add debug logs for user state change

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>

.github/ISSUE_TEMPLATE/bug-issue-report.md

@@ -37,21 +37,16 @@ If yes, which one?
 
 **Debug output**
 
-To help us resolve the problem, please attach the following anonymized status output
+To help us resolve the problem, please attach the following debug output
 
   netbird status -dA
 
-Create and upload a debug bundle, and share the returned file key:
-
-  netbird debug for 1m -AS -U
-
-*Uploaded files are automatically deleted after 30 days.*
-
-
-Alternatively, create the file only and attach it here manually:
+As well as the file created by
 
   netbird debug for 1m -AS
 
+  
+We advise reviewing the anonymized output for any remaining personal information.
 
 **Screenshots**
 
@@ -62,10 +57,8 @@ If applicable, add screenshots to help explain your problem.
 Add any other context about the problem here.
 
 **Have you tried these troubleshooting steps?**
-- [ ] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable)
 - [ ] Checked for newer NetBird versions
 - [ ] Searched for similar issues on GitHub (including closed ones)
 - [ ] Restarted the NetBird client
 - [ ] Disabled other VPN software
 - [ ] Checked firewall settings
-

.github/pull_request_template.md

@@ -13,5 +13,3 @@
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
 - [ ] Extended the README / documentation, if necessary
-
-> By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).

.github/workflows/git-town.yml

@@ -0,0 +1,21 @@
+name: Git Town
+
+on:
+  pull_request:
+    branches:
+      - '**'
+
+jobs:
+  git-town:
+    name: Display the branch stack
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: git-town/action@v1
+        with:
+          skip-single-stacks: true

.github/workflows/golang-test-darwin.yml

@@ -0,0 +1,46 @@
+name: "Darwin"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: "Client / Unit"
+    runs-on: macos-latest
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: macos-gotest-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            macos-gotest-
+            macos-go-
+
+      - name: Install libpcap
+        run: brew install libpcap
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} CI=true go test -tags=devcert -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 $(go list ./... | grep -v /management)
+

.github/workflows/golang-test-freebsd.yml

@@ -0,0 +1,52 @@
+name: "FreeBSD"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: "Client / Unit"
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Test in FreeBSD
+        id: test
+        uses: vmactions/freebsd-vm@v1
+        with:
+          usesh: true
+          copyback: false
+          release: "14.2"
+          prepare: |
+            pkg install -y curl pkgconf xorg
+            LATEST_VERSION=$(curl -s https://go.dev/VERSION?m=text|head -n 1)
+            GO_TARBALL="$LATEST_VERSION.freebsd-amd64.tar.gz"
+            GO_URL="https://go.dev/dl/$GO_TARBALL"
+            curl -vLO "$GO_URL"
+            tar -C /usr/local -vxzf "$GO_TARBALL"            
+
+          # -x - to print all executed commands
+          # -e - to faile on first error
+          run: |
+            set -e -x
+            export PATH=$PATH:/usr/local/go/bin:$HOME/go/bin
+            time go build -o netbird client/main.go
+            # check all component except management, since we do not support management server on freebsd
+            time go test -timeout 1m -failfast ./base62/...
+            # NOTE: without -p1 `client/internal/dns` will fail because of `listen udp4 :33100: bind: address already in use`
+            time go test -timeout 8m -failfast -p 1 ./client/...
+            time go test -timeout 1m -failfast ./dns/...
+            time go test -timeout 1m -failfast ./encryption/...
+            time go test -timeout 1m -failfast ./formatter/...
+            time go test -timeout 1m -failfast ./client/iface/...
+            time go test -timeout 1m -failfast ./route/...
+            time go test -timeout 1m -failfast ./sharedsock/...
+            time go test -timeout 1m -failfast ./signal/...
+            time go test -timeout 1m -failfast ./util/...
+            time go test -timeout 1m -failfast ./version/...

.github/workflows/golang-test-linux.yml

@@ -0,0 +1,560 @@
+name: Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  build-cache:
+    name: "Build Cache"
+    runs-on: ubuntu-22.04
+    outputs:
+      management: ${{ steps.filter.outputs.management }}
+    steps:        
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+              management:
+                - 'management/**'
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        id: cache
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+
+      - name: Install dependencies
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
+      - name: Build client
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: client
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build client 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: client
+        run: CGO_ENABLED=1 GOARCH=386 go build -o client-386 .
+
+      - name: Build management
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: management
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build management 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: management
+        run: CGO_ENABLED=1 GOARCH=386 go build -o management-386 .
+
+      - name: Build signal
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: signal
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build signal 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: signal
+        run: CGO_ENABLED=1 GOARCH=386 go build -o signal-386 .
+
+      - name: Build relay
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: relay
+        run: CGO_ENABLED=1 go build .
+
+      - name: Build relay 386
+        if: steps.cache.outputs.cache-hit != 'true'
+        working-directory: relay
+        run: CGO_ENABLED=1 GOARCH=386 go build -o relay-386 .
+
+  test:
+    name: "Client / Unit"
+    needs: [build-cache]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ '386','amd64' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} CI=true go test -tags devcert -exec 'sudo' -timeout 10m -p 1 $(go list ./... | grep -v -e /management -e /signal -e /relay)
+
+  test_client_on_docker:
+    name: "Client (Docker) / Unit"
+    needs: [build-cache]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        id: go-env
+        run: |
+          echo "cache_dir=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "modcache_dir=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        id: cache-restore
+        with:
+          path: |
+            ${{ steps.go-env.outputs.cache_dir }}
+            ${{ steps.go-env.outputs.modcache_dir }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Run tests in container
+        env:
+          HOST_GOCACHE: ${{ steps.go-env.outputs.cache_dir }}
+          HOST_GOMODCACHE: ${{ steps.go-env.outputs.modcache_dir }}
+        run: |
+          CONTAINER_GOCACHE="/root/.cache/go-build"
+          CONTAINER_GOMODCACHE="/go/pkg/mod"
+
+          docker run --rm \
+            --cap-add=NET_ADMIN \
+            --privileged \
+            -v $PWD:/app \
+            -w /app \
+            -v "${HOST_GOCACHE}:${CONTAINER_GOCACHE}" \
+            -v "${HOST_GOMODCACHE}:${CONTAINER_GOMODCACHE}" \
+            -e CGO_ENABLED=1 \
+            -e CI=true \
+            -e DOCKER_CI=true \
+            -e GOARCH=${GOARCH_TARGET} \
+            -e GOCACHE=${CONTAINER_GOCACHE} \
+            -e GOMODCACHE=${CONTAINER_GOMODCACHE} \
+            golang:1.23-alpine \
+            sh -c ' \
+              apk update; apk add --no-cache \
+                ca-certificates iptables ip6tables dbus dbus-dev libpcap-dev build-base; \
+              go test -buildvcs=false -tags devcert -v -timeout 10m -p 1 $(go list -buildvcs=false ./... | grep -v -e /management -e /signal -e /relay -e /client/ui -e /upload-server)
+            '
+
+  test_relay:
+    name: "Relay / Unit"
+    needs: [build-cache]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ '386','amd64' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          go test \
+            -exec 'sudo' \
+            -timeout 10m ./signal/...
+
+  test_signal:
+    name: "Signal / Unit"
+    needs: [build-cache]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ '386','amd64' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          go test \
+            -exec 'sudo' \
+            -timeout 10m ./signal/...
+
+  test_management:
+    name: "Management / Unit"
+    needs: [ build-cache ]
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres', 'mysql' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Login to Docker hub
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8
+
+      - name: Test
+        run: |          
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
+            CI=true \
+          go test -tags=devcert \
+            -exec "sudo --preserve-env=CI,NETBIRD_STORE_ENGINE" \
+            -timeout 20m ./management/...
+
+  benchmark:
+    name: "Management / Benchmark"
+    needs: [ build-cache ]
+    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Login to Docker hub
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
+          CI=true \
+          go test -tags devcert -run=^$ -bench=. \
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
+          -timeout 20m ./management/...
+
+  api_benchmark:
+    name: "Management / Benchmark (API)"
+    needs: [ build-cache ]
+    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres' ]
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Create Docker network
+        run: docker network create promnet
+
+      - name: Start Prometheus Pushgateway
+        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
+
+      - name: Start Prometheus (for Pushgateway forwarding)
+        run: |
+          echo '
+          global:
+            scrape_interval: 15s
+          scrape_configs:
+            - job_name: "pushgateway"
+              static_configs:
+                - targets: ["pushgateway:9091"]
+          remote_write:
+            - url: ${{ secrets.GRAFANA_URL }}
+              basic_auth:
+                username: ${{ secrets.GRAFANA_USER }}
+                password: ${{ secrets.GRAFANA_API_KEY }}
+          ' > prometheus.yml
+
+          docker run -d --name prometheus --network promnet \
+            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
+            -p 9090:9090 \
+            prom/prometheus
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Login to Docker hub
+        if: matrix.store == 'mysql' && (github.repository == github.head.repo.full_name || !github.head_ref)
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: download mysql image
+        if: matrix.store == 'mysql'
+        run: docker pull mlsmaycon/warmed-mysql:8
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
+          CI=true \
+          GIT_BRANCH=${{ github.ref_name }} \
+          go test -tags=benchmark \
+            -run=^$ \
+            -bench=. \
+            -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
+            -timeout 20m ./management/...
+
+  api_integration_test:
+    name: "Management / Integration"
+    needs: [ build-cache ]
+    if: ${{ needs.build-cache.outputs.management == 'true' || github.event_name != 'pull_request' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        arch: [ 'amd64' ]
+        store: [ 'sqlite', 'postgres']
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV     
+
+      - name: Cache Go modules
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-cache-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-cache-
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Test
+        run: |
+          CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
+          NETBIRD_STORE_ENGINE=${{ matrix.store }} \
+          CI=true \
+          go test -tags=integration \
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
+          -timeout 20m ./management/...

.github/workflows/golang-test-windows.yml

@@ -0,0 +1,72 @@
+name: "Windows"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+env:
+  downloadPath: '${{ github.workspace }}\temp'
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    name: "Client / Unit"
+    runs-on: windows-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        id: go
+        with:
+          go-version: "1.23.x"
+          cache: false
+
+      - name: Get Go environment
+        run: |
+          echo "cache=$(go env GOCACHE)" >> $env:GITHUB_ENV
+          echo "modcache=$(go env GOMODCACHE)" >> $env:GITHUB_ENV
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ${{ env.cache }}
+            ${{ env.modcache }}
+          key: ${{ runner.os }}-gotest-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-gotest-
+            ${{ runner.os }}-go-
+
+      - name: Download wintun
+        uses: carlosperate/download-file-action@v2
+        id: download-wintun
+        with:
+          file-url: https://pkgs.netbird.io/wintun/wintun-0.14.1.zip
+          file-name: wintun.zip
+          location: ${{ env.downloadPath }}
+          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+
+      - name: Decompressing wintun files
+        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+
+      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
+
+      - run: choco install -y sysinternals --ignore-checksums
+      - run: choco install -y mingw
+
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
+      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
+
+      - name: test
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"
+      - name: test output
+        if: ${{ always() }}
+        run: Get-Content test-out.txt

.github/workflows/golangci-lint.yml

@@ -0,0 +1,59 @@
+name: Lint
+on: [pull_request]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  codespell:
+    name: codespell
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: codespell
+        uses: codespell-project/actions-codespell@v2
+        with:
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
+          skip: go.mod,go.sum
+          only_warn: 1
+  golangci:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [macos-latest, windows-latest, ubuntu-latest]
+        include:
+          - os: macos-latest
+            display_name: Darwin
+          - os: windows-latest
+            display_name: Windows
+          - os: ubuntu-latest
+            display_name: Linux
+    name: ${{ matrix.display_name }}
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 15
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Check for duplicate constants
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+          cache: false
+      - name: Install dependencies
+        if: matrix.os == 'ubuntu-latest'
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v4
+        with:
+          version: latest
+          args: --timeout=12m --out-format colored-line-number

.github/workflows/install-script-test.yml

@@ -0,0 +1,37 @@
+name: Test installation
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "release_files/install.sh"
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+jobs:
+  test-install-script:
+    strategy:
+      fail-fast: false
+      max-parallel: 2
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        skip_ui_mode: [true, false]
+        install_binary: [true, false]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: run install script
+        env:
+          SKIP_UI_APP: ${{ matrix.skip_ui_mode }}
+          USE_BIN_INSTALL: ${{ matrix.install_binary }}
+          GITHUB_TOKEN: ${{ secrets.RO_API_CALLER_TOKEN }}
+        run: |
+          [ "$SKIP_UI_APP" == "false" ] && export XDG_CURRENT_DESKTOP="none"
+          cat release_files/install.sh | sh -x
+
+      - name: check cli binary
+        run: command -v netbird

.github/workflows/mobile-build-validation.yml

@@ -0,0 +1,67 @@
+name: Mobile
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  android_build:
+    name: "Android / Build"
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+      - name: Setup Android SDK
+        uses: android-actions/setup-android@v3
+        with:
+          cmdline-tools-version: 8512546
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: "11"
+          distribution: "adopt"
+      - name: NDK Cache
+        id: ndk-cache
+        uses: actions/cache@v4
+        with:
+          path: /usr/local/lib/android/sdk/ndk
+          key: ndk-cache-23.1.7779620
+      - name: Setup NDK
+        run: /usr/local/lib/android/sdk/cmdline-tools/7.0/bin/sdkmanager --install "ndk;23.1.7779620"
+      - name: install gomobile
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
+      - name: gomobile init
+        run: gomobile init
+      - name: build android netbird lib
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -o $GITHUB_WORKSPACE/netbird.aar -javapkg=io.netbird.gomobile -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/io.netbird.client/cache/wireguard -X github.com/netbirdio/netbird/version.version=buildtest"  $GITHUB_WORKSPACE/client/android
+        env:
+          CGO_ENABLED: 0
+          ANDROID_NDK_HOME: /usr/local/lib/android/sdk/ndk/23.1.7779620
+  ios_build:
+    name: "iOS / Build"
+    runs-on: macos-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+      - name: install gomobile
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
+      - name: gomobile init
+        run: gomobile init
+      - name: build iOS netbird lib
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -target=ios -bundleid=io.netbird.framework -ldflags="-X github.com/netbirdio/netbird/version.version=buildtest" -o ./NetBirdSDK.xcframework ./client/ios/NetBirdSDK
+        env:
+          CGO_ENABLED: 0

.github/workflows/release.yml

@@ -55,23 +55,16 @@ jobs:
         run: go mod tidy
       - name: check git status
         run: git --no-pager diff --exit-code
-      # - name: Set up QEMU
-      #   uses: docker/setup-qemu-action@v2
-      # - name: Set up Docker Buildx
-      #   uses: docker/setup-buildx-action@v2
-      # - name: Login to Docker hub
-      #   if: github.event_name != 'pull_request'
-      #   uses: docker/login-action@v1
-      #   with:
-      #     username: ${{ secrets.DOCKER_USER }}
-      #     password: ${{ secrets.DOCKER_TOKEN }}
-      # - name: Log in to the GitHub container registry
-      #   if: github.event_name != 'pull_request'
-      #   uses: docker/login-action@v3
-      #   with:
-      #     registry: ghcr.io
-      #     username: ${{ github.actor }}
-      #     password: ${{ secrets.CI_DOCKER_PUSH_GITHUB_TOKEN }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login to Docker hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKER_USER }}
+          password: ${{ secrets.DOCKER_TOKEN }}
       - name: Install OS build dependencies
         run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
 

.github/workflows/sync-main.yml

@@ -0,0 +1,22 @@
+name: sync main
+
+on:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  trigger_sync_main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger main branch sync
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: sync-main.yml
+          repo: ${{ secrets.UPSTREAM_REPO }}
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "sha": "${{ github.sha }}" }'

.github/workflows/sync-tag.yml

@@ -0,0 +1,23 @@
+name: sync tag
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  trigger_sync_tag:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Trigger release tag sync
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: sync-tag.yml
+          ref: main
+          repo: ${{ secrets.UPSTREAM_REPO }}
+          token: ${{ secrets.NC_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref_name }}" }'

.github/workflows/test-infrastructure-files.yml

@@ -0,0 +1,309 @@
+name: Test Infrastructure files
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - 'infrastructure_files/**'
+      - '.github/workflows/test-infrastructure-files.yml'
+      - 'management/cmd/**'
+      - 'signal/cmd/**'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
+  cancel-in-progress: true
+
+jobs:
+  test-docker-compose:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        store: [ 'sqlite', 'postgres', 'mysql' ]
+    services:
+      postgres:
+        image: ${{ (matrix.store == 'postgres') && 'postgres' || '' }}
+        env:
+          POSTGRES_USER: netbird
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: netbird
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+        ports:
+          - 5432:5432
+      mysql:
+        image: ${{ (matrix.store == 'mysql') && 'mysql' || '' }}
+        env:
+          MYSQL_USER: netbird
+          MYSQL_PASSWORD: mysql
+          MYSQL_ROOT_PASSWORD: mysqlroot
+          MYSQL_DATABASE: netbird
+        options: >-
+          --health-cmd "mysqladmin ping --silent"
+          --health-interval 10s
+          --health-timeout 5s
+        ports:
+          - 3306:3306
+    steps:
+      - name: Set Database Connection String
+        run: |
+          if [ "${{ matrix.store }}" == "postgres" ]; then
+            echo "NETBIRD_STORE_ENGINE_POSTGRES_DSN=host=$(hostname -I | awk '{print $1}') user=netbird password=postgres dbname=netbird port=5432" >> $GITHUB_ENV
+          else
+            echo "NETBIRD_STORE_ENGINE_POSTGRES_DSN==" >> $GITHUB_ENV
+          fi
+          if [ "${{ matrix.store }}" == "mysql" ]; then
+            echo "NETBIRD_STORE_ENGINE_MYSQL_DSN=netbird:mysql@tcp($(hostname -I | awk '{print $1}'):3306)/netbird" >> $GITHUB_ENV
+          else
+            echo "NETBIRD_STORE_ENGINE_MYSQL_DSN==" >> $GITHUB_ENV
+          fi
+
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Install curl
+        run: sudo apt-get install -y curl
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "1.23.x"
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: cp setup.env
+        run: cp infrastructure_files/tests/setup.env infrastructure_files/
+
+      - name: run configure
+        working-directory: infrastructure_files
+        run: bash -x configure.sh
+        env:
+          CI_NETBIRD_DOMAIN: localhost
+          CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
+          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
+          CI_NETBIRD_USE_AUTH0: true
+          CI_NETBIRD_MGMT_IDP: "none"
+          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
+          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
+          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: ${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: ${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}
+          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
+
+      - name: check values
+        working-directory: infrastructure_files/artifacts
+        env:
+          CI_NETBIRD_DOMAIN: localhost
+          CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
+          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
+          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
+          CI_NETBIRD_USE_AUTH0: true
+          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
+          CI_NETBIRD_AUTH_AUTHORITY: https://example.eu.auth0.com/
+          CI_NETBIRD_AUTH_JWT_CERTS: https://example.eu.auth0.com/.well-known/jwks.json
+          CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
+          CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
+          CI_NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT: https://example.eu.auth0.com/authorize
+          CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
+          CI_NETBIRD_TOKEN_SOURCE: "idToken"
+          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
+          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
+          CI_NETBIRD_MGMT_IDP: "none"
+          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
+          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
+          CI_NETBIRD_SIGNAL_PORT: 12345
+          CI_NETBIRD_STORE_CONFIG_ENGINE: ${{ matrix.store }}
+          NETBIRD_STORE_ENGINE_POSTGRES_DSN: '${{ env.NETBIRD_STORE_ENGINE_POSTGRES_DSN }}$'
+          NETBIRD_STORE_ENGINE_MYSQL_DSN: '${{ env.NETBIRD_STORE_ENGINE_MYSQL_DSN }}$'
+          CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
+          CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
+
+        run: |
+          set -x
+          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
+          grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
+          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
+          grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
+          grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
+          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
+          grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
+          grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
+          grep $CI_NETBIRD_SIGNAL_PORT docker-compose.yml | grep ':80'
+          grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
+          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
+          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
+          grep -A 3 DeviceAuthorizationFlow management.json | grep -A 1 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep -A 3 DeviceAuthorizationFlow management.json | grep -A 1 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
+          grep Engine management.json  | grep "$CI_NETBIRD_STORE_CONFIG_ENGINE"
+          grep IdpSignKeyRefreshEnabled management.json | grep "$CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH"
+          grep UseIDToken management.json | grep false
+          grep -A 1 IdpManagerConfig management.json | grep ManagerType | grep $CI_NETBIRD_MGMT_IDP
+          grep -A 3 IdpManagerConfig management.json | grep -A 1 ClientConfig | grep Issuer | grep $CI_NETBIRD_AUTH_AUTHORITY
+          grep -A 4 IdpManagerConfig management.json | grep -A 2 ClientConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
+          grep -A 5 IdpManagerConfig management.json | grep -A 3 ClientConfig | grep ClientID | grep $CI_NETBIRD_IDP_MGMT_CLIENT_ID
+          grep -A 6 IdpManagerConfig management.json | grep -A 4 ClientConfig | grep ClientSecret | grep $CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
+          grep -A 7 IdpManagerConfig management.json | grep -A 5 ClientConfig | grep GrantType | grep client_credentials
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Audience | grep $CI_NETBIRD_AUTH_AUDIENCE
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep ClientID | grep $CI_NETBIRD_AUTH_CLIENT_ID
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep ClientSecret | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep AuthorizationEndpoint | grep $CI_NETBIRD_AUTH_PKCE_AUTHORIZATION_ENDPOINT
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
+          grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
+          grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP
+          grep "NETBIRD_STORE_ENGINE_MYSQL_DSN=$NETBIRD_STORE_ENGINE_MYSQL_DSN" docker-compose.yml
+          grep NETBIRD_STORE_ENGINE_POSTGRES_DSN docker-compose.yml | egrep "$NETBIRD_STORE_ENGINE_POSTGRES_DSN"
+          # check relay values
+          grep "NB_EXPOSED_ADDRESS=$CI_NETBIRD_DOMAIN:33445" docker-compose.yml
+          grep "NB_LISTEN_ADDRESS=:33445" docker-compose.yml
+          grep '33445:33445' docker-compose.yml
+          grep -A 10 'relay:' docker-compose.yml | egrep 'NB_AUTH_SECRET=.+$'
+          grep -A 7 Relay management.json | grep "rel://$CI_NETBIRD_DOMAIN:33445"
+          grep -A 7 Relay management.json | egrep '"Secret": ".+"'
+          grep DisablePromptLogin management.json | grep 'true'
+
+      - name: Install modules
+        run: go mod tidy
+
+      - name: check git status
+        run: git --no-pager diff --exit-code
+
+      - name: Build management binary
+        working-directory: management
+        run: CGO_ENABLED=1 go build -o netbird-mgmt main.go
+
+      - name: Build management docker image
+        working-directory: management
+        run: |
+          docker build -t netbirdio/management:latest .
+
+      - name: Build signal binary
+        working-directory: signal
+        run: CGO_ENABLED=0 go build -o netbird-signal main.go
+
+      - name: Build signal docker image
+        working-directory: signal
+        run: |
+          docker build -t netbirdio/signal:latest .
+
+      - name: Build relay binary
+        working-directory: relay
+        run: CGO_ENABLED=0 go build -o netbird-relay main.go
+
+      - name: Build relay docker image
+        working-directory: relay
+        run: |
+          docker build -t netbirdio/relay:latest .
+
+      - name: run docker compose up
+        working-directory: infrastructure_files/artifacts
+        run: |
+          docker compose up -d
+          sleep 5
+          docker compose ps
+          docker compose logs --tail=20
+
+      - name: test running containers
+        run: |
+          count=$(docker compose ps --format json | jq '. | select(.Name | contains("artifacts")) | .State' | grep -c running)
+          test $count -eq 5 || docker compose logs
+        working-directory: infrastructure_files/artifacts
+
+      - name: test geolocation databases
+        working-directory: infrastructure_files/artifacts
+        run: |
+          sleep 30
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City_[0-9]*.mmdb
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames_[0-9]*.db
+
+  test-getting-started-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: run script with Zitadel PostgreSQL
+        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
+
+      - name: test Caddy file gen postgres
+        run: test -f Caddyfile
+
+      - name: test docker-compose file gen postgres
+        run: test -f docker-compose.yml
+
+      - name: test management.json file gen postgres
+        run: test -f management.json
+
+      - name: test turnserver.conf file gen postgres
+        run: |
+          set -x
+          test -f turnserver.conf
+          grep external-ip turnserver.conf
+
+      - name: test zitadel.env file gen postgres
+        run: test -f zitadel.env
+
+      - name: test dashboard.env file gen postgres
+        run: test -f dashboard.env
+
+      - name: test relay.env file gen postgres
+        run: test -f relay.env
+
+      - name: test zdb.env file gen postgres
+        run: test -f zdb.env
+
+      - name: Postgres run cleanup
+        run: |
+          docker compose down --volumes --rmi all
+          rm -rf docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json zdb.env
+
+      - name: run script with Zitadel CockroachDB
+        run: bash -x infrastructure_files/getting-started-with-zitadel.sh
+        env:
+          NETBIRD_DOMAIN: use-ip
+          ZITADEL_DATABASE: cockroach
+
+      - name: test Caddy file gen CockroachDB
+        run: test -f Caddyfile
+
+      - name: test docker-compose file gen CockroachDB
+        run: test -f docker-compose.yml
+
+      - name: test management.json file gen CockroachDB
+        run: test -f management.json
+
+      - name: test turnserver.conf file gen CockroachDB
+        run: |
+          set -x
+          test -f turnserver.conf
+          grep external-ip turnserver.conf
+
+      - name: test zitadel.env file gen CockroachDB
+        run: test -f zitadel.env
+
+      - name: test dashboard.env file gen CockroachDB
+        run: test -f dashboard.env
+
+      - name: test relay.env file gen CockroachDB
+        run: test -f relay.env

.github/workflows/update-docs.yml

@@ -0,0 +1,22 @@
+name: update docs
+
+on:
+  push:
+    tags:
+      - 'v*'
+    paths:
+      - 'management/server/http/api/openapi.yml'
+
+jobs:
+  trigger_docs_api_update:
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Trigger API pages generation
+        uses: benc-uk/workflow-dispatch@v1
+        with:
+          workflow: generate api pages
+          repo: netbirdio/docs
+          ref: "refs/heads/main"
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'

.goreleaser.yaml

@@ -146,541 +146,439 @@ nfpms:
     scripts:
       postinstall: "release_files/post_install.sh"
       preremove: "release_files/pre_remove.sh"
-# dockers:
-#  - image_templates:
-#      - netbirdio/netbird:{{ .Version }}-amd64
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-#    ids:
-#      - netbird
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: client/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/netbird:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-#    ids:
-#      - netbird
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: client/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/netbird:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-#    ids:
-#      - netbird
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: client/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
+dockers:
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-amd64
+    ids:
+      - netbird
+    goarch: amd64
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+    ids:
+      - netbird
+    goarch: arm64
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
 
-#  - image_templates:
-#      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-#    ids:
-#      - netbird
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: client/Dockerfile-rootless
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-#    ids:
-#      - netbird
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: client/Dockerfile-rootless
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/netbird:{{ .Version }}-rootless-arm
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-#    ids:
-#      - netbird
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: client/Dockerfile-rootless
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+    ids:
+      - netbird
+    goarch: amd64
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+    ids:
+      - netbird
+    goarch: arm64
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+    ids:
+      - netbird
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: client/Dockerfile-rootless
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=maintainer=dev@netbird.io"
 
-#  - image_templates:
-#      - netbirdio/relay:{{ .Version }}-amd64
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-#    ids:
-#      - netbird-relay
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: relay/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/relay:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-#    ids:
-#      - netbird-relay
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: relay/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/relay:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-#    ids:
-#      - netbird-relay
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: relay/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/signal:{{ .Version }}-amd64
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-#    ids:
-#      - netbird-signal
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: signal/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/signal:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-#    ids:
-#      - netbird-signal
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: signal/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/signal:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-#    ids:
-#      - netbird-signal
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: signal/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/management:{{ .Version }}-amd64
-#      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-#    ids:
-#      - netbird-mgmt
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: management/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/management:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-#    ids:
-#      - netbird-mgmt
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: management/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/management:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-#    ids:
-#      - netbird-mgmt
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: management/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/management:{{ .Version }}-debug-amd64
-#      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
-#    ids:
-#      - netbird-mgmt
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: management/Dockerfile.debug
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/management:{{ .Version }}-debug-arm64v8
-#      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
-#    ids:
-#      - netbird-mgmt
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: management/Dockerfile.debug
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-amd64
+    ids:
+      - netbird-relay
+    goarch: amd64
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+    ids:
+      - netbird-relay
+    goarch: arm64
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/relay:{{ .Version }}-arm
+    ids:
+      - netbird-relay
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: relay/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-amd64
+    ids:
+      - netbird-signal
+    goarch: amd64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+    ids:
+      - netbird-signal
+    goarch: arm64
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/signal:{{ .Version }}-arm
+    ids:
+      - netbird-signal
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: signal/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-amd64
+    ids:
+      - netbird-mgmt
+    goarch: amd64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+    ids:
+      - netbird-mgmt
+    goarch: arm64
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
 
-#  - image_templates:
-#      - netbirdio/management:{{ .Version }}-debug-arm
-#      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
-#    ids:
-#      - netbird-mgmt
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: management/Dockerfile.debug
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/upload:{{ .Version }}-amd64
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-#    ids:
-#      - netbird-upload
-#    goarch: amd64
-#    use: buildx
-#    dockerfile: upload-server/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/amd64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/upload:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-#    ids:
-#      - netbird-upload
-#    goarch: arm64
-#    use: buildx
-#    dockerfile: upload-server/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm64"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-#  - image_templates:
-#      - netbirdio/upload:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-#    ids:
-#      - netbird-upload
-#    goarch: arm
-#    goarm: 6
-#    use: buildx
-#    dockerfile: upload-server/Dockerfile
-#    build_flag_templates:
-#      - "--platform=linux/arm"
-#      - "--label=org.opencontainers.image.created={{.Date}}"
-#      - "--label=org.opencontainers.image.title={{.ProjectName}}"
-#      - "--label=org.opencontainers.image.version={{.Version}}"
-#      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
-#      - "--label=org.opencontainers.image.source=https://github.com/netbirdio/{{.ProjectName}}"
-#      - "--label=maintainer=dev@netbird.io"
-# docker_manifests:
-#  - name_template: netbirdio/netbird:{{ .Version }}
-#    image_templates:
-#      - netbirdio/netbird:{{ .Version }}-arm64v8
-#      - netbirdio/netbird:{{ .Version }}-arm
-#      - netbirdio/netbird:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/netbird:latest
-#    image_templates:
-#      - netbirdio/netbird:{{ .Version }}-arm64v8
-#      - netbirdio/netbird:{{ .Version }}-arm
-#      - netbirdio/netbird:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/netbird:{{ .Version }}-rootless
-#    image_templates:
-#      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-#      - netbirdio/netbird:{{ .Version }}-rootless-arm
-#      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-#
-#  - name_template: netbirdio/netbird:rootless-latest
-#    image_templates:
-#      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-#      - netbirdio/netbird:{{ .Version }}-rootless-arm
-#      - netbirdio/netbird:{{ .Version }}-rootless-amd64
-#
-#  - name_template: netbirdio/relay:{{ .Version }}
-#    image_templates:
-#      - netbirdio/relay:{{ .Version }}-arm64v8
-#      - netbirdio/relay:{{ .Version }}-arm
-#      - netbirdio/relay:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/relay:latest
-#    image_templates:
-#      - netbirdio/relay:{{ .Version }}-arm64v8
-#      - netbirdio/relay:{{ .Version }}-arm
-#      - netbirdio/relay:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/signal:{{ .Version }}
-#    image_templates:
-#      - netbirdio/signal:{{ .Version }}-arm64v8
-#      - netbirdio/signal:{{ .Version }}-arm
-#      - netbirdio/signal:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/signal:latest
-#    image_templates:
-#      - netbirdio/signal:{{ .Version }}-arm64v8
-#      - netbirdio/signal:{{ .Version }}-arm
-#      - netbirdio/signal:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/management:{{ .Version }}
-#    image_templates:
-#      - netbirdio/management:{{ .Version }}-arm64v8
-#      - netbirdio/management:{{ .Version }}-arm
-#      - netbirdio/management:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/management:latest
-#    image_templates:
-#      - netbirdio/management:{{ .Version }}-arm64v8
-#      - netbirdio/management:{{ .Version }}-arm
-#      - netbirdio/management:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/management:debug-latest
-#    image_templates:
-#      - netbirdio/management:{{ .Version }}-debug-arm64v8
-#      - netbirdio/management:{{ .Version }}-debug-arm
-#      - netbirdio/management:{{ .Version }}-debug-amd64
-#  - name_template: netbirdio/upload:{{ .Version }}
-#    image_templates:
-#      - netbirdio/upload:{{ .Version }}-arm64v8
-#      - netbirdio/upload:{{ .Version }}-arm
-#      - netbirdio/upload:{{ .Version }}-amd64
-#
-#  - name_template: netbirdio/upload:latest
-#    image_templates:
-#      - netbirdio/upload:{{ .Version }}-arm64v8
-#      - netbirdio/upload:{{ .Version }}-arm
-#      - netbirdio/upload:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}
-#    image_templates:
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/netbird:latest
-#    image_templates:
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/netbird:{{ .Version }}-rootless
-#    image_templates:
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-#
-#  - name_template: ghcr.io/netbirdio/netbird:rootless-latest
-#    image_templates:
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm64v8
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-arm
-#      - ghcr.io/netbirdio/netbird:{{ .Version }}-rootless-amd64
-#
-#  - name_template: ghcr.io/netbirdio/relay:{{ .Version }}
-#    image_templates:
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/relay:latest
-#    image_templates:
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/relay:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/signal:{{ .Version }}
-#    image_templates:
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/signal:latest
-#    image_templates:
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/signal:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/management:{{ .Version }}
-#    image_templates:
-#      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/management:latest
-#    image_templates:
-#      - ghcr.io/netbirdio/management:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/management:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/management:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/management:debug-latest
-#    image_templates:
-#      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm64v8
-#      - ghcr.io/netbirdio/management:{{ .Version }}-debug-arm
-#      - ghcr.io/netbirdio/management:{{ .Version }}-debug-amd64
-#
-#  - name_template: ghcr.io/netbirdio/upload:{{ .Version }}
-#    image_templates:
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-#
-#  - name_template: ghcr.io/netbirdio/upload:latest
-#    image_templates:
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-arm64v8
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-arm
-#      - ghcr.io/netbirdio/upload:{{ .Version }}-amd64
-# brews:
-#  - ids:
-#      - default
-#    repository:
-#      owner: netbirdio
-#      name: homebrew-tap
-#      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-#    commit_author:
-#      name: Netbird
-#      email: dev@netbird.io
-#    description: Netbird project.
-#    download_strategy: CurlDownloadStrategy
-#    homepage: https://netbird.io/
-#    license: "BSD3"
-#    test: |
-#      system "#{bin}/{{ .ProjectName	}} version"
+  - image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm
+    ids:
+      - netbird-mgmt
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: management/Dockerfile.debug
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-amd64
+    ids:
+      - netbird-upload
+    goarch: amd64
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/amd64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+    ids:
+      - netbird-upload
+    goarch: arm64
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm64"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+  - image_templates:
+      - netbirdio/upload:{{ .Version }}-arm
+    ids:
+      - netbird-upload
+    goarch: arm
+    goarm: 6
+    use: buildx
+    dockerfile: upload-server/Dockerfile
+    build_flag_templates:
+      - "--platform=linux/arm"
+      - "--label=org.opencontainers.image.created={{.Date}}"
+      - "--label=org.opencontainers.image.title={{.ProjectName}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=org.opencontainers.image.revision={{.FullCommit}}"
+      - "--label=org.opencontainers.image.version={{.Version}}"
+      - "--label=maintainer=dev@netbird.io"
+docker_manifests:
+  - name_template: netbirdio/netbird:{{ .Version }}
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
 
-# uploads:
-#  - name: debian
-#    ids:
-#      - netbird-deb
-#    mode: archive
-#    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
-#    username: dev@wiretrustee.com
-#    method: PUT
+  - name_template: netbirdio/netbird:latest
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-arm64v8
+      - netbirdio/netbird:{{ .Version }}-arm
+      - netbirdio/netbird:{{ .Version }}-amd64
 
-#  - name: yum
-#    ids:
-#      - netbird-rpm
-#    mode: archive
-#    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
-#    username: dev@wiretrustee.com
-#    method: PUT
+  - name_template: netbirdio/netbird:{{ .Version }}-rootless
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: netbirdio/netbird:rootless-latest
+    image_templates:
+      - netbirdio/netbird:{{ .Version }}-rootless-arm64v8
+      - netbirdio/netbird:{{ .Version }}-rootless-arm
+      - netbirdio/netbird:{{ .Version }}-rootless-amd64
+
+  - name_template: netbirdio/relay:{{ .Version }}
+    image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - netbirdio/relay:{{ .Version }}-arm
+      - netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: netbirdio/relay:latest
+    image_templates:
+      - netbirdio/relay:{{ .Version }}-arm64v8
+      - netbirdio/relay:{{ .Version }}-arm
+      - netbirdio/relay:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:{{ .Version }}
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/signal:latest
+    image_templates:
+      - netbirdio/signal:{{ .Version }}-arm64v8
+      - netbirdio/signal:{{ .Version }}-arm
+      - netbirdio/signal:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:{{ .Version }}
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-arm64v8
+      - netbirdio/management:{{ .Version }}-arm
+      - netbirdio/management:{{ .Version }}-amd64
+
+  - name_template: netbirdio/management:debug-latest
+    image_templates:
+      - netbirdio/management:{{ .Version }}-debug-arm64v8
+      - netbirdio/management:{{ .Version }}-debug-arm
+      - netbirdio/management:{{ .Version }}-debug-amd64
+  - name_template: netbirdio/upload:{{ .Version }}
+    image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - netbirdio/upload:{{ .Version }}-arm
+      - netbirdio/upload:{{ .Version }}-amd64
+
+  - name_template: netbirdio/upload:latest
+    image_templates:
+      - netbirdio/upload:{{ .Version }}-arm64v8
+      - netbirdio/upload:{{ .Version }}-arm
+      - netbirdio/upload:{{ .Version }}-amd64
+brews:
+  - ids:
+      - default
+    repository:
+      owner: netbirdio
+      name: homebrew-tap
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    commit_author:
+      name: Netbird
+      email: dev@netbird.io
+    description: Netbird project.
+    download_strategy: CurlDownloadStrategy
+    homepage: https://netbird.io/
+    license: "BSD3"
+    test: |
+      system "#{bin}/{{ .ProjectName	}} version"
+
+uploads:
+  - name: debian
+    ids:
+      - netbird-deb
+    mode: archive
+    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
+    username: dev@wiretrustee.com
+    method: PUT
+
+  - name: yum
+    ids:
+      - netbird-rpm
+    mode: archive
+    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
+    username: dev@wiretrustee.com
+    method: PUT
 
 checksum:
   extra_files:

.goreleaser_ui.yaml

@@ -79,19 +79,19 @@ nfpms:
     dependencies:
       - netbird
 
-# uploads:
-#  - name: debian
-#    ids:
-#      - netbird-ui-deb
-#    mode: archive
-#    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
-#    username: dev@wiretrustee.com
-#    method: PUT
+uploads:
+  - name: debian
+    ids:
+      - netbird-ui-deb
+    mode: archive
+    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
+    username: dev@wiretrustee.com
+    method: PUT
 
-#  - name: yum
-#    ids:
-#      - netbird-ui-rpm
-#    mode: archive
-#    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
-#    username: dev@wiretrustee.com
-#    method: PUT
+  - name: yum
+    ids:
+      - netbird-ui-rpm
+    mode: archive
+    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
+    username: dev@wiretrustee.com
+    method: PUT

README.md

@@ -12,7 +12,7 @@
        <img src="https://img.shields.io/badge/license-BSD--3-blue" />
      </a> 
     <br>
-    <a href="https://docs.netbird.io/slack-url">
+    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">
         <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
      </a>  
      <br>
@@ -29,7 +29,7 @@
   <br/>
   See <a href="https://netbird.io/docs/">Documentation</a>
   <br/>
-   Join our <a href="https://docs.netbird.io/slack-url">Slack channel</a>
+   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-31rofwmxc-27akKd0Le0vyRpBcwXkP0g">Slack channel</a>
   <br/>
  
 </strong>

client/Dockerfile

@@ -1,9 +1,6 @@
 FROM alpine:3.21.3
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache ca-certificates ip6tables iproute2 iptables
-
-ARG NETBIRD_BINARY=netbird
-COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
-
 ENV NB_FOREGROUND_MODE=true
 ENTRYPOINT [ "/usr/local/bin/netbird","up"]
+COPY netbird /usr/local/bin/netbird

client/Dockerfile-rootless

@@ -1,7 +1,6 @@
 FROM alpine:3.21.0
 
-ARG NETBIRD_BINARY=netbird
-COPY ${NETBIRD_BINARY} /usr/local/bin/netbird
+COPY netbird /usr/local/bin/netbird
 
 RUN apk add --no-cache ca-certificates \
     && adduser -D -h /var/lib/netbird netbird

client/android/client.go

@@ -59,8 +59,6 @@ type Client struct {
 	deviceName            string
 	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
-
-	connectClient *internal.ConnectClient
 }
 
 // NewClient instantiate a new Client
@@ -108,8 +106,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -134,8 +132,8 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // Stop the internal client and free the resources
@@ -176,53 +174,6 @@ func (c *Client) PeersList() *PeerInfoArray {
 	return &PeerInfoArray{items: peerInfos}
 }
 
-func (c *Client) Networks() *NetworkArray {
-	if c.connectClient == nil {
-		log.Error("not connected")
-		return nil
-	}
-
-	engine := c.connectClient.Engine()
-	if engine == nil {
-		log.Error("could not get engine")
-		return nil
-	}
-
-	routeManager := engine.GetRouteManager()
-	if routeManager == nil {
-		log.Error("could not get route manager")
-		return nil
-	}
-
-	networkArray := &NetworkArray{
-		items: make([]Network, 0),
-	}
-
-	for id, routes := range routeManager.GetClientRoutesWithNetID() {
-		if len(routes) == 0 {
-			continue
-		}
-
-		if routes[0].IsDynamic() {
-			continue
-		}
-
-		peer, err := c.recorder.GetPeer(routes[0].Peer)
-		if err != nil {
-			log.Errorf("could not get peer info for %s: %v", routes[0].Peer, err)
-			continue
-		}
-		network := Network{
-			Name:    string(id),
-			Network: routes[0].Network.String(),
-			Peer:    peer.FQDN,
-			Status:  peer.ConnStatus.String(),
-		}
-		networkArray.Add(network)
-	}
-	return networkArray
-}
-
 // OnUpdatedHostDNS update the DNS servers addresses for root zones
 func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 	dnsServer, err := dns.GetServerDns()

client/android/networks.go

@@ -1,27 +0,0 @@
-//go:build android
-
-package android
-
-type Network struct {
-	Name    string
-	Network string
-	Peer    string
-	Status  string
-}
-
-type NetworkArray struct {
-	items []Network
-}
-
-func (array *NetworkArray) Add(s Network) *NetworkArray {
-	array.items = append(array.items, s)
-	return array
-}
-
-func (array *NetworkArray) Get(i int) *Network {
-	return &array.items[i]
-}
-
-func (array *NetworkArray) Size() int {
-	return len(array.items)
-}

client/android/peer_notifier.go

@@ -7,23 +7,30 @@ type PeerInfo struct {
 	ConnStatus string // Todo replace to enum
 }
 
-// PeerInfoArray is a wrapper of []PeerInfo
+// PeerInfoCollection made for Java layer to get non default types as collection
+type PeerInfoCollection interface {
+	Add(s string) PeerInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+// PeerInfoArray is the implementation of the PeerInfoCollection
 type PeerInfoArray struct {
 	items []PeerInfo
 }
 
 // Add new PeerInfo to the collection
-func (array *PeerInfoArray) Add(s PeerInfo) *PeerInfoArray {
+func (array PeerInfoArray) Add(s PeerInfo) PeerInfoArray {
 	array.items = append(array.items, s)
 	return array
 }
 
 // Get return an element of the collection
-func (array *PeerInfoArray) Get(i int) *PeerInfo {
+func (array PeerInfoArray) Get(i int) *PeerInfo {
 	return &array.items[i]
 }
 
 // Size return with the size of the collection
-func (array *PeerInfoArray) Size() int {
+func (array PeerInfoArray) Size() int {
 	return len(array.items)
 }

client/android/preferences.go

@@ -4,12 +4,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 )
 
-// Preferences exports a subset of the internal config for gomobile
+// Preferences export a subset of the internal config for gomobile
 type Preferences struct {
 	configInput internal.ConfigInput
 }
 
-// NewPreferences creates a new Preferences instance
+// NewPreferences create new Preferences instance
 func NewPreferences(configPath string) *Preferences {
 	ci := internal.ConfigInput{
 		ConfigPath: configPath,
@@ -17,7 +17,7 @@ func NewPreferences(configPath string) *Preferences {
 	return &Preferences{ci}
 }
 
-// GetManagementURL reads URL from config file
+// GetManagementURL read url from config file
 func (p *Preferences) GetManagementURL() (string, error) {
 	if p.configInput.ManagementURL != "" {
 		return p.configInput.ManagementURL, nil
@@ -30,12 +30,12 @@ func (p *Preferences) GetManagementURL() (string, error) {
 	return cfg.ManagementURL.String(), err
 }
 
-// SetManagementURL stores the given URL and waits for commit
+// SetManagementURL store the given url and wait for commit
 func (p *Preferences) SetManagementURL(url string) {
 	p.configInput.ManagementURL = url
 }
 
-// GetAdminURL reads URL from config file
+// GetAdminURL read url from config file
 func (p *Preferences) GetAdminURL() (string, error) {
 	if p.configInput.AdminURL != "" {
 		return p.configInput.AdminURL, nil
@@ -48,12 +48,12 @@ func (p *Preferences) GetAdminURL() (string, error) {
 	return cfg.AdminURL.String(), err
 }
 
-// SetAdminURL stores the given URL and waits for commit
+// SetAdminURL store the given url and wait for commit
 func (p *Preferences) SetAdminURL(url string) {
 	p.configInput.AdminURL = url
 }
 
-// GetPreSharedKey reads pre-shared key from config file
+// GetPreSharedKey read preshared key from config file
 func (p *Preferences) GetPreSharedKey() (string, error) {
 	if p.configInput.PreSharedKey != nil {
 		return *p.configInput.PreSharedKey, nil
@@ -66,160 +66,12 @@ func (p *Preferences) GetPreSharedKey() (string, error) {
 	return cfg.PreSharedKey, err
 }
 
-// SetPreSharedKey stores the given key and waits for commit
+// SetPreSharedKey store the given key and wait for commit
 func (p *Preferences) SetPreSharedKey(key string) {
 	p.configInput.PreSharedKey = &key
 }
 
-// SetRosenpassEnabled stores whether Rosenpass is enabled
-func (p *Preferences) SetRosenpassEnabled(enabled bool) {
-	p.configInput.RosenpassEnabled = &enabled
-}
-
-// GetRosenpassEnabled reads Rosenpass enabled status from config file
-func (p *Preferences) GetRosenpassEnabled() (bool, error) {
-	if p.configInput.RosenpassEnabled != nil {
-		return *p.configInput.RosenpassEnabled, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.RosenpassEnabled, err
-}
-
-// SetRosenpassPermissive stores the given permissive setting and waits for commit
-func (p *Preferences) SetRosenpassPermissive(permissive bool) {
-	p.configInput.RosenpassPermissive = &permissive
-}
-
-// GetRosenpassPermissive reads Rosenpass permissive setting from config file
-func (p *Preferences) GetRosenpassPermissive() (bool, error) {
-	if p.configInput.RosenpassPermissive != nil {
-		return *p.configInput.RosenpassPermissive, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.RosenpassPermissive, err
-}
-
-// GetDisableClientRoutes reads disable client routes setting from config file
-func (p *Preferences) GetDisableClientRoutes() (bool, error) {
-	if p.configInput.DisableClientRoutes != nil {
-		return *p.configInput.DisableClientRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableClientRoutes, err
-}
-
-// SetDisableClientRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableClientRoutes(disable bool) {
-	p.configInput.DisableClientRoutes = &disable
-}
-
-// GetDisableServerRoutes reads disable server routes setting from config file
-func (p *Preferences) GetDisableServerRoutes() (bool, error) {
-	if p.configInput.DisableServerRoutes != nil {
-		return *p.configInput.DisableServerRoutes, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableServerRoutes, err
-}
-
-// SetDisableServerRoutes stores the given value and waits for commit
-func (p *Preferences) SetDisableServerRoutes(disable bool) {
-	p.configInput.DisableServerRoutes = &disable
-}
-
-// GetDisableDNS reads disable DNS setting from config file
-func (p *Preferences) GetDisableDNS() (bool, error) {
-	if p.configInput.DisableDNS != nil {
-		return *p.configInput.DisableDNS, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableDNS, err
-}
-
-// SetDisableDNS stores the given value and waits for commit
-func (p *Preferences) SetDisableDNS(disable bool) {
-	p.configInput.DisableDNS = &disable
-}
-
-// GetDisableFirewall reads disable firewall setting from config file
-func (p *Preferences) GetDisableFirewall() (bool, error) {
-	if p.configInput.DisableFirewall != nil {
-		return *p.configInput.DisableFirewall, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.DisableFirewall, err
-}
-
-// SetDisableFirewall stores the given value and waits for commit
-func (p *Preferences) SetDisableFirewall(disable bool) {
-	p.configInput.DisableFirewall = &disable
-}
-
-// GetServerSSHAllowed reads server SSH allowed setting from config file
-func (p *Preferences) GetServerSSHAllowed() (bool, error) {
-	if p.configInput.ServerSSHAllowed != nil {
-		return *p.configInput.ServerSSHAllowed, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.ServerSSHAllowed == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.ServerSSHAllowed, err
-}
-
-// SetServerSSHAllowed stores the given value and waits for commit
-func (p *Preferences) SetServerSSHAllowed(allowed bool) {
-	p.configInput.ServerSSHAllowed = &allowed
-}
-
-// GetBlockInbound reads block inbound setting from config file
-func (p *Preferences) GetBlockInbound() (bool, error) {
-	if p.configInput.BlockInbound != nil {
-		return *p.configInput.BlockInbound, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	return cfg.BlockInbound, err
-}
-
-// SetBlockInbound stores the given value and waits for commit
-func (p *Preferences) SetBlockInbound(block bool) {
-	p.configInput.BlockInbound = &block
-}
-
-// Commit writes out the changes to the config file
+// Commit write out the changes into config file
 func (p *Preferences) Commit() error {
 	_, err := internal.UpdateOrCreateConfig(p.configInput)
 	return err

client/anonymize/anonymize.go

@@ -69,22 +69,6 @@ func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
 	return a.ipAnonymizer[ip]
 }
 
-func (a *Anonymizer) AnonymizeUDPAddr(addr net.UDPAddr) net.UDPAddr {
-	// Convert IP to netip.Addr
-	ip, ok := netip.AddrFromSlice(addr.IP)
-	if !ok {
-		return addr
-	}
-
-	anonIP := a.AnonymizeIP(ip)
-
-	return net.UDPAddr{
-		IP:   anonIP.AsSlice(),
-		Port: addr.Port,
-		Zone: addr.Zone,
-	}
-}
-
 // isInAnonymizedRange checks if an IP is within the range of already assigned anonymized IPs
 func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
 	if ip.Is4() && ip.Compare(a.startAnonIPv4) >= 0 && ip.Compare(a.currentAnonIPv4) <= 0 {

client/cmd/debug.go

@@ -235,6 +235,13 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 
+	// Disable network map persistence after creating the debug bundle
+	if _, err := client.SetNetworkMapPersistence(cmd.Context(), &proto.SetNetworkMapPersistenceRequest{
+		Enabled: false,
+	}); err != nil {
+		return fmt.Errorf("failed to disable network map persistence: %v", status.Convert(err).Message())
+	}
+
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			return fmt.Errorf("failed to down: %v", status.Convert(err).Message())

client/cmd/login.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"runtime"
 	"strings"
 	"time"
 
@@ -99,11 +98,11 @@ var loginCmd = &cobra.Command{
 		}
 
 		loginRequest := proto.LoginRequest{
-			SetupKey:            providedSetupKey,
-			ManagementUrl:       managementURL,
-			IsUnixDesktopClient: isUnixRunningDesktop(),
-			Hostname:            hostName,
-			DnsLabels:           dnsLabelsReq,
+			SetupKey:             providedSetupKey,
+			ManagementUrl:        managementURL,
+			IsLinuxDesktopClient: isLinuxRunningDesktop(),
+			Hostname:             hostName,
+			DnsLabels:            dnsLabelsReq,
 		}
 
 		if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -196,7 +195,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 }
 
 func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*auth.TokenInfo, error) {
-	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isUnixRunningDesktop())
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, config, isLinuxRunningDesktop())
 	if err != nil {
 		return nil, err
 	}
@@ -244,10 +243,7 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	}
 }
 
-// isUnixRunningDesktop checks if a Linux OS is running desktop environment
-func isUnixRunningDesktop() bool {
-	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {
-		return false
-	}
+// isLinuxRunningDesktop checks if a Linux OS is running desktop environment
+func isLinuxRunningDesktop() bool {
 	return os.Getenv("DESKTOP_SESSION") != "" || os.Getenv("XDG_CURRENT_DESKTOP") != ""
 }

client/cmd/root.go

@@ -26,22 +26,23 @@ import (
 )
 
 const (
-	externalIPMapFlag        = "external-ip-map"
-	dnsResolverAddress       = "dns-resolver-address"
-	enableRosenpassFlag      = "enable-rosenpass"
-	rosenpassPermissiveFlag  = "rosenpass-permissive"
-	preSharedKeyFlag         = "preshared-key"
-	interfaceNameFlag        = "interface-name"
-	wireguardPortFlag        = "wireguard-port"
-	networkMonitorFlag       = "network-monitor"
-	disableAutoConnectFlag   = "disable-auto-connect"
-	serverSSHAllowedFlag     = "allow-server-ssh"
-	extraIFaceBlackListFlag  = "extra-iface-blacklist"
-	dnsRouteIntervalFlag     = "dns-router-interval"
-	systemInfoFlag           = "system-info"
-	enableLazyConnectionFlag = "enable-lazy-connection"
-	uploadBundle             = "upload-bundle"
-	uploadBundleURL          = "upload-bundle-url"
+	externalIPMapFlag       = "external-ip-map"
+	dnsResolverAddress      = "dns-resolver-address"
+	enableRosenpassFlag     = "enable-rosenpass"
+	rosenpassPermissiveFlag = "rosenpass-permissive"
+	preSharedKeyFlag        = "preshared-key"
+	interfaceNameFlag       = "interface-name"
+	wireguardPortFlag       = "wireguard-port"
+	networkMonitorFlag      = "network-monitor"
+	disableAutoConnectFlag  = "disable-auto-connect"
+	serverSSHAllowedFlag    = "allow-server-ssh"
+	extraIFaceBlackListFlag = "extra-iface-blacklist"
+	dnsRouteIntervalFlag    = "dns-router-interval"
+	systemInfoFlag          = "system-info"
+	blockLANAccessFlag      = "block-lan-access"
+	uploadBundle            = "upload-bundle"
+	uploadBundleURL         = "upload-bundle-url"
+	defaultBundleURL        = "https://upload.debug.netbird.io" + types.GetURLPath
 )
 
 var (
@@ -77,9 +78,9 @@ var (
 	anonymizeFlag           bool
 	debugSystemInfoFlag     bool
 	dnsRouteInterval        time.Duration
+	blockLANAccess          bool
 	debugUploadBundle       bool
 	debugUploadBundleURL    string
-	lazyConnEnabled         bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -184,11 +185,10 @@ func init() {
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
 	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
-	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand.")
 
 	debugCmd.PersistentFlags().BoolVarP(&debugSystemInfoFlag, systemInfoFlag, "S", true, "Adds system information to the debug bundle")
 	debugCmd.PersistentFlags().BoolVarP(&debugUploadBundle, uploadBundle, "U", false, fmt.Sprintf("Uploads the debug bundle to a server from URL defined by %s", uploadBundleURL))
-	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
+	debugCmd.PersistentFlags().StringVar(&debugUploadBundleURL, uploadBundleURL, defaultBundleURL, "Service URL to get an URL to upload the debug bundle")
 }
 
 // SetupCloseHandler handles SIGTERM signal and exits with success

client/cmd/service.go

@@ -2,7 +2,6 @@ package cmd
 
 import (
 	"context"
-	"runtime"
 	"sync"
 
 	"github.com/kardianos/service"
@@ -28,19 +27,12 @@ func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
 }
 
 func newSVCConfig() *service.Config {
-	config := &service.Config{
+	return &service.Config{
 		Name:        serviceName,
 		DisplayName: "Netbird",
-		Description: "Netbird mesh network client",
+		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
 		Option:      make(service.KeyValue),
-		EnvVars:     make(map[string]string),
 	}
-
-	if runtime.GOOS == "linux" {
-		config.EnvVars["SYSTEMD_UNIT"] = serviceName
-	}
-
-	return config
 }
 
 func newSVC(prg *program, conf *service.Config) (service.Service, error) {

client/cmd/service_installer.go

@@ -39,7 +39,7 @@ var installCmd = &cobra.Command{
 			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url", managementURL)
 		}
 
-		if logFile != "" {
+		if logFile != "console" {
 			svcConfig.Arguments = append(svcConfig.Arguments, "--log-file", logFile)
 		}
 

client/cmd/status.go

@@ -44,7 +44,7 @@ func init() {
 	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
 	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
 	statusCmd.PersistentFlags().StringSliceVar(&prefixNamesFilter, "filter-by-names", []string{}, "filters the detailed output by a list of one or more peer FQDN or hostnames, e.g., --filter-by-names peer-a,peer-b.netbird.cloud")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(idle|connecting|connected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g., --filter-by-status connected")
 }
 
 func statusFunc(cmd *cobra.Command, args []string) error {
@@ -69,10 +69,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	status := resp.GetStatus()
-
-	if status == string(internal.StatusNeedsLogin) || status == string(internal.StatusLoginFailed) ||
-		status == string(internal.StatusSessionExpired) {
+	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
 		cmd.Printf("Daemon status: %s\n\n"+
 			"Run UP command to log in with SSO (interactive login):\n\n"+
 			" netbird up \n\n"+
@@ -130,12 +127,12 @@ func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 
 func parseFilters() error {
 	switch strings.ToLower(statusFilter) {
-	case "", "idle", "connecting", "connected":
+	case "", "disconnected", "connected":
 		if strings.ToLower(statusFilter) != "" {
 			enableDetailFlagWhenFilterFlag()
 		}
 	default:
-		return fmt.Errorf("wrong status filter, should be one of connected|connecting|idle, got: %s", statusFilter)
+		return fmt.Errorf("wrong status filter, should be one of connected|disconnected, got: %s", statusFilter)
 	}
 
 	if len(ipsFilter) > 0 {

client/cmd/system.go

@@ -6,8 +6,6 @@ const (
 	disableServerRoutesFlag = "disable-server-routes"
 	disableDNSFlag          = "disable-dns"
 	disableFirewallFlag     = "disable-firewall"
-	blockLANAccessFlag      = "block-lan-access"
-	blockInboundFlag        = "block-inbound"
 )
 
 var (
@@ -15,8 +13,6 @@ var (
 	disableServerRoutes bool
 	disableDNS          bool
 	disableFirewall     bool
-	blockLANAccess      bool
-	blockInbound        bool
 )
 
 func init() {
@@ -32,11 +28,4 @@ func init() {
 
 	upCmd.PersistentFlags().BoolVar(&disableFirewall, disableFirewallFlag, false,
 		"Disable firewall configuration. If enabled, the client won't modify firewall rules.")
-
-	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false,
-		"Block access to local networks (LAN) when using this peer as a router or exit node")
-
-	upCmd.PersistentFlags().BoolVar(&blockInbound, blockInboundFlag, false,
-		"Block inbound connections. If enabled, the client will not allow any inbound connections to the local machine nor routed networks.\n"+
-			"This overrides any policies received from the management service.")
 }

client/cmd/trace.go

@@ -17,7 +17,7 @@ var traceCmd = &cobra.Command{
 	Example: `
   netbird debug trace in 192.168.1.10 10.10.0.2 -p tcp --sport 12345 --dport 443 --syn --ack
   netbird debug trace out 10.10.0.1 8.8.8.8 -p udp  --dport 53
-  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --icmp-type 8 --icmp-code 0
+  netbird debug trace in 10.10.0.2 10.10.0.1 -p icmp --type 8 --code 0
   netbird debug trace in 100.64.1.1 self -p tcp --dport 80`,
 	Args: cobra.ExactArgs(3),
 	RunE: tracePacket,
@@ -118,7 +118,7 @@ func tracePacket(cmd *cobra.Command, args []string) error {
 }
 
 func printTrace(cmd *cobra.Command, src, dst, proto string, sport, dport uint16, resp *proto.TracePacketResponse) {
-	cmd.Printf("Packet trace %s:%d → %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
+	cmd.Printf("Packet trace %s:%d -> %s:%d (%s)\n\n", src, sport, dst, dport, strings.ToUpper(proto))
 
 	for _, stage := range resp.Stages {
 		if stage.ForwardingDetails != nil {

client/cmd/up.go

@@ -55,11 +55,12 @@ func init() {
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
-		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
+		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
 	)
 	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 	upCmd.PersistentFlags().DurationVar(&dnsRouteInterval, dnsRouteIntervalFlag, time.Minute, "DNS route update interval")
+	upCmd.PersistentFlags().BoolVar(&blockLANAccess, blockLANAccessFlag, false, "Block access to local networks (LAN) when using this peer as a router or exit node")
 
 	upCmd.PersistentFlags().StringSliceVar(&dnsLabels, dnsLabelsFlag, nil,
 		`Sets DNS labels`+
@@ -118,9 +119,79 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	ic, err := setupConfig(customDNSAddressConverted, cmd)
-	if err != nil {
-		return fmt.Errorf("setup config: %v", err)
+	ic := internal.ConfigInput{
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+		DNSLabels:           dnsLabelsValidated,
+	}
+
+	if cmd.Flag(enableRosenpassFlag).Changed {
+		ic.RosenpassEnabled = &rosenpassEnabled
+	}
+
+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		ic.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		ic.ServerSSHAllowed = &serverSSHAllowed
+	}
+
+	if cmd.Flag(interfaceNameFlag).Changed {
+		if err := parseInterfaceName(interfaceName); err != nil {
+			return err
+		}
+		ic.InterfaceName = &interfaceName
+	}
+
+	if cmd.Flag(wireguardPortFlag).Changed {
+		p := int(wireguardPort)
+		ic.WireguardPort = &p
+	}
+
+	if cmd.Flag(networkMonitorFlag).Changed {
+		ic.NetworkMonitor = &networkMonitor
+	}
+
+	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
+		ic.PreSharedKey = &preSharedKey
+	}
+
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		ic.DisableAutoConnect = &autoConnectDisabled
+
+		if autoConnectDisabled {
+			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
+		}
+
+		if !autoConnectDisabled {
+			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
+		}
+	}
+
+	if cmd.Flag(dnsRouteIntervalFlag).Changed {
+		ic.DNSRouteInterval = &dnsRouteInterval
+	}
+
+	if cmd.Flag(disableClientRoutesFlag).Changed {
+		ic.DisableClientRoutes = &disableClientRoutes
+	}
+	if cmd.Flag(disableServerRoutesFlag).Changed {
+		ic.DisableServerRoutes = &disableServerRoutes
+	}
+	if cmd.Flag(disableDNSFlag).Changed {
+		ic.DisableDNS = &disableDNS
+	}
+	if cmd.Flag(disableFirewallFlag).Changed {
+		ic.DisableFirewall = &disableFirewall
+	}
+
+	if cmd.Flag(blockLANAccessFlag).Changed {
+		ic.BlockLANAccess = &blockLANAccess
 	}
 
 	providedSetupKey, err := getSetupKey()
@@ -128,7 +199,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		return err
 	}
 
-	config, err := internal.UpdateOrCreateConfig(*ic)
+	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
 	}
@@ -187,153 +258,21 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 
 	providedSetupKey, err := getSetupKey()
 	if err != nil {
-		return fmt.Errorf("get setup key: %v", err)
+		return err
 	}
 
-	loginRequest, err := setupLoginRequest(providedSetupKey, customDNSAddressConverted, cmd)
-	if err != nil {
-		return fmt.Errorf("setup login request: %v", err)
-	}
-
-	var loginErr error
-	var loginResp *proto.LoginResponse
-
-	err = WithBackOff(func() error {
-		var backOffErr error
-		loginResp, backOffErr = client.Login(ctx, loginRequest)
-		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
-			s.Code() == codes.PermissionDenied ||
-			s.Code() == codes.NotFound ||
-			s.Code() == codes.Unimplemented) {
-			loginErr = backOffErr
-			return nil
-		}
-		return backOffErr
-	})
-	if err != nil {
-		return fmt.Errorf("login backoff cycle failed: %v", err)
-	}
-
-	if loginErr != nil {
-		return fmt.Errorf("login failed: %v", loginErr)
-	}
-
-	if loginResp.NeedsSSOLogin {
-
-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
-
-		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
-		if err != nil {
-			return fmt.Errorf("waiting sso login failed with: %v", err)
-		}
-	}
-
-	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("call service up method: %v", err)
-	}
-	cmd.Println("Connected")
-	return nil
-}
-
-func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command) (*internal.ConfigInput, error) {
-	ic := internal.ConfigInput{
-		ManagementURL:       managementURL,
-		AdminURL:            adminURL,
-		ConfigPath:          configPath,
-		NATExternalIPs:      natExternalIPs,
-		CustomDNSAddress:    customDNSAddressConverted,
-		ExtraIFaceBlackList: extraIFaceBlackList,
-		DNSLabels:           dnsLabelsValidated,
-	}
-
-	if cmd.Flag(enableRosenpassFlag).Changed {
-		ic.RosenpassEnabled = &rosenpassEnabled
-	}
-
-	if cmd.Flag(rosenpassPermissiveFlag).Changed {
-		ic.RosenpassPermissive = &rosenpassPermissive
-	}
-
-	if cmd.Flag(serverSSHAllowedFlag).Changed {
-		ic.ServerSSHAllowed = &serverSSHAllowed
-	}
-
-	if cmd.Flag(interfaceNameFlag).Changed {
-		if err := parseInterfaceName(interfaceName); err != nil {
-			return nil, err
-		}
-		ic.InterfaceName = &interfaceName
-	}
-
-	if cmd.Flag(wireguardPortFlag).Changed {
-		p := int(wireguardPort)
-		ic.WireguardPort = &p
-	}
-
-	if cmd.Flag(networkMonitorFlag).Changed {
-		ic.NetworkMonitor = &networkMonitor
-	}
-
-	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	if cmd.Flag(disableAutoConnectFlag).Changed {
-		ic.DisableAutoConnect = &autoConnectDisabled
-
-		if autoConnectDisabled {
-			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
-		}
-
-		if !autoConnectDisabled {
-			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
-		}
-	}
-
-	if cmd.Flag(dnsRouteIntervalFlag).Changed {
-		ic.DNSRouteInterval = &dnsRouteInterval
-	}
-
-	if cmd.Flag(disableClientRoutesFlag).Changed {
-		ic.DisableClientRoutes = &disableClientRoutes
-	}
-	if cmd.Flag(disableServerRoutesFlag).Changed {
-		ic.DisableServerRoutes = &disableServerRoutes
-	}
-	if cmd.Flag(disableDNSFlag).Changed {
-		ic.DisableDNS = &disableDNS
-	}
-	if cmd.Flag(disableFirewallFlag).Changed {
-		ic.DisableFirewall = &disableFirewall
-	}
-
-	if cmd.Flag(blockLANAccessFlag).Changed {
-		ic.BlockLANAccess = &blockLANAccess
-	}
-
-	if cmd.Flag(blockInboundFlag).Changed {
-		ic.BlockInbound = &blockInbound
-	}
-
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		ic.LazyConnectionEnabled = &lazyConnEnabled
-	}
-	return &ic, nil
-}
-
-func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte, cmd *cobra.Command) (*proto.LoginRequest, error) {
 	loginRequest := proto.LoginRequest{
-		SetupKey:            providedSetupKey,
-		ManagementUrl:       managementURL,
-		AdminURL:            adminURL,
-		NatExternalIPs:      natExternalIPs,
-		CleanNATExternalIPs: natExternalIPs != nil && len(natExternalIPs) == 0,
-		CustomDNSAddress:    customDNSAddressConverted,
-		IsUnixDesktopClient: isUnixRunningDesktop(),
-		Hostname:            hostName,
-		ExtraIFaceBlacklist: extraIFaceBlackList,
-		DnsLabels:           dnsLabels,
-		CleanDNSLabels:      dnsLabels != nil && len(dnsLabels) == 0,
+		SetupKey:             providedSetupKey,
+		ManagementUrl:        managementURL,
+		AdminURL:             adminURL,
+		NatExternalIPs:       natExternalIPs,
+		CleanNATExternalIPs:  natExternalIPs != nil && len(natExternalIPs) == 0,
+		CustomDNSAddress:     customDNSAddressConverted,
+		IsLinuxDesktopClient: isLinuxRunningDesktop(),
+		Hostname:             hostName,
+		ExtraIFaceBlacklist:  extraIFaceBlackList,
+		DnsLabels:            dnsLabels,
+		CleanDNSLabels:       dnsLabels != nil && len(dnsLabels) == 0,
 	}
 
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -358,7 +297,7 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
-			return nil, err
+			return err
 		}
 		loginRequest.InterfaceName = &interfaceName
 	}
@@ -393,14 +332,45 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.BlockLanAccess = &blockLANAccess
 	}
 
-	if cmd.Flag(blockInboundFlag).Changed {
-		loginRequest.BlockInbound = &blockInbound
+	var loginErr error
+
+	var loginResp *proto.LoginResponse
+
+	err = WithBackOff(func() error {
+		var backOffErr error
+		loginResp, backOffErr = client.Login(ctx, &loginRequest)
+		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+			s.Code() == codes.PermissionDenied ||
+			s.Code() == codes.NotFound ||
+			s.Code() == codes.Unimplemented) {
+			loginErr = backOffErr
+			return nil
+		}
+		return backOffErr
+	})
+	if err != nil {
+		return fmt.Errorf("login backoff cycle failed: %v", err)
 	}
 
-	if cmd.Flag(enableLazyConnectionFlag).Changed {
-		loginRequest.LazyConnectionEnabled = &lazyConnEnabled
+	if loginErr != nil {
+		return fmt.Errorf("login failed: %v", loginErr)
 	}
-	return &loginRequest, nil
+
+	if loginResp.NeedsSSOLogin {
+
+		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode, noBrowser)
+
+		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode, Hostname: hostName})
+		if err != nil {
+			return fmt.Errorf("waiting sso login failed with: %v", err)
+		}
+	}
+
+	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+		return fmt.Errorf("call service up method: %v", err)
+	}
+	cmd.Println("Connected")
+	return nil
 }
 
 func validateNATExternalIPs(list []string) error {

client/firewall/iptables/manager_linux.go

@@ -147,10 +147,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return true
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -202,7 +198,7 @@ func (m *Manager) AllowNetbird() error {
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
-		firewall.ProtocolALL,
+		"all",
 		nil,
 		nil,
 		firewall.ActionAccept,
@@ -223,16 +219,10 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
-		return fmt.Errorf("enable IP forwarding: %w", err)
-	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
-		return fmt.Errorf("disable IP forwarding: %w", err)
-	}
 	return nil
 }
 

client/firewall/iptables/manager_linux_test.go

@@ -2,7 +2,7 @@ package iptables
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 	"testing"
 	"time"
 
@@ -19,8 +19,11 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP:      netip.MustParseAddr("10.20.0.1"),
-			Network: netip.MustParsePrefix("10.20.0.0/24"),
+			IP: net.ParseIP("10.20.0.1"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("10.20.0.0"),
+				Mask: net.IPv4Mask(255, 255, 255, 0),
+			},
 		}
 	},
 }
@@ -67,12 +70,12 @@ func TestIptablesManager(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
 			IsRange: true,
 			Values:  []uint16{8043, 8046},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "")
+		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		for _, r := range rule2 {
@@ -92,9 +95,9 @@ func TestIptablesManager(t *testing.T) {
 
 	t.Run("reset check", func(t *testing.T) {
 		// add second rule
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{Values: []uint16{5353}}
-		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "udp", nil, port, fw.ActionAccept, "")
+		_, err = manager.AddPeerFiltering(nil, ip, "udp", nil, port, fw.ActionAccept, "")
 		require.NoError(t, err, "failed to add rule")
 
 		err = manager.Close(nil)
@@ -116,8 +119,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -138,11 +144,11 @@ func TestIptablesManagerIPSet(t *testing.T) {
 
 	var rule2 []fw.Rule
 	t.Run("add second rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
+		ip := net.ParseIP("10.20.0.3")
 		port := &fw.Port{
 			Values: []uint16{443},
 		}
-		rule2, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", port, nil, fw.ActionAccept, "default")
+		rule2, err = manager.AddPeerFiltering(nil, ip, "tcp", port, nil, fw.ActionAccept, "default")
 		for _, r := range rule2 {
 			require.NoError(t, err, "failed to add rule")
 			require.Equal(t, r.(*Rule).ipsetName, "default-sport", "ipset name must be set")
@@ -180,8 +186,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("10.20.0.1"),
-				Network: netip.MustParsePrefix("10.20.0.0/24"),
+				IP: net.ParseIP("10.20.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("10.20.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -203,11 +212,11 @@ func TestIptablesCreatePerformance(t *testing.T) {
 
 			require.NoError(t, err)
 
-			ip := netip.MustParseAddr("10.20.0.100")
+			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
 
 				require.NoError(t, err, "failed to add rule")
 			}

client/firewall/iptables/router_linux.go

@@ -248,6 +248,10 @@ func (r *router) deleteIpSet(setName string) error {
 
 // AddNatRule inserts an iptables rule pair into the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return err
+	}
+
 	if r.legacyManagement {
 		log.Warnf("This peer is connected to a NetBird Management service with an older version. Allowing all traffic for %s", pair.Destination)
 		if err := r.addLegacyRouteRule(pair); err != nil {
@@ -274,6 +278,10 @@ func (r *router) AddNatRule(pair firewall.RouterPair) error {
 
 // RemoveNatRule removes an iptables rule pair from forwarding and nat chains
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
+
 	if pair.Masquerade {
 		if err := r.removeNatRule(pair); err != nil {
 			return fmt.Errorf("remove nat rule: %w", err)

client/firewall/manager/firewall.go

@@ -116,8 +116,6 @@ type Manager interface {
 	// IsServerRouteSupported returns true if the firewall supports server side routing operations
 	IsServerRouteSupported() bool
 
-	IsStateful() bool
-
 	AddRouteFiltering(
 		id []byte,
 		sources []netip.Prefix,

client/firewall/nftables/manager_linux.go

@@ -170,10 +170,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return true
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
@@ -328,16 +324,10 @@ func (m *Manager) SetLogLevel(log.Level) {
 }
 
 func (m *Manager) EnableRouting() error {
-	if err := m.router.ipFwdState.RequestForwarding(); err != nil {
-		return fmt.Errorf("enable IP forwarding: %w", err)
-	}
 	return nil
 }
 
 func (m *Manager) DisableRouting() error {
-	if err := m.router.ipFwdState.ReleaseForwarding(); err != nil {
-		return fmt.Errorf("disable IP forwarding: %w", err)
-	}
 	return nil
 }
 

client/firewall/nftables/manager_linux_test.go

@@ -3,6 +3,7 @@ package nftables
 import (
 	"bytes"
 	"fmt"
+	"net"
 	"net/netip"
 	"os/exec"
 	"testing"
@@ -24,8 +25,11 @@ var ifaceMock = &iFaceMock{
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
-			IP:      netip.MustParseAddr("100.96.0.1"),
-			Network: netip.MustParsePrefix("100.96.0.0/16"),
+			IP: net.ParseIP("100.96.0.1"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("100.96.0.0"),
+				Mask: net.IPv4Mask(255, 255, 255, 0),
+			},
 		}
 	},
 }
@@ -66,11 +70,11 @@ func TestNftablesManager(t *testing.T) {
 		time.Sleep(time.Second)
 	}()
 
-	ip := netip.MustParseAddr("100.96.0.1").Unmap()
+	ip := net.ParseIP("100.96.0.1")
 
 	testClient := &nftables.Conn{}
 
-	rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
+	rule, err := manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{53}}, fw.ActionDrop, "")
 	require.NoError(t, err, "failed to add rule")
 
 	err = manager.Flush()
@@ -105,6 +109,8 @@ func TestNftablesManager(t *testing.T) {
 	}
 	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
 
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
 	expectedExprs2 := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
@@ -126,7 +132,7 @@ func TestNftablesManager(t *testing.T) {
 		&expr.Cmp{
 			Op:       expr.CmpOpEq,
 			Register: 1,
-			Data:     ip.AsSlice(),
+			Data:     add.AsSlice(),
 		},
 		&expr.Payload{
 			DestRegister: 1,
@@ -167,8 +173,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.96.0.1"),
-				Network: netip.MustParsePrefix("100.96.0.0/16"),
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
 			}
 		},
 	}
@@ -188,11 +197,11 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 				time.Sleep(time.Second)
 			}()
 
-			ip := netip.MustParseAddr("10.20.0.100")
+			ip := net.ParseIP("10.20.0.100")
 			start := time.Now()
 			for i := 0; i < testMax; i++ {
 				port := &fw.Port{Values: []uint16{uint16(1000 + i)}}
-				_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "")
+				_, err = manager.AddPeerFiltering(nil, ip, "tcp", nil, port, fw.ActionAccept, "")
 				require.NoError(t, err, "failed to add rule")
 
 				if i%100 == 0 {
@@ -273,8 +282,8 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 		verifyIptablesOutput(t, stdout, stderr)
 	})
 
-	ip := netip.MustParseAddr("100.96.0.1")
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
+	ip := net.ParseIP("100.96.0.1")
+	_, err = manager.AddPeerFiltering(nil, ip, fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "")
 	require.NoError(t, err, "failed to add peer filtering rule")
 
 	_, err = manager.AddRouteFiltering(

client/firewall/nftables/router_linux.go

@@ -573,6 +573,10 @@ func (r *router) deleteNftRule(rule *nftables.Rule, ruleKey string) error {
 
 // AddNatRule appends a nftables rule pair to the nat chain
 func (r *router) AddNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.RequestForwarding(); err != nil {
+		return err
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}
@@ -1002,6 +1006,10 @@ func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error
 
 // RemoveNatRule removes the prerouting mark rule
 func (r *router) RemoveNatRule(pair firewall.RouterPair) error {
+	if err := r.ipFwdState.ReleaseForwarding(); err != nil {
+		log.Errorf("%v", err)
+	}
+
 	if err := r.refreshRulesMap(); err != nil {
 		return fmt.Errorf(refreshRulesMapError, err)
 	}

client/firewall/uspfilter/conntrack/common.go

@@ -62,5 +62,5 @@ type ConnKey struct {
 }
 
 func (c ConnKey) String() string {
-	return fmt.Sprintf("%s:%d → %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", c.SrcIP.Unmap(), c.SrcPort, c.DstIP.Unmap(), c.DstPort)
 }

client/firewall/uspfilter/conntrack/icmp.go

@@ -3,7 +3,6 @@ package conntrack
 import (
 	"context"
 	"fmt"
-	"net"
 	"net/netip"
 	"sync"
 	"time"
@@ -20,10 +19,6 @@ const (
 	DefaultICMPTimeout = 30 * time.Second
 	// ICMPCleanupInterval is how often we check for stale ICMP connections
 	ICMPCleanupInterval = 15 * time.Second
-
-	// MaxICMPPayloadLength is the maximum length of ICMP payload we consider for original packet info,
-	// which includes the IP header (20 bytes) and transport header (8 bytes)
-	MaxICMPPayloadLength = 28
 )
 
 // ICMPConnKey uniquely identifies an ICMP connection
@@ -34,7 +29,7 @@ type ICMPConnKey struct {
 }
 
 func (i ICMPConnKey) String() string {
-	return fmt.Sprintf("%s → %s (id %d)", i.SrcIP, i.DstIP, i.ID)
+	return fmt.Sprintf("%s -> %s (id %d)", i.SrcIP, i.DstIP, i.ID)
 }
 
 // ICMPConnTrack represents an ICMP connection state
@@ -55,72 +50,6 @@ type ICMPTracker struct {
 	flowLogger    nftypes.FlowLogger
 }
 
-// ICMPInfo holds ICMP type, code, and payload for lazy string formatting in logs
-type ICMPInfo struct {
-	TypeCode    layers.ICMPv4TypeCode
-	PayloadData [MaxICMPPayloadLength]byte
-	// actual length of valid data
-	PayloadLen int
-}
-
-// String implements fmt.Stringer for lazy evaluation in log messages
-func (info ICMPInfo) String() string {
-	if info.isErrorMessage() && info.PayloadLen >= MaxICMPPayloadLength {
-		if origInfo := info.parseOriginalPacket(); origInfo != "" {
-			return fmt.Sprintf("%s (original: %s)", info.TypeCode, origInfo)
-		}
-	}
-
-	return info.TypeCode.String()
-}
-
-// isErrorMessage returns true if this ICMP type carries original packet info
-func (info ICMPInfo) isErrorMessage() bool {
-	typ := info.TypeCode.Type()
-	return typ == 3 || // Destination Unreachable
-		typ == 5 || // Redirect
-		typ == 11 || // Time Exceeded
-		typ == 12 // Parameter Problem
-}
-
-// parseOriginalPacket extracts info about the original packet from ICMP payload
-func (info ICMPInfo) parseOriginalPacket() string {
-	if info.PayloadLen < MaxICMPPayloadLength {
-		return ""
-	}
-
-	// TODO: handle IPv6
-	if version := (info.PayloadData[0] >> 4) & 0xF; version != 4 {
-		return ""
-	}
-
-	protocol := info.PayloadData[9]
-	srcIP := net.IP(info.PayloadData[12:16])
-	dstIP := net.IP(info.PayloadData[16:20])
-
-	transportData := info.PayloadData[20:]
-
-	switch nftypes.Protocol(protocol) {
-	case nftypes.TCP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("TCP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.UDP:
-		srcPort := uint16(transportData[0])<<8 | uint16(transportData[1])
-		dstPort := uint16(transportData[2])<<8 | uint16(transportData[3])
-		return fmt.Sprintf("UDP %s:%d → %s:%d", srcIP, srcPort, dstIP, dstPort)
-
-	case nftypes.ICMP:
-		icmpType := transportData[0]
-		icmpCode := transportData[1]
-		return fmt.Sprintf("ICMP %s → %s (type %d code %d)", srcIP, dstIP, icmpType, icmpCode)
-
-	default:
-		return fmt.Sprintf("Proto %d %s → %s", protocol, srcIP, dstIP)
-	}
-}
-
 // NewICMPTracker creates a new ICMP connection tracker
 func NewICMPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *ICMPTracker {
 	if timeout == 0 {
@@ -164,64 +93,30 @@ func (t *ICMPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, id uint
 }
 
 // TrackOutbound records an outbound ICMP connection
-func (t *ICMPTracker) TrackOutbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, size int) {
 	if _, exists := t.updateIfExists(dstIP, srcIP, id, nftypes.Egress, size); !exists {
 		// if (inverted direction) conn is not tracked, track this direction
-		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, payload, size)
+		t.track(srcIP, dstIP, id, typecode, nftypes.Egress, nil, size)
 	}
 }
 
 // TrackInbound records an inbound ICMP Echo Request
-func (t *ICMPTracker) TrackInbound(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
-	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, payload, size)
+func (t *ICMPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, ruleId []byte, size int) {
+	t.track(srcIP, dstIP, id, typecode, nftypes.Ingress, ruleId, size)
 }
 
 // track is the common implementation for tracking both inbound and outbound ICMP connections
-func (t *ICMPTracker) track(
-	srcIP netip.Addr,
-	dstIP netip.Addr,
-	id uint16,
-	typecode layers.ICMPv4TypeCode,
-	direction nftypes.Direction,
-	ruleId []byte,
-	payload []byte,
-	size int,
-) {
+func (t *ICMPTracker) track(srcIP netip.Addr, dstIP netip.Addr, id uint16, typecode layers.ICMPv4TypeCode, direction nftypes.Direction, ruleId []byte, size int) {
 	key, exists := t.updateIfExists(srcIP, dstIP, id, direction, size)
 	if exists {
 		return
 	}
 
 	typ, code := typecode.Type(), typecode.Code()
-	icmpInfo := ICMPInfo{
-		TypeCode: typecode,
-	}
-	if len(payload) > 0 {
-		icmpInfo.PayloadLen = len(payload)
-		if icmpInfo.PayloadLen > MaxICMPPayloadLength {
-			icmpInfo.PayloadLen = MaxICMPPayloadLength
-		}
-		copy(icmpInfo.PayloadData[:], payload[:icmpInfo.PayloadLen])
-	}
 
 	// non echo requests don't need tracking
 	if typ != uint8(layers.ICMPv4TypeEchoRequest) {
-		t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+		t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 		t.sendStartEvent(direction, srcIP, dstIP, typ, code, ruleId, size)
 		return
 	}
@@ -243,7 +138,7 @@ func (t *ICMPTracker) track(
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	t.logger.Trace("New %s ICMP connection %s - %s", direction, key, icmpInfo)
+	t.logger.Trace("New %s ICMP connection %s type %d code %d", direction, key, typ, code)
 	t.sendEvent(nftypes.TypeStart, conn, ruleId)
 }
 

client/firewall/uspfilter/conntrack/icmp_test.go

@@ -15,7 +15,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		b.ResetTimer()
 		for i := 0; i < b.N; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i%65535), 0, 0)
 		}
 	})
 
@@ -28,7 +28,7 @@ func BenchmarkICMPTracker(b *testing.B) {
 
 		// Pre-populate some connections
 		for i := 0; i < 1000; i++ {
-			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, []byte{}, 0)
+			tracker.TrackOutbound(srcIP, dstIP, uint16(i), 0, 0)
 		}
 
 		b.ResetTimer()

client/firewall/uspfilter/forwarder/endpoint.go

@@ -86,5 +86,5 @@ type epID stack.TransportEndpointID
 
 func (i epID) String() string {
 	// src and remote is swapped
-	return fmt.Sprintf("%s:%d → %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
+	return fmt.Sprintf("%s:%d -> %s:%d", i.RemoteAddress, i.RemotePort, i.LocalAddress, i.LocalPort)
 }

client/firewall/uspfilter/forwarder/forwarder.go

@@ -41,7 +41,7 @@ type Forwarder struct {
 	udpForwarder *udpForwarder
 	ctx          context.Context
 	cancel       context.CancelFunc
-	ip           tcpip.Address
+	ip           net.IP
 	netstack     bool
 }
 
@@ -71,11 +71,12 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
 
+	ones, _ := iface.Address().Network.Mask.Size()
 	protoAddr := tcpip.ProtocolAddress{
 		Protocol: ipv4.ProtocolNumber,
 		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
-			PrefixLen: iface.Address().Network.Bits(),
+			Address:   tcpip.AddrFromSlice(iface.Address().IP.To4()),
+			PrefixLen: ones,
 		},
 	}
 
@@ -115,7 +116,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		ctx:          ctx,
 		cancel:       cancel,
 		netstack:     netstack,
-		ip:           tcpip.AddrFromSlice(iface.Address().IP.AsSlice()),
+		ip:           iface.Address().IP,
 	}
 
 	receiveWindow := defaultReceiveWindow
@@ -166,7 +167,7 @@ func (f *Forwarder) Stop() {
 }
 
 func (f *Forwarder) determineDialAddr(addr tcpip.Address) net.IP {
-	if f.netstack && f.ip.Equal(addr) {
+	if f.netstack && f.ip.Equal(addr.AsSlice()) {
 		return net.IPv4(127, 0, 0, 1)
 	}
 	return addr.AsSlice()
@@ -178,6 +179,7 @@ func (f *Forwarder) RegisterRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uin
 }
 
 func (f *Forwarder) getRuleID(srcIP, dstIP netip.Addr, srcPort, dstPort uint16) ([]byte, bool) {
+
 	if value, ok := f.ruleIdMap.Load(buildKey(srcIP, dstIP, srcPort, dstPort)); ok {
 		return value.([]byte), true
 	} else if value, ok := f.ruleIdMap.Load(buildKey(dstIP, srcIP, dstPort, srcPort)); ok {

client/firewall/uspfilter/forwarder/tcp.go

@@ -111,12 +111,12 @@ func (f *Forwarder) proxyTCP(id stack.TransportEndpointID, inConn *gonet.TCPConn
 
 	if errInToOut != nil {
 		if !isClosedError(errInToOut) {
-			f.logger.Error("proxyTCP: copy error (in → out) for %s: %v", epID(id), errInToOut)
+			f.logger.Error("proxyTCP: copy error (in -> out): %v", errInToOut)
 		}
 	}
 	if errOutToIn != nil {
 		if !isClosedError(errOutToIn) {
-			f.logger.Error("proxyTCP: copy error (out → in) for %s: %v", epID(id), errOutToIn)
+			f.logger.Error("proxyTCP: copy error (out -> in): %v", errOutToIn)
 		}
 	}
 

client/firewall/uspfilter/forwarder/udp.go

@@ -250,10 +250,10 @@ func (f *Forwarder) proxyUDP(ctx context.Context, pConn *udpPacketConn, id stack
 	wg.Wait()
 
 	if outboundErr != nil && !isClosedError(outboundErr) {
-		f.logger.Error("proxyUDP: copy error (outbound→inbound) for %s: %v", epID(id), outboundErr)
+		f.logger.Error("proxyUDP: copy error (outbound->inbound): %v", outboundErr)
 	}
 	if inboundErr != nil && !isClosedError(inboundErr) {
-		f.logger.Error("proxyUDP: copy error (inbound→outbound) for %s: %v", epID(id), inboundErr)
+		f.logger.Error("proxyUDP: copy error (inbound->outbound): %v", inboundErr)
 	}
 
 	var rxPackets, txPackets uint64

client/firewall/uspfilter/localip.go

@@ -45,26 +45,24 @@ func (m *localIPManager) setBitmapBit(ip net.IP) {
 	m.ipv4Bitmap[high].bitmap[index] |= 1 << bit
 }
 
-func (m *localIPManager) setBitInBitmap(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
-	if !ip.Is4() {
-		return
-	}
-	ipv4 := ip.AsSlice()
+func (m *localIPManager) setBitInBitmap(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
+	if ipv4 := ip.To4(); ipv4 != nil {
+		high := uint16(ipv4[0])
+		low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
 
-	high := uint16(ipv4[0])
-	low := (uint16(ipv4[1]) << 8) | (uint16(ipv4[2]) << 4) | uint16(ipv4[3])
+		if bitmap[high] == nil {
+			bitmap[high] = &ipv4LowBitmap{}
+		}
 
-	if bitmap[high] == nil {
-		bitmap[high] = &ipv4LowBitmap{}
-	}
+		index := low / 32
+		bit := low % 32
+		bitmap[high].bitmap[index] |= 1 << bit
 
-	index := low / 32
-	bit := low % 32
-	bitmap[high].bitmap[index] |= 1 << bit
-
-	if _, exists := ipv4Set[ip]; !exists {
-		ipv4Set[ip] = struct{}{}
-		*ipv4Addresses = append(*ipv4Addresses, ip)
+		ipStr := ipv4.String()
+		if _, exists := ipv4Set[ipStr]; !exists {
+			ipv4Set[ipStr] = struct{}{}
+			*ipv4Addresses = append(*ipv4Addresses, ipStr)
+		}
 	}
 }
 
@@ -81,12 +79,12 @@ func (m *localIPManager) checkBitmapBit(ip []byte) bool {
 	return (m.ipv4Bitmap[high].bitmap[index] & (1 << bit)) != 0
 }
 
-func (m *localIPManager) processIP(ip netip.Addr, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) error {
+func (m *localIPManager) processIP(ip net.IP, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) error {
 	m.setBitInBitmap(ip, bitmap, ipv4Set, ipv4Addresses)
 	return nil
 }
 
-func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[netip.Addr]struct{}, ipv4Addresses *[]netip.Addr) {
+func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv4LowBitmap, ipv4Set map[string]struct{}, ipv4Addresses *[]string) {
 	addrs, err := iface.Addrs()
 	if err != nil {
 		log.Debugf("get addresses for interface %s failed: %v", iface.Name, err)
@@ -104,13 +102,7 @@ func (m *localIPManager) processInterface(iface net.Interface, bitmap *[256]*ipv
 			continue
 		}
 
-		addr, ok := netip.AddrFromSlice(ip)
-		if !ok {
-			log.Warnf("invalid IP address %s in interface %s", ip.String(), iface.Name)
-			continue
-		}
-
-		if err := m.processIP(addr.Unmap(), bitmap, ipv4Set, ipv4Addresses); err != nil {
+		if err := m.processIP(ip, bitmap, ipv4Set, ipv4Addresses); err != nil {
 			log.Debugf("process IP failed: %v", err)
 		}
 	}
@@ -124,8 +116,8 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	}()
 
 	var newIPv4Bitmap [256]*ipv4LowBitmap
-	ipv4Set := make(map[netip.Addr]struct{})
-	var ipv4Addresses []netip.Addr
+	ipv4Set := make(map[string]struct{})
+	var ipv4Addresses []string
 
 	// 127.0.0.0/8
 	newIPv4Bitmap[127] = &ipv4LowBitmap{}

client/firewall/uspfilter/localip_test.go

@@ -20,8 +20,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.2"),
 			expected: true,
@@ -29,8 +32,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost standard address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.0.0.1"),
 			expected: true,
@@ -38,8 +44,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Localhost range edge",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("127.255.255.255"),
 			expected: true,
@@ -47,8 +56,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP matches",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.1"),
 			expected: true,
@@ -56,8 +68,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.2"),
 			expected: false,
@@ -65,8 +80,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "Local IP doesn't match - addresses 32 apart",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("192.168.1.1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("192.168.1.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("192.168.1.0"),
+					Mask: net.CIDRMask(24, 32),
+				},
 			},
 			testIP:   netip.MustParseAddr("192.168.1.33"),
 			expected: false,
@@ -74,8 +92,11 @@ func TestLocalIPManager(t *testing.T) {
 		{
 			name: "IPv6 address",
 			setupAddr: wgaddr.Address{
-				IP:      netip.MustParseAddr("fe80::1"),
-				Network: netip.MustParsePrefix("192.168.1.0/24"),
+				IP: net.ParseIP("fe80::1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("fe80::"),
+					Mask: net.CIDRMask(64, 128),
+				},
 			},
 			testIP:   netip.MustParseAddr("fe80::1"),
 			expected: false,

client/firewall/uspfilter/tracer_test.go

@@ -38,8 +38,11 @@ func TestTracePacket(t *testing.T) {
 			SetFilterFunc: func(device.PacketFilter) error { return nil },
 			AddressFunc: func() wgaddr.Address {
 				return wgaddr.Address{
-					IP:      netip.MustParseAddr("100.10.0.100"),
-					Network: netip.MustParsePrefix("100.10.0.0/16"),
+					IP: net.ParseIP("100.10.0.100"),
+					Network: &net.IPNet{
+						IP:   net.ParseIP("100.10.0.0"),
+						Mask: net.CIDRMask(16, 32),
+					},
 				}
 			},
 		}

client/firewall/uspfilter/uspfilter.go

@@ -39,12 +39,8 @@ const (
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
-	// EnvEnableLocalForwarding enables forwarding of local traffic to the native stack for internal (non-NetBird) interfaces.
-	// Default off as it might be security risk because sockets listening on localhost only will become accessible.
-	EnvEnableLocalForwarding = "NB_ENABLE_LOCAL_FORWARDING"
-
-	// EnvEnableNetstackLocalForwarding is an alias for EnvEnableLocalForwarding.
-	// In netstack mode, it enables forwarding of local traffic to the native stack for all interfaces.
+	// EnvEnableNetstackLocalForwarding enables forwarding of local traffic to the native stack when running netstack
+	// Leaving this on by default introduces a security risk as sockets on listening on localhost only will be accessible
 	EnvEnableNetstackLocalForwarding = "NB_ENABLE_NETSTACK_LOCAL_FORWARDING"
 )
 
@@ -75,6 +71,7 @@ type Manager struct {
 	// incomingRules is used for filtering and hooks
 	incomingRules  map[netip.Addr]RuleSet
 	routeRules     RouteRules
+	wgNetwork      *net.IPNet
 	decoders       sync.Pool
 	wgIface        common.IFaceMapper
 	nativeFirewall firewall.Manager
@@ -151,11 +148,6 @@ func parseCreateEnv() (bool, bool) {
 		if err != nil {
 			log.Warnf("failed to parse %s: %v", EnvEnableNetstackLocalForwarding, err)
 		}
-	} else if val := os.Getenv(EnvEnableLocalForwarding); val != "" {
-		enableLocalForwarding, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
-		}
 	}
 
 	return disableConntrack, enableLocalForwarding
@@ -277,7 +269,7 @@ func (m *Manager) determineRouting() error {
 
 		log.Info("userspace routing is forced")
 
-	case !m.netstack && m.nativeFirewall != nil:
+	case !m.netstack && m.nativeFirewall != nil && m.nativeFirewall.IsServerRouteSupported():
 		// if the OS supports routing natively, then we don't need to filter/route ourselves
 		// netstack mode won't support native routing as there is no interface
 
@@ -334,10 +326,6 @@ func (m *Manager) IsServerRouteSupported() bool {
 	return true
 }
 
-func (m *Manager) IsStateful() bool {
-	return m.stateful
-}
-
 func (m *Manager) AddNatRule(pair firewall.RouterPair) error {
 	if m.nativeRouter.Load() && m.nativeFirewall != nil {
 		return m.nativeFirewall.AddNatRule(pair)
@@ -618,8 +606,9 @@ func (m *Manager) processOutgoingHooks(packetData []byte, size int) bool {
 		return true
 	}
 
-	// for netflow we keep track even if the firewall is stateless
-	m.trackOutbound(d, srcIP, dstIP, size)
+	if m.stateful {
+		m.trackOutbound(d, srcIP, dstIP, size)
+	}
 
 	return false
 }
@@ -671,7 +660,7 @@ func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
+		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, size)
 	}
 }
 
@@ -684,7 +673,7 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 		flags := getTCPFlags(&d.tcp)
 		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
-		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
+		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, size)
 	}
 }
 
@@ -788,10 +777,9 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	// If requested we pass local traffic to internal interfaces to the forwarder.
-	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
-	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
-		return m.handleForwardedLocalTraffic(packetData)
+	// if running in netstack mode we need to pass this to the forwarder
+	if m.netstack && m.localForwarding {
+		return m.handleNetstackLocalTraffic(packetData)
 	}
 
 	// track inbound packets to get the correct direction and session id for flows
@@ -801,7 +789,8 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 	return false
 }
 
-func (m *Manager) handleForwardedLocalTraffic(packetData []byte) bool {
+func (m *Manager) handleNetstackLocalTraffic(packetData []byte) bool {
+
 	fwd := m.forwarder.Load()
 	if fwd == nil {
 		m.logger.Trace("Dropping local packet (forwarder not initialized)")
@@ -1099,6 +1088,11 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return true
 }
 
+// SetNetwork of the wireguard interface to which filtering applied
+func (m *Manager) SetNetwork(network *net.IPNet) {
+	m.wgNetwork = network
+}
+
 // AddUDPPacketHook calls hook when UDP packet from given direction matched
 //
 // Hook function returns flag which indicates should be the matched package dropped or not

client/firewall/uspfilter/uspfilter_bench_test.go

@@ -174,6 +174,11 @@ func BenchmarkCoreFiltering(b *testing.B) {
 					require.NoError(b, manager.Close(nil))
 				})
 
+				manager.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
+
 				// Apply scenario-specific setup
 				sc.setupFunc(manager)
 
@@ -214,6 +219,11 @@ func BenchmarkStateScaling(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
 			// Pre-populate connection table
 			srcIPs := generateRandomIPs(count)
 			dstIPs := generateRandomIPs(count)
@@ -257,6 +267,11 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.wgNetwork = &net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			}
+
 			srcIP := generateRandomIPs(1)[0]
 			dstIP := generateRandomIPs(1)[0]
 			outbound := generatePacket(b, srcIP, dstIP, 1024, 80, layers.IPProtocolTCP)
@@ -289,6 +304,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -302,6 +321,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -316,6 +339,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -329,6 +356,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("100.64.0.0"),
+					Mask: net.CIDRMask(10, 32),
+				}
 				b.Setenv("NB_DISABLE_CONNTRACK", "1")
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -342,6 +373,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -355,6 +390,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -369,6 +408,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolTCP,
 			state: "post_handshake",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -383,6 +426,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "new",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -396,6 +443,10 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 			proto: layers.IPProtocolUDP,
 			state: "established",
 			setupFunc: func(m *Manager) {
+				m.wgNetwork = &net.IPNet{
+					IP:   net.ParseIP("0.0.0.0"),
+					Mask: net.CIDRMask(0, 32),
+				}
 				require.NoError(b, os.Unsetenv("NB_DISABLE_CONNTRACK"))
 			},
 			genPackets: func(srcIP, dstIP net.IP) ([]byte, []byte) {
@@ -542,6 +593,11 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -625,6 +681,11 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				// Single rule to allow all return traffic from port 80
@@ -736,6 +797,11 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			// Setup initial state based on scenario
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
@@ -816,6 +882,11 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 				require.NoError(b, manager.Close(nil))
 			})
 
+			manager.SetNetwork(&net.IPNet{
+				IP:   net.ParseIP("100.64.0.0"),
+				Mask: net.CIDRMask(10, 32),
+			})
+
 			if sc.rules {
 				_, err := manager.AddPeerFiltering(nil, net.ParseIP("0.0.0.0"), fw.ProtocolTCP, &fw.Port{Values: []uint16{80}}, nil, fw.ActionAccept, "")
 				require.NoError(b, err)
@@ -961,8 +1032,7 @@ func BenchmarkRouteACLs(b *testing.B) {
 	}
 
 	for _, r := range rules {
-		dst := fw.Network{Prefix: r.dest}
-		_, err := manager.AddRouteFiltering(nil, r.sources, dst, r.proto, nil, r.port, fw.ActionAccept)
+		_, err := manager.AddRouteFiltering(nil, r.sources, r.dest, r.proto, nil, r.port, fw.ActionAccept)
 		if err != nil {
 			b.Fatal(err)
 		}

client/firewall/uspfilter/uspfilter_filter_test.go

@@ -19,8 +19,12 @@ import (
 )
 
 func TestPeerACLFiltering(t *testing.T) {
-	localIP := netip.MustParseAddr("100.10.0.100")
-	wgNet := netip.MustParsePrefix("100.10.0.0/16")
+	localIP := net.ParseIP("100.10.0.100")
+	wgNet := &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
@@ -39,6 +43,8 @@ func TestPeerACLFiltering(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	})
 
+	manager.wgNetwork = wgNet
+
 	err = manager.UpdateLocalIPs()
 	require.NoError(t, err)
 
@@ -575,13 +581,14 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 	dev := mocks.NewMockDevice(ctrl)
 	dev.EXPECT().MTU().Return(1500, nil).AnyTimes()
 
-	wgNet := netip.MustParsePrefix(network)
+	localIP, wgNet, err := net.ParseCIDR(network)
+	require.NoError(tb, err)
 
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      wgNet.Addr(),
+				IP:      localIP,
 				Network: wgNet,
 			}
 		},
@@ -1433,8 +1440,11 @@ func TestRouteACLSet(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
+				IP: net.ParseIP("100.10.0.100"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.10.0.0"),
+					Mask: net.CIDRMask(16, 32),
+				},
 			}
 		},
 	}

client/firewall/uspfilter/uspfilter_test.go

@@ -271,8 +271,11 @@ func TestNotMatchByIP(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
+				IP: net.ParseIP("100.10.0.100"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.10.0.0"),
+					Mask: net.CIDRMask(16, 32),
+				},
 			}
 		},
 	}
@@ -282,6 +285,10 @@ func TestNotMatchByIP(t *testing.T) {
 		t.Errorf("failed to create Manager: %v", err)
 		return
 	}
+	m.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
 
 	ip := net.ParseIP("0.0.0.0")
 	proto := fw.ProtocolUDP
@@ -389,6 +396,10 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
 	manager.udpTracker.Close()
 	manager.udpTracker = conntrack.NewUDPTracker(100*time.Millisecond, logger, flowLogger)
 	defer func() {
@@ -498,6 +509,11 @@ func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	}, false, flowLogger)
 	require.NoError(t, err)
 
+	manager.wgNetwork = &net.IPNet{
+		IP:   net.ParseIP("100.10.0.0"),
+		Mask: net.CIDRMask(16, 32),
+	}
+
 	manager.udpTracker.Close() // Close the existing tracker
 	manager.udpTracker = conntrack.NewUDPTracker(200*time.Millisecond, logger, flowLogger)
 	manager.decoders = sync.Pool{

client/iface/bind/udp_mux_universal.go

@@ -164,7 +164,7 @@ func (u *udpConn) performFilterCheck(addr net.Addr) error {
 		return nil
 	}
 
-	if u.address.Network.Contains(a) {
+	if u.address.Network.Contains(a.AsSlice()) {
 		log.Warnf("Address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 		return fmt.Errorf("address %s is part of the NetBird network %s, refusing to write", addr, u.address)
 	}

client/iface/configurer/common.go

@@ -1,17 +0,0 @@
-package configurer
-
-import (
-	"net"
-	"net/netip"
-)
-
-func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
-	ipNets := make([]net.IPNet, len(prefixes))
-	for i, prefix := range prefixes {
-		ipNets[i] = net.IPNet{
-			IP:   prefix.Addr().AsSlice(),                             // Convert netip.Addr to net.IP
-			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
-		}
-	}
-	return ipNets
-}

client/iface/configurer/kernel_unix.go

@@ -5,7 +5,6 @@ package configurer
 import (
 	"fmt"
 	"net"
-	"net/netip"
 	"time"
 
 	log "github.com/sirupsen/logrus"
@@ -13,8 +12,6 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
 
-var zeroKey wgtypes.Key
-
 type KernelConfigurer struct {
 	deviceName string
 }
@@ -46,7 +43,7 @@ func (c *KernelConfigurer) ConfigureInterface(privateKey string, port int) error
 	return nil
 }
 
-func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -55,7 +52,7 @@ func (c *KernelConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  prefixesToIPNets(allowedIps),
+		AllowedIPs:                  allowedIps,
 		PersistentKeepaliveInterval: &keepAlive,
 		Endpoint:                    endpoint,
 		PresharedKey:                preSharedKey,
@@ -92,10 +89,10 @@ func (c *KernelConfigurer) RemovePeer(peerKey string) error {
 	return nil
 }
 
-func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -106,7 +103,7 @@ func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix)
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,
 		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{ipNet},
+		AllowedIPs:        []net.IPNet{*ipNet},
 	}
 
 	config := wgtypes.Config{
@@ -119,10 +116,10 @@ func (c *KernelConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix)
 	return nil
 }
 
-func (c *KernelConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *KernelConfigurer) RemoveAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return fmt.Errorf("parse allowed IP: %w", err)
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -190,11 +187,7 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 	if err != nil {
 		return err
 	}
-	defer func() {
-		if err := wg.Close(); err != nil {
-			log.Errorf("Failed to close wgctrl client: %v", err)
-		}
-	}()
+	defer wg.Close()
 
 	// validate if device with name exists
 	_, err = wg.Device(c.deviceName)
@@ -208,71 +201,14 @@ func (c *KernelConfigurer) configure(config wgtypes.Config) error {
 func (c *KernelConfigurer) Close() {
 }
 
-func (c *KernelConfigurer) FullStats() (*Stats, error) {
-	wg, err := wgctrl.New()
+func (c *KernelConfigurer) GetStats(peerKey string) (WGStats, error) {
+	peer, err := c.getPeer(c.deviceName, peerKey)
 	if err != nil {
-		return nil, fmt.Errorf("wgctl: %w", err)
+		return WGStats{}, fmt.Errorf("get wireguard stats: %w", err)
 	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			log.Errorf("Got error while closing wgctl: %v", err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(c.deviceName)
-	if err != nil {
-		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
-	}
-	fullStats := &Stats{
-		DeviceName: wgDevice.Name,
-		PublicKey:  wgDevice.PublicKey.String(),
-		ListenPort: wgDevice.ListenPort,
-		FWMark:     wgDevice.FirewallMark,
-		Peers:      []Peer{},
-	}
-
-	for _, p := range wgDevice.Peers {
-		peer := Peer{
-			PublicKey:     p.PublicKey.String(),
-			AllowedIPs:    p.AllowedIPs,
-			TxBytes:       p.TransmitBytes,
-			RxBytes:       p.ReceiveBytes,
-			LastHandshake: p.LastHandshakeTime,
-			PresharedKey:  p.PresharedKey != zeroKey,
-		}
-		if p.Endpoint != nil {
-			peer.Endpoint = *p.Endpoint
-		}
-		fullStats.Peers = append(fullStats.Peers, peer)
-	}
-	return fullStats, nil
-}
-
-func (c *KernelConfigurer) GetStats() (map[string]WGStats, error) {
-	stats := make(map[string]WGStats)
-	wg, err := wgctrl.New()
-	if err != nil {
-		return nil, fmt.Errorf("wgctl: %w", err)
-	}
-	defer func() {
-		err = wg.Close()
-		if err != nil {
-			log.Errorf("Got error while closing wgctl: %v", err)
-		}
-	}()
-
-	wgDevice, err := wg.Device(c.deviceName)
-	if err != nil {
-		return nil, fmt.Errorf("get device %s: %w", c.deviceName, err)
-	}
-
-	for _, peer := range wgDevice.Peers {
-		stats[peer.PublicKey.String()] = WGStats{
-			LastHandshake: peer.LastHandshakeTime,
-			TxBytes:       peer.TransmitBytes,
-			RxBytes:       peer.ReceiveBytes,
-		}
-	}
-	return stats, nil
+	return WGStats{
+		LastHandshake: peer.LastHandshakeTime,
+		TxBytes:       peer.TransmitBytes,
+		RxBytes:       peer.ReceiveBytes,
+	}, nil
 }

client/iface/configurer/usp.go

@@ -1,11 +1,9 @@
 package configurer
 
 import (
-	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"net"
-	"net/netip"
 	"os"
 	"runtime"
 	"strconv"
@@ -19,20 +17,6 @@ import (
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-const (
-	privateKey                  = "private_key"
-	ipcKeyLastHandshakeTimeSec  = "last_handshake_time_sec"
-	ipcKeyLastHandshakeTimeNsec = "last_handshake_time_nsec"
-	ipcKeyTxBytes               = "tx_bytes"
-	ipcKeyRxBytes               = "rx_bytes"
-	allowedIP                   = "allowed_ip"
-	endpoint                    = "endpoint"
-	fwmark                      = "fwmark"
-	listenPort                  = "listen_port"
-	publicKey                   = "public_key"
-	presharedKey                = "preshared_key"
-)
-
 var ErrAllowedIPNotFound = fmt.Errorf("allowed IP not found")
 
 type WGUSPConfigurer struct {
@@ -68,7 +52,7 @@ func (c *WGUSPConfigurer) ConfigureInterface(privateKey string, port int) error
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
 	if err != nil {
 		return err
@@ -77,7 +61,7 @@ func (c *WGUSPConfigurer) UpdatePeer(peerKey string, allowedIps []netip.Prefix,
 		PublicKey:         peerKeyParsed,
 		ReplaceAllowedIPs: false,
 		// don't replace allowed ips, wg will handle duplicated peer IP
-		AllowedIPs:                  prefixesToIPNets(allowedIps),
+		AllowedIPs:                  allowedIps,
 		PersistentKeepaliveInterval: &keepAlive,
 		PresharedKey:                preSharedKey,
 		Endpoint:                    endpoint,
@@ -107,10 +91,10 @@ func (c *WGUSPConfigurer) RemovePeer(peerKey string) error {
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
-	ipNet := net.IPNet{
-		IP:   allowedIP.Addr().AsSlice(),
-		Mask: net.CIDRMask(allowedIP.Bits(), allowedIP.Addr().BitLen()),
+func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
 	}
 
 	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
@@ -121,7 +105,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 		PublicKey:         peerKeyParsed,
 		UpdateOnly:        true,
 		ReplaceAllowedIPs: false,
-		AllowedIPs:        []net.IPNet{ipNet},
+		AllowedIPs:        []net.IPNet{*ipNet},
 	}
 
 	config := wgtypes.Config{
@@ -131,7 +115,7 @@ func (c *WGUSPConfigurer) AddAllowedIP(peerKey string, allowedIP netip.Prefix) e
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, ip string) error {
 	ipc, err := c.device.IpcGet()
 	if err != nil {
 		return err
@@ -154,8 +138,6 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 
 	foundPeer := false
 	removedAllowedIP := false
-	ip := allowedIP.String()
-
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 
@@ -178,8 +160,8 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 
 		// Append the line to the output string
 		if foundPeer && strings.HasPrefix(line, "allowed_ip=") {
-			allowedIPStr := strings.TrimPrefix(line, "allowed_ip=")
-			_, ipNet, err := net.ParseCIDR(allowedIPStr)
+			allowedIP := strings.TrimPrefix(line, "allowed_ip=")
+			_, ipNet, err := net.ParseCIDR(allowedIP)
 			if err != nil {
 				return err
 			}
@@ -196,15 +178,6 @@ func (c *WGUSPConfigurer) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix
 	return c.device.IpcSet(toWgUserspaceString(config))
 }
 
-func (c *WGUSPConfigurer) FullStats() (*Stats, error) {
-	ipcStr, err := c.device.IpcGet()
-	if err != nil {
-		return nil, fmt.Errorf("IpcGet failed: %w", err)
-	}
-
-	return parseStatus(c.deviceName, ipcStr)
-}
-
 // startUAPI starts the UAPI listener for managing the WireGuard interface via external tool
 func (t *WGUSPConfigurer) startUAPI() {
 	var err error
@@ -244,75 +217,91 @@ func (t *WGUSPConfigurer) Close() {
 	}
 }
 
-func (t *WGUSPConfigurer) GetStats() (map[string]WGStats, error) {
+func (t *WGUSPConfigurer) GetStats(peerKey string) (WGStats, error) {
 	ipc, err := t.device.IpcGet()
 	if err != nil {
-		return nil, fmt.Errorf("ipc get: %w", err)
+		return WGStats{}, fmt.Errorf("ipc get: %w", err)
 	}
 
-	return parseTransfers(ipc)
+	stats, err := findPeerInfo(ipc, peerKey, []string{
+		"last_handshake_time_sec",
+		"last_handshake_time_nsec",
+		"tx_bytes",
+		"rx_bytes",
+	})
+	if err != nil {
+		return WGStats{}, fmt.Errorf("find peer info: %w", err)
+	}
+
+	sec, err := strconv.ParseInt(stats["last_handshake_time_sec"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse handshake sec: %w", err)
+	}
+	nsec, err := strconv.ParseInt(stats["last_handshake_time_nsec"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse handshake nsec: %w", err)
+	}
+	txBytes, err := strconv.ParseInt(stats["tx_bytes"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse tx_bytes: %w", err)
+	}
+	rxBytes, err := strconv.ParseInt(stats["rx_bytes"], 10, 64)
+	if err != nil {
+		return WGStats{}, fmt.Errorf("parse rx_bytes: %w", err)
+	}
+
+	return WGStats{
+		LastHandshake: time.Unix(sec, nsec),
+		TxBytes:       txBytes,
+		RxBytes:       rxBytes,
+	}, nil
 }
 
-func parseTransfers(ipc string) (map[string]WGStats, error) {
-	stats := make(map[string]WGStats)
-	var (
-		currentKey   string
-		currentStats WGStats
-		hasPeer      bool
-	)
-	lines := strings.Split(ipc, "\n")
+func findPeerInfo(ipcInput string, peerKey string, searchConfigKeys []string) (map[string]string, error) {
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return nil, fmt.Errorf("parse key: %w", err)
+	}
+
+	hexKey := hex.EncodeToString(peerKeyParsed[:])
+
+	lines := strings.Split(ipcInput, "\n")
+
+	configFound := map[string]string{}
+	foundPeer := false
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 
 		// If we're within the details of the found peer and encounter another public key,
 		// this means we're starting another peer's details. So, stop.
-		if strings.HasPrefix(line, "public_key=") {
-			peerID := strings.TrimPrefix(line, "public_key=")
-			h, err := hex.DecodeString(peerID)
-			if err != nil {
-				return nil, fmt.Errorf("decode peerID: %w", err)
-			}
-			currentKey = base64.StdEncoding.EncodeToString(h)
-			currentStats = WGStats{} // Reset stats for the new peer
-			hasPeer = true
-			stats[currentKey] = currentStats
-			continue
+		if strings.HasPrefix(line, "public_key=") && foundPeer {
+			break
 		}
 
-		if !hasPeer {
-			continue
+		// Identify the peer with the specific public key
+		if line == fmt.Sprintf("public_key=%s", hexKey) {
+			foundPeer = true
 		}
 
-		key := strings.SplitN(line, "=", 2)
-		if len(key) != 2 {
-			continue
-		}
-		switch key[0] {
-		case ipcKeyLastHandshakeTimeSec:
-			hs, err := toLastHandshake(key[1])
-			if err != nil {
-				return nil, err
+		for _, key := range searchConfigKeys {
+			if foundPeer && strings.HasPrefix(line, key+"=") {
+				v := strings.SplitN(line, "=", 2)
+				configFound[v[0]] = v[1]
 			}
-			currentStats.LastHandshake = hs
-			stats[currentKey] = currentStats
-		case ipcKeyRxBytes:
-			rxBytes, err := toBytes(key[1])
-			if err != nil {
-				return nil, fmt.Errorf("parse rx_bytes: %w", err)
-			}
-			currentStats.RxBytes = rxBytes
-			stats[currentKey] = currentStats
-		case ipcKeyTxBytes:
-			TxBytes, err := toBytes(key[1])
-			if err != nil {
-				return nil, fmt.Errorf("parse tx_bytes: %w", err)
-			}
-			currentStats.TxBytes = TxBytes
-			stats[currentKey] = currentStats
 		}
 	}
 
-	return stats, nil
+	// todo: use multierr
+	for _, key := range searchConfigKeys {
+		if _, ok := configFound[key]; !ok {
+			return configFound, fmt.Errorf("config key not found: %s", key)
+		}
+	}
+	if !foundPeer {
+		return nil, fmt.Errorf("%w: %s", ErrPeerNotFound, peerKey)
+	}
+
+	return configFound, nil
 }
 
 func toWgUserspaceString(wgCfg wgtypes.Config) string {
@@ -366,154 +355,9 @@ func toWgUserspaceString(wgCfg wgtypes.Config) string {
 	return sb.String()
 }
 
-func toLastHandshake(stringVar string) (time.Time, error) {
-	sec, err := strconv.ParseInt(stringVar, 10, 64)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("parse handshake sec: %w", err)
-	}
-	return time.Unix(sec, 0), nil
-}
-
-func toBytes(s string) (int64, error) {
-	return strconv.ParseInt(s, 10, 64)
-}
-
 func getFwmark() int {
 	if nbnet.AdvancedRouting() {
 		return nbnet.ControlPlaneMark
 	}
 	return 0
 }
-
-func hexToWireguardKey(hexKey string) (wgtypes.Key, error) {
-	// Decode hex string to bytes
-	keyBytes, err := hex.DecodeString(hexKey)
-	if err != nil {
-		return wgtypes.Key{}, fmt.Errorf("failed to decode hex key: %w", err)
-	}
-
-	// Check if we have the right number of bytes (WireGuard keys are 32 bytes)
-	if len(keyBytes) != 32 {
-		return wgtypes.Key{}, fmt.Errorf("invalid key length: expected 32 bytes, got %d", len(keyBytes))
-	}
-
-	// Convert to wgtypes.Key
-	var key wgtypes.Key
-	copy(key[:], keyBytes)
-
-	return key, nil
-}
-
-func parseStatus(deviceName, ipcStr string) (*Stats, error) {
-	stats := &Stats{DeviceName: deviceName}
-	var currentPeer *Peer
-	for _, line := range strings.Split(strings.TrimSpace(ipcStr), "\n") {
-		if line == "" {
-			continue
-		}
-		parts := strings.SplitN(line, "=", 2)
-		if len(parts) != 2 {
-			continue
-		}
-		key := parts[0]
-		val := parts[1]
-
-		switch key {
-		case privateKey:
-			key, err := hexToWireguardKey(val)
-			if err != nil {
-				log.Errorf("failed to parse private key: %v", err)
-				continue
-			}
-			stats.PublicKey = key.PublicKey().String()
-		case publicKey:
-			// Save previous peer
-			if currentPeer != nil {
-				stats.Peers = append(stats.Peers, *currentPeer)
-			}
-			key, err := hexToWireguardKey(val)
-			if err != nil {
-				log.Errorf("failed to parse public key: %v", err)
-				continue
-			}
-			currentPeer = &Peer{
-				PublicKey: key.String(),
-			}
-		case listenPort:
-			if port, err := strconv.Atoi(val); err == nil {
-				stats.ListenPort = port
-			}
-		case fwmark:
-			if fwmark, err := strconv.Atoi(val); err == nil {
-				stats.FWMark = fwmark
-			}
-		case endpoint:
-			if currentPeer == nil {
-				continue
-			}
-
-			host, portStr, err := net.SplitHostPort(strings.Trim(val, "[]"))
-			if err != nil {
-				log.Errorf("failed to parse endpoint: %v", err)
-				continue
-			}
-			port, err := strconv.Atoi(portStr)
-			if err != nil {
-				log.Errorf("failed to parse endpoint port: %v", err)
-				continue
-			}
-			currentPeer.Endpoint = net.UDPAddr{
-				IP:   net.ParseIP(host),
-				Port: port,
-			}
-		case allowedIP:
-			if currentPeer == nil {
-				continue
-			}
-			_, ipnet, err := net.ParseCIDR(val)
-			if err == nil {
-				currentPeer.AllowedIPs = append(currentPeer.AllowedIPs, *ipnet)
-			}
-		case ipcKeyTxBytes:
-			if currentPeer == nil {
-				continue
-			}
-			rxBytes, err := toBytes(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.TxBytes = rxBytes
-		case ipcKeyRxBytes:
-			if currentPeer == nil {
-				continue
-			}
-			rxBytes, err := toBytes(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.RxBytes = rxBytes
-
-		case ipcKeyLastHandshakeTimeSec:
-			if currentPeer == nil {
-				continue
-			}
-
-			ts, err := toLastHandshake(val)
-			if err != nil {
-				continue
-			}
-			currentPeer.LastHandshake = ts
-		case presharedKey:
-			if currentPeer == nil {
-				continue
-			}
-			if val != "" {
-				currentPeer.PresharedKey = true
-			}
-		}
-	}
-	if currentPeer != nil {
-		stats.Peers = append(stats.Peers, *currentPeer)
-	}
-	return stats, nil
-}

client/iface/configurer/usp_test.go

@@ -2,8 +2,10 @@ package configurer
 
 import (
 	"encoding/hex"
+	"fmt"
 	"testing"
 
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )
@@ -32,35 +34,58 @@ errno=0
 
 `
 
-func Test_parseTransfers(t *testing.T) {
+func Test_findPeerInfo(t *testing.T) {
 	tests := []struct {
-		name    string
-		peerKey string
-		want    WGStats
+		name       string
+		peerKey    string
+		searchKeys []string
+		want       map[string]string
+		wantErr    bool
 	}{
 		{
-			name:    "single",
-			peerKey: "b85996fecc9c7f1fc6d2572a76eda11d59bcd20be8e543b15ce4bd85a8e75a33",
-			want: WGStats{
-				TxBytes: 0,
-				RxBytes: 0,
+			name:       "single",
+			peerKey:    "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
+			searchKeys: []string{"tx_bytes"},
+			want: map[string]string{
+				"tx_bytes": "38333",
 			},
+			wantErr: false,
 		},
 		{
-			name:    "multiple",
-			peerKey: "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
-			want: WGStats{
-				TxBytes: 38333,
-				RxBytes: 2224,
+			name:       "multiple",
+			peerKey:    "58402e695ba1772b1cc9309755f043251ea77fdcf10fbe63989ceb7e19321376",
+			searchKeys: []string{"tx_bytes", "rx_bytes"},
+			want: map[string]string{
+				"tx_bytes": "38333",
+				"rx_bytes": "2224",
 			},
+			wantErr: false,
 		},
 		{
-			name:    "lastpeer",
-			peerKey: "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
-			want: WGStats{
-				TxBytes: 1212111,
-				RxBytes: 1929999999,
+			name:       "lastpeer",
+			peerKey:    "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
+			searchKeys: []string{"tx_bytes", "rx_bytes"},
+			want: map[string]string{
+				"tx_bytes": "1212111",
+				"rx_bytes": "1929999999",
 			},
+			wantErr: false,
+		},
+		{
+			name:       "peer not found",
+			peerKey:    "1111111111111111111111111111111111111111111111111111111111111111",
+			searchKeys: nil,
+			want:       nil,
+			wantErr:    true,
+		},
+		{
+			name:       "key not found",
+			peerKey:    "662e14fd594556f522604703340351258903b64f35553763f19426ab2a515c58",
+			searchKeys: []string{"tx_bytes", "unknown_key"},
+			want: map[string]string{
+				"tx_bytes": "1212111",
+			},
+			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
@@ -71,19 +96,9 @@ func Test_parseTransfers(t *testing.T) {
 			key, err := wgtypes.NewKey(res)
 			require.NoError(t, err)
 
-			stats, err := parseTransfers(ipcFixture)
-			if err != nil {
-				require.NoError(t, err)
-				return
-			}
-
-			stat, ok := stats[key.String()]
-			if !ok {
-				require.True(t, ok)
-				return
-			}
-
-			require.Equal(t, tt.want, stat)
+			got, err := findPeerInfo(ipcFixture, key.String(), tt.searchKeys)
+			assert.Equalf(t, tt.wantErr, err != nil, fmt.Sprintf("findPeerInfo(%v, %v, %v)", ipcFixture, key.String(), tt.searchKeys))
+			assert.Equalf(t, tt.want, got, "findPeerInfo(%v, %v, %v)", ipcFixture, key.String(), tt.searchKeys)
 		})
 	}
 }

client/iface/configurer/wgshow.go

@@ -1,24 +0,0 @@
-package configurer
-
-import (
-	"net"
-	"time"
-)
-
-type Peer struct {
-	PublicKey     string
-	Endpoint      net.UDPAddr
-	AllowedIPs    []net.IPNet
-	TxBytes       int64
-	RxBytes       int64
-	LastHandshake time.Time
-	PresharedKey  bool
-}
-
-type Stats struct {
-	DeviceName string
-	PublicKey  string
-	ListenPort int
-	FWMark     int
-	Peers      []Peer
-}

client/iface/device/device_android.go

@@ -24,7 +24,6 @@ type WGTunDevice struct {
 	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
-	disableDNS bool
 
 	name           string
 	device         *device.Device
@@ -33,7 +32,7 @@ type WGTunDevice struct {
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -41,7 +40,6 @@ func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind
 		mtu:        mtu,
 		iceBind:    iceBind,
 		tunAdapter: tunAdapter,
-		disableDNS: disableDNS,
 	}
 }
 
@@ -51,13 +49,6 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	routesString := routesToString(routes)
 	searchDomainsToString := searchDomainsToString(searchDomains)
 
-	// Skip DNS configuration when DisableDNS is enabled
-	if t.disableDNS {
-		log.Info("DNS is disabled, skipping DNS and search domain configuration")
-		dns = ""
-		searchDomainsToString = ""
-	}
-
 	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)

client/iface/device/device_filter.go

@@ -1,6 +1,7 @@
 package device
 
 import (
+	"net"
 	"net/netip"
 	"sync"
 
@@ -23,6 +24,9 @@ type PacketFilter interface {
 
 	// RemovePacketHook removes hook by ID
 	RemovePacketHook(hookID string) error
+
+	// SetNetwork of the wireguard interface to which filtering applied
+	SetNetwork(*net.IPNet)
 }
 
 // FilteredDevice to override Read or Write of packets

client/iface/device/device_netstack.go

@@ -51,11 +51,7 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
-	dnsAddr, err := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
-	if err != nil {
-		return nil, fmt.Errorf("last ip: %w", err)
-	}
-
+	dnsAddr := nbnet.GetLastIPFromNetwork(t.address.Network, 1)
 	log.Debugf("netstack using address: %s", t.address.IP)
 	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
 	log.Debugf("netstack using dns address: %s", dnsAddr)

client/iface/device/interface.go

@@ -2,7 +2,6 @@ package device
 
 import (
 	"net"
-	"net/netip"
 	"time"
 
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -12,11 +11,10 @@ import (
 
 type WGConfigurer interface {
 	ConfigureInterface(privateKey string, port int) error
-	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	UpdatePeer(peerKey string, allowedIps []net.IPNet, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	RemovePeer(peerKey string) error
-	AddAllowedIP(peerKey string, allowedIP netip.Prefix) error
-	RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error
+	AddAllowedIP(peerKey string, allowedIP string) error
+	RemoveAllowedIP(peerKey string, allowedIP string) error
 	Close()
-	GetStats() (map[string]configurer.WGStats, error)
-	FullStats() (*configurer.Stats, error)
+	GetStats(peerKey string) (configurer.WGStats, error)
 }

client/iface/device/wg_link_freebsd.go

@@ -64,15 +64,7 @@ func (l *wgLink) assignAddr(address wgaddr.Address) error {
 	}
 
 	ip := address.IP.String()
-
-	// Convert prefix length to hex netmask
-	prefixLen := address.Network.Bits()
-	if !address.IP.Is4() {
-		return fmt.Errorf("IPv6 not supported for interface assignment")
-	}
-
-	maskBits := uint32(0xffffffff) << (32 - prefixLen)
-	mask := fmt.Sprintf("0x%08x", maskBits)
+	mask := "0x" + address.Network.Mask.String()
 
 	log.Infof("assign addr %s mask %s to %s interface", ip, mask, l.name)
 

client/iface/iface.go

@@ -43,7 +43,6 @@ type WGIFaceOpts struct {
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
 	FilterFn     bind.FilterFn
-	DisableDNS   bool
 }
 
 // WGIface represents an interface instance
@@ -112,14 +111,14 @@ func (w *WGIface) UpdateAddr(newAddr string) error {
 }
 
 // UpdatePeer updates existing Wireguard Peer or creates a new one if doesn't exist
-// Endpoint is optional.
-// If allowedIps is given it will be added to the existing ones.
+// Endpoint is optional
 func (w *WGIface) UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
-	log.Debugf("updating interface %s peer %s, endpoint %s, allowedIPs %v", w.tun.DeviceName(), peerKey, endpoint, allowedIps)
-	return w.configurer.UpdatePeer(peerKey, allowedIps, keepAlive, endpoint, preSharedKey)
+	netIPNets := prefixesToIPNets(allowedIps)
+	log.Debugf("updating interface %s peer %s, endpoint %s", w.tun.DeviceName(), peerKey, endpoint)
+	return w.configurer.UpdatePeer(peerKey, netIPNets, keepAlive, endpoint, preSharedKey)
 }
 
 // RemovePeer removes a Wireguard Peer from the interface iface
@@ -132,7 +131,7 @@ func (w *WGIface) RemovePeer(peerKey string) error {
 }
 
 // AddAllowedIP adds a prefix to the allowed IPs list of peer
-func (w *WGIface) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (w *WGIface) AddAllowedIP(peerKey string, allowedIP string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -141,7 +140,7 @@ func (w *WGIface) AddAllowedIP(peerKey string, allowedIP netip.Prefix) error {
 }
 
 // RemoveAllowedIP removes a prefix from the allowed IPs list of peer
-func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP netip.Prefix) error {
+func (w *WGIface) RemoveAllowedIP(peerKey string, allowedIP string) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 
@@ -186,6 +185,7 @@ func (w *WGIface) SetFilter(filter device.PacketFilter) error {
 	}
 
 	w.filter = filter
+	w.filter.SetNetwork(w.tun.WgAddress().Network)
 
 	w.tun.FilteredDevice().SetFilter(filter)
 	return nil
@@ -212,13 +212,9 @@ func (w *WGIface) GetWGDevice() *wgdevice.Device {
 	return w.tun.Device()
 }
 
-// GetStats returns the last handshake time, rx and tx bytes
-func (w *WGIface) GetStats() (map[string]configurer.WGStats, error) {
-	return w.configurer.GetStats()
-}
-
-func (w *WGIface) FullStats() (*configurer.Stats, error) {
-	return w.configurer.FullStats()
+// GetStats returns the last handshake time, rx and tx bytes for the given peer
+func (w *WGIface) GetStats(peerKey string) (configurer.WGStats, error) {
+	return w.configurer.GetStats(peerKey)
 }
 
 func (w *WGIface) waitUntilRemoved() error {
@@ -255,3 +251,14 @@ func (w *WGIface) GetNet() *netstack.Net {
 
 	return w.tun.GetNet()
 }
+
+func prefixesToIPNets(prefixes []netip.Prefix) []net.IPNet {
+	ipNets := make([]net.IPNet, len(prefixes))
+	for i, prefix := range prefixes {
+		ipNets[i] = net.IPNet{
+			IP:   net.IP(prefix.Addr().AsSlice()),                     // Convert netip.Addr to net.IP
+			Mask: net.CIDRMask(prefix.Bits(), prefix.Addr().BitLen()), // Create subnet mask
+		}
+	}
+	return ipNets
+}

client/iface/iface_new_android.go

@@ -18,7 +18,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
-		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
+		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter),
 		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil

client/iface/mocks/filter.go

@@ -5,6 +5,7 @@
 package mocks
 
 import (
+	net "net"
 	"net/netip"
 	reflect "reflect"
 
@@ -89,3 +90,15 @@ func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomo
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
 }
+
+// SetNetwork mocks base method.
+func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNetwork", arg0)
+}
+
+// SetNetwork indicates an expected call of SetNetwork.
+func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
+}

client/iface/netstack/tun.go

@@ -1,6 +1,8 @@
 package netstack
 
 import (
+	"fmt"
+	"net"
 	"net/netip"
 	"os"
 	"strconv"
@@ -13,8 +15,8 @@ import (
 const EnvSkipProxy = "NB_NETSTACK_SKIP_PROXY"
 
 type NetStackTun struct { //nolint:revive
-	address       netip.Addr
-	dnsAddress    netip.Addr
+	address       net.IP
+	dnsAddress    net.IP
 	mtu           int
 	listenAddress string
 
@@ -22,7 +24,7 @@ type NetStackTun struct { //nolint:revive
 	tundev tun.Device
 }
 
-func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.Addr, mtu int) *NetStackTun {
+func NewNetStackTun(listenAddress string, address net.IP, dnsAddress net.IP, mtu int) *NetStackTun {
 	return &NetStackTun{
 		address:       address,
 		dnsAddress:    dnsAddress,
@@ -32,9 +34,19 @@ func NewNetStackTun(listenAddress string, address netip.Addr, dnsAddress netip.A
 }
 
 func (t *NetStackTun) Create() (tun.Device, *netstack.Net, error) {
+	addr, ok := netip.AddrFromSlice(t.address)
+	if !ok {
+		return nil, nil, fmt.Errorf("convert address to netip.Addr: %v", t.address)
+	}
+
+	dnsAddr, ok := netip.AddrFromSlice(t.dnsAddress)
+	if !ok {
+		return nil, nil, fmt.Errorf("convert dns address to netip.Addr: %v", t.dnsAddress)
+	}
+
 	nsTunDev, tunNet, err := netstack.CreateNetTUN(
-		[]netip.Addr{t.address},
-		[]netip.Addr{t.dnsAddress},
+		[]netip.Addr{addr.Unmap()},
+		[]netip.Addr{dnsAddr.Unmap()},
 		t.mtu)
 	if err != nil {
 		return nil, nil, err

client/iface/wgaddr/address.go

@@ -2,27 +2,28 @@ package wgaddr
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 )
 
 // Address WireGuard parsed address
 type Address struct {
-	IP      netip.Addr
-	Network netip.Prefix
+	IP      net.IP
+	Network *net.IPNet
 }
 
 // ParseWGAddress parse a string ("1.2.3.4/24") address to WG Address
 func ParseWGAddress(address string) (Address, error) {
-	prefix, err := netip.ParsePrefix(address)
+	ip, network, err := net.ParseCIDR(address)
 	if err != nil {
 		return Address{}, err
 	}
 	return Address{
-		IP:      prefix.Addr().Unmap(),
-		Network: prefix.Masked(),
+		IP:      ip,
+		Network: network,
 	}, nil
 }
 
 func (addr Address) String() string {
-	return fmt.Sprintf("%s/%d", addr.IP.String(), addr.Network.Bits())
+	maskSize, _ := addr.Network.Mask.Size()
+	return fmt.Sprintf("%s/%d", addr.IP.String(), maskSize)
 }

client/installer.nsis

@@ -24,8 +24,6 @@
 
 !define AUTOSTART_REG_KEY "Software\Microsoft\Windows\CurrentVersion\Run"
 
-!define NETBIRD_DATA_DIR "$COMMONPROGRAMDATA\Netbird"
-
 Unicode True
 
 ######################################################################
@@ -51,10 +49,6 @@ ShowInstDetails Show
 
 ######################################################################
 
-!include "MUI2.nsh"
-!include LogicLib.nsh
-!include "nsDialogs.nsh"
-
 !define MUI_ICON "${ICON}"
 !define MUI_UNICON "${ICON}"
 !define MUI_WELCOMEFINISHPAGE_BITMAP "${BANNER}"
@@ -64,6 +58,9 @@ ShowInstDetails Show
 !define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink"
 ######################################################################
 
+!include "MUI2.nsh"
+!include LogicLib.nsh
+
 !define MUI_ABORTWARNING
 !define MUI_UNABORTWARNING
 
@@ -73,16 +70,13 @@ ShowInstDetails Show
 
 !insertmacro MUI_PAGE_DIRECTORY
 
+; Custom page for autostart checkbox
 Page custom AutostartPage AutostartPageLeave
 
 !insertmacro MUI_PAGE_INSTFILES
 
 !insertmacro MUI_PAGE_FINISH
 
-!insertmacro MUI_UNPAGE_WELCOME
-
-UninstPage custom un.DeleteDataPage un.DeleteDataPageLeave
-
 !insertmacro MUI_UNPAGE_CONFIRM
 
 !insertmacro MUI_UNPAGE_INSTFILES
@@ -95,10 +89,6 @@ UninstPage custom un.DeleteDataPage un.DeleteDataPageLeave
 Var AutostartCheckbox
 Var AutostartEnabled
 
-; Variables for uninstall data deletion option
-Var DeleteDataCheckbox
-Var DeleteDataEnabled
-
 ######################################################################
 
 ; Function to create the autostart options page
@@ -114,8 +104,8 @@ Function AutostartPage
 
   ${NSD_CreateCheckbox} 0 20u 100% 10u "Start ${APP_NAME} UI automatically when Windows starts"
   Pop $AutostartCheckbox
-  ${NSD_Check} $AutostartCheckbox
-  StrCpy $AutostartEnabled "1"
+  ${NSD_Check} $AutostartCheckbox ; Default to checked
+  StrCpy $AutostartEnabled "1" ; Default to enabled
 
   nsDialogs::Show
 FunctionEnd
@@ -125,30 +115,6 @@ Function AutostartPageLeave
   ${NSD_GetState} $AutostartCheckbox $AutostartEnabled
 FunctionEnd
 
-; Function to create the uninstall data deletion page
-Function un.DeleteDataPage
-  !insertmacro MUI_HEADER_TEXT "Uninstall Options" "Choose whether to delete ${APP_NAME} data."
-
-  nsDialogs::Create 1018
-  Pop $0
-
-  ${If} $0 == error
-    Abort
-  ${EndIf}
-
-  ${NSD_CreateCheckbox} 0 20u 100% 10u "Delete all ${APP_NAME} configuration and state data (${NETBIRD_DATA_DIR})"
-  Pop $DeleteDataCheckbox
-  ${NSD_Uncheck} $DeleteDataCheckbox
-  StrCpy $DeleteDataEnabled "0"
-
-  nsDialogs::Show
-FunctionEnd
-
-; Function to handle leaving the data deletion page
-Function un.DeleteDataPageLeave
-  ${NSD_GetState} $DeleteDataCheckbox $DeleteDataEnabled
-FunctionEnd
-
 Function GetAppFromCommand
 Exch $1
 Push $2
@@ -210,10 +176,10 @@ ${EndIf}
 FunctionEnd
 ######################################################################
 Section -MainProgram
-    ${INSTALL_TYPE}
-    # SetOverwrite ifnewer
-    SetOutPath "$INSTDIR"
-    File /r "..\\dist\\netbird_windows_amd64\\"
+	${INSTALL_TYPE}
+	# SetOverwrite ifnewer
+	SetOutPath "$INSTDIR"
+	File /r "..\\dist\\netbird_windows_amd64\\"
 SectionEnd
 ######################################################################
 
@@ -259,58 +225,31 @@ SectionEnd
 Section Uninstall
 ${INSTALL_TYPE}
 
-DetailPrint "Stopping Netbird service..."
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service stop'
-DetailPrint "Uninstalling Netbird service..."
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 
-DetailPrint "Terminating Netbird UI process..."
+# kill ui client
 ExecWait `taskkill /im ${UI_APP_EXE}.exe /f`
 
 ; Remove autostart registry entry
-DetailPrint "Removing autostart registry entry if exists..."
 DeleteRegValue HKCU "${AUTOSTART_REG_KEY}" "${APP_NAME}"
 
-; Handle data deletion based on checkbox
-DetailPrint "Checking if user requested data deletion..."
-${If} $DeleteDataEnabled == "1"
-    DetailPrint "User opted to delete Netbird data. Removing ${NETBIRD_DATA_DIR}..."
-    ClearErrors
-    RMDir /r "${NETBIRD_DATA_DIR}"
-    IfErrors 0 +2 ; If no errors, jump over the message
-    DetailPrint "Error deleting Netbird data directory. It might be in use or already removed."
-    DetailPrint "Netbird data directory removal complete."
-${Else}
-    DetailPrint "User did not opt to delete Netbird data."
-${EndIf}
-
 # wait the service uninstall take unblock the executable
-DetailPrint "Waiting for service handle to be released..."
 Sleep 3000
-
-DetailPrint "Deleting application files..."
 Delete "$INSTDIR\${UI_APP_EXE}"
 Delete "$INSTDIR\${MAIN_APP_EXE}"
 Delete "$INSTDIR\wintun.dll"
 Delete "$INSTDIR\opengl32.dll"
-DetailPrint "Removing application directory..."
 RmDir /r "$INSTDIR"
 
-DetailPrint "Removing shortcuts..."
 SetShellVarContext all
 Delete "$DESKTOP\${APP_NAME}.lnk"
 Delete "$SMPROGRAMS\${APP_NAME}.lnk"
 
-DetailPrint "Removing registry keys..."
 DeleteRegKey ${REG_ROOT} "${REG_APP_PATH}"
 DeleteRegKey ${REG_ROOT} "${UNINSTALL_PATH}"
-DeleteRegKey ${REG_ROOT} "${UI_REG_APP_PATH}"
-
-DetailPrint "Removing application directory from PATH..."
 EnVar::SetHKLM
 EnVar::DeleteValue "path" "$INSTDIR"
-
-DetailPrint "Uninstallation finished."
 SectionEnd
 
 

client/internal/acl/manager.go

@@ -58,11 +58,6 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 	d.mutex.Lock()
 	defer d.mutex.Unlock()
 
-	if d.firewall == nil {
-		log.Debug("firewall manager is not supported, skipping firewall rules")
-		return
-	}
-
 	start := time.Now()
 	defer func() {
 		total := 0
@@ -74,8 +69,20 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 			time.Since(start), total)
 	}()
 
+	if d.firewall == nil {
+		log.Debug("firewall manager is not supported, skipping firewall rules")
+		return
+	}
+
 	d.applyPeerACLs(networkMap)
 
+	// If we got empty rules list but management did not set the networkMap.FirewallRulesIsEmpty flag,
+	// then the mgmt server is older than the client, and we need to allow all traffic for routes
+	isLegacy := len(networkMap.RoutesFirewallRules) == 0 && !networkMap.RoutesFirewallRulesIsEmpty
+	if err := d.firewall.SetLegacyManagement(isLegacy); err != nil {
+		log.Errorf("failed to set legacy management flag: %v", err)
+	}
+
 	if err := d.applyRouteACLs(networkMap.RoutesFirewallRules, dnsRouteFeatureFlag); err != nil {
 		log.Errorf("Failed to apply route ACLs: %v", err)
 	}
@@ -284,10 +291,8 @@ func (d *DefaultManager) protoRuleToFirewallRule(
 	case mgmProto.RuleDirection_IN:
 		rules, err = d.addInRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	case mgmProto.RuleDirection_OUT:
-		if d.firewall.IsStateful() {
-			return "", nil, nil
-		}
-		// return traffic for outbound connections if firewall is stateless
+		// TODO: Remove this soon. Outbound rules are obsolete.
+		// We only maintain this for return traffic (inbound dir) which is now handled by the stateful firewall already
 		rules, err = d.addOutRules(r.PolicyID, ip, protocol, port, action, ipsetName)
 	default:
 		return "", nil, fmt.Errorf("invalid direction, skipping firewall rule")
@@ -398,15 +403,11 @@ func (d *DefaultManager) squashAcceptRules(
 	//
 	// We zeroed this to notify squash function that this protocol can't be squashed.
 	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
-		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
-			r.Port != "" || !portInfoEmpty(r.PortInfo)
-
-		if hasPortRestrictions {
-			// Don't squash rules with port restrictions
+		drop := r.Action == mgmProto.RuleAction_DROP || r.Port != ""
+		if drop {
 			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
 			return
 		}
-
 		if _, ok := protocols[r.Protocol]; !ok {
 			protocols[r.Protocol] = &protoMatch{
 				ips: map[string]int{},

client/internal/acl/manager_test.go

@@ -1,14 +1,13 @@
 package acl
 
 import (
-	"net/netip"
+	"net"
 	"testing"
 
 	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/firewall"
+	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -43,31 +42,35 @@ func TestDefaultManager(t *testing.T) {
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
+	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
 
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
+		IP:      ip,
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
+	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
+	if err != nil {
+		t.Errorf("create firewall: %v", err)
+		return
+	}
+	defer func(fw manager.Manager) {
+		_ = fw.Close(nil)
+	}(fw)
 	acl := NewDefaultManager(fw)
 
 	t.Run("apply firewall rules", func(t *testing.T) {
 		acl.ApplyFiltering(networkMap, false)
 
-		if fw.IsStateful() {
-			assert.Equal(t, 0, len(acl.peerRulesPairs))
-		} else {
-			assert.Equal(t, 2, len(acl.peerRulesPairs))
+		if len(acl.peerRulesPairs) != 2 {
+			t.Errorf("firewall rules not applied: %v", acl.peerRulesPairs)
+			return
 		}
 	})
 
@@ -91,13 +94,12 @@ func TestDefaultManager(t *testing.T) {
 
 		acl.ApplyFiltering(networkMap, false)
 
-		expectedRules := 2
-		if fw.IsStateful() {
-			expectedRules = 1 // only the inbound rule
+		// we should have one old and one new rule in the existed rules
+		if len(acl.peerRulesPairs) != 2 {
+			t.Errorf("firewall rules not applied")
+			return
 		}
 
-		assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
-
 		// check that old rule was removed
 		previousCount := 0
 		for id := range acl.peerRulesPairs {
@@ -105,86 +107,26 @@ func TestDefaultManager(t *testing.T) {
 				previousCount++
 			}
 		}
-
-		expectedPreviousCount := 0
-		if !fw.IsStateful() {
-			expectedPreviousCount = 1
+		if previousCount != 1 {
+			t.Errorf("old rule was not removed")
 		}
-		assert.Equal(t, expectedPreviousCount, previousCount)
 	})
 
 	t.Run("handle default rules", func(t *testing.T) {
 		networkMap.FirewallRules = networkMap.FirewallRules[:0]
 
 		networkMap.FirewallRulesIsEmpty = true
-		acl.ApplyFiltering(networkMap, false)
-		assert.Equal(t, 0, len(acl.peerRulesPairs))
+		if acl.ApplyFiltering(networkMap, false); len(acl.peerRulesPairs) != 0 {
+			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.peerRulesPairs))
+			return
+		}
 
 		networkMap.FirewallRulesIsEmpty = false
 		acl.ApplyFiltering(networkMap, false)
-
-		expectedRules := 1
-		if fw.IsStateful() {
-			expectedRules = 1 // only inbound allow-all rule
+		if len(acl.peerRulesPairs) != 1 {
+			t.Errorf("rules should contain 1 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.peerRulesPairs))
+			return
 		}
-		assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
-	})
-}
-
-func TestDefaultManagerStateless(t *testing.T) {
-	// stateless currently only in userspace, so we have to disable kernel
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv("NB_DISABLE_CONNTRACK", "true")
-
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-				Port:      "80",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_UDP,
-				Port:      "53",
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
-	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
-	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
-
-	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
-	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
-		Network: network,
-	}).AnyTimes()
-	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
-
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
-	acl := NewDefaultManager(fw)
-
-	t.Run("stateless firewall creates outbound rules", func(t *testing.T) {
-		acl.ApplyFiltering(networkMap, false)
-
-		// In stateless mode, we should have both inbound and outbound rules
-		assert.False(t, fw.IsStateful())
-		assert.Equal(t, 2, len(acl.peerRulesPairs))
 	})
 }
 
@@ -250,19 +192,42 @@ func TestDefaultManagerSquashRules(t *testing.T) {
 
 	manager := &DefaultManager{}
 	rules, _ := manager.squashAcceptRules(networkMap)
-	assert.Equal(t, 2, len(rules))
+	if len(rules) != 2 {
+		t.Errorf("rules should contain 2, got: %v", rules)
+		return
+	}
 
 	r := rules[0]
-	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	assert.Equal(t, mgmProto.RuleDirection_IN, r.Direction)
-	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+	switch {
+	case r.PeerIP != "0.0.0.0":
+		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+		return
+	case r.Direction != mgmProto.RuleDirection_IN:
+		t.Errorf("direction should be IN, got: %v", r.Direction)
+		return
+	case r.Protocol != mgmProto.RuleProtocol_ALL:
+		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
+		return
+	case r.Action != mgmProto.RuleAction_ACCEPT:
+		t.Errorf("action should be ACCEPT, got: %v", r.Action)
+		return
+	}
 
 	r = rules[1]
-	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	assert.Equal(t, mgmProto.RuleDirection_OUT, r.Direction)
-	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
+	switch {
+	case r.PeerIP != "0.0.0.0":
+		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
+		return
+	case r.Direction != mgmProto.RuleDirection_OUT:
+		t.Errorf("direction should be OUT, got: %v", r.Direction)
+		return
+	case r.Protocol != mgmProto.RuleProtocol_ALL:
+		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
+		return
+	case r.Action != mgmProto.RuleAction_ACCEPT:
+		t.Errorf("action should be ACCEPT, got: %v", r.Action)
+		return
+	}
 }
 
 func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
@@ -326,435 +291,8 @@ func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
 	}
 
 	manager := &DefaultManager{}
-	rules, _ := manager.squashAcceptRules(networkMap)
-	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
-}
-
-func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
-	tests := []struct {
-		name          string
-		rules         []*mgmProto.FirewallRule
-		expectedCount int
-		description   string
-	}{
-		{
-			name: "should not squash rules with port ranges",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with port ranges should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with specific ports",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with specific ports should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with legacy port field",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with legacy port field should not be squashed",
-		},
-		{
-			name: "should not squash rules with DROP action",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with DROP action should not be squashed",
-		},
-		{
-			name: "should squash rules without port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 1,
-			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
-		},
-		{
-			name: "mixed rules should not squash protocol with port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "TCP should not be squashed because one rule has port restrictions",
-		},
-		{
-			name: "should squash UDP but not TCP when TCP has port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				// TCP rules with port restrictions - should NOT be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				// UDP rules without port restrictions - SHOULD be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-			},
-			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
-			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			networkMap := &mgmProto.NetworkMap{
-				RemotePeers: []*mgmProto.RemotePeerConfig{
-					{AllowedIps: []string{"10.93.0.1"}},
-					{AllowedIps: []string{"10.93.0.2"}},
-					{AllowedIps: []string{"10.93.0.3"}},
-					{AllowedIps: []string{"10.93.0.4"}},
-				},
-				FirewallRules: tt.rules,
-			}
-
-			manager := &DefaultManager{}
-			rules, _ := manager.squashAcceptRules(networkMap)
-
-			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
-
-			// For squashed rules, verify we get the expected 0.0.0.0 rule
-			if tt.expectedCount == 1 {
-				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
-				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
-				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
-			}
-		})
-	}
-}
-
-func TestPortInfoEmpty(t *testing.T) {
-	tests := []struct {
-		name     string
-		portInfo *mgmProto.PortInfo
-		expected bool
-	}{
-		{
-			name:     "nil PortInfo should be empty",
-			portInfo: nil,
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero port should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Port{
-					Port: 0,
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with valid port should not be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Port{
-					Port: 80,
-				},
-			},
-			expected: false,
-		},
-		{
-			name: "PortInfo with nil range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: nil,
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero start range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 0,
-						End:   100,
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with zero end range should be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 80,
-						End:   0,
-					},
-				},
-			},
-			expected: true,
-		},
-		{
-			name: "PortInfo with valid range should not be empty",
-			portInfo: &mgmProto.PortInfo{
-				PortSelection: &mgmProto.PortInfo_Range_{
-					Range: &mgmProto.PortInfo_Range{
-						Start: 8080,
-						End:   8090,
-					},
-				},
-			},
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			result := portInfoEmpty(tt.portInfo)
-			assert.Equal(t, tt.expected, result)
-		})
+	if rules, _ := manager.squashAcceptRules(networkMap); len(rules) != len(networkMap.FirewallRules) {
+		t.Errorf("we should get the same amount of rules as output, got %v", len(rules))
 	}
 }
 
@@ -798,29 +336,33 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
 	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
 	ifaceMock.EXPECT().SetFilter(gomock.Any())
-	network := netip.MustParsePrefix("172.0.0.1/32")
+	ip, network, err := net.ParseCIDR("172.0.0.1/32")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
 
 	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
 	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
-		IP:      network.Addr(),
+		IP:      ip,
 		Network: network,
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
+	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
-	require.NoError(t, err)
-	defer func() {
-		err = fw.Close(nil)
-		require.NoError(t, err)
-	}()
-
+	if err != nil {
+		t.Errorf("create firewall: %v", err)
+		return
+	}
+	defer func(fw manager.Manager) {
+		_ = fw.Close(nil)
+	}(fw)
 	acl := NewDefaultManager(fw)
 
 	acl.ApplyFiltering(networkMap, false)
 
-	expectedRules := 3
-	if fw.IsStateful() {
-		expectedRules = 3 // 2 inbound rules + SSH rule
+	if len(acl.peerRulesPairs) != 3 {
+		t.Errorf("expect 3 rules (last must be SSH), got: %d", len(acl.peerRulesPairs))
+		return
 	}
-	assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
 }

client/internal/auth/oauth.go

@@ -64,8 +64,13 @@ func (t TokenInfo) GetTokenToUse() string {
 // and if that also fails, the authentication process is deemed unsuccessful
 //
 // On Linux distros without desktop environment support, it only tries to initialize the Device Code Flow
-func NewOAuthFlow(ctx context.Context, config *internal.Config, isUnixDesktopClient bool) (OAuthFlow, error) {
-	if (runtime.GOOS == "linux" || runtime.GOOS == "freebsd") && !isUnixDesktopClient {
+func NewOAuthFlow(ctx context.Context, config *internal.Config, isLinuxDesktopClient bool) (OAuthFlow, error) {
+	if runtime.GOOS == "linux" && !isLinuxDesktopClient {
+		return authenticateWithDeviceCodeFlow(ctx, config)
+	}
+
+	// On FreeBSD we currently do not support desktop environments and offer only Device Code Flow (#2384)
+	if runtime.GOOS == "freebsd" {
 		return authenticateWithDeviceCodeFlow(ctx, config)
 	}
 

client/internal/auth/pkce_flow.go

@@ -101,12 +101,7 @@ func (p *PKCEAuthorizationFlow) RequestAuthInfo(ctx context.Context) (AuthFlowIn
 		oauth2.SetAuthURLParam("audience", p.providerConfig.Audience),
 	}
 	if !p.providerConfig.DisablePromptLogin {
-		if p.providerConfig.LoginFlag.IsPromptLogin() {
-			params = append(params, oauth2.SetAuthURLParam("prompt", "login"))
-		}
-		if p.providerConfig.LoginFlag.IsMaxAge0Login() {
-			params = append(params, oauth2.SetAuthURLParam("max_age", "0"))
-		}
+		params = append(params, oauth2.SetAuthURLParam("prompt", "login"))
 	}
 
 	authURL := p.oAuthConfig.AuthCodeURL(state, params...)

client/internal/auth/pkce_flow_test.go

@@ -7,36 +7,15 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/internal"
-	mgm "github.com/netbirdio/netbird/management/client/common"
 )
 
 func TestPromptLogin(t *testing.T) {
-	const (
-		promptLogin = "prompt=login"
-		maxAge0     = "max_age=0"
-	)
-
 	tt := []struct {
-		name               string
-		loginFlag          mgm.LoginFlag
-		disablePromptLogin bool
-		expect             string
+		name   string
+		prompt bool
 	}{
-		{
-			name:      "Prompt login",
-			loginFlag: mgm.LoginFlagPrompt,
-			expect:    promptLogin,
-		},
-		{
-			name:      "Max age 0 login",
-			loginFlag: mgm.LoginFlagMaxAge0,
-			expect:    maxAge0,
-		},
-		{
-			name:               "Disable prompt login",
-			loginFlag:          mgm.LoginFlagPrompt,
-			disablePromptLogin: true,
-		},
+		{"PromptLogin", true},
+		{"NoPromptLogin", false},
 	}
 
 	for _, tc := range tt {
@@ -49,7 +28,7 @@ func TestPromptLogin(t *testing.T) {
 				AuthorizationEndpoint: "https://test-auth-endpoint.com/authorize",
 				RedirectURLs:          []string{"http://127.0.0.1:33992/"},
 				UseIDToken:            true,
-				LoginFlag:             tc.loginFlag,
+				DisablePromptLogin:    !tc.prompt,
 			}
 			pkce, err := NewPKCEAuthorizationFlow(config)
 			if err != nil {
@@ -59,12 +38,11 @@ func TestPromptLogin(t *testing.T) {
 			if err != nil {
 				t.Fatalf("Failed to request auth info: %v", err)
 			}
-
-			if !tc.disablePromptLogin {
-				require.Contains(t, authInfo.VerificationURIComplete, tc.expect)
+			pattern := "prompt=login"
+			if tc.prompt {
+				require.Contains(t, authInfo.VerificationURIComplete, pattern)
 			} else {
-				require.Contains(t, authInfo.VerificationURIComplete, promptLogin)
-				require.NotContains(t, authInfo.VerificationURIComplete, maxAge0)
+				require.NotContains(t, authInfo.VerificationURIComplete, pattern)
 			}
 		})
 	}

client/internal/config.go

@@ -68,14 +68,12 @@ type ConfigInput struct {
 	DisableServerRoutes *bool
 	DisableDNS          *bool
 	DisableFirewall     *bool
-	BlockLANAccess      *bool
-	BlockInbound        *bool
+
+	BlockLANAccess *bool
 
 	DisableNotifications *bool
 
 	DNSLabels domain.List
-
-	LazyConnectionEnabled *bool
 }
 
 // Config Configuration type
@@ -98,8 +96,8 @@ type Config struct {
 	DisableServerRoutes bool
 	DisableDNS          bool
 	DisableFirewall     bool
-	BlockLANAccess      bool
-	BlockInbound        bool
+
+	BlockLANAccess bool
 
 	DisableNotifications *bool
 
@@ -140,8 +138,6 @@ type Config struct {
 	ClientCertKeyPath string
 
 	ClientCertKeyPair *tls.Certificate `json:"-"`
-
-	LazyConnectionEnabled bool
 }
 
 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
@@ -223,8 +219,6 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
-		// default to disabling server routes on Android for security
-		DisableServerRoutes: runtime.GOOS == "android",
 	}
 
 	if _, err := config.apply(input); err != nil {
@@ -418,15 +412,9 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		config.ServerSSHAllowed = input.ServerSSHAllowed
 		updated = true
 	} else if config.ServerSSHAllowed == nil {
-		if runtime.GOOS == "android" {
-			// default to disabled SSH on Android for security
-			log.Infof("setting SSH server to false by default on Android")
-			config.ServerSSHAllowed = util.False()
-		} else {
-			// enables SSH for configs from old versions to preserve backwards compatibility
-			log.Infof("falling back to enabled SSH server for pre-existing configuration")
-			config.ServerSSHAllowed = util.True()
-		}
+		// enables SSH for configs from old versions to preserve backwards compatibility
+		log.Infof("falling back to enabled SSH server for pre-existing configuration")
+		config.ServerSSHAllowed = util.True()
 		updated = true
 	}
 
@@ -491,16 +479,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.BlockInbound != nil && *input.BlockInbound != config.BlockInbound {
-		if *input.BlockInbound {
-			log.Infof("blocking inbound connections")
-		} else {
-			log.Infof("allowing inbound connections")
-		}
-		config.BlockInbound = *input.BlockInbound
-		updated = true
-	}
-
 	if input.DisableNotifications != nil && input.DisableNotifications != config.DisableNotifications {
 		if *input.DisableNotifications {
 			log.Infof("disabling notifications")
@@ -546,12 +524,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.LazyConnectionEnabled != nil && *input.LazyConnectionEnabled != config.LazyConnectionEnabled {
-		log.Infof("switching lazy connection to %t", *input.LazyConnectionEnabled)
-		config.LazyConnectionEnabled = *input.LazyConnectionEnabled
-		updated = true
-	}
-
 	return updated, nil
 }
 

client/internal/conn_mgr.go

@@ -1,312 +0,0 @@
-package internal
-
-import (
-	"context"
-	"os"
-	"strconv"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-	"github.com/netbirdio/netbird/client/internal/lazyconn/manager"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/peer/dispatcher"
-	"github.com/netbirdio/netbird/client/internal/peerstore"
-	"github.com/netbirdio/netbird/route"
-)
-
-// ConnMgr coordinates both lazy connections (established on-demand) and permanent peer connections.
-//
-// The connection manager is responsible for:
-// - Managing lazy connections via the lazyConnManager
-// - Maintaining a list of excluded peers that should always have permanent connections
-// - Handling connection establishment based on peer signaling
-//
-// The implementation is not thread-safe; it is protected by engine.syncMsgMux.
-type ConnMgr struct {
-	peerStore      *peerstore.Store
-	statusRecorder *peer.Status
-	iface          lazyconn.WGIface
-	dispatcher     *dispatcher.ConnectionDispatcher
-	enabledLocally bool
-
-	lazyConnMgr *manager.Manager
-
-	wg            sync.WaitGroup
-	lazyCtx       context.Context
-	lazyCtxCancel context.CancelFunc
-}
-
-func NewConnMgr(engineConfig *EngineConfig, statusRecorder *peer.Status, peerStore *peerstore.Store, iface lazyconn.WGIface, dispatcher *dispatcher.ConnectionDispatcher) *ConnMgr {
-	e := &ConnMgr{
-		peerStore:      peerStore,
-		statusRecorder: statusRecorder,
-		iface:          iface,
-		dispatcher:     dispatcher,
-	}
-	if engineConfig.LazyConnectionEnabled || lazyconn.IsLazyConnEnabledByEnv() {
-		e.enabledLocally = true
-	}
-	return e
-}
-
-// Start initializes the connection manager and starts the lazy connection manager if enabled by env var or cmd line option.
-func (e *ConnMgr) Start(ctx context.Context) {
-	if e.lazyConnMgr != nil {
-		log.Errorf("lazy connection manager is already started")
-		return
-	}
-
-	if !e.enabledLocally {
-		log.Infof("lazy connection manager is disabled")
-		return
-	}
-
-	e.initLazyManager(ctx)
-	e.statusRecorder.UpdateLazyConnection(true)
-}
-
-// UpdatedRemoteFeatureFlag is called when the remote feature flag is updated.
-// If enabled, it initializes the lazy connection manager and start it. Do not need to call Start() again.
-// If disabled, then it closes the lazy connection manager and open the connections to all peers.
-func (e *ConnMgr) UpdatedRemoteFeatureFlag(ctx context.Context, enabled bool) error {
-	// do not disable lazy connection manager if it was enabled by env var
-	if e.enabledLocally {
-		return nil
-	}
-
-	if enabled {
-		// if the lazy connection manager is already started, do not start it again
-		if e.lazyConnMgr != nil {
-			return nil
-		}
-
-		log.Infof("lazy connection manager is enabled by management feature flag")
-		e.initLazyManager(ctx)
-		e.statusRecorder.UpdateLazyConnection(true)
-		return e.addPeersToLazyConnManager()
-	} else {
-		if e.lazyConnMgr == nil {
-			return nil
-		}
-		log.Infof("lazy connection manager is disabled by management feature flag")
-		e.closeManager(ctx)
-		e.statusRecorder.UpdateLazyConnection(false)
-		return nil
-	}
-}
-
-// UpdateRouteHAMap updates the route HA mappings in the lazy connection manager
-func (e *ConnMgr) UpdateRouteHAMap(haMap route.HAMap) {
-	if !e.isStartedWithLazyMgr() {
-		log.Debugf("lazy connection manager is not started, skipping UpdateRouteHAMap")
-		return
-	}
-
-	e.lazyConnMgr.UpdateRouteHAMap(haMap)
-}
-
-// SetExcludeList sets the list of peer IDs that should always have permanent connections.
-func (e *ConnMgr) SetExcludeList(ctx context.Context, peerIDs map[string]bool) {
-	if e.lazyConnMgr == nil {
-		return
-	}
-
-	excludedPeers := make([]lazyconn.PeerConfig, 0, len(peerIDs))
-
-	for peerID := range peerIDs {
-		var peerConn *peer.Conn
-		var exists bool
-		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
-			log.Warnf("failed to find peer conn for peerID: %s", peerID)
-			continue
-		}
-
-		lazyPeerCfg := lazyconn.PeerConfig{
-			PublicKey:  peerID,
-			AllowedIPs: peerConn.WgConfig().AllowedIps,
-			PeerConnID: peerConn.ConnID(),
-			Log:        peerConn.Log,
-		}
-		excludedPeers = append(excludedPeers, lazyPeerCfg)
-	}
-
-	added := e.lazyConnMgr.ExcludePeer(e.lazyCtx, excludedPeers)
-	for _, peerID := range added {
-		var peerConn *peer.Conn
-		var exists bool
-		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
-			// if the peer not exist in the store, it means that the engine will call the AddPeerConn in next step
-			continue
-		}
-
-		peerConn.Log.Infof("peer has been added to lazy connection exclude list, opening permanent connection")
-		if err := peerConn.Open(ctx); err != nil {
-			peerConn.Log.Errorf("failed to open connection: %v", err)
-		}
-	}
-}
-
-func (e *ConnMgr) AddPeerConn(ctx context.Context, peerKey string, conn *peer.Conn) (exists bool) {
-	if success := e.peerStore.AddPeerConn(peerKey, conn); !success {
-		return true
-	}
-
-	if !e.isStartedWithLazyMgr() {
-		if err := conn.Open(ctx); err != nil {
-			conn.Log.Errorf("failed to open connection: %v", err)
-		}
-		return
-	}
-
-	if !lazyconn.IsSupported(conn.AgentVersionString()) {
-		conn.Log.Warnf("peer does not support lazy connection (%s), open permanent connection", conn.AgentVersionString())
-		if err := conn.Open(ctx); err != nil {
-			conn.Log.Errorf("failed to open connection: %v", err)
-		}
-		return
-	}
-
-	lazyPeerCfg := lazyconn.PeerConfig{
-		PublicKey:  peerKey,
-		AllowedIPs: conn.WgConfig().AllowedIps,
-		PeerConnID: conn.ConnID(),
-		Log:        conn.Log,
-	}
-	excluded, err := e.lazyConnMgr.AddPeer(e.lazyCtx, lazyPeerCfg)
-	if err != nil {
-		conn.Log.Errorf("failed to add peer to lazyconn manager: %v", err)
-		if err := conn.Open(ctx); err != nil {
-			conn.Log.Errorf("failed to open connection: %v", err)
-		}
-		return
-	}
-
-	if excluded {
-		conn.Log.Infof("peer is on lazy conn manager exclude list, opening connection")
-		if err := conn.Open(ctx); err != nil {
-			conn.Log.Errorf("failed to open connection: %v", err)
-		}
-		return
-	}
-
-	conn.Log.Infof("peer added to lazy conn manager")
-	return
-}
-
-func (e *ConnMgr) RemovePeerConn(peerKey string) {
-	conn, ok := e.peerStore.Remove(peerKey)
-	if !ok {
-		return
-	}
-	defer conn.Close()
-
-	if !e.isStartedWithLazyMgr() {
-		return
-	}
-
-	e.lazyConnMgr.RemovePeer(peerKey)
-	conn.Log.Infof("removed peer from lazy conn manager")
-}
-
-func (e *ConnMgr) OnSignalMsg(ctx context.Context, peerKey string) (*peer.Conn, bool) {
-	conn, ok := e.peerStore.PeerConn(peerKey)
-	if !ok {
-		return nil, false
-	}
-
-	if !e.isStartedWithLazyMgr() {
-		return conn, true
-	}
-
-	if found := e.lazyConnMgr.ActivatePeer(e.lazyCtx, peerKey); found {
-		conn.Log.Infof("activated peer from inactive state")
-		if err := conn.Open(ctx); err != nil {
-			conn.Log.Errorf("failed to open connection: %v", err)
-		}
-	}
-	return conn, true
-}
-
-func (e *ConnMgr) Close() {
-	if !e.isStartedWithLazyMgr() {
-		return
-	}
-
-	e.lazyCtxCancel()
-	e.wg.Wait()
-	e.lazyConnMgr = nil
-}
-
-func (e *ConnMgr) initLazyManager(engineCtx context.Context) {
-	cfg := manager.Config{
-		InactivityThreshold: inactivityThresholdEnv(),
-	}
-	e.lazyConnMgr = manager.NewManager(cfg, engineCtx, e.peerStore, e.iface, e.dispatcher)
-
-	e.lazyCtx, e.lazyCtxCancel = context.WithCancel(engineCtx)
-
-	e.wg.Add(1)
-	go func() {
-		defer e.wg.Done()
-		e.lazyConnMgr.Start(e.lazyCtx)
-	}()
-}
-
-func (e *ConnMgr) addPeersToLazyConnManager() error {
-	peers := e.peerStore.PeersPubKey()
-	lazyPeerCfgs := make([]lazyconn.PeerConfig, 0, len(peers))
-	for _, peerID := range peers {
-		var peerConn *peer.Conn
-		var exists bool
-		if peerConn, exists = e.peerStore.PeerConn(peerID); !exists {
-			log.Warnf("failed to find peer conn for peerID: %s", peerID)
-			continue
-		}
-
-		lazyPeerCfg := lazyconn.PeerConfig{
-			PublicKey:  peerID,
-			AllowedIPs: peerConn.WgConfig().AllowedIps,
-			PeerConnID: peerConn.ConnID(),
-			Log:        peerConn.Log,
-		}
-		lazyPeerCfgs = append(lazyPeerCfgs, lazyPeerCfg)
-	}
-
-	return e.lazyConnMgr.AddActivePeers(e.lazyCtx, lazyPeerCfgs)
-}
-
-func (e *ConnMgr) closeManager(ctx context.Context) {
-	if e.lazyConnMgr == nil {
-		return
-	}
-
-	e.lazyCtxCancel()
-	e.wg.Wait()
-	e.lazyConnMgr = nil
-
-	for _, peerID := range e.peerStore.PeersPubKey() {
-		e.peerStore.PeerConnOpen(ctx, peerID)
-	}
-}
-
-func (e *ConnMgr) isStartedWithLazyMgr() bool {
-	return e.lazyConnMgr != nil && e.lazyCtxCancel != nil
-}
-
-func inactivityThresholdEnv() *time.Duration {
-	envValue := os.Getenv(lazyconn.EnvInactivityThreshold)
-	if envValue == "" {
-		return nil
-	}
-
-	parsedMinutes, err := strconv.Atoi(envValue)
-	if err != nil || parsedMinutes <= 0 {
-		return nil
-	}
-
-	d := time.Duration(parsedMinutes) * time.Minute
-	return &d
-}

client/internal/connect.go

@@ -436,13 +436,11 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		DNSRouteInterval:     config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
-		DisableServerRoutes: config.DisableServerRoutes || config.BlockInbound,
+		DisableServerRoutes: config.DisableServerRoutes,
 		DisableDNS:          config.DisableDNS,
 		DisableFirewall:     config.DisableFirewall,
-		BlockLANAccess:      config.BlockLANAccess,
-		BlockInbound:        config.BlockInbound,
 
-		LazyConnectionEnabled: config.LazyConnectionEnabled,
+		BlockLANAccess: config.BlockLANAccess,
 	}
 
 	if config.PreSharedKey != "" {
@@ -483,7 +481,7 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP
 	return signalClient, nil
 }
 
-// loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
+// loginToManagement creates Management Services client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
 func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *Config) (*mgmProto.LoginResponse, error) {
 
 	serverPublicKey, err := client.GetServerPublicKey()
@@ -500,9 +498,6 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.DisableServerRoutes,
 		config.DisableDNS,
 		config.DisableFirewall,
-		config.BlockLANAccess,
-		config.BlockInbound,
-		config.LazyConnectionEnabled,
 	)
 	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/debug/debug.go

@@ -4,7 +4,6 @@ import (
 	"archive/zip"
 	"bufio"
 	"bytes"
-	"compress/gzip"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -270,21 +269,11 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("Failed to add corrupted state files to debug bundle: %v", err)
 	}
 
-	if err := g.addWgShow(); err != nil {
-		log.Errorf("Failed to add wg show output: %v", err)
-	}
-
-	if g.logFile != "console" && g.logFile != "" {
+	if g.logFile != "console" {
 		if err := g.addLogfile(); err != nil {
-			log.Errorf("Failed to add log file to debug bundle: %v", err)
-			if err := g.trySystemdLogFallback(); err != nil {
-				log.Errorf("Failed to add systemd logs as fallback: %v", err)
-			}
+			return fmt.Errorf("add log file: %w", err)
 		}
-	} else if err := g.trySystemdLogFallback(); err != nil {
-		log.Errorf("Failed to add systemd logs: %v", err)
 	}
-
 	return nil
 }
 
@@ -376,34 +365,17 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	configContent.WriteString(fmt.Sprintf("RosenpassEnabled: %v\n", g.internalConfig.RosenpassEnabled))
 	configContent.WriteString(fmt.Sprintf("RosenpassPermissive: %v\n", g.internalConfig.RosenpassPermissive))
 	if g.internalConfig.ServerSSHAllowed != nil {
-		configContent.WriteString(fmt.Sprintf("ServerSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
+		configContent.WriteString(fmt.Sprintf("BundleGeneratorSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
 	}
-
-	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
-	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))
-	configContent.WriteString(fmt.Sprintf("DisableDNS: %v\n", g.internalConfig.DisableDNS))
-	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
-	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
-	configContent.WriteString(fmt.Sprintf("BlockInbound: %v\n", g.internalConfig.BlockInbound))
-
-	if g.internalConfig.DisableNotifications != nil {
-		configContent.WriteString(fmt.Sprintf("DisableNotifications: %v\n", *g.internalConfig.DisableNotifications))
-	}
-
-	configContent.WriteString(fmt.Sprintf("DNSLabels: %v\n", g.internalConfig.DNSLabels))
-
 	configContent.WriteString(fmt.Sprintf("DisableAutoConnect: %v\n", g.internalConfig.DisableAutoConnect))
-
 	configContent.WriteString(fmt.Sprintf("DNSRouteInterval: %s\n", g.internalConfig.DNSRouteInterval))
 
-	if g.internalConfig.ClientCertPath != "" {
-		configContent.WriteString(fmt.Sprintf("ClientCertPath: %s\n", g.internalConfig.ClientCertPath))
-	}
-	if g.internalConfig.ClientCertKeyPath != "" {
-		configContent.WriteString(fmt.Sprintf("ClientCertKeyPath: %s\n", g.internalConfig.ClientCertKeyPath))
-	}
+	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
+	configContent.WriteString(fmt.Sprintf("DisableBundleGeneratorRoutes: %v\n", g.internalConfig.DisableServerRoutes))
+	configContent.WriteString(fmt.Sprintf("DisableDNS: %v\n", g.internalConfig.DisableDNS))
+	configContent.WriteString(fmt.Sprintf("DisableFirewall: %v\n", g.internalConfig.DisableFirewall))
 
-	configContent.WriteString(fmt.Sprintf("LazyConnectionEnabled: %v\n", g.internalConfig.LazyConnectionEnabled))
+	configContent.WriteString(fmt.Sprintf("BlockLANAccess: %v\n", g.internalConfig.BlockLANAccess))
 }
 
 func (g *BundleGenerator) addProf() (err error) {
@@ -561,33 +533,6 @@ func (g *BundleGenerator) addLogfile() error {
 		return fmt.Errorf("add client log file to zip: %w", err)
 	}
 
-	// add latest rotated log file
-	pattern := filepath.Join(logDir, "client-*.log.gz")
-	files, err := filepath.Glob(pattern)
-	if err != nil {
-		log.Warnf("failed to glob rotated logs: %v", err)
-	} else if len(files) > 0 {
-		// pick the file with the latest ModTime
-		sort.Slice(files, func(i, j int) bool {
-			fi, err := os.Stat(files[i])
-			if err != nil {
-				log.Warnf("failed to stat rotated log %s: %v", files[i], err)
-				return false
-			}
-			fj, err := os.Stat(files[j])
-			if err != nil {
-				log.Warnf("failed to stat rotated log %s: %v", files[j], err)
-				return false
-			}
-			return fi.ModTime().Before(fj.ModTime())
-		})
-		latest := files[len(files)-1]
-		name := filepath.Base(latest)
-		if err := g.addSingleLogFileGz(latest, name); err != nil {
-			log.Warnf("failed to add rotated log %s: %v", name, err)
-		}
-	}
-
 	stdErrLogPath := filepath.Join(logDir, errorLogFile)
 	stdoutLogPath := filepath.Join(logDir, stdoutLogFile)
 	if runtime.GOOS == "darwin" {
@@ -618,13 +563,16 @@ func (g *BundleGenerator) addSingleLogfile(logPath, targetName string) error {
 		}
 	}()
 
-	var logReader io.Reader = logFile
+	var logReader io.Reader
 	if g.anonymize {
 		var writer *io.PipeWriter
 		logReader, writer = io.Pipe()
 
 		go anonymizeLog(logFile, writer, g.anonymizer)
+	} else {
+		logReader = logFile
 	}
+
 	if err := g.addFileToZip(logReader, targetName); err != nil {
 		return fmt.Errorf("add %s to zip: %w", targetName, err)
 	}
@@ -632,44 +580,6 @@ func (g *BundleGenerator) addSingleLogfile(logPath, targetName string) error {
 	return nil
 }
 
-// addSingleLogFileGz adds a single gzipped log file to the archive
-func (g *BundleGenerator) addSingleLogFileGz(logPath, targetName string) error {
-	f, err := os.Open(logPath)
-	if err != nil {
-		return fmt.Errorf("open gz log file %s: %w", targetName, err)
-	}
-	defer f.Close()
-
-	gzr, err := gzip.NewReader(f)
-	if err != nil {
-		return fmt.Errorf("create gzip reader: %w", err)
-	}
-	defer gzr.Close()
-
-	var logReader io.Reader = gzr
-	if g.anonymize {
-		var pw *io.PipeWriter
-		logReader, pw = io.Pipe()
-		go anonymizeLog(gzr, pw, g.anonymizer)
-	}
-
-	var buf bytes.Buffer
-	gw := gzip.NewWriter(&buf)
-	if _, err := io.Copy(gw, logReader); err != nil {
-		return fmt.Errorf("re-gzip: %w", err)
-	}
-
-	if err := gw.Close(); err != nil {
-		return fmt.Errorf("close gzip writer: %w", err)
-	}
-
-	if err := g.addFileToZip(&buf, targetName); err != nil {
-		return fmt.Errorf("add anonymized gz: %w", err)
-	}
-
-	return nil
-}
-
 func (g *BundleGenerator) addFileToZip(reader io.Reader, filename string) error {
 	header := &zip.FileHeader{
 		Name:     filename,

client/internal/debug/debug_linux.go

@@ -4,104 +4,17 @@ package debug
 
 import (
 	"bytes"
-	"context"
 	"encoding/binary"
-	"errors"
 	"fmt"
-	"os"
 	"os/exec"
 	"sort"
 	"strings"
-	"time"
 
 	"github.com/google/nftables"
 	"github.com/google/nftables/expr"
 	log "github.com/sirupsen/logrus"
 )
 
-const (
-	maxLogEntries = 100000
-	maxLogAge     = 7 * 24 * time.Hour // Last 7 days
-)
-
-// trySystemdLogFallback attempts to get logs from systemd journal as fallback
-func (g *BundleGenerator) trySystemdLogFallback() error {
-	log.Debug("Attempting to collect systemd journal logs")
-
-	serviceName := getServiceName()
-	journalLogs, err := getSystemdLogs(serviceName)
-	if err != nil {
-		return fmt.Errorf("get systemd logs for %s: %w", serviceName, err)
-	}
-
-	if strings.Contains(journalLogs, "No recent log entries found") {
-		log.Debug("No recent log entries found in systemd journal")
-		return nil
-	}
-
-	if g.anonymize {
-		journalLogs = g.anonymizer.AnonymizeString(journalLogs)
-	}
-
-	logReader := strings.NewReader(journalLogs)
-	fileName := fmt.Sprintf("systemd-%s.log", serviceName)
-	if err := g.addFileToZip(logReader, fileName); err != nil {
-		return fmt.Errorf("add systemd logs to bundle: %w", err)
-	}
-
-	log.Infof("Added systemd journal logs for %s to debug bundle", serviceName)
-	return nil
-}
-
-// getServiceName gets the service name from environment or defaults to netbird
-func getServiceName() string {
-	if unitName := os.Getenv("SYSTEMD_UNIT"); unitName != "" {
-		log.Debugf("Detected SYSTEMD_UNIT environment variable: %s", unitName)
-		return unitName
-	}
-
-	return "netbird"
-}
-
-// getSystemdLogs retrieves logs from systemd journal for a specific service using journalctl
-func getSystemdLogs(serviceName string) (string, error) {
-	args := []string{
-		"-u", fmt.Sprintf("%s.service", serviceName),
-		"--since", fmt.Sprintf("-%s", maxLogAge.String()),
-		"--lines", fmt.Sprintf("%d", maxLogEntries),
-		"--no-pager",
-		"--output", "short-iso",
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-
-	cmd := exec.CommandContext(ctx, "journalctl", args...)
-	var stdout, stderr bytes.Buffer
-	cmd.Stdout = &stdout
-	cmd.Stderr = &stderr
-
-	if err := cmd.Run(); err != nil {
-		if errors.Is(ctx.Err(), context.DeadlineExceeded) {
-			return "", fmt.Errorf("journalctl command timed out after 30 seconds")
-		}
-		if strings.Contains(err.Error(), "executable file not found") {
-			return "", fmt.Errorf("journalctl command not found: %w", err)
-		}
-		return "", fmt.Errorf("execute journalctl: %w (stderr: %s)", err, stderr.String())
-	}
-
-	logs := stdout.String()
-	if strings.TrimSpace(logs) == "" {
-		return "No recent log entries found in systemd journal", nil
-	}
-
-	header := fmt.Sprintf("=== Systemd Journal Logs for %s.service (last %d entries, max %s) ===\n",
-		serviceName, maxLogEntries, maxLogAge.String())
-
-	return header + logs, nil
-}
-
 // addFirewallRules collects and adds firewall rules to the archive
 func (g *BundleGenerator) addFirewallRules() error {
 	log.Info("Collecting firewall rules")
@@ -568,7 +481,7 @@ func formatExpr(exp expr.Any) string {
 	case *expr.Fib:
 		return formatFib(e)
 	case *expr.Target:
-		return fmt.Sprintf("jump %s", e.Name)
+		return fmt.Sprintf("jump %s", e.Name) // Properly format jump targets
 	case *expr.Immediate:
 		if e.Register == 1 {
 			return formatImmediateData(e.Data)

client/internal/debug/debug_nonlinux.go

@@ -6,9 +6,3 @@ package debug
 func (g *BundleGenerator) addFirewallRules() error {
 	return nil
 }
-
-func (g *BundleGenerator) trySystemdLogFallback() error {
-	// Systemd is only available on Linux
-	// TODO: Add BSD support
-	return nil
-}

client/internal/debug/wgshow.go

@@ -1,66 +0,0 @@
-package debug
-
-import (
-	"bytes"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/netbirdio/netbird/client/iface/configurer"
-)
-
-type WGIface interface {
-	FullStats() (*configurer.Stats, error)
-}
-
-func (g *BundleGenerator) addWgShow() error {
-	result, err := g.statusRecorder.PeersStatus()
-	if err != nil {
-		return err
-	}
-
-	output := g.toWGShowFormat(result)
-	reader := bytes.NewReader([]byte(output))
-
-	if err := g.addFileToZip(reader, "wgshow.txt"); err != nil {
-		return fmt.Errorf("add wg show to zip: %w", err)
-	}
-	return nil
-}
-
-func (g *BundleGenerator) toWGShowFormat(s *configurer.Stats) string {
-	var sb strings.Builder
-
-	sb.WriteString(fmt.Sprintf("interface: %s\n", s.DeviceName))
-	sb.WriteString(fmt.Sprintf("  public key: %s\n", s.PublicKey))
-	sb.WriteString(fmt.Sprintf("  listen port: %d\n", s.ListenPort))
-	if s.FWMark != 0 {
-		sb.WriteString(fmt.Sprintf("  fwmark: %#x\n", s.FWMark))
-	}
-
-	for _, peer := range s.Peers {
-		sb.WriteString(fmt.Sprintf("\npeer: %s\n", peer.PublicKey))
-		if peer.Endpoint.IP != nil {
-			if g.anonymize {
-				anonEndpoint := g.anonymizer.AnonymizeUDPAddr(peer.Endpoint)
-				sb.WriteString(fmt.Sprintf("  endpoint: %s\n", anonEndpoint.String()))
-			} else {
-				sb.WriteString(fmt.Sprintf("  endpoint: %s\n", peer.Endpoint.String()))
-			}
-		}
-		if len(peer.AllowedIPs) > 0 {
-			var ipStrings []string
-			for _, ipnet := range peer.AllowedIPs {
-				ipStrings = append(ipStrings, ipnet.String())
-			}
-			sb.WriteString(fmt.Sprintf("  allowed ips: %s\n", strings.Join(ipStrings, ", ")))
-		}
-		sb.WriteString(fmt.Sprintf("  latest handshake: %s\n", peer.LastHandshake.Format(time.RFC1123)))
-		sb.WriteString(fmt.Sprintf("  transfer: %d B received, %d B sent\n", peer.RxBytes, peer.TxBytes))
-		if peer.PresharedKey {
-			sb.WriteString("  preshared key: (hidden)\n")
-		}
-	}
-
-	return sb.String()
-}

client/internal/dns.go

@@ -2,7 +2,7 @@ package internal
 
 import (
 	"fmt"
-	"net/netip"
+	"net"
 	"slices"
 	"strings"
 
@@ -12,14 +12,13 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 )
 
-func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.SimpleRecord, bool) {
-	ip, err := netip.ParseAddr(aRecord.RData)
-	if err != nil {
-		log.Warnf("failed to parse IP address %s: %v", aRecord.RData, err)
+func createPTRRecord(aRecord nbdns.SimpleRecord, ipNet *net.IPNet) (nbdns.SimpleRecord, bool) {
+	ip := net.ParseIP(aRecord.RData)
+	if ip == nil || ip.To4() == nil {
 		return nbdns.SimpleRecord{}, false
 	}
 
-	if !prefix.Contains(ip) {
+	if !ipNet.Contains(ip) {
 		return nbdns.SimpleRecord{}, false
 	}
 
@@ -37,19 +36,16 @@ func createPTRRecord(aRecord nbdns.SimpleRecord, prefix netip.Prefix) (nbdns.Sim
 }
 
 // generateReverseZoneName creates the reverse DNS zone name for a given network
-func generateReverseZoneName(network netip.Prefix) (string, error) {
-	networkIP := network.Masked().Addr()
-
-	if !networkIP.Is4() {
-		return "", fmt.Errorf("reverse DNS is only supported for IPv4 networks, got: %s", networkIP)
-	}
+func generateReverseZoneName(ipNet *net.IPNet) (string, error) {
+	networkIP := ipNet.IP.Mask(ipNet.Mask)
+	maskOnes, _ := ipNet.Mask.Size()
 
 	// round up to nearest byte
-	octetsToUse := (network.Bits() + 7) / 8
+	octetsToUse := (maskOnes + 7) / 8
 
 	octets := strings.Split(networkIP.String(), ".")
 	if octetsToUse > len(octets) {
-		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", network.Bits())
+		return "", fmt.Errorf("invalid network mask size for reverse DNS: %d", maskOnes)
 	}
 
 	reverseOctets := make([]string, octetsToUse)
@@ -72,7 +68,7 @@ func zoneExists(config *nbdns.Config, zoneName string) bool {
 }
 
 // collectPTRRecords gathers all PTR records for the given network from A records
-func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.SimpleRecord {
+func collectPTRRecords(config *nbdns.Config, ipNet *net.IPNet) []nbdns.SimpleRecord {
 	var records []nbdns.SimpleRecord
 
 	for _, zone := range config.CustomZones {
@@ -81,7 +77,7 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 				continue
 			}
 
-			if ptrRecord, ok := createPTRRecord(record, prefix); ok {
+			if ptrRecord, ok := createPTRRecord(record, ipNet); ok {
 				records = append(records, ptrRecord)
 			}
 		}
@@ -91,8 +87,8 @@ func collectPTRRecords(config *nbdns.Config, prefix netip.Prefix) []nbdns.Simple
 }
 
 // addReverseZone adds a reverse DNS zone to the configuration for the given network
-func addReverseZone(config *nbdns.Config, network netip.Prefix) {
-	zoneName, err := generateReverseZoneName(network)
+func addReverseZone(config *nbdns.Config, ipNet *net.IPNet) {
+	zoneName, err := generateReverseZoneName(ipNet)
 	if err != nil {
 		log.Warn(err)
 		return
@@ -103,7 +99,7 @@ func addReverseZone(config *nbdns.Config, network netip.Prefix) {
 		return
 	}
 
-	records := collectPTRRecords(config, network)
+	records := collectPTRRecords(config, ipNet)
 
 	reverseZone := nbdns.CustomZone{
 		Domain:  zoneName,

client/internal/dns/handler_chain.go

@@ -1,7 +1,6 @@
 package dns
 
 import (
-	"fmt"
 	"slices"
 	"strings"
 	"sync"
@@ -11,10 +10,9 @@ import (
 )
 
 const (
-	PriorityLocal    = 100
-	PriorityDNSRoute = 75
-	PriorityUpstream = 50
-	PriorityDefault  = 1
+	PriorityDNSRoute    = 100
+	PriorityMatchDomain = 50
+	PriorityDefault     = 1
 )
 
 type SubdomainMatcher interface {
@@ -150,42 +148,61 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}
 
 	qname := strings.ToLower(r.Question[0].Name)
+	log.Tracef("handling DNS request for domain=%s", qname)
 
 	c.mu.RLock()
 	handlers := slices.Clone(c.handlers)
 	c.mu.RUnlock()
 
 	if log.IsLevelEnabled(log.TraceLevel) {
-		var b strings.Builder
-		b.WriteString(fmt.Sprintf("DNS request domain=%s, handlers (%d):\n", qname, len(handlers)))
+		log.Tracef("current handlers (%d):", len(handlers))
 		for _, h := range handlers {
-			b.WriteString(fmt.Sprintf("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d\n",
-				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority))
+			log.Tracef("  - pattern: domain=%s original: domain=%s wildcard=%v match_subdomain=%v priority=%d",
+				h.Pattern, h.OrigPattern, h.IsWildcard, h.MatchSubdomains, h.Priority)
 		}
-		log.Trace(strings.TrimSuffix(b.String(), "\n"))
 	}
 
 	// Try handlers in priority order
 	for _, entry := range handlers {
-		matched := c.isHandlerMatch(qname, entry)
-
-		if matched {
-			log.Tracef("handler matched: domain=%s -> pattern=%s wildcard=%v match_subdomain=%v priority=%d",
-				qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains, entry.Priority)
-
-			chainWriter := &ResponseWriterChain{
-				ResponseWriter: w,
-				origPattern:    entry.OrigPattern,
+		var matched bool
+		switch {
+		case entry.Pattern == ".":
+			matched = true
+		case entry.IsWildcard:
+			parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
+			matched = len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
+		default:
+			// For non-wildcard patterns:
+			// If handler wants subdomain matching, allow suffix match
+			// Otherwise require exact match
+			if entry.MatchSubdomains {
+				matched = strings.EqualFold(qname, entry.Pattern) || strings.HasSuffix(qname, "."+entry.Pattern)
+			} else {
+				matched = strings.EqualFold(qname, entry.Pattern)
 			}
-			entry.Handler.ServeDNS(chainWriter, r)
-
-			// If handler wants to continue, try next handler
-			if chainWriter.shouldContinue {
-				log.Tracef("handler requested continue to next handler for domain=%s", qname)
-				continue
-			}
-			return
 		}
+
+		if !matched {
+			log.Tracef("trying domain match: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d matched=false",
+				qname, entry.OrigPattern, entry.MatchSubdomains, entry.IsWildcard, entry.Priority)
+			continue
+		}
+
+		log.Tracef("handler matched: request: domain=%s pattern: domain=%s wildcard=%v match_subdomain=%v priority=%d",
+			qname, entry.OrigPattern, entry.IsWildcard, entry.MatchSubdomains, entry.Priority)
+
+		chainWriter := &ResponseWriterChain{
+			ResponseWriter: w,
+			origPattern:    entry.OrigPattern,
+		}
+		entry.Handler.ServeDNS(chainWriter, r)
+
+		// If handler wants to continue, try next handler
+		if chainWriter.shouldContinue {
+			log.Tracef("handler requested continue to next handler")
+			continue
+		}
+		return
 	}
 
 	// No handler matched or all handlers passed
@@ -196,22 +213,3 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		log.Errorf("failed to write DNS response: %v", err)
 	}
 }
-
-func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {
-	switch {
-	case entry.Pattern == ".":
-		return true
-	case entry.IsWildcard:
-		parts := strings.Split(strings.TrimSuffix(qname, entry.Pattern), ".")
-		return len(parts) >= 2 && strings.HasSuffix(qname, entry.Pattern)
-	default:
-		// For non-wildcard patterns:
-		// If handler wants subdomain matching, allow suffix match
-		// Otherwise require exact match
-		if entry.MatchSubdomains {
-			return strings.EqualFold(qname, entry.Pattern) || strings.HasSuffix(qname, "."+entry.Pattern)
-		} else {
-			return strings.EqualFold(qname, entry.Pattern)
-		}
-	}
-}

client/internal/dns/handler_chain_test.go

@@ -1,6 +1,7 @@
 package dns_test
 
 import (
+	"net"
 	"testing"
 
 	"github.com/miekg/dns"
@@ -8,7 +9,6 @@ import (
 	"github.com/stretchr/testify/mock"
 
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
 )
 
 // TestHandlerChain_ServeDNS_Priorities tests that handlers are executed in priority order
@@ -22,7 +22,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 
 	// Setup handlers with different priorities
 	chain.AddHandler("example.com.", defaultHandler, nbdns.PriorityDefault)
-	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityUpstream)
+	chain.AddHandler("example.com.", matchDomainHandler, nbdns.PriorityMatchDomain)
 	chain.AddHandler("example.com.", dnsRouteHandler, nbdns.PriorityDNSRoute)
 
 	// Create test request
@@ -30,7 +30,7 @@ func TestHandlerChain_ServeDNS_Priorities(t *testing.T) {
 	r.SetQuestion("example.com.", dns.TypeA)
 
 	// Create test writer
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 
 	// Setup expectations - only highest priority handler should be called
 	dnsRouteHandler.On("ServeDNS", mock.Anything, r).Once()
@@ -142,7 +142,7 @@ func TestHandlerChain_ServeDNS_DomainMatching(t *testing.T) {
 
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 
 			chain.ServeDNS(w, r)
 
@@ -200,7 +200,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 				priority int
 			}{
 				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
-				{pattern: "*.example.com.", priority: nbdns.PriorityUpstream},
+				{pattern: "*.example.com.", priority: nbdns.PriorityMatchDomain},
 				{pattern: "*.example.com.", priority: nbdns.PriorityDNSRoute},
 			},
 			queryDomain:     "test.example.com.",
@@ -214,7 +214,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 				priority int
 			}{
 				{pattern: "*.example.com.", priority: nbdns.PriorityDefault},
-				{pattern: "test.example.com.", priority: nbdns.PriorityUpstream},
+				{pattern: "test.example.com.", priority: nbdns.PriorityMatchDomain},
 				{pattern: "*.test.example.com.", priority: nbdns.PriorityDNSRoute},
 			},
 			queryDomain:     "sub.test.example.com.",
@@ -259,7 +259,7 @@ func TestHandlerChain_ServeDNS_OverlappingDomains(t *testing.T) {
 			// Create and execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryDomain, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 			chain.ServeDNS(w, r)
 
 			// Verify expectations
@@ -281,7 +281,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 
 	// Add handlers in priority order
 	chain.AddHandler("example.com.", handler1, nbdns.PriorityDNSRoute)
-	chain.AddHandler("example.com.", handler2, nbdns.PriorityUpstream)
+	chain.AddHandler("example.com.", handler2, nbdns.PriorityMatchDomain)
 	chain.AddHandler("example.com.", handler3, nbdns.PriorityDefault)
 
 	// Create test request
@@ -316,7 +316,7 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	}).Once()
 
 	// Execute
-	w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	chain.ServeDNS(w, r)
 
 	// Verify all handlers were called in order
@@ -325,6 +325,20 @@ func TestHandlerChain_ServeDNS_ChainContinuation(t *testing.T) {
 	handler3.AssertExpectations(t)
 }
 
+// mockResponseWriter implements dns.ResponseWriter for testing
+type mockResponseWriter struct {
+	mock.Mock
+}
+
+func (m *mockResponseWriter) LocalAddr() net.Addr       { return nil }
+func (m *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
+func (m *mockResponseWriter) WriteMsg(*dns.Msg) error   { return nil }
+func (m *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
+func (m *mockResponseWriter) Close() error              { return nil }
+func (m *mockResponseWriter) TsigStatus() error         { return nil }
+func (m *mockResponseWriter) TsigTimersOnly(bool)       {}
+func (m *mockResponseWriter) Hijack()                   {}
+
 func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 	tests := []struct {
 		name string
@@ -344,13 +358,13 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
 				{"remove", "example.com.", nbdns.PriorityDNSRoute},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: false,
-				nbdns.PriorityUpstream: true,
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: true,
 			},
 		},
 		{
@@ -361,13 +375,13 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
-				{"remove", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: true,
-				nbdns.PriorityUpstream: false,
+				nbdns.PriorityDNSRoute:    true,
+				nbdns.PriorityMatchDomain: false,
 			},
 		},
 		{
@@ -378,16 +392,16 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 				priority int
 			}{
 				{"add", "example.com.", nbdns.PriorityDNSRoute},
-				{"add", "example.com.", nbdns.PriorityUpstream},
+				{"add", "example.com.", nbdns.PriorityMatchDomain},
 				{"add", "example.com.", nbdns.PriorityDefault},
 				{"remove", "example.com.", nbdns.PriorityDNSRoute},
-				{"remove", "example.com.", nbdns.PriorityUpstream},
+				{"remove", "example.com.", nbdns.PriorityMatchDomain},
 			},
 			query: "example.com.",
 			expectedCalls: map[int]bool{
-				nbdns.PriorityDNSRoute: false,
-				nbdns.PriorityUpstream: false,
-				nbdns.PriorityDefault:  true,
+				nbdns.PriorityDNSRoute:    false,
+				nbdns.PriorityMatchDomain: false,
+				nbdns.PriorityDefault:     true,
 			},
 		},
 	}
@@ -411,7 +425,7 @@ func TestHandlerChain_PriorityDeregistration(t *testing.T) {
 			// Create test request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 
 			// Setup expectations
 			for priority, handler := range handlers {
@@ -454,10 +468,10 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Add handlers in mixed order
 	chain.AddHandler(testDomain, defaultHandler, nbdns.PriorityDefault)
 	chain.AddHandler(testDomain, routeHandler, nbdns.PriorityDNSRoute)
-	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityUpstream)
+	chain.AddHandler(testDomain, matchHandler, nbdns.PriorityMatchDomain)
 
 	// Test 1: Initial state
-	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w1 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	// Highest priority handler (routeHandler) should be called
 	routeHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 	matchHandler.On("ServeDNS", mock.Anything, r).Maybe()   // Ensure others are not expected yet
@@ -476,7 +490,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 2: Remove highest priority handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDNSRoute)
 
-	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w2 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	// Now middle priority handler (matchHandler) should be called
 	matchHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 	defaultHandler.On("ServeDNS", mock.Anything, r).Maybe() // Ensure default is not expected yet
@@ -490,9 +504,9 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	defaultHandler.Calls = nil
 
 	// Test 3: Remove middle priority handler
-	chain.RemoveHandler(testDomain, nbdns.PriorityUpstream)
+	chain.RemoveHandler(testDomain, nbdns.PriorityMatchDomain)
 
-	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w3 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	// Now lowest priority handler (defaultHandler) should be called
 	defaultHandler.On("ServeDNS", mock.Anything, r).Return().Once()
 
@@ -505,7 +519,7 @@ func TestHandlerChain_MultiPriorityHandling(t *testing.T) {
 	// Test 4: Remove last handler
 	chain.RemoveHandler(testDomain, nbdns.PriorityDefault)
 
-	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+	w4 := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 	chain.ServeDNS(w4, r) // Call ServeDNS on the now empty chain for this domain
 
 	for _, m := range mocks {
@@ -607,7 +621,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 				shouldMatch bool
 			}{
 				{"EXAMPLE.COM.", nbdns.PriorityDefault, false, false},
-				{"example.com.", nbdns.PriorityUpstream, false, false},
+				{"example.com.", nbdns.PriorityMatchDomain, false, false},
 				{"Example.Com.", nbdns.PriorityDNSRoute, false, true},
 			},
 			query:         "example.com.",
@@ -661,7 +675,7 @@ func TestHandlerChain_CaseSensitivity(t *testing.T) {
 			// Execute request
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			chain.ServeDNS(&test.MockResponseWriter{}, r)
+			chain.ServeDNS(&mockResponseWriter{}, r)
 
 			// Verify each handler was called exactly as expected
 			for _, h := range tt.addHandlers {
@@ -702,8 +716,8 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -717,8 +731,8 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, true},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, true},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -732,10 +746,10 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, true},
-				{"add", "test.sub.example.com.", nbdns.PriorityUpstream, false},
-				{"remove", "test.sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "test.sub.example.com.", nbdns.PriorityMatchDomain, false},
+				{"remove", "test.sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "test.sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -749,7 +763,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 				{"add", "example.com.", nbdns.PriorityDNSRoute, true},
 			},
 			query:         "sub.example.com.",
@@ -764,9 +778,9 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 				priority  int
 				subdomain bool
 			}{
-				{"add", "example.com.", nbdns.PriorityUpstream, true},
-				{"add", "other.example.com.", nbdns.PriorityUpstream, true},
-				{"add", "sub.example.com.", nbdns.PriorityUpstream, false},
+				{"add", "example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "other.example.com.", nbdns.PriorityMatchDomain, true},
+				{"add", "sub.example.com.", nbdns.PriorityMatchDomain, false},
 			},
 			query:         "sub.example.com.",
 			expectedMatch: "sub.example.com.",
@@ -805,7 +819,7 @@ func TestHandlerChain_DomainSpecificityOrdering(t *testing.T) {
 
 			r := new(dns.Msg)
 			r.SetQuestion(tt.query, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 
 			// Setup handler expectations
 			for pattern, handler := range handlers {
@@ -955,7 +969,7 @@ func TestHandlerChain_AddRemoveRoundtrip(t *testing.T) {
 			handler := &nbdns.MockHandler{}
 			r := new(dns.Msg)
 			r.SetQuestion(tt.queryPattern, dns.TypeA)
-			w := &nbdns.ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &nbdns.ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 
 			// First verify no handler is called before adding any
 			chain.ServeDNS(w, r)

client/internal/dns/host_windows.go

@@ -1,14 +1,11 @@
 package dns
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"io"
-	"os/exec"
 	"strings"
 	"syscall"
-	"time"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -44,20 +41,6 @@ const (
 	interfaceConfigNameServerKey = "NameServer"
 	interfaceConfigSearchListKey = "SearchList"
 
-	// Network interface DNS registration settings
-	disableDynamicUpdateKey           = "DisableDynamicUpdate"
-	registrationEnabledKey            = "RegistrationEnabled"
-	maxNumberOfAddressesToRegisterKey = "MaxNumberOfAddressesToRegister"
-
-	// NetBIOS/WINS settings
-	netbtInterfacePath = `SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces`
-	netbiosOptionsKey  = "NetbiosOptions"
-
-	// NetBIOS option values: 0 = from DHCP, 1 = enabled, 2 = disabled
-	netbiosFromDHCP = 0
-	netbiosEnabled  = 1
-	netbiosDisabled = 2
-
 	// RP_FORCE: Reapply all policies even if no policy change was detected
 	rpForce = 0x1
 )
@@ -84,85 +67,16 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 		log.Infof("detected GPO DNS policy configuration, using policy store")
 	}
 
-	configurator := &registryConfigurator{
+	return &registryConfigurator{
 		guid: guid,
 		gpo:  useGPO,
-	}
-
-	if err := configurator.configureInterface(); err != nil {
-		log.Errorf("failed to configure interface settings: %v", err)
-	}
-
-	return configurator, nil
+	}, nil
 }
 
 func (r *registryConfigurator) supportCustomPort() bool {
 	return false
 }
 
-func (r *registryConfigurator) configureInterface() error {
-	var merr *multierror.Error
-
-	if err := r.disableDNSRegistrationForInterface(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("disable DNS registration: %w", err))
-	}
-
-	if err := r.disableWINSForInterface(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("disable WINS: %w", err))
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *registryConfigurator) disableDNSRegistrationForInterface() error {
-	regKey, err := r.getInterfaceRegistryKey()
-	if err != nil {
-		return fmt.Errorf("get interface registry key: %w", err)
-	}
-	defer closer(regKey)
-
-	var merr *multierror.Error
-
-	if err := regKey.SetDWordValue(disableDynamicUpdateKey, 1); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", disableDynamicUpdateKey, err))
-	}
-
-	if err := regKey.SetDWordValue(registrationEnabledKey, 0); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", registrationEnabledKey, err))
-	}
-
-	if err := regKey.SetDWordValue(maxNumberOfAddressesToRegisterKey, 0); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("set %s: %w", maxNumberOfAddressesToRegisterKey, err))
-	}
-
-	if merr == nil || len(merr.Errors) == 0 {
-		log.Infof("disabled DNS registration for interface %s", r.guid)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
-func (r *registryConfigurator) disableWINSForInterface() error {
-	netbtKeyPath := fmt.Sprintf(`%s\Tcpip_%s`, netbtInterfacePath, r.guid)
-
-	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, netbtKeyPath, registry.SET_VALUE)
-	if err != nil {
-		regKey, _, err = registry.CreateKey(registry.LOCAL_MACHINE, netbtKeyPath, registry.SET_VALUE)
-		if err != nil {
-			return fmt.Errorf("create NetBT interface key %s: %w", netbtKeyPath, err)
-		}
-	}
-	defer closer(regKey)
-
-	// NetbiosOptions: 2 = disabled
-	if err := regKey.SetDWordValue(netbiosOptionsKey, netbiosDisabled); err != nil {
-		return fmt.Errorf("set %s: %w", netbiosOptionsKey, err)
-	}
-
-	log.Infof("disabled WINS/NetBIOS for interface %s", r.guid)
-	return nil
-}
-
 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
 	if config.RouteAll {
 		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
@@ -205,7 +119,9 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		return fmt.Errorf("update search domains: %w", err)
 	}
 
-	go r.flushDNSCache()
+	if err := r.flushDNSCache(); err != nil {
+		log.Errorf("failed to flush DNS cache: %v", err)
+	}
 
 	return nil
 }
@@ -275,25 +191,7 @@ func (r *registryConfigurator) string() string {
 	return "registry"
 }
 
-func (r *registryConfigurator) registerDNS() {
-	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
-	defer cancel()
-
-	// nolint:misspell
-	cmd := exec.CommandContext(ctx, "ipconfig", "/registerdns")
-	out, err := cmd.CombinedOutput()
-
-	if err != nil {
-		log.Errorf("failed to register DNS: %v, output: %s", err, out)
-		return
-	}
-
-	log.Info("registered DNS names")
-}
-
-func (r *registryConfigurator) flushDNSCache() {
-	r.registerDNS()
-
+func (r *registryConfigurator) flushDNSCache() error {
 	// dnsFlushResolverCacheFn.Call() may panic if the func is not found
 	defer func() {
 		if rec := recover(); rec != nil {
@@ -304,14 +202,13 @@ func (r *registryConfigurator) flushDNSCache() {
 	ret, _, err := dnsFlushResolverCacheFn.Call()
 	if ret == 0 {
 		if err != nil && !errors.Is(err, syscall.Errno(0)) {
-			log.Errorf("DnsFlushResolverCache failed: %v", err)
-			return
+			return fmt.Errorf("DnsFlushResolverCache failed: %w", err)
 		}
-		log.Errorf("DnsFlushResolverCache failed")
-		return
+		return fmt.Errorf("DnsFlushResolverCache failed")
 	}
 
 	log.Info("flushed DNS cache")
+	return nil
 }
 
 func (r *registryConfigurator) updateSearchDomains(domains []string) error {
@@ -366,7 +263,9 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}
 
-	go r.flushDNSCache()
+	if err := r.flushDNSCache(); err != nil {
+		log.Errorf("failed to flush DNS cache: %v", err)
+	}
 
 	return nil
 }

client/internal/dns/local.go

@@ -0,0 +1,130 @@
+package dns
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+type registrationMap map[string]struct{}
+
+type localResolver struct {
+	registeredMap registrationMap
+	records       sync.Map // key: string (domain_class_type), value: []dns.RR
+}
+
+func (d *localResolver) MatchSubdomains() bool {
+	return true
+}
+
+func (d *localResolver) stop() {
+}
+
+// String returns a string representation of the local resolver
+func (d *localResolver) String() string {
+	return fmt.Sprintf("local resolver [%d records]", len(d.registeredMap))
+}
+
+// ID returns the unique handler ID
+func (d *localResolver) id() handlerID {
+	return "local-resolver"
+}
+
+// ServeDNS handles a DNS request
+func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
+	if len(r.Question) > 0 {
+		log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+	}
+
+	replyMessage := &dns.Msg{}
+	replyMessage.SetReply(r)
+	replyMessage.RecursionAvailable = true
+
+	// lookup all records matching the question
+	records := d.lookupRecords(r)
+	if len(records) > 0 {
+		replyMessage.Rcode = dns.RcodeSuccess
+		replyMessage.Answer = append(replyMessage.Answer, records...)
+	} else {
+		replyMessage.Rcode = dns.RcodeNameError
+	}
+
+	err := w.WriteMsg(replyMessage)
+	if err != nil {
+		log.Debugf("got an error while writing the local resolver response, error: %v", err)
+	}
+}
+
+// lookupRecords fetches *all* DNS records matching the first question in r.
+func (d *localResolver) lookupRecords(r *dns.Msg) []dns.RR {
+	if len(r.Question) == 0 {
+		return nil
+	}
+	question := r.Question[0]
+	question.Name = strings.ToLower(question.Name)
+	key := buildRecordKey(question.Name, question.Qclass, question.Qtype)
+
+	value, found := d.records.Load(key)
+	if !found {
+		// alternatively check if we have a cname
+		if question.Qtype != dns.TypeCNAME {
+			r.Question[0].Qtype = dns.TypeCNAME
+			return d.lookupRecords(r)
+		}
+
+		return nil
+	}
+
+	records, ok := value.([]dns.RR)
+	if !ok {
+		log.Errorf("failed to cast records to []dns.RR, records: %v", value)
+		return nil
+	}
+
+	// if there's more than one record, rotate them (round-robin)
+	if len(records) > 1 {
+		first := records[0]
+		records = append(records[1:], first)
+		d.records.Store(key, records)
+	}
+
+	return records
+}
+
+// registerRecord stores a new record by appending it to any existing list
+func (d *localResolver) registerRecord(record nbdns.SimpleRecord) (string, error) {
+	rr, err := dns.NewRR(record.String())
+	if err != nil {
+		return "", fmt.Errorf("register record: %w", err)
+	}
+
+	rr.Header().Rdlength = record.Len()
+	header := rr.Header()
+	key := buildRecordKey(header.Name, header.Class, header.Rrtype)
+
+	// load any existing slice of records, then append
+	existing, _ := d.records.LoadOrStore(key, []dns.RR{})
+	records := existing.([]dns.RR)
+	records = append(records, rr)
+
+	// store updated slice
+	d.records.Store(key, records)
+	return key, nil
+}
+
+// deleteRecord removes *all* records under the recordKey.
+func (d *localResolver) deleteRecord(recordKey string) {
+	d.records.Delete(dns.Fqdn(recordKey))
+}
+
+// buildRecordKey consistently generates a key: name_class_type
+func buildRecordKey(name string, class, qType uint16) string {
+	return fmt.Sprintf("%s_%d_%d", dns.Fqdn(name), class, qType)
+}
+
+func (d *localResolver) probeAvailability() {}

client/internal/dns/local/local.go

@@ -1,167 +0,0 @@
-package local
-
-import (
-	"fmt"
-	"slices"
-	"strings"
-	"sync"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"
-
-	"github.com/netbirdio/netbird/client/internal/dns/types"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/management/domain"
-)
-
-type Resolver struct {
-	mu      sync.RWMutex
-	records map[dns.Question][]dns.RR
-	domains map[domain.Domain]struct{}
-}
-
-func NewResolver() *Resolver {
-	return &Resolver{
-		records: make(map[dns.Question][]dns.RR),
-		domains: make(map[domain.Domain]struct{}),
-	}
-}
-
-func (d *Resolver) MatchSubdomains() bool {
-	return true
-}
-
-// String returns a string representation of the local resolver
-func (d *Resolver) String() string {
-	return fmt.Sprintf("local resolver [%d records]", len(d.records))
-}
-
-func (d *Resolver) Stop() {}
-
-// ID returns the unique handler ID
-func (d *Resolver) ID() types.HandlerID {
-	return "local-resolver"
-}
-
-func (d *Resolver) ProbeAvailability() {}
-
-// ServeDNS handles a DNS request
-func (d *Resolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	if len(r.Question) == 0 {
-		log.Debugf("received local resolver request with no question")
-		return
-	}
-	question := r.Question[0]
-	question.Name = strings.ToLower(dns.Fqdn(question.Name))
-
-	log.Tracef("received local question: domain=%s type=%v class=%v", r.Question[0].Name, question.Qtype, question.Qclass)
-
-	replyMessage := &dns.Msg{}
-	replyMessage.SetReply(r)
-	replyMessage.RecursionAvailable = true
-
-	// lookup all records matching the question
-	records := d.lookupRecords(question)
-	if len(records) > 0 {
-		replyMessage.Rcode = dns.RcodeSuccess
-		replyMessage.Answer = append(replyMessage.Answer, records...)
-	} else {
-		// Check if we have any records for this domain name with different types
-		if d.hasRecordsForDomain(domain.Domain(question.Name)) {
-			replyMessage.Rcode = dns.RcodeSuccess // NOERROR with 0 records
-		} else {
-			replyMessage.Rcode = dns.RcodeNameError // NXDOMAIN
-		}
-	}
-
-	if err := w.WriteMsg(replyMessage); err != nil {
-		log.Warnf("failed to write the local resolver response: %v", err)
-	}
-}
-
-// hasRecordsForDomain checks if any records exist for the given domain name regardless of type
-func (d *Resolver) hasRecordsForDomain(domainName domain.Domain) bool {
-	d.mu.RLock()
-	defer d.mu.RUnlock()
-
-	_, exists := d.domains[domainName]
-	return exists
-}
-
-// lookupRecords fetches *all* DNS records matching the first question in r.
-func (d *Resolver) lookupRecords(question dns.Question) []dns.RR {
-	d.mu.RLock()
-	records, found := d.records[question]
-
-	if !found {
-		d.mu.RUnlock()
-		// alternatively check if we have a cname
-		if question.Qtype != dns.TypeCNAME {
-			question.Qtype = dns.TypeCNAME
-			return d.lookupRecords(question)
-		}
-		return nil
-	}
-
-	recordsCopy := slices.Clone(records)
-	d.mu.RUnlock()
-
-	// if there's more than one record, rotate them (round-robin)
-	if len(recordsCopy) > 1 {
-		d.mu.Lock()
-		records = d.records[question]
-		if len(records) > 1 {
-			first := records[0]
-			records = append(records[1:], first)
-			d.records[question] = records
-		}
-		d.mu.Unlock()
-	}
-
-	return recordsCopy
-}
-
-func (d *Resolver) Update(update []nbdns.SimpleRecord) {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-
-	maps.Clear(d.records)
-	maps.Clear(d.domains)
-
-	for _, rec := range update {
-		if err := d.registerRecord(rec); err != nil {
-			log.Warnf("failed to register the record (%s): %v", rec, err)
-			continue
-		}
-	}
-}
-
-// RegisterRecord stores a new record by appending it to any existing list
-func (d *Resolver) RegisterRecord(record nbdns.SimpleRecord) error {
-	d.mu.Lock()
-	defer d.mu.Unlock()
-
-	return d.registerRecord(record)
-}
-
-// registerRecord performs the registration with the lock already held
-func (d *Resolver) registerRecord(record nbdns.SimpleRecord) error {
-	rr, err := dns.NewRR(record.String())
-	if err != nil {
-		return fmt.Errorf("register record: %w", err)
-	}
-
-	rr.Header().Rdlength = record.Len()
-	header := rr.Header()
-	q := dns.Question{
-		Name:   strings.ToLower(dns.Fqdn(header.Name)),
-		Qtype:  header.Rrtype,
-		Qclass: header.Class,
-	}
-
-	d.records[q] = append(d.records[q], rr)
-	d.domains[domain.Domain(q.Name)] = struct{}{}
-
-	return nil
-}

client/internal/dns/local/local_test.go

@@ -1,584 +0,0 @@
-package local
-
-import (
-	"strings"
-	"testing"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-func TestLocalResolver_ServeDNS(t *testing.T) {
-	recordA := nbdns.SimpleRecord{
-		Name:  "peera.netbird.cloud.",
-		Type:  1,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "1.2.3.4",
-	}
-
-	recordCNAME := nbdns.SimpleRecord{
-		Name:  "peerb.netbird.cloud.",
-		Type:  5,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "www.netbird.io",
-	}
-
-	testCases := []struct {
-		name                string
-		inputRecord         nbdns.SimpleRecord
-		inputMSG            *dns.Msg
-		responseShouldBeNil bool
-	}{
-		{
-			name:        "Should Resolve A Record",
-			inputRecord: recordA,
-			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
-		},
-		{
-			name:        "Should Resolve CNAME Record",
-			inputRecord: recordCNAME,
-			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
-		},
-		{
-			name:                "Should Not Write When Not Found A Record",
-			inputRecord:         recordA,
-			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
-			responseShouldBeNil: true,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			resolver := NewResolver()
-			_ = resolver.RegisterRecord(testCase.inputRecord)
-			var responseMSG *dns.Msg
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, testCase.inputMSG)
-
-			if responseMSG == nil || len(responseMSG.Answer) == 0 {
-				if testCase.responseShouldBeNil {
-					return
-				}
-				t.Fatalf("should write a response message")
-			}
-
-			answerString := responseMSG.Answer[0].String()
-			if !strings.Contains(answerString, testCase.inputRecord.Name) {
-				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
-			}
-			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
-				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
-			}
-			if !strings.Contains(answerString, testCase.inputRecord.RData) {
-				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
-			}
-		})
-	}
-}
-
-// TestLocalResolver_Update_StaleRecord verifies that updating
-// a record correctly replaces the old one, preventing stale entries.
-func TestLocalResolver_Update_StaleRecord(t *testing.T) {
-	recordName := "host.example.com."
-	recordType := dns.TypeA
-	recordClass := dns.ClassINET
-
-	record1 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "1.1.1.1",
-	}
-	record2 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "2.2.2.2",
-	}
-
-	recordKey := dns.Question{Name: recordName, Qtype: uint16(recordClass), Qclass: recordType}
-
-	resolver := NewResolver()
-
-	update1 := []nbdns.SimpleRecord{record1}
-	update2 := []nbdns.SimpleRecord{record2}
-
-	// Apply first update
-	resolver.Update(update1)
-
-	// Verify first update
-	resolver.mu.RLock()
-	rrSlice1, found1 := resolver.records[recordKey]
-	resolver.mu.RUnlock()
-
-	require.True(t, found1, "Record key %s not found after first update", recordKey)
-	require.Len(t, rrSlice1, 1, "Should have exactly 1 record after first update")
-	assert.Contains(t, rrSlice1[0].String(), record1.RData, "Record after first update should be %s", record1.RData)
-
-	// Apply second update
-	resolver.Update(update2)
-
-	// Verify second update
-	resolver.mu.RLock()
-	rrSlice2, found2 := resolver.records[recordKey]
-	resolver.mu.RUnlock()
-
-	require.True(t, found2, "Record key %s not found after second update", recordKey)
-	require.Len(t, rrSlice2, 1, "Should have exactly 1 record after update overwriting the key")
-	assert.Contains(t, rrSlice2[0].String(), record2.RData, "The single record should be the updated one (%s)", record2.RData)
-	assert.NotContains(t, rrSlice2[0].String(), record1.RData, "The stale record (%s) should not be present", record1.RData)
-}
-
-// TestLocalResolver_MultipleRecords_SameQuestion verifies that multiple records
-// with the same question are stored properly
-func TestLocalResolver_MultipleRecords_SameQuestion(t *testing.T) {
-	resolver := NewResolver()
-
-	recordName := "multi.example.com."
-	recordType := dns.TypeA
-
-	// Create two records with the same name and type but different IPs
-	record1 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1",
-	}
-	record2 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.2",
-	}
-
-	update := []nbdns.SimpleRecord{record1, record2}
-
-	// Apply update with both records
-	resolver.Update(update)
-
-	// Create question that matches both records
-	question := dns.Question{
-		Name:   recordName,
-		Qtype:  recordType,
-		Qclass: dns.ClassINET,
-	}
-
-	// Verify both records are stored
-	resolver.mu.RLock()
-	records, found := resolver.records[question]
-	resolver.mu.RUnlock()
-
-	require.True(t, found, "Records for question %v not found", question)
-	require.Len(t, records, 2, "Should have exactly 2 records for the same question")
-
-	// Verify both record data values are present
-	recordStrings := []string{records[0].String(), records[1].String()}
-	assert.Contains(t, recordStrings[0]+recordStrings[1], record1.RData, "First record data should be present")
-	assert.Contains(t, recordStrings[0]+recordStrings[1], record2.RData, "Second record data should be present")
-}
-
-// TestLocalResolver_RecordRotation verifies that records are rotated in a round-robin fashion
-func TestLocalResolver_RecordRotation(t *testing.T) {
-	resolver := NewResolver()
-
-	recordName := "rotation.example.com."
-	recordType := dns.TypeA
-
-	// Create three records with the same name and type but different IPs
-	record1 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.1",
-	}
-	record2 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.2",
-	}
-	record3 := nbdns.SimpleRecord{
-		Name: recordName, Type: int(recordType), Class: nbdns.DefaultClass, TTL: 300, RData: "192.168.1.3",
-	}
-
-	update := []nbdns.SimpleRecord{record1, record2, record3}
-
-	// Apply update with all three records
-	resolver.Update(update)
-
-	msg := new(dns.Msg).SetQuestion(recordName, recordType)
-
-	// First lookup - should return the records in original order
-	var responses [3]*dns.Msg
-
-	// Perform three lookups to verify rotation
-	for i := 0; i < 3; i++ {
-		responseWriter := &test.MockResponseWriter{
-			WriteMsgFunc: func(m *dns.Msg) error {
-				responses[i] = m
-				return nil
-			},
-		}
-
-		resolver.ServeDNS(responseWriter, msg)
-	}
-
-	// Verify all three responses contain answers
-	for i, resp := range responses {
-		require.NotNil(t, resp, "Response %d should not be nil", i)
-		require.Len(t, resp.Answer, 3, "Response %d should have 3 answers", i)
-	}
-
-	// Verify the first record in each response is different due to rotation
-	firstRecordIPs := []string{
-		responses[0].Answer[0].String(),
-		responses[1].Answer[0].String(),
-		responses[2].Answer[0].String(),
-	}
-
-	// Each record should be different (rotated)
-	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[1], "First lookup should differ from second lookup due to rotation")
-	assert.NotEqual(t, firstRecordIPs[1], firstRecordIPs[2], "Second lookup should differ from third lookup due to rotation")
-	assert.NotEqual(t, firstRecordIPs[0], firstRecordIPs[2], "First lookup should differ from third lookup due to rotation")
-
-	// After three rotations, we should have cycled through all records
-	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record1.RData)
-	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record2.RData)
-	assert.Contains(t, firstRecordIPs[0]+firstRecordIPs[1]+firstRecordIPs[2], record3.RData)
-}
-
-// TestLocalResolver_CaseInsensitiveMatching verifies that DNS record lookups are case-insensitive
-func TestLocalResolver_CaseInsensitiveMatching(t *testing.T) {
-	resolver := NewResolver()
-
-	// Create record with lowercase name
-	lowerCaseRecord := nbdns.SimpleRecord{
-		Name:  "lower.example.com.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "10.10.10.10",
-	}
-
-	// Create record with mixed case name
-	mixedCaseRecord := nbdns.SimpleRecord{
-		Name:  "MiXeD.ExAmPlE.CoM.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "20.20.20.20",
-	}
-
-	// Update resolver with the records
-	resolver.Update([]nbdns.SimpleRecord{lowerCaseRecord, mixedCaseRecord})
-
-	testCases := []struct {
-		name          string
-		queryName     string
-		expectedRData string
-		shouldResolve bool
-	}{
-		{
-			name:          "Query lowercase with lowercase record",
-			queryName:     "lower.example.com.",
-			expectedRData: "10.10.10.10",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query uppercase with lowercase record",
-			queryName:     "LOWER.EXAMPLE.COM.",
-			expectedRData: "10.10.10.10",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query mixed case with lowercase record",
-			queryName:     "LoWeR.eXaMpLe.CoM.",
-			expectedRData: "10.10.10.10",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query lowercase with mixed case record",
-			queryName:     "mixed.example.com.",
-			expectedRData: "20.20.20.20",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query uppercase with mixed case record",
-			queryName:     "MIXED.EXAMPLE.COM.",
-			expectedRData: "20.20.20.20",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query with different casing pattern",
-			queryName:     "mIxEd.ExaMpLe.cOm.",
-			expectedRData: "20.20.20.20",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query non-existent domain",
-			queryName:     "nonexistent.example.com.",
-			shouldResolve: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var responseMSG *dns.Msg
-
-			// Create DNS query with the test case name
-			msg := new(dns.Msg).SetQuestion(tc.queryName, dns.TypeA)
-
-			// Create mock response writer to capture the response
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			// Perform DNS query
-			resolver.ServeDNS(responseWriter, msg)
-
-			// Check if we expect a successful resolution
-			if !tc.shouldResolve {
-				if responseMSG == nil || len(responseMSG.Answer) == 0 {
-					// Expected no answer, test passes
-					return
-				}
-				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
-			}
-
-			// Verify we got a response
-			require.NotNil(t, responseMSG, "Should have received a response message")
-			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
-
-			// Verify the response contains the expected data
-			answerString := responseMSG.Answer[0].String()
-			assert.Contains(t, answerString, tc.expectedRData,
-				"Answer should contain the expected IP address %s, got: %s",
-				tc.expectedRData, answerString)
-		})
-	}
-}
-
-// TestLocalResolver_CNAMEFallback verifies that the resolver correctly falls back
-// to checking for CNAME records when the requested record type isn't found
-func TestLocalResolver_CNAMEFallback(t *testing.T) {
-	resolver := NewResolver()
-
-	// Create a CNAME record (but no A record for this name)
-	cnameRecord := nbdns.SimpleRecord{
-		Name:  "alias.example.com.",
-		Type:  int(dns.TypeCNAME),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "target.example.com.",
-	}
-
-	// Create an A record for the CNAME target
-	targetRecord := nbdns.SimpleRecord{
-		Name:  "target.example.com.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "192.168.100.100",
-	}
-
-	// Update resolver with both records
-	resolver.Update([]nbdns.SimpleRecord{cnameRecord, targetRecord})
-
-	testCases := []struct {
-		name          string
-		queryName     string
-		queryType     uint16
-		expectedType  string
-		expectedRData string
-		shouldResolve bool
-	}{
-		{
-			name:          "Directly query CNAME record",
-			queryName:     "alias.example.com.",
-			queryType:     dns.TypeCNAME,
-			expectedType:  "CNAME",
-			expectedRData: "target.example.com.",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query A record but get CNAME fallback",
-			queryName:     "alias.example.com.",
-			queryType:     dns.TypeA,
-			expectedType:  "CNAME",
-			expectedRData: "target.example.com.",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query AAAA record but get CNAME fallback",
-			queryName:     "alias.example.com.",
-			queryType:     dns.TypeAAAA,
-			expectedType:  "CNAME",
-			expectedRData: "target.example.com.",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query direct A record",
-			queryName:     "target.example.com.",
-			queryType:     dns.TypeA,
-			expectedType:  "A",
-			expectedRData: "192.168.100.100",
-			shouldResolve: true,
-		},
-		{
-			name:          "Query non-existent name",
-			queryName:     "nonexistent.example.com.",
-			queryType:     dns.TypeA,
-			shouldResolve: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var responseMSG *dns.Msg
-
-			// Create DNS query with the test case parameters
-			msg := new(dns.Msg).SetQuestion(tc.queryName, tc.queryType)
-
-			// Create mock response writer to capture the response
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			// Perform DNS query
-			resolver.ServeDNS(responseWriter, msg)
-
-			// Check if we expect a successful resolution
-			if !tc.shouldResolve {
-				if responseMSG == nil || len(responseMSG.Answer) == 0 || responseMSG.Rcode != dns.RcodeSuccess {
-					// Expected no resolution, test passes
-					return
-				}
-				t.Fatalf("Expected no resolution for %s, but got answer: %v", tc.queryName, responseMSG.Answer)
-			}
-
-			// Verify we got a successful response
-			require.NotNil(t, responseMSG, "Should have received a response message")
-			require.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "Response should have success status code")
-			require.Greater(t, len(responseMSG.Answer), 0, "Response should contain at least one answer")
-
-			// Verify the response contains the expected data
-			answerString := responseMSG.Answer[0].String()
-			assert.Contains(t, answerString, tc.expectedType,
-				"Answer should be of type %s, got: %s", tc.expectedType, answerString)
-			assert.Contains(t, answerString, tc.expectedRData,
-				"Answer should contain the expected data %s, got: %s", tc.expectedRData, answerString)
-		})
-	}
-}
-
-// TestLocalResolver_NoErrorWithDifferentRecordType verifies that querying for a record type
-// that doesn't exist but where other record types exist for the same domain returns NOERROR
-// with 0 records instead of NXDOMAIN
-func TestLocalResolver_NoErrorWithDifferentRecordType(t *testing.T) {
-	resolver := NewResolver()
-
-	recordA := nbdns.SimpleRecord{
-		Name:  "example.netbird.cloud.",
-		Type:  int(dns.TypeA),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "192.168.1.100",
-	}
-
-	recordCNAME := nbdns.SimpleRecord{
-		Name:  "alias.netbird.cloud.",
-		Type:  int(dns.TypeCNAME),
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "target.example.com.",
-	}
-
-	resolver.Update([]nbdns.SimpleRecord{recordA, recordCNAME})
-
-	testCases := []struct {
-		name           string
-		queryName      string
-		queryType      uint16
-		expectedRcode  int
-		shouldHaveData bool
-	}{
-		{
-			name:           "Query A record that exists",
-			queryName:      "example.netbird.cloud.",
-			queryType:      dns.TypeA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: true,
-		},
-		{
-			name:           "Query AAAA for domain with only A record",
-			queryName:      "example.netbird.cloud.",
-			queryType:      dns.TypeAAAA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: false,
-		},
-		{
-			name:           "Query other record with different case and non-fqdn",
-			queryName:      "EXAMPLE.netbird.cloud",
-			queryType:      dns.TypeAAAA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: false,
-		},
-		{
-			name:           "Query TXT for domain with only A record",
-			queryName:      "example.netbird.cloud.",
-			queryType:      dns.TypeTXT,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: false,
-		},
-		{
-			name:           "Query A for domain with only CNAME record",
-			queryName:      "alias.netbird.cloud.",
-			queryType:      dns.TypeA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: true,
-		},
-		{
-			name:           "Query AAAA for domain with only CNAME record",
-			queryName:      "alias.netbird.cloud.",
-			queryType:      dns.TypeAAAA,
-			expectedRcode:  dns.RcodeSuccess,
-			shouldHaveData: true,
-		},
-		{
-			name:           "Query for completely non-existent domain",
-			queryName:      "nonexistent.netbird.cloud.",
-			queryType:      dns.TypeA,
-			expectedRcode:  dns.RcodeNameError,
-			shouldHaveData: false,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			var responseMSG *dns.Msg
-
-			msg := new(dns.Msg).SetQuestion(tc.queryName, tc.queryType)
-
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, msg)
-
-			require.NotNil(t, responseMSG, "Should have received a response message")
-
-			assert.Equal(t, tc.expectedRcode, responseMSG.Rcode,
-				"Response code should be %d (%s)",
-				tc.expectedRcode, dns.RcodeToString[tc.expectedRcode])
-
-			if tc.shouldHaveData {
-				assert.Greater(t, len(responseMSG.Answer), 0, "Response should contain answers")
-			} else {
-				assert.Equal(t, 0, len(responseMSG.Answer), "Response should contain no answers")
-			}
-		})
-	}
-}

client/internal/dns/local_test.go

@@ -0,0 +1,88 @@
+package dns
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/miekg/dns"
+
+	nbdns "github.com/netbirdio/netbird/dns"
+)
+
+func TestLocalResolver_ServeDNS(t *testing.T) {
+	recordA := nbdns.SimpleRecord{
+		Name:  "peera.netbird.cloud.",
+		Type:  1,
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "1.2.3.4",
+	}
+
+	recordCNAME := nbdns.SimpleRecord{
+		Name:  "peerb.netbird.cloud.",
+		Type:  5,
+		Class: nbdns.DefaultClass,
+		TTL:   300,
+		RData: "www.netbird.io",
+	}
+
+	testCases := []struct {
+		name                string
+		inputRecord         nbdns.SimpleRecord
+		inputMSG            *dns.Msg
+		responseShouldBeNil bool
+	}{
+		{
+			name:        "Should Resolve A Record",
+			inputRecord: recordA,
+			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
+		},
+		{
+			name:        "Should Resolve CNAME Record",
+			inputRecord: recordCNAME,
+			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
+		},
+		{
+			name:                "Should Not Write When Not Found A Record",
+			inputRecord:         recordA,
+			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
+			responseShouldBeNil: true,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(testCase.name, func(t *testing.T) {
+			resolver := &localResolver{
+				registeredMap: make(registrationMap),
+			}
+			_, _ = resolver.registerRecord(testCase.inputRecord)
+			var responseMSG *dns.Msg
+			responseWriter := &mockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					responseMSG = m
+					return nil
+				},
+			}
+
+			resolver.ServeDNS(responseWriter, testCase.inputMSG)
+
+			if responseMSG == nil || len(responseMSG.Answer) == 0 {
+				if testCase.responseShouldBeNil {
+					return
+				}
+				t.Fatalf("should write a response message")
+			}
+
+			answerString := responseMSG.Answer[0].String()
+			if !strings.Contains(answerString, testCase.inputRecord.Name) {
+				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
+			}
+			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
+				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
+			}
+			if !strings.Contains(answerString, testCase.inputRecord.RData) {
+				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
+			}
+		})
+	}
+}

client/internal/dns/mock_test.go

@@ -0,0 +1,26 @@
+package dns
+
+import (
+	"net"
+
+	"github.com/miekg/dns"
+)
+
+type mockResponseWriter struct {
+	WriteMsgFunc func(m *dns.Msg) error
+}
+
+func (rw *mockResponseWriter) WriteMsg(m *dns.Msg) error {
+	if rw.WriteMsgFunc != nil {
+		return rw.WriteMsgFunc(m)
+	}
+	return nil
+}
+
+func (rw *mockResponseWriter) LocalAddr() net.Addr       { return nil }
+func (rw *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
+func (rw *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
+func (rw *mockResponseWriter) Close() error              { return nil }
+func (rw *mockResponseWriter) TsigStatus() error         { return nil }
+func (rw *mockResponseWriter) TsigTimersOnly(bool)       {}
+func (rw *mockResponseWriter) Hijack()                   {}

client/internal/dns/server.go

@@ -15,8 +15,6 @@ import (
 	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/internal/dns/local"
-	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -48,6 +46,8 @@ type Server interface {
 	ProbeAvailability()
 }
 
+type handlerID string
+
 type nsGroupsByDomain struct {
 	domain string
 	groups []*nbdns.NameServerGroup
@@ -61,7 +61,7 @@ type DefaultServer struct {
 	mux                sync.Mutex
 	service            service
 	dnsMuxMap          registeredHandlerMap
-	localResolver      *local.Resolver
+	localResolver      *localResolver
 	wgInterface        WGIface
 	hostManager        hostManager
 	updateSerial       uint64
@@ -84,9 +84,9 @@ type DefaultServer struct {
 
 type handlerWithStop interface {
 	dns.Handler
-	Stop()
-	ProbeAvailability()
-	ID() types.HandlerID
+	stop()
+	probeAvailability()
+	id() handlerID
 }
 
 type handlerWrapper struct {
@@ -95,7 +95,7 @@ type handlerWrapper struct {
 	priority int
 }
 
-type registeredHandlerMap map[types.HandlerID]handlerWrapper
+type registeredHandlerMap map[handlerID]handlerWrapper
 
 // NewDefaultServer returns a new dns server
 func NewDefaultServer(
@@ -171,14 +171,16 @@ func newDefaultServer(
 	handlerChain := NewHandlerChain()
 	ctx, stop := context.WithCancel(ctx)
 	defaultServer := &DefaultServer{
-		ctx:            ctx,
-		ctxCancel:      stop,
-		disableSys:     disableSys,
-		service:        dnsService,
-		handlerChain:   handlerChain,
-		extraDomains:   make(map[domain.Domain]int),
-		dnsMuxMap:      make(registeredHandlerMap),
-		localResolver:  local.NewResolver(),
+		ctx:          ctx,
+		ctxCancel:    stop,
+		disableSys:   disableSys,
+		service:      dnsService,
+		handlerChain: handlerChain,
+		extraDomains: make(map[domain.Domain]int),
+		dnsMuxMap:    make(registeredHandlerMap),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
 		wgInterface:    wgInterface,
 		statusRecorder: statusRecorder,
 		stateManager:   stateManager,
@@ -401,7 +403,7 @@ func (s *DefaultServer) ProbeAvailability() {
 		wg.Add(1)
 		go func(mux handlerWithStop) {
 			defer wg.Done()
-			mux.ProbeAvailability()
+			mux.probeAvailability()
 		}(mux.handler)
 	}
 	wg.Wait()
@@ -418,7 +420,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.service.Stop()
 	}
 
-	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
+	localMuxUpdates, localRecordsByDomain, err := s.buildLocalHandlerUpdate(update.CustomZones)
 	if err != nil {
 		return fmt.Errorf("local handler updater: %w", err)
 	}
@@ -432,7 +434,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 	s.updateMux(muxUpdates)
 
 	// register local records
-	s.localResolver.Update(localRecords)
+	s.updateLocalResolver(localRecordsByDomain)
 
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
 
@@ -489,7 +491,7 @@ func (s *DefaultServer) applyHostConfig() {
 		}
 	}
 
-	log.Debugf("extra match domains: %v", maps.Keys(s.extraDomains))
+	log.Debugf("extra match domains: %v", s.extraDomains)
 
 	if err := s.hostManager.applyDNSConfig(config, s.stateManager); err != nil {
 		log.Errorf("failed to apply DNS host manager update: %v", err)
@@ -514,9 +516,11 @@ func (s *DefaultServer) handleErrNoGroupaAll(err error) {
 	)
 }
 
-func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]handlerWrapper, []nbdns.SimpleRecord, error) {
+func (s *DefaultServer) buildLocalHandlerUpdate(
+	customZones []nbdns.CustomZone,
+) ([]handlerWrapper, map[string][]nbdns.SimpleRecord, error) {
 	var muxUpdates []handlerWrapper
-	var localRecords []nbdns.SimpleRecord
+	localRecords := make(map[string][]nbdns.SimpleRecord)
 
 	for _, customZone := range customZones {
 		if len(customZone.Records) == 0 {
@@ -527,16 +531,20 @@ func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone)
 		muxUpdates = append(muxUpdates, handlerWrapper{
 			domain:   customZone.Domain,
 			handler:  s.localResolver,
-			priority: PriorityLocal,
+			priority: PriorityMatchDomain,
 		})
 
+		// group all records under this domain
 		for _, record := range customZone.Records {
+			var class uint16 = dns.ClassINET
 			if record.Class != nbdns.DefaultClass {
 				log.Warnf("received an invalid class type: %s", record.Class)
 				continue
 			}
-			// zone records contain the fqdn, so we can just flatten them
-			localRecords = append(localRecords, record)
+
+			key := buildRecordKey(record.Name, class, uint16(record.Type))
+
+			localRecords[key] = append(localRecords[key], record)
 		}
 	}
 
@@ -566,7 +574,7 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 	groupedNS := groupNSGroupsByDomain(nameServerGroups)
 
 	for _, domainGroup := range groupedNS {
-		basePriority := PriorityUpstream
+		basePriority := PriorityMatchDomain
 		if domainGroup.domain == nbdns.RootZone {
 			basePriority = PriorityDefault
 		}
@@ -588,14 +596,10 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		// Decrement priority by handler index (0, 1, 2, ...) to avoid conflicts
 		priority := basePriority - i
 
-		// Check if we're about to overlap with the next priority tier.
-		// This boundary check ensures that the priority of upstream handlers does not conflict
-		// with the default priority tier. By decrementing the priority for each handler, we avoid
-		// overlaps, but if the calculated priority falls into the default tier, we skip the remaining
-		// handlers to maintain the integrity of the priority system.
-		if basePriority == PriorityUpstream && priority <= PriorityDefault {
+		// Check if we're about to overlap with the next priority tier
+		if basePriority == PriorityMatchDomain && priority <= PriorityDefault {
 			log.Warnf("too many handlers for domain=%s, would overlap with default priority tier (diff=%d). Skipping remaining handlers",
-				domainGroup.domain, PriorityUpstream-PriorityDefault)
+				domainGroup.domain, PriorityMatchDomain-PriorityDefault)
 			break
 		}
 
@@ -623,7 +627,7 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 		}
 
 		if len(handler.upstreamServers) == 0 {
-			handler.Stop()
+			handler.stop()
 			log.Errorf("received a nameserver group with an invalid nameserver list")
 			continue
 		}
@@ -652,7 +656,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	// this will introduce a short period of time when the server is not able to handle DNS requests
 	for _, existing := range s.dnsMuxMap {
 		s.deregisterHandler([]string{existing.domain}, existing.priority)
-		existing.handler.Stop()
+		existing.handler.stop()
 	}
 
 	muxUpdateMap := make(registeredHandlerMap)
@@ -663,7 +667,7 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 			containsRootUpdate = true
 		}
 		s.registerHandler([]string{update.domain}, update.handler, update.priority)
-		muxUpdateMap[update.handler.ID()] = update
+		muxUpdateMap[update.handler.id()] = update
 	}
 
 	// If there's no root update and we had a root handler, restore it
@@ -679,6 +683,33 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	s.dnsMuxMap = muxUpdateMap
 }
 
+func (s *DefaultServer) updateLocalResolver(update map[string][]nbdns.SimpleRecord) {
+	// remove old records that are no longer present
+	for key := range s.localResolver.registeredMap {
+		_, found := update[key]
+		if !found {
+			s.localResolver.deleteRecord(key)
+		}
+	}
+
+	updatedMap := make(registrationMap)
+	for _, recs := range update {
+		for _, rec := range recs {
+			// convert the record to a dns.RR and register
+			key, err := s.localResolver.registerRecord(rec)
+			if err != nil {
+				log.Warnf("got an error while registering the record (%s), error: %v",
+					rec.String(), err)
+				continue
+			}
+
+			updatedMap[key] = struct{}{}
+		}
+	}
+
+	s.localResolver.registeredMap = updatedMap
+}
+
 func getNSHostPort(ns nbdns.NameServer) string {
 	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
 }

client/internal/dns/server_test.go

@@ -23,9 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	pfmock "github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/internal/dns/local"
-	"github.com/netbirdio/netbird/client/internal/dns/test"
-	"github.com/netbirdio/netbird/client/internal/dns/types"
 	"github.com/netbirdio/netbird/client/internal/netflow"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
@@ -46,9 +43,10 @@ func (w *mocWGIface) Name() string {
 }
 
 func (w *mocWGIface) Address() wgaddr.Address {
+	ip, network, _ := net.ParseCIDR("100.66.100.0/24")
 	return wgaddr.Address{
-		IP:      netip.MustParseAddr("100.66.100.1"),
-		Network: netip.MustParsePrefix("100.66.100.0/24"),
+		IP:      ip,
+		Network: network,
 	}
 }
 
@@ -109,7 +107,6 @@ func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamRe
 }
 
 func TestUpdateDNSServer(t *testing.T) {
-
 	nameServers := []nbdns.NameServer{
 		{
 			IP:     netip.MustParseAddr("8.8.8.8"),
@@ -123,21 +120,22 @@ func TestUpdateDNSServer(t *testing.T) {
 		},
 	}
 
-	dummyHandler := local.NewResolver()
+	dummyHandler := &localResolver{}
 
 	testCases := []struct {
 		name                string
 		initUpstreamMap     registeredHandlerMap
-		initLocalRecords    []nbdns.SimpleRecord
+		initLocalMap        registrationMap
 		initSerial          uint64
 		inputSerial         uint64
 		inputUpdate         nbdns.Config
 		shouldFail          bool
 		expectedUpstreamMap registeredHandlerMap
-		expectedLocalQs     []dns.Question
+		expectedLocalMap    registrationMap
 	}{
 		{
 			name:            "Initial Config Should Succeed",
+			initLocalMap:    make(registrationMap),
 			initUpstreamMap: make(registeredHandlerMap),
 			initSerial:      0,
 			inputSerial:     1,
@@ -161,32 +159,32 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
-				dummyHandler.ID(): handlerWrapper{
+				dummyHandler.id(): handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityLocal,
+					priority: PriorityMatchDomain,
 				},
-				generateDummyHandler(".", nameServers).ID(): handlerWrapper{
+				generateDummyHandler(".", nameServers).id(): handlerWrapper{
 					domain:   nbdns.RootZone,
 					handler:  dummyHandler,
 					priority: PriorityDefault,
 				},
 			},
-			expectedLocalQs: []dns.Question{{Name: "peera.netbird.cloud.", Qtype: dns.TypeA, Qclass: dns.ClassINET}},
+			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
-			name:             "New Config Should Succeed",
-			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: 1, Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
+			name:         "New Config Should Succeed",
+			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
-					domain:   "netbird.cloud",
+				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
+					domain:   buildRecordKey(zoneRecords[0].Name, 1, 1),
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:  0,
@@ -207,33 +205,33 @@ func TestUpdateDNSServer(t *testing.T) {
 				},
 			},
 			expectedUpstreamMap: registeredHandlerMap{
-				generateDummyHandler("netbird.io", nameServers).ID(): handlerWrapper{
+				generateDummyHandler("netbird.io", nameServers).id(): handlerWrapper{
 					domain:   "netbird.io",
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				"local-resolver": handlerWrapper{
 					domain:   "netbird.cloud",
 					handler:  dummyHandler,
-					priority: PriorityLocal,
+					priority: PriorityMatchDomain,
 				},
 			},
-			expectedLocalQs: []dns.Question{{Name: zoneRecords[0].Name, Qtype: 1, Qclass: 1}},
+			expectedLocalMap: registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
 		},
 		{
-			name:             "Smaller Config Serial Should Be Skipped",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       2,
-			inputSerial:      1,
-			shouldFail:       true,
+			name:            "Smaller Config Serial Should Be Skipped",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      2,
+			inputSerial:     1,
+			shouldFail:      true,
 		},
 		{
-			name:             "Empty NS Group Domain Or Not Primary Element Should Fail",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       0,
-			inputSerial:      1,
+			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -251,11 +249,11 @@ func TestUpdateDNSServer(t *testing.T) {
 			shouldFail: true,
 		},
 		{
-			name:             "Invalid NS Group Nameservers list Should Fail",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       0,
-			inputSerial:      1,
+			name:            "Invalid NS Group Nameservers list Should Fail",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -273,11 +271,11 @@ func TestUpdateDNSServer(t *testing.T) {
 			shouldFail: true,
 		},
 		{
-			name:             "Invalid Custom Zone Records list Should Skip",
-			initLocalRecords: []nbdns.SimpleRecord{},
-			initUpstreamMap:  make(registeredHandlerMap),
-			initSerial:       0,
-			inputSerial:      1,
+			name:            "Invalid Custom Zone Records list Should Skip",
+			initLocalMap:    make(registrationMap),
+			initUpstreamMap: make(registeredHandlerMap),
+			initSerial:      0,
+			inputSerial:     1,
 			inputUpdate: nbdns.Config{
 				ServiceEnable: true,
 				CustomZones: []nbdns.CustomZone{
@@ -292,43 +290,43 @@ func TestUpdateDNSServer(t *testing.T) {
 					},
 				},
 			},
-			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).ID(): handlerWrapper{
+			expectedUpstreamMap: registeredHandlerMap{generateDummyHandler(".", nameServers).id(): handlerWrapper{
 				domain:   ".",
 				handler:  dummyHandler,
 				priority: PriorityDefault,
 			}},
 		},
 		{
-			name:             "Empty Config Should Succeed and Clean Maps",
-			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
+			name:         "Empty Config Should Succeed and Clean Maps",
+			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: true},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalQs:     []dns.Question{},
+			expectedLocalMap:    make(registrationMap),
 		},
 		{
-			name:             "Disabled Service Should clean map",
-			initLocalRecords: []nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}},
+			name:         "Disabled Service Should clean map",
+			initLocalMap: registrationMap{"netbird.cloud": struct{}{}},
 			initUpstreamMap: registeredHandlerMap{
-				generateDummyHandler(zoneRecords[0].Name, nameServers).ID(): handlerWrapper{
+				generateDummyHandler(zoneRecords[0].Name, nameServers).id(): handlerWrapper{
 					domain:   zoneRecords[0].Name,
 					handler:  dummyHandler,
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			initSerial:          0,
 			inputSerial:         1,
 			inputUpdate:         nbdns.Config{ServiceEnable: false},
 			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalQs:     []dns.Question{},
+			expectedLocalMap:    make(registrationMap),
 		},
 	}
 
@@ -379,7 +377,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			}()
 
 			dnsServer.dnsMuxMap = testCase.initUpstreamMap
-			dnsServer.localResolver.Update(testCase.initLocalRecords)
+			dnsServer.localResolver.registeredMap = testCase.initLocalMap
 			dnsServer.updateSerial = testCase.initSerial
 
 			err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate)
@@ -401,23 +399,15 @@ func TestUpdateDNSServer(t *testing.T) {
 				}
 			}
 
-			var responseMSG *dns.Msg
-			responseWriter := &test.MockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-			for _, q := range testCase.expectedLocalQs {
-				dnsServer.localResolver.ServeDNS(responseWriter, &dns.Msg{
-					Question: []dns.Question{q},
-				})
+			if len(dnsServer.localResolver.registeredMap) != len(testCase.expectedLocalMap) {
+				t.Fatalf("update local failed, registered map size is different than expected, want %d, got %d", len(testCase.expectedLocalMap), len(dnsServer.localResolver.registeredMap))
 			}
 
-			if len(testCase.expectedLocalQs) > 0 {
-				assert.NotNil(t, responseMSG, "response message should not be nil")
-				assert.Equal(t, dns.RcodeSuccess, responseMSG.Rcode, "response code should be success")
-				assert.NotEmpty(t, responseMSG.Answer, "response message should have answers")
+			for key := range testCase.expectedLocalMap {
+				_, found := dnsServer.localResolver.registeredMap[key]
+				if !found {
+					t.Fatalf("update local failed, key %s was not found in the localResolver.registeredMap: %#v", key, dnsServer.localResolver.registeredMap)
+				}
 			}
 		})
 	}
@@ -463,10 +453,17 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
 
+	_, ipNet, err := net.ParseCIDR("100.66.100.1/32")
+	if err != nil {
+		t.Errorf("parse CIDR: %v", err)
+		return
+	}
+
 	packetfilter := pfmock.NewMockPacketFilter(ctrl)
 	packetfilter.EXPECT().DropOutgoing(gomock.Any(), gomock.Any()).AnyTimes()
 	packetfilter.EXPECT().AddUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any())
 	packetfilter.EXPECT().RemovePacketHook(gomock.Any())
+	packetfilter.EXPECT().SetNetwork(ipNet)
 
 	if err := wgIface.SetFilter(packetfilter); err != nil {
 		t.Errorf("set packet filter: %v", err)
@@ -494,12 +491,11 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	dnsServer.dnsMuxMap = registeredHandlerMap{
 		"id1": handlerWrapper{
 			domain:   zoneRecords[0].Name,
-			handler:  &local.Resolver{},
-			priority: PriorityUpstream,
+			handler:  &localResolver{},
+			priority: PriorityMatchDomain,
 		},
 	}
-	//dnsServer.localResolver.RegisteredMap = local.RegistrationMap{local.BuildRecordKey("netbird.cloud", dns.ClassINET, dns.TypeA): struct{}{}}
-	dnsServer.localResolver.Update([]nbdns.SimpleRecord{{Name: "netbird.cloud", Type: int(dns.TypeA), Class: nbdns.DefaultClass, TTL: 300, RData: "10.0.0.1"}})
+	dnsServer.localResolver.registeredMap = registrationMap{"netbird.cloud": struct{}{}}
 	dnsServer.updateSerial = 0
 
 	nameServers := []nbdns.NameServer{
@@ -586,7 +582,7 @@ func TestDNSServerStartStop(t *testing.T) {
 			}
 			time.Sleep(100 * time.Millisecond)
 			defer dnsServer.Stop()
-			err = dnsServer.localResolver.RegisterRecord(zoneRecords[0])
+			_, err = dnsServer.localResolver.registerRecord(zoneRecords[0])
 			if err != nil {
 				t.Error(err)
 			}
@@ -634,11 +630,13 @@ func TestDNSServerStartStop(t *testing.T) {
 func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 	hostManager := &mockHostConfigurator{}
 	server := DefaultServer{
-		ctx:           context.Background(),
-		service:       NewServiceViaMemory(&mocWGIface{}),
-		localResolver: local.NewResolver(),
-		handlerChain:  NewHandlerChain(),
-		hostManager:   hostManager,
+		ctx:     context.Background(),
+		service: NewServiceViaMemory(&mocWGIface{}),
+		localResolver: &localResolver{
+			registeredMap: make(registrationMap),
+		},
+		handlerChain: NewHandlerChain(),
+		hostManager:  hostManager,
 		currentConfig: HostDNSConfig{
 			Domains: []DomainConfig{
 				{false, "domain0", false},
@@ -978,7 +976,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 	}
 
 	chain.AddHandler("example.com.", dnsRouteHandler, PriorityDNSRoute)
-	chain.AddHandler("example.com.", upstreamHandler, PriorityUpstream)
+	chain.AddHandler("example.com.", upstreamHandler, PriorityMatchDomain)
 
 	testCases := []struct {
 		name            string
@@ -1006,7 +1004,7 @@ func TestHandlerChain_DomainPriorities(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			r := new(dns.Msg)
 			r.SetQuestion(tc.query, dns.TypeA)
-			w := &ResponseWriterChain{ResponseWriter: &test.MockResponseWriter{}}
+			w := &ResponseWriterChain{ResponseWriter: &mockResponseWriter{}}
 
 			if mh, ok := tc.expectedHandler.(*MockHandler); ok {
 				mh.On("ServeDNS", mock.Anything, r).Once()
@@ -1039,9 +1037,9 @@ type mockHandler struct {
 }
 
 func (m *mockHandler) ServeDNS(dns.ResponseWriter, *dns.Msg) {}
-func (m *mockHandler) Stop()                                 {}
-func (m *mockHandler) ProbeAvailability()                    {}
-func (m *mockHandler) ID() types.HandlerID                   { return types.HandlerID(m.Id) }
+func (m *mockHandler) stop()                                 {}
+func (m *mockHandler) probeAvailability()                    {}
+func (m *mockHandler) id() handlerID                         { return handlerID(m.Id) }
 
 type mockService struct{}
 
@@ -1059,14 +1057,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
-			priority: PriorityUpstream - 1,
+			priority: PriorityMatchDomain - 1,
 		},
 	}
 
@@ -1093,21 +1091,21 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			handler: &mockHandler{
 				Id: "upstream-group1",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 		"upstream-group2": {
 			domain: "example.com",
 			handler: &mockHandler{
 				Id: "upstream-group2",
 			},
-			priority: PriorityUpstream - 1,
+			priority: PriorityMatchDomain - 1,
 		},
 		"upstream-other": {
 			domain: "other.com",
 			handler: &mockHandler{
 				Id: "upstream-other",
 			},
-			priority: PriorityUpstream,
+			priority: PriorityMatchDomain,
 		},
 	}
 
@@ -1115,7 +1113,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 		name             string
 		initialHandlers  registeredHandlerMap
 		updates          []handlerWrapper
-		expectedHandlers map[string]string // map[HandlerID]domain
+		expectedHandlers map[string]string // map[handlerID]domain
 		description      string
 	}{
 		{
@@ -1128,7 +1126,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1146,7 +1144,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1164,7 +1162,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group3",
 					},
-					priority: PriorityUpstream + 1,
+					priority: PriorityMatchDomain + 1,
 				},
 				// Keep existing groups with their original priorities
 				{
@@ -1172,14 +1170,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1199,14 +1197,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 				// Add group3 with lowest priority
 				{
@@ -1214,7 +1212,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group3",
 					},
-					priority: PriorityUpstream - 2,
+					priority: PriorityMatchDomain - 2,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1335,14 +1333,14 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "other.com",
 					handler: &mockHandler{
 						Id: "upstream-other",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1360,28 +1358,28 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 					handler: &mockHandler{
 						Id: "upstream-group1",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "example.com",
 					handler: &mockHandler{
 						Id: "upstream-group2",
 					},
-					priority: PriorityUpstream - 1,
+					priority: PriorityMatchDomain - 1,
 				},
 				{
 					domain: "other.com",
 					handler: &mockHandler{
 						Id: "upstream-other",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 				{
 					domain: "new.com",
 					handler: &mockHandler{
 						Id: "upstream-new",
 					},
-					priority: PriorityUpstream,
+					priority: PriorityMatchDomain,
 				},
 			},
 			expectedHandlers: map[string]string{
@@ -1411,7 +1409,7 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 
 			// Check each expected handler
 			for id, expectedDomain := range tt.expectedHandlers {
-				handler, exists := server.dnsMuxMap[types.HandlerID(id)]
+				handler, exists := server.dnsMuxMap[handlerID(id)]
 				assert.True(t, exists, "Expected handler %s not found", id)
 				if exists {
 					assert.Equal(t, expectedDomain, handler.domain,
@@ -1420,9 +1418,9 @@ func TestDefaultServer_UpdateMux(t *testing.T) {
 			}
 
 			// Verify no unexpected handlers exist
-			for HandlerID := range server.dnsMuxMap {
-				_, expected := tt.expectedHandlers[string(HandlerID)]
-				assert.True(t, expected, "Unexpected handler found: %s", HandlerID)
+			for handlerID := range server.dnsMuxMap {
+				_, expected := tt.expectedHandlers[string(handlerID)]
+				assert.True(t, expected, "Unexpected handler found: %s", handlerID)
 			}
 
 			// Verify the handlerChain state and order
@@ -1698,7 +1696,7 @@ func TestExtraDomains(t *testing.T) {
 				handlerChain:   NewHandlerChain(),
 				wgInterface:    &mocWGIface{},
 				hostManager:    mockHostConfig,
-				localResolver:  &local.Resolver{},
+				localResolver:  &localResolver{},
 				service:        mockSvc,
 				statusRecorder: peer.NewRecorder("test"),
 				extraDomains:   make(map[domain.Domain]int),
@@ -1783,7 +1781,7 @@ func TestExtraDomainsRefCounting(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &local.Resolver{},
+		localResolver:  &localResolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
@@ -1791,14 +1789,14 @@ func TestExtraDomainsRefCounting(t *testing.T) {
 
 	// Register domains from different handlers with same domain
 	server.RegisterHandler(domain.List{"*.shared.example.com"}, &MockHandler{}, PriorityDNSRoute)
-	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityUpstream)
+	server.RegisterHandler(domain.List{"shared.example.com."}, &MockHandler{}, PriorityMatchDomain)
 
 	// Verify refcount is 2
 	zoneKey := toZone("shared.example.com")
 	assert.Equal(t, 2, server.extraDomains[zoneKey], "Refcount should be 2 after registering same domain twice")
 
 	// Deregister one handler
-	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityUpstream)
+	server.DeregisterHandler(domain.List{"shared.example.com"}, PriorityMatchDomain)
 
 	// Verify refcount is 1
 	assert.Equal(t, 1, server.extraDomains[zoneKey], "Refcount should be 1 after deregistering one handler")
@@ -1835,7 +1833,7 @@ func TestUpdateConfigWithExistingExtraDomains(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &local.Resolver{},
+		localResolver:  &localResolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
@@ -1918,14 +1916,14 @@ func TestDomainCaseHandling(t *testing.T) {
 		ctx:            context.Background(),
 		handlerChain:   NewHandlerChain(),
 		hostManager:    mockHostConfig,
-		localResolver:  &local.Resolver{},
+		localResolver:  &localResolver{},
 		service:        mockSvc,
 		statusRecorder: peer.NewRecorder("test"),
 		extraDomains:   make(map[domain.Domain]int),
 	}
 
 	server.RegisterHandler(domain.List{"MIXED.example.com"}, &MockHandler{}, PriorityDefault)
-	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityUpstream)
+	server.RegisterHandler(domain.List{"mixed.EXAMPLE.com"}, &MockHandler{}, PriorityMatchDomain)
 
 	assert.Equal(t, 1, len(server.extraDomains), "Case differences should be normalized")
 
@@ -1945,111 +1943,3 @@ func TestDomainCaseHandling(t *testing.T) {
 	assert.Contains(t, domains, "config.example.com.", "Mixed case domain should be normalized and pre.sent")
 	assert.Contains(t, domains, "mixed.example.com.", "Mixed case domain should be normalized and present")
 }
-
-func TestLocalResolverPriorityInServer(t *testing.T) {
-	server := &DefaultServer{
-		ctx:           context.Background(),
-		wgInterface:   &mocWGIface{},
-		handlerChain:  NewHandlerChain(),
-		localResolver: local.NewResolver(),
-		service:       &mockService{},
-		extraDomains:  make(map[domain.Domain]int),
-	}
-
-	config := nbdns.Config{
-		ServiceEnable: true,
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain: "local.example.com",
-				Records: []nbdns.SimpleRecord{
-					{
-						Name:  "test.local.example.com",
-						Type:  int(dns.TypeA),
-						Class: nbdns.DefaultClass,
-						TTL:   300,
-						RData: "192.168.1.100",
-					},
-				},
-			},
-		},
-		NameServerGroups: []*nbdns.NameServerGroup{
-			{
-				Domains: []string{"local.example.com"}, // Same domain as local records
-				NameServers: []nbdns.NameServer{
-					{
-						IP:     netip.MustParseAddr("8.8.8.8"),
-						NSType: nbdns.UDPNameServerType,
-						Port:   53,
-					},
-				},
-			},
-		},
-	}
-
-	localMuxUpdates, _, err := server.buildLocalHandlerUpdate(config.CustomZones)
-	assert.NoError(t, err)
-
-	upstreamMuxUpdates, err := server.buildUpstreamHandlerUpdate(config.NameServerGroups)
-	assert.NoError(t, err)
-
-	// Verify that local handler has higher priority than upstream for same domain
-	var localPriority, upstreamPriority int
-	localFound, upstreamFound := false, false
-
-	for _, update := range localMuxUpdates {
-		if update.domain == "local.example.com" {
-			localPriority = update.priority
-			localFound = true
-		}
-	}
-
-	for _, update := range upstreamMuxUpdates {
-		if update.domain == "local.example.com" {
-			upstreamPriority = update.priority
-			upstreamFound = true
-		}
-	}
-
-	assert.True(t, localFound, "Local handler should be found")
-	assert.True(t, upstreamFound, "Upstream handler should be found")
-	assert.Greater(t, localPriority, upstreamPriority,
-		"Local handler priority (%d) should be higher than upstream priority (%d)",
-		localPriority, upstreamPriority)
-	assert.Equal(t, PriorityLocal, localPriority, "Local handler should use PriorityLocal")
-	assert.Equal(t, PriorityUpstream, upstreamPriority, "Upstream handler should use PriorityUpstream")
-}
-
-func TestLocalResolverPriorityConstants(t *testing.T) {
-	// Test that priority constants are ordered correctly
-	assert.Greater(t, PriorityLocal, PriorityDNSRoute, "Local priority should be higher than DNS route")
-	assert.Greater(t, PriorityLocal, PriorityUpstream, "Local priority should be higher than upstream")
-	assert.Greater(t, PriorityUpstream, PriorityDefault, "Upstream priority should be higher than default")
-
-	// Test that local resolver uses the correct priority
-	server := &DefaultServer{
-		localResolver: local.NewResolver(),
-	}
-
-	config := nbdns.Config{
-		CustomZones: []nbdns.CustomZone{
-			{
-				Domain: "local.example.com",
-				Records: []nbdns.SimpleRecord{
-					{
-						Name:  "test.local.example.com",
-						Type:  int(dns.TypeA),
-						Class: nbdns.DefaultClass,
-						TTL:   300,
-						RData: "192.168.1.100",
-					},
-				},
-			},
-		},
-	}
-
-	localMuxUpdates, _, err := server.buildLocalHandlerUpdate(config.CustomZones)
-	assert.NoError(t, err)
-	assert.Len(t, localMuxUpdates, 1)
-	assert.Equal(t, PriorityLocal, localMuxUpdates[0].priority, "Local handler should use PriorityLocal")
-	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
-}

client/internal/dns/service_memory.go

@@ -24,15 +24,11 @@ type ServiceViaMemory struct {
 }
 
 func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
-	lastIP, err := nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1)
-	if err != nil {
-		log.Errorf("get last ip from network: %v", err)
-	}
 	s := &ServiceViaMemory{
 		wgInterface: wgIface,
 		dnsMux:      dns.NewServeMux(),
 
-		runtimeIP:   lastIP.String(),
+		runtimeIP:   nbnet.GetLastIPFromNetwork(wgIface.Address().Network, 1).String(),
 		runtimePort: defaultPort,
 	}
 	return s
@@ -95,7 +91,7 @@ func (s *ServiceViaMemory) filterDNSTraffic() (string, error) {
 	}
 
 	firstLayerDecoder := layers.LayerTypeIPv4
-	if s.wgInterface.Address().IP.Is6() {
+	if s.wgInterface.Address().Network.IP.To4() == nil {
 		firstLayerDecoder = layers.LayerTypeIPv6
 	}
 

client/internal/dns/service_memory_test.go

@@ -0,0 +1,33 @@
+package dns
+
+import (
+	"net"
+	"testing"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+func TestGetLastIPFromNetwork(t *testing.T) {
+	tests := []struct {
+		addr string
+		ip   string
+	}{
+		{"2001:db8::/32", "2001:db8:ffff:ffff:ffff:ffff:ffff:fffe"},
+		{"192.168.0.0/30", "192.168.0.2"},
+		{"192.168.0.0/16", "192.168.255.254"},
+		{"192.168.0.0/24", "192.168.0.254"},
+	}
+
+	for _, tt := range tests {
+		_, ipnet, err := net.ParseCIDR(tt.addr)
+		if err != nil {
+			t.Errorf("Error parsing CIDR: %v", err)
+			return
+		}
+
+		lastIP := nbnet.GetLastIPFromNetwork(ipnet, 1).String()
+		if lastIP != tt.ip {
+			t.Errorf("wrong IP address, expected %s: got %s", tt.ip, lastIP)
+		}
+	}
+}

client/internal/dns/systemd_linux.go

@@ -30,12 +30,9 @@ const (
 	systemdDbusSetDNSMethodSuffix          = systemdDbusLinkInterface + ".SetDNS"
 	systemdDbusSetDefaultRouteMethodSuffix = systemdDbusLinkInterface + ".SetDefaultRoute"
 	systemdDbusSetDomainsMethodSuffix      = systemdDbusLinkInterface + ".SetDomains"
-	systemdDbusSetDNSSECMethodSuffix       = systemdDbusLinkInterface + ".SetDNSSEC"
 	systemdDbusResolvConfModeForeign       = "foreign"
 
 	dbusErrorUnknownObject = "org.freedesktop.DBus.Error.UnknownObject"
-
-	dnsSecDisabled = "no"
 )
 
 type systemdDbusConfigurator struct {
@@ -98,13 +95,9 @@ func (s *systemdDbusConfigurator) applyDNSConfig(config HostDNSConfig, stateMana
 		Family:  unix.AF_INET,
 		Address: ipAs4[:],
 	}
-	if err = s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput}); err != nil {
-		return fmt.Errorf("set interface DNS server %s:%d: %w", config.ServerIP, config.ServerPort, err)
-	}
-
-	// We don't support dnssec. On some machines this is default on so we explicitly set it to off
-	if err = s.callLinkMethod(systemdDbusSetDNSSECMethodSuffix, dnsSecDisabled); err != nil {
-		log.Warnf("failed to set DNSSEC to 'no': %v", err)
+	err = s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput})
+	if err != nil {
+		return fmt.Errorf("setting the interface DNS server %s:%d failed with error: %w", config.ServerIP, config.ServerPort, err)
 	}
 
 	var (

client/internal/dns/test/mock.go

@@ -1,26 +0,0 @@
-package test
-
-import (
-	"net"
-
-	"github.com/miekg/dns"
-)
-
-type MockResponseWriter struct {
-	WriteMsgFunc func(m *dns.Msg) error
-}
-
-func (rw *MockResponseWriter) WriteMsg(m *dns.Msg) error {
-	if rw.WriteMsgFunc != nil {
-		return rw.WriteMsgFunc(m)
-	}
-	return nil
-}
-
-func (rw *MockResponseWriter) LocalAddr() net.Addr       { return nil }
-func (rw *MockResponseWriter) RemoteAddr() net.Addr      { return nil }
-func (rw *MockResponseWriter) Write([]byte) (int, error) { return 0, nil }
-func (rw *MockResponseWriter) Close() error              { return nil }
-func (rw *MockResponseWriter) TsigStatus() error         { return nil }
-func (rw *MockResponseWriter) TsigTimersOnly(bool)       {}
-func (rw *MockResponseWriter) Hijack()                   {}

client/internal/dns/types/types.go

@@ -1,3 +0,0 @@
-package types
-
-type HandlerID string