added logs for an addPeer

Merge branch 'main' into add-account-onboarding
[management] Add option to disable default all-to-all policy (#3970 )
2026-05-12 03:39:55 +00:00 · 2025-07-07 18:16:02 +02:00 · 2025-07-02 02:59:03 +02:00 · 2025-07-02 02:41:59 +02:00 · 2025-07-02 02:35:13 +02:00 · 2025-07-02 01:38:40 +02:00
76 changed files with 2235 additions and 687 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,7 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.0.18"
+  SIGN_PIPE_VER: "v0.0.20"
  GORELEASER_VER: "v2.3.2"
  PRODUCT_NAME: "NetBird"
  COPYRIGHT: "NetBird GmbH"
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -134,6 +134,7 @@ jobs:
          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
+          CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY: false

        run: |
          set -x
@@ -180,6 +181,7 @@ jobs:
          grep -A 7 Relay management.json | egrep '"Secret": ".+"'
          grep DisablePromptLogin management.json | grep 'true'
          grep LoginFlag management.json | grep 0
+          grep DisableDefaultPolicy management.json | grep "$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY"

      - name: Install modules
        run: go mod tidy
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,6 +1,9 @@
 FROM alpine:3.21.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
+
+ARG NETBIRD_BINARY=netbird
+COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
+
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
-COPY netbird /usr/local/bin/netbird
--- a/client/Dockerfile-rootless
+++ b/client/Dockerfile-rootless
@@ -1,6 +1,7 @@
 FROM alpine:3.21.0

-COPY netbird /usr/local/bin/netbird
+ARG NETBIRD_BINARY=netbird
+COPY ${NETBIRD_BINARY} /usr/local/bin/netbird

 RUN apk add --no-cache ca-certificates \
    && adduser -D -h /var/lib/netbird netbird
--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -4,12 +4,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 )

-// Preferences export a subset of the internal config for gomobile
+// Preferences exports a subset of the internal config for gomobile
 type Preferences struct {
 	configInput internal.ConfigInput
 }

-// NewPreferences create new Preferences instance
+// NewPreferences creates a new Preferences instance
 func NewPreferences(configPath string) *Preferences {
 	ci := internal.ConfigInput{
 		ConfigPath: configPath,
@@ -17,7 +17,7 @@ func NewPreferences(configPath string) *Preferences {
 	return &Preferences{ci}
 }

-// GetManagementURL read url from config file
+// GetManagementURL reads URL from config file
 func (p *Preferences) GetManagementURL() (string, error) {
 	if p.configInput.ManagementURL != "" {
 		return p.configInput.ManagementURL, nil
@@ -30,12 +30,12 @@ func (p *Preferences) GetManagementURL() (string, error) {
 	return cfg.ManagementURL.String(), err
 }

-// SetManagementURL store the given url and wait for commit
+// SetManagementURL stores the given URL and waits for commit
 func (p *Preferences) SetManagementURL(url string) {
 	p.configInput.ManagementURL = url
 }

-// GetAdminURL read url from config file
+// GetAdminURL reads URL from config file
 func (p *Preferences) GetAdminURL() (string, error) {
 	if p.configInput.AdminURL != "" {
 		return p.configInput.AdminURL, nil
@@ -48,12 +48,12 @@ func (p *Preferences) GetAdminURL() (string, error) {
 	return cfg.AdminURL.String(), err
 }

-// SetAdminURL store the given url and wait for commit
+// SetAdminURL stores the given URL and waits for commit
 func (p *Preferences) SetAdminURL(url string) {
 	p.configInput.AdminURL = url
 }

-// GetPreSharedKey read preshared key from config file
+// GetPreSharedKey reads pre-shared key from config file
 func (p *Preferences) GetPreSharedKey() (string, error) {
 	if p.configInput.PreSharedKey != nil {
 		return *p.configInput.PreSharedKey, nil
@@ -66,17 +66,17 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 	return cfg.PreSharedKey, err
 }

-// SetPreSharedKey store the given key and wait for commit
+// SetPreSharedKey stores the given key and waits for commit
 func (p *Preferences) SetPreSharedKey(key string) {
 	p.configInput.PreSharedKey = &key
 }

-// SetRosenpassEnabled store if rosenpass is enabled
+// SetRosenpassEnabled stores whether Rosenpass is enabled
 func (p *Preferences) SetRosenpassEnabled(enabled bool) {
 	p.configInput.RosenpassEnabled = &enabled
 }

-// GetRosenpassEnabled read rosenpass enabled from config file
+// GetRosenpassEnabled reads Rosenpass enabled status from config file
 func (p *Preferences) GetRosenpassEnabled() (bool, error) {
 	if p.configInput.RosenpassEnabled != nil {
 		return *p.configInput.RosenpassEnabled, nil
@@ -89,12 +89,12 @@ func (p *Preferences) GetRosenpassEnabled() (bool, error) {
 	return cfg.RosenpassEnabled, err
 }

-// SetRosenpassPermissive store the given permissive and wait for commit
+// SetRosenpassPermissive stores the given permissive setting and waits for commit
 func (p *Preferences) SetRosenpassPermissive(permissive bool) {
 	p.configInput.RosenpassPermissive = &permissive
 }

-// GetRosenpassPermissive read rosenpass permissive from config file
+// GetRosenpassPermissive reads Rosenpass permissive setting from config file
 func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 	if p.configInput.RosenpassPermissive != nil {
 		return *p.configInput.RosenpassPermissive, nil
@@ -107,7 +107,119 @@ func (p *Preferences) GetRosenpassPermissive() (bool, error) {
 	return cfg.RosenpassPermissive, err
 }

-// Commit write out the changes into config file
+// GetDisableClientRoutes reads disable client routes setting from config file
+func (p *Preferences) GetDisableClientRoutes() (bool, error) {
+	if p.configInput.DisableClientRoutes != nil {
+		return *p.configInput.DisableClientRoutes, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableClientRoutes, err
+}
+
+// SetDisableClientRoutes stores the given value and waits for commit
+func (p *Preferences) SetDisableClientRoutes(disable bool) {
+	p.configInput.DisableClientRoutes = &disable
+}
+
+// GetDisableServerRoutes reads disable server routes setting from config file
+func (p *Preferences) GetDisableServerRoutes() (bool, error) {
+	if p.configInput.DisableServerRoutes != nil {
+		return *p.configInput.DisableServerRoutes, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableServerRoutes, err
+}
+
+// SetDisableServerRoutes stores the given value and waits for commit
+func (p *Preferences) SetDisableServerRoutes(disable bool) {
+	p.configInput.DisableServerRoutes = &disable
+}
+
+// GetDisableDNS reads disable DNS setting from config file
+func (p *Preferences) GetDisableDNS() (bool, error) {
+	if p.configInput.DisableDNS != nil {
+		return *p.configInput.DisableDNS, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableDNS, err
+}
+
+// SetDisableDNS stores the given value and waits for commit
+func (p *Preferences) SetDisableDNS(disable bool) {
+	p.configInput.DisableDNS = &disable
+}
+
+// GetDisableFirewall reads disable firewall setting from config file
+func (p *Preferences) GetDisableFirewall() (bool, error) {
+	if p.configInput.DisableFirewall != nil {
+		return *p.configInput.DisableFirewall, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.DisableFirewall, err
+}
+
+// SetDisableFirewall stores the given value and waits for commit
+func (p *Preferences) SetDisableFirewall(disable bool) {
+	p.configInput.DisableFirewall = &disable
+}
+
+// GetServerSSHAllowed reads server SSH allowed setting from config file
+func (p *Preferences) GetServerSSHAllowed() (bool, error) {
+	if p.configInput.ServerSSHAllowed != nil {
+		return *p.configInput.ServerSSHAllowed, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	if cfg.ServerSSHAllowed == nil {
+		// Default to false for security on Android
+		return false, nil
+	}
+	return *cfg.ServerSSHAllowed, err
+}
+
+// SetServerSSHAllowed stores the given value and waits for commit
+func (p *Preferences) SetServerSSHAllowed(allowed bool) {
+	p.configInput.ServerSSHAllowed = &allowed
+}
+
+// GetBlockInbound reads block inbound setting from config file
+func (p *Preferences) GetBlockInbound() (bool, error) {
+	if p.configInput.BlockInbound != nil {
+		return *p.configInput.BlockInbound, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return false, err
+	}
+	return cfg.BlockInbound, err
+}
+
+// SetBlockInbound stores the given value and waits for commit
+func (p *Preferences) SetBlockInbound(block bool) {
+	p.configInput.BlockInbound = &block
+}
+
+// Commit writes out the changes to the config file
 func (p *Preferences) Commit() error {
 	_, err := internal.UpdateOrCreateConfig(p.configInput)
 	return err
--- a/client/cmd/system.go
+++ b/client/cmd/system.go
@@ -38,5 +38,5 @@ func init() {

 	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
 		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
-		"This overrides any policies received from the management service.")
+			"This overrides any policies received from the management service.")
 }
--- a/client/cmd/testutil_test.go
+++ b/client/cmd/testutil_test.go
@@ -103,7 +103,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 		Return(&types.Settings{}, nil).
 		AnyTimes()

-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/iface/device/device_android.go
+++ b/client/iface/device/device_android.go
@@ -24,6 +24,7 @@ type WGTunDevice struct {
 	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
+	disableDNS bool

 	name           string
 	device         *device.Device
@@ -32,7 +33,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }

-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -40,6 +41,7 @@ func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind
 		mtu:        mtu,
 		iceBind:    iceBind,
 		tunAdapter: tunAdapter,
+		disableDNS: disableDNS,
 	}
 }

@@ -49,6 +51,13 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	routesString := routesToString(routes)
 	searchDomainsToString := searchDomainsToString(searchDomains)

+	// Skip DNS configuration when DisableDNS is enabled
+	if t.disableDNS {
+		log.Info("DNS is disabled, skipping DNS and search domain configuration")
+		dns = ""
+		searchDomainsToString = ""
+	}
+
 	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
--- a/client/iface/iface.go
+++ b/client/iface/iface.go
@@ -43,6 +43,7 @@ type WGIFaceOpts struct {
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
+	DisableDNS   bool
 }

 // WGIface represents an interface instance
--- a/client/iface/iface_new_android.go
+++ b/client/iface/iface_new_android.go
@@ -18,7 +18,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {

 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter),
+		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -398,11 +398,15 @@ func (d *DefaultManager) squashAcceptRules(
 	//
 	// We zeroed this to notify squash function that this protocol can't be squashed.
 	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
-		drop := r.Action == mgmProto.RuleAction_DROP || r.Port != ""
-		if drop {
+		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
+			r.Port != "" || !portInfoEmpty(r.PortInfo)
+
+		if hasPortRestrictions {
+			// Don't squash rules with port restrictions
 			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
 			return
 		}
+
 		if _, ok := protocols[r.Protocol]; !ok {
 			protocols[r.Protocol] = &protoMatch{
 				ips: map[string]int{},
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -330,6 +330,434 @@ func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
 	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
 }

+func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
+	tests := []struct {
+		name          string
+		rules         []*mgmProto.FirewallRule
+		expectedCount int
+		description   string
+	}{
+		{
+			name: "should not squash rules with port ranges",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Range_{
+							Range: &mgmProto.PortInfo_Range{
+								Start: 8080,
+								End:   8090,
+							},
+						},
+					},
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with port ranges should not be squashed even if they cover all peers",
+		},
+		{
+			name: "should not squash rules with specific ports",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with specific ports should not be squashed even if they cover all peers",
+		},
+		{
+			name: "should not squash rules with legacy port field",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with legacy port field should not be squashed",
+		},
+		{
+			name: "should not squash rules with DROP action",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_DROP,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 4,
+			description:   "Rules with DROP action should not be squashed",
+		},
+		{
+			name: "should squash rules without port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 1,
+			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
+		},
+		{
+			name: "mixed rules should not squash protocol with port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					PortInfo: &mgmProto.PortInfo{
+						PortSelection: &mgmProto.PortInfo_Port{
+							Port: 80,
+						},
+					},
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+				},
+			},
+			expectedCount: 4,
+			description:   "TCP should not be squashed because one rule has port restrictions",
+		},
+		{
+			name: "should squash UDP but not TCP when TCP has port restrictions",
+			rules: []*mgmProto.FirewallRule{
+				// TCP rules with port restrictions - should NOT be squashed
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_TCP,
+					Port:      "443",
+				},
+				// UDP rules without port restrictions - SHOULD be squashed
+				{
+					PeerIP:    "10.93.0.1",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.2",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.3",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+				{
+					PeerIP:    "10.93.0.4",
+					Direction: mgmProto.RuleDirection_IN,
+					Action:    mgmProto.RuleAction_ACCEPT,
+					Protocol:  mgmProto.RuleProtocol_UDP,
+				},
+			},
+			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
+			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			networkMap := &mgmProto.NetworkMap{
+				RemotePeers: []*mgmProto.RemotePeerConfig{
+					{AllowedIps: []string{"10.93.0.1"}},
+					{AllowedIps: []string{"10.93.0.2"}},
+					{AllowedIps: []string{"10.93.0.3"}},
+					{AllowedIps: []string{"10.93.0.4"}},
+				},
+				FirewallRules: tt.rules,
+			}
+
+			manager := &DefaultManager{}
+			rules, _ := manager.squashAcceptRules(networkMap)
+
+			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
+
+			// For squashed rules, verify we get the expected 0.0.0.0 rule
+			if tt.expectedCount == 1 {
+				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
+				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
+				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
+			}
+		})
+	}
+}
+
+func TestPortInfoEmpty(t *testing.T) {
+	tests := []struct {
+		name     string
+		portInfo *mgmProto.PortInfo
+		expected bool
+	}{
+		{
+			name:     "nil PortInfo should be empty",
+			portInfo: nil,
+			expected: true,
+		},
+		{
+			name: "PortInfo with zero port should be empty",
+			portInfo: &mgmProto.PortInfo{
+				PortSelection: &mgmProto.PortInfo_Port{
+					Port: 0,
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "PortInfo with valid port should not be empty",
+			portInfo: &mgmProto.PortInfo{
+				PortSelection: &mgmProto.PortInfo_Port{
+					Port: 80,
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "PortInfo with nil range should be empty",
+			portInfo: &mgmProto.PortInfo{
+				PortSelection: &mgmProto.PortInfo_Range_{
+					Range: nil,
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "PortInfo with zero start range should be empty",
+			portInfo: &mgmProto.PortInfo{
+				PortSelection: &mgmProto.PortInfo_Range_{
+					Range: &mgmProto.PortInfo_Range{
+						Start: 0,
+						End:   100,
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "PortInfo with zero end range should be empty",
+			portInfo: &mgmProto.PortInfo{
+				PortSelection: &mgmProto.PortInfo_Range_{
+					Range: &mgmProto.PortInfo_Range{
+						Start: 80,
+						End:   0,
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "PortInfo with valid range should not be empty",
+			portInfo: &mgmProto.PortInfo{
+				PortSelection: &mgmProto.PortInfo_Range_{
+					Range: &mgmProto.PortInfo_Range{
+						Start: 8080,
+						End:   8090,
+					},
+				},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := portInfoEmpty(tt.portInfo)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
 func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	networkMap := &mgmProto.NetworkMap{
 		PeerConfig: &mgmProto.PeerConfig{
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -223,6 +223,8 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
+		// default to disabling server routes on Android for security
+		DisableServerRoutes: runtime.GOOS == "android",
 	}

 	if _, err := config.apply(input); err != nil {
@@ -416,9 +418,15 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		config.ServerSSHAllowed = input.ServerSSHAllowed
 		updated = true
 	} else if config.ServerSSHAllowed == nil {
-		// enables SSH for configs from old versions to preserve backwards compatibility
-		log.Infof("falling back to enabled SSH server for pre-existing configuration")
-		config.ServerSSHAllowed = util.True()
+		if runtime.GOOS == "android" {
+			// default to disabled SSH on Android for security
+			log.Infof("setting SSH server to false by default on Android")
+			config.ServerSSHAllowed = util.False()
+		} else {
+			// enables SSH for configs from old versions to preserve backwards compatibility
+			log.Infof("falling back to enabled SSH server for pre-existing configuration")
+			config.ServerSSHAllowed = util.True()
+		}
 		updated = true
 	}

--- a/client/internal/conn_mgr.go
+++ b/client/internal/conn_mgr.go
@@ -175,7 +175,7 @@ func (e *ConnMgr) AddPeerConn(ctx context.Context, peerKey string, conn *peer.Co
 		PeerConnID: conn.ConnID(),
 		Log:        conn.Log,
 	}
-	excluded, err := e.lazyConnMgr.AddPeer(lazyPeerCfg)
+	excluded, err := e.lazyConnMgr.AddPeer(e.lazyCtx, lazyPeerCfg)
 	if err != nil {
 		conn.Log.Errorf("failed to add peer to lazyconn manager: %v", err)
 		if err := conn.Open(ctx); err != nil {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -1527,6 +1527,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 		MTU:          iface.DefaultMTU,
 		TransportNet: transportNet,
 		FilterFn:     e.addrViaRoutes,
+		DisableDNS:   e.config.DisableDNS,
 	}

 	switch runtime.GOOS {
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -1476,7 +1476,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri

 	permissionsManager := permissions.NewManager(store)

-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/lazyconn/inactivity/inactivity.go
+++ b/client/internal/lazyconn/inactivity/inactivity.go
@@ -68,3 +68,8 @@ func (i *Monitor) PauseTimer() {
 func (i *Monitor) ResetTimer() {
 	i.timer.Reset(i.inactivityThreshold)
 }
+
+func (i *Monitor) ResetMonitor(ctx context.Context, timeoutChan chan peer.ConnID) {
+	i.Stop()
+	go i.Start(ctx, timeoutChan)
+}
--- a/client/internal/lazyconn/manager/manager.go
+++ b/client/internal/lazyconn/manager/manager.go
@@ -58,7 +58,7 @@ type Manager struct {
 	// Route HA group management
 	peerToHAGroups map[string][]route.HAUniqueID // peer ID -> HA groups they belong to
 	haGroupToPeers map[route.HAUniqueID][]string // HA group -> peer IDs in the group
-	routesMu       sync.RWMutex                  // protects route mappings
+	routesMu       sync.RWMutex

 	onInactive chan peerid.ConnID
 }
@@ -146,7 +146,7 @@ func (m *Manager) Start(ctx context.Context) {
 		case peerConnID := <-m.activityManager.OnActivityChan:
 			m.onPeerActivity(ctx, peerConnID)
 		case peerConnID := <-m.onInactive:
-			m.onPeerInactivityTimedOut(peerConnID)
+			m.onPeerInactivityTimedOut(ctx, peerConnID)
 		}
 	}
 }
@@ -197,7 +197,7 @@ func (m *Manager) ExcludePeer(ctx context.Context, peerConfigs []lazyconn.PeerCo
 	return added
 }

-func (m *Manager) AddPeer(peerCfg lazyconn.PeerConfig) (bool, error) {
+func (m *Manager) AddPeer(ctx context.Context, peerCfg lazyconn.PeerConfig) (bool, error) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()

@@ -225,6 +225,13 @@ func (m *Manager) AddPeer(peerCfg lazyconn.PeerConfig) (bool, error) {
 		peerCfg:         &peerCfg,
 		expectedWatcher: watcherActivity,
 	}
+
+	// Check if this peer should be activated because its HA group peers are active
+	if group, ok := m.shouldActivateNewPeer(peerCfg.PublicKey); ok {
+		peerCfg.Log.Debugf("peer belongs to active HA group %s, will activate immediately", group)
+		m.activateNewPeerInActiveGroup(ctx, peerCfg)
+	}
+
 	return false, nil
 }

@@ -315,36 +322,38 @@ func (m *Manager) activateSinglePeer(ctx context.Context, cfg *lazyconn.PeerConf

 // activateHAGroupPeers activates all peers in HA groups that the given peer belongs to
 func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string) {
+	var peersToActivate []string
+
 	m.routesMu.RLock()
 	haGroups := m.peerToHAGroups[triggerPeerID]
-	m.routesMu.RUnlock()

 	if len(haGroups) == 0 {
+		m.routesMu.RUnlock()
 		log.Debugf("peer %s is not part of any HA groups", triggerPeerID)
 		return
 	}

-	activatedCount := 0
 	for _, haGroup := range haGroups {
-		m.routesMu.RLock()
 		peers := m.haGroupToPeers[haGroup]
-		m.routesMu.RUnlock()
-
 		for _, peerID := range peers {
-			if peerID == triggerPeerID {
-				continue
+			if peerID != triggerPeerID {
+				peersToActivate = append(peersToActivate, peerID)
 			}
+		}
+	}
+	m.routesMu.RUnlock()

-			cfg, mp := m.getPeerForActivation(peerID)
-			if cfg == nil {
-				continue
-			}
+	activatedCount := 0
+	for _, peerID := range peersToActivate {
+		cfg, mp := m.getPeerForActivation(peerID)
+		if cfg == nil {
+			continue
+		}

-			if m.activateSinglePeer(ctx, cfg, mp) {
-				activatedCount++
-				cfg.Log.Infof("activated peer as part of HA group %s (triggered by %s)", haGroup, triggerPeerID)
-				m.peerStore.PeerConnOpen(m.engineCtx, cfg.PublicKey)
-			}
+		if m.activateSinglePeer(ctx, cfg, mp) {
+			activatedCount++
+			cfg.Log.Infof("activated peer as part of HA group (triggered by %s)", triggerPeerID)
+			m.peerStore.PeerConnOpen(m.engineCtx, cfg.PublicKey)
 		}
 	}

@@ -354,6 +363,51 @@ func (m *Manager) activateHAGroupPeers(ctx context.Context, triggerPeerID string
 	}
 }

+// shouldActivateNewPeer checks if a newly added peer should be activated
+// because other peers in its HA groups are already active
+func (m *Manager) shouldActivateNewPeer(peerID string) (route.HAUniqueID, bool) {
+	m.routesMu.RLock()
+	defer m.routesMu.RUnlock()
+
+	haGroups := m.peerToHAGroups[peerID]
+	if len(haGroups) == 0 {
+		return "", false
+	}
+
+	for _, haGroup := range haGroups {
+		peers := m.haGroupToPeers[haGroup]
+		for _, groupPeerID := range peers {
+			if groupPeerID == peerID {
+				continue
+			}
+
+			cfg, ok := m.managedPeers[groupPeerID]
+			if !ok {
+				continue
+			}
+			if mp, ok := m.managedPeersByConnID[cfg.PeerConnID]; ok && mp.expectedWatcher == watcherInactivity {
+				return haGroup, true
+			}
+		}
+	}
+	return "", false
+}
+
+// activateNewPeerInActiveGroup activates a newly added peer that should be active due to HA group
+func (m *Manager) activateNewPeerInActiveGroup(ctx context.Context, peerCfg lazyconn.PeerConfig) {
+	mp, ok := m.managedPeersByConnID[peerCfg.PeerConnID]
+	if !ok {
+		return
+	}
+
+	if !m.activateSinglePeer(ctx, &peerCfg, mp) {
+		return
+	}
+
+	peerCfg.Log.Infof("activated newly added peer due to active HA group peers")
+	m.peerStore.PeerConnOpen(m.engineCtx, peerCfg.PublicKey)
+}
+
 func (m *Manager) addActivePeer(ctx context.Context, peerCfg lazyconn.PeerConfig) error {
 	if _, ok := m.managedPeers[peerCfg.PublicKey]; ok {
 		peerCfg.Log.Warnf("peer already managed")
@@ -415,6 +469,48 @@ func (m *Manager) close() {
 	log.Infof("lazy connection manager closed")
 }

+// shouldDeferIdleForHA checks if peer should stay connected due to HA group requirements
+func (m *Manager) shouldDeferIdleForHA(peerID string) bool {
+	m.routesMu.RLock()
+	defer m.routesMu.RUnlock()
+
+	haGroups := m.peerToHAGroups[peerID]
+	if len(haGroups) == 0 {
+		return false
+	}
+
+	for _, haGroup := range haGroups {
+		groupPeers := m.haGroupToPeers[haGroup]
+
+		for _, groupPeerID := range groupPeers {
+			if groupPeerID == peerID {
+				continue
+			}
+
+			cfg, ok := m.managedPeers[groupPeerID]
+			if !ok {
+				continue
+			}
+
+			groupMp, ok := m.managedPeersByConnID[cfg.PeerConnID]
+			if !ok {
+				continue
+			}
+
+			if groupMp.expectedWatcher != watcherInactivity {
+				continue
+			}
+
+			// Other member is still connected, defer idle
+			if peer, ok := m.peerStore.PeerConn(groupPeerID); ok && peer.IsConnected() {
+				return true
+			}
+		}
+	}
+
+	return false
+}
+
 func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()
@@ -441,7 +537,7 @@ func (m *Manager) onPeerActivity(ctx context.Context, peerConnID peerid.ConnID)
 	m.peerStore.PeerConnOpen(m.engineCtx, mp.peerCfg.PublicKey)
 }

-func (m *Manager) onPeerInactivityTimedOut(peerConnID peerid.ConnID) {
+func (m *Manager) onPeerInactivityTimedOut(ctx context.Context, peerConnID peerid.ConnID) {
 	m.managedPeersMu.Lock()
 	defer m.managedPeersMu.Unlock()

@@ -456,6 +552,17 @@ func (m *Manager) onPeerInactivityTimedOut(peerConnID peerid.ConnID) {
 		return
 	}

+	if m.shouldDeferIdleForHA(mp.peerCfg.PublicKey) {
+		iw, ok := m.inactivityMonitors[peerConnID]
+		if ok {
+			mp.peerCfg.Log.Debugf("resetting inactivity timer due to HA group requirements")
+			iw.ResetMonitor(ctx, m.onInactive)
+		} else {
+			mp.peerCfg.Log.Errorf("inactivity monitor not found for HA defer reset")
+		}
+		return
+	}
+
 	mp.peerCfg.Log.Infof("connection timed out")

 	// this is blocking operation, potentially can be optimized
@@ -489,7 +596,7 @@ func (m *Manager) onPeerConnected(peerConnID peerid.ConnID) {

 	iw, ok := m.inactivityMonitors[mp.peerCfg.PeerConnID]
 	if !ok {
-		mp.peerCfg.Log.Errorf("inactivity monitor not found for peer")
+		mp.peerCfg.Log.Warnf("inactivity monitor not found for peer")
 		return
 	}

--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -317,12 +317,12 @@ func (conn *Conn) WgConfig() WgConfig {
 	return conn.config.WgConfig
 }

-// IsConnected unit tests only
-// refactor unit test to use status recorder use refactor status recorded to manage connection status in peer.Conn
+// IsConnected returns true if the peer is connected
 func (conn *Conn) IsConnected() bool {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()
-	return conn.currentConnPriority != conntype.None
+
+	return conn.evalStatus() == StatusConnected
 }

 func (conn *Conn) GetKey() string {
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -15,7 +15,7 @@ import (
 // MockManager is the mock instance of a route manager
 type MockManager struct {
 	ClassifyRoutesFunc           func(routes []*route.Route) (map[route.ID]*route.Route, route.HAMap)
-	UpdateRoutesFunc             func (updateSerial uint64, serverRoutes map[route.ID]*route.Route, clientRoutes route.HAMap, useNewDNSRoute bool) error
+	UpdateRoutesFunc             func(updateSerial uint64, serverRoutes map[route.ID]*route.Route, clientRoutes route.HAMap, useNewDNSRoute bool) error
 	TriggerSelectionFunc         func(haMap route.HAMap)
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
--- a/client/internal/routemanager/notifier/notifier.go
+++ b/client/internal/routemanager/notifier/notifier.go
@@ -32,7 +32,6 @@ func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
 func (n *Notifier) SetInitialClientRoutes(clientRoutes []*route.Route) {
 	nets := make([]string, 0)
 	for _, r := range clientRoutes {
-		// filter out domain routes
 		if r.IsDynamic() {
 			continue
 		}
@@ -46,30 +45,27 @@ func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
 	if runtime.GOOS != "android" {
 		return
 	}
-	newNets := make([]string, 0)
+
+	var newNets []string
 	for _, routes := range idMap {
 		for _, r := range routes {
+			if r.IsDynamic() {
+				continue
+			}
 			newNets = append(newNets, r.Network.String())
 		}
 	}

 	sort.Strings(newNets)
-	switch runtime.GOOS {
-	case "android":
-		if !n.hasDiff(n.initialRouteRanges, newNets) {
-			return
-		}
-	default:
-		if !n.hasDiff(n.routeRanges, newNets) {
-			return
-		}
+	if !n.hasDiff(n.initialRouteRanges, newNets) {
+		return
 	}

 	n.routeRanges = newNets
-
 	n.notify()
 }

+// OnNewPrefixes is called from iOS only
 func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 	newNets := make([]string, 0)
 	for _, prefix := range prefixes {
@@ -77,19 +73,11 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 	}

 	sort.Strings(newNets)
-	switch runtime.GOOS {
-	case "android":
-		if !n.hasDiff(n.initialRouteRanges, newNets) {
-			return
-		}
-	default:
-		if !n.hasDiff(n.routeRanges, newNets) {
-			return
-		}
+	if !n.hasDiff(n.routeRanges, newNets) {
+		return
 	}

 	n.routeRanges = newNets
-
 	n.notify()
 }

--- a/client/internal/routemanager/systemops/systemops.go
+++ b/client/internal/routemanager/systemops/systemops.go
@@ -28,7 +28,10 @@ func (n Nexthop) String() string {
 	if n.Intf == nil {
 		return n.IP.String()
 	}
-	return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
+	if n.IP.IsValid() {
+		return fmt.Sprintf("%s @ %d (%s)", n.IP.String(), n.Intf.Index, n.Intf.Name)
+	}
+	return fmt.Sprintf("no-ip @ %d (%s)", n.Intf.Index, n.Intf.Name)
 }

 type wgIface interface {
--- a/client/netbird.wxs
+++ b/client/netbird.wxs
@@ -1,8 +1,10 @@
 <Wix
-	xmlns="http://wixtoolset.org/schemas/v4/wxs">
+	xmlns="http://wixtoolset.org/schemas/v4/wxs"
+	xmlns:util="http://wixtoolset.org/schemas/v4/wxs/util">
 	<Package Name="NetBird" Version="$(env.NETBIRD_VERSION)" Manufacturer="NetBird GmbH" Language="1033" UpgradeCode="6456ec4e-3ad6-4b9b-a2be-98e81cb21ccf"
        InstallerVersion="500" Compressed="yes"  Codepage="utf-8" >

+
 		<MediaTemplate EmbedCab="yes" />

 		<Feature Id="NetbirdFeature" Title="Netbird" Level="1">
@@ -46,29 +48,10 @@
 			<ComponentRef Id="NetbirdFiles" />
 		</ComponentGroup>

-		<Property Id="cmd" Value="cmd.exe"/>
+		<util:CloseApplication Id="CloseNetBird" CloseMessage="no" Target="netbird.exe" RebootPrompt="no" />
+		<util:CloseApplication Id="CloseNetBirdUI" CloseMessage="no" Target="netbird-ui.exe" RebootPrompt="no" />

-		<CustomAction Id="KillDaemon"
-                      ExeCommand='/c "taskkill /im netbird.exe"'
-                      Execute="deferred"
-                      Property="cmd"
-                      Impersonate="no"
-                      Return="ignore"
-            />

-		<CustomAction Id="KillUI"
-                      ExeCommand='/c "taskkill /im netbird-ui.exe"'
-                      Execute="deferred"
-                      Property="cmd"
-                      Impersonate="no"
-                      Return="ignore"
-            />
-
-		<InstallExecuteSequence>
-			<!-- For Uninstallation -->
-			<Custom Action="KillDaemon" Before="RemoveFiles" Condition="Installed"/>
-			<Custom Action="KillUI" After="KillDaemon" Condition="Installed"/>
-		</InstallExecuteSequence>

 		<!-- Icons -->
 		<Icon Id="NetbirdIcon" SourceFile=".\client\ui\assets\netbird.ico" />
--- a/client/server/server_test.go
+++ b/client/server/server_test.go
@@ -206,7 +206,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)

-	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -59,16 +59,16 @@ type Info struct {
 	Environment        Environment
 	Files              []File // for posture checks

-	RosenpassEnabled      bool
-	RosenpassPermissive   bool
-	ServerSSHAllowed      bool
+	RosenpassEnabled    bool
+	RosenpassPermissive bool
+	ServerSSHAllowed    bool

-	DisableClientRoutes   bool
-	DisableServerRoutes   bool
-	DisableDNS            bool
-	DisableFirewall       bool
-	BlockLANAccess        bool
-	BlockInbound          bool
+	DisableClientRoutes bool
+	DisableServerRoutes bool
+	DisableDNS          bool
+	DisableFirewall     bool
+	BlockLANAccess      bool
+	BlockInbound        bool

 	LazyConnectionEnabled bool
 }
--- a/client/ui/client_ui.go
+++ b/client/ui/client_ui.go
@@ -280,7 +280,7 @@ func newServiceClient(addr string, logFile string, a fyne.App, showSettings bool

 		showAdvancedSettings: showSettings,
 		showNetworks:         showNetworks,
-		update:               version.NewUpdate(),
+		update:               version.NewUpdate("nb/client-ui"),
 	}

 	s.eventHandler = newEventHandler(s)
@@ -879,7 +879,7 @@ func (s *serviceClient) onUpdateAvailable() {
 func (s *serviceClient) onSessionExpire() {
 	s.sendNotification = true
 	if s.sendNotification {
-		s.eventHandler.runSelfCommand("login-url", "true")
+		go s.eventHandler.runSelfCommand(s.ctx, "login-url", "true")
 		s.sendNotification = false
 	}
 }
@@ -992,21 +992,6 @@ func (s *serviceClient) restartClient(loginRequest *proto.LoginRequest) error {
 // showLoginURL creates a borderless window styled like a pop-up in the top-right corner using s.wLoginURL.
 func (s *serviceClient) showLoginURL() {

-	resp, err := s.login(false)
-	if err != nil {
-		log.Errorf("failed to fetch login URL: %v", err)
-		return
-	}
-	verificationURL := resp.VerificationURIComplete
-	if verificationURL == "" {
-		verificationURL = resp.VerificationURI
-	}
-
-	if verificationURL == "" {
-		log.Error("no verification URL provided in the login response")
-		return
-	}
-
 	resIcon := fyne.NewStaticResource("netbird.png", iconAbout)

 	if s.wLoginURL == nil {
@@ -1025,6 +1010,21 @@ func (s *serviceClient) showLoginURL() {
 			return
 		}

+		resp, err := s.login(false)
+		if err != nil {
+			log.Errorf("failed to fetch login URL: %v", err)
+			return
+		}
+		verificationURL := resp.VerificationURIComplete
+		if verificationURL == "" {
+			verificationURL = resp.VerificationURI
+		}
+
+		if verificationURL == "" {
+			log.Error("no verification URL provided in the login response")
+			return
+		}
+
 		if err := openURL(verificationURL); err != nil {
 			log.Errorf("failed to open login URL: %v", err)
 			return
@@ -1038,7 +1038,19 @@ func (s *serviceClient) showLoginURL() {
 		}

 		label.SetText("Re-authentication successful.\nReconnecting")
-		time.Sleep(300 * time.Millisecond)
+		status, err := conn.Status(s.ctx, &proto.StatusRequest{})
+		if err != nil {
+			log.Errorf("get service status: %v", err)
+			return
+		}
+
+		if status.Status == string(internal.StatusConnected) {
+			label.SetText("Already connected.\nClosing this window.")
+			time.Sleep(2 * time.Second)
+			s.wLoginURL.Close()
+			return
+		}
+
 		_, err = conn.Up(s.ctx, &proto.UpRequest{})
 		if err != nil {
 			label.SetText("Reconnecting failed, please create \na debug bundle in the settings and contact support.")
--- a/client/ui/event_handler.go
+++ b/client/ui/event_handler.go
@@ -122,7 +122,7 @@ func (h *eventHandler) handleAdvancedSettingsClick() {
 	go func() {
 		defer h.client.mAdvancedSettings.Enable()
 		defer h.client.getSrvConfig()
-		h.runSelfCommand("settings", "true")
+		h.runSelfCommand(h.client.ctx, "settings", "true")
 	}()
 }

@@ -130,7 +130,7 @@ func (h *eventHandler) handleCreateDebugBundleClick() {
 	h.client.mCreateDebugBundle.Disable()
 	go func() {
 		defer h.client.mCreateDebugBundle.Enable()
-		h.runSelfCommand("debug", "true")
+		h.runSelfCommand(h.client.ctx, "debug", "true")
 	}()
 }

@@ -154,7 +154,7 @@ func (h *eventHandler) handleNetworksClick() {
 	h.client.mNetworks.Disable()
 	go func() {
 		defer h.client.mNetworks.Enable()
-		h.runSelfCommand("networks", "true")
+		h.runSelfCommand(h.client.ctx, "networks", "true")
 	}()
 }

@@ -172,14 +172,14 @@ func (h *eventHandler) updateConfigWithErr() {
 	}
 }

-func (h *eventHandler) runSelfCommand(command, arg string) {
+func (h *eventHandler) runSelfCommand(ctx context.Context, command, arg string) {
 	proc, err := os.Executable()
 	if err != nil {
 		log.Errorf("error getting executable path: %v", err)
 		return
 	}

-	cmd := exec.Command(proc,
+	cmd := exec.CommandContext(ctx, proc,
 		fmt.Sprintf("--%s=%s", command, arg),
 		fmt.Sprintf("--daemon-addr=%s", h.client.addr),
 	)
--- a/infrastructure_files/base.setup.env
+++ b/infrastructure_files/base.setup.env
@@ -15,6 +15,7 @@ NETBIRD_MGMT_API_CERT_KEY_FILE="/etc/letsencrypt/live/$NETBIRD_LETSENCRYPT_DOMAI
 NETBIRD_MGMT_SINGLE_ACCOUNT_MODE_DOMAIN=$NETBIRD_DOMAIN
 NETBIRD_MGMT_DNS_DOMAIN=${NETBIRD_MGMT_DNS_DOMAIN:-netbird.selfhosted}
 NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=${NETBIRD_MGMT_IDP_SIGNKEY_REFRESH:-false}
+NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=${NETBIRD_MGMT_DISABLE_DEFAULT_POLICY:-false}

 # Signal
 NETBIRD_SIGNAL_PROTOCOL="http"
@@ -60,7 +61,7 @@ NETBIRD_TOKEN_SOURCE=${NETBIRD_TOKEN_SOURCE:-accessToken}
 NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS=${NETBIRD_AUTH_PKCE_REDIRECT_URL_PORTS:-"53000"}
 NETBIRD_AUTH_PKCE_USE_ID_TOKEN=${NETBIRD_AUTH_PKCE_USE_ID_TOKEN:-false}
 NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=${NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN:-false}
-NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-1}
+NETBIRD_AUTH_PKCE_LOGIN_FLAG=${NETBIRD_AUTH_PKCE_LOGIN_FLAG:-0}
 NETBIRD_AUTH_PKCE_AUDIENCE=$NETBIRD_AUTH_AUDIENCE

 # Dashboard
@@ -139,3 +140,4 @@ export NETBIRD_RELAY_PORT
 export NETBIRD_RELAY_ENDPOINT
 export NETBIRD_RELAY_AUTH_SECRET
 export NETBIRD_RELAY_TAG
+export NETBIRD_MGMT_DISABLE_DEFAULT_POLICY
--- a/infrastructure_files/getting-started-with-zitadel.sh
+++ b/infrastructure_files/getting-started-with-zitadel.sh
@@ -791,7 +791,6 @@ services:
      - '443:443'
      - '443:443/udp'
      - '80:80'
-      - '8080:8080'
    volumes:
      - netbird_caddy_data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile
--- a/infrastructure_files/management.json.tmpl
+++ b/infrastructure_files/management.json.tmpl
@@ -38,6 +38,7 @@
             "0.0.0.0/0"
        ]
    },
+    "DisableDefaultPolicy": $NETBIRD_MGMT_DISABLE_DEFAULT_POLICY,
    "Datadir": "",
    "DataStoreEncryptionKey": "$NETBIRD_DATASTORE_ENC_KEY",
    "StoreConfig": {
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -92,7 +92,8 @@ NETBIRD_LETSENCRYPT_EMAIL=""
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
 NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
-
+# Disable default all-to-all policy for new accounts
+NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=false
 # -------------------------------------------
 # Relay settings
 # -------------------------------------------
--- a/infrastructure_files/tests/setup.env
+++ b/infrastructure_files/tests/setup.env
@@ -29,3 +29,4 @@ NETBIRD_TURN_EXTERNAL_IP=1.2.3.4
 NETBIRD_RELAY_PORT=33445
 NETBIRD_AUTH_PKCE_DISABLE_PROMPT_LOGIN=true
 NETBIRD_AUTH_PKCE_LOGIN_FLAG=0
+NETBIRD_MGMT_DISABLE_DEFAULT_POLICY=$CI_NETBIRD_MGMT_DISABLE_DEFAULT_POLICY
--- a/management/client/client_test.go
+++ b/management/client/client_test.go
@@ -100,7 +100,7 @@ func startManagement(t *testing.T) (*grpc.Server, net.Listener) {
 		Return(true, nil).
 		AnyTimes()

-	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -215,7 +215,7 @@ var (
 			peersManager := peers.NewManager(store, permissionsManager)
 			proxyController := integrations.NewController(store)
 			accountManager, err := server.BuildManager(ctx, store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
-				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager)
+				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager, config.DisableDefaultPolicy)
 			if err != nil {
 				return fmt.Errorf("failed to build default manager: %v", err)
 			}
@@ -357,6 +357,13 @@ var (
 			log.WithContext(ctx).Infof("running HTTP server and gRPC server on the same port: %s", listener.Addr().String())
 			serveGRPCWithHTTP(ctx, listener, rootHandler, tlsEnabled)

+			update := version.NewUpdate("nb/management")
+			update.SetDaemonVersion(version.NetbirdVersion())
+			update.SetOnUpdateListener(func() {
+				log.WithContext(ctx).Infof("your management version, \"%s\", is outdated, a new management version is available. Learn more here: https://github.com/netbirdio/netbird/releases", version.NetbirdVersion())
+			})
+			defer update.StopWatch()
+
 			SetupCloseHandler()

 			<-stopCh
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -102,6 +102,8 @@ type DefaultAccountManager struct {

 	accountUpdateLocks               sync.Map
 	updateAccountPeersBufferInterval atomic.Int64
+
+	disableDefaultPolicy bool
 }

 // getJWTGroupsChanges calculates the changes needed to sync a user's JWT groups.
@@ -170,6 +172,7 @@ func BuildManager(
 	proxyController port_forwarding.Controller,
 	settingsManager settings.Manager,
 	permissionsManager permissions.Manager,
+	disableDefaultPolicy bool,
 ) (*DefaultAccountManager, error) {
 	start := time.Now()
 	defer func() {
@@ -195,6 +198,7 @@ func BuildManager(
 		proxyController:          proxyController,
 		settingsManager:          settingsManager,
 		permissionsManager:       permissionsManager,
+		disableDefaultPolicy:     disableDefaultPolicy,
 	}

 	am.startWarmup(ctx)
@@ -543,7 +547,7 @@ func (am *DefaultAccountManager) newAccount(ctx context.Context, userID, domain
 			log.WithContext(ctx).Warnf("an account with ID already exists, retrying...")
 			continue
 		case statusErr.Type() == status.NotFound:
-			newAccount := newAccountWithId(ctx, accountId, userID, domain)
+			newAccount := newAccountWithId(ctx, accountId, userID, domain, am.disableDefaultPolicy)
 			am.StoreEvent(ctx, userID, newAccount.Id, accountId, activity.AccountCreated, nil)
 			return newAccount, nil
 		default:
@@ -1188,6 +1192,71 @@ func (am *DefaultAccountManager) GetAccountMeta(ctx context.Context, accountID s
 	return am.Store.GetAccountMeta(ctx, store.LockingStrengthShare, accountID)
 }

+// GetAccountOnboarding retrieves the onboarding information for a specific account.
+func (am *DefaultAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Accounts, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	onboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
+	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
+		log.Errorf("failed to get account onboarding for accountssssssss %s: %v", accountID, err)
+		return nil, err
+	}
+
+	if onboarding == nil {
+		onboarding = &types.AccountOnboarding{
+			AccountID: accountID,
+		}
+	}
+
+	return onboarding, nil
+}
+
+func (am *DefaultAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
+	}
+
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	oldOnboarding, err := am.Store.GetAccountOnboarding(ctx, accountID)
+	if err != nil && err.Error() != status.NewAccountOnboardingNotFoundError(accountID).Error() {
+		return nil, fmt.Errorf("failed to get account onboarding: %w", err)
+	}
+
+	if oldOnboarding == nil {
+		oldOnboarding = &types.AccountOnboarding{
+			AccountID: accountID,
+		}
+	}
+
+	if newOnboarding == nil {
+		return oldOnboarding, nil
+	}
+
+	if oldOnboarding.IsEqual(*newOnboarding) {
+		log.WithContext(ctx).Debugf("no changes in onboarding for account %s", accountID)
+		return oldOnboarding, nil
+	}
+
+	newOnboarding.AccountID = accountID
+	err = am.Store.SaveAccountOnboarding(ctx, newOnboarding)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update account onboarding: %w", err)
+	}
+
+	return newOnboarding, nil
+}
+
 func (am *DefaultAccountManager) GetAccountIDFromUserAuth(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error) {
 	if userAuth.UserId == "" {
 		return "", "", errors.New(emptyUserID)
@@ -1688,7 +1757,7 @@ func (am *DefaultAccountManager) GetAccountSettings(ctx context.Context, account
 }

 // newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
-func newAccountWithId(ctx context.Context, accountID, userID, domain string) *types.Account {
+func newAccountWithId(ctx context.Context, accountID, userID, domain string, disableDefaultPolicy bool) *types.Account {
 	log.WithContext(ctx).Debugf("creating new account")

 	network := types.NewNetwork()
@@ -1729,9 +1798,13 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string) *ty
 			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 			RoutingPeerDNSResolutionEnabled: true,
 		},
+		Onboarding: types.AccountOnboarding{
+			OnboardingFlowPending: true,
+			SignupFormPending:     true,
+		},
 	}

-	if err := acc.AddAllGroup(); err != nil {
+	if err := acc.AddAllGroup(disableDefaultPolicy); err != nil {
 		log.WithContext(ctx).Errorf("error adding all group to account %s: %v", acc.Id, err)
 	}
 	return acc
@@ -1833,7 +1906,7 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 			},
 		}

-		if err := newAccount.AddAllGroup(); err != nil {
+		if err := newAccount.AddAllGroup(am.disableDefaultPolicy); err != nil {
 			return nil, false, status.Errorf(status.Internal, "failed to add all group to new account by private domain")
 		}

@@ -1853,40 +1926,49 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 }

 func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error) {
-	account, err := am.Store.GetAccount(ctx, accountId)
+	var account *types.Account
+	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		var err error
+		account, err = transaction.GetAccount(ctx, accountId)
+		if err != nil {
+			return err
+		}
+
+		if account.IsDomainPrimaryAccount {
+			return nil
+		}
+
+		existingPrimaryAccountID, err := transaction.GetAccountIDByPrivateDomain(ctx, store.LockingStrengthShare, account.Domain)
+
+		// error is not a not found error
+		if handleNotFound(err) != nil {
+			return err
+		}
+
+		// a primary account already exists for this private domain
+		if err == nil {
+			log.WithContext(ctx).WithFields(log.Fields{
+				"accountId":         accountId,
+				"existingAccountId": existingPrimaryAccountID,
+			}).Errorf("cannot update account to primary, another account already exists as primary for the same domain")
+			return status.Errorf(status.Internal, "cannot update account to primary")
+		}
+
+		account.IsDomainPrimaryAccount = true
+
+		if err := transaction.SaveAccount(ctx, account); err != nil {
+			log.WithContext(ctx).WithFields(log.Fields{
+				"accountId": accountId,
+			}).Errorf("failed to update account to primary: %v", err)
+			return status.Errorf(status.Internal, "failed to update account to primary")
+		}
+
+		return nil
+	})
 	if err != nil {
 		return nil, err
 	}

-	if account.IsDomainPrimaryAccount {
-		return account, nil
-	}
-
-	existingPrimaryAccountID, err := am.Store.GetAccountIDByPrivateDomain(ctx, store.LockingStrengthShare, account.Domain)
-
-	// error is not a not found error
-	if handleNotFound(err) != nil {
-		return nil, err
-	}
-
-	// a primary account already exists for this private domain
-	if err == nil {
-		log.WithContext(ctx).WithFields(log.Fields{
-			"accountId":         accountId,
-			"existingAccountId": existingPrimaryAccountID,
-		}).Errorf("cannot update account to primary, another account already exists as primary for the same domain")
-		return nil, status.Errorf(status.Internal, "cannot update account to primary")
-	}
-
-	account.IsDomainPrimaryAccount = true
-
-	if err := am.Store.SaveAccount(ctx, account); err != nil {
-		log.WithContext(ctx).WithFields(log.Fields{
-			"accountId": accountId,
-		}).Errorf("failed to update account to primary: %v", err)
-		return nil, status.Errorf(status.Internal, "failed to update account to primary")
-	}
-
 	return account, nil
 }

--- a/management/server/account/manager.go
+++ b/management/server/account/manager.go
@@ -39,6 +39,7 @@ type Manager interface {
 	GetSetupKey(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
 	GetAccountByID(ctx context.Context, accountID string, userID string) (*types.Account, error)
 	GetAccountMeta(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error)
+	GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error)
 	AccountExists(ctx context.Context, accountID string) (bool, error)
 	GetAccountIDByUserID(ctx context.Context, userID, domain string) (string, error)
 	GetAccountIDFromUserAuth(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
@@ -89,6 +90,7 @@ type Manager interface {
 	SaveDNSSettings(ctx context.Context, accountID string, userID string, dnsSettingsToSave *types.DNSSettings) error
 	GetPeer(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
 	UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
+	UpdateAccountOnboarding(ctx context.Context, accountID, userID string, newOnboarding *types.AccountOnboarding) (*types.AccountOnboarding, error)
 	LoginPeer(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)                // used by peer gRPC API
 	SyncPeer(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) // used by peer gRPC API
 	GetAllConnectedPeers() (map[string]struct{}, error)
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -373,7 +373,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 	}

 	for _, testCase := range tt {
-		account := newAccountWithId(context.Background(), "account-1", userID, "netbird.io")
+		account := newAccountWithId(context.Background(), "account-1", userID, "netbird.io", false)
 		account.UpdateSettings(&testCase.accountSettings)
 		account.Network = network
 		account.Peers = testCase.peers
@@ -398,7 +398,7 @@ func TestNewAccount(t *testing.T) {
 	domain := "netbird.io"
 	userId := "account_creator"
 	accountID := "account_id"
-	account := newAccountWithId(context.Background(), accountID, userId, domain)
+	account := newAccountWithId(context.Background(), accountID, userId, domain, false)
 	verifyNewAccountHasDefaultFields(t, account, userId, domain, []string{userId})
 }

@@ -640,7 +640,7 @@ func TestDefaultAccountManager_GetAccountIDFromToken(t *testing.T) {
 func TestDefaultAccountManager_SyncUserJWTGroups(t *testing.T) {
 	userId := "user-id"
 	domain := "test.domain"
-	_ = newAccountWithId(context.Background(), "", userId, domain)
+	_ = newAccountWithId(context.Background(), "", userId, domain, false)
 	manager, err := createManager(t)
 	require.NoError(t, err, "unable to create account manager")
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userId, domain)
@@ -793,7 +793,7 @@ func TestAccountManager_GetAccountByUserID(t *testing.T) {
 }

 func createAccount(am *DefaultAccountManager, accountID, userID, domain string) (*types.Account, error) {
-	account := newAccountWithId(context.Background(), accountID, userID, domain)
+	account := newAccountWithId(context.Background(), accountID, userID, domain, false)
 	err := am.Store.SaveAccount(context.Background(), account)
 	if err != nil {
 		return nil, err
@@ -2879,7 +2879,7 @@ func createManager(t testing.TB) (*DefaultAccountManager, error) {

 	permissionsManager := permissions.NewManager(store)

-	manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	manager, err := BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, err
 	}
@@ -3440,3 +3440,74 @@ func TestPropagateUserGroupMemberships(t *testing.T) {
 		}
 	})
 }
+
+func TestDefaultAccountManager_GetAccountOnboarding(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err)
+
+	account, err := manager.GetOrCreateAccountByUser(context.Background(), userID, "")
+	require.NoError(t, err)
+
+	t.Run("should return account onboarding when onboarding exist", func(t *testing.T) {
+		onboarding, err := manager.GetAccountOnboarding(context.Background(), account.Id, userID)
+		require.NoError(t, err)
+		require.NotNil(t, onboarding)
+		assert.Equal(t, account.Id, onboarding.AccountID)
+		assert.Equal(t, true, onboarding.OnboardingFlowPending)
+		assert.Equal(t, true, onboarding.SignupFormPending)
+		if onboarding.UpdatedAt.IsZero() {
+			t.Errorf("Onboarding was not retrieved from the store")
+		}
+	})
+
+	t.Run("should return account onboarding when onboard don't exist", func(t *testing.T) {
+		account.Id = "with-zero-onboarding"
+		account.Onboarding = types.AccountOnboarding{}
+		err = manager.Store.SaveAccount(context.Background(), account)
+		require.NoError(t, err)
+		onboarding, err := manager.GetAccountOnboarding(context.Background(), account.Id, userID)
+		require.NoError(t, err)
+		require.NotNil(t, onboarding)
+		_, err = manager.Store.GetAccountOnboarding(context.Background(), account.Id)
+		require.Error(t, err, "should return error when onboarding is not set")
+	})
+}
+
+func TestDefaultAccountManager_UpdateAccountOnboarding(t *testing.T) {
+	manager, err := createManager(t)
+	require.NoError(t, err)
+
+	account, err := manager.GetOrCreateAccountByUser(context.Background(), userID, "")
+	require.NoError(t, err)
+
+	onboarding := &types.AccountOnboarding{
+		OnboardingFlowPending: true,
+		SignupFormPending:     true,
+	}
+
+	t.Run("update onboarding with no change", func(t *testing.T) {
+		updated, err := manager.UpdateAccountOnboarding(context.Background(), account.Id, userID, onboarding)
+		require.NoError(t, err)
+		assert.Equal(t, onboarding.OnboardingFlowPending, updated.OnboardingFlowPending)
+		assert.Equal(t, onboarding.SignupFormPending, updated.SignupFormPending)
+		if updated.UpdatedAt.IsZero() {
+			t.Errorf("Onboarding was updated in the store")
+		}
+	})
+
+	onboarding.OnboardingFlowPending = false
+	onboarding.SignupFormPending = false
+
+	t.Run("update onboarding", func(t *testing.T) {
+		updated, err := manager.UpdateAccountOnboarding(context.Background(), account.Id, userID, onboarding)
+		require.NoError(t, err)
+		require.NotNil(t, updated)
+		assert.Equal(t, onboarding.OnboardingFlowPending, updated.OnboardingFlowPending)
+		assert.Equal(t, onboarding.SignupFormPending, updated.SignupFormPending)
+	})
+
+	t.Run("update onboarding with no onboarding", func(t *testing.T) {
+		_, err = manager.UpdateAccountOnboarding(context.Background(), account.Id, userID, nil)
+		require.NoError(t, err)
+	})
+}
--- a/management/server/dns_test.go
+++ b/management/server/dns_test.go
@@ -217,7 +217,7 @@ func createDNSManager(t *testing.T) (*DefaultAccountManager, error) {

 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManager := permissions.NewManager(store)
-	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.test", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 }

 func createDNSStore(t *testing.T) (store.Store, error) {
@@ -267,7 +267,7 @@ func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account

 	domain := "example.com"

-	account := newAccountWithId(context.Background(), dnsAccountID, dnsAdminUserID, domain)
+	account := newAccountWithId(context.Background(), dnsAccountID, dnsAdminUserID, domain, false)

 	account.Users[dnsRegularUserID] = &types.User{
 		Id:   dnsRegularUserID,
--- a/management/server/ephemeral_test.go
+++ b/management/server/ephemeral_test.go
@@ -127,7 +127,7 @@ func TestNewManagerPeerDisconnected(t *testing.T) {
 }

 func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int) {
-	store.account = newAccountWithId(context.Background(), "my account", "", "")
+	store.account = newAccountWithId(context.Background(), "my account", "", "", false)

 	for i := 0; i < numberOfPeers; i++ {
 		peerId := fmt.Sprintf("peer_%d", i)
--- a/management/server/group.go
+++ b/management/server/group.go
@@ -664,15 +664,6 @@ func areGroupChangesAffectPeers(ctx context.Context, transaction store.Store, ac
 	return false, nil
 }

-func (am *DefaultAccountManager) anyGroupHasPeers(account *types.Account, groupIDs []string) bool {
-	for _, groupID := range groupIDs {
-		if group, exists := account.Groups[groupID]; exists && group.HasPeers() {
-			return true
-		}
-	}
-	return false
-}
-
 // anyGroupHasPeersOrResources checks if any of the given groups in the account have peers or resources.
 func anyGroupHasPeersOrResources(ctx context.Context, transaction store.Store, accountID string, groupIDs []string) (bool, error) {
 	groups, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthShare, accountID, groupIDs)
--- a/management/server/group_test.go
+++ b/management/server/group_test.go
@@ -369,7 +369,7 @@ func initTestGroupAccount(am *DefaultAccountManager) (*DefaultAccountManager, *t
 		Id:         "example user",
 		AutoGroups: []string{groupForUsers.ID},
 	}
-	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain)
+	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain, false)
 	account.Routes[routeResource.ID] = routeResource
 	account.Routes[routePeerGroupResource.ID] = routePeerGroupResource
 	account.NameServerGroups[nameServerGroup.ID] = nameServerGroup
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -60,6 +60,8 @@ components:
          description: Account creator
          type: string
          example: google-oauth2|277474792786460067937
+        onboarding:
+          $ref: '#/components/schemas/AccountOnboarding'
      required:
        - id
        - settings
@@ -67,6 +69,21 @@ components:
        - domain_category
        - created_at
        - created_by
+        - onboarding
+    AccountOnboarding:
+      type: object
+      properties:
+        signup_form_pending:
+          description: Indicates whether the account signup form is pending
+          type: boolean
+          example: true
+        onboarding_flow_pending:
+          description: Indicates whether the account onboarding flow is pending
+          type: boolean
+          example: false
+      required:
+        - signup_form_pending
+        - onboarding_flow_pending
    AccountSettings:
      type: object
      properties:
@@ -153,6 +170,8 @@ components:
      properties:
        settings:
          $ref: '#/components/schemas/AccountSettings'
+        onboarding:
+          $ref: '#/components/schemas/AccountOnboarding'
      required:
        - settings
    User:
@@ -426,6 +445,10 @@ components:
              items:
                type: string
                example: "stage-host-1"
+            ephemeral:
+              description: Indicates whether the peer is ephemeral or not
+              type: boolean
+              example: false
          required:
            - city_name
            - connected
@@ -450,6 +473,7 @@ components:
            - approval_required
            - serial_number
            - extra_dns_labels
+            - ephemeral
    AccessiblePeer:
      allOf:
        - $ref: '#/components/schemas/PeerMinimum'
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -250,8 +250,9 @@ type Account struct {
 	DomainCategory string `json:"domain_category"`

 	// Id Account ID
-	Id       string          `json:"id"`
-	Settings AccountSettings `json:"settings"`
+	Id         string            `json:"id"`
+	Onboarding AccountOnboarding `json:"onboarding"`
+	Settings   AccountSettings   `json:"settings"`
 }

 // AccountExtraSettings defines model for AccountExtraSettings.
@@ -266,9 +267,19 @@ type AccountExtraSettings struct {
 	PeerApprovalEnabled bool `json:"peer_approval_enabled"`
 }

+// AccountOnboarding defines model for AccountOnboarding.
+type AccountOnboarding struct {
+	// OnboardingFlowPending Indicates whether the account onboarding flow is pending
+	OnboardingFlowPending bool `json:"onboarding_flow_pending"`
+
+	// SignupFormPending Indicates whether the account signup form is pending
+	SignupFormPending bool `json:"signup_form_pending"`
+}
+
 // AccountRequest defines model for AccountRequest.
 type AccountRequest struct {
-	Settings AccountSettings `json:"settings"`
+	Onboarding *AccountOnboarding `json:"onboarding,omitempty"`
+	Settings   AccountSettings    `json:"settings"`
 }

 // AccountSettings defines model for AccountSettings.
@@ -1016,6 +1027,9 @@ type Peer struct {
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`

+	// Ephemeral Indicates whether the peer is ephemeral or not
+	Ephemeral bool `json:"ephemeral"`
+
 	// ExtraDnsLabels Extra DNS labels added to the peer
 	ExtraDnsLabels []string `json:"extra_dns_labels"`

@@ -1097,6 +1111,9 @@ type PeerBatch struct {
 	// DnsLabel Peer's DNS label is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's domain to the peer label. e.g. peer-dns-label.netbird.cloud
 	DnsLabel string `json:"dns_label"`

+	// Ephemeral Indicates whether the peer is ephemeral or not
+	Ephemeral bool `json:"ephemeral"`
+
 	// ExtraDnsLabels Extra DNS labels added to the peer
 	ExtraDnsLabels []string `json:"extra_dns_labels"`

--- a/management/server/http/handlers/accounts/accounts_handler.go
+++ b/management/server/http/handlers/accounts/accounts_handler.go
@@ -59,7 +59,13 @@ func (h *handler) getAllAccounts(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	resp := toAccountResponse(accountID, settings, meta)
+	onboarding, err := h.accountManager.GetAccountOnboarding(r.Context(), accountID, userID)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
+	resp := toAccountResponse(accountID, settings, meta, onboarding)
 	util.WriteJSONObject(r.Context(), w, []*api.Account{resp})
 }

@@ -126,6 +132,20 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 		settings.LazyConnectionEnabled = *req.Settings.LazyConnectionEnabled
 	}

+	var onboarding *types.AccountOnboarding
+	if req.Onboarding != nil {
+		onboarding = &types.AccountOnboarding{
+			OnboardingFlowPending: req.Onboarding.OnboardingFlowPending,
+			SignupFormPending:     req.Onboarding.SignupFormPending,
+		}
+	}
+
+	updatedOnboarding, err := h.accountManager.UpdateAccountOnboarding(r.Context(), accountID, userID, onboarding)
+	if err != nil {
+		util.WriteError(r.Context(), err, w)
+		return
+	}
+
 	updatedSettings, err := h.accountManager.UpdateAccountSettings(r.Context(), accountID, userID, settings)
 	if err != nil {
 		util.WriteError(r.Context(), err, w)
@@ -138,7 +158,7 @@ func (h *handler) updateAccount(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	resp := toAccountResponse(accountID, updatedSettings, meta)
+	resp := toAccountResponse(accountID, updatedSettings, meta, updatedOnboarding)

 	util.WriteJSONObject(r.Context(), w, &resp)
 }
@@ -167,7 +187,7 @@ func (h *handler) deleteAccount(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(r.Context(), w, util.EmptyObject{})
 }

-func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta) *api.Account {
+func toAccountResponse(accountID string, settings *types.Settings, meta *types.AccountMeta, onboarding *types.AccountOnboarding) *api.Account {
 	jwtAllowGroups := settings.JWTAllowGroups
 	if jwtAllowGroups == nil {
 		jwtAllowGroups = []string{}
@@ -188,6 +208,11 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		DnsDomain:                       &settings.DNSDomain,
 	}

+	apiOnboarding := api.AccountOnboarding{
+		OnboardingFlowPending: onboarding.OnboardingFlowPending,
+		SignupFormPending:     onboarding.SignupFormPending,
+	}
+
 	if settings.Extra != nil {
 		apiSettings.Extra = &api.AccountExtraSettings{
 			PeerApprovalEnabled:                settings.Extra.PeerApprovalEnabled,
@@ -203,5 +228,6 @@ func toAccountResponse(accountID string, settings *types.Settings, meta *types.A
 		CreatedBy:      meta.CreatedBy,
 		Domain:         meta.Domain,
 		DomainCategory: meta.DomainCategory,
+		Onboarding:     apiOnboarding,
 	}
 }
--- a/management/server/http/handlers/accounts/accounts_handler_test.go
+++ b/management/server/http/handlers/accounts/accounts_handler_test.go
@@ -54,6 +54,18 @@ func initAccountsTestData(t *testing.T, account *types.Account) *handler {
 			GetAccountMetaFunc: func(ctx context.Context, accountID string, userID string) (*types.AccountMeta, error) {
 				return account.GetMeta(), nil
 			},
+			GetAccountOnboardingFunc: func(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
+				return &types.AccountOnboarding{
+					OnboardingFlowPending: true,
+					SignupFormPending:     true,
+				}, nil
+			},
+			UpdateAccountOnboardingFunc: func(ctx context.Context, accountID, userID string, onboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
+				return &types.AccountOnboarding{
+					OnboardingFlowPending: true,
+					SignupFormPending:     true,
+				}, nil
+			},
 		},
 		settingsManager: settingsMockManager,
 	}
@@ -117,7 +129,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:             15552000,
@@ -139,7 +151,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:             15552000,
@@ -161,7 +173,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true,\"regular_users_view_blocked\":true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true,\"regular_users_view_blocked\":true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
 			expectedStatus: http.StatusOK,
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:             554400,
@@ -178,12 +190,34 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedArray: false,
 			expectedID:    accountID,
 		},
+		{
+			name:           "PutAccount OK without onboarding",
+			expectedBody:   true,
+			requestType:    http.MethodPut,
+			requestPath:    "/api/accounts/" + accountID,
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552000,\"peer_login_expiration_enabled\": false,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"roles\",\"jwt_allow_groups\":[\"test\"],\"regular_users_view_blocked\":true}}"),
+			expectedStatus: http.StatusOK,
+			expectedSettings: api.AccountSettings{
+				PeerLoginExpiration:             15552000,
+				PeerLoginExpirationEnabled:      false,
+				GroupsPropagationEnabled:        br(false),
+				JwtGroupsClaimName:              sr("roles"),
+				JwtGroupsEnabled:                br(true),
+				JwtAllowGroups:                  &[]string{"test"},
+				RegularUsersViewBlocked:         true,
+				RoutingPeerDnsResolutionEnabled: br(false),
+				LazyConnectionEnabled:           br(false),
+				DnsDomain:                       sr(""),
+			},
+			expectedArray: false,
+			expectedID:    accountID,
+		},
 		{
 			name:           "Update account failure with high peer_login_expiration more than 180 days",
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552001,\"peer_login_expiration_enabled\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 15552001,\"peer_login_expiration_enabled\": true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
 			expectedStatus: http.StatusUnprocessableEntity,
 			expectedArray:  false,
 		},
@@ -192,7 +226,7 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedBody:   true,
 			requestType:    http.MethodPut,
 			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 3599,\"peer_login_expiration_enabled\": true}}"),
+			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 3599,\"peer_login_expiration_enabled\": true},\"onboarding\": {\"onboarding_flow_pending\": true,\"signup_form_pending\": true}}"),
 			expectedStatus: http.StatusUnprocessableEntity,
 			expectedArray:  false,
 		},
--- a/management/server/http/handlers/peers/peers_handler.go
+++ b/management/server/http/handlers/peers/peers_handler.go
@@ -365,6 +365,7 @@ func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsD
 		CityName:                    peer.Location.CityName,
 		SerialNumber:                peer.Meta.SystemSerialNumber,
 		InactivityExpirationEnabled: peer.InactivityExpirationEnabled,
+		Ephemeral:                   peer.Ephemeral,
 	}
 }

--- a/management/server/http/testing/testing_tools/tools.go
+++ b/management/server/http/testing/testing_tools/tools.go
@@ -1,5 +1,4 @@
 package testing_tools
-
 import (
 	"bytes"
 	"context"
@@ -138,7 +137,7 @@ func BuildApiBlackBoxWithDBState(t TB, sqlFile string, expectedPeerUpdate *serve
 	userManager := users.NewManager(store)
 	permissionsManager := permissions.NewManager(store)
 	settingsManager := settings.NewManager(store, userManager, integrations.NewManager(&activity.InMemoryEventStore{}), permissionsManager)
-	am, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager)
+	am, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "", &activity.InMemoryEventStore{}, geoMock, false, validatorMock, metrics, proxyController, settingsManager, permissionsManager, false)
 	if err != nil {
 		t.Fatalf("Failed to create manager: %v", err)
 	}
--- a/management/server/integrated_validator.go
+++ b/management/server/integrated_validator.go
@@ -37,21 +37,23 @@ func (am *DefaultAccountManager) UpdateIntegratedValidatorGroups(ctx context.Con
 	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 	defer unlock()

-	a, err := am.Store.GetAccountByUser(ctx, userID)
-	if err != nil {
-		return err
-	}
+	return am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		a, err := transaction.GetAccountByUser(ctx, userID)
+		if err != nil {
+			return err
+		}

-	var extra *types.ExtraSettings
+		var extra *types.ExtraSettings

-	if a.Settings.Extra != nil {
-		extra = a.Settings.Extra
-	} else {
-		extra = &types.ExtraSettings{}
-		a.Settings.Extra = extra
-	}
-	extra.IntegratedValidatorGroups = groups
-	return am.Store.SaveAccount(ctx, a)
+		if a.Settings.Extra != nil {
+			extra = a.Settings.Extra
+		} else {
+			extra = &types.ExtraSettings{}
+			a.Settings.Extra = extra
+		}
+		extra.IntegratedValidatorGroups = groups
+		return transaction.SaveAccount(ctx, a)
+	})
 }

 func (am *DefaultAccountManager) GroupValidation(ctx context.Context, accountID string, groupIDs []string) (bool, error) {
@@ -81,15 +83,12 @@ func (am *DefaultAccountManager) GetValidatedPeers(ctx context.Context, accountI
 	var peers []*nbpeer.Peer
 	var settings *types.Settings

-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		groups, err = transaction.GetAccountGroups(ctx, store.LockingStrengthShare, accountID)
-		if err != nil {
-			return err
-		}
+	groups, err = am.Store.GetAccountGroups(ctx, store.LockingStrengthShare, accountID)
+	if err != nil {
+		return nil, err
+	}

-		peers, err = transaction.GetAccountPeers(ctx, store.LockingStrengthShare, accountID, "", "")
-		return err
-	})
+	peers, err = am.Store.GetAccountPeers(ctx, store.LockingStrengthShare, accountID, "", "")
 	if err != nil {
 		return nil, err
 	}
--- a/management/server/management_proto_test.go
+++ b/management/server/management_proto_test.go
@@ -444,7 +444,7 @@ func startManagementForTest(t *testing.T, testFile string, config *types.Config)
 	permissionsManager := permissions.NewManager(store)

 	accountManager, err := BuildManager(ctx, store, peersUpdateManager, nil, "", "netbird.selfhosted",
-		eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+		eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)

 	if err != nil {
 		cleanup()
--- a/management/server/management_test.go
+++ b/management/server/management_test.go
@@ -211,7 +211,7 @@ func startServer(
 		port_forwarding.NewControllerMock(),
 		settingsMockManager,
 		permissionsManager,
-	)
+		false)
 	if err != nil {
 		t.Fatalf("failed creating an account manager: %v", err)
 	}
--- a/management/server/metrics/selfhosted.go
+++ b/management/server/metrics/selfhosted.go
@@ -184,7 +184,9 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		ephemeralPeersSKs         int
 		ephemeralPeersSKUsage     int
 		activePeersLastDay        int
+		activeUserPeersLastDay    int
 		osPeers                   map[string]int
+		activeUsersLastDay        map[string]struct{}
 		userPeers                 int
 		rules                     int
 		rulesProtocol             map[string]int
@@ -203,6 +205,7 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		version                   string
 		peerActiveVersions        []string
 		osUIClients               map[string]int
+		rosenpassEnabled          int
 	)
 	start := time.Now()
 	metricsProperties := make(properties)
@@ -210,6 +213,7 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	osUIClients = make(map[string]int)
 	rulesProtocol = make(map[string]int)
 	rulesDirection = make(map[string]int)
+	activeUsersLastDay = make(map[string]struct{})
 	uptime = time.Since(w.startupTime).Seconds()
 	connections := w.connManager.GetAllConnectedPeers()
 	version = nbversion.NetbirdVersion()
@@ -277,10 +281,14 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 		for _, peer := range account.Peers {
 			peers++

-			if peer.SSHEnabled {
+			if peer.SSHEnabled || peer.Meta.Flags.ServerSSHAllowed {
 				peersSSHEnabled++
 			}

+			if peer.Meta.Flags.RosenpassEnabled {
+				rosenpassEnabled++
+			}
+
 			if peer.UserID != "" {
 				userPeers++
 			}
@@ -299,6 +307,10 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 			_, connected := connections[peer.ID]
 			if connected || peer.Status.LastSeen.After(w.lastRun) {
 				activePeersLastDay++
+				if peer.UserID != "" {
+					activeUserPeersLastDay++
+					activeUsersLastDay[peer.UserID] = struct{}{}
+				}
 				osActiveKey := osKey + "_active"
 				osActiveCount := osPeers[osActiveKey]
 				osPeers[osActiveKey] = osActiveCount + 1
@@ -320,6 +332,8 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	metricsProperties["ephemeral_peers_setup_keys"] = ephemeralPeersSKs
 	metricsProperties["ephemeral_peers_setup_keys_usage"] = ephemeralPeersSKUsage
 	metricsProperties["active_peers_last_day"] = activePeersLastDay
+	metricsProperties["active_user_peers_last_day"] = activeUserPeersLastDay
+	metricsProperties["active_users_last_day"] = len(activeUsersLastDay)
 	metricsProperties["user_peers"] = userPeers
 	metricsProperties["rules"] = rules
 	metricsProperties["rules_with_src_posture_checks"] = rulesWithSrcPostureChecks
@@ -338,6 +352,7 @@ func (w *Worker) generateProperties(ctx context.Context) properties {
 	metricsProperties["ui_clients"] = uiClient
 	metricsProperties["idp_manager"] = w.idpManager
 	metricsProperties["store_engine"] = w.dataSource.GetStoreEngine()
+	metricsProperties["rosenpass_enabled"] = rosenpassEnabled

 	for protocol, count := range rulesProtocol {
 		metricsProperties["rules_protocol_"+protocol] = count
--- a/management/server/metrics/selfhosted_test.go
+++ b/management/server/metrics/selfhosted_test.go
@@ -47,8 +47,8 @@ func (mockDatasource) GetAllAccounts(_ context.Context) []*types.Account {
 				"1": {
 					ID:         "1",
 					UserID:     "test",
-					SSHEnabled: true,
-					Meta:       nbpeer.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1"},
+					SSHEnabled: false,
+					Meta:       nbpeer.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1", Flags: nbpeer.Flags{ServerSSHAllowed: true, RosenpassEnabled: true}},
 				},
 			},
 			Policies: []*types.Policy{
@@ -312,7 +312,19 @@ func TestGenerateProperties(t *testing.T) {
 	}

 	if properties["posture_checks"] != 2 {
-		t.Errorf("expected 1 posture_checks, got %d", properties["posture_checks"])
+		t.Errorf("expected 2 posture_checks, got %d", properties["posture_checks"])
+	}
+
+	if properties["rosenpass_enabled"] != 1 {
+		t.Errorf("expected 1 rosenpass_enabled, got %d", properties["rosenpass_enabled"])
+	}
+
+	if properties["active_user_peers_last_day"] != 2 {
+		t.Errorf("expected 2 active_user_peers_last_day, got %d", properties["active_user_peers_last_day"])
+	}
+
+	if properties["active_users_last_day"] != 1 {
+		t.Errorf("expected 1 active_users_last_day, got %d", properties["active_users_last_day"])
 	}

 }
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -30,94 +30,95 @@ type MockAccountManager struct {
 	GetAccountFunc               func(ctx context.Context, accountID string) (*types.Account, error)
 	CreateSetupKeyFunc           func(ctx context.Context, accountId string, keyName string, keyType types.SetupKeyType,
 		expiresIn time.Duration, autoGroups []string, usageLimit int, userID string, ephemeral bool, allowExtraDNSLabels bool) (*types.SetupKey, error)
-	GetSetupKeyFunc                     func(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
-	AccountExistsFunc                   func(ctx context.Context, accountID string) (bool, error)
-	GetAccountIDByUserIdFunc            func(ctx context.Context, userId, domain string) (string, error)
-	GetUserFromUserAuthFunc             func(ctx context.Context, userAuth nbcontext.UserAuth) (*types.User, error)
-	ListUsersFunc                       func(ctx context.Context, accountID string) ([]*types.User, error)
-	GetPeersFunc                        func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
-	MarkPeerConnectedFunc               func(ctx context.Context, peerKey string, connected bool, realIP net.IP) error
-	SyncAndMarkPeerFunc                 func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	DeletePeerFunc                      func(ctx context.Context, accountID, peerKey, userID string) error
-	GetNetworkMapFunc                   func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
-	GetPeerNetworkFunc                  func(ctx context.Context, peerKey string) (*types.Network, error)
-	AddPeerFunc                         func(ctx context.Context, setupKey string, userId string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	GetGroupFunc                        func(ctx context.Context, accountID, groupID, userID string) (*types.Group, error)
-	GetAllGroupsFunc                    func(ctx context.Context, accountID, userID string) ([]*types.Group, error)
-	GetGroupByNameFunc                  func(ctx context.Context, accountID, groupName string) (*types.Group, error)
-	SaveGroupFunc                       func(ctx context.Context, accountID, userID string, group *types.Group, create bool) error
-	SaveGroupsFunc                      func(ctx context.Context, accountID, userID string, groups []*types.Group, create bool) error
-	DeleteGroupFunc                     func(ctx context.Context, accountID, userId, groupID string) error
-	DeleteGroupsFunc                    func(ctx context.Context, accountId, userId string, groupIDs []string) error
-	GroupAddPeerFunc                    func(ctx context.Context, accountID, groupID, peerID string) error
-	GroupDeletePeerFunc                 func(ctx context.Context, accountID, groupID, peerID string) error
-	GetPeerGroupsFunc                   func(ctx context.Context, accountID, peerID string) ([]*types.Group, error)
-	DeleteRuleFunc                      func(ctx context.Context, accountID, ruleID, userID string) error
-	GetPolicyFunc                       func(ctx context.Context, accountID, policyID, userID string) (*types.Policy, error)
-	SavePolicyFunc                      func(ctx context.Context, accountID, userID string, policy *types.Policy, create bool) (*types.Policy, error)
-	DeletePolicyFunc                    func(ctx context.Context, accountID, policyID, userID string) error
-	ListPoliciesFunc                    func(ctx context.Context, accountID, userID string) ([]*types.Policy, error)
-	GetUsersFromAccountFunc             func(ctx context.Context, accountID, userID string) (map[string]*types.UserInfo, error)
-	UpdatePeerMetaFunc                  func(ctx context.Context, peerID string, meta nbpeer.PeerSystemMeta) error
-	UpdatePeerFunc                      func(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
-	CreateRouteFunc                     func(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peer string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
-	GetRouteFunc                        func(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
-	SaveRouteFunc                       func(ctx context.Context, accountID string, userID string, route *route.Route) error
-	DeleteRouteFunc                     func(ctx context.Context, accountID string, routeID route.ID, userID string) error
-	ListRoutesFunc                      func(ctx context.Context, accountID, userID string) ([]*route.Route, error)
-	SaveSetupKeyFunc                    func(ctx context.Context, accountID string, key *types.SetupKey, userID string) (*types.SetupKey, error)
-	ListSetupKeysFunc                   func(ctx context.Context, accountID, userID string) ([]*types.SetupKey, error)
-	SaveUserFunc                        func(ctx context.Context, accountID, userID string, user *types.User) (*types.UserInfo, error)
-	SaveOrAddUserFunc                   func(ctx context.Context, accountID, userID string, user *types.User, addIfNotExists bool) (*types.UserInfo, error)
-	SaveOrAddUsersFunc                  func(ctx context.Context, accountID, initiatorUserID string, update []*types.User, addIfNotExists bool) ([]*types.UserInfo, error)
-	DeleteUserFunc                      func(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) error
-	DeleteRegularUsersFunc              func(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error
-	CreatePATFunc                       func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenName string, expiresIn int) (*types.PersonalAccessTokenGenerated, error)
-	DeletePATFunc                       func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) error
-	GetPATFunc                          func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) (*types.PersonalAccessToken, error)
-	GetAllPATsFunc                      func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string) ([]*types.PersonalAccessToken, error)
-	GetNameServerGroupFunc              func(ctx context.Context, accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error)
-	CreateNameServerGroupFunc           func(ctx context.Context, accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
-	SaveNameServerGroupFunc             func(ctx context.Context, accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
-	DeleteNameServerGroupFunc           func(ctx context.Context, accountID, nsGroupID, userID string) error
-	ListNameServerGroupsFunc            func(ctx context.Context, accountID string, userID string) ([]*nbdns.NameServerGroup, error)
-	CreateUserFunc                      func(ctx context.Context, accountID, userID string, key *types.UserInfo) (*types.UserInfo, error)
-	GetAccountIDFromUserAuthFunc        func(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
-	DeleteAccountFunc                   func(ctx context.Context, accountID, userID string) error
-	GetDNSDomainFunc                    func(settings *types.Settings) string
-	StoreEventFunc                      func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any)
-	GetEventsFunc                       func(ctx context.Context, accountID, userID string) ([]*activity.Event, error)
-	GetDNSSettingsFunc                  func(ctx context.Context, accountID, userID string) (*types.DNSSettings, error)
-	SaveDNSSettingsFunc                 func(ctx context.Context, accountID, userID string, dnsSettingsToSave *types.DNSSettings) error
-	GetPeerFunc                         func(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
-	UpdateAccountSettingsFunc           func(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
-	LoginPeerFunc                       func(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	SyncPeerFunc                        func(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
-	InviteUserFunc                      func(ctx context.Context, accountID string, initiatorUserID string, targetUserEmail string) error
-	GetAllConnectedPeersFunc            func() (map[string]struct{}, error)
-	HasConnectedChannelFunc             func(peerID string) bool
-	GetExternalCacheManagerFunc         func() account.ExternalCacheManager
-	GetPostureChecksFunc                func(ctx context.Context, accountID, postureChecksID, userID string) (*posture.Checks, error)
-	SavePostureChecksFunc               func(ctx context.Context, accountID, userID string, postureChecks *posture.Checks, create bool) (*posture.Checks, error)
-	DeletePostureChecksFunc             func(ctx context.Context, accountID, postureChecksID, userID string) error
-	ListPostureChecksFunc               func(ctx context.Context, accountID, userID string) ([]*posture.Checks, error)
-	GetIdpManagerFunc                   func() idp.Manager
-	UpdateIntegratedValidatorGroupsFunc func(ctx context.Context, accountID string, userID string, groups []string) error
-	GroupValidationFunc                 func(ctx context.Context, accountId string, groups []string) (bool, error)
-	SyncPeerMetaFunc                    func(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
-	FindExistingPostureCheckFunc        func(accountID string, checks *posture.ChecksDefinition) (*posture.Checks, error)
-	GetAccountIDForPeerKeyFunc          func(ctx context.Context, peerKey string) (string, error)
-	GetAccountByIDFunc                  func(ctx context.Context, accountID string, userID string) (*types.Account, error)
-	GetUserByIDFunc                     func(ctx context.Context, id string) (*types.User, error)
-	GetAccountSettingsFunc              func(ctx context.Context, accountID string, userID string) (*types.Settings, error)
-	DeleteSetupKeyFunc                  func(ctx context.Context, accountID, userID, keyID string) error
-	BuildUserInfosForAccountFunc        func(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
-	GetStoreFunc                        func() store.Store
-	UpdateToPrimaryAccountFunc          func(ctx context.Context, accountId string) (*types.Account, error)
-	GetOwnerInfoFunc                    func(ctx context.Context, accountID string) (*types.UserInfo, error)
-	GetCurrentUserInfoFunc              func(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
-	GetAccountMetaFunc                  func(ctx context.Context, accountID, userID string) (*types.AccountMeta, error)
-
+	GetSetupKeyFunc                       func(ctx context.Context, accountID, userID, keyID string) (*types.SetupKey, error)
+	AccountExistsFunc                     func(ctx context.Context, accountID string) (bool, error)
+	GetAccountIDByUserIdFunc              func(ctx context.Context, userId, domain string) (string, error)
+	GetUserFromUserAuthFunc               func(ctx context.Context, userAuth nbcontext.UserAuth) (*types.User, error)
+	ListUsersFunc                         func(ctx context.Context, accountID string) ([]*types.User, error)
+	GetPeersFunc                          func(ctx context.Context, accountID, userID, nameFilter, ipFilter string) ([]*nbpeer.Peer, error)
+	MarkPeerConnectedFunc                 func(ctx context.Context, peerKey string, connected bool, realIP net.IP) error
+	SyncAndMarkPeerFunc                   func(ctx context.Context, accountID string, peerPubKey string, meta nbpeer.PeerSystemMeta, realIP net.IP) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	DeletePeerFunc                        func(ctx context.Context, accountID, peerKey, userID string) error
+	GetNetworkMapFunc                     func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
+	GetPeerNetworkFunc                    func(ctx context.Context, peerKey string) (*types.Network, error)
+	AddPeerFunc                           func(ctx context.Context, setupKey string, userId string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	GetGroupFunc                          func(ctx context.Context, accountID, groupID, userID string) (*types.Group, error)
+	GetAllGroupsFunc                      func(ctx context.Context, accountID, userID string) ([]*types.Group, error)
+	GetGroupByNameFunc                    func(ctx context.Context, accountID, groupName string) (*types.Group, error)
+	SaveGroupFunc                         func(ctx context.Context, accountID, userID string, group *types.Group, create bool) error
+	SaveGroupsFunc                        func(ctx context.Context, accountID, userID string, groups []*types.Group, create bool) error
+	DeleteGroupFunc                       func(ctx context.Context, accountID, userId, groupID string) error
+	DeleteGroupsFunc                      func(ctx context.Context, accountId, userId string, groupIDs []string) error
+	GroupAddPeerFunc                      func(ctx context.Context, accountID, groupID, peerID string) error
+	GroupDeletePeerFunc                   func(ctx context.Context, accountID, groupID, peerID string) error
+	GetPeerGroupsFunc                     func(ctx context.Context, accountID, peerID string) ([]*types.Group, error)
+	DeleteRuleFunc                        func(ctx context.Context, accountID, ruleID, userID string) error
+	GetPolicyFunc                         func(ctx context.Context, accountID, policyID, userID string) (*types.Policy, error)
+	SavePolicyFunc                        func(ctx context.Context, accountID, userID string, policy *types.Policy, create bool) (*types.Policy, error)
+	DeletePolicyFunc                      func(ctx context.Context, accountID, policyID, userID string) error
+	ListPoliciesFunc                      func(ctx context.Context, accountID, userID string) ([]*types.Policy, error)
+	GetUsersFromAccountFunc               func(ctx context.Context, accountID, userID string) (map[string]*types.UserInfo, error)
+	UpdatePeerMetaFunc                    func(ctx context.Context, peerID string, meta nbpeer.PeerSystemMeta) error
+	UpdatePeerFunc                        func(ctx context.Context, accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
+	CreateRouteFunc                       func(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peer string, peerGroups []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
+	GetRouteFunc                          func(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
+	SaveRouteFunc                         func(ctx context.Context, accountID string, userID string, route *route.Route) error
+	DeleteRouteFunc                       func(ctx context.Context, accountID string, routeID route.ID, userID string) error
+	ListRoutesFunc                        func(ctx context.Context, accountID, userID string) ([]*route.Route, error)
+	SaveSetupKeyFunc                      func(ctx context.Context, accountID string, key *types.SetupKey, userID string) (*types.SetupKey, error)
+	ListSetupKeysFunc                     func(ctx context.Context, accountID, userID string) ([]*types.SetupKey, error)
+	SaveUserFunc                          func(ctx context.Context, accountID, userID string, user *types.User) (*types.UserInfo, error)
+	SaveOrAddUserFunc                     func(ctx context.Context, accountID, userID string, user *types.User, addIfNotExists bool) (*types.UserInfo, error)
+	SaveOrAddUsersFunc                    func(ctx context.Context, accountID, initiatorUserID string, update []*types.User, addIfNotExists bool) ([]*types.UserInfo, error)
+	DeleteUserFunc                        func(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) error
+	DeleteRegularUsersFunc                func(ctx context.Context, accountID, initiatorUserID string, targetUserIDs []string, userInfos map[string]*types.UserInfo) error
+	CreatePATFunc                         func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenName string, expiresIn int) (*types.PersonalAccessTokenGenerated, error)
+	DeletePATFunc                         func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) error
+	GetPATFunc                            func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string, tokenID string) (*types.PersonalAccessToken, error)
+	GetAllPATsFunc                        func(ctx context.Context, accountID string, initiatorUserID string, targetUserId string) ([]*types.PersonalAccessToken, error)
+	GetNameServerGroupFunc                func(ctx context.Context, accountID, userID, nsGroupID string) (*nbdns.NameServerGroup, error)
+	CreateNameServerGroupFunc             func(ctx context.Context, accountID string, name, description string, nameServerList []nbdns.NameServer, groups []string, primary bool, domains []string, enabled bool, userID string, searchDomainsEnabled bool) (*nbdns.NameServerGroup, error)
+	SaveNameServerGroupFunc               func(ctx context.Context, accountID, userID string, nsGroupToSave *nbdns.NameServerGroup) error
+	DeleteNameServerGroupFunc             func(ctx context.Context, accountID, nsGroupID, userID string) error
+	ListNameServerGroupsFunc              func(ctx context.Context, accountID string, userID string) ([]*nbdns.NameServerGroup, error)
+	CreateUserFunc                        func(ctx context.Context, accountID, userID string, key *types.UserInfo) (*types.UserInfo, error)
+	GetAccountIDFromUserAuthFunc          func(ctx context.Context, userAuth nbcontext.UserAuth) (string, string, error)
+	DeleteAccountFunc                     func(ctx context.Context, accountID, userID string) error
+	GetDNSDomainFunc                      func(settings *types.Settings) string
+	StoreEventFunc                        func(ctx context.Context, initiatorID, targetID, accountID string, activityID activity.ActivityDescriber, meta map[string]any)
+	GetEventsFunc                         func(ctx context.Context, accountID, userID string) ([]*activity.Event, error)
+	GetDNSSettingsFunc                    func(ctx context.Context, accountID, userID string) (*types.DNSSettings, error)
+	SaveDNSSettingsFunc                   func(ctx context.Context, accountID, userID string, dnsSettingsToSave *types.DNSSettings) error
+	GetPeerFunc                           func(ctx context.Context, accountID, peerID, userID string) (*nbpeer.Peer, error)
+	UpdateAccountSettingsFunc             func(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error)
+	LoginPeerFunc                         func(ctx context.Context, login types.PeerLogin) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	SyncPeerFunc                          func(ctx context.Context, sync types.PeerSync, accountID string) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	InviteUserFunc                        func(ctx context.Context, accountID string, initiatorUserID string, targetUserEmail string) error
+	GetAllConnectedPeersFunc              func() (map[string]struct{}, error)
+	HasConnectedChannelFunc               func(peerID string) bool
+	GetExternalCacheManagerFunc           func() account.ExternalCacheManager
+	GetPostureChecksFunc                  func(ctx context.Context, accountID, postureChecksID, userID string) (*posture.Checks, error)
+	SavePostureChecksFunc                 func(ctx context.Context, accountID, userID string, postureChecks *posture.Checks, create bool) (*posture.Checks, error)
+	DeletePostureChecksFunc               func(ctx context.Context, accountID, postureChecksID, userID string) error
+	ListPostureChecksFunc                 func(ctx context.Context, accountID, userID string) ([]*posture.Checks, error)
+	GetIdpManagerFunc                     func() idp.Manager
+	UpdateIntegratedValidatorGroupsFunc   func(ctx context.Context, accountID string, userID string, groups []string) error
+	GroupValidationFunc                   func(ctx context.Context, accountId string, groups []string) (bool, error)
+	SyncPeerMetaFunc                      func(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error
+	FindExistingPostureCheckFunc          func(accountID string, checks *posture.ChecksDefinition) (*posture.Checks, error)
+	GetAccountIDForPeerKeyFunc            func(ctx context.Context, peerKey string) (string, error)
+	GetAccountByIDFunc                    func(ctx context.Context, accountID string, userID string) (*types.Account, error)
+	GetUserByIDFunc                       func(ctx context.Context, id string) (*types.User, error)
+	GetAccountSettingsFunc                func(ctx context.Context, accountID string, userID string) (*types.Settings, error)
+	DeleteSetupKeyFunc                    func(ctx context.Context, accountID, userID, keyID string) error
+	BuildUserInfosForAccountFunc          func(ctx context.Context, accountID, initiatorUserID string, accountUsers []*types.User) (map[string]*types.UserInfo, error)
+	GetStoreFunc                          func() store.Store
+	UpdateToPrimaryAccountFunc            func(ctx context.Context, accountId string) (*types.Account, error)
+	GetOwnerInfoFunc                      func(ctx context.Context, accountID string) (*types.UserInfo, error)
+	GetCurrentUserInfoFunc                func(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
+	GetAccountMetaFunc                    func(ctx context.Context, accountID, userID string) (*types.AccountMeta, error)
+	GetAccountOnboardingFunc              func(ctx context.Context, accountID, userID string) (*types.AccountOnboarding, error)
+	UpdateAccountOnboardingFunc           func(ctx context.Context, accountID, userID string, onboarding *types.AccountOnboarding) (*types.AccountOnboarding, error)
 	GetOrCreateAccountByPrivateDomainFunc func(ctx context.Context, initiatorId, domain string) (*types.Account, bool, error)
 }

@@ -814,6 +815,22 @@ func (am *MockAccountManager) GetAccountMeta(ctx context.Context, accountID stri
 	return nil, status.Errorf(codes.Unimplemented, "method GetAccountMeta is not implemented")
 }

+// GetAccountOnboarding mocks GetAccountOnboarding of the AccountManager interface
+func (am *MockAccountManager) GetAccountOnboarding(ctx context.Context, accountID string, userID string) (*types.AccountOnboarding, error) {
+	if am.GetAccountOnboardingFunc != nil {
+		return am.GetAccountOnboardingFunc(ctx, accountID, userID)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method GetAccountOnboarding is not implemented")
+}
+
+// UpdateAccountOnboarding mocks UpdateAccountOnboarding of the AccountManager interface
+func (am *MockAccountManager) UpdateAccountOnboarding(ctx context.Context, accountID string, userID string, onboarding *types.AccountOnboarding) (*types.AccountOnboarding, error) {
+	if am.UpdateAccountOnboardingFunc != nil {
+		return am.UpdateAccountOnboardingFunc(ctx, accountID, userID, onboarding)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method UpdateAccountOnboarding is not implemented")
+}
+
 // GetUserByID mocks GetUserByID of the AccountManager interface
 func (am *MockAccountManager) GetUserByID(ctx context.Context, id string) (*types.User, error) {
 	if am.GetUserByIDFunc != nil {
--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -779,7 +779,7 @@ func createNSManager(t *testing.T) (*DefaultAccountManager, error) {
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManager := permissions.NewManager(store)
-	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 }

 func createNSStore(t *testing.T) (store.Store, error) {
@@ -848,7 +848,7 @@ func initTestNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account,
 	userID := testUserID
 	domain := "example.com"

-	account := newAccountWithId(context.Background(), accountID, userID, domain)
+	account := newAccountWithId(context.Background(), accountID, userID, domain, false)

 	account.NameServerGroups[existingNSGroup.ID] = &existingNSGroup

--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -92,7 +92,7 @@ func (am *DefaultAccountManager) getUserAccessiblePeers(ctx context.Context, acc

 	// fetch all the peers that have access to the user's peers
 	for _, peer := range peers {
-		aclPeers, _ := account.GetPeerConnectionResources(ctx, peer.ID, approvedPeersMap)
+		aclPeers, _ := account.GetPeerConnectionResources(ctx, peer, approvedPeersMap)
 		for _, p := range aclPeers {
 			peersMap[p.ID] = p
 		}
@@ -473,6 +473,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, setupKey, userID s
 		accountID, err = am.Store.GetAccountIDBySetupKey(ctx, encodedHashedKey)
 	}
 	if err != nil {
+		log.WithContext(ctx).Errorf("failed login: sk - %s, userId - %s, dnsLabel - %s, meta - %v", setupKey, userID, peer.DNSLabel, peer.Meta)
 		return nil, nil, nil, status.Errorf(status.NotFound, "failed adding new peer: account not found")
 	}

@@ -1149,7 +1150,7 @@ func (am *DefaultAccountManager) checkIfUserOwnsPeer(ctx context.Context, accoun
 	}

 	for _, p := range userPeers {
-		aclPeers, _ := account.GetPeerConnectionResources(ctx, p.ID, approvedPeersMap)
+		aclPeers, _ := account.GetPeerConnectionResources(ctx, p, approvedPeersMap)
 		for _, aclPeer := range aclPeers {
 			if aclPeer.ID == peer.ID {
 				return peer, nil
@@ -1169,7 +1170,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 		return
 	}

-	start := time.Now()
+	globalStart := time.Now()

 	approvedPeersMap, err := am.integratedPeerValidator.GetValidatedPeers(account.Id, maps.Values(account.Groups), maps.Values(account.Peers), account.Settings.Extra)
 	if err != nil {
@@ -1204,18 +1205,27 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 			defer wg.Done()
 			defer func() { <-semaphore }()

+			start := time.Now()
+
 			postureChecks, err := am.getPeerPostureChecks(account, p.ID)
 			if err != nil {
 				log.WithContext(ctx).Debugf("failed to get posture checks for peer %s: %v", peer.ID, err)
 				return
 			}

+			am.metrics.UpdateChannelMetrics().CountCalcPostureChecksDuration(time.Since(start))
+			start = time.Now()
+
 			remotePeerNetworkMap := account.GetPeerNetworkMap(ctx, p.ID, customZone, approvedPeersMap, resourcePolicies, routers, am.metrics.AccountManagerMetrics())

+			am.metrics.UpdateChannelMetrics().CountCalcPeerNetworkMapDuration(time.Since(start))
+			start = time.Now()
+
 			proxyNetworkMap, ok := proxyNetworkMaps[p.ID]
 			if ok {
 				remotePeerNetworkMap.Merge(proxyNetworkMap)
 			}
+			am.metrics.UpdateChannelMetrics().CountMergeNetworkMapDuration(time.Since(start))

 			extraSetting, err := am.settingsManager.GetExtraSettings(ctx, accountID)
 			if err != nil {
@@ -1223,7 +1233,10 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 				return
 			}

+			start = time.Now()
 			update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting)
+			am.metrics.UpdateChannelMetrics().CountToSyncResponseDuration(time.Since(start))
+
 			am.peersUpdateManager.SendUpdate(ctx, p.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap})
 		}(peer)
 	}
@@ -1232,7 +1245,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account

 	wg.Wait()
 	if am.metrics != nil {
-		am.metrics.AccountManagerMetrics().CountUpdateAccountPeersDuration(time.Since(start))
+		am.metrics.AccountManagerMetrics().CountUpdateAccountPeersDuration(time.Since(globalStart))
 	}
 }

--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -480,7 +480,7 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	accountID := "test_account"
 	adminUser := "account_creator"
 	someUser := "some_user"
-	account := newAccountWithId(context.Background(), accountID, adminUser, "")
+	account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
 	account.Users[someUser] = &types.User{
 		Id:   someUser,
 		Role: types.UserRoleUser,
@@ -667,7 +667,7 @@ func TestDefaultAccountManager_GetPeers(t *testing.T) {
 			accountID := "test_account"
 			adminUser := "account_creator"
 			someUser := "some_user"
-			account := newAccountWithId(context.Background(), accountID, adminUser, "")
+			account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
 			account.Users[someUser] = &types.User{
 				Id:            someUser,
 				Role:          testCase.role,
@@ -737,7 +737,7 @@ func setupTestAccountManager(b testing.TB, peers int, groups int) (*DefaultAccou
 	adminUser := "account_creator"
 	regularUser := "regular_user"

-	account := newAccountWithId(context.Background(), accountID, adminUser, "")
+	account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
 	account.Users[regularUser] = &types.User{
 		Id:   regularUser,
 		Role: types.UserRoleUser,
@@ -1267,7 +1267,7 @@ func Test_RegisterPeerByUser(t *testing.T) {
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManager := permissions.NewManager(s)

-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	assert.NoError(t, err)

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -1342,7 +1342,7 @@ func Test_RegisterPeerBySetupKey(t *testing.T) {
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManager := permissions.NewManager(s)

-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	assert.NoError(t, err)

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -1477,7 +1477,7 @@ func Test_RegisterPeerRollbackOnFailure(t *testing.T) {

 	permissionsManager := permissions.NewManager(s)

-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	assert.NoError(t, err)

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -1546,7 +1546,7 @@ func Test_LoginPeer(t *testing.T) {
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManager := permissions.NewManager(s)

-	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	am, err := BuildManager(context.Background(), s, NewPeersUpdateManager(nil), nil, "", "netbird.cloud", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	assert.NoError(t, err)

 	existingAccountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
@@ -2052,7 +2052,7 @@ func Test_DeletePeer(t *testing.T) {
 	// account with an admin and a regular user
 	accountID := "test_account"
 	adminUser := "account_creator"
-	account := newAccountWithId(context.Background(), accountID, adminUser, "")
+	account := newAccountWithId(context.Background(), accountID, adminUser, "", false)
 	account.Peers = map[string]*nbpeer.Peer{
 		"peer1": {
 			ID:        "peer1",
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -27,6 +27,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				ID:     "peerB",
 				IP:     net.ParseIP("100.65.80.39"),
 				Status: &nbpeer.PeerStatus{},
+				Meta:   nbpeer.PeerSystemMeta{WtVersion: "0.48.0"},
 			},
 			"peerC": {
 				ID:     "peerC",
@@ -63,6 +64,12 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 				IP:     net.ParseIP("100.65.31.2"),
 				Status: &nbpeer.PeerStatus{},
 			},
+			"peerK": {
+				ID:     "peerK",
+				IP:     net.ParseIP("100.32.80.1"),
+				Status: &nbpeer.PeerStatus{},
+				Meta:   nbpeer.PeerSystemMeta{WtVersion: "0.30.0"},
+			},
 		},
 		Groups: map[string]*types.Group{
 			"GroupAll": {
@@ -111,6 +118,13 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 					"peerI",
 				},
 			},
+			"GroupWorkflow": {
+				ID:   "GroupWorkflow",
+				Name: "workflow",
+				Peers: []string{
+					"peerK",
+				},
+			},
 		},
 		Policies: []*types.Policy{
 			{
@@ -189,6 +203,39 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 					},
 				},
 			},
+			{
+				ID:          "RuleWorkflow",
+				Name:        "Workflow",
+				Description: "No description",
+				Enabled:     true,
+				Rules: []*types.PolicyRule{
+					{
+						ID:            "RuleWorkflow",
+						Name:          "Workflow",
+						Description:   "No description",
+						Bidirectional: true,
+						Enabled:       true,
+						Protocol:      types.PolicyRuleProtocolTCP,
+						Action:        types.PolicyTrafficActionAccept,
+						PortRanges: []types.RulePortRange{
+							{
+								Start: 8088,
+								End:   8088,
+							},
+							{
+								Start: 9090,
+								End:   9095,
+							},
+						},
+						Sources: []string{
+							"GroupWorkflow",
+						},
+						Destinations: []string{
+							"GroupDMZ",
+						},
+					},
+				},
+			},
 		},
 	}

@@ -199,14 +246,14 @@ func TestAccount_getPeersByPolicy(t *testing.T) {

 	t.Run("check that all peers get map", func(t *testing.T) {
 		for _, p := range account.Peers {
-			peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p.ID, validatedPeers)
-			assert.GreaterOrEqual(t, len(peers), 2, "minimum number peers should present")
-			assert.GreaterOrEqual(t, len(firewallRules), 2, "minimum number of firewall rules should present")
+			peers, firewallRules := account.GetPeerConnectionResources(context.Background(), p, validatedPeers)
+			assert.GreaterOrEqual(t, len(peers), 1, "minimum number peers should present")
+			assert.GreaterOrEqual(t, len(firewallRules), 1, "minimum number of firewall rules should present")
 		}
 	})

 	t.Run("check first peer map details", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", validatedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], validatedPeers)
 		assert.Len(t, peers, 8)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
@@ -364,6 +411,32 @@ func TestAccount_getPeersByPolicy(t *testing.T) {
 			assert.True(t, contains, "rule not found in expected rules %#v", rule)
 		}
 	})
+
+	t.Run("check port ranges support for older peers", func(t *testing.T) {
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerK"], validatedPeers)
+		assert.Len(t, peers, 1)
+		assert.Contains(t, peers, account.Peers["peerI"])
+
+		expectedFirewallRules := []*types.FirewallRule{
+			{
+				PeerIP:    "100.65.31.2",
+				Direction: types.FirewallRuleDirectionIN,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "8088",
+				PolicyID:  "RuleWorkflow",
+			},
+			{
+				PeerIP:    "100.65.31.2",
+				Direction: types.FirewallRuleDirectionOUT,
+				Action:    "accept",
+				Protocol:  "tcp",
+				Port:      "8088",
+				PolicyID:  "RuleWorkflow",
+			},
+		}
+		assert.ElementsMatch(t, firewallRules, expectedFirewallRules)
+	})
 }

 func TestAccount_getPeersByPolicyDirect(t *testing.T) {
@@ -466,10 +539,10 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	}

 	t.Run("check first peer map", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])

-		epectedFirewallRules := []*types.FirewallRule{
+		expectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.254.139",
 				Direction: types.FirewallRuleDirectionIN,
@@ -487,19 +560,19 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(epectedFirewallRules))
-		slices.SortFunc(epectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(expectedFirewallRules))
+		slices.SortFunc(expectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
 		}
 	})

 	t.Run("check second peer map", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])

-		epectedFirewallRules := []*types.FirewallRule{
+		expectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.80.39",
 				Direction: types.FirewallRuleDirectionIN,
@@ -517,21 +590,21 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(epectedFirewallRules))
-		slices.SortFunc(epectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(expectedFirewallRules))
+		slices.SortFunc(expectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
 		}
 	})

 	account.Policies[1].Rules[0].Bidirectional = false

 	t.Run("check first peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerC"])

-		epectedFirewallRules := []*types.FirewallRule{
+		expectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.254.139",
 				Direction: types.FirewallRuleDirectionOUT,
@@ -541,19 +614,19 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(epectedFirewallRules))
-		slices.SortFunc(epectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(expectedFirewallRules))
+		slices.SortFunc(expectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
 		}
 	})

 	t.Run("check second peer map directional only", func(t *testing.T) {
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
 		assert.Contains(t, peers, account.Peers["peerB"])

-		epectedFirewallRules := []*types.FirewallRule{
+		expectedFirewallRules := []*types.FirewallRule{
 			{
 				PeerIP:    "100.65.80.39",
 				Direction: types.FirewallRuleDirectionIN,
@@ -563,11 +636,11 @@ func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 				PolicyID:  "RuleSwarm",
 			},
 		}
-		assert.Len(t, firewallRules, len(epectedFirewallRules))
-		slices.SortFunc(epectedFirewallRules, sortFunc())
+		assert.Len(t, firewallRules, len(expectedFirewallRules))
+		slices.SortFunc(expectedFirewallRules, sortFunc())
 		slices.SortFunc(firewallRules, sortFunc())
 		for i := range firewallRules {
-			assert.Equal(t, epectedFirewallRules[i], firewallRules[i])
+			assert.Equal(t, expectedFirewallRules[i], firewallRules[i])
 		}
 	})
 }
@@ -748,7 +821,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {
 	t.Run("verify peer's network map with default group peer list", func(t *testing.T) {
 		// peerB doesn't fulfill the NB posture check but is included in the destination group Swarm,
 		// will establish a connection with all source peers satisfying the NB posture check.
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -758,7 +831,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, 1)
 		expectedFirewallRules := []*types.FirewallRule{
@@ -775,7 +848,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerE"], approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -785,7 +858,7 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerI doesn't fulfill the OS version posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerI"], approvedPeers)
 		assert.Len(t, peers, 4)
 		assert.Len(t, firewallRules, 4)
 		assert.Contains(t, peers, account.Peers["peerA"])
@@ -800,19 +873,19 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerB doesn't satisfy the NB posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), "peerB", approvedPeers)
+		peers, firewallRules := account.GetPeerConnectionResources(context.Background(), account.Peers["peerB"], approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)

 		// peerI doesn't satisfy the OS version posture check, and doesn't exist in destination group peer's
 		// no connection should be established to any peer of destination group
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerI", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerI"], approvedPeers)
 		assert.Len(t, peers, 0)
 		assert.Len(t, firewallRules, 0)

 		// peerC satisfy the NB posture check, should establish connection to all destination group peer's
 		// We expect a single permissive firewall rule which all outgoing connections
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerC", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerC"], approvedPeers)
 		assert.Len(t, peers, len(account.Groups["GroupSwarm"].Peers))
 		assert.Len(t, firewallRules, len(account.Groups["GroupSwarm"].Peers))

@@ -827,14 +900,14 @@ func TestAccount_getPeersByPolicyPostureChecks(t *testing.T) {

 		// peerE doesn't fulfill the NB posture check and exists in only destination group Swarm,
 		// all source group peers satisfying the NB posture check should establish connection
-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerE", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerE"], approvedPeers)
 		assert.Len(t, peers, 3)
 		assert.Len(t, firewallRules, 3)
 		assert.Contains(t, peers, account.Peers["peerA"])
 		assert.Contains(t, peers, account.Peers["peerC"])
 		assert.Contains(t, peers, account.Peers["peerD"])

-		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), "peerA", approvedPeers)
+		peers, firewallRules = account.GetPeerConnectionResources(context.Background(), account.Peers["peerA"], approvedPeers)
 		assert.Len(t, peers, 5)
 		// assert peers from Group Swarm
 		assert.Contains(t, peers, account.Peers["peerD"])
--- a/management/server/posture/nb_version.go
+++ b/management/server/posture/nb_version.go
@@ -24,20 +24,12 @@ func sanitizeVersion(version string) string {
 }

 func (n *NBVersionCheck) Check(ctx context.Context, peer nbpeer.Peer) (bool, error) {
-	peerVersion := sanitizeVersion(peer.Meta.WtVersion)
-	minVersion := sanitizeVersion(n.MinVersion)
-
-	peerNBVersion, err := version.NewVersion(peerVersion)
+	meetsMin, err := MeetsMinVersion(n.MinVersion, peer.Meta.WtVersion)
 	if err != nil {
 		return false, err
 	}

-	constraints, err := version.NewConstraint(">= " + minVersion)
-	if err != nil {
-		return false, err
-	}
-
-	if constraints.Check(peerNBVersion) {
+	if meetsMin {
 		return true, nil
 	}

@@ -60,3 +52,21 @@ func (n *NBVersionCheck) Validate() error {
 	}
 	return nil
 }
+
+// MeetsMinVersion checks if the peer's version meets or exceeds the minimum required version
+func MeetsMinVersion(minVer, peerVer string) (bool, error) {
+	peerVer = sanitizeVersion(peerVer)
+	minVer = sanitizeVersion(minVer)
+
+	peerNBVer, err := version.NewVersion(peerVer)
+	if err != nil {
+		return false, err
+	}
+
+	constraints, err := version.NewConstraint(">= " + minVer)
+	if err != nil {
+		return false, err
+	}
+
+	return constraints.Check(peerNBVer), nil
+}
--- a/management/server/posture/nb_version_test.go
+++ b/management/server/posture/nb_version_test.go
@@ -139,3 +139,68 @@ func TestNBVersionCheck_Validate(t *testing.T) {
 		})
 	}
 }
+
+func TestMeetsMinVersion(t *testing.T) {
+	tests := []struct {
+		name    string
+		minVer  string
+		peerVer string
+		want    bool
+		wantErr bool
+	}{
+		{
+			name:    "Peer version greater than min version",
+			minVer:  "0.26.0",
+			peerVer: "0.60.1",
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name:    "Peer version equals min version",
+			minVer:  "1.0.0",
+			peerVer: "1.0.0",
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name:    "Peer version less than min version",
+			minVer:  "1.0.0",
+			peerVer: "0.9.9",
+			want:    false,
+			wantErr: false,
+		},
+		{
+			name:    "Peer version with pre-release tag greater than min version",
+			minVer:  "1.0.0",
+			peerVer: "1.0.1-alpha",
+			want:    true,
+			wantErr: false,
+		},
+		{
+			name:    "Invalid peer version format",
+			minVer:  "1.0.0",
+			peerVer: "dev",
+			want:    false,
+			wantErr: true,
+		},
+		{
+			name:    "Invalid min version format",
+			minVer:  "invalid.version",
+			peerVer: "1.0.0",
+			want:    false,
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := MeetsMinVersion(tt.minVer, tt.peerVer)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+			}
+			assert.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/management/server/posture_checks_test.go
+++ b/management/server/posture_checks_test.go
@@ -106,7 +106,7 @@ func initTestPostureChecksAccount(am *DefaultAccountManager) (*types.Account, er
 		Role: types.UserRoleUser,
 	}

-	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain)
+	account := newAccountWithId(context.Background(), accountID, groupAdminUserID, domain, false)
 	account.Users[admin.Id] = admin
 	account.Users[user.Id] = user

--- a/management/server/route.go
+++ b/management/server/route.go
@@ -4,19 +4,19 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"slices"
 	"unicode/utf8"

 	"github.com/rs/xid"

-	"github.com/netbirdio/netbird/management/server/permissions/modules"
-	"github.com/netbirdio/netbird/management/server/permissions/operations"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/types"
-
 	"github.com/netbirdio/netbird/management/domain"
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/permissions/modules"
+	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/route"
 )

@@ -30,13 +30,19 @@ func (am *DefaultAccountManager) GetRoute(ctx context.Context, accountID string,
 		return nil, status.NewPermissionDeniedError()
 	}

-	return am.Store.GetRouteByID(ctx, store.LockingStrengthShare, string(routeID), accountID)
+	return am.Store.GetRouteByID(ctx, store.LockingStrengthShare, accountID, string(routeID))
 }

 // checkRoutePrefixOrDomainsExistForPeers checks if a route with a given prefix exists for a single peer or multiple peer groups.
-func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(account *types.Account, peerID string, routeID route.ID, peerGroupIDs []string, prefix netip.Prefix, domains domain.List) error {
+func checkRoutePrefixOrDomainsExistForPeers(ctx context.Context, transaction store.Store, accountID string, checkRoute *route.Route, groupsMap map[string]*types.Group) error {
 	// routes can have both peer and peer_groups
-	routesWithPrefix := account.GetRoutesByPrefixOrDomains(prefix, domains)
+	prefix := checkRoute.Network
+	domains := checkRoute.Domains
+
+	routesWithPrefix, err := getRoutesByPrefixOrDomains(ctx, transaction, accountID, prefix, domains)
+	if err != nil {
+		return err
+	}

 	// lets remember all the peers and the peer groups from routesWithPrefix
 	seenPeers := make(map[string]bool)
@@ -45,18 +51,24 @@ func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(account
 	for _, prefixRoute := range routesWithPrefix {
 		// we skip route(s) with the same network ID as we want to allow updating of the existing route
 		// when creating a new route routeID is newly generated so nothing will be skipped
-		if routeID == prefixRoute.ID {
+		if checkRoute.ID == prefixRoute.ID {
 			continue
 		}

 		if prefixRoute.Peer != "" {
 			seenPeers[string(prefixRoute.ID)] = true
 		}
+
+		peerGroupsMap, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthShare, accountID, prefixRoute.PeerGroups)
+		if err != nil {
+			return err
+		}
+
 		for _, groupID := range prefixRoute.PeerGroups {
 			seenPeerGroups[groupID] = true

-			group := account.GetGroup(groupID)
-			if group == nil {
+			group, ok := peerGroupsMap[groupID]
+			if !ok || group == nil {
 				return status.Errorf(
 					status.InvalidArgument, "failed to add route with %s - peer group %s doesn't exist",
 					getRouteDescriptor(prefix, domains), groupID,
@@ -69,12 +81,13 @@ func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(account
 		}
 	}

-	if peerID != "" {
+	if peerID := checkRoute.Peer; peerID != "" {
 		// check that peerID exists and is not in any route as single peer or part of the group
-		peer := account.GetPeer(peerID)
-		if peer == nil {
+		_, err = transaction.GetPeerByID(context.Background(), store.LockingStrengthShare, accountID, peerID)
+		if err != nil {
 			return status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
 		}
+
 		if _, ok := seenPeers[peerID]; ok {
 			return status.Errorf(status.AlreadyExists,
 				"failed to add route with %s - peer %s already has this route", getRouteDescriptor(prefix, domains), peerID)
@@ -82,9 +95,8 @@ func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(account
 	}

 	// check that peerGroupIDs are not in any route peerGroups list
-	for _, groupID := range peerGroupIDs {
-		group := account.GetGroup(groupID) // we validated the group existence before entering this function, no need to check again.
-
+	for _, groupID := range checkRoute.PeerGroups {
+		group := groupsMap[groupID] // we validated the group existence before entering this function, no need to check again.
 		if _, ok := seenPeerGroups[groupID]; ok {
 			return status.Errorf(
 				status.AlreadyExists, "failed to add route with %s - peer group %s already has this route",
@@ -92,12 +104,18 @@ func (am *DefaultAccountManager) checkRoutePrefixOrDomainsExistForPeers(account
 		}

 		// check that the peers from peerGroupIDs groups are not the same peers we saw in routesWithPrefix
+		peersMap, err := transaction.GetPeersByIDs(ctx, store.LockingStrengthShare, accountID, group.Peers)
+		if err != nil {
+			return err
+		}
+
 		for _, id := range group.Peers {
 			if _, ok := seenPeers[id]; ok {
-				peer := account.GetPeer(id)
-				if peer == nil {
-					return status.Errorf(status.InvalidArgument, "peer with ID %s not found", peerID)
+				peer, ok := peersMap[id]
+				if !ok || peer == nil {
+					return status.Errorf(status.InvalidArgument, "peer with ID %s not found", id)
 				}
+
 				return status.Errorf(status.AlreadyExists,
 					"failed to add route with %s - peer %s from the group %s already has this route",
 					getRouteDescriptor(prefix, domains), peer.Name, group.Name)
@@ -128,97 +146,58 @@ func (am *DefaultAccountManager) CreateRoute(ctx context.Context, accountID stri
 		return nil, status.NewPermissionDeniedError()
 	}

-	account, err := am.Store.GetAccount(ctx, accountID)
-	if err != nil {
-		return nil, err
-	}
-
 	if len(domains) > 0 && prefix.IsValid() {
 		return nil, status.Errorf(status.InvalidArgument, "domains and network should not be provided at the same time")
 	}

-	if len(domains) == 0 && !prefix.IsValid() {
-		return nil, status.Errorf(status.InvalidArgument, "invalid Prefix")
-	}
+	var newRoute *route.Route
+	var updateAccountPeers bool

-	if len(domains) > 0 {
-		prefix = getPlaceholderIP()
-	}
-
-	if peerID != "" && len(peerGroupIDs) != 0 {
-		return nil, status.Errorf(
-			status.InvalidArgument,
-			"peer with ID %s and peers group %s should not be provided at the same time",
-			peerID, peerGroupIDs)
-	}
-
-	var newRoute route.Route
-	newRoute.ID = route.ID(xid.New().String())
-
-	if len(peerGroupIDs) > 0 {
-		err = validateGroups(peerGroupIDs, account.Groups)
-		if err != nil {
-			return nil, err
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		newRoute = &route.Route{
+			ID:                  route.ID(xid.New().String()),
+			AccountID:           accountID,
+			Network:             prefix,
+			Domains:             domains,
+			KeepRoute:           keepRoute,
+			NetID:               netID,
+			Description:         description,
+			Peer:                peerID,
+			PeerGroups:          peerGroupIDs,
+			NetworkType:         networkType,
+			Masquerade:          masquerade,
+			Metric:              metric,
+			Enabled:             enabled,
+			Groups:              groups,
+			AccessControlGroups: accessControlGroupIDs,
 		}
-	}

-	if len(accessControlGroupIDs) > 0 {
-		err = validateGroups(accessControlGroupIDs, account.Groups)
-		if err != nil {
-			return nil, err
+		if err = validateRoute(ctx, transaction, accountID, newRoute); err != nil {
+			return err
 		}
-	}

-	err = am.checkRoutePrefixOrDomainsExistForPeers(account, peerID, newRoute.ID, peerGroupIDs, prefix, domains)
+		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, newRoute)
+		if err != nil {
+			return err
+		}
+
+		if err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID); err != nil {
+			return err
+		}
+
+		return transaction.SaveRoute(ctx, store.LockingStrengthUpdate, newRoute)
+	})
 	if err != nil {
 		return nil, err
 	}

-	if metric < route.MinMetric || metric > route.MaxMetric {
-		return nil, status.Errorf(status.InvalidArgument, "metric should be between %d and %d", route.MinMetric, route.MaxMetric)
-	}
-
-	if utf8.RuneCountInString(string(netID)) > route.MaxNetIDChar || netID == "" {
-		return nil, status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d", route.MaxNetIDChar)
-	}
-
-	err = validateGroups(groups, account.Groups)
-	if err != nil {
-		return nil, err
-	}
-
-	newRoute.Peer = peerID
-	newRoute.PeerGroups = peerGroupIDs
-	newRoute.Network = prefix
-	newRoute.Domains = domains
-	newRoute.NetworkType = networkType
-	newRoute.Description = description
-	newRoute.NetID = netID
-	newRoute.Masquerade = masquerade
-	newRoute.Metric = metric
-	newRoute.Enabled = enabled
-	newRoute.Groups = groups
-	newRoute.KeepRoute = keepRoute
-	newRoute.AccessControlGroups = accessControlGroupIDs
-
-	if account.Routes == nil {
-		account.Routes = make(map[route.ID]*route.Route)
-	}
-
-	account.Routes[newRoute.ID] = &newRoute
-
-	account.Network.IncSerial()
-	if err = am.Store.SaveAccount(ctx, account); err != nil {
-		return nil, err
-	}
-
-	if am.isRouteChangeAffectPeers(account, &newRoute) {
-		am.UpdateAccountPeers(ctx, accountID)
-	}
-
 	am.StoreEvent(ctx, userID, string(newRoute.ID), accountID, activity.RouteCreated, newRoute.EventMeta())

-	return &newRoute, nil
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID)
+	}
+
+	return newRoute, nil
 }

 // SaveRoute saves route
@@ -226,6 +205,115 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
 	defer unlock()

+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Update)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
+	var oldRoute *route.Route
+	var oldRouteAffectsPeers bool
+	var newRouteAffectsPeers bool
+
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		if err = validateRoute(ctx, transaction, accountID, routeToSave); err != nil {
+			return err
+		}
+
+		oldRoute, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeToSave.ID))
+		if err != nil {
+			return err
+		}
+
+		oldRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, oldRoute)
+		if err != nil {
+			return err
+		}
+
+		newRouteAffectsPeers, err = areRouteChangesAffectPeers(ctx, transaction, routeToSave)
+		if err != nil {
+			return err
+		}
+		routeToSave.AccountID = accountID
+
+		if err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID); err != nil {
+			return err
+		}
+
+		return transaction.SaveRoute(ctx, store.LockingStrengthUpdate, routeToSave)
+	})
+	if err != nil {
+		return err
+	}
+
+	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())
+
+	if oldRouteAffectsPeers || newRouteAffectsPeers {
+		am.UpdateAccountPeers(ctx, accountID)
+	}
+
+	return nil
+}
+
+// DeleteRoute deletes route with routeID
+func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error {
+	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
+	defer unlock()
+
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Delete)
+	if err != nil {
+		return status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return status.NewPermissionDeniedError()
+	}
+
+	var route *route.Route
+	var updateAccountPeers bool
+
+	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		route, err = transaction.GetRouteByID(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
+		if err != nil {
+			return err
+		}
+
+		updateAccountPeers, err = areRouteChangesAffectPeers(ctx, transaction, route)
+		if err != nil {
+			return err
+		}
+
+		if err = transaction.IncrementNetworkSerial(ctx, store.LockingStrengthUpdate, accountID); err != nil {
+			return err
+		}
+
+		return transaction.DeleteRoute(ctx, store.LockingStrengthUpdate, accountID, string(routeID))
+	})
+
+	am.StoreEvent(ctx, userID, string(route.ID), accountID, activity.RouteRemoved, route.EventMeta())
+
+	if updateAccountPeers {
+		am.UpdateAccountPeers(ctx, accountID)
+	}
+
+	return nil
+}
+
+// ListRoutes returns a list of routes from account
+func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error) {
+	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
+	if err != nil {
+		return nil, status.NewPermissionValidationError(err)
+	}
+	if !allowed {
+		return nil, status.NewPermissionDeniedError()
+	}
+
+	return am.Store.GetAccountRoutes(ctx, store.LockingStrengthShare, accountID)
+}
+
+func validateRoute(ctx context.Context, transaction store.Store, accountID string, routeToSave *route.Route) error {
 	if routeToSave == nil {
 		return status.Errorf(status.InvalidArgument, "route provided is nil")
 	}
@@ -238,19 +326,6 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 		return status.Errorf(status.InvalidArgument, "identifier should be between 1 and %d", route.MaxNetIDChar)
 	}

-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Update)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !allowed {
-		return status.NewPermissionDeniedError()
-	}
-
-	account, err := am.Store.GetAccount(ctx, accountID)
-	if err != nil {
-		return err
-	}
-
 	if len(routeToSave.Domains) > 0 && routeToSave.Network.IsValid() {
 		return status.Errorf(status.InvalidArgument, "domains and network should not be provided at the same time")
 	}
@@ -267,96 +342,39 @@ func (am *DefaultAccountManager) SaveRoute(ctx context.Context, accountID, userI
 		return status.Errorf(status.InvalidArgument, "peer with ID and peer groups should not be provided at the same time")
 	}

+	groupsMap, err := validateRouteGroups(ctx, transaction, accountID, routeToSave)
+	if err != nil {
+		return err
+	}
+
+	return checkRoutePrefixOrDomainsExistForPeers(ctx, transaction, accountID, routeToSave, groupsMap)
+}
+
+// validateRouteGroups validates the route groups and returns the validated groups map.
+func validateRouteGroups(ctx context.Context, transaction store.Store, accountID string, routeToSave *route.Route) (map[string]*types.Group, error) {
+	groupsToValidate := slices.Concat(routeToSave.Groups, routeToSave.PeerGroups, routeToSave.AccessControlGroups)
+	groupsMap, err := transaction.GetGroupsByIDs(ctx, store.LockingStrengthShare, accountID, groupsToValidate)
+	if err != nil {
+		return nil, err
+	}
+
 	if len(routeToSave.PeerGroups) > 0 {
-		err = validateGroups(routeToSave.PeerGroups, account.Groups)
-		if err != nil {
-			return err
+		if err = validateGroups(routeToSave.PeerGroups, groupsMap); err != nil {
+			return nil, err
 		}
 	}

 	if len(routeToSave.AccessControlGroups) > 0 {
-		err = validateGroups(routeToSave.AccessControlGroups, account.Groups)
-		if err != nil {
-			return err
+		if err = validateGroups(routeToSave.AccessControlGroups, groupsMap); err != nil {
+			return nil, err
 		}
 	}

-	err = am.checkRoutePrefixOrDomainsExistForPeers(account, routeToSave.Peer, routeToSave.ID, routeToSave.Copy().PeerGroups, routeToSave.Network, routeToSave.Domains)
-	if err != nil {
-		return err
+	if err = validateGroups(routeToSave.Groups, groupsMap); err != nil {
+		return nil, err
 	}

-	err = validateGroups(routeToSave.Groups, account.Groups)
-	if err != nil {
-		return err
-	}
-
-	oldRoute := account.Routes[routeToSave.ID]
-	account.Routes[routeToSave.ID] = routeToSave
-
-	account.Network.IncSerial()
-	if err = am.Store.SaveAccount(ctx, account); err != nil {
-		return err
-	}
-
-	if am.isRouteChangeAffectPeers(account, oldRoute) || am.isRouteChangeAffectPeers(account, routeToSave) {
-		am.UpdateAccountPeers(ctx, accountID)
-	}
-
-	am.StoreEvent(ctx, userID, string(routeToSave.ID), accountID, activity.RouteUpdated, routeToSave.EventMeta())
-
-	return nil
-}
-
-// DeleteRoute deletes route with routeID
-func (am *DefaultAccountManager) DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Delete)
-	if err != nil {
-		return status.NewPermissionValidationError(err)
-	}
-	if !allowed {
-		return status.NewPermissionDeniedError()
-	}
-
-	account, err := am.Store.GetAccount(ctx, accountID)
-	if err != nil {
-		return err
-	}
-
-	routy := account.Routes[routeID]
-	if routy == nil {
-		return status.Errorf(status.NotFound, "route with ID %s doesn't exist", routeID)
-	}
-	delete(account.Routes, routeID)
-
-	account.Network.IncSerial()
-	if err = am.Store.SaveAccount(ctx, account); err != nil {
-		return err
-	}
-
-	am.StoreEvent(ctx, userID, string(routy.ID), accountID, activity.RouteRemoved, routy.EventMeta())
-
-	if am.isRouteChangeAffectPeers(account, routy) {
-		am.UpdateAccountPeers(ctx, accountID)
-	}
-
-	return nil
-}
-
-// ListRoutes returns a list of routes from account
-func (am *DefaultAccountManager) ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error) {
-	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Routes, operations.Read)
-	if err != nil {
-		return nil, status.NewPermissionValidationError(err)
-	}
-	if !allowed {
-		return nil, status.NewPermissionDeniedError()
-	}
-
-	return am.Store.GetAccountRoutes(ctx, store.LockingStrengthShare, accountID)
+	return groupsMap, nil
 }

 func toProtocolRoute(route *route.Route) *proto.Route {
@@ -455,8 +473,40 @@ func getProtoPortInfo(rule *types.RouteFirewallRule) *proto.PortInfo {
 	return &portInfo
 }

-// isRouteChangeAffectPeers checks if a given route affects peers by determining
-// if it has a routing peer, distribution, or peer groups that include peers
-func (am *DefaultAccountManager) isRouteChangeAffectPeers(account *types.Account, route *route.Route) bool {
-	return am.anyGroupHasPeers(account, route.Groups) || am.anyGroupHasPeers(account, route.PeerGroups) || route.Peer != ""
+// areRouteChangesAffectPeers checks if a given route affects peers by determining
+// if it has a routing peer, distribution, or peer groups that include peers.
+func areRouteChangesAffectPeers(ctx context.Context, transaction store.Store, route *route.Route) (bool, error) {
+	if route.Peer != "" {
+		return true, nil
+	}
+
+	hasPeers, err := anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.Groups)
+	if err != nil {
+		return false, err
+	}
+
+	if hasPeers {
+		return true, nil
+	}
+
+	return anyGroupHasPeersOrResources(ctx, transaction, route.AccountID, route.PeerGroups)
+}
+
+// GetRoutesByPrefixOrDomains return list of routes by account and route prefix
+func getRoutesByPrefixOrDomains(ctx context.Context, transaction store.Store, accountID string, prefix netip.Prefix, domains domain.List) ([]*route.Route, error) {
+	accountRoutes, err := transaction.GetAccountRoutes(ctx, store.LockingStrengthShare, accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	routes := make([]*route.Route, 0)
+	for _, r := range accountRoutes {
+		dynamic := r.IsDynamic()
+		if dynamic && r.Domains.PunycodeString() == domains.PunycodeString() ||
+			!dynamic && r.Network.String() == prefix.String() {
+			routes = append(routes, r)
+		}
+	}
+
+	return routes, nil
 }
--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -1284,7 +1284,7 @@ func createRouterManager(t *testing.T) (*DefaultAccountManager, error) {

 	permissionsManager := permissions.NewManager(store)

-	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager)
+	return BuildManager(context.Background(), store, NewPeersUpdateManager(nil), nil, "", "netbird.selfhosted", eventStore, nil, false, MocIntegratedValidator{}, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 }

 func createRouterStore(t *testing.T) (store.Store, error) {
@@ -1305,7 +1305,7 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*types.Accou
 	accountID := "testingAcc"
 	domain := "example.com"

-	account := newAccountWithId(context.Background(), accountID, userID, domain)
+	account := newAccountWithId(context.Background(), accountID, userID, domain, false)
 	err := am.Store.SaveAccount(context.Background(), account)
 	if err != nil {
 		return nil, err
--- a/management/server/status/error.go
+++ b/management/server/status/error.go
@@ -90,6 +90,11 @@ func NewAccountNotFoundError(accountKey string) error {
 	return Errorf(NotFound, "account not found: %s", accountKey)
 }

+// NewAccountOnboardingNotFoundError creates a new Error with NotFound type for a missing account onboarding
+func NewAccountOnboardingNotFoundError(accountKey string) error {
+	return Errorf(NotFound, "account onboarding not found: %s", accountKey)
+}
+
 // NewPeerNotPartOfAccountError creates a new Error with PermissionDenied type for a peer not being part of an account
 func NewPeerNotPartOfAccountError() error {
 	return Errorf(PermissionDenied, "peer is not part of this account")
@@ -227,3 +232,7 @@ func NewUserRoleNotFoundError(role string) error {
 func NewOperationNotFoundError(operation operations.Operation) error {
 	return Errorf(NotFound, "operation: %s not found", operation)
 }
+
+func NewRouteNotFoundError(routeID string) error {
+	return Errorf(NotFound, "route: %s not found", routeID)
+}
--- a/management/server/store/sql_store.go
+++ b/management/server/store/sql_store.go
@@ -23,8 +23,6 @@ import (
 	"gorm.io/gorm/clause"
 	"gorm.io/gorm/logger"

-	"github.com/netbirdio/netbird/management/server/util"
-
 	nbdns "github.com/netbirdio/netbird/dns"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
@@ -34,6 +32,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/util"
 	"github.com/netbirdio/netbird/route"
 )

@@ -100,7 +99,7 @@ func NewSqlStore(ctx context.Context, db *gorm.DB, storeEngine types.Engine, met
 		&types.SetupKey{}, &nbpeer.Peer{}, &types.User{}, &types.PersonalAccessToken{}, &types.Group{},
 		&types.Account{}, &types.Policy{}, &types.PolicyRule{}, &route.Route{}, &nbdns.NameServerGroup{},
 		&installation{}, &types.ExtraSettings{}, &posture.Checks{}, &nbpeer.NetworkAddress{},
-		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{},
+		&networkTypes.Network{}, &routerTypes.NetworkRouter{}, &resourceTypes.NetworkResource{}, &types.AccountOnboarding{},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("auto migrate: %w", err)
@@ -726,6 +725,32 @@ func (s *SqlStore) GetAccountMeta(ctx context.Context, lockStrength LockingStren
 	return &accountMeta, nil
 }

+// GetAccountOnboarding retrieves the onboarding information for a specific account.
+func (s *SqlStore) GetAccountOnboarding(ctx context.Context, accountID string) (*types.AccountOnboarding, error) {
+	var accountOnboarding types.AccountOnboarding
+	result := s.db.Model(&accountOnboarding).First(&accountOnboarding, accountIDCondition, accountID)
+	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, status.NewAccountOnboardingNotFoundError(accountID)
+		}
+		log.WithContext(ctx).Errorf("error when getting account onboarding %s from the store: %s", accountID, result.Error)
+		return nil, status.NewGetAccountFromStoreError(result.Error)
+	}
+
+	return &accountOnboarding, nil
+}
+
+// SaveAccountOnboarding updates the onboarding information for a specific account.
+func (s *SqlStore) SaveAccountOnboarding(ctx context.Context, onboarding *types.AccountOnboarding) error {
+	result := s.db.Clauses(clause.OnConflict{UpdateAll: true}).Create(onboarding)
+	if result.Error != nil {
+		log.WithContext(ctx).Errorf("error when saving account onboarding %s in the store: %s", onboarding.AccountID, result.Error)
+		return status.Errorf(status.Internal, "error when saving account onboarding %s in the store: %s", onboarding.AccountID, result.Error)
+	}
+
+	return nil
+}
+
 func (s *SqlStore) GetAccount(ctx context.Context, accountID string) (*types.Account, error) {
 	start := time.Now()
 	defer func() {
@@ -1185,7 +1210,7 @@ func NewSqliteStoreFromFileStore(ctx context.Context, fileStore *FileStore, data
 	for _, account := range fileStore.GetAllAccounts(ctx) {
 		_, err = account.GetGroupAll()
 		if err != nil {
-			if err := account.AddAllGroup(); err != nil {
+			if err := account.AddAllGroup(false); err != nil {
 				return nil, err
 			}
 		}
@@ -1968,12 +1993,58 @@ func (s *SqlStore) DeletePostureChecks(ctx context.Context, lockStrength Locking

 // GetAccountRoutes retrieves network routes for an account.
 func (s *SqlStore) GetAccountRoutes(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*route.Route, error) {
-	return getRecords[*route.Route](s.db, lockStrength, accountID)
+	var routes []*route.Route
+	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
+		Find(&routes, accountIDCondition, accountID)
+	if err := result.Error; err != nil {
+		log.WithContext(ctx).Errorf("failed to get routes from the store: %s", err)
+		return nil, status.Errorf(status.Internal, "failed to get routes from store")
+	}
+
+	return routes, nil
 }

 // GetRouteByID retrieves a route by its ID and account ID.
-func (s *SqlStore) GetRouteByID(ctx context.Context, lockStrength LockingStrength, routeID string, accountID string) (*route.Route, error) {
-	return getRecordByID[route.Route](s.db, lockStrength, routeID, accountID)
+func (s *SqlStore) GetRouteByID(ctx context.Context, lockStrength LockingStrength, accountID string, routeID string) (*route.Route, error) {
+	var route *route.Route
+	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
+		First(&route, accountAndIDQueryCondition, accountID, routeID)
+	if err := result.Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, status.NewRouteNotFoundError(routeID)
+		}
+		log.WithContext(ctx).Errorf("failed to get route from the store: %s", err)
+		return nil, status.Errorf(status.Internal, "failed to get route from store")
+	}
+
+	return route, nil
+}
+
+// SaveRoute saves a route to the database.
+func (s *SqlStore) SaveRoute(ctx context.Context, lockStrength LockingStrength, route *route.Route) error {
+	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).Save(route)
+	if err := result.Error; err != nil {
+		log.WithContext(ctx).Errorf("failed to save route to the store: %s", err)
+		return status.Errorf(status.Internal, "failed to save route to store")
+	}
+
+	return nil
+}
+
+// DeleteRoute deletes a route from the database.
+func (s *SqlStore) DeleteRoute(ctx context.Context, lockStrength LockingStrength, accountID, routeID string) error {
+	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).
+		Delete(&route.Route{}, accountAndIDQueryCondition, accountID, routeID)
+	if err := result.Error; err != nil {
+		log.WithContext(ctx).Errorf("failed to delete route from the store: %s", err)
+		return status.Errorf(status.Internal, "failed to delete route from store")
+	}
+
+	if result.RowsAffected == 0 {
+		return status.NewRouteNotFoundError(routeID)
+	}
+
+	return nil
 }

 // GetAccountSetupKeys retrieves setup keys for an account.
@@ -2104,49 +2175,6 @@ func (s *SqlStore) DeleteNameServerGroup(ctx context.Context, lockStrength Locki
 	return nil
 }

-// getRecords retrieves records from the database based on the account ID.
-func getRecords[T any](db *gorm.DB, lockStrength LockingStrength, accountID string) ([]T, error) {
-	tx := db
-	if lockStrength != LockingStrengthNone {
-		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
-	}
-
-	var record []T
-
-	result := tx.Find(&record, accountIDCondition, accountID)
-	if err := result.Error; err != nil {
-		parts := strings.Split(fmt.Sprintf("%T", record), ".")
-		recordType := parts[len(parts)-1]
-
-		return nil, status.Errorf(status.Internal, "failed to get account %ss from store: %v", recordType, err)
-	}
-
-	return record, nil
-}
-
-// getRecordByID retrieves a record by its ID and account ID from the database.
-func getRecordByID[T any](db *gorm.DB, lockStrength LockingStrength, recordID, accountID string) (*T, error) {
-	tx := db
-	if lockStrength != LockingStrengthNone {
-		tx = tx.Clauses(clause.Locking{Strength: string(lockStrength)})
-	}
-
-	var record T
-
-	result := tx.Clauses(clause.Locking{Strength: string(lockStrength)}).
-		First(&record, accountAndIDQueryCondition, accountID, recordID)
-	if err := result.Error; err != nil {
-		parts := strings.Split(fmt.Sprintf("%T", record), ".")
-		recordType := parts[len(parts)-1]
-
-		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
-			return nil, status.Errorf(status.NotFound, "%s not found", recordType)
-		}
-		return nil, status.Errorf(status.Internal, "failed to get %s from store: %v", recordType, err)
-	}
-	return &record, nil
-}
-
 // SaveDNSSettings saves the DNS settings to the store.
 func (s *SqlStore) SaveDNSSettings(ctx context.Context, lockStrength LockingStrength, accountID string, settings *types.DNSSettings) error {
 	result := s.db.Clauses(clause.Locking{Strength: string(lockStrength)}).Model(&types.Account{}).
--- a/management/server/store/sql_store_test.go
+++ b/management/server/store/sql_store_test.go
@@ -19,21 +19,17 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

-	"github.com/netbirdio/netbird/management/server/util"
-
 	nbdns "github.com/netbirdio/netbird/dns"
 	resourceTypes "github.com/netbirdio/netbird/management/server/networks/resources/types"
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
-	"github.com/netbirdio/netbird/management/server/posture"
-	"github.com/netbirdio/netbird/management/server/types"
-
-	route2 "github.com/netbirdio/netbird/route"
-
-	"github.com/netbirdio/netbird/management/server/status"
-
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
+	"github.com/netbirdio/netbird/management/server/status"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/management/server/util"
 	nbroute "github.com/netbirdio/netbird/route"
+	route2 "github.com/netbirdio/netbird/route"
 )

 func runTestForAllEngines(t *testing.T, testDataFile string, f func(t *testing.T, store Store)) {
@@ -357,9 +353,16 @@ func TestSqlite_DeleteAccount(t *testing.T) {
 		t.Errorf("expecting 1 Accounts to be stored after SaveAccount()")
 	}

+	o, err := store.GetAccountOnboarding(context.Background(), account.Id)
+	require.NoError(t, err)
+	require.Equal(t, o.AccountID, account.Id)
+
 	err = store.DeleteAccount(context.Background(), account)
 	require.NoError(t, err)

+	_, err = store.GetAccountOnboarding(context.Background(), account.Id)
+	require.Error(t, err, "expecting error after removing DeleteAccount when getting onboarding")
+
 	if len(store.GetAllAccounts(context.Background())) != 0 {
 		t.Errorf("expecting 0 Accounts to be stored after DeleteAccount()")
 	}
@@ -417,12 +420,21 @@ func Test_GetAccount(t *testing.T) {
 		account, err := store.GetAccount(context.Background(), id)
 		require.NoError(t, err)
 		require.Equal(t, id, account.Id, "account id should match")
+		require.Equal(t, false, account.Onboarding.OnboardingFlowPending)
+
+		id = "9439-34653001fc3b-bf1c8084-ba50-4ce7"
+
+		account, err = store.GetAccount(context.Background(), id)
+		require.NoError(t, err)
+		require.Equal(t, id, account.Id, "account id should match")
+		require.Equal(t, true, account.Onboarding.OnboardingFlowPending)

 		_, err = store.GetAccount(context.Background(), "non-existing-account")
 		assert.Error(t, err)
 		parsedErr, ok := status.FromError(err)
 		require.True(t, ok)
 		require.Equal(t, status.NotFound, parsedErr.Type(), "should return not found error")
+
 	})
 }

@@ -2046,9 +2058,10 @@ func newAccountWithId(ctx context.Context, accountID, userID, domain string) *ty
 			PeerInactivityExpirationEnabled: false,
 			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
 		},
+		Onboarding: types.AccountOnboarding{SignupFormPending: true, OnboardingFlowPending: true},
 	}

-	if err := acc.AddAllGroup(); err != nil {
+	if err := acc.AddAllGroup(false); err != nil {
 		log.WithContext(ctx).Errorf("error adding all group to account %s: %v", acc.Id, err)
 	}
 	return acc
@@ -3247,6 +3260,132 @@ func TestSqlStore_SaveGroups_LargeBatch(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 8003, len(accountGroups))
 }
+func TestSqlStore_GetAccountRoutes(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name          string
+		accountID     string
+		expectedCount int
+	}{
+		{
+			name:          "retrieve routes by existing account ID",
+			accountID:     "bf1c8084-ba50-4ce7-9439-34653001fc3b",
+			expectedCount: 1,
+		},
+		{
+			name:          "non-existing account ID",
+			accountID:     "nonexistent",
+			expectedCount: 0,
+		},
+		{
+			name:          "empty account ID",
+			accountID:     "",
+			expectedCount: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			routes, err := store.GetAccountRoutes(context.Background(), LockingStrengthShare, tt.accountID)
+			require.NoError(t, err)
+			require.Len(t, routes, tt.expectedCount)
+		})
+	}
+}
+
+func TestSqlStore_GetRouteByID(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+	tests := []struct {
+		name        string
+		routeID     string
+		expectError bool
+	}{
+		{
+			name:        "retrieve existing route",
+			routeID:     "ct03t427qv97vmtmglog",
+			expectError: false,
+		},
+		{
+			name:        "retrieve non-existing route",
+			routeID:     "non-existing",
+			expectError: true,
+		},
+		{
+			name:        "retrieve with empty route ID",
+			routeID:     "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			route, err := store.GetRouteByID(context.Background(), LockingStrengthShare, accountID, tt.routeID)
+			if tt.expectError {
+				require.Error(t, err)
+				sErr, ok := status.FromError(err)
+				require.True(t, ok)
+				require.Equal(t, sErr.Type(), status.NotFound)
+				require.Nil(t, route)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, route)
+				require.Equal(t, tt.routeID, string(route.ID))
+			}
+		})
+	}
+}
+
+func TestSqlStore_SaveRoute(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+
+	route := &route2.Route{
+		ID:                  "route-id",
+		AccountID:           accountID,
+		Network:             netip.MustParsePrefix("10.10.0.0/16"),
+		NetID:               "netID",
+		PeerGroups:          []string{"routeA"},
+		NetworkType:         route2.IPv4Network,
+		Masquerade:          true,
+		Metric:              9999,
+		Enabled:             true,
+		Groups:              []string{"groupA"},
+		AccessControlGroups: []string{},
+	}
+	err = store.SaveRoute(context.Background(), LockingStrengthUpdate, route)
+	require.NoError(t, err)
+
+	saveRoute, err := store.GetRouteByID(context.Background(), LockingStrengthShare, accountID, string(route.ID))
+	require.NoError(t, err)
+	require.Equal(t, route, saveRoute)
+
+}
+
+func TestSqlStore_DeleteRoute(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+	routeID := "ct03t427qv97vmtmglog"
+
+	err = store.DeleteRoute(context.Background(), LockingStrengthUpdate, accountID, routeID)
+	require.NoError(t, err)
+
+	route, err := store.GetRouteByID(context.Background(), LockingStrengthShare, accountID, routeID)
+	require.Error(t, err)
+	require.Nil(t, route)
+}

 func TestSqlStore_GetAccountMeta(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
@@ -3264,6 +3403,63 @@ func TestSqlStore_GetAccountMeta(t *testing.T) {
 	require.Equal(t, time.Date(2024, time.October, 2, 14, 1, 38, 210000000, time.UTC), accountMeta.CreatedAt.UTC())
 }

+func TestSqlStore_GetAccountOnboarding(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "9439-34653001fc3b-bf1c8084-ba50-4ce7"
+	a, err := store.GetAccount(context.Background(), accountID)
+	require.NoError(t, err)
+	t.Logf("Onboarding: %+v", a.Onboarding)
+	err = store.SaveAccount(context.Background(), a)
+	require.NoError(t, err)
+	onboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
+	require.NoError(t, err)
+	require.NotNil(t, onboarding)
+	require.Equal(t, accountID, onboarding.AccountID)
+	require.Equal(t, time.Date(2024, time.October, 2, 14, 1, 38, 210000000, time.UTC), onboarding.CreatedAt.UTC())
+}
+
+func TestSqlStore_SaveAccountOnboarding(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+	t.Run("New onboarding should be saved correctly", func(t *testing.T) {
+		accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+		onboarding := &types.AccountOnboarding{
+			AccountID:             accountID,
+			SignupFormPending:     true,
+			OnboardingFlowPending: true,
+		}
+
+		err = store.SaveAccountOnboarding(context.Background(), onboarding)
+		require.NoError(t, err)
+
+		savedOnboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
+		require.NoError(t, err)
+		require.Equal(t, onboarding.SignupFormPending, savedOnboarding.SignupFormPending)
+		require.Equal(t, onboarding.OnboardingFlowPending, savedOnboarding.OnboardingFlowPending)
+	})
+
+	t.Run("Existing onboarding should be updated correctly", func(t *testing.T) {
+		accountID := "9439-34653001fc3b-bf1c8084-ba50-4ce7"
+		onboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
+		require.NoError(t, err)
+
+		onboarding.OnboardingFlowPending = !onboarding.OnboardingFlowPending
+		onboarding.SignupFormPending = !onboarding.SignupFormPending
+
+		err = store.SaveAccountOnboarding(context.Background(), onboarding)
+		require.NoError(t, err)
+
+		savedOnboarding, err := store.GetAccountOnboarding(context.Background(), accountID)
+		require.NoError(t, err)
+		require.Equal(t, onboarding.SignupFormPending, savedOnboarding.SignupFormPending)
+		require.Equal(t, onboarding.OnboardingFlowPending, savedOnboarding.OnboardingFlowPending)
+	})
+}
+
 func TestSqlStore_GetAnyAccountID(t *testing.T) {
 	t.Run("should return account ID when accounts exist", func(t *testing.T) {
 		store, cleanup, err := NewTestStoreFromSQL(context.Background(), "../testdata/extended-store.sql", t.TempDir())
--- a/management/server/store/store.go
+++ b/management/server/store/store.go
@@ -52,6 +52,7 @@ type Store interface {
 	GetAllAccounts(ctx context.Context) []*types.Account
 	GetAccount(ctx context.Context, accountID string) (*types.Account, error)
 	GetAccountMeta(ctx context.Context, lockStrength LockingStrength, accountID string) (*types.AccountMeta, error)
+	GetAccountOnboarding(ctx context.Context, accountID string) (*types.AccountOnboarding, error)
 	AccountExists(ctx context.Context, lockStrength LockingStrength, id string) (bool, error)
 	GetAccountDomainAndCategory(ctx context.Context, lockStrength LockingStrength, accountID string) (string, string, error)
 	GetAccountByUser(ctx context.Context, userID string) (*types.Account, error)
@@ -74,6 +75,7 @@ type Store interface {
 	SaveDNSSettings(ctx context.Context, lockStrength LockingStrength, accountID string, settings *types.DNSSettings) error
 	SaveAccountSettings(ctx context.Context, lockStrength LockingStrength, accountID string, settings *types.Settings) error
 	CountAccountsByPrivateDomain(ctx context.Context, domain string) (int64, error)
+	SaveAccountOnboarding(ctx context.Context, onboarding *types.AccountOnboarding) error

 	GetUserByPATID(ctx context.Context, lockStrength LockingStrength, patID string) (*types.User, error)
 	GetUserByUserID(ctx context.Context, lockStrength LockingStrength, userID string) (*types.User, error)
@@ -145,7 +147,9 @@ type Store interface {
 	DeleteSetupKey(ctx context.Context, lockStrength LockingStrength, accountID, keyID string) error

 	GetAccountRoutes(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*route.Route, error)
-	GetRouteByID(ctx context.Context, lockStrength LockingStrength, routeID string, accountID string) (*route.Route, error)
+	GetRouteByID(ctx context.Context, lockStrength LockingStrength, accountID, routeID string) (*route.Route, error)
+	SaveRoute(ctx context.Context, lockStrength LockingStrength, route *route.Route) error
+	DeleteRoute(ctx context.Context, lockStrength LockingStrength, accountID, routeID string) error

 	GetAccountNameServerGroups(ctx context.Context, lockStrength LockingStrength, accountID string) ([]*dns.NameServerGroup, error)
 	GetNameServerGroupByID(ctx context.Context, lockStrength LockingStrength, nameServerGroupID string, accountID string) (*dns.NameServerGroup, error)
@@ -389,7 +393,7 @@ func addAllGroupToAccount(ctx context.Context, store Store) error {

 		_, err := account.GetGroupAll()
 		if err != nil {
-			if err := account.AddAllGroup(); err != nil {
+			if err := account.AddAllGroup(false); err != nil {
 				return err
 			}
 			shouldSave = true
--- a/management/server/telemetry/updatechannel_metrics.go
+++ b/management/server/telemetry/updatechannel_metrics.go
@@ -18,6 +18,10 @@ type UpdateChannelMetrics struct {
 	getAllConnectedPeersDurationMicro metric.Int64Histogram
 	getAllConnectedPeers              metric.Int64Histogram
 	hasChannelDurationMicro           metric.Int64Histogram
+	calcPostureChecksDurationMicro    metric.Int64Histogram
+	calcPeerNetworkMapDurationMs      metric.Int64Histogram
+	mergeNetworkMapDurationMicro      metric.Int64Histogram
+	toSyncResponseDurationMicro       metric.Int64Histogram
 	ctx                               context.Context
 }

@@ -89,6 +93,38 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 		return nil, err
 	}

+	calcPostureChecksDurationMicro, err := meter.Int64Histogram("management.updatechannel.calc.posturechecks.duration.micro",
+		metric.WithUnit("microseconds"),
+		metric.WithDescription("Duration of how long it takes to get the posture checks for a peer"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	calcPeerNetworkMapDurationMs, err := meter.Int64Histogram("management.updatechannel.calc.networkmap.duration.ms",
+		metric.WithUnit("milliseconds"),
+		metric.WithDescription("Duration of how long it takes to calculate the network map for a peer"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	mergeNetworkMapDurationMicro, err := meter.Int64Histogram("management.updatechannel.merge.networkmap.duration.micro",
+		metric.WithUnit("microseconds"),
+		metric.WithDescription("Duration of how long it takes to merge the network maps for a peer"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	toSyncResponseDurationMicro, err := meter.Int64Histogram("management.updatechannel.tosyncresponse.duration.micro",
+		metric.WithUnit("microseconds"),
+		metric.WithDescription("Duration of how long it takes to convert the network map to sync response"),
+	)
+	if err != nil {
+		return nil, err
+	}
+
 	return &UpdateChannelMetrics{
 		createChannelDurationMicro:        createChannelDurationMicro,
 		closeChannelDurationMicro:         closeChannelDurationMicro,
@@ -98,6 +134,10 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 		getAllConnectedPeersDurationMicro: getAllConnectedPeersDurationMicro,
 		getAllConnectedPeers:              getAllConnectedPeers,
 		hasChannelDurationMicro:           hasChannelDurationMicro,
+		calcPostureChecksDurationMicro:    calcPostureChecksDurationMicro,
+		calcPeerNetworkMapDurationMs:      calcPeerNetworkMapDurationMs,
+		mergeNetworkMapDurationMicro:      mergeNetworkMapDurationMicro,
+		toSyncResponseDurationMicro:       toSyncResponseDurationMicro,
 		ctx:                               ctx,
 	}, nil
 }
@@ -137,3 +177,19 @@ func (metrics *UpdateChannelMetrics) CountGetAllConnectedPeersDuration(duration
 func (metrics *UpdateChannelMetrics) CountHasChannelDuration(duration time.Duration) {
 	metrics.hasChannelDurationMicro.Record(metrics.ctx, duration.Microseconds())
 }
+
+func (metrics *UpdateChannelMetrics) CountCalcPostureChecksDuration(duration time.Duration) {
+	metrics.calcPostureChecksDurationMicro.Record(metrics.ctx, duration.Microseconds())
+}
+
+func (metrics *UpdateChannelMetrics) CountCalcPeerNetworkMapDuration(duration time.Duration) {
+	metrics.calcPeerNetworkMapDurationMs.Record(metrics.ctx, duration.Milliseconds())
+}
+
+func (metrics *UpdateChannelMetrics) CountMergeNetworkMapDuration(duration time.Duration) {
+	metrics.mergeNetworkMapDurationMicro.Record(metrics.ctx, duration.Microseconds())
+}
+
+func (metrics *UpdateChannelMetrics) CountToSyncResponseDuration(duration time.Duration) {
+	metrics.toSyncResponseDurationMicro.Record(metrics.ctx, duration.Microseconds())
+}
--- a/management/server/testdata/extended-store.sql
+++ b/management/server/testdata/extended-store.sql
@@ -38,4 +38,5 @@ INSERT INTO "groups" VALUES('cfefqs706sqkneg59g2g','bf1c8084-ba50-4ce7-9439-3465
 INSERT INTO posture_checks VALUES('csplshq7qv948l48f7t0','NetBird Version > 0.32.0','','bf1c8084-ba50-4ce7-9439-34653001fc3b','{"NBVersionCheck":{"MinVersion":"0.31.0"}}');
 INSERT INTO posture_checks VALUES('cspnllq7qv95uq1r4k90','Allow Berlin and Deny local network 172.16.1.0/24','','bf1c8084-ba50-4ce7-9439-34653001fc3b','{"GeoLocationCheck":{"Locations":[{"CountryCode":"DE","CityName":"Berlin"}],"Action":"allow"},"PeerNetworkRangeCheck":{"Action":"deny","Ranges":["172.16.1.0/24"]}}');
 INSERT INTO name_server_groups VALUES('csqdelq7qv97ncu7d9t0','bf1c8084-ba50-4ce7-9439-34653001fc3b','Google DNS','Google DNS Servers','[{"IP":"8.8.8.8","NSType":1,"Port":53},{"IP":"8.8.4.4","NSType":1,"Port":53}]','["cfefqs706sqkneg59g2g"]',1,'[]',1,0);
+INSERT INTO routes VALUES('ct03t427qv97vmtmglog','bf1c8084-ba50-4ce7-9439-34653001fc3b','"10.10.0.0/16"',NULL,0,'aws-eu-central-1-vpc','Production VPC in Frankfurt','ct03r5q7qv97vmtmglng',NULL,1,1,9999,1,'["cfefqs706sqkneg59g2g"]',NULL);
 INSERT INTO installations VALUES(1,'');
--- a/management/server/testdata/store.sql
+++ b/management/server/testdata/store.sql
@@ -1,4 +1,5 @@
 CREATE TABLE `accounts` (`id` text,`created_by` text,`created_at` datetime,`domain` text,`domain_category` text,`is_domain_primary_account` numeric,`network_identifier` text,`network_net` text,`network_dns` text,`network_serial` integer,`dns_settings_disabled_management_groups` text,`settings_peer_login_expiration_enabled` numeric,`settings_peer_login_expiration` integer,`settings_regular_users_view_blocked` numeric,`settings_groups_propagation_enabled` numeric,`settings_jwt_groups_enabled` numeric,`settings_jwt_groups_claim_name` text,`settings_jwt_allow_groups` text,`settings_extra_peer_approval_enabled` numeric,`settings_extra_integrated_validator_groups` text,PRIMARY KEY (`id`));
+CREATE TABLE `account_onboardings` (`account_id` text, `created_at` datetime,`updated_at` datetime, `onboarding_flow_pending` numeric, `signup_form_pending` numeric, PRIMARY KEY (`account_id`));
 CREATE TABLE `setup_keys` (`id` text,`account_id` text,`key` text,`name` text,`type` text,`created_at` datetime,`expires_at` datetime,`updated_at` datetime,`revoked` numeric,`used_times` integer,`last_used` datetime DEFAULT NULL,`auto_groups` text,`usage_limit` integer,`ephemeral` numeric,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_setup_keys_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 CREATE TABLE `peers` (`id` text,`account_id` text,`key` text,`setup_key` text,`ip` text,`meta_hostname` text,`meta_go_os` text,`meta_kernel` text,`meta_core` text,`meta_platform` text,`meta_os` text,`meta_os_version` text,`meta_wt_version` text,`meta_ui_version` text,`meta_kernel_version` text,`meta_network_addresses` text,`meta_system_serial_number` text,`meta_system_product_name` text,`meta_system_manufacturer` text,`meta_environment` text,`meta_files` text,`name` text,`dns_label` text,`peer_status_last_seen` datetime,`peer_status_connected` numeric,`peer_status_login_expired` numeric,`peer_status_requires_approval` numeric,`user_id` text,`ssh_key` text,`ssh_enabled` numeric,`login_expiration_enabled` numeric,`last_login` datetime,`created_at` datetime,`ephemeral` numeric,`location_connection_ip` text,`location_country_code` text,`location_city_name` text,`location_geo_name_id` integer,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_peers_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
 CREATE TABLE `users` (`id` text,`account_id` text,`role` text,`is_service_user` numeric,`non_deletable` numeric,`service_user_name` text,`auto_groups` text,`blocked` numeric,`last_login` datetime,`created_at` datetime,`issued` text DEFAULT "api",`integration_ref_id` integer,`integration_ref_integration_type` text,PRIMARY KEY (`id`),CONSTRAINT `fk_accounts_users_g` FOREIGN KEY (`account_id`) REFERENCES `accounts`(`id`));
@@ -38,7 +39,8 @@ CREATE INDEX `idx_networks_id` ON `networks`(`id`);
 CREATE INDEX `idx_networks_account_id` ON `networks`(`account_id`);

 INSERT INTO accounts VALUES('bf1c8084-ba50-4ce7-9439-34653001fc3b','edafee4e-63fb-11ec-90d6-0242ac120003','2024-10-02 16:03:06.778746+02:00','test.com','private',1,'af1c8024-ha40-4ce2-9418-34653101fc3c','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
-INSERT INTO "groups" VALUES('cs1tnh0hhcjnqoiuebeg','bf1c8084-ba50-4ce7-9439-34653001fc3b','All','api','[]',0,'');
+INSERT INTO accounts VALUES('9439-34653001fc3b-bf1c8084-ba50-4ce7','90d6-0242ac120003-edafee4e-63fb-11ec','2024-10-02 16:01:38.210000+02:00','test2.com','private',1,'af1c8024-ha40-4ce2-9418-34653101fc3c','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
+INSERT INTO account_onboardings VALUES('9439-34653001fc3b-bf1c8084-ba50-4ce7','2024-10-02 16:01:38.210000+02:00','2021-08-19 20:46:20.005936822+02:00',1,0);INSERT INTO "groups" VALUES('cs1tnh0hhcjnqoiuebeg','bf1c8084-ba50-4ce7-9439-34653001fc3b','All','api','[]',0,'');
 INSERT INTO setup_keys VALUES('','bf1c8084-ba50-4ce7-9439-34653001fc3b','A2C8E62B-38F5-4553-B31E-DD66C696CEBB','Default key','reusable','2021-08-19 20:46:20.005936822+02:00','2321-09-18 20:46:20.005936822+02:00','2021-08-19 20:46:20.005936822+02:00',0,0,NULL,'["cs1tnh0hhcjnqoiuebeg"]',0,0);
 INSERT INTO users VALUES('a23efe53-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','owner',0,0,'','[]',0,NULL,'2024-10-02 16:03:06.779156+02:00','api',0,'');
 INSERT INTO users VALUES('edafee4e-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','admin',0,0,'','[]',0,NULL,'2024-10-02 16:03:06.779156+02:00','api',0,'');
--- a/management/server/types/account.go
+++ b/management/server/types/account.go
@@ -36,6 +36,9 @@ const (
 	PublicCategory  = "public"
 	PrivateCategory = "private"
 	UnknownCategory = "unknown"
+
+	// firewallRuleMinPortRangesVer defines the minimum peer version that supports port range rules.
+	firewallRuleMinPortRangesVer = "0.48.0"
 )

 type LookupMap map[string]struct{}
@@ -79,11 +82,11 @@ type Account struct {
 	DNSSettings            DNSSettings                       `gorm:"embedded;embeddedPrefix:dns_settings_"`
 	PostureChecks          []*posture.Checks                 `gorm:"foreignKey:AccountID;references:id"`
 	// Settings is a dictionary of Account settings
-	Settings *Settings `gorm:"embedded;embeddedPrefix:settings_"`
-
+	Settings         *Settings                        `gorm:"embedded;embeddedPrefix:settings_"`
 	Networks         []*networkTypes.Network          `gorm:"foreignKey:AccountID;references:id"`
 	NetworkRouters   []*routerTypes.NetworkRouter     `gorm:"foreignKey:AccountID;references:id"`
 	NetworkResources []*resourceTypes.NetworkResource `gorm:"foreignKey:AccountID;references:id"`
+	Onboarding       AccountOnboarding                `gorm:"foreignKey:AccountID;references:id;constraint:OnDelete:CASCADE"`
 }

 // Subclass used in gorm to only load network and not whole account
@@ -101,6 +104,20 @@ type AccountSettings struct {
 	Settings *Settings `gorm:"embedded;embeddedPrefix:settings_"`
 }

+type AccountOnboarding struct {
+	AccountID             string `gorm:"primaryKey"`
+	OnboardingFlowPending bool
+	SignupFormPending     bool
+	CreatedAt             time.Time
+	UpdatedAt             time.Time
+}
+
+// IsEqual compares two AccountOnboarding objects and returns true if they are equal
+func (o AccountOnboarding) IsEqual(onboarding AccountOnboarding) bool {
+	return o.OnboardingFlowPending == onboarding.OnboardingFlowPending &&
+		o.SignupFormPending == onboarding.SignupFormPending
+}
+
 // GetRoutesToSync returns the enabled routes for the peer ID and the routes
 // from the ACL peers that have distribution groups associated with the peer ID.
 // Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
@@ -248,7 +265,7 @@ func (a *Account) GetPeerNetworkMap(
 		}
 	}

-	aclPeers, firewallRules := a.GetPeerConnectionResources(ctx, peerID, validatedPeersMap)
+	aclPeers, firewallRules := a.GetPeerConnectionResources(ctx, peer, validatedPeersMap)
 	// exclude expired peers
 	var peersToConnect []*nbpeer.Peer
 	var expiredPeers []*nbpeer.Peer
@@ -863,6 +880,7 @@ func (a *Account) Copy() *Account {
 		Networks:               nets,
 		NetworkRouters:         networkRouters,
 		NetworkResources:       networkResources,
+		Onboarding:             a.Onboarding,
 	}
 }

@@ -961,8 +979,9 @@ func (a *Account) UserGroupsRemoveFromPeers(userID string, groups ...string) map
 // GetPeerConnectionResources for a given peer
 //
 // This function returns the list of peers and firewall rules that are applicable to a given peer.
-func (a *Account) GetPeerConnectionResources(ctx context.Context, peerID string, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, []*FirewallRule) {
-	generateResources, getAccumulatedResources := a.connResourcesGenerator(ctx)
+func (a *Account) GetPeerConnectionResources(ctx context.Context, peer *nbpeer.Peer, validatedPeersMap map[string]struct{}) ([]*nbpeer.Peer, []*FirewallRule) {
+	generateResources, getAccumulatedResources := a.connResourcesGenerator(ctx, peer)
+
 	for _, policy := range a.Policies {
 		if !policy.Enabled {
 			continue
@@ -973,8 +992,8 @@ func (a *Account) GetPeerConnectionResources(ctx context.Context, peerID string,
 				continue
 			}

-			sourcePeers, peerInSources := a.getAllPeersFromGroups(ctx, rule.Sources, peerID, policy.SourcePostureChecks, validatedPeersMap)
-			destinationPeers, peerInDestinations := a.getAllPeersFromGroups(ctx, rule.Destinations, peerID, nil, validatedPeersMap)
+			sourcePeers, peerInSources := a.getAllPeersFromGroups(ctx, rule.Sources, peer.ID, policy.SourcePostureChecks, validatedPeersMap)
+			destinationPeers, peerInDestinations := a.getAllPeersFromGroups(ctx, rule.Destinations, peer.ID, nil, validatedPeersMap)

 			if rule.Bidirectional {
 				if peerInSources {
@@ -1003,7 +1022,7 @@ func (a *Account) GetPeerConnectionResources(ctx context.Context, peerID string,
 // The generator function is used to generate the list of peers and firewall rules that are applicable to a given peer.
 // It safe to call the generator function multiple times for same peer and different rules no duplicates will be
 // generated. The accumulator function returns the result of all the generator calls.
-func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule, []*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
+func (a *Account) connResourcesGenerator(ctx context.Context, targetPeer *nbpeer.Peer) (func(*PolicyRule, []*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
 	rulesExists := make(map[string]struct{})
 	peersExists := make(map[string]struct{})
 	rules := make([]*FirewallRule, 0)
@@ -1051,17 +1070,7 @@ func (a *Account) connResourcesGenerator(ctx context.Context) (func(*PolicyRule,
 					continue
 				}

-				for _, port := range rule.Ports {
-					pr := fr // clone rule and add set new port
-					pr.Port = port
-					rules = append(rules, &pr)
-				}
-
-				for _, portRange := range rule.PortRanges {
-					pr := fr
-					pr.PortRange = portRange
-					rules = append(rules, &pr)
-				}
+				rules = append(rules, expandPortsAndRanges(fr, rule, targetPeer)...)
 			}
 		}, func() ([]*nbpeer.Peer, []*FirewallRule) {
 			return peers, rules
@@ -1552,7 +1561,7 @@ func getPoliciesSourcePeers(policies []*Policy, groups map[string]*Group) map[st
 }

 // AddAllGroup to account object if it doesn't exist
-func (a *Account) AddAllGroup() error {
+func (a *Account) AddAllGroup(disableDefaultPolicy bool) error {
 	if len(a.Groups) == 0 {
 		allGroup := &Group{
 			ID:     xid.New().String(),
@@ -1564,6 +1573,10 @@ func (a *Account) AddAllGroup() error {
 		}
 		a.Groups = map[string]*Group{allGroup.ID: allGroup}

+		if disableDefaultPolicy {
+			return nil
+		}
+
 		id := xid.New().String()

 		defaultPolicy := &Policy{
@@ -1590,3 +1603,45 @@ func (a *Account) AddAllGroup() error {
 	}
 	return nil
 }
+
+// expandPortsAndRanges expands Ports and PortRanges of a rule into individual firewall rules
+func expandPortsAndRanges(base FirewallRule, rule *PolicyRule, peer *nbpeer.Peer) []*FirewallRule {
+	var expanded []*FirewallRule
+
+	if len(rule.Ports) > 0 {
+		for _, port := range rule.Ports {
+			fr := base
+			fr.Port = port
+			expanded = append(expanded, &fr)
+		}
+		return expanded
+	}
+
+	supportPortRanges := peerSupportsPortRanges(peer.Meta.WtVersion)
+	for _, portRange := range rule.PortRanges {
+		fr := base
+
+		if supportPortRanges {
+			fr.PortRange = portRange
+		} else {
+			// Peer doesn't support port ranges, only allow single-port ranges
+			if portRange.Start != portRange.End {
+				continue
+			}
+			fr.Port = strconv.FormatUint(uint64(portRange.Start), 10)
+		}
+		expanded = append(expanded, &fr)
+	}
+
+	return expanded
+}
+
+// peerSupportsPortRanges checks if the peer version supports port ranges.
+func peerSupportsPortRanges(peerVer string) bool {
+	if strings.Contains(peerVer, "dev") {
+		return true
+	}
+
+	meetMinVer, err := posture.MeetsMinVersion(firewallRuleMinPortRangesVer, peerVer)
+	return err == nil && meetMinVer
+}
--- a/management/server/types/config.go
+++ b/management/server/types/config.go
@@ -53,6 +53,9 @@ type Config struct {
 	StoreConfig StoreConfig

 	ReverseProxy ReverseProxy
+	
+	// disable default all-to-all policy
+	DisableDefaultPolicy bool
 }

 // GetAuthAudiences returns the audience from the http config and device authorization flow config
--- a/management/server/types/firewall_rule.go
+++ b/management/server/types/firewall_rule.go
@@ -76,7 +76,6 @@ func generateRouteFirewallRules(ctx context.Context, route *nbroute.Route, rule
 		rules = append(rules, generateRulesWithPortRanges(baseRule, rule, rulesExists)...)
 	} else {
 		rules = append(rules, generateRulesWithPorts(ctx, baseRule, rule, rulesExists)...)
-
 	}

 	// TODO: generate IPv6 rules for dynamic routes
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -56,7 +56,7 @@ func TestUser_CreatePAT_ForSameUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = s.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -103,7 +103,7 @@ func TestUser_CreatePAT_ForDifferentUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockTargetUserId] = &types.User{
 		Id:            mockTargetUserId,
 		IsServiceUser: false,
@@ -131,7 +131,7 @@ func TestUser_CreatePAT_ForServiceUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockTargetUserId] = &types.User{
 		Id:            mockTargetUserId,
 		IsServiceUser: true,
@@ -163,7 +163,7 @@ func TestUser_CreatePAT_WithWrongExpiration(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -188,7 +188,7 @@ func TestUser_CreatePAT_WithEmptyName(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -213,7 +213,7 @@ func TestUser_DeletePAT(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockUserID] = &types.User{
 		Id: mockUserID,
 		PATs: map[string]*types.PersonalAccessToken{
@@ -256,7 +256,7 @@ func TestUser_GetPAT(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockUserID] = &types.User{
 		Id:        mockUserID,
 		AccountID: mockAccountID,
@@ -296,7 +296,7 @@ func TestUser_GetAllPATs(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockUserID] = &types.User{
 		Id:        mockUserID,
 		AccountID: mockAccountID,
@@ -406,7 +406,7 @@ func TestUser_CreateServiceUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -453,7 +453,7 @@ func TestUser_CreateUser_ServiceUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -501,7 +501,7 @@ func TestUser_CreateUser_RegularUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -532,7 +532,7 @@ func TestUser_InviteNewUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -639,7 +639,7 @@ func TestUser_DeleteUser_ServiceUser(t *testing.T) {
 			}
 			t.Cleanup(cleanup)

-			account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+			account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 			account.Users[mockServiceUserID] = tt.serviceUser

 			err = store.SaveAccount(context.Background(), account)
@@ -678,7 +678,7 @@ func TestUser_DeleteUser_SelfDelete(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -705,7 +705,7 @@ func TestUser_DeleteUser_regularUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	targetId := "user2"
 	account.Users[targetId] = &types.User{
@@ -792,7 +792,7 @@ func TestUser_DeleteUser_RegularUsers(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	targetId := "user2"
 	account.Users[targetId] = &types.User{
@@ -952,7 +952,7 @@ func TestDefaultAccountManager_GetUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)

 	err = store.SaveAccount(context.Background(), account)
 	if err != nil {
@@ -988,7 +988,7 @@ func TestDefaultAccountManager_ListUsers(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users["normal_user1"] = types.NewRegularUser("normal_user1")
 	account.Users["normal_user2"] = types.NewRegularUser("normal_user2")

@@ -1030,7 +1030,7 @@ func TestDefaultAccountManager_ExternalCache(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	externalUser := &types.User{
 		Id:     "externalUser",
 		Role:   types.UserRoleUser,
@@ -1098,7 +1098,7 @@ func TestUser_GetUsersFromAccount_ForAdmin(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockServiceUserID] = &types.User{
 		Id:            mockServiceUserID,
 		Role:          "user",
@@ -1132,7 +1132,7 @@ func TestUser_GetUsersFromAccount_ForUser(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "")
+	account := newAccountWithId(context.Background(), mockAccountID, mockUserID, "", false)
 	account.Users[mockServiceUserID] = &types.User{
 		Id:            mockServiceUserID,
 		Role:          "user",
@@ -1499,7 +1499,7 @@ func TestSaveOrAddUser_PreventAccountSwitch(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account1 := newAccountWithId(context.Background(), "account1", "ownerAccount1", "")
+	account1 := newAccountWithId(context.Background(), "account1", "ownerAccount1", "", false)
 	targetId := "user2"
 	account1.Users[targetId] = &types.User{
 		Id:              targetId,
@@ -1508,7 +1508,7 @@ func TestSaveOrAddUser_PreventAccountSwitch(t *testing.T) {
 	}
 	require.NoError(t, s.SaveAccount(context.Background(), account1))

-	account2 := newAccountWithId(context.Background(), "account2", "ownerAccount2", "")
+	account2 := newAccountWithId(context.Background(), "account2", "ownerAccount2", "", false)
 	require.NoError(t, s.SaveAccount(context.Background(), account2))

 	permissionsManager := permissions.NewManager(s)
@@ -1535,7 +1535,7 @@ func TestDefaultAccountManager_GetCurrentUserInfo(t *testing.T) {
 	}
 	t.Cleanup(cleanup)

-	account1 := newAccountWithId(context.Background(), "account1", "account1Owner", "")
+	account1 := newAccountWithId(context.Background(), "account1", "account1Owner", "", false)
 	account1.Settings.RegularUsersViewBlocked = false
 	account1.Users["blocked-user"] = &types.User{
 		Id:        "blocked-user",
@@ -1557,7 +1557,7 @@ func TestDefaultAccountManager_GetCurrentUserInfo(t *testing.T) {
 	}
 	require.NoError(t, store.SaveAccount(context.Background(), account1))

-	account2 := newAccountWithId(context.Background(), "account2", "account2Owner", "")
+	account2 := newAccountWithId(context.Background(), "account2", "account2Owner", "", false)
 	account2.Users["settings-blocked-user"] = &types.User{
 		Id:   "settings-blocked-user",
 		Role: types.UserRoleUser,
--- a/release_files/install.sh
+++ b/release_files/install.sh
@@ -130,7 +130,7 @@ repo_gpgcheck=1
 EOF
 }

-add_aur_repo() {
+install_aur_package() {
    INSTALL_PKGS="git base-devel go"
    REMOVE_PKGS=""

@@ -154,8 +154,10 @@ add_aur_repo() {
        cd netbird-ui && makepkg -sri --noconfirm
    fi

-    # Clean up the installed packages
-    ${SUDO} pacman -Rs "$REMOVE_PKGS" --noconfirm
+    if [ -n "$REMOVE_PKGS" ]; then
+      # Clean up the installed packages
+      ${SUDO} pacman -Rs "$REMOVE_PKGS" --noconfirm
+    fi
 }

 prepare_tun_module() {
@@ -277,7 +279,9 @@ install_netbird() {
    ;;
    pacman)
        ${SUDO} pacman -Syy
-        add_aur_repo
+        install_aur_package
+        # in-line with the docs at https://wiki.archlinux.org/title/Netbird
+        ${SUDO} systemctl enable --now netbird@main.service
    ;;
    pkg)
        # Check if the package is already installed
@@ -494,4 +498,4 @@ case "$UPDATE_FLAG" in
    ;;
    *)
      install_netbird
-esac
+esac
--- a/version/update.go
+++ b/version/update.go
@@ -21,6 +21,7 @@ var (
 // Update fetch the version info periodically and notify the onUpdateListener in case the UI version or the
 // daemon version are deprecated
 type Update struct {
+	httpAgent       string
 	uiVersion       *goversion.Version
 	daemonVersion   *goversion.Version
 	latestAvailable *goversion.Version
@@ -34,7 +35,7 @@ type Update struct {
 }

 // NewUpdate instantiate Update and start to fetch the new version information
-func NewUpdate() *Update {
+func NewUpdate(httpAgent string) *Update {
 	currentVersion, err := goversion.NewVersion(version)
 	if err != nil {
 		currentVersion, _ = goversion.NewVersion("0.0.0")
@@ -43,6 +44,7 @@ func NewUpdate() *Update {
 	latestAvailable, _ := goversion.NewVersion("0.0.0")

 	u := &Update{
+		httpAgent:       httpAgent,
 		latestAvailable: latestAvailable,
 		uiVersion:       currentVersion,
 		fetchTicker:     time.NewTicker(fetchPeriod),
@@ -112,7 +114,15 @@ func (u *Update) startFetcher() {
 func (u *Update) fetchVersion() bool {
 	log.Debugf("fetching version info from %s", versionURL)

-	resp, err := http.Get(versionURL)
+	req, err := http.NewRequest("GET", versionURL, nil)
+	if err != nil {
+		log.Errorf("failed to create request for version info: %s", err)
+		return false
+	}
+
+	req.Header.Set("User-Agent", u.httpAgent)
+
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		log.Errorf("failed to fetch version info: %s", err)
 		return false
--- a/version/update_test.go
+++ b/version/update_test.go
@@ -9,6 +9,8 @@ import (
 	"time"
 )

+const httpAgent = "pkg/test"
+
 func TestNewUpdate(t *testing.T) {
 	version = "1.0.0"
 	svr := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -21,7 +23,7 @@ func TestNewUpdate(t *testing.T) {
 	wg.Add(1)

 	onUpdate := false
-	u := NewUpdate()
+	u := NewUpdate(httpAgent)
 	defer u.StopWatch()
 	u.SetOnUpdateListener(func() {
 		onUpdate = true
@@ -46,7 +48,7 @@ func TestDoNotUpdate(t *testing.T) {
 	wg.Add(1)

 	onUpdate := false
-	u := NewUpdate()
+	u := NewUpdate(httpAgent)
 	defer u.StopWatch()
 	u.SetOnUpdateListener(func() {
 		onUpdate = true
@@ -71,7 +73,7 @@ func TestDaemonUpdate(t *testing.T) {
 	wg.Add(1)

 	onUpdate := false
-	u := NewUpdate()
+	u := NewUpdate(httpAgent)
 	defer u.StopWatch()
 	u.SetOnUpdateListener(func() {
 		onUpdate = true
Author	SHA1	Message	Date
crn4	0886b67ce9	added logs for an addPeer	2025-07-07 18:16:02 +02:00
Maycon Santos	ad22e9eea1	Merge branch 'main' into add-account-onboarding	2025-07-02 02:59:03 +02:00
Ali Amer	d9402168ad	[management] Add option to disable default all-to-all policy (#3970 ) This PR introduces a new configuration option `DisableDefaultPolicy` that prevents the creation of the default all-to-all policy when new accounts are created. This is useful for automation scenarios where explicit policies are preferred. ### Key Changes: - Added DisableDefaultPolicy flag to the management server config - Modified account creation logic to respect this flag - Updated all test cases to explicitly pass the flag (defaulting to false to maintain backward compatibility) - Propagated the flag through the account manager initialization chain ### Testing: - Verified default behavior remains unchanged when flag is false - Confirmed no default policy is created when flag is true - All existing tests pass with the new parameter	2025-07-02 02:41:59 +02:00
Krzysztof Nazarewski (kdn)	dbdef04b9e	[misc] getting-started-with-zitadel.sh: drop unnecessary port 8080 (#4075 )	2025-07-02 02:35:13 +02:00
Maycon Santos	d806fc4a03	handle empty onboard to avoid breaking clients and dashboard	2025-07-02 01:38:40 +02:00
Maycon Santos	7a5edb3894	create accounts with pending onboarding	2025-07-01 23:25:52 +02:00
Maycon Santos	2dc230ab9a	add store and account manager methods add store tests	2025-07-01 19:54:53 +02:00
Maycon Santos	29cbfe8467	[misc] update sign pipeline version to v0.0.20 (#4082 )	2025-07-01 16:23:31 +02:00
Maycon Santos	6ce8643368	[client] Run login popup on goroutine (#4080 )	2025-07-01 13:45:55 +02:00
Maycon Santos	432dc42bf5	add account onboarding	2025-07-01 11:51:46 +02:00
Krzysztof Nazarewski (kdn)	07d1ad35fc	[misc] start the service after installation on arch linux (#4071 )	2025-06-30 12:02:03 +02:00
Krzysztof Nazarewski (kdn)	ef6cd36f1a	[misc] fix arch install.sh error with empty temporary dependencies handle empty var before calling removal command	2025-06-30 11:59:35 +02:00
Krzysztof Nazarewski (kdn)	c1c71b6d39	[client] improve adding route log message (#4034 ) from: Adding route to 1.2.3.4/32 via invalid IP @ 10 (wt0) to: Adding route to 1.2.3.4/32 via no-ip @ 10 (wt0)	2025-06-30 11:57:42 +02:00
Pascal Fischer	0480507a10	[management] report networkmap duration in ms (#4064 )	2025-06-28 11:38:15 +02:00
Krzysztof Nazarewski (kdn)	34ac4e4b5a	[misc] fix: self-hosting: the wrong default for NETBIRD_AUTH_PKCE_LOGIN_FLAG (#4055 ) * fix: self-hosting: the wrong default for NETBIRD_AUTH_PKCE_LOGIN_FLAG fixes https://github.com/netbirdio/netbird/issues/4054 * un-quote the number Co-authored-by: Maycon Santos <mlsmaycon@gmail.com> --------- Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>	2025-06-26 10:45:00 +02:00
Pascal Fischer	52ff9d9602	[management] remove unused transaction (#4053 )	2025-06-26 01:34:22 +02:00
Pascal Fischer	1b73fae46e	[management] add breakdown of network map calculation metrics (#4020 )	2025-06-25 11:46:35 +02:00
Viktor Liu	d897365abc	[client] Don't open cmd.exe during MSI actions (#4041 )	2025-06-24 21:32:37 +02:00
Viktor Liu	f37aa2cc9d	[misc] Specify netbird binary location in Dockerfiles (#4024 )	2025-06-23 10:09:02 +02:00
Maycon Santos	5343bee7b2	[management] check and log on new management version (#4029 ) This PR enhances the version checker to send a custom User-Agent header when polling for updates, and configures both the management CLI and client UI to use distinct agents. - NewUpdate now takes an `httpAgent` string to set the User-Agent header. - `fetchVersion` builds a custom HTTP request (instead of `http.Get`) and sets the User-Agent. - Management CLI and client UI now pass `"nb/management"` and `"nb/client-ui"` respectively to NewUpdate. - Tests updated to supply an `httpAgent` constant. - Logs if there is a new version available for management	2025-06-22 16:44:33 +02:00
Maycon Santos	870e29db63	[misc] add additional metrics (#4028 ) * add additional metrics we are collecting active rosenpass, ssh from the client side we are also collecting active user peers and active users * remove duplicated	2025-06-22 13:44:25 +02:00
Maycon Santos	08e9b05d51	[client] close windows when process needs to exit (#4027 ) This PR fixes a bug by ensuring that the advanced settings and re-authentication windows are closed appropriately when the main GUI process exits. - Updated runSelfCommand calls throughout the UI to pass a context parameter. - Modified runSelfCommand’s signature and its internal command invocation to use exec.CommandContext for proper cancellation handling.	2025-06-22 10:33:04 +02:00
hakansa	3581648071	[client] Refactor showLoginURL to improve error handling and connection status checks (#4026 ) This PR refactors showLoginURL to improve error handling and connection status checks by delaying the login fetch until user interaction and closing the pop-up if already connected. - Moved s.login(false) call into the click handler to defer network I/O. - Added a conn.Status check after opening the URL to skip reconnection if already connected. - Enhanced error logs for missing verification URLs and service status failures.	2025-06-22 10:03:58 +02:00
Viktor Liu	2a51609436	[client] Handle lazy routing peers that are part of HA groups (#3943 ) * Activate new lazy routing peers if the HA group is active * Prevent lazy peers going to idle if HA group members are active (#3948)	2025-06-20 18:07:19 +02:00
Pascal Fischer	83457f8b99	[management] add transaction for integrated validator groups update and primary account update (#4014 )	2025-06-20 12:13:24 +02:00
Pascal Fischer	b45284f086	[management] export ephemeral peer flag on api (#4004 )	2025-06-19 16:46:56 +02:00
Bethuel Mmbaga	e9016aecea	[management] Add backward compatibility for older clients without firewall rules port range support (#4003 ) Adds backward compatibility for clients with versions prior to v0.48.0 that do not support port range firewall rules. - Skips generation of firewall rules with multi-port ranges for older clients - Preserves support for single-port ranges by treating them as individual port rules, ensuring compatibility with older clients	2025-06-19 13:07:06 +03:00
Viktor Liu	23b5d45b68	[client] Fix port range squashing (#4007 )	2025-06-18 18:56:48 +02:00
Viktor Liu	0e5dc9d412	[client] Add more Android advanced settings (#4001 )	2025-06-18 17:23:23 +02:00
Zoltan Papp	91f7ee6a3c	Fix route notification On Android ignore the dynamic roots in the route notifications	2025-06-18 16:49:03 +02:00
Bethuel Mmbaga	7c6b85b4cb	[management] Refactor routes to use store methods (#2928 )	2025-06-18 16:40:29 +03:00