update build

.gitignore

@@ -31,3 +31,4 @@ infrastructure_files/setup-*.env
 .DS_Store
 vendor/
 /netbird
+client/ui/ui

client/Dockerfile

@@ -4,7 +4,7 @@
 #   sudo podman build -t localhost/netbird:latest -f client/Dockerfile --ignorefile .dockerignore-client .
 #   sudo podman run --rm -it --cap-add={BPF,NET_ADMIN,NET_RAW} localhost/netbird:latest
 
-FROM alpine:3.22.0
+FROM alpine:3.22.2
 # iproute2: busybox doesn't display ip rules properly
 RUN apk add --no-cache \
     bash \

client/cmd/login.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"os/exec"
 	"os/user"
 	"runtime"
 	"strings"
@@ -356,13 +357,21 @@ func openURL(cmd *cobra.Command, verificationURIComplete, userCode string, noBro
 	cmd.Println("")
 
 	if !noBrowser {
-		if err := open.Run(verificationURIComplete); err != nil {
+		if err := openBrowser(verificationURIComplete); err != nil {
 			cmd.Println("\nAlternatively, you may want to use a setup key, see:\n\n" +
 				"https://docs.netbird.io/how-to/register-machines-using-setup-keys")
 		}
 	}
 }
 
+// openBrowser opens the URL in a browser, respecting the BROWSER environment variable.
+func openBrowser(url string) error {
+	if browser := os.Getenv("BROWSER"); browser != "" {
+		return exec.Command(browser, url).Start()
+	}
+	return open.Run(url)
+}
+
 // isUnixRunningDesktop checks if a Linux OS is running desktop environment
 func isUnixRunningDesktop() bool {
 	if runtime.GOOS != "linux" && runtime.GOOS != "freebsd" {

client/firewall/iptables/acl_linux.go

@@ -400,7 +400,6 @@ func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action fi
 		return ""
 	}
 
-	// Include action in the ipset name to prevent squashing rules with different actions
 	actionSuffix := ""
 	if action == firewall.ActionDrop {
 		actionSuffix = "-drop"

client/iface/device.go

@@ -23,4 +23,5 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
+	GetICEBind() device.EndpointManager
 }

client/iface/device/device_android.go

@@ -150,6 +150,11 @@ func (t *WGTunDevice) GetNet() *netstack.Net {
 	return nil
 }
 
+// GetICEBind returns the ICEBind instance
+func (t *WGTunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}
+
 func routesToString(routes []string) string {
 	return strings.Join(routes, ";")
 }

client/iface/device/device_darwin.go

@@ -154,3 +154,8 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/device_ios.go

@@ -144,3 +144,8 @@ func (t *TunDevice) FilteredDevice() *FilteredDevice {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/device_kernel_unix.go

@@ -179,3 +179,8 @@ func (t *TunKernelDevice) assignAddr() error {
 func (t *TunKernelDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns nil for kernel mode devices
+func (t *TunKernelDevice) GetICEBind() EndpointManager {
+	return nil
+}

client/iface/device/device_netstack.go

@@ -21,6 +21,7 @@ type Bind interface {
 	conn.Bind
 	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
 	ActivityRecorder() *bind.ActivityRecorder
+	EndpointManager
 }
 
 type TunNetstackDevice struct {
@@ -155,3 +156,8 @@ func (t *TunNetstackDevice) Device() *device.Device {
 func (t *TunNetstackDevice) GetNet() *netstack.Net {
 	return t.net
 }
+
+// GetICEBind returns the bind instance
+func (t *TunNetstackDevice) GetICEBind() EndpointManager {
+	return t.bind
+}

client/iface/device/device_usp_unix.go

@@ -146,3 +146,8 @@ func (t *USPDevice) assignAddr() error {
 func (t *USPDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *USPDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/device_windows.go

@@ -185,3 +185,8 @@ func (t *TunDevice) assignAddr() error {
 func (t *TunDevice) GetNet() *netstack.Net {
 	return nil
 }
+
+// GetICEBind returns the ICEBind instance
+func (t *TunDevice) GetICEBind() EndpointManager {
+	return t.iceBind
+}

client/iface/device/endpoint_manager.go

@@ -0,0 +1,13 @@
+package device
+
+import (
+	"net"
+	"net/netip"
+)
+
+// EndpointManager manages fake IP to connection mappings for userspace bind implementations.
+// Implemented by bind.ICEBind and bind.RelayBindJS.
+type EndpointManager interface {
+	SetEndpoint(fakeIP netip.Addr, conn net.Conn)
+	RemoveEndpoint(fakeIP netip.Addr)
+}

client/iface/device_android.go

@@ -21,4 +21,5 @@ type WGTunDevice interface {
 	FilteredDevice() *device.FilteredDevice
 	Device() *wgdevice.Device
 	GetNet() *netstack.Net
+	GetICEBind() device.EndpointManager
 }

client/iface/iface.go

@@ -80,6 +80,17 @@ func (w *WGIface) GetProxy() wgproxy.Proxy {
 	return w.wgProxyFactory.GetProxy()
 }
 
+// GetBind returns the EndpointManager userspace bind mode.
+func (w *WGIface) GetBind() device.EndpointManager {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	if w.tun == nil {
+		return nil
+	}
+	return w.tun.GetICEBind()
+}
+
 // IsUserspaceBind indicates whether this interfaces is userspace with bind.ICEBind
 func (w *WGIface) IsUserspaceBind() bool {
 	return w.userspaceBind

client/internal/acl/manager.go

@@ -29,11 +29,6 @@ type Manager interface {
 	ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRouteFeatureFlag bool)
 }
 
-type protoMatch struct {
-	ips      map[string]int
-	policyID []byte
-}
-
 // DefaultManager uses firewall manager to handle
 type DefaultManager struct {
 	firewall       firewall.Manager
@@ -86,21 +81,14 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 }
 
 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
-	rules, squashedProtocols := d.squashAcceptRules(networkMap)
+	rules := networkMap.FirewallRules
 
 	enableSSH := networkMap.PeerConfig != nil &&
 		networkMap.PeerConfig.SshConfig != nil &&
 		networkMap.PeerConfig.SshConfig.SshEnabled
-	if _, ok := squashedProtocols[mgmProto.RuleProtocol_ALL]; ok {
-		enableSSH = enableSSH && !ok
-	}
-	if _, ok := squashedProtocols[mgmProto.RuleProtocol_TCP]; ok {
-		enableSSH = enableSSH && !ok
-	}
 
-	// if TCP protocol rules not squashed and SSH enabled
-	// we add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP 22 port).
+	// If SSH enabled, add default firewall rule which accepts connection to any peer
+	// in the network by SSH (TCP port defined by ssh.DefaultSSHPort).
 	if enableSSH {
 		rules = append(rules, &mgmProto.FirewallRule{
 			PeerIP:    "0.0.0.0",
@@ -368,145 +356,6 @@ func (d *DefaultManager) getPeerRuleID(
 	return id.RuleID(hex.EncodeToString(md5.New().Sum([]byte(idStr))))
 }
 
-// squashAcceptRules does complex logic to convert many rules which allows connection by traffic type
-// to all peers in the network map to one rule which just accepts that type of the traffic.
-//
-// NOTE: It will not squash two rules for same protocol if one covers all peers in the network,
-// but other has port definitions or has drop policy.
-func (d *DefaultManager) squashAcceptRules(
-	networkMap *mgmProto.NetworkMap,
-) ([]*mgmProto.FirewallRule, map[mgmProto.RuleProtocol]struct{}) {
-	totalIPs := 0
-	for _, p := range append(networkMap.RemotePeers, networkMap.OfflinePeers...) {
-		for range p.AllowedIps {
-			totalIPs++
-		}
-	}
-
-	in := map[mgmProto.RuleProtocol]*protoMatch{}
-	out := map[mgmProto.RuleProtocol]*protoMatch{}
-
-	// trace which type of protocols was squashed
-	squashedRules := []*mgmProto.FirewallRule{}
-	squashedProtocols := map[mgmProto.RuleProtocol]struct{}{}
-
-	// this function we use to do calculation, can we squash the rules by protocol or not.
-	// We summ amount of Peers IP for given protocol we found in original rules list.
-	// But we zeroed the IP's for protocol if:
-	// 1. Any of the rule has DROP action type.
-	// 2. Any of rule contains Port.
-	//
-	// We zeroed this to notify squash function that this protocol can't be squashed.
-	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols map[mgmProto.RuleProtocol]*protoMatch) {
-		hasPortRestrictions := r.Action == mgmProto.RuleAction_DROP ||
-			r.Port != "" || !portInfoEmpty(r.PortInfo)
-
-		if hasPortRestrictions {
-			// Don't squash rules with port restrictions
-			protocols[r.Protocol] = &protoMatch{ips: map[string]int{}}
-			return
-		}
-
-		if _, ok := protocols[r.Protocol]; !ok {
-			protocols[r.Protocol] = &protoMatch{
-				ips: map[string]int{},
-				// store the first encountered PolicyID for this protocol
-				policyID: r.PolicyID,
-			}
-		}
-
-		// special case, when we receive this all network IP address
-		// it means that rules for that protocol was already optimized on the
-		// management side
-		if r.PeerIP == "0.0.0.0" {
-			squashedRules = append(squashedRules, r)
-			squashedProtocols[r.Protocol] = struct{}{}
-			return
-		}
-
-		ipset := protocols[r.Protocol].ips
-
-		if _, ok := ipset[r.PeerIP]; ok {
-			return
-		}
-		ipset[r.PeerIP] = i
-	}
-
-	for i, r := range networkMap.FirewallRules {
-		// calculate squash for different directions
-		if r.Direction == mgmProto.RuleDirection_IN {
-			addRuleToCalculationMap(i, r, in)
-		} else {
-			addRuleToCalculationMap(i, r, out)
-		}
-	}
-
-	// order of squashing by protocol is important
-	// only for their first element ALL, it must be done first
-	protocolOrders := []mgmProto.RuleProtocol{
-		mgmProto.RuleProtocol_ALL,
-		mgmProto.RuleProtocol_ICMP,
-		mgmProto.RuleProtocol_TCP,
-		mgmProto.RuleProtocol_UDP,
-	}
-
-	squash := func(matches map[mgmProto.RuleProtocol]*protoMatch, direction mgmProto.RuleDirection) {
-		for _, protocol := range protocolOrders {
-			match, ok := matches[protocol]
-			if !ok || len(match.ips) != totalIPs || len(match.ips) < 2 {
-				// don't squash if :
-				// 1. Rules not cover all peers in the network
-				// 2. Rules cover only one peer in the network.
-				continue
-			}
-
-			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
-			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: direction,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  protocol,
-				PolicyID:  match.policyID,
-			})
-			squashedProtocols[protocol] = struct{}{}
-
-			if protocol == mgmProto.RuleProtocol_ALL {
-				// if we have ALL traffic type squashed rule
-				// it allows all other type of traffic, so we can stop processing
-				break
-			}
-		}
-	}
-
-	squash(in, mgmProto.RuleDirection_IN)
-	squash(out, mgmProto.RuleDirection_OUT)
-
-	// if all protocol was squashed everything is allow and we can ignore all other rules
-	if _, ok := squashedProtocols[mgmProto.RuleProtocol_ALL]; ok {
-		return squashedRules, squashedProtocols
-	}
-
-	if len(squashedRules) == 0 {
-		return networkMap.FirewallRules, squashedProtocols
-	}
-
-	var rules []*mgmProto.FirewallRule
-	// filter out rules which was squashed from final list
-	// if we also have other not squashed rules.
-	for i, r := range networkMap.FirewallRules {
-		if _, ok := squashedProtocols[r.Protocol]; ok {
-			if m, ok := in[r.Protocol]; ok && m.ips[r.PeerIP] == i {
-				continue
-			} else if m, ok := out[r.Protocol]; ok && m.ips[r.PeerIP] == i {
-				continue
-			}
-		}
-		rules = append(rules, r)
-	}
-
-	return append(rules, squashedRules...), squashedProtocols
-}
-
 // getRuleGroupingSelector takes all rule properties except IP address to build selector
 func (d *DefaultManager) getRuleGroupingSelector(rule *mgmProto.FirewallRule) string {
 	return fmt.Sprintf("%v:%v:%v:%s:%v", strconv.Itoa(int(rule.Direction)), rule.Action, rule.Protocol, rule.Port, rule.PortInfo)

client/internal/acl/manager_test.go

@@ -188,492 +188,6 @@ func TestDefaultManagerStateless(t *testing.T) {
 	})
 }
 
-func TestDefaultManagerSquashRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-			{AllowedIps: []string{"10.93.0.4"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-		},
-	}
-
-	manager := &DefaultManager{}
-	rules, _ := manager.squashAcceptRules(networkMap)
-	assert.Equal(t, 2, len(rules))
-
-	r := rules[0]
-	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	assert.Equal(t, mgmProto.RuleDirection_IN, r.Direction)
-	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
-
-	r = rules[1]
-	assert.Equal(t, "0.0.0.0", r.PeerIP)
-	assert.Equal(t, mgmProto.RuleDirection_OUT, r.Direction)
-	assert.Equal(t, mgmProto.RuleProtocol_ALL, r.Protocol)
-	assert.Equal(t, mgmProto.RuleAction_ACCEPT, r.Action)
-}
-
-func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-			{AllowedIps: []string{"10.93.0.4"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.RuleDirection_IN,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.RuleDirection_OUT,
-				Action:    mgmProto.RuleAction_ACCEPT,
-				Protocol:  mgmProto.RuleProtocol_UDP,
-			},
-		},
-	}
-
-	manager := &DefaultManager{}
-	rules, _ := manager.squashAcceptRules(networkMap)
-	assert.Equal(t, len(networkMap.FirewallRules), len(rules))
-}
-
-func TestDefaultManagerSquashRulesWithPortRestrictions(t *testing.T) {
-	tests := []struct {
-		name          string
-		rules         []*mgmProto.FirewallRule
-		expectedCount int
-		description   string
-	}{
-		{
-			name: "should not squash rules with port ranges",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Range_{
-							Range: &mgmProto.PortInfo_Range{
-								Start: 8080,
-								End:   8090,
-							},
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with port ranges should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with specific ports",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with specific ports should not be squashed even if they cover all peers",
-		},
-		{
-			name: "should not squash rules with legacy port field",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with legacy port field should not be squashed",
-		},
-		{
-			name: "should not squash rules with DROP action",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_DROP,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "Rules with DROP action should not be squashed",
-		},
-		{
-			name: "should squash rules without port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 1,
-			description:   "Rules without port restrictions should be squashed into a single 0.0.0.0 rule",
-		},
-		{
-			name: "mixed rules should not squash protocol with port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					PortInfo: &mgmProto.PortInfo{
-						PortSelection: &mgmProto.PortInfo_Port{
-							Port: 80,
-						},
-					},
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-				},
-			},
-			expectedCount: 4,
-			description:   "TCP should not be squashed because one rule has port restrictions",
-		},
-		{
-			name: "should squash UDP but not TCP when TCP has port restrictions",
-			rules: []*mgmProto.FirewallRule{
-				// TCP rules with port restrictions - should NOT be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_TCP,
-					Port:      "443",
-				},
-				// UDP rules without port restrictions - SHOULD be squashed
-				{
-					PeerIP:    "10.93.0.1",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.2",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.3",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-				{
-					PeerIP:    "10.93.0.4",
-					Direction: mgmProto.RuleDirection_IN,
-					Action:    mgmProto.RuleAction_ACCEPT,
-					Protocol:  mgmProto.RuleProtocol_UDP,
-				},
-			},
-			expectedCount: 5, // 4 TCP rules + 1 squashed UDP rule (0.0.0.0)
-			description:   "UDP should be squashed to 0.0.0.0 rule, but TCP should remain as individual rules due to port restrictions",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			networkMap := &mgmProto.NetworkMap{
-				RemotePeers: []*mgmProto.RemotePeerConfig{
-					{AllowedIps: []string{"10.93.0.1"}},
-					{AllowedIps: []string{"10.93.0.2"}},
-					{AllowedIps: []string{"10.93.0.3"}},
-					{AllowedIps: []string{"10.93.0.4"}},
-				},
-				FirewallRules: tt.rules,
-			}
-
-			manager := &DefaultManager{}
-			rules, _ := manager.squashAcceptRules(networkMap)
-
-			assert.Equal(t, tt.expectedCount, len(rules), tt.description)
-
-			// For squashed rules, verify we get the expected 0.0.0.0 rule
-			if tt.expectedCount == 1 {
-				assert.Equal(t, "0.0.0.0", rules[0].PeerIP)
-				assert.Equal(t, mgmProto.RuleDirection_IN, rules[0].Direction)
-				assert.Equal(t, mgmProto.RuleAction_ACCEPT, rules[0].Action)
-			}
-		})
-	}
-}
-
 func TestPortInfoEmpty(t *testing.T) {
 	tests := []struct {
 		name     string

client/internal/debug/wgshow.go

@@ -14,6 +14,9 @@ type WGIface interface {
 }
 
 func (g *BundleGenerator) addWgShow() error {
+	if g.statusRecorder == nil {
+		return fmt.Errorf("no status recorder available for wg show")
+	}
 	result, err := g.statusRecorder.PeersStatus()
 	if err != nil {
 		return err

client/internal/dns/host_windows.go

@@ -17,6 +17,7 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
+	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
 
 var (
@@ -197,6 +198,10 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}
 
+	if err := r.removeDNSMatchPolicies(); err != nil {
+		log.Errorf("cleanup old dns match policies: %s", err)
+	}
+
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
 		if err != nil {
@@ -204,9 +209,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		}
 		r.nrptEntryCount = count
 	} else {
-		if err := r.removeDNSMatchPolicies(); err != nil {
-			return fmt.Errorf("remove dns match policies: %w", err)
-		}
 		r.nrptEntryCount = 0
 	}
 
@@ -273,9 +275,9 @@ func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []s
 		return fmt.Errorf("remove existing dns policy: %w", err)
 	}
 
-	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
+	regKey, _, err := winregistry.CreateVolatileKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
 	if err != nil {
-		return fmt.Errorf("create registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
+		return fmt.Errorf("create volatile registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
 	}
 	defer closer(regKey)
 

client/internal/dns/host_windows_test.go

@@ -0,0 +1,102 @@
+package dns
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/sys/windows/registry"
+)
+
+// TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
+// when the number of match domains decreases between configuration changes.
+func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping registry integration test in short mode")
+	}
+
+	defer cleanupRegistryKeys(t)
+	cleanupRegistryKeys(t)
+
+	testIP := netip.MustParseAddr("100.64.0.1")
+
+	// Create a test interface registry key so updateSearchDomains doesn't fail
+	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
+	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
+	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
+	require.NoError(t, err, "Should create test interface registry key")
+	testKey.Close()
+	defer func() {
+		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
+	}()
+
+	cfg := &registryConfigurator{
+		guid: testGUID,
+		gpo:  false,
+	}
+
+	config5 := HostDNSConfig{
+		ServerIP: testIP,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+			{Domain: "domain3.com", MatchOnly: true},
+			{Domain: "domain4.com", MatchOnly: true},
+			{Domain: "domain5.com", MatchOnly: true},
+		},
+	}
+
+	err = cfg.applyDNSConfig(config5, nil)
+	require.NoError(t, err)
+
+	// Verify all 5 entries exist
+	for i := 0; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.True(t, exists, "Entry %d should exist after first config", i)
+	}
+
+	config2 := HostDNSConfig{
+		ServerIP: testIP,
+		Domains: []DomainConfig{
+			{Domain: "domain1.com", MatchOnly: true},
+			{Domain: "domain2.com", MatchOnly: true},
+		},
+	}
+
+	err = cfg.applyDNSConfig(config2, nil)
+	require.NoError(t, err)
+
+	// Verify first 2 entries exist
+	for i := 0; i < 2; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.True(t, exists, "Entry %d should exist after second config", i)
+	}
+
+	// Verify entries 2-4 are cleaned up
+	for i := 2; i < 5; i++ {
+		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
+		require.NoError(t, err)
+		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
+	}
+}
+
+func registryKeyExists(path string) (bool, error) {
+	k, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.QUERY_VALUE)
+	if err != nil {
+		if err == registry.ErrNotExist {
+			return false, nil
+		}
+		return false, err
+	}
+	k.Close()
+	return true, nil
+}
+
+func cleanupRegistryKeys(*testing.T) {
+	cfg := &registryConfigurator{nrptEntryCount: 10}
+	_ = cfg.removeDNSMatchPolicies()
+}

client/internal/lazyconn/activity/lazy_conn.go

@@ -0,0 +1,82 @@
+package activity
+
+import (
+	"context"
+	"io"
+	"net"
+	"time"
+)
+
+// lazyConn detects activity when WireGuard attempts to send packets.
+// It does not deliver packets, only signals that activity occurred.
+type lazyConn struct {
+	activityCh chan struct{}
+	ctx        context.Context
+	cancel     context.CancelFunc
+}
+
+// newLazyConn creates a new lazyConn for activity detection.
+func newLazyConn() *lazyConn {
+	ctx, cancel := context.WithCancel(context.Background())
+	return &lazyConn{
+		activityCh: make(chan struct{}, 1),
+		ctx:        ctx,
+		cancel:     cancel,
+	}
+}
+
+// Read blocks until the connection is closed.
+func (c *lazyConn) Read(_ []byte) (n int, err error) {
+	<-c.ctx.Done()
+	return 0, io.EOF
+}
+
+// Write signals activity detection when ICEBind routes packets to this endpoint.
+func (c *lazyConn) Write(b []byte) (n int, err error) {
+	if c.ctx.Err() != nil {
+		return 0, io.EOF
+	}
+
+	select {
+	case c.activityCh <- struct{}{}:
+	default:
+	}
+
+	return len(b), nil
+}
+
+// ActivityChan returns the channel that signals when activity is detected.
+func (c *lazyConn) ActivityChan() <-chan struct{} {
+	return c.activityCh
+}
+
+// Close closes the connection.
+func (c *lazyConn) Close() error {
+	c.cancel()
+	return nil
+}
+
+// LocalAddr returns the local address.
+func (c *lazyConn) LocalAddr() net.Addr {
+	return &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: lazyBindPort}
+}
+
+// RemoteAddr returns the remote address.
+func (c *lazyConn) RemoteAddr() net.Addr {
+	return &net.UDPAddr{IP: net.IP{127, 0, 0, 1}, Port: lazyBindPort}
+}
+
+// SetDeadline sets the read and write deadlines.
+func (c *lazyConn) SetDeadline(_ time.Time) error {
+	return nil
+}
+
+// SetReadDeadline sets the deadline for future Read calls.
+func (c *lazyConn) SetReadDeadline(_ time.Time) error {
+	return nil
+}
+
+// SetWriteDeadline sets the deadline for future Write calls.
+func (c *lazyConn) SetWriteDeadline(_ time.Time) error {
+	return nil
+}

client/internal/lazyconn/activity/listener_bind.go

@@ -0,0 +1,127 @@
+package activity
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+type bindProvider interface {
+	GetBind() device.EndpointManager
+}
+
+const (
+	// lazyBindPort is an obscure port used for lazy peer endpoints to avoid confusion with real peers.
+	// The actual routing is done via fakeIP in ICEBind, not by this port.
+	lazyBindPort = 17473
+)
+
+// BindListener uses lazyConn with bind implementations for direct data passing in userspace bind mode.
+type BindListener struct {
+	wgIface WgInterface
+	peerCfg lazyconn.PeerConfig
+	done    sync.WaitGroup
+
+	lazyConn *lazyConn
+	bind     device.EndpointManager
+	fakeIP   netip.Addr
+}
+
+// NewBindListener creates a listener that passes data directly through bind using LazyConn.
+// It automatically derives a unique fake IP from the peer's NetBird IP in the 127.2.x.x range.
+func NewBindListener(wgIface WgInterface, bind device.EndpointManager, cfg lazyconn.PeerConfig) (*BindListener, error) {
+	fakeIP, err := deriveFakeIP(wgIface, cfg.AllowedIPs)
+	if err != nil {
+		return nil, fmt.Errorf("derive fake IP: %w", err)
+	}
+
+	d := &BindListener{
+		wgIface: wgIface,
+		peerCfg: cfg,
+		bind:    bind,
+		fakeIP:  fakeIP,
+	}
+
+	if err := d.setupLazyConn(); err != nil {
+		return nil, fmt.Errorf("setup lazy connection: %v", err)
+	}
+
+	d.done.Add(1)
+	return d, nil
+}
+
+// deriveFakeIP creates a deterministic fake IP for bind mode based on peer's NetBird IP.
+// Maps peer IP 100.64.x.y to fake IP 127.2.x.y (similar to relay proxy using 127.1.x.y).
+// It finds the peer's actual NetBird IP by checking which allowedIP is in the same subnet as our WG interface.
+func deriveFakeIP(wgIface WgInterface, allowedIPs []netip.Prefix) (netip.Addr, error) {
+	if len(allowedIPs) == 0 {
+		return netip.Addr{}, fmt.Errorf("no allowed IPs for peer")
+	}
+
+	ourNetwork := wgIface.Address().Network
+
+	var peerIP netip.Addr
+	for _, allowedIP := range allowedIPs {
+		ip := allowedIP.Addr()
+		if !ip.Is4() {
+			continue
+		}
+		if ourNetwork.Contains(ip) {
+			peerIP = ip
+			break
+		}
+	}
+
+	if !peerIP.IsValid() {
+		return netip.Addr{}, fmt.Errorf("no peer NetBird IP found in allowed IPs")
+	}
+
+	octets := peerIP.As4()
+	fakeIP := netip.AddrFrom4([4]byte{127, 2, octets[2], octets[3]})
+	return fakeIP, nil
+}
+
+func (d *BindListener) setupLazyConn() error {
+	d.lazyConn = newLazyConn()
+	d.bind.SetEndpoint(d.fakeIP, d.lazyConn)
+
+	endpoint := &net.UDPAddr{
+		IP:   d.fakeIP.AsSlice(),
+		Port: lazyBindPort,
+	}
+	return d.wgIface.UpdatePeer(d.peerCfg.PublicKey, d.peerCfg.AllowedIPs, 0, endpoint, nil)
+}
+
+// ReadPackets blocks until activity is detected on the LazyConn or the listener is closed.
+func (d *BindListener) ReadPackets() {
+	select {
+	case <-d.lazyConn.ActivityChan():
+		d.peerCfg.Log.Infof("activity detected via LazyConn")
+	case <-d.lazyConn.ctx.Done():
+		d.peerCfg.Log.Infof("exit from activity listener")
+	}
+
+	d.peerCfg.Log.Debugf("removing lazy endpoint for peer %s", d.peerCfg.PublicKey)
+	if err := d.wgIface.RemovePeer(d.peerCfg.PublicKey); err != nil {
+		d.peerCfg.Log.Errorf("failed to remove endpoint: %s", err)
+	}
+
+	_ = d.lazyConn.Close()
+	d.bind.RemoveEndpoint(d.fakeIP)
+	d.done.Done()
+}
+
+// Close stops the listener and cleans up resources.
+func (d *BindListener) Close() {
+	d.peerCfg.Log.Infof("closing activity listener (LazyConn)")
+
+	if err := d.lazyConn.Close(); err != nil {
+		d.peerCfg.Log.Errorf("failed to close LazyConn: %s", err)
+	}
+
+	d.done.Wait()
+}

client/internal/lazyconn/activity/listener_bind_test.go

@@ -0,0 +1,291 @@
+package activity
+
+import (
+	"net"
+	"net/netip"
+	"runtime"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	"github.com/netbirdio/netbird/client/iface/device"
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
+)
+
+func isBindListenerPlatform() bool {
+	return runtime.GOOS == "windows" || runtime.GOOS == "js"
+}
+
+// mockEndpointManager implements device.EndpointManager for testing
+type mockEndpointManager struct {
+	endpoints map[netip.Addr]net.Conn
+}
+
+func newMockEndpointManager() *mockEndpointManager {
+	return &mockEndpointManager{
+		endpoints: make(map[netip.Addr]net.Conn),
+	}
+}
+
+func (m *mockEndpointManager) SetEndpoint(fakeIP netip.Addr, conn net.Conn) {
+	m.endpoints[fakeIP] = conn
+}
+
+func (m *mockEndpointManager) RemoveEndpoint(fakeIP netip.Addr) {
+	delete(m.endpoints, fakeIP)
+}
+
+func (m *mockEndpointManager) GetEndpoint(fakeIP netip.Addr) net.Conn {
+	return m.endpoints[fakeIP]
+}
+
+// MockWGIfaceBind mocks WgInterface with bind support
+type MockWGIfaceBind struct {
+	endpointMgr *mockEndpointManager
+}
+
+func (m *MockWGIfaceBind) RemovePeer(string) error {
+	return nil
+}
+
+func (m *MockWGIfaceBind) UpdatePeer(string, []netip.Prefix, time.Duration, *net.UDPAddr, *wgtypes.Key) error {
+	return nil
+}
+
+func (m *MockWGIfaceBind) IsUserspaceBind() bool {
+	return true
+}
+
+func (m *MockWGIfaceBind) Address() wgaddr.Address {
+	return wgaddr.Address{
+		IP:      netip.MustParseAddr("100.64.0.1"),
+		Network: netip.MustParsePrefix("100.64.0.0/16"),
+	}
+}
+
+func (m *MockWGIfaceBind) GetBind() device.EndpointManager {
+	return m.endpointMgr
+}
+
+func TestBindListener_Creation(t *testing.T) {
+	mockEndpointMgr := newMockEndpointManager()
+	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	listener, err := NewBindListener(mockIface, mockEndpointMgr, cfg)
+	require.NoError(t, err)
+
+	expectedFakeIP := netip.MustParseAddr("127.2.0.2")
+	conn := mockEndpointMgr.GetEndpoint(expectedFakeIP)
+	require.NotNil(t, conn, "Endpoint should be registered in mock endpoint manager")
+
+	_, ok := conn.(*lazyConn)
+	assert.True(t, ok, "Registered endpoint should be a lazyConn")
+
+	readPacketsDone := make(chan struct{})
+	go func() {
+		listener.ReadPackets()
+		close(readPacketsDone)
+	}()
+
+	listener.Close()
+
+	select {
+	case <-readPacketsDone:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for ReadPackets to exit after Close")
+	}
+}
+
+func TestBindListener_ActivityDetection(t *testing.T) {
+	mockEndpointMgr := newMockEndpointManager()
+	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	listener, err := NewBindListener(mockIface, mockEndpointMgr, cfg)
+	require.NoError(t, err)
+
+	activityDetected := make(chan struct{})
+	go func() {
+		listener.ReadPackets()
+		close(activityDetected)
+	}()
+
+	fakeIP := listener.fakeIP
+	conn := mockEndpointMgr.GetEndpoint(fakeIP)
+	require.NotNil(t, conn, "Endpoint should be registered")
+
+	_, err = conn.Write([]byte{0x01, 0x02, 0x03})
+	require.NoError(t, err)
+
+	select {
+	case <-activityDetected:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for activity detection")
+	}
+
+	assert.Nil(t, mockEndpointMgr.GetEndpoint(fakeIP), "Endpoint should be removed after activity detection")
+}
+
+func TestBindListener_Close(t *testing.T) {
+	mockEndpointMgr := newMockEndpointManager()
+	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	listener, err := NewBindListener(mockIface, mockEndpointMgr, cfg)
+	require.NoError(t, err)
+
+	readPacketsDone := make(chan struct{})
+	go func() {
+		listener.ReadPackets()
+		close(readPacketsDone)
+	}()
+
+	fakeIP := listener.fakeIP
+	listener.Close()
+
+	select {
+	case <-readPacketsDone:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for ReadPackets to exit after Close")
+	}
+
+	assert.Nil(t, mockEndpointMgr.GetEndpoint(fakeIP), "Endpoint should be removed after Close")
+}
+
+func TestManager_BindMode(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
+	mockEndpointMgr := newMockEndpointManager()
+	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	mgr := NewManager(mockIface)
+	defer mgr.Close()
+
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	err := mgr.MonitorPeerActivity(cfg)
+	require.NoError(t, err)
+
+	listener, exists := mgr.GetPeerListener(cfg.PeerConnID)
+	require.True(t, exists, "Peer listener should be found")
+
+	bindListener, ok := listener.(*BindListener)
+	require.True(t, ok, "Listener should be BindListener, got %T", listener)
+
+	fakeIP := bindListener.fakeIP
+	conn := mockEndpointMgr.GetEndpoint(fakeIP)
+	require.NotNil(t, conn, "Endpoint should be registered")
+
+	_, err = conn.Write([]byte{0x01, 0x02, 0x03})
+	require.NoError(t, err)
+
+	select {
+	case peerConnID := <-mgr.OnActivityChan:
+		assert.Equal(t, cfg.PeerConnID, peerConnID, "Received peer connection ID should match")
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for activity notification")
+	}
+
+	assert.Nil(t, mockEndpointMgr.GetEndpoint(fakeIP), "Endpoint should be removed after activity")
+}
+
+func TestManager_BindMode_MultiplePeers(t *testing.T) {
+	if !isBindListenerPlatform() {
+		t.Skip("BindListener only used on Windows/JS platforms")
+	}
+
+	mockEndpointMgr := newMockEndpointManager()
+	mockIface := &MockWGIfaceBind{endpointMgr: mockEndpointMgr}
+
+	peer1 := &MocPeer{PeerID: "testPeer1"}
+	peer2 := &MocPeer{PeerID: "testPeer2"}
+	mgr := NewManager(mockIface)
+	defer mgr.Close()
+
+	cfg1 := lazyconn.PeerConfig{
+		PublicKey:  peer1.PeerID,
+		PeerConnID: peer1.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	cfg2 := lazyconn.PeerConfig{
+		PublicKey:  peer2.PeerID,
+		PeerConnID: peer2.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.3/32")},
+		Log:        log.WithField("peer", "testPeer2"),
+	}
+
+	err := mgr.MonitorPeerActivity(cfg1)
+	require.NoError(t, err)
+
+	err = mgr.MonitorPeerActivity(cfg2)
+	require.NoError(t, err)
+
+	listener1, exists := mgr.GetPeerListener(cfg1.PeerConnID)
+	require.True(t, exists, "Peer1 listener should be found")
+	bindListener1 := listener1.(*BindListener)
+
+	listener2, exists := mgr.GetPeerListener(cfg2.PeerConnID)
+	require.True(t, exists, "Peer2 listener should be found")
+	bindListener2 := listener2.(*BindListener)
+
+	conn1 := mockEndpointMgr.GetEndpoint(bindListener1.fakeIP)
+	require.NotNil(t, conn1, "Peer1 endpoint should be registered")
+	_, err = conn1.Write([]byte{0x01})
+	require.NoError(t, err)
+
+	conn2 := mockEndpointMgr.GetEndpoint(bindListener2.fakeIP)
+	require.NotNil(t, conn2, "Peer2 endpoint should be registered")
+	_, err = conn2.Write([]byte{0x02})
+	require.NoError(t, err)
+
+	receivedPeers := make(map[peerid.ConnID]bool)
+	for i := 0; i < 2; i++ {
+		select {
+		case peerConnID := <-mgr.OnActivityChan:
+			receivedPeers[peerConnID] = true
+		case <-time.After(2 * time.Second):
+			t.Fatal("timeout waiting for activity notifications")
+		}
+	}
+
+	assert.True(t, receivedPeers[cfg1.PeerConnID], "Peer1 activity should be received")
+	assert.True(t, receivedPeers[cfg2.PeerConnID], "Peer2 activity should be received")
+}

client/internal/lazyconn/activity/listener_test.go

@@ -1,41 +0,0 @@
-package activity
-
-import (
-	"testing"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/lazyconn"
-)
-
-func TestNewListener(t *testing.T) {
-	peer := &MocPeer{
-		PeerID: "examplePublicKey1",
-	}
-
-	cfg := lazyconn.PeerConfig{
-		PublicKey:  peer.PeerID,
-		PeerConnID: peer.ConnID(),
-		Log:        log.WithField("peer", "examplePublicKey1"),
-	}
-
-	l, err := NewListener(MocWGIface{}, cfg)
-	if err != nil {
-		t.Fatalf("failed to create listener: %v", err)
-	}
-
-	chanClosed := make(chan struct{})
-	go func() {
-		defer close(chanClosed)
-		l.ReadPackets()
-	}()
-
-	time.Sleep(1 * time.Second)
-	l.Close()
-
-	select {
-	case <-chanClosed:
-	case <-time.After(time.Second):
-	}
-}

client/internal/lazyconn/activity/listener_udp.go

@@ -11,26 +11,27 @@ import (
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 )
 
-// Listener it is not a thread safe implementation, do not call Close before ReadPackets. It will cause blocking
-type Listener struct {
+// UDPListener uses UDP sockets for activity detection in kernel mode.
+type UDPListener struct {
 	wgIface  WgInterface
 	peerCfg  lazyconn.PeerConfig
 	conn     *net.UDPConn
 	endpoint *net.UDPAddr
 	done     sync.Mutex
 
-	isClosed atomic.Bool // use to avoid error log when closing the listener
+	isClosed atomic.Bool
 }
 
-func NewListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (*Listener, error) {
-	d := &Listener{
+// NewUDPListener creates a listener that detects activity via UDP socket reads.
+func NewUDPListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (*UDPListener, error) {
+	d := &UDPListener{
 		wgIface: wgIface,
 		peerCfg: cfg,
 	}
 
 	conn, err := d.newConn()
 	if err != nil {
-		return nil, fmt.Errorf("failed to creating activity listener: %v", err)
+		return nil, fmt.Errorf("create UDP connection: %v", err)
 	}
 	d.conn = conn
 	d.endpoint = conn.LocalAddr().(*net.UDPAddr)
@@ -38,12 +39,14 @@ func NewListener(wgIface WgInterface, cfg lazyconn.PeerConfig) (*Listener, error
 	if err := d.createEndpoint(); err != nil {
 		return nil, err
 	}
+
 	d.done.Lock()
-	cfg.Log.Infof("created activity listener: %s", conn.LocalAddr().(*net.UDPAddr).String())
+	cfg.Log.Infof("created activity listener: %s", d.conn.LocalAddr().(*net.UDPAddr).String())
 	return d, nil
 }
 
-func (d *Listener) ReadPackets() {
+// ReadPackets blocks reading from the UDP socket until activity is detected or the listener is closed.
+func (d *UDPListener) ReadPackets() {
 	for {
 		n, remoteAddr, err := d.conn.ReadFromUDP(make([]byte, 1))
 		if err != nil {
@@ -64,15 +67,17 @@ func (d *Listener) ReadPackets() {
 	}
 
 	d.peerCfg.Log.Debugf("removing lazy endpoint: %s", d.endpoint.String())
-	if err := d.removeEndpoint(); err != nil {
+	if err := d.wgIface.RemovePeer(d.peerCfg.PublicKey); err != nil {
 		d.peerCfg.Log.Errorf("failed to remove endpoint: %s", err)
 	}
 
-	_ = d.conn.Close() // do not care err because some cases it will return "use of closed network connection"
+	// Ignore close error as it may return "use of closed network connection" if already closed.
+	_ = d.conn.Close()
 	d.done.Unlock()
 }
 
-func (d *Listener) Close() {
+// Close stops the listener and cleans up resources.
+func (d *UDPListener) Close() {
 	d.peerCfg.Log.Infof("closing activity listener: %s", d.conn.LocalAddr().String())
 	d.isClosed.Store(true)
 
@@ -82,16 +87,12 @@ func (d *Listener) Close() {
 	d.done.Lock()
 }
 
-func (d *Listener) removeEndpoint() error {
-	return d.wgIface.RemovePeer(d.peerCfg.PublicKey)
-}
-
-func (d *Listener) createEndpoint() error {
+func (d *UDPListener) createEndpoint() error {
 	d.peerCfg.Log.Debugf("creating lazy endpoint: %s", d.endpoint.String())
 	return d.wgIface.UpdatePeer(d.peerCfg.PublicKey, d.peerCfg.AllowedIPs, 0, d.endpoint, nil)
 }
 
-func (d *Listener) newConn() (*net.UDPConn, error) {
+func (d *UDPListener) newConn() (*net.UDPConn, error) {
 	addr := &net.UDPAddr{
 		Port: 0,
 		IP:   listenIP,

client/internal/lazyconn/activity/listener_udp_test.go

@@ -0,0 +1,110 @@
+package activity
+
+import (
+	"net"
+	"net/netip"
+	"testing"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/internal/lazyconn"
+)
+
+func TestUDPListener_Creation(t *testing.T) {
+	mockIface := &MocWGIface{}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	listener, err := NewUDPListener(mockIface, cfg)
+	require.NoError(t, err)
+	require.NotNil(t, listener.conn)
+	require.NotNil(t, listener.endpoint)
+
+	readPacketsDone := make(chan struct{})
+	go func() {
+		listener.ReadPackets()
+		close(readPacketsDone)
+	}()
+
+	listener.Close()
+
+	select {
+	case <-readPacketsDone:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for ReadPackets to exit after Close")
+	}
+}
+
+func TestUDPListener_ActivityDetection(t *testing.T) {
+	mockIface := &MocWGIface{}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	listener, err := NewUDPListener(mockIface, cfg)
+	require.NoError(t, err)
+
+	activityDetected := make(chan struct{})
+	go func() {
+		listener.ReadPackets()
+		close(activityDetected)
+	}()
+
+	conn, err := net.Dial("udp", listener.conn.LocalAddr().String())
+	require.NoError(t, err)
+	defer conn.Close()
+
+	_, err = conn.Write([]byte{0x01, 0x02, 0x03})
+	require.NoError(t, err)
+
+	select {
+	case <-activityDetected:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for activity detection")
+	}
+}
+
+func TestUDPListener_Close(t *testing.T) {
+	mockIface := &MocWGIface{}
+
+	peer := &MocPeer{PeerID: "testPeer1"}
+	cfg := lazyconn.PeerConfig{
+		PublicKey:  peer.PeerID,
+		PeerConnID: peer.ConnID(),
+		AllowedIPs: []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
+		Log:        log.WithField("peer", "testPeer1"),
+	}
+
+	listener, err := NewUDPListener(mockIface, cfg)
+	require.NoError(t, err)
+
+	readPacketsDone := make(chan struct{})
+	go func() {
+		listener.ReadPackets()
+		close(readPacketsDone)
+	}()
+
+	listener.Close()
+
+	select {
+	case <-readPacketsDone:
+	case <-time.After(2 * time.Second):
+		t.Fatal("timeout waiting for ReadPackets to exit after Close")
+	}
+
+	assert.True(t, listener.isClosed.Load(), "Listener should be marked as closed")
+}

client/internal/lazyconn/activity/manager.go

@@ -1,21 +1,32 @@
 package activity
 
 import (
+	"errors"
 	"net"
 	"net/netip"
+	"runtime"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
 
+// listener defines the contract for activity detection listeners.
+type listener interface {
+	ReadPackets()
+	Close()
+}
+
 type WgInterface interface {
 	RemovePeer(peerKey string) error
 	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
+	IsUserspaceBind() bool
+	Address() wgaddr.Address
 }
 
 type Manager struct {
@@ -23,7 +34,7 @@ type Manager struct {
 
 	wgIface WgInterface
 
-	peers map[peerid.ConnID]*Listener
+	peers map[peerid.ConnID]listener
 	done  chan struct{}
 
 	mu sync.Mutex
@@ -33,7 +44,7 @@ func NewManager(wgIface WgInterface) *Manager {
 	m := &Manager{
 		OnActivityChan: make(chan peerid.ConnID, 1),
 		wgIface:        wgIface,
-		peers:          make(map[peerid.ConnID]*Listener),
+		peers:          make(map[peerid.ConnID]listener),
 		done:           make(chan struct{}),
 	}
 	return m
@@ -48,16 +59,38 @@ func (m *Manager) MonitorPeerActivity(peerCfg lazyconn.PeerConfig) error {
 		return nil
 	}
 
-	listener, err := NewListener(m.wgIface, peerCfg)
+	listener, err := m.createListener(peerCfg)
 	if err != nil {
 		return err
 	}
-	m.peers[peerCfg.PeerConnID] = listener
 
+	m.peers[peerCfg.PeerConnID] = listener
 	go m.waitForTraffic(listener, peerCfg.PeerConnID)
 	return nil
 }
 
+func (m *Manager) createListener(peerCfg lazyconn.PeerConfig) (listener, error) {
+	if !m.wgIface.IsUserspaceBind() {
+		return NewUDPListener(m.wgIface, peerCfg)
+	}
+
+	// BindListener is only used on Windows and JS platforms:
+	// - JS: Cannot listen to UDP sockets
+	// - Windows: IP_UNICAST_IF socket option forces packets out the interface the default
+	//   gateway points to, preventing them from reaching the loopback interface.
+	//   BindListener bypasses this by passing data directly through the bind.
+	if runtime.GOOS != "windows" && runtime.GOOS != "js" {
+		return NewUDPListener(m.wgIface, peerCfg)
+	}
+
+	provider, ok := m.wgIface.(bindProvider)
+	if !ok {
+		return nil, errors.New("interface claims userspace bind but doesn't implement bindProvider")
+	}
+
+	return NewBindListener(m.wgIface, provider.GetBind(), peerCfg)
+}
+
 func (m *Manager) RemovePeer(log *log.Entry, peerConnID peerid.ConnID) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
@@ -82,8 +115,8 @@ func (m *Manager) Close() {
 	}
 }
 
-func (m *Manager) waitForTraffic(listener *Listener, peerConnID peerid.ConnID) {
-	listener.ReadPackets()
+func (m *Manager) waitForTraffic(l listener, peerConnID peerid.ConnID) {
+	l.ReadPackets()
 
 	m.mu.Lock()
 	if _, ok := m.peers[peerConnID]; !ok {

client/internal/lazyconn/activity/manager_test.go

@@ -9,6 +9,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/lazyconn"
 	peerid "github.com/netbirdio/netbird/client/internal/peer/id"
 )
@@ -30,16 +31,26 @@ func (m MocWGIface) RemovePeer(string) error {
 
 func (m MocWGIface) UpdatePeer(string, []netip.Prefix, time.Duration, *net.UDPAddr, *wgtypes.Key) error {
 	return nil
-
 }
 
-// Add this method to the Manager struct
-func (m *Manager) GetPeerListener(peerConnID peerid.ConnID) (*Listener, bool) {
+func (m MocWGIface) IsUserspaceBind() bool {
+	return false
+}
+
+func (m MocWGIface) Address() wgaddr.Address {
+	return wgaddr.Address{
+		IP:      netip.MustParseAddr("100.64.0.1"),
+		Network: netip.MustParsePrefix("100.64.0.0/16"),
+	}
+}
+
+// GetPeerListener is a test helper to access listeners
+func (m *Manager) GetPeerListener(peerConnID peerid.ConnID) (listener, bool) {
 	m.mu.Lock()
 	defer m.mu.Unlock()
 
-	listener, exists := m.peers[peerConnID]
-	return listener, exists
+	l, exists := m.peers[peerConnID]
+	return l, exists
 }
 
 func TestManager_MonitorPeerActivity(t *testing.T) {
@@ -65,7 +76,12 @@ func TestManager_MonitorPeerActivity(t *testing.T) {
 		t.Fatalf("peer listener not found")
 	}
 
-	if err := trigger(listener.conn.LocalAddr().String()); err != nil {
+	// Get the UDP listener's address for triggering
+	udpListener, ok := listener.(*UDPListener)
+	if !ok {
+		t.Fatalf("expected UDPListener")
+	}
+	if err := trigger(udpListener.conn.LocalAddr().String()); err != nil {
 		t.Fatalf("failed to trigger activity: %v", err)
 	}
 
@@ -97,7 +113,9 @@ func TestManager_RemovePeerActivity(t *testing.T) {
 		t.Fatalf("failed to monitor peer activity: %v", err)
 	}
 
-	addr := mgr.peers[peerCfg1.PeerConnID].conn.LocalAddr().String()
+	listener, _ := mgr.GetPeerListener(peerCfg1.PeerConnID)
+	udpListener, _ := listener.(*UDPListener)
+	addr := udpListener.conn.LocalAddr().String()
 
 	mgr.RemovePeer(peerCfg1.Log, peerCfg1.PeerConnID)
 
@@ -147,7 +165,8 @@ func TestManager_MultiPeerActivity(t *testing.T) {
 		t.Fatalf("peer listener for peer1 not found")
 	}
 
-	if err := trigger(listener.conn.LocalAddr().String()); err != nil {
+	udpListener1, _ := listener.(*UDPListener)
+	if err := trigger(udpListener1.conn.LocalAddr().String()); err != nil {
 		t.Fatalf("failed to trigger activity: %v", err)
 	}
 
@@ -156,7 +175,8 @@ func TestManager_MultiPeerActivity(t *testing.T) {
 		t.Fatalf("peer listener for peer2 not found")
 	}
 
-	if err := trigger(listener.conn.LocalAddr().String()); err != nil {
+	udpListener2, _ := listener.(*UDPListener)
+	if err := trigger(udpListener2.conn.LocalAddr().String()); err != nil {
 		t.Fatalf("failed to trigger activity: %v", err)
 	}
 

client/internal/lazyconn/wgiface.go

@@ -7,6 +7,7 @@ import (
 
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
+	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/monotime"
 )
 
@@ -14,5 +15,6 @@ type WGIface interface {
 	RemovePeer(peerKey string) error
 	UpdatePeer(peerKey string, allowedIps []netip.Prefix, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error
 	IsUserspaceBind() bool
+	Address() wgaddr.Address
 	LastActivities() map[string]monotime.Time
 }

client/internal/profilemanager/config.go

@@ -195,6 +195,7 @@ func createNewConfig(input ConfigInput) (*Config, error) {
 	config := &Config{
 		// defaults to false only for new (post 0.26) configurations
 		ServerSSHAllowed: util.False(),
+		WgPort:           iface.DefaultWgPort,
 	}
 
 	if _, err := config.apply(input); err != nil {

client/internal/profilemanager/config_test.go

@@ -5,11 +5,14 @@ import (
 	"errors"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/netbirdio/netbird/client/iface"
+	"github.com/netbirdio/netbird/client/internal/routemanager/dynamic"
 	"github.com/netbirdio/netbird/util"
 )
 
@@ -141,6 +144,95 @@ func TestHiddenPreSharedKey(t *testing.T) {
 	}
 }
 
+func TestNewProfileDefaults(t *testing.T) {
+	tempDir := t.TempDir()
+	configPath := filepath.Join(tempDir, "config.json")
+
+	config, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath: configPath,
+	})
+	require.NoError(t, err, "should create new config")
+
+	assert.Equal(t, DefaultManagementURL, config.ManagementURL.String(), "ManagementURL should have default")
+	assert.Equal(t, DefaultAdminURL, config.AdminURL.String(), "AdminURL should have default")
+	assert.NotEmpty(t, config.PrivateKey, "PrivateKey should be generated")
+	assert.NotEmpty(t, config.SSHKey, "SSHKey should be generated")
+	assert.Equal(t, iface.WgInterfaceDefault, config.WgIface, "WgIface should have default")
+	assert.Equal(t, iface.DefaultWgPort, config.WgPort, "WgPort should default to 51820")
+	assert.Equal(t, uint16(iface.DefaultMTU), config.MTU, "MTU should have default")
+	assert.Equal(t, dynamic.DefaultInterval, config.DNSRouteInterval, "DNSRouteInterval should have default")
+	assert.NotNil(t, config.ServerSSHAllowed, "ServerSSHAllowed should be set")
+	assert.NotNil(t, config.DisableNotifications, "DisableNotifications should be set")
+	assert.NotEmpty(t, config.IFaceBlackList, "IFaceBlackList should have defaults")
+
+	if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
+		assert.NotNil(t, config.NetworkMonitor, "NetworkMonitor should be set on Windows/macOS")
+		assert.True(t, *config.NetworkMonitor, "NetworkMonitor should be enabled by default on Windows/macOS")
+	}
+}
+
+func TestWireguardPortZeroExplicit(t *testing.T) {
+	tempDir := t.TempDir()
+	configPath := filepath.Join(tempDir, "config.json")
+
+	// Create a new profile with explicit port 0 (random port)
+	explicitZero := 0
+	config, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath:    configPath,
+		WireguardPort: &explicitZero,
+	})
+	require.NoError(t, err, "should create config with explicit port 0")
+
+	assert.Equal(t, 0, config.WgPort, "WgPort should be 0 when explicitly set by user")
+
+	// Verify it persists
+	readConfig, err := GetConfig(configPath)
+	require.NoError(t, err)
+	assert.Equal(t, 0, readConfig.WgPort, "WgPort should remain 0 after reading from file")
+}
+
+func TestWireguardPortDefaultVsExplicit(t *testing.T) {
+	tests := []struct {
+		name           string
+		wireguardPort  *int
+		expectedPort   int
+		description    string
+	}{
+		{
+			name:          "no port specified uses default",
+			wireguardPort: nil,
+			expectedPort:  iface.DefaultWgPort,
+			description:   "When user doesn't specify port, default to 51820",
+		},
+		{
+			name:          "explicit zero for random port",
+			wireguardPort: func() *int { v := 0; return &v }(),
+			expectedPort:  0,
+			description:   "When user explicitly sets 0, use 0 for random port",
+		},
+		{
+			name:          "explicit custom port",
+			wireguardPort: func() *int { v := 52000; return &v }(),
+			expectedPort:  52000,
+			description:   "When user sets custom port, use that port",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			configPath := filepath.Join(tempDir, "config.json")
+
+			config, err := UpdateOrCreateConfig(ConfigInput{
+				ConfigPath:    configPath,
+				WireguardPort: tt.wireguardPort,
+			})
+			require.NoError(t, err, tt.description)
+			assert.Equal(t, tt.expectedPort, config.WgPort, tt.description)
+		})
+	}
+}
+
 func TestUpdateOldManagementURL(t *testing.T) {
 	tests := []struct {
 		name                  string

client/internal/winregistry/volatile_windows.go

@@ -0,0 +1,59 @@
+package winregistry
+
+import (
+	"syscall"
+	"unsafe"
+
+	"golang.org/x/sys/windows/registry"
+)
+
+var (
+	advapi          = syscall.NewLazyDLL("advapi32.dll")
+	regCreateKeyExW = advapi.NewProc("RegCreateKeyExW")
+)
+
+const (
+	// Registry key options
+	regOptionNonVolatile = 0x0 // Key is preserved when system is rebooted
+	regOptionVolatile    = 0x1 // Key is not preserved when system is rebooted
+
+	// Registry disposition values
+	regCreatedNewKey     = 0x1
+	regOpenedExistingKey = 0x2
+)
+
+// CreateVolatileKey creates a volatile registry key named path under open key root.
+// CreateVolatileKey returns the new key and a boolean flag that reports whether the key already existed.
+// The access parameter specifies the access rights for the key to be created.
+//
+// Volatile keys are stored in memory and are automatically deleted when the system is shut down.
+// This provides automatic cleanup without requiring manual registry maintenance.
+func CreateVolatileKey(root registry.Key, path string, access uint32) (registry.Key, bool, error) {
+	pathPtr, err := syscall.UTF16PtrFromString(path)
+	if err != nil {
+		return 0, false, err
+	}
+
+	var (
+		handle      syscall.Handle
+		disposition uint32
+	)
+
+	ret, _, _ := regCreateKeyExW.Call(
+		uintptr(root),
+		uintptr(unsafe.Pointer(pathPtr)),
+		0,                          // reserved
+		0,                          // class
+		uintptr(regOptionVolatile), // options - volatile key
+		uintptr(access),            // desired access
+		0,                          // security attributes
+		uintptr(unsafe.Pointer(&handle)),
+		uintptr(unsafe.Pointer(&disposition)),
+	)
+
+	if ret != 0 {
+		return 0, false, syscall.Errno(ret)
+	}
+
+	return registry.Key(handle), disposition == regOpenedExistingKey, nil
+}

client/netbird-electron/.gitignore

@@ -0,0 +1,29 @@
+# Dependencies
+node_modules/
+package-lock.json
+
+# Build outputs
+dist/
+release/
+*.tsbuildinfo
+
+# Editor
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Environment
+.env
+.env.local
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*

client/netbird-electron/electron/assets/bug-extra-thick.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="6" d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.106-3.105c.32-.322.863-.22.983.218a6 6 0 0 1-8.259 7.057l-7.91 7.91a1 1 0 0 1-2.999-3l7.91-7.91a6 6 0 0 1 7.057-8.259c.438.12.54.662.219.984z"/></svg>

client/netbird-electron/electron/assets/bug-simple.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="white" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M12 20v-9m2-4a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4zm.12-3.12L16 2"/><path d="M21 21a4 4 0 0 0-3.81-4M21 5a4 4 0 0 1-3.55 3.97M22 13h-4M3 21a4 4 0 0 1 3.81-4M3 5a4 4 0 0 0 3.55 3.97M6 13H2M8 2l1.88 1.88M9 7.13V6a3 3 0 1 1 6 0v1.13"/></g></svg>

client/netbird-electron/electron/assets/debug-bundle-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M11 21.73a2 2 0 0 0 2 0l7-4A2 2 0 0 0 21 16V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73zm1 .27V12"/><path d="M3.29 7L12 12l8.71-5M7.5 4.27l9 5.15"/></g></svg>

client/netbird-electron/electron/assets/debug-icon-thick.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="3"><path d="M12 20v-9m2-4a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4zm.12-3.12L16 2"/><path d="M21 21a4 4 0 0 0-3.81-4M21 5a4 4 0 0 1-3.55 3.97M22 13h-4M3 21a4 4 0 0 1 3.81-4M3 5a4 4 0 0 0 3.55 3.97M6 13H2M8 2l1.88 1.88M9 7.13V6a3 3 0 1 1 6 0v1.13"/></g></svg>

client/netbird-electron/electron/assets/debug-icon-very-thick.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="4"><path d="M12 20v-9m2-4a4 4 0 0 1 4 4v3a6 6 0 0 1-12 0v-3a4 4 0 0 1 4-4zm.12-3.12L16 2"/><path d="M21 21a4 4 0 0 0-3.81-4M21 5a4 4 0 0 1-3.55 3.97M22 13h-4M3 21a4 4 0 0 1 3.81-4M3 5a4 4 0 0 0 3.55 3.97M6 13H2M8 2l1.88 1.88M9 7.13V6a3 3 0 1 1 6 0v1.13"/></g></svg>

client/netbird-electron/electron/assets/debug-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="6" d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.106-3.105c.32-.322.863-.22.983.218a6 6 0 0 1-8.259 7.057l-7.91 7.91a1 1 0 0 1-2.999-3l7.91-7.91a6 6 0 0 1 7.057-8.259c.438.12.54.662.219.984z"/></svg>

client/netbird-electron/electron/assets/exit-node-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m10 17l5-5l-5-5m5 5H3m12-9h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"/></svg>

client/netbird-electron/electron/assets/info-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><circle cx="12" cy="12" r="10"/><path d="M12 16v-4m0-4h.01"/></g></svg>

client/netbird-electron/electron/assets/networks-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><rect width="6" height="6" x="16" y="16" rx="1"/><rect width="6" height="6" x="2" y="16" rx="1"/><rect width="6" height="6" x="9" y="2" rx="1"/><path d="M5 16v-3a1 1 0 0 1 1-1h12a1 1 0 0 1 1 1v3m-7-4V8"/></g></svg>

client/netbird-electron/electron/assets/package-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="m16 16l2 2l4-4"/><path d="M21 10V8a2 2 0 0 0-1-1.73l-7-4a2 2 0 0 0-2 0l-7 4A2 2 0 0 0 3 8v8a2 2 0 0 0 1 1.73l7 4a2 2 0 0 0 2 0l2-1.14M7.5 4.27l9 5.15"/><path d="M3.29 7L12 12l8.71-5M12 22V12"/></g></svg>

client/netbird-electron/electron/assets/power-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 2v10m6.4-5.4a9 9 0 1 1-12.77.04"/></svg>

client/netbird-electron/electron/assets/power-off-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M18.36 6.64A9 9 0 0 1 20.77 15M6.16 6.16a9 9 0 1 0 12.68 12.68M12 2v4M2 2l20 20"/></svg>

client/netbird-electron/electron/assets/power-on.png

@@ -0,0 +1,14 @@
+<svg
+  xmlns="http://www.w3.org/2000/svg"
+  width="24"
+  height="24"
+  viewBox="0 0 24 24"
+  fill="none"
+  stroke="currentColor"
+  stroke-width="2"
+  stroke-linecap="round"
+  stroke-linejoin="round"
+>
+  <path d="M12 2v10" />
+  <path d="M18.4 6.6a9 9 0 1 1-12.77.04" />
+</svg>

client/netbird-electron/electron/assets/profiles-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><circle cx="12" cy="12" r="10"/><circle cx="12" cy="10" r="3"/><path d="M7 20.662V19a2 2 0 0 1 2-2h6a2 2 0 0 1 2 2v1.662"/></g></svg>

client/netbird-electron/electron/assets/quit-icon-test.svg

@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN"
+ "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" xmlns="http://www.w3.org/2000/svg"
+ width="16.000000pt" height="16.000000pt" viewBox="0 0 16.000000 16.000000"
+ preserveAspectRatio="xMidYMid meet">
+<metadata>
+Created by potrace 1.16, written by Peter Selinger 2001-2019
+</metadata>
+<g transform="translate(0.000000,16.000000) scale(0.100000,-0.100000)"
+fill="#000000" stroke="none">
+<path d="M0 80 l0 -80 80 0 80 0 0 80 0 80 -80 0 -80 0 0 -80z m70 60 c0 -5
+-9 -10 -20 -10 -17 0 -20 -7 -20 -50 0 -43 3 -50 20 -50 11 0 20 -4 20 -10 0
+-5 -13 -10 -30 -10 l-30 0 0 70 0 70 30 0 c17 0 30 -4 30 -10z m65 -40 c17
+-19 17 -21 0 -40 -21 -24 -40 -26 -31 -5 4 11 -2 15 -24 15 -17 0 -30 5 -30
+10 0 6 13 10 30 10 22 0 28 4 24 15 -9 21 10 19 31 -5z"/>
+</g>
+</svg>

client/netbird-electron/electron/assets/quit-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="m16 17l5-5l-5-5m5 5H9m0 9H5a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h4"/></svg>

client/netbird-electron/electron/assets/refresh-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M3 12a9 9 0 0 1 9-9a9.75 9.75 0 0 1 6.74 2.74L21 8"/><path d="M21 3v5h-5m5 4a9 9 0 0 1-9 9a9.75 9.75 0 0 1-6.74-2.74L3 16"/><path d="M8 16H3v5"/></g></svg>

client/netbird-electron/electron/assets/settings-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M9.671 4.136a2.34 2.34 0 0 1 4.659 0a2.34 2.34 0 0 0 3.319 1.915a2.34 2.34 0 0 1 2.33 4.033a2.34 2.34 0 0 0 0 3.831a2.34 2.34 0 0 1-2.33 4.033a2.34 2.34 0 0 0-3.319 1.915a2.34 2.34 0 0 1-4.659 0a2.34 2.34 0 0 0-3.32-1.915a2.34 2.34 0 0 1-2.33-4.033a2.34 2.34 0 0 0 0-3.831A2.34 2.34 0 0 1 6.35 6.051a2.34 2.34 0 0 0 3.319-1.915"/><circle cx="12" cy="12" r="3"/></g></svg>

client/netbird-electron/electron/assets/version-icon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><g fill="none" stroke="#ffffff" stroke-linecap="round" stroke-linejoin="round" stroke-width="2"><path d="M12.586 2.586A2 2 0 0 0 11.172 2H4a2 2 0 0 0-2 2v7.172a2 2 0 0 0 .586 1.414l8.704 8.704a2.426 2.426 0 0 0 3.42 0l6.58-6.58a2.426 2.426 0 0 0 0-3.42z"/><circle cx="7.5" cy="7.5" r=".5" fill="#ffffff"/></g></svg>

client/netbird-electron/electron/assets/wrench.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24"><path fill="none" stroke="currentColor" stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M14.7 6.3a1 1 0 0 0 0 1.4l1.6 1.6a1 1 0 0 0 1.4 0l3.106-3.105c.32-.322.863-.22.983.218a6 6 0 0 1-8.259 7.057l-7.91 7.91a1 1 0 0 1-2.999-3l7.91-7.91a6 6 0 0 1 7.057-8.259c.438.12.54.662.219.984z"/></svg>

client/netbird-electron/electron/grpc-client.cjs

@@ -0,0 +1,385 @@
+const grpc = require('@grpc/grpc-js');
+const protoLoader = require('@grpc/proto-loader');
+const path = require('path');
+const os = require('os');
+const { app } = require('electron');
+
+class DaemonClient {
+  constructor(address) {
+    this.address = address;
+    // Path to proto file - use resourcesPath for packaged app, or relative path for dev
+    const isPackaged = app && app.isPackaged;
+    this.protoPath = isPackaged
+      ? path.join(process.resourcesPath, 'proto/daemon.proto')
+      : path.join(__dirname, '../../proto/daemon.proto');
+    this.client = null;
+    this.initializeClient();
+  }
+
+  initializeClient() {
+    try {
+      const packageDefinition = protoLoader.loadSync(this.protoPath, {
+        keepCase: true,
+        longs: String,
+        enums: String,
+        defaults: true,
+        oneofs: true,
+      });
+
+      const protoDescriptor = grpc.loadPackageDefinition(packageDefinition);
+      const DaemonService = protoDescriptor.daemon.DaemonService;
+
+      // Create client with Unix socket or TCP
+      const credentials = grpc.credentials.createInsecure();
+      this.client = new DaemonService(this.address, credentials);
+
+      console.log(`gRPC client initialized with address: ${this.address}`);
+    } catch (error) {
+      console.error('Failed to initialize gRPC client:', error);
+    }
+  }
+
+  promisifyCall(method, request = {}) {
+    return new Promise((resolve, reject) => {
+      if (!this.client) {
+        reject(new Error('gRPC client not initialized'));
+        return;
+      }
+
+      try {
+        this.client[method](request, (error, response) => {
+          if (error) {
+            const enhancedError = {
+              ...error,
+              method,
+              message: error.message || 'Unknown gRPC error',
+              code: error.code,
+            };
+            reject(enhancedError);
+          } else {
+            resolve(response);
+          }
+        });
+      } catch (error) {
+        console.error(`gRPC call ${method} failed synchronously:`, error);
+        reject({
+          method,
+          message: error.message,
+          code: error.code || 'UNKNOWN',
+          originalError: error,
+        });
+      }
+    });
+  }
+
+  async getStatus() {
+    try {
+      const response = await this.promisifyCall('Status', {});
+      return {
+        status: response.status || 'Unknown',
+        version: response.daemonVersion || '0.0.0'
+      };
+    } catch (error) {
+      console.error('getStatus error:', error);
+      return {
+        status: 'Error',
+        version: '0.0.0'
+      };
+    }
+  }
+
+  async login() {
+    try {
+      const response = await this.promisifyCall('Login', {});
+      return {
+        needsSSOLogin: response.needsSSOLogin || false,
+        userCode: response.userCode || '',
+        verificationURI: response.verificationURI || '',
+        verificationURIComplete: response.verificationURIComplete || ''
+      };
+    } catch (error) {
+      console.error('login error:', error);
+      throw error;
+    }
+  }
+
+  async waitSSOLogin(userCode) {
+    try {
+      const hostname = os.hostname();
+      const response = await this.promisifyCall('WaitSSOLogin', {
+        userCode,
+        hostname
+      });
+      return {
+        email: response.email || ''
+      };
+    } catch (error) {
+      console.error('waitSSOLogin error:', error);
+      throw error;
+    }
+  }
+
+  async up() {
+    await this.promisifyCall('Up', {});
+  }
+
+  async down() {
+    await this.promisifyCall('Down', {});
+  }
+
+  async getConfig() {
+    try {
+      const username = os.userInfo().username;
+
+      // Get active profile name
+      const profiles = await this.listProfiles();
+      const activeProfile = profiles.find(p => p.active);
+      const profileName = activeProfile?.name || 'default';
+
+      const response = await this.promisifyCall('GetConfig', { username, profileName });
+      return {
+        managementUrl: response.managementUrl || '',
+        preSharedKey: response.preSharedKey || '',
+        interfaceName: response.interfaceName || '',
+        wireguardPort: response.wireguardPort || 51820,
+        mtu: response.mtu || 1280,
+        serverSSHAllowed: response.serverSSHAllowed || false,
+        autoConnect: !response.disableAutoConnect, // Invert the daemon's disableAutoConnect
+        rosenpassEnabled: response.rosenpassEnabled || false,
+        rosenpassPermissive: response.rosenpassPermissive || false,
+        lazyConnectionEnabled: response.lazyConnectionEnabled || false,
+        blockInbound: response.blockInbound || false,
+        networkMonitor: response.networkMonitor || false,
+        disableDns: response.disable_dns || false,
+        disableClientRoutes: response.disable_client_routes || false,
+        disableServerRoutes: response.disable_server_routes || false,
+        blockLanAccess: response.block_lan_access || false,
+      };
+    } catch (error) {
+      console.error('getConfig error:', error);
+      // Return default config on error
+      return {
+        managementUrl: '',
+        preSharedKey: '',
+        interfaceName: 'wt0',
+        wireguardPort: 51820,
+        mtu: 1280,
+        serverSSHAllowed: false,
+        autoConnect: false,
+        rosenpassEnabled: false,
+        rosenpassPermissive: false,
+        lazyConnectionEnabled: false,
+        blockInbound: false,
+        networkMonitor: true,
+        disableDns: false,
+        disableClientRoutes: false,
+        disableServerRoutes: false,
+        blockLanAccess: false,
+      };
+    }
+  }
+
+  async updateConfig(config) {
+    try {
+      const username = os.userInfo().username;
+
+      // Get active profile name
+      const profiles = await this.listProfiles();
+      const activeProfile = profiles.find(p => p.active);
+      const profileName = activeProfile?.name || 'default';
+
+      // Build the SetConfigRequest with proper field names matching proto
+      const request = {
+        username,
+        profileName,
+      };
+
+      // Map config fields to proto field names (snake_case for gRPC)
+      if (config.managementUrl !== undefined) request.managementUrl = config.managementUrl;
+      if (config.interfaceName !== undefined) request.interfaceName = config.interfaceName;
+      if (config.wireguardPort !== undefined) request.wireguardPort = config.wireguardPort;
+      if (config.preSharedKey !== undefined) request.optionalPreSharedKey = config.preSharedKey;
+      if (config.mtu !== undefined) request.mtu = config.mtu;
+      if (config.serverSSHAllowed !== undefined) request.serverSSHAllowed = config.serverSSHAllowed;
+      if (config.autoConnect !== undefined) request.disableAutoConnect = !config.autoConnect; // Invert for daemon
+      if (config.rosenpassEnabled !== undefined) request.rosenpassEnabled = config.rosenpassEnabled;
+      if (config.rosenpassPermissive !== undefined) request.rosenpassPermissive = config.rosenpassPermissive;
+      if (config.lazyConnectionEnabled !== undefined) request.lazyConnectionEnabled = config.lazyConnectionEnabled;
+      if (config.blockInbound !== undefined) request.block_inbound = config.blockInbound;
+      if (config.networkMonitor !== undefined) request.networkMonitor = config.networkMonitor;
+      if (config.disableDns !== undefined) request.disable_dns = config.disableDns;
+      if (config.disableClientRoutes !== undefined) request.disable_client_routes = config.disableClientRoutes;
+      if (config.disableServerRoutes !== undefined) request.disable_server_routes = config.disableServerRoutes;
+      if (config.blockLanAccess !== undefined) request.block_lan_access = config.blockLanAccess;
+
+      await this.promisifyCall('SetConfig', request);
+    } catch (error) {
+      console.error('updateConfig error:', error);
+      throw error;
+    }
+  }
+
+  async listProfiles() {
+    try {
+      const username = os.userInfo().username;
+      const response = await this.promisifyCall('ListProfiles', { username });
+
+      console.log('Raw gRPC response profiles:', JSON.stringify(response.profiles, null, 2));
+
+      const mapped = (response.profiles || []).map((profile) => ({
+        id: profile.id || profile.name, // Use name as id if id is not provided
+        name: profile.name,
+        email: profile.email,
+        active: profile.is_active || false, // gRPC uses snake_case: is_active
+      }));
+
+      console.log('Mapped profiles:', JSON.stringify(mapped, null, 2));
+
+      return mapped;
+    } catch (error) {
+      console.error('listProfiles error:', error);
+      // Return empty array on error instead of throwing
+      if (error.code === 'EPIPE' || error.code === 'ECONNREFUSED') {
+        console.warn('gRPC connection lost, returning empty profiles list');
+      }
+      return [];
+    }
+  }
+
+  async switchProfile(profileName) {
+    try {
+      console.log('gRPC client: switchProfile called with profileName:', profileName);
+      const username = os.userInfo().username;
+      const result = await this.promisifyCall('SwitchProfile', { profileName, username });
+      console.log('gRPC client: switchProfile result:', result);
+      return result;
+    } catch (error) {
+      console.error('switchProfile error:', error);
+      throw error;
+    }
+  }
+
+  async addProfile(profileName) {
+    try {
+      const username = os.userInfo().username;
+      await this.promisifyCall('AddProfile', { username, profileName });
+    } catch (error) {
+      console.error('addProfile error:', error);
+      throw error;
+    }
+  }
+
+  async removeProfile(profileName) {
+    try {
+      const username = os.userInfo().username;
+      await this.promisifyCall('RemoveProfile', { username, profileName });
+    } catch (error) {
+      console.error('removeProfile error:', error);
+      throw error;
+    }
+  }
+
+  async logout() {
+    try {
+      await this.promisifyCall('Logout', {});
+    } catch (error) {
+      console.error('logout error:', error);
+      throw error;
+    }
+  }
+
+  async createDebugBundle(anonymize = true) {
+    try {
+      const response = await this.promisifyCall('DebugBundle', {
+        anonymize,
+        systemInfo: true,
+        status: '',
+        logFileCount: 5
+      });
+      return response.path || '';
+    } catch (error) {
+      console.error('createDebugBundle error:', error);
+      throw error;
+    }
+  }
+
+  async getPeers() {
+    try {
+      console.log('[getPeers] Calling Status RPC with getFullPeerStatus: true');
+      const response = await this.promisifyCall('Status', {
+        getFullPeerStatus: true,
+        shouldRunProbes: false,
+      });
+
+      console.log('[getPeers] Status response:', JSON.stringify({
+        status: response.status,
+        hasFullStatus: !!response.fullStatus,
+        peersCount: response.fullStatus?.peers?.length || 0
+      }));
+
+      // Extract peers from fullStatus
+      const peers = response.fullStatus?.peers || [];
+      console.log(`[getPeers] Found ${peers.length} peers`);
+
+      // Map the peers to the format expected by the UI
+      const mapped = peers.map(peer => ({
+        ip: peer.IP || '',
+        pubKey: peer.pubKey || '',
+        connStatus: peer.connStatus || 'Disconnected',
+        connStatusUpdate: peer.connStatusUpdate ? new Date(peer.connStatusUpdate.seconds * 1000).toISOString() : '',
+        relayed: peer.relayed || false,
+        localIceCandidateType: peer.localIceCandidateType || '',
+        remoteIceCandidateType: peer.remoteIceCandidateType || '',
+        fqdn: peer.fqdn || '',
+        localIceCandidateEndpoint: peer.localIceCandidateEndpoint || '',
+        remoteIceCandidateEndpoint: peer.remoteIceCandidateEndpoint || '',
+        lastWireguardHandshake: peer.lastWireguardHandshake ? new Date(peer.lastWireguardHandshake.seconds * 1000).toISOString() : '',
+        bytesRx: peer.bytesRx || 0,
+        bytesTx: peer.bytesTx || 0,
+        rosenpassEnabled: peer.rosenpassEnabled || false,
+        networks: peer.networks || [],
+        latency: peer.latency ? (peer.latency.seconds * 1000 + peer.latency.nanos / 1000000) : 0,
+        relayAddress: peer.relayAddress || '',
+      }));
+
+      console.log('[getPeers] Returning mapped peers:', JSON.stringify(mapped.map(p => ({ ip: p.ip, fqdn: p.fqdn, connStatus: p.connStatus }))));
+      return mapped;
+    } catch (error) {
+      console.error('getPeers error:', error);
+      return [];
+    }
+  }
+
+  async getLocalPeer() {
+    try {
+      const response = await this.promisifyCall('Status', {
+        getFullPeerStatus: true,
+        shouldRunProbes: false,
+      });
+
+      const localPeer = response.fullStatus?.localPeerState;
+      if (!localPeer) {
+        console.log('[getLocalPeer] No local peer state found');
+        return null;
+      }
+
+      const mapped = {
+        ip: localPeer.IP || '',
+        pubKey: localPeer.pubKey || '',
+        fqdn: localPeer.fqdn || '',
+        kernelInterface: localPeer.kernelInterface || false,
+        rosenpassEnabled: localPeer.rosenpassEnabled || false,
+        rosenpassPermissive: localPeer.rosenpassPermissive || false,
+        networks: localPeer.networks || [],
+      };
+
+      console.log('[getLocalPeer] Local peer:', JSON.stringify({ ip: mapped.ip, fqdn: mapped.fqdn }));
+      return mapped;
+    } catch (error) {
+      console.error('getLocalPeer error:', error);
+      return null;
+    }
+  }
+}
+
+module.exports = { DaemonClient };

client/netbird-electron/electron/main.cjs

@@ -0,0 +1,683 @@
+const { app, BrowserWindow, ipcMain, Tray, Menu, screen, shell, dialog } = require('electron');
+const path = require('path');
+const { exec } = require('child_process');
+const util = require('util');
+const { DaemonClient } = require('./grpc-client.cjs');
+
+const execPromise = util.promisify(exec);
+
+// Daemon address - Unix socket on Linux/BSD/macOS, TCP on Windows
+const DAEMON_ADDR = process.platform === 'win32'
+  ? 'localhost:41731'
+  : 'unix:///var/run/netbird.sock';
+
+let mainWindow = null;
+let tray = null;
+let daemonClient = null;
+let daemonVersion = '0.0.0';
+
+// Parse command line arguments for expert mode
+const expertMode = process.argv.includes('--expert-mode') || process.argv.includes('--expert');
+
+function createWindow() {
+  mainWindow = new BrowserWindow({
+    width: 520,
+    height: 800,
+    resizable: false,
+    title: 'NetBird',
+    backgroundColor: '#1a1a1a',
+    autoHideMenuBar: true,
+    frame: true,
+    show: false, // Don't show initially
+    skipTaskbar: true, // Hide from taskbar
+    webPreferences: {
+      preload: path.join(__dirname, 'preload.cjs'),
+      nodeIntegration: false,
+      contextIsolation: true,
+    },
+  });
+
+  // Load the app
+  if (process.env.NODE_ENV === 'development' || !app.isPackaged) {
+    mainWindow.loadURL('http://localhost:5173');
+    mainWindow.webContents.openDevTools(); // Temporarily enabled for debugging
+  } else {
+    mainWindow.loadFile(path.join(__dirname, '../dist/index.html'));
+  }
+
+  // Hide window when it loses focus
+  mainWindow.on('blur', () => {
+    if (!mainWindow.webContents.isDevToolsOpened()) {
+      mainWindow.hide();
+    }
+  });
+
+  mainWindow.on('closed', () => {
+    mainWindow = null;
+  });
+}
+
+let connectionState = 'disconnected'; // 'disconnected', 'connecting', 'connected', 'disconnecting'
+let pulseState = false; // For pulsating animation
+let pulseInterval = null;
+
+function createTray() {
+  const iconPath = path.join(__dirname, 'assets', 'netbird-systemtray-disconnected-white-monochrome.png');
+  tray = new Tray(iconPath);
+
+  updateTrayMenu();
+
+  tray.setToolTip('NetBird - Disconnected');
+
+  tray.on('click', () => {
+    toggleWindow();
+  });
+}
+
+function getStatusLabel() {
+  let indicator = '⚪'; // Gray circle
+  let statusText = 'Disconnected';
+
+  switch (connectionState) {
+    case 'disconnected':
+      indicator = '⚪';
+      statusText = 'Disconnected';
+      break;
+    case 'connecting':
+      indicator = pulseState ? '🟢' : '⚪';
+      statusText = 'Connecting...';
+      break;
+    case 'connected':
+      indicator = '🟢';
+      statusText = 'Connected';
+      break;
+    case 'disconnecting':
+      indicator = pulseState ? '🟢' : '⚪';
+      statusText = 'Disconnecting...';
+      break;
+  }
+
+  return `${indicator}  ${statusText}`;
+}
+
+function startPulseAnimation() {
+  if (pulseInterval) {
+    clearInterval(pulseInterval);
+  }
+
+  pulseInterval = setInterval(() => {
+    pulseState = !pulseState;
+    updateTrayMenu();
+  }, 500); // Pulse every 500ms
+}
+
+function stopPulseAnimation() {
+  if (pulseInterval) {
+    clearInterval(pulseInterval);
+    pulseInterval = null;
+  }
+  pulseState = false;
+}
+
+function setConnectionState(state) {
+  connectionState = state;
+
+  // Start/stop pulse animation based on state
+  if (state === 'connecting' || state === 'disconnecting') {
+    startPulseAnimation();
+  } else {
+    stopPulseAnimation();
+  }
+
+  updateTrayMenu();
+  updateTrayIcon();
+}
+
+async function updateTrayMenu() {
+  // Fetch version from daemon
+  try {
+    const statusInfo = await daemonClient.getStatus();
+    if (statusInfo.version) {
+      daemonVersion = statusInfo.version;
+    }
+  } catch (error) {
+    console.error('Failed to get version:', error);
+  }
+
+  const connectDisconnectIcon = connectionState === 'connected' || connectionState === 'disconnecting'
+    ? path.join(__dirname, 'assets', 'power-off-icon.png')
+    : path.join(__dirname, 'assets', 'power-icon.png');
+
+  const connectDisconnectLabel = connectionState === 'connected' || connectionState === 'disconnecting'
+    ? 'Disconnect'
+    : 'Connect';
+
+  const menuTemplate = [
+    {
+      label: getStatusLabel(),
+      enabled: false
+    },
+    { type: 'separator' },
+    {
+      label: connectDisconnectLabel,
+      icon: connectDisconnectIcon,
+      enabled: connectionState === 'disconnected' || connectionState === 'connected',
+      click: async () => {
+        if (connectionState === 'connected') {
+          setConnectionState('disconnecting');
+          try {
+            await daemonClient.down();
+            setConnectionState('disconnected');
+          } catch (error) {
+            console.error('Disconnect error:', error);
+            setConnectionState('connected');
+          }
+        } else if (connectionState === 'disconnected') {
+          setConnectionState('connecting');
+          try {
+            // Step 1: Call login to check if SSO is needed
+            console.log('[Tray] Calling login...');
+            const loginResp = await daemonClient.login();
+            console.log('[Tray] Login response:', loginResp);
+
+            // Step 2: If SSO login is needed, open browser and wait
+            if (loginResp.needsSSOLogin) {
+              console.log('[Tray] SSO login required, opening browser...');
+
+              // Open the verification URL in the default browser
+              if (loginResp.verificationURIComplete) {
+                await shell.openExternal(loginResp.verificationURIComplete);
+                console.log('[Tray] Opened URL:', loginResp.verificationURIComplete);
+              }
+
+              // Wait for user to complete login in browser
+              console.log('[Tray] Waiting for SSO login completion...');
+              const waitResp = await daemonClient.waitSSOLogin(loginResp.userCode);
+              console.log('[Tray] SSO login completed, email:', waitResp.email);
+            }
+
+            // Step 3: Call Up to connect
+            console.log('[Tray] Calling Up to connect...');
+            await daemonClient.up();
+            console.log('[Tray] Connected successfully');
+
+            setConnectionState('connected');
+          } catch (error) {
+            console.error('Connect error:', error);
+            setConnectionState('disconnected');
+          }
+        }
+      }
+    },
+    { type: 'separator' },
+    {
+      label: 'Show',
+      icon: path.join(__dirname, 'assets', 'netbird-systemtray-disconnected-white-monochrome.png'),
+      click: () => {
+        showWindow();
+      }
+    }
+  ];
+
+  // Add expert mode menu items
+  if (expertMode) {
+    menuTemplate.push({ type: 'separator' });
+
+    // Profiles submenu - load from daemon
+    let profiles = [];
+    try {
+      profiles = await daemonClient.listProfiles();
+    } catch (error) {
+      console.error('Failed to load profiles:', error);
+    }
+
+    const profilesSubmenu = profiles.map(profile => ({
+      label: profile.email ? `${profile.name} (${profile.email})` : profile.name,
+      type: 'radio',
+      checked: profile.active,
+      click: async () => {
+        try {
+          await daemonClient.switchProfile(profile.name);
+          updateTrayMenu(); // Refresh menu after profile switch
+        } catch (error) {
+          console.error('Failed to switch profile:', error);
+        }
+      }
+    }));
+
+    profilesSubmenu.push({ type: 'separator' });
+    profilesSubmenu.push({
+      label: 'Add New Profile...',
+      click: () => {
+        console.log('Add new profile - TODO: implement dialog');
+        // TODO: Show dialog to add new profile
+      }
+    });
+
+    menuTemplate.push({
+      label: 'Profiles',
+      icon: path.join(__dirname, 'assets', 'profiles-icon.png'),
+      submenu: profilesSubmenu
+    });
+
+    // Settings submenu - load from daemon
+    let config = {};
+    try {
+      config = await daemonClient.getConfig();
+    } catch (error) {
+      console.error('Failed to load config:', error);
+      // Use defaults if loading fails
+      config = {
+        autoConnect: false,
+        networkMonitor: true,
+        disableDns: false,
+        blockLanAccess: false,
+      };
+    }
+
+    menuTemplate.push({
+      label: 'Settings',
+      icon: path.join(__dirname, 'assets', 'settings-icon.png'),
+      submenu: [
+        {
+          label: 'Auto Connect',
+          type: 'checkbox',
+          checked: config.autoConnect || false,
+          click: async (menuItem) => {
+            console.log('Auto Connect:', menuItem.checked);
+            try {
+              await daemonClient.updateConfig({ autoConnect: menuItem.checked });
+            } catch (error) {
+              console.error('Failed to update autoConnect:', error);
+            }
+          }
+        },
+        {
+          label: 'Network Monitor',
+          type: 'checkbox',
+          checked: config.networkMonitor !== undefined ? config.networkMonitor : true,
+          click: async (menuItem) => {
+            console.log('Network Monitor:', menuItem.checked);
+            try {
+              await daemonClient.updateConfig({ networkMonitor: menuItem.checked });
+            } catch (error) {
+              console.error('Failed to update networkMonitor:', error);
+            }
+          }
+        },
+        {
+          label: 'Disable DNS',
+          type: 'checkbox',
+          checked: config.disableDns || false,
+          click: async (menuItem) => {
+            console.log('Disable DNS:', menuItem.checked);
+            try {
+              await daemonClient.updateConfig({ disableDns: menuItem.checked });
+            } catch (error) {
+              console.error('Failed to update disableDns:', error);
+            }
+          }
+        },
+        {
+          label: 'Block LAN Access',
+          type: 'checkbox',
+          checked: config.blockLanAccess || false,
+          click: async (menuItem) => {
+            console.log('Block LAN Access:', menuItem.checked);
+            try {
+              await daemonClient.updateConfig({ blockLanAccess: menuItem.checked });
+            } catch (error) {
+              console.error('Failed to update blockLanAccess:', error);
+            }
+          }
+        }
+      ]
+    });
+
+    // Networks button
+    menuTemplate.push({
+      label: 'Networks',
+      icon: path.join(__dirname, 'assets', 'networks-icon.png'),
+      click: () => {
+        showWindow('networks');
+      }
+    });
+
+    // Exit Nodes button
+    menuTemplate.push({
+      label: 'Exit Nodes',
+      icon: path.join(__dirname, 'assets', 'exit-node-icon.png'),
+      click: () => {
+        showWindow('networks'); // Assuming exit nodes is part of networks tab
+      }
+    });
+  }
+
+  // Add Debug (available in both modes)
+  menuTemplate.push({ type: 'separator' });
+  menuTemplate.push({
+    label: 'Debug',
+    icon: path.join(__dirname, 'assets', 'debug-icon.png'),
+    click: () => {
+      showWindow('debug');
+    }
+  });
+
+  // Add About and Quit
+  menuTemplate.push({ type: 'separator' });
+  menuTemplate.push({
+    label: 'About',
+    icon: path.join(__dirname, 'assets', 'info-icon.png'),
+    submenu: [
+      {
+        label: `Version: ${daemonVersion}`,
+        icon: path.join(__dirname, 'assets', 'version-icon.png'),
+        enabled: false
+      },
+      {
+        label: 'Check for Updates',
+        icon: path.join(__dirname, 'assets', 'refresh-icon.png'),
+        click: () => {
+          // TODO: Implement update check
+          console.log('Checking for updates...');
+        }
+      }
+    ]
+  });
+  menuTemplate.push({ type: 'separator' });
+  menuTemplate.push({
+    label: 'Quit',
+    icon: path.join(__dirname, 'assets', 'quit-icon.png'),
+    click: () => {
+      app.quit();
+    }
+  });
+
+  const contextMenu = Menu.buildFromTemplate(menuTemplate);
+  tray.setContextMenu(contextMenu);
+}
+
+function updateTrayIcon() {
+  let iconName = 'netbird-systemtray-disconnected-white-monochrome.png';
+  let tooltip = 'NetBird - Disconnected';
+
+  switch (connectionState) {
+    case 'disconnected':
+      iconName = 'netbird-systemtray-disconnected-white-monochrome.png';
+      tooltip = 'NetBird - Disconnected';
+      break;
+    case 'connecting':
+      iconName = 'netbird-systemtray-connecting-white-monochrome.png';
+      tooltip = 'NetBird - Connecting...';
+      break;
+    case 'connected':
+      iconName = 'netbird-systemtray-connected-white-monochrome.png';
+      tooltip = 'NetBird - Connected';
+      break;
+    case 'disconnecting':
+      iconName = 'netbird-systemtray-connecting-white-monochrome.png';
+      tooltip = 'NetBird - Disconnecting...';
+      break;
+  }
+
+  const iconPath = path.join(__dirname, 'assets', iconName);
+  tray.setImage(iconPath);
+  tray.setToolTip(tooltip);
+}
+
+async function syncConnectionState() {
+  try {
+    const statusInfo = await daemonClient.getStatus();
+    const daemonStatus = statusInfo.status || 'Disconnected';
+
+    // Map daemon status to our connection state
+    let newState = 'disconnected';
+    if (daemonStatus === 'Connected') {
+      newState = 'connected';
+    } else if (daemonStatus === 'Connecting') {
+      newState = 'connecting';
+    } else {
+      newState = 'disconnected';
+    }
+
+    // Only update if state changed to avoid unnecessary menu rebuilds
+    if (newState !== connectionState) {
+      console.log(`[Tray] Connection state changed: ${connectionState} -> ${newState}`);
+      setConnectionState(newState);
+    }
+  } catch (error) {
+    console.error('[Tray] Failed to sync connection state:', error);
+    // On error, assume disconnected
+    if (connectionState !== 'disconnected') {
+      setConnectionState('disconnected');
+    }
+  }
+}
+
+function toggleWindow() {
+  if (mainWindow.isVisible()) {
+    mainWindow.hide();
+  } else {
+    showWindow();
+  }
+}
+
+function showWindow(page) {
+  const windowBounds = mainWindow.getBounds();
+  const trayBounds = tray.getBounds();
+
+  // Calculate position (center horizontally under tray icon)
+  const x = Math.round(trayBounds.x + (trayBounds.width / 2) - (windowBounds.width / 2));
+  const y = Math.round(trayBounds.y + trayBounds.height + 4);
+
+  mainWindow.setPosition(x, y, false);
+  mainWindow.show();
+  mainWindow.focus();
+
+  // Send page navigation message to renderer if page is specified
+  if (page) {
+    mainWindow.webContents.send('navigate-to-page', page);
+  }
+}
+
+app.whenReady().then(async () => {
+  // Initialize gRPC client
+  daemonClient = new DaemonClient(DAEMON_ADDR);
+
+  createWindow();
+  createTray();
+
+  // Initialize connection state from daemon
+  await syncConnectionState();
+
+  // Poll daemon status every 3 seconds to keep tray updated
+  setInterval(async () => {
+    await syncConnectionState();
+  }, 3000);
+});
+
+app.on('window-all-closed', (e) => {
+  // Prevent app from quitting - tray app should stay running
+  e.preventDefault();
+});
+
+// IPC Handlers for NetBird daemon communication via gRPC
+ipcMain.handle('netbird:connect', async () => {
+  try {
+    // Check if already connected
+    const status = await daemonClient.getStatus();
+    if (status.status === 'Connected') {
+      console.log('Already connected');
+      return { success: true };
+    }
+
+    // Step 1: Call login to check if SSO is needed
+    console.log('Calling login...');
+    const loginResp = await daemonClient.login();
+    console.log('Login response:', loginResp);
+
+    // Step 2: If SSO login is needed, open browser and wait
+    if (loginResp.needsSSOLogin) {
+      console.log('SSO login required, opening browser...');
+
+      // Open the verification URL in the default browser
+      if (loginResp.verificationURIComplete) {
+        const { shell } = require('electron');
+        await shell.openExternal(loginResp.verificationURIComplete);
+        console.log('Opened URL:', loginResp.verificationURIComplete);
+      }
+
+      // Wait for user to complete login in browser
+      console.log('Waiting for SSO login completion...');
+      const waitResp = await daemonClient.waitSSOLogin(loginResp.userCode);
+      console.log('SSO login completed, email:', waitResp.email);
+    }
+
+    // Step 3: Call Up to connect
+    console.log('Calling Up to connect...');
+    await daemonClient.up();
+    console.log('Connected successfully');
+
+    return { success: true };
+  } catch (error) {
+    console.error('Connection error:', error);
+    throw new Error(error.message || 'Failed to connect');
+  }
+});
+
+ipcMain.handle('netbird:disconnect', async () => {
+  try {
+    await daemonClient.down();
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:logout', async () => {
+  try {
+    await daemonClient.logout();
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:status', async () => {
+  try {
+    const statusInfo = await daemonClient.getStatus();
+    return {
+      status: statusInfo.status,
+      version: statusInfo.version,
+      daemon: 'Connected'
+    };
+  } catch (error) {
+    return {
+      status: 'Disconnected',
+      version: '0.0.0',
+      daemon: 'Disconnected'
+    };
+  }
+});
+
+ipcMain.handle('netbird:get-config', async () => {
+  try {
+    return await daemonClient.getConfig();
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:update-config', async (event, config) => {
+  try {
+    await daemonClient.updateConfig(config);
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:get-networks', async () => {
+  try {
+    // TODO: Implement networks retrieval via gRPC
+    return [];
+  } catch (error) {
+    return [];
+  }
+});
+
+ipcMain.handle('netbird:toggle-network', async (event, networkId) => {
+  try {
+    // TODO: Implement network toggle via gRPC
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:get-profiles', async () => {
+  try {
+    return await daemonClient.listProfiles();
+  } catch (error) {
+    console.error('get-profiles error:', error);
+    return [];
+  }
+});
+
+ipcMain.handle('netbird:switch-profile', async (event, profileId) => {
+  try {
+    await daemonClient.switchProfile(profileId);
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:delete-profile', async (event, profileId) => {
+  try {
+    await daemonClient.removeProfile(profileId);
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:add-profile', async (event, name) => {
+  try {
+    await daemonClient.addProfile(name);
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:remove-profile', async (event, profileId) => {
+  try {
+    await daemonClient.removeProfile(profileId);
+    return { success: true };
+  } catch (error) {
+    throw new Error(error.message);
+  }
+});
+
+ipcMain.handle('netbird:get-peers', async () => {
+  try {
+    return await daemonClient.getPeers();
+  } catch (error) {
+    console.error('get-peers error:', error);
+    return [];
+  }
+});
+
+ipcMain.handle('netbird:get-local-peer', async () => {
+  try {
+    return await daemonClient.getLocalPeer();
+  } catch (error) {
+    console.error('get-local-peer error:', error);
+    return null;
+  }
+});
+
+ipcMain.handle('netbird:get-expert-mode', async () => {
+  return expertMode;
+});

client/netbird-electron/electron/preload.cjs

@@ -0,0 +1,21 @@
+const { contextBridge, ipcRenderer } = require('electron');
+
+contextBridge.exposeInMainWorld('electronAPI', {
+  connect: () => ipcRenderer.invoke('netbird:connect'),
+  disconnect: () => ipcRenderer.invoke('netbird:disconnect'),
+  logout: () => ipcRenderer.invoke('netbird:logout'),
+  getStatus: () => ipcRenderer.invoke('netbird:status'),
+  getConfig: () => ipcRenderer.invoke('netbird:get-config'),
+  updateConfig: (config) => ipcRenderer.invoke('netbird:update-config', config),
+  getNetworks: () => ipcRenderer.invoke('netbird:get-networks'),
+  toggleNetwork: (networkId) => ipcRenderer.invoke('netbird:toggle-network', networkId),
+  getProfiles: () => ipcRenderer.invoke('netbird:get-profiles'),
+  switchProfile: (profileId) => ipcRenderer.invoke('netbird:switch-profile', profileId),
+  deleteProfile: (profileId) => ipcRenderer.invoke('netbird:delete-profile', profileId),
+  addProfile: (name) => ipcRenderer.invoke('netbird:add-profile', name),
+  removeProfile: (profileId) => ipcRenderer.invoke('netbird:remove-profile', profileId),
+  getPeers: () => ipcRenderer.invoke('netbird:get-peers'),
+  getLocalPeer: () => ipcRenderer.invoke('netbird:get-local-peer'),
+  getExpertMode: () => ipcRenderer.invoke('netbird:get-expert-mode'),
+  onNavigateToPage: (callback) => ipcRenderer.on('navigate-to-page', (event, page) => callback(page)),
+});

client/netbird-electron/index.html

@@ -0,0 +1,13 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <link rel="icon" type="image/svg+xml" href="/src/assets/netbird-full.svg" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>NetBird</title>
+  </head>
+  <body>
+    <div id="root"></div>
+    <script type="module" src="/src/main.tsx"></script>
+  </body>
+</html>