just testing

.github/workflows/golangci-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
           skip: go.mod,go.sum
   golangci:
     strategy:

.github/workflows/wasm-build-validation.yml

@@ -1,67 +0,0 @@
-name: Wasm
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
-jobs:
-  js_lint:
-    name: "JS / Lint"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
-      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
-        with:
-          version: latest
-          install-mode: binary
-          skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
-      - name: Run golangci-lint for WASM
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
-        continue-on-error: true
-
-  js_build:
-    name: "JS / Build"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Build Wasm client
-        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
-        env:
-          CGO_ENABLED: 0
-      - name: Check Wasm build size
-        run: |
-          echo "Wasm build size:"
-          ls -lh netbird.wasm
-
-          SIZE=$(stat -c%s netbird.wasm)
-          SIZE_MB=$((SIZE / 1024 / 1024))
-
-          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-
-          if [ ${SIZE} -gt 52428800 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 50MB limit!"
-            exit 1
-          fi
-

.goreleaser.yaml

@@ -2,18 +2,6 @@ version: 2
 
 project_name: netbird
 builds:
-  - id: netbird-wasm
-    dir: client/wasm/cmd
-    binary: netbird
-    env: [GOOS=js, GOARCH=wasm, CGO_ENABLED=0]
-    goos:
-      - js
-    goarch:
-      - wasm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
   - id: netbird
     dir: client
     binary: netbird
@@ -127,11 +115,6 @@ archives:
   - builds:
       - netbird
       - netbird-static
-  - id: netbird-wasm
-    builds:
-      - netbird-wasm
-    name_template: "{{ .ProjectName }}_{{ .Version }}"
-    format: binary
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

client/android/client.go

@@ -112,7 +112,7 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, "")
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 
@@ -138,7 +138,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, "")
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
 	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
 }
 

client/cmd/debug.go

@@ -308,7 +308,7 @@ func getStatusOutput(cmd *cobra.Command, anon bool) string {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp.GetFullStatus(), anon, statusResp.GetDaemonVersion(), "", nil, nil, nil, "", ""),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString

client/cmd/debug_js.go

@@ -1,8 +0,0 @@
-package cmd
-
-import "context"
-
-// SetupDebugHandler is a no-op for WASM
-func SetupDebugHandler(context.Context, interface{}, interface{}, interface{}, string) {
-	// Debug handler not needed for WASM
-}

client/cmd/status.go

@@ -99,7 +99,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		profName = activeProf.Name
 	}
 
-	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp.GetFullStatus(), anonymizeFlag, resp.GetDaemonVersion(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
+	var outputInformationHolder = nbstatus.ConvertToStatusOutputOverview(resp, anonymizeFlag, statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilterMap, connectionTypeFilter, profName)
 	var statusOutputString string
 	switch {
 	case detailFlag:

client/cmd/testutil_test.go

@@ -10,15 +10,10 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
 
-	"github.com/netbirdio/management-integrations/integrations"
-
-	clientProto "github.com/netbirdio/netbird/client/proto"
-	client "github.com/netbirdio/netbird/client/server"
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -118,7 +113,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	}
 
 	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -196,8 +196,7 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command, activeProf *pr
 	r := peer.NewRecorder(config.ManagementURL.String())
 	r.GetFullStatus()
 
-	//todo: do we need to pass logFile here ?
-	connectClient := internal.NewConnectClient(ctx, config, r, "")
+	connectClient := internal.NewConnectClient(ctx, config, r)
 	SetupDebugHandler(ctx, config, r, connectClient, "")
 
 	return connectClient.Run(nil)

client/embed/embed.go

@@ -23,29 +23,23 @@ import (
 
 var ErrClientAlreadyStarted = errors.New("client already started")
 var ErrClientNotStarted = errors.New("client not started")
-var ErrConfigNotInitialized = errors.New("config not initialized")
 
-// Client manages a netbird embedded client instance.
+// Client manages a netbird embedded client instance
 type Client struct {
 	deviceName string
 	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
-	jwtToken   string
 	connect    *internal.ConnectClient
 }
 
-// Options configures a new Client.
+// Options configures a new Client
 type Options struct {
 	// DeviceName is this peer's name in the network
 	DeviceName string
 	// SetupKey is used for authentication
 	SetupKey string
-	// JWTToken is used for JWT-based authentication
-	JWTToken string
-	// PrivateKey is used for direct private key authentication
-	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
 	// PreSharedKey is the pre-shared key for the WireGuard interface
@@ -64,35 +58,8 @@ type Options struct {
 	DisableClientRoutes bool
 }
 
-// validateCredentials checks that exactly one credential type is provided
-func (opts *Options) validateCredentials() error {
-	credentialsProvided := 0
-	if opts.SetupKey != "" {
-		credentialsProvided++
-	}
-	if opts.JWTToken != "" {
-		credentialsProvided++
-	}
-	if opts.PrivateKey != "" {
-		credentialsProvided++
-	}
-
-	if credentialsProvided == 0 {
-		return fmt.Errorf("one of SetupKey, JWTToken, or PrivateKey must be provided")
-	}
-	if credentialsProvided > 1 {
-		return fmt.Errorf("only one of SetupKey, JWTToken, or PrivateKey can be specified")
-	}
-
-	return nil
-}
-
-// New creates a new netbird embedded client.
+// New creates a new netbird embedded client
 func New(opts Options) (*Client, error) {
-	if err := opts.validateCredentials(); err != nil {
-		return nil, err
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -140,14 +107,9 @@ func New(opts Options) (*Client, error) {
 		return nil, fmt.Errorf("create config: %w", err)
 	}
 
-	if opts.PrivateKey != "" {
-		config.PrivateKey = opts.PrivateKey
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
-		jwtToken:   opts.JWTToken,
 		config:     config,
 	}, nil
 }
@@ -164,14 +126,12 @@ func (c *Client) Start(startCtx context.Context) error {
 	ctx := internal.CtxInitState(context.Background())
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
 
 	recorder := peer.NewRecorder(c.config.ManagementURL.String())
-
-	//todo: do we need to pass logFile here ?
-	client := internal.NewConnectClient(ctx, c.config, recorder, "")
+	client := internal.NewConnectClient(ctx, c.config, recorder)
 
 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
@@ -227,16 +187,6 @@ func (c *Client) Stop(ctx context.Context) error {
 	}
 }
 
-// GetConfig returns a copy of the internal client config.
-func (c *Client) GetConfig() (profilemanager.Config, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.config == nil {
-		return profilemanager.Config{}, ErrConfigNotInitialized
-	}
-	return *c.config, nil
-}
-
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
@@ -261,7 +211,7 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
-// ListenTCP listens on the given address in the netbird network.
+// ListenTCP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	nsnet, addr, err := c.getNet()
@@ -282,7 +232,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	return nsnet.ListenTCP(tcpAddr)
 }
 
-// ListenUDP listens on the given address in the netbird network.
+// ListenUDP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	nsnet, addr, err := c.getNet()

client/iface/bind/error.go

@@ -1,7 +0,0 @@
-package bind
-
-import "fmt"
-
-var (
-	ErrUDPMUXNotSupported = fmt.Errorf("UDPMUX is not supported in WASM")
-)

client/iface/bind/ice_bind.go

@@ -1,9 +1,6 @@
-//go:build !js
-
 package bind
 
 import (
-	"context"
 	"encoding/binary"
 	"fmt"
 	"net"
@@ -11,18 +8,22 @@ import (
 	"runtime"
 	"sync"
 
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"
 
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
+type RecvMessage struct {
+	Endpoint *Endpoint
+	Buffer   []byte
+}
+
 type receiverCreator struct {
 	iceBind *ICEBind
 }
@@ -40,38 +41,35 @@ func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UD
 // use the port because in the Send function the wgConn.Endpoint the port info is not exported.
 type ICEBind struct {
 	*wgConn.StdNetBind
+	RecvChan chan RecvMessage
 
 	transportNet transport.Net
-	filterFn     udpmux.FilterFn
-	address      wgaddr.Address
-	mtu          uint16
-
-	endpoints   map[netip.Addr]net.Conn
-	endpointsMu sync.Mutex
-	recvChan    chan recvMessage
+	filterFn     FilterFn
+	endpoints    map[netip.Addr]net.Conn
+	endpointsMu  sync.Mutex
 	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
 	// new closed channel. With the closedChanMu we can safely close the channel and create a new one
-	closedChan       chan struct{}
-	closedChanMu     sync.RWMutex // protect the closeChan recreation from reading from it.
-	closed           bool
-	activityRecorder *ActivityRecorder
+	closedChan   chan struct{}
+	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
+	closed       bool
 
-	muUDPMux sync.Mutex
-	udpMux   *udpmux.UniversalUDPMuxDefault
+	muUDPMux         sync.Mutex
+	udpMux           *UniversalUDPMuxDefault
+	address          wgaddr.Address
+	activityRecorder *ActivityRecorder
 }
 
-func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
+		RecvChan:         make(chan RecvMessage, 1),
 		transportNet:     transportNet,
 		filterFn:         filterFn,
-		address:          address,
-		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
-		recvChan:         make(chan recvMessage, 1),
 		closedChan:       make(chan struct{}),
 		closed:           true,
+		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}
 
@@ -111,7 +109,7 @@ func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
 }
 
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *ICEBind) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
+func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 	if s.udpMux == nil {
@@ -134,16 +132,6 @@ func (b *ICEBind) RemoveEndpoint(fakeIP netip.Addr) {
 	delete(b.endpoints, fakeIP)
 }
 
-func (b *ICEBind) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-b.closedChan:
-		return
-	case <-ctx.Done():
-		return
-	case b.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
 func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	b.endpointsMu.Lock()
 	conn, ok := b.endpoints[ep.DstIP()]
@@ -164,13 +152,12 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 
-	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
-		udpmux.UniversalUDPMuxParams{
+	s.udpMux = NewUniversalUDPMuxDefault(
+		UniversalUDPMuxParams{
 			UDPConn:   nbnet.WrapPacketConn(conn),
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
 			WGAddress: s.address,
-			MTU:       s.mtu,
 		},
 	)
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
@@ -276,7 +263,7 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 	select {
 	case <-c.closedChan:
 		return 0, net.ErrClosed
-	case msg, ok := <-c.recvChan:
+	case msg, ok := <-c.RecvChan:
 		if !ok {
 			return 0, net.ErrClosed
 		}

client/iface/bind/recv_msg.go

@@ -1,6 +0,0 @@
-package bind
-
-type recvMessage struct {
-	Endpoint *Endpoint
-	Buffer   []byte
-}

client/iface/bind/relay_bind.go

@@ -1,125 +0,0 @@
-package bind
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-
-	"github.com/netbirdio/netbird/client/iface/udpmux"
-)
-
-// RelayBindJS is a conn.Bind implementation for WebAssembly environments.
-// Do not limit to build only js, because we want to be able to run tests
-type RelayBindJS struct {
-	*conn.StdNetBind
-
-	recvChan         chan recvMessage
-	endpoints        map[netip.Addr]net.Conn
-	endpointsMu      sync.Mutex
-	activityRecorder *ActivityRecorder
-	ctx              context.Context
-	cancel           context.CancelFunc
-}
-
-func NewRelayBindJS() *RelayBindJS {
-	return &RelayBindJS{
-		recvChan:         make(chan recvMessage, 100),
-		endpoints:        make(map[netip.Addr]net.Conn),
-		activityRecorder: NewActivityRecorder(),
-	}
-}
-
-// Open creates a receive function for handling relay packets in WASM.
-func (s *RelayBindJS) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
-	log.Debugf("Open: creating receive function for port %d", uport)
-
-	s.ctx, s.cancel = context.WithCancel(context.Background())
-
-	receiveFn := func(bufs [][]byte, sizes []int, eps []conn.Endpoint) (int, error) {
-		select {
-		case <-s.ctx.Done():
-			return 0, net.ErrClosed
-		case msg, ok := <-s.recvChan:
-			if !ok {
-				return 0, net.ErrClosed
-			}
-			copy(bufs[0], msg.Buffer)
-			sizes[0] = len(msg.Buffer)
-			eps[0] = conn.Endpoint(msg.Endpoint)
-			return 1, nil
-		}
-	}
-
-	log.Debugf("Open: receive function created, returning port %d", uport)
-	return []conn.ReceiveFunc{receiveFn}, uport, nil
-}
-
-func (s *RelayBindJS) Close() error {
-	if s.cancel == nil {
-		return nil
-	}
-	log.Debugf("close RelayBindJS")
-	s.cancel()
-	return nil
-}
-
-func (s *RelayBindJS) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-s.ctx.Done():
-		return
-	case <-ctx.Done():
-		return
-	case s.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
-// Send forwards packets through the relay connection for WASM.
-func (s *RelayBindJS) Send(bufs [][]byte, ep conn.Endpoint) error {
-	if ep == nil {
-		return nil
-	}
-
-	fakeIP := ep.DstIP()
-
-	s.endpointsMu.Lock()
-	relayConn, ok := s.endpoints[fakeIP]
-	s.endpointsMu.Unlock()
-
-	if !ok {
-		return nil
-	}
-
-	for _, buf := range bufs {
-		if _, err := relayConn.Write(buf); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (b *RelayBindJS) SetEndpoint(fakeIP netip.Addr, conn net.Conn) {
-	b.endpointsMu.Lock()
-	b.endpoints[fakeIP] = conn
-	b.endpointsMu.Unlock()
-}
-
-func (s *RelayBindJS) RemoveEndpoint(fakeIP netip.Addr) {
-	s.endpointsMu.Lock()
-	defer s.endpointsMu.Unlock()
-
-	delete(s.endpoints, fakeIP)
-}
-
-// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *RelayBindJS) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
-	return nil, ErrUDPMUXNotSupported
-}
-
-func (s *RelayBindJS) ActivityRecorder() *ActivityRecorder {
-	return s.activityRecorder
-}

client/iface/configurer/name.go

@@ -1,4 +1,4 @@
-//go:build linux || windows || freebsd || js || wasip1
+//go:build linux || windows || freebsd
 
 package configurer
 

client/iface/configurer/uapi.go

@@ -1,4 +1,4 @@
-//go:build !windows && !js
+//go:build !windows
 
 package configurer
 

client/iface/configurer/uapi_js.go

@@ -1,23 +0,0 @@
-package configurer
-
-import (
-	"net"
-)
-
-type noopListener struct{}
-
-func (n *noopListener) Accept() (net.Conn, error) {
-	return nil, net.ErrClosed
-}
-
-func (n *noopListener) Close() error {
-	return nil
-}
-
-func (n *noopListener) Addr() net.Addr {
-	return nil
-}
-
-func openUAPI(deviceName string) (net.Listener, error) {
-	return &noopListener{}, nil
-}

client/iface/device/device_netstack.go

@@ -4,11 +4,9 @@
 package device
 
 import (
-	"errors"
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
@@ -19,12 +17,6 @@ import (
 	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-type Bind interface {
-	conn.Bind
-	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
-	ActivityRecorder() *bind.ActivityRecorder
-}
-
 type TunNetstackDevice struct {
 	name          string
 	address       wgaddr.Address
@@ -32,7 +24,7 @@ type TunNetstackDevice struct {
 	key           string
 	mtu           int
 	listenAddress string
-	bind          Bind
+	iceBind       *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
@@ -43,7 +35,7 @@ type TunNetstackDevice struct {
 	net *netstack.Net
 }
 
-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -51,7 +43,7 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 		key:           key,
 		mtu:           mtu,
 		listenAddress: listenAddress,
-		bind:          bind,
+		iceBind:       iceBind,
 	}
 }
 
@@ -76,11 +68,11 @@ func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 
 	t.device = device.NewDevice(
 		t.filteredDevice,
-		t.bind,
+		t.iceBind,
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()
@@ -101,15 +93,11 @@ func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	udpMux, err := t.bind.GetICEMux()
-	if err != nil && !errors.Is(err, bind.ErrUDPMUXNotSupported) {
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
 		return nil, err
 	}
-
-	if udpMux != nil {
-		t.udpMux = udpMux
-	}
-
+	t.udpMux = udpMux
 	log.Debugf("netstack device is ready to use")
 	return udpMux, nil
 }

client/iface/device/device_netstack_test.go

@@ -1,27 +0,0 @@
-package device
-
-import (
-	"testing"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestNewNetstackDevice(t *testing.T) {
-	privateKey, _ := wgtypes.GeneratePrivateKey()
-	wgAddress, _ := wgaddr.ParseWGAddress("1.2.3.4/24")
-
-	relayBind := bind.NewRelayBindJS()
-	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr())
-
-	cfgr, err := nsTun.Create()
-	if err != nil {
-		t.Fatalf("failed to create netstack device: %v", err)
-	}
-	if cfgr == nil {
-		t.Fatal("expected non-nil configurer")
-	}
-}

client/iface/iface_destroy_js.go

@@ -1,6 +0,0 @@
-package iface
-
-// Destroy is a no-op on WASM
-func (w *WGIface) Destroy() error {
-	return nil
-}

client/iface/iface_new_android.go

@@ -3,7 +3,6 @@ package iface
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
@@ -15,21 +14,12 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-
-	if netstack.IsEnabled() {
-		wgIFace := &WGIface{
-			userspaceBind:  true,
-			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
-			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
-		}
-		return wgIFace, nil
-	}
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_darwin.go

@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_freebsd.go

@@ -1,41 +0,0 @@
-//go:build freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}

client/iface/iface_new_ios.go

@@ -21,7 +21,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_js.go

@@ -1,27 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	relayBind := bind.NewRelayBindJS()
-
-	wgIface := &WGIface{
-		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
-		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
-	}
-
-	return wgIface, nil
-}

client/iface/iface_new_unix.go

@@ -25,7 +25,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}
 
@@ -38,7 +38,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}
 

client/iface/iface_new_windows.go

@@ -26,7 +26,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 

client/iface/netstack/env.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package netstack
 
 import (

client/iface/netstack/env_js.go

@@ -1,12 +0,0 @@
-package netstack
-
-const EnvUseNetstackMode = "NB_USE_NETSTACK_MODE"
-
-// IsEnabled always returns true for js since it's the only mode available
-func IsEnabled() bool {
-	return true
-}
-
-func ListenAddr() string {
-	return ""
-}

client/iface/wgproxy/bind/proxy.go

@@ -15,38 +15,28 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
-type Bind interface {
-	SetEndpoint(addr netip.Addr, conn net.Conn)
-	RemoveEndpoint(addr netip.Addr)
-	ReceiveFromEndpoint(ctx context.Context, ep *bind.Endpoint, buf []byte)
-}
-
 type ProxyBind struct {
-	bind Bind
+	Bind *bind.ICEBind
 
-	// wgRelayedEndpoint is a fake address that generated by the Bind.SetEndpoint based on the remote NetBird peer address
-	wgRelayedEndpoint *bind.Endpoint
-	wgCurrentUsed     *bind.Endpoint
-	remoteConn        net.Conn
-	ctx               context.Context
-	cancel            context.CancelFunc
-	closeMu           sync.Mutex
-	closed            bool
+	fakeNetIP      *netip.AddrPort
+	wgBindEndpoint *bind.Endpoint
+	remoteConn     net.Conn
+	ctx            context.Context
+	cancel         context.CancelFunc
+	closeMu        sync.Mutex
+	closed         bool
 
 	pausedMu  sync.Mutex
 	paused    bool
 	isStarted bool
 
 	closeListener *listener.CloseListener
-	mtu           uint16
 }
 
-func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
+func NewProxyBind(bind *bind.ICEBind) *ProxyBind {
 	p := &ProxyBind{
 		Bind:          bind,
 		closeListener: listener.NewCloseListener(),
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
-		mtu:           mtu + bufsize.WGBufferOverhead,
 	}
 
 	return p
@@ -145,7 +135,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()
 
 	for {
-		buf := make([]byte, p.mtu)
+		buf := make([]byte, 1500)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {
@@ -162,8 +152,12 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 			continue
 		}
 
-		p.bind.ReceiveFromEndpoint(ctx, p.wgCurrentUsed, buf[:n])
-		p.pausedCond.L.Unlock()
+		msg := bind.RecvMessage{
+			Endpoint: p.wgBindEndpoint,
+			Buffer:   buf[:n],
+		}
+		p.Bind.RecvChan <- msg
+		p.pausedMu.Unlock()
 	}
 }
 

client/iface/wgproxy/factory_usp.go

@@ -3,25 +3,24 @@ package wgproxy
 import (
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	proxyBind "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
 )
 
 type USPFactory struct {
-	bind proxyBind.Bind
-	mtu  uint16
+	bind *bind.ICEBind
 }
 
-func NewUSPFactory(bind proxyBind.Bind, mtu uint16) *USPFactory {
+func NewUSPFactory(iceBind *bind.ICEBind) *USPFactory {
 	log.Infof("WireGuard Proxy Factory will produce bind proxy")
 	f := &USPFactory{
-		bind: bind,
-		mtu:  mtu,
+		bind: iceBind,
 	}
 	return f
 }
 
 func (w *USPFactory) GetProxy() Proxy {
-	return proxyBind.NewProxyBind(w.bind, w.mtu)
+	return proxyBind.NewProxyBind(w.bind)
 }
 
 func (w *USPFactory) Free() error {

client/iface/wgproxy/proxy_linux_test.go

@@ -27,30 +27,30 @@ func TestProxyCloseByRemoteConnEBPF(t *testing.T) {
 		}
 	}()
 
-	pUDP := proxyInstance{
-		name:    "udp kernel proxy",
-		proxy:   udp.NewWGUDPProxy(51832, 1280),
-		wgPort:  51832,
-		closeFn: func() error { return nil },
-	}
-	pl = append(pl, pUDP)
-	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
-	endpointAddress := &net.UDPAddr{
-		IP:   net.IPv4(10, 0, 0, 1),
-		Port: 1234,
+	tests := []struct {
+		name  string
+		proxy Proxy
+	}{
+		{
+			name: "ebpf proxy",
+			proxy: &ebpf.ProxyWrapper{
+				WgeBPFProxy: ebpfProxy,
+			},
+		},
 	}
 
-	pBind := proxyInstance{
-		name:         "bind proxy",
-		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-		endpointAddr: endpointAddress,
-		closeFn:      func() error { return nil },
-	}
-	pl = append(pl, pBind)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			relayedConn := newMockConn()
+			err := tt.proxy.AddTurnConn(ctx, nil, relayedConn)
+			if err != nil {
+				t.Errorf("error: %v", err)
+			}
 
-	return pl, nil
+			_ = relayedConn.Close()
+			if err := tt.proxy.CloseConn(); err != nil {
+				t.Errorf("error: %v", err)
+			}
+		})
+	}
 }

client/iface/wgproxy/proxy_seed_test.go

@@ -1,39 +0,0 @@
-//go:build !linux
-
-package wgproxy
-
-import (
-	"net"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	bindproxy "github.com/netbirdio/netbird/client/iface/wgproxy/bind"
-)
-
-func seedProxies() ([]proxyInstance, error) {
-	// todo extend with Bind proxy
-	pl := make([]proxyInstance, 0)
-	return pl, nil
-}
-
-func seedProxyForProxyCloseByRemoteConn() ([]proxyInstance, error) {
-	pl := make([]proxyInstance, 0)
-	wgAddress, err := wgaddr.ParseWGAddress("10.0.0.1/32")
-	if err != nil {
-		return nil, err
-	}
-	iceBind := bind.NewICEBind(nil, nil, wgAddress, 1280)
-	endpointAddress := &net.UDPAddr{
-		IP:   net.IPv4(10, 0, 0, 1),
-		Port: 1234,
-	}
-
-	pBind := proxyInstance{
-		name:         "bind proxy",
-		proxy:        bindproxy.NewProxyBind(iceBind, 0),
-		endpointAddr: endpointAddress,
-		closeFn:      func() error { return nil },
-	}
-	pl = append(pl, pBind)
-	return pl, nil
-}

client/internal/connect.go

@@ -45,19 +45,17 @@ type ConnectClient struct {
 	engineMutex    sync.Mutex
 
 	persistSyncResponse bool
-	LogFile             string
 }
 
 func NewConnectClient(
 	ctx context.Context,
 	config *profilemanager.Config,
 	statusRecorder *peer.Status,
-	logFile string,
+
 ) *ConnectClient {
 	return &ConnectClient{
 		ctx:            ctx,
 		config:         config,
-		LogFile:        logFile,
 		statusRecorder: statusRecorder,
 		engineMutex:    sync.Mutex{},
 	}
@@ -263,7 +261,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 
 		peerConfig := loginResp.GetPeerConfig()
 
-		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig, c.LogFile)
+		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
 		if err != nil {
 			log.Error(err)
 			return wrapErr(err)
@@ -272,7 +270,7 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		checks := loginResp.GetChecks()
 
 		c.engineMutex.Lock()
-		c.engine = NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks, c.config)
+		c.engine = NewEngine(engineCtx, cancel, signalClient, mgmClient, relayManager, engineConfig, mobileDependency, c.statusRecorder, checks)
 		c.engine.SetSyncResponsePersistence(c.persistSyncResponse)
 		c.engineMutex.Unlock()
 
@@ -417,7 +415,7 @@ func (c *ConnectClient) SetSyncResponsePersistence(enabled bool) {
 }
 
 // createEngineConfig converts configuration received from Management Service to EngineConfig
-func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConfig *mgmProto.PeerConfig, logFile string) (*EngineConfig, error) {
+func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
 	nm := false
 	if config.NetworkMonitor != nil {
 		nm = *config.NetworkMonitor
@@ -446,9 +444,6 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		BlockInbound:        config.BlockInbound,
 
 		LazyConnectionEnabled: config.LazyConnectionEnabled,
-		LogFile:               logFile,
-
-		ProfileConfig: config,
 	}
 
 	if config.PreSharedKey != "" {

client/internal/debug/upload.go

@@ -1,101 +0,0 @@
-package debug
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/json"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-
-	"github.com/netbirdio/netbird/upload-server/types"
-)
-
-const maxBundleUploadSize = 50 * 1024 * 1024
-
-func UploadDebugBundle(ctx context.Context, url, managementURL, filePath string) (key string, err error) {
-	response, err := getUploadURL(ctx, url, managementURL)
-	if err != nil {
-		return "", err
-	}
-
-	err = upload(ctx, filePath, response)
-	if err != nil {
-		return "", err
-	}
-	return response.Key, nil
-}
-
-func upload(ctx context.Context, filePath string, response *types.GetURLResponse) error {
-	fileData, err := os.Open(filePath)
-	if err != nil {
-		return fmt.Errorf("open file: %w", err)
-	}
-
-	defer fileData.Close()
-
-	stat, err := fileData.Stat()
-	if err != nil {
-		return fmt.Errorf("stat file: %w", err)
-	}
-
-	if stat.Size() > maxBundleUploadSize {
-		return fmt.Errorf("file size exceeds maximum limit of %d bytes", maxBundleUploadSize)
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "PUT", response.URL, fileData)
-	if err != nil {
-		return fmt.Errorf("create PUT request: %w", err)
-	}
-
-	req.ContentLength = stat.Size()
-	req.Header.Set("Content-Type", "application/octet-stream")
-
-	putResp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return fmt.Errorf("upload failed: %v", err)
-	}
-	defer putResp.Body.Close()
-
-	if putResp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(putResp.Body)
-		return fmt.Errorf("upload status %d: %s", putResp.StatusCode, string(body))
-	}
-	return nil
-}
-
-func getUploadURL(ctx context.Context, url string, managementURL string) (*types.GetURLResponse, error) {
-	id := getURLHash(managementURL)
-	getReq, err := http.NewRequestWithContext(ctx, "GET", url+"?id="+id, nil)
-	if err != nil {
-		return nil, fmt.Errorf("create GET request: %w", err)
-	}
-
-	getReq.Header.Set(types.ClientHeader, types.ClientHeaderValue)
-
-	resp, err := http.DefaultClient.Do(getReq)
-	if err != nil {
-		return nil, fmt.Errorf("get presigned URL: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		return nil, fmt.Errorf("get presigned URL status %d: %s", resp.StatusCode, string(body))
-	}
-
-	urlBytes, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, fmt.Errorf("read response body: %w", err)
-	}
-	var response types.GetURLResponse
-	if err := json.Unmarshal(urlBytes, &response); err != nil {
-		return nil, fmt.Errorf("unmarshal response: %w", err)
-	}
-	return &response, nil
-}
-
-func getURLHash(url string) string {
-	return fmt.Sprintf("%x", sha256.Sum256([]byte(url)))
-}

client/internal/dns/host_windows.go

@@ -240,19 +240,15 @@ func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip netip.Addr
 	// if the gpo key is present, we need to put our DNS settings there, otherwise our config might be ignored
 	// see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnrpt/8cc31cb9-20cb-4140-9e85-3e08703b4745
 	for i, domain := range domains {
-		localPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
-		gpoPath := fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+		policyPath := fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i)
+		if r.gpo {
+			policyPath = fmt.Sprintf("%s-%d", gpoDnsPolicyConfigMatchPath, i)
+		}
 
 		singleDomain := []string{domain}
 
-		if err := r.configureDNSPolicy(localPath, singleDomain, ip); err != nil {
-			return i, fmt.Errorf("configure DNS Local policy for domain %s: %w", domain, err)
-		}
-
-		if r.gpo {
-			if err := r.configureDNSPolicy(gpoPath, singleDomain, ip); err != nil {
-				return i, fmt.Errorf("configure gpo DNS policy: %w", err)
-			}
+		if err := r.configureDNSPolicy(policyPath, singleDomain, ip); err != nil {
+			return i, fmt.Errorf("configure DNS policy for domain %s: %w", domain, err)
 		}
 
 		log.Debugf("added NRPT entry for domain: %s", domain)

client/internal/dns/server_js.go

@@ -1,5 +0,0 @@
-package dns
-
-func (s *DefaultServer) initialize() (hostManager, error) {
-	return &noopHostConfigurator{}, nil
-}

client/internal/dns/unclean_shutdown_js.go

@@ -1,19 +0,0 @@
-package dns
-
-import (
-	"context"
-)
-
-type ShutdownState struct{}
-
-func (s *ShutdownState) Name() string {
-	return "dns_state"
-}
-
-func (s *ShutdownState) Cleanup() error {
-	return nil
-}
-
-func (s *ShutdownState) RestoreUncleanShutdownConfigs(context.Context) error {
-	return nil
-}

client/internal/dnsfwd/manager.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"sync"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
@@ -12,18 +11,14 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
-)
-
-var (
-	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
-	listenPort   uint16 = 5353
-	listenPortMu sync.RWMutex
+	"github.com/netbirdio/netbird/route"
 )
 
 const (
-	dnsTTL = 60 //seconds
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	ListenPort = 5353
+	dnsTTL     = 60 //seconds
 )
 
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
@@ -40,20 +35,12 @@ type Manager struct {
 	fwRules      []firewall.Rule
 	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
-	port         uint16
 }
 
-func ListenPort() uint16 {
-	listenPortMu.RLock()
-	defer listenPortMu.RUnlock()
-	return listenPort
-}
-
-func NewManager(fw firewall.Manager, statusRecorder *peer.Status, port uint16) *Manager {
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
-		port:           port,
 	}
 }
 
@@ -67,13 +54,7 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}
 
-	if m.port > 0 {
-		listenPortMu.Lock()
-		listenPort = m.port
-		listenPortMu.Unlock()
-	}
-
-	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort()), dnsTTL, m.firewall, m.statusRecorder)
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -113,7 +94,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
-		Values:  []uint16{ListenPort()},
+		Values:  []uint16{ListenPort},
 	}
 
 	if m.firewall == nil {

client/internal/engine.go

@@ -22,6 +22,8 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/protobuf/proto"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
@@ -32,7 +34,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/acl"
-	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
@@ -49,7 +50,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	"github.com/netbirdio/netbird/client/jobexec"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
@@ -65,8 +65,9 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
+	"github.com/netbirdio/netbird/upload-server/types"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/version"
+	"google.golang.org/grpc/status"
 )
 
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -130,10 +131,7 @@ type EngineConfig struct {
 
 	LazyConnectionEnabled bool
 
-	// for debug bundle generation
-	ProfileConfig *profilemanager.Config
-
-	LogFile string
+	peerDaemonAddr string
 }
 
 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -198,18 +196,11 @@ type Engine struct {
 	stateManager *statemanager.Manager
 	srWatcher    *guard.SRWatcher
 
-	// Sync response persistence (protected by syncRespMux)
-	syncRespMux         sync.RWMutex
+	// Sync response persistence
 	persistSyncResponse bool
 	latestSyncResponse  *mgmProto.SyncResponse
 	connSemaphore       *semaphoregroup.SemaphoreGroup
 	flowManager         nftypes.FlowManager
-
-	jobExecutor   *jobexec.Executor
-	jobExecutorWG sync.WaitGroup
-
-	// dns forwarder port
-	dnsFwdPort uint16
 }
 
 // Peer is an instance of the Connection Peer
@@ -223,7 +214,17 @@ type localIpUpdater interface {
 }
 
 // NewEngine creates a new Connection Engine with probes attached
-func NewEngine(clientCtx context.Context, clientCancel context.CancelFunc, signalClient signal.Client, mgmClient mgm.Client, relayManager *relayClient.Manager, config *EngineConfig, mobileDep MobileDependency, statusRecorder *peer.Status, checks []*mgmProto.Checks, c *profilemanager.Config) *Engine {
+func NewEngine(
+	clientCtx context.Context,
+	clientCancel context.CancelFunc,
+	signalClient signal.Client,
+	mgmClient mgm.Client,
+	relayManager *relayClient.Manager,
+	config *EngineConfig,
+	mobileDep MobileDependency,
+	statusRecorder *peer.Status,
+	checks []*mgmProto.Checks,
+) *Engine {
 	engine := &Engine{
 		clientCtx:      clientCtx,
 		clientCancel:   clientCancel,
@@ -242,8 +243,6 @@ func NewEngine(clientCtx context.Context, clientCancel context.CancelFunc, signa
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
-		jobExecutor:    jobexec.NewExecutor(),
-		dnsFwdPort:     dnsfwd.ListenPort(),
 	}
 
 	sm := profilemanager.NewServiceManager("")
@@ -322,8 +321,6 @@ func (e *Engine) Stop() error {
 		e.cancel()
 	}
 
-	e.jobExecutorWG.Wait() // block until job goroutines finish
-
 	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
 	// Removing peers happens in the conn.Close() asynchronously
 	time.Sleep(500 * time.Millisecond)
@@ -454,7 +451,14 @@ func (e *Engine) Start() error {
 		return fmt.Errorf("initialize dns server: %w", err)
 	}
 
-	iceCfg := e.createICEConfig()
+	iceCfg := icemaker.Config{
+		StunTurn:             &e.stunTurn,
+		InterfaceBlackList:   e.config.IFaceBlackList,
+		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+		UDPMux:               e.udpMux.UDPMuxDefault,
+		UDPMuxSrflx:          e.udpMux,
+		NATExternalIPs:       e.parseNATExternalIPMappings(),
+	}
 
 	e.connMgr = NewConnMgr(e.config, e.statusRecorder, e.peerStore, wgIface)
 	e.connMgr.Start(e.ctx)
@@ -702,18 +706,9 @@ func (e *Engine) handleSync(update *mgmProto.SyncResponse) error {
 		return nil
 	}
 
-	// Persist sync response under the dedicated lock (syncRespMux), not under syncMsgMux.
-	// Read the storage-enabled flag under the syncRespMux too.
-	e.syncRespMux.RLock()
-	enabled := e.persistSyncResponse
-	e.syncRespMux.RUnlock()
-
 	// Store sync response if persistence is enabled
-	if enabled {
-		e.syncRespMux.Lock()
+	if e.persistSyncResponse {
 		e.latestSyncResponse = update
-		e.syncRespMux.Unlock()
-
 		log.Debugf("sync response persisted with serial %d", nm.GetSerial())
 	}
 
@@ -898,27 +893,34 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 
 	return nil
 }
+
+func (e *Engine) getPeerClient(addr string) (*grpc.ClientConn, error) {
+	conn, err := grpc.NewClient(
+		strings.TrimPrefix(addr, "tcp://"),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
+			"If the daemon is not running please run: "+
+			"\nnetbird service install \nnetbird service start\n", err)
+	}
+
+	return conn, nil
+}
+
 func (e *Engine) receiveJobEvents() {
-	e.jobExecutorWG.Add(1)
 	go func() {
-		defer e.jobExecutorWG.Done()
 		err := e.mgmClient.Job(e.ctx, func(msg *mgmProto.JobRequest) *mgmProto.JobResponse {
-			resp := mgmProto.JobResponse{
-				ID:     msg.ID,
-				Status: mgmProto.JobStatus_failed,
-			}
-			switch params := msg.WorkloadParameters.(type) {
-			case *mgmProto.JobRequest_Bundle:
-				bundleResult, err := e.handleBundle(params.Bundle)
-				if err != nil {
-					resp.Reason = []byte(err.Error())
-					return &resp
-				}
-				resp.Status = mgmProto.JobStatus_succeeded
-				resp.WorkloadResults = bundleResult
-				return &resp
-			default:
-				return nil
+			// Simple test handler — replace with real logic
+			log.Infof("Received job request: %+v", msg)
+			// TODO: trigger local debug bundle or other job
+			return &mgmProto.JobResponse{
+				ID: msg.ID,
+				WorkloadResults: &mgmProto.JobResponse_Bundle{
+					Bundle: &mgmProto.BundleResult{
+						UploadKey: "upload-key",
+					},
+				},
 			}
 		})
 		if err != nil {
@@ -933,47 +935,58 @@ func (e *Engine) receiveJobEvents() {
 	log.Debugf("connecting to Management Service jobs stream")
 }
 
-func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (*mgmProto.JobResponse_Bundle, error) {
-	syncResponse, err := e.GetLatestSyncResponse()
+func (e *Engine) handleBundle(params *mgmProto.BundleParameters) (string, error) {
+	conn, err := e.getPeerClient("unix:///var/run/netbird.sock")
 	if err != nil {
-		return nil, fmt.Errorf("get latest sync response: %w", err)
+		return "", err
 	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf("Failed to close connection: %v", err)
+		}
+	}()
 
-	if syncResponse == nil {
-		return nil, errors.New("sync response is not available")
-	}
-
-	// convert fullStatus to statusOutput
-	fullStatus := e.statusRecorder.GetFullStatus()
-	protoFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
-	overview := nbstatus.ConvertToStatusOutputOverview(protoFullStatus, params.Anonymize, version.NetbirdVersion(), "", nil, nil, nil, "", "")
-	statusOutput := nbstatus.ParseToFullDetailSummary(overview)
-
-	bundleDeps := debug.GeneratorDependencies{
-		InternalConfig: e.config.ProfileConfig,
-		StatusRecorder: e.statusRecorder,
-		SyncResponse:   syncResponse,
-		LogFile:        e.config.LogFile,
-	}
-
-	bundleJobParams := debug.BundleConfig{
-		Anonymize:         params.Anonymize,
-		ClientStatus:      statusOutput,
-		IncludeSystemInfo: true,
-		LogFileCount:      uint32(params.LogFileCount),
-	}
-
-	uploadKey, err := e.jobExecutor.BundleJob(e.ctx, bundleDeps, bundleJobParams, e.config.ProfileConfig.ManagementURL.String())
+	statusOutput, err := e.getStatusOutput(params.Anonymize)
 	if err != nil {
-		return nil, err
+		return "", err
+	}
+	request := &cProto.DebugBundleRequest{
+		Anonymize:    params.Anonymize,
+		SystemInfo:   true,
+		Status:       statusOutput,
+		LogFileCount: uint32(params.LogFileCount),
+		UploadURL:    types.DefaultBundleURL,
+	}
+	service := cProto.NewDaemonServiceClient(conn)
+	resp, err := service.DebugBundle(e.clientCtx, request)
+	if err != nil {
+		return "", fmt.Errorf("failed to bundle debug: " + status.Convert(err).Message())
 	}
 
-	response := &mgmProto.JobResponse_Bundle{
-		Bundle: &mgmProto.BundleResult{
-			UploadKey: uploadKey,
-		},
+	if resp.GetUploadFailureReason() != "" {
+		return "", fmt.Errorf("upload failed: " + resp.GetUploadFailureReason())
 	}
-	return response, nil
+	return resp.GetUploadedKey(), nil
+}
+
+func (e *Engine) getStatusOutput(anon bool) (string, error) {
+	conn, err := e.getPeerClient("unix:///var/run/netbird.sock")
+	if err != nil {
+		return "", err
+	}
+	defer func() {
+		if err := conn.Close(); err != nil {
+			log.Errorf("Failed to close connection: %v", err)
+		}
+	}()
+
+	statusResp, err := cProto.NewDaemonServiceClient(conn).Status(e.clientCtx, &cProto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
+	if err != nil {
+		return "", fmt.Errorf("status failed: %v", status.Convert(err).Message())
+	}
+	return nbstatus.ParseToFullDetailSummary(
+		nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
+	), nil
 }
 
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
@@ -1114,7 +1127,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	}
 
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
-	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries, uint16(protoDNSConfig.ForwarderPort))
+	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
 
 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
@@ -1371,7 +1384,14 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 			Addr:           e.getRosenpassAddr(),
 			PermissiveMode: e.config.RosenpassPermissive,
 		},
-		ICEConfig: e.createICEConfig(),
+		ICEConfig: icemaker.Config{
+			StunTurn:             &e.stunTurn,
+			InterfaceBlackList:   e.config.IFaceBlackList,
+			DisableIPv6Discovery: e.config.DisableIPv6Discovery,
+			UDPMux:               e.udpMux.UDPMuxDefault,
+			UDPMuxSrflx:          e.udpMux,
+			NATExternalIPs:       e.parseNATExternalIPMappings(),
+		},
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
@@ -1816,8 +1836,8 @@ func (e *Engine) stopDNSServer() {
 
 // SetSyncResponsePersistence enables or disables sync response persistence
 func (e *Engine) SetSyncResponsePersistence(enabled bool) {
-	e.syncRespMux.Lock()
-	defer e.syncRespMux.Unlock()
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
 
 	if enabled == e.persistSyncResponse {
 		return
@@ -1832,22 +1852,20 @@ func (e *Engine) SetSyncResponsePersistence(enabled bool) {
 
 // GetLatestSyncResponse returns the stored sync response if persistence is enabled
 func (e *Engine) GetLatestSyncResponse() (*mgmProto.SyncResponse, error) {
-	e.syncRespMux.RLock()
-	enabled := e.persistSyncResponse
-	latest := e.latestSyncResponse
-	e.syncRespMux.RUnlock()
+	e.syncMsgMux.Lock()
+	defer e.syncMsgMux.Unlock()
 
-	if !enabled {
+	if !e.persistSyncResponse {
 		return nil, errors.New("sync response persistence is disabled")
 	}
 
-	if latest == nil {
+	if e.latestSyncResponse == nil {
 		//nolint:nilnil
 		return nil, nil
 	}
 
-	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(latest))
-	sr, ok := proto.Clone(latest).(*mgmProto.SyncResponse)
+	log.Debugf("Retrieving latest sync response with size %d bytes", proto.Size(e.latestSyncResponse))
+	sr, ok := proto.Clone(e.latestSyncResponse).(*mgmProto.SyncResponse)
 	if !ok {
 		return nil, fmt.Errorf("failed to clone sync response")
 	}
@@ -1867,7 +1885,6 @@ func (e *Engine) GetWgAddr() netip.Addr {
 func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
-	forwarderPort uint16,
 ) {
 	if e.config.DisableServerRoutes {
 		return
@@ -1884,20 +1901,16 @@ func (e *Engine) updateDNSForwarder(
 	}
 
 	if len(fwdEntries) > 0 {
-		switch {
-		case e.dnsForwardMgr == nil:
-			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, forwarderPort)
+		if e.dnsForwardMgr == nil {
+			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+
 			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
 				log.Errorf("failed to start DNS forward: %v", err)
 				e.dnsForwardMgr = nil
 			}
-			log.Infof("started domain router service with %d entries", len(fwdEntries))
-		case e.dnsFwdPort != forwarderPort:
-			log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
-			e.restartDnsFwd(fwdEntries, forwarderPort)
-			e.dnsFwdPort = forwarderPort
 
-		default:
+			log.Infof("started domain router service with %d entries", len(fwdEntries))
+		} else {
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
@@ -1907,20 +1920,6 @@ func (e *Engine) updateDNSForwarder(
 		}
 		e.dnsForwardMgr = nil
 	}
-
-}
-
-func (e *Engine) restartDnsFwd(fwdEntries []*dnsfwd.ForwarderEntry, forwarderPort uint16) {
-	log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
-	// stop and start the forwarder to apply the new port
-	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
-		log.Errorf("failed to stop DNS forward: %v", err)
-	}
-	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, forwarderPort)
-	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
-		log.Errorf("failed to start DNS forward: %v", err)
-		e.dnsForwardMgr = nil
-	}
 }
 
 func (e *Engine) GetNet() (*netstack.Net, error) {

client/internal/engine_generic.go

@@ -1,19 +0,0 @@
-//go:build !js
-
-package internal
-
-import (
-	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
-)
-
-// createICEConfig creates ICE configuration for non-WASM environments
-func (e *Engine) createICEConfig() icemaker.Config {
-	return icemaker.Config{
-		StunTurn:             &e.stunTurn,
-		InterfaceBlackList:   e.config.IFaceBlackList,
-		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-		UDPMux:               e.udpMux.SingleSocketUDPMux,
-		UDPMuxSrflx:          e.udpMux,
-		NATExternalIPs:       e.parseNATExternalIPMappings(),
-	}
-}

client/internal/engine_js.go

@@ -1,18 +0,0 @@
-//go:build js
-
-package internal
-
-import (
-	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
-)
-
-// createICEConfig creates ICE configuration for WASM environment.
-func (e *Engine) createICEConfig() icemaker.Config {
-	cfg := icemaker.Config{
-		StunTurn:             &e.stunTurn,
-		InterfaceBlackList:   e.config.IFaceBlackList,
-		DisableIPv6Discovery: e.config.DisableIPv6Discovery,
-		NATExternalIPs:       e.parseNATExternalIPMappings(),
-	}
-	return cfg
-}

client/internal/engine_test.go

@@ -27,10 +27,8 @@ import (
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/management-integrations/integrations"
-
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/bind"
@@ -221,13 +219,22 @@ func TestEngine_SSH(t *testing.T) {
 	defer cancel()
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
-		WgIfaceName:      "utun101",
-		WgAddr:           "100.64.0.1/24",
-		WgPrivateKey:     key,
-		WgPort:           33100,
-		ServerSSHAllowed: true,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
+	engine := NewEngine(
+		ctx, cancel,
+		&signal.MockClient{},
+		&mgmt.MockClient{},
+		relayMgr,
+		&EngineConfig{
+			WgIfaceName:      "utun101",
+			WgAddr:           "100.64.0.1/24",
+			WgPrivateKey:     key,
+			WgPort:           33100,
+			ServerSSHAllowed: true,
+		},
+		MobileDependency{},
+		peer.NewRecorder("https://mgm"),
+		nil,
+	)
 
 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -357,12 +364,20 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	defer cancel()
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, relayMgr, &EngineConfig{
-		WgIfaceName:  "utun102",
-		WgAddr:       "100.64.0.1/24",
-		WgPrivateKey: key,
-		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
+	engine := NewEngine(
+		ctx, cancel,
+		&signal.MockClient{},
+		&mgmt.MockClient{},
+		relayMgr,
+		&EngineConfig{
+			WgIfaceName:  "utun102",
+			WgAddr:       "100.64.0.1/24",
+			WgPrivateKey: key,
+			WgPort:       33100,
+		},
+		MobileDependency{},
+		peer.NewRecorder("https://mgm"),
+		nil)
 
 	wgIface := &MockWGIface{
 		NameFunc: func() string { return "utun102" },
@@ -580,7 +595,7 @@ func TestEngine_Sync(t *testing.T) {
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
+	}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 	engine.ctx = ctx
 
 	engine.dnsServer = &dns.MockServer{
@@ -744,7 +759,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
 			newNet, err := stdnet.NewNet()
 			if err != nil {
@@ -945,7 +960,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgAddr:       wgAddr,
 				WgPrivateKey: key,
 				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil)
+			}, MobileDependency{}, peer.NewRecorder("https://mgm"), nil)
 			engine.ctx = ctx
 
 			newNet, err := stdnet.NewNet()
@@ -1469,7 +1484,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String())
-	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil, nil), nil
+	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, relayMgr, conf, MobileDependency{}, peer.NewRecorder("https://mgm"), nil), nil
 	e.ctx = ctx
 	return e, err
 }
@@ -1560,7 +1575,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 	}
 
 	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{})
 	if err != nil {
 		return nil, "", err
 	}

client/internal/netflow/logger/logger.go

@@ -138,7 +138,7 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {
 
 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
-	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == uint16(dnsfwd.ListenPort())) {
+	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == dnsfwd.ListenPort) {
 		return false
 	}
 

client/internal/networkmonitor/check_change_js.go

@@ -1,12 +0,0 @@
-package networkmonitor
-
-import (
-	"context"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	// No-op for WASM - network changes don't apply
-	return nil
-}

client/internal/peer/guard/ice_monitor.go

@@ -3,8 +3,6 @@ package guard
 import (
 	"context"
 	"fmt"
-	"slices"
-	"sort"
 	"sync"
 	"time"
 
@@ -26,8 +24,8 @@ type ICEMonitor struct {
 	iFaceDiscover stdnet.ExternalIFaceDiscover
 	iceConfig     icemaker.Config
 
-	currentCandidatesAddress []string
-	candidatesMu             sync.Mutex
+	currentCandidates []ice.Candidate
+	candidatesMu      sync.Mutex
 }
 
 func NewICEMonitor(iFaceDiscover stdnet.ExternalIFaceDiscover, config icemaker.Config) *ICEMonitor {
@@ -117,21 +115,16 @@ func (cm *ICEMonitor) updateCandidates(newCandidates []ice.Candidate) bool {
 	cm.candidatesMu.Lock()
 	defer cm.candidatesMu.Unlock()
 
-	newAddresses := make([]string, len(newCandidates))
-	for i, c := range newCandidates {
-		newAddresses[i] = c.Address()
-	}
-	sort.Strings(newAddresses)
-
-	if len(cm.currentCandidatesAddress) != len(newAddresses) {
-		cm.currentCandidatesAddress = newAddresses
+	if len(cm.currentCandidates) != len(newCandidates) {
+		cm.currentCandidates = newCandidates
 		return true
 	}
 
-	// Compare elements
-	if !slices.Equal(cm.currentCandidatesAddress, newAddresses) {
-		cm.currentCandidatesAddress = newAddresses
-		return true
+	for i, candidate := range cm.currentCandidates {
+		if candidate.Address() != newCandidates[i].Address() {
+			cm.currentCandidates = newCandidates
+			return true
+		}
 	}
 
 	return false

client/internal/routemanager/dnsinterceptor/handler.go

@@ -7,7 +7,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"time"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
@@ -23,8 +22,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/common"
 	"github.com/netbirdio/netbird/client/internal/routemanager/fakeip"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
+	"github.com/netbirdio/netbird/route"
 )
 
 type domainMap map[domain.Domain][]netip.Prefix
@@ -254,12 +253,8 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
-	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort())
-	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
-	defer cancel()
-
-	startTime := time.Now()
-	reply, _, err := nbdns.ExchangeWithFallback(ctx, client, r, upstream)
+	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort)
+	reply, _, err := nbdns.ExchangeWithFallback(context.TODO(), client, r, upstream)
 	if err != nil {
 		logger.Errorf("failed to exchange DNS request with %s (%s) for domain=%s: %v", upstreamIP.String(), peerKey, r.Question[0].Name, err)
 		if err := w.WriteMsg(&dns.Msg{MsgHdr: dns.MsgHdr{Rcode: dns.RcodeServerFailure, Id: r.Id}}); err != nil {

client/internal/routemanager/systemops/systemops_js.go

@@ -1,48 +0,0 @@
-package systemops
-
-import (
-	"errors"
-	"net"
-	"net/netip"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
-var ErrRouteNotSupported = errors.New("route operations not supported on js")
-
-func (r *SysOps) addToRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
-	return ErrRouteNotSupported
-}
-
-func (r *SysOps) removeFromRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
-	return ErrRouteNotSupported
-}
-
-func GetRoutesFromTable() ([]netip.Prefix, error) {
-	return []netip.Prefix{}, nil
-}
-
-func hasSeparateRouting() ([]netip.Prefix, error) {
-	return []netip.Prefix{}, nil
-}
-
-// GetDetailedRoutesFromTable returns empty routes for WASM.
-func GetDetailedRoutesFromTable() ([]DetailedRoute, error) {
-	return []DetailedRoute{}, nil
-}
-
-func (r *SysOps) AddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
-	return ErrRouteNotSupported
-}
-
-func (r *SysOps) RemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
-	return ErrRouteNotSupported
-}
-
-func (r *SysOps) SetupRouting(initAddresses []net.IP, stateManager *statemanager.Manager, _ bool) error {
-	return nil
-}
-
-func (r *SysOps) CleanupRouting(stateManager *statemanager.Manager, _ bool) error {
-	return nil
-}

client/internal/routemanager/systemops/systemops_nonlinux.go

@@ -1,4 +1,4 @@
-//go:build !linux && !ios && !js
+//go:build !linux && !ios
 
 package systemops
 

client/ios/NetBirdSDK/client.go

@@ -20,8 +20,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
+	"github.com/netbirdio/netbird/route"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -127,8 +127,7 @@ func (c *Client) Run(fd int32, interfaceName string) error {
 	c.onHostDnsFn = func([]string) {}
 	cfg.WgIface = interfaceName
 
-	//todo: do we need to pass logFile here ?
-	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder, "")
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
 	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
 }
 

client/jobexec/executor.go

@@ -1,35 +0,0 @@
-package jobexec
-
-import (
-	"context"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/debug"
-	"github.com/netbirdio/netbird/upload-server/types"
-)
-
-type Executor struct {
-}
-
-func NewExecutor() *Executor {
-	return &Executor{}
-}
-
-func (e *Executor) BundleJob(ctx context.Context, debugBundleDependencies debug.GeneratorDependencies, params debug.BundleConfig, mgmURL string) (string, error) {
-	bundleGenerator := debug.NewBundleGenerator(debugBundleDependencies, params)
-
-	path, err := bundleGenerator.Generate()
-	if err != nil {
-		return "", fmt.Errorf("generate debug bundle: %w", err)
-	}
-
-	key, err := debug.UploadDebugBundle(ctx, types.DefaultBundleURL, mgmURL, path)
-	if err != nil {
-		log.Errorf("failed to upload debug bundle to %v", err)
-		return "", fmt.Errorf("upload debug bundle: %w", err)
-	}
-
-	return key, nil
-}

client/server/debug.go

@@ -4,16 +4,24 @@ package server
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
+	"os"
 
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/internal/debug"
 	"github.com/netbirdio/netbird/client/proto"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
+	"github.com/netbirdio/netbird/upload-server/types"
 )
 
+const maxBundleUploadSize = 50 * 1024 * 1024
+
 // DebugBundle creates a debug bundle and returns the location.
 func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (resp *proto.DebugBundleResponse, err error) {
 	s.mutex.Lock()
@@ -47,7 +55,7 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 	if req.GetUploadURL() == "" {
 		return &proto.DebugBundleResponse{Path: path}, nil
 	}
-	key, err := debug.UploadDebugBundle(context.Background(), req.GetUploadURL(), s.config.ManagementURL.String(), path)
+	key, err := uploadDebugBundle(context.Background(), req.GetUploadURL(), s.config.ManagementURL.String(), path)
 	if err != nil {
 		log.Errorf("failed to upload debug bundle to %s: %v", req.GetUploadURL(), err)
 		return &proto.DebugBundleResponse{Path: path, UploadFailureReason: err.Error()}, nil
@@ -58,6 +66,92 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 	return &proto.DebugBundleResponse{Path: path, UploadedKey: key}, nil
 }
 
+func uploadDebugBundle(ctx context.Context, url, managementURL, filePath string) (key string, err error) {
+	response, err := getUploadURL(ctx, url, managementURL)
+	if err != nil {
+		return "", err
+	}
+
+	err = upload(ctx, filePath, response)
+	if err != nil {
+		return "", err
+	}
+	return response.Key, nil
+}
+
+func upload(ctx context.Context, filePath string, response *types.GetURLResponse) error {
+	fileData, err := os.Open(filePath)
+	if err != nil {
+		return fmt.Errorf("open file: %w", err)
+	}
+
+	defer fileData.Close()
+
+	stat, err := fileData.Stat()
+	if err != nil {
+		return fmt.Errorf("stat file: %w", err)
+	}
+
+	if stat.Size() > maxBundleUploadSize {
+		return fmt.Errorf("file size exceeds maximum limit of %d bytes", maxBundleUploadSize)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, "PUT", response.URL, fileData)
+	if err != nil {
+		return fmt.Errorf("create PUT request: %w", err)
+	}
+
+	req.ContentLength = stat.Size()
+	req.Header.Set("Content-Type", "application/octet-stream")
+
+	putResp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("upload failed: %v", err)
+	}
+	defer putResp.Body.Close()
+
+	if putResp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(putResp.Body)
+		return fmt.Errorf("upload status %d: %s", putResp.StatusCode, string(body))
+	}
+	return nil
+}
+
+func getUploadURL(ctx context.Context, url string, managementURL string) (*types.GetURLResponse, error) {
+	id := getURLHash(managementURL)
+	getReq, err := http.NewRequestWithContext(ctx, "GET", url+"?id="+id, nil)
+	if err != nil {
+		return nil, fmt.Errorf("create GET request: %w", err)
+	}
+
+	getReq.Header.Set(types.ClientHeader, types.ClientHeaderValue)
+
+	resp, err := http.DefaultClient.Do(getReq)
+	if err != nil {
+		return nil, fmt.Errorf("get presigned URL: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("get presigned URL status %d: %s", resp.StatusCode, string(body))
+	}
+
+	urlBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("read response body: %w", err)
+	}
+	var response types.GetURLResponse
+	if err := json.Unmarshal(urlBytes, &response); err != nil {
+		return nil, fmt.Errorf("unmarshal response: %w", err)
+	}
+	return &response, nil
+}
+
+func getURLHash(url string) string {
+	return fmt.Sprintf("%x", sha256.Sum256([]byte(url)))
+}
+
 // GetLogLevel gets the current logging level for the server.
 func (s *Server) GetLogLevel(_ context.Context, _ *proto.GetLogLevelRequest) (*proto.GetLogLevelResponse, error) {
 	s.mutex.Lock()

client/server/debug_test.go

@@ -1,4 +1,4 @@
-package debug
+package server
 
 import (
 	"context"
@@ -38,7 +38,7 @@ func TestUpload(t *testing.T) {
 	fileContent := []byte("test file content")
 	err := os.WriteFile(file, fileContent, 0640)
 	require.NoError(t, err)
-	key, err := UploadDebugBundle(context.Background(), testURL+types.GetURLPath, testURL, file)
+	key, err := uploadDebugBundle(context.Background(), testURL+types.GetURLPath, testURL, file)
 	require.NoError(t, err)
 	id := getURLHash(testURL)
 	require.Contains(t, key, id+"/")

client/server/server.go

@@ -13,12 +13,15 @@ import (
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
+	"golang.org/x/exp/maps"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/protobuf/types/known/durationpb"
 
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
 	gstatus "google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
 
 	"github.com/netbirdio/netbird/client/internal/auth"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
@@ -29,7 +32,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -233,7 +235,7 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, config *profilemanage
 
 	runOperation := func() error {
 		log.Tracef("running client connection")
-		s.connectClient = internal.NewConnectClient(ctx, config, statusRecorder, s.logFile)
+		s.connectClient = internal.NewConnectClient(ctx, config, statusRecorder)
 		s.connectClient.SetSyncResponsePersistence(s.persistSyncResponse)
 
 		err := s.connectClient.Run(runningChan)
@@ -1024,7 +1026,7 @@ func (s *Server) Status(
 		}
 
 		fullStatus := s.statusRecorder.GetFullStatus()
-		pbFullStatus := nbstatus.ToProtoFullStatus(fullStatus)
+		pbFullStatus := toProtoFullStatus(fullStatus)
 		pbFullStatus.Events = s.statusRecorder.GetEventHistory()
 		statusResponse.FullStatus = pbFullStatus
 	}
@@ -1129,6 +1131,93 @@ func (s *Server) onSessionExpire() {
 	}
 }
 
+func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
+	pbFullStatus := proto.FullStatus{
+		ManagementState: &proto.ManagementState{},
+		SignalState:     &proto.SignalState{},
+		LocalPeerState:  &proto.LocalPeerState{},
+		Peers:           []*proto.PeerState{},
+	}
+
+	pbFullStatus.ManagementState.URL = fullStatus.ManagementState.URL
+	pbFullStatus.ManagementState.Connected = fullStatus.ManagementState.Connected
+	if err := fullStatus.ManagementState.Error; err != nil {
+		pbFullStatus.ManagementState.Error = err.Error()
+	}
+
+	pbFullStatus.SignalState.URL = fullStatus.SignalState.URL
+	pbFullStatus.SignalState.Connected = fullStatus.SignalState.Connected
+	if err := fullStatus.SignalState.Error; err != nil {
+		pbFullStatus.SignalState.Error = err.Error()
+	}
+
+	pbFullStatus.LocalPeerState.IP = fullStatus.LocalPeerState.IP
+	pbFullStatus.LocalPeerState.PubKey = fullStatus.LocalPeerState.PubKey
+	pbFullStatus.LocalPeerState.KernelInterface = fullStatus.LocalPeerState.KernelInterface
+	pbFullStatus.LocalPeerState.Fqdn = fullStatus.LocalPeerState.FQDN
+	pbFullStatus.LocalPeerState.RosenpassPermissive = fullStatus.RosenpassState.Permissive
+	pbFullStatus.LocalPeerState.RosenpassEnabled = fullStatus.RosenpassState.Enabled
+	pbFullStatus.LocalPeerState.Networks = maps.Keys(fullStatus.LocalPeerState.Routes)
+	pbFullStatus.NumberOfForwardingRules = int32(fullStatus.NumOfForwardingRules)
+	pbFullStatus.LazyConnectionEnabled = fullStatus.LazyConnectionEnabled
+
+	for _, peerState := range fullStatus.Peers {
+		pbPeerState := &proto.PeerState{
+			IP:                         peerState.IP,
+			PubKey:                     peerState.PubKey,
+			ConnStatus:                 peerState.ConnStatus.String(),
+			ConnStatusUpdate:           timestamppb.New(peerState.ConnStatusUpdate),
+			Relayed:                    peerState.Relayed,
+			LocalIceCandidateType:      peerState.LocalIceCandidateType,
+			RemoteIceCandidateType:     peerState.RemoteIceCandidateType,
+			LocalIceCandidateEndpoint:  peerState.LocalIceCandidateEndpoint,
+			RemoteIceCandidateEndpoint: peerState.RemoteIceCandidateEndpoint,
+			RelayAddress:               peerState.RelayServerAddress,
+			Fqdn:                       peerState.FQDN,
+			LastWireguardHandshake:     timestamppb.New(peerState.LastWireguardHandshake),
+			BytesRx:                    peerState.BytesRx,
+			BytesTx:                    peerState.BytesTx,
+			RosenpassEnabled:           peerState.RosenpassEnabled,
+			Networks:                   maps.Keys(peerState.GetRoutes()),
+			Latency:                    durationpb.New(peerState.Latency),
+		}
+		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
+	}
+
+	for _, relayState := range fullStatus.Relays {
+		pbRelayState := &proto.RelayState{
+			URI:       relayState.URI,
+			Available: relayState.Err == nil,
+		}
+		if err := relayState.Err; err != nil {
+			pbRelayState.Error = err.Error()
+		}
+		pbFullStatus.Relays = append(pbFullStatus.Relays, pbRelayState)
+	}
+
+	for _, dnsState := range fullStatus.NSGroupStates {
+		var err string
+		if dnsState.Error != nil {
+			err = dnsState.Error.Error()
+		}
+
+		var servers []string
+		for _, server := range dnsState.Servers {
+			servers = append(servers, server.String())
+		}
+
+		pbDnsState := &proto.NSGroupState{
+			Servers: servers,
+			Domains: dnsState.Domains,
+			Enabled: dnsState.Enabled,
+			Error:   err,
+		}
+		pbFullStatus.DnsServers = append(pbFullStatus.DnsServers, pbDnsState)
+	}
+
+	return &pbFullStatus
+}
+
 // sendTerminalNotification sends a terminal notification message
 // to inform the user that the NetBird connection session has expired.
 func sendTerminalNotification() error {

client/server/server_test.go

@@ -14,10 +14,8 @@ import (
 	"go.opentelemetry.io/otel"
 
 	"github.com/netbirdio/management-integrations/integrations"
-
 	"github.com/netbirdio/netbird/management/internals/server/config"
 	"github.com/netbirdio/netbird/management/server/groups"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 
 	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
@@ -314,7 +312,7 @@ func startManagement(t *testing.T, signalAddr string, counter *int) (*grpc.Serve
 	}
 
 	secretsManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &server.MockIntegratedValidator{})
+	mgmtServer, err := server.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, jobManager, secretsManager, nil, nil, nil, &server.MockIntegratedValidator{})
 	if err != nil {
 		return nil, "", err
 	}

client/ssh/client.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package ssh
 
 import (

client/ssh/login.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package ssh
 
 import (

client/ssh/server.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package ssh
 
 import (

client/ssh/server_mock.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package ssh
 
 import "context"

client/ssh/server_test.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package ssh
 
 import (

client/ssh/ssh_js.go

@@ -1,137 +0,0 @@
-package ssh
-
-import (
-	"context"
-	"crypto/ed25519"
-	"crypto/rand"
-	"crypto/x509"
-	"encoding/pem"
-	"errors"
-	"strings"
-
-	"golang.org/x/crypto/ssh"
-)
-
-var ErrSSHNotSupported = errors.New("SSH is not supported in WASM environment")
-
-// Server is a dummy SSH server interface for WASM.
-type Server interface {
-	Start() error
-	Stop() error
-	EnableSSH(enabled bool)
-	AddAuthorizedKey(peer string, key string) error
-	RemoveAuthorizedKey(key string)
-}
-
-type dummyServer struct{}
-
-func DefaultSSHServer(hostKeyPEM []byte, addr string) (Server, error) {
-	return &dummyServer{}, nil
-}
-
-func NewServer(addr string) Server {
-	return &dummyServer{}
-}
-
-func (s *dummyServer) Start() error {
-	return ErrSSHNotSupported
-}
-
-func (s *dummyServer) Stop() error {
-	return nil
-}
-
-func (s *dummyServer) EnableSSH(enabled bool) {
-}
-
-func (s *dummyServer) AddAuthorizedKey(peer string, key string) error {
-	return nil
-}
-
-func (s *dummyServer) RemoveAuthorizedKey(key string) {
-}
-
-type Client struct{}
-
-func NewClient(ctx context.Context, addr string, config interface{}, recorder *SessionRecorder) (*Client, error) {
-	return nil, ErrSSHNotSupported
-}
-
-func (c *Client) Close() error {
-	return nil
-}
-
-func (c *Client) Run(command []string) error {
-	return ErrSSHNotSupported
-}
-
-type SessionRecorder struct{}
-
-func NewSessionRecorder() *SessionRecorder {
-	return &SessionRecorder{}
-}
-
-func (r *SessionRecorder) Record(session string, data []byte) {
-}
-
-func GetUserShell() string {
-	return "/bin/sh"
-}
-
-func LookupUserInfo(username string) (string, string, error) {
-	return "", "", ErrSSHNotSupported
-}
-
-const DefaultSSHPort = 44338
-
-const ED25519 = "ed25519"
-
-func isRoot() bool {
-	return false
-}
-
-func GeneratePrivateKey(keyType string) ([]byte, error) {
-	if keyType != ED25519 {
-		return nil, errors.New("only ED25519 keys are supported in WASM")
-	}
-
-	_, privateKey, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, err
-	}
-
-	pkcs8Bytes, err := x509.MarshalPKCS8PrivateKey(privateKey)
-	if err != nil {
-		return nil, err
-	}
-
-	pemBlock := &pem.Block{
-		Type:  "PRIVATE KEY",
-		Bytes: pkcs8Bytes,
-	}
-
-	pemBytes := pem.EncodeToMemory(pemBlock)
-	return pemBytes, nil
-}
-
-func GeneratePublicKey(privateKey []byte) ([]byte, error) {
-	signer, err := ssh.ParsePrivateKey(privateKey)
-	if err != nil {
-		block, _ := pem.Decode(privateKey)
-		if block != nil {
-			key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-			if err != nil {
-				return nil, err
-			}
-			signer, err = ssh.NewSignerFromKey(key)
-			if err != nil {
-				return nil, err
-			}
-		} else {
-			return nil, err
-		}
-	}
-
-	pubKeyBytes := ssh.MarshalAuthorizedKey(signer.PublicKey())
-	return []byte(strings.TrimSpace(string(pubKeyBytes))), nil
-}

client/ssh/util.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package ssh
 
 import (

client/status/status.go

@@ -11,8 +11,6 @@ import (
 	"strings"
 	"time"
 
-	"google.golang.org/protobuf/types/known/durationpb"
-	"google.golang.org/protobuf/types/known/timestamppb"
 	"gopkg.in/yaml.v3"
 
 	"github.com/netbirdio/netbird/client/anonymize"
@@ -20,7 +18,6 @@ import (
 	"github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	"github.com/netbirdio/netbird/version"
-	"golang.org/x/exp/maps"
 )
 
 type PeerStateDetailOutput struct {
@@ -104,7 +101,9 @@ type OutputOverview struct {
 	ProfileName             string                     `json:"profileName" yaml:"profileName"`
 }
 
-func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, anon bool, daemonVersion string, statusFilter string, prefixNamesFilter []string, prefixNamesFilterMap map[string]struct{}, ipsFilter map[string]struct{}, connectionTypeFilter string, profName string) OutputOverview {
+func ConvertToStatusOutputOverview(resp *proto.StatusResponse, anon bool, statusFilter string, prefixNamesFilter []string, prefixNamesFilterMap map[string]struct{}, ipsFilter map[string]struct{}, connectionTypeFilter string, profName string) OutputOverview {
+	pbFullStatus := resp.GetFullStatus()
+
 	managementState := pbFullStatus.GetManagementState()
 	managementOverview := ManagementStateOutput{
 		URL:       managementState.GetURL(),
@@ -120,12 +119,12 @@ func ConvertToStatusOutputOverview(pbFullStatus *proto.FullStatus, anon bool, da
 	}
 
 	relayOverview := mapRelays(pbFullStatus.GetRelays())
-	peersOverview := mapPeers(pbFullStatus.GetPeers(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilter, connectionTypeFilter)
+	peersOverview := mapPeers(resp.GetFullStatus().GetPeers(), statusFilter, prefixNamesFilter, prefixNamesFilterMap, ipsFilter, connectionTypeFilter)
 
 	overview := OutputOverview{
 		Peers:                   peersOverview,
 		CliVersion:              version.NetbirdVersion(),
-		DaemonVersion:           daemonVersion,
+		DaemonVersion:           resp.GetDaemonVersion(),
 		ManagementState:         managementOverview,
 		SignalState:             signalOverview,
 		Relays:                  relayOverview,
@@ -459,93 +458,6 @@ func ParseToFullDetailSummary(overview OutputOverview) string {
 	)
 }
 
-func ToProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
-	pbFullStatus := proto.FullStatus{
-		ManagementState: &proto.ManagementState{},
-		SignalState:     &proto.SignalState{},
-		LocalPeerState:  &proto.LocalPeerState{},
-		Peers:           []*proto.PeerState{},
-	}
-
-	pbFullStatus.ManagementState.URL = fullStatus.ManagementState.URL
-	pbFullStatus.ManagementState.Connected = fullStatus.ManagementState.Connected
-	if err := fullStatus.ManagementState.Error; err != nil {
-		pbFullStatus.ManagementState.Error = err.Error()
-	}
-
-	pbFullStatus.SignalState.URL = fullStatus.SignalState.URL
-	pbFullStatus.SignalState.Connected = fullStatus.SignalState.Connected
-	if err := fullStatus.SignalState.Error; err != nil {
-		pbFullStatus.SignalState.Error = err.Error()
-	}
-
-	pbFullStatus.LocalPeerState.IP = fullStatus.LocalPeerState.IP
-	pbFullStatus.LocalPeerState.PubKey = fullStatus.LocalPeerState.PubKey
-	pbFullStatus.LocalPeerState.KernelInterface = fullStatus.LocalPeerState.KernelInterface
-	pbFullStatus.LocalPeerState.Fqdn = fullStatus.LocalPeerState.FQDN
-	pbFullStatus.LocalPeerState.RosenpassPermissive = fullStatus.RosenpassState.Permissive
-	pbFullStatus.LocalPeerState.RosenpassEnabled = fullStatus.RosenpassState.Enabled
-	pbFullStatus.LocalPeerState.Networks = maps.Keys(fullStatus.LocalPeerState.Routes)
-	pbFullStatus.NumberOfForwardingRules = int32(fullStatus.NumOfForwardingRules)
-	pbFullStatus.LazyConnectionEnabled = fullStatus.LazyConnectionEnabled
-
-	for _, peerState := range fullStatus.Peers {
-		pbPeerState := &proto.PeerState{
-			IP:                         peerState.IP,
-			PubKey:                     peerState.PubKey,
-			ConnStatus:                 peerState.ConnStatus.String(),
-			ConnStatusUpdate:           timestamppb.New(peerState.ConnStatusUpdate),
-			Relayed:                    peerState.Relayed,
-			LocalIceCandidateType:      peerState.LocalIceCandidateType,
-			RemoteIceCandidateType:     peerState.RemoteIceCandidateType,
-			LocalIceCandidateEndpoint:  peerState.LocalIceCandidateEndpoint,
-			RemoteIceCandidateEndpoint: peerState.RemoteIceCandidateEndpoint,
-			RelayAddress:               peerState.RelayServerAddress,
-			Fqdn:                       peerState.FQDN,
-			LastWireguardHandshake:     timestamppb.New(peerState.LastWireguardHandshake),
-			BytesRx:                    peerState.BytesRx,
-			BytesTx:                    peerState.BytesTx,
-			RosenpassEnabled:           peerState.RosenpassEnabled,
-			Networks:                   maps.Keys(peerState.GetRoutes()),
-			Latency:                    durationpb.New(peerState.Latency),
-		}
-		pbFullStatus.Peers = append(pbFullStatus.Peers, pbPeerState)
-	}
-
-	for _, relayState := range fullStatus.Relays {
-		pbRelayState := &proto.RelayState{
-			URI:       relayState.URI,
-			Available: relayState.Err == nil,
-		}
-		if err := relayState.Err; err != nil {
-			pbRelayState.Error = err.Error()
-		}
-		pbFullStatus.Relays = append(pbFullStatus.Relays, pbRelayState)
-	}
-
-	for _, dnsState := range fullStatus.NSGroupStates {
-		var err string
-		if dnsState.Error != nil {
-			err = dnsState.Error.Error()
-		}
-
-		var servers []string
-		for _, server := range dnsState.Servers {
-			servers = append(servers, server.String())
-		}
-
-		pbDnsState := &proto.NSGroupState{
-			Servers: servers,
-			Domains: dnsState.Domains,
-			Enabled: dnsState.Enabled,
-			Error:   err,
-		}
-		pbFullStatus.DnsServers = append(pbFullStatus.DnsServers, pbDnsState)
-	}
-
-	return &pbFullStatus
-}
-
 func parsePeers(peers PeersStateOutput, rosenpassEnabled, rosenpassPermissive bool) string {
 	var (
 		peersString = ""
@@ -825,4 +737,3 @@ func anonymizeOverview(a *anonymize.Anonymizer, overview *OutputOverview) {
 		}
 	}
 }
-

client/status/status_test.go

@@ -234,7 +234,7 @@ var overview = OutputOverview{
 }
 
 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
-	convertedResult := ConvertToStatusOutputOverview(resp.GetFullStatus(), false, resp.GetDaemonVersion(), "", nil, nil, nil, "", "")
+	convertedResult := ConvertToStatusOutputOverview(resp, false, "", nil, nil, nil, "", "")
 
 	assert.Equal(t, overview, convertedResult)
 }

client/system/info_js.go

@@ -1,231 +0,0 @@
-package system
-
-import (
-	"context"
-	"runtime"
-	"strings"
-	"syscall/js"
-
-	"github.com/netbirdio/netbird/version"
-)
-
-// UpdateStaticInfoAsync is a no-op on JS as there is no static info to update
-func UpdateStaticInfoAsync() {
-	// do nothing
-}
-
-// GetInfo retrieves system information for WASM environment
-func GetInfo(_ context.Context) *Info {
-	info := &Info{
-		GoOS:           runtime.GOOS,
-		Kernel:         runtime.GOARCH,
-		KernelVersion:  runtime.GOARCH,
-		Platform:       runtime.GOARCH,
-		OS:             runtime.GOARCH,
-		Hostname:       "wasm-client",
-		CPUs:           runtime.NumCPU(),
-		NetbirdVersion: version.NetbirdVersion(),
-	}
-
-	collectBrowserInfo(info)
-	collectLocationInfo(info)
-	collectSystemInfo(info)
-	return info
-}
-
-func collectBrowserInfo(info *Info) {
-	navigator := js.Global().Get("navigator")
-	if navigator.IsUndefined() {
-		return
-	}
-
-	collectUserAgent(info, navigator)
-	collectPlatform(info, navigator)
-	collectCPUInfo(info, navigator)
-}
-
-func collectUserAgent(info *Info, navigator js.Value) {
-	ua := navigator.Get("userAgent")
-	if ua.IsUndefined() {
-		return
-	}
-
-	userAgent := ua.String()
-	os, osVersion := parseOSFromUserAgent(userAgent)
-	if os != "" {
-		info.OS = os
-	}
-	if osVersion != "" {
-		info.OSVersion = osVersion
-	}
-}
-
-func collectPlatform(info *Info, navigator js.Value) {
-	// Try regular platform property
-	if plat := navigator.Get("platform"); !plat.IsUndefined() {
-		if platStr := plat.String(); platStr != "" {
-			info.Platform = platStr
-		}
-	}
-
-	// Try newer userAgentData API for more accurate platform
-	userAgentData := navigator.Get("userAgentData")
-	if userAgentData.IsUndefined() {
-		return
-	}
-
-	platformInfo := userAgentData.Get("platform")
-	if !platformInfo.IsUndefined() {
-		if platStr := platformInfo.String(); platStr != "" {
-			info.Platform = platStr
-		}
-	}
-}
-
-func collectCPUInfo(info *Info, navigator js.Value) {
-	hardwareConcurrency := navigator.Get("hardwareConcurrency")
-	if !hardwareConcurrency.IsUndefined() {
-		info.CPUs = hardwareConcurrency.Int()
-	}
-}
-
-func collectLocationInfo(info *Info) {
-	location := js.Global().Get("location")
-	if location.IsUndefined() {
-		return
-	}
-
-	if host := location.Get("hostname"); !host.IsUndefined() {
-		hostnameStr := host.String()
-		if hostnameStr != "" && hostnameStr != "localhost" {
-			info.Hostname = hostnameStr
-		}
-	}
-}
-
-func checkFileAndProcess(_ []string) ([]File, error) {
-	return []File{}, nil
-}
-
-func collectSystemInfo(info *Info) {
-	navigator := js.Global().Get("navigator")
-	if navigator.IsUndefined() {
-		return
-	}
-
-	if vendor := navigator.Get("vendor"); !vendor.IsUndefined() {
-		info.SystemManufacturer = vendor.String()
-	}
-
-	if product := navigator.Get("product"); !product.IsUndefined() {
-		info.SystemProductName = product.String()
-	}
-
-	if userAgent := navigator.Get("userAgent"); !userAgent.IsUndefined() {
-		ua := userAgent.String()
-		info.Environment = detectEnvironmentFromUA(ua)
-	}
-}
-
-func parseOSFromUserAgent(userAgent string) (string, string) {
-	if userAgent == "" {
-		return "", ""
-	}
-
-	switch {
-	case strings.Contains(userAgent, "Windows NT"):
-		return parseWindowsVersion(userAgent)
-	case strings.Contains(userAgent, "Mac OS X"):
-		return parseMacOSVersion(userAgent)
-	case strings.Contains(userAgent, "FreeBSD"):
-		return "FreeBSD", ""
-	case strings.Contains(userAgent, "OpenBSD"):
-		return "OpenBSD", ""
-	case strings.Contains(userAgent, "NetBSD"):
-		return "NetBSD", ""
-	case strings.Contains(userAgent, "Linux"):
-		return parseLinuxVersion(userAgent)
-	case strings.Contains(userAgent, "iPhone") || strings.Contains(userAgent, "iPad"):
-		return parseiOSVersion(userAgent)
-	case strings.Contains(userAgent, "CrOS"):
-		return "ChromeOS", ""
-	default:
-		return "", ""
-	}
-}
-
-func parseWindowsVersion(userAgent string) (string, string) {
-	switch {
-	case strings.Contains(userAgent, "Windows NT 10.0; Win64; x64"):
-		return "Windows", "10/11"
-	case strings.Contains(userAgent, "Windows NT 10.0"):
-		return "Windows", "10"
-	case strings.Contains(userAgent, "Windows NT 6.3"):
-		return "Windows", "8.1"
-	case strings.Contains(userAgent, "Windows NT 6.2"):
-		return "Windows", "8"
-	case strings.Contains(userAgent, "Windows NT 6.1"):
-		return "Windows", "7"
-	default:
-		return "Windows", "Unknown"
-	}
-}
-
-func parseMacOSVersion(userAgent string) (string, string) {
-	idx := strings.Index(userAgent, "Mac OS X ")
-	if idx == -1 {
-		return "macOS", "Unknown"
-	}
-
-	versionStart := idx + len("Mac OS X ")
-	versionEnd := strings.Index(userAgent[versionStart:], ")")
-	if versionEnd <= 0 {
-		return "macOS", "Unknown"
-	}
-
-	ver := userAgent[versionStart : versionStart+versionEnd]
-	ver = strings.ReplaceAll(ver, "_", ".")
-	return "macOS", ver
-}
-
-func parseLinuxVersion(userAgent string) (string, string) {
-	if strings.Contains(userAgent, "Android") {
-		return "Android", extractAndroidVersion(userAgent)
-	}
-	if strings.Contains(userAgent, "Ubuntu") {
-		return "Ubuntu", ""
-	}
-	return "Linux", ""
-}
-
-func parseiOSVersion(userAgent string) (string, string) {
-	idx := strings.Index(userAgent, "OS ")
-	if idx == -1 {
-		return "iOS", "Unknown"
-	}
-
-	versionStart := idx + 3
-	versionEnd := strings.Index(userAgent[versionStart:], " ")
-	if versionEnd <= 0 {
-		return "iOS", "Unknown"
-	}
-
-	ver := userAgent[versionStart : versionStart+versionEnd]
-	ver = strings.ReplaceAll(ver, "_", ".")
-	return "iOS", ver
-}
-
-func extractAndroidVersion(userAgent string) string {
-	if idx := strings.Index(userAgent, "Android "); idx != -1 {
-		versionStart := idx + len("Android ")
-		versionEnd := strings.IndexAny(userAgent[versionStart:], ";)")
-		if versionEnd > 0 {
-			return userAgent[versionStart : versionStart+versionEnd]
-		}
-	}
-	return "Unknown"
-}
-
-func detectEnvironmentFromUA(_ string) Environment {
-	return Environment{}
-}

client/ui/debug.go

@@ -433,7 +433,7 @@ func (s *serviceClient) collectDebugData(
 
 	var postUpStatusOutput string
 	if postUpStatus != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(postUpStatus.GetFullStatus(), params.anonymize, postUpStatus.GetDaemonVersion(), "", nil, nil, nil, "", "")
+		overview := nbstatus.ConvertToStatusOutputOverview(postUpStatus, params.anonymize, "", nil, nil, nil, "", "")
 		postUpStatusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 	headerPostUp := fmt.Sprintf("----- NetBird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
@@ -450,7 +450,7 @@ func (s *serviceClient) collectDebugData(
 
 	var preDownStatusOutput string
 	if preDownStatus != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(preDownStatus.GetFullStatus(), params.anonymize, preDownStatus.GetDaemonVersion(), "", nil, nil, nil, "", "")
+		overview := nbstatus.ConvertToStatusOutputOverview(preDownStatus, params.anonymize, "", nil, nil, nil, "", "")
 		preDownStatusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 	headerPreDown := fmt.Sprintf("----- NetBird pre-down - Timestamp: %s - Duration: %s",
@@ -581,7 +581,7 @@ func (s *serviceClient) createDebugBundle(anonymize bool, systemInfo bool, uploa
 
 	var statusOutput string
 	if statusResp != nil {
-		overview := nbstatus.ConvertToStatusOutputOverview(statusResp.GetFullStatus(), anonymize, statusResp.GetDaemonVersion(), "", nil, nil, nil, "", "")
+		overview := nbstatus.ConvertToStatusOutputOverview(statusResp, anonymize, "", nil, nil, nil, "", "")
 		statusOutput = nbstatus.ParseToFullDetailSummary(overview)
 	}
 

client/wasm/cmd/main.go

@@ -1,245 +0,0 @@
-//go:build js
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"syscall/js"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	netbird "github.com/netbirdio/netbird/client/embed"
-	"github.com/netbirdio/netbird/client/wasm/internal/http"
-	"github.com/netbirdio/netbird/client/wasm/internal/rdp"
-	"github.com/netbirdio/netbird/client/wasm/internal/ssh"
-	"github.com/netbirdio/netbird/util"
-)
-
-const (
-	clientStartTimeout = 30 * time.Second
-	clientStopTimeout  = 10 * time.Second
-	defaultLogLevel    = "warn"
-)
-
-func main() {
-	js.Global().Set("NetBirdClient", js.FuncOf(netBirdClientConstructor))
-
-	select {}
-}
-
-func startClient(ctx context.Context, nbClient *netbird.Client) error {
-	log.Info("Starting NetBird client...")
-	if err := nbClient.Start(ctx); err != nil {
-		return err
-	}
-	log.Info("NetBird client started successfully")
-	return nil
-}
-
-// parseClientOptions extracts NetBird options from JavaScript object
-func parseClientOptions(jsOptions js.Value) (netbird.Options, error) {
-	options := netbird.Options{
-		DeviceName: "dashboard-client",
-		LogLevel:   defaultLogLevel,
-	}
-
-	if jwtToken := jsOptions.Get("jwtToken"); !jwtToken.IsNull() && !jwtToken.IsUndefined() {
-		options.JWTToken = jwtToken.String()
-	}
-
-	if setupKey := jsOptions.Get("setupKey"); !setupKey.IsNull() && !setupKey.IsUndefined() {
-		options.SetupKey = setupKey.String()
-	}
-
-	if privateKey := jsOptions.Get("privateKey"); !privateKey.IsNull() && !privateKey.IsUndefined() {
-		options.PrivateKey = privateKey.String()
-	}
-
-	if mgmtURL := jsOptions.Get("managementURL"); !mgmtURL.IsNull() && !mgmtURL.IsUndefined() {
-		mgmtURLStr := mgmtURL.String()
-		if mgmtURLStr != "" {
-			options.ManagementURL = mgmtURLStr
-		}
-	}
-
-	if logLevel := jsOptions.Get("logLevel"); !logLevel.IsNull() && !logLevel.IsUndefined() {
-		options.LogLevel = logLevel.String()
-	}
-
-	if deviceName := jsOptions.Get("deviceName"); !deviceName.IsNull() && !deviceName.IsUndefined() {
-		options.DeviceName = deviceName.String()
-	}
-
-	return options, nil
-}
-
-// createStartMethod creates the start method for the client
-func createStartMethod(client *netbird.Client) js.Func {
-	return js.FuncOf(func(this js.Value, args []js.Value) any {
-		return createPromise(func(resolve, reject js.Value) {
-			ctx, cancel := context.WithTimeout(context.Background(), clientStartTimeout)
-			defer cancel()
-
-			if err := startClient(ctx, client); err != nil {
-				reject.Invoke(js.ValueOf(err.Error()))
-				return
-			}
-
-			resolve.Invoke(js.ValueOf(true))
-		})
-	})
-}
-
-// createStopMethod creates the stop method for the client
-func createStopMethod(client *netbird.Client) js.Func {
-	return js.FuncOf(func(this js.Value, args []js.Value) any {
-		return createPromise(func(resolve, reject js.Value) {
-			ctx, cancel := context.WithTimeout(context.Background(), clientStopTimeout)
-			defer cancel()
-
-			if err := client.Stop(ctx); err != nil {
-				log.Errorf("Error stopping client: %v", err)
-				reject.Invoke(js.ValueOf(err.Error()))
-				return
-			}
-
-			log.Info("NetBird client stopped")
-			resolve.Invoke(js.ValueOf(true))
-		})
-	})
-}
-
-// createSSHMethod creates the SSH connection method
-func createSSHMethod(client *netbird.Client) js.Func {
-	return js.FuncOf(func(this js.Value, args []js.Value) any {
-		if len(args) < 2 {
-			return js.ValueOf("error: requires host and port")
-		}
-
-		host := args[0].String()
-		port := args[1].Int()
-		username := "root"
-		if len(args) > 2 && args[2].String() != "" {
-			username = args[2].String()
-		}
-
-		return createPromise(func(resolve, reject js.Value) {
-			sshClient := ssh.NewClient(client)
-
-			if err := sshClient.Connect(host, port, username); err != nil {
-				reject.Invoke(err.Error())
-				return
-			}
-
-			if err := sshClient.StartSession(80, 24); err != nil {
-				if closeErr := sshClient.Close(); closeErr != nil {
-					log.Errorf("Error closing SSH client: %v", closeErr)
-				}
-				reject.Invoke(err.Error())
-				return
-			}
-
-			jsInterface := ssh.CreateJSInterface(sshClient)
-			resolve.Invoke(jsInterface)
-		})
-	})
-}
-
-// createProxyRequestMethod creates the proxyRequest method
-func createProxyRequestMethod(client *netbird.Client) js.Func {
-	return js.FuncOf(func(this js.Value, args []js.Value) any {
-		if len(args) < 1 {
-			return js.ValueOf("error: request details required")
-		}
-
-		request := args[0]
-
-		return createPromise(func(resolve, reject js.Value) {
-			response, err := http.ProxyRequest(client, request)
-			if err != nil {
-				reject.Invoke(err.Error())
-				return
-			}
-			resolve.Invoke(response)
-		})
-	})
-}
-
-// createRDPProxyMethod creates the RDP proxy method
-func createRDPProxyMethod(client *netbird.Client) js.Func {
-	return js.FuncOf(func(_ js.Value, args []js.Value) any {
-		if len(args) < 2 {
-			return js.ValueOf("error: hostname and port required")
-		}
-
-		proxy := rdp.NewRDCleanPathProxy(client)
-		return proxy.CreateProxy(args[0].String(), args[1].String())
-	})
-}
-
-// createPromise is a helper to create JavaScript promises
-func createPromise(handler func(resolve, reject js.Value)) js.Value {
-	return js.Global().Get("Promise").New(js.FuncOf(func(_ js.Value, promiseArgs []js.Value) any {
-		resolve := promiseArgs[0]
-		reject := promiseArgs[1]
-
-		go handler(resolve, reject)
-
-		return nil
-	}))
-}
-
-// createClientObject wraps the NetBird client in a JavaScript object
-func createClientObject(client *netbird.Client) js.Value {
-	obj := make(map[string]interface{})
-
-	obj["start"] = createStartMethod(client)
-	obj["stop"] = createStopMethod(client)
-	obj["createSSHConnection"] = createSSHMethod(client)
-	obj["proxyRequest"] = createProxyRequestMethod(client)
-	obj["createRDPProxy"] = createRDPProxyMethod(client)
-
-	return js.ValueOf(obj)
-}
-
-// netBirdClientConstructor acts as a JavaScript constructor function
-func netBirdClientConstructor(this js.Value, args []js.Value) any {
-	return js.Global().Get("Promise").New(js.FuncOf(func(this js.Value, promiseArgs []js.Value) any {
-		resolve := promiseArgs[0]
-		reject := promiseArgs[1]
-
-		if len(args) < 1 {
-			reject.Invoke(js.ValueOf("Options object required"))
-			return nil
-		}
-
-		go func() {
-			options, err := parseClientOptions(args[0])
-			if err != nil {
-				reject.Invoke(js.ValueOf(err.Error()))
-				return
-			}
-
-			if err := util.InitLog(options.LogLevel, util.LogConsole); err != nil {
-				log.Warnf("Failed to initialize logging: %v", err)
-			}
-
-			log.Infof("Creating NetBird client with options: deviceName=%s, hasJWT=%v, hasSetupKey=%v, mgmtURL=%s",
-				options.DeviceName, options.JWTToken != "", options.SetupKey != "", options.ManagementURL)
-
-			client, err := netbird.New(options)
-			if err != nil {
-				reject.Invoke(js.ValueOf(fmt.Sprintf("create client: %v", err)))
-				return
-			}
-
-			clientObj := createClientObject(client)
-			log.Info("NetBird client created successfully")
-			resolve.Invoke(clientObj)
-		}()
-
-		return nil
-	}))
-}

client/wasm/internal/http/http.go

@@ -1,100 +0,0 @@
-//go:build js
-
-package http
-
-import (
-	"fmt"
-	"io"
-	log "github.com/sirupsen/logrus"
-	"net/http"
-	"strings"
-	"syscall/js"
-	"time"
-
-	netbird "github.com/netbirdio/netbird/client/embed"
-)
-
-const (
-	httpTimeout     = 30 * time.Second
-	maxResponseSize = 1024 * 1024 // 1MB
-)
-
-// performRequest executes an HTTP request through NetBird and returns the response and body
-func performRequest(nbClient *netbird.Client, method, url string, headers map[string]string, body []byte) (*http.Response, []byte, error) {
-	httpClient := nbClient.NewHTTPClient()
-	httpClient.Timeout = httpTimeout
-
-	req, err := http.NewRequest(method, url, strings.NewReader(string(body)))
-	if err != nil {
-		return nil, nil, fmt.Errorf("create request: %w", err)
-	}
-
-	for key, value := range headers {
-		req.Header.Set(key, value)
-	}
-
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return nil, nil, fmt.Errorf("request failed: %w", err)
-	}
-	defer func() {
-		if err := resp.Body.Close(); err != nil {
-			log.Errorf("failed to close response body: %v", err)
-		}
-	}()
-
-	respBody, err := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize))
-	if err != nil {
-		return nil, nil, fmt.Errorf("read response: %w", err)
-	}
-
-	return resp, respBody, nil
-}
-
-// ProxyRequest performs a proxied HTTP request through NetBird and returns a JavaScript object
-func ProxyRequest(nbClient *netbird.Client, request js.Value) (js.Value, error) {
-	url := request.Get("url").String()
-	if url == "" {
-		return js.Undefined(), fmt.Errorf("URL is required")
-	}
-
-	method := "GET"
-	if methodVal := request.Get("method"); !methodVal.IsNull() && !methodVal.IsUndefined() {
-		method = strings.ToUpper(methodVal.String())
-	}
-
-	var requestBody []byte
-	if bodyVal := request.Get("body"); !bodyVal.IsNull() && !bodyVal.IsUndefined() {
-		requestBody = []byte(bodyVal.String())
-	}
-
-	requestHeaders := make(map[string]string)
-	if headersVal := request.Get("headers"); !headersVal.IsNull() && !headersVal.IsUndefined() && headersVal.Type() == js.TypeObject {
-		headerKeys := js.Global().Get("Object").Call("keys", headersVal)
-		for i := 0; i < headerKeys.Length(); i++ {
-			key := headerKeys.Index(i).String()
-			value := headersVal.Get(key).String()
-			requestHeaders[key] = value
-		}
-	}
-
-	resp, body, err := performRequest(nbClient, method, url, requestHeaders, requestBody)
-	if err != nil {
-		return js.Undefined(), err
-	}
-
-	result := js.Global().Get("Object").New()
-	result.Set("status", resp.StatusCode)
-	result.Set("statusText", resp.Status)
-	result.Set("body", string(body))
-
-	headers := js.Global().Get("Object").New()
-	for key, values := range resp.Header {
-		if len(values) > 0 {
-			headers.Set(strings.ToLower(key), values[0])
-		}
-	}
-	result.Set("headers", headers)
-
-	return result, nil
-}

client/wasm/internal/rdp/cert_validation.go

@@ -1,96 +0,0 @@
-//go:build js
-
-package rdp
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"fmt"
-	"syscall/js"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	certValidationTimeout = 60 * time.Second
-)
-
-func (p *RDCleanPathProxy) validateCertificateWithJS(conn *proxyConnection, certChain [][]byte) (bool, error) {
-	if !conn.wsHandlers.Get("onCertificateRequest").Truthy() {
-		return false, fmt.Errorf("certificate validation handler not configured")
-	}
-
-	certInfo := js.Global().Get("Object").New()
-	certInfo.Set("ServerAddr", conn.destination)
-
-	certArray := js.Global().Get("Array").New()
-	for i, certBytes := range certChain {
-		uint8Array := js.Global().Get("Uint8Array").New(len(certBytes))
-		js.CopyBytesToJS(uint8Array, certBytes)
-		certArray.SetIndex(i, uint8Array)
-	}
-	certInfo.Set("ServerCertChain", certArray)
-	if len(certChain) > 0 {
-		cert, err := x509.ParseCertificate(certChain[0])
-		if err == nil {
-			info := js.Global().Get("Object").New()
-			info.Set("subject", cert.Subject.String())
-			info.Set("issuer", cert.Issuer.String())
-			info.Set("validFrom", cert.NotBefore.Format(time.RFC3339))
-			info.Set("validTo", cert.NotAfter.Format(time.RFC3339))
-			info.Set("serialNumber", cert.SerialNumber.String())
-			certInfo.Set("CertificateInfo", info)
-		}
-	}
-
-	promise := conn.wsHandlers.Call("onCertificateRequest", certInfo)
-
-	resultChan := make(chan bool)
-	errorChan := make(chan error)
-
-	promise.Call("then", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		result := args[0].Bool()
-		resultChan <- result
-		return nil
-	})).Call("catch", js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		errorChan <- fmt.Errorf("certificate validation failed")
-		return nil
-	}))
-
-	select {
-	case result := <-resultChan:
-		if result {
-			log.Info("Certificate accepted by user")
-		} else {
-			log.Info("Certificate rejected by user")
-		}
-		return result, nil
-	case err := <-errorChan:
-		return false, err
-	case <-time.After(certValidationTimeout):
-		return false, fmt.Errorf("certificate validation timeout")
-	}
-}
-
-func (p *RDCleanPathProxy) getTLSConfigWithValidation(conn *proxyConnection) *tls.Config {
-	return &tls.Config{
-		InsecureSkipVerify: true, // We'll validate manually after handshake
-		VerifyConnection: func(cs tls.ConnectionState) error {
-			var certChain [][]byte
-			for _, cert := range cs.PeerCertificates {
-				certChain = append(certChain, cert.Raw)
-			}
-
-			accepted, err := p.validateCertificateWithJS(conn, certChain)
-			if err != nil {
-				return err
-			}
-			if !accepted {
-				return fmt.Errorf("certificate rejected by user")
-			}
-
-			return nil
-		},
-	}
-}

client/wasm/internal/rdp/rdcleanpath.go

@@ -1,271 +0,0 @@
-//go:build js
-
-package rdp
-
-import (
-	"context"
-	"crypto/tls"
-	"encoding/asn1"
-	"fmt"
-	"io"
-	"net"
-	"sync"
-	"syscall/js"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	RDCleanPathVersion     = 3390
-	RDCleanPathProxyHost   = "rdcleanpath.proxy.local"
-	RDCleanPathProxyScheme = "ws"
-)
-
-type RDCleanPathPDU struct {
-	Version           int64    `asn1:"tag:0,explicit"`
-	Error             []byte   `asn1:"tag:1,explicit,optional"`
-	Destination       string   `asn1:"utf8,tag:2,explicit,optional"`
-	ProxyAuth         string   `asn1:"utf8,tag:3,explicit,optional"`
-	ServerAuth        string   `asn1:"utf8,tag:4,explicit,optional"`
-	PreconnectionBlob string   `asn1:"utf8,tag:5,explicit,optional"`
-	X224ConnectionPDU []byte   `asn1:"tag:6,explicit,optional"`
-	ServerCertChain   [][]byte `asn1:"tag:7,explicit,optional"`
-	ServerAddr        string   `asn1:"utf8,tag:9,explicit,optional"`
-}
-
-type RDCleanPathProxy struct {
-	nbClient interface {
-		Dial(ctx context.Context, network, address string) (net.Conn, error)
-	}
-	activeConnections map[string]*proxyConnection
-	destinations      map[string]string
-	mu                sync.Mutex
-}
-
-type proxyConnection struct {
-	id          string
-	destination string
-	rdpConn     net.Conn
-	tlsConn     *tls.Conn
-	wsHandlers  js.Value
-	ctx         context.Context
-	cancel      context.CancelFunc
-}
-
-// NewRDCleanPathProxy creates a new RDCleanPath proxy
-func NewRDCleanPathProxy(client interface {
-	Dial(ctx context.Context, network, address string) (net.Conn, error)
-}) *RDCleanPathProxy {
-	return &RDCleanPathProxy{
-		nbClient:          client,
-		activeConnections: make(map[string]*proxyConnection),
-	}
-}
-
-// CreateProxy creates a new proxy endpoint for the given destination
-func (p *RDCleanPathProxy) CreateProxy(hostname, port string) js.Value {
-	destination := fmt.Sprintf("%s:%s", hostname, port)
-
-	return js.Global().Get("Promise").New(js.FuncOf(func(_ js.Value, args []js.Value) any {
-		resolve := args[0]
-
-		go func() {
-			proxyID := fmt.Sprintf("proxy_%d", len(p.activeConnections))
-
-			p.mu.Lock()
-			if p.destinations == nil {
-				p.destinations = make(map[string]string)
-			}
-			p.destinations[proxyID] = destination
-			p.mu.Unlock()
-
-			proxyURL := fmt.Sprintf("%s://%s/%s", RDCleanPathProxyScheme, RDCleanPathProxyHost, proxyID)
-
-			// Register the WebSocket handler for this specific proxy
-			js.Global().Set(fmt.Sprintf("handleRDCleanPathWebSocket_%s", proxyID), js.FuncOf(func(_ js.Value, args []js.Value) any {
-				if len(args) < 1 {
-					return js.ValueOf("error: requires WebSocket argument")
-				}
-
-				ws := args[0]
-				p.HandleWebSocketConnection(ws, proxyID)
-				return nil
-			}))
-
-			log.Infof("Created RDCleanPath proxy endpoint: %s for destination: %s", proxyURL, destination)
-			resolve.Invoke(proxyURL)
-		}()
-
-		return nil
-	}))
-}
-
-// HandleWebSocketConnection handles incoming WebSocket connections from IronRDP
-func (p *RDCleanPathProxy) HandleWebSocketConnection(ws js.Value, proxyID string) {
-	p.mu.Lock()
-	destination := p.destinations[proxyID]
-	p.mu.Unlock()
-
-	if destination == "" {
-		log.Errorf("No destination found for proxy ID: %s", proxyID)
-		return
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	// Don't defer cancel here - it will be called by cleanupConnection
-
-	conn := &proxyConnection{
-		id:          proxyID,
-		destination: destination,
-		wsHandlers:  ws,
-		ctx:         ctx,
-		cancel:      cancel,
-	}
-
-	p.mu.Lock()
-	p.activeConnections[proxyID] = conn
-	p.mu.Unlock()
-
-	p.setupWebSocketHandlers(ws, conn)
-
-	log.Infof("RDCleanPath proxy WebSocket connection established for %s", proxyID)
-}
-
-func (p *RDCleanPathProxy) setupWebSocketHandlers(ws js.Value, conn *proxyConnection) {
-	ws.Set("onGoMessage", js.FuncOf(func(this js.Value, args []js.Value) any {
-		if len(args) < 1 {
-			return nil
-		}
-
-		data := args[0]
-		go p.handleWebSocketMessage(conn, data)
-		return nil
-	}))
-
-	ws.Set("onGoClose", js.FuncOf(func(_ js.Value, args []js.Value) any {
-		log.Debug("WebSocket closed by JavaScript")
-		conn.cancel()
-		return nil
-	}))
-}
-
-func (p *RDCleanPathProxy) handleWebSocketMessage(conn *proxyConnection, data js.Value) {
-	if !data.InstanceOf(js.Global().Get("Uint8Array")) {
-		return
-	}
-
-	length := data.Get("length").Int()
-	bytes := make([]byte, length)
-	js.CopyBytesToGo(bytes, data)
-
-	if conn.rdpConn != nil || conn.tlsConn != nil {
-		p.forwardToRDP(conn, bytes)
-		return
-	}
-
-	var pdu RDCleanPathPDU
-	_, err := asn1.Unmarshal(bytes, &pdu)
-	if err != nil {
-		log.Warnf("Failed to parse RDCleanPath PDU: %v", err)
-		n := len(bytes)
-		if n > 20 {
-			n = 20
-		}
-		log.Warnf("First %d bytes: %x", n, bytes[:n])
-
-		if len(bytes) > 0 && bytes[0] == 0x03 {
-			log.Debug("Received raw RDP packet instead of RDCleanPath PDU")
-			go p.handleDirectRDP(conn, bytes)
-			return
-		}
-		return
-	}
-
-	go p.processRDCleanPathPDU(conn, pdu)
-}
-
-func (p *RDCleanPathProxy) forwardToRDP(conn *proxyConnection, bytes []byte) {
-	var writer io.Writer
-	var connType string
-
-	if conn.tlsConn != nil {
-		writer = conn.tlsConn
-		connType = "TLS"
-	} else if conn.rdpConn != nil {
-		writer = conn.rdpConn
-		connType = "TCP"
-	} else {
-		log.Error("No RDP connection available")
-		return
-	}
-
-	if _, err := writer.Write(bytes); err != nil {
-		log.Errorf("Failed to write to %s: %v", connType, err)
-	}
-}
-
-func (p *RDCleanPathProxy) handleDirectRDP(conn *proxyConnection, firstPacket []byte) {
-	defer p.cleanupConnection(conn)
-
-	destination := conn.destination
-	log.Infof("Direct RDP mode: Connecting to %s via NetBird", destination)
-
-	rdpConn, err := p.nbClient.Dial(conn.ctx, "tcp", destination)
-	if err != nil {
-		log.Errorf("Failed to connect to %s: %v", destination, err)
-		return
-	}
-	conn.rdpConn = rdpConn
-
-	_, err = rdpConn.Write(firstPacket)
-	if err != nil {
-		log.Errorf("Failed to write first packet: %v", err)
-		return
-	}
-
-	response := make([]byte, 1024)
-	n, err := rdpConn.Read(response)
-	if err != nil {
-		log.Errorf("Failed to read X.224 response: %v", err)
-		return
-	}
-
-	p.sendToWebSocket(conn, response[:n])
-
-	go p.forwardWSToConn(conn, conn.rdpConn, "TCP")
-	go p.forwardConnToWS(conn, conn.rdpConn, "TCP")
-}
-
-func (p *RDCleanPathProxy) cleanupConnection(conn *proxyConnection) {
-	log.Debugf("Cleaning up connection %s", conn.id)
-	conn.cancel()
-	if conn.tlsConn != nil {
-		log.Debug("Closing TLS connection")
-		if err := conn.tlsConn.Close(); err != nil {
-			log.Debugf("Error closing TLS connection: %v", err)
-		}
-		conn.tlsConn = nil
-	}
-	if conn.rdpConn != nil {
-		log.Debug("Closing TCP connection")
-		if err := conn.rdpConn.Close(); err != nil {
-			log.Debugf("Error closing TCP connection: %v", err)
-		}
-		conn.rdpConn = nil
-	}
-	p.mu.Lock()
-	delete(p.activeConnections, conn.id)
-	p.mu.Unlock()
-}
-
-func (p *RDCleanPathProxy) sendToWebSocket(conn *proxyConnection, data []byte) {
-	if conn.wsHandlers.Get("receiveFromGo").Truthy() {
-		uint8Array := js.Global().Get("Uint8Array").New(len(data))
-		js.CopyBytesToJS(uint8Array, data)
-		conn.wsHandlers.Call("receiveFromGo", uint8Array.Get("buffer"))
-	} else if conn.wsHandlers.Get("send").Truthy() {
-		uint8Array := js.Global().Get("Uint8Array").New(len(data))
-		js.CopyBytesToJS(uint8Array, data)
-		conn.wsHandlers.Call("send", uint8Array.Get("buffer"))
-	}
-}

client/wasm/internal/rdp/rdcleanpath_handlers.go

@@ -1,251 +0,0 @@
-//go:build js
-
-package rdp
-
-import (
-	"crypto/tls"
-	"encoding/asn1"
-	"io"
-	"syscall/js"
-
-	log "github.com/sirupsen/logrus"
-)
-
-func (p *RDCleanPathProxy) processRDCleanPathPDU(conn *proxyConnection, pdu RDCleanPathPDU) {
-	log.Infof("Processing RDCleanPath PDU: Version=%d, Destination=%s", pdu.Version, pdu.Destination)
-
-	if pdu.Version != RDCleanPathVersion {
-		p.sendRDCleanPathError(conn, "Unsupported version")
-		return
-	}
-
-	destination := conn.destination
-	if pdu.Destination != "" {
-		destination = pdu.Destination
-	}
-
-	rdpConn, err := p.nbClient.Dial(conn.ctx, "tcp", destination)
-	if err != nil {
-		log.Errorf("Failed to connect to %s: %v", destination, err)
-		p.sendRDCleanPathError(conn, "Connection failed")
-		p.cleanupConnection(conn)
-		return
-	}
-	conn.rdpConn = rdpConn
-
-	// RDP always starts with X.224 negotiation, then determines if TLS is needed
-	// Modern RDP (since Windows Vista/2008) typically requires TLS
-	// The X.224 Connection Confirm response will indicate if TLS is required
-	// For now, we'll attempt TLS for all connections as it's the modern default
-	p.setupTLSConnection(conn, pdu)
-}
-
-func (p *RDCleanPathProxy) setupTLSConnection(conn *proxyConnection, pdu RDCleanPathPDU) {
-	var x224Response []byte
-	if len(pdu.X224ConnectionPDU) > 0 {
-		log.Debugf("Forwarding X.224 Connection Request (%d bytes)", len(pdu.X224ConnectionPDU))
-		_, err := conn.rdpConn.Write(pdu.X224ConnectionPDU)
-		if err != nil {
-			log.Errorf("Failed to write X.224 PDU: %v", err)
-			p.sendRDCleanPathError(conn, "Failed to forward X.224")
-			return
-		}
-
-		response := make([]byte, 1024)
-		n, err := conn.rdpConn.Read(response)
-		if err != nil {
-			log.Errorf("Failed to read X.224 response: %v", err)
-			p.sendRDCleanPathError(conn, "Failed to read X.224 response")
-			return
-		}
-		x224Response = response[:n]
-		log.Debugf("Received X.224 Connection Confirm (%d bytes)", n)
-	}
-
-	tlsConfig := p.getTLSConfigWithValidation(conn)
-
-	tlsConn := tls.Client(conn.rdpConn, tlsConfig)
-	conn.tlsConn = tlsConn
-
-	if err := tlsConn.Handshake(); err != nil {
-		log.Errorf("TLS handshake failed: %v", err)
-		p.sendRDCleanPathError(conn, "TLS handshake failed")
-		return
-	}
-
-	log.Info("TLS handshake successful")
-
-	// Certificate validation happens during handshake via VerifyConnection callback
-	var certChain [][]byte
-	connState := tlsConn.ConnectionState()
-	if len(connState.PeerCertificates) > 0 {
-		for _, cert := range connState.PeerCertificates {
-			certChain = append(certChain, cert.Raw)
-		}
-		log.Debugf("Extracted %d certificates from TLS connection", len(certChain))
-	}
-
-	responsePDU := RDCleanPathPDU{
-		Version:         RDCleanPathVersion,
-		ServerAddr:      conn.destination,
-		ServerCertChain: certChain,
-	}
-
-	if len(x224Response) > 0 {
-		responsePDU.X224ConnectionPDU = x224Response
-	}
-
-	p.sendRDCleanPathPDU(conn, responsePDU)
-
-	log.Debug("Starting TLS forwarding")
-	go p.forwardConnToWS(conn, conn.tlsConn, "TLS")
-	go p.forwardWSToConn(conn, conn.tlsConn, "TLS")
-
-	<-conn.ctx.Done()
-	log.Debug("TLS connection context done, cleaning up")
-	p.cleanupConnection(conn)
-}
-
-func (p *RDCleanPathProxy) setupPlainConnection(conn *proxyConnection, pdu RDCleanPathPDU) {
-	if len(pdu.X224ConnectionPDU) > 0 {
-		log.Debugf("Forwarding X.224 Connection Request (%d bytes)", len(pdu.X224ConnectionPDU))
-		_, err := conn.rdpConn.Write(pdu.X224ConnectionPDU)
-		if err != nil {
-			log.Errorf("Failed to write X.224 PDU: %v", err)
-			p.sendRDCleanPathError(conn, "Failed to forward X.224")
-			return
-		}
-
-		response := make([]byte, 1024)
-		n, err := conn.rdpConn.Read(response)
-		if err != nil {
-			log.Errorf("Failed to read X.224 response: %v", err)
-			p.sendRDCleanPathError(conn, "Failed to read X.224 response")
-			return
-		}
-
-		responsePDU := RDCleanPathPDU{
-			Version:           RDCleanPathVersion,
-			X224ConnectionPDU: response[:n],
-			ServerAddr:        conn.destination,
-		}
-
-		p.sendRDCleanPathPDU(conn, responsePDU)
-	} else {
-		responsePDU := RDCleanPathPDU{
-			Version:    RDCleanPathVersion,
-			ServerAddr: conn.destination,
-		}
-		p.sendRDCleanPathPDU(conn, responsePDU)
-	}
-
-	go p.forwardConnToWS(conn, conn.rdpConn, "TCP")
-	go p.forwardWSToConn(conn, conn.rdpConn, "TCP")
-
-	<-conn.ctx.Done()
-	log.Debug("TCP connection context done, cleaning up")
-	p.cleanupConnection(conn)
-}
-
-func (p *RDCleanPathProxy) sendRDCleanPathPDU(conn *proxyConnection, pdu RDCleanPathPDU) {
-	data, err := asn1.Marshal(pdu)
-	if err != nil {
-		log.Errorf("Failed to marshal RDCleanPath PDU: %v", err)
-		return
-	}
-
-	log.Debugf("Sending RDCleanPath PDU response (%d bytes)", len(data))
-	p.sendToWebSocket(conn, data)
-}
-
-func (p *RDCleanPathProxy) sendRDCleanPathError(conn *proxyConnection, errorMsg string) {
-	pdu := RDCleanPathPDU{
-		Version: RDCleanPathVersion,
-		Error:   []byte(errorMsg),
-	}
-
-	data, err := asn1.Marshal(pdu)
-	if err != nil {
-		log.Errorf("Failed to marshal error PDU: %v", err)
-		return
-	}
-
-	p.sendToWebSocket(conn, data)
-}
-
-func (p *RDCleanPathProxy) readWebSocketMessage(conn *proxyConnection) ([]byte, error) {
-	msgChan := make(chan []byte)
-	errChan := make(chan error)
-
-	handler := js.FuncOf(func(this js.Value, args []js.Value) interface{} {
-		if len(args) < 1 {
-			errChan <- io.EOF
-			return nil
-		}
-
-		data := args[0]
-		if data.InstanceOf(js.Global().Get("Uint8Array")) {
-			length := data.Get("length").Int()
-			bytes := make([]byte, length)
-			js.CopyBytesToGo(bytes, data)
-			msgChan <- bytes
-		}
-		return nil
-	})
-	defer handler.Release()
-
-	conn.wsHandlers.Set("onceGoMessage", handler)
-
-	select {
-	case msg := <-msgChan:
-		return msg, nil
-	case err := <-errChan:
-		return nil, err
-	case <-conn.ctx.Done():
-		return nil, conn.ctx.Err()
-	}
-}
-
-func (p *RDCleanPathProxy) forwardWSToConn(conn *proxyConnection, dst io.Writer, connType string) {
-	for {
-		if conn.ctx.Err() != nil {
-			return
-		}
-
-		msg, err := p.readWebSocketMessage(conn)
-		if err != nil {
-			if err != io.EOF {
-				log.Errorf("Failed to read from WebSocket: %v", err)
-			}
-			return
-		}
-
-		_, err = dst.Write(msg)
-		if err != nil {
-			log.Errorf("Failed to write to %s: %v", connType, err)
-			return
-		}
-	}
-}
-
-func (p *RDCleanPathProxy) forwardConnToWS(conn *proxyConnection, src io.Reader, connType string) {
-	buffer := make([]byte, 32*1024)
-
-	for {
-		if conn.ctx.Err() != nil {
-			return
-		}
-
-		n, err := src.Read(buffer)
-		if err != nil {
-			if err != io.EOF {
-				log.Errorf("Failed to read from %s: %v", connType, err)
-			}
-			return
-		}
-
-		if n > 0 {
-			p.sendToWebSocket(conn, buffer[:n])
-		}
-	}
-}

client/wasm/internal/ssh/client.go

@@ -1,213 +0,0 @@
-//go:build js
-
-package ssh
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"sync"
-	"time"
-
-	"github.com/sirupsen/logrus"
-	"golang.org/x/crypto/ssh"
-
-	netbird "github.com/netbirdio/netbird/client/embed"
-)
-
-const (
-	sshDialTimeout = 30 * time.Second
-)
-
-func closeWithLog(c io.Closer, resource string) {
-	if c != nil {
-		if err := c.Close(); err != nil {
-			logrus.Debugf("Failed to close %s: %v", resource, err)
-		}
-	}
-}
-
-type Client struct {
-	nbClient  *netbird.Client
-	sshClient *ssh.Client
-	session   *ssh.Session
-	stdin     io.WriteCloser
-	stdout    io.Reader
-	stderr    io.Reader
-	mu        sync.RWMutex
-}
-
-// NewClient creates a new SSH client
-func NewClient(nbClient *netbird.Client) *Client {
-	return &Client{
-		nbClient: nbClient,
-	}
-}
-
-// Connect establishes an SSH connection through NetBird network
-func (c *Client) Connect(host string, port int, username string) error {
-	addr := fmt.Sprintf("%s:%d", host, port)
-	logrus.Infof("SSH: Connecting to %s as %s", addr, username)
-
-	var authMethods []ssh.AuthMethod
-
-	nbConfig, err := c.nbClient.GetConfig()
-	if err != nil {
-		return fmt.Errorf("get NetBird config: %w", err)
-	}
-	if nbConfig.SSHKey == "" {
-		return fmt.Errorf("no NetBird SSH key available - key should be generated during client initialization")
-	}
-
-	signer, err := parseSSHPrivateKey([]byte(nbConfig.SSHKey))
-	if err != nil {
-		return fmt.Errorf("parse NetBird SSH private key: %w", err)
-	}
-
-	pubKey := signer.PublicKey()
-	logrus.Infof("SSH: Using NetBird key authentication with public key type: %s", pubKey.Type())
-
-	authMethods = append(authMethods, ssh.PublicKeys(signer))
-
-	config := &ssh.ClientConfig{
-		User:            username,
-		Auth:            authMethods,
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-		Timeout:         sshDialTimeout,
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), sshDialTimeout)
-	defer cancel()
-
-	conn, err := c.nbClient.Dial(ctx, "tcp", addr)
-	if err != nil {
-		return fmt.Errorf("dial %s: %w", addr, err)
-	}
-
-	sshConn, chans, reqs, err := ssh.NewClientConn(conn, addr, config)
-	if err != nil {
-		closeWithLog(conn, "connection after handshake error")
-		return fmt.Errorf("SSH handshake: %w", err)
-	}
-
-	c.sshClient = ssh.NewClient(sshConn, chans, reqs)
-	logrus.Infof("SSH: Connected to %s", addr)
-
-	return nil
-}
-
-// StartSession starts an SSH session with PTY
-func (c *Client) StartSession(cols, rows int) error {
-	if c.sshClient == nil {
-		return fmt.Errorf("SSH client not connected")
-	}
-
-	session, err := c.sshClient.NewSession()
-	if err != nil {
-		return fmt.Errorf("create session: %w", err)
-	}
-
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	c.session = session
-
-	modes := ssh.TerminalModes{
-		ssh.ECHO:          1,
-		ssh.TTY_OP_ISPEED: 14400,
-		ssh.TTY_OP_OSPEED: 14400,
-		ssh.VINTR:         3,
-		ssh.VQUIT:         28,
-		ssh.VERASE:        127,
-	}
-
-	if err := session.RequestPty("xterm-256color", rows, cols, modes); err != nil {
-		closeWithLog(session, "session after PTY error")
-		return fmt.Errorf("PTY request: %w", err)
-	}
-
-	c.stdin, err = session.StdinPipe()
-	if err != nil {
-		closeWithLog(session, "session after stdin error")
-		return fmt.Errorf("get stdin: %w", err)
-	}
-
-	c.stdout, err = session.StdoutPipe()
-	if err != nil {
-		closeWithLog(session, "session after stdout error")
-		return fmt.Errorf("get stdout: %w", err)
-	}
-
-	c.stderr, err = session.StderrPipe()
-	if err != nil {
-		closeWithLog(session, "session after stderr error")
-		return fmt.Errorf("get stderr: %w", err)
-	}
-
-	if err := session.Shell(); err != nil {
-		closeWithLog(session, "session after shell error")
-		return fmt.Errorf("start shell: %w", err)
-	}
-
-	logrus.Info("SSH: Session started with PTY")
-	return nil
-}
-
-// Write sends data to the SSH session
-func (c *Client) Write(data []byte) (int, error) {
-	c.mu.RLock()
-	stdin := c.stdin
-	c.mu.RUnlock()
-
-	if stdin == nil {
-		return 0, fmt.Errorf("SSH session not started")
-	}
-	return stdin.Write(data)
-}
-
-// Read reads data from the SSH session
-func (c *Client) Read(buffer []byte) (int, error) {
-	c.mu.RLock()
-	stdout := c.stdout
-	c.mu.RUnlock()
-
-	if stdout == nil {
-		return 0, fmt.Errorf("SSH session not started")
-	}
-	return stdout.Read(buffer)
-}
-
-// Resize updates the terminal size
-func (c *Client) Resize(cols, rows int) error {
-	c.mu.RLock()
-	session := c.session
-	c.mu.RUnlock()
-
-	if session == nil {
-		return fmt.Errorf("SSH session not started")
-	}
-	return session.WindowChange(rows, cols)
-}
-
-// Close closes the SSH connection
-func (c *Client) Close() error {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-
-	if c.session != nil {
-		closeWithLog(c.session, "SSH session")
-		c.session = nil
-	}
-	if c.stdin != nil {
-		closeWithLog(c.stdin, "stdin")
-		c.stdin = nil
-	}
-	c.stdout = nil
-	c.stderr = nil
-
-	if c.sshClient != nil {
-		err := c.sshClient.Close()
-		c.sshClient = nil
-		return err
-	}
-	return nil
-}

client/wasm/internal/ssh/handlers.go

@@ -1,78 +0,0 @@
-//go:build js
-
-package ssh
-
-import (
-	"io"
-	"syscall/js"
-
-	"github.com/sirupsen/logrus"
-)
-
-// CreateJSInterface creates a JavaScript interface for the SSH client
-func CreateJSInterface(client *Client) js.Value {
-	jsInterface := js.Global().Get("Object").Call("create", js.Null())
-
-	jsInterface.Set("write", js.FuncOf(func(this js.Value, args []js.Value) any {
-		if len(args) < 1 {
-			return js.ValueOf(false)
-		}
-
-		data := args[0]
-		var bytes []byte
-
-		if data.Type() == js.TypeString {
-			bytes = []byte(data.String())
-		} else {
-			uint8Array := js.Global().Get("Uint8Array").New(data)
-			length := uint8Array.Get("length").Int()
-			bytes = make([]byte, length)
-			js.CopyBytesToGo(bytes, uint8Array)
-		}
-
-		_, err := client.Write(bytes)
-		return js.ValueOf(err == nil)
-	}))
-
-	jsInterface.Set("resize", js.FuncOf(func(this js.Value, args []js.Value) any {
-		if len(args) < 2 {
-			return js.ValueOf(false)
-		}
-		cols := args[0].Int()
-		rows := args[1].Int()
-		err := client.Resize(cols, rows)
-		return js.ValueOf(err == nil)
-	}))
-
-	jsInterface.Set("close", js.FuncOf(func(this js.Value, args []js.Value) any {
-		client.Close()
-		return js.Undefined()
-	}))
-
-	go readLoop(client, jsInterface)
-
-	return jsInterface
-}
-
-func readLoop(client *Client, jsInterface js.Value) {
-	buffer := make([]byte, 4096)
-	for {
-		n, err := client.Read(buffer)
-		if err != nil {
-			if err != io.EOF {
-				logrus.Debugf("SSH read error: %v", err)
-			}
-			if onclose := jsInterface.Get("onclose"); !onclose.IsUndefined() {
-				onclose.Invoke()
-			}
-			client.Close()
-			return
-		}
-
-		if ondata := jsInterface.Get("ondata"); !ondata.IsUndefined() {
-			uint8Array := js.Global().Get("Uint8Array").New(n)
-			js.CopyBytesToJS(uint8Array, buffer[:n])
-			ondata.Invoke(uint8Array)
-		}
-	}
-}

client/wasm/internal/ssh/key.go

@@ -1,50 +0,0 @@
-//go:build js
-
-package ssh
-
-import (
-	"crypto/x509"
-	"encoding/pem"
-	"fmt"
-	"strings"
-
-	"github.com/sirupsen/logrus"
-	"golang.org/x/crypto/ssh"
-)
-
-// parseSSHPrivateKey parses a private key in either SSH or PKCS8 format
-func parseSSHPrivateKey(keyPEM []byte) (ssh.Signer, error) {
-	keyStr := string(keyPEM)
-	if !strings.Contains(keyStr, "-----BEGIN") {
-		keyPEM = []byte("-----BEGIN PRIVATE KEY-----\n" + keyStr + "\n-----END PRIVATE KEY-----")
-	}
-
-	signer, err := ssh.ParsePrivateKey(keyPEM)
-	if err == nil {
-		return signer, nil
-	}
-	logrus.Debugf("SSH: Failed to parse as SSH format: %v", err)
-
-	block, _ := pem.Decode(keyPEM)
-	if block == nil {
-		keyPreview := string(keyPEM)
-		if len(keyPreview) > 100 {
-			keyPreview = keyPreview[:100]
-		}
-		return nil, fmt.Errorf("decode PEM block from key: %s", keyPreview)
-	}
-
-	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
-	if err != nil {
-		logrus.Debugf("SSH: Failed to parse as PKCS8: %v", err)
-		if rsaKey, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
-			return ssh.NewSignerFromKey(rsaKey)
-		}
-		if ecKey, err := x509.ParseECPrivateKey(block.Bytes); err == nil {
-			return ssh.NewSignerFromKey(ecKey)
-		}
-		return nil, fmt.Errorf("parse private key: %w", err)
-	}
-
-	return ssh.NewSignerFromKey(key)
-}

encryption/route53.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package encryption
 
 import (

flow/client/client.go

@@ -23,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/flow/proto"
 	"github.com/netbirdio/netbird/util/embeddedroots"
 	nbgrpc "github.com/netbirdio/netbird/util/grpc"
-	"github.com/netbirdio/netbird/util/wsproxy"
 )
 
 type GRPCClient struct {
@@ -39,8 +38,7 @@ func NewClient(addr, payload, signature string, interval time.Duration) (*GRPCCl
 		return nil, fmt.Errorf("parsing url: %w", err)
 	}
 	var opts []grpc.DialOption
-	tlsEnabled := parsedURL.Scheme == "https"
-	if tlsEnabled {
+	if parsedURL.Scheme == "https" {
 		certPool, err := x509.SystemCertPool()
 		if err != nil || certPool == nil {
 			log.Debugf("System cert pool not available; falling back to embedded cert, error: %v", err)
@@ -55,7 +53,7 @@ func NewClient(addr, payload, signature string, interval time.Duration) (*GRPCCl
 	}
 
 	opts = append(opts,
-		nbgrpc.WithCustomDialer(tlsEnabled, wsproxy.FlowComponent),
+		nbgrpc.WithCustomDialer(),
 		grpc.WithIdleTimeout(interval*2),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    30 * time.Second,

go.mod

@@ -6,24 +6,26 @@ require (
 	cunicu.li/go-rosenpass v0.4.0
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/golang/protobuf v1.5.4
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.0
 	github.com/kardianos/service v1.2.3-0.20240613133416-becf2eb62b83
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.27.6
+	github.com/pion/ice/v3 v3.0.2
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
 	github.com/spf13/pflag v1.0.5
 	github.com/vishvananda/netlink v1.3.0
-	golang.org/x/crypto v0.40.0
-	golang.org/x/sys v0.34.0
+	golang.org/x/crypto v0.37.0
+	golang.org/x/sys v0.32.0
 	golang.zx2c4.com/wireguard v0.0.0-20230704135630-469159ecf7d1
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20230429144221-925a1e7659e6
 	golang.zx2c4.com/wireguard/windows v0.5.3
-	google.golang.org/grpc v1.73.0
-	google.golang.org/protobuf v1.36.8
+	google.golang.org/grpc v1.64.1
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
@@ -37,7 +39,7 @@ require (
 	github.com/c-robinson/iplib v1.0.3
 	github.com/caddyserver/certmagic v0.21.3
 	github.com/cilium/ebpf v0.15.0
-	github.com/coder/websocket v1.8.13
+	github.com/coder/websocket v1.8.12
 	github.com/coreos/go-iptables v0.7.0
 	github.com/creack/pty v1.1.18
 	github.com/eko/gocache/lib/v4 v4.2.0
@@ -46,7 +48,6 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/godbus/dbus/v5 v5.1.0
-	github.com/golang-jwt/jwt/v5 v5.3.0
 	github.com/golang/mock v1.6.0
 	github.com/google/go-cmp v0.7.0
 	github.com/google/gopacket v1.1.19
@@ -62,18 +63,17 @@ require (
 	github.com/miekg/dns v1.1.59
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20250906095204-f87a07690ba0
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e
 	github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45
+	github.com/oapi-codegen/runtime v1.1.2
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/oschwald/maxminddb-golang v1.12.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203
-	github.com/pion/ice/v4 v4.0.0-00010101000000-000000000000
-	github.com/pion/logging v0.2.4
+	github.com/pion/logging v0.2.2
 	github.com/pion/randutil v0.1.0
 	github.com/pion/stun/v2 v2.0.0
-	github.com/pion/stun/v3 v3.0.0
-	github.com/pion/transport/v3 v3.0.7
+	github.com/pion/transport/v3 v3.0.1
 	github.com/pion/turn/v3 v3.0.1
 	github.com/prometheus/client_golang v1.22.0
 	github.com/quic-go/quic-go v0.48.2
@@ -94,19 +94,18 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4
 	github.com/zcalusic/sysinfo v1.1.3
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0
-	go.opentelemetry.io/otel v1.35.0
+	go.opentelemetry.io/otel v1.26.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.48.0
-	go.opentelemetry.io/otel/metric v1.35.0
-	go.opentelemetry.io/otel/sdk/metric v1.35.0
+	go.opentelemetry.io/otel/metric v1.26.0
+	go.opentelemetry.io/otel/sdk/metric v1.26.0
 	go.uber.org/zap v1.27.0
 	goauthentik.io/api/v3 v3.2023051.3
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/mobile v0.0.0-20231127183840-76ac6878050a
-	golang.org/x/mod v0.25.0
-	golang.org/x/net v0.42.0
-	golang.org/x/oauth2 v0.28.0
-	golang.org/x/sync v0.16.0
-	golang.org/x/term v0.33.0
+	golang.org/x/net v0.39.0
+	golang.org/x/oauth2 v0.27.0
+	golang.org/x/sync v0.13.0
+	golang.org/x/term v0.31.0
 	google.golang.org/api v0.177.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.5.7
@@ -119,7 +118,7 @@ require (
 require (
 	cloud.google.com/go/auth v0.3.0 // indirect
 	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	dario.cat/mergo v1.0.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
@@ -127,6 +126,7 @@ require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/Microsoft/hcsshim v0.12.3 // indirect
 	github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect
+	github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.10 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
@@ -214,16 +214,15 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pion/dtls/v2 v2.2.10 // indirect
-	github.com/pion/dtls/v3 v3.0.7 // indirect
-	github.com/pion/mdns/v2 v2.0.7 // indirect
+	github.com/pion/mdns v0.0.12 // indirect
 	github.com/pion/transport/v2 v2.2.4 // indirect
-	github.com/pion/turn/v4 v4.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
+	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/rymdport/portal v0.3.0 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c // indirect
@@ -233,22 +232,22 @@ require (
 	github.com/tklauser/numcpus v0.8.0 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
-	github.com/wlynxg/anet v0.0.3 // indirect
 	github.com/yuin/goldmark v1.7.1 // indirect
 	github.com/zeebo/blake3 v0.2.3 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
-	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.26.0 // indirect
+	go.opentelemetry.io/otel/trace v1.26.0 // indirect
 	go.uber.org/mock v0.4.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/image v0.18.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 )
@@ -261,6 +260,6 @@ replace golang.zx2c4.com/wireguard => github.com/netbirdio/wireguard-go v0.0.0-2
 
 replace github.com/cloudflare/circl => github.com/cunicu/circl v0.0.0-20230801113412-fec58fc7b5f6
 
-replace github.com/pion/ice/v4 => github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51
+replace github.com/pion/ice/v3 => github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e
 
-replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944
+replace github.com/libp2p/go-netroute => github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944

go.sum

@@ -29,8 +29,8 @@ cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUM
 cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
 cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
 cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
-cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
 cloud.google.com/go/firestore v1.1.0/go.mod h1:ulACoGHTpvq5r8rxGJ4ddJZBZqakUQqClKRT5SZwBmk=
@@ -66,11 +66,14 @@ github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERo
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/Microsoft/hcsshim v0.12.3 h1:LS9NXqXhMoqNCplK1ApmVSfB4UnVLRDWRapB6EIlxE0=
 github.com/Microsoft/hcsshim v0.12.3/go.mod h1:Iyl1WVpZzr+UkzjekHZbV8o5Z9ZkxNGx6CtY2Qg/JVQ=
+github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible h1:hqcTK6ZISdip65SR792lwYJTa/axESA0889D3UlZbLo=
 github.com/TheJumpCloud/jcapi-go v3.0.0+incompatible/go.mod h1:6B1nuc1MUs6c62ODZDl7hVE5Pv7O2XGSkgg2olnq34I=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ=
+github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk=
 github.com/armon/circbuf v0.0.0-20150827004946-bbbad097214e/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
@@ -116,6 +119,7 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
+github.com/bmatcuk/doublestar v1.1.1/go.mod h1:UD6OnuiIn0yFxxA2le/rnRU1G4RaI4UvFv1sNto9p6w=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -140,8 +144,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/coder/websocket v1.8.13 h1:f3QZdXy7uGVz+4uCJy2nTZyM0yTBj8yANEHhqlXZ9FE=
-github.com/coder/websocket v1.8.13/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
+github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
+github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
 github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
@@ -246,8 +250,8 @@ github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk=
 github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -416,6 +420,7 @@ github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/X
 github.com/jsummers/gobmp v0.0.0-20151104160322-e2ba15ffa76e h1:LvL4XsI70QxOGHed6yhQtAU34Kx3Qq2wwBzGFKY8zKk=
 github.com/jsummers/gobmp v0.0.0-20151104160322-e2ba15ffa76e/go.mod h1:kLgvv7o6UM+0QSf0QjAse3wReFDsb9qbZJdfexWlrQw=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/juju/gnuflag v0.0.0-20171113085948-2ce1bb71843d/go.mod h1:2PavIy+JPciBPrBUjwbNvtwB6RQlve+hkpll6QSNmOE=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
 github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -501,10 +506,10 @@ github.com/neelance/astrewrite v0.0.0-20160511093645-99348263ae86/go.mod h1:kHJE
 github.com/neelance/sourcemap v0.0.0-20200213170602-2833bce08e4c/go.mod h1:Qr6/a/Q4r9LP1IltGz7tA7iOK1WonHEYhu1HRBA7ZiM=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944 h1:TDtJKmM6Sf8uYFx/dMeqNOL90KUoRscdfpFZ3Im89uk=
 github.com/netbirdio/go-netroute v0.0.0-20240611143515-f59b0e1d3944/go.mod h1:sHA6TRxjQ6RLbnI+3R4DZo2Eseg/iKiPRfNmcuNySVQ=
-github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51 h1:Ov4qdafATOgGMB1wbSuh+0aAHcwz9hdvB6VZjh1mVMI=
-github.com/netbirdio/ice/v4 v4.0.0-20250908184934-6202be846b51/go.mod h1:ZSIbPdBn5hePO8CpF1PekH2SfpTxg1PDhEwtbqZS7R8=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250906095204-f87a07690ba0 h1:9BUqQHPVOGr0edk8EifUBUfTr2Ob0ypAPxtasUApBxQ=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20250906095204-f87a07690ba0/go.mod h1:v0nUbbHbuQnqR7yKIYnKzsLBCswLtp2JctmKYmGgVhc=
+github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e h1:PURA50S8u4mF6RrkYYCAvvPCixhqqEiEy3Ej6avh04c=
+github.com/netbirdio/ice/v3 v3.0.0-20240315174635-e72a50fcb64e/go.mod h1:YMLU7qbKfVjmEv7EoZPIVEI+kNYxWCdPK3VS0BU+U4Q=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e h1:S85laGfx1UP+nmRF9smP6/TY965kLWz41PbBK1TX8g0=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20250812185008-dfc66fa49a2e/go.mod h1:Jjve0+eUjOLKL3PJtAhjfM2iJ0SxWio5elHqlV1ymP8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502 h1:3tHlFmhTdX9axERMVN63dqyFqnvuD+EMJHzM7mNGON8=
 github.com/netbirdio/service v0.0.0-20240911161631-f62744f42502/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/signal-dispatcher/dispatcher v0.0.0-20250805121659-6b4ac470ca45 h1:ujgviVYmx243Ksy7NdSwrdGPSRNE3pb8kEDSpH0QuAQ=
@@ -516,6 +521,8 @@ github.com/nicksnyder/go-i18n/v2 v2.4.0/go.mod h1:nxYSZE9M0bf3Y70gPQjN9ha7XNHX7g
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE=
 github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU=
+github.com/oapi-codegen/runtime v1.1.2 h1:P2+CubHq8fO4Q6fV1tqDBZHCwpVpvPg7oKiYzQgXIyI=
+github.com/oapi-codegen/runtime v1.1.2/go.mod h1:SK9X900oXmPWilYR5/WKPzt3Kqxn/uS/+lbpREv+eCg=
 github.com/okta/okta-sdk-golang/v2 v2.18.0 h1:cfDasMb7CShbZvOrF6n+DnLevWwiHgedWMGJ8M8xKDc=
 github.com/okta/okta-sdk-golang/v2 v2.18.0/go.mod h1:dz30v3ctAiMb7jpsCngGfQUAEGm1/NsWT92uTbNDQIs=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
@@ -546,29 +553,21 @@ github.com/petermattis/goid v0.0.0-20250303134427-723919f7f203/go.mod h1:pxMtw7c
 github.com/pion/dtls/v2 v2.2.7/go.mod h1:8WiMkebSHFD0T+dIU+UeBaoV7kDhOW5oDCzZ7WZ/F9s=
 github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
 github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
-github.com/pion/dtls/v3 v3.0.7 h1:bItXtTYYhZwkPFk4t1n3Kkf5TDrfj6+4wG+CZR8uI9Q=
-github.com/pion/dtls/v3 v3.0.7/go.mod h1:uDlH5VPrgOQIw59irKYkMudSFprY9IEFCqz/eTz16f8=
+github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
-github.com/pion/logging v0.2.4 h1:tTew+7cmQ+Mc1pTBLKH2puKsOvhm32dROumOZ655zB8=
-github.com/pion/logging v0.2.4/go.mod h1:DffhXTKYdNZU+KtJ5pyQDjvOAh/GsNSyv1lbkFbe3so=
-github.com/pion/mdns/v2 v2.0.7 h1:c9kM8ewCgjslaAmicYMFQIde2H9/lrZpjBkN8VwoVtM=
-github.com/pion/mdns/v2 v2.0.7/go.mod h1:vAdSYNAT0Jy3Ru0zl2YiW3Rm/fJCwIeM0nToenfOJKA=
+github.com/pion/mdns v0.0.12 h1:CiMYlY+O0azojWDmxdNr7ADGrnZ+V6Ilfner+6mSVK8=
+github.com/pion/mdns v0.0.12/go.mod h1:VExJjv8to/6Wqm1FXK+Ii/Z9tsVk/F5sD/N70cnYFbk=
 github.com/pion/randutil v0.1.0 h1:CFG1UdESneORglEsnimhUjf33Rwjubwj6xfiOXBa3mA=
 github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TBZq+j8=
 github.com/pion/stun/v2 v2.0.0 h1:A5+wXKLAypxQri59+tmQKVs7+l6mMM+3d+eER9ifRU0=
 github.com/pion/stun/v2 v2.0.0/go.mod h1:22qRSh08fSEttYUmJZGlriq9+03jtVmXNODgLccj8GQ=
-github.com/pion/stun/v3 v3.0.0 h1:4h1gwhWLWuZWOJIJR9s2ferRO+W3zA/b6ijOI6mKzUw=
-github.com/pion/stun/v3 v3.0.0/go.mod h1:HvCN8txt8mwi4FBvS3EmDghW6aQJ24T+y+1TKjB5jyU=
 github.com/pion/transport/v2 v2.2.1/go.mod h1:cXXWavvCnFF6McHTft3DWS9iic2Mftcz1Aq29pGcU5g=
 github.com/pion/transport/v2 v2.2.4 h1:41JJK6DZQYSeVLxILA2+F4ZkKb4Xd/tFJZRFZQ9QAlo=
 github.com/pion/transport/v2 v2.2.4/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0=
+github.com/pion/transport/v3 v3.0.1 h1:gDTlPJwROfSfz6QfSi0ZmeCSkFcnWWiiR9ES0ouANiM=
 github.com/pion/transport/v3 v3.0.1/go.mod h1:UY7kiITrlMv7/IKgd5eTUcaahZx5oUN3l9SzK5f5xE0=
-github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0=
-github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo=
 github.com/pion/turn/v3 v3.0.1 h1:wLi7BTQr6/Q20R0vt/lHbjv6y4GChFtC33nkYbasoT8=
 github.com/pion/turn/v3 v3.0.1/go.mod h1:MrJDKgqryDyWy1/4NT9TWfXWGMC7UHT6pJIv1+gMeNE=
-github.com/pion/turn/v4 v4.1.1 h1:9UnY2HB99tpDyz3cVVZguSxcqkJ1DsTSZ+8TGruh4fc=
-github.com/pion/turn/v4 v4.1.1/go.mod h1:2123tHk1O++vmjI5VSD0awT50NywDAq5A2NNNU4Jjs8=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -596,8 +595,8 @@ github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0
 github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
-github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
@@ -635,6 +634,7 @@ github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
+github.com/spkg/bom v0.0.0-20160624110644-59b7046e48ad/go.mod h1:qLr4V1qq6nMqFKkMo8ZTx3f+BZEkzsRUY10Xsm2mwU0=
 github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c h1:km8GpoQut05eY3GiYWEedbTT0qnSxrCjsVbb7yKY1KE=
 github.com/srwiley/oksvg v0.0.0-20221011165216-be6e8873101c/go.mod h1:cNQ3dwVJtS5Hmnjxy6AgTPd0Inb3pW05ftPSX7NZO7Q=
 github.com/srwiley/rasterx v0.0.0-20220730225603-2ab79fcdd4ef h1:Ch6Q+AZUxDBCVqdkI8FSpFyZDtCVBc2VmejdNrm5rRQ=
@@ -689,8 +689,6 @@ github.com/vmihailenco/msgpack/v5 v5.4.1 h1:cQriyiUvjTwOHg8QZaPihLWeRAAVoCpE00IU
 github.com/vmihailenco/msgpack/v5 v5.4.1/go.mod h1:GaZTsDaehaPpQVyxrf5mtQlH+pc21PIudVV/E3rRQok=
 github.com/vmihailenco/tagparser/v2 v2.0.0 h1:y09buUbR+b5aycVFQs/g70pqKVZNBmxwAhO7/IwNM9g=
 github.com/vmihailenco/tagparser/v2 v2.0.0/go.mod h1:Wri+At7QHww0WTrCBeu4J6bNtoV6mEfg5OIWRZA9qds=
-github.com/wlynxg/anet v0.0.3 h1:PvR53psxFXstc12jelG6f1Lv4MWqE0tI76/hHGjh9rg=
-github.com/wlynxg/anet v0.0.3/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -722,28 +720,26 @@ go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
-go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0 h1:4Pp6oUg3+e/6M4C0A/3kJ2VYa++dsWVTtGgLVj5xtHg=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.49.0/go.mod h1:Mjt1i1INqiaoZOMGR1RIUJN+i3ChKoFRqzrRQhlkbs0=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
-go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
+go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0 h1:Mne5On7VWdx7omSrSSZvM4Kw7cS7NQkOOmLcgscI51U=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.19.0/go.mod h1:IPtUMKL4O3tH5y+iXVyAXqpAwMuzC1IrxVS81rummfE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0 h1:sBQe3VNGUjY9IKWQC6z2lNqa5iGbDSxhs60ABwK4y0s=
 go.opentelemetry.io/otel/exporters/prometheus v0.48.0/go.mod h1:DtrbMzoZWwQHyrQmCfLam5DZbnmorsGbOtTbYHycU5o=
-go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
-go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
-go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
-go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
-go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
-go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
-go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
-go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
+go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
+go.opentelemetry.io/otel/sdk v1.26.0 h1:Y7bumHf5tAiDlRYFmGqetNcLaVUZmh4iYfmGxtmz7F8=
+go.opentelemetry.io/otel/sdk v1.26.0/go.mod h1:0p8MXpqLeJ0pzcszQQN4F0S5FVjBLgypeGSngLsmirs=
+go.opentelemetry.io/otel/sdk/metric v1.26.0 h1:cWSks5tfriHPdWFnl+qpX3P681aAYqlZHcAyHw5aU9Y=
+go.opentelemetry.io/otel/sdk/metric v1.26.0/go.mod h1:ClMFFknnThJCksebJwz7KIyEDHO+nTB6gK8obLy8RyE=
+go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
+go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
 go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
 go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -771,8 +767,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -818,8 +814,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -865,8 +861,8 @@ golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -880,8 +876,8 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
-golang.org/x/oauth2 v0.28.0 h1:CrgCKl8PPAVtLnU3c+EDw6x11699EWlsDeWNWKdIOkc=
-golang.org/x/oauth2 v0.28.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -895,8 +891,8 @@ golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -964,8 +960,8 @@ golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
+golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -973,8 +969,8 @@ golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -988,8 +984,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1052,8 +1048,8 @@ golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.8-0.20211022200916-316ba0b74098/go.mod h1:LGqMHiF4EqQNHR1JncWGqT5BVaXmza+X+BDGol+dOxo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1136,11 +1132,10 @@ google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A=
 google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c/go.mod h1:UODoCrxHCcBojKKwX1terBiRUaqAsFqJiF615XL43r0=
-google.golang.org/genproto v0.0.0-20240123012728-ef4313101c80 h1:KAeGQVN3M9nD0/bQXnr/ClcEMJ968gUXJQ9pwfSynuQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 h1:hE3bRWtU6uceqlh4fhrSnUyjKHMKB9KrTLLG+bc0ddM=
-google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463/go.mod h1:U90ffi8eUL9MwPcrJylN5+Mk2v3vuPDptd5yyNUiRR8=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 h1:pFyd6EwwL2TqFf8emdthzeX+gZE1ElRq3iM8pui4KBY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434 h1:OpXbo8JnN8+jZGPrL4SSfaDjSCjupr8lXyBAbexEm/U=
+google.golang.org/genproto/googleapis/api v0.0.0-20240509183442-62759503f434/go.mod h1:FfiGhwUm6CJviekPrc0oJ+7h29e+DmWU6UtjX0ZvI7Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1161,8 +1156,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM=
-google.golang.org/grpc v1.73.0 h1:VIWSmpI2MegBtTuFt5/JWy2oXxtjJ/e89Z70ImfD2ok=
-google.golang.org/grpc v1.73.0/go.mod h1:50sbHOUqWoCQGI8V2HQLJM0B+LMlIUjNSZmow7EVBQc=
+google.golang.org/grpc v1.64.1 h1:LKtvyfbX3UGVPFcGqJ9ItpVWW6oN/2XqTxfAnwRRXiA=
+google.golang.org/grpc v1.64.1/go.mod h1:hiQF4LFZelK2WKaP6W0L92zGHtiQdZxk8CrSdvyjeP0=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1177,10 +1172,11 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
@@ -1229,4 +1225,4 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
-rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

infrastructure_files/docker-compose.yml.tmpl.traefik

@@ -45,9 +45,6 @@ services:
       - $SIGNAL_VOLUMENAME:/var/lib/netbird
     labels:
     - traefik.enable=true
-    - traefik.http.routers.netbird-wsproxy-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/ws-proxy/signal`)
-    - traefik.http.routers.netbird-wsproxy-signal.service=netbird-wsproxy-signal
-    - traefik.http.services.netbird-wsproxy-signal.loadbalancer.server.port=10000
     - traefik.http.routers.netbird-signal.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/signalexchange.SignalExchange/`)
     - traefik.http.services.netbird-signal.loadbalancer.server.port=10000
     - traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
@@ -90,9 +87,7 @@ services:
     - traefik.http.routers.netbird-api.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/api`)
     - traefik.http.routers.netbird-api.service=netbird-api
     - traefik.http.services.netbird-api.loadbalancer.server.port=33073
-    - traefik.http.routers.netbird-wsproxy-mgmt.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/ws-proxy/management`)
-    - traefik.http.routers.netbird-wsproxy-mgmt.service=netbird-wsproxy-mgmt
-    - traefik.http.services.netbird-wsproxy-mgmt.loadbalancer.server.port=33073
+
     - traefik.http.routers.netbird-management.rule=Host(`$NETBIRD_DOMAIN`) && PathPrefix(`/management.ManagementService/`)
     - traefik.http.routers.netbird-management.service=netbird-management
     - traefik.http.services.netbird-management.loadbalancer.server.port=33073

infrastructure_files/getting-started-with-zitadel.sh

@@ -579,11 +579,9 @@ renderCaddyfile() {
     # relay
     reverse_proxy /relay* relay:80
     # Signal
-    reverse_proxy /ws-proxy/signal* signal:10000
     reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
     # Management
     reverse_proxy /api/* management:80
-    reverse_proxy /ws-proxy/management* management:80
     reverse_proxy /management.ManagementService/* h2c://management:80
     # Zitadel
     reverse_proxy /zitadel.admin.v1.AdminService/* h2c://zitadel:8080

infrastructure_files/nginx.tmpl.conf

@@ -20,10 +20,6 @@ upstream management {
     # insert the grpc+http port of your signal container here
     server 127.0.0.1:8012;
 }
-upstream relay {
-    # insert the port of your relay container here
-    server 127.0.0.1:33080;
-}
 
 server {
     # HTTP server config
@@ -56,14 +52,6 @@ server {
     location / {
         proxy_pass http://dashboard;
     }
-    # Proxy Signal wsproxy endpoint
-    location /ws-proxy/signal {
-        proxy_pass http://signal;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $host;
-    }
     # Proxy Signal
     location /signalexchange.SignalExchange/ {
         grpc_pass grpc://signal;
@@ -76,14 +64,6 @@ server {
     location /api {
         proxy_pass http://management;
     }
-    # Proxy Management wsproxy endpoint
-    location /ws-proxy/management {
-        proxy_pass http://management;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $host;
-    }
     # Proxy Management grpc endpoint
     location /management.ManagementService/ {
         grpc_pass grpc://management;
@@ -92,14 +72,6 @@ server {
         grpc_send_timeout 1d;
         grpc_socket_keepalive on;
     }
-    # Proxy Relay
-    location /relay {
-        proxy_pass http://relay;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "Upgrade";
-        proxy_set_header Host $host;
-    }
 
     ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
     ssl_certificate_key /etc/ssl/certs/ssl-cert-snakeoil.pem;

management/internals/server/controllers.go

@@ -10,8 +10,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/auth"
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 )
 
 func (s *BaseServer) PeersUpdateManager() *server.PeersUpdateManager {
@@ -60,8 +58,8 @@ func (s *BaseServer) AuthManager() auth.Manager {
 	})
 }
 
-func (s *BaseServer) EphemeralManager() ephemeral.Manager {
-	return Create(s, func() ephemeral.Manager {
-		return manager.NewEphemeralManager(s.Store(), s.AccountManager())
+func (s *BaseServer) EphemeralManager() *server.EphemeralManager {
+	return Create(s, func() *server.EphemeralManager {
+		return server.NewEphemeralManager(s.Store(), s.AccountManager())
 	})
 }

management/internals/server/modules.go

@@ -65,10 +65,6 @@ func (s *BaseServer) AccountManager() account.Manager {
 		if err != nil {
 			log.Fatalf("failed to create account manager: %v", err)
 		}
-
-		s.AfterInit(func(s *BaseServer) {
-			accountManager.SetEphemeralManager(s.EphemeralManager())
-		})
 		return accountManager
 	})
 }

management/internals/server/server.go

@@ -6,14 +6,12 @@ import (
 	"fmt"
 	"net"
 	"net/http"
-	"net/netip"
 	"strings"
 	"sync"
 	"time"
 
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"go.opentelemetry.io/otel/metric"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/net/http2"
 	"golang.org/x/net/http2/h2c"
@@ -24,8 +22,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/metrics"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/wsproxy"
-	wsproxyserver "github.com/netbirdio/netbird/util/wsproxy/server"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -96,6 +92,12 @@ func (s *BaseServer) Start(ctx context.Context) error {
 	s.PeersManager()
 	s.GeoLocationManager()
 
+	for _, fn := range s.afterInit {
+		if fn != nil {
+			fn(s)
+		}
+	}
+
 	err := s.Metrics().Expose(srvCtx, s.mgmtMetricsPort, "/metrics")
 	if err != nil {
 		return fmt.Errorf("failed to expose metrics: %v", err)
@@ -145,7 +147,7 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		log.WithContext(srvCtx).Infof("running gRPC backward compatibility server: %s", compatListener.Addr().String())
 	}
 
-	rootHandler := s.handlerFunc(s.GRPCServer(), s.APIHandler(), s.Metrics().GetMeter())
+	rootHandler := handlerFunc(s.GRPCServer(), s.APIHandler())
 	switch {
 	case s.certManager != nil:
 		// a call to certManager.Listener() always creates a new listener so we do it once
@@ -174,12 +176,6 @@ func (s *BaseServer) Start(ctx context.Context) error {
 		}
 	}
 
-	for _, fn := range s.afterInit {
-		if fn != nil {
-			fn(s)
-		}
-	}
-
 	log.WithContext(ctx).Infof("management server version %s", version.NetbirdVersion())
 	log.WithContext(ctx).Infof("running HTTP server and gRPC server on the same port: %s", s.listener.Addr().String())
 	s.serveGRPCWithHTTP(ctx, s.listener, rootHandler, tlsEnabled)
@@ -251,17 +247,13 @@ func updateMgmtConfig(ctx context.Context, path string, config *nbconfig.Config)
 	return util.DirectWriteJson(ctx, path, config)
 }
 
-func (s *BaseServer) handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler, meter metric.Meter) http.Handler {
-	wsProxy := wsproxyserver.New(netip.AddrPortFrom(netip.AddrFrom4([4]byte{127, 0, 0, 1}), ManagementLegacyPort), wsproxyserver.WithOTelMeter(meter))
-
+func handlerFunc(gRPCHandler *grpc.Server, httpHandler http.Handler) http.Handler {
 	return http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
-		switch {
-		case request.ProtoMajor == 2 && (strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc") ||
-			strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc+proto")):
+		grpcHeader := strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc") ||
+			strings.HasPrefix(request.Header.Get("Content-Type"), "application/grpc+proto")
+		if request.ProtoMajor == 2 && grpcHeader {
 			gRPCHandler.ServeHTTP(writer, request)
-		case request.URL.Path == wsproxy.ProxyPath+wsproxy.ManagementComponent:
-			wsProxy.Handler().ServeHTTP(writer, request)
-		default:
+		} else {
 			httpHandler.ServeHTTP(writer, request)
 		}
 	})

management/server/account.go

@@ -35,7 +35,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
@@ -76,7 +75,6 @@ type DefaultAccountManager struct {
 	ctx                  context.Context
 	eventStore           activity.Store
 	geo                  geolocation.Geolocation
-	ephemeralManager     ephemeral.Manager
 
 	requestBuffer *AccountRequestBuffer
 
@@ -263,10 +261,6 @@ func BuildManager(
 	return am, nil
 }
 
-func (am *DefaultAccountManager) SetEphemeralManager(em ephemeral.Manager) {
-	am.ephemeralManager = em
-}
-
 func (am *DefaultAccountManager) startWarmup(ctx context.Context) {
 	var initialInterval int64
 	intervalStr := os.Getenv("NB_PEER_UPDATE_INTERVAL_MS")

management/server/account/manager.go

@@ -12,7 +12,6 @@ import (
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/idp"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -55,7 +54,7 @@ type Manager interface {
 	UpdatePeerIP(ctx context.Context, accountID, userID, peerID string, newIP netip.Addr) error
 	GetNetworkMap(ctx context.Context, peerID string) (*types.NetworkMap, error)
 	GetPeerNetwork(ctx context.Context, peerID string) (*types.Network, error)
-	AddPeer(ctx context.Context, accountID, setupKey, userID string, peer *nbpeer.Peer, temporary bool) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	AddPeer(ctx context.Context, setupKey, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
 	CreatePAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenName string, expiresIn int) (*types.PersonalAccessTokenGenerated, error)
 	DeletePAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenID string) error
 	GetPAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenID string) (*types.PersonalAccessToken, error)
@@ -127,6 +126,4 @@ type Manager interface {
 	CreatePeerJob(ctx context.Context, accountID, peerID, userID string, job *types.Job) error
 	GetAllPeerJobs(ctx context.Context, accountID, userID, peerID string) ([]*types.Job, error)
 	GetPeerJobByID(ctx context.Context, accountID, userID, peerID, jobID string) (*types.Job, error)
-	SetEphemeralManager(em ephemeral.Manager)
-	AllowSync(string, uint64) bool
 }

management/server/account_test.go

@@ -64,7 +64,7 @@ func verifyCanAddPeerToAccount(t *testing.T, manager nbAccount.Manager, account
 		setupKey = key.Key
 	}
 
-	_, _, _, err := manager.AddPeer(context.Background(), "", setupKey, userID, peer, false)
+	_, _, _, err := manager.AddPeer(context.Background(), setupKey, userID, peer)
 	if err != nil {
 		t.Error("expected to add new peer successfully after creating new account, but failed", err)
 	}
@@ -1046,10 +1046,10 @@ func TestAccountManager_AddPeer(t *testing.T) {
 	}
 	expectedPeerKey := key.PublicKey().String()
 
-	peer, _, _, err := manager.AddPeer(context.Background(), "", setupKey.Key, "", &nbpeer.Peer{
+	peer, _, _, err := manager.AddPeer(context.Background(), setupKey.Key, "", &nbpeer.Peer{
 		Key:  expectedPeerKey,
 		Meta: nbpeer.PeerSystemMeta{Hostname: expectedPeerKey},
-	}, false)
+	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
 		return
@@ -1110,10 +1110,10 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 	expectedPeerKey := key.PublicKey().String()
 	expectedUserID := userID
 
-	peer, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+	peer, _, _, err := manager.AddPeer(context.Background(), "", userID, &nbpeer.Peer{
 		Key:  expectedPeerKey,
 		Meta: nbpeer.PeerSystemMeta{Hostname: expectedPeerKey},
-	}, false)
+	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v, account users: %v", err, account.CreatedBy)
 		return
@@ -1427,10 +1427,10 @@ func TestAccountManager_DeletePeer(t *testing.T) {
 
 	peerKey := key.PublicKey().String()
 
-	peer, _, _, err := manager.AddPeer(context.Background(), "", setupKey.Key, "", &nbpeer.Peer{
+	peer, _, _, err := manager.AddPeer(context.Background(), setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey,
 		Meta: nbpeer.PeerSystemMeta{Hostname: peerKey},
-	}, false)
+	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
 		return
@@ -1803,11 +1803,11 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {
 
 	key, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
-	peer, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+	peer, _, _, err := manager.AddPeer(context.Background(), "", userID, &nbpeer.Peer{
 		Key:                    key.PublicKey().String(),
 		Meta:                   nbpeer.PeerSystemMeta{Hostname: "test-peer"},
 		LoginExpirationEnabled: true,
-	}, false)
+	})
 	require.NoError(t, err, "unable to add peer")
 
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userID, "")
@@ -1859,11 +1859,11 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.
 
 	key, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
-	_, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+	_, _, _, err = manager.AddPeer(context.Background(), "", userID, &nbpeer.Peer{
 		Key:                    key.PublicKey().String(),
 		Meta:                   nbpeer.PeerSystemMeta{Hostname: "test-peer"},
 		LoginExpirationEnabled: true,
-	}, false)
+	})
 	require.NoError(t, err, "unable to add peer")
 	_, err = manager.UpdateAccountSettings(context.Background(), accountID, userID, &types.Settings{
 		PeerLoginExpiration:        time.Hour,
@@ -1902,11 +1902,11 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test
 
 	key, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
-	_, _, _, err = manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+	_, _, _, err = manager.AddPeer(context.Background(), "", userID, &nbpeer.Peer{
 		Key:                    key.PublicKey().String(),
 		Meta:                   nbpeer.PeerSystemMeta{Hostname: "test-peer"},
 		LoginExpirationEnabled: true,
-	}, false)
+	})
 	require.NoError(t, err, "unable to add peer")
 
 	accountID, err := manager.GetAccountIDByUserID(context.Background(), userID, "")
@@ -2950,14 +2950,14 @@ func setupNetworkMapTest(t *testing.T) (*DefaultAccountManager, *types.Account,
 		}
 		expectedPeerKey := key.PublicKey().String()
 
-		peer, _, _, err := manager.AddPeer(context.Background(), "", setupKey.Key, "", &nbpeer.Peer{
+		peer, _, _, err := manager.AddPeer(context.Background(), setupKey.Key, "", &nbpeer.Peer{
 			Key:  expectedPeerKey,
 			Meta: nbpeer.PeerSystemMeta{Hostname: expectedPeerKey},
 			Status: &nbpeer.PeerStatus{
 				Connected: true,
 				LastSeen:  time.Now().UTC(),
 			},
-		}, false)
+		})
 		if err != nil {
 			t.Fatalf("expecting peer to be added, got failure %v", err)
 		}
@@ -3540,16 +3540,16 @@ func TestDefaultAccountManager_UpdatePeerIP(t *testing.T) {
 	key2, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
 
-	peer1, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+	peer1, _, _, err := manager.AddPeer(context.Background(), "", userID, &nbpeer.Peer{
 		Key:  key1.PublicKey().String(),
 		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-1"},
-	}, false)
+	})
 	require.NoError(t, err, "unable to add peer1")
 
-	peer2, _, _, err := manager.AddPeer(context.Background(), "", "", userID, &nbpeer.Peer{
+	peer2, _, _, err := manager.AddPeer(context.Background(), "", userID, &nbpeer.Peer{
 		Key:  key2.PublicKey().String(),
 		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-2"},
-	}, false)
+	})
 	require.NoError(t, err, "unable to add peer2")
 
 	t.Run("update peer IP successfully", func(t *testing.T) {

management/server/dns.go

@@ -6,11 +6,9 @@ import (
 	"sync"
 
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/mod/semver"
 
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
-	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/permissions/modules"
 	"github.com/netbirdio/netbird/management/server/permissions/operations"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -20,13 +18,6 @@ import (
 	"github.com/netbirdio/netbird/shared/management/status"
 )
 
-const (
-	dnsForwarderPort = 22054
-	oldForwarderPort = 5353
-)
-
-const dnsForwarderPortMinVersion = "v0.59.0"
-
 // DNSConfigCache is a thread-safe cache for DNS configuration components
 type DNSConfigCache struct {
 	CustomZones      sync.Map
@@ -212,45 +203,12 @@ func validateDNSSettings(ctx context.Context, transaction store.Store, accountID
 	return validateGroups(settings.DisabledManagementGroups, groups)
 }
 
-// computeForwarderPort checks if all peers in the account have updated to a specific version or newer.
-// If all peers have the required version, it returns the new well-known port (22054), otherwise returns 0.
-func computeForwarderPort(peers []*nbpeer.Peer, requiredVersion string) int64 {
-	if len(peers) == 0 {
-		return oldForwarderPort
-	}
-
-	reqVer := semver.Canonical(requiredVersion)
-
-	// Check if all peers have the required version or newer
-	for _, peer := range peers {
-
-		// Development version is always supported
-		if peer.Meta.WtVersion == "development" {
-			continue
-		}
-		peerVersion := semver.Canonical("v" + peer.Meta.WtVersion)
-		if peerVersion == "" {
-			// If any peer doesn't have version info, return 0
-			return oldForwarderPort
-		}
-
-		// Compare versions
-		if semver.Compare(peerVersion, reqVer) < 0 {
-			return oldForwarderPort
-		}
-	}
-
-	// All peers have the required version or newer
-	return dnsForwarderPort
-}
-
 // toProtocolDNSConfig converts nbdns.Config to proto.DNSConfig using the cache
-func toProtocolDNSConfig(update nbdns.Config, cache *DNSConfigCache, forwardPort int64) *proto.DNSConfig {
+func toProtocolDNSConfig(update nbdns.Config, cache *DNSConfigCache) *proto.DNSConfig {
 	protoUpdate := &proto.DNSConfig{
 		ServiceEnable:    update.ServiceEnable,
 		CustomZones:      make([]*proto.CustomZone, 0, len(update.CustomZones)),
 		NameServerGroups: make([]*proto.NameServerGroup, 0, len(update.NameServerGroups)),
-		ForwarderPort:    forwardPort,
 	}
 
 	for _, zone := range update.CustomZones {

management/server/dns_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/stretchr/testify/require"
 
+	"github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/shared/management/status"
@@ -280,11 +281,11 @@ func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account
 		return nil, err
 	}
 
-	savedPeer1, _, _, err := am.AddPeer(context.Background(), "", "", dnsAdminUserID, peer1, false)
+	savedPeer1, _, _, err := am.AddPeer(context.Background(), "", dnsAdminUserID, peer1)
 	if err != nil {
 		return nil, err
 	}
-	_, _, _, err = am.AddPeer(context.Background(), "", "", dnsAdminUserID, peer2, false)
+	_, _, _, err = am.AddPeer(context.Background(), "", dnsAdminUserID, peer2)
 	if err != nil {
 		return nil, err
 	}
@@ -323,13 +324,13 @@ func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account
 		return nil, err
 	}
 
-	account.NameServerGroups[dnsNSGroup1] = &nbdns.NameServerGroup{
+	account.NameServerGroups[dnsNSGroup1] = &dns.NameServerGroup{
 		ID:   dnsNSGroup1,
 		Name: "ns-group-1",
-		NameServers: []nbdns.NameServer{{
+		NameServers: []dns.NameServer{{
 			IP:     netip.MustParseAddr(savedPeer1.IP.String()),
-			NSType: nbdns.UDPNameServerType,
-			Port:   nbdns.DefaultDNSPort,
+			NSType: dns.UDPNameServerType,
+			Port:   dns.DefaultDNSPort,
 		}},
 		Primary: true,
 		Enabled: true,
@@ -394,7 +395,7 @@ func BenchmarkToProtocolDNSConfig(b *testing.B) {
 
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
-				toProtocolDNSConfig(testData, cache, dnsForwarderPort)
+				toProtocolDNSConfig(testData, cache)
 			}
 		})
 
@@ -402,7 +403,7 @@ func BenchmarkToProtocolDNSConfig(b *testing.B) {
 			b.ResetTimer()
 			for i := 0; i < b.N; i++ {
 				cache := &DNSConfigCache{}
-				toProtocolDNSConfig(testData, cache, dnsForwarderPort)
+				toProtocolDNSConfig(testData, cache)
 			}
 		})
 	}
@@ -455,13 +456,13 @@ func TestToProtocolDNSConfigWithCache(t *testing.T) {
 	}
 
 	// First run with config1
-	result1 := toProtocolDNSConfig(config1, &cache, dnsForwarderPort)
+	result1 := toProtocolDNSConfig(config1, &cache)
 
 	// Second run with config2
-	result2 := toProtocolDNSConfig(config2, &cache, dnsForwarderPort)
+	result2 := toProtocolDNSConfig(config2, &cache)
 
 	// Third run with config1 again
-	result3 := toProtocolDNSConfig(config1, &cache, dnsForwarderPort)
+	result3 := toProtocolDNSConfig(config1, &cache)
 
 	// Verify that result1 and result3 are identical
 	if !reflect.DeepEqual(result1, result3) {
@@ -491,107 +492,6 @@ func TestToProtocolDNSConfigWithCache(t *testing.T) {
 	}
 }
 
-func TestComputeForwarderPort(t *testing.T) {
-	// Test with empty peers list
-	peers := []*nbpeer.Peer{}
-	result := computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
-		t.Errorf("Expected %d for empty peers list, got %d", oldForwarderPort, result)
-	}
-
-	// Test with peers that have old versions
-	peers = []*nbpeer.Peer{
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "0.57.0",
-			},
-		},
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "0.26.0",
-			},
-		},
-	}
-	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
-		t.Errorf("Expected %d for peers with old versions, got %d", oldForwarderPort, result)
-	}
-
-	// Test with peers that have new versions
-	peers = []*nbpeer.Peer{
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "0.59.0",
-			},
-		},
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "0.59.0",
-			},
-		},
-	}
-	result = computeForwarderPort(peers, "v0.59.0")
-	if result != dnsForwarderPort {
-		t.Errorf("Expected %d for peers with new versions, got %d", dnsForwarderPort, result)
-	}
-
-	// Test with peers that have mixed versions
-	peers = []*nbpeer.Peer{
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "0.59.0",
-			},
-		},
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "0.57.0",
-			},
-		},
-	}
-	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
-		t.Errorf("Expected %d for peers with mixed versions, got %d", oldForwarderPort, result)
-	}
-
-	// Test with peers that have empty version
-	peers = []*nbpeer.Peer{
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "",
-			},
-		},
-	}
-	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
-		t.Errorf("Expected %d for peers with empty version, got %d", oldForwarderPort, result)
-	}
-
-	peers = []*nbpeer.Peer{
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "development",
-			},
-		},
-	}
-	result = computeForwarderPort(peers, "v0.59.0")
-	if result == oldForwarderPort {
-		t.Errorf("Expected %d for peers with dev version, got %d", dnsForwarderPort, result)
-	}
-
-	// Test with peers that have unknown version string
-	peers = []*nbpeer.Peer{
-		{
-			Meta: nbpeer.PeerSystemMeta{
-				WtVersion: "unknown",
-			},
-		},
-	}
-	result = computeForwarderPort(peers, "v0.59.0")
-	if result != oldForwarderPort {
-		t.Errorf("Expected %d for peers with unknown version, got %d", oldForwarderPort, result)
-	}
-}
-
 func TestDNSAccountPeersUpdate(t *testing.T) {
 	manager, account, peer1, peer2, peer3 := setupNetworkMapTest(t)
 
@@ -643,10 +543,10 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 		}()
 
 		_, err = manager.CreateNameServerGroup(
-			context.Background(), account.Id, "ns-group", "ns-group", []nbdns.NameServer{{
+			context.Background(), account.Id, "ns-group", "ns-group", []dns.NameServer{{
 				IP:     netip.MustParseAddr(peer1.IP.String()),
-				NSType: nbdns.UDPNameServerType,
-				Port:   nbdns.DefaultDNSPort,
+				NSType: dns.UDPNameServerType,
+				Port:   dns.DefaultDNSPort,
 			}},
 			[]string{"groupB"},
 			true, []string{}, true, userID, false,
@@ -676,10 +576,10 @@ func TestDNSAccountPeersUpdate(t *testing.T) {
 		}()
 
 		_, err = manager.CreateNameServerGroup(
-			context.Background(), account.Id, "ns-group-1", "ns-group-1", []nbdns.NameServer{{
+			context.Background(), account.Id, "ns-group-1", "ns-group-1", []dns.NameServer{{
 				IP:     netip.MustParseAddr(peer1.IP.String()),
-				NSType: nbdns.UDPNameServerType,
-				Port:   nbdns.DefaultDNSPort,
+				NSType: dns.UDPNameServerType,
+				Port:   dns.DefaultDNSPort,
 			}},
 			[]string{"groupA"},
 			true, []string{}, true, userID, false,

management/server/ephemeral.go

@@ -1,4 +1,4 @@
-package manager
+package server
 
 import (
 	"context"

management/server/ephemeral_test.go

@@ -1,4 +1,4 @@
-package manager
+package server
 
 import (
 	"context"
@@ -7,15 +7,12 @@ import (
 	"testing"
 	"time"
 
-	log "github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 
-	nbdns "github.com/netbirdio/netbird/dns"
 	nbAccount "github.com/netbirdio/netbird/management/server/account"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
-	"github.com/netbirdio/netbird/route"
 )
 
 type MockStore struct {
@@ -226,57 +223,3 @@ func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int)
 		store.account.Peers[p.ID] = p
 	}
 }
-
-// newAccountWithId creates a new Account with a default SetupKey (doesn't store in a Store) and provided id
-func newAccountWithId(ctx context.Context, accountID, userID, domain string, disableDefaultPolicy bool) *types.Account {
-	log.WithContext(ctx).Debugf("creating new account")
-
-	network := types.NewNetwork()
-	peers := make(map[string]*nbpeer.Peer)
-	users := make(map[string]*types.User)
-	routes := make(map[route.ID]*route.Route)
-	setupKeys := map[string]*types.SetupKey{}
-	nameServersGroups := make(map[string]*nbdns.NameServerGroup)
-
-	owner := types.NewOwnerUser(userID)
-	owner.AccountID = accountID
-	users[userID] = owner
-
-	dnsSettings := types.DNSSettings{
-		DisabledManagementGroups: make([]string, 0),
-	}
-	log.WithContext(ctx).Debugf("created new account %s", accountID)
-
-	acc := &types.Account{
-		Id:               accountID,
-		CreatedAt:        time.Now().UTC(),
-		SetupKeys:        setupKeys,
-		Network:          network,
-		Peers:            peers,
-		Users:            users,
-		CreatedBy:        userID,
-		Domain:           domain,
-		Routes:           routes,
-		NameServerGroups: nameServersGroups,
-		DNSSettings:      dnsSettings,
-		Settings: &types.Settings{
-			PeerLoginExpirationEnabled: true,
-			PeerLoginExpiration:        types.DefaultPeerLoginExpiration,
-			GroupsPropagationEnabled:   true,
-			RegularUsersViewBlocked:    true,
-
-			PeerInactivityExpirationEnabled: false,
-			PeerInactivityExpiration:        types.DefaultPeerInactivityExpiration,
-			RoutingPeerDNSResolutionEnabled: true,
-		},
-		Onboarding: types.AccountOnboarding{
-			OnboardingFlowPending: true,
-			SignupFormPending:     true,
-		},
-	}
-
-	if err := acc.AddAllGroup(disableDefaultPolicy); err != nil {
-		log.WithContext(ctx).Errorf("error adding all group to account %s: %v", acc.Id, err)
-	}
-	return acc
-}

management/server/grpcserver.go

@@ -22,7 +22,6 @@ import (
 
 	integrationsConfig "github.com/netbirdio/management-integrations/integrations/config"
 	nbconfig "github.com/netbirdio/netbird/management/internals/server/config"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral"
 
 	"github.com/netbirdio/netbird/management/server/integrations/integrated_validator"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -56,10 +55,6 @@ type GRPCServer struct {
 	peerLocks               sync.Map
 	authManager             auth.Manager
 	integratedPeerValidator integrated_validator.IntegratedValidator
-
-	logBlockedPeers          bool
-	blockPeersWithSameConfig bool
-	integratedPeerValidator  integrated_validator.IntegratedValidator
 }
 
 // NewServer creates a new Management server
@@ -72,7 +67,7 @@ func NewServer(
 	jobManager *JobManager,
 	secretsManager SecretsManager,
 	appMetrics telemetry.AppMetrics,
-	ephemeralManager ephemeral.Manager,
+	ephemeralManager *EphemeralManager,
 	authManager auth.Manager,
 	integratedPeerValidator integrated_validator.IntegratedValidator,
 ) (*GRPCServer, error) {
@@ -171,8 +166,11 @@ func (s *GRPCServer) Job(srv proto.ManagementService_JobServer) error {
 	s.startResponseReceiver(ctx, srv)
 
 	// Prepare per-peer state
-	updates := s.jobManager.CreateJobChannel(ctx, accountID, peer.ID)
-	log.WithContext(ctx).Debugf("Job: took %v", time.Since(reqStart))
+	updates, err := s.jobManager.CreateJobChannel(ctx, accountID, peer.ID)
+	if err != nil {
+		return status.Errorf(codes.Internal, err.Error())
+	}
+	log.WithContext(ctx).Debugf("Sync: took %v", time.Since(reqStart))
 
 	// Main loop: forward jobs to client
 	return s.sendJobsLoop(ctx, accountID, peerKey, peer, updates, srv)
@@ -796,13 +794,13 @@ func toPeerConfig(peer *nbpeer.Peer, network *types.Network, dnsName string, set
 	}
 }
 
-func toSyncResponse(ctx context.Context, config *nbconfig.Config, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string, dnsFwdPort int64) *proto.SyncResponse {
+func toSyncResponse(ctx context.Context, config *nbconfig.Config, peer *nbpeer.Peer, turnCredentials *Token, relayCredentials *Token, networkMap *types.NetworkMap, dnsName string, checks []*posture.Checks, dnsCache *DNSConfigCache, settings *types.Settings, extraSettings *types.ExtraSettings, peerGroups []string) *proto.SyncResponse {
 	response := &proto.SyncResponse{
 		PeerConfig: toPeerConfig(peer, networkMap.Network, dnsName, settings),
 		NetworkMap: &proto.NetworkMap{
 			Serial:    networkMap.Network.CurrentSerial(),
 			Routes:    toProtocolRoutes(networkMap.Routes),
-			DNSConfig: toProtocolDNSConfig(networkMap.DNSConfig, dnsCache, dnsFwdPort),
+			DNSConfig: toProtocolDNSConfig(networkMap.DNSConfig, dnsCache),
 		},
 		Checks: toProtocolChecks(ctx, checks),
 	}
@@ -813,11 +811,11 @@ func toSyncResponse(ctx context.Context, config *nbconfig.Config, peer *nbpeer.P
 
 	response.NetworkMap.PeerConfig = response.PeerConfig
 
-	remotePeers := make([]*proto.RemotePeerConfig, 0, len(networkMap.Peers)+len(networkMap.OfflinePeers))
-	remotePeers = appendRemotePeerConfig(remotePeers, networkMap.Peers, dnsName)
-	response.RemotePeers = remotePeers
-	response.NetworkMap.RemotePeers = remotePeers
-	response.RemotePeersIsEmpty = len(remotePeers) == 0
+	allPeers := make([]*proto.RemotePeerConfig, 0, len(networkMap.Peers)+len(networkMap.OfflinePeers))
+	allPeers = appendRemotePeerConfig(allPeers, networkMap.Peers, dnsName)
+	response.RemotePeers = allPeers
+	response.NetworkMap.RemotePeers = allPeers
+	response.RemotePeersIsEmpty = len(allPeers) == 0
 	response.NetworkMap.RemotePeersIsEmpty = response.RemotePeersIsEmpty
 
 	response.NetworkMap.OfflinePeers = appendRemotePeerConfig(nil, networkMap.OfflinePeers, dnsName)
@@ -889,14 +887,7 @@ func (s *GRPCServer) sendInitialSync(ctx context.Context, peerKey wgtypes.Key, p
 		return status.Errorf(codes.Internal, "failed to get peer groups %s", err)
 	}
 
-	// Get all peers in the account for forwarder port computation
-	allPeers, err := s.accountManager.GetStore().GetAccountPeers(ctx, store.LockingStrengthNone, peer.AccountID, "", "")
-	if err != nil {
-		return fmt.Errorf("get account peers: %w", err)
-	}
-	dnsFwdPort := computeForwarderPort(allPeers, dnsForwarderPortMinVersion)
-
-	plainResp := toSyncResponse(ctx, s.config, peer, turnToken, relayToken, networkMap, s.accountManager.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups, dnsFwdPort)
+	plainResp := toSyncResponse(ctx, s.config, peer, turnToken, relayToken, networkMap, s.accountManager.GetDNSDomain(settings), postureChecks, nil, settings, settings.Extra, peerGroups)
 
 	encryptedResp, err := encryption.EncryptMessage(peerKey, s.wgKey, plainResp)
 	if err != nil {

management/server/http/handlers/peers/peers_handler.go

@@ -36,7 +36,6 @@ func AddEndpoints(accountManager account.Manager, router *mux.Router) {
 	router.HandleFunc("/peers/{peerId}/jobs", peersHandler.ListJobs).Methods("GET", "OPTIONS")
 	router.HandleFunc("/peers/{peerId}/jobs", peersHandler.CreateJob).Methods("POST", "OPTIONS")
 	router.HandleFunc("/peers/{peerId}/jobs/{jobId}", peersHandler.GetJob).Methods("GET", "OPTIONS")
-	router.HandleFunc("/peers/{peerId}/temporary-access", peersHandler.CreateTemporaryAccess).Methods("POST", "OPTIONS")
 }
 
 // NewHandler creates a new peers Handler
@@ -416,88 +415,6 @@ func (h *Handler) GetAccessiblePeers(w http.ResponseWriter, r *http.Request) {
 	util.WriteJSONObject(r.Context(), w, toAccessiblePeers(netMap, dnsDomain))
 }
 
-func (h *Handler) CreateTemporaryAccess(w http.ResponseWriter, r *http.Request) {
-	userAuth, err := nbcontext.GetUserAuthFromContext(r.Context())
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	vars := mux.Vars(r)
-	peerID := vars["peerId"]
-	if len(peerID) == 0 {
-		util.WriteError(r.Context(), status.Errorf(status.InvalidArgument, "invalid peer ID"), w)
-		return
-	}
-
-	var req api.PeerTemporaryAccessRequest
-	err = json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		util.WriteErrorResponse("couldn't parse JSON request", http.StatusBadRequest, w)
-		return
-	}
-
-	newPeer := &nbpeer.Peer{}
-	newPeer.FromAPITemporaryAccessRequest(&req)
-
-	targetPeer, err := h.accountManager.GetPeer(r.Context(), userAuth.AccountId, peerID, userAuth.UserId)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	peer, _, _, err := h.accountManager.AddPeer(r.Context(), userAuth.AccountId, "", userAuth.UserId, newPeer, true)
-	if err != nil {
-		util.WriteError(r.Context(), err, w)
-		return
-	}
-
-	for _, rule := range req.Rules {
-		protocol, portRange, err := types.ParseRuleString(rule)
-		if err != nil {
-			util.WriteError(r.Context(), err, w)
-			return
-		}
-		policy := &types.Policy{
-			AccountID:   userAuth.AccountId,
-			Description: "Temporary access policy for peer " + peer.Name,
-			Name:        "Temporary access policy for peer " + peer.Name,
-			Enabled:     true,
-			Rules: []*types.PolicyRule{{
-				Name:        "Temporary access rule",
-				Description: "Temporary access rule",
-				Enabled:     true,
-				Action:      types.PolicyTrafficActionAccept,
-				SourceResource: types.Resource{
-					Type: types.ResourceTypePeer,
-					ID:   peer.ID,
-				},
-				DestinationResource: types.Resource{
-					Type: types.ResourceTypePeer,
-					ID:   targetPeer.ID,
-				},
-				Bidirectional: false,
-				Protocol:      protocol,
-				PortRanges:    []types.RulePortRange{portRange},
-			}},
-		}
-
-		_, err = h.accountManager.SavePolicy(r.Context(), userAuth.AccountId, userAuth.UserId, policy, true)
-		if err != nil {
-			util.WriteError(r.Context(), err, w)
-			return
-		}
-	}
-
-	resp := &api.PeerTemporaryAccessResponse{
-		Id:    peer.ID,
-		Name:  peer.Name,
-		Rules: req.Rules,
-	}
-
-	util.WriteJSONObject(r.Context(), w, resp)
-}
-
 func toAccessiblePeers(netMap *types.NetworkMap, dnsDomain string) []api.AccessiblePeer {
 	accessiblePeers := make([]api.AccessiblePeer, 0, len(netMap.Peers)+len(netMap.OfflinePeers))
 	for _, p := range netMap.Peers {

management/server/jobChannel.go

@@ -6,6 +6,7 @@ import (
 	"sync"
 	"time"
 
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -16,9 +17,11 @@ import (
 const jobChannelBuffer = 100
 
 type JobEvent struct {
-	PeerID   string
-	Request  *proto.JobRequest
-	Response *proto.JobResponse
+	Job        *types.Job
+	Request    *proto.JobRequest
+	Response   *proto.JobResponse
+	Done       chan struct{} // closed when response arrives
+	StoreEvent func(meta map[string]any, peer *nbpeer.Peer)
 }
 
 type JobManager struct {
@@ -43,10 +46,10 @@ func NewJobManager(metrics telemetry.AppMetrics, store store.Store) *JobManager
 }
 
 // CreateJobChannel creates or replaces a channel for a peer
-func (jm *JobManager) CreateJobChannel(ctx context.Context, accountID, peerID string) chan *JobEvent {
+func (jm *JobManager) CreateJobChannel(ctx context.Context, accountID, peerID string) (chan *JobEvent, error) {
 	// all pending jobs stored in db for this peer should be failed
 	if err := jm.Store.MarkPendingJobsAsFailed(ctx, accountID, peerID, "Pending job cleanup: marked as failed automatically due to being stuck too long"); err != nil {
-		log.WithContext(ctx).Error(err.Error())
+		return nil, err
 	}
 
 	jm.mu.Lock()
@@ -59,21 +62,28 @@ func (jm *JobManager) CreateJobChannel(ctx context.Context, accountID, peerID st
 
 	ch := make(chan *JobEvent, jobChannelBuffer)
 	jm.jobChannels[peerID] = ch
-	return ch
+	return ch, nil
 }
 
 // SendJob sends a job to a peer and tracks it as pending
-func (jm *JobManager) SendJob(ctx context.Context, accountID, peerID string, req *proto.JobRequest) error {
+func (jm *JobManager) SendJob(ctx context.Context, job *types.Job, storeEvent func(meta map[string]any, peer *nbpeer.Peer)) error {
 	jm.mu.RLock()
-	ch, ok := jm.jobChannels[peerID]
+	ch, ok := jm.jobChannels[job.PeerID]
 	jm.mu.RUnlock()
 	if !ok {
-		return fmt.Errorf("peer %s has no channel", peerID)
+		return fmt.Errorf("peer %s has no channel", job.PeerID)
+	}
+
+	req, err := job.ToStreamJobRequest()
+	if err != nil {
+		return err
 	}
 
 	event := &JobEvent{
-		PeerID:  peerID,
-		Request: req,
+		Job:        job,
+		Request:    req,
+		Done:       make(chan struct{}),
+		StoreEvent: storeEvent,
 	}
 
 	jm.mu.Lock()
@@ -82,14 +92,21 @@ func (jm *JobManager) SendJob(ctx context.Context, accountID, peerID string, req
 
 	select {
 	case ch <- event:
+	case <-time.After(5 * time.Second):
+		jm.cleanup(ctx, string(req.ID), "timed out")
+		return fmt.Errorf("job channel full for peer %s", job.PeerID)
+	}
+
+	select {
+	case <-event.Done:
+		return nil
 	case <-time.After(jm.responseWait):
-		jm.cleanup(ctx, accountID, string(req.ID), "timed out")
+		jm.cleanup(ctx, string(req.ID), "timed out")
 		return fmt.Errorf("job %s timed out", req.ID)
 	case <-ctx.Done():
-		jm.cleanup(ctx, accountID, string(req.ID), ctx.Err().Error())
+		jm.cleanup(ctx, string(req.ID), ctx.Err().Error())
 		return ctx.Err()
 	}
-	return nil
 }
 
 // HandleResponse marks a job as finished and moves it to completed
@@ -97,23 +114,20 @@ func (jm *JobManager) HandleResponse(ctx context.Context, resp *proto.JobRespons
 	jm.mu.Lock()
 	defer jm.mu.Unlock()
 
-	jobID := string(resp.ID)
-
-	event, ok := jm.pending[jobID]
+	event, ok := jm.pending[string(resp.ID)]
 	if !ok {
-		return fmt.Errorf("job %s not found", jobID)
-	}
-	var job types.Job
-	if err := job.ApplyResponse(resp); err != nil {
-		return fmt.Errorf("invalid job response: %v", err)
+		return fmt.Errorf("job %s not found", resp.ID)
 	}
+	fmt.Printf("we got this %+v\n", resp)
 	//update or create the store for job response
-	err := jm.Store.CompletePeerJob(ctx, &job)
+	err := jm.saveJob(ctx, event.Job, resp, event.StoreEvent)
 	if err == nil {
 		event.Response = resp
 	}
 
-	delete(jm.pending, jobID)
+	close(event.Done)
+	delete(jm.pending, string(resp.ID))
+
 	return err
 }
 
@@ -129,9 +143,9 @@ func (jm *JobManager) CloseChannel(ctx context.Context, accountID, peerID string
 	}
 
 	for jobID, ev := range jm.pending {
-		if ev.PeerID == peerID {
+		if ev.Job.PeerID == peerID {
 			// if the client disconnect and there is pending job then marke it as failed
-			if err := jm.Store.MarkPendingJobsAsFailed(ctx, accountID, peerID, "Time out peer disconnected"); err != nil {
+			if err := jm.Store.MarkPendingJobsAsFailed(ctx, accountID, peerID, "Time out"); err != nil {
 				log.WithContext(ctx).Errorf(err.Error())
 			}
 			delete(jm.pending, jobID)
@@ -140,12 +154,13 @@ func (jm *JobManager) CloseChannel(ctx context.Context, accountID, peerID string
 }
 
 // cleanup removes a pending job safely
-func (jm *JobManager) cleanup(ctx context.Context, accountID, jobID string, reason string) {
+func (jm *JobManager) cleanup(ctx context.Context, jobID string, reason string) {
 	jm.mu.Lock()
 	defer jm.mu.Unlock()
 
 	if ev, ok := jm.pending[jobID]; ok {
-		if err := jm.Store.MarkPendingJobsAsFailed(ctx, accountID, ev.PeerID, reason); err != nil {
+		close(ev.Done)
+		if err := jm.Store.MarkPendingJobsAsFailed(ctx, ev.Job.AccountID, ev.Job.PeerID, reason); err != nil {
 			log.WithContext(ctx).Errorf(err.Error())
 		}
 		delete(jm.pending, jobID)
@@ -165,9 +180,44 @@ func (jm *JobManager) IsPeerHasPendingJobs(peerID string) bool {
 	defer jm.mu.RUnlock()
 
 	for _, ev := range jm.pending {
-		if ev.PeerID == peerID {
+		if ev.Job.PeerID == peerID {
 			return true
 		}
 	}
 	return false
 }
+
+func (jm *JobManager) saveJob(ctx context.Context, job *types.Job, response *proto.JobResponse, StoreEvent func(meta map[string]any, peer *nbpeer.Peer)) error {
+	var peer *nbpeer.Peer
+	var err error
+	var eventsToStore func()
+
+	// persist job in DB only if send succeeded
+	err = jm.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
+		peer, err = transaction.GetPeerByID(ctx, store.LockingStrengthUpdate, job.AccountID, job.PeerID)
+		if err != nil {
+			return err
+		}
+		if err := transaction.CreateOrUpdatePeerJob(ctx, job, response); err != nil {
+			return err
+		}
+
+		jobMeta := map[string]any{
+			"job_id":       job.ID,
+			"for_peer_id":  job.PeerID,
+			"job_type":     job.Workload.Type,
+			"job_status":   job.Status,
+			"job_workload": job.Workload,
+		}
+
+		eventsToStore = func() {
+			StoreEvent(jobMeta, peer)
+		}
+		return nil
+	})
+	if err != nil {
+		return err
+	}
+	eventsToStore()
+	return nil
+}

management/server/management_test.go

@@ -25,7 +25,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/groups"
 	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
 	"github.com/netbirdio/netbird/management/server/permissions"
 	"github.com/netbirdio/netbird/management/server/settings"
 	"github.com/netbirdio/netbird/management/server/store"
@@ -232,7 +231,7 @@ func startServer(
 		jobManager,
 		secretsManager,
 		nil,
-		&manager.EphemeralManager{},
+		nil,
 		nil,
 		server.MockIntegratedValidator{},
 	)

management/server/mock_server/account_mock.go

@@ -15,7 +15,6 @@ import (
 	nbcontext "github.com/netbirdio/netbird/management/server/context"
 	"github.com/netbirdio/netbird/management/server/idp"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral"
 	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
@@ -42,7 +41,7 @@ type MockAccountManager struct {
 	DeletePeerFunc                        func(ctx context.Context, accountID, peerKey, userID string) error
 	GetNetworkMapFunc                     func(ctx context.Context, peerKey string) (*types.NetworkMap, error)
 	GetPeerNetworkFunc                    func(ctx context.Context, peerKey string) (*types.Network, error)
-	AddPeerFunc                           func(ctx context.Context, accountID string, setupKey string, userId string, peer *nbpeer.Peer, temporary bool) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
+	AddPeerFunc                           func(ctx context.Context, setupKey string, userId string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error)
 	GetGroupFunc                          func(ctx context.Context, accountID, groupID, userID string) (*types.Group, error)
 	GetAllGroupsFunc                      func(ctx context.Context, accountID, userID string) ([]*types.Group, error)
 	GetGroupByNameFunc                    func(ctx context.Context, accountID, groupName string) (*types.Group, error)
@@ -149,6 +148,7 @@ func (am *MockAccountManager) GetPeerJobByID(ctx context.Context, accountID, use
 	return nil, status.Errorf(codes.Unimplemented, "method CreateJob is not implemented")
 }
 
+
 func (am *MockAccountManager) CreateGroup(ctx context.Context, accountID, userID string, group *types.Group) error {
 	if am.SaveGroupFunc != nil {
 		return am.SaveGroupFunc(ctx, accountID, userID, group, true)
@@ -371,14 +371,12 @@ func (am *MockAccountManager) GetPeerNetwork(ctx context.Context, peerKey string
 // AddPeer mock implementation of AddPeer from server.AccountManager interface
 func (am *MockAccountManager) AddPeer(
 	ctx context.Context,
-	accountID string,
 	setupKey string,
 	userId string,
 	peer *nbpeer.Peer,
-	temporary bool,
 ) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
 	if am.AddPeerFunc != nil {
-		return am.AddPeerFunc(ctx, accountID, setupKey, userId, peer, temporary)
+		return am.AddPeerFunc(ctx, setupKey, userId, peer)
 	}
 	return nil, nil, nil, status.Errorf(codes.Unimplemented, "method AddPeer is not implemented")
 }
@@ -979,15 +977,3 @@ func (am *MockAccountManager) GetCurrentUserInfo(ctx context.Context, userAuth n
 	}
 	return nil, status.Errorf(codes.Unimplemented, "method GetCurrentUserInfo is not implemented")
 }
-
-// SetEphemeralManager mocks SetEphemeralManager of the AccountManager interface
-func (am *MockAccountManager) SetEphemeralManager(em ephemeral.Manager) {
-	// Mock implementation - does nothing
-}
-
-func (am *MockAccountManager) AllowSync(key string, hash uint64) bool {
-	if am.AllowSyncFunc != nil {
-		return am.AllowSyncFunc(key, hash)
-	}
-	return true
-}

management/server/nameserver_test.go

@@ -876,11 +876,11 @@ func initTestNSAccount(t *testing.T, am *DefaultAccountManager) (*types.Account,
 		return nil, err
 	}
 
-	_, _, _, err = am.AddPeer(context.Background(), "", "", userID, peer1, false)
+	_, _, _, err = am.AddPeer(context.Background(), "", userID, peer1)
 	if err != nil {
 		return nil, err
 	}
-	_, _, _, err = am.AddPeer(context.Background(), "", "", userID, peer2, false)
+	_, _, _, err = am.AddPeer(context.Background(), "", userID, peer2)
 	if err != nil {
 		return nil, err
 	}

management/server/networks/resources/manager.go

@@ -135,7 +135,7 @@ func (m *managerImpl) CreateResource(ctx context.Context, userID string, resourc
 
 		res := nbtypes.Resource{
 			ID:   resource.ID,
-			Type: nbtypes.ResourceType(resource.Type.String()),
+			Type: resource.Type.String(),
 		}
 		for _, groupID := range resource.GroupIDs {
 			event, err := m.groupsManager.AddResourceToGroupInTransaction(ctx, transaction, resource.AccountID, userID, groupID, &res)
@@ -271,7 +271,7 @@ func (m *managerImpl) UpdateResource(ctx context.Context, userID string, resourc
 func (m *managerImpl) updateResourceGroups(ctx context.Context, transaction store.Store, userID string, newResource, oldResource *types.NetworkResource) ([]func(), error) {
 	res := nbtypes.Resource{
 		ID:   newResource.ID,
-		Type: nbtypes.ResourceType(newResource.Type.String()),
+		Type: newResource.Type.String(),
 	}
 
 	oldResourceGroups, err := m.groupsManager.GetResourceGroupsInTransaction(ctx, transaction, store.LockingStrengthUpdate, oldResource.AccountID, oldResource.ID)

management/server/peer.go

@@ -362,46 +362,12 @@ func (am *DefaultAccountManager) CreatePeerJob(ctx context.Context, accountID, p
 		return status.Errorf(status.BadRequest, "peer already hase pending job")
 	}
 
-	jobStream, err := job.ToStreamJobRequest()
-	if err != nil {
-		return status.Errorf(status.BadRequest, "invalid job request %v", err)
-	}
-
 	// try sending job first
-	if err := am.jobManager.SendJob(ctx, accountID, peerID, jobStream); err != nil {
+	if err := am.jobManager.SendJob(ctx, job, func(meta map[string]any, peer *nbpeer.Peer) {
+		am.StoreEvent(ctx, userID, peer.ID, accountID, activity.JobCreatedByUser, meta)
+	}); err != nil {
 		return status.Errorf(status.Internal, "failed to send job: %v", err)
 	}
-
-	var peer *nbpeer.Peer
-	var eventsToStore func()
-
-	// persist job in DB only if send succeeded
-	err = am.Store.ExecuteInTransaction(ctx, func(transaction store.Store) error {
-		peer, err = transaction.GetPeerByID(ctx, store.LockingStrengthUpdate, accountID, peerID)
-		if err != nil {
-			return err
-		}
-		if err := transaction.CreatePeerJob(ctx, job); err != nil {
-			return err
-		}
-
-		jobMeta := map[string]any{
-			"job_id":       job.ID,
-			"for_peer_id":  job.PeerID,
-			"job_type":     job.Workload.Type,
-			"job_status":   job.Status,
-			"job_workload": job.Workload,
-		}
-
-		eventsToStore = func() {
-			am.StoreEvent(ctx, userID, peer.ID, accountID, activity.JobCreatedByUser, jobMeta)
-		}
-		return nil
-	})
-	if err != nil {
-		return err
-	}
-	eventsToStore()
 	return nil
 }
 
@@ -424,7 +390,7 @@ func (am *DefaultAccountManager) GetAllPeerJobs(ctx context.Context, accountID,
 		return []*types.Job{}, nil
 	}
 
-	accountJobs, err := am.Store.GetPeerJobs(ctx, accountID, peerID)
+	accountJobs, err := am.Store.GetPeerJobs(accountID, peerID)
 	if err != nil {
 		return nil, err
 	}
@@ -451,7 +417,7 @@ func (am *DefaultAccountManager) GetPeerJobByID(ctx context.Context, accountID,
 		return &types.Job{}, nil
 	}
 
-	job, err := am.Store.GetPeerJobByID(ctx, accountID, jobID)
+	job, err := am.Store.GetPeerJobByID(accountID, jobID)
 	if err != nil {
 		return nil, err
 	}
@@ -586,7 +552,7 @@ func (am *DefaultAccountManager) GetPeerNetwork(ctx context.Context, peerID stri
 // to it. We also add the User ID to the peer metadata to identify registrant. If no userID provided, then fail with status.PermissionDenied
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
-func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKey, userID string, peer *nbpeer.Peer, temporary bool) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
+func (am *DefaultAccountManager) AddPeer(ctx context.Context, setupKey, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, *types.NetworkMap, []*posture.Checks, error) {
 	if setupKey == "" && userID == "" {
 		// no auth method provided => reject access
 		return nil, nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
@@ -618,29 +584,17 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 	var ephemeral bool
 	var groupsToAdd []string
 	var allowExtraDNSLabels bool
+	var accountID string
+	var isEphemeral bool
 	if addedByUser {
 		user, err := am.Store.GetUserByUserID(ctx, store.LockingStrengthNone, userID)
 		if err != nil {
 			return nil, nil, nil, status.Errorf(status.NotFound, "failed adding new peer: user not found")
 		}
-		if user.PendingApproval {
-			return nil, nil, nil, status.Errorf(status.PermissionDenied, "user pending approval cannot add peers")
-		}
-		if temporary {
-			allowed, err := am.permissionsManager.ValidateUserPermissions(ctx, accountID, userID, modules.Peers, operations.Create)
-			if err != nil {
-				return nil, nil, nil, status.NewPermissionValidationError(err)
-			}
-
-			if !allowed {
-				return nil, nil, nil, status.NewPermissionDeniedError()
-			}
-		} else {
-			accountID = user.AccountID
-			groupsToAdd = user.AutoGroups
-		}
+		groupsToAdd = user.AutoGroups
 		opEvent.InitiatorID = userID
 		opEvent.Activity = activity.PeerAddedByUser
+		accountID = user.AccountID
 	} else {
 		// Validate the setup key
 		sk, err := am.Store.GetSetupKeyBySecret(ctx, store.LockingStrengthNone, encodedHashedKey)
@@ -661,16 +615,13 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		setupKeyName = sk.Name
 		allowExtraDNSLabels = sk.AllowExtraDNSLabels
 		accountID = sk.AccountID
+		isEphemeral = sk.Ephemeral
 		if !sk.AllowExtraDNSLabels && len(peer.ExtraDNSLabels) > 0 {
 			return nil, nil, nil, status.Errorf(status.PreconditionFailed, "couldn't add peer: setup key doesn't allow extra DNS labels")
 		}
 	}
 	opEvent.AccountID = accountID
 
-	if temporary {
-		ephemeral = true
-	}
-
 	if (strings.ToLower(peer.Meta.Hostname) == "iphone" || strings.ToLower(peer.Meta.Hostname) == "ipad") && userID != "" {
 		if am.idpManager != nil {
 			userdata, err := am.idpManager.GetUserDataByID(ctx, userID, idp.AppMetadata{WTAccountID: accountID})
@@ -697,10 +648,10 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		SSHKey:                      peer.SSHKey,
 		LastLogin:                   &registrationTime,
 		CreatedAt:                   registrationTime,
-		LoginExpirationEnabled:      addedByUser && !temporary,
+		LoginExpirationEnabled:      addedByUser,
 		Ephemeral:                   ephemeral,
 		Location:                    peer.Location,
-		InactivityExpirationEnabled: addedByUser && !temporary,
+		InactivityExpirationEnabled: addedByUser,
 		ExtraDNSLabels:              peer.ExtraDNSLabels,
 		AllowExtraDNSLabels:         allowExtraDNSLabels,
 	}
@@ -736,7 +687,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 		}
 
 		var freeLabel string
-		if ephemeral || attempt > 1 {
+		if isEphemeral || attempt > 1 {
 			freeLabel, err = getPeerIPDNSLabel(freeIP, peer.Meta.Hostname)
 			if err != nil {
 				return nil, nil, nil, fmt.Errorf("failed to get free DNS label: %w", err)
@@ -777,11 +728,6 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 				return fmt.Errorf("failed adding peer to All group: %w", err)
 			}
 
-			if temporary {
-				// we are running the on disconnect handler so that it is considered not connected as we are adding the peer manually
-				am.ephemeralManager.OnPeerDisconnected(ctx, newPeer)
-			}
-
 			if addedByUser {
 				err := transaction.SaveUserLastLogin(ctx, accountID, userID, newPeer.GetLastLogin())
 				if err != nil {
@@ -876,7 +822,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 	var peer *nbpeer.Peer
 	var peerNotValid bool
 	var isStatusChanged bool
-	var updated, versionChanged bool
+	var updated bool
 	var err error
 	var postureChecks []*posture.Checks
 
@@ -916,7 +862,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 			return err
 		}
 
-		updated, versionChanged = peer.UpdateMetaIfNew(sync.Meta)
+		updated = peer.UpdateMetaIfNew(sync.Meta)
 		if updated {
 			am.metrics.AccountManagerMetrics().CountPeerMetUpdate()
 			log.WithContext(ctx).Tracef("peer %s metadata updated", peer.ID)
@@ -935,7 +881,7 @@ func (am *DefaultAccountManager) SyncPeer(ctx context.Context, sync types.PeerSy
 		return nil, nil, nil, err
 	}
 
-	if isStatusChanged || sync.UpdateAccountPeers || (updated && (len(postureChecks) > 0 || versionChanged)) {
+	if isStatusChanged || sync.UpdateAccountPeers || (updated && len(postureChecks) > 0) {
 		am.BufferUpdateAccountPeers(ctx, accountID)
 	}
 
@@ -954,7 +900,7 @@ func (am *DefaultAccountManager) handlePeerLoginNotFound(ctx context.Context, lo
 			ExtraDNSLabels: login.ExtraDNSLabels,
 		}
 
-		return am.AddPeer(ctx, "", login.SetupKey, login.UserID, newPeer, false)
+		return am.AddPeer(ctx, login.SetupKey, login.UserID, newPeer)
 	}
 
 	log.WithContext(ctx).Errorf("failed while logging in peer %s: %v", login.WireGuardPubKey, err)
@@ -1036,7 +982,7 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 			return err
 		}
 
-		isPeerUpdated, _ = peer.UpdateMetaIfNew(login.Meta)
+		isPeerUpdated = peer.UpdateMetaIfNew(login.Meta)
 		if isPeerUpdated {
 			am.metrics.AccountManagerMetrics().CountPeerMetUpdate()
 			shouldStorePeer = true
@@ -1050,7 +996,6 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login types.Peer
 		if peer.SSHKey != login.SSHKey {
 			peer.SSHKey = login.SSHKey
 			shouldStorePeer = true
-			updateRemotePeers = true
 		}
 
 		if !peer.AllowExtraDNSLabels && len(login.ExtraDNSLabels) > 0 {
@@ -1388,8 +1333,6 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 		return
 	}
 
-	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), dnsForwarderPortMinVersion)
-
 	for _, peer := range account.Peers {
 		if !am.peersUpdateManager.HasChannel(peer.ID) {
 			log.WithContext(ctx).Tracef("peer %s doesn't have a channel, skipping network map update", peer.ID)
@@ -1426,7 +1369,7 @@ func (am *DefaultAccountManager) UpdateAccountPeers(ctx context.Context, account
 
 			peerGroups := account.GetPeerGroups(p.ID)
 			start = time.Now()
-			update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups), dnsFwdPort)
+			update := toSyncResponse(ctx, nil, p, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSetting, maps.Keys(peerGroups))
 			am.metrics.UpdateChannelMetrics().CountToSyncResponseDuration(time.Since(start))
 
 			am.peersUpdateManager.SendUpdate(ctx, p.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap})
@@ -1537,9 +1480,7 @@ func (am *DefaultAccountManager) UpdateAccountPeer(ctx context.Context, accountI
 	}
 
 	peerGroups := account.GetPeerGroups(peerId)
-	dnsFwdPort := computeForwarderPort(maps.Values(account.Peers), dnsForwarderPortMinVersion)
-
-	update := toSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups), dnsFwdPort)
+	update := toSyncResponse(ctx, nil, peer, nil, nil, remotePeerNetworkMap, dnsDomain, postureChecks, dnsCache, account.Settings, extraSettings, maps.Keys(peerGroups))
 	am.peersUpdateManager.SendUpdate(ctx, peer.ID, &UpdateMessage{Update: update, NetworkMap: remotePeerNetworkMap})
 }
 
@@ -1712,8 +1653,6 @@ func deletePeers(ctx context.Context, am *DefaultAccountManager, transaction sto
 		return nil, err
 	}
 
-	dnsFwdPort := computeForwarderPort(peers, dnsForwarderPortMinVersion)
-
 	for _, peer := range peers {
 		if err := transaction.RemovePeerFromAllGroups(ctx, peer.ID); err != nil {
 			return nil, fmt.Errorf("failed to remove peer %s from groups", peer.ID)
@@ -1723,26 +1662,6 @@ func deletePeers(ctx context.Context, am *DefaultAccountManager, transaction sto
 			return nil, err
 		}
 
-		peerPolicyRules, err := transaction.GetPolicyRulesByResourceID(ctx, store.LockingStrengthNone, accountID, peer.ID)
-		if err != nil {
-			return nil, err
-		}
-		for _, rule := range peerPolicyRules {
-			policy, err := transaction.GetPolicyByID(ctx, store.LockingStrengthNone, accountID, rule.PolicyID)
-			if err != nil {
-				return nil, err
-			}
-
-			err = transaction.DeletePolicy(ctx, accountID, rule.PolicyID)
-			if err != nil {
-				return nil, err
-			}
-
-			peerDeletedEvents = append(peerDeletedEvents, func() {
-				am.StoreEvent(ctx, userID, peer.ID, accountID, activity.PolicyRemoved, policy.EventMeta())
-			})
-		}
-
 		if err = transaction.DeletePeer(ctx, accountID, peer.ID); err != nil {
 			return nil, err
 		}
@@ -1757,9 +1676,6 @@ func deletePeers(ctx context.Context, am *DefaultAccountManager, transaction sto
 					RemotePeersIsEmpty:   true,
 					FirewallRules:        []*proto.FirewallRule{},
 					FirewallRulesIsEmpty: true,
-					DNSConfig: &proto.DNSConfig{
-						ForwarderPort: dnsFwdPort,
-					},
 				},
 			},
 			NetworkMap: &types.NetworkMap{},