[client] Enhance GPO DNS policy handling by deleting empty keys (#4391)

refactor doc workflow (#4373)

.github/workflows/docs-ack.yml

@@ -16,19 +16,29 @@ jobs:
     steps:
       - name: Read PR body
         id: body
+        shell: bash
         run: |
-          BODY=$(jq -r '.pull_request.body // ""' "$GITHUB_EVENT_PATH")
-          echo "body<<EOF" >> $GITHUB_OUTPUT
-          echo "$BODY" >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
+          set -euo pipefail
+          BODY_B64=$(jq -r '.pull_request.body // "" | @base64' "$GITHUB_EVENT_PATH")
+          {
+            echo "body_b64=$BODY_B64"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Validate checkbox selection
         id: validate
+        shell: bash
+        env:
+          BODY_B64: ${{ steps.body.outputs.body_b64 }}
         run: |
-          body='${{ steps.body.outputs.body }}'
+          set -euo pipefail
+          if ! body="$(printf '%s' "$BODY_B64" | base64 -d)"; then
+            echo "::error::Failed to decode PR body from base64. Data may be corrupted or missing."
+            exit 1
+          fi
+
+          added_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*I added/updated documentation' | wc -l | tr -d '[:space:]' || true)
+          noneed_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*Documentation is \*\*not needed\*\*' | wc -l | tr -d '[:space:]' || true)
 
-          added_checked=$(printf "%s" "$body" | grep -E '^- \[x\] I added/updated documentation' -i | wc -l | tr -d ' ')
-          noneed_checked=$(printf "%s" "$body" | grep -E '^- \[x\] Documentation is \*\*not needed\*\*' -i | wc -l | tr -d ' ')
 
           if [ "$added_checked" -eq 1 ] && [ "$noneed_checked" -eq 1 ]; then
             echo "::error::Choose exactly one: either 'docs added' OR 'not needed'."
@@ -41,30 +51,35 @@ jobs:
           fi
 
           if [ "$added_checked" -eq 1 ]; then
-            echo "mode=added" >> $GITHUB_OUTPUT
+            echo "mode=added" >> "$GITHUB_OUTPUT"
           else
-            echo "mode=noneed" >> $GITHUB_OUTPUT
+            echo "mode=noneed" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Extract docs PR URL (when 'docs added')
         if: steps.validate.outputs.mode == 'added'
         id: extract
+        shell: bash
+        env:
+          BODY_B64: ${{ steps.body.outputs.body_b64 }}
         run: |
-          body='${{ steps.body.outputs.body }}'
+          set -euo pipefail
+          body="$(printf '%s' "$BODY_B64" | base64 -d)"
 
           # Strictly require HTTPS and that it's a PR in netbirdio/docs
-          # Examples accepted:
-          #   https://github.com/netbirdio/docs/pull/1234
-          url=$(printf "%s" "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)
+          # e.g., https://github.com/netbirdio/docs/pull/1234
+          url="$(printf '%s' "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)"
 
-          if [ -z "$url" ]; then
+          if [ -z "${url:-}" ]; then
             echo "::error::You checked 'docs added' but didn't include a valid HTTPS PR link to netbirdio/docs (e.g., https://github.com/netbirdio/docs/pull/1234)."
             exit 1
           fi
 
-          pr_number=$(echo "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')
-          echo "url=$url" >> $GITHUB_OUTPUT
-          echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
+          pr_number="$(printf '%s' "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')"
+          {
+            echo "url=$url"
+            echo "pr_number=$pr_number"
+          } >> "$GITHUB_OUTPUT"
 
       - name: Verify docs PR exists (and is open or merged)
         if: steps.validate.outputs.mode == 'added'

.github/workflows/golang-test-freebsd.yml

@@ -25,8 +25,7 @@ jobs:
           release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            LATEST_VERSION=$(curl -s https://go.dev/VERSION?m=text|head -n 1)
-            GO_TARBALL="$LATEST_VERSION.freebsd-amd64.tar.gz"
+            GO_TARBALL="go1.23.12.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
             tar -C /usr/local -vxzf "$GO_TARBALL"            

.github/workflows/test-infrastructure-files.yml

@@ -83,6 +83,15 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Setup MySQL privileges
+        if: matrix.store == 'mysql'
+        run: |
+          sleep 10
+          mysql -h 127.0.0.1 -u root -pmysqlroot -e "
+            GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'netbird'@'%';
+            FLUSH PRIVILEGES;
+          "
+
       - name: cp setup.env
         run: cp infrastructure_files/tests/setup.env infrastructure_files/
 

client/android/client.go

@@ -4,6 +4,7 @@ package android
 
 import (
 	"context"
+	"slices"
 	"sync"
 
 	log "github.com/sirupsen/logrus"
@@ -112,7 +113,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -138,7 +139,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 
 // Stop the internal client and free the resources
@@ -235,7 +236,7 @@ func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 		return err
 	}
 
-	dnsServer.OnUpdatedHostDNSServer(list.items)
+	dnsServer.OnUpdatedHostDNSServer(slices.Clone(list.items))
 	return nil
 }
 

client/android/dns_list.go

@@ -1,23 +1,34 @@
 package android
 
-import "fmt"
+import (
+	"fmt"
+	"net/netip"
 
-// DNSList is a wrapper of []string
+	"github.com/netbirdio/netbird/client/internal/dns"
+)
+
+// DNSList is a wrapper of []netip.AddrPort with default DNS port
 type DNSList struct {
-	items []string
+	items []netip.AddrPort
 }
 
-// Add new DNS address to the collection
-func (array *DNSList) Add(s string) {
-	array.items = append(array.items, s)
+// Add new DNS address to the collection, returns error if invalid
+func (array *DNSList) Add(s string) error {
+	addr, err := netip.ParseAddr(s)
+	if err != nil {
+		return fmt.Errorf("invalid DNS address: %s", s)
+	}
+	addrPort := netip.AddrPortFrom(addr.Unmap(), dns.DefaultPort)
+	array.items = append(array.items, addrPort)
+	return nil
 }
 
-// Get return an element of the collection
+// Get return an element of the collection as string
 func (array *DNSList) Get(i int) (string, error) {
 	if i >= len(array.items) || i < 0 {
 		return "", fmt.Errorf("out of range")
 	}
-	return array.items[i], nil
+	return array.items[i].Addr().String(), nil
 }
 
 // Size return with the size of the collection

client/android/dns_list_test.go

@@ -3,20 +3,30 @@ package android
 import "testing"
 
 func TestDNSList_Get(t *testing.T) {
-	l := DNSList{
-		items: make([]string, 1),
+	l := DNSList{}
+
+	// Add a valid DNS address
+	err := l.Add("8.8.8.8")
+	if err != nil {
+		t.Errorf("unexpected error: %s", err)
 	}
 
-	_, err := l.Get(0)
+	// Test getting valid index
+	addr, err := l.Get(0)
 	if err != nil {
 		t.Errorf("invalid error: %s", err)
 	}
+	if addr != "8.8.8.8" {
+		t.Errorf("expected 8.8.8.8, got %s", addr)
+	}
 
+	// Test negative index
 	_, err = l.Get(-1)
 	if err == nil {
 		t.Errorf("expected error but got nil")
 	}
 
+	// Test out of bounds index
 	_, err = l.Get(1)
 	if err == nil {
 		t.Errorf("expected error but got nil")

client/cmd/debug.go

@@ -33,7 +33,7 @@ var (
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debugging commands",
-	Long:  "Provides commands for debugging and logging control within the NetBird daemon.",
+	Long:  "Commands for debugging and logging within the NetBird daemon.",
 }
 
 var debugBundleCmd = &cobra.Command{

client/cmd/down.go

@@ -14,7 +14,8 @@ import (
 
 var downCmd = &cobra.Command{
 	Use:   "down",
-	Short: "down netbird connections",
+	Short: "Disconnect from the NetBird network",
+	Long:  "Disconnect the NetBird client from the network and management service. This will terminate all active connections with the remote peers.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 

client/cmd/login.go

@@ -31,7 +31,8 @@ func init() {
 
 var loginCmd = &cobra.Command{
 	Use:   "login",
-	Short: "login to the NetBird Management Service (first run)",
+	Short: "Log in to the NetBird network",
+	Long:  "Log in to the NetBird network using a setup key or SSO",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := setEnvAndFlags(cmd); err != nil {
 			return fmt.Errorf("set env and flags: %v", err)

client/cmd/logout.go

@@ -14,7 +14,8 @@ import (
 var logoutCmd = &cobra.Command{
 	Use:     "deregister",
 	Aliases: []string{"logout"},
-	Short:   "deregister from the NetBird Management Service and delete peer",
+	Short:   "Deregister from the NetBird management service and delete this peer",
+	Long:    "This command will deregister the current peer from the NetBird management service and all associated configuration. Use with caution as this will remove the peer from the network.",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 

client/cmd/networks.go

@@ -15,7 +15,7 @@ var appendFlag bool
 var networksCMD = &cobra.Command{
 	Use:     "networks",
 	Aliases: []string{"routes"},
-	Short:   "Manage networks",
+	Short:   "Manage connections to NetBird Networks and Resources",
 	Long:    `Commands to list, select, or deselect networks. Replaces the "routes" command.`,
 }
 

client/cmd/profile.go

@@ -16,13 +16,13 @@ import (
 
 var profileCmd = &cobra.Command{
 	Use:   "profile",
-	Short: "manage NetBird profiles",
-	Long:  `Manage NetBird profiles, allowing you to list, switch, and remove profiles.`,
+	Short: "Manage NetBird client profiles",
+	Long:  `Commands to list, add, remove, and switch profiles. Profiles allow you to maintain different accounts in one client app.`,
 }
 
 var profileListCmd = &cobra.Command{
 	Use:     "list",
-	Short:   "list all profiles",
+	Short:   "List all profiles",
 	Long:    `List all available profiles in the NetBird client.`,
 	Aliases: []string{"ls"},
 	RunE:    listProfilesFunc,
@@ -30,7 +30,7 @@ var profileListCmd = &cobra.Command{
 
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
-	Short: "add a new profile",
+	Short: "Add a new profile",
 	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
@@ -38,16 +38,16 @@ var profileAddCmd = &cobra.Command{
 
 var profileRemoveCmd = &cobra.Command{
 	Use:   "remove <profile_name>",
-	Short: "remove a profile",
-	Long:  `Remove a profile from the NetBird client. The profile must not be active.`,
+	Short: "Remove a profile",
+	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  removeProfileFunc,
 }
 
 var profileSelectCmd = &cobra.Command{
 	Use:   "select <profile_name>",
-	Short: "select a profile",
-	Long:  `Select a profile to be the active profile in the NetBird client. The profile must exist.`,
+	Short: "Select a profile",
+	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }

client/cmd/root.go

@@ -73,6 +73,7 @@ var (
 	dnsRouteInterval        time.Duration
 	lazyConnEnabled         bool
 	profilesDisabled        bool
+	updateSettingsDisabled  bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",

client/cmd/service.go

@@ -19,7 +19,7 @@ import (
 
 var serviceCmd = &cobra.Command{
 	Use:   "service",
-	Short: "manages NetBird service",
+	Short: "Manage the NetBird daemon service",
 }
 
 var (
@@ -42,7 +42,8 @@ func init() {
 	}
 
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
-	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile.")
+	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
+	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -49,6 +49,14 @@ func buildServiceArguments() []string {
 		args = append(args, "--log-file", logFile)
 	}
 
+	if profilesDisabled {
+		args = append(args, "--disable-profiles")
+	}
+
+	if updateSettingsDisabled {
+		args = append(args, "--disable-update-settings")
+	}
+
 	return args
 }
 
@@ -99,7 +107,7 @@ func createServiceConfigForInstall() (*service.Config, error) {
 
 var installCmd = &cobra.Command{
 	Use:   "install",
-	Short: "installs NetBird service",
+	Short: "Install NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := setupServiceCommand(cmd); err != nil {
 			return err

client/cmd/ssh.go

@@ -40,7 +40,7 @@ var sshCmd = &cobra.Command{
 
 		return nil
 	},
-	Short: "connect to a remote SSH server",
+	Short: "Connect to a remote SSH server",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 		SetFlagsFromEnvVars(cmd)

client/cmd/status.go

@@ -32,7 +32,8 @@ var (
 
 var statusCmd = &cobra.Command{
 	Use:   "status",
-	Short: "status of the Netbird Service",
+	Short: "Display NetBird client status",
+	Long:  "Display the current status of the NetBird client, including connection status, peer information, and network details.",
 	RunE:  statusFunc,
 }
 

client/cmd/testutil_test.go

@@ -10,7 +10,9 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 
+	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
@@ -26,15 +28,15 @@ import (
 
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
-	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	mgmt "github.com/netbirdio/netbird/management/server"
+	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	sigProto "github.com/netbirdio/netbird/shared/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
 )
 
 func startTestingServices(t *testing.T) string {
 	t.Helper()
-	config := &types.Config{}
+	config := &config.Config{}
 	_, err := util.ReadJson("../testdata/management.json", config)
 	if err != nil {
 		t.Fatal(err)
@@ -69,7 +71,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }
 
-func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *config.Config, testFile string) (*grpc.Server, net.Listener) {
 	t.Helper()
 
 	lis, err := net.Listen("tcp", ":0")
@@ -97,6 +99,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
+	groupsManager := groups.NewManagerMock()
 
 	settingsMockManager.EXPECT().
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
@@ -108,7 +111,7 @@ func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc
 		t.Fatal(err)
 	}
 
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
+	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
 	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
@@ -134,7 +137,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false)
+		"", "", false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -53,7 +53,8 @@ var (
 
 	upCmd = &cobra.Command{
 		Use:   "up",
-		Short: "install, login and start NetBird client",
+		Short: "Connect to the NetBird network",
+		Long:  "Connect to the NetBird network using the provided setup key or SSO auth. This command will bring up the WireGuard interface, connect to the management server, and establish peer-to-peer connections with other peers in the network if required.",
 		RunE:  upFunc,
 	}
 )

client/cmd/version.go

@@ -9,7 +9,7 @@ import (
 var (
 	versionCmd = &cobra.Command{
 		Use:   "version",
-		Short: "prints NetBird version",
+		Short: "Print the NetBird's client application version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
 			cmd.Println(version.NetbirdVersion())

client/firewall/iptables/acl_linux.go

@@ -85,7 +85,7 @@ func (m *aclManager) AddPeerFiltering(
 ) ([]firewall.Rule, error) {
 	chain := chainNameInputRules
 
-	ipsetName = transformIPsetName(ipsetName, sPort, dPort)
+	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
 	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
 
 	mangleSpecs := slices.Clone(specs)
@@ -135,7 +135,14 @@ func (m *aclManager) AddPeerFiltering(
 		return nil, fmt.Errorf("rule already exists")
 	}
 
-	if err := m.iptablesClient.Append(tableFilter, chain, specs...); err != nil {
+	// Insert DROP rules at the beginning, append ACCEPT rules at the end
+	if action == firewall.ActionDrop {
+		// Insert at the beginning of the chain (position 1)
+		err = m.iptablesClient.Insert(tableFilter, chain, 1, specs...)
+	} else {
+		err = m.iptablesClient.Append(tableFilter, chain, specs...)
+	}
+	if err != nil {
 		return nil, err
 	}
 
@@ -388,17 +395,25 @@ func actionToStr(action firewall.Action) string {
 	return "DROP"
 }
 
-func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port) string {
-	switch {
-	case ipsetName == "":
+func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action firewall.Action) string {
+	if ipsetName == "" {
 		return ""
+	}
+
+	// Include action in the ipset name to prevent squashing rules with different actions
+	actionSuffix := ""
+	if action == firewall.ActionDrop {
+		actionSuffix = "-drop"
+	}
+
+	switch {
 	case sPort != nil && dPort != nil:
-		return ipsetName + "-sport-dport"
+		return ipsetName + "-sport-dport" + actionSuffix
 	case sPort != nil:
-		return ipsetName + "-sport"
+		return ipsetName + "-sport" + actionSuffix
 	case dPort != nil:
-		return ipsetName + "-dport"
+		return ipsetName + "-dport" + actionSuffix
 	default:
-		return ipsetName
+		return ipsetName + actionSuffix
 	}
 }

client/firewall/iptables/manager_linux_test.go

@@ -3,6 +3,7 @@ package iptables
 import (
 	"fmt"
 	"net/netip"
+	"strings"
 	"testing"
 	"time"
 
@@ -15,7 +16,7 @@ import (
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
-		return "lo"
+		return "wg-test"
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
@@ -109,10 +110,84 @@ func TestIptablesManager(t *testing.T) {
 	})
 }
 
+func TestIptablesManagerDenyRules(t *testing.T) {
+	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	require.NoError(t, err)
+
+	manager, err := Create(ifaceMock)
+	require.NoError(t, err)
+	require.NoError(t, manager.Init(nil))
+
+	defer func() {
+		err := manager.Close(nil)
+		require.NoError(t, err)
+	}()
+
+	t.Run("add deny rule", func(t *testing.T) {
+		ip := netip.MustParseAddr("10.20.0.3")
+		port := &fw.Port{Values: []uint16{22}}
+
+		rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-ssh")
+		require.NoError(t, err, "failed to add deny rule")
+		require.NotEmpty(t, rule, "deny rule should not be empty")
+
+		// Verify the rule was added by checking iptables
+		for _, r := range rule {
+			rr := r.(*Rule)
+			checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
+		}
+	})
+
+	t.Run("deny rule precedence test", func(t *testing.T) {
+		ip := netip.MustParseAddr("10.20.0.4")
+		port := &fw.Port{Values: []uint16{80}}
+
+		// Add accept rule first
+		_, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "accept-http")
+		require.NoError(t, err, "failed to add accept rule")
+
+		// Add deny rule second for same IP/port - this should take precedence
+		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-http")
+		require.NoError(t, err, "failed to add deny rule")
+
+		// Inspect the actual iptables rules to verify deny rule comes before accept rule
+		rules, err := ipv4Client.List("filter", chainNameInputRules)
+		require.NoError(t, err, "failed to list iptables rules")
+
+		// Debug: print all rules
+		t.Logf("All iptables rules in chain %s:", chainNameInputRules)
+		for i, rule := range rules {
+			t.Logf("  [%d] %s", i, rule)
+		}
+
+		var denyRuleIndex, acceptRuleIndex int = -1, -1
+		for i, rule := range rules {
+			if strings.Contains(rule, "DROP") {
+				t.Logf("Found DROP rule at index %d: %s", i, rule)
+				if strings.Contains(rule, "deny-http") && strings.Contains(rule, "80") {
+					denyRuleIndex = i
+				}
+			}
+			if strings.Contains(rule, "ACCEPT") {
+				t.Logf("Found ACCEPT rule at index %d: %s", i, rule)
+				if strings.Contains(rule, "accept-http") && strings.Contains(rule, "80") {
+					acceptRuleIndex = i
+				}
+			}
+		}
+
+		require.NotEqual(t, -1, denyRuleIndex, "deny rule should exist in iptables")
+		require.NotEqual(t, -1, acceptRuleIndex, "accept rule should exist in iptables")
+		require.Less(t, denyRuleIndex, acceptRuleIndex,
+			"deny rule should come before accept rule in iptables chain (deny at index %d, accept at index %d)",
+			denyRuleIndex, acceptRuleIndex)
+	})
+}
+
 func TestIptablesManagerIPSet(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "lo"
+			return "wg-test"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
@@ -176,7 +251,7 @@ func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, chainName strin
 func TestIptablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "lo"
+			return "wg-test"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{

client/firewall/nftables/acl_linux.go

@@ -341,30 +341,38 @@ func (m *AclManager) addIOFiltering(
 	userData := []byte(ruleId)
 
 	chain := m.chainInputRules
-	nftRule := m.rConn.AddRule(&nftables.Rule{
+	rule := &nftables.Rule{
 		Table:    m.workTable,
 		Chain:    chain,
 		Exprs:    mainExpressions,
 		UserData: userData,
-	})
+	}
+
+	// Insert DROP rules at the beginning, append ACCEPT rules at the end
+	var nftRule *nftables.Rule
+	if action == firewall.ActionDrop {
+		nftRule = m.rConn.InsertRule(rule)
+	} else {
+		nftRule = m.rConn.AddRule(rule)
+	}
 
 	if err := m.rConn.Flush(); err != nil {
 		return nil, fmt.Errorf(flushError, err)
 	}
 
-	rule := &Rule{
+	ruleStruct := &Rule{
 		nftRule:    nftRule,
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
 		ip:         ip,
 	}
-	m.rules[ruleId] = rule
+	m.rules[ruleId] = ruleStruct
 	if ipset != nil {
 		m.ipsetStore.AddReferenceToIpset(ipset.Name)
 	}
 
-	return rule, nil
+	return ruleStruct, nil
 }
 
 func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byte) *nftables.Rule {

client/firewall/nftables/manager_linux_test.go

@@ -2,6 +2,7 @@ package nftables
 
 import (
 	"bytes"
+	"encoding/binary"
 	"fmt"
 	"net/netip"
 	"os/exec"
@@ -20,7 +21,7 @@ import (
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
-		return "lo"
+		return "wg-test"
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
@@ -103,9 +104,8 @@ func TestNftablesManager(t *testing.T) {
 			Kind: expr.VerdictAccept,
 		},
 	}
-	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
-
-	expectedExprs2 := []expr.Any{
+	// Since DROP rules are inserted at position 0, the DROP rule comes first
+	expectedDropExprs := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
@@ -141,7 +141,12 @@ func TestNftablesManager(t *testing.T) {
 		},
 		&expr.Verdict{Kind: expr.VerdictDrop},
 	}
-	require.ElementsMatch(t, rules[1].Exprs, expectedExprs2, "expected the same expressions")
+
+	// Compare DROP rule at position 0 (inserted first due to InsertRule)
+	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedDropExprs)
+
+	// Compare connection tracking rule at position 1 (pushed down by DROP rule insertion)
+	compareExprsIgnoringCounters(t, rules[1].Exprs, expectedExprs1)
 
 	for _, r := range rule {
 		err = manager.DeletePeerRule(r)
@@ -160,10 +165,90 @@ func TestNftablesManager(t *testing.T) {
 	require.NoError(t, err, "failed to reset")
 }
 
+func TestNftablesManagerRuleOrder(t *testing.T) {
+	// This test verifies rule insertion order in nftables peer ACLs
+	// We add accept rule first, then deny rule to test ordering behavior
+	manager, err := Create(ifaceMock)
+	require.NoError(t, err)
+	require.NoError(t, manager.Init(nil))
+
+	defer func() {
+		err = manager.Close(nil)
+		require.NoError(t, err)
+	}()
+
+	ip := netip.MustParseAddr("100.96.0.2").Unmap()
+	testClient := &nftables.Conn{}
+
+	// Add accept rule first
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "accept-http")
+	require.NoError(t, err, "failed to add accept rule")
+
+	// Add deny rule second for the same traffic
+	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop, "deny-http")
+	require.NoError(t, err, "failed to add deny rule")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
+	require.NoError(t, err, "failed to get rules")
+
+	t.Logf("Found %d rules in nftables chain", len(rules))
+
+	// Find the accept and deny rules and verify deny comes before accept
+	var acceptRuleIndex, denyRuleIndex int = -1, -1
+	for i, rule := range rules {
+		hasAcceptHTTPSet := false
+		hasDenyHTTPSet := false
+		hasPort80 := false
+		var action string
+
+		for _, e := range rule.Exprs {
+			// Check for set lookup
+			if lookup, ok := e.(*expr.Lookup); ok {
+				if lookup.SetName == "accept-http" {
+					hasAcceptHTTPSet = true
+				} else if lookup.SetName == "deny-http" {
+					hasDenyHTTPSet = true
+				}
+			}
+			// Check for port 80
+			if cmp, ok := e.(*expr.Cmp); ok {
+				if cmp.Op == expr.CmpOpEq && len(cmp.Data) == 2 && binary.BigEndian.Uint16(cmp.Data) == 80 {
+					hasPort80 = true
+				}
+			}
+			// Check for verdict
+			if verdict, ok := e.(*expr.Verdict); ok {
+				if verdict.Kind == expr.VerdictAccept {
+					action = "ACCEPT"
+				} else if verdict.Kind == expr.VerdictDrop {
+					action = "DROP"
+				}
+			}
+		}
+
+		if hasAcceptHTTPSet && hasPort80 && action == "ACCEPT" {
+			t.Logf("Rule [%d]: accept-http set + Port 80 + ACCEPT", i)
+			acceptRuleIndex = i
+		} else if hasDenyHTTPSet && hasPort80 && action == "DROP" {
+			t.Logf("Rule [%d]: deny-http set + Port 80 + DROP", i)
+			denyRuleIndex = i
+		}
+	}
+
+	require.NotEqual(t, -1, acceptRuleIndex, "accept rule should exist in nftables")
+	require.NotEqual(t, -1, denyRuleIndex, "deny rule should exist in nftables")
+	require.Less(t, denyRuleIndex, acceptRuleIndex,
+		"deny rule should come before accept rule in nftables chain (deny at index %d, accept at index %d)",
+		denyRuleIndex, acceptRuleIndex)
+}
+
 func TestNFtablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "lo"
+			return "wg-test"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{

client/firewall/uspfilter/allow_netbird.go

@@ -18,6 +18,7 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	defer m.mutex.Unlock()
 
 	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 
 	if m.udpTracker != nil {

client/firewall/uspfilter/allow_netbird_windows.go

@@ -27,6 +27,7 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	defer m.mutex.Unlock()
 
 	m.outgoingRules = make(map[netip.Addr]RuleSet)
+	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 
 	if m.udpTracker != nil {

client/firewall/uspfilter/filter.go

@@ -70,14 +70,13 @@ func (r RouteRules) Sort() {
 
 // Manager userspace firewall manager
 type Manager struct {
-	// outgoingRules is used for hooks only
-	outgoingRules map[netip.Addr]RuleSet
-	// incomingRules is used for filtering and hooks
-	incomingRules  map[netip.Addr]RuleSet
-	routeRules     RouteRules
-	decoders       sync.Pool
-	wgIface        common.IFaceMapper
-	nativeFirewall firewall.Manager
+	outgoingRules     map[netip.Addr]RuleSet
+	incomingDenyRules map[netip.Addr]RuleSet
+	incomingRules     map[netip.Addr]RuleSet
+	routeRules        RouteRules
+	decoders          sync.Pool
+	wgIface           common.IFaceMapper
+	nativeFirewall    firewall.Manager
 
 	mutex sync.RWMutex
 
@@ -186,6 +185,7 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		},
 		nativeFirewall:      nativeFirewall,
 		outgoingRules:       make(map[netip.Addr]RuleSet),
+		incomingDenyRules:   make(map[netip.Addr]RuleSet),
 		incomingRules:       make(map[netip.Addr]RuleSet),
 		wgIface:             iface,
 		localipmanager:      newLocalIPManager(),
@@ -417,10 +417,17 @@ func (m *Manager) AddPeerFiltering(
 	}
 
 	m.mutex.Lock()
-	if _, ok := m.incomingRules[r.ip]; !ok {
-		m.incomingRules[r.ip] = make(RuleSet)
+	var targetMap map[netip.Addr]RuleSet
+	if r.drop {
+		targetMap = m.incomingDenyRules
+	} else {
+		targetMap = m.incomingRules
 	}
-	m.incomingRules[r.ip][r.id] = r
+
+	if _, ok := targetMap[r.ip]; !ok {
+		targetMap[r.ip] = make(RuleSet)
+	}
+	targetMap[r.ip][r.id] = r
 	m.mutex.Unlock()
 	return []firewall.Rule{&r}, nil
 }
@@ -507,10 +514,24 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("delete rule: invalid rule type: %T", rule)
 	}
 
-	if _, ok := m.incomingRules[r.ip][r.id]; !ok {
+	var sourceMap map[netip.Addr]RuleSet
+	if r.drop {
+		sourceMap = m.incomingDenyRules
+	} else {
+		sourceMap = m.incomingRules
+	}
+
+	if ruleset, ok := sourceMap[r.ip]; ok {
+		if _, exists := ruleset[r.id]; !exists {
+			return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
+		}
+		delete(ruleset, r.id)
+		if len(ruleset) == 0 {
+			delete(sourceMap, r.ip)
+		}
+	} else {
 		return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
 	}
-	delete(m.incomingRules[r.ip], r.id)
 
 	return nil
 }
@@ -572,7 +593,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }
 
-// FilterOutBound filters outgoing packets
+// FilterOutbound filters outgoing packets
 func (m *Manager) FilterOutbound(packetData []byte, size int) bool {
 	return m.filterOutbound(packetData, size)
 }
@@ -761,7 +782,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 // handleLocalTraffic handles local traffic.
 // If it returns true, the packet should be dropped.
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
-	ruleID, blocked := m.peerACLsBlock(srcIP, packetData, m.incomingRules, d)
+	ruleID, blocked := m.peerACLsBlock(srcIP, d, packetData)
 	if blocked {
 		_, pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)
@@ -971,26 +992,28 @@ func (m *Manager) isSpecialICMP(d *decoder) bool {
 		icmpType == layers.ICMPv4TypeTimeExceeded
 }
 
-func (m *Manager) peerACLsBlock(srcIP netip.Addr, packetData []byte, rules map[netip.Addr]RuleSet, d *decoder) ([]byte, bool) {
+func (m *Manager) peerACLsBlock(srcIP netip.Addr, d *decoder, packetData []byte) ([]byte, bool) {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()
+
 	if m.isSpecialICMP(d) {
 		return nil, false
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[srcIP], d); ok {
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingDenyRules[srcIP], d); ok {
 		return mgmtId, filter
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[netip.IPv4Unspecified()], d); ok {
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[srcIP], d); ok {
+		return mgmtId, filter
+	}
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[netip.IPv4Unspecified()], d); ok {
+		return mgmtId, filter
+	}
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[netip.IPv6Unspecified()], d); ok {
 		return mgmtId, filter
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[netip.IPv6Unspecified()], d); ok {
-		return mgmtId, filter
-	}
-
-	// Default policy: DROP ALL
 	return nil, true
 }
 
@@ -1013,6 +1036,7 @@ func portsMatch(rulePort *firewall.Port, packetPort uint16) bool {
 
 func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d *decoder) ([]byte, bool, bool) {
 	payloadLayer := d.decoded[1]
+
 	for _, rule := range rules {
 		if rule.matchByIP && ip.Compare(rule.ip) != 0 {
 			continue
@@ -1045,6 +1069,7 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 			return rule.mgmtId, rule.drop, true
 		}
 	}
+
 	return nil, false, false
 }
 
@@ -1116,6 +1141,7 @@ func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook fu
 
 	m.mutex.Lock()
 	if in {
+		// Incoming UDP hooks are stored in allow rules map
 		if _, ok := m.incomingRules[r.ip]; !ok {
 			m.incomingRules[r.ip] = make(map[string]PeerRule)
 		}
@@ -1136,6 +1162,7 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	// Check incoming hooks (stored in allow rules)
 	for _, arr := range m.incomingRules {
 		for _, r := range arr {
 			if r.id == hookID {
@@ -1144,6 +1171,7 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 			}
 		}
 	}
+	// Check outgoing hooks
 	for _, arr := range m.outgoingRules {
 		for _, r := range arr {
 			if r.id == hookID {

client/firewall/uspfilter/filter_filter_test.go

@@ -458,6 +458,31 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
+		{
+			name:            "Peer ACL - Drop rule should override accept all rule",
+			srcIP:           "100.10.0.1",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         22,
+			ruleIP:          "100.10.0.1",
+			ruleProto:       fw.ProtocolTCP,
+			ruleDstPort:     &fw.Port{Values: []uint16{22}},
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
+		{
+			name:            "Peer ACL - Drop all traffic from specific IP",
+			srcIP:           "100.10.0.99",
+			dstIP:           "100.10.0.100",
+			proto:           fw.ProtocolTCP,
+			srcPort:         12345,
+			dstPort:         80,
+			ruleIP:          "100.10.0.99",
+			ruleProto:       fw.ProtocolALL,
+			ruleAction:      fw.ActionDrop,
+			shouldBeBlocked: true,
+		},
 	}
 
 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
@@ -468,13 +493,11 @@ func TestPeerACLFiltering(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-
 			if tc.ruleAction == fw.ActionDrop {
-				// add general accept rule to test drop rule
-				// TODO: this only works because 0.0.0.0 is tested last, we need to implement order
+				// add general accept rule for the same IP to test drop rule precedence
 				rules, err := manager.AddPeerFiltering(
 					nil,
-					net.ParseIP("0.0.0.0"),
+					net.ParseIP(tc.ruleIP),
 					fw.ProtocolALL,
 					nil,
 					nil,

client/firewall/uspfilter/filter_test.go

@@ -136,9 +136,22 @@ func TestManagerDeleteRule(t *testing.T) {
 		return
 	}
 
+	// Check rules exist in appropriate maps
 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip][r.ID()]; !ok {
-			t.Errorf("rule2 is not in the incomingRules")
+		peerRule, ok := r.(*PeerRule)
+		if !ok {
+			t.Errorf("rule should be a PeerRule")
+			continue
+		}
+		// Check if rule exists in deny or allow maps based on action
+		var found bool
+		if peerRule.drop {
+			_, found = m.incomingDenyRules[ip][r.ID()]
+		} else {
+			_, found = m.incomingRules[ip][r.ID()]
+		}
+		if !found {
+			t.Errorf("rule2 is not in the expected rules map")
 		}
 	}
 
@@ -150,9 +163,22 @@ func TestManagerDeleteRule(t *testing.T) {
 		}
 	}
 
+	// Check rules are removed from appropriate maps
 	for _, r := range rule2 {
-		if _, ok := m.incomingRules[ip][r.ID()]; ok {
-			t.Errorf("rule2 is not in the incomingRules")
+		peerRule, ok := r.(*PeerRule)
+		if !ok {
+			t.Errorf("rule should be a PeerRule")
+			continue
+		}
+		// Check if rule is removed from deny or allow maps based on action
+		var found bool
+		if peerRule.drop {
+			_, found = m.incomingDenyRules[ip][r.ID()]
+		} else {
+			_, found = m.incomingRules[ip][r.ID()]
+		}
+		if found {
+			t.Errorf("rule2 should be removed from the rules map")
 		}
 	}
 }
@@ -196,16 +222,17 @@ func TestAddUDPPacketHook(t *testing.T) {
 
 			var addedRule PeerRule
 			if tt.in {
+				// Incoming UDP hooks are stored in allow rules map
 				if len(manager.incomingRules[tt.ip]) != 1 {
-					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules))
+					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.incomingRules[tt.ip] {
 					addedRule = rule
 				}
 			} else {
-				if len(manager.outgoingRules) != 1 {
-					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules))
+				if len(manager.outgoingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
 					return
 				}
 				for _, rule := range manager.outgoingRules[tt.ip] {
@@ -261,8 +288,8 @@ func TestManagerReset(t *testing.T) {
 		return
 	}
 
-	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 {
-		t.Errorf("rules is not empty")
+	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 || len(m.incomingDenyRules) != 0 {
+		t.Errorf("rules are not empty")
 	}
 }
 

client/firewall/uspfilter/tracer.go

@@ -314,7 +314,7 @@ func (m *Manager) buildConntrackStateMessage(d *decoder) string {
 func (m *Manager) handleLocalDelivery(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	trace.AddResult(StageRouting, "Packet destined for local delivery", true)
 
-	ruleId, blocked := m.peerACLsBlock(srcIP, packetData, m.incomingRules, d)
+	ruleId, blocked := m.peerACLsBlock(srcIP, d, packetData)
 
 	strRuleId := "<no id>"
 	if ruleId != nil {

client/internal/auth/device_flow_test.go

@@ -3,15 +3,17 @@ package auth
 import (
 	"context"
 	"fmt"
-	"github.com/golang-jwt/jwt"
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/stretchr/testify/require"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal"
 )
 
 type mockHTTPClient struct {

client/internal/connect.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -70,7 +71,7 @@ func (c *ConnectClient) RunOnAndroid(
 	tunAdapter device.TunAdapter,
 	iFaceDiscover stdnet.ExternalIFaceDiscover,
 	networkChangeListener listener.NetworkChangeListener,
-	dnsAddresses []string,
+	dnsAddresses []netip.AddrPort,
 	dnsReadyListener dns.ReadyListener,
 ) error {
 	// in case of non Android os these variables will be nil

client/internal/dns/file_parser_unix.go

@@ -16,7 +16,7 @@ const (
 )
 
 type resolvConf struct {
-	nameServers   []string
+	nameServers   []netip.Addr
 	searchDomains []string
 	others        []string
 }
@@ -36,7 +36,7 @@ func parseBackupResolvConf() (*resolvConf, error) {
 func parseResolvConfFile(resolvConfFile string) (*resolvConf, error) {
 	rconf := &resolvConf{
 		searchDomains: make([]string, 0),
-		nameServers:   make([]string, 0),
+		nameServers:   make([]netip.Addr, 0),
 		others:        make([]string, 0),
 	}
 
@@ -94,7 +94,11 @@ func parseResolvConfFile(resolvConfFile string) (*resolvConf, error) {
 			if len(splitLines) != 2 {
 				continue
 			}
-			rconf.nameServers = append(rconf.nameServers, splitLines[1])
+			if addr, err := netip.ParseAddr(splitLines[1]); err == nil {
+				rconf.nameServers = append(rconf.nameServers, addr.Unmap())
+			} else {
+				log.Warnf("invalid nameserver address in resolv.conf: %s, skipping", splitLines[1])
+			}
 			continue
 		}
 
@@ -104,31 +108,3 @@ func parseResolvConfFile(resolvConfFile string) (*resolvConf, error) {
 	}
 	return rconf, nil
 }
-
-// removeFirstNbNameserver removes the given nameserver from the given file if it is in the first position
-// and writes the file back to the original location
-func removeFirstNbNameserver(filename string, nameserverIP netip.Addr) error {
-	resolvConf, err := parseResolvConfFile(filename)
-	if err != nil {
-		return fmt.Errorf("parse backup resolv.conf: %w", err)
-	}
-	content, err := os.ReadFile(filename)
-	if err != nil {
-		return fmt.Errorf("read %s: %w", filename, err)
-	}
-
-	if len(resolvConf.nameServers) > 1 && resolvConf.nameServers[0] == nameserverIP.String() {
-		newContent := strings.Replace(string(content), fmt.Sprintf("nameserver %s\n", nameserverIP), "", 1)
-
-		stat, err := os.Stat(filename)
-		if err != nil {
-			return fmt.Errorf("stat %s: %w", filename, err)
-		}
-		if err := os.WriteFile(filename, []byte(newContent), stat.Mode()); err != nil {
-			return fmt.Errorf("write %s: %w", filename, err)
-		}
-
-	}
-
-	return nil
-}

client/internal/dns/file_parser_unix_test.go

@@ -3,13 +3,9 @@
 package dns
 
 import (
-	"net/netip"
 	"os"
 	"path/filepath"
 	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 )
 
 func Test_parseResolvConf(t *testing.T) {
@@ -99,9 +95,13 @@ options debug
 				t.Errorf("invalid parse result for search domains, expected: %v, got: %v", testCase.expectedSearch, cfg.searchDomains)
 			}
 
-			ok = compareLists(cfg.nameServers, testCase.expectedNS)
+			nsStrings := make([]string, len(cfg.nameServers))
+			for i, ns := range cfg.nameServers {
+				nsStrings[i] = ns.String()
+			}
+			ok = compareLists(nsStrings, testCase.expectedNS)
 			if !ok {
-				t.Errorf("invalid parse result for ns domains, expected: %v, got: %v", testCase.expectedNS, cfg.nameServers)
+				t.Errorf("invalid parse result for ns domains, expected: %v, got: %v", testCase.expectedNS, nsStrings)
 			}
 
 			ok = compareLists(cfg.others, testCase.expectedOther)
@@ -176,87 +176,3 @@ nameserver 192.168.0.1
 		t.Errorf("unexpected resolv.conf content: %v", cfg)
 	}
 }
-
-func TestRemoveFirstNbNameserver(t *testing.T) {
-	testCases := []struct {
-		name       string
-		content    string
-		ipToRemove string
-		expected   string
-	}{
-		{
-			name: "Unrelated nameservers with comments and options",
-			content: `# This is a comment
-options rotate
-nameserver 1.1.1.1
-# Another comment
-nameserver 8.8.4.4
-search example.com`,
-			ipToRemove: "9.9.9.9",
-			expected: `# This is a comment
-options rotate
-nameserver 1.1.1.1
-# Another comment
-nameserver 8.8.4.4
-search example.com`,
-		},
-		{
-			name: "First nameserver matches",
-			content: `search example.com
-nameserver 9.9.9.9
-# oof, a comment
-nameserver 8.8.4.4
-options attempts:5`,
-			ipToRemove: "9.9.9.9",
-			expected: `search example.com
-# oof, a comment
-nameserver 8.8.4.4
-options attempts:5`,
-		},
-		{
-			name: "Target IP not the first nameserver",
-			// nolint:dupword
-			content: `# Comment about the first nameserver
-nameserver 8.8.4.4
-# Comment before our target
-nameserver 9.9.9.9
-options timeout:2`,
-			ipToRemove: "9.9.9.9",
-			// nolint:dupword
-			expected: `# Comment about the first nameserver
-nameserver 8.8.4.4
-# Comment before our target
-nameserver 9.9.9.9
-options timeout:2`,
-		},
-		{
-			name: "Only nameserver matches",
-			content: `options debug
-nameserver 9.9.9.9
-search localdomain`,
-			ipToRemove: "9.9.9.9",
-			expected: `options debug
-nameserver 9.9.9.9
-search localdomain`,
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			tempDir := t.TempDir()
-			tempFile := filepath.Join(tempDir, "resolv.conf")
-			err := os.WriteFile(tempFile, []byte(tc.content), 0644)
-			assert.NoError(t, err)
-
-			ip, err := netip.ParseAddr(tc.ipToRemove)
-			require.NoError(t, err, "Failed to parse IP address")
-			err = removeFirstNbNameserver(tempFile, ip)
-			assert.NoError(t, err)
-
-			content, err := os.ReadFile(tempFile)
-			assert.NoError(t, err)
-
-			assert.Equal(t, tc.expected, string(content), "The resulting content should match the expected output.")
-		})
-	}
-}

client/internal/dns/file_repair_unix.go

@@ -146,7 +146,7 @@ func isNbParamsMissing(nbSearchDomains []string, nbNameserverIP netip.Addr, rCon
 		return true
 	}
 
-	if rConf.nameServers[0] != nbNameserverIP.String() {
+	if rConf.nameServers[0] != nbNameserverIP {
 		return true
 	}
 

client/internal/dns/file_unix.go

@@ -29,7 +29,7 @@ type fileConfigurator struct {
 	repair              *repair
 	originalPerms       os.FileMode
 	nbNameserverIP      netip.Addr
-	originalNameservers []string
+	originalNameservers []netip.Addr
 }
 
 func newFileConfigurator() (*fileConfigurator, error) {
@@ -70,7 +70,7 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *st
 }
 
 // getOriginalNameservers returns the nameservers that were found in the original resolv.conf
-func (f *fileConfigurator) getOriginalNameservers() []string {
+func (f *fileConfigurator) getOriginalNameservers() []netip.Addr {
 	return f.originalNameservers
 }
 
@@ -128,20 +128,14 @@ func (f *fileConfigurator) backup() error {
 }
 
 func (f *fileConfigurator) restore() error {
-	err := removeFirstNbNameserver(fileDefaultResolvConfBackupLocation, f.nbNameserverIP)
-	if err != nil {
-		log.Errorf("Failed to remove netbird nameserver from %s on backup restore: %s", fileDefaultResolvConfBackupLocation, err)
-	}
-
-	err = copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
-	if err != nil {
+	if err := copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath); err != nil {
 		return fmt.Errorf("restoring %s from %s: %w", defaultResolvConfPath, fileDefaultResolvConfBackupLocation, err)
 	}
 
 	return os.RemoveAll(fileDefaultResolvConfBackupLocation)
 }
 
-func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Addr) error {
+func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress netip.Addr) error {
 	resolvConf, err := parseDefaultResolvConf()
 	if err != nil {
 		return fmt.Errorf("parse current resolv.conf: %w", err)
@@ -152,16 +146,9 @@ func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Add
 		return restoreResolvConfFile()
 	}
 
-	currentDNSAddress, err := netip.ParseAddr(resolvConf.nameServers[0])
-	// not a valid first nameserver -> restore
-	if err != nil {
-		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[0], err)
-		return restoreResolvConfFile()
-	}
-
 	// current address is still netbird's non-available dns address -> restore
-	// comparing parsed addresses only, to remove ambiguity
-	if currentDNSAddress.String() == storedDNSAddress.String() {
+	currentDNSAddress := resolvConf.nameServers[0]
+	if currentDNSAddress == storedDNSAddress {
 		return restoreResolvConfFile()
 	}
 

client/internal/dns/host_darwin.go

@@ -239,7 +239,7 @@ func (s *systemConfigurator) getSystemDNSSettings() (SystemDNSSettings, error) {
 		} else if inServerAddressesArray {
 			address := strings.Split(line, " : ")[1]
 			if ip, err := netip.ParseAddr(address); err == nil && ip.Is4() {
-				dnsSettings.ServerIP = ip
+				dnsSettings.ServerIP = ip.Unmap()
 				inServerAddressesArray = false // Stop reading after finding the first IPv4 address
 			}
 		}
@@ -250,7 +250,7 @@ func (s *systemConfigurator) getSystemDNSSettings() (SystemDNSSettings, error) {
 	}
 
 	// default to 53 port
-	dnsSettings.ServerPort = defaultPort
+	dnsSettings.ServerPort = DefaultPort
 
 	return dnsSettings, nil
 }

client/internal/dns/host_unix.go

@@ -42,7 +42,7 @@ func (t osManagerType) String() string {
 
 type restoreHostManager interface {
 	hostManager
-	restoreUncleanShutdownDNS(*netip.Addr) error
+	restoreUncleanShutdownDNS(netip.Addr) error
 }
 
 func newHostManager(wgInterface string) (hostManager, error) {
@@ -130,8 +130,9 @@ func checkStub() bool {
 		return true
 	}
 
+	systemdResolvedAddr := netip.AddrFrom4([4]byte{127, 0, 0, 53}) // 127.0.0.53
 	for _, ns := range rConf.nameServers {
-		if ns == "127.0.0.53" {
+		if ns == systemdResolvedAddr {
 			return true
 		}
 	}

client/internal/dns/host_windows.go

@@ -64,9 +64,10 @@ const (
 )
 
 type registryConfigurator struct {
-	guid       string
-	routingAll bool
-	gpo        bool
+	guid           string
+	routingAll     bool
+	gpo            bool
+	nrptEntryCount int
 }
 
 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -76,13 +77,25 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}
 
 	var useGPO bool
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, gpoDnsPolicyRoot, registry.QUERY_VALUE)
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, gpoDnsPolicyRoot, registry.QUERY_VALUE|registry.ENUMERATE_SUB_KEYS)
 	if err != nil {
 		log.Debugf("failed to open GPO DNS policy root: %v", err)
 	} else {
-		closer(k)
-		useGPO = true
-		log.Infof("detected GPO DNS policy configuration, using policy store")
+		// Check if the key is empty (no subkeys and no values). If empty, remove it
+		subKeys, skErr := k.ReadSubKeyNames(-1)
+		valueNames, vnErr := k.ReadValueNames(-1)
+		if skErr == nil && vnErr == nil && len(subKeys) == 0 && len(valueNames) == 0 {
+			closer(k)
+			if delErr := registry.DeleteKey(registry.LOCAL_MACHINE, gpoDnsPolicyRoot); delErr != nil {
+				log.Warnf("failed to delete empty GPO DNS policy root %s: %v", gpoDnsPolicyRoot, delErr)
+			} else {
+				log.Infof("deleted empty GPO DNS policy root %s; continuing with local DNS policy store", gpoDnsPolicyRoot)
+			}
+		} else {
+			closer(k)
+			useGPO = true
+			log.Infof("detected GPO DNS policy configuration, using policy store")
+		}
 	}
 
 	configurator := &registryConfigurator{
@@ -177,7 +190,11 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}
 
-	if err := stateManager.UpdateState(&ShutdownState{Guid: r.guid, GPO: r.gpo}); err != nil {
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
 		log.Errorf("failed to update shutdown state: %s", err)
 	}
 
@@ -193,13 +210,24 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	}
 
 	if len(matchDomains) != 0 {
-		if err := r.addDNSMatchPolicy(matchDomains, config.ServerIP); err != nil {
+		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
+		if err != nil {
 			return fmt.Errorf("add dns match policy: %w", err)
 		}
+		r.nrptEntryCount = count
 	} else {
 		if err := r.removeDNSMatchPolicies(); err != nil {
 			return fmt.Errorf("remove dns match policies: %w", err)
 		}
+		r.nrptEntryCount = 0
+	}
+
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
 	}
 
 	if err := r.updateSearchDomains(searchDomains); err != nil {
@@ -216,32 +244,38 @@ func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 		return fmt.Errorf("adding dns setup for all failed: %w", err)
 	}
 	r.routingAll = true
-	log.Infof("configured %s:53 as main DNS forwarder for this peer", ip)
+	log.Infof("configured %s:%d as main DNS forwarder for this peer", ip, DefaultPort)
 	return nil
 }
 
-func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) error {
+func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr) (int, error) {
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
-	if r.gpo {
-		if err := r.configureDNSPolicy(gpoDnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure GPO DNS policy: %w", err)
+	for i, domain := range domains {
+		policyPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		if r.gpo {
+			policyPath = fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
 		}
 
+		singleDomain := []string{domain}
+
+		if err := r.configureDNSPolicy(policyPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS policy for domain %s: %w", domain, err)
+		}
+
+		log.Debugf("added NRPT entry for domain: %s", domain)
+	}
+
+	if r.gpo {
 		if err := refreshGroupPolicy(); err != nil {
 			log.Warnf("failed to refresh group policy: %v", err)
 		}
-	} else {
-		if err := r.configureDNSPolicy(dnsPolicyConfigMatchPath, domains, ip); err != nil {
-			return fmt.Errorf("configure local DNS policy: %w", err)
-		}
 	}
 
-	log.Infof("added %d match domains. Domain list: %s", len(domains), domains)
-	return nil
+	log.Infof("added %d separate NRPT entries. Domain list: %s", len(domains), domains)
+	return len(domains), nil
 }
 
-// configureDNSPolicy handles the actual configuration of a DNS policy at the specified path
 func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []string, ip netip.Addr) error {
 	if err := removeRegistryKeyFromDNSPolicyConfig(policyPath); err != nil {
 		return fmt.Errorf("remove existing dns policy: %w", err)
@@ -374,12 +408,25 @@ func (r *registryConfigurator) restoreHostDNS() error {
 
 func (r *registryConfigurator) removeDNSMatchPolicies() error {
 	var merr *multierror.Error
+
+	// Try to remove the base entries (for backward compatibility)
 	if err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove local registry key: %w", err))
+		merr = multierror.Append(merr, fmt.Errorf("remove local base entry: %w", err))
+	}
+	if err := removeRegistryKeyFromDNSPolicyConfig(gpoDnsPolicyConfigMatchPath); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove GPO base entry: %w", err))
 	}
 
-	if err := removeRegistryKeyFromDNSPolicyConfig(gpoDnsPolicyConfigMatchPath); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove GPO registry key: %w", err))
+	for i := 0; i < r.nrptEntryCount; i++ {
+		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+
+		if err := removeRegistryKeyFromDNSPolicyConfig(localPath); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove local entry %d: %w", i, err))
+		}
+		if err := removeRegistryKeyFromDNSPolicyConfig(gpoPath); err != nil {
+			merr = multierror.Append(merr, fmt.Errorf("remove GPO entry %d: %w", i, err))
+		}
 	}
 
 	if err := refreshGroupPolicy(); err != nil {

client/internal/dns/hosts_dns_holder.go

@@ -1,38 +1,31 @@
 package dns
 
 import (
-	"fmt"
 	"net/netip"
 	"sync"
-
-	log "github.com/sirupsen/logrus"
 )
 
 type hostsDNSHolder struct {
-	unprotectedDNSList map[string]struct{}
+	unprotectedDNSList map[netip.AddrPort]struct{}
 	mutex              sync.RWMutex
 }
 
 func newHostsDNSHolder() *hostsDNSHolder {
 	return &hostsDNSHolder{
-		unprotectedDNSList: make(map[string]struct{}),
+		unprotectedDNSList: make(map[netip.AddrPort]struct{}),
 	}
 }
 
-func (h *hostsDNSHolder) set(list []string) {
+func (h *hostsDNSHolder) set(list []netip.AddrPort) {
 	h.mutex.Lock()
-	h.unprotectedDNSList = make(map[string]struct{})
-	for _, dns := range list {
-		dnsAddr, err := h.normalizeAddress(dns)
-		if err != nil {
-			continue
-		}
-		h.unprotectedDNSList[dnsAddr] = struct{}{}
+	h.unprotectedDNSList = make(map[netip.AddrPort]struct{})
+	for _, addrPort := range list {
+		h.unprotectedDNSList[addrPort] = struct{}{}
 	}
 	h.mutex.Unlock()
 }
 
-func (h *hostsDNSHolder) get() map[string]struct{} {
+func (h *hostsDNSHolder) get() map[netip.AddrPort]struct{} {
 	h.mutex.RLock()
 	l := h.unprotectedDNSList
 	h.mutex.RUnlock()
@@ -40,24 +33,10 @@ func (h *hostsDNSHolder) get() map[string]struct{} {
 }
 
 //nolint:unused
-func (h *hostsDNSHolder) isContain(upstream string) bool {
+func (h *hostsDNSHolder) contains(upstream netip.AddrPort) bool {
 	h.mutex.RLock()
 	defer h.mutex.RUnlock()
 
 	_, ok := h.unprotectedDNSList[upstream]
 	return ok
 }
-
-func (h *hostsDNSHolder) normalizeAddress(addr string) (string, error) {
-	a, err := netip.ParseAddr(addr)
-	if err != nil {
-		log.Errorf("invalid upstream IP address: %s, error: %s", addr, err)
-		return "", err
-	}
-
-	if a.Is4() {
-		return fmt.Sprintf("%s:53", addr), nil
-	} else {
-		return fmt.Sprintf("[%s]:53", addr), nil
-	}
-}

client/internal/dns/mock_server.go

@@ -50,7 +50,7 @@ func (m *MockServer) DnsIP() netip.Addr {
 	return netip.MustParseAddr("100.10.254.255")
 }
 
-func (m *MockServer) OnUpdatedHostDNSServer(strings []string) {
+func (m *MockServer) OnUpdatedHostDNSServer(addrs []netip.AddrPort) {
 	// TODO implement me
 	panic("implement me")
 }

client/internal/dns/network_manager_unix.go

@@ -245,7 +245,7 @@ func (n *networkManagerDbusConfigurator) deleteConnectionSettings() error {
 	return nil
 }
 
-func (n *networkManagerDbusConfigurator) restoreUncleanShutdownDNS(*netip.Addr) error {
+func (n *networkManagerDbusConfigurator) restoreUncleanShutdownDNS(netip.Addr) error {
 	if err := n.restoreHostDNS(); err != nil {
 		return fmt.Errorf("restoring dns via network-manager: %w", err)
 	}

client/internal/dns/resolvconf_unix.go

@@ -40,7 +40,7 @@ type resolvconf struct {
 	implType  resolvconfType
 
 	originalSearchDomains []string
-	originalNameServers   []string
+	originalNameServers   []netip.Addr
 	othersConfigs         []string
 }
 
@@ -110,7 +110,7 @@ func (r *resolvconf) applyDNSConfig(config HostDNSConfig, stateManager *stateman
 	return nil
 }
 
-func (r *resolvconf) getOriginalNameservers() []string {
+func (r *resolvconf) getOriginalNameservers() []netip.Addr {
 	return r.originalNameServers
 }
 
@@ -158,7 +158,7 @@ func (r *resolvconf) applyConfig(content bytes.Buffer) error {
 	return nil
 }
 
-func (r *resolvconf) restoreUncleanShutdownDNS(*netip.Addr) error {
+func (r *resolvconf) restoreUncleanShutdownDNS(netip.Addr) error {
 	if err := r.restoreHostDNS(); err != nil {
 		return fmt.Errorf("restoring dns for interface %s: %w", r.ifaceName, err)
 	}

client/internal/dns/server.go

@@ -42,7 +42,7 @@ type Server interface {
 	Stop()
 	DnsIP() netip.Addr
 	UpdateDNSServer(serial uint64, update nbdns.Config) error
-	OnUpdatedHostDNSServer(strings []string)
+	OnUpdatedHostDNSServer(addrs []netip.AddrPort)
 	SearchDomains() []string
 	ProbeAvailability()
 }
@@ -55,7 +55,7 @@ type nsGroupsByDomain struct {
 // hostManagerWithOriginalNS extends the basic hostManager interface
 type hostManagerWithOriginalNS interface {
 	hostManager
-	getOriginalNameservers() []string
+	getOriginalNameservers() []netip.Addr
 }
 
 // DefaultServer dns server object
@@ -136,7 +136,7 @@ func NewDefaultServer(
 func NewDefaultServerPermanentUpstream(
 	ctx context.Context,
 	wgInterface WGIface,
-	hostsDnsList []string,
+	hostsDnsList []netip.AddrPort,
 	config nbdns.Config,
 	listener listener.NetworkChangeListener,
 	statusRecorder *peer.Status,
@@ -144,6 +144,7 @@ func NewDefaultServerPermanentUpstream(
 ) *DefaultServer {
 	log.Debugf("host dns address list is: %v", hostsDnsList)
 	ds := newDefaultServer(ctx, wgInterface, NewServiceViaMemory(wgInterface), statusRecorder, nil, disableSys)
+
 	ds.hostsDNSHolder.set(hostsDnsList)
 	ds.permanent = true
 	ds.addHostRootZone()
@@ -340,7 +341,7 @@ func (s *DefaultServer) disableDNS() error {
 
 // OnUpdatedHostDNSServer update the DNS servers addresses for root zones
 // It will be applied if the mgm server do not enforce DNS settings for root zone
-func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []string) {
+func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []netip.AddrPort) {
 	s.hostsDNSHolder.set(hostsDnsList)
 
 	// Check if there's any root handler
@@ -461,7 +462,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 
 	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
 
-	if s.service.RuntimePort() != defaultPort && !s.hostManager.supportCustomPort() {
+	if s.service.RuntimePort() != DefaultPort && !s.hostManager.supportCustomPort() {
 		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
 			"Learn more at: https://docs.netbird.io/how-to/manage-dns-in-your-network#local-resolver")
 		s.currentConfig.RouteAll = false
@@ -581,14 +582,13 @@ func (s *DefaultServer) registerFallback(config HostDNSConfig) {
 	}
 
 	for _, ns := range originalNameservers {
-		if ns == config.ServerIP.String() {
+		if ns == config.ServerIP {
 			log.Debugf("skipping original nameserver %s as it is the same as the server IP %s", ns, config.ServerIP)
 			continue
 		}
 
-		ns = formatAddr(ns, defaultPort)
-
-		handler.upstreamServers = append(handler.upstreamServers, ns)
+		addrPort := netip.AddrPortFrom(ns, DefaultPort)
+		handler.upstreamServers = append(handler.upstreamServers, addrPort)
 	}
 	handler.deactivate = func(error) { /* always active */ }
 	handler.reactivate = func() { /* always active */ }
@@ -695,7 +695,13 @@ func (s *DefaultServer) createHandlersForDomainGroup(domainGroup nsGroupsByDomai
 					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
 				continue
 			}
-			handler.upstreamServers = append(handler.upstreamServers, getNSHostPort(ns))
+
+			if ns.IP == s.service.RuntimeIP() {
+				log.Warnf("skipping nameserver %s as it matches our DNS server IP, preventing potential loop", ns.IP)
+				continue
+			}
+
+			handler.upstreamServers = append(handler.upstreamServers, ns.AddrPort())
 		}
 
 		if len(handler.upstreamServers) == 0 {
@@ -770,18 +776,6 @@ func (s *DefaultServer) updateMux(muxUpdates []handlerWrapper) {
 	s.dnsMuxMap = muxUpdateMap
 }
 
-func getNSHostPort(ns nbdns.NameServer) string {
-	return formatAddr(ns.IP.String(), ns.Port)
-}
-
-// formatAddr formats a nameserver address with port, handling IPv6 addresses properly
-func formatAddr(address string, port int) string {
-	if ip, err := netip.ParseAddr(address); err == nil && ip.Is6() {
-		return fmt.Sprintf("[%s]:%d", address, port)
-	}
-	return fmt.Sprintf("%s:%d", address, port)
-}
-
 // upstreamCallbacks returns two functions, the first one is used to deactivate
 // the upstream resolver from the configuration, the second one is used to
 // reactivate it. Not allowed to call reactivate before deactivate.
@@ -879,10 +873,7 @@ func (s *DefaultServer) addHostRootZone() {
 		return
 	}
 
-	handler.upstreamServers = make([]string, 0)
-	for k := range hostDNSServers {
-		handler.upstreamServers = append(handler.upstreamServers, k)
-	}
+	handler.upstreamServers = maps.Keys(hostDNSServers)
 	handler.deactivate = func(error) {}
 	handler.reactivate = func() {}
 
@@ -893,9 +884,9 @@ func (s *DefaultServer) updateNSGroupStates(groups []*nbdns.NameServerGroup) {
 	var states []peer.NSGroupState
 
 	for _, group := range groups {
-		var servers []string
+		var servers []netip.AddrPort
 		for _, ns := range group.NameServers {
-			servers = append(servers, fmt.Sprintf("%s:%d", ns.IP, ns.Port))
+			servers = append(servers, ns.AddrPort())
 		}
 
 		state := peer.NSGroupState{
@@ -927,7 +918,7 @@ func (s *DefaultServer) updateNSState(nsGroup *nbdns.NameServerGroup, err error,
 func generateGroupKey(nsGroup *nbdns.NameServerGroup) string {
 	var servers []string
 	for _, ns := range nsGroup.NameServers {
-		servers = append(servers, fmt.Sprintf("%s:%d", ns.IP, ns.Port))
+		servers = append(servers, ns.AddrPort().String())
 	}
 	return fmt.Sprintf("%v_%v", servers, nsGroup.Domains)
 }

client/internal/dns/server_test.go

@@ -97,9 +97,9 @@ func init() {
 }
 
 func generateDummyHandler(domain string, servers []nbdns.NameServer) *upstreamResolverBase {
-	var srvs []string
+	var srvs []netip.AddrPort
 	for _, srv := range servers {
-		srvs = append(srvs, getNSHostPort(srv))
+		srvs = append(srvs, srv.AddrPort())
 	}
 	return &upstreamResolverBase{
 		domain:          domain,
@@ -705,7 +705,7 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 	}
 	defer wgIFace.Close()
 
-	var dnsList []string
+	var dnsList []netip.AddrPort
 	dnsConfig := nbdns.Config{}
 	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList, dnsConfig, nil, peer.NewRecorder("mgm"), false)
 	err = dnsServer.Initialize()
@@ -715,7 +715,8 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 	}
 	defer dnsServer.Stop()
 
-	dnsServer.OnUpdatedHostDNSServer([]string{"8.8.8.8"})
+	addrPort := netip.MustParseAddrPort("8.8.8.8:53")
+	dnsServer.OnUpdatedHostDNSServer([]netip.AddrPort{addrPort})
 
 	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
 	_, err = resolver.LookupHost(context.Background(), "netbird.io")
@@ -731,7 +732,8 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 	}
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, peer.NewRecorder("mgm"), false)
+	addrPort := netip.MustParseAddrPort("8.8.8.8:53")
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []netip.AddrPort{addrPort}, dnsConfig, nil, peer.NewRecorder("mgm"), false)
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -823,7 +825,8 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	}
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, peer.NewRecorder("mgm"), false)
+	addrPort := netip.MustParseAddrPort("8.8.8.8:53")
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []netip.AddrPort{addrPort}, dnsConfig, nil, peer.NewRecorder("mgm"), false)
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -2054,55 +2057,123 @@ func TestLocalResolverPriorityConstants(t *testing.T) {
 	assert.Equal(t, "local.example.com", localMuxUpdates[0].domain)
 }
 
-func TestFormatAddr(t *testing.T) {
+func TestDNSLoopPrevention(t *testing.T) {
+	wgInterface := &mocWGIface{}
+	service := NewServiceViaMemory(wgInterface)
+	dnsServerIP := service.RuntimeIP()
+
+	server := &DefaultServer{
+		ctx:           context.Background(),
+		wgInterface:   wgInterface,
+		service:       service,
+		localResolver: local.NewResolver(),
+		handlerChain:  NewHandlerChain(),
+		hostManager:   &noopHostConfigurator{},
+		dnsMuxMap:     make(registeredHandlerMap),
+	}
+
 	tests := []struct {
-		name     string
-		address  string
-		port     int
-		expected string
+		name              string
+		nsGroups          []*nbdns.NameServerGroup
+		expectedHandlers  int
+		expectedServers   []netip.Addr
+		shouldFilterOwnIP bool
 	}{
 		{
-			name:     "IPv4 address",
-			address:  "8.8.8.8",
-			port:     53,
-			expected: "8.8.8.8:53",
+			name: "FilterOwnDNSServerIP",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: true,
+					NameServers: []nbdns.NameServer{
+						{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: netip.MustParseAddr("1.1.1.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+					},
+					Domains: []string{},
+				},
+			},
+			expectedHandlers:  1,
+			expectedServers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
+			shouldFilterOwnIP: true,
 		},
 		{
-			name:     "IPv4 address with custom port",
-			address:  "1.1.1.1",
-			port:     5353,
-			expected: "1.1.1.1:5353",
+			name: "AllServersFiltered",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: false,
+					NameServers: []nbdns.NameServer{
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53},
+					},
+					Domains: []string{"example.com"},
+				},
+			},
+			expectedHandlers:  0,
+			expectedServers:   []netip.Addr{},
+			shouldFilterOwnIP: true,
 		},
 		{
-			name:     "IPv6 address",
-			address:  "fd78:94bf:7df8::1",
-			port:     53,
-			expected: "[fd78:94bf:7df8::1]:53",
+			name: "MixedServersWithOwnIP",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: false,
+					NameServers: []nbdns.NameServer{
+						{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: netip.MustParseAddr("1.1.1.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: dnsServerIP, NSType: nbdns.UDPNameServerType, Port: 53}, // duplicate
+					},
+					Domains: []string{"test.com"},
+				},
+			},
+			expectedHandlers:  1,
+			expectedServers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
+			shouldFilterOwnIP: true,
 		},
 		{
-			name:     "IPv6 address with custom port",
-			address:  "2001:db8::1",
-			port:     5353,
-			expected: "[2001:db8::1]:5353",
-		},
-		{
-			name:     "IPv6 localhost",
-			address:  "::1",
-			port:     53,
-			expected: "[::1]:53",
-		},
-		{
-			name:     "Invalid address treated as hostname",
-			address:  "dns.example.com",
-			port:     53,
-			expected: "dns.example.com:53",
+			name: "NoOwnIPInList",
+			nsGroups: []*nbdns.NameServerGroup{
+				{
+					Primary: true,
+					NameServers: []nbdns.NameServer{
+						{IP: netip.MustParseAddr("8.8.8.8"), NSType: nbdns.UDPNameServerType, Port: 53},
+						{IP: netip.MustParseAddr("1.1.1.1"), NSType: nbdns.UDPNameServerType, Port: 53},
+					},
+					Domains: []string{},
+				},
+			},
+			expectedHandlers:  1,
+			expectedServers:   []netip.Addr{netip.MustParseAddr("8.8.8.8"), netip.MustParseAddr("1.1.1.1")},
+			shouldFilterOwnIP: false,
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			result := formatAddr(tt.address, tt.port)
-			assert.Equal(t, tt.expected, result)
+			muxUpdates, err := server.buildUpstreamHandlerUpdate(tt.nsGroups)
+			assert.NoError(t, err)
+			assert.Len(t, muxUpdates, tt.expectedHandlers)
+
+			if tt.expectedHandlers > 0 {
+				handler := muxUpdates[0].handler.(*upstreamResolver)
+				assert.Len(t, handler.upstreamServers, len(tt.expectedServers))
+
+				if tt.shouldFilterOwnIP {
+					for _, upstream := range handler.upstreamServers {
+						assert.NotEqual(t, dnsServerIP, upstream.Addr())
+					}
+				}
+
+				for _, expected := range tt.expectedServers {
+					found := false
+					for _, upstream := range handler.upstreamServers {
+						if upstream.Addr() == expected {
+							found = true
+							break
+						}
+					}
+					assert.True(t, found, "Expected server %s not found", expected)
+				}
+			}
 		})
 	}
 }

client/internal/dns/service.go

@@ -7,7 +7,7 @@ import (
 )
 
 const (
-	defaultPort = 53
+	DefaultPort = 53
 )
 
 type service interface {

client/internal/dns/service_listener.go

@@ -122,7 +122,7 @@ func (s *serviceViaListener) RuntimePort() int {
 	defer s.listenerFlagLock.Unlock()
 
 	if s.ebpfService != nil {
-		return defaultPort
+		return DefaultPort
 	} else {
 		return int(s.listenPort)
 	}
@@ -148,9 +148,9 @@ func (s *serviceViaListener) evalListenAddress() (netip.Addr, uint16, error) {
 		return s.customAddr.Addr(), s.customAddr.Port(), nil
 	}
 
-	ip, ok := s.testFreePort(defaultPort)
+	ip, ok := s.testFreePort(DefaultPort)
 	if ok {
-		return ip, defaultPort, nil
+		return ip, DefaultPort, nil
 	}
 
 	ebpfSrv, port, ok := s.tryToUseeBPF()

client/internal/dns/service_memory.go

@@ -33,7 +33,7 @@ func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
 		dnsMux:      dns.NewServeMux(),
 
 		runtimeIP:   lastIP,
-		runtimePort: defaultPort,
+		runtimePort: DefaultPort,
 	}
 	return s
 }

client/internal/dns/systemd_linux.go

@@ -235,7 +235,7 @@ func (s *systemdDbusConfigurator) callLinkMethod(method string, value any) error
 	return nil
 }
 
-func (s *systemdDbusConfigurator) restoreUncleanShutdownDNS(*netip.Addr) error {
+func (s *systemdDbusConfigurator) restoreUncleanShutdownDNS(netip.Addr) error {
 	if err := s.restoreHostDNS(); err != nil {
 		return fmt.Errorf("restoring dns via systemd: %w", err)
 	}

client/internal/dns/unclean_shutdown_unix.go

@@ -27,7 +27,7 @@ func (s *ShutdownState) Cleanup() error {
 		return fmt.Errorf("create previous host manager: %w", err)
 	}
 
-	if err := manager.restoreUncleanShutdownDNS(&s.DNSAddress); err != nil {
+	if err := manager.restoreUncleanShutdownDNS(s.DNSAddress); err != nil {
 		return fmt.Errorf("restore unclean shutdown dns: %w", err)
 	}
 

client/internal/dns/unclean_shutdown_windows.go

@@ -5,8 +5,9 @@ import (
 )
 
 type ShutdownState struct {
-	Guid string
-	GPO  bool
+	Guid           string
+	GPO            bool
+	NRPTEntryCount int
 }
 
 func (s *ShutdownState) Name() string {
@@ -15,8 +16,9 @@ func (s *ShutdownState) Name() string {
 
 func (s *ShutdownState) Cleanup() error {
 	manager := &registryConfigurator{
-		guid: s.Guid,
-		gpo:  s.GPO,
+		guid:           s.Guid,
+		gpo:            s.GPO,
+		nrptEntryCount: s.NRPTEntryCount,
 	}
 
 	if err := manager.restoreUncleanShutdownDNS(); err != nil {

client/internal/dns/upstream.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"net/netip"
 	"slices"
 	"strings"
 	"sync"
@@ -48,7 +49,7 @@ type upstreamResolverBase struct {
 	ctx              context.Context
 	cancel           context.CancelFunc
 	upstreamClient   upstreamClient
-	upstreamServers  []string
+	upstreamServers  []netip.AddrPort
 	domain           string
 	disabled         bool
 	failsCount       atomic.Int32
@@ -79,17 +80,20 @@ func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status, d
 
 // String returns a string representation of the upstream resolver
 func (u *upstreamResolverBase) String() string {
-	return fmt.Sprintf("upstream %v", u.upstreamServers)
+	return fmt.Sprintf("upstream %s", u.upstreamServers)
 }
 
 // ID returns the unique handler ID
 func (u *upstreamResolverBase) ID() types.HandlerID {
 	servers := slices.Clone(u.upstreamServers)
-	slices.Sort(servers)
+	slices.SortFunc(servers, func(a, b netip.AddrPort) int { return a.Compare(b) })
 
 	hash := sha256.New()
 	hash.Write([]byte(u.domain + ":"))
-	hash.Write([]byte(strings.Join(servers, ",")))
+	for _, s := range servers {
+		hash.Write([]byte(s.String()))
+		hash.Write([]byte("|"))
+	}
 	return types.HandlerID("upstream-" + hex.EncodeToString(hash.Sum(nil)[:8]))
 }
 
@@ -130,7 +134,7 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		func() {
 			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
 			defer cancel()
-			rm, t, err = u.upstreamClient.exchange(ctx, upstream, r)
+			rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
 		}()
 
 		if err != nil {
@@ -197,7 +201,7 @@ func (u *upstreamResolverBase) checkUpstreamFails(err error) {
 		proto.SystemEvent_DNS,
 		"All upstream servers failed (fail count exceeded)",
 		"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-		map[string]string{"upstreams": strings.Join(u.upstreamServers, ", ")},
+		map[string]string{"upstreams": u.upstreamServersString()},
 		// TODO add domain meta
 	)
 }
@@ -258,7 +262,7 @@ func (u *upstreamResolverBase) ProbeAvailability() {
 			proto.SystemEvent_DNS,
 			"All upstream servers failed (probe failed)",
 			"Unable to reach one or more DNS servers. This might affect your ability to connect to some services.",
-			map[string]string{"upstreams": strings.Join(u.upstreamServers, ", ")},
+			map[string]string{"upstreams": u.upstreamServersString()},
 		)
 	}
 }
@@ -278,7 +282,7 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 	operation := func() error {
 		select {
 		case <-u.ctx.Done():
-			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServers))
+			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServersString()))
 		default:
 		}
 
@@ -291,7 +295,7 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 			}
 		}
 
-		log.Tracef("checking connectivity with upstreams %s failed. Retrying in %s", u.upstreamServers, exponentialBackOff.NextBackOff())
+		log.Tracef("checking connectivity with upstreams %s failed. Retrying in %s", u.upstreamServersString(), exponentialBackOff.NextBackOff())
 		return fmt.Errorf("upstream check call error")
 	}
 
@@ -301,7 +305,7 @@ func (u *upstreamResolverBase) waitUntilResponse() {
 		return
 	}
 
-	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServers)
+	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServersString())
 	u.failsCount.Store(0)
 	u.successCount.Add(1)
 	u.reactivate()
@@ -331,13 +335,21 @@ func (u *upstreamResolverBase) disable(err error) {
 	go u.waitUntilResponse()
 }
 
-func (u *upstreamResolverBase) testNameserver(server string, timeout time.Duration) error {
+func (u *upstreamResolverBase) upstreamServersString() string {
+	var servers []string
+	for _, server := range u.upstreamServers {
+		servers = append(servers, server.String())
+	}
+	return strings.Join(servers, ", ")
+}
+
+func (u *upstreamResolverBase) testNameserver(server netip.AddrPort, timeout time.Duration) error {
 	ctx, cancel := context.WithTimeout(u.ctx, timeout)
 	defer cancel()
 
 	r := new(dns.Msg).SetQuestion(testRecord, dns.TypeSOA)
 
-	_, _, err := u.upstreamClient.exchange(ctx, server, r)
+	_, _, err := u.upstreamClient.exchange(ctx, server.String(), r)
 	return err
 }
 

client/internal/dns/upstream_android.go

@@ -79,8 +79,8 @@ func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream stri
 }
 
 func (u *upstreamResolver) isLocalResolver(upstream string) bool {
-	if u.hostsDNSHolder.isContain(upstream) {
-		return true
+	if addrPort, err := netip.ParseAddrPort(upstream); err == nil {
+		return u.hostsDNSHolder.contains(addrPort)
 	}
 	return false
 }

client/internal/dns/upstream_ios.go

@@ -62,6 +62,8 @@ func (u *upstreamResolverIOS) exchange(ctx context.Context, upstream string, r *
 	upstreamIP, err := netip.ParseAddr(upstreamHost)
 	if err != nil {
 		log.Warnf("failed to parse upstream host %s: %s", upstreamHost, err)
+	} else {
+		upstreamIP = upstreamIP.Unmap()
 	}
 	if u.lNet.Contains(upstreamIP) || upstreamIP.IsPrivate() {
 		log.Debugf("using private client to query upstream: %s", upstream)

client/internal/dns/upstream_test.go

@@ -59,7 +59,14 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
 			resolver, _ := newUpstreamResolver(ctx, "", netip.Addr{}, netip.Prefix{}, nil, nil, ".")
-			resolver.upstreamServers = testCase.InputServers
+			// Convert test servers to netip.AddrPort
+			var servers []netip.AddrPort
+			for _, server := range testCase.InputServers {
+				if addrPort, err := netip.ParseAddrPort(server); err == nil {
+					servers = append(servers, netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port()))
+				}
+			}
+			resolver.upstreamServers = servers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
 				cancel()
@@ -128,7 +135,8 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 		reactivatePeriod: reactivatePeriod,
 		failsTillDeact:   failsTillDeact,
 	}
-	resolver.upstreamServers = []string{"0.0.0.0:-1"}
+	addrPort, _ := netip.ParseAddrPort("0.0.0.0:1") // Use valid port for parsing, test will still fail on connection
+	resolver.upstreamServers = []netip.AddrPort{netip.AddrPortFrom(addrPort.Addr().Unmap(), addrPort.Port())}
 	resolver.failsTillDeact = 0
 	resolver.reactivatePeriod = time.Microsecond * 100
 

client/internal/dnsfwd/forwarder.go

@@ -165,7 +165,7 @@ func (f *DNSForwarder) handleDNSQuery(w dns.ResponseWriter, query *dns.Msg) *dns
 	defer cancel()
 	ips, err := f.resolver.LookupNetIP(ctx, network, domain)
 	if err != nil {
-		f.handleDNSError(w, query, resp, domain, err)
+		f.handleDNSError(ctx, w, question, resp, domain, err)
 		return nil
 	}
 
@@ -244,20 +244,57 @@ func (f *DNSForwarder) updateFirewall(matchingEntries []*ForwarderEntry, prefixe
 	}
 }
 
+// setResponseCodeForNotFound determines and sets the appropriate response code when IsNotFound is true
+// It distinguishes between NXDOMAIN (domain doesn't exist) and NODATA (domain exists but no records of requested type)
+//
+// LIMITATION: This function only checks A and AAAA record types to determine domain existence.
+// If a domain has only other record types (MX, TXT, CNAME, etc.) but no A/AAAA records,
+// it may incorrectly return NXDOMAIN instead of NODATA. This is acceptable since the forwarder
+// only handles A/AAAA queries and returns NOTIMP for other types.
+func (f *DNSForwarder) setResponseCodeForNotFound(ctx context.Context, resp *dns.Msg, domain string, originalQtype uint16) {
+	// Try querying for a different record type to see if the domain exists
+	// If the original query was for AAAA, try A. If it was for A, try AAAA.
+	// This helps distinguish between NXDOMAIN and NODATA.
+	var alternativeNetwork string
+	switch originalQtype {
+	case dns.TypeAAAA:
+		alternativeNetwork = "ip4"
+	case dns.TypeA:
+		alternativeNetwork = "ip6"
+	default:
+		resp.Rcode = dns.RcodeNameError
+		return
+	}
+
+	if _, err := f.resolver.LookupNetIP(ctx, alternativeNetwork, domain); err != nil {
+		var dnsErr *net.DNSError
+		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
+			// Alternative query also returned not found - domain truly doesn't exist
+			resp.Rcode = dns.RcodeNameError
+			return
+		}
+		// Some other error (timeout, server failure, etc.) - can't determine, assume domain exists
+		resp.Rcode = dns.RcodeSuccess
+		return
+	}
+
+	// Alternative query succeeded - domain exists but has no records of this type
+	resp.Rcode = dns.RcodeSuccess
+}
+
 // handleDNSError processes DNS lookup errors and sends an appropriate error response
-func (f *DNSForwarder) handleDNSError(w dns.ResponseWriter, query, resp *dns.Msg, domain string, err error) {
+func (f *DNSForwarder) handleDNSError(ctx context.Context, w dns.ResponseWriter, question dns.Question, resp *dns.Msg, domain string, err error) {
 	var dnsErr *net.DNSError
 
 	switch {
 	case errors.As(err, &dnsErr):
 		resp.Rcode = dns.RcodeServerFailure
 		if dnsErr.IsNotFound {
-			// Pass through NXDOMAIN
-			resp.Rcode = dns.RcodeNameError
+			f.setResponseCodeForNotFound(ctx, resp, domain, question.Qtype)
 		}
 
 		if dnsErr.Server != "" {
-			log.Warnf("failed to resolve query for type=%s domain=%s server=%s: %v", dns.TypeToString[query.Question[0].Qtype], domain, dnsErr.Server, err)
+			log.Warnf("failed to resolve query for type=%s domain=%s server=%s: %v", dns.TypeToString[question.Qtype], domain, dnsErr.Server, err)
 		} else {
 			log.Warnf(errResolveFailed, domain, err)
 		}

client/internal/dnsfwd/forwarder_test.go

@@ -3,6 +3,7 @@ package dnsfwd
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/netip"
 	"strings"
 	"testing"
@@ -16,8 +17,8 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/dns/test"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 func Test_getMatchingEntries(t *testing.T) {
@@ -708,6 +709,131 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	assert.Len(t, matches, 3, "Should match 3 patterns")
 }
 
+// TestDNSForwarder_NodataVsNxdomain tests that the forwarder correctly distinguishes
+// between NXDOMAIN (domain doesn't exist) and NODATA (domain exists but no records of that type)
+func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
+	mockFirewall := &MockFirewall{}
+	mockResolver := &MockResolver{}
+
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
+	forwarder.resolver = mockResolver
+
+	d, err := domain.FromString("example.com")
+	require.NoError(t, err)
+
+	set := firewall.NewDomainSet([]domain.Domain{d})
+	entries := []*ForwarderEntry{{Domain: d, ResID: "test-res", Set: set}}
+	forwarder.UpdateDomains(entries)
+
+	tests := []struct {
+		name           string
+		queryType      uint16
+		setupMocks     func()
+		expectedCode   int
+		expectNoAnswer bool // true if we expect NOERROR with empty answer (NODATA case)
+		description    string
+	}{
+		{
+			name:      "domain exists but no AAAA records (NODATA)",
+			queryType: dns.TypeAAAA,
+			setupMocks: func() {
+				// First query for AAAA returns not found
+				mockResolver.On("LookupNetIP", mock.Anything, "ip6", "example.com.").
+					Return([]netip.Addr{}, &net.DNSError{IsNotFound: true, Name: "example.com"}).Once()
+				// Check query for A records succeeds (domain exists)
+				mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
+					Return([]netip.Addr{netip.MustParseAddr("1.2.3.4")}, nil).Once()
+			},
+			expectedCode:   dns.RcodeSuccess,
+			expectNoAnswer: true,
+			description:    "Should return NOERROR when domain exists but has no records of requested type",
+		},
+		{
+			name:      "domain exists but no A records (NODATA)",
+			queryType: dns.TypeA,
+			setupMocks: func() {
+				// First query for A returns not found
+				mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
+					Return([]netip.Addr{}, &net.DNSError{IsNotFound: true, Name: "example.com"}).Once()
+				// Check query for AAAA records succeeds (domain exists)
+				mockResolver.On("LookupNetIP", mock.Anything, "ip6", "example.com.").
+					Return([]netip.Addr{netip.MustParseAddr("2001:db8::1")}, nil).Once()
+			},
+			expectedCode:   dns.RcodeSuccess,
+			expectNoAnswer: true,
+			description:    "Should return NOERROR when domain exists but has no A records",
+		},
+		{
+			name:      "domain doesn't exist (NXDOMAIN)",
+			queryType: dns.TypeA,
+			setupMocks: func() {
+				// First query for A returns not found
+				mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
+					Return([]netip.Addr{}, &net.DNSError{IsNotFound: true, Name: "example.com"}).Once()
+				// Check query for AAAA also returns not found (domain doesn't exist)
+				mockResolver.On("LookupNetIP", mock.Anything, "ip6", "example.com.").
+					Return([]netip.Addr{}, &net.DNSError{IsNotFound: true, Name: "example.com"}).Once()
+			},
+			expectedCode:   dns.RcodeNameError,
+			expectNoAnswer: true,
+			description:    "Should return NXDOMAIN when domain doesn't exist at all",
+		},
+		{
+			name:      "domain exists with records (normal success)",
+			queryType: dns.TypeA,
+			setupMocks: func() {
+				mockResolver.On("LookupNetIP", mock.Anything, "ip4", "example.com.").
+					Return([]netip.Addr{netip.MustParseAddr("1.2.3.4")}, nil).Once()
+				// Expect firewall update for successful resolution
+				expectedPrefix := netip.PrefixFrom(netip.MustParseAddr("1.2.3.4"), 32)
+				mockFirewall.On("UpdateSet", set, []netip.Prefix{expectedPrefix}).Return(nil).Once()
+			},
+			expectedCode:   dns.RcodeSuccess,
+			expectNoAnswer: false,
+			description:    "Should return NOERROR with answer when records exist",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset mock expectations
+			mockResolver.ExpectedCalls = nil
+			mockResolver.Calls = nil
+			mockFirewall.ExpectedCalls = nil
+			mockFirewall.Calls = nil
+
+			tt.setupMocks()
+
+			query := &dns.Msg{}
+			query.SetQuestion(dns.Fqdn("example.com"), tt.queryType)
+
+			var writtenResp *dns.Msg
+			mockWriter := &test.MockResponseWriter{
+				WriteMsgFunc: func(m *dns.Msg) error {
+					writtenResp = m
+					return nil
+				},
+			}
+
+			resp := forwarder.handleDNSQuery(mockWriter, query)
+
+			// If a response was returned, it means it should be written (happens in wrapper functions)
+			if resp != nil && writtenResp == nil {
+				writtenResp = resp
+			}
+
+			require.NotNil(t, writtenResp, "Expected response to be written")
+			assert.Equal(t, tt.expectedCode, writtenResp.Rcode, tt.description)
+
+			if tt.expectNoAnswer {
+				assert.Empty(t, writtenResp.Answer, "Response should have no answer records")
+			}
+
+			mockResolver.AssertExpectations(t)
+		})
+	}
+}
+
 func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	// Test handling of malformed query with no questions
 	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})

client/internal/engine.go

@@ -55,11 +55,11 @@ import (
 	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/route"
 	mgm "github.com/netbirdio/netbird/shared/management/client"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 	auth "github.com/netbirdio/netbird/shared/relay/auth/hmac"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
-	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
@@ -254,6 +254,7 @@ func NewEngine(
 	}
 	engine.stateManager = statemanager.New(path)
 
+	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
 	return engine
 }
 
@@ -1110,15 +1111,16 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 		}
 
 		convertedRoute := &route.Route{
-			ID:          route.ID(protoRoute.ID),
-			Network:     prefix.Masked(),
-			Domains:     domain.FromPunycodeList(protoRoute.Domains),
-			NetID:       route.NetID(protoRoute.NetID),
-			NetworkType: route.NetworkType(protoRoute.NetworkType),
-			Peer:        protoRoute.Peer,
-			Metric:      int(protoRoute.Metric),
-			Masquerade:  protoRoute.Masquerade,
-			KeepRoute:   protoRoute.KeepRoute,
+			ID:            route.ID(protoRoute.ID),
+			Network:       prefix.Masked(),
+			Domains:       domain.FromPunycodeList(protoRoute.Domains),
+			NetID:         route.NetID(protoRoute.NetID),
+			NetworkType:   route.NetworkType(protoRoute.NetworkType),
+			Peer:          protoRoute.Peer,
+			Metric:        int(protoRoute.Metric),
+			Masquerade:    protoRoute.Masquerade,
+			KeepRoute:     protoRoute.KeepRoute,
+			SkipAutoApply: protoRoute.SkipAutoApply,
 		}
 		routes = append(routes, convertedRoute)
 	}
@@ -1330,52 +1332,17 @@ func (e *Engine) receiveSignalEvents() {
 			}
 
 			switch msg.GetBody().Type {
-			case sProto.Body_OFFER:
-				remoteCred, err := signal.UnMarshalCredential(msg)
+			case sProto.Body_OFFER, sProto.Body_ANSWER:
+				offerAnswer, err := convertToOfferAnswer(msg)
 				if err != nil {
 					return err
 				}
 
-				var rosenpassPubKey []byte
-				rosenpassAddr := ""
-				if msg.GetBody().GetRosenpassConfig() != nil {
-					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
-					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
+				if msg.Body.Type == sProto.Body_OFFER {
+					conn.OnRemoteOffer(*offerAnswer)
+				} else {
+					conn.OnRemoteAnswer(*offerAnswer)
 				}
-				conn.OnRemoteOffer(peer.OfferAnswer{
-					IceCredentials: peer.IceCredentials{
-						UFrag: remoteCred.UFrag,
-						Pwd:   remoteCred.Pwd,
-					},
-					WgListenPort:    int(msg.GetBody().GetWgListenPort()),
-					Version:         msg.GetBody().GetNetBirdVersion(),
-					RosenpassPubKey: rosenpassPubKey,
-					RosenpassAddr:   rosenpassAddr,
-					RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
-				})
-			case sProto.Body_ANSWER:
-				remoteCred, err := signal.UnMarshalCredential(msg)
-				if err != nil {
-					return err
-				}
-
-				var rosenpassPubKey []byte
-				rosenpassAddr := ""
-				if msg.GetBody().GetRosenpassConfig() != nil {
-					rosenpassPubKey = msg.GetBody().GetRosenpassConfig().GetRosenpassPubKey()
-					rosenpassAddr = msg.GetBody().GetRosenpassConfig().GetRosenpassServerAddr()
-				}
-				conn.OnRemoteAnswer(peer.OfferAnswer{
-					IceCredentials: peer.IceCredentials{
-						UFrag: remoteCred.UFrag,
-						Pwd:   remoteCred.Pwd,
-					},
-					WgListenPort:    int(msg.GetBody().GetWgListenPort()),
-					Version:         msg.GetBody().GetNetBirdVersion(),
-					RosenpassPubKey: rosenpassPubKey,
-					RosenpassAddr:   rosenpassAddr,
-					RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
-				})
 			case sProto.Body_CANDIDATE:
 				candidate, err := ice.UnmarshalCandidate(msg.GetBody().Payload)
 				if err != nil {
@@ -2073,3 +2040,44 @@ func createFile(path string) error {
 	}
 	return file.Close()
 }
+
+func convertToOfferAnswer(msg *sProto.Message) (*peer.OfferAnswer, error) {
+	remoteCred, err := signal.UnMarshalCredential(msg)
+	if err != nil {
+		return nil, err
+	}
+
+	var (
+		rosenpassPubKey []byte
+		rosenpassAddr   string
+	)
+	if cfg := msg.GetBody().GetRosenpassConfig(); cfg != nil {
+		rosenpassPubKey = cfg.GetRosenpassPubKey()
+		rosenpassAddr = cfg.GetRosenpassServerAddr()
+	}
+
+	// Handle optional SessionID
+	var sessionID *peer.ICESessionID
+	if sessionBytes := msg.GetBody().GetSessionId(); sessionBytes != nil {
+		if id, err := peer.ICESessionIDFromBytes(sessionBytes); err != nil {
+			log.Warnf("Invalid session ID in message: %v", err)
+			sessionID = nil // Set to nil if conversion fails
+		} else {
+			sessionID = &id
+		}
+	}
+
+	offerAnswer := peer.OfferAnswer{
+		IceCredentials: peer.IceCredentials{
+			UFrag: remoteCred.UFrag,
+			Pwd:   remoteCred.Pwd,
+		},
+		WgListenPort:    int(msg.GetBody().GetWgListenPort()),
+		Version:         msg.GetBody().GetNetBirdVersion(),
+		RosenpassPubKey: rosenpassPubKey,
+		RosenpassAddr:   rosenpassAddr,
+		RelaySrvAddress: msg.GetBody().GetRelayServerAddress(),
+		SessionID:       sessionID,
+	}
+	return &offerAnswer, nil
+}

client/internal/engine_test.go

@@ -27,6 +27,8 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server/groups"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -43,8 +45,6 @@ import (
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
-	mgmt "github.com/netbirdio/netbird/shared/management/client"
-	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
@@ -54,8 +54,10 @@ import (
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/monotime"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/route"
+	mgmt "github.com/netbirdio/netbird/shared/management/client"
+	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
+	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
@@ -1513,15 +1515,15 @@ func startSignal(t *testing.T) (*grpc.Server, string, error) {
 func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, string, error) {
 	t.Helper()
 
-	config := &types.Config{
-		Stuns:      []*types.Host{},
-		TURNConfig: &types.TURNConfig{},
-		Relay: &types.Relay{
+	config := &config.Config{
+		Stuns:      []*config.Host{},
+		TURNConfig: &config.TURNConfig{},
+		Relay: &config.Relay{
 			Addresses:      []string{"127.0.0.1:1234"},
 			CredentialsTTL: util.Duration{Duration: time.Hour},
 			Secret:         "222222222222222222",
 		},
-		Signal: &types.Host{
+		Signal: &config.Host{
 			Proto: "http",
 			URI:   "localhost:10000",
 		},
@@ -1564,13 +1566,14 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 		AnyTimes()
 
 	permissionsManager := permissions.NewManager(store)
+	groupsManager := groups.NewManagerMock()
 
 	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}
 
-	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
+	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
 	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{})
 	if err != nil {
 		return nil, "", err

client/internal/mobile_dependency.go

@@ -1,6 +1,8 @@
 package internal
 
 import (
+	"net/netip"
+
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -13,7 +15,7 @@ type MobileDependency struct {
 	TunAdapter            device.TunAdapter
 	IFaceDiscover         stdnet.ExternalIFaceDiscover
 	NetworkChangeListener listener.NetworkChangeListener
-	HostDNSAddresses      []string
+	HostDNSAddresses      []netip.AddrPort
 	DnsReadyListener      dns.ReadyListener
 
 	//	iOS only

client/internal/peer/conn.go

@@ -24,8 +24,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/route"
+	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 )
 
@@ -200,19 +200,11 @@ func (conn *Conn) Open(engineCtx context.Context) error {
 	conn.wg.Add(1)
 	go func() {
 		defer conn.wg.Done()
+
 		conn.waitInitialRandomSleepTime(conn.ctx)
 		conn.semaphore.Done(conn.ctx)
 
-		conn.dumpState.SendOffer()
-		if err := conn.handshaker.sendOffer(); err != nil {
-			conn.Log.Errorf("failed to send initial offer: %v", err)
-		}
-
-		conn.wg.Add(1)
-		go func() {
-			conn.guard.Start(conn.ctx, conn.onGuardEvent)
-			conn.wg.Done()
-		}()
+		conn.guard.Start(conn.ctx, conn.onGuardEvent)
 	}()
 	conn.opened = true
 	return nil
@@ -274,10 +266,10 @@ func (conn *Conn) Close(signalToRemote bool) {
 
 // OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) bool {
+func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) {
 	conn.dumpState.RemoteAnswer()
 	conn.Log.Infof("OnRemoteAnswer, priority: %s, status ICE: %s, status relay: %s", conn.currentConnPriority, conn.statusICE, conn.statusRelay)
-	return conn.handshaker.OnRemoteAnswer(answer)
+	conn.handshaker.OnRemoteAnswer(answer)
 }
 
 // OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
@@ -296,10 +288,10 @@ func (conn *Conn) SetOnDisconnected(handler func(remotePeer string)) {
 	conn.onDisconnected = handler
 }
 
-func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {
+func (conn *Conn) OnRemoteOffer(offer OfferAnswer) {
 	conn.dumpState.RemoteOffer()
 	conn.Log.Infof("OnRemoteOffer, on status ICE: %s, status Relay: %s", conn.statusICE, conn.statusRelay)
-	return conn.handshaker.OnRemoteOffer(offer)
+	conn.handshaker.OnRemoteOffer(offer)
 }
 
 // WgConfig returns the WireGuard config
@@ -548,7 +540,6 @@ func (conn *Conn) onRelayDisconnected() {
 }
 
 func (conn *Conn) onGuardEvent() {
-	conn.Log.Debugf("send offer to peer")
 	conn.dumpState.SendOffer()
 	if err := conn.handshaker.SendOffer(); err != nil {
 		conn.Log.Errorf("failed to send offer: %v", err)
@@ -672,7 +663,7 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 		}
 	}()
 
-	if conn.statusICE.Get() == worker.StatusDisconnected {
+	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
 		return false
 	}
 

client/internal/peer/conn_test.go

@@ -1,9 +1,9 @@
 package peer
 
 import (
+	"context"
 	"fmt"
 	"os"
-	"sync"
 	"testing"
 	"time"
 
@@ -79,31 +79,30 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 		return
 	}
 
-	wg := sync.WaitGroup{}
-	wg.Add(2)
-	go func() {
-		<-conn.handshaker.remoteOffersCh
-		wg.Done()
-	}()
+	onNewOffeChan := make(chan struct{})
 
-	go func() {
-		for {
-			accepted := conn.OnRemoteOffer(OfferAnswer{
-				IceCredentials: IceCredentials{
-					UFrag: "test",
-					Pwd:   "test",
-				},
-				WgListenPort: 0,
-				Version:      "",
-			})
-			if accepted {
-				wg.Done()
-				return
-			}
-		}
-	}()
+	conn.handshaker.AddOnNewOfferListener(func(remoteOfferAnswer *OfferAnswer) {
+		onNewOffeChan <- struct{}{}
+	})
 
-	wg.Wait()
+	conn.OnRemoteOffer(OfferAnswer{
+		IceCredentials: IceCredentials{
+			UFrag: "test",
+			Pwd:   "test",
+		},
+		WgListenPort: 0,
+		Version:      "",
+	})
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	select {
+	case <-onNewOffeChan:
+		// success
+	case <-ctx.Done():
+		t.Error("expected to receive a new offer notification, but timed out")
+	}
 }
 
 func TestConn_OnRemoteAnswer(t *testing.T) {
@@ -119,31 +118,29 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 		return
 	}
 
-	wg := sync.WaitGroup{}
-	wg.Add(2)
-	go func() {
-		<-conn.handshaker.remoteAnswerCh
-		wg.Done()
-	}()
+	onNewOffeChan := make(chan struct{})
 
-	go func() {
-		for {
-			accepted := conn.OnRemoteAnswer(OfferAnswer{
-				IceCredentials: IceCredentials{
-					UFrag: "test",
-					Pwd:   "test",
-				},
-				WgListenPort: 0,
-				Version:      "",
-			})
-			if accepted {
-				wg.Done()
-				return
-			}
-		}
-	}()
+	conn.handshaker.AddOnNewOfferListener(func(remoteOfferAnswer *OfferAnswer) {
+		onNewOffeChan <- struct{}{}
+	})
 
-	wg.Wait()
+	conn.OnRemoteAnswer(OfferAnswer{
+		IceCredentials: IceCredentials{
+			UFrag: "test",
+			Pwd:   "test",
+		},
+		WgListenPort: 0,
+		Version:      "",
+	})
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	select {
+	case <-onNewOffeChan:
+		// success
+	case <-ctx.Done():
+		t.Error("expected to receive a new offer notification, but timed out")
+	}
 }
 
 func TestConn_presharedKey(t *testing.T) {

client/internal/peer/guard/guard.go

@@ -19,7 +19,6 @@ type isConnectedFunc func() bool
 // - Relayed connection disconnected
 // - ICE candidate changes
 type Guard struct {
-	Reconnect               chan struct{}
 	log                     *log.Entry
 	isConnectedOnAllWay     isConnectedFunc
 	timeout                 time.Duration
@@ -30,7 +29,6 @@ type Guard struct {
 
 func NewGuard(log *log.Entry, isConnectedFn isConnectedFunc, timeout time.Duration, srWatcher *SRWatcher) *Guard {
 	return &Guard{
-		Reconnect:               make(chan struct{}, 1),
 		log:                     log,
 		isConnectedOnAllWay:     isConnectedFn,
 		timeout:                 timeout,
@@ -41,6 +39,7 @@ func NewGuard(log *log.Entry, isConnectedFn isConnectedFunc, timeout time.Durati
 }
 
 func (g *Guard) Start(ctx context.Context, eventCallback func()) {
+	g.log.Infof("starting guard for reconnection with MaxInterval: %s", g.timeout)
 	g.reconnectLoopWithRetry(ctx, eventCallback)
 }
 
@@ -61,17 +60,14 @@ func (g *Guard) SetICEConnDisconnected() {
 // reconnectLoopWithRetry periodically check the connection status.
 // Try to send offer while the P2P is not established or while the Relay is not connected if is it supported
 func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
-	waitForInitialConnectionTry(ctx)
-
 	srReconnectedChan := g.srWatcher.NewListener()
 	defer g.srWatcher.RemoveListener(srReconnectedChan)
 
-	ticker := g.prepareExponentTicker(ctx)
+	ticker := g.initialTicker(ctx)
 	defer ticker.Stop()
 
 	tickerChannel := ticker.C
 
-	g.log.Infof("start reconnect loop...")
 	for {
 		select {
 		case t := <-tickerChannel:
@@ -85,7 +81,6 @@ func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 			if !g.isConnectedOnAllWay() {
 				callback()
 			}
-
 		case <-g.relayedConnDisconnected:
 			g.log.Debugf("Relay connection changed, reset reconnection ticker")
 			ticker.Stop()
@@ -111,6 +106,20 @@ func (g *Guard) reconnectLoopWithRetry(ctx context.Context, callback func()) {
 	}
 }
 
+// initialTicker give chance to the peer to establish the initial connection.
+func (g *Guard) initialTicker(ctx context.Context) *backoff.Ticker {
+	bo := backoff.WithContext(&backoff.ExponentialBackOff{
+		InitialInterval:     3 * time.Second,
+		RandomizationFactor: 0.1,
+		Multiplier:          2,
+		MaxInterval:         g.timeout,
+		Stop:                backoff.Stop,
+		Clock:               backoff.SystemClock,
+	}, ctx)
+
+	return backoff.NewTicker(bo)
+}
+
 func (g *Guard) prepareExponentTicker(ctx context.Context) *backoff.Ticker {
 	bo := backoff.WithContext(&backoff.ExponentialBackOff{
 		InitialInterval:     800 * time.Millisecond,
@@ -126,13 +135,3 @@ func (g *Guard) prepareExponentTicker(ctx context.Context) *backoff.Ticker {
 
 	return ticker
 }
-
-// Give chance to the peer to establish the initial connection.
-// With it, we can decrease to send necessary offer
-func waitForInitialConnectionTry(ctx context.Context) {
-	select {
-	case <-ctx.Done():
-		return
-	case <-time.After(3 * time.Second):
-	}
-}

client/internal/peer/handshaker.go

@@ -39,6 +39,15 @@ type OfferAnswer struct {
 
 	// relay server address
 	RelaySrvAddress string
+	// SessionID is the unique identifier of the session, used to discard old messages
+	SessionID *ICESessionID
+}
+
+func (oa *OfferAnswer) SessionIDString() string {
+	if oa.SessionID == nil {
+		return "unknown"
+	}
+	return oa.SessionID.String()
 }
 
 type Handshaker struct {
@@ -74,21 +83,25 @@ func (h *Handshaker) AddOnNewOfferListener(offer func(remoteOfferAnswer *OfferAn
 
 func (h *Handshaker) Listen(ctx context.Context) {
 	for {
-		h.log.Info("wait for remote offer confirmation")
-		remoteOfferAnswer, err := h.waitForRemoteOfferConfirmation(ctx)
-		if err != nil {
-			var connectionClosedError *ConnectionClosedError
-			if errors.As(err, &connectionClosedError) {
-				h.log.Info("exit from handshaker")
-				return
+		select {
+		case remoteOfferAnswer := <-h.remoteOffersCh:
+			// received confirmation from the remote peer -> ready to proceed
+			if err := h.sendAnswer(); err != nil {
+				h.log.Errorf("failed to send remote offer confirmation: %s", err)
+				continue
 			}
-			h.log.Errorf("failed to received remote offer confirmation: %s", err)
-			continue
-		}
-
-		h.log.Infof("received connection confirmation, running version %s and with remote WireGuard listen port %d", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort)
-		for _, listener := range h.onNewOfferListeners {
-			go listener(remoteOfferAnswer)
+			for _, listener := range h.onNewOfferListeners {
+				listener(&remoteOfferAnswer)
+			}
+			h.log.Infof("received offer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
+		case remoteOfferAnswer := <-h.remoteAnswerCh:
+			h.log.Infof("received answer, running version %s, remote WireGuard listen port %d, session id: %s", remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort, remoteOfferAnswer.SessionIDString())
+			for _, listener := range h.onNewOfferListeners {
+				listener(&remoteOfferAnswer)
+			}
+		case <-ctx.Done():
+			h.log.Infof("stop listening for remote offers and answers")
+			return
 		}
 	}
 }
@@ -101,43 +114,27 @@ func (h *Handshaker) SendOffer() error {
 
 // OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (h *Handshaker) OnRemoteOffer(offer OfferAnswer) bool {
+func (h *Handshaker) OnRemoteOffer(offer OfferAnswer) {
 	select {
 	case h.remoteOffersCh <- offer:
-		return true
+		return
 	default:
-		h.log.Warnf("OnRemoteOffer skipping message because is not ready")
+		h.log.Warnf("skipping remote offer message because receiver not ready")
 		// connection might not be ready yet to receive so we ignore the message
-		return false
+		return
 	}
 }
 
 // OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (h *Handshaker) OnRemoteAnswer(answer OfferAnswer) bool {
+func (h *Handshaker) OnRemoteAnswer(answer OfferAnswer) {
 	select {
 	case h.remoteAnswerCh <- answer:
-		return true
+		return
 	default:
 		// connection might not be ready yet to receive so we ignore the message
-		h.log.Debugf("OnRemoteAnswer skipping message because is not ready")
-		return false
-	}
-}
-
-func (h *Handshaker) waitForRemoteOfferConfirmation(ctx context.Context) (*OfferAnswer, error) {
-	select {
-	case remoteOfferAnswer := <-h.remoteOffersCh:
-		// received confirmation from the remote peer -> ready to proceed
-		if err := h.sendAnswer(); err != nil {
-			return nil, err
-		}
-		return &remoteOfferAnswer, nil
-	case remoteOfferAnswer := <-h.remoteAnswerCh:
-		return &remoteOfferAnswer, nil
-	case <-ctx.Done():
-		// closed externally
-		return nil, NewConnectionClosedError(h.config.Key)
+		h.log.Warnf("skipping remote answer message because receiver not ready")
+		return
 	}
 }
 
@@ -147,43 +144,34 @@ func (h *Handshaker) sendOffer() error {
 		return ErrSignalIsNotReady
 	}
 
-	iceUFrag, icePwd := h.ice.GetLocalUserCredentials()
-	offer := OfferAnswer{
-		IceCredentials:  IceCredentials{iceUFrag, icePwd},
-		WgListenPort:    h.config.LocalWgPort,
-		Version:         version.NetbirdVersion(),
-		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
-		RosenpassAddr:   h.config.RosenpassConfig.Addr,
-	}
-
-	addr, err := h.relay.RelayInstanceAddress()
-	if err == nil {
-		offer.RelaySrvAddress = addr
-	}
+	offer := h.buildOfferAnswer()
+	h.log.Infof("sending offer with serial: %s", offer.SessionIDString())
 
 	return h.signaler.SignalOffer(offer, h.config.Key)
 }
 
 func (h *Handshaker) sendAnswer() error {
-	h.log.Infof("sending answer")
-	uFrag, pwd := h.ice.GetLocalUserCredentials()
+	answer := h.buildOfferAnswer()
+	h.log.Infof("sending answer with serial: %s", answer.SessionIDString())
 
+	return h.signaler.SignalAnswer(answer, h.config.Key)
+}
+
+func (h *Handshaker) buildOfferAnswer() OfferAnswer {
+	uFrag, pwd := h.ice.GetLocalUserCredentials()
+	sid := h.ice.SessionID()
 	answer := OfferAnswer{
 		IceCredentials:  IceCredentials{uFrag, pwd},
 		WgListenPort:    h.config.LocalWgPort,
 		Version:         version.NetbirdVersion(),
 		RosenpassPubKey: h.config.RosenpassConfig.PubKey,
 		RosenpassAddr:   h.config.RosenpassConfig.Addr,
+		SessionID:       &sid,
 	}
-	addr, err := h.relay.RelayInstanceAddress()
-	if err == nil {
+
+	if addr, err := h.relay.RelayInstanceAddress(); err == nil {
 		answer.RelaySrvAddress = addr
 	}
 
-	err = h.signaler.SignalAnswer(answer, h.config.Key)
-	if err != nil {
-		return err
-	}
-
-	return nil
+	return answer
 }

client/internal/peer/ice/agent.go

@@ -1,6 +1,7 @@
 package ice
 
 import (
+	"sync"
 	"time"
 
 	"github.com/pion/ice/v3"
@@ -23,7 +24,20 @@ const (
 	iceRelayAcceptanceMinWaitDefault = 2 * time.Second
 )
 
-func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ice.Agent, error) {
+type ThreadSafeAgent struct {
+	*ice.Agent
+	once sync.Once
+}
+
+func (a *ThreadSafeAgent) Close() error {
+	var err error
+	a.once.Do(func() {
+		err = a.Agent.Close()
+	})
+	return err
+}
+
+func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candidateTypes []ice.CandidateType, ufrag string, pwd string) (*ThreadSafeAgent, error) {
 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
 	iceFailedTimeout := iceFailedTimeout()
@@ -61,7 +75,12 @@ func NewAgent(iFaceDiscover stdnet.ExternalIFaceDiscover, config Config, candida
 		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
 	}
 
-	return ice.NewAgent(agentConfig)
+	agent, err := ice.NewAgent(agentConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return &ThreadSafeAgent{Agent: agent}, nil
 }
 
 func GenerateICECredentials() (string, string, error) {

client/internal/peer/session_id.go

@@ -0,0 +1,47 @@
+package peer
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+	"io"
+)
+
+const sessionIDSize = 5
+
+type ICESessionID string
+
+// NewICESessionID generates a new session ID for distinguishing sessions
+func NewICESessionID() (ICESessionID, error) {
+	b := make([]byte, sessionIDSize)
+	if _, err := io.ReadFull(rand.Reader, b); err != nil {
+		return "", fmt.Errorf("failed to generate session ID: %w", err)
+	}
+	return ICESessionID(hex.EncodeToString(b)), nil
+}
+
+func ICESessionIDFromBytes(b []byte) (ICESessionID, error) {
+	if len(b) != sessionIDSize {
+		return "", fmt.Errorf("invalid session ID length: %d", len(b))
+	}
+	return ICESessionID(hex.EncodeToString(b)), nil
+}
+
+// Bytes returns the raw bytes of the session ID for protobuf serialization
+func (id ICESessionID) Bytes() ([]byte, error) {
+	if len(id) == 0 {
+		return nil, fmt.Errorf("ICE session ID is empty")
+	}
+	b, err := hex.DecodeString(string(id))
+	if err != nil {
+		return nil, fmt.Errorf("invalid ICE session ID encoding: %w", err)
+	}
+	if len(b) != sessionIDSize {
+		return nil, fmt.Errorf("invalid ICE session ID length: expected %d bytes, got %d", sessionIDSize, len(b))
+	}
+	return b, nil
+}
+
+func (id ICESessionID) String() string {
+	return string(id)
+}

client/internal/peer/signaler.go

@@ -2,6 +2,7 @@ package peer
 
 import (
 	"github.com/pion/ice/v3"
+	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	signal "github.com/netbirdio/netbird/shared/signal/client"
@@ -45,6 +46,10 @@ func (s *Signaler) Ready() bool {
 
 // SignalOfferAnswer signals either an offer or an answer to remote peer
 func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string, bodyType sProto.Body_Type) error {
+	sessionIDBytes, err := offerAnswer.SessionID.Bytes()
+	if err != nil {
+		log.Warnf("failed to get session ID bytes: %v", err)
+	}
 	msg, err := signal.MarshalCredential(
 		s.wgPrivateKey,
 		offerAnswer.WgListenPort,
@@ -56,13 +61,13 @@ func (s *Signaler) signalOfferAnswer(offerAnswer OfferAnswer, remoteKey string,
 		bodyType,
 		offerAnswer.RosenpassPubKey,
 		offerAnswer.RosenpassAddr,
-		offerAnswer.RelaySrvAddress)
+		offerAnswer.RelaySrvAddress,
+		sessionIDBytes)
 	if err != nil {
 		return err
 	}
 
-	err = s.signal.Send(msg)
-	if err != nil {
+	if err = s.signal.Send(msg); err != nil {
 		return err
 	}
 

client/internal/peer/status.go

@@ -140,7 +140,7 @@ type RosenpassState struct {
 // whether it's enabled, and the last error message encountered during probing.
 type NSGroupState struct {
 	ID      string
-	Servers []string
+	Servers []netip.AddrPort
 	Domains []string
 	Enabled bool
 	Error   error

client/internal/peer/worker_ice.go

@@ -42,8 +42,18 @@ type WorkerICE struct {
 	statusRecorder    *Status
 	hasRelayOnLocally bool
 
-	agent    *ice.Agent
-	muxAgent sync.Mutex
+	agent             *icemaker.ThreadSafeAgent
+	agentDialerCancel context.CancelFunc
+	agentConnecting   bool      // while it is true, drop all incoming offers
+	lastSuccess       time.Time // with this avoid the too frequent ICE agent recreation
+	// remoteSessionID represents the peer's session identifier from the latest remote offer.
+	remoteSessionID ICESessionID
+	// sessionID is used to track the current session ID of the ICE agent
+	// increase by one when disconnecting the agent
+	// with it the remote peer can discard the already deprecated offer/answer
+	// Without it the remote peer may recreate a workable ICE connection
+	sessionID ICESessionID
+	muxAgent  sync.Mutex
 
 	StunTurn []*stun.URI
 
@@ -57,6 +67,11 @@ type WorkerICE struct {
 }
 
 func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, conn *Conn, signaler *Signaler, ifaceDiscover stdnet.ExternalIFaceDiscover, statusRecorder *Status, hasRelayOnLocally bool) (*WorkerICE, error) {
+	sessionID, err := NewICESessionID()
+	if err != nil {
+		return nil, err
+	}
+
 	w := &WorkerICE{
 		ctx:               ctx,
 		log:               log,
@@ -67,6 +82,7 @@ func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, conn *
 		statusRecorder:    statusRecorder,
 		hasRelayOnLocally: hasRelayOnLocally,
 		lastKnownState:    ice.ConnectionStateDisconnected,
+		sessionID:         sessionID,
 	}
 
 	localUfrag, localPwd, err := icemaker.GenerateICECredentials()
@@ -79,15 +95,36 @@ func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, conn *
 }
 
 func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
-	w.log.Debugf("OnNewOffer for ICE")
+	w.log.Debugf("OnNewOffer for ICE, serial: %s", remoteOfferAnswer.SessionIDString())
 	w.muxAgent.Lock()
 
-	if w.agent != nil {
-		w.log.Debugf("agent already exists, skipping the offer")
+	if w.agentConnecting {
+		w.log.Debugf("agent connection is in progress, skipping the offer")
 		w.muxAgent.Unlock()
 		return
 	}
 
+	if w.agent != nil {
+		// backward compatibility with old clients that do not send session ID
+		if remoteOfferAnswer.SessionID == nil {
+			w.log.Debugf("agent already exists, skipping the offer")
+			w.muxAgent.Unlock()
+			return
+		}
+		if w.remoteSessionID == *remoteOfferAnswer.SessionID {
+			w.log.Debugf("agent already exists and session ID matches, skipping the offer: %s", remoteOfferAnswer.SessionIDString())
+			w.muxAgent.Unlock()
+			return
+		}
+		w.log.Debugf("agent already exists, recreate the connection")
+		w.agentDialerCancel()
+		if err := w.agent.Close(); err != nil {
+			w.log.Warnf("failed to close ICE agent: %s", err)
+		}
+		w.agent = nil
+		// todo consider to switch to Relay connection while establishing a new ICE connection
+	}
+
 	var preferredCandidateTypes []ice.CandidateType
 	if w.hasRelayOnLocally && remoteOfferAnswer.RelaySrvAddress != "" {
 		preferredCandidateTypes = icemaker.CandidateTypesP2P()
@@ -96,36 +133,124 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 	}
 
 	w.log.Debugf("recreate ICE agent")
-	agentCtx, agentCancel := context.WithCancel(w.ctx)
-	agent, err := w.reCreateAgent(agentCancel, preferredCandidateTypes)
+	dialerCtx, dialerCancel := context.WithCancel(w.ctx)
+	agent, err := w.reCreateAgent(dialerCancel, preferredCandidateTypes)
 	if err != nil {
 		w.log.Errorf("failed to recreate ICE Agent: %s", err)
 		w.muxAgent.Unlock()
 		return
 	}
+	w.sentExtraSrflx = false
 	w.agent = agent
+	w.agentDialerCancel = dialerCancel
+	w.agentConnecting = true
 	w.muxAgent.Unlock()
 
-	w.log.Debugf("gather candidates")
-	err = w.agent.GatherCandidates()
-	if err != nil {
-		w.log.Debugf("failed to gather candidates: %s", err)
+	go w.connect(dialerCtx, agent, remoteOfferAnswer)
+}
+
+// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
+func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
+	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+	w.log.Debugf("OnRemoteCandidate from peer %s -> %s", w.config.Key, candidate.String())
+	if w.agent == nil {
+		w.log.Warnf("ICE Agent is not initialized yet")
+		return
+	}
+
+	if candidateViaRoutes(candidate, haRoutes) {
+		return
+	}
+
+	if err := w.agent.AddRemoteCandidate(candidate); err != nil {
+		w.log.Errorf("error while handling remote candidate")
+		return
+	}
+}
+
+func (w *WorkerICE) GetLocalUserCredentials() (frag string, pwd string) {
+	return w.localUfrag, w.localPwd
+}
+
+func (w *WorkerICE) InProgress() bool {
+	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+
+	return w.agentConnecting
+}
+
+func (w *WorkerICE) Close() {
+	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+
+	if w.agent == nil {
+		return
+	}
+
+	w.agentDialerCancel()
+	if err := w.agent.Close(); err != nil {
+		w.log.Warnf("failed to close ICE agent: %s", err)
+	}
+
+	w.agent = nil
+}
+
+func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
+	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
+	if err != nil {
+		return nil, fmt.Errorf("create agent: %w", err)
+	}
+
+	if err := agent.OnCandidate(w.onICECandidate); err != nil {
+		return nil, err
+	}
+
+	if err := agent.OnConnectionStateChange(w.onConnectionStateChange(agent, dialerCancel)); err != nil {
+		return nil, err
+	}
+
+	if err := agent.OnSelectedCandidatePairChange(w.onICESelectedCandidatePair); err != nil {
+		return nil, err
+	}
+
+	if err := agent.OnSuccessfulSelectedPairBindingResponse(w.onSuccessfulSelectedPairBindingResponse); err != nil {
+		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
+	}
+
+	return agent, nil
+}
+
+func (w *WorkerICE) SessionID() ICESessionID {
+	w.muxAgent.Lock()
+	defer w.muxAgent.Unlock()
+
+	return w.sessionID
+}
+
+// will block until connection succeeded
+// but it won't release if ICE Agent went into Disconnected or Failed state,
+// so we have to cancel it with the provided context once agent detected a broken connection
+func (w *WorkerICE) connect(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) {
+	w.log.Debugf("gather candidates")
+	if err := agent.GatherCandidates(); err != nil {
+		w.log.Warnf("failed to gather candidates: %s", err)
+		w.closeAgent(agent, w.agentDialerCancel)
 		return
 	}
 
-	// will block until connection succeeded
-	// but it won't release if ICE Agent went into Disconnected or Failed state,
-	// so we have to cancel it with the provided context once agent detected a broken connection
 	w.log.Debugf("turn agent dial")
-	remoteConn, err := w.turnAgentDial(agentCtx, remoteOfferAnswer)
+	remoteConn, err := w.turnAgentDial(ctx, agent, remoteOfferAnswer)
 	if err != nil {
 		w.log.Debugf("failed to dial the remote peer: %s", err)
+		w.closeAgent(agent, w.agentDialerCancel)
 		return
 	}
 	w.log.Debugf("agent dial succeeded")
 
-	pair, err := w.agent.GetSelectedCandidatePair()
+	pair, err := agent.GetSelectedCandidatePair()
 	if err != nil {
+		w.closeAgent(agent, w.agentDialerCancel)
 		return
 	}
 
@@ -152,114 +277,39 @@ func (w *WorkerICE) OnNewOffer(remoteOfferAnswer *OfferAnswer) {
 		RelayedOnLocal:             isRelayCandidate(pair.Local),
 	}
 	w.log.Debugf("on ICE conn is ready to use")
-	go w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
-}
 
-// OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
-func (w *WorkerICE) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
+	w.log.Infof("connection succeeded with offer session: %s", remoteOfferAnswer.SessionIDString())
 	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-	w.log.Debugf("OnRemoteCandidate from peer %s -> %s", w.config.Key, candidate.String())
-	if w.agent == nil {
-		w.log.Warnf("ICE Agent is not initialized yet")
-		return
+	w.agentConnecting = false
+	w.lastSuccess = time.Now()
+	if remoteOfferAnswer.SessionID != nil {
+		w.remoteSessionID = *remoteOfferAnswer.SessionID
 	}
+	w.muxAgent.Unlock()
 
-	if candidateViaRoutes(candidate, haRoutes) {
-		return
-	}
-
-	err := w.agent.AddRemoteCandidate(candidate)
-	if err != nil {
-		w.log.Errorf("error while handling remote candidate")
-		return
-	}
+	// todo: the potential problem is a race between the onConnectionStateChange
+	w.conn.onICEConnectionIsReady(selectedPriority(pair), ci)
 }
 
-func (w *WorkerICE) GetLocalUserCredentials() (frag string, pwd string) {
-	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-	return w.localUfrag, w.localPwd
-}
-
-func (w *WorkerICE) Close() {
-	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-
-	if w.agent == nil {
-		return
-	}
-
-	if err := w.agent.Close(); err != nil {
-		w.log.Warnf("failed to close ICE agent: %s", err)
-	}
-}
-
-func (w *WorkerICE) reCreateAgent(agentCancel context.CancelFunc, candidates []ice.CandidateType) (*ice.Agent, error) {
-	w.sentExtraSrflx = false
-
-	agent, err := icemaker.NewAgent(w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
-	if err != nil {
-		return nil, fmt.Errorf("create agent: %w", err)
-	}
-
-	err = agent.OnCandidate(w.onICECandidate)
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnConnectionStateChange(func(state ice.ConnectionState) {
-		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
-		switch state {
-		case ice.ConnectionStateConnected:
-			w.lastKnownState = ice.ConnectionStateConnected
-			return
-		case ice.ConnectionStateFailed, ice.ConnectionStateDisconnected:
-			if w.lastKnownState == ice.ConnectionStateConnected {
-				w.lastKnownState = ice.ConnectionStateDisconnected
-				w.conn.onICEStateDisconnected()
-			}
-			w.closeAgent(agentCancel)
-		default:
-			return
-		}
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnSelectedCandidatePairChange(w.onICESelectedCandidatePair)
-	if err != nil {
-		return nil, err
-	}
-
-	err = agent.OnSuccessfulSelectedPairBindingResponse(func(p *ice.CandidatePair) {
-		err := w.statusRecorder.UpdateLatency(w.config.Key, p.Latency())
-		if err != nil {
-			w.log.Debugf("failed to update latency for peer: %s", err)
-			return
-		}
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed setting binding response callback: %w", err)
-	}
-
-	return agent, nil
-}
-
-func (w *WorkerICE) closeAgent(cancel context.CancelFunc) {
-	w.muxAgent.Lock()
-	defer w.muxAgent.Unlock()
-
+func (w *WorkerICE) closeAgent(agent *icemaker.ThreadSafeAgent, cancel context.CancelFunc) {
 	cancel()
-	if w.agent == nil {
-		return
-	}
-
-	if err := w.agent.Close(); err != nil {
+	if err := agent.Close(); err != nil {
 		w.log.Warnf("failed to close ICE agent: %s", err)
 	}
-	w.agent = nil
+
+	w.muxAgent.Lock()
+	// todo review does it make sense to generate new session ID all the time when w.agent==agent
+	sessionID, err := NewICESessionID()
+	if err != nil {
+		w.log.Errorf("failed to create new session ID: %s", err)
+	}
+	w.sessionID = sessionID
+
+	if w.agent == agent {
+		w.agent = nil
+		w.agentConnecting = false
+	}
+	w.muxAgent.Unlock()
 }
 
 func (w *WorkerICE) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
@@ -331,6 +381,32 @@ func (w *WorkerICE) onICESelectedCandidatePair(c1 ice.Candidate, c2 ice.Candidat
 		w.config.Key)
 }
 
+func (w *WorkerICE) onConnectionStateChange(agent *icemaker.ThreadSafeAgent, dialerCancel context.CancelFunc) func(ice.ConnectionState) {
+	return func(state ice.ConnectionState) {
+		w.log.Debugf("ICE ConnectionState has changed to %s", state.String())
+		switch state {
+		case ice.ConnectionStateConnected:
+			w.lastKnownState = ice.ConnectionStateConnected
+			return
+		case ice.ConnectionStateFailed, ice.ConnectionStateDisconnected:
+			if w.lastKnownState == ice.ConnectionStateConnected {
+				w.lastKnownState = ice.ConnectionStateDisconnected
+				w.conn.onICEStateDisconnected()
+			}
+			w.closeAgent(agent, dialerCancel)
+		default:
+			return
+		}
+	}
+}
+
+func (w *WorkerICE) onSuccessfulSelectedPairBindingResponse(pair *ice.CandidatePair) {
+	if err := w.statusRecorder.UpdateLatency(w.config.Key, pair.Latency()); err != nil {
+		w.log.Debugf("failed to update latency for peer: %s", err)
+		return
+	}
+}
+
 func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool {
 	if !w.sentExtraSrflx && candidate.Type() == ice.CandidateTypeServerReflexive && candidate.Port() != candidate.RelatedAddress().Port {
 		return true
@@ -338,12 +414,12 @@ func (w *WorkerICE) shouldSendExtraSrflxCandidate(candidate ice.Candidate) bool
 	return false
 }
 
-func (w *WorkerICE) turnAgentDial(ctx context.Context, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
+func (w *WorkerICE) turnAgentDial(ctx context.Context, agent *icemaker.ThreadSafeAgent, remoteOfferAnswer *OfferAnswer) (*ice.Conn, error) {
 	isControlling := w.config.LocalKey > w.config.Key
 	if isControlling {
-		return w.agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Dial(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	} else {
-		return w.agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		return agent.Accept(ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
 	}
 }
 

client/internal/routemanager/manager.go

@@ -36,8 +36,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/vars"
 	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	"github.com/netbirdio/netbird/route"
+	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )
@@ -368,7 +368,11 @@ func (m *DefaultManager) UpdateRoutes(
 
 	var merr *multierror.Error
 	if !m.disableClientRoutes {
-		filteredClientRoutes := m.routeSelector.FilterSelected(clientRoutes)
+
+		// Update route selector based on management server's isSelected status
+		m.updateRouteSelectorFromManagement(clientRoutes)
+
+		filteredClientRoutes := m.routeSelector.FilterSelectedExitNodes(clientRoutes)
 
 		if err := m.updateSystemRoutes(filteredClientRoutes); err != nil {
 			merr = multierror.Append(merr, fmt.Errorf("update system routes: %w", err))
@@ -430,7 +434,7 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 
-	networks = m.routeSelector.FilterSelected(networks)
+	networks = m.routeSelector.FilterSelectedExitNodes(networks)
 
 	m.notifier.OnNewRoutes(networks)
 
@@ -583,3 +587,106 @@ func resolveURLsToIPs(urls []string) []net.IP {
 	}
 	return ips
 }
+
+// updateRouteSelectorFromManagement updates the route selector based on the isSelected status from the management server
+func (m *DefaultManager) updateRouteSelectorFromManagement(clientRoutes route.HAMap) {
+	exitNodeInfo := m.collectExitNodeInfo(clientRoutes)
+	if len(exitNodeInfo.allIDs) == 0 {
+		return
+	}
+
+	m.updateExitNodeSelections(exitNodeInfo)
+	m.logExitNodeUpdate(exitNodeInfo)
+}
+
+type exitNodeInfo struct {
+	allIDs               []route.NetID
+	selectedByManagement []route.NetID
+	userSelected         []route.NetID
+	userDeselected       []route.NetID
+}
+
+func (m *DefaultManager) collectExitNodeInfo(clientRoutes route.HAMap) exitNodeInfo {
+	var info exitNodeInfo
+
+	for haID, routes := range clientRoutes {
+		if !m.isExitNodeRoute(routes) {
+			continue
+		}
+
+		netID := haID.NetID()
+		info.allIDs = append(info.allIDs, netID)
+
+		if m.routeSelector.HasUserSelectionForRoute(netID) {
+			m.categorizeUserSelection(netID, &info)
+		} else {
+			m.checkManagementSelection(routes, netID, &info)
+		}
+	}
+
+	return info
+}
+
+func (m *DefaultManager) isExitNodeRoute(routes []*route.Route) bool {
+	return len(routes) > 0 && routes[0].Network.String() == vars.ExitNodeCIDR
+}
+
+func (m *DefaultManager) categorizeUserSelection(netID route.NetID, info *exitNodeInfo) {
+	if m.routeSelector.IsSelected(netID) {
+		info.userSelected = append(info.userSelected, netID)
+	} else {
+		info.userDeselected = append(info.userDeselected, netID)
+	}
+}
+
+func (m *DefaultManager) checkManagementSelection(routes []*route.Route, netID route.NetID, info *exitNodeInfo) {
+	for _, route := range routes {
+		if !route.SkipAutoApply {
+			info.selectedByManagement = append(info.selectedByManagement, netID)
+			break
+		}
+	}
+}
+
+func (m *DefaultManager) updateExitNodeSelections(info exitNodeInfo) {
+	routesToDeselect := m.getRoutesToDeselect(info.allIDs)
+	m.deselectExitNodes(routesToDeselect)
+	m.selectExitNodesByManagement(info.selectedByManagement, info.allIDs)
+}
+
+func (m *DefaultManager) getRoutesToDeselect(allIDs []route.NetID) []route.NetID {
+	var routesToDeselect []route.NetID
+	for _, netID := range allIDs {
+		if !m.routeSelector.HasUserSelectionForRoute(netID) {
+			routesToDeselect = append(routesToDeselect, netID)
+		}
+	}
+	return routesToDeselect
+}
+
+func (m *DefaultManager) deselectExitNodes(routesToDeselect []route.NetID) {
+	if len(routesToDeselect) == 0 {
+		return
+	}
+
+	err := m.routeSelector.DeselectRoutes(routesToDeselect, routesToDeselect)
+	if err != nil {
+		log.Warnf("Failed to deselect exit nodes: %v", err)
+	}
+}
+
+func (m *DefaultManager) selectExitNodesByManagement(selectedByManagement []route.NetID, allIDs []route.NetID) {
+	if len(selectedByManagement) == 0 {
+		return
+	}
+
+	err := m.routeSelector.SelectRoutes(selectedByManagement, true, allIDs)
+	if err != nil {
+		log.Warnf("Failed to select exit nodes: %v", err)
+	}
+}
+
+func (m *DefaultManager) logExitNodeUpdate(info exitNodeInfo) {
+	log.Debugf("Updated route selector: %d exit nodes available, %d selected by management, %d user-selected, %d user-deselected",
+		len(info.allIDs), len(info.selectedByManagement), len(info.userSelected), len(info.userDeselected))
+}

client/internal/routemanager/manager_test.go

@@ -190,14 +190,15 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			name: "No Small Client Route Should Be Added",
 			inputRoutes: []*route.Route{
 				{
-					ID:          "a",
-					NetID:       "routeA",
-					Peer:        remotePeerKey1,
-					Network:     netip.MustParsePrefix("0.0.0.0/0"),
-					NetworkType: route.IPv4Network,
-					Metric:      9999,
-					Masquerade:  false,
-					Enabled:     true,
+					ID:            "a",
+					NetID:         "routeA",
+					Peer:          remotePeerKey1,
+					Network:       netip.MustParsePrefix("0.0.0.0/0"),
+					NetworkType:   route.IPv4Network,
+					Metric:        9999,
+					Masquerade:    false,
+					Enabled:       true,
+					SkipAutoApply: false,
 				},
 			},
 			inputSerial:                          1,

client/internal/routemanager/vars/vars.go

@@ -13,4 +13,6 @@ var (
 
 	Defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
 	Defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+
+	ExitNodeCIDR = "0.0.0.0/0"
 )

client/internal/routeselector/routeselector.go

@@ -9,19 +9,27 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
 )
 
+const (
+	exitNodeCIDR = "0.0.0.0/0"
+)
+
 type RouteSelector struct {
 	mu               sync.RWMutex
 	deselectedRoutes map[route.NetID]struct{}
+	selectedRoutes   map[route.NetID]struct{}
 	deselectAll      bool
 }
 
 func NewRouteSelector() *RouteSelector {
 	return &RouteSelector{
 		deselectedRoutes: map[route.NetID]struct{}{},
+		selectedRoutes:   map[route.NetID]struct{}{},
 		deselectAll:      false,
 	}
 }
@@ -32,7 +40,14 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 	defer rs.mu.Unlock()
 
 	if !appendRoute || rs.deselectAll {
+		if rs.deselectedRoutes == nil {
+			rs.deselectedRoutes = map[route.NetID]struct{}{}
+		}
+		if rs.selectedRoutes == nil {
+			rs.selectedRoutes = map[route.NetID]struct{}{}
+		}
 		maps.Clear(rs.deselectedRoutes)
+		maps.Clear(rs.selectedRoutes)
 		for _, r := range allRoutes {
 			rs.deselectedRoutes[r] = struct{}{}
 		}
@@ -45,6 +60,7 @@ func (rs *RouteSelector) SelectRoutes(routes []route.NetID, appendRoute bool, al
 			continue
 		}
 		delete(rs.deselectedRoutes, route)
+		rs.selectedRoutes[route] = struct{}{}
 	}
 
 	rs.deselectAll = false
@@ -58,7 +74,14 @@ func (rs *RouteSelector) SelectAllRoutes() {
 	defer rs.mu.Unlock()
 
 	rs.deselectAll = false
+	if rs.deselectedRoutes == nil {
+		rs.deselectedRoutes = map[route.NetID]struct{}{}
+	}
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}
 	maps.Clear(rs.deselectedRoutes)
+	maps.Clear(rs.selectedRoutes)
 }
 
 // DeselectRoutes removes specific routes from the selection.
@@ -77,6 +100,7 @@ func (rs *RouteSelector) DeselectRoutes(routes []route.NetID, allRoutes []route.
 			continue
 		}
 		rs.deselectedRoutes[route] = struct{}{}
+		delete(rs.selectedRoutes, route)
 	}
 
 	return errors.FormatErrorOrNil(err)
@@ -88,7 +112,14 @@ func (rs *RouteSelector) DeselectAllRoutes() {
 	defer rs.mu.Unlock()
 
 	rs.deselectAll = true
+	if rs.deselectedRoutes == nil {
+		rs.deselectedRoutes = map[route.NetID]struct{}{}
+	}
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}
 	maps.Clear(rs.deselectedRoutes)
+	maps.Clear(rs.selectedRoutes)
 }
 
 // IsSelected checks if a specific route is selected.
@@ -97,11 +128,14 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	defer rs.mu.RUnlock()
 
 	if rs.deselectAll {
+		log.Debugf("Route %s not selected (deselect all)", routeID)
 		return false
 	}
 
 	_, deselected := rs.deselectedRoutes[routeID]
-	return !deselected
+	isSelected := !deselected
+	log.Debugf("Route %s selection status: %v (deselected: %v)", routeID, isSelected, deselected)
+	return isSelected
 }
 
 // FilterSelected removes unselected routes from the provided map.
@@ -124,15 +158,98 @@ func (rs *RouteSelector) FilterSelected(routes route.HAMap) route.HAMap {
 	return filtered
 }
 
+// HasUserSelectionForRoute returns true if the user has explicitly selected or deselected this specific route
+func (rs *RouteSelector) HasUserSelectionForRoute(routeID route.NetID) bool {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
+	_, selected := rs.selectedRoutes[routeID]
+	_, deselected := rs.deselectedRoutes[routeID]
+	return selected || deselected
+}
+
+func (rs *RouteSelector) FilterSelectedExitNodes(routes route.HAMap) route.HAMap {
+	rs.mu.RLock()
+	defer rs.mu.RUnlock()
+
+	if rs.deselectAll {
+		return route.HAMap{}
+	}
+
+	filtered := make(route.HAMap, len(routes))
+	for id, rt := range routes {
+		netID := id.NetID()
+		if rs.isDeselected(netID) {
+			continue
+		}
+
+		if !isExitNode(rt) {
+			filtered[id] = rt
+			continue
+		}
+
+		rs.applyExitNodeFilter(id, netID, rt, filtered)
+	}
+
+	return filtered
+}
+
+func (rs *RouteSelector) isDeselected(netID route.NetID) bool {
+	_, deselected := rs.deselectedRoutes[netID]
+	return deselected || rs.deselectAll
+}
+
+func isExitNode(rt []*route.Route) bool {
+	return len(rt) > 0 && rt[0].Network.String() == exitNodeCIDR
+}
+
+func (rs *RouteSelector) applyExitNodeFilter(
+	id route.HAUniqueID,
+	netID route.NetID,
+	rt []*route.Route,
+	out route.HAMap,
+) {
+
+	if rs.hasUserSelections() {
+		// user made explicit selects/deselects
+		if rs.IsSelected(netID) {
+			out[id] = rt
+		}
+		return
+	}
+
+	// no explicit selections: only include routes marked !SkipAutoApply (=AutoApply)
+	sel := collectSelected(rt)
+	if len(sel) > 0 {
+		out[id] = sel
+	}
+}
+
+func (rs *RouteSelector) hasUserSelections() bool {
+	return len(rs.selectedRoutes) > 0 || len(rs.deselectedRoutes) > 0
+}
+
+func collectSelected(rt []*route.Route) []*route.Route {
+	var sel []*route.Route
+	for _, r := range rt {
+		if !r.SkipAutoApply {
+			sel = append(sel, r)
+		}
+	}
+	return sel
+}
+
 // MarshalJSON implements the json.Marshaler interface
 func (rs *RouteSelector) MarshalJSON() ([]byte, error) {
 	rs.mu.RLock()
 	defer rs.mu.RUnlock()
 
 	return json.Marshal(struct {
+		SelectedRoutes   map[route.NetID]struct{} `json:"selected_routes"`
 		DeselectedRoutes map[route.NetID]struct{} `json:"deselected_routes"`
 		DeselectAll      bool                     `json:"deselect_all"`
 	}{
+		SelectedRoutes:   rs.selectedRoutes,
 		DeselectedRoutes: rs.deselectedRoutes,
 		DeselectAll:      rs.deselectAll,
 	})
@@ -147,11 +264,13 @@ func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
 	// Check for null or empty JSON
 	if len(data) == 0 || string(data) == "null" {
 		rs.deselectedRoutes = map[route.NetID]struct{}{}
+		rs.selectedRoutes = map[route.NetID]struct{}{}
 		rs.deselectAll = false
 		return nil
 	}
 
 	var temp struct {
+		SelectedRoutes   map[route.NetID]struct{} `json:"selected_routes"`
 		DeselectedRoutes map[route.NetID]struct{} `json:"deselected_routes"`
 		DeselectAll      bool                     `json:"deselect_all"`
 	}
@@ -160,12 +279,16 @@ func (rs *RouteSelector) UnmarshalJSON(data []byte) error {
 		return err
 	}
 
+	rs.selectedRoutes = temp.SelectedRoutes
 	rs.deselectedRoutes = temp.DeselectedRoutes
 	rs.deselectAll = temp.DeselectAll
 
 	if rs.deselectedRoutes == nil {
 		rs.deselectedRoutes = map[route.NetID]struct{}{}
 	}
+	if rs.selectedRoutes == nil {
+		rs.selectedRoutes = map[route.NetID]struct{}{}
+	}
 
 	return nil
 }

client/internal/routeselector/routeselector_test.go

@@ -1,6 +1,7 @@
 package routeselector_test
 
 import (
+	"net/netip"
 	"slices"
 	"testing"
 
@@ -273,6 +274,62 @@ func TestRouteSelector_FilterSelected(t *testing.T) {
 	}, filtered)
 }
 
+func TestRouteSelector_FilterSelectedExitNodes(t *testing.T) {
+	rs := routeselector.NewRouteSelector()
+
+	// Create test routes
+	exitNode1 := &route.Route{
+		ID:            "route1",
+		NetID:         "net1",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		Peer:          "peer1",
+		SkipAutoApply: false,
+	}
+	exitNode2 := &route.Route{
+		ID:            "route2",
+		NetID:         "net1",
+		Network:       netip.MustParsePrefix("0.0.0.0/0"),
+		Peer:          "peer2",
+		SkipAutoApply: true,
+	}
+	normalRoute := &route.Route{
+		ID:            "route3",
+		NetID:         "net2",
+		Network:       netip.MustParsePrefix("192.168.1.0/24"),
+		Peer:          "peer3",
+		SkipAutoApply: false,
+	}
+
+	routes := route.HAMap{
+		"net1|0.0.0.0/0":      {exitNode1, exitNode2},
+		"net2|192.168.1.0/24": {normalRoute},
+	}
+
+	// Test filtering
+	filtered := rs.FilterSelectedExitNodes(routes)
+
+	// Should only include selected exit nodes and all normal routes
+	assert.Len(t, filtered, 2)
+	assert.Len(t, filtered["net1|0.0.0.0/0"], 1) // Only the selected exit node
+	assert.Equal(t, exitNode1.ID, filtered["net1|0.0.0.0/0"][0].ID)
+	assert.Len(t, filtered["net2|192.168.1.0/24"], 1) // Normal route should be included
+	assert.Equal(t, normalRoute.ID, filtered["net2|192.168.1.0/24"][0].ID)
+
+	// Test with deselected routes
+	err := rs.DeselectRoutes([]route.NetID{"net1"}, []route.NetID{"net1", "net2"})
+	assert.NoError(t, err)
+	filtered = rs.FilterSelectedExitNodes(routes)
+	assert.Len(t, filtered, 1) // Only normal route should remain
+	assert.Len(t, filtered["net2|192.168.1.0/24"], 1)
+	assert.Equal(t, normalRoute.ID, filtered["net2|192.168.1.0/24"][0].ID)
+
+	// Test with deselect all
+	rs = routeselector.NewRouteSelector()
+	rs.DeselectAllRoutes()
+	filtered = rs.FilterSelectedExitNodes(routes)
+	assert.Len(t, filtered, 0) // No routes should be selected
+}
+
 func TestRouteSelector_NewRoutesBehavior(t *testing.T) {
 	initialRoutes := []route.NetID{"route1", "route2", "route3"}
 	newRoutes := []route.NetID{"route1", "route2", "route3", "route4", "route5"}

client/proto/daemon.pb.go

@@ -4430,6 +4430,94 @@ func (*LogoutResponse) Descriptor() ([]byte, []int) {
 	return file_daemon_proto_rawDescGZIP(), []int{66}
 }
 
+type GetFeaturesRequest struct {
+	state         protoimpl.MessageState `protogen:"open.v1"`
+	unknownFields protoimpl.UnknownFields
+	sizeCache     protoimpl.SizeCache
+}
+
+func (x *GetFeaturesRequest) Reset() {
+	*x = GetFeaturesRequest{}
+	mi := &file_daemon_proto_msgTypes[67]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetFeaturesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetFeaturesRequest) ProtoMessage() {}
+
+func (x *GetFeaturesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[67]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetFeaturesRequest.ProtoReflect.Descriptor instead.
+func (*GetFeaturesRequest) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{67}
+}
+
+type GetFeaturesResponse struct {
+	state                 protoimpl.MessageState `protogen:"open.v1"`
+	DisableProfiles       bool                   `protobuf:"varint,1,opt,name=disable_profiles,json=disableProfiles,proto3" json:"disable_profiles,omitempty"`
+	DisableUpdateSettings bool                   `protobuf:"varint,2,opt,name=disable_update_settings,json=disableUpdateSettings,proto3" json:"disable_update_settings,omitempty"`
+	unknownFields         protoimpl.UnknownFields
+	sizeCache             protoimpl.SizeCache
+}
+
+func (x *GetFeaturesResponse) Reset() {
+	*x = GetFeaturesResponse{}
+	mi := &file_daemon_proto_msgTypes[68]
+	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+	ms.StoreMessageInfo(mi)
+}
+
+func (x *GetFeaturesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetFeaturesResponse) ProtoMessage() {}
+
+func (x *GetFeaturesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_daemon_proto_msgTypes[68]
+	if x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetFeaturesResponse.ProtoReflect.Descriptor instead.
+func (*GetFeaturesResponse) Descriptor() ([]byte, []int) {
+	return file_daemon_proto_rawDescGZIP(), []int{68}
+}
+
+func (x *GetFeaturesResponse) GetDisableProfiles() bool {
+	if x != nil {
+		return x.DisableProfiles
+	}
+	return false
+}
+
+func (x *GetFeaturesResponse) GetDisableUpdateSettings() bool {
+	if x != nil {
+		return x.DisableUpdateSettings
+	}
+	return false
+}
+
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -4440,7 +4528,7 @@ type PortInfo_Range struct {
 
 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[68]
+	mi := &file_daemon_proto_msgTypes[70]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -4452,7 +4540,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}
 
 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[68]
+	mi := &file_daemon_proto_msgTypes[70]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -4872,7 +4960,11 @@ const file_daemon_proto_rawDesc = "" +
 	"\busername\x18\x02 \x01(\tH\x01R\busername\x88\x01\x01B\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_username\"\x10\n" +
-	"\x0eLogoutResponse*b\n" +
+	"\x0eLogoutResponse\"\x14\n" +
+	"\x12GetFeaturesRequest\"x\n" +
+	"\x13GetFeaturesResponse\x12)\n" +
+	"\x10disable_profiles\x18\x01 \x01(\bR\x0fdisableProfiles\x126\n" +
+	"\x17disable_update_settings\x18\x02 \x01(\bR\x15disableUpdateSettings*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -4881,7 +4973,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x04WARN\x10\x04\x12\b\n" +
 	"\x04INFO\x10\x05\x12\t\n" +
 	"\x05DEBUG\x10\x06\x12\t\n" +
-	"\x05TRACE\x10\a2\xc5\x0f\n" +
+	"\x05TRACE\x10\a2\x8f\x10\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -4912,7 +5004,8 @@ const file_daemon_proto_rawDesc = "" +
 	"\rRemoveProfile\x12\x1c.daemon.RemoveProfileRequest\x1a\x1d.daemon.RemoveProfileResponse\"\x00\x12K\n" +
 	"\fListProfiles\x12\x1b.daemon.ListProfilesRequest\x1a\x1c.daemon.ListProfilesResponse\"\x00\x12W\n" +
 	"\x10GetActiveProfile\x12\x1f.daemon.GetActiveProfileRequest\x1a .daemon.GetActiveProfileResponse\"\x00\x129\n" +
-	"\x06Logout\x12\x15.daemon.LogoutRequest\x1a\x16.daemon.LogoutResponse\"\x00B\bZ\x06/protob\x06proto3"
+	"\x06Logout\x12\x15.daemon.LogoutRequest\x1a\x16.daemon.LogoutResponse\"\x00\x12H\n" +
+	"\vGetFeatures\x12\x1a.daemon.GetFeaturesRequest\x1a\x1b.daemon.GetFeaturesResponse\"\x00B\bZ\x06/protob\x06proto3"
 
 var (
 	file_daemon_proto_rawDescOnce sync.Once
@@ -4927,7 +5020,7 @@ func file_daemon_proto_rawDescGZIP() []byte {
 }
 
 var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 70)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 72)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
 	(SystemEvent_Severity)(0),                  // 1: daemon.SystemEvent.Severity
@@ -4999,18 +5092,20 @@ var file_daemon_proto_goTypes = []any{
 	(*GetActiveProfileResponse)(nil),           // 67: daemon.GetActiveProfileResponse
 	(*LogoutRequest)(nil),                      // 68: daemon.LogoutRequest
 	(*LogoutResponse)(nil),                     // 69: daemon.LogoutResponse
-	nil,                                        // 70: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 71: daemon.PortInfo.Range
-	nil,                                        // 72: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 73: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 74: google.protobuf.Timestamp
+	(*GetFeaturesRequest)(nil),                 // 70: daemon.GetFeaturesRequest
+	(*GetFeaturesResponse)(nil),                // 71: daemon.GetFeaturesResponse
+	nil,                                        // 72: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 73: daemon.PortInfo.Range
+	nil,                                        // 74: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 75: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 76: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	73, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	75, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
 	22, // 1: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	74, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	74, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	73, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	76, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	76, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	75, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
 	19, // 5: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
 	18, // 6: daemon.FullStatus.signalState:type_name -> daemon.SignalState
 	17, // 7: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
@@ -5019,8 +5114,8 @@ var file_daemon_proto_depIdxs = []int32{
 	21, // 10: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
 	52, // 11: daemon.FullStatus.events:type_name -> daemon.SystemEvent
 	28, // 12: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	70, // 13: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	71, // 14: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	72, // 13: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	73, // 14: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
 	29, // 15: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
 	29, // 16: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
 	30, // 17: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
@@ -5031,10 +5126,10 @@ var file_daemon_proto_depIdxs = []int32{
 	49, // 22: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
 	1,  // 23: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
 	2,  // 24: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	74, // 25: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	72, // 26: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	76, // 25: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	74, // 26: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
 	52, // 27: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	73, // 28: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	75, // 28: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
 	65, // 29: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
 	27, // 30: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
 	4,  // 31: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
@@ -5064,35 +5159,37 @@ var file_daemon_proto_depIdxs = []int32{
 	63, // 55: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
 	66, // 56: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
 	68, // 57: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	5,  // 58: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	7,  // 59: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	9,  // 60: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	11, // 61: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	13, // 62: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	15, // 63: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	24, // 64: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	26, // 65: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	26, // 66: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	31, // 67: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	33, // 68: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	35, // 69: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	37, // 70: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	40, // 71: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	42, // 72: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	44, // 73: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	46, // 74: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	50, // 75: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	52, // 76: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	54, // 77: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	56, // 78: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	58, // 79: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	60, // 80: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	62, // 81: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	64, // 82: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	67, // 83: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	69, // 84: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	58, // [58:85] is the sub-list for method output_type
-	31, // [31:58] is the sub-list for method input_type
+	70, // 58: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	5,  // 59: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	7,  // 60: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	9,  // 61: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	11, // 62: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	13, // 63: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	15, // 64: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	24, // 65: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	26, // 66: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	26, // 67: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	31, // 68: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	33, // 69: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	35, // 70: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	37, // 71: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	40, // 72: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	42, // 73: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	44, // 74: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	46, // 75: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	50, // 76: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	52, // 77: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	54, // 78: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	56, // 79: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	58, // 80: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	60, // 81: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	62, // 82: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	64, // 83: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	67, // 84: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	69, // 85: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	71, // 86: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	59, // [59:87] is the sub-list for method output_type
+	31, // [31:59] is the sub-list for method input_type
 	31, // [31:31] is the sub-list for extension type_name
 	31, // [31:31] is the sub-list for extension extendee
 	0,  // [0:31] is the sub-list for field type_name
@@ -5120,7 +5217,7 @@ func file_daemon_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
 			NumEnums:      3,
-			NumMessages:   70,
+			NumMessages:   72,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

client/proto/daemon.proto

@@ -82,6 +82,8 @@ service DaemonService {
 
   // Logout disconnects from the network and deletes the peer from the management server
   rpc Logout(LogoutRequest) returns (LogoutResponse) {}
+
+  rpc GetFeatures(GetFeaturesRequest) returns (GetFeaturesResponse) {}
 }
 
 
@@ -624,4 +626,11 @@ message LogoutRequest {
   optional string username = 2;
 }
 
-message LogoutResponse {}
+message LogoutResponse {}
+
+message GetFeaturesRequest{}
+
+message GetFeaturesResponse{
+  bool disable_profiles = 1;
+  bool disable_update_settings = 2;
+}

client/proto/daemon_grpc.pb.go

@@ -63,6 +63,7 @@ type DaemonServiceClient interface {
 	GetActiveProfile(ctx context.Context, in *GetActiveProfileRequest, opts ...grpc.CallOption) (*GetActiveProfileResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(ctx context.Context, in *LogoutRequest, opts ...grpc.CallOption) (*LogoutResponse, error)
+	GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error)
 }
 
 type daemonServiceClient struct {
@@ -339,6 +340,15 @@ func (c *daemonServiceClient) Logout(ctx context.Context, in *LogoutRequest, opt
 	return out, nil
 }
 
+func (c *daemonServiceClient) GetFeatures(ctx context.Context, in *GetFeaturesRequest, opts ...grpc.CallOption) (*GetFeaturesResponse, error) {
+	out := new(GetFeaturesResponse)
+	err := c.cc.Invoke(ctx, "/daemon.DaemonService/GetFeatures", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 // DaemonServiceServer is the server API for DaemonService service.
 // All implementations must embed UnimplementedDaemonServiceServer
 // for forward compatibility
@@ -388,6 +398,7 @@ type DaemonServiceServer interface {
 	GetActiveProfile(context.Context, *GetActiveProfileRequest) (*GetActiveProfileResponse, error)
 	// Logout disconnects from the network and deletes the peer from the management server
 	Logout(context.Context, *LogoutRequest) (*LogoutResponse, error)
+	GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error)
 	mustEmbedUnimplementedDaemonServiceServer()
 }
 
@@ -476,6 +487,9 @@ func (UnimplementedDaemonServiceServer) GetActiveProfile(context.Context, *GetAc
 func (UnimplementedDaemonServiceServer) Logout(context.Context, *LogoutRequest) (*LogoutResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method Logout not implemented")
 }
+func (UnimplementedDaemonServiceServer) GetFeatures(context.Context, *GetFeaturesRequest) (*GetFeaturesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetFeatures not implemented")
+}
 func (UnimplementedDaemonServiceServer) mustEmbedUnimplementedDaemonServiceServer() {}
 
 // UnsafeDaemonServiceServer may be embedded to opt out of forward compatibility for this service.
@@ -978,6 +992,24 @@ func _DaemonService_Logout_Handler(srv interface{}, ctx context.Context, dec fun
 	return interceptor(ctx, in, info, handler)
 }
 
+func _DaemonService_GetFeatures_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetFeaturesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(DaemonServiceServer).GetFeatures(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/daemon.DaemonService/GetFeatures",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(DaemonServiceServer).GetFeatures(ctx, req.(*GetFeaturesRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 // DaemonService_ServiceDesc is the grpc.ServiceDesc for DaemonService service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -1089,6 +1121,10 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "Logout",
 			Handler:    _DaemonService_Logout_Handler,
 		},
+		{
+			MethodName: "GetFeatures",
+			Handler:    _DaemonService_GetFeatures_Handler,
+		},
 	},
 	Streams: []grpc.StreamDesc{
 		{

client/server/server.go

@@ -46,8 +46,9 @@ const (
 	defaultMaxRetryTime     = 14 * 24 * time.Hour
 	defaultRetryMultiplier  = 1.7
 
-	errRestoreResidualState = "failed to restore residual state: %v"
-	errProfilesDisabled     = "profiles are disabled, you cannot use this feature without profiles enabled"
+	errRestoreResidualState   = "failed to restore residual state: %v"
+	errProfilesDisabled       = "profiles are disabled, you cannot use this feature without profiles enabled"
+	errUpdateSettingsDisabled = "update settings are disabled, you cannot use this feature without update settings enabled"
 )
 
 var ErrServiceNotUp = errors.New("service is not up")
@@ -74,8 +75,9 @@ type Server struct {
 	persistSyncResponse bool
 	isSessionActive     atomic.Bool
 
-	profileManager   *profilemanager.ServiceManager
-	profilesDisabled bool
+	profileManager         *profilemanager.ServiceManager
+	profilesDisabled       bool
+	updateSettingsDisabled bool
 }
 
 type oauthAuthFlow struct {
@@ -86,14 +88,15 @@ type oauthAuthFlow struct {
 }
 
 // New server instance constructor.
-func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool) *Server {
+func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool) *Server {
 	return &Server{
-		rootCtx:             ctx,
-		logFile:             logFile,
-		persistSyncResponse: true,
-		statusRecorder:      peer.NewRecorder(""),
-		profileManager:      profilemanager.NewServiceManager(configFile),
-		profilesDisabled:    profilesDisabled,
+		rootCtx:                ctx,
+		logFile:                logFile,
+		persistSyncResponse:    true,
+		statusRecorder:         peer.NewRecorder(""),
+		profileManager:         profilemanager.NewServiceManager(configFile),
+		profilesDisabled:       profilesDisabled,
+		updateSettingsDisabled: updateSettingsDisabled,
 	}
 }
 
@@ -322,8 +325,8 @@ func (s *Server) SetConfig(callerCtx context.Context, msg *proto.SetConfigReques
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.checkProfilesDisabled() {
-		return nil, gstatus.Errorf(codes.Unavailable, errProfilesDisabled)
+	if s.checkUpdateSettingsDisabled() {
+		return nil, gstatus.Errorf(codes.Unavailable, errUpdateSettingsDisabled)
 	}
 
 	profState := profilemanager.ActiveProfileState{
@@ -1197,8 +1200,14 @@ func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 		if dnsState.Error != nil {
 			err = dnsState.Error.Error()
 		}
+
+		var servers []string
+		for _, server := range dnsState.Servers {
+			servers = append(servers, server.String())
+		}
+
 		pbDnsState := &proto.NSGroupState{
-			Servers: dnsState.Servers,
+			Servers: servers,
 			Domains: dnsState.Domains,
 			Enabled: dnsState.Enabled,
 			Error:   err,
@@ -1324,10 +1333,31 @@ func (s *Server) GetActiveProfile(ctx context.Context, msg *proto.GetActiveProfi
 	}, nil
 }
 
+// GetFeatures returns the features supported by the daemon.
+func (s *Server) GetFeatures(ctx context.Context, msg *proto.GetFeaturesRequest) (*proto.GetFeaturesResponse, error) {
+	s.mutex.Lock()
+	defer s.mutex.Unlock()
+
+	features := &proto.GetFeaturesResponse{
+		DisableProfiles:       s.checkProfilesDisabled(),
+		DisableUpdateSettings: s.checkUpdateSettingsDisabled(),
+	}
+
+	return features, nil
+}
+
 func (s *Server) checkProfilesDisabled() bool {
 	// Check if the environment variable is set to disable profiles
 	if s.profilesDisabled {
-		log.Warn("Profiles are disabled via NB_DISABLE_PROFILES environment variable")
+		return true
+	}
+
+	return false
+}
+
+func (s *Server) checkUpdateSettingsDisabled() bool {
+	// Check if the environment variable is set to disable profiles
+	if s.updateSettingsDisabled {
 		return true
 	}
 

client/server/server_test.go

@@ -14,6 +14,8 @@ import (
 	"go.opentelemetry.io/otel"
 
 	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server/groups"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -24,7 +26,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	daemonProto "github.com/netbirdio/netbird/client/proto"
-	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
@@ -32,7 +33,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
+	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
 	"github.com/netbirdio/netbird/shared/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
 )
@@ -94,7 +95,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "debug", "", false)
+	s := New(ctx, "debug", "", false, false)
 
 	s.config = config
 
@@ -151,7 +152,7 @@ func TestServer_Up(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false)
+	s := New(ctx, "console", "", false, false)
 
 	err = s.Start()
 	require.NoError(t, err)
@@ -227,7 +228,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false)
+	s := New(ctx, "console", "", false, false)
 
 	err = s.Start()
 	require.NoError(t, err)
@@ -266,10 +267,10 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	t.Helper()
 	dataDir := t.TempDir()
 
-	config := &types.Config{
-		Stuns:      []*types.Host{},
-		TURNConfig: &types.TURNConfig{},
-		Signal: &types.Host{
+	config := &config.Config{
+		Stuns:      []*config.Host{},
+		TURNConfig: &config.TURNConfig{},
+		Signal: &config.Host{
 			Proto: "http",
 			URI:   signalAddr,
 		},
@@ -302,13 +303,14 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	t.Cleanup(ctrl.Finish)
 	settingsMockManager := settings.NewMockManager(ctrl)
 	permissionsManagerMock := permissions.NewMockManager(ctrl)
+	groupsManager := groups.NewManagerMock()
 
 	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		return nil, "", err
 	}
 
-	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
+	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
 	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{})
 	if err != nil {
 		return nil, "", err

client/ui/client_ui.go

@@ -392,6 +392,16 @@ func (s *serviceClient) updateIcon() {
 }
 
 func (s *serviceClient) showSettingsUI() {
+	// Check if update settings are disabled by daemon
+	features, err := s.getFeatures()
+	if err != nil {
+		log.Errorf("failed to get features from daemon: %v", err)
+		// Continue with default behavior if features can't be retrieved
+	} else if features != nil && features.DisableUpdateSettings {
+		log.Warn("Update settings are disabled by daemon")
+		return
+	}
+
 	// add settings window UI elements.
 	s.wSettings = s.app.NewWindow("NetBird Settings")
 	s.wSettings.SetOnClosed(s.cancel)
@@ -447,6 +457,17 @@ func (s *serviceClient) getSettingsForm() *widget.Form {
 		},
 		SubmitText: "Save",
 		OnSubmit: func() {
+			// Check if update settings are disabled by daemon
+			features, err := s.getFeatures()
+			if err != nil {
+				log.Errorf("failed to get features from daemon: %v", err)
+				// Continue with default behavior if features can't be retrieved
+			} else if features != nil && features.DisableUpdateSettings {
+				log.Warn("Configuration updates are disabled by daemon")
+				dialog.ShowError(fmt.Errorf("Configuration updates are disabled by daemon"), s.wSettings)
+				return
+			}
+
 			if s.iPreSharedKey.Text != "" && s.iPreSharedKey.Text != censoredPreSharedKey {
 				// validate preSharedKey if it added
 				if _, err := wgtypes.ParseKey(s.iPreSharedKey.Text); err != nil {
@@ -836,6 +857,20 @@ func (s *serviceClient) onTrayReady() {
 	s.mCreateDebugBundle = s.mSettings.AddSubMenuItem("Create Debug Bundle", debugBundleMenuDescr)
 	s.loadSettings()
 
+	// Disable settings menu if update settings are disabled by daemon
+	features, err := s.getFeatures()
+	if err != nil {
+		log.Errorf("failed to get features from daemon: %v", err)
+		// Continue with default behavior if features can't be retrieved
+	} else {
+		if features != nil && features.DisableUpdateSettings {
+			s.setSettingsEnabled(false)
+		}
+		if features != nil && features.DisableProfiles {
+			s.mProfile.setEnabled(false)
+		}
+	}
+
 	s.exitNodeMu.Lock()
 	s.mExitNode = systray.AddMenuItem("Exit Node", exitNodeMenuDescr)
 	s.mExitNode.Disable()
@@ -876,6 +911,10 @@ func (s *serviceClient) onTrayReady() {
 			if err != nil {
 				log.Errorf("error while updating status: %v", err)
 			}
+
+			// Check features periodically to handle daemon restarts
+			s.checkAndUpdateFeatures()
+
 			time.Sleep(2 * time.Second)
 		}
 	}()
@@ -948,6 +987,59 @@ func (s *serviceClient) getSrvClient(timeout time.Duration) (proto.DaemonService
 	return s.conn, nil
 }
 
+// setSettingsEnabled enables or disables the settings menu based on the provided state
+func (s *serviceClient) setSettingsEnabled(enabled bool) {
+	if s.mSettings != nil {
+		if enabled {
+			s.mSettings.Enable()
+			s.mSettings.SetTooltip(settingsMenuDescr)
+		} else {
+			s.mSettings.Hide()
+			s.mSettings.SetTooltip("Settings are disabled by daemon")
+		}
+	}
+}
+
+// checkAndUpdateFeatures checks the current features and updates the UI accordingly
+func (s *serviceClient) checkAndUpdateFeatures() {
+	features, err := s.getFeatures()
+	if err != nil {
+		log.Errorf("failed to get features from daemon: %v", err)
+		return
+	}
+
+	// Update settings menu based on current features
+	if features != nil && features.DisableUpdateSettings {
+		s.setSettingsEnabled(false)
+	} else {
+		s.setSettingsEnabled(true)
+	}
+
+	// Update profile menu based on current features
+	if s.mProfile != nil {
+		if features != nil && features.DisableProfiles {
+			s.mProfile.setEnabled(false)
+		} else {
+			s.mProfile.setEnabled(true)
+		}
+	}
+}
+
+// getFeatures from the daemon to determine which features are enabled/disabled.
+func (s *serviceClient) getFeatures() (*proto.GetFeaturesResponse, error) {
+	conn, err := s.getSrvClient(failFastTimeout)
+	if err != nil {
+		return nil, fmt.Errorf("get client for features: %w", err)
+	}
+
+	features, err := conn.GetFeatures(s.ctx, &proto.GetFeaturesRequest{})
+	if err != nil {
+		return nil, fmt.Errorf("get features from daemon: %w", err)
+	}
+
+	return features, nil
+}
+
 // getSrvConfig from the service to show it in the settings window.
 func (s *serviceClient) getSrvConfig() {
 	s.managementURL = profilemanager.DefaultManagementURL

client/ui/profile.go

@@ -654,6 +654,19 @@ func (p *profileMenu) clear(profiles []Profile) {
 	}
 }
 
+// setEnabled enables or disables the profile menu based on the provided state
+func (p *profileMenu) setEnabled(enabled bool) {
+	if p.profileMenuItem != nil {
+		if enabled {
+			p.profileMenuItem.Enable()
+			p.profileMenuItem.SetTooltip("")
+		} else {
+			p.profileMenuItem.Hide()
+			p.profileMenuItem.SetTooltip("Profiles are disabled by daemon")
+		}
+	}
+}
+
 func (p *profileMenu) updateMenu() {
 	// check every second
 	ticker := time.NewTicker(time.Second)
@@ -662,7 +675,6 @@ func (p *profileMenu) updateMenu() {
 	for {
 		select {
 		case <-ticker.C:
-
 			// get profilesList
 			profiles, err := p.getProfiles()
 			if err != nil {

dns/nameserver.go

@@ -102,6 +102,11 @@ func (n *NameServer) IsEqual(other *NameServer) bool {
 		other.Port == n.Port
 }
 
+// AddrPort returns the nameserver as a netip.AddrPort
+func (n *NameServer) AddrPort() netip.AddrPort {
+	return netip.AddrPortFrom(n.IP, uint16(n.Port))
+}
+
 // ParseNameServerURL parses a nameserver url in the format <type>://<ip>:<port>, e.g., udp://1.1.1.1:53
 func ParseNameServerURL(nsURL string) (NameServer, error) {
 	parsedURL, err := url.Parse(nsURL)

go.mod

@@ -6,7 +6,6 @@ require (
 	cunicu.li/go-rosenpass v0.4.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cloudflare/circl v1.3.3 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
@@ -48,6 +47,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/godbus/dbus/v5 v5.1.0
+	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
@@ -63,7 +63,7 @@ require (
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20250805121557-5f225a973d1f
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20250820151658-9ee1b34f4190
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
@@ -102,7 +102,7 @@ require (
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20231127183840-76ac6878050a
 	golang.org/x/net v0.39.0
-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/oauth2 v0.27.0
 	golang.org/x/sync v0.13.0
 	golang.org/x/term v0.31.0
 	google.golang.org/api v0.177.0
@@ -144,7 +144,7 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/caddyserver/zerossl v0.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/containerd/containerd v1.7.26 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v0.2.1 // indirect
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect

go.sum

@@ -142,8 +142,8 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
 github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
-github.com/containerd/containerd v1.7.26 h1:3cs8K2RHlMQaPifLqgRyI4VBkoldNdEw62cb7qQga7k=
-github.com/containerd/containerd v1.7.26/go.mod h1:m4JU0E+h0ebbo9yXD7Hyt+sWnc8tChm7MudCjj4jRvQ=
+github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
+github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
@@ -246,8 +246,8 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
-github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -503,8 +503,8 @@ github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6S
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
 github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250805121557-5f225a973d1f h1:YmqNWdRbeVn1lSpkLzIiFHX2cndRuaVYyynx2ibrOtg=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250805121557-5f225a973d1f/go.mod h1:Gi9raplYzCCyh07Olw/DVfCJTFgpr1WCXJ/Q+8TSA9Q=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250820151658-9ee1b34f4190 h1:/ZbExdcDwRq6XgTpTf5I1DPqnC3eInEf0fcmkqR8eSg=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250820151658-9ee1b34f4190/go.mod h1:v0nUbbHbuQnqR7yKIYnKzsLBCswLtp2JctmKYmGgVhc=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
@@ -868,8 +868,8 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

infrastructure_files/nginx.tmpl.conf

@@ -17,7 +17,7 @@ upstream signal {
     server 127.0.0.1:10000;
 }
 upstream management {
-    # insert the grpc+http port of your signal container here
+    # insert the grpc+http port of your management container here
     server 127.0.0.1:8012;
 }
 
@@ -75,4 +75,4 @@ server {
 
     ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
     ssl_certificate_key /etc/ssl/certs/ssl-cert-snakeoil.pem;
-}
+}

management/cmd/management.go

@@ -2,88 +2,40 @@ package cmd
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"io/fs"
-	"net"
 	"net/http"
-	"net/netip"
 	"net/url"
 	"os"
+	"os/signal"
 	"path"
-	"slices"
 	"strings"
-	"time"
+	"syscall"
 
-	"github.com/google/uuid"
-	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware/v2"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"golang.org/x/crypto/acme/autocert"
-	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/keepalive"
 
-	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
-
-	"github.com/netbirdio/management-integrations/integrations"
-
-	"github.com/netbirdio/netbird/management/server/peers"
-	"github.com/netbirdio/netbird/management/server/types"
-
-	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/formatter/hook"
-	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/auth"
-	nbContext "github.com/netbirdio/netbird/management/server/context"
-	"github.com/netbirdio/netbird/management/server/geolocation"
-	"github.com/netbirdio/netbird/management/server/groups"
-	nbhttp "github.com/netbirdio/netbird/management/server/http"
-	"github.com/netbirdio/netbird/management/server/idp"
-	"github.com/netbirdio/netbird/management/server/metrics"
-	"github.com/netbirdio/netbird/management/server/networks"
-	"github.com/netbirdio/netbird/management/server/networks/resources"
-	"github.com/netbirdio/netbird/management/server/networks/routers"
-	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/users"
+	"github.com/netbirdio/netbird/management/internals/server"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/version"
 )
 
-// ManagementLegacyPort is the port that was used before by the Management gRPC server.
-// It is used for backward compatibility now.
-const ManagementLegacyPort = 33073
+var newServer = func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server {
+	return server.NewServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
+}
+
+func SetNewServer(fn func(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort int, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) server.Server) {
+	newServer = fn
+}
 
 var (
-	mgmtPort                int
-	mgmtMetricsPort         int
-	mgmtLetsencryptDomain   string
-	mgmtSingleAccModeDomain string
-	certFile                string
-	certKey                 string
-	config                  *types.Config
-
-	kaep = keepalive.EnforcementPolicy{
-		MinTime:             15 * time.Second,
-		PermitWithoutStream: true,
-	}
-
-	kasp = keepalive.ServerParameters{
-		MaxConnectionIdle:     15 * time.Second,
-		MaxConnectionAgeGrace: 5 * time.Second,
-		Time:                  5 * time.Second,
-		Timeout:               2 * time.Second,
-	}
+	config *nbconfig.Config
 
 	mgmtCmd = &cobra.Command{
 		Use:   "management",
@@ -102,9 +54,9 @@ var (
 			// detect whether user specified a port
 			userPort := cmd.Flag("port").Changed
 
-			config, err = loadMgmtConfig(ctx, types.MgmtConfigPath)
+			config, err = loadMgmtConfig(ctx, nbconfig.MgmtConfigPath)
 			if err != nil {
-				return fmt.Errorf("failed reading provided config file: %s: %v", types.MgmtConfigPath, err)
+				return fmt.Errorf("failed reading provided config file: %s: %v", nbconfig.MgmtConfigPath, err)
 			}
 
 			if cmd.Flag(idpSignKeyRefreshEnabledFlagName).Changed {
@@ -151,356 +103,38 @@ var (
 					return fmt.Errorf("failed creating datadir: %s: %v", config.Datadir, err)
 				}
 			}
-			appMetrics, err := telemetry.NewDefaultAppMetrics(cmd.Context())
-			if err != nil {
-				return err
-			}
-			err = appMetrics.Expose(ctx, mgmtMetricsPort, "/metrics")
-			if err != nil {
-				return err
-			}
-
-			integrationMetrics, err := integrations.InitIntegrationMetrics(ctx, appMetrics)
-			if err != nil {
-				return err
-			}
-
-			store, err := store.NewStore(ctx, config.StoreConfig.Engine, config.Datadir, appMetrics, false)
-			if err != nil {
-				return fmt.Errorf("failed creating Store: %s: %v", config.Datadir, err)
-			}
-			peersUpdateManager := server.NewPeersUpdateManager(appMetrics)
-
-			var idpManager idp.Manager
-			if config.IdpManagerConfig != nil {
-				idpManager, err = idp.NewManager(ctx, *config.IdpManagerConfig, appMetrics)
-				if err != nil {
-					return fmt.Errorf("failed retrieving a new idp manager with err: %v", err)
-				}
-			}
 
 			if disableSingleAccMode {
 				mgmtSingleAccModeDomain = ""
 			}
-			eventStore, key, err := integrations.InitEventStore(ctx, config.Datadir, config.DataStoreEncryptionKey, integrationMetrics)
-			if err != nil {
-				return fmt.Errorf("initialize database: %s", err)
-			}
 
-			if config.DataStoreEncryptionKey != key {
-				log.WithContext(ctx).Infof("update config with activity store key")
-				config.DataStoreEncryptionKey = key
-				err := updateMgmtConfig(ctx, types.MgmtConfigPath, config)
+			srv := newServer(config, dnsDomain, mgmtSingleAccModeDomain, mgmtPort, mgmtMetricsPort, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled)
+			go func() {
+				if err := srv.Start(cmd.Context()); err != nil {
+					log.Fatalf("Server error: %v", err)
+				}
+			}()
+
+			stopChan := make(chan os.Signal, 1)
+			signal.Notify(stopChan, os.Interrupt, syscall.SIGTERM)
+			select {
+			case <-stopChan:
+				log.Info("Received shutdown signal, stopping server...")
+				err = srv.Stop()
 				if err != nil {
-					return fmt.Errorf("write out store encryption key: %s", err)
+					log.Errorf("Failed to stop server gracefully: %v", err)
 				}
+			case err := <-srv.Errors():
+				log.Fatalf("Server stopped unexpectedly: %v", err)
 			}
 
-			geo, err := geolocation.NewGeolocation(ctx, config.Datadir, !disableGeoliteUpdate)
-			if err != nil {
-				log.WithContext(ctx).Warnf("could not initialize geolocation service. proceeding without geolocation support: %v", err)
-			} else {
-				log.WithContext(ctx).Infof("geolocation service has been initialized from %s", config.Datadir)
-			}
-
-			integratedPeerValidator, err := integrations.NewIntegratedValidator(ctx, eventStore)
-			if err != nil {
-				return fmt.Errorf("initialize integrated peer validator: %v", err)
-			}
-
-			permissionsManager := integrations.InitPermissionsManager(store)
-			userManager := users.NewManager(store)
-			extraSettingsManager := integrations.NewManager(eventStore)
-			settingsManager := settings.NewManager(store, userManager, extraSettingsManager, permissionsManager)
-			peersManager := peers.NewManager(store, permissionsManager)
-			proxyController := integrations.NewController(store)
-			accountManager, err := server.BuildManager(ctx, store, peersUpdateManager, idpManager, mgmtSingleAccModeDomain,
-				dnsDomain, eventStore, geo, userDeleteFromIDPEnabled, integratedPeerValidator, appMetrics, proxyController, settingsManager, permissionsManager, config.DisableDefaultPolicy)
-			if err != nil {
-				return fmt.Errorf("build default manager: %v", err)
-			}
-
-			secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsManager)
-
-			trustedPeers := config.ReverseProxy.TrustedPeers
-			defaultTrustedPeers := []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}
-			if len(trustedPeers) == 0 || slices.Equal[[]netip.Prefix](trustedPeers, defaultTrustedPeers) {
-				log.WithContext(ctx).Warn("TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.")
-				trustedPeers = defaultTrustedPeers
-			}
-			trustedHTTPProxies := config.ReverseProxy.TrustedHTTPProxies
-			trustedProxiesCount := config.ReverseProxy.TrustedHTTPProxiesCount
-			if len(trustedHTTPProxies) > 0 && trustedProxiesCount > 0 {
-				log.WithContext(ctx).Warn("TrustedHTTPProxies and TrustedHTTPProxiesCount both are configured. " +
-					"This is not recommended way to extract X-Forwarded-For. Consider using one of these options.")
-			}
-			realipOpts := []realip.Option{
-				realip.WithTrustedPeers(trustedPeers),
-				realip.WithTrustedProxies(trustedHTTPProxies),
-				realip.WithTrustedProxiesCount(trustedProxiesCount),
-				realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
-			}
-			gRPCOpts := []grpc.ServerOption{
-				grpc.KeepaliveEnforcementPolicy(kaep),
-				grpc.KeepaliveParams(kasp),
-				grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor),
-				grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor),
-			}
-
-			var certManager *autocert.Manager
-			var tlsConfig *tls.Config
-			tlsEnabled := false
-			if config.HttpConfig.LetsEncryptDomain != "" {
-				certManager, err = encryption.CreateCertManager(config.Datadir, config.HttpConfig.LetsEncryptDomain)
-				if err != nil {
-					return fmt.Errorf("failed creating LetsEncrypt cert manager: %v", err)
-				}
-				transportCredentials := credentials.NewTLS(certManager.TLSConfig())
-				gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
-				tlsEnabled = true
-			} else if config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "" {
-				tlsConfig, err = loadTLSConfig(config.HttpConfig.CertFile, config.HttpConfig.CertKey)
-				if err != nil {
-					log.WithContext(ctx).Errorf("cannot load TLS credentials: %v", err)
-					return err
-				}
-				transportCredentials := credentials.NewTLS(tlsConfig)
-				gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
-				tlsEnabled = true
-			}
-
-			authManager := auth.NewManager(store,
-				config.HttpConfig.AuthIssuer,
-				config.HttpConfig.AuthAudience,
-				config.HttpConfig.AuthKeysLocation,
-				config.HttpConfig.AuthUserIDClaim,
-				config.GetAuthAudiences(),
-				config.HttpConfig.IdpSignKeyRefreshEnabled)
-
-			groupsManager := groups.NewManager(store, permissionsManager, accountManager)
-			resourcesManager := resources.NewManager(store, permissionsManager, groupsManager, accountManager)
-			routersManager := routers.NewManager(store, permissionsManager, accountManager)
-			networksManager := networks.NewManager(store, permissionsManager, resourcesManager, routersManager, accountManager)
-
-			httpAPIHandler, err := nbhttp.NewAPIHandler(ctx, accountManager, networksManager, resourcesManager, routersManager, groupsManager, geo, authManager, appMetrics, integratedPeerValidator, proxyController, permissionsManager, peersManager, settingsManager)
-
-			if err != nil {
-				return fmt.Errorf("failed creating HTTP API handler: %v", err)
-			}
-
-			ephemeralManager := server.NewEphemeralManager(store, accountManager)
-			ephemeralManager.LoadInitialPeers(ctx)
-
-			gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
-			srv, err := server.NewServer(ctx, config, accountManager, settingsManager, peersUpdateManager, secretsManager, appMetrics, ephemeralManager, authManager, integratedPeerValidator)
-			if err != nil {
-				return fmt.Errorf("failed creating gRPC API handler: %v", err)
-			}
-			mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)
-
-			installationID, err := getInstallationID(ctx, store)
-			if err != nil {
-				log.WithContext(ctx).Errorf("cannot load TLS credentials: %v", err)
-				return err
-			}
-
-			if !disableMetrics {
-				idpManager := "disabled"
-				if config.IdpManagerConfig != nil && config.IdpManagerConfig.ManagerType != "" {
-					idpManager = config.IdpManagerConfig.ManagerType
-				}
-				metricsWorker := metrics.NewWorker(ctx, installationID, store, peersUpdateManager, idpManager)
-				go metricsWorker.Run(ctx)
-			}
-
-			var compatListener net.Listener
-			if mgmtPort != ManagementLegacyPort {
-				// The Management gRPC server was running on port 33073 previously. Old agents that are already connected to it
-				// are using port 33073. For compatibility purposes we keep running a 2nd gRPC server on port 33073.
-				compatListener, err = serveGRPC(ctx, gRPCAPIHandler, ManagementLegacyPort)
-				if err != nil {
-					return err
-				}
-				log.WithContext(ctx).Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String())
-			}
-
-			rootHandler := handlerFunc(gRPCAPIHandler, httpAPIHandler)
-			var listener net.Listener
-			if certManager != nil {
-				// a call to certManager.Listener() always creates a new listener so we do it once
-				cml := certManager.Listener()
-				if mgmtPort == 443 {
-					// CertManager, HTTP and gRPC API all on the same port
-					rootHandler = certManager.HTTPHandler(rootHandler)
-					listener = cml
-				} else {
-					listener, err = tls.Listen("tcp", fmt.Sprintf(":%d", mgmtPort), certManager.TLSConfig())
-					if err != nil {
-						return fmt.Errorf("failed creating TLS listener on port %d: %v", mgmtPort, err)
-					}
-					log.WithContext(ctx).Infof("running HTTP server (LetsEncrypt challenge handler): %s", cml.Addr().String())
-					serveHTTP(ctx, cml, certManager.HTTPHandler(nil))
-				}
-			} else if tlsConfig != nil {
-				listener, err = tls.Listen("tcp", fmt.Sprintf(":%d", mgmtPort), tlsConfig)
-				if err != nil {
-					return fmt.Errorf("failed creating TLS listener on port %d: %v", mgmtPort, err)
-				}
-			} else {
-				listener, err = net.Listen("tcp", fmt.Sprintf(":%d", mgmtPort))
-				if err != nil {
-					return fmt.Errorf("failed creating TCP listener on port %d: %v", mgmtPort, err)
-				}
-			}
-
-			log.WithContext(ctx).Infof("management server version %s", version.NetbirdVersion())
-			log.WithContext(ctx).Infof("running HTTP server and gRPC server on the same port: %s", listener.Addr().String())
-			serveGRPCWithHTTP(ctx, listener, rootHandler, tlsEnabled)
-
-			update := version.NewUpdate("nb/management")
-			update.SetDaemonVersion(version.NetbirdVersion())
-			update.SetOnUpdateListener(func() {
-				log.WithContext(ctx).Infof("your management version, \"%s\", is outdated, a new management version is available. Learn more here: https://github.com/netbirdio/netbird/releases", version.NetbirdVersion())
-			})
-			defer update.StopWatch()
-
-			SetupCloseHandler()
-
-			<-stopCh
-			integratedPeerValidator.Stop(ctx)
-			if geo != nil {
-				_ = geo.Stop()
-			}
-			ephemeralManager.Stop()
-			_ = appMetrics.Close()
-			_ = listener.Close()
-			if certManager != nil {
-				_ = certManager.Listener().Close()
-			}
-			gRPCAPIHandler.Stop()
-			_ = store.Close(ctx)
-			_ = eventStore.Close(ctx)
-			log.WithContext(ctx).Infof("stopped Management Service")
-
 			return nil
 		},
 	}
 )
 
-func unaryInterceptor(
-	ctx context.Context,
-	req interface{},
-	info *grpc.UnaryServerInfo,
-	handler grpc.UnaryHandler,
-) (interface{}, error) {
-	reqID := uuid.New().String()
-	//nolint
-	ctx = context.WithValue(ctx, hook.ExecutionContextKey, hook.GRPCSource)
-	//nolint
-	ctx = context.WithValue(ctx, nbContext.RequestIDKey, reqID)
-	return handler(ctx, req)
-}
-
-func streamInterceptor(
-	srv interface{},
-	ss grpc.ServerStream,
-	info *grpc.StreamServerInfo,
-	handler grpc.StreamHandler,
-) error {
-	reqID := uuid.New().String()
-	wrapped := grpcMiddleware.WrapServerStream(ss)
-	//nolint
-	ctx := context.WithValue(ss.Context(), hook.ExecutionContextKey, hook.GRPCSource)
-	//nolint
-	wrapped.WrappedContext = context.WithValue(ctx, nbContext.RequestIDKey, reqID)
-	return handler(srv, wrapped)
-}
-
-func notifyStop(ctx context.Context, msg string) {
-	select {
-	case stopCh <- 1:
-		log.WithContext(ctx).Error(msg)
-	default:
-		// stop has been already called, nothing to report
-	}
-}
-
-func getInstallationID(ctx context.Context, store store.Store) (string, error) {
-	installationID := store.GetInstallationID()
-	if installationID != "" {
-		return installationID, nil
-	}
-
-	installationID = strings.ToUpper(uuid.New().String())
-	err := store.SaveInstallationID(ctx, installationID)
-	if err != nil {
-		return "", err
-	}
-	return installationID, nil
-}
-
-func serveGRPC(ctx context.Context, grpcServer *grpc.Server, port int) (net.Listener, error) {
-	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
-	if err != nil {
-		return nil, err
-	}
-	go func() {
-		err := grpcServer.Serve(listener)
-		if err != nil {
-			notifyStop(ctx, fmt.Sprintf("failed running gRPC server on port %d: %v", port, err))
-		}
-	}()
-	return listener, nil
-}
-
-func serveHTTP(ctx context.Context, httpListener net.Listener, handler http.Handler) {
-	go func() {
-		err := http.Serve(httpListener, handler)
-		if err != nil {
-			notifyStop(ctx, fmt.Sprintf("failed running HTTP server: %v", err))
-		}
-	}()
-}
-
-func serveGRPCWithHTTP(ctx context.Context, listener net.Listener, handler http.Handler, tlsEnabled bool) {
-	go func() {
-		var err error
-		if tlsEnabled {
-			err = http.Serve(listener, handler)
-		} else {
-			// the following magic is needed to support HTTP2 without TLS
-			// and still share a single port between gRPC and HTTP APIs
-			h1s := &http.Server{
-				Handler: h2c.NewHandler(handler, &http2.Server{}),
-			}
-			err = h1s.Serve(listener)
-		}
-
-		if err != nil {
-			select {
-			case stopCh <- 1:
-				log.WithContext(ctx).Errorf("failed to serve HTTP and gRPC server: %v", err)
-			default:
-				// stop has been already called, nothing to report
-			}
-		}
-	}()
-}
-
-func handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler) http.Handler {
-	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-		grpcHeader := strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc") ||
-			strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc+proto")
-		if request.ProtoMajor == 2 && grpcHeader {
-			gRPCHandler.ServeHTTP(writer, request)
-		} else {
-			httpHandler.ServeHTTP(writer, request)
-		}
-	})
-}
-
-func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*types.Config, error) {
-	loadedConfig := &types.Config{}
+func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*nbconfig.Config, error) {
+	loadedConfig := &nbconfig.Config{}
 	_, err := util.ReadJsonWithEnvSub(mgmtConfigPath, loadedConfig)
 	if err != nil {
 		return nil, err
@@ -535,7 +169,7 @@ func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*types.Config,
 			oidcConfig.JwksURI, loadedConfig.HttpConfig.AuthKeysLocation)
 		loadedConfig.HttpConfig.AuthKeysLocation = oidcConfig.JwksURI
 
-		if !(loadedConfig.DeviceAuthorizationFlow == nil || strings.ToLower(loadedConfig.DeviceAuthorizationFlow.Provider) == string(types.NONE)) {
+		if !(loadedConfig.DeviceAuthorizationFlow == nil || strings.ToLower(loadedConfig.DeviceAuthorizationFlow.Provider) == string(nbconfig.NONE)) {
 			log.WithContext(ctx).Infof("overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: %s, previously configured value: %s",
 				oidcConfig.TokenEndpoint, loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint)
 			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.TokenEndpoint = oidcConfig.TokenEndpoint
@@ -552,7 +186,7 @@ func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*types.Config,
 			loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Domain = u.Host
 
 			if loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope == "" {
-				loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope = types.DefaultDeviceAuthFlowScope
+				loadedConfig.DeviceAuthorizationFlow.ProviderConfig.Scope = nbconfig.DefaultDeviceAuthFlowScope
 			}
 		}
 
@@ -573,10 +207,6 @@ func loadMgmtConfig(ctx context.Context, mgmtConfigPath string) (*types.Config,
 	return loadedConfig, err
 }
 
-func updateMgmtConfig(ctx context.Context, path string, config *types.Config) error {
-	return util.DirectWriteJson(ctx, path, config)
-}
-
 // OIDCConfigResponse used for parsing OIDC config response
 type OIDCConfigResponse struct {
 	Issuer                string `json:"issuer"`
@@ -619,25 +249,6 @@ func fetchOIDCConfig(ctx context.Context, oidcEndpoint string) (OIDCConfigRespon
 	return config, nil
 }
 
-func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
-	// Load server's certificate and private key
-	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
-	if err != nil {
-		return nil, err
-	}
-
-	// NewDefaultAppMetrics the credentials and return it
-	config := &tls.Config{
-		Certificates: []tls.Certificate{serverCert},
-		ClientAuth:   tls.NoClientCert,
-		NextProtos: []string{
-			"h2", "http/1.1", // enable HTTP/2
-		},
-	}
-
-	return config, nil
-}
-
 func handleRebrand(cmd *cobra.Command) error {
 	var err error
 	if logFile == defaultLogFile {
@@ -649,7 +260,7 @@ func handleRebrand(cmd *cobra.Command) error {
 			}
 		}
 	}
-	if types.MgmtConfigPath == defaultMgmtConfig {
+	if nbconfig.MgmtConfigPath == defaultMgmtConfig {
 		if migrateToNetbird(oldDefaultMgmtConfig, defaultMgmtConfig) {
 			cmd.Printf("will copy Config dir %s and its content to %s\n", oldDefaultMgmtConfigDir, defaultMgmtConfigDir)
 			err = cpDir(oldDefaultMgmtConfigDir, defaultMgmtConfigDir)

management/cmd/root.go

@@ -2,12 +2,10 @@ package cmd
 
 import (
 	"fmt"
-	"os"
-	"os/signal"
 
 	"github.com/spf13/cobra"
 
-	"github.com/netbirdio/netbird/management/server/types"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -27,6 +25,12 @@ var (
 	disableGeoliteUpdate     bool
 	idpSignKeyRefreshEnabled bool
 	userDeleteFromIDPEnabled bool
+	mgmtPort                 int
+	mgmtMetricsPort          int
+	mgmtLetsencryptDomain    string
+	mgmtSingleAccModeDomain  string
+	certFile                 string
+	certKey                  string
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird-mgmt",
@@ -42,8 +46,6 @@ var (
 		Long:         "",
 		SilenceUsage: true,
 	}
-	// Execution control channel for stopCh signal
-	stopCh chan int
 )
 
 // Execute executes the root command.
@@ -52,11 +54,10 @@ func Execute() error {
 }
 
 func init() {
-	stopCh = make(chan int)
 	mgmtCmd.Flags().IntVar(&mgmtPort, "port", 80, "server port to listen on (defaults to 443 if TLS is enabled, 80 otherwise")
 	mgmtCmd.Flags().IntVar(&mgmtMetricsPort, "metrics-port", 9090, "metrics endpoint http port. Metrics are accessible under host:metrics-port/metrics")
 	mgmtCmd.Flags().StringVar(&mgmtDataDir, "datadir", defaultMgmtDataDir, "server data directory location")
-	mgmtCmd.Flags().StringVar(&types.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
+	mgmtCmd.Flags().StringVar(&nbconfig.MgmtConfigPath, "config", defaultMgmtConfig, "Netbird config file location. Config params specified via command line (e.g. datadir) have a precedence over configuration from this file")
 	mgmtCmd.Flags().StringVar(&mgmtLetsencryptDomain, "letsencrypt-domain", "", "a domain to issue Let's Encrypt certificate for. Enables TLS using Let's Encrypt. Will fetch and renew certificate, and run the server with TLS")
 	mgmtCmd.Flags().StringVar(&mgmtSingleAccModeDomain, "single-account-mode-domain", defaultSingleAccModeDomain, "Enables single account mode. This means that all the users will be under the same account grouped by the specified domain. If the installation has more than one account, the property is ineffective. Enabled by default with the default domain "+defaultSingleAccModeDomain)
 	mgmtCmd.Flags().BoolVar(&disableSingleAccMode, "disable-single-account-mode", false, "If set to true, disables single account mode. The --single-account-mode-domain property will be ignored and every new user will have a separate NetBird account.")
@@ -80,15 +81,3 @@ func init() {
 
 	rootCmd.AddCommand(migrationCmd)
 }
-
-// SetupCloseHandler handles SIGTERM signal and exits with success
-func SetupCloseHandler() {
-	c := make(chan os.Signal, 1)
-	signal.Notify(c, os.Interrupt)
-	go func() {
-		for range c {
-			fmt.Println("\r- Ctrl+C pressed in Terminal")
-			stopCh <- 0
-		}
-	}()
-}

management/internals/server/boot.go

@@ -0,0 +1,204 @@
+package server
+
+// @note this file includes all the lower level dependencies, db, http and grpc BaseServer, metrics, logger, etc.
+
+import (
+	"context"
+	"crypto/tls"
+	"net/http"
+	"net/netip"
+	"slices"
+	"time"
+
+	"github.com/google/uuid"
+	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware/v2"
+	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/realip"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/keepalive"
+
+	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/encryption"
+	"github.com/netbirdio/netbird/formatter/hook"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/activity"
+	nbContext "github.com/netbirdio/netbird/management/server/context"
+	nbhttp "github.com/netbirdio/netbird/management/server/http"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/telemetry"
+	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
+)
+
+var (
+	kaep = keepalive.EnforcementPolicy{
+		MinTime:             15 * time.Second,
+		PermitWithoutStream: true,
+	}
+
+	kasp = keepalive.ServerParameters{
+		MaxConnectionIdle:     15 * time.Second,
+		MaxConnectionAgeGrace: 5 * time.Second,
+		Time:                  5 * time.Second,
+		Timeout:               2 * time.Second,
+	}
+)
+
+func (s *BaseServer) Metrics() telemetry.AppMetrics {
+	return Create(s, func() telemetry.AppMetrics {
+		appMetrics, err := telemetry.NewDefaultAppMetrics(context.Background())
+		if err != nil {
+			log.Fatalf("error while creating app metrics: %s", err)
+		}
+		return appMetrics
+	})
+}
+
+func (s *BaseServer) Store() store.Store {
+	return Create(s, func() store.Store {
+		store, err := store.NewStore(context.Background(), s.config.StoreConfig.Engine, s.config.Datadir, s.Metrics(), false)
+		if err != nil {
+			log.Fatalf("failed to create store: %v", err)
+		}
+
+		return store
+	})
+}
+
+func (s *BaseServer) EventStore() activity.Store {
+	return Create(s, func() activity.Store {
+		integrationMetrics, err := integrations.InitIntegrationMetrics(context.Background(), s.Metrics())
+		if err != nil {
+			log.Fatalf("failed to initialize integration metrics: %v", err)
+		}
+
+		eventStore, key, err := integrations.InitEventStore(context.Background(), s.config.Datadir, s.config.DataStoreEncryptionKey, integrationMetrics)
+		if err != nil {
+			log.Fatalf("failed to initialize event store: %v", err)
+		}
+
+		if s.config.DataStoreEncryptionKey != key {
+			log.WithContext(context.Background()).Infof("update config with activity store key")
+			s.config.DataStoreEncryptionKey = key
+			err := updateMgmtConfig(context.Background(), nbconfig.MgmtConfigPath, s.config)
+			if err != nil {
+				log.Fatalf("failed to update config with activity store: %v", err)
+			}
+		}
+
+		return eventStore
+	})
+}
+
+func (s *BaseServer) APIHandler() http.Handler {
+	return Create(s, func() http.Handler {
+		httpAPIHandler, err := nbhttp.NewAPIHandler(context.Background(), s.AccountManager(), s.NetworksManager(), s.ResourcesManager(), s.RoutesManager(), s.GroupsManager(), s.GeoLocationManager(), s.AuthManager(), s.Metrics(), s.IntegratedValidator(), s.ProxyController(), s.PermissionsManager(), s.PeersManager(), s.SettingsManager())
+		if err != nil {
+			log.Fatalf("failed to create API handler: %v", err)
+		}
+		return httpAPIHandler
+	})
+}
+
+func (s *BaseServer) GRPCServer() *grpc.Server {
+	return Create(s, func() *grpc.Server {
+		trustedPeers := s.config.ReverseProxy.TrustedPeers
+		defaultTrustedPeers := []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")}
+		if len(trustedPeers) == 0 || slices.Equal[[]netip.Prefix](trustedPeers, defaultTrustedPeers) {
+			log.WithContext(context.Background()).Warn("TrustedPeers are configured to default value '0.0.0.0/0', '::/0'. This allows connection IP spoofing.")
+			trustedPeers = defaultTrustedPeers
+		}
+		trustedHTTPProxies := s.config.ReverseProxy.TrustedHTTPProxies
+		trustedProxiesCount := s.config.ReverseProxy.TrustedHTTPProxiesCount
+		if len(trustedHTTPProxies) > 0 && trustedProxiesCount > 0 {
+			log.WithContext(context.Background()).Warn("TrustedHTTPProxies and TrustedHTTPProxiesCount both are configured. " +
+				"This is not recommended way to extract X-Forwarded-For. Consider using one of these options.")
+		}
+		realipOpts := []realip.Option{
+			realip.WithTrustedPeers(trustedPeers),
+			realip.WithTrustedProxies(trustedHTTPProxies),
+			realip.WithTrustedProxiesCount(trustedProxiesCount),
+			realip.WithHeaders([]string{realip.XForwardedFor, realip.XRealIp}),
+		}
+		gRPCOpts := []grpc.ServerOption{
+			grpc.KeepaliveEnforcementPolicy(kaep),
+			grpc.KeepaliveParams(kasp),
+			grpc.ChainUnaryInterceptor(realip.UnaryServerInterceptorOpts(realipOpts...), unaryInterceptor),
+			grpc.ChainStreamInterceptor(realip.StreamServerInterceptorOpts(realipOpts...), streamInterceptor),
+		}
+
+		if s.config.HttpConfig.LetsEncryptDomain != "" {
+			certManager, err := encryption.CreateCertManager(s.config.Datadir, s.config.HttpConfig.LetsEncryptDomain)
+			if err != nil {
+				log.Fatalf("failed to create certificate manager: %v", err)
+			}
+			transportCredentials := credentials.NewTLS(certManager.TLSConfig())
+			gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
+		} else if s.config.HttpConfig.CertFile != "" && s.config.HttpConfig.CertKey != "" {
+			tlsConfig, err := loadTLSConfig(s.config.HttpConfig.CertFile, s.config.HttpConfig.CertKey)
+			if err != nil {
+				log.Fatalf("cannot load TLS credentials: %v", err)
+			}
+			transportCredentials := credentials.NewTLS(tlsConfig)
+			gRPCOpts = append(gRPCOpts, grpc.Creds(transportCredentials))
+		}
+
+		gRPCAPIHandler := grpc.NewServer(gRPCOpts...)
+		srv, err := server.NewServer(context.Background(), s.config, s.AccountManager(), s.SettingsManager(), s.PeersUpdateManager(), s.SecretsManager(), s.Metrics(), s.EphemeralManager(), s.AuthManager(), s.IntegratedValidator())
+		if err != nil {
+			log.Fatalf("failed to create management server: %v", err)
+		}
+		mgmtProto.RegisterManagementServiceServer(gRPCAPIHandler, srv)
+
+		return gRPCAPIHandler
+	})
+}
+
+func loadTLSConfig(certFile string, certKey string) (*tls.Config, error) {
+	// Load server's certificate and private key
+	serverCert, err := tls.LoadX509KeyPair(certFile, certKey)
+	if err != nil {
+		return nil, err
+	}
+
+	// NewDefaultAppMetrics the credentials and return it
+	config := &tls.Config{
+		Certificates: []tls.Certificate{serverCert},
+		ClientAuth:   tls.NoClientCert,
+		NextProtos: []string{
+			"h2", "http/1.1", // enable HTTP/2
+		},
+	}
+
+	return config, nil
+}
+
+func unaryInterceptor(
+	ctx context.Context,
+	req interface{},
+	info *grpc.UnaryServerInfo,
+	handler grpc.UnaryHandler,
+) (interface{}, error) {
+	reqID := uuid.New().String()
+	//nolint
+	ctx = context.WithValue(ctx, hook.ExecutionContextKey, hook.GRPCSource)
+	//nolint
+	ctx = context.WithValue(ctx, nbContext.RequestIDKey, reqID)
+	return handler(ctx, req)
+}
+
+func streamInterceptor(
+	srv interface{},
+	ss grpc.ServerStream,
+	info *grpc.StreamServerInfo,
+	handler grpc.StreamHandler,
+) error {
+	reqID := uuid.New().String()
+	wrapped := grpcMiddleware.WrapServerStream(ss)
+	//nolint
+	ctx := context.WithValue(ss.Context(), hook.ExecutionContextKey, hook.GRPCSource)
+	//nolint
+	wrapped.WrappedContext = context.WithValue(ctx, nbContext.RequestIDKey, reqID)
+	return handler(srv, wrapped)
+}

management/internals/server/config/config.go

@@ -1,10 +1,11 @@
-package types
+package config
 
 import (
 	"net/netip"
 
-	"github.com/netbirdio/netbird/shared/management/client/common"
 	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/types"
+	"github.com/netbirdio/netbird/shared/management/client/common"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -166,7 +167,7 @@ type ProviderConfig struct {
 
 // StoreConfig contains Store configuration
 type StoreConfig struct {
-	Engine Engine
+	Engine types.Engine
 }
 
 // ReverseProxy contains reverse proxy configuration in front of management.

management/internals/server/container.go

@@ -0,0 +1,55 @@
+package server
+
+import "fmt"
+
+// Create a dependency and add it to the BaseServer's container. A string key identifier will be based on its type definition.
+func Create[T any](s Server, createFunc func() T) T {
+	result, _ := maybeCreate(s, createFunc)
+
+	return result
+}
+
+// CreateNamed is the same as Create but will suffix the dependency string key identifier with a custom name.
+// Useful if you want to have multiple named instances of the same object type.
+func CreateNamed[T any](s Server, name string, createFunc func() T) T {
+	result, _ := maybeCreateNamed(s, name, createFunc)
+
+	return result
+}
+
+// Inject lets you override a specific service from outside the BaseServer itself.
+// This is useful for tests
+func Inject[T any](c Server, thing T) {
+	_, _ = maybeCreate(c, func() T {
+		return thing
+	})
+}
+
+// InjectNamed is like Inject() but with a custom name.
+func InjectNamed[T any](c Server, name string, thing T) {
+	_, _ = maybeCreateKeyed(c, name, func() T {
+		return thing
+	})
+}
+
+func maybeCreate[T any](s Server, createFunc func() T) (result T, isNew bool) {
+	key := fmt.Sprintf("%T", (*T)(nil))[1:]
+	return maybeCreateKeyed(s, key, createFunc)
+}
+
+func maybeCreateNamed[T any](s Server, name string, createFunc func() T) (result T, isNew bool) {
+	key := fmt.Sprintf("%T:%s", (*T)(nil), name)[1:]
+	return maybeCreateKeyed(s, key, createFunc)
+}
+
+func maybeCreateKeyed[T any](s Server, key string, createFunc func() T) (result T, isNew bool) {
+	if t, ok := s.GetContainer(key); ok {
+		return t.(T), false
+	}
+
+	t := createFunc()
+
+	s.SetContainer(key, t)
+
+	return t, true
+}

management/internals/server/controllers.go

@@ -0,0 +1,59 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/auth"
+	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
+	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+)
+
+func (s *BaseServer) PeersUpdateManager() *server.PeersUpdateManager {
+	return Create(s, func() *server.PeersUpdateManager {
+		return server.NewPeersUpdateManager(s.Metrics())
+	})
+}
+
+func (s *BaseServer) IntegratedValidator() integrated_validator.IntegratedValidator {
+	return Create(s, func() integrated_validator.IntegratedValidator {
+		integratedPeerValidator, err := integrations.NewIntegratedValidator(context.Background(), s.EventStore())
+		if err != nil {
+			log.Errorf("failed to create integrated peer validator: %v", err)
+		}
+		return integratedPeerValidator
+	})
+}
+
+func (s *BaseServer) ProxyController() port_forwarding.Controller {
+	return Create(s, func() port_forwarding.Controller {
+		return integrations.NewController(s.Store())
+	})
+}
+
+func (s *BaseServer) SecretsManager() *server.TimeBasedAuthSecretsManager {
+	return Create(s, func() *server.TimeBasedAuthSecretsManager {
+		return server.NewTimeBasedAuthSecretsManager(s.PeersUpdateManager(), s.config.TURNConfig, s.config.Relay, s.SettingsManager(), s.GroupsManager())
+	})
+}
+
+func (s *BaseServer) AuthManager() auth.Manager {
+	return Create(s, func() auth.Manager {
+		return auth.NewManager(s.Store(),
+			s.config.HttpConfig.AuthIssuer,
+			s.config.HttpConfig.AuthAudience,
+			s.config.HttpConfig.AuthKeysLocation,
+			s.config.HttpConfig.AuthUserIDClaim,
+			s.config.GetAuthAudiences(),
+			s.config.HttpConfig.IdpSignKeyRefreshEnabled)
+	})
+}
+
+func (s *BaseServer) EphemeralManager() *server.EphemeralManager {
+	return Create(s, func() *server.EphemeralManager {
+		return server.NewEphemeralManager(s.Store(), s.AccountManager())
+	})
+}

management/internals/server/modules.go

@@ -0,0 +1,108 @@
+package server
+
+import (
+	"context"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/management-integrations/integrations"
+	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/account"
+	"github.com/netbirdio/netbird/management/server/geolocation"
+	"github.com/netbirdio/netbird/management/server/groups"
+	"github.com/netbirdio/netbird/management/server/idp"
+	"github.com/netbirdio/netbird/management/server/networks"
+	"github.com/netbirdio/netbird/management/server/networks/resources"
+	"github.com/netbirdio/netbird/management/server/networks/routers"
+	"github.com/netbirdio/netbird/management/server/peers"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/users"
+)
+
+func (s *BaseServer) GeoLocationManager() geolocation.Geolocation {
+	return Create(s, func() geolocation.Geolocation {
+		geo, err := geolocation.NewGeolocation(context.Background(), s.config.Datadir, !s.disableGeoliteUpdate)
+		if err != nil {
+			log.Fatalf("could not initialize geolocation service: %v", err)
+		}
+
+		log.Infof("geolocation service has been initialized from %s", s.config.Datadir)
+
+		return geo
+	})
+}
+
+func (s *BaseServer) PermissionsManager() permissions.Manager {
+	return Create(s, func() permissions.Manager {
+		return integrations.InitPermissionsManager(s.Store())
+	})
+}
+
+func (s *BaseServer) UsersManager() users.Manager {
+	return Create(s, func() users.Manager {
+		return users.NewManager(s.Store())
+	})
+}
+
+func (s *BaseServer) SettingsManager() settings.Manager {
+	return Create(s, func() settings.Manager {
+		extraSettingsManager := integrations.NewManager(s.EventStore())
+		return settings.NewManager(s.Store(), s.UsersManager(), extraSettingsManager, s.PermissionsManager())
+	})
+}
+
+func (s *BaseServer) PeersManager() peers.Manager {
+	return Create(s, func() peers.Manager {
+		return peers.NewManager(s.Store(), s.PermissionsManager())
+	})
+}
+
+func (s *BaseServer) AccountManager() account.Manager {
+	return Create(s, func() account.Manager {
+		accountManager, err := server.BuildManager(context.Background(), s.Store(), s.PeersUpdateManager(), s.IdpManager(), s.mgmtSingleAccModeDomain,
+			s.dnsDomain, s.EventStore(), s.GeoLocationManager(), s.userDeleteFromIDPEnabled, s.IntegratedValidator(), s.Metrics(), s.ProxyController(), s.SettingsManager(), s.PermissionsManager(), s.config.DisableDefaultPolicy)
+		if err != nil {
+			log.Fatalf("failed to create account manager: %v", err)
+		}
+		return accountManager
+	})
+}
+
+func (s *BaseServer) IdpManager() idp.Manager {
+	return Create(s, func() idp.Manager {
+		var idpManager idp.Manager
+		var err error
+		if s.config.IdpManagerConfig != nil {
+			idpManager, err = idp.NewManager(context.Background(), *s.config.IdpManagerConfig, s.Metrics())
+			if err != nil {
+				log.Fatalf("failed to create IDP manager: %v", err)
+			}
+		}
+		return idpManager
+	})
+}
+
+func (s *BaseServer) GroupsManager() groups.Manager {
+	return Create(s, func() groups.Manager {
+		return groups.NewManager(s.Store(), s.PermissionsManager(), s.AccountManager())
+	})
+}
+
+func (s *BaseServer) ResourcesManager() resources.Manager {
+	return Create(s, func() resources.Manager {
+		return resources.NewManager(s.Store(), s.PermissionsManager(), s.GroupsManager(), s.AccountManager())
+	})
+}
+
+func (s *BaseServer) RoutesManager() routers.Manager {
+	return Create(s, func() routers.Manager {
+		return routers.NewManager(s.Store(), s.PermissionsManager(), s.AccountManager())
+	})
+}
+
+func (s *BaseServer) NetworksManager() networks.Manager {
+	return Create(s, func() networks.Manager {
+		return networks.NewManager(s.Store(), s.PermissionsManager(), s.ResourcesManager(), s.RoutesManager(), s.AccountManager())
+	})
+}

management/internals/server/server.go

@@ -0,0 +1,341 @@
+package server
+
+import (
+	"context"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/acme/autocert"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+	"google.golang.org/grpc"
+
+	"github.com/netbirdio/netbird/encryption"
+	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
+	"github.com/netbirdio/netbird/management/server/metrics"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/util"
+	"github.com/netbirdio/netbird/version"
+)
+
+// ManagementLegacyPort is the port that was used before by the Management gRPC server.
+// It is used for backward compatibility now.
+const ManagementLegacyPort = 33073
+
+type Server interface {
+	Start(ctx context.Context) error
+	Stop() error
+	Errors() <-chan error
+	GetContainer(key string) (any, bool)
+	SetContainer(key string, container any)
+}
+
+// Server holds the HTTP BaseServer instance.
+// Add any additional fields you need, such as database connections, config, etc.
+type BaseServer struct {
+	// config holds the server configuration
+	config *nbconfig.Config
+	// container of dependencies, each dependency is identified by a unique string.
+	container map[string]any
+	// AfterInit is a function that will be called after the server is initialized
+	afterInit []func(s *BaseServer)
+
+	disableMetrics           bool
+	dnsDomain                string
+	disableGeoliteUpdate     bool
+	userDeleteFromIDPEnabled bool
+	mgmtSingleAccModeDomain  string
+	mgmtMetricsPort          int
+	mgmtPort                 int
+
+	listener    net.Listener
+	certManager *autocert.Manager
+	update      *version.Update
+
+	errCh  chan error
+	wg     sync.WaitGroup
+	cancel context.CancelFunc
+}
+
+// NewServer initializes and configures a new Server instance
+func NewServer(config *nbconfig.Config, dnsDomain, mgmtSingleAccModeDomain string, mgmtPort, mgmtMetricsPort int, disableMetrics, disableGeoliteUpdate, userDeleteFromIDPEnabled bool) *BaseServer {
+	return &BaseServer{
+		config:                   config,
+		container:                make(map[string]any),
+		dnsDomain:                dnsDomain,
+		mgmtSingleAccModeDomain:  mgmtSingleAccModeDomain,
+		disableMetrics:           disableMetrics,
+		disableGeoliteUpdate:     disableGeoliteUpdate,
+		userDeleteFromIDPEnabled: userDeleteFromIDPEnabled,
+		mgmtPort:                 mgmtPort,
+		mgmtMetricsPort:          mgmtMetricsPort,
+	}
+}
+
+func (s *BaseServer) AfterInit(fn func(s *BaseServer)) {
+	s.afterInit = append(s.afterInit, fn)
+}
+
+// Start begins listening for HTTP requests on the configured address
+func (s *BaseServer) Start(ctx context.Context) error {
+	srvCtx, cancel := context.WithCancel(ctx)
+	s.cancel = cancel
+	s.errCh = make(chan error, 4)
+
+	s.PeersManager()
+	s.GeoLocationManager()
+
+	for _, fn := range s.afterInit {
+		if fn != nil {
+			fn(s)
+		}
+	}
+
+	err := s.Metrics().Expose(srvCtx, s.mgmtMetricsPort, "/metrics")
+	if err != nil {
+		return fmt.Errorf("failed to expose metrics: %v", err)
+	}
+	s.EphemeralManager().LoadInitialPeers(srvCtx)
+
+	var tlsConfig *tls.Config
+	tlsEnabled := false
+	if s.config.HttpConfig.LetsEncryptDomain != "" {
+		s.certManager, err = encryption.CreateCertManager(s.config.Datadir, s.config.HttpConfig.LetsEncryptDomain)
+		if err != nil {
+			return fmt.Errorf("failed creating LetsEncrypt cert manager: %v", err)
+		}
+		tlsEnabled = true
+	} else if s.config.HttpConfig.CertFile != "" && s.config.HttpConfig.CertKey != "" {
+		tlsConfig, err = loadTLSConfig(s.config.HttpConfig.CertFile, s.config.HttpConfig.CertKey)
+		if err != nil {
+			log.WithContext(srvCtx).Errorf("cannot load TLS credentials: %v", err)
+			return err
+		}
+		tlsEnabled = true
+	}
+
+	installationID, err := getInstallationID(srvCtx, s.Store())
+	if err != nil {
+		log.WithContext(srvCtx).Errorf("cannot load TLS credentials: %v", err)
+		return err
+	}
+
+	if !s.disableMetrics {
+		idpManager := "disabled"
+		if s.config.IdpManagerConfig != nil && s.config.IdpManagerConfig.ManagerType != "" {
+			idpManager = s.config.IdpManagerConfig.ManagerType
+		}
+		metricsWorker := metrics.NewWorker(srvCtx, installationID, s.Store(), s.PeersUpdateManager(), idpManager)
+		go metricsWorker.Run(srvCtx)
+	}
+
+	var compatListener net.Listener
+	if s.mgmtPort != ManagementLegacyPort {
+		// The Management gRPC server was running on port 33073 previously. Old agents that are already connected to it
+		// are using port 33073. For compatibility purposes we keep running a 2nd gRPC server on port 33073.
+		compatListener, err = s.serveGRPC(srvCtx, s.GRPCServer(), ManagementLegacyPort)
+		if err != nil {
+			return err
+		}
+		log.WithContext(srvCtx).Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String())
+	}
+
+	rootHandler := handlerFunc(s.GRPCServer(), s.APIHandler())
+	switch {
+	case s.certManager != nil:
+		// a call to certManager.Listener() always creates a new listener so we do it once
+		cml := s.certManager.Listener()
+		if s.mgmtPort == 443 {
+			// CertManager, HTTP and gRPC API all on the same port
+			rootHandler = s.certManager.HTTPHandler(rootHandler)
+			s.listener = cml
+		} else {
+			s.listener, err = tls.Listen("tcp", fmt.Sprintf(":%d", s.mgmtPort), s.certManager.TLSConfig())
+			if err != nil {
+				return fmt.Errorf("failed creating TLS listener on port %d: %v", s.mgmtPort, err)
+			}
+			log.WithContext(ctx).Infof("running HTTP server (LetsEncrypt challenge handler): %s", cml.Addr().String())
+			s.serveHTTP(ctx, cml, s.certManager.HTTPHandler(nil))
+		}
+	case tlsConfig != nil:
+		s.listener, err = tls.Listen("tcp", fmt.Sprintf(":%d", s.mgmtPort), tlsConfig)
+		if err != nil {
+			return fmt.Errorf("failed creating TLS listener on port %d: %v", s.mgmtPort, err)
+		}
+	default:
+		s.listener, err = net.Listen("tcp", fmt.Sprintf(":%d", s.mgmtPort))
+		if err != nil {
+			return fmt.Errorf("failed creating TCP listener on port %d: %v", s.mgmtPort, err)
+		}
+	}
+
+	log.WithContext(ctx).Infof("management server version %s", version.NetbirdVersion())
+	log.WithContext(ctx).Infof("running HTTP server and gRPC server on the same port: %s", s.listener.Addr().String())
+	s.serveGRPCWithHTTP(ctx, s.listener, rootHandler, tlsEnabled)
+
+	s.update = version.NewUpdate("nb/management")
+	s.update.SetDaemonVersion(version.NetbirdVersion())
+	s.update.SetOnUpdateListener(func() {
+		log.WithContext(ctx).Infof("your management version, \"%s\", is outdated, a new management version is available. Learn more here: https://github.com/netbirdio/netbird/releases", version.NetbirdVersion())
+	})
+
+	return nil
+}
+
+// Stop attempts a graceful shutdown, waiting up to 5 seconds for active connections to finish
+func (s *BaseServer) Stop() error {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	s.IntegratedValidator().Stop(ctx)
+	if s.GeoLocationManager() != nil {
+		_ = s.GeoLocationManager().Stop()
+	}
+	s.EphemeralManager().Stop()
+	_ = s.Metrics().Close()
+	if s.listener != nil {
+		_ = s.listener.Close()
+	}
+	if s.certManager != nil {
+		_ = s.certManager.Listener().Close()
+	}
+	s.GRPCServer().Stop()
+	_ = s.Store().Close(ctx)
+	_ = s.EventStore().Close(ctx)
+	if s.update != nil {
+		s.update.StopWatch()
+	}
+
+	select {
+	case <-s.Errors():
+		log.WithContext(ctx).Infof("stopped Management Service")
+		return nil
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+// Done returns a channel that is closed when the server stops
+func (s *BaseServer) Errors() <-chan error {
+	return s.errCh
+}
+
+// GetContainer retrieves a dependency from the BaseServer's container by its key
+func (s *BaseServer) GetContainer(key string) (any, bool) {
+	container, exists := s.container[key]
+	return container, exists
+}
+
+// SetContainer stores a dependency in the BaseServer's container with the specified key
+func (s *BaseServer) SetContainer(key string, container any) {
+	if _, exists := s.container[key]; exists {
+		log.Tracef("container with key %s already exists", key)
+		return
+	}
+	s.container[key] = container
+	log.Tracef("container with key %s set successfully", key)
+}
+
+func updateMgmtConfig(ctx context.Context, path string, config *nbconfig.Config) error {
+	return util.DirectWriteJson(ctx, path, config)
+}
+
+func handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler) http.Handler {
+	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
+		grpcHeader := strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc") ||
+			strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc+proto")
+		if request.ProtoMajor == 2 && grpcHeader {
+			gRPCHandler.ServeHTTP(writer, request)
+		} else {
+			httpHandler.ServeHTTP(writer, request)
+		}
+	})
+}
+
+func (s *BaseServer) serveGRPC(ctx context.Context, grpcServer *grpc.Server, port int) (net.Listener, error) {
+	listener, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
+	if err != nil {
+		return nil, err
+	}
+
+	s.wg.Add(1)
+	go func() {
+		defer s.wg.Done()
+		err := grpcServer.Serve(listener)
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		select {
+		case s.errCh <- err:
+		default:
+		}
+	}()
+
+	return listener, nil
+}
+
+func (s *BaseServer) serveHTTP(ctx context.Context, httpListener net.Listener, handler http.Handler) {
+	s.wg.Add(1)
+	go func() {
+		defer s.wg.Done()
+		err := http.Serve(httpListener, handler)
+		if ctx.Err() != nil {
+			return
+		}
+
+		select {
+		case s.errCh <- err:
+		default:
+		}
+	}()
+}
+
+func (s *BaseServer) serveGRPCWithHTTP(ctx context.Context, listener net.Listener, handler http.Handler, tlsEnabled bool) {
+	s.wg.Add(1)
+	go func() {
+		defer s.wg.Done()
+		var err error
+		if tlsEnabled {
+			err = http.Serve(listener, handler)
+		} else {
+			// the following magic is needed to support HTTP2 without TLS
+			// and still share a single port between gRPC and HTTP APIs
+			h1s := &http.Server{
+				Handler: h2c.NewHandler(handler, &http2.Server{}),
+			}
+			err = h1s.Serve(listener)
+		}
+
+		if ctx.Err() != nil {
+			return
+		}
+
+		select {
+		case s.errCh <- err:
+		default:
+		}
+	}()
+}
+
+func getInstallationID(ctx context.Context, store store.Store) (string, error) {
+	installationID := store.GetInstallationID()
+	if installationID != "" {
+		return installationID, nil
+	}
+
+	installationID = strings.ToUpper(uuid.New().String())
+	err := store.SaveInstallationID(ctx, installationID)
+	if err != nil {
+		return "", err
+	}
+	return installationID, nil
+}

management/server/account.go

@@ -297,9 +297,6 @@ func (am *DefaultAccountManager) GetIdpManager() idp.Manager {
 // User that performs the update has to belong to the account.
 // Returns an updated Settings
 func (am *DefaultAccountManager) UpdateAccountSettings(ctx context.Context, accountID, userID string, newSettings *types.Settings) (*types.Settings, error) {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Settings, operations.Update)
 	if err != nil {
 		return nil, fmt.Errorf("failed to validate user permissions: %w", err)
@@ -495,8 +492,6 @@ func (am *DefaultAccountManager) peerLoginExpirationJob(ctx context.Context, acc
 		ctx := context.WithValue(ctx, nbcontext.AccountIDKey, accountID)
 		//nolint
 		ctx = context.WithValue(ctx, hook.ExecutionContextKey, fmt.Sprintf("%s-PEER-EXPIRATION", hook.SystemSource))
-		unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-		defer unlock()
 
 		expiredPeers, err := am.getExpiredPeers(ctx, accountID)
 		if err != nil {
@@ -532,9 +527,6 @@ func (am *DefaultAccountManager) schedulePeerLoginExpiration(ctx context.Context
 // peerInactivityExpirationJob marks login expired for all inactive peers and returns the minimum duration in which the next peer of the account will expire by inactivity if found
 func (am *DefaultAccountManager) peerInactivityExpirationJob(ctx context.Context, accountID string) func() (time.Duration, bool) {
 	return func() (time.Duration, bool) {
-		unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-		defer unlock()
-
 		inactivePeers, err := am.getInactivePeers(ctx, accountID)
 		if err != nil {
 			log.WithContext(ctx).Errorf("failed getting inactive peers for account %s", accountID)
@@ -675,8 +667,6 @@ func (am *DefaultAccountManager) isCacheCold(ctx context.Context, store cacheSto
 
 // DeleteAccount deletes an account and all its users from local store and from the remote IDP if the requester is an admin and account owner
 func (am *DefaultAccountManager) DeleteAccount(ctx context.Context, accountID, userID string) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
 	account, err := am.Store.GetAccount(ctx, accountID)
 	if err != nil {
 		return err
@@ -1045,9 +1035,6 @@ func (am *DefaultAccountManager) updateAccountDomainAttributesIfNotUpToDate(ctx
 		return nil
 	}
 
-	unlockAccount := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlockAccount()
-
 	accountDomain, domainCategory, err := am.Store.GetAccountDomainAndCategory(ctx, store.LockingStrengthNone, accountID)
 	if err != nil {
 		log.WithContext(ctx).Errorf("error getting account domain and category: %v", err)
@@ -1140,9 +1127,6 @@ func (am *DefaultAccountManager) addNewPrivateAccount(ctx context.Context, domai
 }
 
 func (am *DefaultAccountManager) addNewUserToDomainAccount(ctx context.Context, domainAccountID string, userAuth nbcontext.UserAuth) (string, error) {
-	unlockAccount := am.Store.AcquireWriteLockByUID(ctx, domainAccountID)
-	defer unlockAccount()
-
 	newUser := types.NewRegularUser(userAuth.UserId)
 	newUser.AccountID = domainAccountID
 	err := am.Store.SaveUser(ctx, newUser)
@@ -1354,13 +1338,6 @@ func (am *DefaultAccountManager) SyncUserJWTGroups(ctx context.Context, userAuth
 		return nil
 	}
 
-	unlockAccount := am.Store.AcquireWriteLockByUID(ctx, userAuth.AccountId)
-	defer func() {
-		if unlockAccount != nil {
-			unlockAccount()
-		}
-	}()
-
 	var addNewGroups []string
 	var removeOldGroups []string
 	var hasChanges bool
@@ -1423,8 +1400,6 @@ func (am *DefaultAccountManager) SyncUserJWTGroups(ctx context.Context, userAuth
 				return fmt.Errorf("error incrementing network serial: %w", err)
 			}
 		}
-		unlockAccount()
-		unlockAccount = nil
 
 		return nil
 	})
@@ -1639,11 +1614,6 @@ func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID
 		log.WithContext(ctx).Debugf("SyncAndMarkPeer: took %v", time.Since(start))
 	}()
 
-	accountUnlock := am.Store.AcquireReadLockByUID(ctx, accountID)
-	defer accountUnlock()
-	peerUnlock := am.Store.AcquireWriteLockByUID(ctx, peerPubKey)
-	defer peerUnlock()
-
 	peer, netMap, postureChecks, err := am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta}, accountID)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("error syncing peer: %w", err)
@@ -1658,18 +1628,12 @@ func (am *DefaultAccountManager) SyncAndMarkPeer(ctx context.Context, accountID
 }
 
 func (am *DefaultAccountManager) OnPeerDisconnected(ctx context.Context, accountID string, peerPubKey string) error {
-	accountUnlock := am.Store.AcquireReadLockByUID(ctx, accountID)
-	defer accountUnlock()
-	peerUnlock := am.Store.AcquireWriteLockByUID(ctx, peerPubKey)
-	defer peerUnlock()
-
 	err := am.MarkPeerConnected(ctx, peerPubKey, false, nil, accountID)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed marking peer as disconnected %s %v", peerPubKey, err)
 	}
 
 	return nil
-
 }
 
 func (am *DefaultAccountManager) SyncPeerMeta(ctx context.Context, peerPubKey string, meta nbpeer.PeerSystemMeta) error {
@@ -1678,12 +1642,6 @@ func (am *DefaultAccountManager) SyncPeerMeta(ctx context.Context, peerPubKey st
 		return err
 	}
 
-	unlock := am.Store.AcquireReadLockByUID(ctx, accountID)
-	defer unlock()
-
-	unlockPeer := am.Store.AcquireWriteLockByUID(ctx, peerPubKey)
-	defer unlockPeer()
-
 	_, _, _, err = am.SyncPeer(ctx, types.PeerSync{WireGuardPubKey: peerPubKey, Meta: meta, UpdateAccountPeers: true}, accountID)
 	if err != nil {
 		return mapError(ctx, err)
@@ -1952,20 +1910,19 @@ func (am *DefaultAccountManager) GetOrCreateAccountByPrivateDomain(ctx context.C
 	return nil, false, status.Errorf(status.Internal, "failed to get or create new account by private domain")
 }
 
-func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error) {
-	var account *types.Account
+func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, accountId string) error {
 	err := am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
 		var err error
-		account, err = transaction.GetAccount(ctx, accountId)
+		ok, domain, err := transaction.IsPrimaryAccount(ctx, accountId)
 		if err != nil {
 			return err
 		}
 
-		if account.IsDomainPrimaryAccount {
+		if ok {
 			return nil
 		}
 
-		existingPrimaryAccountID, err := transaction.GetAccountIDByPrivateDomain(ctx, store.LockingStrengthNone, account.Domain)
+		existingPrimaryAccountID, err := transaction.GetAccountIDByPrivateDomain(ctx, store.LockingStrengthNone, domain)
 
 		// error is not a not found error
 		if handleNotFound(err) != nil {
@@ -1981,9 +1938,7 @@ func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, acc
 			return status.Errorf(status.Internal, "cannot update account to primary")
 		}
 
-		account.IsDomainPrimaryAccount = true
-
-		if err := transaction.SaveAccount(ctx, account); err != nil {
+		if err := transaction.MarkAccountPrimary(ctx, accountId); err != nil {
 			log.WithContext(ctx).WithFields(log.Fields{
 				"accountId": accountId,
 			}).Errorf("failed to update account to primary: %v", err)
@@ -1993,10 +1948,10 @@ func (am *DefaultAccountManager) UpdateToPrimaryAccount(ctx context.Context, acc
 		return nil
 	})
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	return account, nil
+	return nil
 }
 
 // propagateUserGroupMemberships propagates all account users' group memberships to their peers.
@@ -2067,14 +2022,12 @@ func (am *DefaultAccountManager) reallocateAccountPeerIPs(ctx context.Context, t
 		Mask: net.CIDRMask(newNetworkRange.Bits(), newNetworkRange.Addr().BitLen()),
 	}
 
-	account, err := transaction.GetAccount(ctx, accountID)
+	err := transaction.UpdateAccountNetwork(ctx, accountID, newIPNet)
 	if err != nil {
 		return err
 	}
 
-	account.Network.Net = newIPNet
-
-	peers, err := transaction.GetAccountPeers(ctx, store.LockingStrengthNone, accountID, "", "")
+	peers, err := transaction.GetAccountPeers(ctx, store.LockingStrengthUpdate, accountID, "", "")
 	if err != nil {
 		return err
 	}
@@ -2094,10 +2047,6 @@ func (am *DefaultAccountManager) reallocateAccountPeerIPs(ctx context.Context, t
 		takenIPs = append(takenIPs, newIP)
 	}
 
-	if err = transaction.SaveAccount(ctx, account); err != nil {
-		return err
-	}
-
 	for _, peer := range peers {
 		if err = transaction.SavePeer(ctx, accountID, peer); err != nil {
 			return status.Errorf(status.Internal, "save updated peer %s: %v", peer.ID, err)
@@ -2124,9 +2073,6 @@ func (am *DefaultAccountManager) validateIPForUpdate(account *types.Account, pee
 }
 
 func (am *DefaultAccountManager) UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
-	defer unlock()
-
 	allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Update)
 	if err != nil {
 		return fmt.Errorf("validate user permissions: %w", err)

management/server/account/manager.go

@@ -7,7 +7,6 @@ import (
 	"time"
 
 	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbcache "github.com/netbirdio/netbird/management/server/cache"
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
@@ -18,6 +17,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/management/server/users"
 	"github.com/netbirdio/netbird/route"
+	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
 type ExternalCacheManager nbcache.UserDataCache
@@ -77,7 +77,7 @@ type Manager interface {
 	DeletePolicy(ctx context.Context, accountID, policyID, userID string) error
 	ListPolicies(ctx context.Context, accountID, userID string) ([]*types.Policy, error)
 	GetRoute(ctx context.Context, accountID string, routeID route.ID, userID string) (*route.Route, error)
-	CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool) (*route.Route, error)
+	CreateRoute(ctx context.Context, accountID string, prefix netip.Prefix, networkType route.NetworkType, domains domain.List, peerID string, peerGroupIDs []string, description string, netID route.NetID, masquerade bool, metric int, groups, accessControlGroupIDs []string, enabled bool, userID string, keepRoute bool, skipAutoApply bool) (*route.Route, error)
 	SaveRoute(ctx context.Context, accountID, userID string, route *route.Route) error
 	DeleteRoute(ctx context.Context, accountID string, routeID route.ID, userID string) error
 	ListRoutes(ctx context.Context, accountID, userID string) ([]*route.Route, error)
@@ -120,7 +120,7 @@ type Manager interface {
 	SyncUserJWTGroups(ctx context.Context, userAuth nbcontext.UserAuth) error
 	GetStore() store.Store
 	GetOrCreateAccountByPrivateDomain(ctx context.Context, initiatorId, domain string) (*types.Account, bool, error)
-	UpdateToPrimaryAccount(ctx context.Context, accountId string) (*types.Account, error)
+	UpdateToPrimaryAccount(ctx context.Context, accountId string) error
 	GetOwnerInfo(ctx context.Context, accountId string) (*types.UserInfo, error)
 	GetCurrentUserInfo(ctx context.Context, userAuth nbcontext.UserAuth) (*users.UserInfoWithPermissions, error)
 }

management/server/account_test.go

@@ -3250,11 +3250,13 @@ func Test_GetCreateAccountByPrivateDomain(t *testing.T) {
 	assert.Equal(t, 0, len(account2.Users))
 	assert.Equal(t, 0, len(account2.SetupKeys))
 
-	account, err = manager.UpdateToPrimaryAccount(ctx, account.Id)
+	err = manager.UpdateToPrimaryAccount(ctx, account.Id)
+	assert.NoError(t, err)
+	account, err = manager.Store.GetAccount(ctx, account.Id)
 	assert.NoError(t, err)
 	assert.True(t, account.IsDomainPrimaryAccount)
 
-	_, err = manager.UpdateToPrimaryAccount(ctx, account2.Id)
+	err = manager.UpdateToPrimaryAccount(ctx, account2.Id)
 	assert.Error(t, err, "should not be able to update a second account to primary")
 }
 
@@ -3275,7 +3277,9 @@ func Test_UpdateToPrimaryAccount(t *testing.T) {
 	assert.False(t, account.IsDomainPrimaryAccount)
 	assert.Equal(t, domain, account.Domain)
 
-	account, err = manager.UpdateToPrimaryAccount(ctx, account.Id)
+	err = manager.UpdateToPrimaryAccount(ctx, account.Id)
+	assert.NoError(t, err)
+	account, err = manager.Store.GetAccount(ctx, account.Id)
 	assert.NoError(t, err)
 	assert.True(t, account.IsDomainPrimaryAccount)
 

management/server/auth/jwt/extractor.go

@@ -5,7 +5,7 @@ import (
 	"net/url"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 	log "github.com/sirupsen/logrus"
 
 	nbcontext "github.com/netbirdio/netbird/management/server/context"

management/server/auth/jwt/validator.go

@@ -17,7 +17,7 @@ import (
 	"sync"
 	"time"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	log "github.com/sirupsen/logrus"
 )
@@ -63,12 +63,10 @@ type Validator struct {
 }
 
 var (
-	errKeyNotFound     = errors.New("unable to find appropriate key")
-	errInvalidAudience = errors.New("invalid audience")
-	errInvalidIssuer   = errors.New("invalid issuer")
-	errTokenEmpty      = errors.New("required authorization token not found")
-	errTokenInvalid    = errors.New("token is invalid")
-	errTokenParsing    = errors.New("token could not be parsed")
+	errKeyNotFound  = errors.New("unable to find appropriate key")
+	errTokenEmpty   = errors.New("required authorization token not found")
+	errTokenInvalid = errors.New("token is invalid")
+	errTokenParsing = errors.New("token could not be parsed")
 )
 
 func NewValidator(issuer string, audienceList []string, keysLocation string, idpSignkeyRefreshEnabled bool) *Validator {
@@ -88,24 +86,6 @@ func NewValidator(issuer string, audienceList []string, keysLocation string, idp
 
 func (v *Validator) getKeyFunc(ctx context.Context) jwt.Keyfunc {
 	return func(token *jwt.Token) (interface{}, error) {
-		// Verify 'aud' claim
-		var checkAud bool
-		for _, audience := range v.audienceList {
-			checkAud = token.Claims.(jwt.MapClaims).VerifyAudience(audience, false)
-			if checkAud {
-				break
-			}
-		}
-		if !checkAud {
-			return token, errInvalidAudience
-		}
-
-		// Verify 'issuer' claim
-		checkIss := token.Claims.(jwt.MapClaims).VerifyIssuer(v.issuer, false)
-		if !checkIss {
-			return token, errInvalidIssuer
-		}
-
 		// If keys are rotated, verify the keys prior to token validation
 		if v.idpSignkeyRefreshEnabled {
 			// If the keys are invalid, retrieve new ones
@@ -144,7 +124,7 @@ func (v *Validator) getKeyFunc(ctx context.Context) jwt.Keyfunc {
 }
 
 // ValidateAndParse validates the token and returns the parsed token
-func (m *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.Token, error) {
+func (v *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.Token, error) {
 	// If the token is empty...
 	if token == "" {
 		// If we get here, the required token is missing
@@ -153,7 +133,13 @@ func (m *Validator) ValidateAndParse(ctx context.Context, token string) (*jwt.To
 	}
 
 	// Now parse the token
-	parsedToken, err := jwt.Parse(token, m.getKeyFunc(ctx))
+	parsedToken, err := jwt.Parse(
+		token,
+		v.getKeyFunc(ctx),
+		jwt.WithAudience(v.audienceList...),
+		jwt.WithIssuer(v.issuer),
+		jwt.WithIssuedAt(),
+	)
 
 	// Check if there was an error in parsing...
 	if err != nil {

management/server/auth/manager.go

@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"hash/crc32"
 
-	"github.com/golang-jwt/jwt"
+	"github.com/golang-jwt/jwt/v5"
 
 	"github.com/netbirdio/netbird/base62"
 	nbjwt "github.com/netbirdio/netbird/management/server/auth/jwt"