Include MTU and SSH auth/JWT cache config in debug bundle

2026-05-06 00:56:39 +00:00 · 2026-05-05 12:18:56 +02:00
27 changed files with 384 additions and 1659 deletions
--- a/.github/DISCUSSION_TEMPLATE/ideas-feature-requests.yml
+++ b/.github/DISCUSSION_TEMPLATE/ideas-feature-requests.yml
@@ -1,130 +0,0 @@
-body:
-  - type: markdown
-    attributes:
-      value: |
-        ## Ideas & Feature Requests
-
-        Use this category for feature requests, enhancements, integrations, and product ideas.
-
-        NetBird uses community traction in discussions — upvotes, replies, affected users, and use-case detail — as an input when deciding what should become a maintainer-curated issue or roadmap item. A clear problem statement is more useful than a solution-only request.
-
-        Please search first and add your use case to an existing discussion when one already exists.
-
-  - type: checkboxes
-    id: preflight
-    attributes:
-      label: Before posting
-      options:
-        - label: I searched existing discussions and issues for similar requests.
-          required: true
-        - label: I checked the documentation to confirm this is not already supported.
-          required: true
-        - label: This is a product idea or enhancement request, not a support question.
-          required: true
-        - label: I removed or anonymized sensitive details from examples and screenshots.
-          required: true
-
-  - type: dropdown
-    id: area
-    attributes:
-      label: Product area
-      description: Select every area this request touches.
-      multiple: true
-      options:
-        - Client / Agent
-        - CLI
-        - Desktop UI
-        - Mobile app
-        - Dashboard / Admin UI
-        - Management service / API
-        - Signal service
-        - Relay
-        - DNS
-        - Routes / Exit nodes
-        - NetBird SSH
-        - Access control policies
-        - Posture checks
-        - Identity provider / SSO
-        - Self-hosting / Deployment
-        - Kubernetes / Operator
-        - Terraform / Automation
-        - Documentation
-        - Other / not sure
-    validations:
-      required: true
-
-  - type: textarea
-    id: problem
-    attributes:
-      label: Problem or use case
-      description: What are you trying to accomplish, and what is difficult or impossible today?
-      placeholder: |
-        As a ...
-        I want to ...
-        Because ...
-    validations:
-      required: true
-
-  - type: textarea
-    id: proposal
-    attributes:
-      label: Proposed solution
-      description: Describe the behavior, workflow, API, UI, or integration you would like to see.
-    validations:
-      required: true
-
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Alternatives or workarounds considered
-      description: What have you tried today? Why is the current workaround not enough?
-
-  - type: textarea
-    id: impact
-    attributes:
-      label: Community impact and priority
-      description: Help us understand who benefits and how urgent this is.
-      placeholder: |
-        - Number of users/teams/peers affected:
-        - Deployment type: Cloud / self-hosted / both
-        - Frequency: daily / weekly / occasional
-        - Blocking production adoption? yes/no
-        - Related comments, discussions, or customer requests:
-    validations:
-      required: true
-
-  - type: textarea
-    id: examples
-    attributes:
-      label: Examples from other tools or products
-      description: If another tool solves this well, link or describe the behavior.
-
-  - type: textarea
-    id: security
-    attributes:
-      label: Security, privacy, and compatibility considerations
-      description: Note any access-control, audit, data retention, network, platform, or backward-compatibility concerns.
-
-  - type: textarea
-    id: implementation
-    attributes:
-      label: Implementation ideas
-      description: Optional. If you are familiar with the codebase or API, share possible implementation notes.
-
-  - type: dropdown
-    id: contribution
-    attributes:
-      label: Are you willing to help?
-      options:
-        - Yes, I can submit a PR if the approach is accepted.
-        - Yes, I can test or validate a proposed implementation.
-        - Yes, I can provide more use-case details.
-        - Not at this time.
-    validations:
-      required: true
-
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: Add screenshots, diagrams, links, or anything else that helps explain the request.
--- a/.github/DISCUSSION_TEMPLATE/issue-triage.yml
+++ b/.github/DISCUSSION_TEMPLATE/issue-triage.yml
@@ -1,237 +0,0 @@
-body:
-  - type: markdown
-    attributes:
-      value: |
-        ## Issue Triage
-
-        Use this category for reproducible bugs and regressions in NetBird.
-
-        The more context you include, the faster we can validate and act on your report. If you're not sure whether something is a bug, **Q&A / Support** is a good starting point — we can always move the conversation here once we've confirmed it's a product issue.
-
-        Intermittent issues are useful too. Include the trigger, frequency, timing, and any logs or debug evidence you have, and we'll work from there.
-
-        Please don't include secrets, tokens, private keys, internal hostnames, or public IPs. Security vulnerabilities should be reported through the repository security policy rather than a public discussion.
-
-  - type: checkboxes
-    id: preflight
-    attributes:
-      label: Before posting
-      options:
-        - label: I searched existing discussions and issues, including closed ones, and checked the relevant docs.
-          required: true
-        - label: I believe this is a product bug rather than a configuration or setup question.
-          required: true
-        - label: I can reproduce this issue, or for intermittent issues I've included trigger, frequency, and timing details below.
-          required: true
-        - label: I removed or anonymized sensitive data from logs, screenshots, and configuration.
-          required: true
-
-  - type: dropdown
-    id: area
-    attributes:
-      label: Affected area
-      description: Select every area this report touches.
-      multiple: true
-      options:
-        - Client / Agent
-        - Reverse Proxy
-        - CLI
-        - Desktop UI
-        - Mobile app
-        - Peer connectivity
-        - DNS
-        - Routes / Exit nodes
-        - NetBird SSH
-        - Relay / Signal / NAT traversal
-        - Login / Authentication / IdP
-        - Dashboard / Admin UI
-        - Management service / API
-        - Access control policies / Posture checks
-        - Self-hosting / Deployment
-        - Kubernetes / Operator
-        - Documentation
-        - Other / not sure
-    validations:
-      required: true
-
-  - type: dropdown
-    id: deployment
-    attributes:
-      label: Deployment type
-      options:
-        - NetBird Cloud
-        - Self-hosted - quickstart script
-        - Self-hosted - advanced/custom deployment
-        - Local development build
-        - Not sure / environment I do not fully control
-    validations:
-      required: true
-
-  - type: dropdown
-    id: platform
-    attributes:
-      label: Operating system or environment
-      description: Select every environment involved in the reproduction.
-      multiple: true
-      options:
-        - Linux
-        - macOS
-        - Windows
-        - Android
-        - iOS
-        - FreeBSD
-        - OpenWRT
-        - Docker
-        - Kubernetes
-        - Synology
-        - Browser
-        - Other / not sure
-    validations:
-      required: true
-
-  - type: textarea
-    id: version
-    attributes:
-      label: NetBird version and upgrade status
-      description: Run `netbird version` where applicable. For self-hosted deployments, include management, signal, relay, and dashboard versions if available. If you cannot test on a current/supported version, explain why.
-      placeholder: |
-        Example:
-        - Client: 0.30.2
-        - Management: 0.30.2
-        - Signal: 0.30.2
-        - Relay: 0.30.2
-        - Dashboard: 0.30.2
-        - Upgrade status: reproduced on current version / cannot upgrade because ...
-    validations:
-      required: true
-
-  - type: dropdown
-    id: regression
-    attributes:
-      label: Did this work before?
-      options:
-        - Yes, this worked before
-        - No, this never worked
-        - Not sure
-    validations:
-      required: true
-
-  - type: textarea
-    id: regression-details
-    attributes:
-      label: Regression details
-      description: If this worked before, include the last known working version, first known broken version, and any recent upgrade, configuration, network, or IdP changes.
-      placeholder: |
-        - Last known working version:
-        - First known broken version:
-        - Recent changes:
-
-  - type: textarea
-    id: summary
-    attributes:
-      label: Summary
-      description: Briefly describe the reproducible bug.
-      placeholder: What is broken?
-    validations:
-      required: true
-
-  - type: textarea
-    id: current-behavior
-    attributes:
-      label: Current behavior
-      description: What happens now? Include exact errors, timeouts, UI messages, or failed commands when possible.
-    validations:
-      required: true
-
-  - type: textarea
-    id: expected-behavior
-    attributes:
-      label: Expected behavior
-      description: What did you expect to happen instead?
-    validations:
-      required: true
-
-  - type: textarea
-    id: reproduction
-    attributes:
-      label: Steps to reproduce
-      description: Provide the smallest set of steps that reliably reproduces the bug. If the issue is intermittent, include the trigger, frequency, timing, and relevant timestamps.
-      placeholder: |
-        1. Configure ...
-        2. Run ...
-        3. Observe ...
-
-        For intermittent issues:
-        - Trigger:
-        - Frequency:
-        - Timing/timestamps:
-    validations:
-      required: true
-
-  - type: textarea
-    id: environment
-    attributes:
-      label: Environment and topology
-      description: Include the relevant topology and software involved in the reproduction. For UI/docs-only reports, write `N/A` if this does not apply. Use `None`, `Unknown`, or `N/A` where appropriate.
-      placeholder: |
-        - Peer A:
-        - Peer B:
-        - Same LAN or different networks:
-        - NAT/CGNAT/corporate firewall/mobile network:
-        - Other VPN software:
-        - Firewall, DNS, or endpoint security software:
-        - Routes, DNS, policies, posture checks, or SSH rules involved:
-        - IdP, reverse proxy, or browser involved:
-    validations:
-      required: true
-
-  - type: textarea
-    id: self-hosted-details
-    attributes:
-      label: Self-hosted details, if available
-      description: Optional. If you use self-hosting and have access to these details, include them. If you do not administer the environment, provide what you know and say what you cannot access.
-      placeholder: |
-        - Deployment method: quickstart / Docker Compose / Helm / operator / custom
-        - Management/signal/relay/dashboard versions:
-        - Reverse proxy:
-        - IdP/provider:
-        - STUN/TURN/coturn/relay details:
-        - Relevant component logs:
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: Logs, status output, or debug evidence
-      description: |
-        For client, connectivity, DNS, route, relay/signal, or self-hosted reports, logs are essential — please include anonymized output from `netbird status -dA`, or a debug bundle via `netbird debug for 1m -AS -U`. Debug bundles are automatically deleted after 30 days.
-
-        For UI, dashboard, or documentation reports, leave the pre-filled `N/A`.
-      value: "N/A"
-      render: shell
-    validations:
-      required: true
-
-  - type: textarea
-    id: related-reports
-    attributes:
-      label: Related issues or discussions
-      description: Optional. Link similar reports you found while searching, if any.
-      placeholder: |
-        - Related issue/discussion:
-        - Why this may be the same or different:
-
-  - type: textarea
-    id: impact
-    attributes:
-      label: Impact
-      description: Optional. Help us understand priority. How many users, peers, environments, or workflows are affected? Is there a workaround?
-      placeholder: |
-        - Affected users/peers:
-        - Business or production impact:
-        - Workaround available:
-
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: Add links to related discussions, issues, docs, screenshots, recordings, or anything else that may help validation.
--- a/.github/DISCUSSION_TEMPLATE/q-a-support.yml
+++ b/.github/DISCUSSION_TEMPLATE/q-a-support.yml
@@ -1,146 +0,0 @@
-body:
-  - type: markdown
-    attributes:
-      value: |
-        ## Q&A / Support
-
-        Use this category for questions about configuration, setup, self-hosted deployments, troubleshooting, and general NetBird usage.
-
-        This is community support and does not provide an SLA. For NetBird Cloud support, use the official support channel linked from the issue creation page. Please do not post secrets, tokens, private keys, internal hostnames, or public IPs unless you intentionally want them public.
-
-        If your question turns into a reproducible product defect, DevRel or a maintainer may ask you to open or move the conversation to Issue Triage.
-
-  - type: checkboxes
-    id: preflight
-    attributes:
-      label: Before posting
-      options:
-        - label: I searched existing discussions and issues for similar questions.
-          required: true
-        - label: I reviewed the relevant NetBird documentation or troubleshooting guide.
-          required: true
-        - label: I removed or anonymized sensitive data from logs, screenshots, and configuration.
-          required: true
-
-  - type: dropdown
-    id: topic
-    attributes:
-      label: Topic
-      multiple: true
-      options:
-        - Getting started
-        - Self-hosting
-        - Client / Agent
-        - CLI
-        - Desktop UI
-        - Mobile app
-        - Dashboard / Admin UI
-        - DNS
-        - Routes / Exit nodes
-        - NetBird SSH
-        - Relay
-        - Access control policies
-        - Posture checks
-        - Identity provider / SSO
-        - API
-        - Kubernetes / Operator
-        - Terraform / Automation
-        - Documentation
-        - Other / not sure
-    validations:
-      required: true
-
-  - type: dropdown
-    id: deployment
-    attributes:
-      label: Deployment type
-      options:
-        - NetBird Cloud
-        - Self-hosted - quickstart script
-        - Self-hosted - advanced/custom deployment
-        - Local development build
-        - Not sure
-    validations:
-      required: true
-
-  - type: dropdown
-    id: platform
-    attributes:
-      label: Operating system or environment
-      multiple: true
-      options:
-        - Linux
-        - macOS
-        - Windows
-        - Android
-        - iOS
-        - FreeBSD
-        - OpenWRT
-        - Docker
-        - Kubernetes
-        - Synology
-        - Browser
-        - Other / not sure
-    validations:
-      required: true
-
-  - type: input
-    id: version
-    attributes:
-      label: NetBird version
-      description: Run `netbird version` where applicable. For self-hosted deployments, include component versions if relevant.
-      placeholder: "Example: client 0.30.2, management 0.30.2"
-
-  - type: textarea
-    id: question
-    attributes:
-      label: Question
-      description: What are you trying to understand or accomplish?
-      placeholder: Describe your question clearly.
-    validations:
-      required: true
-
-  - type: textarea
-    id: goal
-    attributes:
-      label: Desired outcome
-      description: What would a successful answer help you do?
-      placeholder: |
-        I want to configure ...
-        I expected ...
-        I need help deciding ...
-
-  - type: textarea
-    id: attempted
-    attributes:
-      label: What have you tried?
-      description: Include commands, documentation links, configuration attempts, or troubleshooting steps already tried.
-      placeholder: |
-        - Read ...
-        - Ran ...
-        - Changed ...
-        - Observed ...
-
-  - type: textarea
-    id: environment
-    attributes:
-      label: Relevant environment details
-      description: Include redacted topology, IdP/provider, reverse proxy, firewall, DNS, route, policy, or self-hosted setup details that may affect the answer.
-      placeholder: |
-        - Deployment:
-        - Components involved:
-        - Network/topology:
-        - Related config:
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: Logs or output
-      description: Optional. Include anonymized logs, command output, screenshots, or `netbird status -dA` if relevant.
-      render: shell
-
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: Add links, diagrams, screenshots, or other details that may help the community answer.
--- a/.github/ISSUE_TEMPLATE/bug-issue-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-issue-report.md
@@ -0,0 +1,71 @@
+---
+name: Bug/Issue report
+about: Create a report to help us improve
+title: ''
+labels: ['triage-needed']
+assignees: ''
+
+---
+
+**Describe the problem**
+
+A clear and concise description of what the problem is.
+
+**To Reproduce**
+
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Are you using NetBird Cloud?**
+
+Please specify whether you use NetBird Cloud or self-host NetBird's control plane.
+
+**NetBird version**
+
+`netbird version`
+
+**Is any other VPN software installed?**
+
+If yes, which one?
+
+**Debug output**
+
+To help us resolve the problem, please attach the following anonymized status output
+
+  netbird status -dA
+
+Create and upload a debug bundle, and share the returned file key:
+
+  netbird debug for 1m -AS -U
+
+*Uploaded files are automatically deleted after 30 days.*
+
+
+Alternatively, create the file only and attach it here manually:
+
+  netbird debug for 1m -AS
+
+
+**Screenshots**
+
+If applicable, add screenshots to help explain your problem.
+
+**Additional context**
+
+Add any other context about the problem here.
+
+**Have you tried these troubleshooting steps?**
+- [ ] Reviewed [client troubleshooting](https://docs.netbird.io/how-to/troubleshooting-client) (if applicable)
+- [ ] Checked for newer NetBird versions
+- [ ] Searched for similar issues on GitHub (including closed ones)
+- [ ] Restarted the NetBird client
+- [ ] Disabled other VPN software
+- [ ] Checked firewall settings
+
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,26 +1,14 @@
-blank_issues_enabled: false
+blank_issues_enabled: true
 contact_links:
-  - name: Start an Issue Triage discussion
-    url: https://github.com/netbirdio/netbird/discussions/new?category=issue-triage
-    about: Report a bug, regression, or unexpected behavior so DevRel can validate it before it becomes an issue.
-  - name: Propose an idea or feature request
-    url: https://github.com/netbirdio/netbird/discussions/new?category=ideas-feature-requests
-    about: Share feature requests, enhancements, and integration ideas for community feedback and prioritization.
-  - name: Ask a Q&A / Support question
-    url: https://github.com/netbirdio/netbird/discussions/new?category=q-a-support
-    about: Get help with setup, configuration, self-hosting, troubleshooting, and general usage.
-  - name: Security vulnerability disclosure
-    url: https://github.com/netbirdio/netbird/security/policy
-    about: Please do not report security vulnerabilities in public issues or discussions.
-  - name: Community Support Forum
+  - name: Community Support
    url: https://forum.netbird.io/
-    about: Community support forum.
+    about: Community support forum
  - name: Cloud Support
    url: https://docs.netbird.io/help/report-bug-issues
-    about: Contact NetBird for Cloud support.
+    about: Contact us for support
  - name: Client/Connection Troubleshooting
    url: https://docs.netbird.io/help/troubleshooting-client
-    about: See the client troubleshooting guide for common connectivity issues.
+    about: See our client troubleshooting guide for help addressing common issues
  - name: Self-host Troubleshooting
    url: https://docs.netbird.io/selfhosted/troubleshooting
-    about: See the self-host troubleshooting guide for common deployment issues.
+    about: See our self-host troubleshooting guide for help addressing common issues
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ['feature-request']
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
+
+**Describe the solution you'd like**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Additional context**
+Add any other context or screenshots about the feature request here.
--- a/.github/ISSUE_TEMPLATE/validated_issue.yml
+++ b/.github/ISSUE_TEMPLATE/validated_issue.yml
@@ -1,128 +0,0 @@
-name: Validated issue
-description: Maintainer/DevRel only. Create an issue after a discussion has been validated or for internally validated work.
-title: "[Validated]: "
-body:
-  - type: markdown
-    attributes:
-      value: |
-        ## Discussion-first issue policy
-
-        Issues are maintainer-curated work items. Community reports and feature requests should start in [Discussions](https://github.com/netbirdio/netbird/discussions) so DevRel can validate, reproduce, and route them before engineering time is committed.
-
-        Use this form when:
-        - A discussion has been validated and should become actionable work.
-        - A maintainer is opening internally validated work that can bypass the discussion-first flow.
-
-        Issues opened without a relevant validated discussion or maintainer context may be closed and redirected to Discussions.
-
-  - type: checkboxes
-    id: validation-checks
-    attributes:
-      label: Validation checklist
-      options:
-        - label: This issue is linked to a validated discussion, or it is being opened directly by a maintainer.
-          required: true
-        - label: The report has enough context for engineering to act on it without re-triaging from scratch.
-          required: true
-        - label: Sensitive data, secrets, private keys, internal hostnames, and public IPs have been removed or intentionally disclosed.
-          required: true
-
-  - type: dropdown
-    id: issue-type
-    attributes:
-      label: Issue type
-      options:
-        - Bug / Regression
-        - Feature / Enhancement
-        - Documentation
-        - Maintenance / Refactor
-        - Cross-repository coordination
-        - Other
-    validations:
-      required: true
-
-  - type: input
-    id: source-discussion
-    attributes:
-      label: Source discussion
-      description: Link the GitHub Discussion that was validated. Maintainers bypassing the flow can write "Maintainer-created" and explain why below.
-      placeholder: https://github.com/netbirdio/netbird/discussions/1234
-    validations:
-      required: true
-
-  - type: input
-    id: validation-owner
-    attributes:
-      label: Validation owner
-      description: GitHub handle of the DevRel team member or maintainer who validated this work.
-      placeholder: "@username"
-    validations:
-      required: true
-
-  - type: dropdown
-    id: target-repository
-    attributes:
-      label: Target repository
-      description: Where should the implementation work happen?
-      options:
-        - netbirdio/netbird
-        - netbirdio/dashboard
-        - netbirdio/kubernetes-operator
-        - netbirdio/docs
-        - Multiple repositories
-        - Unknown / needs routing
-    validations:
-      required: true
-
-  - type: textarea
-    id: summary
-    attributes:
-      label: Summary
-      description: Concise description of the validated work.
-      placeholder: What needs to be fixed, changed, documented, or built?
-    validations:
-      required: true
-
-  - type: textarea
-    id: evidence
-    attributes:
-      label: Validation evidence
-      description: For bugs, include reproduction status, affected versions, logs, and environment. For features, include community traction, affected users, and alignment notes.
-      placeholder: |
-        - Reproduced by:
-        - Affected versions / platforms:
-        - Community signal:
-        - Related logs or screenshots:
-    validations:
-      required: true
-
-  - type: textarea
-    id: scope
-    attributes:
-      label: Proposed scope
-      description: Describe what is in scope and, if helpful, what is explicitly out of scope.
-      placeholder: |
-        In scope:
-        - ...
-
-        Out of scope:
-        - ...
-    validations:
-      required: true
-
-  - type: textarea
-    id: acceptance-criteria
-    attributes:
-      label: Acceptance criteria
-      description: What must be true for this issue to be closed?
-      placeholder: |
-        - [ ] ...
-        - [ ] ...
-    validations:
-      required: true
-
-  - type: textarea
-    id: additional-context
-    attributes:
-      label: Additional context
-      description: Links to related PRs, docs, issues in other repositories, roadmap items, or implementation notes.
--- a/client/internal/debug/debug.go
+++ b/client/internal/debug/debug.go
@@ -607,6 +607,12 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	if g.internalConfig.EnableSSHRemotePortForwarding != nil {
 		configContent.WriteString(fmt.Sprintf("EnableSSHRemotePortForwarding: %v\n", *g.internalConfig.EnableSSHRemotePortForwarding))
 	}
+	if g.internalConfig.DisableSSHAuth != nil {
+		configContent.WriteString(fmt.Sprintf("DisableSSHAuth: %v\n", *g.internalConfig.DisableSSHAuth))
+	}
+	if g.internalConfig.SSHJWTCacheTTL != nil {
+		configContent.WriteString(fmt.Sprintf("SSHJWTCacheTTL: %d\n", *g.internalConfig.SSHJWTCacheTTL))
+	}

 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))
@@ -633,6 +639,7 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	}

 	configContent.WriteString(fmt.Sprintf("LazyConnectionEnabled: %v\n", g.internalConfig.LazyConnectionEnabled))
+	configContent.WriteString(fmt.Sprintf("MTU: %d\n", g.internalConfig.MTU))
 }

 func (g *BundleGenerator) addProf() (err error) {
--- a/client/internal/debug/debug_test.go
+++ b/client/internal/debug/debug_test.go
@@ -5,16 +5,21 @@ import (
 	"bytes"
 	"encoding/json"
 	"net"
+	"net/url"
 	"os"
 	"path/filepath"
+	"reflect"
 	"strings"
 	"testing"
+	"time"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/configs"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )

@@ -766,3 +771,127 @@ Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 	assert.Contains(t, anonNftables, "chain input {")
 	assert.Contains(t, anonNftables, "type filter hook input priority filter; policy accept;")
 }
+
+// TestAddConfig_AllFieldsCovered uses reflection to ensure every field in
+// profilemanager.Config is either rendered in the debug bundle or explicitly
+// excluded. When a new field is added to Config, this test fails until the
+// developer either dumps it in addConfig/addCommonConfigFields or adds it to
+// the excluded set with a justification.
+func TestAddConfig_AllFieldsCovered(t *testing.T) {
+	excluded := map[string]string{
+		"PrivateKey":        "sensitive: WireGuard private key",
+		"PreSharedKey":      "sensitive: WireGuard pre-shared key",
+		"SSHKey":            "sensitive: SSH private key",
+		"ClientCertKeyPair": "non-config: parsed cert pair, not serialized",
+	}
+
+	mURL, _ := url.Parse("https://api.example.com:443")
+	aURL, _ := url.Parse("https://admin.example.com:443")
+	bTrue := true
+	iVal := 42
+	cfg := &profilemanager.Config{
+		PrivateKey:                    "priv",
+		PreSharedKey:                  "psk",
+		ManagementURL:                 mURL,
+		AdminURL:                      aURL,
+		WgIface:                       "wt0",
+		WgPort:                        51820,
+		NetworkMonitor:                &bTrue,
+		IFaceBlackList:                []string{"eth0"},
+		DisableIPv6Discovery:          true,
+		RosenpassEnabled:              true,
+		RosenpassPermissive:           true,
+		ServerSSHAllowed:              &bTrue,
+		EnableSSHRoot:                 &bTrue,
+		EnableSSHSFTP:                 &bTrue,
+		EnableSSHLocalPortForwarding:  &bTrue,
+		EnableSSHRemotePortForwarding: &bTrue,
+		DisableSSHAuth:                &bTrue,
+		SSHJWTCacheTTL:                &iVal,
+		DisableClientRoutes:           true,
+		DisableServerRoutes:           true,
+		DisableDNS:                    true,
+		DisableFirewall:               true,
+		BlockLANAccess:                true,
+		BlockInbound:                  true,
+		DisableNotifications:          &bTrue,
+		DNSLabels:                     domain.List{},
+		SSHKey:                        "sshkey",
+		NATExternalIPs:                []string{"1.2.3.4"},
+		CustomDNSAddress:              "1.1.1.1:53",
+		DisableAutoConnect:            true,
+		DNSRouteInterval:              5 * time.Second,
+		ClientCertPath:                "/tmp/cert",
+		ClientCertKeyPath:             "/tmp/key",
+		LazyConnectionEnabled:         true,
+		MTU:                           1280,
+	}
+
+	for _, anonymize := range []bool{false, true} {
+		t.Run("anonymize="+map[bool]string{true: "true", false: "false"}[anonymize], func(t *testing.T) {
+			g := &BundleGenerator{
+				anonymizer:     newAnonymizerForTest(),
+				internalConfig: cfg,
+				anonymize:      anonymize,
+			}
+
+			var sb strings.Builder
+			g.addCommonConfigFields(&sb)
+			rendered := sb.String() + renderAddConfigSpecific(g)
+
+			val := reflect.ValueOf(cfg).Elem()
+			typ := val.Type()
+			var missing []string
+			for i := 0; i < typ.NumField(); i++ {
+				name := typ.Field(i).Name
+				if _, ok := excluded[name]; ok {
+					continue
+				}
+				if !strings.Contains(rendered, name+":") {
+					missing = append(missing, name)
+				}
+			}
+			if len(missing) > 0 {
+				t.Fatalf("Config field(s) not present in debug bundle output: %v\n"+
+					"Either render the field in addCommonConfigFields/addConfig, "+
+					"or add it to the excluded map with a justification.", missing)
+			}
+		})
+	}
+}
+
+// renderAddConfigSpecific renders the fields handled by the anonymize/non-anonymize
+// branches in addConfig (ManagementURL, AdminURL, NATExternalIPs, CustomDNSAddress).
+// addCommonConfigFields covers the rest. Keeping this in the test mirrors the
+// production shape without needing to write an actual zip.
+func renderAddConfigSpecific(g *BundleGenerator) string {
+	var sb strings.Builder
+	if g.anonymize {
+		if g.internalConfig.ManagementURL != nil {
+			sb.WriteString("ManagementURL: " + g.anonymizer.AnonymizeURI(g.internalConfig.ManagementURL.String()) + "\n")
+		}
+		if g.internalConfig.AdminURL != nil {
+			sb.WriteString("AdminURL: " + g.anonymizer.AnonymizeURI(g.internalConfig.AdminURL.String()) + "\n")
+		}
+		sb.WriteString("NATExternalIPs: x\n")
+		if g.internalConfig.CustomDNSAddress != "" {
+			sb.WriteString("CustomDNSAddress: " + g.anonymizer.AnonymizeString(g.internalConfig.CustomDNSAddress) + "\n")
+		}
+	} else {
+		if g.internalConfig.ManagementURL != nil {
+			sb.WriteString("ManagementURL: " + g.internalConfig.ManagementURL.String() + "\n")
+		}
+		if g.internalConfig.AdminURL != nil {
+			sb.WriteString("AdminURL: " + g.internalConfig.AdminURL.String() + "\n")
+		}
+		sb.WriteString("NATExternalIPs: x\n")
+		if g.internalConfig.CustomDNSAddress != "" {
+			sb.WriteString("CustomDNSAddress: " + g.internalConfig.CustomDNSAddress + "\n")
+		}
+	}
+	return sb.String()
+}
+
+func newAnonymizerForTest() *anonymize.Anonymizer {
+	return anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+}
--- a/client/internal/portforward/pcp/nat.go
+++ b/client/internal/portforward/pcp/nat.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"runtime"
 	"sync"
 	"time"

@@ -178,12 +177,7 @@ func getDefaultGateway() (gateway net.IP, localIP net.IP, err error) {
 		return nil, nil, err
 	}

-	dst := net.IPv4zero
-	if runtime.GOOS == "linux" {
-		// go-netroute v0.4.0 rejects unspecified destinations client-side on Linux.
-		dst = net.IPv4(0, 0, 0, 1)
-	}
-	_, gateway, localIP, err = router.Route(dst)
+	_, gateway, localIP, err = router.Route(net.IPv4zero)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -202,12 +196,7 @@ func getDefaultGateway6() (gateway net.IP, localIP net.IP, err error) {
 		return nil, nil, err
 	}

-	dst := net.IPv6zero
-	if runtime.GOOS == "linux" {
-		// ::2
-		dst = net.IP{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2}
-	}
-	_, gateway, localIP, err = router.Route(dst)
+	_, gateway, localIP, err = router.Route(net.IPv6zero)
 	if err != nil {
 		return nil, nil, err
 	}
--- a/client/internal/routemanager/systemops/systemops_generic.go
+++ b/client/internal/routemanager/systemops/systemops_generic.go
@@ -342,22 +342,6 @@ func GetNextHop(ip netip.Addr) (Nexthop, error) {
 	if err != nil {
 		return Nexthop{}, fmt.Errorf("new netroute: %w", err)
 	}
-
-	// go-netroute v0.4.0 rejects unspecified destinations on Linux with a hard
-	// client-side check. Substitute the lowest non-loopback address so the
-	// lookup falls through to the default route (::1 / 127.0.0.1 would match
-	// loopback, ::/0.0.0.0 are unspec). BSD/Windows pass the query straight to
-	// the kernel and need no substitution.
-	if runtime.GOOS == "linux" && ip.IsUnspecified() {
-		if ip.Is6() {
-			// ::2
-			ip = netip.AddrFrom16([16]byte{15: 2})
-		} else {
-			// 0.0.0.1
-			ip = netip.AddrFrom4([4]byte{0, 0, 0, 1})
-		}
-	}
-
 	intf, gateway, preferredSrc, err := r.Route(ip.AsSlice())
 	if err != nil {
 		log.Debugf("Failed to get route for %s: %v", ip, err)
--- a/client/internal/routemanager/systemops/systemops_generic_test.go
+++ b/client/internal/routemanager/systemops/systemops_generic_test.go
@@ -354,13 +354,9 @@ func TestAddRouteToNonVPNIntf(t *testing.T) {
 			require.NoError(t, err, "Should be able to get IPv4 default route")
 			t.Logf("Initial IPv4 next hop: %s", initialNextHopV4)

-			if testCase.prefix.Addr().Is6() && !testCase.expectError {
-				ensureIPv6DefaultRoute(t)
-			}
-
 			initialNextHopV6, err := GetNextHop(netip.IPv6Unspecified())
 			if testCase.prefix.Addr().Is6() &&
-				initialNextHopV6.Intf != nil && strings.HasPrefix(initialNextHopV6.Intf.Name, "utun") {
+				(errors.Is(err, vars.ErrRouteNotFound) || initialNextHopV6.Intf != nil && strings.HasPrefix(initialNextHopV6.Intf.Name, "utun")) {
 				t.Skip("Skipping test as no ipv6 default route is available")
 			}
 			if err != nil && !errors.Is(err, vars.ErrRouteNotFound) {
--- a/client/internal/routemanager/systemops/v6route_bsd_test.go
+++ b/client/internal/routemanager/systemops/v6route_bsd_test.go
@@ -1,30 +0,0 @@
-//go:build darwin || dragonfly || freebsd || netbsd || openbsd
-
-package systemops
-
-import (
-	"bytes"
-	"os/exec"
-	"testing"
-)
-
-// ensureIPv6DefaultRoute installs an IPv6 default route via the loopback
-// interface so route lookups for global IPv6 prefixes resolve in environments
-// without v6 connectivity. If a default already exists it is left alone.
-func ensureIPv6DefaultRoute(t *testing.T) {
-	t.Helper()
-
-	out, err := exec.Command("route", "-6", "add", "default", "-iface", "lo0").CombinedOutput()
-	if err != nil {
-		// Existing default; nothing to install or clean up.
-		if bytes.Contains(out, []byte("route already in table")) {
-			return
-		}
-		t.Skipf("install IPv6 fallback default route: %v: %s", err, out)
-	}
-	t.Cleanup(func() {
-		if out, err := exec.Command("route", "-6", "delete", "default").CombinedOutput(); err != nil {
-			t.Logf("delete IPv6 fallback default route: %v: %s", err, out)
-		}
-	})
-}
--- a/client/internal/routemanager/systemops/v6route_linux_test.go
+++ b/client/internal/routemanager/systemops/v6route_linux_test.go
@@ -1,41 +0,0 @@
-//go:build linux && !android
-
-package systemops
-
-import (
-	"errors"
-	"net"
-	"syscall"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-	"github.com/vishvananda/netlink"
-)
-
-// ensureIPv6DefaultRoute installs a low-preference IPv6 default route via the
-// loopback interface so route lookups for global IPv6 prefixes resolve in
-// environments without v6 connectivity. Any pre-existing default route wins
-// because of its lower metric.
-func ensureIPv6DefaultRoute(t *testing.T) {
-	t.Helper()
-
-	lo, err := netlink.LinkByName("lo")
-	require.NoError(t, err, "find loopback interface")
-
-	route := &netlink.Route{
-		Dst:       &net.IPNet{IP: net.IPv6zero, Mask: net.CIDRMask(0, 128)},
-		LinkIndex: lo.Attrs().Index,
-		Priority:  1 << 20,
-	}
-	if err := netlink.RouteAdd(route); err != nil {
-		if errors.Is(err, syscall.EEXIST) {
-			return
-		}
-		t.Skipf("install IPv6 fallback default route: %v", err)
-	}
-	t.Cleanup(func() {
-		if err := netlink.RouteDel(route); err != nil && !errors.Is(err, syscall.ESRCH) {
-			t.Logf("delete IPv6 fallback default route: %v", err)
-		}
-	})
-}
--- a/client/internal/routemanager/systemops/v6route_windows_test.go
+++ b/client/internal/routemanager/systemops/v6route_windows_test.go
@@ -1,34 +0,0 @@
-//go:build windows
-
-package systemops
-
-import (
-	"bytes"
-	"os/exec"
-	"testing"
-)
-
-const loopbackIfaceWindows = "Loopback Pseudo-Interface 1"
-
-// ensureIPv6DefaultRoute installs an IPv6 default route via the loopback
-// interface so route lookups for global IPv6 prefixes resolve in environments
-// without v6 connectivity. If a default already exists it is left alone.
-func ensureIPv6DefaultRoute(t *testing.T) {
-	t.Helper()
-
-	script := `New-NetRoute -DestinationPrefix "::/0" -InterfaceAlias "` + loopbackIfaceWindows + `" -RouteMetric 9999 -PolicyStore ActiveStore -ErrorAction Stop`
-	out, err := exec.Command("powershell", "-Command", script).CombinedOutput()
-	if err != nil {
-		// Existing default; nothing to install or clean up.
-		if bytes.Contains(out, []byte("already exists")) {
-			return
-		}
-		t.Skipf("install IPv6 fallback default route: %v: %s", err, out)
-	}
-	t.Cleanup(func() {
-		script := `Remove-NetRoute -DestinationPrefix "::/0" -InterfaceAlias "` + loopbackIfaceWindows + `" -Confirm:$false -ErrorAction Stop`
-		if out, err := exec.Command("powershell", "-Command", script).CombinedOutput(); err != nil {
-			t.Logf("delete IPv6 fallback default route: %v: %s", err, out)
-		}
-	})
-}
--- a/go.mod
+++ b/go.mod
@@ -17,8 +17,8 @@ require (
 	github.com/spf13/cobra v1.10.1
 	github.com/spf13/pflag v1.0.9
 	github.com/vishvananda/netlink v1.3.1
-	golang.org/x/crypto v0.50.0
-	golang.org/x/sys v0.43.0
+	golang.org/x/crypto v0.49.0
+	golang.org/x/sys v0.42.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
@@ -68,7 +68,7 @@ require (
 	github.com/jackc/pgx/v5 v5.5.5
 	github.com/libdns/route53 v1.5.0
 	github.com/libp2p/go-nat v0.2.0
-	github.com/libp2p/go-netroute v0.4.0
+	github.com/libp2p/go-netroute v0.2.1
 	github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81
 	github.com/mdlayher/socket v0.5.1
 	github.com/mdp/qrterminal/v3 v3.2.1
@@ -118,11 +118,11 @@ require (
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
 	golang.org/x/mobile v0.0.0-20251113184115-a159579294ab
-	golang.org/x/mod v0.34.0
-	golang.org/x/net v0.53.0
+	golang.org/x/mod v0.33.0
+	golang.org/x/net v0.52.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	golang.org/x/term v0.42.0
+	golang.org/x/term v0.41.0
 	golang.org/x/time v0.15.0
 	google.golang.org/api v0.276.0
 	gopkg.in/yaml.v3 v3.0.1
@@ -303,8 +303,8 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	golang.org/x/image v0.33.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
-	golang.org/x/tools v0.43.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
+	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401024825-9d38bb4040a9 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
@@ -323,6 +323,8 @@ replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-2023080111

 replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51

+replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
+
 replace github.com/dexidp/dex => github.com/netbirdio/dex v0.244.0

 replace github.com/mailru/easyjson => github.com/netbirdio/easyjson v0.9.0
--- a/go.sum
+++ b/go.sum
@@ -395,8 +395,6 @@ github.com/libdns/route53 v1.5.0 h1:2SKdpPFl/qgWsXQvsLNJJAoX7rSxlk7zgoL4jnWdXVA=
 github.com/libdns/route53 v1.5.0/go.mod h1:joT4hKmaTNKHEwb7GmZ65eoDz1whTu7KKYPS8ZqIh6Q=
 github.com/libp2p/go-nat v0.2.0 h1:Tyz+bUFAYqGyJ/ppPPymMGbIgNRH+WqC5QrT5fKrrGk=
 github.com/libp2p/go-nat v0.2.0/go.mod h1:3MJr+GRpRkyT65EpVPBstXLvOlAPzUVlG6Pwg9ohLJk=
-github.com/libp2p/go-netroute v0.4.0 h1:sZZx9hyANYUx9PZyqcgE/E1GUG3iEtTZHUEvdtXT7/Q=
-github.com/libp2p/go-netroute v0.4.0/go.mod h1:Nkd5ShYgSMS5MUKy/MU2T57xFoOKvvLR92Lic48LEyA=
 github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81 h1:J56rFEfUTFT9j9CiRXhi1r8lUJ4W5idG3CiaBZGojNU=
 github.com/lrh3321/ipset-go v0.0.0-20250619021614-54a0a98ace81/go.mod h1:RD8ML/YdXctQ7qbcizZkw5mZ6l8Ogrl1dodBzVJduwI=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
@@ -455,6 +453,8 @@ github.com/netbirdio/dex v0.244.0 h1:1GOvi8wnXYassnKGildzNqRHq0RbcfEUw7LKYpKIN7U
 github.com/netbirdio/dex v0.244.0/go.mod h1:STGInJhPcAflrHmDO7vyit2kSq03PdL+8zQPoGALtcU=
 github.com/netbirdio/easyjson v0.9.0 h1:6Nw2lghSVuy8RSkAYDhDv1thBVEmfVbKZnV7T7Z6Aus=
 github.com/netbirdio/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
+github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
+github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
 github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
 github.com/netbirdio/management-integrations/integrations v0.0.0-20260416123949-2355d972be42 h1:F3zS5fT9xzD1OFLfcdAE+3FfyiwjGukF1hvj0jErgs8=
@@ -711,8 +711,8 @@ golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1m
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
 golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
 golang.org/x/image v0.33.0 h1:LXRZRnv1+zGd5XBUVRFmYEphyyKJjQjCRiOuAP3sZfQ=
@@ -729,8 +729,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
-golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
@@ -749,8 +749,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=
+golang.org/x/net v0.52.0/go.mod h1:R1MAz7uMZxVMualyPXb+VaqGSa3LIaUqk0eEt3w36Sw=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
 golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
@@ -801,8 +801,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -815,8 +815,8 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
-golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
-golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -828,8 +828,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -843,8 +843,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
-golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/idp/dex/connector.go
+++ b/idp/dex/connector.go
@@ -89,33 +89,21 @@ func (p *Provider) ListConnectors(ctx context.Context) ([]*ConnectorConfig, erro
 }

 // UpdateConnector updates an existing connector in Dex storage.
-// It overlays user-mutable config fields (issuer, clientID, clientSecret,
-// redirectURI) onto the stored connector config, and updates the connector name
-// when cfg.Name is set. Empty fields on cfg leave stored values unchanged, so
-// partial updates preserve create-time defaults such as scopes, claimMapping,
-// and userIDKey.
+// It merges incoming updates with existing values to prevent data loss on partial updates.
 func (p *Provider) UpdateConnector(ctx context.Context, cfg *ConnectorConfig) error {
 	if err := p.storage.UpdateConnector(ctx, cfg.ID, func(old storage.Connector) (storage.Connector, error) {
-		if cfg.Type != "" && cfg.Type != inferIdentityProviderType(old.Type, cfg.ID, nil) {
-			return storage.Connector{}, errors.New("connector type change not allowed")
-		}
-
-		configData, err := overlayConnectorConfig(old.Config, cfg)
+		oldCfg, err := p.parseStorageConnector(old)
 		if err != nil {
-			return storage.Connector{}, fmt.Errorf("failed to overlay connector config: %w", err)
+			return storage.Connector{}, fmt.Errorf("failed to parse existing connector: %w", err)
 		}

-		name := cfg.Name
-		if name == "" {
-			name = old.Name
-		}
+		mergeConnectorConfig(cfg, oldCfg)

-		return storage.Connector{
-			ID:     cfg.ID,
-			Type:   old.Type,
-			Name:   name,
-			Config: configData,
-		}, nil
+		storageConn, err := p.buildStorageConnector(cfg)
+		if err != nil {
+			return storage.Connector{}, fmt.Errorf("failed to build connector: %w", err)
+		}
+		return storageConn, nil
 	}); err != nil {
 		return fmt.Errorf("failed to update connector: %w", err)
 	}
@@ -124,27 +112,23 @@ func (p *Provider) UpdateConnector(ctx context.Context, cfg *ConnectorConfig) er
 	return nil
 }

-// overlayConnectorConfig writes only the user-mutable fields onto the existing
-// stored config, preserving every other field (scopes, claimMapping, userIDKey,
-// insecure flags, etc.). Empty fields on cfg leave the existing value alone.
-func overlayConnectorConfig(oldConfig []byte, cfg *ConnectorConfig) ([]byte, error) {
-	var m map[string]any
-	if err := decodeConnectorConfig(oldConfig, &m); err != nil {
-		return nil, err
+// mergeConnectorConfig preserves existing values for empty fields in the update.
+func mergeConnectorConfig(cfg, oldCfg *ConnectorConfig) {
+	if cfg.ClientSecret == "" {
+		cfg.ClientSecret = oldCfg.ClientSecret
 	}
-	if cfg.Issuer != "" {
-		m["issuer"] = cfg.Issuer
+	if cfg.RedirectURI == "" {
+		cfg.RedirectURI = oldCfg.RedirectURI
 	}
-	if cfg.ClientID != "" {
-		m["clientID"] = cfg.ClientID
+	if cfg.Issuer == "" && cfg.Type == oldCfg.Type {
+		cfg.Issuer = oldCfg.Issuer
 	}
-	if cfg.ClientSecret != "" {
-		m["clientSecret"] = cfg.ClientSecret
+	if cfg.ClientID == "" {
+		cfg.ClientID = oldCfg.ClientID
 	}
-	if cfg.RedirectURI != "" {
-		m["redirectURI"] = cfg.RedirectURI
+	if cfg.Name == "" {
+		cfg.Name = oldCfg.Name
 	}
-	return encodeConnectorConfig(m)
 }

 // DeleteConnector removes a connector from Dex storage.
@@ -232,10 +216,6 @@ func buildOIDCConnectorConfig(cfg *ConnectorConfig, redirectURI string) ([]byte,
 		oidcConfig["getUserInfo"] = true
 	case "entra":
 		oidcConfig["claimMapping"] = map[string]string{"email": "preferred_username"}
-		// Use the Entra Object ID (oid) instead of the default OIDC sub claim.
-		// Entra issues sub as a per-app pairwise identifier that does not match
-		// the stable Object ID.
-		oidcConfig["userIDKey"] = "oid"
 	case "okta":
 		oidcConfig["scopes"] = []string{"openid", "profile", "email", "groups"}
 	case "pocketid":
--- a/idp/dex/connector_test.go
+++ b/idp/dex/connector_test.go
@@ -1,205 +0,0 @@
-package dex
-
-import (
-	"context"
-	"encoding/json"
-	"log/slog"
-	"os"
-	"path/filepath"
-	"testing"
-
-	"github.com/dexidp/dex/storage"
-	"github.com/dexidp/dex/storage/sql"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func newTestProvider(t *testing.T) (*Provider, func()) {
-	t.Helper()
-	tmpDir, err := os.MkdirTemp("", "dex-connector-test-*")
-	require.NoError(t, err)
-
-	logger := slog.New(slog.NewTextHandler(os.Stderr, nil))
-	s, err := (&sql.SQLite3{File: filepath.Join(tmpDir, "dex.db")}).Open(logger)
-	require.NoError(t, err)
-
-	return &Provider{storage: s, logger: logger}, func() {
-		_ = s.Close()
-		_ = os.RemoveAll(tmpDir)
-	}
-}
-
-func TestBuildOIDCConnectorConfig_EntraSetsUserIDKey(t *testing.T) {
-	cfg := &ConnectorConfig{
-		ID:           "entra-test",
-		Name:         "Entra",
-		Type:         "entra",
-		Issuer:       "https://login.microsoftonline.com/tid/v2.0",
-		ClientID:     "client-id",
-		ClientSecret: "client-secret",
-	}
-	data, err := buildOIDCConnectorConfig(cfg, "https://example.com/oauth2/callback")
-	require.NoError(t, err)
-
-	var m map[string]any
-	require.NoError(t, json.Unmarshal(data, &m))
-
-	assert.Equal(t, "oid", m["userIDKey"], "entra connectors must default userIDKey to oid")
-	assert.Equal(t, map[string]any{"email": "preferred_username"}, m["claimMapping"])
-}
-
-func TestBuildOIDCConnectorConfig_NonEntraDoesNotSetUserIDKey(t *testing.T) {
-	// ensures the Entra userIDKey override does not leak into other OIDC providers,
-	// which already use a stable sub claim.
-	for _, typ := range []string{"oidc", "zitadel", "okta", "pocketid", "authentik", "keycloak", "adfs"} {
-		t.Run(typ, func(t *testing.T) {
-			data, err := buildOIDCConnectorConfig(&ConnectorConfig{Type: typ}, "https://example.com/oauth2/callback")
-			require.NoError(t, err)
-			var m map[string]any
-			require.NoError(t, json.Unmarshal(data, &m))
-			_, ok := m["userIDKey"]
-			assert.False(t, ok, "%s connectors must not have userIDKey set", typ)
-		})
-	}
-}
-
-func TestUpdateConnector_PreservesCreateTimeDefaults(t *testing.T) {
-	ctx := context.Background()
-	p, cleanup := newTestProvider(t)
-	defer cleanup()
-
-	created, err := p.CreateConnector(ctx, &ConnectorConfig{
-		ID:           "entra-test",
-		Name:         "Entra",
-		Type:         "entra",
-		Issuer:       "https://login.microsoftonline.com/tid/v2.0",
-		ClientID:     "client-id",
-		ClientSecret: "old-secret",
-		RedirectURI:  "https://example.com/oauth2/callback",
-	})
-	require.NoError(t, err)
-	require.Equal(t, "entra-test", created.ID)
-
-	// Rotate only the client secret.
-	err = p.UpdateConnector(ctx, &ConnectorConfig{
-		ID:           "entra-test",
-		Type:         "entra",
-		ClientSecret: "new-secret",
-	})
-	require.NoError(t, err)
-
-	conn, err := p.storage.GetConnector(ctx, "entra-test")
-	require.NoError(t, err)
-	var m map[string]any
-	require.NoError(t, json.Unmarshal(conn.Config, &m))
-
-	assert.Equal(t, "new-secret", m["clientSecret"], "clientSecret should be rotated")
-	assert.Equal(t, "client-id", m["clientID"], "clientID must survive (overlay should leave it alone)")
-	assert.Equal(t, "https://login.microsoftonline.com/tid/v2.0", m["issuer"])
-	assert.Equal(t, "oid", m["userIDKey"], "userIDKey must survive update")
-	assert.Equal(t, map[string]any{"email": "preferred_username"}, m["claimMapping"], "claimMapping must survive update")
-}
-
-func TestUpdateConnector_DoesNotAddUserIDKeyToExistingConnector(t *testing.T) {
-	ctx := context.Background()
-	p, cleanup := newTestProvider(t)
-	defer cleanup()
-
-	// Seed a connector directly into storage without userIDKey
-	preFixConfig, err := json.Marshal(map[string]any{
-		"issuer":       "https://login.microsoftonline.com/tid/v2.0",
-		"clientID":     "client-id",
-		"clientSecret": "old-secret",
-		"redirectURI":  "https://example.com/oauth2/callback",
-		"scopes":       []string{"openid", "profile", "email"},
-		"claimMapping": map[string]string{"email": "preferred_username"},
-	})
-	require.NoError(t, err)
-
-	require.NoError(t, p.storage.CreateConnector(ctx, storage.Connector{
-		ID:     "entra-prefix",
-		Type:   "oidc",
-		Name:   "Entra",
-		Config: preFixConfig,
-	}))
-
-	// Rotate client secret via UpdateConnector.
-	err = p.UpdateConnector(ctx, &ConnectorConfig{
-		ID:           "entra-prefix",
-		Type:         "entra",
-		ClientSecret: "new-secret",
-	})
-	require.NoError(t, err)
-
-	conn, err := p.storage.GetConnector(ctx, "entra-prefix")
-	require.NoError(t, err)
-	var m map[string]any
-	require.NoError(t, json.Unmarshal(conn.Config, &m))
-
-	assert.Equal(t, "new-secret", m["clientSecret"])
-	_, has := m["userIDKey"]
-	assert.False(t, has, "userIDKey must not be auto-added to a connector that did not have it before")
-}
-
-func TestUpdateConnector_RejectsTypeChange(t *testing.T) {
-	ctx := context.Background()
-	p, cleanup := newTestProvider(t)
-	defer cleanup()
-
-	_, err := p.CreateConnector(ctx, &ConnectorConfig{
-		ID:           "entra-test",
-		Name:         "Entra",
-		Type:         "entra",
-		Issuer:       "https://login.microsoftonline.com/tid/v2.0",
-		ClientID:     "client-id",
-		ClientSecret: "secret",
-		RedirectURI:  "https://example.com/oauth2/callback",
-	})
-	require.NoError(t, err)
-
-	// Attempt to switch the connector to okta.
-	err = p.UpdateConnector(ctx, &ConnectorConfig{
-		ID:   "entra-test",
-		Type: "okta",
-	})
-	require.Error(t, err)
-	assert.Contains(t, err.Error(), "connector type change not allowed")
-
-	// stored connector type/config unchanged after the rejected update.
-	conn, err := p.storage.GetConnector(ctx, "entra-test")
-	require.NoError(t, err)
-	assert.Equal(t, "oidc", conn.Type)
-	var m map[string]any
-	require.NoError(t, json.Unmarshal(conn.Config, &m))
-	assert.Equal(t, "oid", m["userIDKey"])
-}
-
-func TestUpdateConnector_AllowsSameTypeUpdate(t *testing.T) {
-	ctx := context.Background()
-	p, cleanup := newTestProvider(t)
-	defer cleanup()
-
-	_, err := p.CreateConnector(ctx, &ConnectorConfig{
-		ID:           "entra-test",
-		Name:         "Entra",
-		Type:         "entra",
-		Issuer:       "https://login.microsoftonline.com/old/v2.0",
-		ClientID:     "client-id",
-		ClientSecret: "secret",
-		RedirectURI:  "https://example.com/oauth2/callback",
-	})
-	require.NoError(t, err)
-
-	err = p.UpdateConnector(ctx, &ConnectorConfig{
-		ID:     "entra-test",
-		Type:   "entra",
-		Issuer: "https://login.microsoftonline.com/new/v2.0",
-	})
-	require.NoError(t, err)
-
-	conn, err := p.storage.GetConnector(ctx, "entra-test")
-	require.NoError(t, err)
-	var m map[string]any
-	require.NoError(t, json.Unmarshal(conn.Config, &m))
-	assert.Equal(t, "https://login.microsoftonline.com/new/v2.0", m["issuer"])
-}
--- a/management/internals/shared/grpc/proxy.go
+++ b/management/internals/shared/grpc/proxy.go
@@ -11,8 +11,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"os"
-	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -84,40 +82,11 @@ type ProxyServiceServer struct {
 	// Store for PKCE verifiers
 	pkceVerifierStore *PKCEVerifierStore

-	// tokenTTL is the lifetime of one-time tokens generated for proxy
-	// authentication. Defaults to defaultProxyTokenTTL when zero.
-	tokenTTL time.Duration
-
-	// snapshotBatchSize is the number of mappings per gRPC message during
-	// initial snapshot delivery. Configurable via NB_PROXY_SNAPSHOT_BATCH_SIZE.
-	snapshotBatchSize int
-
 	cancel context.CancelFunc
 }

 const pkceVerifierTTL = 10 * time.Minute

-const defaultProxyTokenTTL = 5 * time.Minute
-
-const defaultSnapshotBatchSize = 500
-
-func snapshotBatchSizeFromEnv() int {
-	if v := os.Getenv("NB_PROXY_SNAPSHOT_BATCH_SIZE"); v != "" {
-		if n, err := strconv.Atoi(v); err == nil && n > 0 {
-			return n
-		}
-	}
-	return defaultSnapshotBatchSize
-}
-
-// proxyTokenTTL returns the configured token TTL or the default when unset.
-func (s *ProxyServiceServer) proxyTokenTTL() time.Duration {
-	if s.tokenTTL > 0 {
-		return s.tokenTTL
-	}
-	return defaultProxyTokenTTL
-}
-
 // proxyConnection represents a connected proxy
 type proxyConnection struct {
 	proxyID      string
@@ -141,7 +110,6 @@ func NewProxyServiceServer(accessLogMgr accesslogs.Manager, tokenStore *OneTimeT
 		peersManager:      peersManager,
 		usersManager:      usersManager,
 		proxyManager:      proxyMgr,
-		snapshotBatchSize: snapshotBatchSizeFromEnv(),
 		cancel:            cancel,
 	}
 	go s.cleanupStaleProxies(ctx)
@@ -224,6 +192,11 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 		cancel:       cancel,
 	}

+	s.connectedProxies.Store(proxyID, conn)
+	if err := s.proxyController.RegisterProxyToCluster(ctx, conn.address, proxyID); err != nil {
+		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", proxyID, err)
+	}
+
 	// Register proxy in database with capabilities
 	var caps *proxy.Capabilities
 	if c := req.GetCapabilities(); c != nil {
@@ -236,31 +209,13 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 	proxyRecord, err := s.proxyManager.Connect(ctx, proxyID, sessionID, proxyAddress, peerInfo, caps)
 	if err != nil {
 		log.WithContext(ctx).Warnf("failed to register proxy %s in database: %v", proxyID, err)
-		cancel()
+		s.connectedProxies.CompareAndDelete(proxyID, conn)
+		if unregErr := s.proxyController.UnregisterProxyFromCluster(ctx, conn.address, proxyID); unregErr != nil {
+			log.WithContext(ctx).Debugf("cleanup after Connect failure for proxy %s: %v", proxyID, unregErr)
+		}
 		return status.Errorf(codes.Internal, "register proxy in database: %v", err)
 	}

-	s.connectedProxies.Store(proxyID, conn)
-	if err := s.proxyController.RegisterProxyToCluster(ctx, conn.address, proxyID); err != nil {
-		log.WithContext(ctx).Warnf("Failed to register proxy %s in cluster: %v", proxyID, err)
-	}
-
-	if err := s.sendSnapshot(ctx, conn); err != nil {
-		if s.connectedProxies.CompareAndDelete(proxyID, conn) {
-			if unregErr := s.proxyController.UnregisterProxyFromCluster(context.Background(), conn.address, proxyID); unregErr != nil {
-				log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, unregErr)
-			}
-		}
-		cancel()
-		if disconnErr := s.proxyManager.Disconnect(context.Background(), proxyID, sessionID); disconnErr != nil {
-			log.WithContext(ctx).Debugf("cleanup after snapshot failure for proxy %s: %v", proxyID, disconnErr)
-		}
-		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
-	}
-
-	errChan := make(chan error, 2)
-	go s.sender(conn, errChan)
-
 	log.WithFields(log.Fields{
 		"proxy_id":      proxyID,
 		"session_id":    sessionID,
@@ -286,6 +241,13 @@ func (s *ProxyServiceServer) GetMappingUpdate(req *proto.GetMappingUpdateRequest
 		log.Infof("Proxy %s session %s disconnected", proxyID, sessionID)
 	}()

+	if err := s.sendSnapshot(ctx, conn); err != nil {
+		return fmt.Errorf("send snapshot to proxy %s: %w", proxyID, err)
+	}
+
+	errChan := make(chan error, 2)
+	go s.sender(conn, errChan)
+
 	go s.heartbeat(connCtx, proxyRecord)

 	select {
@@ -328,27 +290,22 @@ func (s *ProxyServiceServer) sendSnapshot(ctx context.Context, conn *proxyConnec
 		return err
 	}

-	// Send mappings in batches to reduce per-message gRPC overhead while
-	// staying well within the default 4 MB message size limit.
-	for i := 0; i < len(mappings); i += s.snapshotBatchSize {
-		end := i + s.snapshotBatchSize
-		if end > len(mappings) {
-			end = len(mappings)
-		}
-		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
-			Mapping:             mappings[i:end],
-			InitialSyncComplete: end == len(mappings),
-		}); err != nil {
-			return fmt.Errorf("send snapshot batch: %w", err)
-		}
-	}
-
 	if len(mappings) == 0 {
 		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
 			InitialSyncComplete: true,
 		}); err != nil {
 			return fmt.Errorf("send snapshot completion: %w", err)
 		}
+		return nil
+	}
+
+	for i, m := range mappings {
+		if err := conn.stream.Send(&proto.GetMappingUpdateResponse{
+			Mapping:             []*proto.ProxyMapping{m},
+			InitialSyncComplete: i == len(mappings)-1,
+		}); err != nil {
+			return fmt.Errorf("send proxy mapping: %w", err)
+		}
 	}

 	return nil
@@ -366,9 +323,13 @@ func (s *ProxyServiceServer) snapshotServiceMappings(ctx context.Context, conn *
 			continue
 		}

-		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, s.proxyTokenTTL())
+		token, err := s.tokenStore.GenerateToken(service.AccountID, service.ID, 5*time.Minute)
 		if err != nil {
-			return nil, fmt.Errorf("generate auth token for service %s: %w", service.ID, err)
+			log.WithFields(log.Fields{
+				"service": service.Name,
+				"account": service.AccountID,
+			}).WithError(err).Error("failed to generate auth token for snapshot")
+			continue
 		}

 		m := service.ToProtoMapping(rpservice.Create, token, s.GetOIDCValidationConfig())
@@ -448,16 +409,13 @@ func (s *ProxyServiceServer) SendServiceUpdate(update *proto.GetMappingUpdateRes
 		conn := value.(*proxyConnection)
 		resp := s.perProxyMessage(update, conn.proxyID)
 		if resp == nil {
-			log.Warnf("Token generation failed for proxy %s, disconnecting to force resync", conn.proxyID)
-			conn.cancel()
 			return true
 		}
 		select {
 		case conn.sendChan <- resp:
 			log.Debugf("Sent service update to proxy server %s", conn.proxyID)
 		default:
-			log.Warnf("Send channel full for proxy %s, disconnecting to force resync", conn.proxyID)
-			conn.cancel()
+			log.Warnf("Failed to send service update to proxy server %s (channel full)", conn.proxyID)
 		}
 		return true
 	})
@@ -537,16 +495,13 @@ func (s *ProxyServiceServer) SendServiceUpdateToCluster(ctx context.Context, upd
 		}
 		msg := s.perProxyMessage(updateResponse, proxyID)
 		if msg == nil {
-			log.WithContext(ctx).Warnf("Token generation failed for proxy %s in cluster %s, disconnecting to force resync", proxyID, clusterAddr)
-			conn.cancel()
 			continue
 		}
 		select {
 		case conn.sendChan <- msg:
 			log.WithContext(ctx).Debugf("Sent service update with id %s to proxy %s in cluster %s", update.Id, proxyID, clusterAddr)
 		default:
-			log.WithContext(ctx).Warnf("Send channel full for proxy %s in cluster %s, disconnecting to force resync", proxyID, clusterAddr)
-			conn.cancel()
+			log.WithContext(ctx).Warnf("Failed to send service update to proxy %s in cluster %s (channel full)", proxyID, clusterAddr)
 		}
 	}
 }
@@ -572,8 +527,7 @@ func proxyAcceptsMapping(conn *proxyConnection, mapping *proto.ProxyMapping) boo
 // perProxyMessage returns a copy of update with a fresh one-time token for
 // create/update operations. For delete operations the original mapping is
 // used unchanged because proxies do not need to authenticate for removal.
-// Returns nil if token generation fails; the caller must disconnect the
-// proxy so it can resync via a fresh snapshot on reconnect.
+// Returns nil if token generation fails (the proxy should be skipped).
 func (s *ProxyServiceServer) perProxyMessage(update *proto.GetMappingUpdateResponse, proxyID string) *proto.GetMappingUpdateResponse {
 	resp := make([]*proto.ProxyMapping, 0, len(update.Mapping))
 	for _, mapping := range update.Mapping {
@@ -582,7 +536,7 @@ func (s *ProxyServiceServer) perProxyMessage(update *proto.GetMappingUpdateRespo
 			continue
 		}

-		token, err := s.tokenStore.GenerateToken(mapping.AccountId, mapping.Id, s.proxyTokenTTL())
+		token, err := s.tokenStore.GenerateToken(mapping.AccountId, mapping.Id, 5*time.Minute)
 		if err != nil {
 			log.Warnf("Failed to generate token for proxy %s: %v", proxyID, err)
 			return nil
--- a/management/internals/shared/grpc/proxy_snapshot_test.go
+++ b/management/internals/shared/grpc/proxy_snapshot_test.go
@@ -1,174 +0,0 @@
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/metadata"
-
-	rpservice "github.com/netbirdio/netbird/management/internals/modules/reverseproxy/service"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// recordingStream captures all messages sent via Send so tests can inspect
-// batching behaviour without a real gRPC transport.
-type recordingStream struct {
-	grpc.ServerStream
-	messages []*proto.GetMappingUpdateResponse
-}
-
-func (s *recordingStream) Send(m *proto.GetMappingUpdateResponse) error {
-	s.messages = append(s.messages, m)
-	return nil
-}
-
-func (s *recordingStream) Context() context.Context     { return context.Background() }
-func (s *recordingStream) SetHeader(metadata.MD) error  { return nil }
-func (s *recordingStream) SendHeader(metadata.MD) error { return nil }
-func (s *recordingStream) SetTrailer(metadata.MD)       {}
-func (s *recordingStream) SendMsg(any) error            { return nil }
-func (s *recordingStream) RecvMsg(any) error            { return nil }
-
-// makeServices creates n enabled services assigned to the given cluster.
-func makeServices(n int, cluster string) []*rpservice.Service {
-	services := make([]*rpservice.Service, n)
-	for i := range n {
-		services[i] = &rpservice.Service{
-			ID:           fmt.Sprintf("svc-%d", i),
-			AccountID:    "acct-1",
-			Name:         fmt.Sprintf("svc-%d", i),
-			Domain:       fmt.Sprintf("svc-%d.example.com", i),
-			ProxyCluster: cluster,
-			Enabled:      true,
-			Targets: []*rpservice.Target{
-				{TargetType: rpservice.TargetTypeHost, TargetId: "host-1"},
-			},
-		}
-	}
-	return services
-}
-
-func newSnapshotTestServer(t *testing.T, batchSize int) *ProxyServiceServer {
-	t.Helper()
-	s := &ProxyServiceServer{
-		tokenStore:        NewOneTimeTokenStore(context.Background(), testCacheStore(t)),
-		snapshotBatchSize: batchSize,
-	}
-	s.SetProxyController(newTestProxyController())
-	return s
-}
-
-func TestSendSnapshot_BatchesMappings(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 3
-	const totalServices = 7 // 3 + 3 + 1
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &recordingStream{}
-	conn := &proxyConnection{
-		proxyID: "proxy-a",
-		address: cluster,
-		stream:  stream,
-	}
-
-	err := s.sendSnapshot(context.Background(), conn)
-	require.NoError(t, err)
-
-	// Expect ceil(7/3) = 3 messages
-	require.Len(t, stream.messages, 3, "should send ceil(totalServices/batchSize) messages")
-
-	assert.Len(t, stream.messages[0].Mapping, 3)
-	assert.False(t, stream.messages[0].InitialSyncComplete, "first batch should not be sync-complete")
-
-	assert.Len(t, stream.messages[1].Mapping, 3)
-	assert.False(t, stream.messages[1].InitialSyncComplete, "middle batch should not be sync-complete")
-
-	assert.Len(t, stream.messages[2].Mapping, 1)
-	assert.True(t, stream.messages[2].InitialSyncComplete, "last batch must be sync-complete")
-
-	// Verify all service IDs are present exactly once
-	seen := make(map[string]bool)
-	for _, msg := range stream.messages {
-		for _, m := range msg.Mapping {
-			assert.False(t, seen[m.Id], "duplicate service ID %s", m.Id)
-			seen[m.Id] = true
-		}
-	}
-	assert.Len(t, seen, totalServices)
-}
-
-func TestSendSnapshot_ExactBatchMultiple(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 3
-	const totalServices = 6 // exactly 2 batches
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &recordingStream{}
-	conn := &proxyConnection{proxyID: "proxy-a", address: cluster, stream: stream}
-
-	require.NoError(t, s.sendSnapshot(context.Background(), conn))
-	require.Len(t, stream.messages, 2)
-
-	assert.Len(t, stream.messages[0].Mapping, 3)
-	assert.False(t, stream.messages[0].InitialSyncComplete)
-
-	assert.Len(t, stream.messages[1].Mapping, 3)
-	assert.True(t, stream.messages[1].InitialSyncComplete)
-}
-
-func TestSendSnapshot_SingleBatch(t *testing.T) {
-	const cluster = "cluster.example.com"
-	const batchSize = 100
-	const totalServices = 5
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(makeServices(totalServices, cluster), nil)
-
-	s := newSnapshotTestServer(t, batchSize)
-	s.serviceManager = mgr
-
-	stream := &recordingStream{}
-	conn := &proxyConnection{proxyID: "proxy-a", address: cluster, stream: stream}
-
-	require.NoError(t, s.sendSnapshot(context.Background(), conn))
-	require.Len(t, stream.messages, 1, "all mappings should fit in one batch")
-	assert.Len(t, stream.messages[0].Mapping, totalServices)
-	assert.True(t, stream.messages[0].InitialSyncComplete)
-}
-
-func TestSendSnapshot_EmptySnapshot(t *testing.T) {
-	const cluster = "cluster.example.com"
-
-	ctrl := gomock.NewController(t)
-	mgr := rpservice.NewMockManager(ctrl)
-	mgr.EXPECT().GetGlobalServices(gomock.Any()).Return(nil, nil)
-
-	s := newSnapshotTestServer(t, 500)
-	s.serviceManager = mgr
-
-	stream := &recordingStream{}
-	conn := &proxyConnection{proxyID: "proxy-a", address: cluster, stream: stream}
-
-	require.NoError(t, s.sendSnapshot(context.Background(), conn))
-	require.Len(t, stream.messages, 1, "empty snapshot must still send sync-complete")
-	assert.Empty(t, stream.messages[0].Mapping)
-	assert.True(t, stream.messages[0].InitialSyncComplete)
-}
--- a/management/internals/shared/grpc/proxy_test.go
+++ b/management/internals/shared/grpc/proxy_test.go
@@ -85,14 +85,11 @@ func registerFakeProxy(s *ProxyServiceServer, proxyID, clusterAddr string) chan
 // registerFakeProxyWithCaps adds a fake proxy connection with explicit capabilities.
 func registerFakeProxyWithCaps(s *ProxyServiceServer, proxyID, clusterAddr string, caps *proto.ProxyCapabilities) chan *proto.GetMappingUpdateResponse {
 	ch := make(chan *proto.GetMappingUpdateResponse, 10)
-	ctx, cancel := context.WithCancel(context.Background())
 	conn := &proxyConnection{
 		proxyID:      proxyID,
 		address:      clusterAddr,
 		capabilities: caps,
 		sendChan:     ch,
-		ctx:          ctx,
-		cancel:       cancel,
 	}
 	s.connectedProxies.Store(proxyID, conn)

--- a/management/server/types/user_invite_test.go
+++ b/management/server/types/user_invite_test.go
@@ -144,11 +144,8 @@ func TestValidateInviteToken_ModifiedToken(t *testing.T) {
 	_, plainToken, err := GenerateInviteToken()
 	require.NoError(t, err)

-	replacement := "X"
-	if plainToken[5] == 'X' {
-		replacement = "Y"
-	}
-	modifiedToken := plainToken[:5] + replacement + plainToken[6:]
+	// Modify one character in the secret part
+	modifiedToken := plainToken[:5] + "X" + plainToken[6:]
 	err = ValidateInviteToken(modifiedToken)
 	require.Error(t, err)
 }
--- a/proxy/management_integration_test.go
+++ b/proxy/management_integration_test.go
@@ -364,16 +364,14 @@ func TestIntegration_ProxyConnection_HappyPath(t *testing.T) {
 	})
 	require.NoError(t, err)

+	// Receive all mappings from the snapshot - server sends each mapping individually
 	mappingsByID := make(map[string]*proto.ProxyMapping)
-	for {
+	for i := 0; i < 2; i++ {
 		msg, err := stream.Recv()
 		require.NoError(t, err)
 		for _, m := range msg.GetMapping() {
 			mappingsByID[m.GetId()] = m
 		}
-		if msg.GetInitialSyncComplete() {
-			break
-		}
 	}

 	// Should receive 2 mappings total
@@ -413,14 +411,12 @@ func TestIntegration_ProxyConnection_SendsClusterAddress(t *testing.T) {
 	})
 	require.NoError(t, err)

+	// Receive all mappings - server sends each mapping individually
 	mappings := make([]*proto.ProxyMapping, 0)
-	for {
+	for i := 0; i < 2; i++ {
 		msg, err := stream.Recv()
 		require.NoError(t, err)
 		mappings = append(mappings, msg.GetMapping()...)
-		if msg.GetInitialSyncComplete() {
-			break
-		}
 	}

 	// Should receive the 2 mappings matching the cluster
@@ -444,15 +440,13 @@ func TestIntegration_ProxyConnection_Reconnect_ReceivesSameConfig(t *testing.T)
 	clusterAddress := "test.proxy.io"
 	proxyID := "test-proxy-reconnect"

-	receiveMappings := func(stream proto.ProxyService_GetMappingUpdateClient) []*proto.ProxyMapping {
+	// Helper to receive all mappings from a stream
+	receiveMappings := func(stream proto.ProxyService_GetMappingUpdateClient, count int) []*proto.ProxyMapping {
 		var mappings []*proto.ProxyMapping
-		for {
+		for i := 0; i < count; i++ {
 			msg, err := stream.Recv()
 			require.NoError(t, err)
 			mappings = append(mappings, msg.GetMapping()...)
-			if msg.GetInitialSyncComplete() {
-				break
-			}
 		}
 		return mappings
 	}
@@ -466,7 +460,7 @@ func TestIntegration_ProxyConnection_Reconnect_ReceivesSameConfig(t *testing.T)
 	})
 	require.NoError(t, err)

-	firstMappings := receiveMappings(stream1)
+	firstMappings := receiveMappings(stream1, 2)
 	cancel1()

 	time.Sleep(100 * time.Millisecond)
@@ -482,7 +476,7 @@ func TestIntegration_ProxyConnection_Reconnect_ReceivesSameConfig(t *testing.T)
 	})
 	require.NoError(t, err)

-	secondMappings := receiveMappings(stream2)
+	secondMappings := receiveMappings(stream2, 2)

 	// Should receive the same mappings
 	assert.Equal(t, len(firstMappings), len(secondMappings),
@@ -548,14 +542,12 @@ func TestIntegration_ProxyConnection_ReconnectDoesNotDuplicateState(t *testing.T
 		}
 	}

+	// Helper to receive and apply all mappings
 	receiveAndApply := func(stream proto.ProxyService_GetMappingUpdateClient) {
-		for {
+		for i := 0; i < 2; i++ {
 			msg, err := stream.Recv()
 			require.NoError(t, err)
 			applyMappings(msg.GetMapping())
-			if msg.GetInitialSyncComplete() {
-				break
-			}
 		}
 	}

@@ -644,14 +636,12 @@ func TestIntegration_ProxyConnection_MultipleProxiesReceiveUpdates(t *testing.T)
 			})
 			require.NoError(t, err)

+			// Receive all mappings - server sends each mapping individually
 			count := 0
-			for {
+			for i := 0; i < 2; i++ {
 				msg, err := stream.Recv()
 				require.NoError(t, err)
 				count += len(msg.GetMapping())
-				if msg.GetInitialSyncComplete() {
-					break
-				}
 			}

 			mu.Lock()
@@ -691,12 +681,9 @@ func TestIntegration_ProxyConnection_FastReconnectDoesNotLoseState(t *testing.T)
 	})
 	require.NoError(t, err)

-	for {
-		msg, err := stream1.Recv()
+	for i := 0; i < 2; i++ {
+		_, err := stream1.Recv()
 		require.NoError(t, err)
-		if msg.GetInitialSyncComplete() {
-			break
-		}
 	}

 	require.Contains(t, setup.proxyService.GetConnectedProxies(), proxyID,
@@ -712,12 +699,9 @@ func TestIntegration_ProxyConnection_FastReconnectDoesNotLoseState(t *testing.T)
 	})
 	require.NoError(t, err)

-	for {
-		msg, err := stream2.Recv()
+	for i := 0; i < 2; i++ {
+		_, err := stream2.Recv()
 		require.NoError(t, err)
-		if msg.GetInitialSyncComplete() {
-			break
-		}
 	}

 	cancel1()
--- a/proxy/server.go
+++ b/proxy/server.go
@@ -943,8 +943,6 @@ func (s *Server) newManagementMappingWorker(ctx context.Context, client proto.Pr
 	operation := func() error {
 		s.Logger.Debug("connecting to management mapping stream")

-		initialSyncDone = false
-
 		if s.healthChecker != nil {
 			s.healthChecker.SetManagementConnected(false)
 		}
@@ -1002,11 +1000,6 @@ func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.Pr
 		return ctx.Err()
 	}

-	var snapshotIDs map[types.ServiceID]struct{}
-	if !*initialSyncDone {
-		snapshotIDs = make(map[types.ServiceID]struct{})
-	}
-
 	for {
 		// Check for context completion to gracefully shutdown.
 		select {
@@ -1027,13 +1020,7 @@ func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.Pr
 			s.processMappings(ctx, msg.GetMapping())
 			s.Logger.Debug("Processing mapping update completed")

-			if !*initialSyncDone {
-				for _, m := range msg.GetMapping() {
-					snapshotIDs[types.ServiceID(m.GetId())] = struct{}{}
-				}
-				if msg.GetInitialSyncComplete() {
-					s.reconcileSnapshot(ctx, snapshotIDs)
-					snapshotIDs = nil
+			if !*initialSyncDone && msg.GetInitialSyncComplete() {
 				if s.healthChecker != nil {
 					s.healthChecker.SetInitialSyncComplete()
 				}
@@ -1043,28 +1030,6 @@ func (s *Server) handleMappingStream(ctx context.Context, mappingClient proto.Pr
 		}
 	}
 }
-}
-
-// reconcileSnapshot removes local mappings that are absent from the snapshot.
-// This ensures services deleted while the proxy was disconnected get cleaned up.
-func (s *Server) reconcileSnapshot(ctx context.Context, snapshotIDs map[types.ServiceID]struct{}) {
-	s.portMu.RLock()
-	var stale []*proto.ProxyMapping
-	for svcID, mapping := range s.lastMappings {
-		if _, ok := snapshotIDs[svcID]; !ok {
-			stale = append(stale, mapping)
-		}
-	}
-	s.portMu.RUnlock()
-
-	for _, mapping := range stale {
-		s.Logger.WithFields(log.Fields{
-			"service_id": mapping.GetId(),
-			"domain":     mapping.GetDomain(),
-		}).Info("Removing stale mapping absent from snapshot")
-		s.removeMapping(ctx, mapping)
-	}
-}

 func (s *Server) processMappings(ctx context.Context, mappings []*proto.ProxyMapping) {
 	for _, mapping := range mappings {
--- a/proxy/snapshot_reconcile_test.go
+++ b/proxy/snapshot_reconcile_test.go
@@ -1,227 +0,0 @@
-package proxy
-
-import (
-	"context"
-	"io"
-	"testing"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/proxy/internal/health"
-	"github.com/netbirdio/netbird/proxy/internal/types"
-	"github.com/netbirdio/netbird/shared/management/proto"
-)
-
-// collectStaleIDs mirrors the stale-detection logic in reconcileSnapshot
-// so we can verify it without triggering removeMapping (which requires full
-// server wiring). This keeps the test focused on the detection algorithm.
-func collectStaleIDs(lastMappings map[types.ServiceID]*proto.ProxyMapping, snapshotIDs map[types.ServiceID]struct{}) []types.ServiceID {
-	var stale []types.ServiceID
-	for svcID := range lastMappings {
-		if _, ok := snapshotIDs[svcID]; !ok {
-			stale = append(stale, svcID)
-		}
-	}
-	return stale
-}
-
-// TestStaleDetection_PartialOverlap verifies that only services absent from
-// the snapshot are flagged as stale.
-func TestStaleDetection_PartialOverlap(t *testing.T) {
-	local := map[types.ServiceID]*proto.ProxyMapping{
-		"svc-1":       {Id: "svc-1"},
-		"svc-2":       {Id: "svc-2"},
-		"svc-stale-a": {Id: "svc-stale-a"},
-		"svc-stale-b": {Id: "svc-stale-b"},
-	}
-	snapshot := map[types.ServiceID]struct{}{
-		"svc-1": {},
-		"svc-2": {},
-		"svc-3": {}, // new service, not in local
-	}
-
-	stale := collectStaleIDs(local, snapshot)
-	assert.Len(t, stale, 2)
-	staleSet := make(map[types.ServiceID]struct{})
-	for _, id := range stale {
-		staleSet[id] = struct{}{}
-	}
-	assert.Contains(t, staleSet, types.ServiceID("svc-stale-a"))
-	assert.Contains(t, staleSet, types.ServiceID("svc-stale-b"))
-}
-
-// TestStaleDetection_AllStale verifies an empty snapshot flags everything.
-func TestStaleDetection_AllStale(t *testing.T) {
-	local := map[types.ServiceID]*proto.ProxyMapping{
-		"svc-1": {Id: "svc-1"},
-		"svc-2": {Id: "svc-2"},
-	}
-	stale := collectStaleIDs(local, map[types.ServiceID]struct{}{})
-	assert.Len(t, stale, 2)
-}
-
-// TestStaleDetection_NoneStale verifies full overlap produces no stale entries.
-func TestStaleDetection_NoneStale(t *testing.T) {
-	local := map[types.ServiceID]*proto.ProxyMapping{
-		"svc-1": {Id: "svc-1"},
-		"svc-2": {Id: "svc-2"},
-	}
-	snapshot := map[types.ServiceID]struct{}{
-		"svc-1": {},
-		"svc-2": {},
-	}
-	stale := collectStaleIDs(local, snapshot)
-	assert.Empty(t, stale)
-}
-
-// TestStaleDetection_EmptyLocal verifies no stale entries when local is empty.
-func TestStaleDetection_EmptyLocal(t *testing.T) {
-	stale := collectStaleIDs(
-		map[types.ServiceID]*proto.ProxyMapping{},
-		map[types.ServiceID]struct{}{"svc-1": {}},
-	)
-	assert.Empty(t, stale)
-}
-
-// TestReconcileSnapshot_NoStale verifies reconciliation is a no-op when all
-// local mappings are present in the snapshot (removeMapping is never called).
-func TestReconcileSnapshot_NoStale(t *testing.T) {
-	s := &Server{
-		Logger:       log.StandardLogger(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-	s.lastMappings["svc-1"] = &proto.ProxyMapping{Id: "svc-1"}
-	s.lastMappings["svc-2"] = &proto.ProxyMapping{Id: "svc-2"}
-
-	snapshotIDs := map[types.ServiceID]struct{}{
-		"svc-1": {},
-		"svc-2": {},
-	}
-	// This should not panic — no stale entries means removeMapping is never called.
-	s.reconcileSnapshot(context.Background(), snapshotIDs)
-
-	assert.Len(t, s.lastMappings, 2, "no mappings should be removed when all are in snapshot")
-}
-
-// TestReconcileSnapshot_EmptyLocal verifies reconciliation is a no-op with
-// no local mappings.
-func TestReconcileSnapshot_EmptyLocal(t *testing.T) {
-	s := &Server{
-		Logger:       log.StandardLogger(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-	s.reconcileSnapshot(context.Background(), map[types.ServiceID]struct{}{"svc-1": {}})
-	assert.Empty(t, s.lastMappings)
-}
-
-// --- handleMappingStream tests for batched snapshot ID accumulation ---
-
-// TestHandleMappingStream_BatchedSnapshotSyncComplete verifies that sync is
-// marked done only after the final InitialSyncComplete message, even when
-// the snapshot arrives in multiple batches.
-func TestHandleMappingStream_BatchedSnapshotSyncComplete(t *testing.T) {
-	checker := health.NewChecker(nil, nil)
-	s := &Server{
-		Logger:        log.StandardLogger(),
-		healthChecker: checker,
-		routerReady:   closedChan(),
-		lastMappings:  make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-
-	stream := &mockMappingStream{
-		messages: []*proto.GetMappingUpdateResponse{
-			{},                          // batch 1: no sync-complete
-			{},                          // batch 2: no sync-complete
-			{InitialSyncComplete: true}, // batch 3: sync done
-		},
-	}
-
-	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone)
-	assert.NoError(t, err)
-	assert.True(t, syncDone, "sync should be marked done after final batch")
-}
-
-// TestHandleMappingStream_PostSyncDoesNotReconcile verifies that messages
-// arriving after InitialSyncComplete do not trigger a second reconciliation.
-func TestHandleMappingStream_PostSyncDoesNotReconcile(t *testing.T) {
-	s := &Server{
-		Logger:       log.StandardLogger(),
-		routerReady:  closedChan(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-
-	// Simulate state left over from a previous sync.
-	s.lastMappings["svc-1"] = &proto.ProxyMapping{Id: "svc-1", AccountId: "acct-1"}
-	s.lastMappings["svc-2"] = &proto.ProxyMapping{Id: "svc-2", AccountId: "acct-1"}
-
-	stream := &mockMappingStream{
-		messages: []*proto.GetMappingUpdateResponse{
-			{}, // post-sync empty message — must not reconcile
-		},
-	}
-
-	syncDone := true // sync already completed in a previous stream
-	err := s.handleMappingStream(context.Background(), stream, &syncDone)
-	require.NoError(t, err)
-
-	assert.Len(t, s.lastMappings, 2,
-		"post-sync messages must not trigger reconciliation — all entries should survive")
-}
-
-// TestHandleMappingStream_ImmediateEOF_NoReconciliation verifies that if the
-// stream closes before sync completes, no reconciliation occurs.
-func TestHandleMappingStream_ImmediateEOF_NoReconciliation(t *testing.T) {
-	s := &Server{
-		Logger:       log.StandardLogger(),
-		routerReady:  closedChan(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-
-	s.lastMappings["svc-stale"] = &proto.ProxyMapping{Id: "svc-stale", AccountId: "acct-1"}
-
-	stream := &mockMappingStream{} // no messages → immediate EOF
-
-	syncDone := false
-	err := s.handleMappingStream(context.Background(), stream, &syncDone)
-	assert.NoError(t, err)
-	assert.False(t, syncDone, "sync should not be marked done on immediate EOF")
-
-	_, hasStale := s.lastMappings["svc-stale"]
-	assert.True(t, hasStale, "stale mapping should remain when sync never completed")
-}
-
-// mockErrRecvStream returns an error on the second Recv to verify
-// handleMappingStream returns without completing sync.
-type mockErrRecvStream struct {
-	mockMappingStream
-	calls int
-}
-
-func (m *mockErrRecvStream) Recv() (*proto.GetMappingUpdateResponse, error) {
-	m.calls++
-	if m.calls == 1 {
-		return &proto.GetMappingUpdateResponse{}, nil
-	}
-	return nil, io.ErrUnexpectedEOF
-}
-
-func TestHandleMappingStream_ErrorMidSync_NoReconciliation(t *testing.T) {
-	s := &Server{
-		Logger:       log.StandardLogger(),
-		routerReady:  closedChan(),
-		lastMappings: make(map[types.ServiceID]*proto.ProxyMapping),
-	}
-
-	s.lastMappings["svc-stale"] = &proto.ProxyMapping{Id: "svc-stale", AccountId: "acct-1"}
-
-	syncDone := false
-	err := s.handleMappingStream(context.Background(), &mockErrRecvStream{}, &syncDone)
-	assert.Error(t, err)
-	assert.False(t, syncDone)
-
-	_, hasStale := s.lastMappings["svc-stale"]
-	assert.True(t, hasStale, "stale mapping should remain when sync was interrupted by error")
-}
--- a/sharedsock/sock_linux.go
+++ b/sharedsock/sock_linux.go
@@ -10,13 +10,15 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"sync"
 	"time"

 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
+	"github.com/google/gopacket/routing"
+	"github.com/libp2p/go-netroute"
 	"github.com/mdlayher/socket"
 	log "github.com/sirupsen/logrus"
-	"github.com/vishvananda/netlink"
 	"golang.org/x/sync/errgroup"
 	"golang.org/x/sys/unix"

@@ -35,6 +37,8 @@ type SharedSocket struct {
 	conn6       *socket.Conn
 	port        int
 	mtu         uint16
+	routerMux   sync.RWMutex
+	router      routing.Router
 	packetDemux chan rcvdPacket
 	cancel      context.CancelFunc
 }
@@ -78,6 +82,11 @@ func Listen(port int, filter BPFFilter, mtu uint16) (_ net.PacketConn, err error
 		}
 	}()

+	rawSock.router, err = netroute.New()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create raw socket router: %w", err)
+	}
+
 	rawSock.conn4, err = socket.Socket(unix.AF_INET, unix.SOCK_RAW, unix.IPPROTO_UDP, "raw_udp4", nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create ipv4 raw socket: %w", err)
@@ -118,26 +127,31 @@ func Listen(port int, filter BPFFilter, mtu uint16) (_ net.PacketConn, err error
 		go rawSock.read(rawSock.conn6.Recvfrom)
 	}

+	go rawSock.updateRouter()
+
 	return rawSock, nil
 }

-// resolveSrc returns the source IP the kernel will pick for a packet sent to
-// dst by these raw sockets, mirroring the fwmark the kernel will see on send.
-func (s *SharedSocket) resolveSrc(dst net.IP) (net.IP, error) {
-	opts := &netlink.RouteGetOptions{}
-	if nbnet.AdvancedRouting() {
-		opts.Mark = nbnet.ControlPlaneMark
-	}
-	routes, err := netlink.RouteGetWithOptions(dst, opts)
+// updateRouter updates the listener routing table client
+// this is needed to avoid outdated information across different client networks
+func (s *SharedSocket) updateRouter() {
+	ticker := time.NewTicker(15 * time.Second)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-s.ctx.Done():
+			return
+		case <-ticker.C:
+			router, err := netroute.New()
 			if err != nil {
-		return nil, fmt.Errorf("route get %s: %w", dst, err)
+				log.Errorf("Failed to create and update packet router for stunListener: %s", err)
+				continue
 			}
-	for _, r := range routes {
-		if r.Src != nil {
-			return r.Src, nil
+			s.routerMux.Lock()
+			s.router = router
+			s.routerMux.Unlock()
 		}
 	}
-	return nil, fmt.Errorf("no source IP for %s", dst)
 }

 // LocalAddr returns the local address, preferring IPv4 for backward compatibility.
@@ -296,15 +310,15 @@ func (s *SharedSocket) WriteTo(buf []byte, rAddr net.Addr) (n int, err error) {
 		DstPort: layers.UDPPort(rUDPAddr.Port),
 	}

-	src, err := s.resolveSrc(rUDPAddr.IP)
+	s.routerMux.RLock()
+	defer s.routerMux.RUnlock()
+
+	_, _, src, err := s.router.Route(rUDPAddr.IP)
 	if err != nil {
-		return 0, fmt.Errorf("resolve source for %s: %w", rUDPAddr.IP, err)
+		return 0, fmt.Errorf("got an error while checking route, err: %w", err)
 	}

 	rSockAddr, conn, nwLayer := s.getWriterObjects(src, rUDPAddr.IP)
-	if conn == nil {
-		return 0, fmt.Errorf("no raw socket for %s", rUDPAddr.IP)
-	}

 	if err := udp.SetNetworkLayerForChecksum(nwLayer); err != nil {
 		return -1, fmt.Errorf("failed to set network layer for checksum: %w", err)