they should be equal")
})
}
}
func TestConn_Close(t *testing.T) {
conn, err := NewConn(connConf)
if err != nil {
return
}
wg := sync.WaitGroup{}
wg.Add(1)
go func() {
<-conn.closeCh
wg.Done()
}()
go func() {
for {
err := conn.Close()
if err != nil {
continue
} else {
return
}
}
}()
wg.Wait()
}
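Review bot: Every test in this file bails out silently when `NewConn(connConf)` fails (`if err != nil { return }`), so a broken constructor makes all five tests pass vacuously; each of those guards should be `if err != nil { t.Fatal(err) }`. The assertions come from `github.com/magiconair/properties/assert` (also in status_test.go) while error_test.go in the same package uses `github.com/stretchr/testify/assert`, and go.mod now adds both as direct requirements; settling on testify keeps the dependency surface smaller and fixes the argument order, since testify's `Equal` takes expected before actual whereas the calls here pass `got` first. TestConn_OnRemoteOffer, TestConn_OnRemoteAnswer and TestConn_Close also spin in a tight loop until the channel send succeeds, so a regression in the producer goroutine hangs the suite rather than failing it; a bounded retry with a short `time.Sleep` and a deadline would fail fast instead.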


@@ -54,3 +54,19 @@ func NewConnectionDisconnectedError(peer string) error {
peer: peer, peer: peer,
} }
} }
// ConnectionAlreadyClosedError is an error indicating that a peer Conn has been already closed and the invocation of the Close() method has been performed over a closed connection
type ConnectionAlreadyClosedError struct {
peer string
}
func (e *ConnectionAlreadyClosedError) Error() string {
return fmt.Sprintf("connection to peer %s has been already closed", e.peer)
}
// NewConnectionAlreadyClosed creates a new ConnectionAlreadyClosedError error
func NewConnectionAlreadyClosed(peer string) error {
return &ConnectionAlreadyClosedError{
peer: peer,
}
}


@@ -0,0 +1,27 @@
package peer
import (
"github.com/stretchr/testify/assert"
"testing"
"time"
)
func TestNewConnectionClosedError(t *testing.T) {
err := NewConnectionClosedError("X")
assert.Equal(t, &ConnectionClosedError{peer: "X"}, err)
}
func TestNewConnectionDisconnectedError(t *testing.T) {
err := NewConnectionDisconnectedError("X")
assert.Equal(t, &ConnectionDisconnectedError{peer: "X"}, err)
}
func TestNewConnectionTimeoutErrorC(t *testing.T) {
err := NewConnectionTimeoutError("X", time.Second)
assert.Equal(t, &ConnectionTimeoutError{peer: "X", timeout: time.Second}, err)
}
func TestNewConnectionAlreadyClosed(t *testing.T) {
err := NewConnectionAlreadyClosed("X")
assert.Equal(t, &ConnectionAlreadyClosedError{peer: "X"}, err)
}
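Review bot: `TestNewConnectionTimeoutErrorC` has a stray trailing `C` in its name; the other three tests follow `TestNew<Type>` exactly, so rename it to `TestNewConnectionTimeoutError` to keep `go test -run` patterns predictable. The assertions compare against struct literals with unexported fields, which works inside the package but ties the tests to the field layout; that is acceptable here but worth noting if the error types grow fields.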


@@ -0,0 +1,27 @@
package peer
import (
"github.com/magiconair/properties/assert"
"testing"
)
func TestConnStatus_String(t *testing.T) {
tables := []struct {
name string
status ConnStatus
want string
}{
{"StatusConnected", StatusConnected, "StatusConnected"},
{"StatusDisconnected", StatusDisconnected, "StatusDisconnected"},
{"StatusConnecting", StatusConnecting, "StatusConnecting"},
}
for _, table := range tables {
t.Run(table.name, func(t *testing.T) {
got := table.status.String()
assert.Equal(t, got, table.want, "they should be equal")
})
}
}


@@ -1,6 +1,7 @@
package proxy package proxy
import ( import (
"github.com/wiretrustee/wiretrustee/iface"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"io" "io"
"net" "net"
@@ -12,7 +13,7 @@ const DefaultWgKeepAlive = 25 * time.Second
type Config struct { type Config struct {
WgListenAddr string WgListenAddr string
RemoteKey string RemoteKey string
WgInterface string WgInterface iface.WGIface
AllowedIps string AllowedIps string
PreSharedKey *wgtypes.Key PreSharedKey *wgtypes.Key
} }


@@ -3,7 +3,6 @@ package proxy
import ( import (
"context" "context"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/iface"
"net" "net"
) )
@@ -25,9 +24,13 @@ func NewWireguardProxy(config Config) *WireguardProxy {
} }
func (p *WireguardProxy) updateEndpoint() error { func (p *WireguardProxy) updateEndpoint() error {
udpAddr, err := net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())
if err != nil {
return err
}
// add local proxy connection as a Wireguard peer // add local proxy connection as a Wireguard peer
err := iface.UpdatePeer(p.config.WgInterface, p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive, err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
p.localConn.LocalAddr().String(), p.config.PreSharedKey) udpAddr, p.config.PreSharedKey)
if err != nil { if err != nil {
return err return err
} }
@@ -65,7 +68,7 @@ func (p *WireguardProxy) Close() error {
return err return err
} }
} }
err := iface.RemovePeer(p.config.WgInterface, p.config.RemoteKey) err := p.config.WgInterface.RemovePeer(p.config.RemoteKey)
if err != nil { if err != nil {
return err return err
} }
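Review bot: In `updateEndpoint`, `net.ResolveUDPAddr(p.localConn.LocalAddr().Network(), p.localConn.LocalAddr().String())` re-parses an address the connection already holds as a typed value; if `localConn` is a `*net.UDPConn` (its type is not visible in this hunk), `udpAddr, ok := p.localConn.LocalAddr().(*net.UDPAddr)` avoids the string round-trip and the resolver call, and a failed assertion can be returned as an error the same way the resolve error is now. The resolve error is correctly checked before `UpdatePeer` runs, so this is a style point rather than a defect. The body of `updateEndpoint` continues outside the hunk.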


@@ -1,15 +1,12 @@
package main package main
import ( import (
"github.com/wiretrustee/wiretrustee/client/cmd"
"os" "os"
"github.com/wiretrustee/wiretrustee/client/cmd"
) )
var version = "development"
func main() { func main() {
cmd.Version = version
if err := cmd.Execute(); err != nil { if err := cmd.Execute(); err != nil {
os.Exit(1) os.Exit(1)
} }


@@ -5,5 +5,5 @@
#define STRINGIZE(x) #x #define STRINGIZE(x) #x
#define EXPAND(x) STRINGIZE(x) #define EXPAND(x) STRINGIZE(x)
CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml CREATEPROCESS_MANIFEST_RESOURCE_ID RT_MANIFEST manifest.xml
wintun.dll RCDATA wintun.dll 7 ICON ui/wiretrustee.ico
wireguard.dll RCDATA wireguard.dll

Binary file not shown.


@@ -1,14 +1,23 @@
package system package system
// this is the wiretrustee version
// will be replaced with the release version when using goreleaser
var version = "development"
//Info is an object that contains machine information //Info is an object that contains machine information
// Most of the code is taken from https://github.com/matishsiao/goInfo // Most of the code is taken from https://github.com/matishsiao/goInfo
type Info struct { type Info struct {
GoOS string GoOS string
Kernel string Kernel string
Core string Core string
Platform string Platform string
OS string OS string
OSVersion string OSVersion string
Hostname string Hostname string
CPUs int CPUs int
WiretrusteeVersion string
}
func WiretrusteeVersion() string {
return version
} }
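Review bot: `WiretrusteeVersion` is exported without a doc comment, and the new `WiretrusteeVersion` field on `Info` has none either; add `// WiretrusteeVersion returns the client build version: "development" unless the release build overrides the version var at link time.` above the function and a short `// WiretrusteeVersion is the client build version, see WiretrusteeVersion().` on the field. The comment on `var version` says goreleaser replaces it, so the mechanism is presumably an `-ldflags -X` on this package path; documenting that symbol name next to the variable would let the release config be checked against it.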


@@ -21,6 +21,7 @@ func GetInfo() *Info {
osInfo := strings.Split(osStr, " ") osInfo := strings.Split(osStr, " ")
gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()} gio := &Info{Kernel: osInfo[0], OSVersion: osInfo[1], Core: osInfo[1], Platform: osInfo[2], OS: osInfo[0], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
gio.Hostname, _ = os.Hostname() gio.Hostname, _ = os.Hostname()
gio.WiretrusteeVersion = WiretrusteeVersion()
return gio return gio
} }


@@ -21,6 +21,7 @@ func GetInfo() *Info {
osInfo := strings.Split(osStr, " ") osInfo := strings.Split(osStr, " ")
gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()} gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: runtime.GOARCH, OS: osInfo[2], GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
gio.Hostname, _ = os.Hostname() gio.Hostname, _ = os.Hostname()
gio.WiretrusteeVersion = WiretrusteeVersion()
return gio return gio
} }


@@ -44,6 +44,8 @@ func GetInfo() *Info {
} }
gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()} gio := &Info{Kernel: osInfo[0], Core: osInfo[1], Platform: osInfo[2], OS: osName, OSVersion: osVer, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
gio.Hostname, _ = os.Hostname() gio.Hostname, _ = os.Hostname()
gio.WiretrusteeVersion = WiretrusteeVersion()
return gio return gio
} }


@@ -0,0 +1,13 @@
package system
import (
"testing"
"github.com/stretchr/testify/assert"
)
func Test_LocalVersion(t *testing.T) {
got := GetInfo()
want := "development"
assert.Equal(t, want, got.WiretrusteeVersion)
}
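Review bot: `Test_LocalVersion` pins the literal `"development"`, so it fails whenever the test binary is built with the version injected (the comment on `var version` in info.go says release builds replace it). Comparing against the accessor keeps the test meaningful in both builds: `assert.Equal(t, WiretrusteeVersion(), got.WiretrusteeVersion)`. The name `Test_LocalVersion` also departs from the `TestXxx` MixedCaps form used by the other new tests in this change.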


@@ -31,5 +31,7 @@ func GetInfo() *Info {
} }
gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()} gio := &Info{Kernel: "windows", OSVersion: ver, Core: ver, Platform: "unknown", OS: "windows", GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
gio.Hostname, _ = os.Hostname() gio.Hostname, _ = os.Hostname()
gio.WiretrusteeVersion = WiretrusteeVersion()
return gio return gio
} }

27
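--- a/client/wireguard_nt.sh
+++ b/client/wireguard_nt.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+ldir=$PWD
+tmp_dir_path=$ldir/.distfiles
+winnt=wireguard-nt.zip
+download_file_path=$tmp_dir_path/$winnt
+download_url=https://download.wireguard.com/wireguard-nt/wireguard-nt-0.10.1.zip
+download_sha=772c0b1463d8d2212716f43f06f4594d880dea4f735165bd68e388fc41b81605
+function resources_windows(){
+cmd=$1
+arch=$2
+out=$3
+docker run -i --rm -v $PWD:$PWD -w $PWD mstorsjo/llvm-mingw:latest $cmd -O coff -c 65001 -I $tmp_dir_path/wireguard-nt/bin/$arch -i resources.rc -o $out
+}
+mkdir -p $tmp_dir_path
+curl -L#o $download_file_path.unverified $download_url
+echo "$download_sha $download_file_path.unverified" | sha256sum -c
+mv $download_file_path.unverified $download_file_path
+mkdir -p .deps
+unzip $download_file_path -d $tmp_dir_path
+resources_windows i686-w64-mingw32-windres x86 resources_windows_386.syso
+resources_windows aarch64-w64-mingw32-windres arm64 resources_windows_arm64.syso
+resources_windows x86_64-w64-mingw32-windres amd64 resources_windows_amd64.syso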
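Review bot: The checksum step `echo "$download_sha $download_file_path.unverified" | sha256sum -c` does not stop the script when it fails: there is no `set -e`, so the following `mv` and `unzip` run on the unverified archive regardless and the pinned hash protects nothing. Add `set -euo pipefail` directly after the shebang (or append `|| exit 1` to the sha256sum line) so a mismatch aborts before the file is renamed and extracted. The `docker run` pulls `mstorsjo/llvm-mingw:latest`, so the resource-compiler toolchain is not pinned the way the download is; a fixed tag or image digest would make the build reproducible end to end. Quoting the path variables (`"$PWD"`, `"$tmp_dir_path"`, `"$download_file_path"`) keeps the script working when the checkout path contains spaces.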

19
go.mod

@@ -19,18 +19,23 @@ require (
github.com/vishvananda/netlink v1.1.0 github.com/vishvananda/netlink v1.1.0
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19 golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de
golang.zx2c4.com/wireguard/windows v0.4.5 golang.zx2c4.com/wireguard/windows v0.5.1
google.golang.org/grpc v1.43.0 google.golang.org/grpc v1.43.0
google.golang.org/protobuf v1.27.1 google.golang.org/protobuf v1.27.1
gopkg.in/natefinch/lumberjack.v2 v2.0.0 gopkg.in/natefinch/lumberjack.v2 v2.0.0
) )
require github.com/rs/xid v1.3.0 require (
github.com/magiconair/properties v1.8.5
github.com/rs/xid v1.3.0
github.com/stretchr/testify v1.7.0
)
require ( require (
github.com/BurntSushi/toml v0.4.1 // indirect github.com/BurntSushi/toml v0.4.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/fsnotify/fsnotify v1.5.1 // indirect github.com/fsnotify/fsnotify v1.5.1 // indirect
github.com/google/go-cmp v0.5.6 // indirect github.com/google/go-cmp v0.5.6 // indirect
github.com/inconshreveable/mousetrap v1.0.0 // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect
@@ -47,14 +52,18 @@ require (
github.com/pion/transport v0.12.3 // indirect github.com/pion/transport v0.12.3 // indirect
github.com/pion/turn/v2 v2.0.5 // indirect github.com/pion/turn/v2 v2.0.5 // indirect
github.com/pion/udp v0.1.1 // indirect github.com/pion/udp v0.1.1 // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
golang.org/x/mod v0.5.1 // indirect golang.org/x/mod v0.5.1 // indirect
golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b // indirect golang.org/x/net v0.0.0-20211215060638-4ddde0e984e9 // indirect
golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 // indirect
golang.org/x/tools v0.1.8 // indirect golang.org/x/tools v0.1.8 // indirect
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d // indirect
golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 // indirect
google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
honnef.co/go/tools v0.2.2 // indirect honnef.co/go/tools v0.2.2 // indirect
) )

39
go.sum

@@ -287,6 +287,7 @@ github.com/leodido/go-urn v1.1.0/go.mod h1:+cyI34gQWZcE1eQU7NVgKkkzdXDQHr1dBMtdA
github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ= github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk= github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w=
github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls=
github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -465,11 +466,11 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY= golang.org/x/crypto v0.0.0-20190923035154-9ee001bba392/go.mod h1:/lpIB1dKB+9EgE3H3cr1v9wB50oz8l4C4h62xy7jSTY=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20211117183948-ae814b36b871/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M=
golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -559,18 +560,18 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8=
golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk=
golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210503060351-7fd8e65b6420/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210504132125-bbd867fde50d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210726213435-c6fcb2dbf985/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211015210444-4f30a5c0130f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211020060615-d418f374d309/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211111083644-e5c967477495/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211201190559-0a0e4e1bb54c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b h1:MWaHNqZy3KTpuTMAGvv+Kw+ylsEpmyJZizz1dqxnu28=
golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20211215060638-4ddde0e984e9 h1:kmreh1vGI63l2FxOAYS3Yv6ATsi7lSTuwNSVbGfJV9I=
golang.org/x/net v0.0.0-20211215060638-4ddde0e984e9/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -663,13 +664,11 @@ golang.org/x/sys v0.0.0-20210216163648-f7da38b97c65/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210303074136-134d130e1a04/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210309040221-94ec62e08169/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210525143221-35b2ab0089ea/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -687,11 +686,13 @@ golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211019181941-9d821ace8654/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211103235746-7861aae1554b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211124211545-fe61309f8881/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e h1:fLOSk5Q00efkSvAm+4xcoXD+RRmLmmulPn5I3Y9F2EM=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -701,8 +702,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7-0.20210524175448-3115f89c4b99/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y= golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2 h1:GLw7MR8AfAG2GmGcmVgObFOHXYypgGjnGno25RDwn3Y=
golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0= golang.org/x/text v0.3.8-0.20211105212822-18b340fc7af2/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -771,13 +772,17 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.zx2c4.com/wireguard v0.0.0-20210427022245-097af6e1351b/go.mod h1:a057zjmoc00UN7gVkaJt2sXVK523kMJcogDTEvPIasg= golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d h1:9+v0G0naRhLPOJEeJOL6NuXTtAHHwmkyZlgQJ0XcQ8I=
golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19 h1:ab2jcw2W91Rz07eHAb8Lic7sFQKO0NhBftjv6m/gL/0= golang.zx2c4.com/go118/netip v0.0.0-20211111135330-a4a02eeacf9d/go.mod h1:5yyfuiqVIJ7t+3MqrpTQ+QqRkMWiESiyDvPNvKYCecg=
golang.zx2c4.com/wireguard v0.0.0-20210805125648-3957e9b9dd19/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8= golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224 h1:Ug9qvr1myri/zFN6xL17LSCBGFDnphBBhzmILHsM5TY=
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c h1:ADNrRDI5NR23/TUCnEmlLZLt4u9DnZ2nwRkPrAcFvto= golang.zx2c4.com/wintun v0.0.0-20211104114900-415007cec224/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210803171230-4253848d036c/go.mod h1:+1XihzyZUBJcSc5WO9SwNA7v26puQwOEDwanaxfNXPQ= golang.zx2c4.com/wireguard v0.0.0-20211129173154-2dd424e2d808/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
golang.zx2c4.com/wireguard/windows v0.4.5 h1:btpw+5IM8UrSl5SILCODt1bXTM2qYpcaYArM6wDlwHA= golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434 h1:3zl8RkJNQ8wfPRomwv/6DBbH2Ut6dgMaWTxM0ZunWnE=
golang.zx2c4.com/wireguard/windows v0.4.5/go.mod h1:LdS2bRTWu//RpztraGz5ZkPZul60cCbmgtLTPSKrS50= golang.zx2c4.com/wireguard v0.0.0-20211209221555-9c9e7e272434/go.mod h1:TjUWrnD5ATh7bFvmm/ALEJZQ4ivKbETb6pmyj1vUoNI=
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de h1:qDZ+lyO5jC9RNJ7ANJA0GWXk3pSn0Fu5SlcAIlgw+6w=
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20211215182854-7a385b3431de/go.mod h1:Q2XNgour4QSkFj0BWCkVlW0HWJwQgNMsMahpSlI0Eno=
golang.zx2c4.com/wireguard/windows v0.5.1 h1:OnYw96PF+CsIMrqWo5QP3Q59q5hY1rFErk/yN3cS+JQ=
golang.zx2c4.com/wireguard/windows v0.5.1/go.mod h1:EApyTk/ZNrkbZjurHL1nleDYnsPpJYBO7LZEBCyDAHk=
google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=

133
iface/configuration.go Normal file

@@ -0,0 +1,133 @@
package iface
import (
"fmt"
log "github.com/sirupsen/logrus"
"golang.zx2c4.com/wireguard/wgctrl"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"net"
"time"
)
// configureDevice configures the wireguard device
func (w *WGIface) configureDevice(config wgtypes.Config) error {
wg, err := wgctrl.New()
if err != nil {
return err
}
defer wg.Close()
// validate if device with name exists
_, err = wg.Device(w.Name)
if err != nil {
return err
}
log.Debugf("got Wireguard device %s", w.Name)
return wg.ConfigureDevice(w.Name, config)
}
// Configure configures a Wireguard interface
// The interface must exist before calling this method (e.g. call interface.Create() before)
func (w *WGIface) Configure(privateKey string, port int) error {
log.Debugf("configuring Wireguard interface %s", w.Name)
log.Debugf("adding Wireguard private key")
key, err := wgtypes.ParseKey(privateKey)
if err != nil {
return err
}
fwmark := 0
config := wgtypes.Config{
PrivateKey: &key,
ReplacePeers: true,
FirewallMark: &fwmark,
ListenPort: &port,
}
err = w.configureDevice(config)
if err != nil {
return fmt.Errorf("received error \"%v\" while configuring interface %s with port %d", err, w.Name, port)
}
return nil
}
// GetListenPort returns the listening port of the Wireguard endpoint
func (w *WGIface) GetListenPort() (*int, error) {
log.Debugf("getting Wireguard listen port of interface %s", w.Name)
//discover Wireguard current configuration
wg, err := wgctrl.New()
if err != nil {
return nil, err
}
defer wg.Close()
d, err := wg.Device(w.Name)
if err != nil {
return nil, err
}
log.Debugf("got Wireguard device listen port %s, %d", w.Name, d.ListenPort)
return &d.ListenPort, nil
}
// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
// Endpoint is optional
func (w *WGIface) UpdatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
log.Debugf("updating interface %s peer %s: endpoint %s ", w.Name, peerKey, endpoint)
//parse allowed ips
_, ipNet, err := net.ParseCIDR(allowedIps)
if err != nil {
return err
}
peerKeyParsed, err := wgtypes.ParseKey(peerKey)
if err != nil {
return err
}
peer := wgtypes.PeerConfig{
PublicKey: peerKeyParsed,
ReplaceAllowedIPs: true,
AllowedIPs: []net.IPNet{*ipNet},
PersistentKeepaliveInterval: &keepAlive,
PresharedKey: preSharedKey,
Endpoint: endpoint,
}
config := wgtypes.Config{
Peers: []wgtypes.PeerConfig{peer},
}
err = w.configureDevice(config)
if err != nil {
return fmt.Errorf("received error \"%v\" while updating peer on interface %s with settings: allowed ips %s, endpoint %s", err, w.Name, allowedIps, endpoint.String())
}
return nil
}
// RemovePeer removes a Wireguard Peer from the interface iface
func (w *WGIface) RemovePeer(peerKey string) error {
log.Debugf("Removing peer %s from interface %s ", peerKey, w.Name)
peerKeyParsed, err := wgtypes.ParseKey(peerKey)
if err != nil {
return err
}
peer := wgtypes.PeerConfig{
PublicKey: peerKeyParsed,
Remove: true,
}
config := wgtypes.Config{
Peers: []wgtypes.PeerConfig{peer},
}
err = w.configureDevice(config)
if err != nil {
return fmt.Errorf("received error \"%v\" while removing peer %s from interface %s", err, peerKey, w.Name)
}
return nil
}
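Review bot: Configure sets `ReplacePeers: true`, so every call wipes all peers currently configured on the device, whereas the Configure this commit removes from iface.go used `ReplacePeers: false`; nothing in the doc comment says so. That is harmless if Configure runs exactly once right after Create, but a re-configure on reconnect or key rotation would silently drop every established peer until the next UpdatePeer round. Suggest stating it on the method: `// Configure ... Any peers already present on the device are removed (ReplacePeers is set); call UpdatePeer afterwards to re-add them.` Separately, the wrapped errors in Configure, UpdatePeer and RemovePeer format the cause with `%v` inside quotes, which hides it from errors.Is/As; `%w` keeps the chain, e.g. `return fmt.Errorf("configuring interface %s with port %d: %w", w.Name, port, err)`.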


@@ -1,78 +1,51 @@
package iface package iface
import ( import (
log "github.com/sirupsen/logrus"
"golang.zx2c4.com/wireguard/conn"
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/tun"
"golang.zx2c4.com/wireguard/wgctrl" "golang.zx2c4.com/wireguard/wgctrl"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"net" "net"
"time" "os"
"runtime"
) )
const ( const (
defaultMTU = 1280 DefaultMTU = 1280
) )
var ( // WGIface represents a interface instance
tunIface tun.Device type WGIface struct {
) Name string
Port int
// CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation MTU int
func CreateWithUserspace(iface string, address string) error { Address WGAddress
var err error Interface NetInterface
tunIface, err = tun.CreateTUN(iface, defaultMTU)
if err != nil {
return err
}
// We need to create a wireguard-go device and listen to configuration requests
tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
err = tunDevice.Up()
if err != nil {
return err
}
uapi, err := getUAPI(iface)
if err != nil {
return err
}
go func() {
for {
uapiConn, err := uapi.Accept()
if err != nil {
log.Debugln("uapi Accept failed with error: ", err)
continue
}
go tunDevice.IpcHandle(uapiConn)
}
}()
log.Debugln("UAPI listener started")
err = assignAddr(address, iface)
if err != nil {
return err
}
return nil
} }
// configure peer for the wireguard device // WGAddress Wireguard parsed address
func configureDevice(iface string, config wgtypes.Config) error { type WGAddress struct {
wg, err := wgctrl.New() IP net.IP
if err != nil { Network *net.IPNet
return err }
}
defer wg.Close()
_, err = wg.Device(iface) // NetInterface represents a generic network tunnel interface
if err != nil { type NetInterface interface {
return err Close() error
} }
log.Debugf("got Wireguard device %s", iface)
return wg.ConfigureDevice(iface, config) // NewWGIface Creates a new Wireguard interface instance
func NewWGIface(iface string, address string, mtu int) (WGIface, error) {
wgIface := WGIface{
Name: iface,
MTU: mtu,
}
wgAddress, err := parseAddress(address)
if err != nil {
return wgIface, err
}
wgIface.Address = wgAddress
return wgIface, nil
} }
// Exists checks whether specified Wireguard device exists or not // Exists checks whether specified Wireguard device exists or not
@@ -99,140 +72,35 @@ func Exists(iface string) (*bool, error) {
return &exists, nil return &exists, nil
} }
// Configure configures a Wireguard interface // parseAddress parse a string ("1.2.3.4/24") address to WG Address
// The interface must exist before calling this method (e.g. call interface.Create() before) func parseAddress(address string) (WGAddress, error) {
func Configure(iface string, privateKey string, port int) error { ip, network, err := net.ParseCIDR(address)
log.Debugf("configuring Wireguard interface %s", iface)
log.Debugf("adding Wireguard private key")
key, err := wgtypes.ParseKey(privateKey)
if err != nil { if err != nil {
return err return WGAddress{}, err
} }
fwmark := 0 return WGAddress{
config := wgtypes.Config{ IP: ip,
PrivateKey: &key, Network: network,
ReplacePeers: false, }, nil
FirewallMark: &fwmark,
ListenPort: &port,
}
return configureDevice(iface, config)
} }
// GetListenPort returns the listening port of the Wireguard endpoint // Closes the tunnel interface
func GetListenPort(iface string) (*int, error) { func (w *WGIface) Close() error {
log.Debugf("getting Wireguard listen port of interface %s", iface)
//discover Wireguard current configuration err := w.Interface.Close()
wg, err := wgctrl.New()
if err != nil {
return nil, err
}
defer wg.Close()
d, err := wg.Device(iface)
if err != nil {
return nil, err
}
log.Debugf("got Wireguard device listen port %s, %d", iface, d.ListenPort)
return &d.ListenPort, nil
}
// UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
// Endpoint is optional
func UpdatePeer(iface string, peerKey string, allowedIps string, keepAlive time.Duration, endpoint string, preSharedKey *wgtypes.Key) error {
log.Debugf("updating interface %s peer %s: endpoint %s ", iface, peerKey, endpoint)
//parse allowed ips
_, ipNet, err := net.ParseCIDR(allowedIps)
if err != nil { if err != nil {
return err return err
} }
peerKeyParsed, err := wgtypes.ParseKey(peerKey) if runtime.GOOS == "darwin" {
if err != nil { sockPath := "/var/run/wireguard/" + w.Name + ".sock"
return err if _, statErr := os.Stat(sockPath); statErr == nil {
} statErr = os.Remove(sockPath)
peer := wgtypes.PeerConfig{ if statErr != nil {
PublicKey: peerKeyParsed, return statErr
ReplaceAllowedIPs: true, }
AllowedIPs: []net.IPNet{*ipNet}, }
PersistentKeepaliveInterval: &keepAlive,
PresharedKey: preSharedKey,
}
config := wgtypes.Config{
Peers: []wgtypes.PeerConfig{peer},
}
err = configureDevice(iface, config)
if err != nil {
return err
}
if endpoint != "" {
return UpdatePeerEndpoint(iface, peerKey, endpoint)
} }
return nil return nil
} }
// UpdatePeerEndpoint updates a Wireguard interface Peer with the new endpoint
// Used when NAT hole punching was successful and an update of the remote peer endpoint is required
func UpdatePeerEndpoint(iface string, peerKey string, newEndpoint string) error {
log.Debugf("updating peer %s endpoint %s ", peerKey, newEndpoint)
peerAddr, err := net.ResolveUDPAddr("udp4", newEndpoint)
if err != nil {
return err
}
log.Debugf("parsed peer endpoint [%s]", peerAddr.String())
peerKeyParsed, err := wgtypes.ParseKey(peerKey)
if err != nil {
return err
}
peer := wgtypes.PeerConfig{
PublicKey: peerKeyParsed,
ReplaceAllowedIPs: false,
UpdateOnly: true,
Endpoint: peerAddr,
}
config := wgtypes.Config{
Peers: []wgtypes.PeerConfig{peer},
}
return configureDevice(iface, config)
}
// RemovePeer removes a Wireguard Peer from the interface iface
func RemovePeer(iface string, peerKey string) error {
log.Debugf("Removing peer %s from interface %s ", peerKey, iface)
peerKeyParsed, err := wgtypes.ParseKey(peerKey)
if err != nil {
return err
}
peer := wgtypes.PeerConfig{
PublicKey: peerKeyParsed,
Remove: true,
}
config := wgtypes.Config{
Peers: []wgtypes.PeerConfig{peer},
}
return configureDevice(iface, config)
}
// CloseWithUserspace closes the User Space tunnel interface
func CloseWithUserspace() error {
return tunIface.Close()
}
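Review bot: Close calls `w.Interface.Close()` with no nil check, and Interface is only assigned inside the Create paths (`w.Interface = link` in the Linux hunk), so closing a WGIface whose Create was never called or failed part-way is a nil-pointer panic rather than an error — awkward for the deferred cleanup the tests use. A guard such as `if w.Interface == nil { return nil }` before the call (or an error, if fmt/errors is imported) makes Close safe to call unconditionally. The darwin branch also concatenates `w.Name` into `/var/run/wireguard/<name>.sock` unvalidated; if the name can come from user-editable config, it is worth rejecting names containing a path separator before that Remove. The Exists hunk above starts outside what is shown here.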


@@ -2,62 +2,31 @@ package iface
import ( import (
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"net"
"os"
"os/exec" "os/exec"
"strings"
) )
// Create Creates a new Wireguard interface, sets a given IP and brings it up. // Create Creates a new Wireguard interface, sets a given IP and brings it up.
func Create(iface string, address string) error { func (w *WGIface) Create() error {
return CreateWithUserspace(iface, address) return w.CreateWithUserspace()
} }
// assignAddr Adds IP address to the tunnel interface and network route based on the range provided // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
func assignAddr(address string, ifaceName string) error { func (w *WGIface) assignAddr() error {
ip := strings.Split(address, "/") //mask,_ := w.Address.Network.Mask.Size()
cmd := exec.Command("ifconfig", ifaceName, "inet", address, ip[0]) //
//address := fmt.Sprintf("%s/%d",w.Address.IP.String() , mask)
cmd := exec.Command("ifconfig", w.Name, "inet", w.Address.IP.String(), w.Address.IP.String())
if out, err := cmd.CombinedOutput(); err != nil { if out, err := cmd.CombinedOutput(); err != nil {
log.Infof("Command: %v failed with output %s and error: ", cmd.String(), out) log.Infof("adding addreess command \"%v\" failed with output %s and error: ", cmd.String(), out)
return err return err
} }
_, resolvedNet, err := net.ParseCIDR(address)
err = addRoute(ifaceName, resolvedNet) routeCmd := exec.Command("route", "add", "-net", w.Address.Network.String(), "-interface", w.Name)
if err != nil { if out, err := routeCmd.CombinedOutput(); err != nil {
log.Infoln("Adding route failed with error:", err) log.Printf("adding route command \"%v\" failed with output %s and error: ", routeCmd.String(), out)
} return err
return nil
}
// addRoute Adds network route based on the range provided
func addRoute(iface string, ipNet *net.IPNet) error {
cmd := exec.Command("route", "add", "-net", ipNet.String(), "-interface", iface)
if out, err := cmd.CombinedOutput(); err != nil {
log.Printf("Command: %v failed with output %s and error: ", cmd.String(), out)
return err
}
return nil
}
// Closes the tunnel interface
func Close(iFace string) error {
name, err := tunIface.Name()
if err != nil {
return err
}
sockPath := "/var/run/wireguard/" + name + ".sock"
err = CloseWithUserspace()
if err != nil {
return err
}
if _, err := os.Stat(sockPath); err == nil {
err = os.Remove(sockPath)
if err != nil {
return err
}
} }
return nil return nil
} }
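Review bot: Both failure logs in assignAddr end their format string with "and error: " but never pass `err`, so the actual reason ifconfig or route failed is dropped (and "addreess" is misspelled); the error only surfaces as the bare return value. Suggest `log.Infof("adding address command %q failed with output %s and error: %v", cmd.String(), out, err)` and `log.Printf("adding route command %q failed with output %s and error: %v", routeCmd.String(), out, err)`. The commented-out mask/address lines above the ifconfig call should go rather than ship. Since this runs with the privileges needed to reconfigure interfaces, resolving `ifconfig` and `route` through PATH is worth a second look; if the daemon's PATH is not controlled, absolute paths such as `/sbin/ifconfig` remove that dependency, though I cannot tell from here how the process is launched.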


@@ -1,35 +1,58 @@
package iface package iface
import ( import (
"errors"
"fmt"
"math"
"os"
"syscall"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/vishvananda/netlink" "github.com/vishvananda/netlink"
"os"
) )
type NativeLink struct {
Link *netlink.Link
}
func WireguardModExists() bool {
link := newWGLink("mustnotexist")
// We willingly try to create a device with an invalid
// MTU here as the validation of the MTU will be performed after
// the validation of the link kind and hence allows us to check
// for the existance of the wireguard module without actually
// creating a link.
//
// As a side-effect, this will also let the kernel lazy-load
// the wireguard module.
link.attrs.MTU = math.MaxInt
err := netlink.LinkAdd(link)
return errors.Is(err, syscall.EINVAL)
}
// Create Creates a new Wireguard interface, sets a given IP and brings it up. // Create Creates a new Wireguard interface, sets a given IP and brings it up.
// Will reuse an existing one. // Will reuse an existing one.
func Create(iface string, address string) error { func (w *WGIface) Create() error {
if WireguardModExists() { if WireguardModExists() {
log.Debug("using kernel Wireguard module") log.Debug("using kernel Wireguard module")
return CreateWithKernel(iface, address) return w.CreateWithKernel()
} else { } else {
return CreateWithUserspace(iface, address) return w.CreateWithUserspace()
} }
} }
// CreateWithKernel Creates a new Wireguard interface using kernel Wireguard module. // CreateWithKernel Creates a new Wireguard interface using kernel Wireguard module.
// Works for Linux and offers much better network performance // Works for Linux and offers much better network performance
func CreateWithKernel(iface string, address string) error { func (w *WGIface) CreateWithKernel() error {
attrs := netlink.NewLinkAttrs()
attrs.Name = iface
link := wgLink{ link := newWGLink(w.Name)
attrs: &attrs,
}
// check if interface exists // check if interface exists
l, err := netlink.LinkByName(iface) l, err := netlink.LinkByName(w.Name)
if err != nil { if err != nil {
switch err.(type) { switch err.(type) {
case netlink.LinkNotFoundError: case netlink.LinkNotFoundError:
@@ -41,37 +64,39 @@ func CreateWithKernel(iface string, address string) error {
// remove if interface exists // remove if interface exists
if l != nil { if l != nil {
err = netlink.LinkDel(&link) err = netlink.LinkDel(link)
if err != nil { if err != nil {
return err return err
} }
} }
log.Debugf("adding device: %s", iface) log.Debugf("adding device: %s", w.Name)
err = netlink.LinkAdd(&link) err = netlink.LinkAdd(link)
if os.IsExist(err) { if os.IsExist(err) {
log.Infof("interface %s already exists. Will reuse.", iface) log.Infof("interface %s already exists. Will reuse.", w.Name)
} else if err != nil { } else if err != nil {
return err return err
} }
err = assignAddr(address, iface) w.Interface = link
err = w.assignAddr()
if err != nil { if err != nil {
return err return err
} }
// todo do a discovery // todo do a discovery
log.Debugf("setting MTU: %d interface: %s", defaultMTU, iface) log.Debugf("setting MTU: %d interface: %s", w.MTU, w.Name)
err = netlink.LinkSetMTU(&link, defaultMTU) err = netlink.LinkSetMTU(link, w.MTU)
if err != nil { if err != nil {
log.Errorf("error setting MTU on interface: %s", iface) log.Errorf("error setting MTU on interface: %s", w.Name)
return err return err
} }
log.Debugf("bringing up interface: %s", iface) log.Debugf("bringing up interface: %s", w.Name)
err = netlink.LinkSetUp(&link) err = netlink.LinkSetUp(link)
if err != nil { if err != nil {
log.Errorf("error bringing up interface: %s", iface) log.Errorf("error bringing up interface: %s", w.Name)
return err return err
} }
@@ -79,39 +104,37 @@ func CreateWithKernel(iface string, address string) error {
} }
// assignAddr Adds IP address to the tunnel interface // assignAddr Adds IP address to the tunnel interface
func assignAddr(address, name string) error { func (w *WGIface) assignAddr() error {
var err error
attrs := netlink.NewLinkAttrs()
attrs.Name = name
link := wgLink{ mask, _ := w.Address.Network.Mask.Size()
attrs: &attrs, address := fmt.Sprintf("%s/%d", w.Address.IP.String(), mask)
}
link := newWGLink(w.Name)
//delete existing addresses //delete existing addresses
list, err := netlink.AddrList(&link, 0) list, err := netlink.AddrList(link, 0)
if err != nil { if err != nil {
return err return err
} }
if len(list) > 0 { if len(list) > 0 {
for _, a := range list { for _, a := range list {
err = netlink.AddrDel(&link, &a) err = netlink.AddrDel(link, &a)
if err != nil { if err != nil {
return err return err
} }
} }
} }
log.Debugf("adding address %s to interface: %s", address, attrs.Name) log.Debugf("adding address %s to interface: %s", address, w.Name)
addr, _ := netlink.ParseAddr(address) addr, _ := netlink.ParseAddr(address)
err = netlink.AddrAdd(&link, addr) err = netlink.AddrAdd(link, addr)
if os.IsExist(err) { if os.IsExist(err) {
log.Infof("interface %s already has the address: %s", attrs.Name, address) log.Infof("interface %s already has the address: %s", w.Name, address)
} else if err != nil { } else if err != nil {
return err return err
} }
// On linux, the link must be brought up // On linux, the link must be brought up
err = netlink.LinkSetUp(&link) err = netlink.LinkSetUp(link)
return err return err
} }
@@ -119,28 +142,26 @@ type wgLink struct {
attrs *netlink.LinkAttrs attrs *netlink.LinkAttrs
} }
func newWGLink(name string) *wgLink {
attrs := netlink.NewLinkAttrs()
attrs.Name = name
return &wgLink{
attrs: &attrs,
}
}
// Attrs returns the Wireguard's default attributes // Attrs returns the Wireguard's default attributes
func (w *wgLink) Attrs() *netlink.LinkAttrs { func (l *wgLink) Attrs() *netlink.LinkAttrs {
return w.attrs return l.attrs
} }
// Type returns the interface type // Type returns the interface type
func (w *wgLink) Type() string { func (l *wgLink) Type() string {
return "wireguard" return "wireguard"
} }
// Close closes the tunnel interface // Close deletes the link interface
func Close(iFace string) error { func (l *wgLink) Close() error {
return netlink.LinkDel(l)
if tunIface != nil {
return CloseWithUserspace()
} else {
attrs := netlink.NewLinkAttrs()
attrs.Name = iFace
link := wgLink{
attrs: &attrs,
}
return netlink.LinkDel(&link)
}
} }
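Review bot: In CreateWithKernel, when `netlink.LinkByName(w.Name)` finds an existing link it is deleted unconditionally via `netlink.LinkDel(link)`, with no check that the existing link is actually a WireGuard device; a misconfigured or colliding interface name (say one that matches a real NIC or a tunnel owned by something else) would tear that interface down, which is also at odds with the "Will reuse an existing one" comment and the "already exists. Will reuse." log that follows. Suggest guarding the delete on the returned link's kind: `if l.Type() != "wireguard" { return fmt.Errorf("interface %s exists and is not a wireguard link (%s)", w.Name, l.Type()) }` before the LinkDel (fmt is already imported). In assignAddr, `addr, _ := netlink.ParseAddr(address)` discards the parse error and a nil addr would then reach AddrAdd; the input is built from an already-parsed IP so it should not fail, but returning the error is cheap. CreateWithKernel spans two hunks here; its body continues outside the first one.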


@@ -12,25 +12,36 @@ import (
// keep darwin compability // keep darwin compability
const ( const (
key = "0PMI6OkB5JmB+Jj/iWWHekuQRx+bipZirWCWKFXexHc=" WgIntNumber = 2000
peerPubKey = "Ok0mC0qlJyXEPKh2UFIpsI2jG0L7LRpC3sLAusSJ5CQ=" )
WgPort = 51820
var (
key string
peerPubKey string
) )
func init() { func init() {
log.SetLevel(log.DebugLevel) log.SetLevel(log.DebugLevel)
privateKey, _ := wgtypes.GeneratePrivateKey()
key = privateKey.String()
peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
peerPubKey = peerPrivateKey.PublicKey().String()
} }
// //
func Test_CreateInterface(t *testing.T) { func Test_CreateInterface(t *testing.T) {
ifaceName := "utun999" ifaceName := fmt.Sprintf("utun%d", WgIntNumber+1)
wgIP := "10.99.99.1/24" wgIP := "10.99.99.1/32"
err := Create(ifaceName, wgIP) iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
if err != nil {
t.Fatal(err)
}
err = iface.Create()
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
defer func() { defer func() {
err = Close(ifaceName) err = iface.Close()
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
@@ -46,21 +57,58 @@ func Test_CreateInterface(t *testing.T) {
} }
}() }()
} }
func Test_ConfigureInterface(t *testing.T) {
ifaceName := "utun1000" func Test_Close(t *testing.T) {
wgIP := "10.99.99.10/24" ifaceName := fmt.Sprintf("utun%d", WgIntNumber+2)
err := Create(ifaceName, wgIP) wgIP := "10.99.99.2/32"
iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
if err != nil {
t.Fatal(err)
}
err = iface.Create()
if err != nil {
t.Fatal(err)
}
wg, err := wgctrl.New()
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
defer func() { defer func() {
err = Close(ifaceName) err = wg.Close()
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
}() }()
err = Configure(ifaceName, key, WgPort) err = iface.Close()
if err != nil {
t.Fatal(err)
}
}
func Test_ConfigureInterface(t *testing.T) {
ifaceName := fmt.Sprintf("utun%d", WgIntNumber+3)
wgIP := "10.99.99.5/30"
iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
if err != nil {
t.Fatal(err)
}
err = iface.Create()
if err != nil {
t.Fatal(err)
}
defer func() {
err = iface.Close()
if err != nil {
t.Error(err)
}
}()
port, err := iface.GetListenPort()
if err != nil {
t.Fatal(err)
}
err = iface.Configure(key, *port)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -86,30 +134,41 @@ func Test_ConfigureInterface(t *testing.T) {
} }
func Test_UpdatePeer(t *testing.T) { func Test_UpdatePeer(t *testing.T) {
ifaceName := "utun1001" ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
wgIP := "10.99.99.20/24" wgIP := "10.99.99.9/30"
err := Create(ifaceName, wgIP) iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
if err != nil {
t.Fatal(err)
}
err = iface.Create()
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
defer func() { defer func() {
err = Close(ifaceName) err = iface.Close()
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
}() }()
err = Configure(ifaceName, key, WgPort) port, err := iface.GetListenPort()
if err != nil {
t.Fatal(err)
}
err = iface.Configure(key, *port)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
keepAlive := 15 * time.Second keepAlive := 15 * time.Second
allowedIP := "10.99.99.2/32" allowedIP := "10.99.99.10/32"
endpoint := "127.0.0.1:9900" endpoint, err := net.ResolveUDPAddr("udp", "127.0.0.1:9900")
err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint, nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
peer, err := getPeer(ifaceName, t) err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, endpoint, nil)
if err != nil {
t.Fatal(err)
}
peer, err := getPeer(ifaceName, peerPubKey, t)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -117,11 +176,7 @@ func Test_UpdatePeer(t *testing.T) {
t.Fatal("configured peer with mismatched keepalive interval value") t.Fatal("configured peer with mismatched keepalive interval value")
} }
resolvedEndpoint, err := net.ResolveUDPAddr("udp", endpoint) if peer.Endpoint.String() != endpoint.String() {
if err != nil {
t.Fatal(err)
}
if peer.Endpoint.String() != resolvedEndpoint.String() {
t.Fatal("configured peer with mismatched endpoint") t.Fatal("configured peer with mismatched endpoint")
} }
@@ -137,104 +192,144 @@ func Test_UpdatePeer(t *testing.T) {
} }
} }
func Test_UpdatePeerEndpoint(t *testing.T) {
ifaceName := "utun1002"
wgIP := "10.99.99.30/24"
err := Create(ifaceName, wgIP)
if err != nil {
t.Fatal(err)
}
defer func() {
err = Close(ifaceName)
if err != nil {
t.Error(err)
}
}()
err = Configure(ifaceName, key, WgPort)
if err != nil {
t.Fatal(err)
}
keepAlive := 15 * time.Second
allowedIP := "10.99.99.2/32"
endpoint := "127.0.0.1:9900"
err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint, nil)
if err != nil {
t.Fatal(err)
}
newEndpoint := "127.0.0.1:9999"
err = UpdatePeerEndpoint(ifaceName, peerPubKey, newEndpoint)
if err != nil {
t.Fatal(err)
}
peer, err := getPeer(ifaceName, t)
if err != nil {
t.Fatal(err)
}
if peer.Endpoint.String() != newEndpoint {
t.Fatal("configured peer with mismatched endpoint")
}
}
func Test_RemovePeer(t *testing.T) { func Test_RemovePeer(t *testing.T) {
ifaceName := "utun1003" ifaceName := fmt.Sprintf("utun%d", WgIntNumber+4)
wgIP := "10.99.99.40/24" wgIP := "10.99.99.13/30"
err := Create(ifaceName, wgIP) iface, err := NewWGIface(ifaceName, wgIP, DefaultMTU)
if err != nil {
t.Fatal(err)
}
err = iface.Create()
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
defer func() { defer func() {
err = Close(ifaceName) err = iface.Close()
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
}() }()
err = Configure(ifaceName, key, WgPort) port, err := iface.GetListenPort()
if err != nil {
t.Fatal(err)
}
err = iface.Configure(key, *port)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
keepAlive := 15 * time.Second keepAlive := 15 * time.Second
allowedIP := "10.99.99.2/32" allowedIP := "10.99.99.14/32"
endpoint := "127.0.0.1:9900"
err = UpdatePeer(ifaceName, peerPubKey, allowedIP, keepAlive, endpoint, nil) err = iface.UpdatePeer(peerPubKey, allowedIP, keepAlive, nil, nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
err = RemovePeer(ifaceName, peerPubKey) err = iface.RemovePeer(peerPubKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
_, err = getPeer(ifaceName, t) _, err = getPeer(ifaceName, peerPubKey, t)
if err.Error() != "peer not found" { if err.Error() != "peer not found" {
t.Fatal(err) t.Fatal(err)
} }
} }
func Test_Close(t *testing.T) {
ifaceName := "utun1004" func Test_ConnectPeers(t *testing.T) {
wgIP := "10.99.99.50/24" peer1ifaceName := fmt.Sprintf("utun%d", WgIntNumber+400)
err := Create(ifaceName, wgIP) peer1wgIP := "10.99.99.17/30"
peer1Key, _ := wgtypes.GeneratePrivateKey()
//peer1Port := WgPort + 4
peer2ifaceName := fmt.Sprintf("utun%d", 500)
peer2wgIP := "10.99.99.18/30"
peer2Key, _ := wgtypes.GeneratePrivateKey()
//peer2Port := WgPort + 5
keepAlive := 1 * time.Second
iface1, err := NewWGIface(peer1ifaceName, peer1wgIP, DefaultMTU)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
wg, err := wgctrl.New() err = iface1.Create()
if err != nil {
t.Fatal(err)
}
peer1Port, err := iface1.GetListenPort()
if err != nil {
t.Fatal(err)
}
peer1endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer1Port))
if err != nil {
t.Fatal(err)
}
iface2, err := NewWGIface(peer2ifaceName, peer2wgIP, DefaultMTU)
if err != nil {
t.Fatal(err)
}
err = iface2.Create()
if err != nil {
t.Fatal(err)
}
peer2Port, err := iface2.GetListenPort()
if err != nil {
t.Fatal(err)
}
peer2endpoint, err := net.ResolveUDPAddr("udp", fmt.Sprintf("127.0.0.1:%d", *peer2Port))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
defer func() { defer func() {
err = wg.Close() err = iface1.Close()
if err != nil {
t.Error(err)
}
err = iface2.Close()
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
}() }()
err = Close(ifaceName) err = iface1.Configure(peer1Key.String(), *peer1Port)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
err = iface2.Configure(peer2Key.String(), *peer2Port)
if err != nil {
t.Fatal(err)
}
err = iface1.UpdatePeer(peer2Key.PublicKey().String(), peer2wgIP, keepAlive, peer2endpoint, nil)
if err != nil {
t.Fatal(err)
}
err = iface2.UpdatePeer(peer1Key.PublicKey().String(), peer1wgIP, keepAlive, peer1endpoint, nil)
if err != nil {
t.Fatal(err)
}
timeout := 10 * time.Second
timeoutChannel := time.After(timeout)
for {
select {
case <-timeoutChannel:
t.Fatalf("waiting for peer handshake timeout after %s", timeout.String())
default:
}
peer, gpErr := getPeer(peer1ifaceName, peer2Key.PublicKey().String(), t)
if gpErr != nil {
t.Fatal(gpErr)
}
if !peer.LastHandshakeTime.IsZero() {
t.Log("peers successfully handshake")
break
}
}
} }
func getPeer(ifaceName string, t *testing.T) (wgtypes.Peer, error) {
func getPeer(ifaceName, peerPubKey string, t *testing.T) (wgtypes.Peer, error) {
emptyPeer := wgtypes.Peer{} emptyPeer := wgtypes.Peer{}
wg, err := wgctrl.New() wg, err := wgctrl.New()
if err != nil { if err != nil {


@@ -1,12 +1,58 @@
//go:build linux || darwin
// +build linux darwin // +build linux darwin
package iface package iface
import ( import (
log "github.com/sirupsen/logrus"
"golang.zx2c4.com/wireguard/conn"
"golang.zx2c4.com/wireguard/device"
"golang.zx2c4.com/wireguard/ipc" "golang.zx2c4.com/wireguard/ipc"
"golang.zx2c4.com/wireguard/tun"
"net" "net"
) )
// CreateWithUserspace Creates a new Wireguard interface, using wireguard-go userspace implementation
func (w *WGIface) CreateWithUserspace() error {
tunIface, err := tun.CreateTUN(w.Name, w.MTU)
if err != nil {
return err
}
w.Interface = tunIface
// We need to create a wireguard-go device and listen to configuration requests
tunDevice := device.NewDevice(tunIface, conn.NewDefaultBind(), device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
err = tunDevice.Up()
if err != nil {
return err
}
uapi, err := getUAPI(w.Name)
if err != nil {
return err
}
go func() {
for {
uapiConn, uapiErr := uapi.Accept()
if uapiErr != nil {
log.Traceln("uapi Accept failed with error: ", uapiErr)
continue
}
go tunDevice.IpcHandle(uapiConn)
}
}()
log.Debugln("UAPI listener started")
err = w.assignAddr()
if err != nil {
return err
}
return nil
}
// getUAPI returns a Listener // getUAPI returns a Listener
func getUAPI(iface string) (net.Listener, error) { func getUAPI(iface string) (net.Listener, error) {
tunSock, err := ipc.UAPIOpen(iface) tunSock, err := ipc.UAPIOpen(iface)
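Review bot: The UAPI accept goroutine in CreateWithUserspace never exits: once the listener is closed, `uapi.Accept()` fails on every call and the `continue` turns the loop into a busy spin that logs at trace level forever. Return from the goroutine when the listener is gone, e.g. `if errors.Is(uapiErr, net.ErrClosed) { return }` ahead of the `continue` (needs `errors` imported). The `tunDevice` and `uapi` handles are also not stored on `w`, so unless Close() (outside this hunk) reaches them some other way the device and listener cannot be shut down, and on the `tunDevice.Up()` and `getUAPI` error paths the TUN interface that was just created is not closed before returning.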


@@ -1,46 +1,47 @@
package iface package iface
import ( import (
"fmt"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"golang.zx2c4.com/wireguard/ipc" "golang.org/x/sys/windows"
"golang.zx2c4.com/wireguard/tun" "golang.zx2c4.com/wireguard/windows/driver"
"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg" "golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
"net" "net"
) )
// Create Creates a new Wireguard interface, sets a given IP and brings it up. // Create Creates a new Wireguard interface, sets a given IP and brings it up.
func Create(iface string, address string) error { func (w *WGIface) Create() error {
return CreateWithUserspace(iface, address)
WintunStaticRequestedGUID, _ := windows.GenerateGUID()
adapter, err := driver.CreateAdapter(w.Name, "WireGuard", &WintunStaticRequestedGUID)
if err != nil {
err = fmt.Errorf("error creating adapter: %w", err)
return err
}
w.Interface = adapter
luid := adapter.LUID()
err = adapter.SetLogging(driver.AdapterLogOn)
if err != nil {
err = fmt.Errorf("Error enabling adapter logging: %w", err)
return err
}
err = adapter.SetAdapterState(driver.AdapterStateUp)
if err != nil {
return err
}
state, _ := luid.GUID()
log.Debugln("device guid: ", state.String())
return w.assignAddr(luid)
} }
// assignAddr Adds IP address to the tunnel interface and network route based on the range provided // assignAddr Adds IP address to the tunnel interface and network route based on the range provided
func assignAddr(address string, ifaceName string) error { func (w *WGIface) assignAddr(luid winipcfg.LUID) error {
nativeTunDevice := tunIface.(*tun.NativeTun) log.Debugf("adding address %s to interface: %s", w.Address.IP, w.Name)
luid := winipcfg.LUID(nativeTunDevice.LUID()) err := luid.SetIPAddresses([]net.IPNet{{w.Address.IP, w.Address.Network.Mask}})
ip, ipnet, _ := net.ParseCIDR(address)
log.Debugf("adding address %s to interface: %s", address, ifaceName)
err := luid.SetIPAddresses([]net.IPNet{{ip, ipnet.Mask}})
if err != nil { if err != nil {
return err return err
} }
log.Debugf("adding Routes to interface: %s", ifaceName)
err = luid.SetRoutes([]*winipcfg.RouteData{{*ipnet, ipnet.IP, 0}})
if err != nil {
return err
}
return nil return nil
} }
// getUAPI returns a Listener
func getUAPI(iface string) (net.Listener, error) {
return ipc.UAPIListen(iface)
}
// Closes the tunnel interface
func Close(iFace string) error {
return CloseWithUserspace()
}
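Review bot: The error from `windows.GenerateGUID()` at the top of the new Create is discarded, so a failure silently requests the zero GUID for the adapter; check it and return `fmt.Errorf("generating adapter GUID: %w", err)`. On the later `SetLogging` and `SetAdapterState` failure paths the adapter that was just created is never released, so a failed Create leaks it — closing the adapter before returning (the driver adapter type exposes a Close method, as far as I recall) would fix that. The removed `SetRoutes` call has no counterpart in the new assignAddr; if the route is installed elsewhere now that is fine, otherwise traffic for the peer network will not be routed into the tunnel. The `net.IPNet{{...}}` literal is unkeyed, which `go vet` flags; `{IP: w.Address.IP, Mask: w.Address.Network.Mask}` is clearer.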


@@ -1,144 +0,0 @@
// +build linux
package iface
// Holds logic to check existence of Wireguard kernel module
// Copied from https://github.com/paultag/go-modprobe
import (
"debug/elf"
"fmt"
"golang.org/x/sys/unix"
"os"
"path/filepath"
"strings"
)
var (
// get the root directory for the kernel modules. If this line panics,
// it's because getModuleRoot has failed to get the uname of the running
// kernel (likely a non-POSIX system, but maybe a broken kernel?)
moduleRoot = getModuleRoot()
)
// Get the module root (/lib/modules/$(uname -r)/)
func getModuleRoot() string {
uname := unix.Utsname{}
if err := unix.Uname(&uname); err != nil {
panic(err)
}
i := 0
for ; uname.Release[i] != 0; i++ {
}
return filepath.Join(
"/lib/modules",
string(uname.Release[:i]),
)
}
// modName will, given a file descriptor to a Kernel Module (.ko file), parse the
// binary to get the module name. For instance, given a handle to the file at
// `kernel/drivers/usb/gadget/legacy/g_ether.ko`, return `g_ether`.
func modName(file *os.File) (string, error) {
f, err := elf.NewFile(file)
if err != nil {
return "", err
}
syms, err := f.Symbols()
if err != nil {
return "", err
}
for _, sym := range syms {
if strings.Compare(sym.Name, "__this_module") == 0 {
section := f.Sections[sym.Section]
data, err := section.Data()
if err != nil {
return "", err
}
if len(data) < 25 {
return "", fmt.Errorf("modprobe: data is short, __this_module is '%s'", data)
}
data = data[24:]
i := 0
for ; data[i] != 0x00; i++ {
}
return string(data[:i]), nil
}
}
return "", fmt.Errorf("No name found. Is this a .ko or just an ELF?")
}
// Open every single kernel module under the root, and parse the ELF headers to
// extract the module name.
func elfMap(root string) (map[string]string, error) {
ret := map[string]string{}
err := filepath.Walk(
root,
func(path string, info os.FileInfo, err error) error {
if err != nil {
// skip broken files
return nil
}
if !info.Mode().IsRegular() {
return nil
}
fd, err := os.Open(path)
if err != nil {
return err
}
defer fd.Close()
name, err := modName(fd)
if err != nil {
/* For now, let's just ignore that and avoid adding to it */
return nil
}
ret[name] = path
return nil
})
if err != nil {
return nil, err
}
return ret, nil
}
// Open every single kernel module under the kernel module directory
// (/lib/modules/$(uname -r)/), and parse the ELF headers to extract the
// module name.
func generateMap() (map[string]string, error) {
return elfMap(moduleRoot)
}
// WireguardModExists returns true if Wireguard kernel module exists.
func WireguardModExists() bool {
_, err := resolveModName("wireguard")
return err == nil
}
// resolveModName will, given a module name (such as `wireguard`) return an absolute
// path to the .ko that provides that module.
func resolveModName(name string) (string, error) {
paths, err := generateMap()
if err != nil {
return "", err
}
fsPath := paths[name]
if !strings.HasPrefix(fsPath, moduleRoot) {
return "", fmt.Errorf("module isn't in the module directory")
}
return fsPath, nil
}


@@ -35,5 +35,15 @@
"AuthIssuer": "https://$WIRETRUSTEE_AUTH0_DOMAIN/", "AuthIssuer": "https://$WIRETRUSTEE_AUTH0_DOMAIN/",
"AuthAudience": "$WIRETRUSTEE_AUTH0_AUDIENCE", "AuthAudience": "$WIRETRUSTEE_AUTH0_AUDIENCE",
"AuthKeysLocation": "https://$WIRETRUSTEE_AUTH0_DOMAIN/.well-known/jwks.json" "AuthKeysLocation": "https://$WIRETRUSTEE_AUTH0_DOMAIN/.well-known/jwks.json"
} },
"IdpManagerConfig": {
"Manager": "none",
"Auth0ClientCredentials": {
"Audience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
"AuthIssuer": "<PASTE YOUR AUTH0 Auth Issuer HERE>",
"ClientId": "<PASTE YOUR AUTH0 Application Client ID HERE>",
"ClientSecret": "<PASTE YOUR AUTH0 Application Client Secret HERE>",
"GrantType": "client_credentials"
}
}
} }
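Review bot: The template now carries `ClientSecret`, a long-lived credential, in the same file as non-secret settings, and nothing on the page tells operators how to protect it. The docs that link this template (the management.json change in this commit) should say that the file must be readable only by the management service user, and it would be consistent with the existing `$WIRETRUSTEE_*` placeholders to let the secret come from an environment variable rather than a literal in the file.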


@@ -45,7 +45,7 @@ docker run -d --name wiretrustee-management \
wiretrustee/management:latest \ wiretrustee/management:latest \
--letsencrypt-domain <YOUR-DOMAIN> --letsencrypt-domain <YOUR-DOMAIN>
``` ```
> An example of config.json can be found here [config.json](../infrastructure_files/config.json) > An example of config.json can be found here [management.json](../infrastructure_files/management.json.tmpl)
Trigger Let's encrypt certificate generation: Trigger Let's encrypt certificate generation:
```bash ```bash


@@ -1,253 +1,17 @@
package client package client
import ( import (
"context" "io"
"crypto/tls"
"fmt"
"github.com/cenkalti/backoff/v4"
log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/client/system" "github.com/wiretrustee/wiretrustee/client/system"
"github.com/wiretrustee/wiretrustee/encryption"
"github.com/wiretrustee/wiretrustee/management/proto" "github.com/wiretrustee/wiretrustee/management/proto"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc"
"google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/keepalive"
"io"
"time"
) )
type Client struct { type Client interface {
key wgtypes.Key io.Closer
realClient proto.ManagementServiceClient Sync(msgHandler func(msg *proto.SyncResponse) error) error
ctx context.Context GetServerPublicKey() (*wgtypes.Key, error)
conn *grpc.ClientConn Register(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error)
} Login(serverKey wgtypes.Key) (*proto.LoginResponse, error)
// NewClient creates a new client to Management service
func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*Client, error) {
transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
if tlsEnabled {
transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
}
mgmCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
defer cancel()
conn, err := grpc.DialContext(
mgmCtx,
addr,
transportOption,
grpc.WithBlock(),
grpc.WithKeepaliveParams(keepalive.ClientParameters{
Time: 15 * time.Second,
Timeout: 10 * time.Second,
}))
if err != nil {
log.Errorf("failed creating connection to Management Service %v", err)
return nil, err
}
realClient := proto.NewManagementServiceClient(conn)
return &Client{
key: ourPrivateKey,
realClient: realClient,
ctx: ctx,
conn: conn,
}, nil
}
// Close closes connection to the Management Service
func (c *Client) Close() error {
return c.conn.Close()
}
//defaultBackoff is a basic backoff mechanism for general issues
func defaultBackoff(ctx context.Context) backoff.BackOff {
return backoff.WithContext(&backoff.ExponentialBackOff{
InitialInterval: 800 * time.Millisecond,
RandomizationFactor: backoff.DefaultRandomizationFactor,
Multiplier: backoff.DefaultMultiplier,
MaxInterval: 10 * time.Second,
MaxElapsedTime: 12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
Stop: backoff.Stop,
Clock: backoff.SystemClock,
}, ctx)
}
// ready indicates whether the client is okay and ready to be used
// for now it just checks whether gRPC connection to the service is ready
func (c *Client) ready() bool {
return c.conn.GetState() == connectivity.Ready || c.conn.GetState() == connectivity.Idle
}
// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
// Blocking request. The result will be sent via msgHandler callback function
func (c *Client) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
var backOff = defaultBackoff(c.ctx)
operation := func() error {
log.Debugf("management connection state %v", c.conn.GetState())
if !c.ready() {
return fmt.Errorf("no connection to management")
}
// todo we already have it since we did the Login, maybe cache it locally?
serverPubKey, err := c.GetServerPublicKey()
if err != nil {
log.Errorf("failed getting Management Service public key: %s", err)
return err
}
stream, err := c.connectToStream(*serverPubKey)
if err != nil {
log.Errorf("failed to open Management Service stream: %s", err)
return err
}
log.Infof("connected to the Management Service stream")
// blocking until error
err = c.receiveEvents(stream, *serverPubKey, msgHandler)
if err != nil {
backOff.Reset()
return err
}
return nil
}
err := backoff.Retry(operation, backOff)
if err != nil {
log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
return err
}
return nil
}
func (c *Client) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
req := &proto.SyncRequest{}
myPrivateKey := c.key
myPublicKey := myPrivateKey.PublicKey()
encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
if err != nil {
log.Errorf("failed encrypting message: %s", err)
return nil, err
}
syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
return c.realClient.Sync(c.ctx, syncReq)
}
func (c *Client) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
for {
update, err := stream.Recv()
if err == io.EOF {
log.Errorf("Management stream has been closed by server: %s", err)
return err
}
if err != nil {
log.Warnf("disconnected from Management Service sync stream: %v", err)
return err
}
log.Debugf("got an update message from Management Service")
decryptedResp := &proto.SyncResponse{}
err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp)
if err != nil {
log.Errorf("failed decrypting update message from Management Service: %s", err)
return err
}
err = msgHandler(decryptedResp)
if err != nil {
log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
return err
}
}
}
// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
func (c *Client) GetServerPublicKey() (*wgtypes.Key, error) {
if !c.ready() {
return nil, fmt.Errorf("no connection to management")
}
mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
defer cancel()
resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
if err != nil {
return nil, err
}
serverKey, err := wgtypes.ParseKey(resp.Key)
if err != nil {
return nil, err
}
return &serverKey, nil
}
func (c *Client) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
if !c.ready() {
return nil, fmt.Errorf("no connection to management")
}
loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
if err != nil {
log.Errorf("failed to encrypt message: %s", err)
return nil, err
}
mgmCtx, cancel := context.WithTimeout(c.ctx, 5*time.Second) //todo make a general setting
defer cancel()
resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
WgPubKey: c.key.PublicKey().String(),
Body: loginReq,
})
if err != nil {
return nil, err
}
loginResp := &proto.LoginResponse{}
err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
if err != nil {
log.Errorf("failed to decrypt registration message: %s", err)
return nil, err
}
return loginResp, nil
}
// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
// Takes care of encrypting and decrypting messages.
// This method will also collect system info and send it with the request (e.g. hostname, os, etc)
func (c *Client) Register(serverKey wgtypes.Key, setupKey string) (*proto.LoginResponse, error) {
gi := system.GetInfo()
meta := &proto.PeerSystemMeta{
Hostname: gi.Hostname,
GoOS: gi.GoOS,
OS: gi.OS,
Core: gi.OSVersion,
Platform: gi.Platform,
Kernel: gi.Kernel,
WiretrusteeVersion: "",
}
log.Debugf("detected system %v", meta)
return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: meta})
}
// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
func (c *Client) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
return c.login(serverKey, &proto.LoginRequest{})
} }
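Review bot: The exported `Client` interface and its methods carry no doc comments, and since the concrete behavior (retries, encryption, timeouts) now lives in GrpcClient the interface is where callers will look first. Suggest `// Client is the peer-side API of the Management service; GrpcClient is the production implementation and MockClient the test double.` above the type, plus one line per method stating whether it blocks (Sync does, per the GrpcClient doc comment) and that Register and Login encrypt the request with the given server key.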


@@ -2,7 +2,18 @@ package client
import ( import (
"context" "context"
"net"
"path/filepath"
"sync"
"testing"
"time"
"github.com/wiretrustee/wiretrustee/client/system"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/stretchr/testify/assert"
"github.com/wiretrustee/wiretrustee/encryption"
"github.com/wiretrustee/wiretrustee/management/proto"
mgmtProto "github.com/wiretrustee/wiretrustee/management/proto" mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
mgmt "github.com/wiretrustee/wiretrustee/management/server" mgmt "github.com/wiretrustee/wiretrustee/management/server"
"github.com/wiretrustee/wiretrustee/util" "github.com/wiretrustee/wiretrustee/util"
@@ -10,14 +21,12 @@ import (
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
"net"
"path/filepath"
"testing"
"time"
) )
var tested *Client var tested *GrpcClient
var serverAddr string var serverAddr string
var mgmtMockServer *mgmt.ManagementServiceServerMock
var serverKey wgtypes.Key
const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB" const ValidKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
@@ -61,7 +70,7 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
} }
peersUpdateManager := mgmt.NewPeersUpdateManager() peersUpdateManager := mgmt.NewPeersUpdateManager()
accountManager := mgmt.NewManager(store, peersUpdateManager) accountManager := mgmt.NewManager(store, peersUpdateManager, nil)
turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig) turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager) mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
if err != nil { if err != nil {
@@ -78,6 +87,39 @@ func startManagement(config *mgmt.Config, t *testing.T) (*grpc.Server, net.Liste
return s, lis return s, lis
} }
func startMockManagement(t *testing.T) (*grpc.Server, net.Listener) {
lis, err := net.Listen("tcp", ":0")
if err != nil {
t.Fatal(err)
}
s := grpc.NewServer()
serverKey, err = wgtypes.GenerateKey()
if err != nil {
t.Fatal(err)
}
mgmtMockServer = &mgmt.ManagementServiceServerMock{
GetServerKeyFunc: func(context.Context, *proto.Empty) (*proto.ServerKeyResponse, error) {
response := &proto.ServerKeyResponse{
Key: serverKey.PublicKey().String(),
}
return response, nil
},
}
mgmtProto.RegisterManagementServiceServer(s, mgmtMockServer)
go func() {
if err := s.Serve(lis); err != nil {
t.Error(err)
return
}
}()
return s, lis
}
func TestClient_GetServerPublicKey(t *testing.T) { func TestClient_GetServerPublicKey(t *testing.T) {
key, err := tested.GetServerPublicKey() key, err := tested.GetServerPublicKey()
@@ -109,7 +151,8 @@ func TestClient_LoginRegistered(t *testing.T) {
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
resp, err := tested.Register(*key, ValidKey) info := system.GetInfo()
resp, err := tested.Register(*key, ValidKey, info)
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
@@ -125,7 +168,8 @@ func TestClient_Sync(t *testing.T) {
t.Error(err) t.Error(err)
} }
_, err = tested.Register(*serverKey, ValidKey) info := system.GetInfo()
_, err = tested.Register(*serverKey, ValidKey, info)
if err != nil { if err != nil {
t.Error(err) t.Error(err)
} }
@@ -139,7 +183,9 @@ func TestClient_Sync(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
_, err = remoteClient.Register(*serverKey, ValidKey)
info = system.GetInfo()
_, err = remoteClient.Register(*serverKey, ValidKey, info)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -177,3 +223,82 @@ func TestClient_Sync(t *testing.T) {
t.Error("timeout waiting for test to finish") t.Error("timeout waiting for test to finish")
} }
} }
func Test_SystemMetaDataFromClient(t *testing.T) {
_, lis := startMockManagement(t)
testKey, err := wgtypes.GenerateKey()
if err != nil {
log.Fatal(err)
}
serverAddr := lis.Addr().String()
ctx := context.Background()
testClient, err := NewClient(ctx, serverAddr, testKey, false)
if err != nil {
log.Fatalf("error while creating testClient: %v", err)
}
key, err := testClient.GetServerPublicKey()
if err != nil {
log.Fatalf("error while getting server public key from testclient, %v", err)
}
var actualMeta *proto.PeerSystemMeta
var actualValidKey string
var wg sync.WaitGroup
wg.Add(1)
mgmtMockServer.LoginFunc =
func(ctx context.Context, msg *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
peerKey, err := wgtypes.ParseKey(msg.GetWgPubKey())
if err != nil {
log.Warnf("error while parsing peer's Wireguard public key %s on Sync request.", msg.WgPubKey)
return nil, status.Errorf(codes.InvalidArgument, "provided wgPubKey %s is invalid", msg.WgPubKey)
}
loginReq := &proto.LoginRequest{}
err = encryption.DecryptMessage(peerKey, serverKey, msg.Body, loginReq)
if err != nil {
log.Fatal(err)
}
actualMeta = loginReq.GetMeta()
actualValidKey = loginReq.GetSetupKey()
wg.Done()
loginResp := &proto.LoginResponse{}
encryptedResp, err := encryption.EncryptMessage(peerKey, serverKey, loginResp)
if err != nil {
return nil, err
}
return &mgmtProto.EncryptedMessage{
WgPubKey: serverKey.PublicKey().String(),
Body: encryptedResp,
Version: 0,
}, nil
}
info := system.GetInfo()
_, err = testClient.Register(*key, ValidKey, info)
if err != nil {
t.Errorf("error while trying to register client: %v", err)
}
wg.Wait()
expectedMeta := &proto.PeerSystemMeta{
Hostname: info.Hostname,
GoOS: info.GoOS,
Kernel: info.Kernel,
Core: info.OSVersion,
Platform: info.Platform,
OS: info.OS,
WiretrusteeVersion: info.WiretrusteeVersion,
}
assert.Equal(t, ValidKey, actualValidKey)
assert.Equal(t, expectedMeta, actualMeta)
}
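Review bot: Test_SystemMetaDataFromClient calls `log.Fatal`/`log.Fatalf` on setup failures and inside the mock LoginFunc; those call os.Exit, which aborts the whole test binary, skips deferred cleanup and hides which test failed — use `t.Fatal`/`t.Fatalf`, and inside the handler (which runs on the server goroutine) record the error and return it rather than exiting. If Register fails, `t.Errorf` is followed by `wg.Wait()` on a counter that is only decremented inside LoginFunc, so the test hangs instead of failing; make that `t.Fatalf` or bound the wait with a timeout as TestClient_Sync does. The gRPC server returned by startMockManagement is discarded (`_, lis := startMockManagement(t)`) and `testClient` is never closed, so both outlive the test, and `net.Listen("tcp", ":0")` binds every interface where `127.0.0.1:0` would keep the test listener local. The local `serverAddr := lis.Addr().String()` also shadows the package-level `serverAddr` declared above.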

252
management/client/grpc.go Normal file

@@ -0,0 +1,252 @@
package client
import (
"context"
"crypto/tls"
"fmt"
"io"
"time"
"github.com/cenkalti/backoff/v4"
log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/client/system"
"github.com/wiretrustee/wiretrustee/encryption"
"github.com/wiretrustee/wiretrustee/management/proto"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc"
"google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/keepalive"
)
type GrpcClient struct {
key wgtypes.Key
realClient proto.ManagementServiceClient
ctx context.Context
conn *grpc.ClientConn
}
// NewClient creates a new client to Management service
func NewClient(ctx context.Context, addr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*GrpcClient, error) {
transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
if tlsEnabled {
transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
}
mgmCtx, cancel := context.WithTimeout(ctx, time.Second*3)
defer cancel()
conn, err := grpc.DialContext(
mgmCtx,
addr,
transportOption,
grpc.WithBlock(),
grpc.WithKeepaliveParams(keepalive.ClientParameters{
Time: 15 * time.Second,
Timeout: 10 * time.Second,
}))
if err != nil {
log.Errorf("failed creating connection to Management Service %v", err)
return nil, err
}
realClient := proto.NewManagementServiceClient(conn)
return &GrpcClient{
key: ourPrivateKey,
realClient: realClient,
ctx: ctx,
conn: conn,
}, nil
}
// Close closes connection to the Management Service
func (c *GrpcClient) Close() error {
return c.conn.Close()
}
//defaultBackoff is a basic backoff mechanism for general issues
func defaultBackoff(ctx context.Context) backoff.BackOff {
return backoff.WithContext(&backoff.ExponentialBackOff{
InitialInterval: 800 * time.Millisecond,
RandomizationFactor: backoff.DefaultRandomizationFactor,
Multiplier: backoff.DefaultMultiplier,
MaxInterval: 10 * time.Second,
MaxElapsedTime: 12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
Stop: backoff.Stop,
Clock: backoff.SystemClock,
}, ctx)
}
// ready indicates whether the client is okay and ready to be used
// for now it just checks whether gRPC connection to the service is ready
func (c *GrpcClient) ready() bool {
return c.conn.GetState() == connectivity.Ready || c.conn.GetState() == connectivity.Idle
}
// Sync wraps the real client's Sync endpoint call and takes care of retries and encryption/decryption of messages
// Blocking request. The result will be sent via msgHandler callback function
func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
var backOff = defaultBackoff(c.ctx)
operation := func() error {
log.Debugf("management connection state %v", c.conn.GetState())
if !c.ready() {
return fmt.Errorf("no connection to management")
}
// todo we already have it since we did the Login, maybe cache it locally?
serverPubKey, err := c.GetServerPublicKey()
if err != nil {
log.Errorf("failed getting Management Service public key: %s", err)
return err
}
stream, err := c.connectToStream(*serverPubKey)
if err != nil {
log.Errorf("failed to open Management Service stream: %s", err)
return err
}
log.Infof("connected to the Management Service stream")
// blocking until error
err = c.receiveEvents(stream, *serverPubKey, msgHandler)
if err != nil {
backOff.Reset()
return err
}
return nil
}
err := backoff.Retry(operation, backOff)
if err != nil {
log.Warnf("exiting Management Service connection retry loop due to unrecoverable error: %s", err)
return err
}
return nil
}
func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
req := &proto.SyncRequest{}
myPrivateKey := c.key
myPublicKey := myPrivateKey.PublicKey()
encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
if err != nil {
log.Errorf("failed encrypting message: %s", err)
return nil, err
}
syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
return c.realClient.Sync(c.ctx, syncReq)
}
func (c *GrpcClient) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
for {
update, err := stream.Recv()
if err == io.EOF {
log.Errorf("Management stream has been closed by server: %s", err)
return err
}
if err != nil {
log.Warnf("disconnected from Management Service sync stream: %v", err)
return err
}
log.Debugf("got an update message from Management Service")
decryptedResp := &proto.SyncResponse{}
err = encryption.DecryptMessage(serverPubKey, c.key, update.Body, decryptedResp)
if err != nil {
log.Errorf("failed decrypting update message from Management Service: %s", err)
return err
}
err = msgHandler(decryptedResp)
if err != nil {
log.Errorf("failed handling an update message received from Management Service: %v", err.Error())
return err
}
}
}
// GetServerPublicKey returns server Wireguard public key (used later for encrypting messages sent to the server)
func (c *GrpcClient) GetServerPublicKey() (*wgtypes.Key, error) {
if !c.ready() {
return nil, fmt.Errorf("no connection to management")
}
mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
defer cancel()
resp, err := c.realClient.GetServerKey(mgmCtx, &proto.Empty{})
if err != nil {
return nil, err
}
serverKey, err := wgtypes.ParseKey(resp.Key)
if err != nil {
return nil, err
}
return &serverKey, nil
}
func (c *GrpcClient) login(serverKey wgtypes.Key, req *proto.LoginRequest) (*proto.LoginResponse, error) {
if !c.ready() {
return nil, fmt.Errorf("no connection to management")
}
loginReq, err := encryption.EncryptMessage(serverKey, c.key, req)
if err != nil {
log.Errorf("failed to encrypt message: %s", err)
return nil, err
}
mgmCtx, cancel := context.WithTimeout(c.ctx, time.Second*2)
defer cancel()
resp, err := c.realClient.Login(mgmCtx, &proto.EncryptedMessage{
WgPubKey: c.key.PublicKey().String(),
Body: loginReq,
})
if err != nil {
return nil, err
}
loginResp := &proto.LoginResponse{}
err = encryption.DecryptMessage(serverKey, c.key, resp.Body, loginResp)
if err != nil {
log.Errorf("failed to decrypt registration message: %s", err)
return nil, err
}
return loginResp, nil
}
// Register registers peer on Management Server. It actually calls a Login endpoint with a provided setup key
// Takes care of encrypting and decrypting messages.
// This method will also collect system info and send it with the request (e.g. hostname, os, etc)
func (c *GrpcClient) Register(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error) {
meta := &proto.PeerSystemMeta{
Hostname: info.Hostname,
GoOS: info.GoOS,
OS: info.OS,
Core: info.OSVersion,
Platform: info.Platform,
Kernel: info.Kernel,
WiretrusteeVersion: info.WiretrusteeVersion,
}
return c.login(serverKey, &proto.LoginRequest{SetupKey: setupKey, Meta: meta})
}
// Login attempts login to Management Server. Takes care of encrypting and decrypting messages.
func (c *GrpcClient) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
return c.login(serverKey, &proto.LoginRequest{})
}
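Review bot: `GetServerPublicKey` fetches the key that `login` and `connectToStream` then encrypt against over the same connection, and with `tlsEnabled == false` that connection uses `insecure.NewCredentials()`, so the key is unauthenticated and the message encryption layered on top only protects against passive observation; this belongs in the doc comments of NewClient and GetServerPublicKey, e.g. `// With tlsEnabled=false the transport is unauthenticated and the server key returned by GetServerPublicKey cannot be trusted; use it only for local testing.` The dial and RPC timeouts (`time.Second*3`, `time.Second*2`) are hard-coded in three places — the removed file flagged this with `//todo make a general setting`, and a single named constant or a field on GrpcClient would keep them consistent. In receiveEvents, `err == io.EOF` should be `errors.Is(err, io.EOF)` in case the stream wraps the error. Register's doc comment still says the method "will also collect system info", but the info now arrives through the `info` parameter; the comment should say the caller supplies it.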

50
management/client/mock.go Normal file

@@ -0,0 +1,50 @@
package client
import (
"github.com/wiretrustee/wiretrustee/client/system"
"github.com/wiretrustee/wiretrustee/management/proto"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
)
type MockClient struct {
CloseFunc func() error
SyncFunc func(msgHandler func(msg *proto.SyncResponse) error) error
GetServerPublicKeyFunc func() (*wgtypes.Key, error)
RegisterFunc func(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error)
LoginFunc func(serverKey wgtypes.Key) (*proto.LoginResponse, error)
}
func (m *MockClient) Close() error {
if m.CloseFunc == nil {
return nil
}
return m.CloseFunc()
}
func (m *MockClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error {
if m.SyncFunc == nil {
return nil
}
return m.SyncFunc(msgHandler)
}
func (m *MockClient) GetServerPublicKey() (*wgtypes.Key, error) {
if m.GetServerPublicKeyFunc == nil {
return nil, nil
}
return m.GetServerPublicKeyFunc()
}
func (m *MockClient) Register(serverKey wgtypes.Key, setupKey string, info *system.Info) (*proto.LoginResponse, error) {
if m.RegisterFunc == nil {
return nil, nil
}
return m.RegisterFunc(serverKey, setupKey, info)
}
func (m *MockClient) Login(serverKey wgtypes.Key) (*proto.LoginResponse, error) {
if m.LoginFunc == nil {
return nil, nil
}
return m.LoginFunc(serverKey)
}
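Review bot: The fallbacks in GetServerPublicKey, Register and Login return `nil, nil` when the matching Func field is unset, so a test that forgets to install a hook receives a nil `*wgtypes.Key` or `*proto.LoginResponse` with no error and fails later at a dereference instead of at the call. Returning a sentinel in each of the three fallbacks makes the misconfiguration visible where it happens, e.g. `return nil, errors.New("GetServerPublicKeyFunc is not set")`, with `errors` added to the import block. The exported type and its methods also carry no doc comments; a type comment such as `// MockClient is a test double with the same method set as GrpcClient: each method delegates to the matching Func field and returns zero values when that field is nil.` would state the contract. Note that the mock lives in a non-test file of package client, so it ships in the production package; moving it to a testing-only package or file is worth considering.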


@@ -7,6 +7,7 @@ import (
"fmt" "fmt"
"github.com/wiretrustee/wiretrustee/management/server" "github.com/wiretrustee/wiretrustee/management/server"
"github.com/wiretrustee/wiretrustee/management/server/http" "github.com/wiretrustee/wiretrustee/management/server/http"
"github.com/wiretrustee/wiretrustee/management/server/idp"
"github.com/wiretrustee/wiretrustee/util" "github.com/wiretrustee/wiretrustee/util"
"net" "net"
"os" "os"
@@ -68,7 +69,11 @@ var (
log.Fatalf("failed creating a store: %s: %v", config.Datadir, err) log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
} }
peersUpdateManager := server.NewPeersUpdateManager() peersUpdateManager := server.NewPeersUpdateManager()
accountManager := server.NewManager(store, peersUpdateManager) idpManager, err := idp.NewManager(*config.IdpManagerConfig)
if err != nil {
log.Fatalln("failed retrieving a new idp manager with err: ", err)
}
accountManager := server.NewManager(store, peersUpdateManager, idpManager)
var opts []grpc.ServerOption var opts []grpc.ServerOption
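Review bot: `idp.NewManager(*config.IdpManagerConfig)` dereferences the config field before anything checks it, so a management config that omits the IdP section (the dereference suggests IdpManagerConfig is a pointer field; confirm against the config type) would crash with a nil-pointer panic instead of the fatal log written for the constructor error. A guard before the call, `if config.IdpManagerConfig == nil { log.Fatal("IdpManagerConfig is required") }`, turns that into a clear startup failure. The error line also departs from the neighbouring style, which formats with `log.Fatalf("...: %v", err)`; `log.Fatalf("failed creating an idp manager: %v", err)` would match it. The enclosing function starts and ends outside this hunk.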


@@ -85,6 +85,8 @@ type EncryptedMessage struct {
WgPubKey string `protobuf:"bytes,1,opt,name=wgPubKey,proto3" json:"wgPubKey,omitempty"` WgPubKey string `protobuf:"bytes,1,opt,name=wgPubKey,proto3" json:"wgPubKey,omitempty"`
// encrypted message Body // encrypted message Body
Body []byte `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"` Body []byte `protobuf:"bytes,2,opt,name=body,proto3" json:"body,omitempty"`
// Version of the Wiretrustee Management Service protocol
Version int32 `protobuf:"varint,3,opt,name=version,proto3" json:"version,omitempty"`
} }
func (x *EncryptedMessage) Reset() { func (x *EncryptedMessage) Reset() {
@@ -133,6 +135,13 @@ func (x *EncryptedMessage) GetBody() []byte {
return nil return nil
} }
func (x *EncryptedMessage) GetVersion() int32 {
if x != nil {
return x.Version
}
return 0
}
type SyncRequest struct { type SyncRequest struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@@ -178,11 +187,15 @@ type SyncResponse struct {
unknownFields protoimpl.UnknownFields unknownFields protoimpl.UnknownFields
// Global config // Global config
WiretrusteeConfig *WiretrusteeConfig `protobuf:"bytes,1,opt,name=wiretrusteeConfig,proto3" json:"wiretrusteeConfig,omitempty"` WiretrusteeConfig *WiretrusteeConfig `protobuf:"bytes,1,opt,name=wiretrusteeConfig,proto3" json:"wiretrusteeConfig,omitempty"`
PeerConfig *PeerConfig `protobuf:"bytes,2,opt,name=peerConfig,proto3" json:"peerConfig,omitempty"` // Deprecated. Use NetworkMap.PeerConfig
RemotePeers []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"` PeerConfig *PeerConfig `protobuf:"bytes,2,opt,name=peerConfig,proto3" json:"peerConfig,omitempty"`
// Deprecated. Use NetworkMap.RemotePeerConfig
RemotePeers []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"`
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality. // Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
RemotePeersIsEmpty bool `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"` // Deprecated. Use NetworkMap.remotePeersIsEmpty
RemotePeersIsEmpty bool `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"`
NetworkMap *NetworkMap `protobuf:"bytes,5,opt,name=NetworkMap,proto3" json:"NetworkMap,omitempty"`
} }
func (x *SyncResponse) Reset() { func (x *SyncResponse) Reset() {
@@ -245,6 +258,13 @@ func (x *SyncResponse) GetRemotePeersIsEmpty() bool {
return false return false
} }
func (x *SyncResponse) GetNetworkMap() *NetworkMap {
if x != nil {
return x.NetworkMap
}
return nil
}
type LoginRequest struct { type LoginRequest struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@@ -464,6 +484,8 @@ type ServerKeyResponse struct {
Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"`
// Key expiration timestamp after which the key should be fetched again by the client // Key expiration timestamp after which the key should be fetched again by the client
ExpiresAt *timestamp.Timestamp `protobuf:"bytes,2,opt,name=expiresAt,proto3" json:"expiresAt,omitempty"` ExpiresAt *timestamp.Timestamp `protobuf:"bytes,2,opt,name=expiresAt,proto3" json:"expiresAt,omitempty"`
// Version of the Wiretrustee Management Service protocol
Version int32 `protobuf:"varint,3,opt,name=version,proto3" json:"version,omitempty"`
} }
func (x *ServerKeyResponse) Reset() { func (x *ServerKeyResponse) Reset() {
@@ -512,6 +534,13 @@ func (x *ServerKeyResponse) GetExpiresAt() *timestamp.Timestamp {
return nil return nil
} }
func (x *ServerKeyResponse) GetVersion() int32 {
if x != nil {
return x.Version
}
return 0
}
type Empty struct { type Empty struct {
state protoimpl.MessageState state protoimpl.MessageState
sizeCache protoimpl.SizeCache sizeCache protoimpl.SizeCache
@@ -798,6 +827,84 @@ func (x *PeerConfig) GetDns() string {
return "" return ""
} }
// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
type NetworkMap struct {
state protoimpl.MessageState
sizeCache protoimpl.SizeCache
unknownFields protoimpl.UnknownFields
// Serial is an ID of the network state to be used by clients to order updates.
// The larger the Serial the newer the configuration.
// E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
Serial uint64 `protobuf:"varint,1,opt,name=Serial,proto3" json:"Serial,omitempty"`
// PeerConfig represents configuration of a peer
PeerConfig *PeerConfig `protobuf:"bytes,2,opt,name=peerConfig,proto3" json:"peerConfig,omitempty"`
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
RemotePeers []*RemotePeerConfig `protobuf:"bytes,3,rep,name=remotePeers,proto3" json:"remotePeers,omitempty"`
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
RemotePeersIsEmpty bool `protobuf:"varint,4,opt,name=remotePeersIsEmpty,proto3" json:"remotePeersIsEmpty,omitempty"`
}
func (x *NetworkMap) Reset() {
*x = NetworkMap{}
if protoimpl.UnsafeEnabled {
mi := &file_management_proto_msgTypes[12]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
}
func (x *NetworkMap) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*NetworkMap) ProtoMessage() {}
func (x *NetworkMap) ProtoReflect() protoreflect.Message {
mi := &file_management_proto_msgTypes[12]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use NetworkMap.ProtoReflect.Descriptor instead.
func (*NetworkMap) Descriptor() ([]byte, []int) {
return file_management_proto_rawDescGZIP(), []int{12}
}
func (x *NetworkMap) GetSerial() uint64 {
if x != nil {
return x.Serial
}
return 0
}
func (x *NetworkMap) GetPeerConfig() *PeerConfig {
if x != nil {
return x.PeerConfig
}
return nil
}
func (x *NetworkMap) GetRemotePeers() []*RemotePeerConfig {
if x != nil {
return x.RemotePeers
}
return nil
}
func (x *NetworkMap) GetRemotePeersIsEmpty() bool {
if x != nil {
return x.RemotePeersIsEmpty
}
return false
}
// RemotePeerConfig represents a configuration of a remote peer. // RemotePeerConfig represents a configuration of a remote peer.
// The properties are used to configure Wireguard Peers sections // The properties are used to configure Wireguard Peers sections
type RemotePeerConfig struct { type RemotePeerConfig struct {
@@ -814,7 +921,7 @@ type RemotePeerConfig struct {
func (x *RemotePeerConfig) Reset() { func (x *RemotePeerConfig) Reset() {
*x = RemotePeerConfig{} *x = RemotePeerConfig{}
if protoimpl.UnsafeEnabled { if protoimpl.UnsafeEnabled {
mi := &file_management_proto_msgTypes[12] mi := &file_management_proto_msgTypes[13]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi) ms.StoreMessageInfo(mi)
} }
@@ -827,7 +934,7 @@ func (x *RemotePeerConfig) String() string {
func (*RemotePeerConfig) ProtoMessage() {} func (*RemotePeerConfig) ProtoMessage() {}
func (x *RemotePeerConfig) ProtoReflect() protoreflect.Message { func (x *RemotePeerConfig) ProtoReflect() protoreflect.Message {
mi := &file_management_proto_msgTypes[12] mi := &file_management_proto_msgTypes[13]
if protoimpl.UnsafeEnabled && x != nil { if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil { if ms.LoadMessageInfo() == nil {
@@ -840,7 +947,7 @@ func (x *RemotePeerConfig) ProtoReflect() protoreflect.Message {
// Deprecated: Use RemotePeerConfig.ProtoReflect.Descriptor instead. // Deprecated: Use RemotePeerConfig.ProtoReflect.Descriptor instead.
func (*RemotePeerConfig) Descriptor() ([]byte, []int) { func (*RemotePeerConfig) Descriptor() ([]byte, []int) {
return file_management_proto_rawDescGZIP(), []int{12} return file_management_proto_rawDescGZIP(), []int{13}
} }
func (x *RemotePeerConfig) GetWgPubKey() string { func (x *RemotePeerConfig) GetWgPubKey() string {
@@ -864,12 +971,52 @@ var file_management_proto_rawDesc = []byte{
0x74, 0x6f, 0x12, 0x0a, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0x1f, 0x74, 0x6f, 0x12, 0x0a, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x1a, 0x1f,
0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f,
0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22,
0x42, 0x0a, 0x10, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x5c, 0x0a, 0x10, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73,
0x61, 0x67, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x61, 0x67, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12,
0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x62, 0x12, 0x0a, 0x04, 0x62, 0x6f, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x04, 0x62,
0x6f, 0x64, 0x79, 0x22, 0x0d, 0x0a, 0x0b, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x71, 0x75, 0x65, 0x6f, 0x64, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03,
0x73, 0x74, 0x22, 0x83, 0x02, 0x0a, 0x0c, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x0d, 0x0a,
0x0b, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0xbb, 0x02, 0x0a,
0x0c, 0x53, 0x79, 0x6e, 0x63, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a,
0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66,
0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67,
0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65,
0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75,
0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65,
0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16,
0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x65, 0x65, 0x72,
0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66,
0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43,
0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65,
0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72,
0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12,
0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70,
0x74, 0x79, 0x12, 0x36, 0x0a, 0x0a, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70,
0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
0x65, 0x6e, 0x74, 0x2e, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x52, 0x0a,
0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x22, 0x5a, 0x0a, 0x0c, 0x4c, 0x6f,
0x67, 0x69, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65,
0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65,
0x74, 0x75, 0x70, 0x4b, 0x65, 0x79, 0x12, 0x2e, 0x0a, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61,
0x52, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x22, 0xc8, 0x01, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53,
0x79, 0x73, 0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73,
0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73,
0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x18, 0x02, 0x20,
0x01, 0x28, 0x09, 0x52, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x12, 0x16, 0x0a, 0x06, 0x6b, 0x65, 0x72,
0x6e, 0x65, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x65, 0x72, 0x6e, 0x65,
0x6c, 0x12, 0x12, 0x0a, 0x04, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52,
0x04, 0x63, 0x6f, 0x72, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72,
0x6d, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72,
0x6d, 0x12, 0x0e, 0x0a, 0x02, 0x4f, 0x53, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x4f,
0x53, 0x12, 0x2e, 0x0a, 0x12, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65,
0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x77,
0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f,
0x6e, 0x22, 0x94, 0x01, 0x0a, 0x0d, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f,
0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x6e, 0x73, 0x65, 0x12, 0x4b, 0x0a, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74,
0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d,
0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65,
@@ -878,104 +1025,84 @@ var file_management_proto_rawDesc = []byte{
0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02,
0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e,
0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65, 0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65,
0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65, 0x6d, 0x6f, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x79, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76,
0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a,
0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72, 0x65, 0x6d, 0x38, 0x0a, 0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x18, 0x02, 0x20, 0x01,
0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74,
0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x18, 0x04, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09,
0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x76, 0x65, 0x72,
0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x5a, 0x0a, 0x0c, 0x4c, 0x6f, 0x67, 0x69, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73,
0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x73, 0x65, 0x74, 0x75, 0x69, 0x6f, 0x6e, 0x22, 0x07, 0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0xa8, 0x01, 0x0a,
0x70, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x73, 0x65, 0x74, 0x75, 0x11, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66,
0x70, 0x4b, 0x65, 0x79, 0x12, 0x2e, 0x0a, 0x04, 0x6d, 0x65, 0x74, 0x61, 0x18, 0x02, 0x20, 0x01, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x05, 0x73, 0x74, 0x75, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
0x50, 0x65, 0x65, 0x72, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x52, 0x04,
0x6d, 0x65, 0x74, 0x61, 0x22, 0xc8, 0x01, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x79, 0x73,
0x74, 0x65, 0x6d, 0x4d, 0x65, 0x74, 0x61, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e,
0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e,
0x61, 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x18, 0x02, 0x20, 0x01, 0x28,
0x09, 0x52, 0x04, 0x67, 0x6f, 0x4f, 0x53, 0x12, 0x16, 0x0a, 0x06, 0x6b, 0x65, 0x72, 0x6e, 0x65,
0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x6b, 0x65, 0x72, 0x6e, 0x65, 0x6c, 0x12,
0x12, 0x0a, 0x04, 0x63, 0x6f, 0x72, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x63,
0x6f, 0x72, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x18,
0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x12,
0x0e, 0x0a, 0x02, 0x4f, 0x53, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x02, 0x4f, 0x53, 0x12,
0x2e, 0x0a, 0x12, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x56, 0x65,
0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x77, 0x69, 0x72,
0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22,
0x94, 0x01, 0x0a, 0x0d, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
0x65, 0x12, 0x4b, 0x0a, 0x11, 0x77, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65,
0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6d,
0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72,
0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x11, 0x77, 0x69, 0x72,
0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36,
0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x02, 0x20, 0x01,
0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x70, 0x65, 0x65, 0x72,
0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x22, 0x5f, 0x0a, 0x11, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72,
0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b,
0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x38, 0x0a,
0x09, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b,
0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62,
0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x65, 0x78,
0x70, 0x69, 0x72, 0x65, 0x73, 0x41, 0x74, 0x22, 0x07, 0x0a, 0x05, 0x45, 0x6d, 0x70, 0x74, 0x79,
0x22, 0xa8, 0x01, 0x0a, 0x11, 0x57, 0x69, 0x72, 0x65, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x65,
0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x2c, 0x0a, 0x05, 0x73, 0x74, 0x75, 0x6e, 0x73, 0x18,
0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65,
0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x73,
0x74, 0x75, 0x6e, 0x73, 0x12, 0x35, 0x0a, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x18, 0x02, 0x20,
0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
0x2e, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f,
0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x12, 0x2e, 0x0a, 0x06, 0x73,
0x69, 0x67, 0x6e, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61,
0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e,
0x66, 0x69, 0x67, 0x52, 0x06, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x22, 0x98, 0x01, 0x0a, 0x0a,
0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72,
0x69, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x3b, 0x0a, 0x08,
0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f,
0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74,
0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52,
0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0x3b, 0x0a, 0x08, 0x50, 0x72, 0x6f,
0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x00, 0x12, 0x07,
0x0a, 0x03, 0x54, 0x43, 0x50, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10,
0x02, 0x12, 0x09, 0x0a, 0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04,
0x44, 0x54, 0x4c, 0x53, 0x10, 0x04, 0x22, 0x7d, 0x0a, 0x13, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63,
0x74, 0x65, 0x64, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a,
0x0a, 0x68, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28,
0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48,
0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x05, 0x73, 0x74, 0x75, 0x6e, 0x73,
0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x12, 0x35, 0x0a, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32,
0x01, 0x28, 0x09, 0x52, 0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x1f, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x50, 0x72, 0x6f,
0x73, 0x77, 0x6f, 0x72, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
0x73, 0x77, 0x6f, 0x72, 0x64, 0x22, 0x38, 0x0a, 0x0a, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x52, 0x05, 0x74, 0x75, 0x72, 0x6e, 0x73, 0x12, 0x2e, 0x0a, 0x06, 0x73, 0x69, 0x67, 0x6e, 0x61,
0x66, 0x69, 0x67, 0x12, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52,
0x03, 0x64, 0x6e, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x64, 0x6e, 0x73, 0x22, 0x06, 0x73, 0x69, 0x67, 0x6e, 0x61, 0x6c, 0x22, 0x98, 0x01, 0x0a, 0x0a, 0x48, 0x6f, 0x73, 0x74,
0x4e, 0x0a, 0x10, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x10, 0x0a, 0x03, 0x75, 0x72, 0x69, 0x18, 0x01, 0x20,
0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x28, 0x09, 0x52, 0x03, 0x75, 0x72, 0x69, 0x12, 0x3b, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74,
0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x6f, 0x63, 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1f, 0x2e, 0x6d, 0x61, 0x6e,
0x1e, 0x0a, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66,
0x03, 0x28, 0x09, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x32, 0x69, 0x67, 0x2e, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x52, 0x08, 0x70, 0x72, 0x6f,
0x9b, 0x02, 0x0a, 0x11, 0x4d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x22, 0x3b, 0x0a, 0x08, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f,
0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x6c, 0x12, 0x07, 0x0a, 0x03, 0x55, 0x44, 0x50, 0x10, 0x00, 0x12, 0x07, 0x0a, 0x03, 0x54, 0x43,
0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x50, 0x10, 0x01, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x10, 0x02, 0x12, 0x09, 0x0a,
0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x05, 0x48, 0x54, 0x54, 0x50, 0x53, 0x10, 0x03, 0x12, 0x08, 0x0a, 0x04, 0x44, 0x54, 0x4c, 0x53,
0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x10, 0x04, 0x22, 0x7d, 0x0a, 0x13, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x48,
0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x36, 0x0a, 0x0a, 0x68, 0x6f, 0x73,
0x53, 0x79, 0x6e, 0x63, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e,
0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x48, 0x6f, 0x73, 0x74, 0x43,
0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x68, 0x6f, 0x73, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69,
0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x75, 0x73, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
0x22, 0x00, 0x30, 0x01, 0x12, 0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x04, 0x75, 0x73, 0x65, 0x72, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72,
0x72, 0x4b, 0x65, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72,
0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x64, 0x22, 0x38, 0x0a, 0x0a, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x18, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x64, 0x6e, 0x73,
0x61, 0x6c, 0x74, 0x68, 0x79, 0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x64, 0x6e, 0x73, 0x22, 0xcc, 0x01, 0x0a, 0x0a,
0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x4d, 0x61, 0x70, 0x12, 0x16, 0x0a, 0x06, 0x53, 0x65,
0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x72, 0x69, 0x61, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x06, 0x53, 0x65, 0x72, 0x69,
0x06, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, 0x61, 0x6c, 0x12, 0x36, 0x0a, 0x0a, 0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67,
0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x16, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d,
0x65, 0x6e, 0x74, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a,
0x70, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x3e, 0x0a, 0x0b, 0x72, 0x65,
0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32,
0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x52, 0x65, 0x6d,
0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0b, 0x72,
0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x12, 0x2e, 0x0a, 0x12, 0x72, 0x65,
0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79,
0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x12, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65,
0x65, 0x72, 0x73, 0x49, 0x73, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x4e, 0x0a, 0x10, 0x52, 0x65,
0x6d, 0x6f, 0x74, 0x65, 0x50, 0x65, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a,
0x0a, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
0x52, 0x08, 0x77, 0x67, 0x50, 0x75, 0x62, 0x4b, 0x65, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x6c,
0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a,
0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x32, 0x9b, 0x02, 0x0a, 0x11, 0x4d,
0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65,
0x12, 0x45, 0x0a, 0x05, 0x4c, 0x6f, 0x67, 0x69, 0x6e, 0x12, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61,
0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64,
0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65,
0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65,
0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x12, 0x46, 0x0a, 0x04, 0x53, 0x79, 0x6e, 0x63, 0x12,
0x1c, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63,
0x72, 0x79, 0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x1a, 0x1c, 0x2e,
0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6e, 0x63, 0x72, 0x79,
0x70, 0x74, 0x65, 0x64, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x00, 0x30, 0x01, 0x12,
0x42, 0x0a, 0x0c, 0x47, 0x65, 0x74, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x12,
0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d, 0x70,
0x74, 0x79, 0x1a, 0x1d, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e,
0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
0x65, 0x22, 0x00, 0x12, 0x33, 0x0a, 0x09, 0x69, 0x73, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x79,
0x12, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x2e, 0x45, 0x6d,
0x70, 0x74, 0x79, 0x1a, 0x11, 0x2e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x6d, 0x65, 0x6e, 0x74,
0x2e, 0x45, 0x6d, 0x70, 0x74, 0x79, 0x22, 0x00, 0x42, 0x08, 0x5a, 0x06, 0x2f, 0x70, 0x72, 0x6f,
0x74, 0x6f, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
} }
var ( var (
@@ -991,7 +1118,7 @@ func file_management_proto_rawDescGZIP() []byte {
} }
var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 1) var file_management_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 13) var file_management_proto_msgTypes = make([]protoimpl.MessageInfo, 14)
var file_management_proto_goTypes = []interface{}{ var file_management_proto_goTypes = []interface{}{
(HostConfig_Protocol)(0), // 0: management.HostConfig.Protocol (HostConfig_Protocol)(0), // 0: management.HostConfig.Protocol
(*EncryptedMessage)(nil), // 1: management.EncryptedMessage (*EncryptedMessage)(nil), // 1: management.EncryptedMessage
@@ -1006,35 +1133,39 @@ var file_management_proto_goTypes = []interface{}{
(*HostConfig)(nil), // 10: management.HostConfig (*HostConfig)(nil), // 10: management.HostConfig
(*ProtectedHostConfig)(nil), // 11: management.ProtectedHostConfig (*ProtectedHostConfig)(nil), // 11: management.ProtectedHostConfig
(*PeerConfig)(nil), // 12: management.PeerConfig (*PeerConfig)(nil), // 12: management.PeerConfig
(*RemotePeerConfig)(nil), // 13: management.RemotePeerConfig (*NetworkMap)(nil), // 13: management.NetworkMap
(*timestamp.Timestamp)(nil), // 14: google.protobuf.Timestamp (*RemotePeerConfig)(nil), // 14: management.RemotePeerConfig
(*timestamp.Timestamp)(nil), // 15: google.protobuf.Timestamp
} }
var file_management_proto_depIdxs = []int32{ var file_management_proto_depIdxs = []int32{
9, // 0: management.SyncResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig 9, // 0: management.SyncResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
12, // 1: management.SyncResponse.peerConfig:type_name -> management.PeerConfig 12, // 1: management.SyncResponse.peerConfig:type_name -> management.PeerConfig
13, // 2: management.SyncResponse.remotePeers:type_name -> management.RemotePeerConfig 14, // 2: management.SyncResponse.remotePeers:type_name -> management.RemotePeerConfig
5, // 3: management.LoginRequest.meta:type_name -> management.PeerSystemMeta 13, // 3: management.SyncResponse.NetworkMap:type_name -> management.NetworkMap
9, // 4: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig 5, // 4: management.LoginRequest.meta:type_name -> management.PeerSystemMeta
12, // 5: management.LoginResponse.peerConfig:type_name -> management.PeerConfig 9, // 5: management.LoginResponse.wiretrusteeConfig:type_name -> management.WiretrusteeConfig
14, // 6: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp 12, // 6: management.LoginResponse.peerConfig:type_name -> management.PeerConfig
10, // 7: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig 15, // 7: management.ServerKeyResponse.expiresAt:type_name -> google.protobuf.Timestamp
11, // 8: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig 10, // 8: management.WiretrusteeConfig.stuns:type_name -> management.HostConfig
10, // 9: management.WiretrusteeConfig.signal:type_name -> management.HostConfig 11, // 9: management.WiretrusteeConfig.turns:type_name -> management.ProtectedHostConfig
0, // 10: management.HostConfig.protocol:type_name -> management.HostConfig.Protocol 10, // 10: management.WiretrusteeConfig.signal:type_name -> management.HostConfig
10, // 11: management.ProtectedHostConfig.hostConfig:type_name -> management.HostConfig 0, // 11: management.HostConfig.protocol:type_name -> management.HostConfig.Protocol
1, // 12: management.ManagementService.Login:input_type -> management.EncryptedMessage 10, // 12: management.ProtectedHostConfig.hostConfig:type_name -> management.HostConfig
1, // 13: management.ManagementService.Sync:input_type -> management.EncryptedMessage 12, // 13: management.NetworkMap.peerConfig:type_name -> management.PeerConfig
8, // 14: management.ManagementService.GetServerKey:input_type -> management.Empty 14, // 14: management.NetworkMap.remotePeers:type_name -> management.RemotePeerConfig
8, // 15: management.ManagementService.isHealthy:input_type -> management.Empty 1, // 15: management.ManagementService.Login:input_type -> management.EncryptedMessage
1, // 16: management.ManagementService.Login:output_type -> management.EncryptedMessage 1, // 16: management.ManagementService.Sync:input_type -> management.EncryptedMessage
1, // 17: management.ManagementService.Sync:output_type -> management.EncryptedMessage 8, // 17: management.ManagementService.GetServerKey:input_type -> management.Empty
7, // 18: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse 8, // 18: management.ManagementService.isHealthy:input_type -> management.Empty
8, // 19: management.ManagementService.isHealthy:output_type -> management.Empty 1, // 19: management.ManagementService.Login:output_type -> management.EncryptedMessage
16, // [16:20] is the sub-list for method output_type 1, // 20: management.ManagementService.Sync:output_type -> management.EncryptedMessage
12, // [12:16] is the sub-list for method input_type 7, // 21: management.ManagementService.GetServerKey:output_type -> management.ServerKeyResponse
12, // [12:12] is the sub-list for extension type_name 8, // 22: management.ManagementService.isHealthy:output_type -> management.Empty
12, // [12:12] is the sub-list for extension extendee 19, // [19:23] is the sub-list for method output_type
0, // [0:12] is the sub-list for field type_name 15, // [15:19] is the sub-list for method input_type
15, // [15:15] is the sub-list for extension type_name
15, // [15:15] is the sub-list for extension extendee
0, // [0:15] is the sub-list for field type_name
} }
func init() { file_management_proto_init() } func init() { file_management_proto_init() }
@@ -1188,6 +1319,18 @@ func file_management_proto_init() {
} }
} }
file_management_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { file_management_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*NetworkMap); i {
case 0:
return &v.state
case 1:
return &v.sizeCache
case 2:
return &v.unknownFields
default:
return nil
}
}
file_management_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*RemotePeerConfig); i { switch v := v.(*RemotePeerConfig); i {
case 0: case 0:
return &v.state return &v.state
@@ -1206,7 +1349,7 @@ func file_management_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(), GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_management_proto_rawDesc, RawDescriptor: file_management_proto_rawDesc,
NumEnums: 1, NumEnums: 1,
NumMessages: 13, NumMessages: 14,
NumExtensions: 0, NumExtensions: 0,
NumServices: 1, NumServices: 1,
}, },


@@ -9,11 +9,13 @@ package management;
service ManagementService { service ManagementService {
// Login logs in peer. In case server returns codes.PermissionDenied this endpoint can be used to register Peer providing LoginRequest.setupKey // Login logs in peer. In case server returns codes.PermissionDenied this endpoint can be used to register Peer providing LoginRequest.setupKey
// Returns encrypted LoginResponse in EncryptedMessage.Body
rpc Login(EncryptedMessage) returns (EncryptedMessage) {} rpc Login(EncryptedMessage) returns (EncryptedMessage) {}
// Sync enables peer synchronization. Each peer that is connected to this stream will receive updates from the server. // Sync enables peer synchronization. Each peer that is connected to this stream will receive updates from the server.
// For example, if a new peer has been added to an account all other connected peers will receive this peer's Wireguard public key as an update // For example, if a new peer has been added to an account all other connected peers will receive this peer's Wireguard public key as an update
// The initial SyncResponse contains all of the available peers so the local state can be refreshed // The initial SyncResponse contains all of the available peers so the local state can be refreshed
// Returns encrypted SyncResponse in EncryptedMessage.Body
rpc Sync(EncryptedMessage) returns (stream EncryptedMessage) {} rpc Sync(EncryptedMessage) returns (stream EncryptedMessage) {}
// Exposes a Wireguard public key of the Management service. // Exposes a Wireguard public key of the Management service.
@@ -30,20 +32,29 @@ message EncryptedMessage {
// encrypted message Body // encrypted message Body
bytes body = 2; bytes body = 2;
// Version of the Wiretrustee Management Service protocol
int32 version = 3;
} }
message SyncRequest {} message SyncRequest {}
// SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs) // SyncResponse represents a state that should be applied to the local peer (e.g. Wiretrustee servers config as well as local peer and remote peers configs)
message SyncResponse { message SyncResponse {
// Global config // Global config
WiretrusteeConfig wiretrusteeConfig = 1; WiretrusteeConfig wiretrusteeConfig = 1;
// Deprecated. Use NetworkMap.PeerConfig
PeerConfig peerConfig = 2; PeerConfig peerConfig = 2;
// Deprecated. Use NetworkMap.RemotePeerConfig
repeated RemotePeerConfig remotePeers = 3; repeated RemotePeerConfig remotePeers = 3;
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality. // Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
// Deprecated. Use NetworkMap.remotePeersIsEmpty
bool remotePeersIsEmpty = 4; bool remotePeersIsEmpty = 4;
NetworkMap NetworkMap = 5;
} }
message LoginRequest { message LoginRequest {
@@ -76,6 +87,8 @@ message ServerKeyResponse {
string key = 1; string key = 1;
// Key expiration timestamp after which the key should be fetched again by the client // Key expiration timestamp after which the key should be fetched again by the client
google.protobuf.Timestamp expiresAt = 2; google.protobuf.Timestamp expiresAt = 2;
// Version of the Wiretrustee Management Service protocol
int32 version = 3;
} }
message Empty {} message Empty {}
@@ -122,6 +135,24 @@ message PeerConfig {
string dns = 2; string dns = 2;
} }
// NetworkMap represents a network state of the peer with the corresponding configuration parameters to establish peer-to-peer connections
message NetworkMap {
// Serial is an ID of the network state to be used by clients to order updates.
// The larger the Serial the newer the configuration.
// E.g. the client app should keep track of this id locally and discard all the configurations with a lower value
uint64 Serial = 1;
// PeerConfig represents configuration of a peer
PeerConfig peerConfig = 2;
// RemotePeerConfig represents a list of remote peers that the receiver can connect to
repeated RemotePeerConfig remotePeers = 3;
// Indicates whether remotePeers array is empty or not to bypass protobuf null and empty array equality.
bool remotePeersIsEmpty = 4;
}
// RemotePeerConfig represents a configuration of a remote peer. // RemotePeerConfig represents a configuration of a remote peer.
// The properties are used to configure Wireguard Peers sections // The properties are used to configure Wireguard Peers sections
message RemotePeerConfig { message RemotePeerConfig {
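Review bot: The new `NetworkMap NetworkMap = 5;` field and the `uint64 Serial = 1;` inside the message break the lowerCamelCase used by every other field in this file (`peerConfig`, `remotePeers`, `expiresAt`); renaming them `networkMap` and `serial` before other clients depend on the generated names keeps the schema consistent, and the Go code in this commit is unaffected because protoc-gen-go capitalizes field names anyway. The `Deprecated.` comments on `peerConfig`, `remotePeers` and `remotePeersIsEmpty` are invisible to generated code; the field option, e.g. `PeerConfig peerConfig = 2 [deprecated = true];`, makes protoc emit deprecation markers in every target language. The `Serial` comment tells clients to discard configurations with a lower value but does not say what the serial is scoped to; stating that it is per account network (which is what the server-side `account.Network.Serial()` in this commit suggests) would stop a client from comparing serials across accounts.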


@@ -1,13 +1,12 @@
package server package server
import ( import (
"github.com/google/uuid"
"github.com/rs/xid" "github.com/rs/xid"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/management/server/idp"
"github.com/wiretrustee/wiretrustee/util" "github.com/wiretrustee/wiretrustee/util"
"google.golang.org/grpc/codes" "google.golang.org/grpc/codes"
"google.golang.org/grpc/status" "google.golang.org/grpc/status"
"net"
"sync" "sync"
) )
@@ -16,6 +15,7 @@ type AccountManager struct {
// mutex to synchronise account operations (e.g. generating Peer IP address inside the Network) // mutex to synchronise account operations (e.g. generating Peer IP address inside the Network)
mux sync.Mutex mux sync.Mutex
peersUpdateManager *PeersUpdateManager peersUpdateManager *PeersUpdateManager
idpManager idp.Manager
} }
// Account represents a unique account of the system // Account represents a unique account of the system
@@ -23,12 +23,19 @@ type Account struct {
Id string Id string
// User.Id it was created by // User.Id it was created by
CreatedBy string CreatedBy string
Domain string
SetupKeys map[string]*SetupKey SetupKeys map[string]*SetupKey
Network *Network Network *Network
Peers map[string]*Peer Peers map[string]*Peer
Users map[string]*User Users map[string]*User
} }
// NewAccount creates a new Account with a generated ID and generated default setup keys
func NewAccount(userId, domain string) *Account {
accountId := xid.New().String()
return newAccountWithId(accountId, userId, domain)
}
func (a *Account) Copy() *Account { func (a *Account) Copy() *Account {
peers := map[string]*Peer{} peers := map[string]*Peer{}
for id, peer := range a.Peers { for id, peer := range a.Peers {
@@ -56,11 +63,12 @@ func (a *Account) Copy() *Account {
} }
// NewManager creates a new AccountManager with a provided Store // NewManager creates a new AccountManager with a provided Store
func NewManager(store Store, peersUpdateManager *PeersUpdateManager) *AccountManager { func NewManager(store Store, peersUpdateManager *PeersUpdateManager, idpManager idp.Manager) *AccountManager {
return &AccountManager{ return &AccountManager{
Store: store, Store: store,
mux: sync.Mutex{}, mux: sync.Mutex{},
peersUpdateManager: peersUpdateManager, peersUpdateManager: peersUpdateManager,
idpManager: idpManager,
} }
} }
@@ -142,8 +150,8 @@ func (am *AccountManager) RenameSetupKey(accountId string, keyId string, newName
return keyCopy, nil return keyCopy, nil
} }
//GetAccount returns an existing account or error (NotFound) if doesn't exist //GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist
func (am *AccountManager) GetAccount(accountId string) (*Account, error) { func (am *AccountManager) GetAccountById(accountId string) (*Account, error) {
am.mux.Lock() am.mux.Lock()
defer am.mux.Unlock() defer am.mux.Unlock()
@@ -155,6 +163,30 @@ func (am *AccountManager) GetAccount(accountId string) (*Account, error) {
return account, nil return account, nil
} }
//GetAccountByUserOrAccountId look for an account by user or account Id, if no account is provided and
// user id doesn't have an account associated with it, one account is created
func (am *AccountManager) GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error) {
if accountId != "" {
return am.GetAccountById(accountId)
} else if userId != "" {
account, err := am.GetOrCreateAccountByUser(userId, domain)
if err != nil {
return nil, status.Errorf(codes.NotFound, "account not found using user id: %s", userId)
}
// update idp manager app metadata
if am.idpManager != nil {
err = am.idpManager.UpdateUserAppMetadata(userId, idp.AppMetadata{WTAccountId: account.Id})
if err != nil {
return nil, status.Errorf(codes.Internal, "updating user's app metadata failed with: %v", err)
}
}
return account, nil
}
return nil, status.Errorf(codes.NotFound, "no valid user or account Id provided")
}
//AccountExists checks whether account exists (returns true) or not (returns false) //AccountExists checks whether account exists (returns true) or not (returns false)
func (am *AccountManager) AccountExists(accountId string) (*bool, error) { func (am *AccountManager) AccountExists(accountId string) (*bool, error) {
am.mux.Lock() am.mux.Lock()
@@ -176,17 +208,17 @@ func (am *AccountManager) AccountExists(accountId string) (*bool, error) {
} }
// AddAccount generates a new Account with a provided accountId and userId, saves to the Store // AddAccount generates a new Account with a provided accountId and userId, saves to the Store
func (am *AccountManager) AddAccount(accountId string, userId string) (*Account, error) { func (am *AccountManager) AddAccount(accountId, userId, domain string) (*Account, error) {
am.mux.Lock() am.mux.Lock()
defer am.mux.Unlock() defer am.mux.Unlock()
return am.createAccount(accountId, userId) return am.createAccount(accountId, userId, domain)
} }
func (am *AccountManager) createAccount(accountId string, userId string) (*Account, error) { func (am *AccountManager) createAccount(accountId, userId, domain string) (*Account, error) {
account, _ := newAccountWithId(accountId, userId) account := newAccountWithId(accountId, userId, domain)
err := am.Store.SaveAccount(account) err := am.Store.SaveAccount(account)
if err != nil { if err != nil {
@@ -197,7 +229,7 @@ func (am *AccountManager) createAccount(accountId string, userId string) (*Accou
} }
// newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id // newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
func newAccountWithId(accountId string, userId string) (*Account, *SetupKey) { func newAccountWithId(accountId, userId, domain string) *Account {
log.Debugf("creating new account") log.Debugf("creating new account")
@@ -206,22 +238,21 @@ func newAccountWithId(accountId string, userId string) (*Account, *SetupKey) {
oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration) oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration)
setupKeys[defaultKey.Key] = defaultKey setupKeys[defaultKey.Key] = defaultKey
setupKeys[oneOffKey.Key] = oneOffKey setupKeys[oneOffKey.Key] = oneOffKey
network := &Network{ network := NewNetwork()
Id: uuid.New().String(),
Net: net.IPNet{IP: net.ParseIP("100.64.0.0"), Mask: net.IPMask{255, 192, 0, 0}},
Dns: ""}
peers := make(map[string]*Peer) peers := make(map[string]*Peer)
users := make(map[string]*User) users := make(map[string]*User)
log.Debugf("created new account %s with setup key %s", accountId, defaultKey.Key) log.Debugf("created new account %s with setup key %s", accountId, defaultKey.Key)
return &Account{Id: accountId, SetupKeys: setupKeys, Network: network, Peers: peers, Users: users, CreatedBy: userId}, defaultKey return &Account{
} Id: accountId,
SetupKeys: setupKeys,
// newAccount creates a new Account with a default SetupKey and a provided User.Id of a user who issued account creation (doesn't store in a Store) Network: network,
func newAccount(userId string) (*Account, *SetupKey) { Peers: peers,
accountId := xid.New().String() Users: users,
return newAccountWithId(accountId, userId) CreatedBy: userId,
Domain: domain,
}
} }
func getAccountSetupKeyById(acc *Account, keyId string) *SetupKey { func getAccountSetupKeyById(acc *Account, keyId string) *SetupKey {
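Review bot: `GetAccountByUserOrAccountId` discards the error returned by `GetOrCreateAccountByUser` and reports every failure, including store errors, as `codes.NotFound`, which hides the real cause from the caller and the logs; `return nil, status.Errorf(codes.NotFound, "account not found using user id %s: %v", userId, err)` at least preserves it, and mapping only a genuine not-found to `codes.NotFound` and the rest to `codes.Internal` would be more accurate. In the `accountId != ""` branch the account is returned by ID without checking that `userId` belongs to it, so the function implicitly relies on the account ID coming from a trusted source (it appears to be the JWT app metadata that the `am.idpManager.UpdateUserAppMetadata` call writes); a doc comment such as `// accountId must come from a verified JWT claim; callers must never pass a client-supplied value` would make that contract explicit. `UpdateUserAppMetadata` is also invoked on every call that takes the `userId` path, not only when an account was just created, which turns each lookup into a remote write to the IdP; doing it only when `GetOrCreateAccountByUser` actually created the account would avoid that. The `else if` after a returning `if` can be flattened into two guard clauses.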


@@ -14,7 +14,7 @@ func TestAccountManager_GetOrCreateAccountByUser(t *testing.T) {
} }
userId := "test_user" userId := "test_user"
account, err := manager.GetOrCreateAccountByUser(userId) account, err := manager.GetOrCreateAccountByUser(userId, "")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -32,6 +32,43 @@ func TestAccountManager_GetOrCreateAccountByUser(t *testing.T) {
} }
} }
func TestAccountManager_SetOrUpdateDomain(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
userId := "test_user"
domain := "hotmail.com"
account, err := manager.GetOrCreateAccountByUser(userId, domain)
if err != nil {
t.Fatal(err)
}
if account == nil {
t.Fatalf("expected to create an account for a user %s", userId)
}
if account.Domain != domain {
t.Errorf("setting account domain failed, expected %s, got %s", domain, account.Domain)
}
domain = "gmail.com"
account, err = manager.GetOrCreateAccountByUser(userId, domain)
if err != nil {
t.Fatalf("got the following error while retrieving existing acc: %v", err)
}
if account == nil {
t.Fatalf("expected to get an account for a user %s", userId)
}
if account.Domain != domain {
t.Errorf("updating domain. expected %s got %s", domain, account.Domain)
}
}
func TestAccountManager_AddAccount(t *testing.T) { func TestAccountManager_AddAccount(t *testing.T) {
manager, err := createManager(t) manager, err := createManager(t)
if err != nil { if err != nil {
@@ -48,7 +85,7 @@ func TestAccountManager_AddAccount(t *testing.T) {
Mask: net.IPMask{255, 192, 0, 0}, Mask: net.IPMask{255, 192, 0, 0},
} }
account, err := manager.AddAccount(expectedId, userId) account, err := manager.AddAccount(expectedId, userId, "")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -70,6 +107,36 @@ func TestAccountManager_AddAccount(t *testing.T) {
} }
} }
func TestAccountManager_GetAccountByUserOrAccountId(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
userId := "test_user"
account, err := manager.GetAccountByUserOrAccountId(userId, "", "")
if err != nil {
t.Fatal(err)
}
if account == nil {
t.Fatalf("expected to create an account for a user %s", userId)
}
accountId := account.Id
_, err = manager.GetAccountByUserOrAccountId("", accountId, "")
if err != nil {
t.Errorf("expected to get existing account after creation using userid, no account was found for a account %s", accountId)
}
_, err = manager.GetAccountByUserOrAccountId("", "", "")
if err == nil {
t.Errorf("expected an error when user and account IDs are empty")
}
}
func TestAccountManager_AccountExists(t *testing.T) { func TestAccountManager_AccountExists(t *testing.T) {
manager, err := createManager(t) manager, err := createManager(t)
if err != nil { if err != nil {
@@ -79,7 +146,7 @@ func TestAccountManager_AccountExists(t *testing.T) {
expectedId := "test_account" expectedId := "test_account"
userId := "account_creator" userId := "account_creator"
_, err = manager.AddAccount(expectedId, userId) _, err = manager.AddAccount(expectedId, userId, "")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@@ -104,13 +171,13 @@ func TestAccountManager_GetAccount(t *testing.T) {
expectedId := "test_account" expectedId := "test_account"
userId := "account_creator" userId := "account_creator"
account, err := manager.AddAccount(expectedId, userId) account, err := manager.AddAccount(expectedId, userId, "")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
//AddAccount has been already tested so we can assume it is correct and compare results //AddAccount has been already tested so we can assume it is correct and compare results
getAccount, err := manager.GetAccount(expectedId) getAccount, err := manager.GetAccountById(expectedId)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
@@ -141,11 +208,13 @@ func TestAccountManager_AddPeer(t *testing.T) {
return return
} }
account, err := manager.AddAccount("test_account", "account_creator") account, err := manager.AddAccount("test_account", "account_creator", "")
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
serial := account.Network.Serial() //should be 0
var setupKey *SetupKey var setupKey *SetupKey
for _, key := range account.SetupKeys { for _, key := range account.SetupKeys {
setupKey = key setupKey = key
@@ -156,7 +225,12 @@ func TestAccountManager_AddPeer(t *testing.T) {
return return
} }
key, err := wgtypes.GenerateKey() if account.Network.serial != 0 {
t.Errorf("expecting account network to have an initial serial=0")
return
}
key, err := wgtypes.GeneratePrivateKey()
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
return return
@@ -164,7 +238,7 @@ func TestAccountManager_AddPeer(t *testing.T) {
expectedPeerKey := key.PublicKey().String() expectedPeerKey := key.PublicKey().String()
expectedPeerIP := "100.64.0.1" expectedPeerIP := "100.64.0.1"
peer, err := manager.AddPeer(setupKey.Key, Peer{ peer, err := manager.AddPeer(setupKey.Key, &Peer{
Key: expectedPeerKey, Key: expectedPeerKey,
Meta: PeerSystemMeta{}, Meta: PeerSystemMeta{},
Name: expectedPeerKey, Name: expectedPeerKey,
@@ -174,6 +248,12 @@ func TestAccountManager_AddPeer(t *testing.T) {
return return
} }
account, err = manager.GetAccountById(account.Id)
if err != nil {
t.Fatal(err)
return
}
if peer.Key != expectedPeerKey { if peer.Key != expectedPeerKey {
t.Errorf("expecting just added peer to have key = %s, got %s", expectedPeerKey, peer.Key) t.Errorf("expecting just added peer to have key = %s, got %s", expectedPeerKey, peer.Key)
} }
@@ -182,13 +262,70 @@ func TestAccountManager_AddPeer(t *testing.T) {
t.Errorf("expecting just added peer to have IP = %s, got %s", expectedPeerIP, peer.IP.String()) t.Errorf("expecting just added peer to have IP = %s, got %s", expectedPeerIP, peer.IP.String())
} }
if account.Network.Serial() != 1 {
t.Errorf("expecting Network serial=%d to be incremented by 1 and be equal to %d when adding new peer to account", serial, account.Network.Serial())
}
} }
func TestAccountManager_DeletePeer(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
account, err := manager.AddAccount("test_account", "account_creator", "")
if err != nil {
t.Fatal(err)
}
var setupKey *SetupKey
for _, key := range account.SetupKeys {
setupKey = key
}
key, err := wgtypes.GenerateKey()
if err != nil {
t.Fatal(err)
return
}
peerKey := key.PublicKey().String()
_, err = manager.AddPeer(setupKey.Key, &Peer{
Key: peerKey,
Meta: PeerSystemMeta{},
Name: peerKey,
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
}
_, err = manager.DeletePeer(account.Id, peerKey)
if err != nil {
return
}
account, err = manager.GetAccountById(account.Id)
if err != nil {
t.Fatal(err)
return
}
if account.Network.Serial() != 2 {
t.Errorf("expecting Network serial=%d to be incremented and be equal to 2 after adding and deleteing a peer", account.Network.Serial())
}
}
func createManager(t *testing.T) (*AccountManager, error) { func createManager(t *testing.T) (*AccountManager, error) {
store, err := createStore(t) store, err := createStore(t)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return NewManager(store, NewPeersUpdateManager()), nil return NewManager(store, NewPeersUpdateManager(), nil), nil
} }
func createStore(t *testing.T) (Store, error) { func createStore(t *testing.T) (Store, error) {


@@ -1,6 +1,7 @@
package server package server
import ( import (
"github.com/wiretrustee/wiretrustee/management/server/idp"
"github.com/wiretrustee/wiretrustee/util" "github.com/wiretrustee/wiretrustee/util"
) )
@@ -23,6 +24,8 @@ type Config struct {
Datadir string Datadir string
HttpConfig *HttpServerConfig HttpConfig *HttpServerConfig
IdpManagerConfig *idp.Config
} }
// TURNConfig is a config of the TURNCredentialsManager // TURNConfig is a config of the TURNCredentialsManager


@@ -32,7 +32,7 @@ func TestNewStore(t *testing.T) {
func TestSaveAccount(t *testing.T) { func TestSaveAccount(t *testing.T) {
store := newStore(t) store := newStore(t)
account, _ := newAccount("testuser") account := NewAccount("testuser", "")
account.Users["testuser"] = NewAdminUser("testuser") account.Users["testuser"] = NewAdminUser("testuser")
setupKey := GenerateDefaultSetupKey() setupKey := GenerateDefaultSetupKey()
account.SetupKeys[setupKey.Key] = setupKey account.SetupKeys[setupKey.Key] = setupKey
@@ -72,7 +72,7 @@ func TestSaveAccount(t *testing.T) {
func TestStore(t *testing.T) { func TestStore(t *testing.T) {
store := newStore(t) store := newStore(t)
account, _ := newAccount("testuser") account := NewAccount("testuser", "")
account.Users["testuser"] = NewAdminUser("testuser") account.Users["testuser"] = NewAdminUser("testuser")
account.Peers["testpeer"] = &Peer{ account.Peers["testpeer"] = &Peer{
Key: "peerkey", Key: "peerkey",


@@ -141,7 +141,7 @@ func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Pe
if meta == nil { if meta == nil {
return nil, status.Errorf(codes.InvalidArgument, "peer meta data was not provided") return nil, status.Errorf(codes.InvalidArgument, "peer meta data was not provided")
} }
peer, err := s.accountManager.AddPeer(req.GetSetupKey(), Peer{ peer, err := s.accountManager.AddPeer(req.GetSetupKey(), &Peer{
Key: peerKey.String(), Key: peerKey.String(),
Name: meta.GetHostname(), Name: meta.GetHostname(),
Meta: PeerSystemMeta{ Meta: PeerSystemMeta{
@@ -158,21 +158,22 @@ func (s *Server) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest) (*Pe
return nil, status.Errorf(codes.NotFound, "provided setup key doesn't exists") return nil, status.Errorf(codes.NotFound, "provided setup key doesn't exists")
} }
peers, err := s.accountManager.GetPeersForAPeer(peer.Key) //todo move to AccountManager the code below
networkMap, err := s.accountManager.GetNetworkMap(peer.Key)
if err != nil { if err != nil {
return nil, status.Error(codes.Internal, "internal server error") return nil, status.Error(codes.Internal, "internal server error")
} }
// notify other peers of our registration // notify other peers of our registration
for _, remotePeer := range peers { for _, remotePeer := range networkMap.Peers {
// exclude notified peer and add ourselves // exclude notified peer and add ourselves
peersToSend := []*Peer{peer} peersToSend := []*Peer{peer}
for _, p := range peers { for _, p := range networkMap.Peers {
if remotePeer.Key != p.Key { if remotePeer.Key != p.Key {
peersToSend = append(peersToSend, p) peersToSend = append(peersToSend, p)
} }
} }
update := toSyncResponse(s.config, peer, peersToSend, nil) update := toSyncResponse(s.config, peer, peersToSend, nil, networkMap.Network.Serial())
err = s.peersUpdateManager.SendUpdate(remotePeer.Key, &UpdateMessage{Update: update}) err = s.peersUpdateManager.SendUpdate(remotePeer.Key, &UpdateMessage{Update: update})
if err != nil { if err != nil {
// todo rethink if we should keep this return // todo rethink if we should keep this return
@@ -317,7 +318,7 @@ func toRemotePeerConfig(peers []*Peer) []*proto.RemotePeerConfig {
} }
func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *TURNCredentials) *proto.SyncResponse { func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *TURNCredentials, serial uint64) *proto.SyncResponse {
wtConfig := toWiretrusteeConfig(config, turnCredentials) wtConfig := toWiretrusteeConfig(config, turnCredentials)
@@ -330,6 +331,12 @@ func toSyncResponse(config *Config, peer *Peer, peers []*Peer, turnCredentials *
PeerConfig: pConfig, PeerConfig: pConfig,
RemotePeers: remotePeers, RemotePeers: remotePeers,
RemotePeersIsEmpty: len(remotePeers) == 0, RemotePeersIsEmpty: len(remotePeers) == 0,
NetworkMap: &proto.NetworkMap{
Serial: serial,
PeerConfig: pConfig,
RemotePeers: remotePeers,
RemotePeersIsEmpty: len(remotePeers) == 0,
},
} }
} }
@@ -341,7 +348,7 @@ func (s *Server) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Empty,
// sendInitialSync sends initial proto.SyncResponse to the peer requesting synchronization // sendInitialSync sends initial proto.SyncResponse to the peer requesting synchronization
func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.ManagementService_SyncServer) error { func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.ManagementService_SyncServer) error {
peers, err := s.accountManager.GetPeersForAPeer(peer.Key) networkMap, err := s.accountManager.GetNetworkMap(peer.Key)
if err != nil { if err != nil {
log.Warnf("error getting a list of peers for a peer %s", peer.Key) log.Warnf("error getting a list of peers for a peer %s", peer.Key)
return err return err
@@ -355,7 +362,7 @@ func (s *Server) sendInitialSync(peerKey wgtypes.Key, peer *Peer, srv proto.Mana
} else { } else {
turnCredentials = nil turnCredentials = nil
} }
plainResp := toSyncResponse(s.config, peer, peers, turnCredentials) plainResp := toSyncResponse(s.config, peer, networkMap.Peers, turnCredentials, networkMap.Network.Serial())
encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp) encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)
if err != nil { if err != nil {
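Review bot: In `registerPeer` the update broadcast to each `remotePeer` is built with `toSyncResponse(s.config, peer, peersToSend, nil, networkMap.Network.Serial())`, where `peer` is the newly registered peer; if `pConfig` in `toSyncResponse` is derived from that argument (the lines before `PeerConfig: pConfig` are outside the hunk), every remote peer now receives a `NetworkMap` whose `PeerConfig` describes the new peer rather than itself, stamped with a serial the proto comment tells clients to treat as authoritative. The behaviour predates this commit, but the new `NetworkMap.Serial` gives it teeth; passing `remotePeer` as the peer argument for broadcast updates, or leaving `PeerConfig` unset there, would avoid shipping another peer's local config. The new `NetworkMap` also duplicates `PeerConfig`, `RemotePeers` and `RemotePeersIsEmpty` next to the deprecated top-level fields, doubling the payload of every update; acceptable for compatibility, but a comment such as `// legacy top-level fields kept for pre-NetworkMap clients; remove once they are gone` would record the intent. The bodies of `registerPeer` and `sendInitialSync` continue outside the hunk.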


@@ -13,6 +13,7 @@ import (
//Peers is a handler that returns peers of the account //Peers is a handler that returns peers of the account
type Peers struct { type Peers struct {
accountManager *server.AccountManager accountManager *server.AccountManager
authAudience string
} }
//PeerResponse is a response sent to the client //PeerResponse is a response sent to the client
@@ -22,6 +23,7 @@ type PeerResponse struct {
Connected bool Connected bool
LastSeen time.Time LastSeen time.Time
OS string OS string
Version string
} }
//PeerRequest is a request sent by the client //PeerRequest is a request sent by the client
@@ -29,9 +31,10 @@ type PeerRequest struct {
Name string Name string
} }
func NewPeers(accountManager *server.AccountManager) *Peers { func NewPeers(accountManager *server.AccountManager, authAudience string) *Peers {
return &Peers{ return &Peers{
accountManager: accountManager, accountManager: accountManager,
authAudience: authAudience,
} }
} }
@@ -61,11 +64,21 @@ func (h *Peers) deletePeer(accountId string, peer *server.Peer, w http.ResponseW
writeJSONObject(w, "") writeJSONObject(w, "")
} }
func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) { func (h *Peers) getPeerAccount(r *http.Request) (*server.Account, error) {
userId := extractUserIdFromRequestContext(r) jwtClaims := extractClaimsFromRequestContext(r, h.authAudience)
account, err := h.accountManager.GetOrCreateAccountByUser(userId)
account, err := h.accountManager.GetAccountByUserOrAccountId(jwtClaims.UserId, jwtClaims.AccountId, jwtClaims.Domain)
if err != nil { if err != nil {
log.Errorf("failed getting account of a user %s: %v", userId, err) return nil, fmt.Errorf("failed getting account of a user %s: %v", jwtClaims.UserId, err)
}
return account, nil
}
func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
account, err := h.getPeerAccount(r)
if err != nil {
log.Error(err)
http.Redirect(w, r, "/", http.StatusInternalServerError) http.Redirect(w, r, "/", http.StatusInternalServerError)
return return
} }
@@ -102,11 +115,9 @@ func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
func (h *Peers) GetPeers(w http.ResponseWriter, r *http.Request) { func (h *Peers) GetPeers(w http.ResponseWriter, r *http.Request) {
switch r.Method { switch r.Method {
case http.MethodGet: case http.MethodGet:
userId := extractUserIdFromRequestContext(r) account, err := h.getPeerAccount(r)
//new user -> create a new account
account, err := h.accountManager.GetOrCreateAccountByUser(userId)
if err != nil { if err != nil {
log.Errorf("failed getting account of a user %s: %v", userId, err) log.Error(err)
http.Redirect(w, r, "/", http.StatusInternalServerError) http.Redirect(w, r, "/", http.StatusInternalServerError)
return return
} }
@@ -129,5 +140,6 @@ func toPeerResponse(peer *server.Peer) *PeerResponse {
Connected: peer.Status.Connected, Connected: peer.Status.Connected,
LastSeen: peer.Status.LastSeen, LastSeen: peer.Status.LastSeen,
OS: fmt.Sprintf("%s %s", peer.Meta.OS, peer.Meta.Core), OS: fmt.Sprintf("%s %s", peer.Meta.OS, peer.Meta.Core),
Version: peer.Meta.WtVersion,
} }
} }
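Review bot: `getPeerAccount` wraps the lookup failure with `%v`, which drops the error chain for `errors.Is`/`errors.As` in its callers; `return nil, fmt.Errorf("failed getting account of a user %s: %w", jwtClaims.UserId, err)` keeps it, and the same applies to `getSetupKeyAccount` in the setup-keys handler. Account selection now follows the `wt_account_id` and `wt_user_domain` claims, so everything `HandlePeer` and `GetPeers` do afterwards (their bodies continue outside the hunk) depends on those claims being set only by the IdP; the `AppMetadata` type in the new `idp` package suggests they are sourced from Auth0 app_metadata, which end users cannot edit, but nothing in this file records that assumption. Proposed comment on the helper: `// getPeerAccount resolves the caller's account from the verified JWT; the account and domain claims must be issued by the IdP only, never derived from user-editable profile data.`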


@@ -2,6 +2,7 @@ package handler
import ( import (
"encoding/json" "encoding/json"
"fmt"
"github.com/gorilla/mux" "github.com/gorilla/mux"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/management/server" "github.com/wiretrustee/wiretrustee/management/server"
@@ -15,6 +16,7 @@ import (
// SetupKeys is a handler that returns a list of setup keys of the account // SetupKeys is a handler that returns a list of setup keys of the account
type SetupKeys struct { type SetupKeys struct {
accountManager *server.AccountManager accountManager *server.AccountManager
authAudience string
} }
// SetupKeyResponse is a response sent to the client // SetupKeyResponse is a response sent to the client
@@ -39,9 +41,10 @@ type SetupKeyRequest struct {
Revoked bool Revoked bool
} }
func NewSetupKeysHandler(accountManager *server.AccountManager) *SetupKeys { func NewSetupKeysHandler(accountManager *server.AccountManager, authAudience string) *SetupKeys {
return &SetupKeys{ return &SetupKeys{
accountManager: accountManager, accountManager: accountManager,
authAudience: authAudience,
} }
} }
@@ -76,7 +79,7 @@ func (h *SetupKeys) updateKey(accountId string, keyId string, w http.ResponseWri
} }
func (h *SetupKeys) getKey(accountId string, keyId string, w http.ResponseWriter, r *http.Request) { func (h *SetupKeys) getKey(accountId string, keyId string, w http.ResponseWriter, r *http.Request) {
account, err := h.accountManager.GetAccount(accountId) account, err := h.accountManager.GetAccountById(accountId)
if err != nil { if err != nil {
http.Error(w, "account doesn't exist", http.StatusInternalServerError) http.Error(w, "account doesn't exist", http.StatusInternalServerError)
return return
@@ -117,11 +120,21 @@ func (h *SetupKeys) createKey(accountId string, w http.ResponseWriter, r *http.R
writeSuccess(w, setupKey) writeSuccess(w, setupKey)
} }
func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) { func (h *SetupKeys) getSetupKeyAccount(r *http.Request) (*server.Account, error) {
userId := extractUserIdFromRequestContext(r) jwtClaims := extractClaimsFromRequestContext(r, h.authAudience)
account, err := h.accountManager.GetOrCreateAccountByUser(userId)
account, err := h.accountManager.GetAccountByUserOrAccountId(jwtClaims.UserId, jwtClaims.AccountId, jwtClaims.Domain)
if err != nil { if err != nil {
log.Errorf("failed getting account of a user %s: %v", userId, err) return nil, fmt.Errorf("failed getting account of a user %s: %v", jwtClaims.UserId, err)
}
return account, nil
}
func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) {
account, err := h.getSetupKeyAccount(r)
if err != nil {
log.Error(err)
http.Redirect(w, r, "/", http.StatusInternalServerError) http.Redirect(w, r, "/", http.StatusInternalServerError)
return return
} }
@@ -147,11 +160,9 @@ func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) {
func (h *SetupKeys) GetKeys(w http.ResponseWriter, r *http.Request) { func (h *SetupKeys) GetKeys(w http.ResponseWriter, r *http.Request) {
userId := extractUserIdFromRequestContext(r) account, err := h.getSetupKeyAccount(r)
//new user -> create a new account
account, err := h.accountManager.GetOrCreateAccountByUser(userId)
if err != nil { if err != nil {
log.Errorf("failed getting account of a user %s: %v", userId, err) log.Error(err)
http.Redirect(w, r, "/", http.StatusInternalServerError) http.Redirect(w, r, "/", http.StatusInternalServerError)
return return
} }
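Review bot: `getSetupKeyAccount` duplicates `getPeerAccount` from the peers handler line for line (same claims extraction, same `GetAccountByUserOrAccountId` call, same error text), and both handlers now carry an `authAudience` field only to feed this helper. A single package-level helper next to `extractClaimsFromRequestContext`, e.g. `func accountFromRequest(r *http.Request, am *server.AccountManager, authAudience string) (*server.Account, error)`, would keep the two handlers in step when the account-resolution rule changes again. The error built here should also wrap with `%w` rather than `%v` so callers can inspect the underlying cause.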


@@ -8,13 +8,28 @@ import (
"time" "time"
) )
// extractUserIdFromRequestContext extracts accountId from the request context previously filled by the JWT token (after auth) // JWTClaims stores information from JWTs
func extractUserIdFromRequestContext(r *http.Request) string { type JWTClaims struct {
UserId string
AccountId string
Domain string
}
// extractClaimsFromRequestContext extracts claims from the request context previously filled by the JWT token (after auth)
func extractClaimsFromRequestContext(r *http.Request, authAudiance string) JWTClaims {
token := r.Context().Value("user").(*jwt.Token) token := r.Context().Value("user").(*jwt.Token)
claims := token.Claims.(jwt.MapClaims) claims := token.Claims.(jwt.MapClaims)
jwtClaims := JWTClaims{}
//actually a user id but for now we have a 1 to 1 mapping. jwtClaims.UserId = claims["sub"].(string)
return claims["sub"].(string) accountIdClaim, ok := claims[authAudiance+"wt_account_id"]
if ok {
jwtClaims.AccountId = accountIdClaim.(string)
}
domainClaim, ok := claims[authAudiance+"wt_user_domain"]
if ok {
jwtClaims.Domain = domainClaim.(string)
}
return jwtClaims
} }
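Review bot: `extractClaimsFromRequestContext` uses single-value type assertions on `claims["sub"]`, `accountIdClaim` and `domainClaim`, so a token whose claim is absent or is not a JSON string panics the handler instead of producing an error response. Use the two-value form, `sub, ok := claims["sub"].(string)`, and treat a missing or non-string `sub` as a failed request; the `wt_account_id` and `wt_user_domain` lookups can apply the same `v, ok := claim.(string)` check before assigning. Because the current `JWTClaims` return value cannot distinguish "claim absent" from "claim malformed", returning `(JWTClaims, error)` would let the handlers reject malformed tokens explicitly rather than proceeding with empty fields. The parameter name `authAudiance` also misspells audience; `authAudience` matches the field name the handlers use.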
//writeJSONObject simply writes object to the HTTP reponse in JSON format //writeJSONObject simply writes object to the HTTP reponse in JSON format


@@ -73,8 +73,8 @@ func (s *Server) Start() error {
r := mux.NewRouter() r := mux.NewRouter()
r.Use(jwtMiddleware.Handler, corsMiddleware.Handler) r.Use(jwtMiddleware.Handler, corsMiddleware.Handler)
peersHandler := handler.NewPeers(s.accountManager) peersHandler := handler.NewPeers(s.accountManager, s.config.AuthAudience)
keysHandler := handler.NewSetupKeysHandler(s.accountManager) keysHandler := handler.NewSetupKeysHandler(s.accountManager, s.config.AuthAudience)
r.HandleFunc("/api/peers", peersHandler.GetPeers).Methods("GET", "OPTIONS") r.HandleFunc("/api/peers", peersHandler.GetPeers).Methods("GET", "OPTIONS")
r.HandleFunc("/api/peers/{id}", peersHandler.HandlePeer).Methods("GET", "PUT", "DELETE", "OPTIONS") r.HandleFunc("/api/peers/{id}", peersHandler.HandlePeer).Methods("GET", "PUT", "DELETE", "OPTIONS")


@@ -0,0 +1,207 @@
package idp
import (
"encoding/json"
"fmt"
"github.com/golang-jwt/jwt"
log "github.com/sirupsen/logrus"
"io"
"io/ioutil"
"net/http"
"strings"
"sync"
"time"
)
// Auth0Manager auth0 manager client instance
type Auth0Manager struct {
authIssuer string
httpClient ManagerHTTPClient
credentials ManagerCredentials
helper ManagerHelper
}
// Auth0ClientConfig auth0 manager client configurations
type Auth0ClientConfig struct {
Audience string `json:"audiance"`
AuthIssuer string `json:"auth_issuer"`
ClientId string `json:"client_id"`
ClientSecret string `json:"client_secret"`
GrantType string `json:"grant_type"`
}
// Auth0Credentials auth0 authentication information
type Auth0Credentials struct {
clientConfig Auth0ClientConfig
helper ManagerHelper
httpClient ManagerHTTPClient
jwtToken JWTToken
mux sync.Mutex
}
// NewAuth0Manager creates a new instance of the Auth0Manager
func NewAuth0Manager(config Auth0ClientConfig) *Auth0Manager {
httpTransport := http.DefaultTransport.(*http.Transport).Clone()
httpTransport.MaxIdleConns = 5
httpTransport.IdleConnTimeout = 30
httpClient := &http.Client{
Timeout: 10 * time.Second,
Transport: httpTransport,
}
helper := JsonParser{}
credentials := &Auth0Credentials{
clientConfig: config,
httpClient: httpClient,
helper: helper,
}
return &Auth0Manager{
authIssuer: config.AuthIssuer,
credentials: credentials,
httpClient: httpClient,
helper: helper,
}
}
// jwtStillValid returns true if the token still valid and have enough time to be used and get a response from Auth0
func (c *Auth0Credentials) jwtStillValid() bool {
return !c.jwtToken.expiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(c.jwtToken.expiresInTime)
}
// requestJWTToken performs request to get jwt token
func (c *Auth0Credentials) requestJWTToken() (*http.Response, error) {
var res *http.Response
url := c.clientConfig.AuthIssuer + "/oauth/token"
p, err := c.helper.Marshal(c.clientConfig)
if err != nil {
return res, err
}
payload := strings.NewReader(string(p))
req, err := http.NewRequest("POST", url, payload)
if err != nil {
return res, err
}
req.Header.Add("content-type", "application/json")
res, err = c.httpClient.Do(req)
if err != nil {
return res, err
}
if res.StatusCode != 200 {
return res, fmt.Errorf("unable to get token, statusCode %d", res.StatusCode)
}
return res, nil
}
// parseRequestJWTResponse parses jwt raw response body and extracts token and expires in seconds
func (c *Auth0Credentials) parseRequestJWTResponse(rawBody io.ReadCloser) (JWTToken, error) {
jwtToken := JWTToken{}
body, err := ioutil.ReadAll(rawBody)
if err != nil {
return jwtToken, err
}
err = c.helper.Unmarshal(body, &jwtToken)
if err != nil {
return jwtToken, err
}
if jwtToken.ExpiresIn == 0 && jwtToken.AccessToken == "" {
return jwtToken, fmt.Errorf("error while reading response body, expires_in: %d and access_token: %s", jwtToken.ExpiresIn, jwtToken.AccessToken)
}
data, err := jwt.DecodeSegment(strings.Split(jwtToken.AccessToken, ".")[1])
if err != nil {
return jwtToken, err
}
// Exp maps into exp from jwt token
var IssuedAt struct{ Exp int64 }
err = json.Unmarshal(data, &IssuedAt)
if err != nil {
return jwtToken, err
}
jwtToken.expiresInTime = time.Unix(IssuedAt.Exp, 0)
return jwtToken, nil
}
// Authenticate retrieves access token to use the Auth0 Management API
func (c *Auth0Credentials) Authenticate() (JWTToken, error) {
c.mux.Lock()
defer c.mux.Unlock()
// If jwtToken has an expires time and we have enough time to do a request return immediately
if c.jwtStillValid() {
return c.jwtToken, nil
}
res, err := c.requestJWTToken()
if err != nil {
return c.jwtToken, err
}
defer func() {
err = res.Body.Close()
if err != nil {
log.Errorf("error while closing get jwt token response body: %v", err)
}
}()
jwtToken, err := c.parseRequestJWTResponse(res.Body)
if err != nil {
return c.jwtToken, err
}
c.jwtToken = jwtToken
return c.jwtToken, nil
}
// UpdateUserAppMetadata updates user app metadata based on userId and metadata map
func (am *Auth0Manager) UpdateUserAppMetadata(userId string, appMetadata AppMetadata) error {
jwtToken, err := am.credentials.Authenticate()
if err != nil {
return err
}
url := am.authIssuer + "/api/v2/users/" + userId
data, err := am.helper.Marshal(appMetadata)
if err != nil {
return err
}
payloadString := fmt.Sprintf("{\"app_metadata\": %s}", string(data))
payload := strings.NewReader(payloadString)
req, err := http.NewRequest("PATCH", url, payload)
if err != nil {
return err
}
req.Header.Add("authorization", "Bearer "+jwtToken.AccessToken)
req.Header.Add("content-type", "application/json")
res, err := am.httpClient.Do(req)
if err != nil {
return err
}
defer func() {
err = res.Body.Close()
if err != nil {
log.Errorf("error while closing update user app metadata response body: %v", err)
}
}()
if res.StatusCode != 200 {
return fmt.Errorf("unable to update the appMetadata, statusCode %d", res.StatusCode)
}
return nil
}
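Review bot: `requestJWTToken` returns the non-nil `*http.Response` together with an error on a non-200 status, and `Authenticate` returns on that error before its deferred `res.Body.Close()` is registered, so the body is never closed and the connection is not handed back to the transport. Either close the body inside `requestJWTToken` before returning the status error, or register the `Close` in `Authenticate` whenever `res != nil` rather than only on the success path. Two literals look mistyped: `httpTransport.IdleConnTimeout = 30` is 30 nanoseconds (`30 * time.Second` is presumably intended), and the `json:"audiance"` tag on `Auth0ClientConfig.Audience` is what the marshaled token request body carries, whereas the Auth0 token endpoint parameter is spelled `audience`. `parseRequestJWTResponse` indexes `strings.Split(jwtToken.AccessToken, ".")[1]` without checking that the split produced at least two parts, so a malformed `access_token` panics rather than returning an error; a comment should also say that this decodes the payload without signature verification and that the value is used only to schedule the next refresh. In `UpdateUserAppMetadata`, `userId` is concatenated straight into the request path; escaping it with `net/url`'s `PathEscape` (which means renaming the local `url` variable) keeps an id containing `/`, `?` or `#` from changing the request target.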


@@ -0,0 +1,403 @@
package idp
import (
"encoding/json"
"fmt"
"github.com/golang-jwt/jwt"
"github.com/stretchr/testify/assert"
"io/ioutil"
"net/http"
"strings"
"testing"
"time"
)
type mockHTTPClient struct {
code int
resBody string
reqBody string
err error
}
func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
body, err := ioutil.ReadAll(req.Body)
if err == nil {
c.reqBody = string(body)
}
return &http.Response{
StatusCode: c.code,
Body: ioutil.NopCloser(strings.NewReader(c.resBody)),
}, c.err
}
type mockJsonParser struct {
jsonParser JsonParser
marshalErrorString string
unmarshalErrorString string
}
func (m *mockJsonParser) Marshal(v interface{}) ([]byte, error) {
if m.marshalErrorString != "" {
return nil, fmt.Errorf(m.marshalErrorString)
}
return m.jsonParser.Marshal(v)
}
func (m *mockJsonParser) Unmarshal(data []byte, v interface{}) error {
if m.unmarshalErrorString != "" {
return fmt.Errorf(m.unmarshalErrorString)
}
return m.jsonParser.Unmarshal(data, v)
}
type mockAuth0Credentials struct {
jwtToken JWTToken
err error
}
func (mc *mockAuth0Credentials) Authenticate() (JWTToken, error) {
return mc.jwtToken, mc.err
}
func newTestJWT(t *testing.T, expInt int) string {
now := time.Now()
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
"iat": now.Unix(),
"exp": now.Add(time.Duration(expInt) * time.Second).Unix(),
})
var hmacSampleSecret []byte
tokenString, err := token.SignedString(hmacSampleSecret)
if err != nil {
t.Fatal(err)
}
return tokenString
}
func TestAuth0_RequestJWTToken(t *testing.T) {
type requestJWTTokenTest struct {
name string
inputCode int
inputResBody string
helper ManagerHelper
expectedFuncExitErrDiff error
expectedCode int
expectedToken string
}
exp := 5
token := newTestJWT(t, exp)
requestJWTTokenTesttCase1 := requestJWTTokenTest{
name: "Get Good JWT Response",
inputCode: 200,
inputResBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
helper: JsonParser{},
expectedCode: 200,
expectedToken: token,
}
requestJWTTokenTestCase2 := requestJWTTokenTest{
name: "Request Bad Status Code",
inputCode: 400,
inputResBody: "{}",
helper: JsonParser{},
expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
expectedCode: 200,
expectedToken: "",
}
for _, testCase := range []requestJWTTokenTest{requestJWTTokenTesttCase1, requestJWTTokenTestCase2} {
t.Run(testCase.name, func(t *testing.T) {
jwtReqClient := mockHTTPClient{
resBody: testCase.inputResBody,
code: testCase.inputCode,
}
config := Auth0ClientConfig{}
creds := Auth0Credentials{
clientConfig: config,
httpClient: &jwtReqClient,
helper: testCase.helper,
}
res, err := creds.requestJWTToken()
if err != nil {
if testCase.expectedFuncExitErrDiff != nil {
assert.EqualError(t, err, testCase.expectedFuncExitErrDiff.Error(), "errors should be the same")
} else {
t.Fatal(err)
}
}
body, err := ioutil.ReadAll(res.Body)
assert.NoError(t, err, "unable to read the response body")
jwtToken := JWTToken{}
err = json.Unmarshal(body, &jwtToken)
assert.NoError(t, err, "unable to parse the json input")
assert.Equalf(t, testCase.expectedToken, jwtToken.AccessToken, "two tokens should be the same")
})
}
}
func TestAuth0_ParseRequestJWTResponse(t *testing.T) {
type parseRequestJWTResponseTest struct {
name string
inputResBody string
helper ManagerHelper
expectedToken string
expectedExpiresIn int
assertErrFunc func(t assert.TestingT, err error, msgAndArgs ...interface{}) bool
assertErrFuncMessage string
}
exp := 100
token := newTestJWT(t, exp)
parseRequestJWTResponseTestCase1 := parseRequestJWTResponseTest{
name: "Parse Good JWT Body",
inputResBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
helper: JsonParser{},
expectedToken: token,
expectedExpiresIn: exp,
assertErrFunc: assert.NoError,
assertErrFuncMessage: "no error was expected",
}
parseRequestJWTResponseTestCase2 := parseRequestJWTResponseTest{
name: "Parse Bad json JWT Body",
inputResBody: "",
helper: JsonParser{},
expectedToken: "",
expectedExpiresIn: 0,
assertErrFunc: assert.Error,
assertErrFuncMessage: "json error was expected",
}
for _, testCase := range []parseRequestJWTResponseTest{parseRequestJWTResponseTestCase1, parseRequestJWTResponseTestCase2} {
t.Run(testCase.name, func(t *testing.T) {
rawBody := ioutil.NopCloser(strings.NewReader(testCase.inputResBody))
config := Auth0ClientConfig{}
creds := Auth0Credentials{
clientConfig: config,
helper: testCase.helper,
}
jwtToken, err := creds.parseRequestJWTResponse(rawBody)
testCase.assertErrFunc(t, err, testCase.assertErrFuncMessage)
assert.Equalf(t, testCase.expectedToken, jwtToken.AccessToken, "two tokens should be the same")
assert.Equalf(t, testCase.expectedExpiresIn, jwtToken.ExpiresIn, "the two expire times should be the same")
})
}
}
func TestAuth0_JwtStillValid(t *testing.T) {
type jwtStillValidTest struct {
name string
inputTime time.Time
expectedResult bool
message string
}
jwtStillValidTestCase1 := jwtStillValidTest{
name: "JWT still valid",
inputTime: time.Now().Add(10 * time.Second),
expectedResult: true,
message: "should be true",
}
jwtStillValidTestCase2 := jwtStillValidTest{
name: "JWT is invalid",
inputTime: time.Now(),
expectedResult: false,
message: "should be false",
}
for _, testCase := range []jwtStillValidTest{jwtStillValidTestCase1, jwtStillValidTestCase2} {
t.Run(testCase.name, func(t *testing.T) {
config := Auth0ClientConfig{}
creds := Auth0Credentials{
clientConfig: config,
}
creds.jwtToken.expiresInTime = testCase.inputTime
assert.Equalf(t, testCase.expectedResult, creds.jwtStillValid(), testCase.message)
})
}
}
func TestAuth0_Authenticate(t *testing.T) {
type authenticateTest struct {
name string
inputCode int
inputResBody string
inputExpireToken time.Time
helper ManagerHelper
expectedFuncExitErrDiff error
expectedCode int
expectedToken string
}
exp := 5
token := newTestJWT(t, exp)
authenticateTestCase1 := authenticateTest{
name: "Get Cached token",
inputExpireToken: time.Now().Add(30 * time.Second),
helper: JsonParser{},
//expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
expectedCode: 200,
expectedToken: "",
}
authenticateTestCase2 := authenticateTest{
name: "Get Good JWT Response",
inputCode: 200,
inputResBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
helper: JsonParser{},
expectedCode: 200,
expectedToken: token,
}
authenticateTestCase3 := authenticateTest{
name: "Get Bad Status Code",
inputCode: 400,
inputResBody: "{}",
helper: JsonParser{},
expectedFuncExitErrDiff: fmt.Errorf("unable to get token, statusCode 400"),
expectedCode: 200,
expectedToken: "",
}
for _, testCase := range []authenticateTest{authenticateTestCase1, authenticateTestCase2, authenticateTestCase3} {
t.Run(testCase.name, func(t *testing.T) {
jwtReqClient := mockHTTPClient{
resBody: testCase.inputResBody,
code: testCase.inputCode,
}
config := Auth0ClientConfig{}
creds := Auth0Credentials{
clientConfig: config,
httpClient: &jwtReqClient,
helper: testCase.helper,
}
creds.jwtToken.expiresInTime = testCase.inputExpireToken
_, err := creds.Authenticate()
if err != nil {
if testCase.expectedFuncExitErrDiff != nil {
assert.EqualError(t, err, testCase.expectedFuncExitErrDiff.Error(), "errors should be the same")
} else {
t.Fatal(err)
}
}
assert.Equalf(t, testCase.expectedToken, creds.jwtToken.AccessToken, "two tokens should be the same")
})
}
}
func TestAuth0_UpdateUserAppMetadata(t *testing.T) {
type updateUserAppMetadataTest struct {
name string
inputReqBody string
expectedReqBody string
appMetadata AppMetadata
statusCode int
helper ManagerHelper
managerCreds ManagerCredentials
assertErrFunc func(t assert.TestingT, err error, msgAndArgs ...interface{}) bool
assertErrFuncMessage string
}
exp := 15
token := newTestJWT(t, exp)
appMetadata := AppMetadata{WTAccountId: "ok"}
updateUserAppMetadataTestCase1 := updateUserAppMetadataTest{
name: "Bad Authentication",
inputReqBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
expectedReqBody: "",
appMetadata: appMetadata,
statusCode: 400,
helper: JsonParser{},
managerCreds: &mockAuth0Credentials{
jwtToken: JWTToken{},
err: fmt.Errorf("error"),
},
assertErrFunc: assert.Error,
assertErrFuncMessage: "should return error",
}
updateUserAppMetadataTestCase2 := updateUserAppMetadataTest{
name: "Bad Status Code",
inputReqBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
expectedReqBody: fmt.Sprintf("{\"app_metadata\": {\"wt_account_id\":\"%s\"}}", appMetadata.WTAccountId),
appMetadata: appMetadata,
statusCode: 400,
helper: JsonParser{},
managerCreds: &mockAuth0Credentials{
jwtToken: JWTToken{},
},
assertErrFunc: assert.Error,
assertErrFuncMessage: "should return error",
}
updateUserAppMetadataTestCase3 := updateUserAppMetadataTest{
name: "Bad Response Parsing",
inputReqBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
statusCode: 400,
helper: &mockJsonParser{marshalErrorString: "error"},
assertErrFunc: assert.Error,
assertErrFuncMessage: "should return error",
}
updateUserAppMetadataTestCase4 := updateUserAppMetadataTest{
name: "Good request",
inputReqBody: fmt.Sprintf("{\"access_token\":\"%s\",\"scope\":\"read:users\",\"expires_in\":%d,\"token_type\":\"Bearer\"}", token, exp),
expectedReqBody: fmt.Sprintf("{\"app_metadata\": {\"wt_account_id\":\"%s\"}}", appMetadata.WTAccountId),
appMetadata: appMetadata,
statusCode: 200,
helper: JsonParser{},
assertErrFunc: assert.NoError,
assertErrFuncMessage: "shouldn't return error",
}
for _, testCase := range []updateUserAppMetadataTest{updateUserAppMetadataTestCase1, updateUserAppMetadataTestCase2, updateUserAppMetadataTestCase3, updateUserAppMetadataTestCase4} {
t.Run(testCase.name, func(t *testing.T) {
jwtReqClient := mockHTTPClient{
resBody: testCase.inputReqBody,
code: testCase.statusCode,
}
config := Auth0ClientConfig{}
var creds ManagerCredentials
if testCase.managerCreds != nil {
creds = testCase.managerCreds
} else {
creds = &Auth0Credentials{
clientConfig: config,
httpClient: &jwtReqClient,
helper: testCase.helper,
}
}
manager := Auth0Manager{
httpClient: &jwtReqClient,
credentials: creds,
helper: testCase.helper,
}
err := manager.UpdateUserAppMetadata("1", testCase.appMetadata)
testCase.assertErrFunc(t, err, testCase.assertErrFuncMessage)
assert.Equal(t, testCase.expectedReqBody, jwtReqClient.reqBody, "request body should match")
})
}
}
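Review bot: `mockJsonParser.Marshal` and `Unmarshal` pass a variable as the format string to `fmt.Errorf`, which `go vet` flags (non-constant format string) and which would misformat an error text containing `%`; `errors.New(m.marshalErrorString)` and `errors.New(m.unmarshalErrorString)` are the intended calls. The "Bad Response Parsing" case in `TestAuth0_UpdateUserAppMetadata` leaves `managerCreds` nil, so real `Auth0Credentials` are built with the failing parser and the marshal error is raised inside `Authenticate` (on the client config) before `UpdateUserAppMetadata` ever marshals `appMetadata`; to cover the metadata marshal path the case should use `mockAuth0Credentials` and put the failing helper on the manager only. `newTestJWT` signs with a nil HMAC secret, which newer `golang-jwt/jwt` releases reject as an invalid key; a non-empty literal test key keeps the helper independent of that behaviour.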


@@ -0,0 +1,63 @@
package idp
import (
"fmt"
"net/http"
"strings"
"time"
)
// Manager idp manager interface
type Manager interface {
UpdateUserAppMetadata(userId string, appMetadata AppMetadata) error
}
// Config an idp configuration struct to be loaded from management server's config file
type Config struct {
ManagerType string
Auth0ClientCredentials Auth0ClientConfig
}
// ManagerCredentials interface that authenticates using the credential of each type of idp
type ManagerCredentials interface {
Authenticate() (JWTToken, error)
}
// ManagerHTTPClient http client interface for API calls
type ManagerHTTPClient interface {
Do(req *http.Request) (*http.Response, error)
}
// ManagerHelper helper
type ManagerHelper interface {
Marshal(v interface{}) ([]byte, error)
Unmarshal(data []byte, v interface{}) error
}
// AppMetadata user app metadata to associate with a profile
type AppMetadata struct {
// Wiretrustee account id to update in the IDP
// maps to wt_account_id when json.marshal
WTAccountId string `json:"wt_account_id"`
}
// JWTToken a JWT object that holds information of a token
type JWTToken struct {
AccessToken string `json:"access_token"`
ExpiresIn int `json:"expires_in"`
expiresInTime time.Time
Scope string `json:"scope"`
TokenType string `json:"token_type"`
}
// NewManager returns a new idp manager based on the configuration that it receives
func NewManager(config Config) (Manager, error) {
switch strings.ToLower(config.ManagerType) {
case "none", "":
return nil, nil
case "auth0":
return NewAuth0Manager(config.Auth0ClientCredentials), nil
default:
return nil, fmt.Errorf("invalid manager type: %s", config.ManagerType)
}
}
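Review bot: `NewManager` returns `nil, nil` for the `none`/empty manager type, so a caller that only checks `err` receives a nil `Manager` interface and panics on its first `UpdateUserAppMetadata` call; the doc comment does not mention this. Either document it, `// NewManager returns a new idp manager based on the configuration that it receives. For ManagerType "none" or "" it returns a nil Manager and a nil error; callers must nil-check the result.`, or return a no-op implementation so the nil case disappears. `JWTToken.expiresInTime` is the field `Authenticate` keys its cache on, and it is only populated by `parseRequestJWTResponse`, not by the JSON decode; a comment on the field saying so would stop someone from constructing a `JWTToken` from JSON and expecting `jwtStillValid` to work.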


@@ -0,0 +1,13 @@
package idp
import "encoding/json"
type JsonParser struct{}
func (JsonParser) Marshal(v interface{}) ([]byte, error) {
return json.Marshal(v)
}
func (JsonParser) Unmarshal(data []byte, v interface{}) error {
return json.Unmarshal(data, v)
}
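Review bot: `JsonParser` and its two exported methods carry no doc comments, and the type name departs from the Go initialism convention (`JSONParser`). Proposed: `// JsonParser implements ManagerHelper with the standard library encoding/json package.` above the type, with `// Marshal wraps json.Marshal.` and `// Unmarshal wraps json.Unmarshal.` on the methods.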


@@ -0,0 +1,348 @@
package server
import (
"context"
"fmt"
log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/encryption"
mgmtProto "github.com/wiretrustee/wiretrustee/management/proto"
"github.com/wiretrustee/wiretrustee/util"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/keepalive"
"net"
"os"
"path/filepath"
"runtime"
"testing"
"time"
)
var (
kaep = keepalive.EnforcementPolicy{
MinTime: 15 * time.Second,
PermitWithoutStream: true,
}
kasp = keepalive.ServerParameters{
MaxConnectionIdle: 15 * time.Second,
MaxConnectionAgeGrace: 5 * time.Second,
Time: 5 * time.Second,
Timeout: 2 * time.Second,
}
)
const (
TestValidSetupKey = "A2C8E62B-38F5-4553-B31E-DD66C696CEBB"
)
// registerPeers registers peersNum peers on the management service and returns their Wireguard keys
func registerPeers(peersNum int, client mgmtProto.ManagementServiceClient) ([]*wgtypes.Key, error) {
var peers = []*wgtypes.Key{}
for i := 0; i < peersNum; i++ {
key, err := wgtypes.GeneratePrivateKey()
if err != nil {
return nil, err
}
_, err = loginPeerWithValidSetupKey(key, client)
if err != nil {
return nil, err
}
peers = append(peers, &key)
}
return peers, nil
}
// getServerKey gets Management Service Wireguard public key
func getServerKey(client mgmtProto.ManagementServiceClient) (*wgtypes.Key, error) {
keyResp, err := client.GetServerKey(context.TODO(), &mgmtProto.Empty{})
if err != nil {
return nil, err
}
serverKey, err := wgtypes.ParseKey(keyResp.Key)
if err != nil {
return nil, err
}
return &serverKey, nil
}
func Test_SyncProtocol(t *testing.T) {
dir := t.TempDir()
err := util.CopyFileContents("testdata/store.json", filepath.Join(dir, "store.json"))
if err != nil {
t.Fatal(err)
}
defer func() {
os.Remove(filepath.Join(dir, "store.json")) //nolint
}()
mport := 33091
mgmtServer, err := startManagement(mport, &Config{
Stuns: []*Host{{
Proto: "udp",
URI: "stun:stun.wiretrustee.com:3468",
}},
TURNConfig: &TURNConfig{
TimeBasedCredentials: false,
CredentialsTTL: util.Duration{},
Secret: "whatever",
Turns: []*Host{{
Proto: "udp",
URI: "turn:stun.wiretrustee.com:3468",
}},
},
Signal: &Host{
Proto: "http",
URI: "signal.wiretrustee.com:10000",
},
Datadir: dir,
HttpConfig: nil,
})
if err != nil {
t.Fatal(err)
return
}
defer mgmtServer.GracefulStop()
client, clientConn, err := createRawClient(fmt.Sprintf("localhost:%d", mport))
if err != nil {
t.Fatal(err)
return
}
defer clientConn.Close()
peers, err := registerPeers(2, client)
if err != nil {
t.Fatal(err)
return
}
serverKey, err := getServerKey(client)
if err != nil {
t.Fatal(err)
return
}
// take the first registered peer as a base for the test
key := *peers[0]
message, err := encryption.EncryptMessage(*serverKey, key, &mgmtProto.SyncRequest{})
if err != nil {
t.Fatal(err)
return
}
if err != nil {
t.Fatal(err)
return
}
sync, err := client.Sync(context.TODO(), &mgmtProto.EncryptedMessage{
WgPubKey: key.PublicKey().String(),
Body: message,
})
if err != nil {
t.Fatal(err)
return
}
resp := &mgmtProto.EncryptedMessage{}
err = sync.RecvMsg(resp)
if err != nil {
t.Fatal(err)
return
}
syncResp := &mgmtProto.SyncResponse{}
err = encryption.DecryptMessage(*serverKey, key, resp.Body, syncResp)
if err != nil {
t.Fatal(err)
return
}
wiretrusteeConfig := syncResp.GetWiretrusteeConfig()
if wiretrusteeConfig == nil {
t.Fatal("expecting SyncResponse to have non-nil WiretrusteeConfig")
}
if wiretrusteeConfig.GetSignal() == nil {
t.Fatal("expecting SyncResponse to have WiretrusteeConfig with non-nil Signal config")
}
expectedSignalConfig := &mgmtProto.HostConfig{
Uri: "signal.wiretrustee.com:10000",
Protocol: mgmtProto.HostConfig_HTTP,
}
if wiretrusteeConfig.GetSignal().GetUri() != expectedSignalConfig.GetUri() {
t.Fatalf("expecting SyncResponse to have WiretrusteeConfig with expected Signal URI: %v, actual: %v",
expectedSignalConfig.GetUri(),
wiretrusteeConfig.GetSignal().GetUri())
}
if wiretrusteeConfig.GetSignal().GetProtocol() != expectedSignalConfig.GetProtocol() {
t.Fatalf("expecting SyncResponse to have WiretrusteeConfig with expected Signal Protocol: %v, actual: %v",
expectedSignalConfig.GetProtocol().String(),
wiretrusteeConfig.GetSignal().GetProtocol())
}
expectedStunsConfig := &mgmtProto.HostConfig{
Uri: "stun:stun.wiretrustee.com:3468",
Protocol: mgmtProto.HostConfig_UDP,
}
if wiretrusteeConfig.GetStuns()[0].GetUri() != expectedStunsConfig.GetUri() {
t.Fatalf("expecting SyncResponse to have WiretrusteeConfig with expected STUN URI: %v, actual: %v",
expectedStunsConfig.GetUri(),
wiretrusteeConfig.GetStuns()[0].GetUri())
}
if wiretrusteeConfig.GetStuns()[0].GetProtocol() != expectedStunsConfig.GetProtocol() {
t.Fatalf("expecting SyncResponse to have WiretrusteeConfig with expected STUN Protocol: %v, actual: %v",
expectedStunsConfig.GetProtocol(),
wiretrusteeConfig.GetStuns()[0].GetProtocol())
}
expectedTRUNHost := &mgmtProto.HostConfig{
Uri: "turn:stun.wiretrustee.com:3468",
Protocol: mgmtProto.HostConfig_UDP,
}
if wiretrusteeConfig.GetTurns()[0].GetHostConfig().GetUri() != expectedTRUNHost.GetUri() {
t.Fatalf("expecting SyncResponse to have WiretrusteeConfig with expected TURN URI: %v, actual: %v",
expectedTRUNHost.GetUri(),
wiretrusteeConfig.GetTurns()[0].GetHostConfig().GetUri())
}
if wiretrusteeConfig.GetTurns()[0].GetHostConfig().GetProtocol() != expectedTRUNHost.GetProtocol() {
t.Fatalf("expecting SyncResponse to have WiretrusteeConfig with expected TURN Protocol: %v, actual: %v",
expectedTRUNHost.GetProtocol().String(),
wiretrusteeConfig.GetTurns()[0].GetHostConfig().GetProtocol())
}
// ensure backward compatibility
if syncResp.GetRemotePeers() == nil {
t.Fatal("expecting SyncResponse to have non-nil RemotePeers for backward compatibility")
}
if syncResp.GetPeerConfig() == nil {
t.Fatal("expecting SyncResponse to have non-nil PeerConfig for backward compatibility")
}
// new field - NetworkMap
networkMap := syncResp.GetNetworkMap()
if networkMap == nil {
t.Fatal("expecting SyncResponse to have non-nil NetworkMap")
}
if len(networkMap.GetRemotePeers()) != 1 {
t.Fatal("expecting SyncResponse to have NetworkMap with 1 remote peer")
}
if networkMap.GetPeerConfig() == nil {
t.Fatal("expecting SyncResponse to have NetworkMap with a non-nil PeerConfig")
}
if networkMap.GetPeerConfig().GetAddress() != "100.64.0.1/24" {
t.Fatal("expecting SyncResponse to have NetworkMap with a PeerConfig having valid Address")
}
if networkMap.GetSerial() <= 0 {
t.Fatalf("expecting SyncResponse to have NetworkMap with a positive Network Serial, actual %d", networkMap.GetSerial())
}
}
func loginPeerWithValidSetupKey(key wgtypes.Key, client mgmtProto.ManagementServiceClient) (*mgmtProto.LoginResponse, error) {
serverKey, err := getServerKey(client)
if err != nil {
return nil, err
}
meta := &mgmtProto.PeerSystemMeta{
Hostname: key.PublicKey().String(),
GoOS: runtime.GOOS,
OS: runtime.GOOS,
Core: "core",
Platform: "platform",
Kernel: "kernel",
WiretrusteeVersion: "",
}
message, err := encryption.EncryptMessage(*serverKey, key, &mgmtProto.LoginRequest{SetupKey: TestValidSetupKey, Meta: meta})
if err != nil {
return nil, err
}
resp, err := client.Login(context.TODO(), &mgmtProto.EncryptedMessage{
WgPubKey: key.PublicKey().String(),
Body: message,
})
if err != nil {
return nil, err
}
loginResp := &mgmtProto.LoginResponse{}
err = encryption.DecryptMessage(*serverKey, key, resp.Body, loginResp)
if err != nil {
return nil, err
}
return loginResp, nil
}
func startManagement(port int, config *Config) (*grpc.Server, error) {
lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
if err != nil {
return nil, err
}
s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
store, err := NewStore(config.Datadir)
if err != nil {
return nil, err
}
peersUpdateManager := NewPeersUpdateManager()
accountManager := NewManager(store, peersUpdateManager, nil)
turnManager := NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
mgmtServer, err := NewServer(config, accountManager, peersUpdateManager, turnManager)
if err != nil {
return nil, err
}
mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
go func() {
if err = s.Serve(lis); err != nil {
log.Fatalf("failed to serve: %v", err)
}
}()
return s, nil
}
func createRawClient(addr string) (mgmtProto.ManagementServiceClient, *grpc.ClientConn, error) {
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
conn, err := grpc.DialContext(ctx, addr,
grpc.WithTransportCredentials(insecure.NewCredentials()),
grpc.WithBlock(),
grpc.WithKeepaliveParams(keepalive.ClientParameters{
Time: 10 * time.Second,
Timeout: 2 * time.Second,
}))
if err != nil {
return nil, nil, err
}
return mgmtProto.NewManagementServiceClient(conn), conn, nil
}


@@ -0,0 +1,46 @@
package server
import (
"context"
"github.com/wiretrustee/wiretrustee/management/proto"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
type ManagementServiceServerMock struct {
proto.UnimplementedManagementServiceServer
LoginFunc func(context.Context, *proto.EncryptedMessage) (*proto.EncryptedMessage, error)
SyncFunc func(*proto.EncryptedMessage, proto.ManagementService_SyncServer)
GetServerKeyFunc func(context.Context, *proto.Empty) (*proto.ServerKeyResponse, error)
IsHealthyFunc func(context.Context, *proto.Empty) (*proto.Empty, error)
}
func (m ManagementServiceServerMock) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
if m.LoginFunc != nil {
return m.LoginFunc(ctx, req)
}
return nil, status.Errorf(codes.Unimplemented, "method Login not implemented")
}
func (m ManagementServiceServerMock) Sync(msg *proto.EncryptedMessage, sync proto.ManagementService_SyncServer) error {
if m.SyncFunc != nil {
return m.Sync(msg, sync)
}
return status.Errorf(codes.Unimplemented, "method Sync not implemented")
}
func (m ManagementServiceServerMock) GetServerKey(ctx context.Context, empty *proto.Empty) (*proto.ServerKeyResponse, error) {
if m.GetServerKeyFunc != nil {
return m.GetServerKeyFunc(ctx, empty)
}
return nil, status.Errorf(codes.Unimplemented, "method GetServerKey not implemented")
}
func (m ManagementServiceServerMock) IsHealthy(ctx context.Context, empty *proto.Empty) (*proto.Empty, error) {
if m.IsHealthyFunc != nil {
return m.IsHealthyFunc(ctx, empty)
}
return nil, status.Errorf(codes.Unimplemented, "method IsHealthy not implemented")
}


@@ -496,7 +496,7 @@ func startServer(config *server.Config) (*grpc.Server, net.Listener) {
log.Fatalf("failed creating a store: %s: %v", config.Datadir, err) log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
} }
peersUpdateManager := server.NewPeersUpdateManager() peersUpdateManager := server.NewPeersUpdateManager()
accountManager := server.NewManager(store, peersUpdateManager) accountManager := server.NewManager(store, peersUpdateManager, nil)
turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig) turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager) mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
Expect(err).NotTo(HaveOccurred()) Expect(err).NotTo(HaveOccurred())


@@ -3,7 +3,9 @@ package server
import ( import (
"encoding/binary" "encoding/binary"
"fmt" "fmt"
"github.com/rs/xid"
"net" "net"
"sync"
) )
var ( var (
@@ -11,17 +13,51 @@ var (
upperIPv6 = []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff} upperIPv6 = []byte{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}
) )
type NetworkMap struct {
Peers []*Peer
Network *Network
}
type Network struct { type Network struct {
Id string Id string
Net net.IPNet Net net.IPNet
Dns string Dns string
// serial is an ID that increments by 1 when any change to the network happened (e.g. new peer has been added).
// Used to synchronize state to the client apps.
serial uint64
mu sync.Mutex `json:"-"`
}
// NewNetwork creates a new Network initializing it with a serial=0
func NewNetwork() *Network {
return &Network{
Id: xid.New().String(),
Net: net.IPNet{IP: net.ParseIP("100.64.0.0"), Mask: net.IPMask{255, 192, 0, 0}},
Dns: "",
serial: 0}
}
// IncSerial increments serial by 1 reflecting that the network state has been changed
func (n *Network) IncSerial() {
n.mu.Lock()
defer n.mu.Unlock()
n.serial = n.serial + 1
}
// Serial returns the Network.serial of the network (latest state id)
func (n *Network) Serial() uint64 {
n.mu.Lock()
defer n.mu.Unlock()
return n.serial
} }
func (n *Network) Copy() *Network { func (n *Network) Copy() *Network {
return &Network{ return &Network{
Id: n.Id, Id: n.Id,
Net: n.Net, Net: n.Net,
Dns: n.Dns, Dns: n.Dns,
serial: n.serial,
} }
} }
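Review bot: `Copy` reads `n.serial` directly while `IncSerial` and `Serial` guard it with `n.mu`, so a `Copy` running concurrently with `IncSerial` (for example `GetNetworkMap` racing `AddPeer`) is a data race that `go test -race` will flag; use `serial: n.Serial(),` there, making sure `Copy` is never invoked with the lock already held. Separately, `serial` is unexported while `mu` carries a `json:"-"` tag, which suggests `Network` is persisted with encoding/json; if so the serial is silently dropped on save and comes back as 0 after a restart, so clients that compare serials would see the counter go backwards. Confirm against the store and either export the field under a json tag (a field named `Serial` would clash with the `Serial()` method, so pick another name) or give `Network` MarshalJSON/UnmarshalJSON that include it.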


@@ -118,16 +118,34 @@ func (am *AccountManager) DeletePeer(accountId string, peerKey string) (*Peer, e
am.mux.Lock() am.mux.Lock()
defer am.mux.Unlock() defer am.mux.Unlock()
account, err := am.Store.GetAccount(accountId)
if err != nil {
return nil, status.Errorf(codes.NotFound, "account not found")
}
peer, err := am.Store.DeletePeer(accountId, peerKey) peer, err := am.Store.DeletePeer(accountId, peerKey)
if err != nil { if err != nil {
return nil, err return nil, err
} }
account.Network.IncSerial()
err = am.Store.SaveAccount(account)
if err != nil {
return nil, err
}
err = am.peersUpdateManager.SendUpdate(peerKey, err = am.peersUpdateManager.SendUpdate(peerKey,
&UpdateMessage{ &UpdateMessage{
Update: &proto.SyncResponse{ Update: &proto.SyncResponse{
// fill those field for backward compatibility
RemotePeers: []*proto.RemotePeerConfig{}, RemotePeers: []*proto.RemotePeerConfig{},
RemotePeersIsEmpty: true, RemotePeersIsEmpty: true,
// new field
NetworkMap: &proto.NetworkMap{
Serial: account.Network.Serial(),
RemotePeers: []*proto.RemotePeerConfig{},
RemotePeersIsEmpty: true,
},
}}) }})
if err != nil { if err != nil {
return nil, err return nil, err
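Review bot: `account` is loaded before `am.Store.DeletePeer(accountId, peerKey)` and then written back with `am.Store.SaveAccount(account)`, so unless `GetAccount` hands out the same object the store mutates, the saved copy still lists the deleted peer in `account.Peers` and the deletion is undone; if `GetAccount` returns a copy, delete the peer from the loaded account and persist once instead. The ordering also leaves the store inconsistent when `SaveAccount` fails: the peer is already gone but the bumped serial is never persisted, so connected clients keep a stale `NetworkMap`. In the `GetNetworkMap` hunk further down, `return &NetworkMap{...}, err` should be `return &NetworkMap{...}, nil` — `err` is nil there only because of the check above that hunk, and a later edit that reuses the variable would return an error alongside a valid map. DeletePeer's body continues past this hunk.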
@@ -150,8 +168,15 @@ func (am *AccountManager) DeletePeer(accountId string, peerKey string) (*Peer, e
err = am.peersUpdateManager.SendUpdate(p.Key, err = am.peersUpdateManager.SendUpdate(p.Key,
&UpdateMessage{ &UpdateMessage{
Update: &proto.SyncResponse{ Update: &proto.SyncResponse{
// fill those field for backward compatibility
RemotePeers: update, RemotePeers: update,
RemotePeersIsEmpty: len(update) == 0, RemotePeersIsEmpty: len(update) == 0,
// new field
NetworkMap: &proto.NetworkMap{
Serial: account.Network.Serial(),
RemotePeers: update,
RemotePeersIsEmpty: len(update) == 0,
},
}}) }})
if err != nil { if err != nil {
return nil, err return nil, err
@@ -181,9 +206,8 @@ func (am *AccountManager) GetPeerByIP(accountId string, peerIP string) (*Peer, e
return nil, status.Errorf(codes.NotFound, "peer with IP %s not found", peerIP) return nil, status.Errorf(codes.NotFound, "peer with IP %s not found", peerIP)
} }
// GetPeersForAPeer returns a list of peers available for a given peer (key) // GetNetworkMap returns Network map for a given peer (omits original peer from the Peers result)
// Effectively all the peers of the original peer's account except for the peer itself func (am *AccountManager) GetNetworkMap(peerKey string) (*NetworkMap, error) {
func (am *AccountManager) GetPeersForAPeer(peerKey string) ([]*Peer, error) {
am.mux.Lock() am.mux.Lock()
defer am.mux.Unlock() defer am.mux.Unlock()
@@ -194,12 +218,16 @@ func (am *AccountManager) GetPeersForAPeer(peerKey string) ([]*Peer, error) {
var res []*Peer var res []*Peer
for _, peer := range account.Peers { for _, peer := range account.Peers {
// exclude original peer
if peer.Key != peerKey { if peer.Key != peerKey {
res = append(res, peer) res = append(res, peer.Copy())
} }
} }
return res, nil return &NetworkMap{
Peers: res,
Network: account.Network.Copy(),
}, err
} }
// AddPeer adds a new peer to the Store. // AddPeer adds a new peer to the Store.
@@ -207,7 +235,7 @@ func (am *AccountManager) GetPeersForAPeer(peerKey string) ([]*Peer, error) {
// will be returned, meaning the key is invalid // will be returned, meaning the key is invalid
// Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused). // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
// The peer property is just a placeholder for the Peer properties to pass further // The peer property is just a placeholder for the Peer properties to pass further
func (am *AccountManager) AddPeer(setupKey string, peer Peer) (*Peer, error) { func (am *AccountManager) AddPeer(setupKey string, peer *Peer) (*Peer, error) {
am.mux.Lock() am.mux.Lock()
defer am.mux.Unlock() defer am.mux.Unlock()
@@ -255,6 +283,8 @@ func (am *AccountManager) AddPeer(setupKey string, peer Peer) (*Peer, error) {
account.Peers[newPeer.Key] = newPeer account.Peers[newPeer.Key] = newPeer
account.SetupKeys[sk.Key] = sk.IncrementUsage() account.SetupKeys[sk.Key] = sk.IncrementUsage()
account.Network.IncSerial()
err = am.Store.SaveAccount(account) err = am.Store.SaveAccount(account)
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed adding peer") return nil, status.Errorf(codes.Internal, "failed adding peer")


@@ -0,0 +1,76 @@
package server
import (
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"testing"
)
func TestAccountManager_GetNetworkMap(t *testing.T) {
manager, err := createManager(t)
if err != nil {
t.Fatal(err)
return
}
expectedId := "test_account"
userId := "account_creator"
account, err := manager.AddAccount(expectedId, userId, "")
if err != nil {
t.Fatal(err)
}
var setupKey *SetupKey
for _, key := range account.SetupKeys {
if key.Type == SetupKeyReusable {
setupKey = key
}
}
peerKey1, err := wgtypes.GeneratePrivateKey()
if err != nil {
t.Fatal(err)
return
}
_, err = manager.AddPeer(setupKey.Key, &Peer{
Key: peerKey1.PublicKey().String(),
Meta: PeerSystemMeta{},
Name: "test-peer-2",
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
}
peerKey2, err := wgtypes.GeneratePrivateKey()
if err != nil {
t.Fatal(err)
return
}
_, err = manager.AddPeer(setupKey.Key, &Peer{
Key: peerKey2.PublicKey().String(),
Meta: PeerSystemMeta{},
Name: "test-peer-2",
})
if err != nil {
t.Errorf("expecting peer to be added, got failure %v", err)
return
}
networkMap, err := manager.GetNetworkMap(peerKey1.PublicKey().String())
if err != nil {
t.Fatal(err)
return
}
if len(networkMap.Peers) != 1 {
t.Errorf("expecting Account NetworkMap to have 1 peers, got %v", len(networkMap.Peers))
}
if networkMap.Peers[0].Key != peerKey2.PublicKey().String() {
t.Errorf("expecting Account NetworkMap to have peer with a key %s, got %s", peerKey2.PublicKey().String(), networkMap.Peers[0].Key)
}
}
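Review bot: The test never looks at `networkMap.Network`, so the serial bookkeeping this commit adds to `AddPeer` goes unverified; after the two `AddPeer` calls an assertion such as `if networkMap.Network.Serial() != 2 { t.Errorf("expecting serial 2, got %d", networkMap.Network.Serial()) }` would pin it (check whether `AddAccount` also bumps the serial before fixing the expected value). `setupKey` stays nil when the account has no reusable key and the `setupKey.Key` access then panics with a less useful message than a `t.Fatal("no reusable setup key")` guard. Both peers are named `test-peer-2`, which looks like a copy-paste slip; the first should be `test-peer-1`. The `return` after each `t.Fatal` is redundant, since `t.Fatal` already stops the test goroutine.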


@@ -33,5 +33,15 @@
"AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,", "AuthIssuer": "<PASTE YOUR AUTH0 ISSUER HERE>,",
"AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>", "AuthAudience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
"AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>" "AuthKeysLocation": "<PASTE YOUR AUTH0 PUBLIC JWT KEYS LOCATION HERE>"
},
"IdpManagerConfig": {
"Manager": "<none|auth0>",
"Auth0ClientCredentials": {
"Audience": "<PASTE YOUR AUTH0 AUDIENCE HERE>",
"AuthIssuer": "<PASTE YOUR AUTH0 Auth Issuer HERE>",
"ClientId": "<PASTE YOUR AUTH0 Application Client ID HERE>",
"ClientSecret": "<PASTE YOUR AUTH0 Application Client Secret HERE>",
"GrantType": "client_credentials"
}
} }
} }
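Review bot: `Auth0ClientCredentials.ClientSecret` turns this template into a file holding a live credential once the placeholders are filled in, and nothing here says so; since JSON has no comments, the accompanying docs should tell operators to keep the file readable only by the management service user and to keep the real value out of version control. `Audience` and `AuthIssuer` duplicate the values already given in the block above, so the template should state whether they are expected to match or be set independently. The `Manager` placeholder `<none|auth0>` reads like a literal value; spelling out that `none` disables the IdP manager would avoid the brackets being copied verbatim.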


@@ -40,14 +40,14 @@ func NewAdminUser(id string) *User {
} }
// GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist // GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist
func (am *AccountManager) GetOrCreateAccountByUser(userId string) (*Account, error) { func (am *AccountManager) GetOrCreateAccountByUser(userId, domain string) (*Account, error) {
am.mux.Lock() am.mux.Lock()
defer am.mux.Unlock() defer am.mux.Unlock()
account, err := am.Store.GetUserAccount(userId) account, err := am.Store.GetUserAccount(userId)
if err != nil { if err != nil {
if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound { if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
account, _ = newAccount(userId) account = NewAccount(userId, domain)
account.Users[userId] = NewAdminUser(userId) account.Users[userId] = NewAdminUser(userId)
err = am.Store.SaveAccount(account) err = am.Store.SaveAccount(account)
if err != nil { if err != nil {
@@ -59,6 +59,14 @@ func (am *AccountManager) GetOrCreateAccountByUser(userId string) (*Account, err
} }
} }
if account.Domain != domain {
account.Domain = domain
err = am.Store.SaveAccount(account)
if err != nil {
return nil, status.Errorf(codes.Internal, "failed updating account with domain")
}
}
return account, nil return account, nil
} }
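Review bot: The new `if account.Domain != domain` block overwrites the stored domain with whatever the caller passes, including an empty string, so a login whose token lacks the domain claim (the commit messages say the value is extracted from the JWT) would wipe a previously stored domain, and a user of the same account presenting a different claim would flip it; `if domain != "" && account.Domain != domain {` handles the first case, and whether the second should be allowed at all deserves an explicit decision rather than an implicit last-writer-wins. The doc comment on `GetOrCreateAccountByUser` in the previous hunk does not mention the new parameter; appending `domain is stored on the account and updated when it differs from the stored value.` would document the behaviour. The function body begins in the previous hunk.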


@@ -1,26 +1,11 @@
package client package client
import ( import (
"context"
"crypto/tls"
"fmt" "fmt"
"github.com/cenkalti/backoff/v4"
log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/encryption"
"github.com/wiretrustee/wiretrustee/signal/proto" "github.com/wiretrustee/wiretrustee/signal/proto"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes" "golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/keepalive"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
"io" "io"
"strings" "strings"
"sync"
"time"
) )
// A set of tools to exchange connection details (Wireguard endpoints) with the remote peer. // A set of tools to exchange connection details (Wireguard endpoints) with the remote peer.
@@ -31,317 +16,15 @@ type Status string
const StreamConnected Status = "Connected" const StreamConnected Status = "Connected"
const StreamDisconnected Status = "Disconnected" const StreamDisconnected Status = "Disconnected"
// Client Wraps the Signal Exchange Service gRpc client type Client interface {
type Client struct { io.Closer
key wgtypes.Key StreamConnected() bool
realClient proto.SignalExchangeClient GetStatus() Status
signalConn *grpc.ClientConn Receive(msgHandler func(msg *proto.Message) error) error
ctx context.Context Ready() bool
stream proto.SignalExchange_ConnectStreamClient WaitStreamConnected()
// connectedCh used to notify goroutines waiting for the connection to the Signal stream SendToStream(msg *proto.EncryptedMessage) error
connectedCh chan struct{} Send(msg *proto.Message) error
mux sync.Mutex
// StreamConnected indicates whether this client is StreamConnected to the Signal stream
status Status
}
func (c *Client) StreamConnected() bool {
return c.status == StreamConnected
}
func (c *Client) GetStatus() Status {
return c.status
}
// Close Closes underlying connections to the Signal Exchange
func (c *Client) Close() error {
return c.signalConn.Close()
}
// NewClient creates a new Signal client
func NewClient(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled bool) (*Client, error) {
transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
if tlsEnabled {
transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
}
sigCtx, cancel := context.WithTimeout(ctx, 10*time.Second)
defer cancel()
conn, err := grpc.DialContext(
sigCtx,
addr,
transportOption,
grpc.WithBlock(),
grpc.WithKeepaliveParams(keepalive.ClientParameters{
Time: 15 * time.Second,
Timeout: 10 * time.Second,
}))
if err != nil {
log.Errorf("failed to connect to the signalling server %v", err)
return nil, err
}
return &Client{
realClient: proto.NewSignalExchangeClient(conn),
ctx: ctx,
signalConn: conn,
key: key,
mux: sync.Mutex{},
status: StreamDisconnected,
}, nil
}
//defaultBackoff is a basic backoff mechanism for general issues
func defaultBackoff(ctx context.Context) backoff.BackOff {
return backoff.WithContext(&backoff.ExponentialBackOff{
InitialInterval: 800 * time.Millisecond,
RandomizationFactor: backoff.DefaultRandomizationFactor,
Multiplier: backoff.DefaultMultiplier,
MaxInterval: 10 * time.Second,
MaxElapsedTime: 12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
Stop: backoff.Stop,
Clock: backoff.SystemClock,
}, ctx)
}
// Receive Connects to the Signal Exchange message stream and starts receiving messages.
// The messages will be handled by msgHandler function provided.
// This function is blocking and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart)
// The connection retry logic will try to reconnect for 30 min and if wasn't successful will propagate the error to the function caller.
func (c *Client) Receive(msgHandler func(msg *proto.Message) error) error {
var backOff = defaultBackoff(c.ctx)
operation := func() error {
c.notifyStreamDisconnected()
log.Debugf("signal connection state %v", c.signalConn.GetState())
if !c.Ready() {
return fmt.Errorf("no connection to signal")
}
// connect to Signal stream identifying ourselves with a public Wireguard key
// todo once the key rotation logic has been implemented, consider changing to some other identifier (received from management)
stream, err := c.connect(c.key.PublicKey().String())
if err != nil {
log.Warnf("disconnected from the Signal Exchange due to an error: %v", err)
return err
}
c.notifyStreamConnected()
log.Infof("connected to the Signal Service stream")
// start receiving messages from the Signal stream (from other peers through signal)
err = c.receive(stream, msgHandler)
if err != nil {
log.Warnf("disconnected from the Signal Exchange due to an error: %v", err)
backOff.Reset()
return err
}
return nil
}
err := backoff.Retry(operation, backOff)
if err != nil {
log.Errorf("exiting Signal Service connection retry loop due to unrecoverable error: %s", err)
return err
}
return nil
}
func (c *Client) notifyStreamDisconnected() {
c.mux.Lock()
defer c.mux.Unlock()
c.status = StreamDisconnected
}
func (c *Client) notifyStreamConnected() {
c.mux.Lock()
defer c.mux.Unlock()
c.status = StreamConnected
if c.connectedCh != nil {
// there are goroutines waiting on this channel -> release them
close(c.connectedCh)
c.connectedCh = nil
}
}
func (c *Client) getStreamStatusChan() <-chan struct{} {
c.mux.Lock()
defer c.mux.Unlock()
if c.connectedCh == nil {
c.connectedCh = make(chan struct{})
}
return c.connectedCh
}
func (c *Client) connect(key string) (proto.SignalExchange_ConnectStreamClient, error) {
c.stream = nil
// add key fingerprint to the request header to be identified on the server side
md := metadata.New(map[string]string{proto.HeaderId: key})
ctx := metadata.NewOutgoingContext(c.ctx, md)
stream, err := c.realClient.ConnectStream(ctx, grpc.WaitForReady(true))
c.stream = stream
if err != nil {
return nil, err
}
// blocks
header, err := c.stream.Header()
if err != nil {
return nil, err
}
registered := header.Get(proto.HeaderRegistered)
if len(registered) == 0 {
return nil, fmt.Errorf("didn't receive a registration header from the Signal server whille connecting to the streams")
}
return stream, nil
}
// Ready indicates whether the client is okay and Ready to be used
// for now it just checks whether gRPC connection to the service is in state Ready
func (c *Client) Ready() bool {
return c.signalConn.GetState() == connectivity.Ready || c.signalConn.GetState() == connectivity.Idle
}
// WaitStreamConnected waits until the client is connected to the Signal stream
func (c *Client) WaitStreamConnected() {
if c.status == StreamConnected {
return
}
ch := c.getStreamStatusChan()
select {
case <-c.ctx.Done():
case <-ch:
}
}
// SendToStream sends a message to the remote Peer through the Signal Exchange using established stream connection to the Signal Server
// The Client.Receive method must be called before sending messages to establish initial connection to the Signal Exchange
// Client.connWg can be used to wait
func (c *Client) SendToStream(msg *proto.EncryptedMessage) error {
if !c.Ready() {
return fmt.Errorf("no connection to signal")
}
if c.stream == nil {
return fmt.Errorf("connection to the Signal Exchnage has not been established yet. Please call Client.Receive before sending messages")
}
err := c.stream.Send(msg)
if err != nil {
log.Errorf("error while sending message to peer [%s] [error: %v]", msg.RemoteKey, err)
return err
}
return nil
}
// decryptMessage decrypts the body of the msg using Wireguard private key and Remote peer's public key
func (c *Client) decryptMessage(msg *proto.EncryptedMessage) (*proto.Message, error) {
remoteKey, err := wgtypes.ParseKey(msg.GetKey())
if err != nil {
return nil, err
}
body := &proto.Body{}
err = encryption.DecryptMessage(remoteKey, c.key, msg.GetBody(), body)
if err != nil {
return nil, err
}
return &proto.Message{
Key: msg.Key,
RemoteKey: msg.RemoteKey,
Body: body,
}, nil
}
// encryptMessage encrypts the body of the msg using Wireguard private key and Remote peer's public key
func (c *Client) encryptMessage(msg *proto.Message) (*proto.EncryptedMessage, error) {
remoteKey, err := wgtypes.ParseKey(msg.RemoteKey)
if err != nil {
return nil, err
}
encryptedBody, err := encryption.EncryptMessage(remoteKey, c.key, msg.Body)
if err != nil {
return nil, err
}
return &proto.EncryptedMessage{
Key: msg.GetKey(),
RemoteKey: msg.GetRemoteKey(),
Body: encryptedBody,
}, nil
}
// Send sends a message to the remote Peer through the Signal Exchange.
func (c *Client) Send(msg *proto.Message) error {
if !c.Ready() {
return fmt.Errorf("no connection to signal")
}
encryptedMessage, err := c.encryptMessage(msg)
if err != nil {
return err
}
ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
defer cancel()
_, err = c.realClient.Send(ctx, encryptedMessage)
if err != nil {
return err
}
return nil
}
// receive receives messages from other peers coming through the Signal Exchange
func (c *Client) receive(stream proto.SignalExchange_ConnectStreamClient,
msgHandler func(msg *proto.Message) error) error {
for {
msg, err := stream.Recv()
if s, ok := status.FromError(err); ok && s.Code() == codes.Canceled {
log.Warnf("stream canceled (usually indicates shutdown)")
return err
} else if s.Code() == codes.Unavailable {
log.Warnf("Signal Service is unavailable")
return err
} else if err == io.EOF {
log.Warnf("Signal Service stream closed by server")
return err
} else if err != nil {
return err
}
log.Debugf("received a new message from Peer [fingerprint: %s]", msg.Key)
decryptedMessage, err := c.decryptMessage(msg)
if err != nil {
log.Errorf("failed decrypting message of Peer [key: %s] error: [%s]", msg.Key, err.Error())
}
err = msgHandler(decryptedMessage)
if err != nil {
log.Errorf("error while handling message of Peer [key: %s] error: [%s]", msg.Key, err.Error())
//todo send something??
}
}
} }
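Review bot: The new exported `Client` interface has no doc comment, and since it is now the type the rest of the code depends on, a line such as `// Client exchanges connection details with remote peers through the Signal Exchange; GrpcClient is the gRPC-backed implementation.` above `type Client interface {` would spare readers a trip to grpc.go. The method contracts were lost in the move: the removed comments said `Receive` blocks and reconnects with backoff and that `SendToStream` requires a prior `Receive`, and those belong on the interface methods now that mocks and other implementations must honour them. Embedding `io.Closer` is fine, though a note on when callers are expected to `Close` (after `Receive` returns) would complete the lifecycle description.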
// UnMarshalCredential parses the credentials from the message and returns a Credential instance // UnMarshalCredential parses the credentials from the message and returns a Credential instance
@@ -369,7 +52,7 @@ func MarshalCredential(myKey wgtypes.Key, remoteKey wgtypes.Key, credential *Cre
}, nil }, nil
} }
// Credential is an instance of a Client's Credential // Credential is an instance of a GrpcClient's Credential
type Credential struct { type Credential struct {
UFrag string UFrag string
Pwd string Pwd string


@@ -17,7 +17,7 @@ import (
"time" "time"
) )
var _ = Describe("Client", func() { var _ = Describe("GrpcClient", func() {
var ( var (
addr string addr string
@@ -160,7 +160,7 @@ var _ = Describe("Client", func() {
}) })
func createSignalClient(addr string, key wgtypes.Key) *Client { func createSignalClient(addr string, key wgtypes.Key) *GrpcClient {
var sigTLSEnabled = false var sigTLSEnabled = false
client, err := NewClient(context.Background(), addr, key, sigTLSEnabled) client, err := NewClient(context.Background(), addr, key, sigTLSEnabled)
if err != nil { if err != nil {

336
signal/client/grpc.go Normal file

@@ -0,0 +1,336 @@
package client
import (
"context"
"crypto/tls"
"fmt"
"github.com/cenkalti/backoff/v4"
log "github.com/sirupsen/logrus"
"github.com/wiretrustee/wiretrustee/encryption"
"github.com/wiretrustee/wiretrustee/signal/proto"
"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/connectivity"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
"google.golang.org/grpc/keepalive"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
"io"
"sync"
"time"
)
// GrpcClient Wraps the Signal Exchange Service gRpc client
type GrpcClient struct {
key wgtypes.Key
realClient proto.SignalExchangeClient
signalConn *grpc.ClientConn
ctx context.Context
stream proto.SignalExchange_ConnectStreamClient
// connectedCh used to notify goroutines waiting for the connection to the Signal stream
connectedCh chan struct{}
mux sync.Mutex
// StreamConnected indicates whether this client is StreamConnected to the Signal stream
status Status
}
func (c *GrpcClient) StreamConnected() bool {
return c.status == StreamConnected
}
func (c *GrpcClient) GetStatus() Status {
return c.status
}
// Close Closes underlying connections to the Signal Exchange
func (c *GrpcClient) Close() error {
return c.signalConn.Close()
}
// NewClient creates a new Signal client
func NewClient(ctx context.Context, addr string, key wgtypes.Key, tlsEnabled bool) (*GrpcClient, error) {
transportOption := grpc.WithTransportCredentials(insecure.NewCredentials())
if tlsEnabled {
transportOption = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
}
sigCtx, cancel := context.WithTimeout(ctx, time.Second*3)
defer cancel()
conn, err := grpc.DialContext(
sigCtx,
addr,
transportOption,
grpc.WithBlock(),
grpc.WithKeepaliveParams(keepalive.ClientParameters{
Time: 15 * time.Second,
Timeout: 10 * time.Second,
}))
if err != nil {
log.Errorf("failed to connect to the signalling server %v", err)
return nil, err
}
return &GrpcClient{
realClient: proto.NewSignalExchangeClient(conn),
ctx: ctx,
signalConn: conn,
key: key,
mux: sync.Mutex{},
status: StreamDisconnected,
}, nil
}
//defaultBackoff is a basic backoff mechanism for general issues
func defaultBackoff(ctx context.Context) backoff.BackOff {
return backoff.WithContext(&backoff.ExponentialBackOff{
InitialInterval: 800 * time.Millisecond,
RandomizationFactor: backoff.DefaultRandomizationFactor,
Multiplier: backoff.DefaultMultiplier,
MaxInterval: 10 * time.Second,
MaxElapsedTime: 12 * time.Hour, //stop after 12 hours of trying, the error will be propagated to the general retry of the client
Stop: backoff.Stop,
Clock: backoff.SystemClock,
}, ctx)
}
// Receive Connects to the Signal Exchange message stream and starts receiving messages.
// The messages will be handled by msgHandler function provided.
// This function is blocking and reconnects to the Signal Exchange if errors occur (e.g. Exchange restart)
// The connection retry logic will try to reconnect for 30 min and if wasn't successful will propagate the error to the function caller.
func (c *GrpcClient) Receive(msgHandler func(msg *proto.Message) error) error {
var backOff = defaultBackoff(c.ctx)
operation := func() error {
c.notifyStreamDisconnected()
log.Debugf("signal connection state %v", c.signalConn.GetState())
if !c.Ready() {
return fmt.Errorf("no connection to signal")
}
// connect to Signal stream identifying ourselves with a public Wireguard key
// todo once the key rotation logic has been implemented, consider changing to some other identifier (received from management)
stream, err := c.connect(c.key.PublicKey().String())
if err != nil {
log.Warnf("disconnected from the Signal Exchange due to an error: %v", err)
return err
}
c.notifyStreamConnected()
log.Infof("connected to the Signal Service stream")
// start receiving messages from the Signal stream (from other peers through signal)
err = c.receive(stream, msgHandler)
if err != nil {
log.Warnf("disconnected from the Signal Exchange due to an error: %v", err)
backOff.Reset()
return err
}
return nil
}
err := backoff.Retry(operation, backOff)
if err != nil {
log.Errorf("exiting Signal Service connection retry loop due to unrecoverable error: %s", err)
return err
}
return nil
}
func (c *GrpcClient) notifyStreamDisconnected() {
c.mux.Lock()
defer c.mux.Unlock()
c.status = StreamDisconnected
}
func (c *GrpcClient) notifyStreamConnected() {
c.mux.Lock()
defer c.mux.Unlock()
c.status = StreamConnected
if c.connectedCh != nil {
// there are goroutines waiting on this channel -> release them
close(c.connectedCh)
c.connectedCh = nil
}
}
func (c *GrpcClient) getStreamStatusChan() <-chan struct{} {
c.mux.Lock()
defer c.mux.Unlock()
if c.connectedCh == nil {
c.connectedCh = make(chan struct{})
}
return c.connectedCh
}
func (c *GrpcClient) connect(key string) (proto.SignalExchange_ConnectStreamClient, error) {
c.stream = nil
// add key fingerprint to the request header to be identified on the server side
md := metadata.New(map[string]string{proto.HeaderId: key})
ctx := metadata.NewOutgoingContext(c.ctx, md)
stream, err := c.realClient.ConnectStream(ctx, grpc.WaitForReady(true))
c.stream = stream
if err != nil {
return nil, err
}
// blocks
header, err := c.stream.Header()
if err != nil {
return nil, err
}
registered := header.Get(proto.HeaderRegistered)
if len(registered) == 0 {
return nil, fmt.Errorf("didn't receive a registration header from the Signal server whille connecting to the streams")
}
return stream, nil
}
// Ready indicates whether the client is okay and Ready to be used
// for now it just checks whether gRPC connection to the service is in state Ready
func (c *GrpcClient) Ready() bool {
return c.signalConn.GetState() == connectivity.Ready || c.signalConn.GetState() == connectivity.Idle
}
// WaitStreamConnected waits until the client is connected to the Signal stream
func (c *GrpcClient) WaitStreamConnected() {
if c.status == StreamConnected {
return
}
ch := c.getStreamStatusChan()
select {
case <-c.ctx.Done():
case <-ch:
}
}
// SendToStream sends a message to the remote Peer through the Signal Exchange using established stream connection to the Signal Server
// The GrpcClient.Receive method must be called before sending messages to establish initial connection to the Signal Exchange
// GrpcClient.connWg can be used to wait
func (c *GrpcClient) SendToStream(msg *proto.EncryptedMessage) error {
if !c.Ready() {
return fmt.Errorf("no connection to signal")
}
if c.stream == nil {
return fmt.Errorf("connection to the Signal Exchnage has not been established yet. Please call GrpcClient.Receive before sending messages")
}
err := c.stream.Send(msg)
if err != nil {
log.Errorf("error while sending message to peer [%s] [error: %v]", msg.RemoteKey, err)
return err
}
return nil
}
// decryptMessage decrypts the body of the msg using Wireguard private key and Remote peer's public key
func (c *GrpcClient) decryptMessage(msg *proto.EncryptedMessage) (*proto.Message, error) {
remoteKey, err := wgtypes.ParseKey(msg.GetKey())
if err != nil {
return nil, err
}
body := &proto.Body{}
err = encryption.DecryptMessage(remoteKey, c.key, msg.GetBody(), body)
if err != nil {
return nil, err
}
return &proto.Message{
Key: msg.Key,
RemoteKey: msg.RemoteKey,
Body: body,
}, nil
}
// encryptMessage encrypts the body of the msg using Wireguard private key and Remote peer's public key
func (c *GrpcClient) encryptMessage(msg *proto.Message) (*proto.EncryptedMessage, error) {
remoteKey, err := wgtypes.ParseKey(msg.RemoteKey)
if err != nil {
return nil, err
}
encryptedBody, err := encryption.EncryptMessage(remoteKey, c.key, msg.Body)
if err != nil {
return nil, err
}
return &proto.EncryptedMessage{
Key: msg.GetKey(),
RemoteKey: msg.GetRemoteKey(),
Body: encryptedBody,
}, nil
}
// Send sends a message to the remote Peer through the Signal Exchange.
func (c *GrpcClient) Send(msg *proto.Message) error {
if !c.Ready() {
return fmt.Errorf("no connection to signal")
}
encryptedMessage, err := c.encryptMessage(msg)
if err != nil {
return err
}
ctx, cancel := context.WithTimeout(context.Background(), time.Second*2)
defer cancel()
_, err = c.realClient.Send(ctx, encryptedMessage)
if err != nil {
return err
}
return nil
}
// receive receives messages from other peers coming through the Signal Exchange
func (c *GrpcClient) receive(stream proto.SignalExchange_ConnectStreamClient,
msgHandler func(msg *proto.Message) error) error {
for {
msg, err := stream.Recv()
if s, ok := status.FromError(err); ok && s.Code() == codes.Canceled {
log.Warnf("stream canceled (usually indicates shutdown)")
return err
} else if s.Code() == codes.Unavailable {
log.Warnf("Signal Service is unavailable")
return err
} else if err == io.EOF {
log.Warnf("Signal Service stream closed by server")
return err
} else if err != nil {
return err
}
log.Debugf("received a new message from Peer [fingerprint: %s]", msg.Key)
decryptedMessage, err := c.decryptMessage(msg)
if err != nil {
log.Errorf("failed decrypting message of Peer [key: %s] error: [%s]", msg.Key, err.Error())
}
err = msgHandler(decryptedMessage)
if err != nil {
log.Errorf("error while handling message of Peer [key: %s] error: [%s]", msg.Key, err.Error())
//todo send something??
}
}
}

72
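--- a/signal/client/mock.go
+++ b/signal/client/mock.go
@@ -0,0 +1,72 @@
+package client
+import (
+"github.com/wiretrustee/wiretrustee/signal/proto"
+)
+type MockClient struct {
+CloseFunc func() error
+GetStatusFunc func() Status
+StreamConnectedFunc func() bool
+ReadyFunc func() bool
+WaitStreamConnectedFunc func()
+ReceiveFunc func(msgHandler func(msg *proto.Message) error) error
+SendToStreamFunc func(msg *proto.EncryptedMessage) error
+SendFunc func(msg *proto.Message) error
+}
+func (sm *MockClient) Close() error {
+if sm.CloseFunc == nil {
+return nil
+}
+return sm.CloseFunc()
+}
+func (sm *MockClient) GetStatus() Status {
+if sm.GetStatusFunc == nil {
+return ""
+}
+return sm.GetStatusFunc()
+}
+func (sm *MockClient) StreamConnected() bool {
+if sm.StreamConnectedFunc == nil {
+return false
+}
+return sm.StreamConnectedFunc()
+}
+func (sm *MockClient) Ready() bool {
+if sm.ReadyFunc == nil {
+return false
+}
+return sm.ReadyFunc()
+}
+func (sm *MockClient) WaitStreamConnected() {
+if sm.WaitStreamConnectedFunc == nil {
+return
+}
+sm.WaitStreamConnectedFunc()
+}
+func (sm *MockClient) Receive(msgHandler func(msg *proto.Message) error) error {
+if sm.ReceiveFunc == nil {
+return nil
+}
+return sm.ReceiveFunc(msgHandler)
+}
+func (sm *MockClient) SendToStream(msg *proto.EncryptedMessage) error {
+if sm.SendToStreamFunc == nil {
+return nil
+}
+return sm.SendToStreamFunc(msg)
+}
+func (sm *MockClient) Send(msg *proto.Message) error {
+if sm.SendFunc == nil {
+return nil
+}
+return sm.SendFunc(msg)
+}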
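Review bot: MockClient and all of its methods are exported but carry no doc comments, and the nil-field fallbacks (return nil, "", false, or do nothing) are exactly what a test author needs to know before relying on this double. I would add above the type `// MockClient is a test double for the signal client: each method delegates to the matching *Func field and, when that field is nil, returns the zero value (or does nothing) instead of failing.` Consider also whether an unset hook should fail loudly rather than silently succeed — a test that forgets to set SendFunc or ReceiveFunc currently passes as if the call had worked, which can mask a missing assertion.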

16
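--- a/util/common.go
+++ b/util/common.go
@@ -0,0 +1,16 @@
+package util
+// SliceDiff returns the elements in slice `x` that are not in slice `y`
+func SliceDiff(x, y []string) []string {
+mapY := make(map[string]struct{}, len(y))
+for _, val := range y {
+mapY[val] = struct{}{}
+}
+var diff []string
+for _, val := range x {
+if _, found := mapY[val]; !found {
+diff = append(diff, val)
+}
+}
+return diff
+}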
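Review bot: The doc comment on SliceDiff leaves out two properties callers are likely to depend on: elements of x are returned in their original order with duplicates kept (x = ["a", "a"], y = nil yields ["a", "a"]), and the result is a nil slice rather than an empty one when every element of x appears in y, which encodes as null in JSON. I would extend the comment to `// SliceDiff returns the elements of x that are not present in y, preserving order and duplicates from x. It returns nil when there is no difference.` If callers need set semantics, a follow-up could deduplicate x as well, but that would change behavior and should be a separate change.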


@@ -93,6 +93,12 @@ var _ = Describe("Client", func() {
_, err = io.Copy(hashDst, dstFile) _, err = io.Copy(hashDst, dstFile)
Expect(err).NotTo(HaveOccurred()) Expect(err).NotTo(HaveOccurred())
err = srcFile.Close()
Expect(err).NotTo(HaveOccurred())
err = dstFile.Close()
Expect(err).NotTo(HaveOccurred())
Expect(hex.EncodeToString(hashSrc.Sum(nil)[:16])).To(BeEquivalentTo(hex.EncodeToString(hashDst.Sum(nil)[:16]))) Expect(hex.EncodeToString(hashSrc.Sum(nil)[:16])).To(BeEquivalentTo(hex.EncodeToString(hashDst.Sum(nil)[:16])))
}) })
}) })