extract modules

.github/workflows/check-license-dependencies.yml

@@ -15,28 +15,27 @@ jobs:
     - name: Check for problematic license dependencies
       run: |
         echo "Checking for dependencies on management/, signal/, and relay/ packages..."
-        echo ""
 
         # Find all directories except the problematic ones and system dirs
         FOUND_ISSUES=0
-        while IFS= read -r dir; do
+        find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort | while read dir; do
           echo "=== Checking $dir ==="
           # Search for problematic imports, excluding test files
-          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" 2>/dev/null | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
-          if [ -n "$RESULTS" ]; then
+          RESULTS=$(grep -r "github.com/netbirdio/netbird/\(management\|signal\|relay\)" "$dir" --include="*.go" | grep -v "_test.go" | grep -v "test_" | grep -v "/test/" || true)
+          if [ ! -z "$RESULTS" ]; then
             echo "❌ Found problematic dependencies:"
             echo "$RESULTS"
             FOUND_ISSUES=1
           else
             echo "✓ No problematic dependencies found"
           fi
-        done < <(find . -maxdepth 1 -type d -not -name "." -not -name "management" -not -name "signal" -not -name "relay" -not -name ".git*" | sort)
-
-        echo ""
+        done
         if [ $FOUND_ISSUES -eq 1 ]; then
+          echo ""
           echo "❌ Found dependencies on management/, signal/, or relay/ packages"
-          echo "These packages are licensed under AGPLv3 and must not be imported by BSD-licensed code"
+          echo "These packages will change license and should not be imported by client or shared code"
           exit 1
         else
+          echo ""
           echo "✅ All license dependencies are clean"
         fi

client/android/client.go

@@ -17,9 +17,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
+	"github.com/netbirdio/netbird/client/net"
 )
 
 // ConnectionListener export internal Listener for mobile

client/android/preferences.go

@@ -201,94 +201,6 @@ func (p *Preferences) SetServerSSHAllowed(allowed bool) {
 	p.configInput.ServerSSHAllowed = &allowed
 }
 
-// GetEnableSSHRoot reads SSH root login setting from config file
-func (p *Preferences) GetEnableSSHRoot() (bool, error) {
-	if p.configInput.EnableSSHRoot != nil {
-		return *p.configInput.EnableSSHRoot, nil
-	}
-
-	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.EnableSSHRoot == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.EnableSSHRoot, err
-}
-
-// SetEnableSSHRoot stores the given value and waits for commit
-func (p *Preferences) SetEnableSSHRoot(enabled bool) {
-	p.configInput.EnableSSHRoot = &enabled
-}
-
-// GetEnableSSHSFTP reads SSH SFTP setting from config file
-func (p *Preferences) GetEnableSSHSFTP() (bool, error) {
-	if p.configInput.EnableSSHSFTP != nil {
-		return *p.configInput.EnableSSHSFTP, nil
-	}
-
-	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.EnableSSHSFTP == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.EnableSSHSFTP, err
-}
-
-// SetEnableSSHSFTP stores the given value and waits for commit
-func (p *Preferences) SetEnableSSHSFTP(enabled bool) {
-	p.configInput.EnableSSHSFTP = &enabled
-}
-
-// GetEnableSSHLocalPortForwarding reads SSH local port forwarding setting from config file
-func (p *Preferences) GetEnableSSHLocalPortForwarding() (bool, error) {
-	if p.configInput.EnableSSHLocalPortForwarding != nil {
-		return *p.configInput.EnableSSHLocalPortForwarding, nil
-	}
-
-	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.EnableSSHLocalPortForwarding == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.EnableSSHLocalPortForwarding, err
-}
-
-// SetEnableSSHLocalPortForwarding stores the given value and waits for commit
-func (p *Preferences) SetEnableSSHLocalPortForwarding(enabled bool) {
-	p.configInput.EnableSSHLocalPortForwarding = &enabled
-}
-
-// GetEnableSSHRemotePortForwarding reads SSH remote port forwarding setting from config file
-func (p *Preferences) GetEnableSSHRemotePortForwarding() (bool, error) {
-	if p.configInput.EnableSSHRemotePortForwarding != nil {
-		return *p.configInput.EnableSSHRemotePortForwarding, nil
-	}
-
-	cfg, err := profilemanager.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return false, err
-	}
-	if cfg.EnableSSHRemotePortForwarding == nil {
-		// Default to false for security on Android
-		return false, nil
-	}
-	return *cfg.EnableSSHRemotePortForwarding, err
-}
-
-// SetEnableSSHRemotePortForwarding stores the given value and waits for commit
-func (p *Preferences) SetEnableSSHRemotePortForwarding(enabled bool) {
-	p.configInput.EnableSSHRemotePortForwarding = &enabled
-}
-
 // GetBlockInbound reads block inbound setting from config file
 func (p *Preferences) GetBlockInbound() (bool, error) {
 	if p.configInput.BlockInbound != nil {

client/cmd/debug.go

@@ -168,7 +168,7 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{ShouldRunProbes: true})
+	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
 	if err != nil {
 		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
 	}
@@ -303,18 +303,12 @@ func setSyncResponsePersistence(cmd *cobra.Command, args []string) error {
 
 func getStatusOutput(cmd *cobra.Command, anon bool) string {
 	var statusOutputString string
-	statusResp, err := getStatus(cmd.Context(), true)
+	statusResp, err := getStatus(cmd.Context())
 	if err != nil {
 		cmd.PrintErrf("Failed to get status: %v\n", err)
 	} else {
-		pm := profilemanager.NewProfileManager()
-		var profName string
-		if activeProf, err := pm.GetActiveProfile(); err == nil {
-			profName = activeProf.Name
-		}
-
 		statusOutputString = nbstatus.ParseToFullDetailSummary(
-			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", profName),
+			nbstatus.ConvertToStatusOutputOverview(statusResp, anon, "", nil, nil, nil, "", ""),
 		)
 	}
 	return statusOutputString

client/cmd/root.go

@@ -35,6 +35,7 @@ const (
 	wireguardPortFlag        = "wireguard-port"
 	networkMonitorFlag       = "network-monitor"
 	disableAutoConnectFlag   = "disable-auto-connect"
+	serverSSHAllowedFlag     = "allow-server-ssh"
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
@@ -63,6 +64,7 @@ var (
 	customDNSAddress        string
 	rosenpassEnabled        bool
 	rosenpassPermissive     bool
+	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
 	networkMonitor          bool
@@ -174,6 +176,7 @@ func init() {
 	)
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
 	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
+	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
 	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 	upCmd.PersistentFlags().BoolVar(&lazyConnEnabled, enableLazyConnectionFlag, false, "[Experimental] Enable the lazy connection feature. If enabled, the client will establish connections on-demand. Note: this setting may be overridden by management configuration.")
 

client/cmd/service_installer.go

@@ -10,8 +10,6 @@ import (
 	"path/filepath"
 	"runtime"
 
-	log "github.com/sirupsen/logrus"
-
 	"github.com/kardianos/service"
 	"github.com/spf13/cobra"
 
@@ -83,10 +81,6 @@ func configurePlatformSpecificSettings(svcConfig *service.Config) error {
 				svcConfig.Option["LogDirectory"] = dir
 			}
 		}
-
-		if err := configureSystemdNetworkd(); err != nil {
-			log.Warnf("failed to configure systemd-networkd: %v", err)
-		}
 	}
 
 	if runtime.GOOS == "windows" {
@@ -166,12 +160,6 @@ var uninstallCmd = &cobra.Command{
 			return fmt.Errorf("uninstall service: %w", err)
 		}
 
-		if runtime.GOOS == "linux" {
-			if err := cleanupSystemdNetworkd(); err != nil {
-				log.Warnf("failed to cleanup systemd-networkd configuration: %v", err)
-			}
-		}
-
 		cmd.Println("NetBird service has been uninstalled")
 		return nil
 	},
@@ -257,45 +245,3 @@ func isServiceRunning() (bool, error) {
 
 	return status == service.StatusRunning, nil
 }
-
-const (
-	networkdConfDir     = "/etc/systemd/networkd.conf.d"
-	networkdConfFile    = "/etc/systemd/networkd.conf.d/99-netbird.conf"
-	networkdConfContent = `# Created by NetBird to prevent systemd-networkd from removing
-# routes and policy rules managed by NetBird.
-
-[Network]
-ManageForeignRoutes=no
-ManageForeignRoutingPolicyRules=no
-`
-)
-
-// configureSystemdNetworkd creates a drop-in configuration file to prevent
-// systemd-networkd from removing NetBird's routes and policy rules.
-func configureSystemdNetworkd() error {
-	parentDir := filepath.Dir(networkdConfDir)
-	if _, err := os.Stat(parentDir); os.IsNotExist(err) {
-		log.Debug("systemd networkd.conf.d parent directory does not exist, skipping configuration")
-		return nil
-	}
-
-	// nolint:gosec // standard networkd permissions
-	if err := os.WriteFile(networkdConfFile, []byte(networkdConfContent), 0644); err != nil {
-		return fmt.Errorf("write networkd configuration: %w", err)
-	}
-
-	return nil
-}
-
-// cleanupSystemdNetworkd removes the NetBird systemd-networkd configuration file.
-func cleanupSystemdNetworkd() error {
-	if _, err := os.Stat(networkdConfFile); os.IsNotExist(err) {
-		return nil
-	}
-
-	if err := os.Remove(networkdConfFile); err != nil {
-		return fmt.Errorf("remove networkd configuration: %w", err)
-	}
-
-	return nil
-}

client/cmd/ssh.go

@@ -3,757 +3,125 @@ package cmd
 import (
 	"context"
 	"errors"
-	"flag"
 	"fmt"
-	"net"
 	"os"
 	"os/signal"
-	"os/user"
-	"slices"
-	"strconv"
 	"strings"
 	"syscall"
 
 	"github.com/spf13/cobra"
 
 	"github.com/netbirdio/netbird/client/internal"
-	sshclient "github.com/netbirdio/netbird/client/ssh/client"
-	"github.com/netbirdio/netbird/client/ssh/detection"
-	sshproxy "github.com/netbirdio/netbird/client/ssh/proxy"
-	sshserver "github.com/netbirdio/netbird/client/ssh/server"
+	"github.com/netbirdio/netbird/client/internal/profilemanager"
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/util"
 )
 
-const (
-	sshUsernameDesc      = "SSH username"
-	hostArgumentRequired = "host argument required"
-
-	serverSSHAllowedFlag           = "allow-server-ssh"
-	enableSSHRootFlag              = "enable-ssh-root"
-	enableSSHSFTPFlag              = "enable-ssh-sftp"
-	enableSSHLocalPortForwardFlag  = "enable-ssh-local-port-forwarding"
-	enableSSHRemotePortForwardFlag = "enable-ssh-remote-port-forwarding"
-	disableSSHAuthFlag             = "disable-ssh-auth"
-)
-
 var (
-	port                  int
-	username              string
-	host                  string
-	command               string
-	localForwards         []string
-	remoteForwards        []string
-	strictHostKeyChecking bool
-	knownHostsFile        string
-	identityFile          string
-	skipCachedToken       bool
+	port     int
+	userName = "root"
+	host     string
 )
 
-var (
-	serverSSHAllowed           bool
-	enableSSHRoot              bool
-	enableSSHSFTP              bool
-	enableSSHLocalPortForward  bool
-	enableSSHRemotePortForward bool
-	disableSSHAuth             bool
-)
-
-func init() {
-	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer")
-	upCmd.PersistentFlags().BoolVar(&enableSSHRoot, enableSSHRootFlag, false, "Enable root login for SSH server")
-	upCmd.PersistentFlags().BoolVar(&enableSSHSFTP, enableSSHSFTPFlag, false, "Enable SFTP subsystem for SSH server")
-	upCmd.PersistentFlags().BoolVar(&enableSSHLocalPortForward, enableSSHLocalPortForwardFlag, false, "Enable local port forwarding for SSH server")
-	upCmd.PersistentFlags().BoolVar(&enableSSHRemotePortForward, enableSSHRemotePortForwardFlag, false, "Enable remote port forwarding for SSH server")
-	upCmd.PersistentFlags().BoolVar(&disableSSHAuth, disableSSHAuthFlag, false, "Disable SSH authentication")
-
-	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", sshserver.DefaultSSHPort, "Remote SSH port")
-	sshCmd.PersistentFlags().StringVarP(&username, "user", "u", "", sshUsernameDesc)
-	sshCmd.PersistentFlags().StringVar(&username, "login", "", sshUsernameDesc+" (alias for --user)")
-	sshCmd.PersistentFlags().BoolVar(&strictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking (default: true)")
-	sshCmd.PersistentFlags().StringVarP(&knownHostsFile, "known-hosts", "o", "", "Path to known_hosts file (default: ~/.ssh/known_hosts)")
-	sshCmd.PersistentFlags().StringVarP(&identityFile, "identity", "i", "", "Path to SSH private key file")
-	sshCmd.PersistentFlags().BoolVar(&skipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
-
-	sshCmd.PersistentFlags().StringArrayP("L", "L", []string{}, "Local port forwarding [bind_address:]port:host:hostport")
-	sshCmd.PersistentFlags().StringArrayP("R", "R", []string{}, "Remote port forwarding [bind_address:]port:host:hostport")
-
-	sshCmd.AddCommand(sshSftpCmd)
-	sshCmd.AddCommand(sshProxyCmd)
-	sshCmd.AddCommand(sshDetectCmd)
-}
-
 var sshCmd = &cobra.Command{
-	Use:   "ssh [flags] [user@]host [command]",
-	Short: "Connect to a NetBird peer via SSH",
-	Long: `Connect to a NetBird peer using SSH with support for port forwarding.
-
-Port Forwarding:
-  -L [bind_address:]port:host:hostport   Local port forwarding
-  -L [bind_address:]port:/path/to/socket Local port forwarding to Unix socket
-  -R [bind_address:]port:host:hostport   Remote port forwarding
-  -R [bind_address:]port:/path/to/socket Remote port forwarding to Unix socket
-
-SSH Options:
-  -p, --port int                       Remote SSH port (default 22)
-  -u, --user string                    SSH username
-      --login string                   SSH username (alias for --user)
-      --strict-host-key-checking       Enable strict host key checking (default: true)
-  -o, --known-hosts string             Path to known_hosts file
-  -i, --identity string                Path to SSH private key file
-
-Examples:
-  netbird ssh peer-hostname
-  netbird ssh root@peer-hostname
-  netbird ssh --login root peer-hostname
-  netbird ssh peer-hostname ls -la
-  netbird ssh peer-hostname whoami
-  netbird ssh -L 8080:localhost:80 peer-hostname    # Local port forwarding
-  netbird ssh -R 9090:localhost:3000 peer-hostname  # Remote port forwarding
-  netbird ssh -L "*:8080:localhost:80" peer-hostname # Bind to all interfaces
-  netbird ssh -L 8080:/tmp/socket peer-hostname      # Unix socket forwarding`,
-	DisableFlagParsing: true,
-	Args:               validateSSHArgsWithoutFlagParsing,
-	RunE:               sshFn,
-	Aliases:            []string{"ssh"},
-}
-
-func sshFn(cmd *cobra.Command, args []string) error {
-	for _, arg := range args {
-		if arg == "-h" || arg == "--help" {
-			return cmd.Help()
+	Use: "ssh [user@]host",
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errors.New("requires a host argument")
 		}
-	}
 
-	SetFlagsFromEnvVars(rootCmd)
-	SetFlagsFromEnvVars(cmd)
-
-	cmd.SetOut(cmd.OutOrStdout())
-
-	logOutput := "console"
-	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
-		logOutput = firstLogFile
-	}
-	if err := util.InitLog(logLevel, logOutput); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	ctx := internal.CtxInitState(cmd.Context())
-
-	sig := make(chan os.Signal, 1)
-	signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
-	sshctx, cancel := context.WithCancel(ctx)
-
-	go func() {
-		if err := runSSH(sshctx, host, cmd); err != nil {
-			cmd.Printf("Error: %v\n", err)
-			os.Exit(1)
-		}
-		cancel()
-	}()
-
-	select {
-	case <-sig:
-		cancel()
-	case <-sshctx.Done():
-	}
-
-	return nil
-}
-
-// getEnvOrDefault checks for environment variables with WT_ and NB_ prefixes
-func getEnvOrDefault(flagName, defaultValue string) string {
-	if envValue := os.Getenv("WT_" + flagName); envValue != "" {
-		return envValue
-	}
-	if envValue := os.Getenv("NB_" + flagName); envValue != "" {
-		return envValue
-	}
-	return defaultValue
-}
-
-// resetSSHGlobals sets SSH globals to their default values
-func resetSSHGlobals() {
-	port = sshserver.DefaultSSHPort
-	username = ""
-	host = ""
-	command = ""
-	localForwards = nil
-	remoteForwards = nil
-	strictHostKeyChecking = true
-	knownHostsFile = ""
-	identityFile = ""
-}
-
-// parseCustomSSHFlags extracts -L, -R flags and returns filtered args
-func parseCustomSSHFlags(args []string) ([]string, []string, []string) {
-	var localForwardFlags []string
-	var remoteForwardFlags []string
-	var filteredArgs []string
-
-	for i := 0; i < len(args); i++ {
-		arg := args[i]
-		switch {
-		case strings.HasPrefix(arg, "-L"):
-			localForwardFlags, i = parseForwardFlag(arg, args, i, localForwardFlags)
-		case strings.HasPrefix(arg, "-R"):
-			remoteForwardFlags, i = parseForwardFlag(arg, args, i, remoteForwardFlags)
-		default:
-			filteredArgs = append(filteredArgs, arg)
-		}
-	}
-
-	return filteredArgs, localForwardFlags, remoteForwardFlags
-}
-
-func parseForwardFlag(arg string, args []string, i int, flags []string) ([]string, int) {
-	if arg == "-L" || arg == "-R" {
-		if i+1 < len(args) {
-			flags = append(flags, args[i+1])
-			i++
-		}
-	} else if len(arg) > 2 {
-		flags = append(flags, arg[2:])
-	}
-	return flags, i
-}
-
-// extractGlobalFlags parses global flags that were passed before 'ssh' command
-func extractGlobalFlags(args []string) {
-	sshPos := findSSHCommandPosition(args)
-	if sshPos == -1 {
-		return
-	}
-
-	globalArgs := args[:sshPos]
-	parseGlobalArgs(globalArgs)
-}
-
-// findSSHCommandPosition locates the 'ssh' command in the argument list
-func findSSHCommandPosition(args []string) int {
-	for i, arg := range args {
-		if arg == "ssh" {
-			return i
-		}
-	}
-	return -1
-}
-
-const (
-	configFlag   = "config"
-	logLevelFlag = "log-level"
-	logFileFlag  = "log-file"
-)
-
-// parseGlobalArgs processes the global arguments and sets the corresponding variables
-func parseGlobalArgs(globalArgs []string) {
-	flagHandlers := map[string]func(string){
-		configFlag:   func(value string) { configPath = value },
-		logLevelFlag: func(value string) { logLevel = value },
-		logFileFlag: func(value string) {
-			if !slices.Contains(logFiles, value) {
-				logFiles = append(logFiles, value)
-			}
-		},
-	}
-
-	shortFlags := map[string]string{
-		"c": configFlag,
-		"l": logLevelFlag,
-	}
-
-	for i := 0; i < len(globalArgs); i++ {
-		arg := globalArgs[i]
-
-		if handled, nextIndex := parseFlag(arg, globalArgs, i, flagHandlers, shortFlags); handled {
-			i = nextIndex
-		}
-	}
-}
-
-// parseFlag handles generic flag parsing for both long and short forms
-func parseFlag(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (bool, int) {
-	if parsedValue, found := parseEqualsFormat(arg, flagHandlers, shortFlags); found {
-		flagHandlers[parsedValue.flagName](parsedValue.value)
-		return true, currentIndex
-	}
-
-	if parsedValue, found := parseSpacedFormat(arg, args, currentIndex, flagHandlers, shortFlags); found {
-		flagHandlers[parsedValue.flagName](parsedValue.value)
-		return true, currentIndex + 1
-	}
-
-	return false, currentIndex
-}
-
-type parsedFlag struct {
-	flagName string
-	value    string
-}
-
-// parseEqualsFormat handles --flag=value and -f=value formats
-func parseEqualsFormat(arg string, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
-	if !strings.Contains(arg, "=") {
-		return parsedFlag{}, false
-	}
-
-	parts := strings.SplitN(arg, "=", 2)
-	if len(parts) != 2 {
-		return parsedFlag{}, false
-	}
-
-	if strings.HasPrefix(parts[0], "--") {
-		flagName := strings.TrimPrefix(parts[0], "--")
-		if _, exists := flagHandlers[flagName]; exists {
-			return parsedFlag{flagName: flagName, value: parts[1]}, true
-		}
-	}
-
-	if strings.HasPrefix(parts[0], "-") && len(parts[0]) == 2 {
-		shortFlag := strings.TrimPrefix(parts[0], "-")
-		if longFlag, exists := shortFlags[shortFlag]; exists {
-			if _, exists := flagHandlers[longFlag]; exists {
-				return parsedFlag{flagName: longFlag, value: parts[1]}, true
-			}
-		}
-	}
-
-	return parsedFlag{}, false
-}
-
-// parseSpacedFormat handles --flag value and -f value formats
-func parseSpacedFormat(arg string, args []string, currentIndex int, flagHandlers map[string]func(string), shortFlags map[string]string) (parsedFlag, bool) {
-	if currentIndex+1 >= len(args) {
-		return parsedFlag{}, false
-	}
-
-	if strings.HasPrefix(arg, "--") {
-		flagName := strings.TrimPrefix(arg, "--")
-		if _, exists := flagHandlers[flagName]; exists {
-			return parsedFlag{flagName: flagName, value: args[currentIndex+1]}, true
-		}
-	}
-
-	if strings.HasPrefix(arg, "-") && len(arg) == 2 {
-		shortFlag := strings.TrimPrefix(arg, "-")
-		if longFlag, exists := shortFlags[shortFlag]; exists {
-			if _, exists := flagHandlers[longFlag]; exists {
-				return parsedFlag{flagName: longFlag, value: args[currentIndex+1]}, true
-			}
-		}
-	}
-
-	return parsedFlag{}, false
-}
-
-// createSSHFlagSet creates and configures the flag set for SSH command parsing
-// sshFlags contains all SSH-related flags and parameters
-type sshFlags struct {
-	Port                  int
-	Username              string
-	Login                 string
-	StrictHostKeyChecking bool
-	KnownHostsFile        string
-	IdentityFile          string
-	SkipCachedToken       bool
-	ConfigPath            string
-	LogLevel              string
-	LocalForwards         []string
-	RemoteForwards        []string
-	Host                  string
-	Command               string
-}
-
-func createSSHFlagSet() (*flag.FlagSet, *sshFlags) {
-	defaultConfigPath := getEnvOrDefault("CONFIG", configPath)
-	defaultLogLevel := getEnvOrDefault("LOG_LEVEL", logLevel)
-
-	fs := flag.NewFlagSet("ssh-flags", flag.ContinueOnError)
-	fs.SetOutput(nil)
-
-	flags := &sshFlags{}
-
-	fs.IntVar(&flags.Port, "p", sshserver.DefaultSSHPort, "SSH port")
-	fs.Int("port", sshserver.DefaultSSHPort, "SSH port")
-	fs.StringVar(&flags.Username, "u", "", sshUsernameDesc)
-	fs.String("user", "", sshUsernameDesc)
-	fs.StringVar(&flags.Login, "login", "", sshUsernameDesc+" (alias for --user)")
-
-	fs.BoolVar(&flags.StrictHostKeyChecking, "strict-host-key-checking", true, "Enable strict host key checking")
-	fs.StringVar(&flags.KnownHostsFile, "o", "", "Path to known_hosts file")
-	fs.String("known-hosts", "", "Path to known_hosts file")
-	fs.StringVar(&flags.IdentityFile, "i", "", "Path to SSH private key file")
-	fs.String("identity", "", "Path to SSH private key file")
-	fs.BoolVar(&flags.SkipCachedToken, "no-cache", false, "Skip cached JWT token and force fresh authentication")
-
-	fs.StringVar(&flags.ConfigPath, "c", defaultConfigPath, "Netbird config file location")
-	fs.String("config", defaultConfigPath, "Netbird config file location")
-	fs.StringVar(&flags.LogLevel, "l", defaultLogLevel, "sets Netbird log level")
-	fs.String("log-level", defaultLogLevel, "sets Netbird log level")
-
-	return fs, flags
-}
-
-func validateSSHArgsWithoutFlagParsing(_ *cobra.Command, args []string) error {
-	if len(args) < 1 {
-		return errors.New(hostArgumentRequired)
-	}
-
-	resetSSHGlobals()
-
-	if len(os.Args) > 2 {
-		extractGlobalFlags(os.Args[1:])
-	}
-
-	filteredArgs, localForwardFlags, remoteForwardFlags := parseCustomSSHFlags(args)
-
-	fs, flags := createSSHFlagSet()
-
-	if err := fs.Parse(filteredArgs); err != nil {
-		return parseHostnameAndCommand(filteredArgs)
-	}
-
-	remaining := fs.Args()
-	if len(remaining) < 1 {
-		return errors.New(hostArgumentRequired)
-	}
-
-	port = flags.Port
-	if flags.Username != "" {
-		username = flags.Username
-	} else if flags.Login != "" {
-		username = flags.Login
-	}
-
-	strictHostKeyChecking = flags.StrictHostKeyChecking
-	knownHostsFile = flags.KnownHostsFile
-	identityFile = flags.IdentityFile
-	skipCachedToken = flags.SkipCachedToken
-
-	if flags.ConfigPath != getEnvOrDefault("CONFIG", configPath) {
-		configPath = flags.ConfigPath
-	}
-	if flags.LogLevel != getEnvOrDefault("LOG_LEVEL", logLevel) {
-		logLevel = flags.LogLevel
-	}
-
-	localForwards = localForwardFlags
-	remoteForwards = remoteForwardFlags
-
-	return parseHostnameAndCommand(remaining)
-}
-
-func parseHostnameAndCommand(args []string) error {
-	if len(args) < 1 {
-		return errors.New(hostArgumentRequired)
-	}
-
-	arg := args[0]
-	if strings.Contains(arg, "@") {
-		parts := strings.SplitN(arg, "@", 2)
-		if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
-			return errors.New("invalid user@host format")
-		}
-		if username == "" {
-			username = parts[0]
-		}
-		host = parts[1]
-	} else {
-		host = arg
-	}
-
-	if username == "" {
-		if sudoUser := os.Getenv("SUDO_USER"); sudoUser != "" {
-			username = sudoUser
-		} else if currentUser, err := user.Current(); err == nil {
-			username = currentUser.Username
+		split := strings.Split(args[0], "@")
+		if len(split) == 2 {
+			userName = split[0]
+			host = split[1]
 		} else {
-			username = "root"
+			host = args[0]
 		}
-	}
 
-	// Everything after hostname becomes the command
-	if len(args) > 1 {
-		command = strings.Join(args[1:], " ")
-	}
+		return nil
+	},
+	Short: "Connect to a remote SSH server",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars(cmd)
 
-	return nil
+		cmd.SetOut(cmd.OutOrStdout())
+
+		err := util.InitLog(logLevel, util.LogConsole)
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}
+
+		if !util.IsAdmin() {
+			cmd.Printf("error: you must have Administrator privileges to run this command\n")
+			return nil
+		}
+
+		ctx := internal.CtxInitState(cmd.Context())
+
+		sm := profilemanager.NewServiceManager(configPath)
+		activeProf, err := sm.GetActiveProfileState()
+		if err != nil {
+			return fmt.Errorf("get active profile: %v", err)
+		}
+		profPath, err := activeProf.FilePath()
+		if err != nil {
+			return fmt.Errorf("get active profile path: %v", err)
+		}
+
+		config, err := profilemanager.ReadConfig(profPath)
+		if err != nil {
+			return fmt.Errorf("read profile config: %v", err)
+		}
+
+		sig := make(chan os.Signal, 1)
+		signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
+		sshctx, cancel := context.WithCancel(ctx)
+
+		go func() {
+			// blocking
+			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
+				cmd.Printf("Error: %v\n", err)
+				os.Exit(1)
+			}
+			cancel()
+		}()
+
+		select {
+		case <-sig:
+			cancel()
+		case <-sshctx.Done():
+		}
+
+		return nil
+	},
 }
 
-func runSSH(ctx context.Context, addr string, cmd *cobra.Command) error {
-	target := fmt.Sprintf("%s:%d", addr, port)
-	c, err := sshclient.Dial(ctx, target, username, sshclient.DialOptions{
-		KnownHostsFile:     knownHostsFile,
-		IdentityFile:       identityFile,
-		DaemonAddr:         daemonAddr,
-		SkipCachedToken:    skipCachedToken,
-		InsecureSkipVerify: !strictHostKeyChecking,
-	})
-
+func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
+	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), userName, pemKey)
 	if err != nil {
-		cmd.Printf("Failed to connect to %s@%s\n", username, target)
-		cmd.Printf("\nTroubleshooting steps:\n")
-		cmd.Printf("  1. Check peer connectivity: netbird status -d\n")
-		cmd.Printf("  2. Verify SSH server is enabled on the peer\n")
-		cmd.Printf("  3. Ensure correct hostname/IP is used\n")
-		return fmt.Errorf("dial %s: %w", target, err)
+		cmd.Printf("Error: %v\n", err)
+		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +
+			"\nYou can verify the connection by running:\n\n" +
+			" netbird status\n\n")
+		return err
 	}
-
-	sshCtx, cancel := context.WithCancel(ctx)
-	defer cancel()
-
 	go func() {
-		<-sshCtx.Done()
-		if err := c.Close(); err != nil {
-			cmd.Printf("Error closing SSH connection: %v\n", err)
+		<-ctx.Done()
+		err = c.Close()
+		if err != nil {
+			return
 		}
 	}()
 
-	if err := startPortForwarding(sshCtx, c, cmd); err != nil {
-		return fmt.Errorf("start port forwarding: %w", err)
-	}
-
-	if command != "" {
-		return executeSSHCommand(sshCtx, c, command)
-	}
-	return openSSHTerminal(sshCtx, c)
-}
-
-// executeSSHCommand executes a command over SSH.
-func executeSSHCommand(ctx context.Context, c *sshclient.Client, command string) error {
-	if err := c.ExecuteCommandWithIO(ctx, command); err != nil {
-		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
-			return nil
-		}
-		return fmt.Errorf("execute command: %w", err)
-	}
-	return nil
-}
-
-// openSSHTerminal opens an interactive SSH terminal.
-func openSSHTerminal(ctx context.Context, c *sshclient.Client) error {
-	if err := c.OpenTerminal(ctx); err != nil {
-		if errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
-			return nil
-		}
-		return fmt.Errorf("open terminal: %w", err)
-	}
-	return nil
-}
-
-// startPortForwarding starts local and remote port forwarding based on command line flags
-func startPortForwarding(ctx context.Context, c *sshclient.Client, cmd *cobra.Command) error {
-	for _, forward := range localForwards {
-		if err := parseAndStartLocalForward(ctx, c, forward, cmd); err != nil {
-			return fmt.Errorf("local port forward %s: %w", forward, err)
-		}
-	}
-
-	for _, forward := range remoteForwards {
-		if err := parseAndStartRemoteForward(ctx, c, forward, cmd); err != nil {
-			return fmt.Errorf("remote port forward %s: %w", forward, err)
-		}
-	}
-
-	return nil
-}
-
-// parseAndStartLocalForward parses and starts a local port forward (-L)
-func parseAndStartLocalForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
-	localAddr, remoteAddr, err := parsePortForwardSpec(forward)
+	err = c.OpenTerminal()
 	if err != nil {
 		return err
 	}
 
-	cmd.Printf("Local port forwarding: %s -> %s\n", localAddr, remoteAddr)
-
-	go func() {
-		if err := c.LocalPortForward(ctx, localAddr, remoteAddr); err != nil && !errors.Is(err, context.Canceled) {
-			cmd.Printf("Local port forward error: %v\n", err)
-		}
-	}()
-
 	return nil
 }
 
-// parseAndStartRemoteForward parses and starts a remote port forward (-R)
-func parseAndStartRemoteForward(ctx context.Context, c *sshclient.Client, forward string, cmd *cobra.Command) error {
-	remoteAddr, localAddr, err := parsePortForwardSpec(forward)
-	if err != nil {
-		return err
-	}
-
-	cmd.Printf("Remote port forwarding: %s -> %s\n", remoteAddr, localAddr)
-
-	go func() {
-		if err := c.RemotePortForward(ctx, remoteAddr, localAddr); err != nil && !errors.Is(err, context.Canceled) {
-			cmd.Printf("Remote port forward error: %v\n", err)
-		}
-	}()
-
-	return nil
-}
-
-// parsePortForwardSpec parses port forward specifications like "8080:localhost:80" or "[::1]:8080:localhost:80".
-// Also supports Unix sockets like "8080:/tmp/socket" or "127.0.0.1:8080:/tmp/socket".
-func parsePortForwardSpec(spec string) (string, string, error) {
-	// Support formats:
-	// port:host:hostport  -> localhost:port -> host:hostport
-	// host:port:host:hostport  -> host:port -> host:hostport
-	// [host]:port:host:hostport -> [host]:port -> host:hostport
-	// port:unix_socket_path -> localhost:port -> unix_socket_path
-	// host:port:unix_socket_path -> host:port -> unix_socket_path
-
-	if strings.HasPrefix(spec, "[") && strings.Contains(spec, "]:") {
-		return parseIPv6ForwardSpec(spec)
-	}
-
-	parts := strings.Split(spec, ":")
-	if len(parts) < 2 {
-		return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_target)", spec)
-	}
-
-	switch len(parts) {
-	case 2:
-		return parseTwoPartForwardSpec(parts, spec)
-	case 3:
-		return parseThreePartForwardSpec(parts)
-	case 4:
-		return parseFourPartForwardSpec(parts)
-	default:
-		return "", "", fmt.Errorf("invalid port forward specification: %s", spec)
-	}
-}
-
-// parseTwoPartForwardSpec handles "port:unix_socket" format.
-func parseTwoPartForwardSpec(parts []string, spec string) (string, string, error) {
-	if isUnixSocket(parts[1]) {
-		localAddr := "localhost:" + parts[0]
-		remoteAddr := parts[1]
-		return localAddr, remoteAddr, nil
-	}
-	return "", "", fmt.Errorf("invalid port forward specification: %s (expected format: [local_host:]local_port:remote_host:remote_port or [local_host:]local_port:unix_socket)", spec)
-}
-
-// parseThreePartForwardSpec handles "port:host:hostport" or "host:port:unix_socket" formats.
-func parseThreePartForwardSpec(parts []string) (string, string, error) {
-	if isUnixSocket(parts[2]) {
-		localHost := normalizeLocalHost(parts[0])
-		localAddr := localHost + ":" + parts[1]
-		remoteAddr := parts[2]
-		return localAddr, remoteAddr, nil
-	}
-	localAddr := "localhost:" + parts[0]
-	remoteAddr := parts[1] + ":" + parts[2]
-	return localAddr, remoteAddr, nil
-}
-
-// parseFourPartForwardSpec handles "host:port:host:hostport" format.
-func parseFourPartForwardSpec(parts []string) (string, string, error) {
-	localHost := normalizeLocalHost(parts[0])
-	localAddr := localHost + ":" + parts[1]
-	remoteAddr := parts[2] + ":" + parts[3]
-	return localAddr, remoteAddr, nil
-}
-
-// parseIPv6ForwardSpec handles "[host]:port:host:hostport" format.
-func parseIPv6ForwardSpec(spec string) (string, string, error) {
-	idx := strings.Index(spec, "]:")
-	if idx == -1 {
-		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s", spec)
-	}
-
-	ipv6Host := spec[:idx+1]
-	remaining := spec[idx+2:]
-
-	parts := strings.Split(remaining, ":")
-	if len(parts) != 3 {
-		return "", "", fmt.Errorf("invalid IPv6 port forward specification: %s (expected [ipv6]:port:host:hostport)", spec)
-	}
-
-	localAddr := ipv6Host + ":" + parts[0]
-	remoteAddr := parts[1] + ":" + parts[2]
-	return localAddr, remoteAddr, nil
-}
-
-// isUnixSocket checks if a path is a Unix socket path.
-func isUnixSocket(path string) bool {
-	return strings.HasPrefix(path, "/") || strings.HasPrefix(path, "./")
-}
-
-// normalizeLocalHost converts "*" to "0.0.0.0" for binding to all interfaces.
-func normalizeLocalHost(host string) string {
-	if host == "*" {
-		return "0.0.0.0"
-	}
-	return host
-}
-
-var sshProxyCmd = &cobra.Command{
-	Use:    "proxy <host> <port>",
-	Short:  "Internal SSH proxy for native SSH client integration",
-	Long:   "Internal command used by SSH ProxyCommand to handle JWT authentication",
-	Hidden: true,
-	Args:   cobra.ExactArgs(2),
-	RunE:   sshProxyFn,
-}
-
-func sshProxyFn(cmd *cobra.Command, args []string) error {
-	logOutput := "console"
-	if firstLogFile := util.FindFirstLogPath(logFiles); firstLogFile != "" && firstLogFile != defaultLogFile {
-		logOutput = firstLogFile
-	}
-	if err := util.InitLog(logLevel, logOutput); err != nil {
-		return fmt.Errorf("init log: %w", err)
-	}
-
-	host := args[0]
-	portStr := args[1]
-
-	port, err := strconv.Atoi(portStr)
-	if err != nil {
-		return fmt.Errorf("invalid port: %s", portStr)
-	}
-
-	proxy, err := sshproxy.New(daemonAddr, host, port, cmd.ErrOrStderr())
-	if err != nil {
-		return fmt.Errorf("create SSH proxy: %w", err)
-	}
-
-	if err := proxy.Connect(cmd.Context()); err != nil {
-		return fmt.Errorf("SSH proxy: %w", err)
-	}
-
-	return nil
-}
-
-var sshDetectCmd = &cobra.Command{
-	Use:    "detect <host> <port>",
-	Short:  "Detect if a host is running NetBird SSH",
-	Long:   "Internal command used by SSH Match exec to detect NetBird SSH servers. Exit codes: 0=JWT, 1=no-JWT, 2=regular SSH",
-	Hidden: true,
-	Args:   cobra.ExactArgs(2),
-	RunE:   sshDetectFn,
-}
-
-func sshDetectFn(cmd *cobra.Command, args []string) error {
-	if err := util.InitLog(logLevel, "console"); err != nil {
-		os.Exit(detection.ServerTypeRegular.ExitCode())
-	}
-
-	host := args[0]
-	portStr := args[1]
-
-	port, err := strconv.Atoi(portStr)
-	if err != nil {
-		os.Exit(detection.ServerTypeRegular.ExitCode())
-	}
-
-	dialer := &net.Dialer{Timeout: detection.Timeout}
-	serverType, err := detection.DetectSSHServerType(cmd.Context(), dialer, host, port)
-	if err != nil {
-		os.Exit(detection.ServerTypeRegular.ExitCode())
-	}
-
-	os.Exit(serverType.ExitCode())
-	return nil
+func init() {
+	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", nbssh.DefaultSSHPort, "Sets remote SSH port. Defaults to "+fmt.Sprint(nbssh.DefaultSSHPort))
 }

client/cmd/ssh_exec_unix.go

@@ -1,74 +0,0 @@
-//go:build unix
-
-package cmd
-
-import (
-	"fmt"
-	"os"
-
-	"github.com/spf13/cobra"
-
-	sshserver "github.com/netbirdio/netbird/client/ssh/server"
-)
-
-var (
-	sshExecUID        uint32
-	sshExecGID        uint32
-	sshExecGroups     []uint
-	sshExecWorkingDir string
-	sshExecShell      string
-	sshExecCommand    string
-	sshExecPTY        bool
-)
-
-// sshExecCmd represents the hidden ssh exec subcommand for privilege dropping
-var sshExecCmd = &cobra.Command{
-	Use:    "exec",
-	Short:  "Internal SSH execution with privilege dropping (hidden)",
-	Hidden: true,
-	RunE:   runSSHExec,
-}
-
-func init() {
-	sshExecCmd.Flags().Uint32Var(&sshExecUID, "uid", 0, "Target user ID")
-	sshExecCmd.Flags().Uint32Var(&sshExecGID, "gid", 0, "Target group ID")
-	sshExecCmd.Flags().UintSliceVar(&sshExecGroups, "groups", nil, "Supplementary group IDs (can be repeated)")
-	sshExecCmd.Flags().StringVar(&sshExecWorkingDir, "working-dir", "", "Working directory")
-	sshExecCmd.Flags().StringVar(&sshExecShell, "shell", "/bin/sh", "Shell to execute")
-	sshExecCmd.Flags().BoolVar(&sshExecPTY, "pty", false, "Request PTY (will fail as executor doesn't support PTY)")
-	sshExecCmd.Flags().StringVar(&sshExecCommand, "cmd", "", "Command to execute")
-
-	if err := sshExecCmd.MarkFlagRequired("uid"); err != nil {
-		_, _ = fmt.Fprintf(os.Stderr, "failed to mark uid flag as required: %v\n", err)
-		os.Exit(1)
-	}
-	if err := sshExecCmd.MarkFlagRequired("gid"); err != nil {
-		_, _ = fmt.Fprintf(os.Stderr, "failed to mark gid flag as required: %v\n", err)
-		os.Exit(1)
-	}
-
-	sshCmd.AddCommand(sshExecCmd)
-}
-
-// runSSHExec handles the SSH exec subcommand execution.
-func runSSHExec(cmd *cobra.Command, _ []string) error {
-	privilegeDropper := sshserver.NewPrivilegeDropper()
-
-	var groups []uint32
-	for _, groupInt := range sshExecGroups {
-		groups = append(groups, uint32(groupInt))
-	}
-
-	config := sshserver.ExecutorConfig{
-		UID:        sshExecUID,
-		GID:        sshExecGID,
-		Groups:     groups,
-		WorkingDir: sshExecWorkingDir,
-		Shell:      sshExecShell,
-		Command:    sshExecCommand,
-		PTY:        sshExecPTY,
-	}
-
-	privilegeDropper.ExecuteWithPrivilegeDrop(cmd.Context(), config)
-	return nil
-}

client/cmd/ssh_sftp_unix.go

@@ -1,94 +0,0 @@
-//go:build unix
-
-package cmd
-
-import (
-	"errors"
-	"io"
-	"os"
-
-	"github.com/pkg/sftp"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	sshserver "github.com/netbirdio/netbird/client/ssh/server"
-)
-
-var (
-	sftpUID        uint32
-	sftpGID        uint32
-	sftpGroupsInt  []uint
-	sftpWorkingDir string
-)
-
-var sshSftpCmd = &cobra.Command{
-	Use:    "sftp",
-	Short:  "SFTP server with privilege dropping (internal use)",
-	Hidden: true,
-	RunE:   sftpMain,
-}
-
-func init() {
-	sshSftpCmd.Flags().Uint32Var(&sftpUID, "uid", 0, "Target user ID")
-	sshSftpCmd.Flags().Uint32Var(&sftpGID, "gid", 0, "Target group ID")
-	sshSftpCmd.Flags().UintSliceVar(&sftpGroupsInt, "groups", nil, "Supplementary group IDs (can be repeated)")
-	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
-}
-
-func sftpMain(cmd *cobra.Command, _ []string) error {
-	privilegeDropper := sshserver.NewPrivilegeDropper()
-
-	var groups []uint32
-	for _, groupInt := range sftpGroupsInt {
-		groups = append(groups, uint32(groupInt))
-	}
-
-	config := sshserver.ExecutorConfig{
-		UID:        sftpUID,
-		GID:        sftpGID,
-		Groups:     groups,
-		WorkingDir: sftpWorkingDir,
-		Shell:      "",
-		Command:    "",
-	}
-
-	log.Tracef("dropping privileges for SFTP to UID=%d, GID=%d, groups=%v", config.UID, config.GID, config.Groups)
-
-	if err := privilegeDropper.DropPrivileges(config.UID, config.GID, config.Groups); err != nil {
-		cmd.PrintErrf("privilege drop failed: %v\n", err)
-		os.Exit(sshserver.ExitCodePrivilegeDropFail)
-	}
-
-	if config.WorkingDir != "" {
-		if err := os.Chdir(config.WorkingDir); err != nil {
-			cmd.PrintErrf("failed to change to working directory %s: %v\n", config.WorkingDir, err)
-		}
-	}
-
-	sftpServer, err := sftp.NewServer(struct {
-		io.Reader
-		io.WriteCloser
-	}{
-		Reader:      os.Stdin,
-		WriteCloser: os.Stdout,
-	})
-	if err != nil {
-		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
-		os.Exit(sshserver.ExitCodeShellExecFail)
-	}
-
-	log.Tracef("starting SFTP server with dropped privileges")
-	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
-		cmd.PrintErrf("SFTP server error: %v\n", err)
-		if closeErr := sftpServer.Close(); closeErr != nil {
-			cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
-		}
-		os.Exit(sshserver.ExitCodeShellExecFail)
-	}
-
-	if closeErr := sftpServer.Close(); closeErr != nil {
-		cmd.PrintErrf("SFTP server close error: %v\n", closeErr)
-	}
-	os.Exit(sshserver.ExitCodeSuccess)
-	return nil
-}

client/cmd/ssh_sftp_windows.go

@@ -1,93 +0,0 @@
-//go:build windows
-
-package cmd
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"os/user"
-
-	"github.com/pkg/sftp"
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	sshserver "github.com/netbirdio/netbird/client/ssh/server"
-)
-
-var (
-	sftpWorkingDir  string
-	windowsUsername string
-	windowsDomain   string
-)
-
-var sshSftpCmd = &cobra.Command{
-	Use:    "sftp",
-	Short:  "SFTP server with user switching for Windows (internal use)",
-	Hidden: true,
-	RunE:   sftpMain,
-}
-
-func init() {
-	sshSftpCmd.Flags().StringVar(&sftpWorkingDir, "working-dir", "", "Working directory")
-	sshSftpCmd.Flags().StringVar(&windowsUsername, "windows-username", "", "Windows username for user switching")
-	sshSftpCmd.Flags().StringVar(&windowsDomain, "windows-domain", "", "Windows domain for user switching")
-}
-
-func sftpMain(cmd *cobra.Command, _ []string) error {
-	return sftpMainDirect(cmd)
-}
-
-func sftpMainDirect(cmd *cobra.Command) error {
-	currentUser, err := user.Current()
-	if err != nil {
-		cmd.PrintErrf("failed to get current user: %v\n", err)
-		os.Exit(sshserver.ExitCodeValidationFail)
-	}
-
-	if windowsUsername != "" {
-		expectedUsername := windowsUsername
-		if windowsDomain != "" {
-			expectedUsername = fmt.Sprintf(`%s\%s`, windowsDomain, windowsUsername)
-		}
-		if currentUser.Username != expectedUsername && currentUser.Username != windowsUsername {
-			cmd.PrintErrf("user switching failed\n")
-			os.Exit(sshserver.ExitCodeValidationFail)
-		}
-	}
-
-	log.Debugf("SFTP process running as: %s (UID: %s, Name: %s)", currentUser.Username, currentUser.Uid, currentUser.Name)
-
-	if sftpWorkingDir != "" {
-		if err := os.Chdir(sftpWorkingDir); err != nil {
-			cmd.PrintErrf("failed to change to working directory %s: %v\n", sftpWorkingDir, err)
-		}
-	}
-
-	sftpServer, err := sftp.NewServer(struct {
-		io.Reader
-		io.WriteCloser
-	}{
-		Reader:      os.Stdin,
-		WriteCloser: os.Stdout,
-	})
-	if err != nil {
-		cmd.PrintErrf("SFTP server creation failed: %v\n", err)
-		os.Exit(sshserver.ExitCodeShellExecFail)
-	}
-
-	log.Debugf("starting SFTP server")
-	exitCode := sshserver.ExitCodeSuccess
-	if err := sftpServer.Serve(); err != nil && !errors.Is(err, io.EOF) {
-		cmd.PrintErrf("SFTP server error: %v\n", err)
-		exitCode = sshserver.ExitCodeShellExecFail
-	}
-
-	if err := sftpServer.Close(); err != nil {
-		log.Debugf("SFTP server close error: %v", err)
-	}
-
-	os.Exit(exitCode)
-	return nil
-}

client/cmd/ssh_test.go

@@ -1,669 +0,0 @@
-package cmd
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestSSHCommand_FlagParsing(t *testing.T) {
-	tests := []struct {
-		name         string
-		args         []string
-		expectedHost string
-		expectedUser string
-		expectedPort int
-		expectedCmd  string
-		expectError  bool
-	}{
-		{
-			name:         "basic host",
-			args:         []string{"hostname"},
-			expectedHost: "hostname",
-			expectedUser: "",
-			expectedPort: 22,
-			expectedCmd:  "",
-		},
-		{
-			name:         "user@host format",
-			args:         []string{"user@hostname"},
-			expectedHost: "hostname",
-			expectedUser: "user",
-			expectedPort: 22,
-			expectedCmd:  "",
-		},
-		{
-			name:         "host with command",
-			args:         []string{"hostname", "echo", "hello"},
-			expectedHost: "hostname",
-			expectedUser: "",
-			expectedPort: 22,
-			expectedCmd:  "echo hello",
-		},
-		{
-			name:         "command with flags should be preserved",
-			args:         []string{"hostname", "ls", "-la", "/tmp"},
-			expectedHost: "hostname",
-			expectedUser: "",
-			expectedPort: 22,
-			expectedCmd:  "ls -la /tmp",
-		},
-		{
-			name:         "double dash separator",
-			args:         []string{"hostname", "--", "ls", "-la"},
-			expectedHost: "hostname",
-			expectedUser: "",
-			expectedPort: 22,
-			expectedCmd:  "-- ls -la",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-
-			// Mock command for testing
-			cmd := sshCmd
-			cmd.SetArgs(tt.args)
-
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-
-			if tt.expectError {
-				assert.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-			assert.Equal(t, tt.expectedHost, host, "host mismatch")
-			if tt.expectedUser != "" {
-				assert.Equal(t, tt.expectedUser, username, "username mismatch")
-			}
-			assert.Equal(t, tt.expectedPort, port, "port mismatch")
-			assert.Equal(t, tt.expectedCmd, command, "command mismatch")
-		})
-	}
-}
-
-func TestSSHCommand_FlagConflictPrevention(t *testing.T) {
-	// Test that SSH flags don't conflict with command flags
-	tests := []struct {
-		name        string
-		args        []string
-		expectedCmd string
-		description string
-	}{
-		{
-			name:        "ls with -la flags",
-			args:        []string{"hostname", "ls", "-la"},
-			expectedCmd: "ls -la",
-			description: "ls flags should be passed to remote command",
-		},
-		{
-			name:        "grep with -r flag",
-			args:        []string{"hostname", "grep", "-r", "pattern", "/path"},
-			expectedCmd: "grep -r pattern /path",
-			description: "grep flags should be passed to remote command",
-		},
-		{
-			name:        "ps with aux flags",
-			args:        []string{"hostname", "ps", "aux"},
-			expectedCmd: "ps aux",
-			description: "ps flags should be passed to remote command",
-		},
-		{
-			name:        "command with double dash",
-			args:        []string{"hostname", "--", "ls", "-la"},
-			expectedCmd: "-- ls -la",
-			description: "double dash should be preserved in command",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-
-			cmd := sshCmd
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-
-			assert.Equal(t, tt.expectedCmd, command, tt.description)
-		})
-	}
-}
-
-func TestSSHCommand_NonInteractiveExecution(t *testing.T) {
-	// Test that commands with arguments should execute the command and exit,
-	// not drop to an interactive shell
-	tests := []struct {
-		name        string
-		args        []string
-		expectedCmd string
-		shouldExit  bool
-		description string
-	}{
-		{
-			name:        "ls command should execute and exit",
-			args:        []string{"hostname", "ls"},
-			expectedCmd: "ls",
-			shouldExit:  true,
-			description: "ls command should execute and exit, not drop to shell",
-		},
-		{
-			name:        "ls with flags should execute and exit",
-			args:        []string{"hostname", "ls", "-la"},
-			expectedCmd: "ls -la",
-			shouldExit:  true,
-			description: "ls with flags should execute and exit, not drop to shell",
-		},
-		{
-			name:        "pwd command should execute and exit",
-			args:        []string{"hostname", "pwd"},
-			expectedCmd: "pwd",
-			shouldExit:  true,
-			description: "pwd command should execute and exit, not drop to shell",
-		},
-		{
-			name:        "echo command should execute and exit",
-			args:        []string{"hostname", "echo", "hello"},
-			expectedCmd: "echo hello",
-			shouldExit:  true,
-			description: "echo command should execute and exit, not drop to shell",
-		},
-		{
-			name:        "no command should open shell",
-			args:        []string{"hostname"},
-			expectedCmd: "",
-			shouldExit:  false,
-			description: "no command should open interactive shell",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-
-			cmd := sshCmd
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-
-			assert.Equal(t, tt.expectedCmd, command, tt.description)
-
-			// When command is present, it should execute the command and exit
-			// When command is empty, it should open interactive shell
-			hasCommand := command != ""
-			assert.Equal(t, tt.shouldExit, hasCommand, "Command presence should match expected behavior")
-		})
-	}
-}
-
-func TestSSHCommand_FlagHandling(t *testing.T) {
-	// Test that flags after hostname are not parsed by netbird but passed to SSH command
-	tests := []struct {
-		name         string
-		args         []string
-		expectedHost string
-		expectedCmd  string
-		expectError  bool
-		description  string
-	}{
-		{
-			name:         "ls with -la flag should not be parsed by netbird",
-			args:         []string{"debian2", "ls", "-la"},
-			expectedHost: "debian2",
-			expectedCmd:  "ls -la",
-			expectError:  false,
-			description:  "ls -la should be passed as SSH command, not parsed as netbird flags",
-		},
-		{
-			name:         "command with netbird-like flags should be passed through",
-			args:         []string{"hostname", "echo", "--help"},
-			expectedHost: "hostname",
-			expectedCmd:  "echo --help",
-			expectError:  false,
-			description:  "--help should be passed to echo, not parsed by netbird",
-		},
-		{
-			name:         "command with -p flag should not conflict with SSH port flag",
-			args:         []string{"hostname", "ps", "-p", "1234"},
-			expectedHost: "hostname",
-			expectedCmd:  "ps -p 1234",
-			expectError:  false,
-			description:  "ps -p should be passed to ps command, not parsed as port",
-		},
-		{
-			name:         "tar with flags should be passed through",
-			args:         []string{"hostname", "tar", "-czf", "backup.tar.gz", "/home"},
-			expectedHost: "hostname",
-			expectedCmd:  "tar -czf backup.tar.gz /home",
-			expectError:  false,
-			description:  "tar flags should be passed to tar command",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-
-			cmd := sshCmd
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-
-			if tt.expectError {
-				assert.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-			assert.Equal(t, tt.expectedHost, host, "host mismatch")
-			assert.Equal(t, tt.expectedCmd, command, tt.description)
-		})
-	}
-}
-
-func TestSSHCommand_RegressionFlagParsing(t *testing.T) {
-	// Regression test for the specific issue: "sudo ./netbird ssh debian2 ls -la"
-	// should not parse -la as netbird flags but pass them to the SSH command
-	tests := []struct {
-		name         string
-		args         []string
-		expectedHost string
-		expectedCmd  string
-		expectError  bool
-		description  string
-	}{
-		{
-			name:         "original issue: ls -la should be preserved",
-			args:         []string{"debian2", "ls", "-la"},
-			expectedHost: "debian2",
-			expectedCmd:  "ls -la",
-			expectError:  false,
-			description:  "The original failing case should now work",
-		},
-		{
-			name:         "ls -l should be preserved",
-			args:         []string{"hostname", "ls", "-l"},
-			expectedHost: "hostname",
-			expectedCmd:  "ls -l",
-			expectError:  false,
-			description:  "Single letter flags should be preserved",
-		},
-		{
-			name:         "SSH port flag should work",
-			args:         []string{"-p", "2222", "hostname", "ls", "-la"},
-			expectedHost: "hostname",
-			expectedCmd:  "ls -la",
-			expectError:  false,
-			description:  "SSH -p flag should be parsed, command flags preserved",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-
-			cmd := sshCmd
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-
-			if tt.expectError {
-				assert.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-			assert.Equal(t, tt.expectedHost, host, "host mismatch")
-			assert.Equal(t, tt.expectedCmd, command, tt.description)
-
-			// Check port for the test case with -p flag
-			if len(tt.args) > 0 && tt.args[0] == "-p" {
-				assert.Equal(t, 2222, port, "port should be parsed from -p flag")
-			}
-		})
-	}
-}
-
-func TestSSHCommand_PortForwardingFlagParsing(t *testing.T) {
-	tests := []struct {
-		name           string
-		args           []string
-		expectedHost   string
-		expectedLocal  []string
-		expectedRemote []string
-		expectError    bool
-		description    string
-	}{
-		{
-			name:           "local port forwarding -L",
-			args:           []string{"-L", "8080:localhost:80", "hostname"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"8080:localhost:80"},
-			expectedRemote: []string{},
-			expectError:    false,
-			description:    "Single -L flag should be parsed correctly",
-		},
-		{
-			name:           "remote port forwarding -R",
-			args:           []string{"-R", "8080:localhost:80", "hostname"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{},
-			expectedRemote: []string{"8080:localhost:80"},
-			expectError:    false,
-			description:    "Single -R flag should be parsed correctly",
-		},
-		{
-			name:           "multiple local port forwards",
-			args:           []string{"-L", "8080:localhost:80", "-L", "9090:localhost:443", "hostname"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"8080:localhost:80", "9090:localhost:443"},
-			expectedRemote: []string{},
-			expectError:    false,
-			description:    "Multiple -L flags should be parsed correctly",
-		},
-		{
-			name:           "multiple remote port forwards",
-			args:           []string{"-R", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{},
-			expectedRemote: []string{"8080:localhost:80", "9090:localhost:443"},
-			expectError:    false,
-			description:    "Multiple -R flags should be parsed correctly",
-		},
-		{
-			name:           "mixed local and remote forwards",
-			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "hostname"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"8080:localhost:80"},
-			expectedRemote: []string{"9090:localhost:443"},
-			expectError:    false,
-			description:    "Mixed -L and -R flags should be parsed correctly",
-		},
-		{
-			name:           "port forwarding with bind address",
-			args:           []string{"-L", "127.0.0.1:8080:localhost:80", "hostname"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"127.0.0.1:8080:localhost:80"},
-			expectedRemote: []string{},
-			expectError:    false,
-			description:    "Port forwarding with bind address should work",
-		},
-		{
-			name:           "port forwarding with command",
-			args:           []string{"-L", "8080:localhost:80", "hostname", "ls", "-la"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"8080:localhost:80"},
-			expectedRemote: []string{},
-			expectError:    false,
-			description:    "Port forwarding with command should work",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-			localForwards = nil
-			remoteForwards = nil
-
-			cmd := sshCmd
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-
-			if tt.expectError {
-				assert.Error(t, err)
-				return
-			}
-
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-			assert.Equal(t, tt.expectedHost, host, "host mismatch")
-			// Handle nil vs empty slice comparison
-			if len(tt.expectedLocal) == 0 {
-				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
-			} else {
-				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
-			}
-			if len(tt.expectedRemote) == 0 {
-				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
-			} else {
-				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
-			}
-		})
-	}
-}
-
-func TestParsePortForward(t *testing.T) {
-	tests := []struct {
-		name           string
-		spec           string
-		expectedLocal  string
-		expectedRemote string
-		expectError    bool
-		description    string
-	}{
-		{
-			name:           "simple port forward",
-			spec:           "8080:localhost:80",
-			expectedLocal:  "localhost:8080",
-			expectedRemote: "localhost:80",
-			expectError:    false,
-			description:    "Simple port:host:port format should work",
-		},
-		{
-			name:           "port forward with bind address",
-			spec:           "127.0.0.1:8080:localhost:80",
-			expectedLocal:  "127.0.0.1:8080",
-			expectedRemote: "localhost:80",
-			expectError:    false,
-			description:    "bind_address:port:host:port format should work",
-		},
-		{
-			name:           "port forward to different host",
-			spec:           "8080:example.com:443",
-			expectedLocal:  "localhost:8080",
-			expectedRemote: "example.com:443",
-			expectError:    false,
-			description:    "Forwarding to different host should work",
-		},
-		{
-			name:        "port forward with IPv6 (needs bracket support)",
-			spec:        "::1:8080:localhost:80",
-			expectError: true,
-			description: "IPv6 without brackets fails as expected (feature to implement)",
-		},
-		{
-			name:        "invalid format - too few parts",
-			spec:        "8080:localhost",
-			expectError: true,
-			description: "Invalid format with too few parts should fail",
-		},
-		{
-			name:        "invalid format - too many parts",
-			spec:        "127.0.0.1:8080:localhost:80:extra",
-			expectError: true,
-			description: "Invalid format with too many parts should fail",
-		},
-		{
-			name:        "empty spec",
-			spec:        "",
-			expectError: true,
-			description: "Empty spec should fail",
-		},
-		{
-			name:           "unix socket local forward",
-			spec:           "8080:/tmp/socket",
-			expectedLocal:  "localhost:8080",
-			expectedRemote: "/tmp/socket",
-			expectError:    false,
-			description:    "Unix socket forwarding should work",
-		},
-		{
-			name:           "unix socket with bind address",
-			spec:           "127.0.0.1:8080:/tmp/socket",
-			expectedLocal:  "127.0.0.1:8080",
-			expectedRemote: "/tmp/socket",
-			expectError:    false,
-			description:    "Unix socket with bind address should work",
-		},
-		{
-			name:           "wildcard bind all interfaces",
-			spec:           "*:8080:localhost:80",
-			expectedLocal:  "0.0.0.0:8080",
-			expectedRemote: "localhost:80",
-			expectError:    false,
-			description:    "Wildcard * should bind to all interfaces (0.0.0.0)",
-		},
-		{
-			name:           "wildcard for port only",
-			spec:           "8080:*:80",
-			expectedLocal:  "localhost:8080",
-			expectedRemote: "*:80",
-			expectError:    false,
-			description:    "Wildcard in remote host should be preserved",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			localAddr, remoteAddr, err := parsePortForwardSpec(tt.spec)
-
-			if tt.expectError {
-				assert.Error(t, err, tt.description)
-				return
-			}
-
-			require.NoError(t, err, tt.description)
-			assert.Equal(t, tt.expectedLocal, localAddr, tt.description+" - local address")
-			assert.Equal(t, tt.expectedRemote, remoteAddr, tt.description+" - remote address")
-		})
-	}
-}
-
-func TestSSHCommand_IntegrationPortForwarding(t *testing.T) {
-	// Integration test for port forwarding with the actual SSH command implementation
-	tests := []struct {
-		name           string
-		args           []string
-		expectedHost   string
-		expectedLocal  []string
-		expectedRemote []string
-		expectedCmd    string
-		description    string
-	}{
-		{
-			name:           "local forward with command",
-			args:           []string{"-L", "8080:localhost:80", "hostname", "echo", "test"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"8080:localhost:80"},
-			expectedRemote: []string{},
-			expectedCmd:    "echo test",
-			description:    "Local forwarding should work with commands",
-		},
-		{
-			name:           "remote forward with command",
-			args:           []string{"-R", "8080:localhost:80", "hostname", "ls", "-la"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{},
-			expectedRemote: []string{"8080:localhost:80"},
-			expectedCmd:    "ls -la",
-			description:    "Remote forwarding should work with commands",
-		},
-		{
-			name:           "multiple forwards with user and command",
-			args:           []string{"-L", "8080:localhost:80", "-R", "9090:localhost:443", "user@hostname", "ps", "aux"},
-			expectedHost:   "hostname",
-			expectedLocal:  []string{"8080:localhost:80"},
-			expectedRemote: []string{"9090:localhost:443"},
-			expectedCmd:    "ps aux",
-			description:    "Complex case with multiple forwards, user, and command",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Reset global variables
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-			localForwards = nil
-			remoteForwards = nil
-
-			cmd := sshCmd
-			err := validateSSHArgsWithoutFlagParsing(cmd, tt.args)
-			require.NoError(t, err, "SSH args validation should succeed for valid input")
-
-			assert.Equal(t, tt.expectedHost, host, "host mismatch")
-			// Handle nil vs empty slice comparison
-			if len(tt.expectedLocal) == 0 {
-				assert.True(t, len(localForwards) == 0, tt.description+" - local forwards should be empty")
-			} else {
-				assert.Equal(t, tt.expectedLocal, localForwards, tt.description+" - local forwards")
-			}
-			if len(tt.expectedRemote) == 0 {
-				assert.True(t, len(remoteForwards) == 0, tt.description+" - remote forwards should be empty")
-			} else {
-				assert.Equal(t, tt.expectedRemote, remoteForwards, tt.description+" - remote forwards")
-			}
-			assert.Equal(t, tt.expectedCmd, command, tt.description+" - command")
-		})
-	}
-}
-
-func TestSSHCommand_ParameterIsolation(t *testing.T) {
-	tests := []struct {
-		name        string
-		args        []string
-		expectedCmd string
-	}{
-		{
-			name:        "cmd flag passed as command",
-			args:        []string{"hostname", "--cmd", "echo test"},
-			expectedCmd: "--cmd echo test",
-		},
-		{
-			name:        "uid flag passed as command",
-			args:        []string{"hostname", "--uid", "1000"},
-			expectedCmd: "--uid 1000",
-		},
-		{
-			name:        "shell flag passed as command",
-			args:        []string{"hostname", "--shell", "/bin/bash"},
-			expectedCmd: "--shell /bin/bash",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			host = ""
-			username = ""
-			port = 22
-			command = ""
-
-			err := validateSSHArgsWithoutFlagParsing(sshCmd, tt.args)
-			require.NoError(t, err)
-
-			assert.Equal(t, "hostname", host)
-			assert.Equal(t, tt.expectedCmd, command)
-		})
-	}
-}

client/cmd/status.go

@@ -68,7 +68,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 
 	ctx := internal.CtxInitState(cmd.Context())
 
-	resp, err := getStatus(ctx, false)
+	resp, err := getStatus(ctx)
 	if err != nil {
 		return err
 	}
@@ -121,7 +121,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
-func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
@@ -130,7 +130,7 @@ func getStatus(ctx context.Context, shouldRunProbes bool) (*proto.StatusResponse
 	}
 	defer conn.Close()
 
-	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: shouldRunProbes})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true, ShouldRunProbes: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}

client/cmd/testutil_test.go

@@ -110,7 +110,7 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		Return(&types.Settings{}, nil).
 		AnyTimes()
 
-	accountManager, err := mgmt.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
+	accountManager, err := mgmt.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManagerMock, false)
 	if err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -348,21 +348,6 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 	if cmd.Flag(serverSSHAllowedFlag).Changed {
 		req.ServerSSHAllowed = &serverSSHAllowed
 	}
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		req.EnableSSHRoot = &enableSSHRoot
-	}
-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		req.EnableSSHSFTP = &enableSSHSFTP
-	}
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		req.EnableSSHLocalPortForward = &enableSSHLocalPortForward
-	}
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		req.EnableSSHRemotePortForward = &enableSSHRemotePortForward
-	}
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		req.DisableSSHAuth = &disableSSHAuth
-	}
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			log.Errorf("parse interface name: %v", err)
@@ -447,26 +432,6 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.ServerSSHAllowed = &serverSSHAllowed
 	}
 
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		ic.EnableSSHRoot = &enableSSHRoot
-	}
-
-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		ic.EnableSSHSFTP = &enableSSHSFTP
-	}
-
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		ic.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
-	}
-
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		ic.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
-	}
-
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		ic.DisableSSHAuth = &disableSSHAuth
-	}
-
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return nil, err
@@ -567,26 +532,6 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.ServerSSHAllowed = &serverSSHAllowed
 	}
 
-	if cmd.Flag(enableSSHRootFlag).Changed {
-		loginRequest.EnableSSHRoot = &enableSSHRoot
-	}
-
-	if cmd.Flag(enableSSHSFTPFlag).Changed {
-		loginRequest.EnableSSHSFTP = &enableSSHSFTP
-	}
-
-	if cmd.Flag(enableSSHLocalPortForwardFlag).Changed {
-		loginRequest.EnableSSHLocalPortForwarding = &enableSSHLocalPortForward
-	}
-
-	if cmd.Flag(enableSSHRemotePortForwardFlag).Changed {
-		loginRequest.EnableSSHRemotePortForwarding = &enableSSHRemotePortForward
-	}
-
-	if cmd.Flag(disableSSHAuthFlag).Changed {
-		loginRequest.DisableSSHAuth = &disableSSHAuth
-	}
-
 	if cmd.Flag(disableAutoConnectFlag).Changed {
 		loginRequest.DisableAutoConnect = &autoConnectDisabled
 	}

client/embed/embed.go

@@ -18,16 +18,12 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
-	sshcommon "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 )
 
-var (
-	ErrClientAlreadyStarted = errors.New("client already started")
-	ErrClientNotStarted     = errors.New("client not started")
-	ErrEngineNotStarted     = errors.New("engine not started")
-	ErrConfigNotInitialized = errors.New("config not initialized")
-)
+var ErrClientAlreadyStarted = errors.New("client already started")
+var ErrClientNotStarted = errors.New("client not started")
+var ErrConfigNotInitialized = errors.New("config not initialized")
 
 // Client manages a netbird embedded client instance.
 type Client struct {
@@ -242,9 +238,17 @@ func (c *Client) GetConfig() (profilemanager.Config, error) {
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
+	c.mu.Lock()
+	connect := c.connect
+	if connect == nil {
+		c.mu.Unlock()
+		return nil, ErrClientNotStarted
+	}
+	c.mu.Unlock()
+
+	engine := connect.Engine()
+	if engine == nil {
+		return nil, errors.New("engine not started")
 	}
 
 	nsnet, err := engine.GetNet()
@@ -255,11 +259,6 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
-// DialContext dials a network address in the netbird network with context
-func (c *Client) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
-	return c.Dial(ctx, network, address)
-}
-
 // ListenTCP listens on the given address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
@@ -315,47 +314,18 @@ func (c *Client) NewHTTPClient() *http.Client {
 	}
 }
 
-// VerifySSHHostKey verifies an SSH host key against stored peer keys.
-// Returns nil if the key matches, ErrPeerNotFound if peer is not in network,
-// ErrNoStoredKey if peer has no stored key, or an error for verification failures.
-func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
-	engine, err := c.getEngine()
-	if err != nil {
-		return err
-	}
-
-	storedKey, found := engine.GetPeerSSHKey(peerAddress)
-	if !found {
-		return sshcommon.ErrPeerNotFound
-	}
-
-	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
-}
-
-// getEngine safely retrieves the engine from the client with proper locking.
-// Returns ErrClientNotStarted if the client is not started.
-// Returns ErrEngineNotStarted if the engine is not available.
-func (c *Client) getEngine() (*internal.Engine, error) {
+func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
 	c.mu.Lock()
 	connect := c.connect
-	c.mu.Unlock()
-
 	if connect == nil {
-		return nil, ErrClientNotStarted
+		c.mu.Unlock()
+		return nil, netip.Addr{}, errors.New("client not started")
 	}
+	c.mu.Unlock()
 
 	engine := connect.Engine()
 	if engine == nil {
-		return nil, ErrEngineNotStarted
-	}
-
-	return engine, nil
-}
-
-func (c *Client) getNet() (*wgnetstack.Net, netip.Addr, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, netip.Addr{}, err
+		return nil, netip.Addr{}, errors.New("engine not started")
 	}
 
 	addr, err := engine.Address()

client/firewall/create.go

@@ -15,13 +15,13 @@ import (
 )
 
 // NewFirewall creates a firewall manager instance
-func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, _ *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
 	if !iface.IsUserspaceBind() {
 		return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
 	}
 
 	// use userspace packet filtering firewall
-	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
+	fm, err := uspfilter.Create(iface, disableServerRoutes, flowLogger)
 	if err != nil {
 		return nil, err
 	}

client/firewall/create_linux.go

@@ -34,12 +34,12 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 // FWType is the type for the firewall type
 type FWType int
 
-func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
+func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool) (firewall.Manager, error) {
 	// on the linux system we try to user nftables or iptables
 	// in any case, because we need to allow netbird interface traffic
 	// so we use AllowNetbird traffic from these firewall managers
 	// for the userspace packet filtering firewall
-	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
+	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes)
 
 	if !iface.IsUserspaceBind() {
 		return fm, err
@@ -48,11 +48,11 @@ func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogg
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
 	}
-	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger)
 }
 
-func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
-	fm, err := createFW(iface, mtu)
+func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool) (firewall.Manager, error) {
+	fm, err := createFW(iface)
 	if err != nil {
 		return nil, fmt.Errorf("create firewall: %s", err)
 	}
@@ -64,26 +64,26 @@ func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager,
 	return fm, nil
 }
 
-func createFW(iface IFaceMapper, mtu uint16) (firewall.Manager, error) {
+func createFW(iface IFaceMapper) (firewall.Manager, error) {
 	switch check() {
 	case IPTABLES:
 		log.Info("creating an iptables firewall manager")
-		return nbiptables.Create(iface, mtu)
+		return nbiptables.Create(iface)
 	case NFTABLES:
 		log.Info("creating an nftables firewall manager")
-		return nbnftables.Create(iface, mtu)
+		return nbnftables.Create(iface)
 	default:
 		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 		return nil, errors.New("no firewall manager found")
 	}
 }
 
-func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (firewall.Manager, error) {
+func createUserspaceFirewall(iface IFaceMapper, fm firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (firewall.Manager, error) {
 	var errUsp error
 	if fm != nil {
-		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
+		fm, errUsp = uspfilter.CreateWithNativeFirewall(iface, fm, disableServerRoutes, flowLogger)
 	} else {
-		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger, mtu)
+		fm, errUsp = uspfilter.Create(iface, disableServerRoutes, flowLogger)
 	}
 
 	if errUsp != nil {

client/firewall/iptables/manager_linux.go

@@ -36,7 +36,7 @@ type iFaceMapper interface {
 }
 
 // Create iptables firewall manager
-func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
+func Create(wgIface iFaceMapper) (*Manager, error) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("init iptables: %w", err)
@@ -47,7 +47,7 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 		ipv4Client: iptablesClient,
 	}
 
-	m.router, err = newRouter(iptablesClient, wgIface, mtu)
+	m.router, err = newRouter(iptablesClient, wgIface)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -66,7 +66,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
-			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -261,22 +260,6 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 func getConntrackEstablished() []string {
 	return []string{"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
 }

client/firewall/iptables/manager_linux_test.go

@@ -11,7 +11,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -54,7 +53,7 @@ func TestIptablesManager(t *testing.T) {
 	require.NoError(t, err)
 
 	// just check on the local interface
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -115,7 +114,7 @@ func TestIptablesManagerDenyRules(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)
 
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -199,7 +198,7 @@ func TestIptablesManagerIPSet(t *testing.T) {
 	}
 
 	// just check on the local interface
-	manager, err := Create(mock, iface.DefaultMTU)
+	manager, err := Create(mock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -265,7 +264,7 @@ func TestIptablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock, iface.DefaultMTU)
+			manager, err := Create(mock)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second)

client/firewall/iptables/router_linux.go

@@ -30,20 +30,17 @@ const (
 
 	chainPOSTROUTING        = "POSTROUTING"
 	chainPREROUTING         = "PREROUTING"
-	chainFORWARD            = "FORWARD"
 	chainRTNAT              = "NETBIRD-RT-NAT"
 	chainRTFWDIN            = "NETBIRD-RT-FWD-IN"
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
-	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
 
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
-	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
 	matchSet       = "--match-set"
@@ -51,9 +48,6 @@ const (
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
 	fwdSuffix  = "_fwd"
-
-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
 )
 
 type ruleInfo struct {
@@ -83,18 +77,16 @@ type router struct {
 	ipsetCounter     *ipsetCounter
 	wgIface          iFaceMapper
 	legacyManagement bool
-	mtu              uint16
 
 	stateManager *statemanager.Manager
 	ipFwdState   *ipfwdstate.IPForwardingState
 }
 
-func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper, mtu uint16) (*router, error) {
+func newRouter(iptablesClient *iptables.IPTables, wgIface iFaceMapper) (*router, error) {
 	r := &router{
 		iptablesClient: iptablesClient,
 		rules:          make(map[string][]string),
 		wgIface:        wgIface,
-		mtu:            mtu,
 		ipFwdState:     ipfwdstate.NewIPForwardingState(),
 	}
 
@@ -400,7 +392,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
-		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
 		if err != nil {
@@ -425,7 +416,6 @@ func (r *router) createContainers() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
-		{chainRTMSSCLAMP, tableMangle},
 	} {
 		if err := r.iptablesClient.NewChain(chainInfo.table, chainInfo.chain); err != nil {
 			return fmt.Errorf("create chain %s in table %s: %w", chainInfo.chain, chainInfo.table, err)
@@ -448,10 +438,6 @@ func (r *router) createContainers() error {
 		return fmt.Errorf("add jump rules: %w", err)
 	}
 
-	if err := r.addMSSClampingRules(); err != nil {
-		log.Errorf("failed to add MSS clamping rules: %s", err)
-	}
-
 	return nil
 }
 
@@ -532,35 +518,6 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 
-// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
-// TODO: Add IPv6 support
-func (r *router) addMSSClampingRules() error {
-	mss := r.mtu - ipTCPHeaderMinSize
-
-	// Add jump rule from FORWARD chain in mangle table to our custom chain
-	jumpRule := []string{
-		"-j", chainRTMSSCLAMP,
-	}
-	if err := r.iptablesClient.Insert(tableMangle, chainFORWARD, 1, jumpRule...); err != nil {
-		return fmt.Errorf("add jump to MSS clamp chain: %w", err)
-	}
-	r.rules[jumpMSSClamp] = jumpRule
-
-	ruleOut := []string{
-		"-o", r.wgIface.Name(),
-		"-p", "tcp",
-		"--tcp-flags", "SYN,RST", "SYN",
-		"-j", "TCPMSS",
-		"--set-mss", fmt.Sprintf("%d", mss),
-	}
-	if err := r.iptablesClient.Append(tableMangle, chainRTMSSCLAMP, ruleOut...); err != nil {
-		return fmt.Errorf("add outbound MSS clamp rule: %w", err)
-	}
-	r.rules["mss-clamp-out"] = ruleOut
-
-	return nil
-}
-
 func (r *router) insertEstablishedRule(chain string) error {
 	establishedRule := getConntrackEstablished()
 
@@ -601,7 +558,7 @@ func (r *router) addJumpRules() error {
 }
 
 func (r *router) cleanJumpRules() error {
-	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre, jumpMSSClamp} {
+	for _, ruleKey := range []string{jumpNatPost, jumpManglePre, jumpNatPre} {
 		if rule, exists := r.rules[ruleKey]; exists {
 			var table, chain string
 			switch ruleKey {
@@ -614,9 +571,6 @@ func (r *router) cleanJumpRules() error {
 			case jumpNatPre:
 				table = tableNat
 				chain = chainPREROUTING
-			case jumpMSSClamp:
-				table = tableMangle
-				chain = chainFORWARD
 			default:
 				return fmt.Errorf("unknown jump rule: %s", ruleKey)
 			}
@@ -926,54 +880,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	dnatRule := []string{
-		"-i", r.wgIface.Name(),
-		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
-		"-d", localAddr.String(),
-		"-m", "addrtype", "--dst-type", "LOCAL",
-		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
-	}
-
-	ruleInfo := ruleInfo{
-		table: tableNat,
-		chain: chainRTRDR,
-		rule:  dnatRule,
-	}
-
-	if err := r.iptablesClient.Append(ruleInfo.table, ruleInfo.chain, ruleInfo.rule...); err != nil {
-		return fmt.Errorf("add inbound DNAT rule: %w", err)
-	}
-	r.rules[ruleID] = ruleInfo.rule
-
-	r.updateState()
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if dnatRule, exists := r.rules[ruleID]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainRTRDR, dnatRule...); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	r.updateState()
-	return nil
-}
-
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil

client/firewall/iptables/router_linux_test.go

@@ -14,7 +14,6 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	"github.com/netbirdio/netbird/client/iface"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
@@ -31,7 +30,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "failed to init iptables client")
 
-	manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+	manager, err := newRouter(iptablesClient, ifaceMock)
 	require.NoError(t, err, "should return a valid iptables manager")
 	require.NoError(t, manager.init(nil))
 
@@ -39,6 +38,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		assert.NoError(t, manager.Reset(), "shouldn't return error")
 	}()
 
+	// Now 5 rules:
 	// 1. established rule forward in
 	// 2. estbalished rule forward out
 	// 3. jump rule to POST nat chain
@@ -48,9 +48,7 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 	// 7. static return masquerade rule
 	// 8. mangle prerouting mark rule
 	// 9. mangle postrouting mark rule
-	// 10. jump rule to MSS clamping chain
-	// 11. MSS clamping rule for outbound traffic
-	require.Len(t, manager.rules, 11, "should have created rules map")
+	require.Len(t, manager.rules, 9, "should have created rules map")
 
 	exists, err := manager.iptablesClient.Exists(tableNat, chainPOSTROUTING, "-j", chainRTNAT)
 	require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainPOSTROUTING)
@@ -84,7 +82,7 @@ func TestIptablesManager_AddNatRule(t *testing.T) {
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")
 
-			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+			manager, err := newRouter(iptablesClient, ifaceMock)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 
@@ -157,7 +155,7 @@ func TestIptablesManager_RemoveNatRule(t *testing.T) {
 		t.Run(testCase.Name, func(t *testing.T) {
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 
-			manager, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+			manager, err := newRouter(iptablesClient, ifaceMock)
 			require.NoError(t, err, "shouldn't return error")
 			require.NoError(t, manager.init(nil))
 			defer func() {
@@ -219,7 +217,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 	iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err, "Failed to create iptables client")
 
-	r, err := newRouter(iptablesClient, ifaceMock, iface.DefaultMTU)
+	r, err := newRouter(iptablesClient, ifaceMock)
 	require.NoError(t, err, "Failed to create router manager")
 	require.NoError(t, r.init(nil))
 

client/firewall/iptables/state_linux.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"sync"
 
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -12,7 +11,6 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
-	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -44,11 +42,7 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	mtu := s.InterfaceState.MTU
-	if mtu == 0 {
-		mtu = iface.DefaultMTU
-	}
-	ipt, err := Create(s.InterfaceState, mtu)
+	ipt, err := Create(s.InterfaceState)
 	if err != nil {
 		return fmt.Errorf("create iptables manager: %w", err)
 	}

client/firewall/manager/firewall.go

@@ -100,9 +100,6 @@ type Manager interface {
 	//
 	// If comment argument is empty firewall manager should set
 	// rule ID as comment for the rule
-	//
-	// Note: Callers should call Flush() after adding rules to ensure
-	// they are applied to the kernel and rule handles are refreshed.
 	AddPeerFiltering(
 		id []byte,
 		ip net.IP,
@@ -154,20 +151,14 @@ type Manager interface {
 
 	DisableRouting() error
 
-	// AddDNATRule adds outbound DNAT rule for forwarding external traffic to the NetBird network.
+	// AddDNATRule adds a DNAT rule
 	AddDNATRule(ForwardRule) (Rule, error)
 
-	// DeleteDNATRule deletes the outbound DNAT rule.
+	// DeleteDNATRule deletes a DNAT rule
 	DeleteDNATRule(Rule) error
 
 	// UpdateSet updates the set with the given prefixes
 	UpdateSet(hash Set, prefixes []netip.Prefix) error
-
-	// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services
-	AddInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// RemoveInboundDNAT removes inbound DNAT rule
-	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 }
 
 func GenKey(format string, pair RouterPair) string {

client/firewall/nftables/acl_linux.go

@@ -29,6 +29,8 @@ const (
 	chainNameForwardFilter     = "netbird-acl-forward-filter"
 	chainNameManglePrerouting  = "netbird-mangle-prerouting"
 	chainNameManglePostrouting = "netbird-mangle-postrouting"
+
+	allowNetbirdInputRuleID = "allow Netbird incoming traffic"
 )
 
 const flushError = "flush: %w"
@@ -193,6 +195,25 @@ func (m *AclManager) DeletePeerRule(rule firewall.Rule) error {
 // createDefaultAllowRules creates default allow rules for the input and output chains
 func (m *AclManager) createDefaultAllowRules() error {
 	expIn := []expr.Any{
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       12,
+			Len:          4,
+		},
+		// mask
+		&expr.Bitwise{
+			SourceRegister: 1,
+			DestRegister:   1,
+			Len:            4,
+			Mask:           []byte{0, 0, 0, 0},
+			Xor:            []byte{0, 0, 0, 0},
+		},
+		// net address
+		&expr.Cmp{
+			Register: 1,
+			Data:     []byte{0, 0, 0, 0},
+		},
 		&expr.Verdict{
 			Kind: expr.VerdictAccept,
 		},
@@ -237,7 +258,7 @@ func (m *AclManager) addIOFiltering(
 	action firewall.Action,
 	ipset *nftables.Set,
 ) (*Rule, error) {
-	ruleId := generatePeerRuleId(ip, proto, sPort, dPort, action, ipset)
+	ruleId := generatePeerRuleId(ip, sPort, dPort, action, ipset)
 	if r, ok := m.rules[ruleId]; ok {
 		return &Rule{
 			nftRule:    r.nftRule,
@@ -336,12 +357,11 @@ func (m *AclManager) addIOFiltering(
 	}
 
 	if err := m.rConn.Flush(); err != nil {
-		return nil, fmt.Errorf("flush input rule %s: %v", ruleId, err)
+		return nil, fmt.Errorf(flushError, err)
 	}
 
 	ruleStruct := &Rule{
-		nftRule: nftRule,
-		// best effort mangle rule
+		nftRule:    nftRule,
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
@@ -400,19 +420,12 @@ func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byt
 		},
 	)
 
-	nfRule := m.rConn.AddRule(&nftables.Rule{
+	return m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    m.chainPrerouting,
 		Exprs:    preroutingExprs,
 		UserData: userData,
 	})
-
-	if err := m.rConn.Flush(); err != nil {
-		log.Errorf("failed to flush mangle rule %s: %v", string(userData), err)
-		return nil
-	}
-
-	return nfRule
 }
 
 func (m *AclManager) createDefaultChains() (err error) {
@@ -684,8 +697,8 @@ func (m *AclManager) refreshRuleHandles(chain *nftables.Chain, mangle bool) erro
 	return nil
 }
 
-func generatePeerRuleId(ip net.IP, proto firewall.Protocol, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
-	rulesetID := ":" + string(proto) + ":"
+func generatePeerRuleId(ip net.IP, sPort *firewall.Port, dPort *firewall.Port, action firewall.Action, ipset *nftables.Set) string {
+	rulesetID := ":"
 	if sPort != nil {
 		rulesetID += sPort.String()
 	}

client/firewall/nftables/manager_linux.go

@@ -1,11 +1,11 @@
 package nftables
 
 import (
+	"bytes"
 	"context"
 	"fmt"
 	"net"
 	"net/netip"
-	"os"
 	"sync"
 
 	"github.com/google/nftables"
@@ -19,22 +19,13 @@ import (
 )
 
 const (
-	// tableNameNetbird is the default name of the table that is used for filtering by the Netbird client
+	// tableNameNetbird is the name of the table that is used for filtering by the Netbird client
 	tableNameNetbird = "netbird"
-	// envTableName is the environment variable to override the table name
-	envTableName = "NB_NFTABLES_TABLE"
 
 	tableNameFilter = "filter"
 	chainNameInput  = "INPUT"
 )
 
-func getTableName() string {
-	if name := os.Getenv(envTableName); name != "" {
-		return name
-	}
-	return tableNameNetbird
-}
-
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
@@ -53,16 +44,16 @@ type Manager struct {
 }
 
 // Create nftables firewall manager
-func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
+func Create(wgIface iFaceMapper) (*Manager, error) {
 	m := &Manager{
 		rConn:   &nftables.Conn{},
 		wgIface: wgIface,
 	}
 
-	workTable := &nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4}
+	workTable := &nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4}
 
 	var err error
-	m.router, err = newRouter(workTable, wgIface, mtu)
+	m.router, err = newRouter(workTable, wgIface)
 	if err != nil {
 		return nil, fmt.Errorf("create router: %w", err)
 	}
@@ -102,7 +93,6 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 			NameStr:       m.wgIface.Name(),
 			WGAddress:     m.wgIface.Address(),
 			UserspaceBind: m.wgIface.IsUserspaceBind(),
-			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -207,11 +197,44 @@ func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	if err := m.aclManager.createDefaultAllowRules(); err != nil {
-		return fmt.Errorf("create default allow rules: %w", err)
+	err := m.aclManager.createDefaultAllowRules()
+	if err != nil {
+		return fmt.Errorf("failed to create default allow rules: %v", err)
 	}
-	if err := m.rConn.Flush(); err != nil {
-		return fmt.Errorf("flush allow input netbird rules: %w", err)
+
+	chains, err := m.rConn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
+	if err != nil {
+		return fmt.Errorf("list of chains: %w", err)
+	}
+
+	var chain *nftables.Chain
+	for _, c := range chains {
+		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
+			chain = c
+			break
+		}
+	}
+
+	if chain == nil {
+		log.Debugf("chain INPUT not found. Skipping add allow netbird rule")
+		return nil
+	}
+
+	rules, err := m.rConn.GetRules(chain.Table, chain)
+	if err != nil {
+		return fmt.Errorf("failed to get rules for the INPUT chain: %v", err)
+	}
+
+	if rule := m.detectAllowNetbirdRule(rules); rule != nil {
+		log.Debugf("allow netbird rule already exists: %v", rule)
+		return nil
+	}
+
+	m.applyAllowNetbirdRules(chain)
+
+	err = m.rConn.Flush()
+	if err != nil {
+		return fmt.Errorf("failed to flush allow input netbird rules: %v", err)
 	}
 
 	return nil
@@ -227,6 +250,10 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
+	if err := m.resetNetbirdInputRules(); err != nil {
+		return fmt.Errorf("reset netbird input rules: %v", err)
+	}
+
 	if err := m.router.Reset(); err != nil {
 		return fmt.Errorf("reset router: %v", err)
 	}
@@ -246,15 +273,49 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nil
 }
 
+func (m *Manager) resetNetbirdInputRules() error {
+	chains, err := m.rConn.ListChains()
+	if err != nil {
+		return fmt.Errorf("list chains: %w", err)
+	}
+
+	m.deleteNetbirdInputRules(chains)
+
+	return nil
+}
+
+func (m *Manager) deleteNetbirdInputRules(chains []*nftables.Chain) {
+	for _, c := range chains {
+		if c.Table.Name == tableNameFilter && c.Name == chainNameInput {
+			rules, err := m.rConn.GetRules(c.Table, c)
+			if err != nil {
+				log.Errorf("get rules for chain %q: %v", c.Name, err)
+				continue
+			}
+
+			m.deleteMatchingRules(rules)
+		}
+	}
+}
+
+func (m *Manager) deleteMatchingRules(rules []*nftables.Rule) {
+	for _, r := range rules {
+		if bytes.Equal(r.UserData, []byte(allowNetbirdInputRuleID)) {
+			if err := m.rConn.DelRule(r); err != nil {
+				log.Errorf("delete rule: %v", err)
+			}
+		}
+	}
+}
+
 func (m *Manager) cleanupNetbirdTables() error {
 	tables, err := m.rConn.ListTables()
 	if err != nil {
 		return fmt.Errorf("list tables: %w", err)
 	}
 
-	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableName {
+		if t.Name == tableNameNetbird {
 			m.rConn.DelTable(t)
 		}
 	}
@@ -315,40 +376,61 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return m.router.UpdateSet(set, prefixes)
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 func (m *Manager) createWorkTable() (*nftables.Table, error) {
 	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
 
-	tableName := getTableName()
 	for _, t := range tables {
-		if t.Name == tableName {
+		if t.Name == tableNameNetbird {
 			m.rConn.DelTable(t)
 		}
 	}
 
-	table := m.rConn.AddTable(&nftables.Table{Name: getTableName(), Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableNameNetbird, Family: nftables.TableFamilyIPv4})
 	err = m.rConn.Flush()
 	return table, err
 }
 
+func (m *Manager) applyAllowNetbirdRules(chain *nftables.Chain) {
+	rule := &nftables.Rule{
+		Table: chain.Table,
+		Chain: chain,
+		Exprs: []expr.Any{
+			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+			&expr.Cmp{
+				Op:       expr.CmpOpEq,
+				Register: 1,
+				Data:     ifname(m.wgIface.Name()),
+			},
+			&expr.Verdict{
+				Kind: expr.VerdictAccept,
+			},
+		},
+		UserData: []byte(allowNetbirdInputRuleID),
+	}
+	_ = m.rConn.InsertRule(rule)
+}
+
+func (m *Manager) detectAllowNetbirdRule(existedRules []*nftables.Rule) *nftables.Rule {
+	ifName := ifname(m.wgIface.Name())
+	for _, rule := range existedRules {
+		if rule.Table.Name == tableNameFilter && rule.Chain.Name == chainNameInput {
+			if len(rule.Exprs) < 4 {
+				if e, ok := rule.Exprs[0].(*expr.Meta); !ok || e.Key != expr.MetaKeyIIFNAME {
+					continue
+				}
+				if e, ok := rule.Exprs[1].(*expr.Cmp); !ok || e.Op != expr.CmpOpEq || !bytes.Equal(e.Data, ifName) {
+					continue
+				}
+				return rule
+			}
+		}
+	}
+	return nil
+}
+
 func insertReturnTrafficRule(conn *nftables.Conn, table *nftables.Table, chain *nftables.Chain) {
 	rule := &nftables.Rule{
 		Table: table,

client/firewall/nftables/manager_linux_test.go

@@ -16,7 +16,6 @@ import (
 	"golang.org/x/sys/unix"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -57,7 +56,7 @@ func (i *iFaceMock) IsUserspaceBind() bool { return false }
 func TestNftablesManager(t *testing.T) {
 
 	// just check on the local interface
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 	time.Sleep(time.Second * 3)
@@ -169,7 +168,7 @@ func TestNftablesManager(t *testing.T) {
 func TestNftablesManagerRuleOrder(t *testing.T) {
 	// This test verifies rule insertion order in nftables peer ACLs
 	// We add accept rule first, then deny rule to test ordering behavior
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err)
 	require.NoError(t, manager.Init(nil))
 
@@ -262,7 +261,7 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
 		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
 			// just check on the local interface
-			manager, err := Create(mock, iface.DefaultMTU)
+			manager, err := Create(mock)
 			require.NoError(t, err)
 			require.NoError(t, manager.Init(nil))
 			time.Sleep(time.Second * 3)
@@ -346,7 +345,7 @@ func TestNftablesManagerCompatibilityWithIptables(t *testing.T) {
 	stdout, stderr := runIptablesSave(t)
 	verifyIptablesOutput(t, stdout, stderr)
 
-	manager, err := Create(ifaceMock, iface.DefaultMTU)
+	manager, err := Create(ifaceMock)
 	require.NoError(t, err, "failed to create manager")
 	require.NoError(t, manager.Init(nil))
 

client/firewall/nftables/router_linux.go

@@ -16,7 +16,6 @@ import (
 	"github.com/google/nftables/xt"
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -33,17 +32,12 @@ const (
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
 	chainNameForward       = "FORWARD"
-	chainNameMangleForward = "netbird-mangle-forward"
 
 	userDataAcceptForwardRuleIif = "frwacceptiif"
 	userDataAcceptForwardRuleOif = "frwacceptoif"
-	userDataAcceptInputRule      = "inputaccept"
 
 	dnatSuffix = "_dnat"
 	snatSuffix = "_snat"
-
-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
 )
 
 const refreshRulesMapError = "refresh rules map: %w"
@@ -69,10 +63,9 @@ type router struct {
 	wgIface          iFaceMapper
 	ipFwdState       *ipfwdstate.IPForwardingState
 	legacyManagement bool
-	mtu              uint16
 }
 
-func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*router, error) {
+func newRouter(workTable *nftables.Table, wgIface iFaceMapper) (*router, error) {
 	r := &router{
 		conn:       &nftables.Conn{},
 		workTable:  workTable,
@@ -80,7 +73,6 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 		rules:      make(map[string]*nftables.Rule),
 		wgIface:    wgIface,
 		ipFwdState: ipfwdstate.NewIPForwardingState(),
-		mtu:        mtu,
 	}
 
 	r.ipsetCounter = refcounter.New(
@@ -104,8 +96,8 @@ func newRouter(workTable *nftables.Table, wgIface iFaceMapper, mtu uint16) (*rou
 func (r *router) init(workTable *nftables.Table) error {
 	r.workTable = workTable
 
-	if err := r.removeAcceptFilterRules(); err != nil {
-		log.Errorf("failed to clean up rules from filter table: %s", err)
+	if err := r.removeAcceptForwardRules(); err != nil {
+		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
 	}
 
 	if err := r.createContainers(); err != nil {
@@ -119,15 +111,15 @@ func (r *router) init(workTable *nftables.Table) error {
 	return nil
 }
 
-// Reset cleans existing nftables filter table rules from the system
+// Reset cleans existing nftables default forward rules from the system
 func (r *router) Reset() error {
 	// clear without deleting the ipsets, the nf table will be deleted by the caller
 	r.ipsetCounter.Clear()
 
 	var merr *multierror.Error
 
-	if err := r.removeAcceptFilterRules(); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("remove accept filter rules: %w", err))
+	if err := r.removeAcceptForwardRules(); err != nil {
+		merr = multierror.Append(merr, fmt.Errorf("remove accept forward rules: %w", err))
 	}
 
 	if err := r.removeNatPreroutingRules(); err != nil {
@@ -228,23 +220,11 @@ func (r *router) createContainers() error {
 		Type:     nftables.ChainTypeFilter,
 	})
 
-	r.chains[chainNameMangleForward] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameMangleForward,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookForward,
-		Priority: nftables.ChainPriorityMangle,
-		Type:     nftables.ChainTypeFilter,
-	})
-
 	// Add the single NAT rule that matches on mark
 	if err := r.addPostroutingRules(); err != nil {
 		return fmt.Errorf("add single nat rule: %v", err)
 	}
 
-	if err := r.addMSSClampingRules(); err != nil {
-		log.Errorf("failed to add MSS clamping rules: %s", err)
-	}
-
 	if err := r.acceptForwardRules(); err != nil {
 		log.Errorf("failed to add accept rules for the forward chain: %s", err)
 	}
@@ -765,83 +745,6 @@ func (r *router) addPostroutingRules() error {
 	return nil
 }
 
-// addMSSClampingRules adds MSS clamping rules to prevent fragmentation for forwarded traffic.
-// TODO: Add IPv6 support
-func (r *router) addMSSClampingRules() error {
-	mss := r.mtu - ipTCPHeaderMinSize
-
-	exprsOut := []expr.Any{
-		&expr.Meta{
-			Key:      expr.MetaKeyOIFNAME,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Meta{
-			Key:      expr.MetaKeyL4PROTO,
-			Register: 1,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{unix.IPPROTO_TCP},
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       13,
-			Len:          1,
-		},
-		&expr.Bitwise{
-			DestRegister:   1,
-			SourceRegister: 1,
-			Len:            1,
-			Mask:           []byte{0x02},
-			Xor:            []byte{0x00},
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpNeq,
-			Register: 1,
-			Data:     []byte{0x00},
-		},
-		&expr.Counter{},
-		&expr.Exthdr{
-			DestRegister: 1,
-			Type:         2,
-			Offset:       2,
-			Len:          2,
-			Op:           expr.ExthdrOpTcpopt,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpGt,
-			Register: 1,
-			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
-		},
-		&expr.Immediate{
-			Register: 1,
-			Data:     binaryutil.BigEndian.PutUint16(uint16(mss)),
-		},
-		&expr.Exthdr{
-			SourceRegister: 1,
-			Type:           2,
-			Offset:         2,
-			Len:            2,
-			Op:             expr.ExthdrOpTcpopt,
-		},
-	}
-
-	r.conn.AddRule(&nftables.Rule{
-		Table: r.workTable,
-		Chain: r.chains[chainNameMangleForward],
-		Exprs: exprsOut,
-	})
-
-	return nil
-}
-
 // addLegacyRouteRule adds a legacy routing rule for mgmt servers pre route acls
 func (r *router) addLegacyRouteRule(pair firewall.RouterPair) error {
 	sourceExp, err := r.applyNetwork(pair.Source, nil, true)
@@ -937,7 +840,6 @@ func (r *router) RemoveAllLegacyRouteRules() error {
 // that our traffic is not dropped by existing rules there.
 // The existing FORWARD rules/policies decide outbound traffic towards our interface.
 // In case the FORWARD policy is set to "drop", we add an established/related rule to allow return traffic for the inbound rule.
-// This method also adds INPUT chain rules to allow traffic to the local interface.
 func (r *router) acceptForwardRules() error {
 	if r.filterTable == nil {
 		log.Debugf("table 'filter' not found for forward rules, skipping accept rules")
@@ -947,7 +849,7 @@ func (r *router) acceptForwardRules() error {
 	fw := "iptables"
 
 	defer func() {
-		log.Debugf("Used %s to add accept forward and input rules", fw)
+		log.Debugf("Used %s to add accept forward rules", fw)
 	}()
 
 	// Try iptables first and fallback to nftables if iptables is not available
@@ -957,30 +859,22 @@ func (r *router) acceptForwardRules() error {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
 
 		fw = "nftables"
-		return r.acceptFilterRulesNftables()
+		return r.acceptForwardRulesNftables()
 	}
 
-	return r.acceptFilterRulesIptables(ipt)
+	return r.acceptForwardRulesIptables(ipt)
 }
 
-func (r *router) acceptFilterRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) acceptForwardRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
-
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.Insert("filter", chainNameForward, 1, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("add iptables forward rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("add iptables rule: %v", err))
 		} else {
-			log.Debugf("added iptables forward rule: %v", rule)
+			log.Debugf("added iptables rule: %v", rule)
 		}
 	}
 
-	inputRule := r.getAcceptInputRule()
-	if err := ipt.Insert("filter", chainNameInput, 1, inputRule...); err != nil {
-		merr = multierror.Append(err, fmt.Errorf("add iptables input rule: %v", err))
-	} else {
-		log.Debugf("added iptables input rule: %v", inputRule)
-	}
-
 	return nberrors.FormatErrorOrNil(merr)
 }
 
@@ -992,13 +886,10 @@ func (r *router) getAcceptForwardRules() [][]string {
 	}
 }
 
-func (r *router) getAcceptInputRule() []string {
-	return []string{"-i", r.wgIface.Name(), "-j", "ACCEPT"}
-}
-
-func (r *router) acceptFilterRulesNftables() error {
+func (r *router) acceptForwardRulesNftables() error {
 	intf := ifname(r.wgIface.Name())
 
+	// Rule for incoming interface (iif) with counter
 	iifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
@@ -1031,10 +922,11 @@ func (r *router) acceptFilterRulesNftables() error {
 		},
 	}
 
+	// Rule for outgoing interface (oif) with counter
 	oifRule := &nftables.Rule{
 		Table: r.filterTable,
 		Chain: &nftables.Chain{
-			Name:     chainNameForward,
+			Name:     "FORWARD",
 			Table:    r.filterTable,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
@@ -1043,60 +935,35 @@ func (r *router) acceptFilterRulesNftables() error {
 		Exprs:    append(oifExprs, getEstablishedExprs(2)...),
 		UserData: []byte(userDataAcceptForwardRuleOif),
 	}
-	r.conn.InsertRule(oifRule)
 
-	inputRule := &nftables.Rule{
-		Table: r.filterTable,
-		Chain: &nftables.Chain{
-			Name:     chainNameInput,
-			Table:    r.filterTable,
-			Type:     nftables.ChainTypeFilter,
-			Hooknum:  nftables.ChainHookInput,
-			Priority: nftables.ChainPriorityFilter,
-		},
-		Exprs: []expr.Any{
-			&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     intf,
-			},
-			&expr.Counter{},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		},
-		UserData: []byte(userDataAcceptInputRule),
-	}
-	r.conn.InsertRule(inputRule)
+	r.conn.InsertRule(oifRule)
 
 	return nil
 }
 
-func (r *router) removeAcceptFilterRules() error {
+func (r *router) removeAcceptForwardRules() error {
 	if r.filterTable == nil {
 		return nil
 	}
 
+	// Try iptables first and fallback to nftables if iptables is not available
 	ipt, err := iptables.New()
 	if err != nil {
 		log.Warnf("Will use nftables to manipulate the filter table because iptables is not available: %v", err)
-		return r.removeAcceptFilterRulesNftables()
+		return r.removeAcceptForwardRulesNftables()
 	}
 
-	return r.removeAcceptFilterRulesIptables(ipt)
+	return r.removeAcceptForwardRulesIptables(ipt)
 }
 
-func (r *router) removeAcceptFilterRulesNftables() error {
+func (r *router) removeAcceptForwardRulesNftables() error {
 	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
 	if err != nil {
 		return fmt.Errorf("list chains: %v", err)
 	}
 
 	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name {
-			continue
-		}
-
-		if chain.Name != chainNameForward && chain.Name != chainNameInput {
+		if chain.Table.Name != r.filterTable.Name || chain.Name != chainNameForward {
 			continue
 		}
 
@@ -1107,8 +974,7 @@ func (r *router) removeAcceptFilterRulesNftables() error {
 
 		for _, rule := range rules {
 			if bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleIif)) ||
-				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) ||
-				bytes.Equal(rule.UserData, []byte(userDataAcceptInputRule)) {
+				bytes.Equal(rule.UserData, []byte(userDataAcceptForwardRuleOif)) {
 				if err := r.conn.DelRule(rule); err != nil {
 					return fmt.Errorf("delete rule: %v", err)
 				}
@@ -1123,20 +989,14 @@ func (r *router) removeAcceptFilterRulesNftables() error {
 	return nil
 }
 
-func (r *router) removeAcceptFilterRulesIptables(ipt *iptables.IPTables) error {
+func (r *router) removeAcceptForwardRulesIptables(ipt *iptables.IPTables) error {
 	var merr *multierror.Error
-
 	for _, rule := range r.getAcceptForwardRules() {
 		if err := ipt.DeleteIfExists("filter", chainNameForward, rule...); err != nil {
-			merr = multierror.Append(err, fmt.Errorf("remove iptables forward rule: %v", err))
+			merr = multierror.Append(err, fmt.Errorf("remove iptables rule: %v", err))
 		}
 	}
 
-	inputRule := r.getAcceptInputRule()
-	if err := ipt.DeleteIfExists("filter", chainNameInput, inputRule...); err != nil {
-		merr = multierror.Append(err, fmt.Errorf("remove iptables input rule: %v", err))
-	}
-
 	return nberrors.FormatErrorOrNil(merr)
 }
 
@@ -1490,103 +1350,6 @@ func (r *router) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }
 
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (r *router) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	protoNum, err := protoToInt(protocol)
-	if err != nil {
-		return fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	exprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(r.wgIface.Name()),
-		},
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 2},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 2,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 3,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 3,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
-		},
-	}
-
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     localAddr.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
-		},
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
-			RegAddrMin:  1,
-			RegProtoMin: 2,
-			RegProtoMax: 0,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameRoutingRdr],
-		Exprs:    exprs,
-		UserData: []byte(ruleID),
-	}
-	r.conn.AddRule(dnatRule)
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("add inbound DNAT rule: %w", err)
-	}
-
-	r.rules[ruleID] = dnatRule
-
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleID := fmt.Sprintf("inbound-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if rule, exists := r.rules[ruleID]; exists {
-		if err := r.conn.DelRule(rule); err != nil {
-			return fmt.Errorf("delete inbound DNAT rule %s: %w", ruleID, err)
-		}
-		if err := r.conn.Flush(); err != nil {
-			return fmt.Errorf("flush delete inbound DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	return nil
-}
-
 // applyNetwork generates nftables expressions for networks (CIDR) or sets
 func (r *router) applyNetwork(
 	network firewall.Network,

client/firewall/nftables/router_linux_test.go

@@ -17,7 +17,6 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	"github.com/netbirdio/netbird/client/iface"
 )
 
 const (
@@ -37,7 +36,7 @@ func TestNftablesManager_AddNatRule(t *testing.T) {
 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
 			// need fw manager to init both acl mgr and router for all chains to be present
-			manager, err := Create(ifaceMock, iface.DefaultMTU)
+			manager, err := Create(ifaceMock)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -126,7 +125,7 @@ func TestNftablesManager_RemoveNatRule(t *testing.T) {
 
 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := Create(ifaceMock, iface.DefaultMTU)
+			manager, err := Create(ifaceMock)
 			t.Cleanup(func() {
 				require.NoError(t, manager.Close(nil))
 			})
@@ -198,7 +197,7 @@ func TestRouter_AddRouteFiltering(t *testing.T) {
 
 	defer deleteWorkTable()
 
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	r, err := newRouter(workTable, ifaceMock)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
 
@@ -365,7 +364,7 @@ func TestNftablesCreateIpSet(t *testing.T) {
 
 	defer deleteWorkTable()
 
-	r, err := newRouter(workTable, ifaceMock, iface.DefaultMTU)
+	r, err := newRouter(workTable, ifaceMock)
 	require.NoError(t, err, "Failed to create router")
 	require.NoError(t, r.init(workTable))
 

client/firewall/nftables/state_linux.go

@@ -3,7 +3,6 @@ package nftables
 import (
 	"fmt"
 
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -11,7 +10,6 @@ type InterfaceState struct {
 	NameStr       string         `json:"name"`
 	WGAddress     wgaddr.Address `json:"wg_address"`
 	UserspaceBind bool           `json:"userspace_bind"`
-	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -35,11 +33,7 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	mtu := s.InterfaceState.MTU
-	if mtu == 0 {
-		mtu = iface.DefaultMTU
-	}
-	nft, err := Create(s.InterfaceState, mtu)
+	nft, err := Create(s.InterfaceState)
 	if err != nil {
 		return fmt.Errorf("create nftables manager: %w", err)
 	}

client/firewall/uspfilter/conntrack/common.go

@@ -22,8 +22,6 @@ type BaseConnTrack struct {
 	PacketsRx atomic.Uint64
 	BytesTx   atomic.Uint64
 	BytesRx   atomic.Uint64
-
-	DNATOrigPort atomic.Uint32
 }
 
 // these small methods will be inlined by the compiler

client/firewall/uspfilter/conntrack/tcp.go

@@ -157,7 +157,7 @@ func NewTCPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }
 
-func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -171,30 +171,28 @@ func (t *TCPTracker) updateIfExists(srcIP, dstIP netip.Addr, srcPort, dstPort ui
 
 	if exists {
 		t.updateState(key, conn, flags, direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}
 
-	return key, 0, false
+	return key, false
 }
 
-// TrackOutbound records an outbound TCP connection and returns the original port if DNAT reversal is needed
-func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) uint16 {
-	if _, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); exists {
-		return origPort
+// TrackOutbound records an outbound TCP connection
+func (t *TCPTracker) TrackOutbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, size int) {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, flags, nftypes.Egress, size); !exists {
+		// if (inverted direction) conn is not tracked, track this direction
+		t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size)
 	}
-	// if (inverted direction) conn is not tracked, track this direction
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Egress, nil, size, 0)
-	return 0
 }
 
 // TrackInbound processes an inbound TCP packet and updates connection state
-func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int, dnatOrigPort uint16) {
-	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size, dnatOrigPort)
+func (t *TCPTracker) TrackInbound(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, ruleID []byte, size int) {
+	t.track(srcIP, dstIP, srcPort, dstPort, flags, nftypes.Ingress, ruleID, size)
 }
 
 // track is the common implementation for tracking both inbound and outbound connections
-func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
+func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, flags uint8, direction nftypes.Direction, ruleID []byte, size int) {
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, flags, direction, size)
 	if exists || flags&TCPSyn == 0 {
 		return
 	}
@@ -212,13 +210,8 @@ func (t *TCPTracker) track(srcIP, dstIP netip.Addr, srcPort, dstPort uint16, fla
 
 	conn.tombstone.Store(false)
 	conn.state.Store(int32(TCPStateNew))
-	conn.DNATOrigPort.Store(uint32(origPort))
 
-	if origPort != 0 {
-		t.logger.Trace4("New %s TCP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s TCP connection: %s", direction, key)
-	}
+	t.logger.Trace2("New %s TCP connection: %s", direction, key)
 	t.updateState(key, conn, flags, direction, size)
 
 	t.mutex.Lock()
@@ -456,21 +449,6 @@ func (t *TCPTracker) cleanup() {
 	}
 }
 
-// GetConnection safely retrieves a connection state
-func (t *TCPTracker) GetConnection(srcIP netip.Addr, srcPort uint16, dstIP netip.Addr, dstPort uint16) (*TCPConnTrack, bool) {
-	t.mutex.RLock()
-	defer t.mutex.RUnlock()
-
-	key := ConnKey{
-		SrcIP:   srcIP,
-		DstIP:   dstIP,
-		SrcPort: srcPort,
-		DstPort: dstPort,
-	}
-	conn, exists := t.connections[key]
-	return conn, exists
-}
-
 // Close stops the cleanup routine and releases resources
 func (t *TCPTracker) Close() {
 	t.tickerCancel()

client/firewall/uspfilter/conntrack/tcp_test.go

@@ -603,7 +603,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	serverPort := uint16(80)
 
 	// 1. Client sends SYN (we receive it as inbound)
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPSyn, nil, 100)
 
 	key := ConnKey{
 		SrcIP:   clientIP,
@@ -623,12 +623,12 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPSyn|TCPAck, 100)
 
 	// 3. Client sends ACK to complete handshake
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
 	require.Equal(t, TCPStateEstablished, conn.GetState(), "Connection should be ESTABLISHED after handshake completion")
 
 	// 4. Test data transfer
 	// Client sends data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPPush|TCPAck, nil, 1000)
 
 	// Server sends ACK for data
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPAck, 100)
@@ -637,7 +637,7 @@ func TestTCPInboundInitiatedConnection(t *testing.T) {
 	tracker.TrackOutbound(serverIP, clientIP, serverPort, clientPort, TCPPush|TCPAck, 1500)
 
 	// Client sends ACK for data
-	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100, 0)
+	tracker.TrackInbound(clientIP, serverIP, clientPort, serverPort, TCPAck, nil, 100)
 
 	// Verify state and counters
 	require.Equal(t, TCPStateEstablished, conn.GetState())

client/firewall/uspfilter/conntrack/udp.go

@@ -58,23 +58,20 @@ func NewUDPTracker(timeout time.Duration, logger *nblog.Logger, flowLogger nftyp
 	return tracker
 }
 
-// TrackOutbound records an outbound UDP connection and returns the original port if DNAT reversal is needed
-func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) uint16 {
-	_, origPort, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size)
-	if exists {
-		return origPort
+// TrackOutbound records an outbound UDP connection
+func (t *UDPTracker) TrackOutbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, size int) {
+	if _, exists := t.updateIfExists(dstIP, srcIP, dstPort, srcPort, nftypes.Egress, size); !exists {
+		// if (inverted direction) conn is not tracked, track this direction
+		t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size)
 	}
-	// if (inverted direction) conn is not tracked, track this direction
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Egress, nil, size, 0)
-	return 0
 }
 
 // TrackInbound records an inbound UDP connection
-func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int, dnatOrigPort uint16) {
-	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size, dnatOrigPort)
+func (t *UDPTracker) TrackInbound(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, ruleID []byte, size int) {
+	t.track(srcIP, dstIP, srcPort, dstPort, nftypes.Ingress, ruleID, size)
 }
 
-func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, uint16, bool) {
+func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, size int) (ConnKey, bool) {
 	key := ConnKey{
 		SrcIP:   srcIP,
 		DstIP:   dstIP,
@@ -89,15 +86,15 @@ func (t *UDPTracker) updateIfExists(srcIP netip.Addr, dstIP netip.Addr, srcPort
 	if exists {
 		conn.UpdateLastSeen()
 		conn.UpdateCounters(direction, size)
-		return key, uint16(conn.DNATOrigPort.Load()), true
+		return key, true
 	}
 
-	return key, 0, false
+	return key, false
 }
 
 // track is the common implementation for tracking both inbound and outbound connections
-func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int, origPort uint16) {
-	key, _, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
+func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, dstPort uint16, direction nftypes.Direction, ruleID []byte, size int) {
+	key, exists := t.updateIfExists(srcIP, dstIP, srcPort, dstPort, direction, size)
 	if exists {
 		return
 	}
@@ -112,7 +109,6 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 		SourcePort: srcPort,
 		DestPort:   dstPort,
 	}
-	conn.DNATOrigPort.Store(uint32(origPort))
 	conn.UpdateLastSeen()
 	conn.UpdateCounters(direction, size)
 
@@ -120,11 +116,7 @@ func (t *UDPTracker) track(srcIP netip.Addr, dstIP netip.Addr, srcPort uint16, d
 	t.connections[key] = conn
 	t.mutex.Unlock()
 
-	if origPort != 0 {
-		t.logger.Trace4("New %s UDP connection: %s (port DNAT %d -> %d)", direction, key, origPort, dstPort)
-	} else {
-		t.logger.Trace2("New %s UDP connection: %s", direction, key)
-	}
+	t.logger.Trace2("New %s UDP connection: %s", direction, key)
 	t.sendEvent(nftypes.TypeStart, conn, ruleID)
 }
 

client/firewall/uspfilter/filter.go

@@ -1,7 +1,6 @@
 package uspfilter
 
 import (
-	"encoding/binary"
 	"errors"
 	"fmt"
 	"net"
@@ -28,18 +27,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
-const (
-	layerTypeAll = 0
-
-	// ipTCPHeaderMinSize represents minimum IP (20) + TCP (20) header size for MSS calculation
-	ipTCPHeaderMinSize = 40
-)
-
-// serviceKey represents a protocol/port combination for netstack service registry
-type serviceKey struct {
-	protocol gopacket.LayerType
-	port     uint16
-}
+const layerTypeAll = 0
 
 const (
 	// EnvDisableConntrack disables the stateful filter, replies to outbound traffic won't be allowed.
@@ -48,9 +36,6 @@ const (
 	// EnvDisableUserspaceRouting disables userspace routing, to-be-routed packets will be dropped.
 	EnvDisableUserspaceRouting = "NB_DISABLE_USERSPACE_ROUTING"
 
-	// EnvDisableMSSClamping disables TCP MSS clamping for forwarded traffic.
-	EnvDisableMSSClamping = "NB_DISABLE_MSS_CLAMPING"
-
 	// EnvForceUserspaceRouter forces userspace routing even if native routing is available.
 	EnvForceUserspaceRouter = "NB_FORCE_USERSPACE_ROUTER"
 
@@ -124,17 +109,6 @@ type Manager struct {
 	dnatMappings map[netip.Addr]netip.Addr
 	dnatMutex    sync.RWMutex
 	dnatBiMap    *biDNATMap
-
-	portDNATEnabled atomic.Bool
-	portDNATRules   []portDNATRule
-	portDNATMutex   sync.RWMutex
-
-	netstackServices     map[serviceKey]struct{}
-	netstackServiceMutex sync.RWMutex
-
-	mtu             uint16
-	mssClampValue   uint16
-	mssClampEnabled bool
 }
 
 // decoder for packages
@@ -148,21 +122,19 @@ type decoder struct {
 	icmp6   layers.ICMPv6
 	decoded []gopacket.LayerType
 	parser  *gopacket.DecodingLayerParser
-
-	dnatOrigPort uint16
 }
 
 // Create userspace firewall manager constructor
-func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
-	return create(iface, nil, disableServerRoutes, flowLogger, mtu)
+func Create(iface common.IFaceMapper, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
+	return create(iface, nil, disableServerRoutes, flowLogger)
 }
 
-func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
+func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
 	if nativeFirewall == nil {
 		return nil, errors.New("native firewall is nil")
 	}
 
-	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger, mtu)
+	mgr, err := create(iface, nativeFirewall, disableServerRoutes, flowLogger)
 	if err != nil {
 		return nil, err
 	}
@@ -170,8 +142,8 @@ func CreateWithNativeFirewall(iface common.IFaceMapper, nativeFirewall firewall.
 	return mgr, nil
 }
 
-func parseCreateEnv() (bool, bool, bool) {
-	var disableConntrack, enableLocalForwarding, disableMSSClamping bool
+func parseCreateEnv() (bool, bool) {
+	var disableConntrack, enableLocalForwarding bool
 	var err error
 	if val := os.Getenv(EnvDisableConntrack); val != "" {
 		disableConntrack, err = strconv.ParseBool(val)
@@ -190,18 +162,12 @@ func parseCreateEnv() (bool, bool, bool) {
 			log.Warnf("failed to parse %s: %v", EnvEnableLocalForwarding, err)
 		}
 	}
-	if val := os.Getenv(EnvDisableMSSClamping); val != "" {
-		disableMSSClamping, err = strconv.ParseBool(val)
-		if err != nil {
-			log.Warnf("failed to parse %s: %v", EnvDisableMSSClamping, err)
-		}
-	}
 
-	return disableConntrack, enableLocalForwarding, disableMSSClamping
+	return disableConntrack, enableLocalForwarding
 }
 
-func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger, mtu uint16) (*Manager, error) {
-	disableConntrack, enableLocalForwarding, disableMSSClamping := parseCreateEnv()
+func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableServerRoutes bool, flowLogger nftypes.FlowLogger) (*Manager, error) {
+	disableConntrack, enableLocalForwarding := parseCreateEnv()
 
 	m := &Manager{
 		decoders: sync.Pool{
@@ -230,19 +196,13 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		netstack:            netstack.IsEnabled(),
 		localForwarding:     enableLocalForwarding,
 		dnatMappings:        make(map[netip.Addr]netip.Addr),
-		portDNATRules:       []portDNATRule{},
-		netstackServices:    make(map[serviceKey]struct{}),
-		mtu:                 mtu,
 	}
 	m.routingEnabled.Store(false)
 
-	if !disableMSSClamping {
-		m.mssClampEnabled = true
-		m.mssClampValue = mtu - ipTCPHeaderMinSize
-	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
 	}
+
 	if disableConntrack {
 		log.Info("conntrack is disabled")
 	} else {
@@ -250,11 +210,14 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		m.icmpTracker = conntrack.NewICMPTracker(conntrack.DefaultICMPTimeout, m.logger, flowLogger)
 		m.tcpTracker = conntrack.NewTCPTracker(conntrack.DefaultTCPTimeout, m.logger, flowLogger)
 	}
+
+	// netstack needs the forwarder for local traffic
 	if m.netstack && m.localForwarding {
 		if err := m.initForwarder(); err != nil {
 			log.Errorf("failed to initialize forwarder: %v", err)
 		}
 	}
+
 	if err := iface.SetFilter(m); err != nil {
 		return nil, fmt.Errorf("set filter: %w", err)
 	}
@@ -357,7 +320,7 @@ func (m *Manager) initForwarder() error {
 		return errors.New("forwarding not supported")
 	}
 
-	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack, m.mtu)
+	forwarder, err := forwarder.New(m.wgIface, m.logger, m.flowLogger, m.netstack)
 	if err != nil {
 		m.routingEnabled.Store(false)
 		return fmt.Errorf("create forwarder: %w", err)
@@ -663,20 +626,11 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 		return false
 	}
 
-	switch d.decoded[1] {
-	case layers.LayerTypeUDP:
-		if m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
-			return true
-		}
-	case layers.LayerTypeTCP:
-		// Clamp MSS on all TCP SYN packets, including those from local IPs.
-		// SNATed routed traffic may appear as local IP but still requires clamping.
-		if m.mssClampEnabled {
-			m.clampTCPMSS(packetData, d)
-		}
+	if d.decoded[1] == layers.LayerTypeUDP && m.udpHooksDrop(uint16(d.udp.DstPort), dstIP, packetData) {
+		return true
 	}
 
-	m.trackOutbound(d, srcIP, dstIP, packetData, size)
+	m.trackOutbound(d, srcIP, dstIP, size)
 	m.translateOutboundDNAT(packetData, d)
 
 	return false
@@ -720,117 +674,14 @@ func getTCPFlags(tcp *layers.TCP) uint8 {
 	return flags
 }
 
-// clampTCPMSS clamps the TCP MSS option in SYN and SYN-ACK packets to prevent fragmentation.
-// Both sides advertise their MSS during connection establishment, so we need to clamp both.
-func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
-	if !d.tcp.SYN {
-		return false
-	}
-	if len(d.tcp.Options) == 0 {
-		return false
-	}
-
-	mssOptionIndex := -1
-	var currentMSS uint16
-	for i, opt := range d.tcp.Options {
-		if opt.OptionType == layers.TCPOptionKindMSS && len(opt.OptionData) == 2 {
-			currentMSS = binary.BigEndian.Uint16(opt.OptionData)
-			if currentMSS > m.mssClampValue {
-				mssOptionIndex = i
-				break
-			}
-		}
-	}
-
-	if mssOptionIndex == -1 {
-		return false
-	}
-
-	ipHeaderSize := int(d.ip4.IHL) * 4
-	if ipHeaderSize < 20 {
-		return false
-	}
-
-	if !m.updateMSSOption(packetData, d, mssOptionIndex, ipHeaderSize) {
-		return false
-	}
-
-	m.logger.Trace2("Clamped TCP MSS from %d to %d", currentMSS, m.mssClampValue)
-	return true
-}
-
-func (m *Manager) updateMSSOption(packetData []byte, d *decoder, mssOptionIndex, ipHeaderSize int) bool {
-	tcpHeaderStart := ipHeaderSize
-	tcpOptionsStart := tcpHeaderStart + 20
-
-	optOffset := tcpOptionsStart
-	for j := 0; j < mssOptionIndex; j++ {
-		switch d.tcp.Options[j].OptionType {
-		case layers.TCPOptionKindEndList, layers.TCPOptionKindNop:
-			optOffset++
-		default:
-			optOffset += 2 + len(d.tcp.Options[j].OptionData)
-		}
-	}
-
-	mssValueOffset := optOffset + 2
-	binary.BigEndian.PutUint16(packetData[mssValueOffset:mssValueOffset+2], m.mssClampValue)
-
-	m.recalculateTCPChecksum(packetData, d, tcpHeaderStart)
-	return true
-}
-
-func (m *Manager) recalculateTCPChecksum(packetData []byte, d *decoder, tcpHeaderStart int) {
-	tcpLayer := packetData[tcpHeaderStart:]
-	tcpLength := len(packetData) - tcpHeaderStart
-
-	tcpLayer[16] = 0
-	tcpLayer[17] = 0
-
-	var pseudoSum uint32
-	pseudoSum += uint32(d.ip4.SrcIP[0])<<8 | uint32(d.ip4.SrcIP[1])
-	pseudoSum += uint32(d.ip4.SrcIP[2])<<8 | uint32(d.ip4.SrcIP[3])
-	pseudoSum += uint32(d.ip4.DstIP[0])<<8 | uint32(d.ip4.DstIP[1])
-	pseudoSum += uint32(d.ip4.DstIP[2])<<8 | uint32(d.ip4.DstIP[3])
-	pseudoSum += uint32(d.ip4.Protocol)
-	pseudoSum += uint32(tcpLength)
-
-	var sum uint32 = pseudoSum
-	for i := 0; i < tcpLength-1; i += 2 {
-		sum += uint32(tcpLayer[i])<<8 | uint32(tcpLayer[i+1])
-	}
-	if tcpLength%2 == 1 {
-		sum += uint32(tcpLayer[tcpLength-1]) << 8
-	}
-
-	for sum > 0xFFFF {
-		sum = (sum & 0xFFFF) + (sum >> 16)
-	}
-
-	checksum := ^uint16(sum)
-	binary.BigEndian.PutUint16(tcpLayer[16:18], checksum)
-}
-
-func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) {
+func (m *Manager) trackOutbound(d *decoder, srcIP, dstIP netip.Addr, size int) {
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		origPort := m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
-		if origPort == 0 {
-			break
-		}
-		if err := m.rewriteUDPPort(packetData, d, origPort, sourcePortOffset); err != nil {
-			m.logger.Error1("failed to rewrite UDP port: %v", err)
-		}
+		m.udpTracker.TrackOutbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		origPort := m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
-		if origPort == 0 {
-			break
-		}
-		if err := m.rewriteTCPPort(packetData, d, origPort, sourcePortOffset); err != nil {
-			m.logger.Error1("failed to rewrite TCP port: %v", err)
-		}
+		m.tcpTracker.TrackOutbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackOutbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, d.icmp4.Payload, size)
 	}
@@ -840,15 +691,13 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	transport := d.decoded[1]
 	switch transport {
 	case layers.LayerTypeUDP:
-		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size, d.dnatOrigPort)
+		m.udpTracker.TrackInbound(srcIP, dstIP, uint16(d.udp.SrcPort), uint16(d.udp.DstPort), ruleID, size)
 	case layers.LayerTypeTCP:
 		flags := getTCPFlags(&d.tcp)
-		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size, d.dnatOrigPort)
+		m.tcpTracker.TrackInbound(srcIP, dstIP, uint16(d.tcp.SrcPort), uint16(d.tcp.DstPort), flags, ruleID, size)
 	case layers.LayerTypeICMPv4:
 		m.icmpTracker.TrackInbound(srcIP, dstIP, d.icmp4.Id, d.icmp4.TypeCode, ruleID, d.icmp4.Payload, size)
 	}
-
-	d.dnatOrigPort = 0
 }
 
 // udpHooksDrop checks if any UDP hooks should drop the packet
@@ -910,20 +759,10 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 		return false
 	}
 
-	// TODO: optimize port DNAT by caching matched rules in conntrack
-	if translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP); translated {
-		// Re-decode after port DNAT translation to update port information
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after port DNAT: %v", err)
-			return true
-		}
-		srcIP, dstIP = m.extractIPs(d)
-	}
-
 	if translated := m.translateInboundReverse(packetData, d); translated {
 		// Re-decode after translation to get original addresses
 		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			m.logger.Error1("failed to re-decode packet after reverse DNAT: %v", err)
+			m.logger.Error1("Failed to re-decode packet after reverse DNAT: %v", err)
 			return true
 		}
 		srcIP, dstIP = m.extractIPs(d)
@@ -968,7 +807,9 @@ func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packet
 		return true
 	}
 
-	if m.shouldForward(d, dstIP) {
+	// If requested we pass local traffic to internal interfaces to the forwarder.
+	// netstack doesn't have an interface to forward packets to the native stack so we always need to use the forwarder.
+	if m.localForwarding && (m.netstack || dstIP != m.wgIface.Address().IP) {
 		return m.handleForwardedLocalTraffic(packetData)
 	}
 
@@ -1402,86 +1243,3 @@ func (m *Manager) DisableRouting() error {
 
 	return nil
 }
-
-// RegisterNetstackService registers a service as listening on the netstack for the given protocol and port
-func (m *Manager) RegisterNetstackService(protocol nftypes.Protocol, port uint16) {
-	m.netstackServiceMutex.Lock()
-	defer m.netstackServiceMutex.Unlock()
-	layerType := m.protocolToLayerType(protocol)
-	key := serviceKey{protocol: layerType, port: port}
-	m.netstackServices[key] = struct{}{}
-	m.logger.Debug3("RegisterNetstackService: registered %s:%d (layerType=%s)", protocol, port, layerType)
-	m.logger.Debug1("RegisterNetstackService: current registry size: %d", len(m.netstackServices))
-}
-
-// UnregisterNetstackService removes a service from the netstack registry
-func (m *Manager) UnregisterNetstackService(protocol nftypes.Protocol, port uint16) {
-	m.netstackServiceMutex.Lock()
-	defer m.netstackServiceMutex.Unlock()
-	layerType := m.protocolToLayerType(protocol)
-	key := serviceKey{protocol: layerType, port: port}
-	delete(m.netstackServices, key)
-	m.logger.Debug2("Unregistered netstack service on protocol %s port %d", protocol, port)
-}
-
-// protocolToLayerType converts nftypes.Protocol to gopacket.LayerType for internal use
-func (m *Manager) protocolToLayerType(protocol nftypes.Protocol) gopacket.LayerType {
-	switch protocol {
-	case nftypes.TCP:
-		return layers.LayerTypeTCP
-	case nftypes.UDP:
-		return layers.LayerTypeUDP
-	case nftypes.ICMP:
-		return layers.LayerTypeICMPv4
-	default:
-		return gopacket.LayerType(0) // Invalid/unknown
-	}
-}
-
-// shouldForward determines if a packet should be forwarded to the forwarder.
-// The forwarder handles routing packets to the native OS network stack.
-// Returns true if packet should go to the forwarder, false if it should go to netstack listeners or the native stack directly.
-func (m *Manager) shouldForward(d *decoder, dstIP netip.Addr) bool {
-	// not enabled, never forward
-	if !m.localForwarding {
-		return false
-	}
-
-	// netstack always needs to forward because it's lacking a native interface
-	// exception for registered netstack services, those should go to netstack listeners
-	if m.netstack {
-		return !m.hasMatchingNetstackService(d)
-	}
-
-	// traffic to our other local interfaces (not NetBird IP) - always forward
-	if dstIP != m.wgIface.Address().IP {
-		return true
-	}
-
-	// traffic to our NetBird IP, not netstack mode - send to netstack listeners
-	return false
-}
-
-// hasMatchingNetstackService checks if there's a registered netstack service for this packet
-func (m *Manager) hasMatchingNetstackService(d *decoder) bool {
-	if len(d.decoded) < 2 {
-		return false
-	}
-
-	var dstPort uint16
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		dstPort = uint16(d.tcp.DstPort)
-	case layers.LayerTypeUDP:
-		dstPort = uint16(d.udp.DstPort)
-	default:
-		return false
-	}
-
-	key := serviceKey{protocol: d.decoded[1], port: dstPort}
-	m.netstackServiceMutex.RLock()
-	_, exists := m.netstackServices[key]
-	m.netstackServiceMutex.RUnlock()
-
-	return exists
-}

client/firewall/uspfilter/filter_bench_test.go

@@ -17,7 +17,6 @@ import (
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -170,7 +169,7 @@ func BenchmarkCoreFiltering(b *testing.B) {
 				// Create manager and basic setup
 				manager, _ := Create(&IFaceMock{
 					SetFilterFunc: func(device.PacketFilter) error { return nil },
-				}, false, flowLogger, iface.DefaultMTU)
+				}, false, flowLogger)
 				defer b.Cleanup(func() {
 					require.NoError(b, manager.Close(nil))
 				})
@@ -210,7 +209,7 @@ func BenchmarkStateScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("conns_%d", count), func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -253,7 +252,7 @@ func BenchmarkEstablishmentOverhead(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -411,7 +410,7 @@ func BenchmarkRoutedNetworkReturn(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -538,7 +537,7 @@ func BenchmarkLongLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -621,7 +620,7 @@ func BenchmarkShortLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -732,7 +731,7 @@ func BenchmarkParallelLongLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -812,7 +811,7 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 
 			manager, _ := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			defer b.Cleanup(func() {
 				require.NoError(b, manager.Close(nil))
 			})
@@ -897,6 +896,38 @@ func BenchmarkParallelShortLivedConnections(b *testing.B) {
 	}
 }
 
+// generateTCPPacketWithFlags creates a TCP packet with specific flags
+func generateTCPPacketWithFlags(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort, flags uint16) []byte {
+	b.Helper()
+
+	ipv4 := &layers.IPv4{
+		TTL:      64,
+		Version:  4,
+		SrcIP:    srcIP,
+		DstIP:    dstIP,
+		Protocol: layers.IPProtocolTCP,
+	}
+
+	tcp := &layers.TCP{
+		SrcPort: layers.TCPPort(srcPort),
+		DstPort: layers.TCPPort(dstPort),
+	}
+
+	// Set TCP flags
+	tcp.SYN = (flags & uint16(conntrack.TCPSyn)) != 0
+	tcp.ACK = (flags & uint16(conntrack.TCPAck)) != 0
+	tcp.PSH = (flags & uint16(conntrack.TCPPush)) != 0
+	tcp.RST = (flags & uint16(conntrack.TCPRst)) != 0
+	tcp.FIN = (flags & uint16(conntrack.TCPFin)) != 0
+
+	require.NoError(b, tcp.SetNetworkLayerForChecksum(ipv4))
+
+	buf := gopacket.NewSerializeBuffer()
+	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
+	require.NoError(b, gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test")))
+	return buf.Bytes()
+}
+
 func BenchmarkRouteACLs(b *testing.B) {
 	manager := setupRoutedManager(b, "10.10.0.100/16")
 
@@ -959,231 +990,3 @@ func BenchmarkRouteACLs(b *testing.B) {
 		}
 	}
 }
-
-// BenchmarkMSSClamping benchmarks the MSS clamping impact on filterOutbound.
-// This shows the overhead difference between the common case (non-SYN packets, fast path)
-// and the rare case (SYN packets that need clamping, expensive path).
-func BenchmarkMSSClamping(b *testing.B) {
-	scenarios := []struct {
-		name        string
-		description string
-		genPacket   func(*testing.B, net.IP, net.IP) []byte
-		frequency   string
-	}{
-		{
-			name:        "syn_needs_clamp",
-			description: "SYN packet needing MSS clamping",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
-			},
-			frequency: "~0.1% of traffic - EXPENSIVE",
-		},
-		{
-			name:        "syn_no_clamp_needed",
-			description: "SYN packet with already-small MSS",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1200)
-			},
-			frequency: "~0.05% of traffic",
-		},
-		{
-			name:        "tcp_ack",
-			description: "Non-SYN TCP packet (ACK, data transfer)",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
-			},
-			frequency: "~60-70% of traffic - FAST PATH",
-		},
-		{
-			name:        "tcp_psh_ack",
-			description: "TCP data packet (PSH+ACK)",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPPush|conntrack.TCPAck))
-			},
-			frequency: "~10-20% of traffic - FAST PATH",
-		},
-		{
-			name:        "udp",
-			description: "UDP packet",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
-			},
-			frequency: "~20-30% of traffic - FAST PATH",
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
-
-			srcIP := net.ParseIP("100.64.0.2")
-			dstIP := net.ParseIP("8.8.8.8")
-			packet := sc.genPacket(b, srcIP, dstIP)
-
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				manager.filterOutbound(packet, len(packet))
-			}
-		})
-	}
-}
-
-// BenchmarkMSSClampingOverhead compares overhead of MSS clamping enabled vs disabled
-// for the common case (non-SYN TCP packets).
-func BenchmarkMSSClampingOverhead(b *testing.B) {
-	scenarios := []struct {
-		name      string
-		enabled   bool
-		genPacket func(*testing.B, net.IP, net.IP) []byte
-	}{
-		{
-			name:    "disabled_tcp_ack",
-			enabled: false,
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
-			},
-		},
-		{
-			name:    "enabled_tcp_ack",
-			enabled: true,
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
-			},
-		},
-		{
-			name:    "disabled_syn_needs_clamp",
-			enabled: false,
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
-			},
-		},
-		{
-			name:    "enabled_syn_needs_clamp",
-			enabled: true,
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
-			},
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			manager.mssClampEnabled = sc.enabled
-			if sc.enabled {
-				manager.mssClampValue = 1240
-			}
-
-			srcIP := net.ParseIP("100.64.0.2")
-			dstIP := net.ParseIP("8.8.8.8")
-			packet := sc.genPacket(b, srcIP, dstIP)
-
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				manager.filterOutbound(packet, len(packet))
-			}
-		})
-	}
-}
-
-// BenchmarkMSSClampingMemory measures memory allocations for common vs rare cases
-func BenchmarkMSSClampingMemory(b *testing.B) {
-	scenarios := []struct {
-		name      string
-		genPacket func(*testing.B, net.IP, net.IP) []byte
-	}{
-		{
-			name: "tcp_ack_fast_path",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateTCPPacketWithFlags(b, src, dst, 12345, 80, uint16(conntrack.TCPAck))
-			},
-		},
-		{
-			name: "syn_needs_clamp",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generateSYNPacketWithMSS(b, src, dst, 12345, 80, 1460)
-			},
-		},
-		{
-			name: "udp_fast_path",
-			genPacket: func(b *testing.B, src, dst net.IP) []byte {
-				return generatePacket(b, src, dst, 12345, 80, layers.IPProtocolUDP)
-			},
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			manager.mssClampEnabled = true
-			manager.mssClampValue = 1240
-
-			srcIP := net.ParseIP("100.64.0.2")
-			dstIP := net.ParseIP("8.8.8.8")
-			packet := sc.genPacket(b, srcIP, dstIP)
-
-			b.ReportAllocs()
-			b.ResetTimer()
-			for i := 0; i < b.N; i++ {
-				manager.filterOutbound(packet, len(packet))
-			}
-		})
-	}
-}
-
-func generateSYNPacketNoMSS(b *testing.B, srcIP, dstIP net.IP, srcPort, dstPort uint16) []byte {
-	b.Helper()
-
-	ip := &layers.IPv4{
-		Version:  4,
-		IHL:      5,
-		TTL:      64,
-		Protocol: layers.IPProtocolTCP,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-	}
-
-	tcp := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-		SYN:     true,
-		Seq:     1000,
-		Window:  65535,
-	}
-
-	require.NoError(b, tcp.SetNetworkLayerForChecksum(ip))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{
-		FixLengths:       true,
-		ComputeChecksums: true,
-	}
-
-	require.NoError(b, gopacket.SerializeLayers(buf, opts, ip, tcp, gopacket.Payload([]byte{})))
-	return buf.Bytes()
-}

client/firewall/uspfilter/filter_filter_test.go

@@ -12,7 +12,6 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/mocks"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
@@ -32,7 +31,7 @@ func TestPeerACLFiltering(t *testing.T) {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	require.NotNil(t, manager)
 
@@ -617,7 +616,7 @@ func setupRoutedManager(tb testing.TB, network string) *Manager {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(tb, err)
 	require.NoError(tb, manager.EnableRouting())
 	require.NotNil(tb, manager)
@@ -1463,7 +1462,7 @@ func TestRouteACLSet(t *testing.T) {
 		},
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))

client/firewall/uspfilter/filter_test.go

@@ -1,7 +1,6 @@
 package uspfilter
 
 import (
-	"encoding/binary"
 	"fmt"
 	"net"
 	"net/netip"
@@ -18,11 +17,9 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/log"
-	nbiface "github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/netflow"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
@@ -69,7 +66,7 @@ func TestManagerCreate(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -89,7 +86,7 @@ func TestManagerAddPeerFiltering(t *testing.T) {
 		},
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -122,7 +119,7 @@ func TestManagerDeleteRule(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -218,7 +215,7 @@ func TestAddUDPPacketHook(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, nbiface.DefaultMTU)
+			}, false, flowLogger)
 			require.NoError(t, err)
 
 			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
@@ -268,7 +265,7 @@ func TestManagerReset(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -307,7 +304,7 @@ func TestNotMatchByIP(t *testing.T) {
 		},
 	}
 
-	m, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	m, err := Create(ifaceMock, false, flowLogger)
 	if err != nil {
 		t.Errorf("failed to create Manager: %v", err)
 		return
@@ -370,7 +367,7 @@ func TestRemovePacketHook(t *testing.T) {
 	}
 
 	// creating manager instance
-	manager, err := Create(iface, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(iface, false, flowLogger)
 	if err != nil {
 		t.Fatalf("Failed to create Manager: %s", err)
 	}
@@ -416,7 +413,7 @@ func TestRemovePacketHook(t *testing.T) {
 func TestProcessOutgoingHooks(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(t, err)
 
 	manager.udpTracker.Close()
@@ -498,7 +495,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 			ifaceMock := &IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
 			}
-			manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+			manager, err := Create(ifaceMock, false, flowLogger)
 			require.NoError(t, err)
 			time.Sleep(time.Second)
 
@@ -525,7 +522,7 @@ func TestUSPFilterCreatePerformance(t *testing.T) {
 func TestStatefulFirewall_UDPTracking(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(t, err)
 
 	manager.udpTracker.Close() // Close the existing tracker
@@ -732,7 +729,7 @@ func TestUpdateSetMerge(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -818,7 +815,7 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
 	}
 
-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
+	manager, err := Create(ifaceMock, false, flowLogger)
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		require.NoError(t, manager.Close(nil))
@@ -926,327 +923,3 @@ func TestUpdateSetDeduplication(t *testing.T) {
 		require.Equal(t, tc.expected, isAllowed, tc.desc)
 	}
 }
-
-func TestMSSClamping(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-		AddressFunc: func() wgaddr.Address {
-			return wgaddr.Address{
-				IP:      netip.MustParseAddr("100.10.0.100"),
-				Network: netip.MustParsePrefix("100.10.0.0/16"),
-			}
-		},
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, 1280)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	require.True(t, manager.mssClampEnabled, "MSS clamping should be enabled by default")
-	expectedMSSValue := uint16(1280 - ipTCPHeaderMinSize)
-	require.Equal(t, expectedMSSValue, manager.mssClampValue, "MSS clamp value should be MTU - 40")
-
-	err = manager.UpdateLocalIPs()
-	require.NoError(t, err)
-
-	srcIP := net.ParseIP("100.10.0.2")
-	dstIP := net.ParseIP("8.8.8.8")
-
-	t.Run("SYN packet with high MSS gets clamped", func(t *testing.T) {
-		highMSS := uint16(1460)
-		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
-
-		manager.filterOutbound(packet, len(packet))
-
-		d := parsePacket(t, packet)
-		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
-		require.Equal(t, uint8(layers.TCPOptionKindMSS), uint8(d.tcp.Options[0].OptionType))
-		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS should be clamped to MTU - 40")
-	})
-
-	t.Run("SYN packet with low MSS unchanged", func(t *testing.T) {
-		lowMSS := uint16(1200)
-		packet := generateSYNPacketWithMSS(t, srcIP, dstIP, 12345, 80, lowMSS)
-
-		manager.filterOutbound(packet, len(packet))
-
-		d := parsePacket(t, packet)
-		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
-		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, lowMSS, actualMSS, "Low MSS should not be modified")
-	})
-
-	t.Run("SYN-ACK packet gets clamped", func(t *testing.T) {
-		highMSS := uint16(1460)
-		packet := generateSYNACKPacketWithMSS(t, srcIP, dstIP, 12345, 80, highMSS)
-
-		manager.filterOutbound(packet, len(packet))
-
-		d := parsePacket(t, packet)
-		require.Len(t, d.tcp.Options, 1, "Should have MSS option")
-		actualMSS := binary.BigEndian.Uint16(d.tcp.Options[0].OptionData)
-		require.Equal(t, expectedMSSValue, actualMSS, "MSS in SYN-ACK should be clamped")
-	})
-
-	t.Run("Non-SYN packet unchanged", func(t *testing.T) {
-		packet := generateTCPPacketWithFlags(t, srcIP, dstIP, 12345, 80, uint16(conntrack.TCPAck))
-
-		manager.filterOutbound(packet, len(packet))
-
-		d := parsePacket(t, packet)
-		require.Empty(t, d.tcp.Options, "ACK packet should have no options")
-	})
-}
-
-func generateSYNPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
-	tb.Helper()
-
-	ipLayer := &layers.IPv4{
-		Version:  4,
-		TTL:      64,
-		Protocol: layers.IPProtocolTCP,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-	}
-
-	tcpLayer := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-		SYN:     true,
-		Window:  65535,
-		Options: []layers.TCPOption{
-			{
-				OptionType:   layers.TCPOptionKindMSS,
-				OptionLength: 4,
-				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
-			},
-		},
-	}
-	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
-	require.NoError(tb, err)
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
-	require.NoError(tb, err)
-
-	return buf.Bytes()
-}
-
-func generateSYNACKPacketWithMSS(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, mss uint16) []byte {
-	tb.Helper()
-
-	ipLayer := &layers.IPv4{
-		Version:  4,
-		TTL:      64,
-		Protocol: layers.IPProtocolTCP,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-	}
-
-	tcpLayer := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-		SYN:     true,
-		ACK:     true,
-		Window:  65535,
-		Options: []layers.TCPOption{
-			{
-				OptionType:   layers.TCPOptionKindMSS,
-				OptionLength: 4,
-				OptionData:   binary.BigEndian.AppendUint16(nil, mss),
-			},
-		},
-	}
-	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
-	require.NoError(tb, err)
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
-	require.NoError(tb, err)
-
-	return buf.Bytes()
-}
-
-func generateTCPPacketWithFlags(tb testing.TB, srcIP, dstIP net.IP, srcPort, dstPort uint16, flags uint16) []byte {
-	tb.Helper()
-
-	ipLayer := &layers.IPv4{
-		Version:  4,
-		TTL:      64,
-		Protocol: layers.IPProtocolTCP,
-		SrcIP:    srcIP,
-		DstIP:    dstIP,
-	}
-
-	tcpLayer := &layers.TCP{
-		SrcPort: layers.TCPPort(srcPort),
-		DstPort: layers.TCPPort(dstPort),
-		Window:  65535,
-	}
-
-	if flags&uint16(conntrack.TCPSyn) != 0 {
-		tcpLayer.SYN = true
-	}
-	if flags&uint16(conntrack.TCPAck) != 0 {
-		tcpLayer.ACK = true
-	}
-	if flags&uint16(conntrack.TCPFin) != 0 {
-		tcpLayer.FIN = true
-	}
-	if flags&uint16(conntrack.TCPRst) != 0 {
-		tcpLayer.RST = true
-	}
-	if flags&uint16(conntrack.TCPPush) != 0 {
-		tcpLayer.PSH = true
-	}
-
-	err := tcpLayer.SetNetworkLayerForChecksum(ipLayer)
-	require.NoError(tb, err)
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-	err = gopacket.SerializeLayers(buf, opts, ipLayer, tcpLayer, gopacket.Payload([]byte{}))
-	require.NoError(tb, err)
-
-	return buf.Bytes()
-}
-
-func TestShouldForward(t *testing.T) {
-	// Set up test addresses
-	wgIP := netip.MustParseAddr("100.10.0.1")
-	otherIP := netip.MustParseAddr("100.10.0.2")
-
-	// Create test manager with mock interface
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}
-	// Set the mock to return our test WG IP
-	ifaceMock.AddressFunc = func() wgaddr.Address {
-		return wgaddr.Address{IP: wgIP, Network: netip.PrefixFrom(wgIP, 24)}
-	}
-
-	manager, err := Create(ifaceMock, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	// Helper to create decoder with TCP packet
-	createTCPDecoder := func(dstPort uint16) *decoder {
-		ipv4 := &layers.IPv4{
-			Version:  4,
-			Protocol: layers.IPProtocolTCP,
-			SrcIP:    net.ParseIP("192.168.1.100"),
-			DstIP:    wgIP.AsSlice(),
-		}
-		tcp := &layers.TCP{
-			SrcPort: 54321,
-			DstPort: layers.TCPPort(dstPort),
-		}
-
-		err := tcp.SetNetworkLayerForChecksum(ipv4)
-		require.NoError(t, err)
-
-		buf := gopacket.NewSerializeBuffer()
-		opts := gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}
-		err = gopacket.SerializeLayers(buf, opts, ipv4, tcp, gopacket.Payload("test"))
-		require.NoError(t, err)
-
-		d := &decoder{
-			decoded: []gopacket.LayerType{},
-		}
-		d.parser = gopacket.NewDecodingLayerParser(
-			layers.LayerTypeIPv4,
-			&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-		)
-		d.parser.IgnoreUnsupported = true
-
-		err = d.parser.DecodeLayers(buf.Bytes(), &d.decoded)
-		require.NoError(t, err)
-
-		return d
-	}
-
-	tests := []struct {
-		name              string
-		localForwarding   bool
-		netstack          bool
-		dstIP             netip.Addr
-		serviceRegistered bool
-		servicePort       uint16
-		expected          bool
-		description       string
-	}{
-		{
-			name:            "no local forwarding",
-			localForwarding: false,
-			netstack:        true,
-			dstIP:           wgIP,
-			expected:        false,
-			description:     "should never forward when local forwarding disabled",
-		},
-		{
-			name:            "traffic to other local interface",
-			localForwarding: true,
-			netstack:        false,
-			dstIP:           otherIP,
-			expected:        true,
-			description:     "should forward traffic to our other local interfaces (not NetBird IP)",
-		},
-		{
-			name:            "traffic to NetBird IP, no netstack",
-			localForwarding: true,
-			netstack:        false,
-			dstIP:           wgIP,
-			expected:        false,
-			description:     "should send to netstack listeners (final return false path)",
-		},
-		{
-			name:            "traffic to our IP, netstack mode, no service",
-			localForwarding: true,
-			netstack:        true,
-			dstIP:           wgIP,
-			expected:        true,
-			description:     "should forward when in netstack mode with no matching service",
-		},
-		{
-			name:              "traffic to our IP, netstack mode, with service",
-			localForwarding:   true,
-			netstack:          true,
-			dstIP:             wgIP,
-			serviceRegistered: true,
-			servicePort:       22,
-			expected:          false,
-			description:       "should send to netstack listeners when service is registered",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// Configure manager
-			manager.localForwarding = tt.localForwarding
-			manager.netstack = tt.netstack
-
-			// Register service if needed
-			if tt.serviceRegistered {
-				manager.RegisterNetstackService(nftypes.TCP, tt.servicePort)
-				defer manager.UnregisterNetstackService(nftypes.TCP, tt.servicePort)
-			}
-
-			// Create decoder for the test
-			decoder := createTCPDecoder(tt.servicePort)
-			if !tt.serviceRegistered {
-				decoder = createTCPDecoder(8080) // Use non-registered port
-			}
-
-			// Test the method
-			result := manager.shouldForward(decoder, tt.dstIP)
-			require.Equal(t, tt.expected, result, tt.description)
-		})
-	}
-}

client/firewall/uspfilter/forwarder/forwarder.go

@@ -45,7 +45,7 @@ type Forwarder struct {
 	netstack     bool
 }
 
-func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool, mtu uint16) (*Forwarder, error) {
+func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.FlowLogger, netstack bool) (*Forwarder, error) {
 	s := stack.New(stack.Options{
 		NetworkProtocols: []stack.NetworkProtocolFactory{ipv4.NewProtocol},
 		TransportProtocols: []stack.TransportProtocolFactory{
@@ -56,6 +56,10 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 		HandleLocal: false,
 	})
 
+	mtu, err := iface.GetDevice().MTU()
+	if err != nil {
+		return nil, fmt.Errorf("get MTU: %w", err)
+	}
 	nicID := tcpip.NICID(1)
 	endpoint := &endpoint{
 		logger: logger,
@@ -64,7 +68,7 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	}
 
 	if err := s.CreateNIC(nicID, endpoint); err != nil {
-		return nil, fmt.Errorf("create NIC: %v", err)
+		return nil, fmt.Errorf("failed to create NIC: %v", err)
 	}
 
 	protoAddr := tcpip.ProtocolAddress{

client/firewall/uspfilter/forwarder/udp.go

@@ -49,7 +49,7 @@ type idleConn struct {
 	conn *udpPacketConn
 }
 
-func newUDPForwarder(mtu uint16, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
+func newUDPForwarder(mtu int, logger *nblog.Logger, flowLogger nftypes.FlowLogger) *udpForwarder {
 	ctx, cancel := context.WithCancel(context.Background())
 	f := &udpForwarder{
 		logger:     logger,

client/firewall/uspfilter/log/log.go

@@ -50,8 +50,6 @@ type logMessage struct {
 	arg4   any
 	arg5   any
 	arg6   any
-	arg7   any
-	arg8   any
 }
 
 // Logger is a high-performance, non-blocking logger
@@ -96,6 +94,7 @@ func (l *Logger) SetLevel(level Level) {
 	log.Debugf("Set uspfilter logger loglevel to %v", levelStrings[level])
 }
 
+
 func (l *Logger) Error(format string) {
 	if l.level.Load() >= uint32(LevelError) {
 		select {
@@ -186,15 +185,6 @@ func (l *Logger) Debug2(format string, arg1, arg2 any) {
 	}
 }
 
-func (l *Logger) Debug3(format string, arg1, arg2, arg3 any) {
-	if l.level.Load() >= uint32(LevelDebug) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelDebug, format: format, arg1: arg1, arg2: arg2, arg3: arg3}:
-		default:
-		}
-	}
-}
-
 func (l *Logger) Trace1(format string, arg1 any) {
 	if l.level.Load() >= uint32(LevelTrace) {
 		select {
@@ -249,16 +239,6 @@ func (l *Logger) Trace6(format string, arg1, arg2, arg3, arg4, arg5, arg6 any) {
 	}
 }
 
-// Trace8 logs a trace message with 8 arguments (8 placeholder in format string)
-func (l *Logger) Trace8(format string, arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8 any) {
-	if l.level.Load() >= uint32(LevelTrace) {
-		select {
-		case l.msgChannel <- logMessage{level: LevelTrace, format: format, arg1: arg1, arg2: arg2, arg3: arg3, arg4: arg4, arg5: arg5, arg6: arg6, arg7: arg7, arg8: arg8}:
-		default:
-		}
-	}
-}
-
 func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 	*buf = (*buf)[:0]
 	*buf = time.Now().AppendFormat(*buf, "2006-01-02T15:04:05-07:00")
@@ -280,12 +260,6 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 						argCount++
 						if msg.arg6 != nil {
 							argCount++
-							if msg.arg7 != nil {
-								argCount++
-								if msg.arg8 != nil {
-									argCount++
-								}
-							}
 						}
 					}
 				}
@@ -309,10 +283,6 @@ func (l *Logger) formatMessage(buf *[]byte, msg logMessage) {
 		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5)
 	case 6:
 		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6)
-	case 7:
-		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6, msg.arg7)
-	case 8:
-		formatted = fmt.Sprintf(msg.format, msg.arg1, msg.arg2, msg.arg3, msg.arg4, msg.arg5, msg.arg6, msg.arg7, msg.arg8)
 	}
 
 	*buf = append(*buf, formatted...)
@@ -420,4 +390,4 @@ func (l *Logger) Stop(ctx context.Context) error {
 	case <-done:
 		return nil
 	}
-}
+}

client/firewall/uspfilter/nat.go

@@ -5,9 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/netip"
-	"slices"
 
-	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -15,21 +13,6 @@ import (
 
 var ErrIPv4Only = errors.New("only IPv4 is supported for DNAT")
 
-var (
-	errInvalidIPHeaderLength = errors.New("invalid IP header length")
-)
-
-const (
-	// Port offsets in TCP/UDP headers
-	sourcePortOffset      = 0
-	destinationPortOffset = 2
-
-	// IP address offsets in IPv4 header
-	sourceIPOffset      = 12
-	destinationIPOffset = 16
-)
-
-// ipv4Checksum calculates IPv4 header checksum.
 func ipv4Checksum(header []byte) uint16 {
 	if len(header) < 20 {
 		return 0
@@ -69,7 +52,6 @@ func ipv4Checksum(header []byte) uint16 {
 	return ^uint16(sum)
 }
 
-// icmpChecksum calculates ICMP checksum.
 func icmpChecksum(data []byte) uint16 {
 	var sum1, sum2, sum3, sum4 uint32
 	i := 0
@@ -107,21 +89,11 @@ func icmpChecksum(data []byte) uint16 {
 	return ^uint16(sum)
 }
 
-// biDNATMap maintains bidirectional DNAT mappings.
 type biDNATMap struct {
 	forward map[netip.Addr]netip.Addr
 	reverse map[netip.Addr]netip.Addr
 }
 
-// portDNATRule represents a port-specific DNAT rule.
-type portDNATRule struct {
-	protocol   gopacket.LayerType
-	origPort   uint16
-	targetPort uint16
-	targetIP   netip.Addr
-}
-
-// newBiDNATMap creates a new bidirectional DNAT mapping structure.
 func newBiDNATMap() *biDNATMap {
 	return &biDNATMap{
 		forward: make(map[netip.Addr]netip.Addr),
@@ -129,13 +101,11 @@ func newBiDNATMap() *biDNATMap {
 	}
 }
 
-// set adds a bidirectional DNAT mapping between original and translated addresses.
 func (b *biDNATMap) set(original, translated netip.Addr) {
 	b.forward[original] = translated
 	b.reverse[translated] = original
 }
 
-// delete removes a bidirectional DNAT mapping for the given original address.
 func (b *biDNATMap) delete(original netip.Addr) {
 	if translated, exists := b.forward[original]; exists {
 		delete(b.forward, original)
@@ -143,25 +113,19 @@ func (b *biDNATMap) delete(original netip.Addr) {
 	}
 }
 
-// getTranslated returns the translated address for a given original address.
 func (b *biDNATMap) getTranslated(original netip.Addr) (netip.Addr, bool) {
 	translated, exists := b.forward[original]
 	return translated, exists
 }
 
-// getOriginal returns the original address for a given translated address.
 func (b *biDNATMap) getOriginal(translated netip.Addr) (netip.Addr, bool) {
 	original, exists := b.reverse[translated]
 	return original, exists
 }
 
-// AddInternalDNATMapping adds a 1:1 IP address mapping for internal DNAT translation.
 func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr) error {
-	if !originalAddr.IsValid() {
-		return fmt.Errorf("invalid original IP address")
-	}
-	if !translatedAddr.IsValid() {
-		return fmt.Errorf("invalid translated IP address")
+	if !originalAddr.IsValid() || !translatedAddr.IsValid() {
+		return fmt.Errorf("invalid IP addresses")
 	}
 
 	if m.localipmanager.IsLocalIP(translatedAddr) {
@@ -171,6 +135,7 @@ func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr
 	m.dnatMutex.Lock()
 	defer m.dnatMutex.Unlock()
 
+	// Initialize both maps together if either is nil
 	if m.dnatMappings == nil || m.dnatBiMap == nil {
 		m.dnatMappings = make(map[netip.Addr]netip.Addr)
 		m.dnatBiMap = newBiDNATMap()
@@ -186,7 +151,7 @@ func (m *Manager) AddInternalDNATMapping(originalAddr, translatedAddr netip.Addr
 	return nil
 }
 
-// RemoveInternalDNATMapping removes a 1:1 IP address mapping.
+// RemoveInternalDNATMapping removes a 1:1 IP address mapping
 func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
 	m.dnatMutex.Lock()
 	defer m.dnatMutex.Unlock()
@@ -204,7 +169,7 @@ func (m *Manager) RemoveInternalDNATMapping(originalAddr netip.Addr) error {
 	return nil
 }
 
-// getDNATTranslation returns the translated address if a mapping exists.
+// getDNATTranslation returns the translated address if a mapping exists
 func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
 	if !m.dnatEnabled.Load() {
 		return addr, false
@@ -216,7 +181,7 @@ func (m *Manager) getDNATTranslation(addr netip.Addr) (netip.Addr, bool) {
 	return translated, exists
 }
 
-// findReverseDNATMapping finds original address for return traffic.
+// findReverseDNATMapping finds original address for return traffic
 func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr, bool) {
 	if !m.dnatEnabled.Load() {
 		return translatedAddr, false
@@ -228,12 +193,16 @@ func (m *Manager) findReverseDNATMapping(translatedAddr netip.Addr) (netip.Addr,
 	return original, exists
 }
 
-// translateOutboundDNAT applies DNAT translation to outbound packets.
+// translateOutboundDNAT applies DNAT translation to outbound packets
 func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	if !m.dnatEnabled.Load() {
 		return false
 	}
 
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
 	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
 
 	translatedIP, exists := m.getDNATTranslation(dstIP)
@@ -241,8 +210,8 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 		return false
 	}
 
-	if err := m.rewritePacketIP(packetData, d, translatedIP, destinationIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet destination: %v", err)
+	if err := m.rewritePacketDestination(packetData, d, translatedIP); err != nil {
+		m.logger.Error1("Failed to rewrite packet destination: %v", err)
 		return false
 	}
 
@@ -250,12 +219,16 @@ func (m *Manager) translateOutboundDNAT(packetData []byte, d *decoder) bool {
 	return true
 }
 
-// translateInboundReverse applies reverse DNAT to inbound return traffic.
+// translateInboundReverse applies reverse DNAT to inbound return traffic
 func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	if !m.dnatEnabled.Load() {
 		return false
 	}
 
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
+		return false
+	}
+
 	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
 
 	originalIP, exists := m.findReverseDNATMapping(srcIP)
@@ -263,8 +236,8 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 		return false
 	}
 
-	if err := m.rewritePacketIP(packetData, d, originalIP, sourceIPOffset); err != nil {
-		m.logger.Error1("failed to rewrite packet source: %v", err)
+	if err := m.rewritePacketSource(packetData, d, originalIP); err != nil {
+		m.logger.Error1("Failed to rewrite packet source: %v", err)
 		return false
 	}
 
@@ -272,21 +245,21 @@ func (m *Manager) translateInboundReverse(packetData []byte, d *decoder) bool {
 	return true
 }
 
-// rewritePacketIP replaces an IP address (source or destination) in the packet and updates checksums.
-func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Addr, ipOffset int) error {
-	if !newIP.Is4() {
+// rewritePacketDestination replaces destination IP in the packet
+func (m *Manager) rewritePacketDestination(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
 		return ErrIPv4Only
 	}
 
-	var oldIP [4]byte
-	copy(oldIP[:], packetData[ipOffset:ipOffset+4])
-	newIPBytes := newIP.As4()
+	var oldDst [4]byte
+	copy(oldDst[:], packetData[16:20])
+	newDst := newIP.As4()
 
-	copy(packetData[ipOffset:ipOffset+4], newIPBytes[:])
+	copy(packetData[16:20], newDst[:])
 
 	ipHeaderLen := int(d.ip4.IHL) * 4
 	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
+		return fmt.Errorf("invalid IP header length")
 	}
 
 	binary.BigEndian.PutUint16(packetData[10:12], 0)
@@ -296,9 +269,44 @@ func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Add
 	if len(d.decoded) > 1 {
 		switch d.decoded[1] {
 		case layers.LayerTypeTCP:
-			m.updateTCPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
 		case layers.LayerTypeUDP:
-			m.updateUDPChecksum(packetData, ipHeaderLen, oldIP[:], newIPBytes[:])
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldDst[:], newDst[:])
+		case layers.LayerTypeICMPv4:
+			m.updateICMPChecksum(packetData, ipHeaderLen)
+		}
+	}
+
+	return nil
+}
+
+// rewritePacketSource replaces the source IP address in the packet
+func (m *Manager) rewritePacketSource(packetData []byte, d *decoder, newIP netip.Addr) error {
+	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 || !newIP.Is4() {
+		return ErrIPv4Only
+	}
+
+	var oldSrc [4]byte
+	copy(oldSrc[:], packetData[12:16])
+	newSrc := newIP.As4()
+
+	copy(packetData[12:16], newSrc[:])
+
+	ipHeaderLen := int(d.ip4.IHL) * 4
+	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
+		return fmt.Errorf("invalid IP header length")
+	}
+
+	binary.BigEndian.PutUint16(packetData[10:12], 0)
+	ipChecksum := ipv4Checksum(packetData[:ipHeaderLen])
+	binary.BigEndian.PutUint16(packetData[10:12], ipChecksum)
+
+	if len(d.decoded) > 1 {
+		switch d.decoded[1] {
+		case layers.LayerTypeTCP:
+			m.updateTCPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
+		case layers.LayerTypeUDP:
+			m.updateUDPChecksum(packetData, ipHeaderLen, oldSrc[:], newSrc[:])
 		case layers.LayerTypeICMPv4:
 			m.updateICMPChecksum(packetData, ipHeaderLen)
 		}
@@ -307,7 +315,6 @@ func (m *Manager) rewritePacketIP(packetData []byte, d *decoder, newIP netip.Add
 	return nil
 }
 
-// updateTCPChecksum updates TCP checksum after IP address change per RFC 1624.
 func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
 	tcpStart := ipHeaderLen
 	if len(packetData) < tcpStart+18 {
@@ -320,7 +327,6 @@ func (m *Manager) updateTCPChecksum(packetData []byte, ipHeaderLen int, oldIP, n
 	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
 }
 
-// updateUDPChecksum updates UDP checksum after IP address change per RFC 1624.
 func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, newIP []byte) {
 	udpStart := ipHeaderLen
 	if len(packetData) < udpStart+8 {
@@ -338,7 +344,6 @@ func (m *Manager) updateUDPChecksum(packetData []byte, ipHeaderLen int, oldIP, n
 	binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
 }
 
-// updateICMPChecksum recalculates ICMP checksum after packet modification.
 func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	icmpStart := ipHeaderLen
 	if len(packetData) < icmpStart+8 {
@@ -351,7 +356,7 @@ func (m *Manager) updateICMPChecksum(packetData []byte, ipHeaderLen int) {
 	binary.BigEndian.PutUint16(icmpData[2:4], checksum)
 }
 
-// incrementalUpdate performs incremental checksum update per RFC 1624.
+// incrementalUpdate performs incremental checksum update per RFC 1624
 func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	sum := uint32(^oldChecksum)
 
@@ -386,7 +391,7 @@ func incrementalUpdate(oldChecksum uint16, oldBytes, newBytes []byte) uint16 {
 	return ^uint16(sum)
 }
 
-// AddDNATRule adds outbound DNAT rule for forwarding external traffic to NetBird network.
+// AddDNATRule adds a DNAT rule (delegates to native firewall for port forwarding)
 func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error) {
 	if m.nativeFirewall == nil {
 		return nil, errNatNotSupported
@@ -394,184 +399,10 @@ func (m *Manager) AddDNATRule(rule firewall.ForwardRule) (firewall.Rule, error)
 	return m.nativeFirewall.AddDNATRule(rule)
 }
 
-// DeleteDNATRule deletes outbound DNAT rule.
+// DeleteDNATRule deletes a DNAT rule (delegates to native firewall)
 func (m *Manager) DeleteDNATRule(rule firewall.Rule) error {
 	if m.nativeFirewall == nil {
 		return errNatNotSupported
 	}
 	return m.nativeFirewall.DeleteDNATRule(rule)
 }
-
-// addPortRedirection adds a port redirection rule.
-func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
-	m.portDNATMutex.Lock()
-	defer m.portDNATMutex.Unlock()
-
-	rule := portDNATRule{
-		protocol:   protocol,
-		origPort:   sourcePort,
-		targetPort: targetPort,
-		targetIP:   targetIP,
-	}
-
-	m.portDNATRules = append(m.portDNATRules, rule)
-	m.portDNATEnabled.Store(true)
-
-	return nil
-}
-
-// AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	var layerType gopacket.LayerType
-	switch protocol {
-	case firewall.ProtocolTCP:
-		layerType = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		layerType = layers.LayerTypeUDP
-	default:
-		return fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-
-	return m.addPortRedirection(localAddr, layerType, sourcePort, targetPort)
-}
-
-// removePortRedirection removes a port redirection rule.
-func (m *Manager) removePortRedirection(targetIP netip.Addr, protocol gopacket.LayerType, sourcePort, targetPort uint16) error {
-	m.portDNATMutex.Lock()
-	defer m.portDNATMutex.Unlock()
-
-	m.portDNATRules = slices.DeleteFunc(m.portDNATRules, func(rule portDNATRule) bool {
-		return rule.protocol == protocol && rule.origPort == sourcePort && rule.targetPort == targetPort && rule.targetIP.Compare(targetIP) == 0
-	})
-
-	if len(m.portDNATRules) == 0 {
-		m.portDNATEnabled.Store(false)
-	}
-
-	return nil
-}
-
-// RemoveInboundDNAT removes an inbound DNAT rule.
-func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	var layerType gopacket.LayerType
-	switch protocol {
-	case firewall.ProtocolTCP:
-		layerType = layers.LayerTypeTCP
-	case firewall.ProtocolUDP:
-		layerType = layers.LayerTypeUDP
-	default:
-		return fmt.Errorf("unsupported protocol: %s", protocol)
-	}
-
-	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
-}
-
-// translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
-func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
-	if !m.portDNATEnabled.Load() {
-		return false
-	}
-
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		dstPort := uint16(d.tcp.DstPort)
-		return m.applyPortRule(packetData, d, srcIP, dstIP, dstPort, layers.LayerTypeTCP, m.rewriteTCPPort)
-	case layers.LayerTypeUDP:
-		dstPort := uint16(d.udp.DstPort)
-		return m.applyPortRule(packetData, d, netip.Addr{}, dstIP, dstPort, layers.LayerTypeUDP, m.rewriteUDPPort)
-	default:
-		return false
-	}
-}
-
-type portRewriteFunc func(packetData []byte, d *decoder, newPort uint16, portOffset int) error
-
-func (m *Manager) applyPortRule(packetData []byte, d *decoder, srcIP, dstIP netip.Addr, port uint16, protocol gopacket.LayerType, rewriteFn portRewriteFunc) bool {
-	m.portDNATMutex.RLock()
-	defer m.portDNATMutex.RUnlock()
-
-	for _, rule := range m.portDNATRules {
-		if rule.protocol != protocol || rule.targetIP.Compare(dstIP) != 0 {
-			continue
-		}
-
-		if rule.targetPort == port && rule.targetIP.Compare(srcIP) == 0 {
-			return false
-		}
-
-		if rule.origPort != port {
-			continue
-		}
-
-		if err := rewriteFn(packetData, d, rule.targetPort, destinationPortOffset); err != nil {
-			m.logger.Error1("failed to rewrite port: %v", err)
-			return false
-		}
-		d.dnatOrigPort = rule.origPort
-		return true
-	}
-	return false
-}
-
-// rewriteTCPPort rewrites a TCP port (source or destination) and updates checksum.
-func (m *Manager) rewriteTCPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	tcpStart := ipHeaderLen
-	if len(packetData) < tcpStart+4 {
-		return fmt.Errorf("packet too short for TCP header")
-	}
-
-	portStart := tcpStart + portOffset
-	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
-	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
-
-	if len(packetData) >= tcpStart+18 {
-		checksumOffset := tcpStart + 16
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-
-		var oldPortBytes, newPortBytes [2]byte
-		binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-		binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-		newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-		binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-	}
-
-	return nil
-}
-
-// rewriteUDPPort rewrites a UDP port (source or destination) and updates checksum.
-func (m *Manager) rewriteUDPPort(packetData []byte, d *decoder, newPort uint16, portOffset int) error {
-	ipHeaderLen := int(d.ip4.IHL) * 4
-	if ipHeaderLen < 20 || ipHeaderLen > len(packetData) {
-		return errInvalidIPHeaderLength
-	}
-
-	udpStart := ipHeaderLen
-	if len(packetData) < udpStart+8 {
-		return fmt.Errorf("packet too short for UDP header")
-	}
-
-	portStart := udpStart + portOffset
-	oldPort := binary.BigEndian.Uint16(packetData[portStart : portStart+2])
-	binary.BigEndian.PutUint16(packetData[portStart:portStart+2], newPort)
-
-	checksumOffset := udpStart + 6
-	if len(packetData) >= udpStart+8 {
-		oldChecksum := binary.BigEndian.Uint16(packetData[checksumOffset : checksumOffset+2])
-		if oldChecksum != 0 {
-			var oldPortBytes, newPortBytes [2]byte
-			binary.BigEndian.PutUint16(oldPortBytes[:], oldPort)
-			binary.BigEndian.PutUint16(newPortBytes[:], newPort)
-
-			newChecksum := incrementalUpdate(oldChecksum, oldPortBytes[:], newPortBytes[:])
-			binary.BigEndian.PutUint16(packetData[checksumOffset:checksumOffset+2], newChecksum)
-		}
-	}
-
-	return nil
-}

client/firewall/uspfilter/nat_bench_test.go

@@ -12,7 +12,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -66,7 +65,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 		b.Run(sc.name, func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -126,7 +125,7 @@ func BenchmarkDNATTranslation(b *testing.B) {
 func BenchmarkDNATConcurrency(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -198,7 +197,7 @@ func BenchmarkDNATScaling(b *testing.B) {
 		b.Run(fmt.Sprintf("mappings_%d", count), func(b *testing.B) {
 			manager, err := Create(&IFaceMock{
 				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
+			}, false, flowLogger)
 			require.NoError(b, err)
 			defer func() {
 				require.NoError(b, manager.Close(nil))
@@ -310,7 +309,7 @@ func BenchmarkChecksumUpdate(b *testing.B) {
 func BenchmarkDNATMemoryAllocations(b *testing.B) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(b, err)
 	defer func() {
 		require.NoError(b, manager.Close(nil))
@@ -415,127 +414,3 @@ func BenchmarkChecksumOptimizations(b *testing.B) {
 		}
 	})
 }
-
-// BenchmarkPortDNAT measures the performance of port DNAT operations
-func BenchmarkPortDNAT(b *testing.B) {
-	scenarios := []struct {
-		name         string
-		proto        layers.IPProtocol
-		setupDNAT    bool
-		useMatchPort bool
-		description  string
-	}{
-		{
-			name:         "tcp_inbound_dnat_match",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    true,
-			useMatchPort: true,
-			description:  "TCP inbound port DNAT translation (22 → 22022)",
-		},
-		{
-			name:         "tcp_inbound_dnat_nomatch",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    true,
-			useMatchPort: false,
-			description:  "TCP inbound with DNAT configured but no port match",
-		},
-		{
-			name:         "tcp_inbound_no_dnat",
-			proto:        layers.IPProtocolTCP,
-			setupDNAT:    false,
-			useMatchPort: false,
-			description:  "TCP inbound without DNAT (baseline)",
-		},
-		{
-			name:         "udp_inbound_dnat_match",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    true,
-			useMatchPort: true,
-			description:  "UDP inbound port DNAT translation (5353 → 22054)",
-		},
-		{
-			name:         "udp_inbound_dnat_nomatch",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    true,
-			useMatchPort: false,
-			description:  "UDP inbound with DNAT configured but no port match",
-		},
-		{
-			name:         "udp_inbound_no_dnat",
-			proto:        layers.IPProtocolUDP,
-			setupDNAT:    false,
-			useMatchPort: false,
-			description:  "UDP inbound without DNAT (baseline)",
-		},
-	}
-
-	for _, sc := range scenarios {
-		b.Run(sc.name, func(b *testing.B) {
-			manager, err := Create(&IFaceMock{
-				SetFilterFunc: func(device.PacketFilter) error { return nil },
-			}, false, flowLogger, iface.DefaultMTU)
-			require.NoError(b, err)
-			defer func() {
-				require.NoError(b, manager.Close(nil))
-			}()
-
-			// Set logger to error level to reduce noise during benchmarking
-			manager.SetLogLevel(log.ErrorLevel)
-			defer func() {
-				// Restore to info level after benchmark
-				manager.SetLogLevel(log.InfoLevel)
-			}()
-
-			localAddr := netip.MustParseAddr("100.0.2.175")
-			clientIP := netip.MustParseAddr("100.0.169.249")
-
-			var origPort, targetPort, testPort uint16
-			if sc.proto == layers.IPProtocolTCP {
-				origPort, targetPort = 22, 22022
-			} else {
-				origPort, targetPort = 5353, 22054
-			}
-
-			if sc.useMatchPort {
-				testPort = origPort
-			} else {
-				testPort = 443 // Different port
-			}
-
-			// Setup port DNAT mapping if needed
-			if sc.setupDNAT {
-				err := manager.AddInboundDNAT(localAddr, protocolToFirewall(sc.proto), origPort, targetPort)
-				require.NoError(b, err)
-			}
-
-			// Pre-establish inbound connection for outbound reverse test
-			if sc.setupDNAT && sc.useMatchPort {
-				inboundPacket := generateDNATTestPacket(b, clientIP, localAddr, sc.proto, 54321, origPort)
-				manager.filterInbound(inboundPacket, 0)
-			}
-
-			b.ResetTimer()
-			b.ReportAllocs()
-
-			// Benchmark inbound DNAT translation
-			b.Run("inbound", func(b *testing.B) {
-				for i := 0; i < b.N; i++ {
-					// Create fresh packet each time
-					packet := generateDNATTestPacket(b, clientIP, localAddr, sc.proto, 54321, testPort)
-					manager.filterInbound(packet, 0)
-				}
-			})
-
-			// Benchmark outbound reverse DNAT translation (only if DNAT is set up and port matches)
-			if sc.setupDNAT && sc.useMatchPort {
-				b.Run("outbound_reverse", func(b *testing.B) {
-					for i := 0; i < b.N; i++ {
-						// Create fresh return packet (from target port)
-						packet := generateDNATTestPacket(b, localAddr, clientIP, sc.proto, targetPort, 54321)
-						manager.filterOutbound(packet, 0)
-					}
-				})
-			}
-		})
-	}
-}

client/firewall/uspfilter/nat_stateful_test.go

@@ -1,85 +0,0 @@
-package uspfilter
-
-import (
-	"net/netip"
-	"testing"
-
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/iface"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-// TestPortDNATBasic tests basic port DNAT functionality
-func TestPortDNATBasic(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	// Define peer IPs
-	peerA := netip.MustParseAddr("100.10.0.50")
-	peerB := netip.MustParseAddr("100.10.0.51")
-
-	// Add SSH port redirection rule for peer B (the target)
-	err = manager.addPortRedirection(peerB, layers.LayerTypeTCP, 22, 22022)
-	require.NoError(t, err)
-
-	// Scenario: Peer A connects to Peer B on port 22 (should get NAT)
-	packetAtoB := generateDNATTestPacket(t, peerA, peerB, layers.IPProtocolTCP, 54321, 22)
-	d := parsePacket(t, packetAtoB)
-	translatedAtoB := manager.translateInboundPortDNAT(packetAtoB, d, peerA, peerB)
-	require.True(t, translatedAtoB, "Peer A to Peer B should be translated (NAT applied)")
-
-	// Verify port was translated to 22022
-	d = parsePacket(t, packetAtoB)
-	require.Equal(t, uint16(22022), uint16(d.tcp.DstPort), "Port should be rewritten to 22022")
-
-	// Scenario: Return traffic from Peer B to Peer A should NOT be translated
-	// (prevents double NAT - original port stored in conntrack)
-	returnPacket := generateDNATTestPacket(t, peerB, peerA, layers.IPProtocolTCP, 22022, 54321)
-	d2 := parsePacket(t, returnPacket)
-	translatedReturn := manager.translateInboundPortDNAT(returnPacket, d2, peerB, peerA)
-	require.False(t, translatedReturn, "Return traffic from same IP should not be translated")
-}
-
-// TestPortDNATMultipleRules tests multiple port DNAT rules
-func TestPortDNATMultipleRules(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	// Define peer IPs
-	peerA := netip.MustParseAddr("100.10.0.50")
-	peerB := netip.MustParseAddr("100.10.0.51")
-
-	// Add SSH port redirection rules for both peers
-	err = manager.addPortRedirection(peerA, layers.LayerTypeTCP, 22, 22022)
-	require.NoError(t, err)
-	err = manager.addPortRedirection(peerB, layers.LayerTypeTCP, 22, 22022)
-	require.NoError(t, err)
-
-	// Test traffic to peer B gets translated
-	packetToB := generateDNATTestPacket(t, peerA, peerB, layers.IPProtocolTCP, 54321, 22)
-	d1 := parsePacket(t, packetToB)
-	translatedToB := manager.translateInboundPortDNAT(packetToB, d1, peerA, peerB)
-	require.True(t, translatedToB, "Traffic to peer B should be translated")
-	d1 = parsePacket(t, packetToB)
-	require.Equal(t, uint16(22022), uint16(d1.tcp.DstPort), "Port should be 22022")
-
-	// Test traffic to peer A gets translated
-	packetToA := generateDNATTestPacket(t, peerB, peerA, layers.IPProtocolTCP, 54322, 22)
-	d2 := parsePacket(t, packetToA)
-	translatedToA := manager.translateInboundPortDNAT(packetToA, d2, peerB, peerA)
-	require.True(t, translatedToA, "Traffic to peer A should be translated")
-	d2 = parsePacket(t, packetToA)
-	require.Equal(t, uint16(22022), uint16(d2.tcp.DstPort), "Port should be 22022")
-}

client/firewall/uspfilter/nat_test.go

@@ -8,8 +8,6 @@ import (
 	"github.com/google/gopacket/layers"
 	"github.com/stretchr/testify/require"
 
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 )
 
@@ -17,7 +15,7 @@ import (
 func TestDNATTranslationCorrectness(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -101,7 +99,7 @@ func parsePacket(t testing.TB, packetData []byte) *decoder {
 func TestDNATMappingManagement(t *testing.T) {
 	manager, err := Create(&IFaceMock{
 		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
+	}, false, flowLogger)
 	require.NoError(t, err)
 	defer func() {
 		require.NoError(t, manager.Close(nil))
@@ -145,111 +143,3 @@ func TestDNATMappingManagement(t *testing.T) {
 	err = manager.RemoveInternalDNATMapping(originalIP)
 	require.Error(t, err, "Should error when removing non-existent mapping")
 }
-
-func TestInboundPortDNAT(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	localAddr := netip.MustParseAddr("100.0.2.175")
-	clientIP := netip.MustParseAddr("100.0.169.249")
-
-	testCases := []struct {
-		name       string
-		protocol   layers.IPProtocol
-		sourcePort uint16
-		targetPort uint16
-	}{
-		{"TCP SSH", layers.IPProtocolTCP, 22, 22022},
-		{"UDP DNS", layers.IPProtocolUDP, 5353, 22054},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			err := manager.AddInboundDNAT(localAddr, protocolToFirewall(tc.protocol), tc.sourcePort, tc.targetPort)
-			require.NoError(t, err)
-
-			inboundPacket := generateDNATTestPacket(t, clientIP, localAddr, tc.protocol, 54321, tc.sourcePort)
-			d := parsePacket(t, inboundPacket)
-
-			translated := manager.translateInboundPortDNAT(inboundPacket, d, clientIP, localAddr)
-			require.True(t, translated, "Inbound packet should be translated")
-
-			d = parsePacket(t, inboundPacket)
-			var dstPort uint16
-			switch tc.protocol {
-			case layers.IPProtocolTCP:
-				dstPort = uint16(d.tcp.DstPort)
-			case layers.IPProtocolUDP:
-				dstPort = uint16(d.udp.DstPort)
-			}
-
-			require.Equal(t, tc.targetPort, dstPort, "Destination port should be rewritten to target port")
-
-			err = manager.RemoveInboundDNAT(localAddr, protocolToFirewall(tc.protocol), tc.sourcePort, tc.targetPort)
-			require.NoError(t, err)
-		})
-	}
-}
-
-func TestInboundPortDNATNegative(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, iface.DefaultMTU)
-	require.NoError(t, err)
-	defer func() {
-		require.NoError(t, manager.Close(nil))
-	}()
-
-	localAddr := netip.MustParseAddr("100.0.2.175")
-	clientIP := netip.MustParseAddr("100.0.169.249")
-
-	err = manager.AddInboundDNAT(localAddr, firewall.ProtocolTCP, 22, 22022)
-	require.NoError(t, err)
-
-	testCases := []struct {
-		name     string
-		protocol layers.IPProtocol
-		srcIP    netip.Addr
-		dstIP    netip.Addr
-		srcPort  uint16
-		dstPort  uint16
-	}{
-		{"Wrong port", layers.IPProtocolTCP, clientIP, localAddr, 54321, 80},
-		{"Wrong IP", layers.IPProtocolTCP, clientIP, netip.MustParseAddr("100.64.0.99"), 54321, 22},
-		{"Wrong protocol", layers.IPProtocolUDP, clientIP, localAddr, 54321, 22},
-		{"ICMP", layers.IPProtocolICMPv4, clientIP, localAddr, 0, 0},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			packet := generateDNATTestPacket(t, tc.srcIP, tc.dstIP, tc.protocol, tc.srcPort, tc.dstPort)
-			d := parsePacket(t, packet)
-
-			translated := manager.translateInboundPortDNAT(packet, d, tc.srcIP, tc.dstIP)
-			require.False(t, translated, "Packet should NOT be translated for %s", tc.name)
-
-			d = parsePacket(t, packet)
-			if tc.protocol == layers.IPProtocolTCP {
-				require.Equal(t, tc.dstPort, uint16(d.tcp.DstPort), "Port should remain unchanged")
-			} else if tc.protocol == layers.IPProtocolUDP {
-				require.Equal(t, tc.dstPort, uint16(d.udp.DstPort), "Port should remain unchanged")
-			}
-		})
-	}
-}
-
-func protocolToFirewall(proto layers.IPProtocol) firewall.Protocol {
-	switch proto {
-	case layers.IPProtocolTCP:
-		return firewall.ProtocolTCP
-	case layers.IPProtocolUDP:
-		return firewall.ProtocolUDP
-	default:
-		return firewall.ProtocolALL
-	}
-}

client/firewall/uspfilter/tracer.go

@@ -16,33 +16,25 @@ type PacketStage int
 
 const (
 	StageReceived PacketStage = iota
-	StageInboundPortDNAT
-	StageInbound1to1NAT
 	StageConntrack
 	StagePeerACL
 	StageRouting
 	StageRouteACL
 	StageForwarding
 	StageCompleted
-	StageOutbound1to1NAT
-	StageOutboundPortReverse
 )
 
 const msgProcessingCompleted = "Processing completed"
 
 func (s PacketStage) String() string {
 	return map[PacketStage]string{
-		StageReceived:            "Received",
-		StageInboundPortDNAT:     "Inbound Port DNAT",
-		StageInbound1to1NAT:      "Inbound 1:1 NAT",
-		StageConntrack:           "Connection Tracking",
-		StagePeerACL:             "Peer ACL",
-		StageRouting:             "Routing",
-		StageRouteACL:            "Route ACL",
-		StageForwarding:          "Forwarding",
-		StageCompleted:           "Completed",
-		StageOutbound1to1NAT:     "Outbound 1:1 NAT",
-		StageOutboundPortReverse: "Outbound DNAT Reverse",
+		StageReceived:   "Received",
+		StageConntrack:  "Connection Tracking",
+		StagePeerACL:    "Peer ACL",
+		StageRouting:    "Routing",
+		StageRouteACL:   "Route ACL",
+		StageForwarding: "Forwarding",
+		StageCompleted:  "Completed",
 	}[s]
 }
 
@@ -269,10 +261,6 @@ func (m *Manager) TracePacket(packetData []byte, direction fw.RuleDirection) *Pa
 }
 
 func (m *Manager) traceInbound(packetData []byte, trace *PacketTrace, d *decoder, srcIP netip.Addr, dstIP netip.Addr) *PacketTrace {
-	if m.handleInboundDNAT(trace, packetData, d, &srcIP, &dstIP) {
-		return trace
-	}
-
 	if m.stateful && m.handleConntrackState(trace, d, srcIP, dstIP) {
 		return trace
 	}
@@ -412,16 +400,7 @@ func (m *Manager) addForwardingResult(trace *PacketTrace, action, remoteAddr str
 }
 
 func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTrace {
-	d := m.decoders.Get().(*decoder)
-	defer m.decoders.Put(d)
-
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		trace.AddResult(StageCompleted, "Packet dropped - decode error", false)
-		return trace
-	}
-
-	m.handleOutboundDNAT(trace, packetData, d)
-
+	// will create or update the connection state
 	dropped := m.filterOutbound(packetData, 0)
 	if dropped {
 		trace.AddResult(StageCompleted, "Packet dropped by outgoing hook", false)
@@ -430,199 +409,3 @@ func (m *Manager) traceOutbound(packetData []byte, trace *PacketTrace) *PacketTr
 	}
 	return trace
 }
-
-func (m *Manager) handleInboundDNAT(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP *netip.Addr) bool {
-	portDNATApplied := m.traceInboundPortDNAT(trace, packetData, d)
-	if portDNATApplied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			trace.AddResult(StageInboundPortDNAT, "Failed to re-decode after port DNAT", false)
-			return true
-		}
-		*srcIP, *dstIP = m.extractIPs(d)
-		trace.DestinationPort = m.getDestPort(d)
-	}
-
-	nat1to1Applied := m.traceInbound1to1NAT(trace, packetData, d)
-	if nat1to1Applied {
-		if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-			trace.AddResult(StageInbound1to1NAT, "Failed to re-decode after 1:1 NAT", false)
-			return true
-		}
-		*srcIP, *dstIP = m.extractIPs(d)
-	}
-
-	return false
-}
-
-func (m *Manager) traceInboundPortDNAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.portDNATEnabled.Load() {
-		trace.AddResult(StageInboundPortDNAT, "Port DNAT not enabled", true)
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		trace.AddResult(StageInboundPortDNAT, "Not IPv4, skipping port DNAT", true)
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		trace.AddResult(StageInboundPortDNAT, "No transport layer, skipping port DNAT", true)
-		return false
-	}
-
-	protocol := d.decoded[1]
-	if protocol != layers.LayerTypeTCP && protocol != layers.LayerTypeUDP {
-		trace.AddResult(StageInboundPortDNAT, "Not TCP/UDP, skipping port DNAT", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-	var originalPort uint16
-	if protocol == layers.LayerTypeTCP {
-		originalPort = uint16(d.tcp.DstPort)
-	} else {
-		originalPort = uint16(d.udp.DstPort)
-	}
-
-	translated := m.translateInboundPortDNAT(packetData, d, srcIP, dstIP)
-	if translated {
-		ipHeaderLen := int((packetData[0] & 0x0F) * 4)
-		translatedPort := uint16(packetData[ipHeaderLen+2])<<8 | uint16(packetData[ipHeaderLen+3])
-
-		protoStr := "TCP"
-		if protocol == layers.LayerTypeUDP {
-			protoStr = "UDP"
-		}
-		msg := fmt.Sprintf("%s port DNAT applied: %s:%d -> %s:%d", protoStr, dstIP, originalPort, dstIP, translatedPort)
-		trace.AddResult(StageInboundPortDNAT, msg, true)
-		return true
-	}
-
-	trace.AddResult(StageInboundPortDNAT, "No matching port DNAT rule", true)
-	return false
-}
-
-func (m *Manager) traceInbound1to1NAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		trace.AddResult(StageInbound1to1NAT, "1:1 NAT not enabled", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-
-	translated := m.translateInboundReverse(packetData, d)
-	if translated {
-		m.dnatMutex.RLock()
-		translatedIP, exists := m.dnatBiMap.getOriginal(srcIP)
-		m.dnatMutex.RUnlock()
-
-		if exists {
-			msg := fmt.Sprintf("1:1 NAT reverse applied: %s -> %s", srcIP, translatedIP)
-			trace.AddResult(StageInbound1to1NAT, msg, true)
-			return true
-		}
-	}
-
-	trace.AddResult(StageInbound1to1NAT, "No matching 1:1 NAT rule", true)
-	return false
-}
-
-func (m *Manager) handleOutboundDNAT(trace *PacketTrace, packetData []byte, d *decoder) {
-	m.traceOutbound1to1NAT(trace, packetData, d)
-	m.traceOutboundPortReverse(trace, packetData, d)
-}
-
-func (m *Manager) traceOutbound1to1NAT(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.dnatEnabled.Load() {
-		trace.AddResult(StageOutbound1to1NAT, "1:1 NAT not enabled", true)
-		return false
-	}
-
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	translated := m.translateOutboundDNAT(packetData, d)
-	if translated {
-		m.dnatMutex.RLock()
-		translatedIP, exists := m.dnatMappings[dstIP]
-		m.dnatMutex.RUnlock()
-
-		if exists {
-			msg := fmt.Sprintf("1:1 NAT applied: %s -> %s", dstIP, translatedIP)
-			trace.AddResult(StageOutbound1to1NAT, msg, true)
-			return true
-		}
-	}
-
-	trace.AddResult(StageOutbound1to1NAT, "No matching 1:1 NAT rule", true)
-	return false
-}
-
-func (m *Manager) traceOutboundPortReverse(trace *PacketTrace, packetData []byte, d *decoder) bool {
-	if !m.portDNATEnabled.Load() {
-		trace.AddResult(StageOutboundPortReverse, "Port DNAT not enabled", true)
-		return false
-	}
-
-	if len(packetData) < 20 || d.decoded[0] != layers.LayerTypeIPv4 {
-		trace.AddResult(StageOutboundPortReverse, "Not IPv4, skipping port reverse", true)
-		return false
-	}
-
-	if len(d.decoded) < 2 {
-		trace.AddResult(StageOutboundPortReverse, "No transport layer, skipping port reverse", true)
-		return false
-	}
-
-	srcIP := netip.AddrFrom4([4]byte{packetData[12], packetData[13], packetData[14], packetData[15]})
-	dstIP := netip.AddrFrom4([4]byte{packetData[16], packetData[17], packetData[18], packetData[19]})
-
-	var origPort uint16
-	transport := d.decoded[1]
-	switch transport {
-	case layers.LayerTypeTCP:
-		srcPort := uint16(d.tcp.SrcPort)
-		dstPort := uint16(d.tcp.DstPort)
-		conn, exists := m.tcpTracker.GetConnection(dstIP, dstPort, srcIP, srcPort)
-		if exists {
-			origPort = uint16(conn.DNATOrigPort.Load())
-		}
-		if origPort != 0 {
-			msg := fmt.Sprintf("TCP DNAT reverse (tracked connection): %s:%d -> %s:%d", srcIP, srcPort, srcIP, origPort)
-			trace.AddResult(StageOutboundPortReverse, msg, true)
-			return true
-		}
-	case layers.LayerTypeUDP:
-		srcPort := uint16(d.udp.SrcPort)
-		dstPort := uint16(d.udp.DstPort)
-		conn, exists := m.udpTracker.GetConnection(dstIP, dstPort, srcIP, srcPort)
-		if exists {
-			origPort = uint16(conn.DNATOrigPort.Load())
-		}
-		if origPort != 0 {
-			msg := fmt.Sprintf("UDP DNAT reverse (tracked connection): %s:%d -> %s:%d", srcIP, srcPort, srcIP, origPort)
-			trace.AddResult(StageOutboundPortReverse, msg, true)
-			return true
-		}
-	default:
-		trace.AddResult(StageOutboundPortReverse, "Not TCP/UDP, skipping port reverse", true)
-		return false
-	}
-
-	trace.AddResult(StageOutboundPortReverse, "No tracked connection for DNAT reverse", true)
-	return false
-}
-
-func (m *Manager) getDestPort(d *decoder) uint16 {
-	if len(d.decoded) < 2 {
-		return 0
-	}
-	switch d.decoded[1] {
-	case layers.LayerTypeTCP:
-		return uint16(d.tcp.DstPort)
-	case layers.LayerTypeUDP:
-		return uint16(d.udp.DstPort)
-	default:
-		return 0
-	}
-}

client/firewall/uspfilter/tracer_test.go

@@ -10,7 +10,6 @@ import (
 	fw "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/conntrack"
 	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
@@ -45,7 +44,7 @@ func TestTracePacket(t *testing.T) {
 			},
 		}
 
-		m, err := Create(ifaceMock, false, flowLogger, iface.DefaultMTU)
+		m, err := Create(ifaceMock, false, flowLogger)
 		require.NoError(t, err)
 
 		if !statefulMode {
@@ -105,8 +104,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -129,8 +126,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -158,8 +153,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -186,8 +179,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -213,8 +204,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -239,8 +228,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -259,8 +246,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageRouteACL,
@@ -279,8 +264,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StageCompleted,
@@ -304,8 +287,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageCompleted,
 			},
@@ -320,8 +301,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageOutbound1to1NAT,
-				StageOutboundPortReverse,
 				StageCompleted,
 			},
 			expectedAllow: true,
@@ -340,8 +319,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -363,8 +340,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -387,8 +362,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -409,8 +382,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageConntrack,
 				StageRouting,
 				StagePeerACL,
@@ -435,8 +406,6 @@ func TestTracePacket(t *testing.T) {
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageInboundPortDNAT,
-				StageInbound1to1NAT,
 				StageRouting,
 				StagePeerACL,
 				StageCompleted,

client/grpc/dialer.go

@@ -4,15 +4,12 @@ import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
-	"errors"
-	"fmt"
 	"runtime"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
 	log "github.com/sirupsen/logrus"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/connectivity"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/keepalive"
@@ -20,9 +17,6 @@ import (
 	"github.com/netbirdio/netbird/util/embeddedroots"
 )
 
-// ErrConnectionShutdown indicates that the connection entered shutdown state before becoming ready
-var ErrConnectionShutdown = errors.New("connection shutdown before ready")
-
 // Backoff returns a backoff configuration for gRPC calls
 func Backoff(ctx context.Context) backoff.BackOff {
 	b := backoff.NewExponentialBackOff()
@@ -31,26 +25,6 @@ func Backoff(ctx context.Context) backoff.BackOff {
 	return backoff.WithContext(b, ctx)
 }
 
-// waitForConnectionReady blocks until the connection becomes ready or fails.
-// Returns an error if the connection times out, is cancelled, or enters shutdown state.
-func waitForConnectionReady(ctx context.Context, conn *grpc.ClientConn) error {
-	conn.Connect()
-
-	state := conn.GetState()
-	for state != connectivity.Ready && state != connectivity.Shutdown {
-		if !conn.WaitForStateChange(ctx, state) {
-			return fmt.Errorf("wait state change from %s: %w", state, ctx.Err())
-		}
-		state = conn.GetState()
-	}
-
-	if state == connectivity.Shutdown {
-		return ErrConnectionShutdown
-	}
-
-	return nil
-}
-
 // CreateConnection creates a gRPC client connection with the appropriate transport options.
 // The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
 func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, component string) (*grpc.ClientConn, error) {
@@ -68,24 +42,22 @@ func CreateConnection(ctx context.Context, addr string, tlsEnabled bool, compone
 		}))
 	}
 
-	conn, err := grpc.NewClient(
+	connCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
+	defer cancel()
+
+	conn, err := grpc.DialContext(
+		connCtx,
 		addr,
 		transportOption,
 		WithCustomDialer(tlsEnabled, component),
+		grpc.WithBlock(),
 		grpc.WithKeepaliveParams(keepalive.ClientParameters{
 			Time:    30 * time.Second,
 			Timeout: 10 * time.Second,
 		}),
 	)
 	if err != nil {
-		return nil, fmt.Errorf("new client: %w", err)
-	}
-
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-
-	if err := waitForConnectionReady(ctx, conn); err != nil {
-		_ = conn.Close()
+		log.Printf("DialContext error: %v", err)
 		return nil, err
 	}
 

client/grpc/dialer_generic.go

@@ -18,7 +18,7 @@ import (
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-func WithCustomDialer(_ bool, _ string) grpc.DialOption {
+func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
 	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
 		if runtime.GOOS == "linux" {
 			currentUser, err := user.Current()
@@ -36,6 +36,7 @@ func WithCustomDialer(_ bool, _ string) grpc.DialOption {
 
 		conn, err := nbnet.NewDialer().DialContext(ctx, "tcp", addr)
 		if err != nil {
+			log.Errorf("Failed to dial: %s", err)
 			return nil, fmt.Errorf("nbnet.NewDialer().DialContext: %w", err)
 		}
 		return conn, nil

client/internal/acl/manager.go

@@ -17,6 +17,7 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl/id"
+	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
@@ -82,6 +83,22 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap, dnsRout
 func (d *DefaultManager) applyPeerACLs(networkMap *mgmProto.NetworkMap) {
 	rules := networkMap.FirewallRules
 
+	enableSSH := networkMap.PeerConfig != nil &&
+		networkMap.PeerConfig.SshConfig != nil &&
+		networkMap.PeerConfig.SshConfig.SshEnabled
+
+	// If SSH enabled, add default firewall rule which accepts connection to any peer
+	// in the network by SSH (TCP port defined by ssh.DefaultSSHPort).
+	if enableSSH {
+		rules = append(rules, &mgmProto.FirewallRule{
+			PeerIP:    "0.0.0.0",
+			Direction: mgmProto.RuleDirection_IN,
+			Action:    mgmProto.RuleAction_ACCEPT,
+			Protocol:  mgmProto.RuleProtocol_TCP,
+			Port:      strconv.Itoa(ssh.DefaultSSHPort),
+		})
+	}
+
 	// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
 	// we have old version of management without rules handling, we should allow all traffic
 	if len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty {

client/internal/acl/manager_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/internal/acl/mocks"
 	"github.com/netbirdio/netbird/client/internal/netflow"
@@ -53,7 +52,7 @@ func TestDefaultManager(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -171,7 +170,7 @@ func TestDefaultManagerStateless(t *testing.T) {
 	}).AnyTimes()
 	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
 
-	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false, iface.DefaultMTU)
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
 	require.NoError(t, err)
 	defer func() {
 		err = fw.Close(nil)
@@ -272,3 +271,70 @@ func TestPortInfoEmpty(t *testing.T) {
 		})
 	}
 }
+
+func TestDefaultManagerEnableSSHRules(t *testing.T) {
+	networkMap := &mgmProto.NetworkMap{
+		PeerConfig: &mgmProto.PeerConfig{
+			SshConfig: &mgmProto.SSHConfig{
+				SshEnabled: true,
+			},
+		},
+		RemotePeers: []*mgmProto.RemotePeerConfig{
+			{AllowedIps: []string{"10.93.0.1"}},
+			{AllowedIps: []string{"10.93.0.2"}},
+			{AllowedIps: []string{"10.93.0.3"}},
+		},
+		FirewallRules: []*mgmProto.FirewallRule{
+			{
+				PeerIP:    "10.93.0.1",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.2",
+				Direction: mgmProto.RuleDirection_IN,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_TCP,
+			},
+			{
+				PeerIP:    "10.93.0.3",
+				Direction: mgmProto.RuleDirection_OUT,
+				Action:    mgmProto.RuleAction_ACCEPT,
+				Protocol:  mgmProto.RuleProtocol_UDP,
+			},
+		},
+	}
+
+	ctrl := gomock.NewController(t)
+	defer ctrl.Finish()
+
+	ifaceMock := mocks.NewMockIFaceMapper(ctrl)
+	ifaceMock.EXPECT().IsUserspaceBind().Return(true).AnyTimes()
+	ifaceMock.EXPECT().SetFilter(gomock.Any())
+	network := netip.MustParsePrefix("172.0.0.1/32")
+
+	ifaceMock.EXPECT().Name().Return("lo").AnyTimes()
+	ifaceMock.EXPECT().Address().Return(wgaddr.Address{
+		IP:      network.Addr(),
+		Network: network,
+	}).AnyTimes()
+	ifaceMock.EXPECT().GetWGDevice().Return(nil).AnyTimes()
+
+	fw, err := firewall.NewFirewall(ifaceMock, nil, flowLogger, false)
+	require.NoError(t, err)
+	defer func() {
+		err = fw.Close(nil)
+		require.NoError(t, err)
+	}()
+
+	acl := NewDefaultManager(fw)
+
+	acl.ApplyFiltering(networkMap, false)
+
+	expectedRules := 3
+	if fw.IsStateful() {
+		expectedRules = 3 // 2 inbound rules + SSH rule
+	}
+	assert.Equal(t, expectedRules, len(acl.peerRulesPairs))
+}

client/internal/connect.go

@@ -25,7 +25,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	cProto "github.com/netbirdio/netbird/client/proto"
 	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
@@ -35,6 +34,7 @@ import (
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	"github.com/netbirdio/netbird/util"
+	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/version"
 )
 
@@ -289,18 +289,15 @@ func (c *ConnectClient) run(mobileDependency MobileDependency, runningChan chan
 		}
 
 		<-engineCtx.Done()
-
 		c.engineMutex.Lock()
-		engine := c.engine
-		c.engine = nil
-		c.engineMutex.Unlock()
-
-		if engine != nil && engine.wgInterface != nil {
-			log.Infof("ensuring %s is removed, Netbird engine context cancelled", engine.wgInterface.Name())
-			if err := engine.Stop(); err != nil {
+		if c.engine != nil && c.engine.wgInterface != nil {
+			log.Infof("ensuring %s is removed, Netbird engine context cancelled", c.engine.wgInterface.Name())
+			if err := c.engine.Stop(); err != nil {
 				log.Errorf("Failed to stop engine: %v", err)
 			}
+			c.engine = nil
 		}
+		c.engineMutex.Unlock()
 		c.statusRecorder.ClientTeardown()
 
 		backOff.Reset()
@@ -385,12 +382,19 @@ func (c *ConnectClient) Status() StatusType {
 }
 
 func (c *ConnectClient) Stop() error {
-	engine := c.Engine()
-	if engine != nil {
-		if err := engine.Stop(); err != nil {
-			return fmt.Errorf("stop engine: %w", err)
-		}
+	if c == nil {
+		return nil
 	}
+	c.engineMutex.Lock()
+	defer c.engineMutex.Unlock()
+
+	if c.engine == nil {
+		return nil
+	}
+	if err := c.engine.Stop(); err != nil {
+		return fmt.Errorf("stop engine: %w", err)
+	}
+
 	return nil
 }
 
@@ -416,25 +420,20 @@ func createEngineConfig(key wgtypes.Key, config *profilemanager.Config, peerConf
 		nm = *config.NetworkMonitor
 	}
 	engineConf := &EngineConfig{
-		WgIfaceName:                   config.WgIface,
-		WgAddr:                        peerConfig.Address,
-		IFaceBlackList:                config.IFaceBlackList,
-		DisableIPv6Discovery:          config.DisableIPv6Discovery,
-		WgPrivateKey:                  key,
-		WgPort:                        config.WgPort,
-		NetworkMonitor:                nm,
-		SSHKey:                        []byte(config.SSHKey),
-		NATExternalIPs:                config.NATExternalIPs,
-		CustomDNSAddress:              config.CustomDNSAddress,
-		RosenpassEnabled:              config.RosenpassEnabled,
-		RosenpassPermissive:           config.RosenpassPermissive,
-		ServerSSHAllowed:              util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
-		EnableSSHRoot:                 config.EnableSSHRoot,
-		EnableSSHSFTP:                 config.EnableSSHSFTP,
-		EnableSSHLocalPortForwarding:  config.EnableSSHLocalPortForwarding,
-		EnableSSHRemotePortForwarding: config.EnableSSHRemotePortForwarding,
-		DisableSSHAuth:                config.DisableSSHAuth,
-		DNSRouteInterval:              config.DNSRouteInterval,
+		WgIfaceName:          config.WgIface,
+		WgAddr:               peerConfig.Address,
+		IFaceBlackList:       config.IFaceBlackList,
+		DisableIPv6Discovery: config.DisableIPv6Discovery,
+		WgPrivateKey:         key,
+		WgPort:               config.WgPort,
+		NetworkMonitor:       nm,
+		SSHKey:               []byte(config.SSHKey),
+		NATExternalIPs:       config.NATExternalIPs,
+		CustomDNSAddress:     config.CustomDNSAddress,
+		RosenpassEnabled:     config.RosenpassEnabled,
+		RosenpassPermissive:  config.RosenpassPermissive,
+		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
+		DNSRouteInterval:     config.DNSRouteInterval,
 
 		DisableClientRoutes: config.DisableClientRoutes,
 		DisableServerRoutes: config.DisableServerRoutes || config.BlockInbound,
@@ -520,11 +519,6 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
-		config.EnableSSHRoot,
-		config.EnableSSHSFTP,
-		config.EnableSSHLocalPortForwarding,
-		config.EnableSSHRemotePortForwarding,
-		config.DisableSSHAuth,
 	)
 	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/debug/debug.go

@@ -47,7 +47,7 @@ nftables.txt: Anonymized nftables rules with packet counters, if --system-info f
 resolved_domains.txt: Anonymized resolved domain IP addresses from the status recorder.
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
-state.json: Anonymized client state dump containing netbird states for the active profile.
+state.json: Anonymized client state dump containing netbird states.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
 block.prof: Block profiling information.
@@ -433,18 +433,6 @@ func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder)
 	if g.internalConfig.ServerSSHAllowed != nil {
 		configContent.WriteString(fmt.Sprintf("ServerSSHAllowed: %v\n", *g.internalConfig.ServerSSHAllowed))
 	}
-	if g.internalConfig.EnableSSHRoot != nil {
-		configContent.WriteString(fmt.Sprintf("EnableSSHRoot: %v\n", *g.internalConfig.EnableSSHRoot))
-	}
-	if g.internalConfig.EnableSSHSFTP != nil {
-		configContent.WriteString(fmt.Sprintf("EnableSSHSFTP: %v\n", *g.internalConfig.EnableSSHSFTP))
-	}
-	if g.internalConfig.EnableSSHLocalPortForwarding != nil {
-		configContent.WriteString(fmt.Sprintf("EnableSSHLocalPortForwarding: %v\n", *g.internalConfig.EnableSSHLocalPortForwarding))
-	}
-	if g.internalConfig.EnableSSHRemotePortForwarding != nil {
-		configContent.WriteString(fmt.Sprintf("EnableSSHRemotePortForwarding: %v\n", *g.internalConfig.EnableSSHRemotePortForwarding))
-	}
 
 	configContent.WriteString(fmt.Sprintf("DisableClientRoutes: %v\n", g.internalConfig.DisableClientRoutes))
 	configContent.WriteString(fmt.Sprintf("DisableServerRoutes: %v\n", g.internalConfig.DisableServerRoutes))
@@ -576,8 +564,6 @@ func (g *BundleGenerator) addStateFile() error {
 		return nil
 	}
 
-	log.Debugf("Adding state file from: %s", path)
-
 	data, err := os.ReadFile(path)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {

client/internal/dns/host_darwin.go

@@ -13,7 +13,6 @@ import (
 	"strings"
 
 	log "github.com/sirupsen/logrus"
-	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
@@ -51,21 +50,28 @@ func (s *systemConfigurator) supportCustomPort() bool {
 }
 
 func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
+	var err error
+
+	if err := stateManager.UpdateState(&ShutdownState{}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}
+
 	var (
 		searchDomains []string
 		matchDomains  []string
 	)
 
-	if err := s.recordSystemDNSSettings(true); err != nil {
+	err = s.recordSystemDNSSettings(true)
+	if err != nil {
 		log.Errorf("unable to update record of System's DNS config: %s", err.Error())
 	}
 
 	if config.RouteAll {
 		searchDomains = append(searchDomains, "\"\"")
-		if err := s.addLocalDNS(); err != nil {
-			log.Warnf("failed to add local DNS: %v", err)
+		err = s.addLocalDNS()
+		if err != nil {
+			log.Infof("failed to enable split DNS")
 		}
-		s.updateState(stateManager)
 	}
 
 	for _, dConf := range config.Domains {
@@ -80,7 +86,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	}
 
 	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	var err error
 	if len(matchDomains) != 0 {
 		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.ServerIP, config.ServerPort)
 	} else {
@@ -90,7 +95,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	if err != nil {
 		return fmt.Errorf("add match domains: %w", err)
 	}
-	s.updateState(stateManager)
 
 	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
 	if len(searchDomains) != 0 {
@@ -102,7 +106,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	if err != nil {
 		return fmt.Errorf("add search domains: %w", err)
 	}
-	s.updateState(stateManager)
 
 	if err := s.flushDNSCache(); err != nil {
 		log.Errorf("failed to flush DNS cache: %v", err)
@@ -111,12 +114,6 @@ func (s *systemConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *
 	return nil
 }
 
-func (s *systemConfigurator) updateState(stateManager *statemanager.Manager) {
-	if err := stateManager.UpdateState(&ShutdownState{CreatedKeys: maps.Keys(s.createdKeys)}); err != nil {
-		log.Errorf("failed to update shutdown state: %s", err)
-	}
-}
-
 func (s *systemConfigurator) string() string {
 	return "scutil"
 }
@@ -170,20 +167,18 @@ func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
 func (s *systemConfigurator) addLocalDNS() error {
 	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
 		if err := s.recordSystemDNSSettings(true); err != nil {
+			log.Errorf("Unable to get system DNS configuration")
 			return fmt.Errorf("recordSystemDNSSettings(): %w", err)
 		}
 	}
 	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-	if !s.systemDNSSettings.ServerIP.IsValid() || len(s.systemDNSSettings.Domains) == 0 {
+	if s.systemDNSSettings.ServerIP.IsValid() && len(s.systemDNSSettings.Domains) != 0 {
+		err := s.addSearchDomains(localKey, strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort)
+		if err != nil {
+			return fmt.Errorf("couldn't add local network DNS conf: %w", err)
+		}
+	} else {
 		log.Info("Not enabling local DNS server")
-		return nil
-	}
-
-	if err := s.addSearchDomains(
-		localKey,
-		strings.Join(s.systemDNSSettings.Domains, " "), s.systemDNSSettings.ServerIP, s.systemDNSSettings.ServerPort,
-	); err != nil {
-		return fmt.Errorf("add search domains: %w", err)
 	}
 
 	return nil

client/internal/dns/host_darwin_test.go

@@ -1,111 +0,0 @@
-//go:build !ios
-
-package dns
-
-import (
-	"context"
-	"net/netip"
-	"os/exec"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/netbirdio/netbird/client/internal/statemanager"
-)
-
-func TestDarwinDNSUncleanShutdownCleanup(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping scutil integration test in short mode")
-	}
-
-	tmpDir := t.TempDir()
-	stateFile := filepath.Join(tmpDir, "state.json")
-
-	sm := statemanager.New(stateFile)
-	sm.RegisterState(&ShutdownState{})
-	sm.Start()
-	defer func() {
-		require.NoError(t, sm.Stop(context.Background()))
-	}()
-
-	configurator := &systemConfigurator{
-		createdKeys: make(map[string]struct{}),
-	}
-
-	config := HostDNSConfig{
-		ServerIP:   netip.MustParseAddr("100.64.0.1"),
-		ServerPort: 53,
-		RouteAll:   true,
-		Domains: []DomainConfig{
-			{Domain: "example.com", MatchOnly: true},
-		},
-	}
-
-	err := configurator.applyDNSConfig(config, sm)
-	require.NoError(t, err)
-
-	require.NoError(t, sm.PersistState(context.Background()))
-
-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	localKey := getKeyWithInput(netbirdDNSStateKeyFormat, localSuffix)
-
-	defer func() {
-		for _, key := range []string{searchKey, matchKey, localKey} {
-			_ = removeTestDNSKey(key)
-		}
-	}()
-
-	for _, key := range []string{searchKey, matchKey, localKey} {
-		exists, err := checkDNSKeyExists(key)
-		require.NoError(t, err)
-		if exists {
-			t.Logf("Key %s exists before cleanup", key)
-		}
-	}
-
-	sm2 := statemanager.New(stateFile)
-	sm2.RegisterState(&ShutdownState{})
-	err = sm2.LoadState(&ShutdownState{})
-	require.NoError(t, err)
-
-	state := sm2.GetState(&ShutdownState{})
-	if state == nil {
-		t.Skip("State not saved, skipping cleanup test")
-	}
-
-	shutdownState, ok := state.(*ShutdownState)
-	require.True(t, ok)
-
-	err = shutdownState.Cleanup()
-	require.NoError(t, err)
-
-	for _, key := range []string{searchKey, matchKey, localKey} {
-		exists, err := checkDNSKeyExists(key)
-		require.NoError(t, err)
-		assert.False(t, exists, "Key %s should NOT exist after cleanup", key)
-	}
-}
-
-func checkDNSKeyExists(key string) (bool, error) {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader("show " + key + "\nquit\n")
-	output, err := cmd.CombinedOutput()
-	if err != nil {
-		if strings.Contains(string(output), "No such key") {
-			return false, nil
-		}
-		return false, err
-	}
-	return !strings.Contains(string(output), "No such key"), nil
-}
-
-func removeTestDNSKey(key string) error {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader("remove " + key + "\nquit\n")
-	_, err := cmd.CombinedOutput()
-	return err
-}

client/internal/dns/host_windows.go

@@ -17,7 +17,6 @@ import (
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
 
 var (
@@ -179,7 +178,13 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}
 
-	r.updateState(stateManager)
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}
 
 	var searchDomains, matchDomains []string
 	for _, dConf := range config.Domains {
@@ -192,10 +197,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		matchDomains = append(matchDomains, "."+strings.TrimSuffix(dConf.Domain, "."))
 	}
 
-	if err := r.removeDNSMatchPolicies(); err != nil {
-		log.Errorf("cleanup old dns match policies: %s", err)
-	}
-
 	if len(matchDomains) != 0 {
 		count, err := r.addDNSMatchPolicy(matchDomains, config.ServerIP)
 		if err != nil {
@@ -203,10 +204,19 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 		}
 		r.nrptEntryCount = count
 	} else {
+		if err := r.removeDNSMatchPolicies(); err != nil {
+			return fmt.Errorf("remove dns match policies: %w", err)
+		}
 		r.nrptEntryCount = 0
 	}
 
-	r.updateState(stateManager)
+	if err := stateManager.UpdateState(&ShutdownState{
+		Guid:           r.guid,
+		GPO:            r.gpo,
+		NRPTEntryCount: r.nrptEntryCount,
+	}); err != nil {
+		log.Errorf("failed to update shutdown state: %s", err)
+	}
 
 	if err := r.updateSearchDomains(searchDomains); err != nil {
 		return fmt.Errorf("update search domains: %w", err)
@@ -217,16 +227,6 @@ func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager
 	return nil
 }
 
-func (r *registryConfigurator) updateState(stateManager *statemanager.Manager) {
-	if err := stateManager.UpdateState(&ShutdownState{
-		Guid:           r.guid,
-		GPO:            r.gpo,
-		NRPTEntryCount: r.nrptEntryCount,
-	}); err != nil {
-		log.Errorf("failed to update shutdown state: %s", err)
-	}
-}
-
 func (r *registryConfigurator) addDNSSetupForAll(ip netip.Addr) error {
 	if err := r.setInterfaceRegistryKeyStringValue(interfaceConfigNameServerKey, ip.String()); err != nil {
 		return fmt.Errorf("adding dns setup for all failed: %w", err)
@@ -273,9 +273,9 @@ func (r *registryConfigurator) configureDNSPolicy(policyPath string, domains []s
 		return fmt.Errorf("remove existing dns policy: %w", err)
 	}
 
-	regKey, _, err := winregistry.CreateVolatileKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
+	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, policyPath, registry.SET_VALUE)
 	if err != nil {
-		return fmt.Errorf("create volatile registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
+		return fmt.Errorf("create registry key HKEY_LOCAL_MACHINE\\%s: %w", policyPath, err)
 	}
 	defer closer(regKey)
 

client/internal/dns/host_windows_test.go

@@ -1,102 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net/netip"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/windows/registry"
-)
-
-// TestNRPTEntriesCleanupOnConfigChange tests that old NRPT entries are properly cleaned up
-// when the number of match domains decreases between configuration changes.
-func TestNRPTEntriesCleanupOnConfigChange(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping registry integration test in short mode")
-	}
-
-	defer cleanupRegistryKeys(t)
-	cleanupRegistryKeys(t)
-
-	testIP := netip.MustParseAddr("100.64.0.1")
-
-	// Create a test interface registry key so updateSearchDomains doesn't fail
-	testGUID := "{12345678-1234-1234-1234-123456789ABC}"
-	interfacePath := `SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\` + testGUID
-	testKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, interfacePath, registry.SET_VALUE)
-	require.NoError(t, err, "Should create test interface registry key")
-	testKey.Close()
-	defer func() {
-		_ = registry.DeleteKey(registry.LOCAL_MACHINE, interfacePath)
-	}()
-
-	cfg := &registryConfigurator{
-		guid: testGUID,
-		gpo:  false,
-	}
-
-	config5 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-			{Domain: "domain3.com", MatchOnly: true},
-			{Domain: "domain4.com", MatchOnly: true},
-			{Domain: "domain5.com", MatchOnly: true},
-		},
-	}
-
-	err = cfg.applyDNSConfig(config5, nil)
-	require.NoError(t, err)
-
-	// Verify all 5 entries exist
-	for i := 0; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after first config", i)
-	}
-
-	config2 := HostDNSConfig{
-		ServerIP: testIP,
-		Domains: []DomainConfig{
-			{Domain: "domain1.com", MatchOnly: true},
-			{Domain: "domain2.com", MatchOnly: true},
-		},
-	}
-
-	err = cfg.applyDNSConfig(config2, nil)
-	require.NoError(t, err)
-
-	// Verify first 2 entries exist
-	for i := 0; i < 2; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.True(t, exists, "Entry %d should exist after second config", i)
-	}
-
-	// Verify entries 2-4 are cleaned up
-	for i := 2; i < 5; i++ {
-		exists, err := registryKeyExists(fmt.Sprintf("%s-%d", dnsPolicyConfigMatchPath, i))
-		require.NoError(t, err)
-		assert.False(t, exists, "Entry %d should NOT exist after reducing to 2 domains", i)
-	}
-}
-
-func registryKeyExists(path string) (bool, error) {
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, path, registry.QUERY_VALUE)
-	if err != nil {
-		if err == registry.ErrNotExist {
-			return false, nil
-		}
-		return false, err
-	}
-	k.Close()
-	return true, nil
-}
-
-func cleanupRegistryKeys(*testing.T) {
-	cfg := &registryConfigurator{nrptEntryCount: 10}
-	_ = cfg.removeDNSMatchPolicies()
-}

client/internal/dns/server.go

@@ -65,9 +65,8 @@ type hostManagerWithOriginalNS interface {
 
 // DefaultServer dns server object
 type DefaultServer struct {
-	ctx        context.Context
-	ctxCancel  context.CancelFunc
-	shutdownWg sync.WaitGroup
+	ctx       context.Context
+	ctxCancel context.CancelFunc
 	// disableSys disables system DNS management (e.g., /etc/resolv.conf updates) while keeping the DNS service running.
 	// This is different from ServiceEnable=false from management which completely disables the DNS service.
 	disableSys         bool
@@ -319,7 +318,6 @@ func (s *DefaultServer) DnsIP() netip.Addr {
 // Stop stops the server
 func (s *DefaultServer) Stop() {
 	s.ctxCancel()
-	s.shutdownWg.Wait()
 
 	s.mux.Lock()
 	defer s.mux.Unlock()
@@ -509,9 +507,8 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 
 	s.applyHostConfig()
 
-	s.shutdownWg.Add(1)
 	go func() {
-		defer s.shutdownWg.Done()
+		// persist dns state right away
 		if err := s.stateManager.PersistState(s.ctx); err != nil {
 			log.Errorf("Failed to persist dns state: %v", err)
 		}

client/internal/dns/server_test.go

@@ -944,7 +944,7 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 		return nil, err
 	}
 
-	pf, err := uspfilter.Create(wgIface, false, flowLogger, iface.DefaultMTU)
+	pf, err := uspfilter.Create(wgIface, false, flowLogger)
 	if err != nil {
 		t.Fatalf("failed to create uspfilter: %v", err)
 		return nil, err

client/internal/dns/unclean_shutdown_darwin.go

@@ -7,7 +7,6 @@ import (
 )
 
 type ShutdownState struct {
-	CreatedKeys []string
 }
 
 func (s *ShutdownState) Name() string {
@@ -20,10 +19,6 @@ func (s *ShutdownState) Cleanup() error {
 		return fmt.Errorf("create host manager: %w", err)
 	}
 
-	for _, key := range s.CreatedKeys {
-		manager.createdKeys[key] = struct{}{}
-	}
-
 	if err := manager.restoreUncleanShutdownDNS(); err != nil {
 		return fmt.Errorf("restore unclean shutdown dns: %w", err)
 	}

client/internal/dnsfwd/cache_test.go

@@ -83,3 +83,4 @@ func TestCacheMiss(t *testing.T) {
 		t.Fatalf("expected cache miss, got=%v ok=%v", got, ok)
 	}
 }
+

client/internal/dnsfwd/forwarder.go

@@ -14,7 +14,6 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
@@ -34,7 +33,7 @@ type firewaller interface {
 }
 
 type DNSForwarder struct {
-	listenAddress  netip.AddrPort
+	listenAddress  string
 	ttl            uint32
 	statusRecorder *peer.Status
 
@@ -48,11 +47,9 @@ type DNSForwarder struct {
 	firewall   firewaller
 	resolver   resolver
 	cache      *cache
-
-	wgIface wgIface
 }
 
-func NewDNSForwarder(listenAddress netip.AddrPort, ttl uint32, firewall firewaller, statusRecorder *peer.Status, wgIface wgIface) *DNSForwarder {
+func NewDNSForwarder(listenAddress string, ttl uint32, firewall firewaller, statusRecorder *peer.Status) *DNSForwarder {
 	log.Debugf("creating DNS forwarder with listen_address=%s ttl=%d", listenAddress, ttl)
 	return &DNSForwarder{
 		listenAddress:  listenAddress,
@@ -61,46 +58,30 @@ func NewDNSForwarder(listenAddress netip.AddrPort, ttl uint32, firewall firewall
 		statusRecorder: statusRecorder,
 		resolver:       net.DefaultResolver,
 		cache:          newCache(),
-		wgIface:        wgIface,
 	}
 }
 
 func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
-	var netstackNet *netstack.Net
-	if f.wgIface != nil {
-		netstackNet = f.wgIface.GetNet()
-	}
-
-	addrDesc := f.listenAddress.String()
-	if netstackNet != nil {
-		addrDesc = fmt.Sprintf("netstack %s", f.listenAddress)
-	}
-	log.Infof("starting DNS forwarder on address=%s", addrDesc)
-
-	udpLn, err := f.createUDPListener(netstackNet)
-	if err != nil {
-		return fmt.Errorf("create UDP listener: %w", err)
-	}
-
-	tcpLn, err := f.createTCPListener(netstackNet)
-	if err != nil {
-		return fmt.Errorf("create TCP listener: %w", err)
-	}
+	log.Infof("starting DNS forwarder on address=%s", f.listenAddress)
 
+	// UDP server
 	mux := dns.NewServeMux()
 	f.mux = mux
 	mux.HandleFunc(".", f.handleDNSQueryUDP)
 	f.dnsServer = &dns.Server{
-		PacketConn: udpLn,
-		Handler:    mux,
+		Addr:    f.listenAddress,
+		Net:     "udp",
+		Handler: mux,
 	}
 
+	// TCP server
 	tcpMux := dns.NewServeMux()
 	f.tcpMux = tcpMux
 	tcpMux.HandleFunc(".", f.handleDNSQueryTCP)
 	f.tcpServer = &dns.Server{
-		Listener: tcpLn,
-		Handler:  tcpMux,
+		Addr:    f.listenAddress,
+		Net:     "tcp",
+		Handler: tcpMux,
 	}
 
 	f.UpdateDomains(entries)
@@ -108,33 +89,18 @@ func (f *DNSForwarder) Listen(entries []*ForwarderEntry) error {
 	errCh := make(chan error, 2)
 
 	go func() {
-		log.Infof("DNS UDP listener running on %s", addrDesc)
-		errCh <- f.dnsServer.ActivateAndServe()
+		log.Infof("DNS UDP listener running on %s", f.listenAddress)
+		errCh <- f.dnsServer.ListenAndServe()
 	}()
 	go func() {
-		log.Infof("DNS TCP listener running on %s", addrDesc)
-		errCh <- f.tcpServer.ActivateAndServe()
+		log.Infof("DNS TCP listener running on %s", f.listenAddress)
+		errCh <- f.tcpServer.ListenAndServe()
 	}()
 
+	// return the first error we get (e.g. bind failure or shutdown)
 	return <-errCh
 }
 
-func (f *DNSForwarder) createUDPListener(netstackNet *netstack.Net) (net.PacketConn, error) {
-	if netstackNet != nil {
-		return netstackNet.ListenUDPAddrPort(f.listenAddress)
-	}
-
-	return net.ListenUDP("udp", net.UDPAddrFromAddrPort(f.listenAddress))
-}
-
-func (f *DNSForwarder) createTCPListener(netstackNet *netstack.Net) (net.Listener, error) {
-	if netstackNet != nil {
-		return netstackNet.ListenTCPAddrPort(f.listenAddress)
-	}
-
-	return net.ListenTCP("tcp", net.TCPAddrFromAddrPort(f.listenAddress))
-}
-
 func (f *DNSForwarder) UpdateDomains(entries []*ForwarderEntry) {
 	f.mutex.Lock()
 	defer f.mutex.Unlock()

client/internal/dnsfwd/forwarder_test.go

@@ -297,7 +297,7 @@ func TestDNSForwarder_UnauthorizedDomainAccess(t *testing.T) {
 				mockResolver.On("LookupNetIP", mock.Anything, "ip4", dns.Fqdn(tt.queryDomain)).Return([]netip.Addr{fakeIP}, nil)
 			}
 
-			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
+			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
 			forwarder.resolver = mockResolver
 
 			d, err := domain.FromString(tt.configuredDomain)
@@ -402,7 +402,7 @@ func TestDNSForwarder_FirewallSetUpdates(t *testing.T) {
 			mockResolver := &MockResolver{}
 
 			// Set up forwarder
-			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
+			forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
 			forwarder.resolver = mockResolver
 
 			// Create entries and track sets
@@ -489,7 +489,7 @@ func TestDNSForwarder_MultipleIPsInSingleUpdate(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
 	forwarder.resolver = mockResolver
 
 	// Configure a single domain
@@ -584,7 +584,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
+			forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
 
 			d, err := domain.FromString(tt.configured)
 			require.NoError(t, err)
@@ -616,7 +616,7 @@ func TestDNSForwarder_ResponseCodes(t *testing.T) {
 func TestDNSForwarder_TCPTruncation(t *testing.T) {
 	// Test that large UDP responses are truncated with TC bit set
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
 	forwarder.resolver = mockResolver
 
 	d, _ := domain.FromString("example.com")
@@ -652,7 +652,7 @@ func TestDNSForwarder_TCPTruncation(t *testing.T) {
 // a subsequent upstream failure still returns a successful response from cache.
 func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("example.com")
@@ -696,7 +696,7 @@ func TestDNSForwarder_ServeFromCacheOnUpstreamFailure(t *testing.T) {
 // Verifies that cache normalization works across casing and trailing dot variations.
 func TestDNSForwarder_CacheNormalizationCasingAndDot(t *testing.T) {
 	mockResolver := &MockResolver{}
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("ExAmPlE.CoM")
@@ -742,7 +742,7 @@ func TestDNSForwarder_MultipleOverlappingPatterns(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
 	forwarder.resolver = mockResolver
 
 	// Set up complex overlapping patterns
@@ -804,7 +804,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 	mockFirewall := &MockFirewall{}
 	mockResolver := &MockResolver{}
 
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, mockFirewall, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, mockFirewall, &peer.Status{})
 	forwarder.resolver = mockResolver
 
 	d, err := domain.FromString("example.com")
@@ -925,7 +925,7 @@ func TestDNSForwarder_NodataVsNxdomain(t *testing.T) {
 
 func TestDNSForwarder_EmptyQuery(t *testing.T) {
 	// Test handling of malformed query with no questions
-	forwarder := NewDNSForwarder(netip.MustParseAddrPort("127.0.0.1:0"), 300, nil, &peer.Status{}, nil)
+	forwarder := NewDNSForwarder("127.0.0.1:0", 300, nil, &peer.Status{})
 
 	query := &dns.Msg{}
 	// Don't set any question

client/internal/dnsfwd/manager.go

@@ -4,34 +4,27 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
-	"os"
-	"strconv"
+	"sync"
 
 	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 )
 
-const (
-	dnsTTL        = 60
-	envServerPort = "NB_DNS_FORWARDER_PORT"
+var (
+	// ListenPort is the port that the DNS forwarder listens on. It has been used by the client peers also
+	listenPort   uint16 = 5353
+	listenPortMu sync.RWMutex
 )
 
-// wgIface defines the interface for WireGuard interface operations needed by the DNS forwarder.
-type wgIface interface {
-	GetNet() *netstack.Net
-	Address() wgaddr.Address
-}
+const (
+	dnsTTL = 60 //seconds
+)
 
 // ForwarderEntry is a mapping from a domain to a resource ID and a hash of the parent domain list.
 type ForwarderEntry struct {
@@ -43,30 +36,28 @@ type ForwarderEntry struct {
 type Manager struct {
 	firewall       firewall.Manager
 	statusRecorder *peer.Status
-	wgIface        wgIface
-	serverPort     uint16
 
 	fwRules      []firewall.Rule
 	tcpRules     []firewall.Rule
 	dnsForwarder *DNSForwarder
 }
 
-func NewManager(fw firewall.Manager, statusRecorder *peer.Status, wgIface wgIface) *Manager {
-	serverPort := nbdns.ForwarderServerPort
-	if envPort := os.Getenv(envServerPort); envPort != "" {
-		if port, err := strconv.ParseUint(envPort, 10, 16); err == nil && port > 0 {
-			serverPort = uint16(port)
-			log.Infof("using custom DNS forwarder port from %s: %d", envServerPort, serverPort)
-		} else {
-			log.Warnf("invalid %s value %q, using default %d", envServerPort, envPort, nbdns.ForwarderServerPort)
-		}
-	}
+func ListenPort() uint16 {
+	listenPortMu.RLock()
+	defer listenPortMu.RUnlock()
+	return listenPort
+}
 
+func SetListenPort(port uint16) {
+	listenPortMu.Lock()
+	listenPort = port
+	listenPortMu.Unlock()
+}
+
+func NewManager(fw firewall.Manager, statusRecorder *peer.Status) *Manager {
 	return &Manager{
 		firewall:       fw,
 		statusRecorder: statusRecorder,
-		wgIface:        wgIface,
-		serverPort:     serverPort,
 	}
 }
 
@@ -80,25 +71,7 @@ func (m *Manager) Start(fwdEntries []*ForwarderEntry) error {
 		return err
 	}
 
-	localAddr := m.wgIface.Address().IP
-
-	if localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			log.Warnf("failed to add DNS UDP DNAT rule: %v", err)
-		} else {
-			log.Infof("added DNS UDP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
-		}
-
-		if err := m.firewall.AddInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			log.Warnf("failed to add DNS TCP DNAT rule: %v", err)
-		} else {
-			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", localAddr, nbdns.ForwarderClientPort, localAddr, m.serverPort)
-		}
-	}
-
-	listenAddress := netip.AddrPortFrom(localAddr, m.serverPort)
-	m.dnsForwarder = NewDNSForwarder(listenAddress, dnsTTL, m.firewall, m.statusRecorder, m.wgIface)
-
+	m.dnsForwarder = NewDNSForwarder(fmt.Sprintf(":%d", ListenPort()), dnsTTL, m.firewall, m.statusRecorder)
 	go func() {
 		if err := m.dnsForwarder.Listen(fwdEntries); err != nil {
 			// todo handle close error if it is exists
@@ -123,20 +96,6 @@ func (m *Manager) Stop(ctx context.Context) error {
 	}
 
 	var mErr *multierror.Error
-
-	localAddr := m.wgIface.Address().IP
-	if localAddr.IsValid() && m.firewall != nil {
-		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolUDP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS UDP DNAT rule: %w", err))
-		}
-
-		if err := m.firewall.RemoveInboundDNAT(localAddr, firewall.ProtocolTCP, nbdns.ForwarderClientPort, m.serverPort); err != nil {
-			mErr = multierror.Append(mErr, fmt.Errorf("remove DNS TCP DNAT rule: %w", err))
-		}
-	}
-
-	m.unregisterNetstackServices()
-
 	if err := m.dropDNSFirewall(); err != nil {
 		mErr = multierror.Append(mErr, err)
 	}
@@ -152,7 +111,7 @@ func (m *Manager) Stop(ctx context.Context) error {
 func (m *Manager) allowDNSFirewall() error {
 	dport := &firewall.Port{
 		IsRange: false,
-		Values:  []uint16{m.serverPort},
+		Values:  []uint16{ListenPort()},
 	}
 
 	if m.firewall == nil {
@@ -161,50 +120,21 @@ func (m *Manager) allowDNSFirewall() error {
 
 	dnsRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolUDP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		return fmt.Errorf("add udp firewall rule: %w", err)
+		log.Errorf("failed to add allow DNS router rules, err: %v", err)
+		return err
 	}
+	m.fwRules = dnsRules
 
 	tcpRules, err := m.firewall.AddPeerFiltering(nil, net.IP{0, 0, 0, 0}, firewall.ProtocolTCP, nil, dport, firewall.ActionAccept, "")
 	if err != nil {
-		return fmt.Errorf("add tcp firewall rule: %w", err)
+		log.Errorf("failed to add allow DNS router rules, err: %v", err)
+		return err
 	}
-
-	if err := m.firewall.Flush(); err != nil {
-		return fmt.Errorf("flush: %w", err)
-	}
-
-	m.fwRules = dnsRules
 	m.tcpRules = tcpRules
 
-	m.registerNetstackServices()
-
 	return nil
 }
 
-func (m *Manager) registerNetstackServices() {
-	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
-		if registrar, ok := m.firewall.(interface {
-			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.RegisterNetstackService(nftypes.TCP, m.serverPort)
-			registrar.RegisterNetstackService(nftypes.UDP, m.serverPort)
-			log.Debugf("registered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
-		}
-	}
-}
-
-func (m *Manager) unregisterNetstackServices() {
-	if netstackNet := m.wgIface.GetNet(); netstackNet != nil {
-		if registrar, ok := m.firewall.(interface {
-			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.UnregisterNetstackService(nftypes.TCP, m.serverPort)
-			registrar.UnregisterNetstackService(nftypes.UDP, m.serverPort)
-			log.Debugf("unregistered DNS forwarder service with netstack for UDP/TCP:%d", m.serverPort)
-		}
-	}
-}
-
 func (m *Manager) dropDNSFirewall() error {
 	var mErr *multierror.Error
 	for _, rule := range m.fwRules {

client/internal/engine.go

@@ -9,6 +9,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"reflect"
 	"runtime"
 	"slices"
 	"sort"
@@ -29,6 +30,7 @@ import (
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
+	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
@@ -49,10 +51,10 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	cProto "github.com/netbirdio/netbird/client/proto"
-	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	semaphoregroup "github.com/netbirdio/netbird/util/semaphore-group"
 
+	nbssh "github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/route"
@@ -113,12 +115,7 @@ type EngineConfig struct {
 	RosenpassEnabled    bool
 	RosenpassPermissive bool
 
-	ServerSSHAllowed              bool
-	EnableSSHRoot                 *bool
-	EnableSSHSFTP                 *bool
-	EnableSSHLocalPortForwarding  *bool
-	EnableSSHRemotePortForwarding *bool
-	DisableSSHAuth                *bool
+	ServerSSHAllowed bool
 
 	DNSRouteInterval time.Duration
 
@@ -176,7 +173,8 @@ type Engine struct {
 
 	networkMonitor *networkmonitor.NetworkMonitor
 
-	sshServer sshServer
+	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
+	sshServer     nbssh.Server
 
 	statusRecorder *peer.Status
 
@@ -202,12 +200,11 @@ type Engine struct {
 	flowManager         nftypes.FlowManager
 
 	// WireGuard interface monitor
-	wgIfaceMonitor *WGIfaceMonitor
+	wgIfaceMonitor   *WGIfaceMonitor
+	wgIfaceMonitorWg sync.WaitGroup
 
-	// shutdownWg tracks all long-running goroutines to ensure clean shutdown
-	shutdownWg sync.WaitGroup
-
-	probeStunTurn *relay.StunTurnProbe
+	// dns forwarder port
+	dnsFwdPort uint16
 }
 
 // Peer is an instance of the Connection Peer
@@ -246,10 +243,11 @@ func NewEngine(
 		STUNs:          []*stun.URI{},
 		TURNs:          []*stun.URI{},
 		networkSerial:  0,
+		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
 		checks:         checks,
 		connSemaphore:  semaphoregroup.NewSemaphoreGroup(connInitLimit),
-		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
+		dnsFwdPort:     dnsfwd.ListenPort(),
 	}
 
 	sm := profilemanager.NewServiceManager("")
@@ -267,7 +265,6 @@ func NewEngine(
 		path = mobileDep.StateFilePath
 	}
 	engine.stateManager = statemanager.New(path)
-	engine.stateManager.RegisterState(&sshconfig.ShutdownState{})
 
 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
 	return engine
@@ -292,12 +289,6 @@ func (e *Engine) Stop() error {
 	}
 	log.Info("Network monitor: stopped")
 
-	if err := e.stopSSHServer(); err != nil {
-		log.Warnf("failed to stop SSH server: %v", err)
-	}
-
-	e.cleanupSSHConfig()
-
 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	e.stopDNSServer()
 
@@ -308,12 +299,17 @@ func (e *Engine) Stop() error {
 		e.ingressGatewayMgr = nil
 	}
 
-	e.stopDNSForwarder()
-
 	if e.routeManager != nil {
 		e.routeManager.Stop(e.stateManager)
 	}
 
+	if e.dnsForwardMgr != nil {
+		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+			log.Errorf("failed to stop DNS forward: %v", err)
+		}
+		e.dnsForwardMgr = nil
+	}
+
 	if e.srWatcher != nil {
 		e.srWatcher.Close()
 	}
@@ -330,6 +326,10 @@ func (e *Engine) Stop() error {
 		e.cancel()
 	}
 
+	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
+	// Removing peers happens in the conn.Close() asynchronously
+	time.Sleep(500 * time.Millisecond)
+
 	e.close()
 
 	// stop flow manager after wg interface is gone
@@ -337,6 +337,8 @@ func (e *Engine) Stop() error {
 		e.flowManager.Close()
 	}
 
+	log.Infof("stopped Netbird Engine")
+
 	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
 	defer cancel()
 
@@ -347,52 +349,12 @@ func (e *Engine) Stop() error {
 		log.Errorf("failed to persist state: %v", err)
 	}
 
-	timeout := e.calculateShutdownTimeout()
-	log.Debugf("waiting for goroutines to finish with timeout: %v", timeout)
-	shutdownCtx, cancel := context.WithTimeout(context.Background(), timeout)
-	defer cancel()
-
-	if err := waitWithContext(shutdownCtx, &e.shutdownWg); err != nil {
-		log.Warnf("shutdown timeout exceeded after %v, some goroutines may still be running", timeout)
-	}
-
-	log.Infof("stopped Netbird Engine")
+	// Stop WireGuard interface monitor and wait for it to exit
+	e.wgIfaceMonitorWg.Wait()
 
 	return nil
 }
 
-// calculateShutdownTimeout returns shutdown timeout: 10s base + 100ms per peer, capped at 30s.
-func (e *Engine) calculateShutdownTimeout() time.Duration {
-	peerCount := len(e.peerStore.PeersPubKey())
-
-	baseTimeout := 10 * time.Second
-	perPeerTimeout := time.Duration(peerCount) * 100 * time.Millisecond
-	timeout := baseTimeout + perPeerTimeout
-
-	maxTimeout := 30 * time.Second
-	if timeout > maxTimeout {
-		timeout = maxTimeout
-	}
-
-	return timeout
-}
-
-// waitWithContext waits for WaitGroup with timeout, returns ctx.Err() on timeout.
-func waitWithContext(ctx context.Context, wg *sync.WaitGroup) error {
-	done := make(chan struct{})
-	go func() {
-		wg.Wait()
-		close(done)
-	}()
-
-	select {
-	case <-done:
-		return nil
-	case <-ctx.Done():
-		return ctx.Err()
-	}
-}
-
 // Start creates a new WireGuard tunnel interface and listens to events from Signal and Management services
 // Connections to remote peers are not established here.
 // However, they will be established once an event with a list of peers to connect to will be received from Management Service
@@ -522,14 +484,14 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 
 	// monitor WireGuard interface lifecycle and restart engine on changes
 	e.wgIfaceMonitor = NewWGIfaceMonitor()
-	e.shutdownWg.Add(1)
+	e.wgIfaceMonitorWg.Add(1)
 
 	go func() {
-		defer e.shutdownWg.Done()
+		defer e.wgIfaceMonitorWg.Done()
 
 		if shouldRestart, err := e.wgIfaceMonitor.Start(e.ctx, e.wgInterface.Name()); shouldRestart {
 			log.Infof("WireGuard interface monitor: %s, restarting engine", err)
-			e.triggerClientRestart()
+			e.restartEngine()
 		} else if err != nil {
 			log.Warnf("WireGuard interface monitor: %s", err)
 		}
@@ -545,7 +507,7 @@ func (e *Engine) createFirewall() error {
 	}
 
 	var err error
-	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes, e.config.MTU)
+	e.firewall, err = firewall.NewFirewall(e.wgInterface, e.stateManager, e.flowManager.GetLogger(), e.config.DisableServerRoutes)
 	if err != nil || e.firewall == nil {
 		log.Errorf("failed creating firewall manager: %s", err)
 		return nil
@@ -709,10 +671,14 @@ func (e *Engine) removeAllPeers() error {
 	return nil
 }
 
-// removePeer closes an existing peer connection and removes a peer
+// removePeer closes an existing peer connection, removes a peer, and clears authorized key of the SSH server
 func (e *Engine) removePeer(peerKey string) error {
 	log.Debugf("removing peer from engine %s", peerKey)
 
+	if !isNil(e.sshServer) {
+		e.sshServer.RemoveAuthorizedKey(peerKey)
+	}
+
 	e.connMgr.RemovePeerConn(peerKey)
 
 	err := e.statusRecorder.RemovePeer(peerKey)
@@ -884,11 +850,6 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.LazyConnectionEnabled,
-		e.config.EnableSSHRoot,
-		e.config.EnableSSHSFTP,
-		e.config.EnableSSHLocalPortForwarding,
-		e.config.EnableSSHRemotePortForwarding,
-		e.config.DisableSSHAuth,
 	)
 
 	if err := e.mgmClient.SyncMeta(info); err != nil {
@@ -898,6 +859,65 @@ func (e *Engine) updateChecksIfNew(checks []*mgmProto.Checks) error {
 	return nil
 }
 
+func isNil(server nbssh.Server) bool {
+	return server == nil || reflect.ValueOf(server).IsNil()
+}
+
+func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
+	if e.config.BlockInbound {
+		log.Infof("SSH server is disabled because inbound connections are blocked")
+		return nil
+	}
+
+	if !e.config.ServerSSHAllowed {
+		log.Info("SSH server is not enabled")
+		return nil
+	}
+
+	if sshConf.GetSshEnabled() {
+		if runtime.GOOS == "windows" {
+			log.Warnf("running SSH server on %s is not supported", runtime.GOOS)
+			return nil
+		}
+		// start SSH server if it wasn't running
+		if isNil(e.sshServer) {
+			listenAddr := fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort)
+			if nbnetstack.IsEnabled() {
+				listenAddr = fmt.Sprintf("127.0.0.1:%d", nbssh.DefaultSSHPort)
+			}
+			// nil sshServer means it has not yet been started
+			var err error
+			e.sshServer, err = e.sshServerFunc(e.config.SSHKey, listenAddr)
+
+			if err != nil {
+				return fmt.Errorf("create ssh server: %w", err)
+			}
+			go func() {
+				// blocking
+				err = e.sshServer.Start()
+				if err != nil {
+					// will throw error when we stop it even if it is a graceful stop
+					log.Debugf("stopped SSH server with error %v", err)
+				}
+				e.syncMsgMux.Lock()
+				defer e.syncMsgMux.Unlock()
+				e.sshServer = nil
+				log.Infof("stopped SSH server")
+			}()
+		} else {
+			log.Debugf("SSH server is already running")
+		}
+	} else if !isNil(e.sshServer) {
+		// Disable SSH server request, so stop it if it was running
+		err := e.sshServer.Stop()
+		if err != nil {
+			log.Warnf("failed to stop SSH server %v", err)
+		}
+		e.sshServer = nil
+	}
+	return nil
+}
+
 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	if e.wgInterface == nil {
 		return errors.New("wireguard interface is not initialized")
@@ -910,7 +930,8 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 	}
 
 	if conf.GetSshConfig() != nil {
-		if err := e.updateSSH(conf.GetSshConfig()); err != nil {
+		err := e.updateSSH(conf.GetSshConfig())
+		if err != nil {
 			log.Warnf("failed handling SSH server setup: %v", err)
 		}
 	}
@@ -929,9 +950,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // receiveManagementEvents connects to the Management Service event stream to receive updates from the management service
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
-	e.shutdownWg.Add(1)
 	go func() {
-		defer e.shutdownWg.Done()
 		info, err := system.GetInfoWithChecks(e.ctx, e.checks)
 		if err != nil {
 			log.Warnf("failed to get system info with checks: %v", err)
@@ -948,11 +967,6 @@ func (e *Engine) receiveManagementEvents() {
 			e.config.BlockLANAccess,
 			e.config.BlockInbound,
 			e.config.LazyConnectionEnabled,
-			e.config.EnableSSHRoot,
-			e.config.EnableSSHSFTP,
-			e.config.EnableSSHLocalPortForwarding,
-			e.config.EnableSSHRemotePortForwarding,
-			e.config.DisableSSHAuth,
 		)
 
 		err = e.mgmClient.Sync(e.ctx, info, e.handleSync)
@@ -1046,14 +1060,10 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		protoDNSConfig = &mgmProto.DNSConfig{}
 	}
 
-	dnsConfig := toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)
-
-	if err := e.dnsServer.UpdateDNSServer(serial, dnsConfig); err != nil {
+	if err := e.dnsServer.UpdateDNSServer(serial, toDNSConfig(protoDNSConfig, e.wgInterface.Address().Network)); err != nil {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}
 
-	e.routeManager.SetDNSForwarderPort(dnsConfig.ForwarderPort)
-
 	// apply routes first, route related actions might depend on routing being enabled
 	routes := toRoutes(networkMap.GetRoutes())
 	serverRoutes, clientRoutes := e.routeManager.ClassifyRoutes(routes)
@@ -1074,7 +1084,7 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	}
 
 	fwdEntries := toRouteDomains(e.config.WgPrivateKey.PublicKey().String(), routes)
-	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries)
+	e.updateDNSForwarder(dnsRouteFeatureFlag, fwdEntries, uint16(protoDNSConfig.ForwarderPort))
 
 	// Ingress forward rules
 	forwardingRules, err := e.updateForwardRules(networkMap.GetForwardingRules())
@@ -1111,10 +1121,16 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 
 		e.statusRecorder.FinishPeerListModifications()
 
-		e.updatePeerSSHHostKeys(networkMap.GetRemotePeers())
-
-		if err := e.updateSSHClientConfig(networkMap.GetRemotePeers()); err != nil {
-			log.Warnf("failed to update SSH client config: %v", err)
+		// update SSHServer by adding remote peer SSH keys
+		if !isNil(e.sshServer) {
+			for _, config := range networkMap.GetRemotePeers() {
+				if config.GetSshConfig() != nil && config.GetSshConfig().GetSshPubKey() != nil {
+					err := e.sshServer.AddAuthorizedKey(config.WgPubKey, string(config.GetSshConfig().GetSshPubKey()))
+					if err != nil {
+						log.Warnf("failed adding authorized key to SSH DefaultServer %v", err)
+					}
+				}
+			}
 		}
 	}
 
@@ -1192,16 +1208,10 @@ func toRouteDomains(myPubKey string, routes []*route.Route) []*dnsfwd.ForwarderE
 }
 
 func toDNSConfig(protoDNSConfig *mgmProto.DNSConfig, network netip.Prefix) nbdns.Config {
-	forwarderPort := uint16(protoDNSConfig.GetForwarderPort())
-	if forwarderPort == 0 {
-		forwarderPort = nbdns.ForwarderClientPort
-	}
-
 	dnsUpdate := nbdns.Config{
 		ServiceEnable:    protoDNSConfig.GetServiceEnable(),
 		CustomZones:      make([]nbdns.CustomZone, 0),
 		NameServerGroups: make([]*nbdns.NameServerGroup, 0),
-		ForwarderPort:    forwarderPort,
 	}
 
 	for _, zone := range protoDNSConfig.GetCustomZones() {
@@ -1358,9 +1368,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 
 // receiveSignalEvents connects to the Signal Service event stream to negotiate connection with remote peers
 func (e *Engine) receiveSignalEvents() {
-	e.shutdownWg.Add(1)
 	go func() {
-		defer e.shutdownWg.Done()
 		// connect to a stream of messages coming from the signal server
 		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
 			e.syncMsgMux.Lock()
@@ -1477,6 +1485,13 @@ func (e *Engine) close() {
 		e.statusRecorder.SetWgIface(nil)
 	}
 
+	if !isNil(e.sshServer) {
+		err := e.sshServer.Stop()
+		if err != nil {
+			log.Warnf("failed stopping the SSH server: %v", err)
+		}
+	}
+
 	if e.firewall != nil {
 		err := e.firewall.Close(e.stateManager)
 		if err != nil {
@@ -1507,11 +1522,6 @@ func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, err
 		e.config.BlockLANAccess,
 		e.config.BlockInbound,
 		e.config.LazyConnectionEnabled,
-		e.config.EnableSSHRoot,
-		e.config.EnableSSHSFTP,
-		e.config.EnableSSHLocalPortForwarding,
-		e.config.EnableSSHRemotePortForwarding,
-		e.config.DisableSSHAuth,
 	)
 
 	netMap, err := e.mgmClient.GetNetworkMap(info)
@@ -1657,7 +1667,7 @@ func (e *Engine) getRosenpassAddr() string {
 
 // RunHealthProbes executes health checks for Signal, Management, Relay and WireGuard services
 // and updates the status recorder with the latest states.
-func (e *Engine) RunHealthProbes(waitForResult bool) bool {
+func (e *Engine) RunHealthProbes() bool {
 	e.syncMsgMux.Lock()
 
 	signalHealthy := e.signal.IsHealthy()
@@ -1689,12 +1699,8 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	}
 
 	e.syncMsgMux.Unlock()
-	var results []relay.ProbeResult
-	if waitForResult {
-		results = e.probeStunTurn.ProbeAllWaitResult(e.ctx, stuns, turns)
-	} else {
-		results = e.probeStunTurn.ProbeAll(e.ctx, stuns, turns)
-	}
+
+	results := e.probeICE(stuns, turns)
 	e.statusRecorder.UpdateRelayStates(results)
 
 	relayHealthy := true
@@ -1711,10 +1717,15 @@ func (e *Engine) RunHealthProbes(waitForResult bool) bool {
 	return allHealthy
 }
 
-// triggerClientRestart triggers a full client restart by cancelling the client context.
-// Note: This does NOT just restart the engine - it cancels the entire client context,
-// which causes the connect client's retry loop to create a completely new engine.
-func (e *Engine) triggerClientRestart() {
+func (e *Engine) probeICE(stuns, turns []*stun.URI) []relay.ProbeResult {
+	return append(
+		relay.ProbeAll(e.ctx, relay.ProbeSTUN, stuns),
+		relay.ProbeAll(e.ctx, relay.ProbeTURN, turns)...,
+	)
+}
+
+// restartEngine restarts the engine by cancelling the client context
+func (e *Engine) restartEngine() {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()
 
@@ -1736,9 +1747,7 @@ func (e *Engine) startNetworkMonitor() {
 	}
 
 	e.networkMonitor = networkmonitor.New()
-	e.shutdownWg.Add(1)
 	go func() {
-		defer e.shutdownWg.Done()
 		if err := e.networkMonitor.Listen(e.ctx); err != nil {
 			if errors.Is(err, context.Canceled) {
 				log.Infof("network monitor stopped")
@@ -1748,8 +1757,8 @@ func (e *Engine) startNetworkMonitor() {
 			return
 		}
 
-		log.Infof("Network monitor: detected network change, triggering client restart")
-		e.triggerClientRestart()
+		log.Infof("Network monitor: detected network change, restarting engine")
+		e.restartEngine()
 	}()
 }
 
@@ -1834,50 +1843,64 @@ func (e *Engine) GetWgAddr() netip.Addr {
 func (e *Engine) updateDNSForwarder(
 	enabled bool,
 	fwdEntries []*dnsfwd.ForwarderEntry,
+	forwarderPort uint16,
 ) {
 	if e.config.DisableServerRoutes {
 		return
 	}
 
+	if forwarderPort > 0 {
+		dnsfwd.SetListenPort(forwarderPort)
+	}
+
 	if !enabled {
-		e.stopDNSForwarder()
+		if e.dnsForwardMgr == nil {
+			return
+		}
+		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+			log.Errorf("failed to stop DNS forward: %v", err)
+		}
 		return
 	}
 
 	if len(fwdEntries) > 0 {
-		if e.dnsForwardMgr == nil {
-			e.startDNSForwarder(fwdEntries)
-		} else {
+		switch {
+		case e.dnsForwardMgr == nil:
+			e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+			if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+				log.Errorf("failed to start DNS forward: %v", err)
+				e.dnsForwardMgr = nil
+			}
+			log.Infof("started domain router service with %d entries", len(fwdEntries))
+		case e.dnsFwdPort != forwarderPort:
+			log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
+			e.restartDnsFwd(fwdEntries, forwarderPort)
+			e.dnsFwdPort = forwarderPort
+
+		default:
 			e.dnsForwardMgr.UpdateDomains(fwdEntries)
 		}
 	} else if e.dnsForwardMgr != nil {
 		log.Infof("disable domain router service")
-		e.stopDNSForwarder()
-	}
-}
-
-func (e *Engine) startDNSForwarder(fwdEntries []*dnsfwd.ForwarderEntry) {
-	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder, e.wgInterface)
-
-	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
-		log.Errorf("failed to start DNS forward: %v", err)
+		if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
+			log.Errorf("failed to stop DNS forward: %v", err)
+		}
 		e.dnsForwardMgr = nil
-		return
 	}
 
-	log.Infof("started domain router service with %d entries", len(fwdEntries))
 }
 
-func (e *Engine) stopDNSForwarder() {
-	if e.dnsForwardMgr == nil {
-		return
-	}
-
+func (e *Engine) restartDnsFwd(fwdEntries []*dnsfwd.ForwarderEntry, forwarderPort uint16) {
+	log.Infof("updating domain router service port from %d to %d", e.dnsFwdPort, forwarderPort)
+	// stop and start the forwarder to apply the new port
 	if err := e.dnsForwardMgr.Stop(context.Background()); err != nil {
 		log.Errorf("failed to stop DNS forward: %v", err)
 	}
-
-	e.dnsForwardMgr = nil
+	e.dnsForwardMgr = dnsfwd.NewManager(e.firewall, e.statusRecorder)
+	if err := e.dnsForwardMgr.Start(fwdEntries); err != nil {
+		log.Errorf("failed to start DNS forward: %v", err)
+		e.dnsForwardMgr = nil
+	}
 }
 
 func (e *Engine) GetNet() (*netstack.Net, error) {

client/internal/engine_ssh.go

@@ -1,338 +0,0 @@
-package internal
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/netip"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
-	nftypes "github.com/netbirdio/netbird/client/internal/netflow/types"
-	sshconfig "github.com/netbirdio/netbird/client/ssh/config"
-	sshserver "github.com/netbirdio/netbird/client/ssh/server"
-	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-)
-
-type sshServer interface {
-	Start(ctx context.Context, addr netip.AddrPort) error
-	Stop() error
-}
-
-func (e *Engine) setupSSHPortRedirection() error {
-	if e.firewall == nil || e.wgInterface == nil {
-		return nil
-	}
-
-	localAddr := e.wgInterface.Address().IP
-	if !localAddr.IsValid() {
-		return errors.New("invalid local NetBird address")
-	}
-
-	if err := e.firewall.AddInboundDNAT(localAddr, firewallManager.ProtocolTCP, 22, 22022); err != nil {
-		return fmt.Errorf("add SSH port redirection: %w", err)
-	}
-	log.Infof("SSH port redirection enabled: %s:22 -> %s:22022", localAddr, localAddr)
-
-	return nil
-}
-
-func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
-	if e.config.BlockInbound {
-		log.Info("SSH server is disabled because inbound connections are blocked")
-		return e.stopSSHServer()
-	}
-
-	if !e.config.ServerSSHAllowed {
-		log.Info("SSH server is disabled in config")
-		return e.stopSSHServer()
-	}
-
-	if !sshConf.GetSshEnabled() {
-		if e.config.ServerSSHAllowed {
-			log.Info("SSH server is locally allowed but disabled by management server")
-		}
-		return e.stopSSHServer()
-	}
-
-	if e.sshServer != nil {
-		log.Debug("SSH server is already running")
-		return nil
-	}
-
-	if e.config.DisableSSHAuth != nil && *e.config.DisableSSHAuth {
-		log.Info("starting SSH server without JWT authentication (authentication disabled by config)")
-		return e.startSSHServer(nil)
-	}
-
-	if protoJWT := sshConf.GetJwtConfig(); protoJWT != nil {
-		jwtConfig := &sshserver.JWTConfig{
-			Issuer:       protoJWT.GetIssuer(),
-			Audience:     protoJWT.GetAudience(),
-			KeysLocation: protoJWT.GetKeysLocation(),
-			MaxTokenAge:  protoJWT.GetMaxTokenAge(),
-		}
-
-		return e.startSSHServer(jwtConfig)
-	}
-
-	return errors.New("SSH server requires valid JWT configuration")
-}
-
-// updateSSHClientConfig updates the SSH client configuration with peer information
-func (e *Engine) updateSSHClientConfig(remotePeers []*mgmProto.RemotePeerConfig) error {
-	peerInfo := e.extractPeerSSHInfo(remotePeers)
-	if len(peerInfo) == 0 {
-		log.Debug("no SSH-enabled peers found, skipping SSH config update")
-		return nil
-	}
-
-	configMgr := sshconfig.New()
-	if err := configMgr.SetupSSHClientConfig(peerInfo); err != nil {
-		log.Warnf("failed to update SSH client config: %v", err)
-		return nil // Don't fail engine startup on SSH config issues
-	}
-
-	log.Debugf("updated SSH client config with %d peers", len(peerInfo))
-
-	if err := e.stateManager.UpdateState(&sshconfig.ShutdownState{
-		SSHConfigDir:  configMgr.GetSSHConfigDir(),
-		SSHConfigFile: configMgr.GetSSHConfigFile(),
-	}); err != nil {
-		log.Warnf("failed to update SSH config state: %v", err)
-	}
-
-	return nil
-}
-
-// extractPeerSSHInfo extracts SSH information from peer configurations
-func (e *Engine) extractPeerSSHInfo(remotePeers []*mgmProto.RemotePeerConfig) []sshconfig.PeerSSHInfo {
-	var peerInfo []sshconfig.PeerSSHInfo
-
-	for _, peerConfig := range remotePeers {
-		if peerConfig.GetSshConfig() == nil {
-			continue
-		}
-
-		sshPubKeyBytes := peerConfig.GetSshConfig().GetSshPubKey()
-		if len(sshPubKeyBytes) == 0 {
-			continue
-		}
-
-		peerIP := e.extractPeerIP(peerConfig)
-		hostname := e.extractHostname(peerConfig)
-
-		peerInfo = append(peerInfo, sshconfig.PeerSSHInfo{
-			Hostname: hostname,
-			IP:       peerIP,
-			FQDN:     peerConfig.GetFqdn(),
-		})
-	}
-
-	return peerInfo
-}
-
-// extractPeerIP extracts IP address from peer's allowed IPs
-func (e *Engine) extractPeerIP(peerConfig *mgmProto.RemotePeerConfig) string {
-	if len(peerConfig.GetAllowedIps()) == 0 {
-		return ""
-	}
-
-	if prefix, err := netip.ParsePrefix(peerConfig.GetAllowedIps()[0]); err == nil {
-		return prefix.Addr().String()
-	}
-	return ""
-}
-
-// extractHostname extracts short hostname from FQDN
-func (e *Engine) extractHostname(peerConfig *mgmProto.RemotePeerConfig) string {
-	fqdn := peerConfig.GetFqdn()
-	if fqdn == "" {
-		return ""
-	}
-
-	parts := strings.Split(fqdn, ".")
-	if len(parts) > 0 && parts[0] != "" {
-		return parts[0]
-	}
-	return ""
-}
-
-// updatePeerSSHHostKeys updates peer SSH host keys in the status recorder for daemon API access
-func (e *Engine) updatePeerSSHHostKeys(remotePeers []*mgmProto.RemotePeerConfig) {
-	for _, peerConfig := range remotePeers {
-		if peerConfig.GetSshConfig() == nil {
-			continue
-		}
-
-		sshPubKeyBytes := peerConfig.GetSshConfig().GetSshPubKey()
-		if len(sshPubKeyBytes) == 0 {
-			continue
-		}
-
-		if err := e.statusRecorder.UpdatePeerSSHHostKey(peerConfig.GetWgPubKey(), sshPubKeyBytes); err != nil {
-			log.Warnf("failed to update SSH host key for peer %s: %v", peerConfig.GetWgPubKey(), err)
-		}
-	}
-
-	log.Debugf("updated peer SSH host keys for daemon API access")
-}
-
-// GetPeerSSHKey returns the SSH host key for a specific peer by IP or FQDN
-func (e *Engine) GetPeerSSHKey(peerAddress string) ([]byte, bool) {
-	e.syncMsgMux.Lock()
-	statusRecorder := e.statusRecorder
-	e.syncMsgMux.Unlock()
-
-	if statusRecorder == nil {
-		return nil, false
-	}
-
-	fullStatus := statusRecorder.GetFullStatus()
-	for _, peerState := range fullStatus.Peers {
-		if peerState.IP == peerAddress || peerState.FQDN == peerAddress {
-			if len(peerState.SSHHostKey) > 0 {
-				return peerState.SSHHostKey, true
-			}
-			return nil, false
-		}
-	}
-
-	return nil, false
-}
-
-// cleanupSSHConfig removes NetBird SSH client configuration on shutdown
-func (e *Engine) cleanupSSHConfig() {
-	configMgr := sshconfig.New()
-
-	if err := configMgr.RemoveSSHClientConfig(); err != nil {
-		log.Warnf("failed to remove SSH client config: %v", err)
-	} else {
-		log.Debugf("SSH client config cleanup completed")
-	}
-}
-
-// startSSHServer initializes and starts the SSH server with proper configuration.
-func (e *Engine) startSSHServer(jwtConfig *sshserver.JWTConfig) error {
-	if e.wgInterface == nil {
-		return errors.New("wg interface not initialized")
-	}
-
-	serverConfig := &sshserver.Config{
-		HostKeyPEM: e.config.SSHKey,
-		JWT:        jwtConfig,
-	}
-	server := sshserver.New(serverConfig)
-
-	wgAddr := e.wgInterface.Address()
-	server.SetNetworkValidation(wgAddr)
-
-	netbirdIP := wgAddr.IP
-	listenAddr := netip.AddrPortFrom(netbirdIP, sshserver.InternalSSHPort)
-
-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		server.SetNetstackNet(netstackNet)
-
-		if registrar, ok := e.firewall.(interface {
-			RegisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.RegisterNetstackService(nftypes.TCP, sshserver.InternalSSHPort)
-			log.Debugf("registered SSH service with netstack for TCP:%d", sshserver.InternalSSHPort)
-		}
-	}
-
-	e.configureSSHServer(server)
-	e.sshServer = server
-
-	if err := e.setupSSHPortRedirection(); err != nil {
-		log.Warnf("failed to setup SSH port redirection: %v", err)
-	}
-
-	if err := server.Start(e.ctx, listenAddr); err != nil {
-		return fmt.Errorf("start SSH server: %w", err)
-	}
-
-	return nil
-}
-
-// configureSSHServer applies SSH configuration options to the server.
-func (e *Engine) configureSSHServer(server *sshserver.Server) {
-	if e.config.EnableSSHRoot != nil && *e.config.EnableSSHRoot {
-		server.SetAllowRootLogin(true)
-		log.Info("SSH root login enabled")
-	} else {
-		server.SetAllowRootLogin(false)
-		log.Info("SSH root login disabled (default)")
-	}
-
-	if e.config.EnableSSHSFTP != nil && *e.config.EnableSSHSFTP {
-		server.SetAllowSFTP(true)
-		log.Info("SSH SFTP subsystem enabled")
-	} else {
-		server.SetAllowSFTP(false)
-		log.Info("SSH SFTP subsystem disabled (default)")
-	}
-
-	if e.config.EnableSSHLocalPortForwarding != nil && *e.config.EnableSSHLocalPortForwarding {
-		server.SetAllowLocalPortForwarding(true)
-		log.Info("SSH local port forwarding enabled")
-	} else {
-		server.SetAllowLocalPortForwarding(false)
-		log.Info("SSH local port forwarding disabled (default)")
-	}
-
-	if e.config.EnableSSHRemotePortForwarding != nil && *e.config.EnableSSHRemotePortForwarding {
-		server.SetAllowRemotePortForwarding(true)
-		log.Info("SSH remote port forwarding enabled")
-	} else {
-		server.SetAllowRemotePortForwarding(false)
-		log.Info("SSH remote port forwarding disabled (default)")
-	}
-}
-
-func (e *Engine) cleanupSSHPortRedirection() error {
-	if e.firewall == nil || e.wgInterface == nil {
-		return nil
-	}
-
-	localAddr := e.wgInterface.Address().IP
-	if !localAddr.IsValid() {
-		return errors.New("invalid local NetBird address")
-	}
-
-	if err := e.firewall.RemoveInboundDNAT(localAddr, firewallManager.ProtocolTCP, 22, 22022); err != nil {
-		return fmt.Errorf("remove SSH port redirection: %w", err)
-	}
-	log.Debugf("SSH port redirection removed: %s:22 -> %s:22022", localAddr, localAddr)
-
-	return nil
-}
-
-func (e *Engine) stopSSHServer() error {
-	if e.sshServer == nil {
-		return nil
-	}
-
-	if err := e.cleanupSSHPortRedirection(); err != nil {
-		log.Warnf("failed to cleanup SSH port redirection: %v", err)
-	}
-
-	if netstackNet := e.wgInterface.GetNet(); netstackNet != nil {
-		if registrar, ok := e.firewall.(interface {
-			UnregisterNetstackService(protocol nftypes.Protocol, port uint16)
-		}); ok {
-			registrar.UnregisterNetstackService(nftypes.TCP, sshserver.InternalSSHPort)
-			log.Debugf("unregistered SSH service from netstack for TCP:%d", sshserver.InternalSSHPort)
-		}
-	}
-
-	log.Info("stopping SSH server")
-	err := e.sshServer.Stop()
-	e.sshServer = nil
-	if err != nil {
-		return fmt.Errorf("stop: %w", err)
-	}
-	return nil
-}

client/internal/engine_test.go

@@ -43,7 +43,7 @@ import (
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
-	nbssh "github.com/netbirdio/netbird/client/ssh"
+	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
@@ -211,13 +211,11 @@ func TestMain(m *testing.M) {
 }
 
 func TestEngine_SSH(t *testing.T) {
-	key, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		t.Fatal(err)
-		return
+	if runtime.GOOS == "windows" {
+		t.Skip("skipping TestEngine_SSH")
 	}
 
-	sshKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
+	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -239,7 +237,6 @@ func TestEngine_SSH(t *testing.T) {
 			WgPort:           33100,
 			ServerSSHAllowed: true,
 			MTU:              iface.DefaultMTU,
-			SSHKey:           sshKey,
 		},
 		MobileDependency{},
 		peer.NewRecorder("https://mgm"),
@@ -250,8 +247,35 @@ func TestEngine_SSH(t *testing.T) {
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
 	}
 
+	var sshKeysAdded []string
+	var sshPeersRemoved []string
+
+	sshCtx, cancel := context.WithCancel(context.Background())
+
+	engine.sshServerFunc = func(hostKeyPEM []byte, addr string) (ssh.Server, error) {
+		return &ssh.MockServer{
+			Ctx: sshCtx,
+			StopFunc: func() error {
+				cancel()
+				return nil
+			},
+			StartFunc: func() error {
+				<-ctx.Done()
+				return ctx.Err()
+			},
+			AddAuthorizedKeyFunc: func(peer, newKey string) error {
+				sshKeysAdded = append(sshKeysAdded, newKey)
+				return nil
+			},
+			RemoveAuthorizedKeyFunc: func(peer string) {
+				sshPeersRemoved = append(sshPeersRemoved, peer)
+			},
+		}, nil
+	}
 	err = engine.Start(nil, nil)
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	defer func() {
 		err := engine.Stop()
@@ -277,7 +301,9 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	assert.Nil(t, engine.sshServer)
 
@@ -285,24 +311,19 @@ func TestEngine_SSH(t *testing.T) {
 	networkMap = &mgmtProto.NetworkMap{
 		Serial: 7,
 		PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24",
-			SshConfig: &mgmtProto.SSHConfig{
-				SshEnabled: true,
-				JwtConfig: &mgmtProto.JWTConfig{
-					Issuer:       "test-issuer",
-					Audience:     "test-audience",
-					KeysLocation: "test-keys",
-					MaxTokenAge:  3600,
-				},
-			}},
+			SshConfig: &mgmtProto.SSHConfig{SshEnabled: true}},
 		RemotePeers:        []*mgmtProto.RemotePeerConfig{peerWithSSH},
 		RemotePeersIsEmpty: false,
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
+	assert.Contains(t, sshKeysAdded, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ")
 
 	// now remove peer
 	networkMap = &mgmtProto.NetworkMap{
@@ -312,10 +333,13 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	require.NoError(t, err)
+	if err != nil {
+		t.Fatal(err)
+	}
 
 	// time.Sleep(250 * time.Millisecond)
 	assert.NotNil(t, engine.sshServer)
+	assert.Contains(t, sshPeersRemoved, "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=")
 
 	// now disable SSH server
 	networkMap = &mgmtProto.NetworkMap{
@@ -327,70 +351,12 @@ func TestEngine_SSH(t *testing.T) {
 	}
 
 	err = engine.updateNetworkMap(networkMap)
-	require.NoError(t, err)
-
-	assert.Nil(t, engine.sshServer)
-}
-
-func TestEngine_SSHUpdateLogic(t *testing.T) {
-	// Test that SSH server start/stop logic works based on config
-	engine := &Engine{
-		config: &EngineConfig{
-			ServerSSHAllowed: false, // Start with SSH disabled
-		},
-		syncMsgMux: &sync.Mutex{},
+	if err != nil {
+		t.Fatal(err)
 	}
 
-	// Test SSH disabled config
-	sshConfig := &mgmtProto.SSHConfig{SshEnabled: false}
-	err := engine.updateSSH(sshConfig)
-	assert.NoError(t, err)
 	assert.Nil(t, engine.sshServer)
 
-	// Test inbound blocked
-	engine.config.BlockInbound = true
-	err = engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
-	assert.NoError(t, err)
-	assert.Nil(t, engine.sshServer)
-	engine.config.BlockInbound = false
-
-	// Test with server SSH not allowed
-	err = engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
-	assert.NoError(t, err)
-	assert.Nil(t, engine.sshServer)
-}
-
-func TestEngine_SSHServerConsistency(t *testing.T) {
-
-	t.Run("server set only on successful creation", func(t *testing.T) {
-		engine := &Engine{
-			config: &EngineConfig{
-				ServerSSHAllowed: true,
-				SSHKey:           []byte("test-key"),
-			},
-			syncMsgMux: &sync.Mutex{},
-		}
-
-		engine.wgInterface = nil
-
-		err := engine.updateSSH(&mgmtProto.SSHConfig{SshEnabled: true})
-
-		assert.Error(t, err)
-		assert.Nil(t, engine.sshServer)
-	})
-
-	t.Run("cleanup handles nil gracefully", func(t *testing.T) {
-		engine := &Engine{
-			config: &EngineConfig{
-				ServerSSHAllowed: false,
-			},
-			syncMsgMux: &sync.Mutex{},
-		}
-
-		err := engine.stopSSHServer()
-		assert.NoError(t, err)
-		assert.Nil(t, engine.sshServer)
-	})
 }
 
 func TestEngine_UpdateNetworkMap(t *testing.T) {
@@ -1618,7 +1584,7 @@ func startManagement(t *testing.T, dataDir, testFile string) (*grpc.Server, stri
 
 	groupsManager := groups.NewManagerMock()
 
-	accountManager, err := server.BuildManager(context.Background(), config, store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
+	accountManager, err := server.BuildManager(context.Background(), store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia, metrics, port_forwarding.NewControllerMock(), settingsMockManager, permissionsManager, false)
 	if err != nil {
 		return nil, "", err
 	}

client/internal/login.go

@@ -124,11 +124,6 @@ func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
-		config.EnableSSHRoot,
-		config.EnableSSHSFTP,
-		config.EnableSSHLocalPortForwarding,
-		config.EnableSSHRemotePortForwarding,
-		config.DisableSSHAuth,
 	)
 	loginResp, err := mgmClient.Login(*serverKey, sysInfo, pubSSHKey, config.DNSLabels)
 	return serverKey, loginResp, err
@@ -155,11 +150,6 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.
 		config.BlockLANAccess,
 		config.BlockInbound,
 		config.LazyConnectionEnabled,
-		config.EnableSSHRoot,
-		config.EnableSSHSFTP,
-		config.EnableSSHLocalPortForwarding,
-		config.EnableSSHRemotePortForwarding,
-		config.DisableSSHAuth,
 	)
 	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, config.DNSLabels)
 	if err != nil {

client/internal/netflow/logger/logger.go

@@ -10,10 +10,10 @@ import (
 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
 
+	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/netflow/store"
 	"github.com/netbirdio/netbird/client/internal/netflow/types"
 	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/dns"
 )
 
 type rcvChan chan *types.EventFields
@@ -138,8 +138,7 @@ func (l *Logger) UpdateConfig(dnsCollection, exitNodeCollection bool) {
 
 func (l *Logger) shouldStore(event *types.EventFields, isExitNode bool) bool {
 	// check dns collection
-	if !l.dnsCollection.Load() && event.Protocol == types.UDP &&
-		(event.DestPort == 53 || event.DestPort == dns.ForwarderClientPort || event.DestPort == dns.ForwarderServerPort) {
+	if !l.dnsCollection.Load() && event.Protocol == types.UDP && (event.DestPort == 53 || event.DestPort == uint16(dnsfwd.ListenPort())) {
 		return false
 	}
 

client/internal/netflow/manager.go

@@ -24,7 +24,6 @@ import (
 // Manager handles netflow tracking and logging
 type Manager struct {
 	mux            sync.Mutex
-	shutdownWg     sync.WaitGroup
 	logger         nftypes.FlowLogger
 	flowConfig     *nftypes.FlowConfig
 	conntrack      nftypes.ConnTracker
@@ -106,15 +105,8 @@ func (m *Manager) resetClient() error {
 	ctx, cancel := context.WithCancel(context.Background())
 	m.cancel = cancel
 
-	m.shutdownWg.Add(2)
-	go func() {
-		defer m.shutdownWg.Done()
-		m.receiveACKs(ctx, flowClient)
-	}()
-	go func() {
-		defer m.shutdownWg.Done()
-		m.startSender(ctx)
-	}()
+	go m.receiveACKs(ctx, flowClient)
+	go m.startSender(ctx)
 
 	return nil
 }
@@ -184,12 +176,11 @@ func (m *Manager) Update(update *nftypes.FlowConfig) error {
 // Close cleans up all resources
 func (m *Manager) Close() {
 	m.mux.Lock()
+	defer m.mux.Unlock()
+
 	if err := m.disableFlow(); err != nil {
 		log.Warnf("failed to disable flow manager: %v", err)
 	}
-	m.mux.Unlock()
-
-	m.shutdownWg.Wait()
 }
 
 // GetLogger returns the flow logger

client/internal/networkmonitor/check_change_bsd.go

@@ -1,4 +1,4 @@
-//go:build dragonfly || freebsd || netbsd || openbsd
+//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd
 
 package networkmonitor
 
@@ -6,19 +6,21 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"syscall"
+	"unsafe"
 
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
 
 	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
 )
 
 func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	fd, err := prepareFd()
+	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
 	if err != nil {
 		return fmt.Errorf("open routing socket: %v", err)
 	}
-
 	defer func() {
 		err := unix.Close(fd)
 		if err != nil && !errors.Is(err, unix.EBADF) {
@@ -26,5 +28,72 @@ func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) er
 		}
 	}()
 
-	return routeCheck(ctx, fd, nexthopv4, nexthopv6)
+	for {
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
+			if err != nil {
+				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
+					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
+				}
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+				continue
+			}
+
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+
+			switch msg.Type {
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Debugf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if route.Dst.Bits() != 0 {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+					return nil
+				case unix.RTM_DELETE:
+					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						return nil
+					}
+				}
+			}
+		}
+	}
+}
+
+func parseRouteMessage(buf []byte) (*systemops.Route, error) {
+	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
+	if err != nil {
+		return nil, fmt.Errorf("parse RIB: %v", err)
+	}
+
+	if len(msgs) != 1 {
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+	}
+
+	msg, ok := msgs[0].(*route.RouteMessage)
+	if !ok {
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+	}
+
+	return systemops.MsgToRoute(msg)
 }

client/internal/networkmonitor/check_change_common.go

@@ -1,92 +0,0 @@
-//go:build dragonfly || freebsd || netbsd || openbsd || darwin
-
-package networkmonitor
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"syscall"
-	"unsafe"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/net/route"
-	"golang.org/x/sys/unix"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-func prepareFd() (int, error) {
-	return unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
-}
-
-func routeCheck(ctx context.Context, fd int, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	for {
-		select {
-		case <-ctx.Done():
-			return ctx.Err()
-		default:
-			buf := make([]byte, 2048)
-			n, err := unix.Read(fd, buf)
-			if err != nil {
-				if !errors.Is(err, unix.EBADF) && !errors.Is(err, unix.EINVAL) {
-					log.Warnf("Network monitor: failed to read from routing socket: %v", err)
-				}
-				continue
-			}
-			if n < unix.SizeofRtMsghdr {
-				log.Debugf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
-				continue
-			}
-
-			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
-
-			switch msg.Type {
-			// handle route changes
-			case unix.RTM_ADD, syscall.RTM_DELETE:
-				route, err := parseRouteMessage(buf[:n])
-				if err != nil {
-					log.Debugf("Network monitor: error parsing routing message: %v", err)
-					continue
-				}
-
-				if route.Dst.Bits() != 0 {
-					continue
-				}
-
-				intf := "<nil>"
-				if route.Interface != nil {
-					intf = route.Interface.Name
-				}
-				switch msg.Type {
-				case unix.RTM_ADD:
-					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
-					return nil
-				case unix.RTM_DELETE:
-					if nexthopv4.Intf != nil && route.Gw.Compare(nexthopv4.IP) == 0 || nexthopv6.Intf != nil && route.Gw.Compare(nexthopv6.IP) == 0 {
-						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
-						return nil
-					}
-				}
-			}
-		}
-	}
-}
-
-func parseRouteMessage(buf []byte) (*systemops.Route, error) {
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
-	if err != nil {
-		return nil, fmt.Errorf("parse RIB: %v", err)
-	}
-
-	if len(msgs) != 1 {
-		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
-	}
-
-	msg, ok := msgs[0].(*route.RouteMessage)
-	if !ok {
-		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
-	}
-
-	return systemops.MsgToRoute(msg)
-}

client/internal/networkmonitor/check_change_darwin.go

@@ -1,149 +0,0 @@
-//go:build darwin && !ios
-
-package networkmonitor
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"hash/fnv"
-	"os/exec"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-
-	"github.com/netbirdio/netbird/client/internal/routemanager/systemops"
-)
-
-// todo: refactor to not use static functions
-
-func checkChange(ctx context.Context, nexthopv4, nexthopv6 systemops.Nexthop) error {
-	fd, err := prepareFd()
-	if err != nil {
-		return fmt.Errorf("open routing socket: %v", err)
-	}
-
-	defer func() {
-		if err := unix.Close(fd); err != nil {
-			if !errors.Is(err, unix.EBADF) {
-				log.Warnf("Network monitor: failed to close routing socket: %v", err)
-			}
-		}
-	}()
-
-	routeChanged := make(chan struct{})
-	go func() {
-		_ = routeCheck(ctx, fd, nexthopv4, nexthopv6)
-		close(routeChanged)
-	}()
-
-	wakeUp := make(chan struct{})
-	go func() {
-		wakeUpListen(ctx)
-		close(wakeUp)
-	}()
-
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-routeChanged:
-		if ctx.Err() != nil {
-			return ctx.Err()
-		}
-		log.Infof("route change detected")
-		return nil
-	case <-wakeUp:
-		if ctx.Err() != nil {
-			return ctx.Err()
-		}
-		log.Infof("wakeup detected")
-		return nil
-	}
-}
-
-func wakeUpListen(ctx context.Context) {
-	log.Infof("start to watch for system wakeups")
-	var (
-		initialHash uint32
-		err         error
-	)
-
-	// Keep retrying until initial sysctl succeeds or context is canceled
-	for {
-		select {
-		case <-ctx.Done():
-			log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
-			return
-		default:
-			initialHash, err = readSleepTimeHash()
-			if err != nil {
-				log.Errorf("failed to detect initial sleep time: %v", err)
-				select {
-				case <-ctx.Done():
-					log.Info("exit from wakeUpListen initial hash detection due to context cancellation")
-					return
-				case <-time.After(3 * time.Second):
-					continue
-				}
-			}
-			log.Debugf("initial wakeup hash: %d", initialHash)
-			break
-		}
-		break
-	}
-
-	ticker := time.NewTicker(5 * time.Second)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			log.Info("context canceled, stopping wakeUpListen")
-			return
-
-		case <-ticker.C:
-			newHash, err := readSleepTimeHash()
-			if err != nil {
-				log.Errorf("failed to read sleep time hash: %v", err)
-				continue
-			}
-
-			if newHash == initialHash {
-				log.Tracef("no wakeup detected")
-				continue
-			}
-
-			upOut, err := exec.Command("uptime").Output()
-			if err != nil {
-				log.Errorf("failed to run uptime command: %v", err)
-				upOut = []byte("unknown")
-			}
-			log.Infof("Wakeup detected: %d -> %d, uptime: %s", initialHash, newHash, upOut)
-			return
-		}
-	}
-}
-
-func readSleepTimeHash() (uint32, error) {
-	cmd := exec.Command("sysctl", "kern.sleeptime")
-	out, err := cmd.Output()
-	if err != nil {
-		return 0, fmt.Errorf("failed to run sysctl: %w", err)
-	}
-
-	h, err := hash(out)
-	if err != nil {
-		return 0, fmt.Errorf("failed to compute hash: %w", err)
-	}
-
-	return h, nil
-}
-
-func hash(data []byte) (uint32, error) {
-	hasher := fnv.New32a() // Create a new 32-bit FNV-1a hasher
-	if _, err := hasher.Write(data); err != nil {
-		return 0, err
-	}
-	return hasher.Sum32(), nil
-}

client/internal/networkmonitor/monitor.go

@@ -88,7 +88,6 @@ func (nw *NetworkMonitor) Listen(ctx context.Context) (err error) {
 	event := make(chan struct{}, 1)
 	go nw.checkChanges(ctx, event, nexthop4, nexthop6)
 
-	log.Infof("start watching for network changes")
 	// debounce changes
 	timer := time.NewTimer(0)
 	timer.Stop()

client/internal/peer/conn.go

@@ -666,7 +666,7 @@ func (conn *Conn) isConnectedOnAllWay() (connected bool) {
 		}
 	}()
 
-	if runtime.GOOS != "js" && conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
+	if conn.statusICE.Get() == worker.StatusDisconnected && !conn.workerICE.InProgress() {
 		return false
 	}
 

client/internal/peer/env.go

@@ -2,7 +2,6 @@ package peer
 
 import (
 	"os"
-	"runtime"
 	"strings"
 )
 
@@ -11,8 +10,5 @@ const (
 )
 
 func isForceRelayed() bool {
-	if runtime.GOOS == "js" {
-		return true
-	}
 	return strings.EqualFold(os.Getenv(EnvKeyNBForceRelay), "true")
 }

client/internal/peer/guard/sr_watcher.go

@@ -19,10 +19,11 @@ type SRWatcher struct {
 	signalClient chNotifier
 	relayManager chNotifier
 
-	listeners        map[chan struct{}]struct{}
-	mu               sync.Mutex
-	iFaceDiscover    stdnet.ExternalIFaceDiscover
-	iceConfig        ice.Config
+	listeners     map[chan struct{}]struct{}
+	mu            sync.Mutex
+	iFaceDiscover stdnet.ExternalIFaceDiscover
+	iceConfig     ice.Config
+
 	cancelIceMonitor context.CancelFunc
 }
 

client/internal/peer/status.go

@@ -21,9 +21,9 @@ import (
 	"github.com/netbirdio/netbird/client/internal/ingressgw"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
+	"github.com/netbirdio/netbird/route"
 )
 
 const eventQueueSize = 10
@@ -67,7 +67,6 @@ type State struct {
 	BytesRx                    int64
 	Latency                    time.Duration
 	RosenpassEnabled           bool
-	SSHHostKey                 []byte
 	routes                     map[string]struct{}
 }
 
@@ -573,22 +572,6 @@ func (d *Status) UpdatePeerFQDN(peerPubKey, fqdn string) error {
 	return nil
 }
 
-// UpdatePeerSSHHostKey updates peer's SSH host key
-func (d *Status) UpdatePeerSSHHostKey(peerPubKey string, sshHostKey []byte) error {
-	d.mux.Lock()
-	defer d.mux.Unlock()
-
-	peerState, ok := d.peers[peerPubKey]
-	if !ok {
-		return errors.New("peer doesn't exist")
-	}
-
-	peerState.SSHHostKey = sshHostKey
-	d.peers[peerPubKey] = peerState
-
-	return nil
-}
-
 // FinishPeerListModifications this event invoke the notification
 func (d *Status) FinishPeerListModifications() {
 	d.mux.Lock()

client/internal/profilemanager/config.go

@@ -44,29 +44,24 @@ var DefaultInterfaceBlacklist = []string{
 
 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
-	ManagementURL                 string
-	AdminURL                      string
-	ConfigPath                    string
-	StateFilePath                 string
-	PreSharedKey                  *string
-	ServerSSHAllowed              *bool
-	EnableSSHRoot                 *bool
-	EnableSSHSFTP                 *bool
-	EnableSSHLocalPortForwarding  *bool
-	EnableSSHRemotePortForwarding *bool
-	DisableSSHAuth                *bool
-	NATExternalIPs                []string
-	CustomDNSAddress              []byte
-	RosenpassEnabled              *bool
-	RosenpassPermissive           *bool
-	InterfaceName                 *string
-	WireguardPort                 *int
-	NetworkMonitor                *bool
-	DisableAutoConnect            *bool
-	ExtraIFaceBlackList           []string
-	DNSRouteInterval              *time.Duration
-	ClientCertPath                string
-	ClientCertKeyPath             string
+	ManagementURL       string
+	AdminURL            string
+	ConfigPath          string
+	StateFilePath       string
+	PreSharedKey        *string
+	ServerSSHAllowed    *bool
+	NATExternalIPs      []string
+	CustomDNSAddress    []byte
+	RosenpassEnabled    *bool
+	RosenpassPermissive *bool
+	InterfaceName       *string
+	WireguardPort       *int
+	NetworkMonitor      *bool
+	DisableAutoConnect  *bool
+	ExtraIFaceBlackList []string
+	DNSRouteInterval    *time.Duration
+	ClientCertPath      string
+	ClientCertKeyPath   string
 
 	DisableClientRoutes *bool
 	DisableServerRoutes *bool
@@ -87,23 +82,18 @@ type ConfigInput struct {
 // Config Configuration type
 type Config struct {
 	// Wireguard private key of local peer
-	PrivateKey                    string
-	PreSharedKey                  string
-	ManagementURL                 *url.URL
-	AdminURL                      *url.URL
-	WgIface                       string
-	WgPort                        int
-	NetworkMonitor                *bool
-	IFaceBlackList                []string
-	DisableIPv6Discovery          bool
-	RosenpassEnabled              bool
-	RosenpassPermissive           bool
-	ServerSSHAllowed              *bool
-	EnableSSHRoot                 *bool
-	EnableSSHSFTP                 *bool
-	EnableSSHLocalPortForwarding  *bool
-	EnableSSHRemotePortForwarding *bool
-	DisableSSHAuth                *bool
+	PrivateKey           string
+	PreSharedKey         string
+	ManagementURL        *url.URL
+	AdminURL             *url.URL
+	WgIface              string
+	WgPort               int
+	NetworkMonitor       *bool
+	IFaceBlackList       []string
+	DisableIPv6Discovery bool
+	RosenpassEnabled     bool
+	RosenpassPermissive  bool
+	ServerSSHAllowed     *bool
 
 	DisableClientRoutes bool
 	DisableServerRoutes bool
@@ -386,56 +376,6 @@ func (config *Config) apply(input ConfigInput) (updated bool, err error) {
 		updated = true
 	}
 
-	if input.EnableSSHRoot != nil && input.EnableSSHRoot != config.EnableSSHRoot {
-		if *input.EnableSSHRoot {
-			log.Infof("enabling SSH root login")
-		} else {
-			log.Infof("disabling SSH root login")
-		}
-		config.EnableSSHRoot = input.EnableSSHRoot
-		updated = true
-	}
-
-	if input.EnableSSHSFTP != nil && input.EnableSSHSFTP != config.EnableSSHSFTP {
-		if *input.EnableSSHSFTP {
-			log.Infof("enabling SSH SFTP subsystem")
-		} else {
-			log.Infof("disabling SSH SFTP subsystem")
-		}
-		config.EnableSSHSFTP = input.EnableSSHSFTP
-		updated = true
-	}
-
-	if input.EnableSSHLocalPortForwarding != nil && input.EnableSSHLocalPortForwarding != config.EnableSSHLocalPortForwarding {
-		if *input.EnableSSHLocalPortForwarding {
-			log.Infof("enabling SSH local port forwarding")
-		} else {
-			log.Infof("disabling SSH local port forwarding")
-		}
-		config.EnableSSHLocalPortForwarding = input.EnableSSHLocalPortForwarding
-		updated = true
-	}
-
-	if input.EnableSSHRemotePortForwarding != nil && input.EnableSSHRemotePortForwarding != config.EnableSSHRemotePortForwarding {
-		if *input.EnableSSHRemotePortForwarding {
-			log.Infof("enabling SSH remote port forwarding")
-		} else {
-			log.Infof("disabling SSH remote port forwarding")
-		}
-		config.EnableSSHRemotePortForwarding = input.EnableSSHRemotePortForwarding
-		updated = true
-	}
-
-	if input.DisableSSHAuth != nil && input.DisableSSHAuth != config.DisableSSHAuth {
-		if *input.DisableSSHAuth {
-			log.Infof("disabling SSH authentication")
-		} else {
-			log.Infof("enabling SSH authentication")
-		}
-		config.DisableSSHAuth = input.DisableSSHAuth
-		updated = true
-	}
-
 	if input.DNSRouteInterval != nil && *input.DNSRouteInterval != config.DNSRouteInterval {
 		log.Infof("updating DNS route interval to %s (old value %s)",
 			input.DNSRouteInterval.String(), config.DNSRouteInterval.String())

client/internal/profilemanager/config_test.go

@@ -193,10 +193,10 @@ func TestWireguardPortZeroExplicit(t *testing.T) {
 
 func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 	tests := []struct {
-		name          string
-		wireguardPort *int
-		expectedPort  int
-		description   string
+		name           string
+		wireguardPort  *int
+		expectedPort   int
+		description    string
 	}{
 		{
 			name:          "no port specified uses default",

client/internal/relay/relay.go

@@ -2,8 +2,6 @@ package relay
 
 import (
 	"context"
-	"crypto/sha256"
-	"errors"
 	"fmt"
 	"net"
 	"sync"
@@ -17,15 +15,6 @@ import (
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
-const (
-	DefaultCacheTTL = 20 * time.Second
-	probeTimeout    = 6 * time.Second
-)
-
-var (
-	ErrCheckInProgress = errors.New("probe check is already in progress")
-)
-
 // ProbeResult holds the info about the result of a relay probe request
 type ProbeResult struct {
 	URI  string
@@ -33,164 +22,8 @@ type ProbeResult struct {
 	Addr string
 }
 
-type StunTurnProbe struct {
-	cacheResults    []ProbeResult
-	cacheTimestamp  time.Time
-	cacheKey        string
-	cacheTTL        time.Duration
-	probeInProgress bool
-	probeDone       chan struct{}
-	mu              sync.Mutex
-}
-
-func NewStunTurnProbe(cacheTTL time.Duration) *StunTurnProbe {
-	return &StunTurnProbe{
-		cacheTTL: cacheTTL,
-	}
-}
-
-func (p *StunTurnProbe) ProbeAllWaitResult(ctx context.Context, stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	cacheKey := generateCacheKey(stuns, turns)
-
-	p.mu.Lock()
-	if p.probeInProgress {
-		doneChan := p.probeDone
-		p.mu.Unlock()
-
-		select {
-		case <-ctx.Done():
-			log.Debugf("Context cancelled while waiting for probe results")
-			return createErrorResults(stuns, turns)
-		case <-doneChan:
-			return p.getCachedResults(cacheKey, stuns, turns)
-		}
-	}
-
-	p.probeInProgress = true
-	probeDone := make(chan struct{})
-	p.probeDone = probeDone
-	p.mu.Unlock()
-
-	p.doProbe(ctx, stuns, turns, cacheKey)
-	close(probeDone)
-
-	return p.getCachedResults(cacheKey, stuns, turns)
-}
-
-// ProbeAll probes all given servers asynchronously and returns the results
-func (p *StunTurnProbe) ProbeAll(ctx context.Context, stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	cacheKey := generateCacheKey(stuns, turns)
-
-	p.mu.Lock()
-
-	if results := p.checkCache(cacheKey); results != nil {
-		p.mu.Unlock()
-		return results
-	}
-
-	if p.probeInProgress {
-		p.mu.Unlock()
-		return createErrorResults(stuns, turns)
-	}
-
-	p.probeInProgress = true
-	probeDone := make(chan struct{})
-	p.probeDone = probeDone
-	log.Infof("started new probe for STUN, TURN servers")
-	go func() {
-		p.doProbe(ctx, stuns, turns, cacheKey)
-		close(probeDone)
-	}()
-
-	p.mu.Unlock()
-
-	timer := time.NewTimer(1300 * time.Millisecond)
-	defer timer.Stop()
-
-	select {
-	case <-ctx.Done():
-		log.Debugf("Context cancelled while waiting for probe results")
-		return createErrorResults(stuns, turns)
-	case <-probeDone:
-		// when the probe is return fast, return the results right away
-		return p.getCachedResults(cacheKey, stuns, turns)
-	case <-timer.C:
-		// if the probe takes longer than 1.3s, return error results to avoid blocking
-		return createErrorResults(stuns, turns)
-	}
-}
-
-func (p *StunTurnProbe) checkCache(cacheKey string) []ProbeResult {
-	if p.cacheKey == cacheKey && len(p.cacheResults) > 0 {
-		age := time.Since(p.cacheTimestamp)
-		if age < p.cacheTTL {
-			results := append([]ProbeResult(nil), p.cacheResults...)
-			log.Debugf("returning cached probe results (age: %v)", age)
-			return results
-		}
-	}
-	return nil
-}
-
-func (p *StunTurnProbe) getCachedResults(cacheKey string, stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	p.mu.Lock()
-	defer p.mu.Unlock()
-
-	if p.cacheKey == cacheKey && len(p.cacheResults) > 0 {
-		return append([]ProbeResult(nil), p.cacheResults...)
-	}
-	return createErrorResults(stuns, turns)
-}
-
-func (p *StunTurnProbe) doProbe(ctx context.Context, stuns []*stun.URI, turns []*stun.URI, cacheKey string) {
-	defer func() {
-		p.mu.Lock()
-		p.probeInProgress = false
-		p.mu.Unlock()
-	}()
-	results := make([]ProbeResult, len(stuns)+len(turns))
-
-	var wg sync.WaitGroup
-	for i, uri := range stuns {
-		wg.Add(1)
-		go func(idx int, stunURI *stun.URI) {
-			defer wg.Done()
-
-			probeCtx, cancel := context.WithTimeout(ctx, probeTimeout)
-			defer cancel()
-
-			results[idx].URI = stunURI.String()
-			results[idx].Addr, results[idx].Err = p.probeSTUN(probeCtx, stunURI)
-		}(i, uri)
-	}
-
-	stunOffset := len(stuns)
-	for i, uri := range turns {
-		wg.Add(1)
-		go func(idx int, turnURI *stun.URI) {
-			defer wg.Done()
-
-			probeCtx, cancel := context.WithTimeout(ctx, probeTimeout)
-			defer cancel()
-
-			results[idx].URI = turnURI.String()
-			results[idx].Addr, results[idx].Err = p.probeTURN(probeCtx, turnURI)
-		}(stunOffset+i, uri)
-	}
-
-	wg.Wait()
-
-	p.mu.Lock()
-	p.cacheResults = results
-	p.cacheTimestamp = time.Now()
-	p.cacheKey = cacheKey
-	p.mu.Unlock()
-
-	log.Debug("Stored new probe results in cache")
-}
-
 // ProbeSTUN tries binding to the given STUN uri and acquiring an address
-func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
+func ProbeSTUN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
 	defer func() {
 		if probeErr != nil {
 			log.Debugf("stun probe error from %s: %s", uri, probeErr)
@@ -250,7 +83,7 @@ func (p *StunTurnProbe) probeSTUN(ctx context.Context, uri *stun.URI) (addr stri
 }
 
 // ProbeTURN tries allocating a session from the given TURN URI
-func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
+func ProbeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error) {
 	defer func() {
 		if probeErr != nil {
 			log.Debugf("turn probe error from %s: %s", uri, probeErr)
@@ -327,28 +160,28 @@ func (p *StunTurnProbe) probeTURN(ctx context.Context, uri *stun.URI) (addr stri
 	return relayConn.LocalAddr().String(), nil
 }
 
-func createErrorResults(stuns []*stun.URI, turns []*stun.URI) []ProbeResult {
-	total := len(stuns) + len(turns)
-	results := make([]ProbeResult, total)
+// ProbeAll probes all given servers asynchronously and returns the results
+func ProbeAll(
+	ctx context.Context,
+	fn func(ctx context.Context, uri *stun.URI) (addr string, probeErr error),
+	relays []*stun.URI,
+) []ProbeResult {
+	results := make([]ProbeResult, len(relays))
 
-	allURIs := append(append([]*stun.URI{}, stuns...), turns...)
-	for i, uri := range allURIs {
-		results[i] = ProbeResult{
-			URI: uri.String(),
-			Err: ErrCheckInProgress,
-		}
+	var wg sync.WaitGroup
+	for i, uri := range relays {
+		ctx, cancel := context.WithTimeout(ctx, 6*time.Second)
+		defer cancel()
+
+		wg.Add(1)
+		go func(res *ProbeResult, stunURI *stun.URI) {
+			defer wg.Done()
+			res.URI = stunURI.String()
+			res.Addr, res.Err = fn(ctx, stunURI)
+		}(&results[i], uri)
 	}
 
+	wg.Wait()
+
 	return results
 }
-
-func generateCacheKey(stuns []*stun.URI, turns []*stun.URI) string {
-	h := sha256.New()
-	for _, uri := range stuns {
-		h.Write([]byte(uri.String()))
-	}
-	for _, uri := range turns {
-		h.Write([]byte(uri.String()))
-	}
-	return fmt.Sprintf("%x", h.Sum(nil))
-}

client/internal/routemanager/common/params.go

@@ -1,7 +1,6 @@
 package common
 
 import (
-	"sync/atomic"
 	"time"
 
 	"github.com/netbirdio/netbird/client/firewall/manager"
@@ -26,5 +25,4 @@ type HandlerParams struct {
 	UseNewDNSRoute       bool
 	Firewall             manager.Manager
 	FakeIPManager        *fakeip.Manager
-	ForwarderPort        *atomic.Uint32
 }

client/internal/routemanager/dnsinterceptor/handler.go

@@ -8,7 +8,6 @@ import (
 	"runtime"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/hashicorp/go-multierror"
@@ -19,6 +18,7 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	nbdns "github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/dnsfwd"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/common"
@@ -55,7 +55,6 @@ type DnsInterceptor struct {
 	peerStore            *peerstore.Store
 	firewall             firewall.Manager
 	fakeIPManager        *fakeip.Manager
-	forwarderPort        *atomic.Uint32
 }
 
 func New(params common.HandlerParams) *DnsInterceptor {
@@ -70,7 +69,6 @@ func New(params common.HandlerParams) *DnsInterceptor {
 		firewall:             params.Firewall,
 		fakeIPManager:        params.FakeIPManager,
 		interceptedDomains:   make(domainMap),
-		forwarderPort:        params.ForwarderPort,
 	}
 }
 
@@ -259,7 +257,7 @@ func (d *DnsInterceptor) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		r.MsgHdr.AuthenticatedData = true
 	}
 
-	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), uint16(d.forwarderPort.Load()))
+	upstream := fmt.Sprintf("%s:%d", upstreamIP.String(), dnsfwd.ListenPort())
 	ctx, cancel := context.WithTimeout(context.Background(), dnsTimeout)
 	defer cancel()
 

client/internal/routemanager/dynamic/route.go

@@ -18,8 +18,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/iface"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/routemanager/util"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
+	"github.com/netbirdio/netbird/route"
 )
 
 const (

client/internal/routemanager/manager.go

@@ -10,7 +10,6 @@ import (
 	"runtime"
 	"slices"
 	"sync"
-	"sync/atomic"
 	"time"
 
 	"github.com/google/uuid"
@@ -24,7 +23,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/listener"
-	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
 	"github.com/netbirdio/netbird/client/internal/routemanager/client"
@@ -56,7 +54,6 @@ type Manager interface {
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
 	SetFirewall(firewall.Manager) error
-	SetDNSForwarderPort(port uint16)
 	Stop(stateManager *statemanager.Manager)
 }
 
@@ -81,7 +78,6 @@ type DefaultManager struct {
 	ctx                  context.Context
 	stop                 context.CancelFunc
 	mux                  sync.Mutex
-	shutdownWg           sync.WaitGroup
 	clientNetworks       map[route.HAUniqueID]*client.Watcher
 	routeSelector        *routeselector.RouteSelector
 	serverRouter         *server.Router
@@ -105,13 +101,12 @@ type DefaultManager struct {
 	disableServerRoutes bool
 	activeRoutes        map[route.HAUniqueID]client.RouteHandler
 	fakeIPManager       *fakeip.Manager
-	dnsForwarderPort    atomic.Uint32
 }
 
 func NewManager(config ManagerConfig) *DefaultManager {
 	mCTX, cancel := context.WithCancel(config.Context)
 	notifier := notifier.NewNotifier()
-	sysOps := systemops.New(config.WGInterface, notifier)
+	sysOps := systemops.NewSysOps(config.WGInterface, notifier)
 
 	if runtime.GOOS == "windows" && config.WGInterface != nil {
 		nbnet.SetVPNInterfaceName(config.WGInterface.Name())
@@ -135,7 +130,6 @@ func NewManager(config ManagerConfig) *DefaultManager {
 		disableServerRoutes: config.DisableServerRoutes,
 		activeRoutes:        make(map[route.HAUniqueID]client.RouteHandler),
 	}
-	dm.dnsForwarderPort.Store(uint32(nbdns.ForwarderClientPort))
 
 	useNoop := netstack.IsEnabled() || config.DisableClientRoutes
 	dm.setupRefCounters(useNoop)
@@ -276,15 +270,9 @@ func (m *DefaultManager) SetFirewall(firewall firewall.Manager) error {
 	return nil
 }
 
-// SetDNSForwarderPort sets the DNS forwarder port for route handlers
-func (m *DefaultManager) SetDNSForwarderPort(port uint16) {
-	m.dnsForwarderPort.Store(uint32(port))
-}
-
 // Stop stops the manager watchers and clean firewall rules
 func (m *DefaultManager) Stop(stateManager *statemanager.Manager) {
 	m.stop()
-	m.shutdownWg.Wait()
 	if m.serverRouter != nil {
 		m.serverRouter.CleanUp()
 	}
@@ -357,7 +345,6 @@ func (m *DefaultManager) updateSystemRoutes(newRoutes route.HAMap) error {
 			UseNewDNSRoute:       m.useNewDNSRoute,
 			Firewall:             m.firewall,
 			FakeIPManager:        m.fakeIPManager,
-			ForwarderPort:        &m.dnsForwarderPort,
 		}
 		handler := client.HandlerFromRoute(params)
 		if err := handler.AddRoute(m.ctx); err != nil {
@@ -487,11 +474,7 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 		}
 		clientNetworkWatcher := client.NewWatcher(config)
 		m.clientNetworks[id] = clientNetworkWatcher
-		m.shutdownWg.Add(1)
-		go func() {
-			defer m.shutdownWg.Done()
-			clientNetworkWatcher.Start()
-		}()
+		go clientNetworkWatcher.Start()
 		clientNetworkWatcher.SendUpdate(client.RoutesUpdate{Routes: routes})
 	}
 
@@ -533,11 +516,7 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks rout
 			}
 			clientNetworkWatcher = client.NewWatcher(config)
 			m.clientNetworks[id] = clientNetworkWatcher
-			m.shutdownWg.Add(1)
-			go func() {
-				defer m.shutdownWg.Done()
-				clientNetworkWatcher.Start()
-			}()
+			go clientNetworkWatcher.Start()
 		}
 		update := client.RoutesUpdate{
 			UpdateSerial: updateSerial,

client/internal/routemanager/mock.go

@@ -90,10 +90,6 @@ func (m *MockManager) SetFirewall(firewall.Manager) error {
 	panic("implement me")
 }
 
-// SetDNSForwarderPort mock implementation of SetDNSForwarderPort from Manager interface
-func (m *MockManager) SetDNSForwarderPort(port uint16) {
-}
-
 // Stop mock implementation of Stop from Manager interface
 func (m *MockManager) Stop(stateManager *statemanager.Manager) {
 	if m.StopFunc != nil {

client/internal/routemanager/systemops/flush_nonbsd.go

@@ -1,8 +0,0 @@
-//go:build !((darwin && !ios) || dragonfly || freebsd || netbsd || openbsd)
-
-package systemops
-
-// FlushMarkedRoutes is a no-op on non-BSD platforms.
-func (r *SysOps) FlushMarkedRoutes() error {
-	return nil
-}

client/internal/routemanager/systemops/state.go

@@ -13,11 +13,11 @@ func (s *ShutdownState) Name() string {
 }
 
 func (s *ShutdownState) Cleanup() error {
-	sysOps := New(nil, nil)
-	sysOps.refCounter = refcounter.New[netip.Prefix, struct{}, Nexthop](nil, sysOps.removeFromRouteTable)
-	sysOps.refCounter.LoadData((*ExclusionCounter)(s))
+	sysops := NewSysOps(nil, nil)
+	sysops.refCounter = refcounter.New[netip.Prefix, struct{}, Nexthop](nil, sysops.removeFromRouteTable)
+	sysops.refCounter.LoadData((*ExclusionCounter)(s))
 
-	return sysOps.refCounter.Flush()
+	return sysops.refCounter.Flush()
 }
 
 func (s *ShutdownState) MarshalJSON() ([]byte, error) {

client/internal/routemanager/systemops/systemops.go

@@ -83,7 +83,7 @@ type SysOps struct {
 	localSubnetsCacheTime time.Time
 }
 
-func New(wgInterface wgIface, notifier *notifier.Notifier) *SysOps {
+func NewSysOps(wgInterface wgIface, notifier *notifier.Notifier) *SysOps {
 	return &SysOps{
 		wgInterface: wgInterface,
 		notifier:    notifier,

client/internal/routemanager/systemops/systemops_bsd_test.go

@@ -42,7 +42,7 @@ func TestConcurrentRoutes(t *testing.T) {
 	_, intf = setupDummyInterface(t)
 	nexthop = Nexthop{netip.Addr{}, intf}
 
-	r := New(nil, nil)
+	r := NewSysOps(nil, nil)
 
 	var wg sync.WaitGroup
 	for i := 0; i < 1024; i++ {
@@ -146,7 +146,7 @@ func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR strin
 
 	nexthop := Nexthop{netip.Addr{}, netIntf}
 
-	r := New(nil, nil)
+	r := NewSysOps(nil, nil)
 	err = r.addToRouteTable(prefix, nexthop)
 	require.NoError(t, err, "Failed to add route to table")
 

client/internal/routemanager/systemops/systemops_generic_test.go

@@ -143,7 +143,7 @@ func TestAddVPNRoute(t *testing.T) {
 
 			wgInterface := createWGInterface(t, fmt.Sprintf("utun53%d", n), "100.65.75.2/24", 33100+n)
 
-			r := New(wgInterface, nil)
+			r := NewSysOps(wgInterface, nil)
 			advancedRouting := nbnet.AdvancedRouting()
 			err := r.SetupRouting(nil, nil, advancedRouting)
 			require.NoError(t, err)
@@ -342,7 +342,7 @@ func TestAddRouteToNonVPNIntf(t *testing.T) {
 
 			wgInterface := createWGInterface(t, fmt.Sprintf("utun54%d", n), "100.65.75.2/24", 33200+n)
 
-			r := New(wgInterface, nil)
+			r := NewSysOps(wgInterface, nil)
 			advancedRouting := nbnet.AdvancedRouting()
 			err := r.SetupRouting(nil, nil, advancedRouting)
 			require.NoError(t, err)
@@ -486,7 +486,7 @@ func setupTestEnv(t *testing.T) {
 		assert.NoError(t, wgInterface.Close())
 	})
 
-	r := New(wgInterface, nil)
+	r := NewSysOps(wgInterface, nil)
 	advancedRouting := nbnet.AdvancedRouting()
 	err := r.SetupRouting(nil, nil, advancedRouting)
 	require.NoError(t, err, "setupRouting should not return err")

client/internal/routemanager/systemops/systemops_unix.go

@@ -7,39 +7,19 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
-	"os"
 	"strconv"
 	"syscall"
 	"time"
 	"unsafe"
 
 	"github.com/cenkalti/backoff/v4"
-	"github.com/hashicorp/go-multierror"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/route"
 	"golang.org/x/sys/unix"
 
-	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 )
 
-const (
-	envRouteProtoFlag = "NB_ROUTE_PROTO_FLAG"
-)
-
-var routeProtoFlag int
-
-func init() {
-	switch os.Getenv(envRouteProtoFlag) {
-	case "2":
-		routeProtoFlag = unix.RTF_PROTO2
-	case "3":
-		routeProtoFlag = unix.RTF_PROTO3
-	default:
-		routeProtoFlag = unix.RTF_PROTO1
-	}
-}
-
 func (r *SysOps) SetupRouting(initAddresses []net.IP, stateManager *statemanager.Manager, advancedRouting bool) error {
 	return r.setupRefCounter(initAddresses, stateManager)
 }
@@ -48,62 +28,6 @@ func (r *SysOps) CleanupRouting(stateManager *statemanager.Manager, advancedRout
 	return r.cleanupRefCounter(stateManager)
 }
 
-// FlushMarkedRoutes removes single IP exclusion routes marked with the configured RTF_PROTO flag.
-func (r *SysOps) FlushMarkedRoutes() error {
-	rib, err := retryFetchRIB()
-	if err != nil {
-		return fmt.Errorf("fetch routing table: %w", err)
-	}
-
-	msgs, err := route.ParseRIB(route.RIBTypeRoute, rib)
-	if err != nil {
-		return fmt.Errorf("parse routing table: %w", err)
-	}
-
-	var merr *multierror.Error
-	flushedCount := 0
-
-	for _, msg := range msgs {
-		rtMsg, ok := msg.(*route.RouteMessage)
-		if !ok {
-			continue
-		}
-
-		if rtMsg.Flags&routeProtoFlag == 0 {
-			continue
-		}
-
-		routeInfo, err := MsgToRoute(rtMsg)
-		if err != nil {
-			log.Debugf("Skipping route flush: %v", err)
-			continue
-		}
-
-		if !routeInfo.Dst.IsValid() || !routeInfo.Dst.IsSingleIP() {
-			continue
-		}
-
-		nexthop := Nexthop{
-			IP:   routeInfo.Gw,
-			Intf: routeInfo.Interface,
-		}
-
-		if err := r.removeFromRouteTable(routeInfo.Dst, nexthop); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove route %s: %w", routeInfo.Dst, err))
-			continue
-		}
-
-		flushedCount++
-		log.Debugf("Flushed marked route: %s", routeInfo.Dst)
-	}
-
-	if flushedCount > 0 {
-		log.Infof("Flushed %d residual NetBird routes from previous session", flushedCount)
-	}
-
-	return nberrors.FormatErrorOrNil(merr)
-}
-
 func (r *SysOps) addToRouteTable(prefix netip.Prefix, nexthop Nexthop) error {
 	return r.routeSocket(unix.RTM_ADD, prefix, nexthop)
 }
@@ -181,7 +105,7 @@ func (r *SysOps) routeOp(action int, prefix netip.Prefix, nexthop Nexthop) func(
 func (r *SysOps) buildRouteMessage(action int, prefix netip.Prefix, nexthop Nexthop) (msg *route.RouteMessage, err error) {
 	msg = &route.RouteMessage{
 		Type:    action,
-		Flags:   unix.RTF_UP | routeProtoFlag,
+		Flags:   unix.RTF_UP,
 		Version: unix.RTM_VERSION,
 		Seq:     r.getSeq(),
 	}

client/internal/routeselector/routeselector.go

@@ -9,6 +9,8 @@ import (
 	"github.com/hashicorp/go-multierror"
 	"golang.org/x/exp/maps"
 
+	log "github.com/sirupsen/logrus"
+
 	"github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/route"
 )
@@ -126,11 +128,13 @@ func (rs *RouteSelector) IsSelected(routeID route.NetID) bool {
 	defer rs.mu.RUnlock()
 
 	if rs.deselectAll {
+		log.Debugf("Route %s not selected (deselect all)", routeID)
 		return false
 	}
 
 	_, deselected := rs.deselectedRoutes[routeID]
 	isSelected := !deselected
+	log.Debugf("Route %s selection status: %v (deselected: %v)", routeID, isSelected, deselected)
 	return isSelected
 }
 

client/internal/statemanager/manager.go

@@ -295,7 +295,7 @@ func (m *Manager) loadStateFile(deleteCorrupt bool) (map[string]json.RawMessage,
 	data, err := os.ReadFile(m.filePath)
 	if err != nil {
 		if errors.Is(err, fs.ErrNotExist) {
-			log.Debugf("state file %s does not exist", m.filePath)
+			log.Debug("state file does not exist")
 			return nil, nil // nolint:nilnil
 		}
 		return nil, fmt.Errorf("read state file: %w", err)

client/internal/winregistry/volatile_windows.go

@@ -1,59 +0,0 @@
-package winregistry
-
-import (
-	"syscall"
-	"unsafe"
-
-	"golang.org/x/sys/windows/registry"
-)
-
-var (
-	advapi          = syscall.NewLazyDLL("advapi32.dll")
-	regCreateKeyExW = advapi.NewProc("RegCreateKeyExW")
-)
-
-const (
-	// Registry key options
-	regOptionNonVolatile = 0x0 // Key is preserved when system is rebooted
-	regOptionVolatile    = 0x1 // Key is not preserved when system is rebooted
-
-	// Registry disposition values
-	regCreatedNewKey     = 0x1
-	regOpenedExistingKey = 0x2
-)
-
-// CreateVolatileKey creates a volatile registry key named path under open key root.
-// CreateVolatileKey returns the new key and a boolean flag that reports whether the key already existed.
-// The access parameter specifies the access rights for the key to be created.
-//
-// Volatile keys are stored in memory and are automatically deleted when the system is shut down.
-// This provides automatic cleanup without requiring manual registry maintenance.
-func CreateVolatileKey(root registry.Key, path string, access uint32) (registry.Key, bool, error) {
-	pathPtr, err := syscall.UTF16PtrFromString(path)
-	if err != nil {
-		return 0, false, err
-	}
-
-	var (
-		handle      syscall.Handle
-		disposition uint32
-	)
-
-	ret, _, _ := regCreateKeyExW.Call(
-		uintptr(root),
-		uintptr(unsafe.Pointer(pathPtr)),
-		0,                          // reserved
-		0,                          // class
-		uintptr(regOptionVolatile), // options - volatile key
-		uintptr(access),            // desired access
-		0,                          // security attributes
-		uintptr(unsafe.Pointer(&handle)),
-		uintptr(unsafe.Pointer(&disposition)),
-	)
-
-	if ret != 0 {
-		return 0, false, syscall.Errno(ret)
-	}
-
-	return registry.Key(handle), disposition == regOpenedExistingKey, nil
-}

client/ios/NetBirdSDK/client.go

@@ -20,8 +20,8 @@ import (
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/route"
 	"github.com/netbirdio/netbird/shared/management/domain"
+	"github.com/netbirdio/netbird/route"
 )
 
 // ConnectionListener export internal Listener for mobile

client/net/conn.go

@@ -17,7 +17,8 @@ type Conn struct {
 	ID hooks.ConnectionID
 }
 
-// Close overrides the net.Conn Close method to execute all registered hooks after closing the connection.
+// Close overrides the net.Conn Close method to execute all registered hooks after closing the connection
+// Close overrides the net.Conn Close method to execute all registered hooks before closing the connection.
 func (c *Conn) Close() error {
 	return closeConn(c.ID, c.Conn)
 }
@@ -28,7 +29,7 @@ type TCPConn struct {
 	ID hooks.ConnectionID
 }
 
-// Close overrides the net.TCPConn Close method to execute all registered hooks after closing the connection.
+// Close overrides the net.TCPConn Close method to execute all registered hooks before closing the connection.
 func (c *TCPConn) Close() error {
 	return closeConn(c.ID, c.TCPConn)
 }
@@ -36,16 +37,13 @@ func (c *TCPConn) Close() error {
 // closeConn is a helper function to close connections and execute close hooks.
 func closeConn(id hooks.ConnectionID, conn io.Closer) error {
 	err := conn.Close()
-	cleanupConnID(id)
-	return err
-}
 
-// cleanupConnID executes close hooks for a connection ID.
-func cleanupConnID(id hooks.ConnectionID) {
 	closeHooks := hooks.GetCloseHooks()
 	for _, hook := range closeHooks {
 		if err := hook(id); err != nil {
 			log.Errorf("Error executing close hook: %v", err)
 		}
 	}
+
+	return err
 }

client/net/dial.go

@@ -74,6 +74,7 @@ func DialTCP(network string, laddr, raddr *net.TCPAddr) (transport.TCPConn, erro
 		}
 		return &TCPConn{TCPConn: tcpConn, ID: c.ID}, nil
 	}
+
 	if err := conn.Close(); err != nil {
 		log.Errorf("failed to close connection: %v", err)
 	}

client/net/dialer_dial.go

@@ -30,7 +30,6 @@ func (d *Dialer) DialContext(ctx context.Context, network, address string) (net.
 
 	conn, err := d.Dialer.DialContext(ctx, network, address)
 	if err != nil {
-		cleanupConnID(connID)
 		return nil, fmt.Errorf("d.Dialer.DialContext: %w", err)
 	}
 
@@ -65,7 +64,7 @@ func callDialerHooks(ctx context.Context, connID hooks.ConnectionID, address str
 
 	ips, err := resolver.LookupIPAddr(ctx, host)
 	if err != nil {
-		return fmt.Errorf("resolve address %s: %w", address, err)
+		return fmt.Errorf("failed to resolve address %s: %w", address, err)
 	}
 
 	log.Debugf("Dialer resolved IPs for %s: %v", address, ips)

client/net/listener_listen.go

@@ -48,7 +48,7 @@ func (c *PacketConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	return c.PacketConn.WriteTo(b, addr)
 }
 
-// Close overrides the net.PacketConn Close method to execute all registered hooks after closing the connection.
+// Close overrides the net.PacketConn Close method to execute all registered hooks before closing the connection.
 func (c *PacketConn) Close() error {
 	defer c.seenAddrs.Clear()
 	return closeConn(c.ID, c.PacketConn)
@@ -69,7 +69,7 @@ func (c *UDPConn) WriteTo(b []byte, addr net.Addr) (n int, err error) {
 	return c.UDPConn.WriteTo(b, addr)
 }
 
-// Close overrides the net.UDPConn Close method to execute all registered hooks after closing the connection.
+// Close overrides the net.UDPConn Close method to execute all registered hooks before closing the connection.
 func (c *UDPConn) Close() error {
 	defer c.seenAddrs.Clear()
 	return closeConn(c.ID, c.UDPConn)

client/proto/daemon.pb.go

@@ -273,19 +273,14 @@ type LoginRequest struct {
 	// cleanDNSLabels clean map list of DNS labels.
 	// This is needed because the generated code
 	// omits initialized empty slices due to omitempty tags
-	CleanDNSLabels                bool    `protobuf:"varint,27,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
-	LazyConnectionEnabled         *bool   `protobuf:"varint,28,opt,name=lazyConnectionEnabled,proto3,oneof" json:"lazyConnectionEnabled,omitempty"`
-	BlockInbound                  *bool   `protobuf:"varint,29,opt,name=block_inbound,json=blockInbound,proto3,oneof" json:"block_inbound,omitempty"`
-	ProfileName                   *string `protobuf:"bytes,30,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
-	Username                      *string `protobuf:"bytes,31,opt,name=username,proto3,oneof" json:"username,omitempty"`
-	Mtu                           *int64  `protobuf:"varint,32,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
-	EnableSSHRoot                 *bool   `protobuf:"varint,33,opt,name=enableSSHRoot,proto3,oneof" json:"enableSSHRoot,omitempty"`
-	EnableSSHSFTP                 *bool   `protobuf:"varint,34,opt,name=enableSSHSFTP,proto3,oneof" json:"enableSSHSFTP,omitempty"`
-	EnableSSHLocalPortForwarding  *bool   `protobuf:"varint,35,opt,name=enableSSHLocalPortForwarding,proto3,oneof" json:"enableSSHLocalPortForwarding,omitempty"`
-	EnableSSHRemotePortForwarding *bool   `protobuf:"varint,36,opt,name=enableSSHRemotePortForwarding,proto3,oneof" json:"enableSSHRemotePortForwarding,omitempty"`
-	DisableSSHAuth                *bool   `protobuf:"varint,37,opt,name=disableSSHAuth,proto3,oneof" json:"disableSSHAuth,omitempty"`
-	unknownFields                 protoimpl.UnknownFields
-	sizeCache                     protoimpl.SizeCache
+	CleanDNSLabels        bool    `protobuf:"varint,27,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
+	LazyConnectionEnabled *bool   `protobuf:"varint,28,opt,name=lazyConnectionEnabled,proto3,oneof" json:"lazyConnectionEnabled,omitempty"`
+	BlockInbound          *bool   `protobuf:"varint,29,opt,name=block_inbound,json=blockInbound,proto3,oneof" json:"block_inbound,omitempty"`
+	ProfileName           *string `protobuf:"bytes,30,opt,name=profileName,proto3,oneof" json:"profileName,omitempty"`
+	Username              *string `protobuf:"bytes,31,opt,name=username,proto3,oneof" json:"username,omitempty"`
+	Mtu                   *int64  `protobuf:"varint,32,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
+	unknownFields         protoimpl.UnknownFields
+	sizeCache             protoimpl.SizeCache
 }
 
 func (x *LoginRequest) Reset() {
@@ -543,41 +538,6 @@ func (x *LoginRequest) GetMtu() int64 {
 	return 0
 }
 
-func (x *LoginRequest) GetEnableSSHRoot() bool {
-	if x != nil && x.EnableSSHRoot != nil {
-		return *x.EnableSSHRoot
-	}
-	return false
-}
-
-func (x *LoginRequest) GetEnableSSHSFTP() bool {
-	if x != nil && x.EnableSSHSFTP != nil {
-		return *x.EnableSSHSFTP
-	}
-	return false
-}
-
-func (x *LoginRequest) GetEnableSSHLocalPortForwarding() bool {
-	if x != nil && x.EnableSSHLocalPortForwarding != nil {
-		return *x.EnableSSHLocalPortForwarding
-	}
-	return false
-}
-
-func (x *LoginRequest) GetEnableSSHRemotePortForwarding() bool {
-	if x != nil && x.EnableSSHRemotePortForwarding != nil {
-		return *x.EnableSSHRemotePortForwarding
-	}
-	return false
-}
-
-func (x *LoginRequest) GetDisableSSHAuth() bool {
-	if x != nil && x.DisableSSHAuth != nil {
-		return *x.DisableSSHAuth
-	}
-	return false
-}
-
 type LoginResponse struct {
 	state                   protoimpl.MessageState `protogen:"open.v1"`
 	NeedsSSOLogin           bool                   `protobuf:"varint,1,opt,name=needsSSOLogin,proto3" json:"needsSSOLogin,omitempty"`
@@ -1088,29 +1048,24 @@ type GetConfigResponse struct {
 	// preSharedKey settings value.
 	PreSharedKey string `protobuf:"bytes,4,opt,name=preSharedKey,proto3" json:"preSharedKey,omitempty"`
 	// adminURL settings value.
-	AdminURL                      string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
-	InterfaceName                 string `protobuf:"bytes,6,opt,name=interfaceName,proto3" json:"interfaceName,omitempty"`
-	WireguardPort                 int64  `protobuf:"varint,7,opt,name=wireguardPort,proto3" json:"wireguardPort,omitempty"`
-	Mtu                           int64  `protobuf:"varint,8,opt,name=mtu,proto3" json:"mtu,omitempty"`
-	DisableAutoConnect            bool   `protobuf:"varint,9,opt,name=disableAutoConnect,proto3" json:"disableAutoConnect,omitempty"`
-	ServerSSHAllowed              bool   `protobuf:"varint,10,opt,name=serverSSHAllowed,proto3" json:"serverSSHAllowed,omitempty"`
-	RosenpassEnabled              bool   `protobuf:"varint,11,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
-	RosenpassPermissive           bool   `protobuf:"varint,12,opt,name=rosenpassPermissive,proto3" json:"rosenpassPermissive,omitempty"`
-	DisableNotifications          bool   `protobuf:"varint,13,opt,name=disable_notifications,json=disableNotifications,proto3" json:"disable_notifications,omitempty"`
-	LazyConnectionEnabled         bool   `protobuf:"varint,14,opt,name=lazyConnectionEnabled,proto3" json:"lazyConnectionEnabled,omitempty"`
-	BlockInbound                  bool   `protobuf:"varint,15,opt,name=blockInbound,proto3" json:"blockInbound,omitempty"`
-	NetworkMonitor                bool   `protobuf:"varint,16,opt,name=networkMonitor,proto3" json:"networkMonitor,omitempty"`
-	DisableDns                    bool   `protobuf:"varint,17,opt,name=disable_dns,json=disableDns,proto3" json:"disable_dns,omitempty"`
-	DisableClientRoutes           bool   `protobuf:"varint,18,opt,name=disable_client_routes,json=disableClientRoutes,proto3" json:"disable_client_routes,omitempty"`
-	DisableServerRoutes           bool   `protobuf:"varint,19,opt,name=disable_server_routes,json=disableServerRoutes,proto3" json:"disable_server_routes,omitempty"`
-	BlockLanAccess                bool   `protobuf:"varint,20,opt,name=block_lan_access,json=blockLanAccess,proto3" json:"block_lan_access,omitempty"`
-	EnableSSHRoot                 bool   `protobuf:"varint,21,opt,name=enableSSHRoot,proto3" json:"enableSSHRoot,omitempty"`
-	EnableSSHSFTP                 bool   `protobuf:"varint,24,opt,name=enableSSHSFTP,proto3" json:"enableSSHSFTP,omitempty"`
-	EnableSSHLocalPortForwarding  bool   `protobuf:"varint,22,opt,name=enableSSHLocalPortForwarding,proto3" json:"enableSSHLocalPortForwarding,omitempty"`
-	EnableSSHRemotePortForwarding bool   `protobuf:"varint,23,opt,name=enableSSHRemotePortForwarding,proto3" json:"enableSSHRemotePortForwarding,omitempty"`
-	DisableSSHAuth                bool   `protobuf:"varint,25,opt,name=disableSSHAuth,proto3" json:"disableSSHAuth,omitempty"`
-	unknownFields                 protoimpl.UnknownFields
-	sizeCache                     protoimpl.SizeCache
+	AdminURL              string `protobuf:"bytes,5,opt,name=adminURL,proto3" json:"adminURL,omitempty"`
+	InterfaceName         string `protobuf:"bytes,6,opt,name=interfaceName,proto3" json:"interfaceName,omitempty"`
+	WireguardPort         int64  `protobuf:"varint,7,opt,name=wireguardPort,proto3" json:"wireguardPort,omitempty"`
+	Mtu                   int64  `protobuf:"varint,8,opt,name=mtu,proto3" json:"mtu,omitempty"`
+	DisableAutoConnect    bool   `protobuf:"varint,9,opt,name=disableAutoConnect,proto3" json:"disableAutoConnect,omitempty"`
+	ServerSSHAllowed      bool   `protobuf:"varint,10,opt,name=serverSSHAllowed,proto3" json:"serverSSHAllowed,omitempty"`
+	RosenpassEnabled      bool   `protobuf:"varint,11,opt,name=rosenpassEnabled,proto3" json:"rosenpassEnabled,omitempty"`
+	RosenpassPermissive   bool   `protobuf:"varint,12,opt,name=rosenpassPermissive,proto3" json:"rosenpassPermissive,omitempty"`
+	DisableNotifications  bool   `protobuf:"varint,13,opt,name=disable_notifications,json=disableNotifications,proto3" json:"disable_notifications,omitempty"`
+	LazyConnectionEnabled bool   `protobuf:"varint,14,opt,name=lazyConnectionEnabled,proto3" json:"lazyConnectionEnabled,omitempty"`
+	BlockInbound          bool   `protobuf:"varint,15,opt,name=blockInbound,proto3" json:"blockInbound,omitempty"`
+	NetworkMonitor        bool   `protobuf:"varint,16,opt,name=networkMonitor,proto3" json:"networkMonitor,omitempty"`
+	DisableDns            bool   `protobuf:"varint,17,opt,name=disable_dns,json=disableDns,proto3" json:"disable_dns,omitempty"`
+	DisableClientRoutes   bool   `protobuf:"varint,18,opt,name=disable_client_routes,json=disableClientRoutes,proto3" json:"disable_client_routes,omitempty"`
+	DisableServerRoutes   bool   `protobuf:"varint,19,opt,name=disable_server_routes,json=disableServerRoutes,proto3" json:"disable_server_routes,omitempty"`
+	BlockLanAccess        bool   `protobuf:"varint,20,opt,name=block_lan_access,json=blockLanAccess,proto3" json:"block_lan_access,omitempty"`
+	unknownFields         protoimpl.UnknownFields
+	sizeCache             protoimpl.SizeCache
 }
 
 func (x *GetConfigResponse) Reset() {
@@ -1283,41 +1238,6 @@ func (x *GetConfigResponse) GetBlockLanAccess() bool {
 	return false
 }
 
-func (x *GetConfigResponse) GetEnableSSHRoot() bool {
-	if x != nil {
-		return x.EnableSSHRoot
-	}
-	return false
-}
-
-func (x *GetConfigResponse) GetEnableSSHSFTP() bool {
-	if x != nil {
-		return x.EnableSSHSFTP
-	}
-	return false
-}
-
-func (x *GetConfigResponse) GetEnableSSHLocalPortForwarding() bool {
-	if x != nil {
-		return x.EnableSSHLocalPortForwarding
-	}
-	return false
-}
-
-func (x *GetConfigResponse) GetEnableSSHRemotePortForwarding() bool {
-	if x != nil {
-		return x.EnableSSHRemotePortForwarding
-	}
-	return false
-}
-
-func (x *GetConfigResponse) GetDisableSSHAuth() bool {
-	if x != nil {
-		return x.DisableSSHAuth
-	}
-	return false
-}
-
 // PeerState contains the latest state of a peer
 type PeerState struct {
 	state                      protoimpl.MessageState `protogen:"open.v1"`
@@ -1338,7 +1258,6 @@ type PeerState struct {
 	Networks                   []string               `protobuf:"bytes,16,rep,name=networks,proto3" json:"networks,omitempty"`
 	Latency                    *durationpb.Duration   `protobuf:"bytes,17,opt,name=latency,proto3" json:"latency,omitempty"`
 	RelayAddress               string                 `protobuf:"bytes,18,opt,name=relayAddress,proto3" json:"relayAddress,omitempty"`
-	SshHostKey                 []byte                 `protobuf:"bytes,19,opt,name=sshHostKey,proto3" json:"sshHostKey,omitempty"`
 	unknownFields              protoimpl.UnknownFields
 	sizeCache                  protoimpl.SizeCache
 }
@@ -1492,13 +1411,6 @@ func (x *PeerState) GetRelayAddress() string {
 	return ""
 }
 
-func (x *PeerState) GetSshHostKey() []byte {
-	if x != nil {
-		return x.SshHostKey
-	}
-	return nil
-}
-
 // LocalPeerState contains the latest state of the local peer
 type LocalPeerState struct {
 	state               protoimpl.MessageState `protogen:"open.v1"`
@@ -3790,16 +3702,11 @@ type SetConfigRequest struct {
 	ExtraIFaceBlacklist   []string `protobuf:"bytes,24,rep,name=extraIFaceBlacklist,proto3" json:"extraIFaceBlacklist,omitempty"`
 	DnsLabels             []string `protobuf:"bytes,25,rep,name=dns_labels,json=dnsLabels,proto3" json:"dns_labels,omitempty"`
 	// cleanDNSLabels clean map list of DNS labels.
-	CleanDNSLabels             bool                 `protobuf:"varint,26,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
-	DnsRouteInterval           *durationpb.Duration `protobuf:"bytes,27,opt,name=dnsRouteInterval,proto3,oneof" json:"dnsRouteInterval,omitempty"`
-	Mtu                        *int64               `protobuf:"varint,28,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
-	EnableSSHRoot              *bool                `protobuf:"varint,29,opt,name=enableSSHRoot,proto3,oneof" json:"enableSSHRoot,omitempty"`
-	EnableSSHSFTP              *bool                `protobuf:"varint,30,opt,name=enableSSHSFTP,proto3,oneof" json:"enableSSHSFTP,omitempty"`
-	EnableSSHLocalPortForward  *bool                `protobuf:"varint,31,opt,name=enableSSHLocalPortForward,proto3,oneof" json:"enableSSHLocalPortForward,omitempty"`
-	EnableSSHRemotePortForward *bool                `protobuf:"varint,32,opt,name=enableSSHRemotePortForward,proto3,oneof" json:"enableSSHRemotePortForward,omitempty"`
-	DisableSSHAuth             *bool                `protobuf:"varint,33,opt,name=disableSSHAuth,proto3,oneof" json:"disableSSHAuth,omitempty"`
-	unknownFields              protoimpl.UnknownFields
-	sizeCache                  protoimpl.SizeCache
+	CleanDNSLabels   bool                 `protobuf:"varint,26,opt,name=cleanDNSLabels,proto3" json:"cleanDNSLabels,omitempty"`
+	DnsRouteInterval *durationpb.Duration `protobuf:"bytes,27,opt,name=dnsRouteInterval,proto3,oneof" json:"dnsRouteInterval,omitempty"`
+	Mtu              *int64               `protobuf:"varint,28,opt,name=mtu,proto3,oneof" json:"mtu,omitempty"`
+	unknownFields    protoimpl.UnknownFields
+	sizeCache        protoimpl.SizeCache
 }
 
 func (x *SetConfigRequest) Reset() {
@@ -4028,41 +3935,6 @@ func (x *SetConfigRequest) GetMtu() int64 {
 	return 0
 }
 
-func (x *SetConfigRequest) GetEnableSSHRoot() bool {
-	if x != nil && x.EnableSSHRoot != nil {
-		return *x.EnableSSHRoot
-	}
-	return false
-}
-
-func (x *SetConfigRequest) GetEnableSSHSFTP() bool {
-	if x != nil && x.EnableSSHSFTP != nil {
-		return *x.EnableSSHSFTP
-	}
-	return false
-}
-
-func (x *SetConfigRequest) GetEnableSSHLocalPortForward() bool {
-	if x != nil && x.EnableSSHLocalPortForward != nil {
-		return *x.EnableSSHLocalPortForward
-	}
-	return false
-}
-
-func (x *SetConfigRequest) GetEnableSSHRemotePortForward() bool {
-	if x != nil && x.EnableSSHRemotePortForward != nil {
-		return *x.EnableSSHRemotePortForward
-	}
-	return false
-}
-
-func (x *SetConfigRequest) GetDisableSSHAuth() bool {
-	if x != nil && x.DisableSSHAuth != nil {
-		return *x.DisableSSHAuth
-	}
-	return false
-}
-
 type SetConfigResponse struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	unknownFields protoimpl.UnknownFields
@@ -4679,381 +4551,6 @@ func (x *GetFeaturesResponse) GetDisableUpdateSettings() bool {
 	return false
 }
 
-// GetPeerSSHHostKeyRequest for retrieving SSH host key for a specific peer
-type GetPeerSSHHostKeyRequest struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// peer IP address or FQDN to get SSH host key for
-	PeerAddress   string `protobuf:"bytes,1,opt,name=peerAddress,proto3" json:"peerAddress,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *GetPeerSSHHostKeyRequest) Reset() {
-	*x = GetPeerSSHHostKeyRequest{}
-	mi := &file_daemon_proto_msgTypes[69]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *GetPeerSSHHostKeyRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*GetPeerSSHHostKeyRequest) ProtoMessage() {}
-
-func (x *GetPeerSSHHostKeyRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[69]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use GetPeerSSHHostKeyRequest.ProtoReflect.Descriptor instead.
-func (*GetPeerSSHHostKeyRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{69}
-}
-
-func (x *GetPeerSSHHostKeyRequest) GetPeerAddress() string {
-	if x != nil {
-		return x.PeerAddress
-	}
-	return ""
-}
-
-// GetPeerSSHHostKeyResponse contains the SSH host key for the requested peer
-type GetPeerSSHHostKeyResponse struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// SSH host key in SSH public key format (e.g., "ssh-ed25519 AAAAC3... hostname")
-	SshHostKey []byte `protobuf:"bytes,1,opt,name=sshHostKey,proto3" json:"sshHostKey,omitempty"`
-	// peer IP address
-	PeerIP string `protobuf:"bytes,2,opt,name=peerIP,proto3" json:"peerIP,omitempty"`
-	// peer FQDN
-	PeerFQDN string `protobuf:"bytes,3,opt,name=peerFQDN,proto3" json:"peerFQDN,omitempty"`
-	// indicates if the SSH host key was found
-	Found         bool `protobuf:"varint,4,opt,name=found,proto3" json:"found,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *GetPeerSSHHostKeyResponse) Reset() {
-	*x = GetPeerSSHHostKeyResponse{}
-	mi := &file_daemon_proto_msgTypes[70]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *GetPeerSSHHostKeyResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*GetPeerSSHHostKeyResponse) ProtoMessage() {}
-
-func (x *GetPeerSSHHostKeyResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[70]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use GetPeerSSHHostKeyResponse.ProtoReflect.Descriptor instead.
-func (*GetPeerSSHHostKeyResponse) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{70}
-}
-
-func (x *GetPeerSSHHostKeyResponse) GetSshHostKey() []byte {
-	if x != nil {
-		return x.SshHostKey
-	}
-	return nil
-}
-
-func (x *GetPeerSSHHostKeyResponse) GetPeerIP() string {
-	if x != nil {
-		return x.PeerIP
-	}
-	return ""
-}
-
-func (x *GetPeerSSHHostKeyResponse) GetPeerFQDN() string {
-	if x != nil {
-		return x.PeerFQDN
-	}
-	return ""
-}
-
-func (x *GetPeerSSHHostKeyResponse) GetFound() bool {
-	if x != nil {
-		return x.Found
-	}
-	return false
-}
-
-// RequestJWTAuthRequest for initiating JWT authentication flow
-type RequestJWTAuthRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *RequestJWTAuthRequest) Reset() {
-	*x = RequestJWTAuthRequest{}
-	mi := &file_daemon_proto_msgTypes[71]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *RequestJWTAuthRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*RequestJWTAuthRequest) ProtoMessage() {}
-
-func (x *RequestJWTAuthRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[71]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use RequestJWTAuthRequest.ProtoReflect.Descriptor instead.
-func (*RequestJWTAuthRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{71}
-}
-
-// RequestJWTAuthResponse contains authentication flow information
-type RequestJWTAuthResponse struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// verification URI for user authentication
-	VerificationURI string `protobuf:"bytes,1,opt,name=verificationURI,proto3" json:"verificationURI,omitempty"`
-	// complete verification URI (with embedded user code)
-	VerificationURIComplete string `protobuf:"bytes,2,opt,name=verificationURIComplete,proto3" json:"verificationURIComplete,omitempty"`
-	// user code to enter on verification URI
-	UserCode string `protobuf:"bytes,3,opt,name=userCode,proto3" json:"userCode,omitempty"`
-	// device code for polling
-	DeviceCode string `protobuf:"bytes,4,opt,name=deviceCode,proto3" json:"deviceCode,omitempty"`
-	// expiration time in seconds
-	ExpiresIn int64 `protobuf:"varint,5,opt,name=expiresIn,proto3" json:"expiresIn,omitempty"`
-	// if a cached token is available, it will be returned here
-	CachedToken string `protobuf:"bytes,6,opt,name=cachedToken,proto3" json:"cachedToken,omitempty"`
-	// maximum age of JWT tokens in seconds (from management server)
-	MaxTokenAge   int64 `protobuf:"varint,7,opt,name=maxTokenAge,proto3" json:"maxTokenAge,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *RequestJWTAuthResponse) Reset() {
-	*x = RequestJWTAuthResponse{}
-	mi := &file_daemon_proto_msgTypes[72]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *RequestJWTAuthResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*RequestJWTAuthResponse) ProtoMessage() {}
-
-func (x *RequestJWTAuthResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[72]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use RequestJWTAuthResponse.ProtoReflect.Descriptor instead.
-func (*RequestJWTAuthResponse) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{72}
-}
-
-func (x *RequestJWTAuthResponse) GetVerificationURI() string {
-	if x != nil {
-		return x.VerificationURI
-	}
-	return ""
-}
-
-func (x *RequestJWTAuthResponse) GetVerificationURIComplete() string {
-	if x != nil {
-		return x.VerificationURIComplete
-	}
-	return ""
-}
-
-func (x *RequestJWTAuthResponse) GetUserCode() string {
-	if x != nil {
-		return x.UserCode
-	}
-	return ""
-}
-
-func (x *RequestJWTAuthResponse) GetDeviceCode() string {
-	if x != nil {
-		return x.DeviceCode
-	}
-	return ""
-}
-
-func (x *RequestJWTAuthResponse) GetExpiresIn() int64 {
-	if x != nil {
-		return x.ExpiresIn
-	}
-	return 0
-}
-
-func (x *RequestJWTAuthResponse) GetCachedToken() string {
-	if x != nil {
-		return x.CachedToken
-	}
-	return ""
-}
-
-func (x *RequestJWTAuthResponse) GetMaxTokenAge() int64 {
-	if x != nil {
-		return x.MaxTokenAge
-	}
-	return 0
-}
-
-// WaitJWTTokenRequest for waiting for authentication completion
-type WaitJWTTokenRequest struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// device code from RequestJWTAuthResponse
-	DeviceCode string `protobuf:"bytes,1,opt,name=deviceCode,proto3" json:"deviceCode,omitempty"`
-	// user code for verification
-	UserCode      string `protobuf:"bytes,2,opt,name=userCode,proto3" json:"userCode,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *WaitJWTTokenRequest) Reset() {
-	*x = WaitJWTTokenRequest{}
-	mi := &file_daemon_proto_msgTypes[73]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *WaitJWTTokenRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*WaitJWTTokenRequest) ProtoMessage() {}
-
-func (x *WaitJWTTokenRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[73]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use WaitJWTTokenRequest.ProtoReflect.Descriptor instead.
-func (*WaitJWTTokenRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{73}
-}
-
-func (x *WaitJWTTokenRequest) GetDeviceCode() string {
-	if x != nil {
-		return x.DeviceCode
-	}
-	return ""
-}
-
-func (x *WaitJWTTokenRequest) GetUserCode() string {
-	if x != nil {
-		return x.UserCode
-	}
-	return ""
-}
-
-// WaitJWTTokenResponse contains the JWT token after authentication
-type WaitJWTTokenResponse struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// JWT token (access token or ID token)
-	Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
-	// token type (e.g., "Bearer")
-	TokenType string `protobuf:"bytes,2,opt,name=tokenType,proto3" json:"tokenType,omitempty"`
-	// expiration time in seconds
-	ExpiresIn     int64 `protobuf:"varint,3,opt,name=expiresIn,proto3" json:"expiresIn,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *WaitJWTTokenResponse) Reset() {
-	*x = WaitJWTTokenResponse{}
-	mi := &file_daemon_proto_msgTypes[74]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *WaitJWTTokenResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*WaitJWTTokenResponse) ProtoMessage() {}
-
-func (x *WaitJWTTokenResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[74]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use WaitJWTTokenResponse.ProtoReflect.Descriptor instead.
-func (*WaitJWTTokenResponse) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{74}
-}
-
-func (x *WaitJWTTokenResponse) GetToken() string {
-	if x != nil {
-		return x.Token
-	}
-	return ""
-}
-
-func (x *WaitJWTTokenResponse) GetTokenType() string {
-	if x != nil {
-		return x.TokenType
-	}
-	return ""
-}
-
-func (x *WaitJWTTokenResponse) GetExpiresIn() int64 {
-	if x != nil {
-		return x.ExpiresIn
-	}
-	return 0
-}
-
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -5064,7 +4561,7 @@ type PortInfo_Range struct {
 
 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[76]
+	mi := &file_daemon_proto_msgTypes[70]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -5076,7 +4573,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}
 
 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[76]
+	mi := &file_daemon_proto_msgTypes[70]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -5111,7 +4608,7 @@ var File_daemon_proto protoreflect.FileDescriptor
 const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"\fdaemon.proto\x12\x06daemon\x1a google/protobuf/descriptor.proto\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x1egoogle/protobuf/duration.proto\"\x0e\n" +
-	"\fEmptyRequest\"\xd4\x11\n" +
+	"\fEmptyRequest\"\xc3\x0e\n" +
 	"\fLoginRequest\x12\x1a\n" +
 	"\bsetupKey\x18\x01 \x01(\tR\bsetupKey\x12&\n" +
 	"\fpreSharedKey\x18\x02 \x01(\tB\x02\x18\x01R\fpreSharedKey\x12$\n" +
@@ -5148,12 +4645,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\rblock_inbound\x18\x1d \x01(\bH\x10R\fblockInbound\x88\x01\x01\x12%\n" +
 	"\vprofileName\x18\x1e \x01(\tH\x11R\vprofileName\x88\x01\x01\x12\x1f\n" +
 	"\busername\x18\x1f \x01(\tH\x12R\busername\x88\x01\x01\x12\x15\n" +
-	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01\x12)\n" +
-	"\renableSSHRoot\x18! \x01(\bH\x14R\renableSSHRoot\x88\x01\x01\x12)\n" +
-	"\renableSSHSFTP\x18\" \x01(\bH\x15R\renableSSHSFTP\x88\x01\x01\x12G\n" +
-	"\x1cenableSSHLocalPortForwarding\x18# \x01(\bH\x16R\x1cenableSSHLocalPortForwarding\x88\x01\x01\x12I\n" +
-	"\x1denableSSHRemotePortForwarding\x18$ \x01(\bH\x17R\x1denableSSHRemotePortForwarding\x88\x01\x01\x12+\n" +
-	"\x0edisableSSHAuth\x18% \x01(\bH\x18R\x0edisableSSHAuth\x88\x01\x01B\x13\n" +
+	"\x03mtu\x18  \x01(\x03H\x13R\x03mtu\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -5173,12 +4665,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x0e_block_inboundB\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_usernameB\x06\n" +
-	"\x04_mtuB\x10\n" +
-	"\x0e_enableSSHRootB\x10\n" +
-	"\x0e_enableSSHSFTPB\x1f\n" +
-	"\x1d_enableSSHLocalPortForwardingB \n" +
-	"\x1e_enableSSHRemotePortForwardingB\x11\n" +
-	"\x0f_disableSSHAuth\"\xb5\x01\n" +
+	"\x04_mtu\"\xb5\x01\n" +
 	"\rLoginResponse\x12$\n" +
 	"\rneedsSSOLogin\x18\x01 \x01(\bR\rneedsSSOLogin\x12\x1a\n" +
 	"\buserCode\x18\x02 \x01(\tR\buserCode\x12(\n" +
@@ -5211,7 +4698,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\fDownResponse\"P\n" +
 	"\x10GetConfigRequest\x12 \n" +
 	"\vprofileName\x18\x01 \x01(\tR\vprofileName\x12\x1a\n" +
-	"\busername\x18\x02 \x01(\tR\busername\"\xb3\b\n" +
+	"\busername\x18\x02 \x01(\tR\busername\"\xb5\x06\n" +
 	"\x11GetConfigResponse\x12$\n" +
 	"\rmanagementUrl\x18\x01 \x01(\tR\rmanagementUrl\x12\x1e\n" +
 	"\n" +
@@ -5236,12 +4723,7 @@ const file_daemon_proto_rawDesc = "" +
 	"disableDns\x122\n" +
 	"\x15disable_client_routes\x18\x12 \x01(\bR\x13disableClientRoutes\x122\n" +
 	"\x15disable_server_routes\x18\x13 \x01(\bR\x13disableServerRoutes\x12(\n" +
-	"\x10block_lan_access\x18\x14 \x01(\bR\x0eblockLanAccess\x12$\n" +
-	"\renableSSHRoot\x18\x15 \x01(\bR\renableSSHRoot\x12$\n" +
-	"\renableSSHSFTP\x18\x18 \x01(\bR\renableSSHSFTP\x12B\n" +
-	"\x1cenableSSHLocalPortForwarding\x18\x16 \x01(\bR\x1cenableSSHLocalPortForwarding\x12D\n" +
-	"\x1denableSSHRemotePortForwarding\x18\x17 \x01(\bR\x1denableSSHRemotePortForwarding\x12&\n" +
-	"\x0edisableSSHAuth\x18\x19 \x01(\bR\x0edisableSSHAuth\"\xfe\x05\n" +
+	"\x10block_lan_access\x18\x14 \x01(\bR\x0eblockLanAccess\"\xde\x05\n" +
 	"\tPeerState\x12\x0e\n" +
 	"\x02IP\x18\x01 \x01(\tR\x02IP\x12\x16\n" +
 	"\x06pubKey\x18\x02 \x01(\tR\x06pubKey\x12\x1e\n" +
@@ -5262,10 +4744,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x10rosenpassEnabled\x18\x0f \x01(\bR\x10rosenpassEnabled\x12\x1a\n" +
 	"\bnetworks\x18\x10 \x03(\tR\bnetworks\x123\n" +
 	"\alatency\x18\x11 \x01(\v2\x19.google.protobuf.DurationR\alatency\x12\"\n" +
-	"\frelayAddress\x18\x12 \x01(\tR\frelayAddress\x12\x1e\n" +
-	"\n" +
-	"sshHostKey\x18\x13 \x01(\fR\n" +
-	"sshHostKey\"\xf0\x01\n" +
+	"\frelayAddress\x18\x12 \x01(\tR\frelayAddress\"\xf0\x01\n" +
 	"\x0eLocalPeerState\x12\x0e\n" +
 	"\x02IP\x18\x01 \x01(\tR\x02IP\x12\x16\n" +
 	"\x06pubKey\x18\x02 \x01(\tR\x06pubKey\x12(\n" +
@@ -5444,7 +4923,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\busername\x18\x02 \x01(\tH\x01R\busername\x88\x01\x01B\x0e\n" +
 	"\f_profileNameB\v\n" +
 	"\t_username\"\x17\n" +
-	"\x15SwitchProfileResponse\"\x8d\x10\n" +
+	"\x15SwitchProfileResponse\"\x8e\r\n" +
 	"\x10SetConfigRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
 	"\vprofileName\x18\x02 \x01(\tR\vprofileName\x12$\n" +
@@ -5477,12 +4956,7 @@ const file_daemon_proto_rawDesc = "" +
 	"dns_labels\x18\x19 \x03(\tR\tdnsLabels\x12&\n" +
 	"\x0ecleanDNSLabels\x18\x1a \x01(\bR\x0ecleanDNSLabels\x12J\n" +
 	"\x10dnsRouteInterval\x18\x1b \x01(\v2\x19.google.protobuf.DurationH\x10R\x10dnsRouteInterval\x88\x01\x01\x12\x15\n" +
-	"\x03mtu\x18\x1c \x01(\x03H\x11R\x03mtu\x88\x01\x01\x12)\n" +
-	"\renableSSHRoot\x18\x1d \x01(\bH\x12R\renableSSHRoot\x88\x01\x01\x12)\n" +
-	"\renableSSHSFTP\x18\x1e \x01(\bH\x13R\renableSSHSFTP\x88\x01\x01\x12A\n" +
-	"\x19enableSSHLocalPortForward\x18\x1f \x01(\bH\x14R\x19enableSSHLocalPortForward\x88\x01\x01\x12C\n" +
-	"\x1aenableSSHRemotePortForward\x18  \x01(\bH\x15R\x1aenableSSHRemotePortForward\x88\x01\x01\x12+\n" +
-	"\x0edisableSSHAuth\x18! \x01(\bH\x16R\x0edisableSSHAuth\x88\x01\x01B\x13\n" +
+	"\x03mtu\x18\x1c \x01(\x03H\x11R\x03mtu\x88\x01\x01B\x13\n" +
 	"\x11_rosenpassEnabledB\x10\n" +
 	"\x0e_interfaceNameB\x10\n" +
 	"\x0e_wireguardPortB\x17\n" +
@@ -5500,12 +4974,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x16_lazyConnectionEnabledB\x10\n" +
 	"\x0e_block_inboundB\x13\n" +
 	"\x11_dnsRouteIntervalB\x06\n" +
-	"\x04_mtuB\x10\n" +
-	"\x0e_enableSSHRootB\x10\n" +
-	"\x0e_enableSSHSFTPB\x1c\n" +
-	"\x1a_enableSSHLocalPortForwardB\x1d\n" +
-	"\x1b_enableSSHRemotePortForwardB\x11\n" +
-	"\x0f_disableSSHAuth\"\x13\n" +
+	"\x04_mtu\"\x13\n" +
 	"\x11SetConfigResponse\"Q\n" +
 	"\x11AddProfileRequest\x12\x1a\n" +
 	"\busername\x18\x01 \x01(\tR\busername\x12 \n" +
@@ -5535,36 +5004,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x12GetFeaturesRequest\"x\n" +
 	"\x13GetFeaturesResponse\x12)\n" +
 	"\x10disable_profiles\x18\x01 \x01(\bR\x0fdisableProfiles\x126\n" +
-	"\x17disable_update_settings\x18\x02 \x01(\bR\x15disableUpdateSettings\"<\n" +
-	"\x18GetPeerSSHHostKeyRequest\x12 \n" +
-	"\vpeerAddress\x18\x01 \x01(\tR\vpeerAddress\"\x85\x01\n" +
-	"\x19GetPeerSSHHostKeyResponse\x12\x1e\n" +
-	"\n" +
-	"sshHostKey\x18\x01 \x01(\fR\n" +
-	"sshHostKey\x12\x16\n" +
-	"\x06peerIP\x18\x02 \x01(\tR\x06peerIP\x12\x1a\n" +
-	"\bpeerFQDN\x18\x03 \x01(\tR\bpeerFQDN\x12\x14\n" +
-	"\x05found\x18\x04 \x01(\bR\x05found\"\x17\n" +
-	"\x15RequestJWTAuthRequest\"\x9a\x02\n" +
-	"\x16RequestJWTAuthResponse\x12(\n" +
-	"\x0fverificationURI\x18\x01 \x01(\tR\x0fverificationURI\x128\n" +
-	"\x17verificationURIComplete\x18\x02 \x01(\tR\x17verificationURIComplete\x12\x1a\n" +
-	"\buserCode\x18\x03 \x01(\tR\buserCode\x12\x1e\n" +
-	"\n" +
-	"deviceCode\x18\x04 \x01(\tR\n" +
-	"deviceCode\x12\x1c\n" +
-	"\texpiresIn\x18\x05 \x01(\x03R\texpiresIn\x12 \n" +
-	"\vcachedToken\x18\x06 \x01(\tR\vcachedToken\x12 \n" +
-	"\vmaxTokenAge\x18\a \x01(\x03R\vmaxTokenAge\"Q\n" +
-	"\x13WaitJWTTokenRequest\x12\x1e\n" +
-	"\n" +
-	"deviceCode\x18\x01 \x01(\tR\n" +
-	"deviceCode\x12\x1a\n" +
-	"\buserCode\x18\x02 \x01(\tR\buserCode\"h\n" +
-	"\x14WaitJWTTokenResponse\x12\x14\n" +
-	"\x05token\x18\x01 \x01(\tR\x05token\x12\x1c\n" +
-	"\ttokenType\x18\x02 \x01(\tR\ttokenType\x12\x1c\n" +
-	"\texpiresIn\x18\x03 \x01(\x03R\texpiresIn*b\n" +
+	"\x17disable_update_settings\x18\x02 \x01(\bR\x15disableUpdateSettings*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -5573,7 +5013,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\x04WARN\x10\x04\x12\b\n" +
 	"\x04INFO\x10\x05\x12\t\n" +
 	"\x05DEBUG\x10\x06\x12\t\n" +
-	"\x05TRACE\x10\a2\x8b\x12\n" +
+	"\x05TRACE\x10\a2\x8f\x10\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -5605,10 +5045,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\fListProfiles\x12\x1b.daemon.ListProfilesRequest\x1a\x1c.daemon.ListProfilesResponse\"\x00\x12W\n" +
 	"\x10GetActiveProfile\x12\x1f.daemon.GetActiveProfileRequest\x1a .daemon.GetActiveProfileResponse\"\x00\x129\n" +
 	"\x06Logout\x12\x15.daemon.LogoutRequest\x1a\x16.daemon.LogoutResponse\"\x00\x12H\n" +
-	"\vGetFeatures\x12\x1a.daemon.GetFeaturesRequest\x1a\x1b.daemon.GetFeaturesResponse\"\x00\x12Z\n" +
-	"\x11GetPeerSSHHostKey\x12 .daemon.GetPeerSSHHostKeyRequest\x1a!.daemon.GetPeerSSHHostKeyResponse\"\x00\x12Q\n" +
-	"\x0eRequestJWTAuth\x12\x1d.daemon.RequestJWTAuthRequest\x1a\x1e.daemon.RequestJWTAuthResponse\"\x00\x12K\n" +
-	"\fWaitJWTToken\x12\x1b.daemon.WaitJWTTokenRequest\x1a\x1c.daemon.WaitJWTTokenResponse\"\x00B\bZ\x06/protob\x06proto3"
+	"\vGetFeatures\x12\x1a.daemon.GetFeaturesRequest\x1a\x1b.daemon.GetFeaturesResponse\"\x00B\bZ\x06/protob\x06proto3"
 
 var (
 	file_daemon_proto_rawDescOnce sync.Once
@@ -5623,7 +5060,7 @@ func file_daemon_proto_rawDescGZIP() []byte {
 }
 
 var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 78)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 72)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
 	(SystemEvent_Severity)(0),                  // 1: daemon.SystemEvent.Severity
@@ -5697,24 +5134,18 @@ var file_daemon_proto_goTypes = []any{
 	(*LogoutResponse)(nil),                     // 69: daemon.LogoutResponse
 	(*GetFeaturesRequest)(nil),                 // 70: daemon.GetFeaturesRequest
 	(*GetFeaturesResponse)(nil),                // 71: daemon.GetFeaturesResponse
-	(*GetPeerSSHHostKeyRequest)(nil),           // 72: daemon.GetPeerSSHHostKeyRequest
-	(*GetPeerSSHHostKeyResponse)(nil),          // 73: daemon.GetPeerSSHHostKeyResponse
-	(*RequestJWTAuthRequest)(nil),              // 74: daemon.RequestJWTAuthRequest
-	(*RequestJWTAuthResponse)(nil),             // 75: daemon.RequestJWTAuthResponse
-	(*WaitJWTTokenRequest)(nil),                // 76: daemon.WaitJWTTokenRequest
-	(*WaitJWTTokenResponse)(nil),               // 77: daemon.WaitJWTTokenResponse
-	nil,                                        // 78: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 79: daemon.PortInfo.Range
-	nil,                                        // 80: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 81: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 82: google.protobuf.Timestamp
+	nil,                                        // 72: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 73: daemon.PortInfo.Range
+	nil,                                        // 74: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 75: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 76: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	81, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	75, // 0: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
 	22, // 1: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	82, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	82, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	81, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	76, // 2: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	76, // 3: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	75, // 4: daemon.PeerState.latency:type_name -> google.protobuf.Duration
 	19, // 5: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
 	18, // 6: daemon.FullStatus.signalState:type_name -> daemon.SignalState
 	17, // 7: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
@@ -5723,8 +5154,8 @@ var file_daemon_proto_depIdxs = []int32{
 	21, // 10: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
 	52, // 11: daemon.FullStatus.events:type_name -> daemon.SystemEvent
 	28, // 12: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	78, // 13: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	79, // 14: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	72, // 13: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	73, // 14: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
 	29, // 15: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
 	29, // 16: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
 	30, // 17: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
@@ -5735,10 +5166,10 @@ var file_daemon_proto_depIdxs = []int32{
 	49, // 22: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
 	1,  // 23: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
 	2,  // 24: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	82, // 25: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	80, // 26: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	76, // 25: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	74, // 26: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
 	52, // 27: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	81, // 28: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	75, // 28: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
 	65, // 29: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
 	27, // 30: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
 	4,  // 31: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
@@ -5769,42 +5200,36 @@ var file_daemon_proto_depIdxs = []int32{
 	66, // 56: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
 	68, // 57: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
 	70, // 58: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	72, // 59: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	74, // 60: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	76, // 61: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	5,  // 62: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	7,  // 63: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	9,  // 64: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	11, // 65: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	13, // 66: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	15, // 67: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	24, // 68: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	26, // 69: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	26, // 70: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	31, // 71: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	33, // 72: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	35, // 73: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	37, // 74: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	40, // 75: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	42, // 76: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	44, // 77: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	46, // 78: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	50, // 79: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	52, // 80: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	54, // 81: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	56, // 82: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	58, // 83: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	60, // 84: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	62, // 85: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	64, // 86: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	67, // 87: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	69, // 88: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	71, // 89: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	73, // 90: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	75, // 91: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	77, // 92: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	62, // [62:93] is the sub-list for method output_type
-	31, // [31:62] is the sub-list for method input_type
+	5,  // 59: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	7,  // 60: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	9,  // 61: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	11, // 62: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	13, // 63: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	15, // 64: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	24, // 65: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	26, // 66: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	26, // 67: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	31, // 68: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	33, // 69: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	35, // 70: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	37, // 71: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	40, // 72: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	42, // 73: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	44, // 74: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	46, // 75: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	50, // 76: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	52, // 77: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	54, // 78: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	56, // 79: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	58, // 80: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	60, // 81: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	62, // 82: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	64, // 83: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	67, // 84: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	69, // 85: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	71, // 86: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	59, // [59:87] is the sub-list for method output_type
+	31, // [31:59] is the sub-list for method input_type
 	31, // [31:31] is the sub-list for extension type_name
 	31, // [31:31] is the sub-list for extension extendee
 	0,  // [0:31] is the sub-list for field type_name
@@ -5833,7 +5258,7 @@ func file_daemon_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
 			NumEnums:      3,
-			NumMessages:   78,
+			NumMessages:   72,
 			NumExtensions: 0,
 			NumServices:   1,
 		},