fix: management/Dockerfile.debug to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU2404-PERL-10285352
- https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-10321975
- https://snyk.io/vuln/SNYK-UBUNTU2404-GLIBC-10321975
- https://snyk.io/vuln/SNYK-UBUNTU2404-PAM-8303372
- https://snyk.io/vuln/SNYK-UBUNTU2404-TAR-10769052

.github/pull_request_template.md

@@ -12,16 +12,6 @@
 - [ ] Is a feature enhancement
 - [ ] It is a refactor
 - [ ] Created tests that fail without the change (if possible)
+- [ ] Extended the README / documentation, if necessary
 
 > By submitting this pull request, you confirm that you have read and agree to the terms of the [Contributor License Agreement](https://github.com/netbirdio/netbird/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT.md).
-
-## Documentation
-Select exactly one:
-
-- [ ] I added/updated documentation for this change
-- [ ] Documentation is **not needed** for this change (explain why)
-
-### Docs PR URL (required if "docs added" is checked)
-Paste the PR link from https://github.com/netbirdio/docs here:
-
-https://github.com/netbirdio/docs/pull/__

.github/workflows/docs-ack.yml

@@ -1,109 +0,0 @@
-name: Docs Acknowledgement
-
-on:
-  pull_request:
-    types: [opened, edited, synchronize]
-
-permissions:
-  contents: read
-  pull-requests: read
-
-jobs:
-  docs-ack:
-    name: Require docs PR URL or explicit "not needed"
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Read PR body
-        id: body
-        shell: bash
-        run: |
-          set -euo pipefail
-          BODY_B64=$(jq -r '.pull_request.body // "" | @base64' "$GITHUB_EVENT_PATH")
-          {
-            echo "body_b64=$BODY_B64"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Validate checkbox selection
-        id: validate
-        shell: bash
-        env:
-          BODY_B64: ${{ steps.body.outputs.body_b64 }}
-        run: |
-          set -euo pipefail
-          if ! body="$(printf '%s' "$BODY_B64" | base64 -d)"; then
-            echo "::error::Failed to decode PR body from base64. Data may be corrupted or missing."
-            exit 1
-          fi
-
-          added_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*I added/updated documentation' | wc -l | tr -d '[:space:]' || true)
-          noneed_checked=$(printf '%s' "$body" | grep -Ei '^[[:space:]]*-\s*\[x\]\s*Documentation is \*\*not needed\*\*' | wc -l | tr -d '[:space:]' || true)
-
-
-          if [ "$added_checked" -eq 1 ] && [ "$noneed_checked" -eq 1 ]; then
-            echo "::error::Choose exactly one: either 'docs added' OR 'not needed'."
-            exit 1
-          fi
-
-          if [ "$added_checked" -eq 0 ] && [ "$noneed_checked" -eq 0 ]; then
-            echo "::error::You must check exactly one docs option in the PR template."
-            exit 1
-          fi
-
-          if [ "$added_checked" -eq 1 ]; then
-            echo "mode=added" >> "$GITHUB_OUTPUT"
-          else
-            echo "mode=noneed" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Extract docs PR URL (when 'docs added')
-        if: steps.validate.outputs.mode == 'added'
-        id: extract
-        shell: bash
-        env:
-          BODY_B64: ${{ steps.body.outputs.body_b64 }}
-        run: |
-          set -euo pipefail
-          body="$(printf '%s' "$BODY_B64" | base64 -d)"
-
-          # Strictly require HTTPS and that it's a PR in netbirdio/docs
-          # e.g., https://github.com/netbirdio/docs/pull/1234
-          url="$(printf '%s' "$body" | grep -Eo 'https://github\.com/netbirdio/docs/pull/[0-9]+' | head -n1 || true)"
-
-          if [ -z "${url:-}" ]; then
-            echo "::error::You checked 'docs added' but didn't include a valid HTTPS PR link to netbirdio/docs (e.g., https://github.com/netbirdio/docs/pull/1234)."
-            exit 1
-          fi
-
-          pr_number="$(printf '%s' "$url" | sed -E 's#.*/pull/([0-9]+)$#\1#')"
-          {
-            echo "url=$url"
-            echo "pr_number=$pr_number"
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Verify docs PR exists (and is open or merged)
-        if: steps.validate.outputs.mode == 'added'
-        uses: actions/github-script@v7
-        id: verify
-        with:
-          pr_number: ${{ steps.extract.outputs.pr_number }}
-          script: |
-            const prNumber = parseInt(core.getInput('pr_number'), 10);
-            const { data } = await github.rest.pulls.get({
-              owner: 'netbirdio',
-              repo: 'docs',
-              pull_number: prNumber
-            });
-
-            // Allow open or merged PRs
-            const ok = data.state === 'open' || data.merged === true;
-            core.setOutput('state', data.state);
-            core.setOutput('merged', String(!!data.merged));
-            if (!ok) {
-              core.setFailed(`Docs PR #${prNumber} exists but is neither open nor merged (state=${data.state}, merged=${data.merged}).`);
-            }
-          result-encoding: string
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: All good
-        run: echo "Documentation requirement satisfied ✅"

.github/workflows/forum.yml

@@ -1,18 +0,0 @@
-name: Post release topic on Discourse
-
-on:
-  release:
-    types: [published]
-
-jobs:
-  post:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: roots/discourse-topic-github-release-action@main
-        with:
-          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
-          discourse-base-url: https://forum.netbird.io
-          discourse-author-username: NetBird
-          discourse-category: 17
-          discourse-tags:
-            releases

.github/workflows/golang-test-freebsd.yml

@@ -25,7 +25,8 @@ jobs:
           release: "14.2"
           prepare: |
             pkg install -y curl pkgconf xorg
-            GO_TARBALL="go1.23.12.freebsd-amd64.tar.gz"
+            LATEST_VERSION=$(curl -s https://go.dev/VERSION?m=text|head -n 1)
+            GO_TARBALL="$LATEST_VERSION.freebsd-amd64.tar.gz"
             GO_URL="https://go.dev/dl/$GO_TARBALL"
             curl -vLO "$GO_URL"
             tar -C /usr/local -vxzf "$GO_TARBALL"            

.github/workflows/golang-test-linux.yml

@@ -217,7 +217,7 @@ jobs:
           - arch: "386"
             raceFlag: ""
           - arch: "amd64"
-            raceFlag: "-race"
+            raceFlag: ""
     runs-on: ubuntu-22.04
     steps:
       - name: Install Go
@@ -382,32 +382,6 @@ jobs:
         store: [ 'sqlite', 'postgres' ]
     runs-on: ubuntu-22.04
     steps:
-      - name: Create Docker network
-        run: docker network create promnet
-
-      - name: Start Prometheus Pushgateway
-        run: docker run -d --name pushgateway --network promnet -p 9091:9091 prom/pushgateway
-
-      - name: Start Prometheus (for Pushgateway forwarding)
-        run: |
-          echo '
-          global:
-            scrape_interval: 15s
-          scrape_configs:
-            - job_name: "pushgateway"
-              static_configs:
-                - targets: ["pushgateway:9091"]
-          remote_write:
-            - url: ${{ secrets.GRAFANA_URL }}
-              basic_auth:
-                username: ${{ secrets.GRAFANA_USER }}
-                password: ${{ secrets.GRAFANA_API_KEY }}
-          ' > prometheus.yml
-
-          docker run -d --name prometheus --network promnet \
-            -v $PWD/prometheus.yml:/etc/prometheus/prometheus.yml \
-            -p 9090:9090 \
-            prom/prometheus
       - name: Install Go
         uses: actions/setup-go@v5
         with:
@@ -454,10 +428,9 @@ jobs:
           CGO_ENABLED=1 GOARCH=${{ matrix.arch }} \
           NETBIRD_STORE_ENGINE=${{ matrix.store }} \
           CI=true \
-          GIT_BRANCH=${{ github.ref_name }} \
           go test -tags devcert -run=^$ -bench=. \
-          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-          -timeout 20m ./management/... ./shared/management/... $(go list ./management/... ./shared/management/... | grep -v -e /management/server/http)
+          -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
+          -timeout 20m ./management/... ./shared/management/...
 
   api_benchmark:
     name: "Management / Benchmark (API)"
@@ -548,7 +521,7 @@ jobs:
             -run=^$ \
             -bench=. \
             -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE,GIT_BRANCH,GITHUB_RUN_ID' \
-            -timeout 20m ./management/server/http/...
+            -timeout 20m ./management/... ./shared/management/...
 
   api_integration_test:
     name: "Management / Integration"
@@ -598,4 +571,4 @@ jobs:
           CI=true \
           go test -tags=integration \
           -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' \
-          -timeout 20m ./management/server/http/...
+          -timeout 20m ./management/... ./shared/management/...

.github/workflows/golang-test-windows.yml

@@ -63,7 +63,7 @@ jobs:
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=${{ env.cache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=${{ env.modcache }}
       - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe mod tidy
-      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' } | Where-Object { $_ -notmatch '/relay' } | Where-Object { $_ -notmatch '/signal' })" >> $env:GITHUB_ENV
+      - run: echo "files=$(go list ./... | ForEach-Object { $_ } | Where-Object { $_ -notmatch '/management' })" >> $env:GITHUB_ENV
 
       - name: test
         run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -tags=devcert -timeout 10m -p 1 ${{ env.files }} > test-out.txt 2>&1"

.github/workflows/golangci-lint.yml

@@ -19,7 +19,7 @@ jobs:
       - name: codespell
         uses: codespell-project/actions-codespell@v2
         with:
-          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe,cros
+          ignore_words_list: erro,clienta,hastable,iif,groupd,testin,groupe
           skip: go.mod,go.sum
   golangci:
     strategy:

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.0.23"
+  SIGN_PIPE_VER: "v0.0.21"
   GORELEASER_VER: "v2.3.2"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"
@@ -79,8 +79,6 @@ jobs:
         run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
       - name: Generate windows syso amd64
         run: goversioninfo  -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_amd64.syso
-      - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/manifest.xml -product-name ${{ env.PRODUCT_NAME }} -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/resources_windows_arm64.syso
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
         with:
@@ -156,20 +154,10 @@ jobs:
 
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y -q libappindicator3-dev gir1.2-appindicator3-0.1 libxxf86vm-dev gcc-mingw-w64-x86-64
-
-      - name: Install LLVM-MinGW for ARM64 cross-compilation
-        run: |
-          cd /tmp
-          wget -q https://github.com/mstorsjo/llvm-mingw/releases/download/20250709/llvm-mingw-20250709-ucrt-ubuntu-22.04-x86_64.tar.xz
-          echo "60cafae6474c7411174cff1d4ba21a8e46cadbaeb05a1bace306add301628337  llvm-mingw-20250709-ucrt-ubuntu-22.04-x86_64.tar.xz" | sha256sum -c
-          tar -xf llvm-mingw-20250709-ucrt-ubuntu-22.04-x86_64.tar.xz
-          echo "/tmp/llvm-mingw-20250709-ucrt-ubuntu-22.04-x86_64/bin" >> $GITHUB_PATH
       - name: Install goversioninfo
         run: go install github.com/josephspurrier/goversioninfo/cmd/goversioninfo@233067e
       - name: Generate windows syso amd64
         run: goversioninfo -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_amd64.syso
-      - name: Generate windows syso arm64
-        run: goversioninfo -arm -64 -icon client/ui/assets/netbird.ico -manifest client/ui/manifest.xml -product-name ${{ env.PRODUCT_NAME }}-"UI" -copyright "${{ env.COPYRIGHT }}" -ver-major ${{ steps.semver_parser.outputs.major }} -ver-minor ${{ steps.semver_parser.outputs.minor }} -ver-patch ${{ steps.semver_parser.outputs.patch }} -ver-build 0 -file-version ${{ steps.semver_parser.outputs.fullversion }}.0 -product-version ${{ steps.semver_parser.outputs.fullversion }}.0 -o client/ui/resources_windows_arm64.syso
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4
@@ -243,3 +231,17 @@ jobs:
           ref: ${{ env.SIGN_PIPE_VER }}
           token: ${{ secrets.SIGN_GITHUB_TOKEN }}
           inputs: '{ "tag": "${{ github.ref }}", "skipRelease": false }'
+
+  post_on_forum:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    needs: [trigger_signer]
+    steps:
+      - uses: Codixer/discourse-topic-github-release-action@v2.0.1
+        with:
+          discourse-api-key: ${{ secrets.DISCOURSE_RELEASES_API_KEY }}
+          discourse-base-url: https://forum.netbird.io
+          discourse-author-username: NetBird
+          discourse-category: 17
+          discourse-tags:
+            releases          

.github/workflows/test-infrastructure-files.yml

@@ -83,15 +83,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
-      - name: Setup MySQL privileges
-        if: matrix.store == 'mysql'
-        run: |
-          sleep 10
-          mysql -h 127.0.0.1 -u root -pmysqlroot -e "
-            GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'netbird'@'%';
-            FLUSH PRIVILEGES;
-          "
-
       - name: cp setup.env
         run: cp infrastructure_files/tests/setup.env infrastructure_files/
 

.github/workflows/wasm-build-validation.yml

@@ -1,67 +0,0 @@
-name: Wasm
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
-jobs:
-  js_lint:
-    name: "JS / Lint"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
-      - name: Install golangci-lint
-        uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc
-        with:
-          version: latest
-          install-mode: binary
-          skip-cache: true
-          skip-pkg-cache: true
-          skip-build-cache: true
-      - name: Run golangci-lint for WASM
-        run: |
-          GOOS=js GOARCH=wasm golangci-lint run --timeout=12m --out-format colored-line-number ./client/...
-        continue-on-error: true
-
-  js_build:
-    name: "JS / Build"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install Go
-        uses: actions/setup-go@v5
-        with:
-          go-version: "1.23.x"
-      - name: Build Wasm client
-        run: GOOS=js GOARCH=wasm go build -o netbird.wasm ./client/wasm/cmd
-        env:
-          CGO_ENABLED: 0
-      - name: Check Wasm build size
-        run: |
-          echo "Wasm build size:"
-          ls -lh netbird.wasm
-
-          SIZE=$(stat -c%s netbird.wasm)
-          SIZE_MB=$((SIZE / 1024 / 1024))
-
-          echo "Size: ${SIZE} bytes (${SIZE_MB} MB)"
-
-          if [ ${SIZE} -gt 52428800 ]; then
-            echo "Wasm binary size (${SIZE_MB}MB) exceeds 50MB limit!"
-            exit 1
-          fi
-

.goreleaser.yaml

@@ -2,18 +2,6 @@ version: 2
 
 project_name: netbird
 builds:
-  - id: netbird-wasm
-    dir: client/wasm/cmd
-    binary: netbird
-    env: [GOOS=js, GOARCH=wasm, CGO_ENABLED=0]
-    goos:
-      - js
-    goarch:
-      - wasm
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
   - id: netbird
     dir: client
     binary: netbird
@@ -28,6 +16,8 @@ builds:
       - arm64
       - 386
     ignore:
+      - goos: windows
+        goarch: arm64
       - goos: windows
         goarch: arm
       - goos: windows
@@ -127,11 +117,6 @@ archives:
   - builds:
       - netbird
       - netbird-static
-  - id: netbird-wasm
-    builds:
-      - netbird-wasm
-    name_template: "{{ .ProjectName }}_{{ .Version }}"
-    format: binary
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

.goreleaser_ui.yaml

@@ -15,7 +15,7 @@ builds:
       - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-ui-windows-amd64
+  - id: netbird-ui-windows
     dir: client/ui
     binary: netbird-ui
     env:
@@ -30,22 +30,6 @@ builds:
       - -H windowsgui
     mod_timestamp: "{{ .CommitTimestamp }}"
 
-  - id: netbird-ui-windows-arm64
-    dir: client/ui
-    binary: netbird-ui
-    env:
-      - CGO_ENABLED=1
-      - CC=aarch64-w64-mingw32-clang
-      - CXX=aarch64-w64-mingw32-clang++
-    goos:
-      - windows
-    goarch:
-      - arm64
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-      - -H windowsgui
-    mod_timestamp: "{{ .CommitTimestamp }}"
-
 archives:
   - id: linux-arch
     name_template: "{{ .ProjectName }}-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
@@ -54,8 +38,7 @@ archives:
   - id: windows-arch
     name_template: "{{ .ProjectName }}-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     builds:
-      - netbird-ui-windows-amd64
-      - netbird-ui-windows-arm64
+      - netbird-ui-windows
 
 nfpms:
   - maintainer: Netbird <dev@netbird.io>

README.md

@@ -1,4 +1,3 @@
-
 <div align="center">
 <br/>
   <br/>
@@ -53,7 +52,7 @@
 
 ### Open Source Network Security in a Single Platform
 
-https://github.com/user-attachments/assets/10cec749-bb56-4ab3-97af-4e38850108d2
+<img width="1188" alt="centralized-network-management 1" src="https://github.com/user-attachments/assets/c28cc8e4-15d2-4d2f-bb97-a6433db39d56" />
 
 ### NetBird on Lawrence Systems (Video)
 [![Watch the video](https://img.youtube.com/vi/Kwrff6h0rEw/0.jpg)](https://www.youtube.com/watch?v=Kwrff6h0rEw)

client/Dockerfile

@@ -18,7 +18,7 @@ ENV \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="5" \
-    NB_ENTRYPOINT_LOGIN_TIMEOUT="5"
+    NB_ENTRYPOINT_LOGIN_TIMEOUT="1"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]
 

client/android/client.go

@@ -4,8 +4,6 @@ package android
 
 import (
 	"context"
-	"os"
-	"slices"
 	"sync"
 
 	log "github.com/sirupsen/logrus"
@@ -19,7 +17,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/client/net"
+	"github.com/netbirdio/netbird/util/net"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -84,8 +82,7 @@ func NewClient(cfgFile string, androidSDKVersion int, deviceName string, uiVersi
 }
 
 // Run start the internal client. It is a blocker function
-func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
-	exportEnvList(envList)
+func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsReadyListener) error {
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -115,13 +112,12 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
 // In this case make no sense handle registration steps.
-func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener, envList *EnvList) error {
-	exportEnvList(envList)
+func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener) error {
 	cfg, err := profilemanager.UpdateOrCreateConfig(profilemanager.ConfigInput{
 		ConfigPath: c.cfgFile,
 	})
@@ -142,7 +138,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, slices.Clone(dns.items), dnsReadyListener)
+	return c.connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // Stop the internal client and free the resources
@@ -239,7 +235,7 @@ func (c *Client) OnUpdatedHostDNS(list *DNSList) error {
 		return err
 	}
 
-	dnsServer.OnUpdatedHostDNSServer(slices.Clone(list.items))
+	dnsServer.OnUpdatedHostDNSServer(list.items)
 	return nil
 }
 
@@ -252,14 +248,3 @@ func (c *Client) SetConnectionListener(listener ConnectionListener) {
 func (c *Client) RemoveConnectionListener() {
 	c.recorder.RemoveConnectionListener()
 }
-
-func exportEnvList(list *EnvList) {
-	if list == nil {
-		return
-	}
-	for k, v := range list.AllItems() {
-		if err := os.Setenv(k, v); err != nil {
-			log.Errorf("could not set env variable %s: %v", k, err)
-		}
-	}
-}

client/android/dns_list.go

@@ -1,34 +1,23 @@
 package android
 
-import (
-	"fmt"
-	"net/netip"
+import "fmt"
 
-	"github.com/netbirdio/netbird/client/internal/dns"
-)
-
-// DNSList is a wrapper of []netip.AddrPort with default DNS port
+// DNSList is a wrapper of []string
 type DNSList struct {
-	items []netip.AddrPort
+	items []string
 }
 
-// Add new DNS address to the collection, returns error if invalid
-func (array *DNSList) Add(s string) error {
-	addr, err := netip.ParseAddr(s)
-	if err != nil {
-		return fmt.Errorf("invalid DNS address: %s", s)
-	}
-	addrPort := netip.AddrPortFrom(addr.Unmap(), dns.DefaultPort)
-	array.items = append(array.items, addrPort)
-	return nil
+// Add new DNS address to the collection
+func (array *DNSList) Add(s string) {
+	array.items = append(array.items, s)
 }
 
-// Get return an element of the collection as string
+// Get return an element of the collection
 func (array *DNSList) Get(i int) (string, error) {
 	if i >= len(array.items) || i < 0 {
 		return "", fmt.Errorf("out of range")
 	}
-	return array.items[i].Addr().String(), nil
+	return array.items[i], nil
 }
 
 // Size return with the size of the collection

client/android/dns_list_test.go

@@ -3,30 +3,20 @@ package android
 import "testing"
 
 func TestDNSList_Get(t *testing.T) {
-	l := DNSList{}
-
-	// Add a valid DNS address
-	err := l.Add("8.8.8.8")
-	if err != nil {
-		t.Errorf("unexpected error: %s", err)
+	l := DNSList{
+		items: make([]string, 1),
 	}
 
-	// Test getting valid index
-	addr, err := l.Get(0)
+	_, err := l.Get(0)
 	if err != nil {
 		t.Errorf("invalid error: %s", err)
 	}
-	if addr != "8.8.8.8" {
-		t.Errorf("expected 8.8.8.8, got %s", addr)
-	}
 
-	// Test negative index
 	_, err = l.Get(-1)
 	if err == nil {
 		t.Errorf("expected error but got nil")
 	}
 
-	// Test out of bounds index
 	_, err = l.Get(1)
 	if err == nil {
 		t.Errorf("expected error but got nil")

client/android/env_list.go

@@ -1,32 +0,0 @@
-package android
-
-import "github.com/netbirdio/netbird/client/internal/peer"
-
-var (
-	// EnvKeyNBForceRelay Exported for Android java client
-	EnvKeyNBForceRelay = peer.EnvKeyNBForceRelay
-)
-
-// EnvList wraps a Go map for export to Java
-type EnvList struct {
-	data map[string]string
-}
-
-// NewEnvList creates a new EnvList
-func NewEnvList() *EnvList {
-	return &EnvList{data: make(map[string]string)}
-}
-
-// Put adds a key-value pair
-func (el *EnvList) Put(key, value string) {
-	el.data[key] = value
-}
-
-// Get retrieves a value by key
-func (el *EnvList) Get(key string) string {
-	return el.data[key]
-}
-
-func (el *EnvList) AllItems() map[string]string {
-	return el.data
-}

client/android/login.go

@@ -33,7 +33,6 @@ type ErrListener interface {
 // the backend want to show an url for the user
 type URLOpener interface {
 	Open(string)
-	OnLoginSuccess()
 }
 
 // Auth can register or login new client
@@ -182,11 +181,6 @@ func (a *Auth) login(urlOpener URLOpener) error {
 
 	err = a.withBackOff(a.ctx, func() error {
 		err := internal.Login(a.ctx, a.config, "", jwtToken)
-
-		if err == nil {
-			go urlOpener.OnLoginSuccess()
-		}
-
 		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
 			return nil
 		}

client/cmd/debug.go

@@ -33,7 +33,7 @@ var (
 var debugCmd = &cobra.Command{
 	Use:   "debug",
 	Short: "Debugging commands",
-	Long:  "Commands for debugging and logging within the NetBird daemon.",
+	Long:  "Provides commands for debugging and logging control within the NetBird daemon.",
 }
 
 var debugBundleCmd = &cobra.Command{

client/cmd/debug_js.go

@@ -1,8 +0,0 @@
-package cmd
-
-import "context"
-
-// SetupDebugHandler is a no-op for WASM
-func SetupDebugHandler(context.Context, interface{}, interface{}, interface{}, string) {
-	// Debug handler not needed for WASM
-}

client/cmd/down.go

@@ -14,8 +14,7 @@ import (
 
 var downCmd = &cobra.Command{
 	Use:   "down",
-	Short: "Disconnect from the NetBird network",
-	Long:  "Disconnect the NetBird client from the network and management service. This will terminate all active connections with the remote peers.",
+	Short: "down netbird connections",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 
@@ -27,7 +26,7 @@ var downCmd = &cobra.Command{
 			return err
 		}
 
-		ctx, cancel := context.WithTimeout(context.Background(), time.Second*20)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
 		defer cancel()
 
 		conn, err := DialClientGRPCServer(ctx, daemonAddr)

client/cmd/login.go

@@ -31,8 +31,7 @@ func init() {
 
 var loginCmd = &cobra.Command{
 	Use:   "login",
-	Short: "Log in to the NetBird network",
-	Long:  "Log in to the NetBird network using a setup key or SSO",
+	Short: "login to the NetBird Management Service (first run)",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := setEnvAndFlags(cmd); err != nil {
 			return fmt.Errorf("set env and flags: %v", err)
@@ -227,7 +226,7 @@ func doForegroundLogin(ctx context.Context, cmd *cobra.Command, setupKey string,
 	}
 
 	// update host's static platform and system information
-	system.UpdateStaticInfoAsync()
+	system.UpdateStaticInfo()
 
 	configFilePath, err := activeProf.FilePath()
 	if err != nil {

client/cmd/logout.go

@@ -12,16 +12,14 @@ import (
 )
 
 var logoutCmd = &cobra.Command{
-	Use:     "deregister",
-	Aliases: []string{"logout"},
-	Short:   "Deregister from the NetBird management service and delete this peer",
-	Long:    "This command will deregister the current peer from the NetBird management service and all associated configuration. Use with caution as this will remove the peer from the network.",
+	Use:   "logout",
+	Short: "logout from the NetBird Management Service and delete peer",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 
 		cmd.SetOut(cmd.OutOrStdout())
 
-		ctx, cancel := context.WithTimeout(cmd.Context(), time.Second*15)
+		ctx, cancel := context.WithTimeout(context.Background(), time.Second*7)
 		defer cancel()
 
 		conn, err := DialClientGRPCServer(ctx, daemonAddr)
@@ -46,10 +44,10 @@ var logoutCmd = &cobra.Command{
 		}
 
 		if _, err := daemonClient.Logout(ctx, req); err != nil {
-			return fmt.Errorf("deregister: %v", err)
+			return fmt.Errorf("logout: %v", err)
 		}
 
-		cmd.Println("Deregistered successfully")
+		cmd.Println("Logged out successfully")
 		return nil
 	},
 }

client/cmd/networks.go

@@ -15,7 +15,7 @@ var appendFlag bool
 var networksCMD = &cobra.Command{
 	Use:     "networks",
 	Aliases: []string{"routes"},
-	Short:   "Manage connections to NetBird Networks and Resources",
+	Short:   "Manage networks",
 	Long:    `Commands to list, select, or deselect networks. Replaces the "routes" command.`,
 }
 

client/cmd/profile.go

@@ -16,13 +16,13 @@ import (
 
 var profileCmd = &cobra.Command{
 	Use:   "profile",
-	Short: "Manage NetBird client profiles",
-	Long:  `Commands to list, add, remove, and switch profiles. Profiles allow you to maintain different accounts in one client app.`,
+	Short: "manage NetBird profiles",
+	Long:  `Manage NetBird profiles, allowing you to list, switch, and remove profiles.`,
 }
 
 var profileListCmd = &cobra.Command{
 	Use:     "list",
-	Short:   "List all profiles",
+	Short:   "list all profiles",
 	Long:    `List all available profiles in the NetBird client.`,
 	Aliases: []string{"ls"},
 	RunE:    listProfilesFunc,
@@ -30,7 +30,7 @@ var profileListCmd = &cobra.Command{
 
 var profileAddCmd = &cobra.Command{
 	Use:   "add <profile_name>",
-	Short: "Add a new profile",
+	Short: "add a new profile",
 	Long:  `Add a new profile to the NetBird client. The profile name must be unique.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  addProfileFunc,
@@ -38,16 +38,16 @@ var profileAddCmd = &cobra.Command{
 
 var profileRemoveCmd = &cobra.Command{
 	Use:   "remove <profile_name>",
-	Short: "Remove a profile",
-	Long:  `Remove a profile from the NetBird client. The profile must not be inactive.`,
+	Short: "remove a profile",
+	Long:  `Remove a profile from the NetBird client. The profile must not be active.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  removeProfileFunc,
 }
 
 var profileSelectCmd = &cobra.Command{
 	Use:   "select <profile_name>",
-	Short: "Select a profile",
-	Long:  `Make the specified profile active. This will switch the client to use the selected profile's configuration.`,
+	Short: "select a profile",
+	Long:  `Select a profile to be the active profile in the NetBird client. The profile must exist.`,
 	Args:  cobra.ExactArgs(1),
 	RunE:  selectProfileFunc,
 }

client/cmd/root.go

@@ -39,7 +39,6 @@ const (
 	extraIFaceBlackListFlag  = "extra-iface-blacklist"
 	dnsRouteIntervalFlag     = "dns-router-interval"
 	enableLazyConnectionFlag = "enable-lazy-connection"
-	mtuFlag                  = "mtu"
 )
 
 var (
@@ -73,9 +72,7 @@ var (
 	anonymizeFlag           bool
 	dnsRouteInterval        time.Duration
 	lazyConnEnabled         bool
-	mtu                     uint16
 	profilesDisabled        bool
-	updateSettingsDisabled  bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",
@@ -231,7 +228,7 @@ func FlagNameToEnvVar(cmdFlag string, prefix string) string {
 
 // DialClientGRPCServer returns client connection to the daemon server.
 func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
-	ctx, cancel := context.WithTimeout(ctx, time.Second*10)
+	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
 	defer cancel()
 
 	return grpc.DialContext(

client/cmd/root_test.go

@@ -54,7 +54,6 @@ func TestSetFlagsFromEnvVars(t *testing.T) {
 	cmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	cmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "Enable Rosenpass feature Rosenpass.")
 	cmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
-	cmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 
 	t.Setenv("NB_EXTERNAL_IP_MAP", "abc,dec")
 	t.Setenv("NB_INTERFACE_NAME", "test-name")

client/cmd/service.go

@@ -19,7 +19,7 @@ import (
 
 var serviceCmd = &cobra.Command{
 	Use:   "service",
-	Short: "Manage the NetBird daemon service",
+	Short: "manages NetBird service",
 }
 
 var (
@@ -42,13 +42,12 @@ func init() {
 	}
 
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd)
-	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
-	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
+	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile.")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +
 		`You can specify a comma-separated list of KEY=VALUE pairs. ` +
-		`E.g. --service-env NB_LOG_LEVEL=debug,CUSTOM_VAR=value`
+		`E.g. --service-env LOG_LEVEL=debug,CUSTOM_VAR=value`
 
 	installCmd.Flags().StringSliceVar(&serviceEnvVars, "service-env", nil, serviceEnvDesc)
 	reconfigureCmd.Flags().StringSliceVar(&serviceEnvVars, "service-env", nil, serviceEnvDesc)

client/cmd/service_controller.go

@@ -27,7 +27,7 @@ func (p *program) Start(svc service.Service) error {
 	log.Info("starting NetBird service") //nolint
 
 	// Collect static system and platform information
-	system.UpdateStaticInfoAsync()
+	system.UpdateStaticInfo()
 
 	// in any case, even if configuration does not exists we run daemon to serve CLI gRPC API.
 	p.serv = grpc.NewServer()
@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -49,14 +49,6 @@ func buildServiceArguments() []string {
 		args = append(args, "--log-file", logFile)
 	}
 
-	if profilesDisabled {
-		args = append(args, "--disable-profiles")
-	}
-
-	if updateSettingsDisabled {
-		args = append(args, "--disable-update-settings")
-	}
-
 	return args
 }
 
@@ -107,7 +99,7 @@ func createServiceConfigForInstall() (*service.Config, error) {
 
 var installCmd = &cobra.Command{
 	Use:   "install",
-	Short: "Install NetBird service",
+	Short: "installs NetBird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		if err := setupServiceCommand(cmd); err != nil {
 			return err

client/cmd/ssh.go

@@ -40,7 +40,7 @@ var sshCmd = &cobra.Command{
 
 		return nil
 	},
-	Short: "Connect to a remote SSH server",
+	Short: "connect to a remote SSH server",
 	RunE: func(cmd *cobra.Command, args []string) error {
 		SetFlagsFromEnvVars(rootCmd)
 		SetFlagsFromEnvVars(cmd)
@@ -59,8 +59,8 @@ var sshCmd = &cobra.Command{
 
 		ctx := internal.CtxInitState(cmd.Context())
 
-		sm := profilemanager.NewServiceManager(configPath)
-		activeProf, err := sm.GetActiveProfileState()
+		pm := profilemanager.NewProfileManager()
+		activeProf, err := pm.GetActiveProfile()
 		if err != nil {
 			return fmt.Errorf("get active profile: %v", err)
 		}

client/cmd/status.go

@@ -32,8 +32,7 @@ var (
 
 var statusCmd = &cobra.Command{
 	Use:   "status",
-	Short: "Display NetBird client status",
-	Long:  "Display the current status of the NetBird client, including connection status, peer information, and network details.",
+	Short: "status of the Netbird Service",
 	RunE:  statusFunc,
 }
 

client/cmd/testutil_test.go

@@ -9,33 +9,32 @@ import (
 	"github.com/golang/mock/gomock"
 	"github.com/stretchr/testify/require"
 	"go.opentelemetry.io/otel"
+
+	"github.com/netbirdio/netbird/management/server/activity"
+	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
+	"github.com/netbirdio/netbird/management/server/permissions"
+	"github.com/netbirdio/netbird/management/server/settings"
+	"github.com/netbirdio/netbird/management/server/store"
+	"github.com/netbirdio/netbird/management/server/telemetry"
+	"github.com/netbirdio/netbird/management/server/types"
+
+	"github.com/netbirdio/netbird/util"
+
 	"google.golang.org/grpc"
 
 	"github.com/netbirdio/management-integrations/integrations"
 
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
-	"github.com/netbirdio/netbird/management/internals/server/config"
-	mgmt "github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/management/server/groups"
-	"github.com/netbirdio/netbird/management/server/integrations/port_forwarding"
-	"github.com/netbirdio/netbird/management/server/peers"
-	"github.com/netbirdio/netbird/management/server/peers/ephemeral/manager"
-	"github.com/netbirdio/netbird/management/server/permissions"
-	"github.com/netbirdio/netbird/management/server/settings"
-	"github.com/netbirdio/netbird/management/server/store"
-	"github.com/netbirdio/netbird/management/server/telemetry"
-	"github.com/netbirdio/netbird/management/server/types"
 	mgmtProto "github.com/netbirdio/netbird/shared/management/proto"
+	mgmt "github.com/netbirdio/netbird/management/server"
 	sigProto "github.com/netbirdio/netbird/shared/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
-	"github.com/netbirdio/netbird/util"
 )
 
 func startTestingServices(t *testing.T) string {
 	t.Helper()
-	config := &config.Config{}
+	config := &types.Config{}
 	_, err := util.ReadJson("../testdata/management.json", config)
 	if err != nil {
 		t.Fatal(err)
@@ -70,7 +69,7 @@ func startSignal(t *testing.T) (*grpc.Server, net.Listener) {
 	return s, lis
 }
 
-func startManagement(t *testing.T, config *config.Config, testFile string) (*grpc.Server, net.Listener) {
+func startManagement(t *testing.T, config *types.Config, testFile string) (*grpc.Server, net.Listener) {
 	t.Helper()
 
 	lis, err := net.Listen("tcp", ":0")
@@ -89,21 +88,15 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 	if err != nil {
 		return nil, nil
 	}
-
-	ctrl := gomock.NewController(t)
-	t.Cleanup(ctrl.Finish)
-
-	permissionsManagerMock := permissions.NewMockManager(ctrl)
-	peersmanager := peers.NewManager(store, permissionsManagerMock)
-	settingsManagerMock := settings.NewMockManager(ctrl)
-
-	iv, _ := integrations.NewIntegratedValidator(context.Background(), peersmanager, settingsManagerMock, eventStore)
+	iv, _ := integrations.NewIntegratedValidator(context.Background(), eventStore)
 
 	metrics, err := telemetry.NewDefaultAppMetrics(context.Background())
 	require.NoError(t, err)
+	ctrl := gomock.NewController(t)
+	t.Cleanup(ctrl.Finish)
 
 	settingsMockManager := settings.NewMockManager(ctrl)
-	groupsManager := groups.NewManagerMock()
+	permissionsManagerMock := permissions.NewMockManager(ctrl)
 
 	settingsMockManager.EXPECT().
 		GetSettings(gomock.Any(), gomock.Any(), gomock.Any()).
@@ -115,8 +108,8 @@ func startManagement(t *testing.T, config *config.Config, testFile string) (*grp
 		t.Fatal(err)
 	}
 
-	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager, groupsManager)
-	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, &manager.EphemeralManager{}, nil, &mgmt.MockIntegratedValidator{})
+	secretsManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig, config.Relay, settingsMockManager)
+	mgmtServer, err := mgmt.NewServer(context.Background(), config, accountManager, settingsMockManager, peersUpdateManager, secretsManager, nil, nil, nil, &mgmt.MockIntegratedValidator{})
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -141,7 +134,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false)
+		"", "", false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/cmd/up.go

@@ -53,8 +53,7 @@ var (
 
 	upCmd = &cobra.Command{
 		Use:   "up",
-		Short: "Connect to the NetBird network",
-		Long:  "Connect to the NetBird network using the provided setup key or SSO auth. This command will bring up the WireGuard interface, connect to the management server, and establish peer-to-peer connections with other peers in the network if required.",
+		Short: "install, login and start NetBird client",
 		RunE:  upFunc,
 	}
 )
@@ -63,7 +62,6 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "WireGuard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "WireGuard interface listening port")
-	upCmd.PersistentFlags().Uint16Var(&mtu, mtuFlag, iface.DefaultMTU, "Set MTU (Maximum Transmission Unit) for the WireGuard interface")
 	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", networkMonitor,
 		`Manage network monitoring. Defaults to true on Windows and macOS, false on Linux and FreeBSD. `+
 			`E.g. --network-monitor=false to disable or --network-monitor=true to enable.`,
@@ -230,9 +228,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command, pm *profilemanager
 
 	client := proto.NewDaemonServiceClient(conn)
 
-	status, err := client.Status(ctx, &proto.StatusRequest{
-		WaitForReady: func() *bool { b := true; return &b }(),
-	})
+	status, err := client.Status(ctx, &proto.StatusRequest{})
 	if err != nil {
 		return fmt.Errorf("unable to get daemon status: %v", err)
 	}
@@ -360,11 +356,6 @@ func setupSetConfigReq(customDNSAddressConverted []byte, cmd *cobra.Command, pro
 		req.WireguardPort = &p
 	}
 
-	if cmd.Flag(mtuFlag).Changed {
-		m := int64(mtu)
-		req.Mtu = &m
-	}
-
 	if cmd.Flag(networkMonitorFlag).Changed {
 		req.NetworkMonitor = &networkMonitor
 	}
@@ -444,13 +435,6 @@ func setupConfig(customDNSAddressConverted []byte, cmd *cobra.Command, configFil
 		ic.WireguardPort = &p
 	}
 
-	if cmd.Flag(mtuFlag).Changed {
-		if err := iface.ValidateMTU(mtu); err != nil {
-			return nil, err
-		}
-		ic.MTU = &mtu
-	}
-
 	if cmd.Flag(networkMonitorFlag).Changed {
 		ic.NetworkMonitor = &networkMonitor
 	}
@@ -548,14 +532,6 @@ func setupLoginRequest(providedSetupKey string, customDNSAddressConverted []byte
 		loginRequest.WireguardPort = &wp
 	}
 
-	if cmd.Flag(mtuFlag).Changed {
-		if err := iface.ValidateMTU(mtu); err != nil {
-			return nil, err
-		}
-		m := int64(mtu)
-		loginRequest.Mtu = &m
-	}
-
 	if cmd.Flag(networkMonitorFlag).Changed {
 		loginRequest.NetworkMonitor = &networkMonitor
 	}

client/cmd/version.go

@@ -9,7 +9,7 @@ import (
 var (
 	versionCmd = &cobra.Command{
 		Use:   "version",
-		Short: "Print the NetBird's client application version",
+		Short: "prints NetBird version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
 			cmd.Println(version.NetbirdVersion())

client/embed/embed.go

@@ -23,29 +23,23 @@ import (
 
 var ErrClientAlreadyStarted = errors.New("client already started")
 var ErrClientNotStarted = errors.New("client not started")
-var ErrConfigNotInitialized = errors.New("config not initialized")
 
-// Client manages a netbird embedded client instance.
+// Client manages a netbird embedded client instance
 type Client struct {
 	deviceName string
 	config     *profilemanager.Config
 	mu         sync.Mutex
 	cancel     context.CancelFunc
 	setupKey   string
-	jwtToken   string
 	connect    *internal.ConnectClient
 }
 
-// Options configures a new Client.
+// Options configures a new Client
 type Options struct {
 	// DeviceName is this peer's name in the network
 	DeviceName string
 	// SetupKey is used for authentication
 	SetupKey string
-	// JWTToken is used for JWT-based authentication
-	JWTToken string
-	// PrivateKey is used for direct private key authentication
-	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
 	// PreSharedKey is the pre-shared key for the WireGuard interface
@@ -64,35 +58,8 @@ type Options struct {
 	DisableClientRoutes bool
 }
 
-// validateCredentials checks that exactly one credential type is provided
-func (opts *Options) validateCredentials() error {
-	credentialsProvided := 0
-	if opts.SetupKey != "" {
-		credentialsProvided++
-	}
-	if opts.JWTToken != "" {
-		credentialsProvided++
-	}
-	if opts.PrivateKey != "" {
-		credentialsProvided++
-	}
-
-	if credentialsProvided == 0 {
-		return fmt.Errorf("one of SetupKey, JWTToken, or PrivateKey must be provided")
-	}
-	if credentialsProvided > 1 {
-		return fmt.Errorf("only one of SetupKey, JWTToken, or PrivateKey can be specified")
-	}
-
-	return nil
-}
-
-// New creates a new netbird embedded client.
+// New creates a new netbird embedded client
 func New(opts Options) (*Client, error) {
-	if err := opts.validateCredentials(); err != nil {
-		return nil, err
-	}
-
 	if opts.LogOutput != nil {
 		logrus.SetOutput(opts.LogOutput)
 	}
@@ -140,14 +107,9 @@ func New(opts Options) (*Client, error) {
 		return nil, fmt.Errorf("create config: %w", err)
 	}
 
-	if opts.PrivateKey != "" {
-		config.PrivateKey = opts.PrivateKey
-	}
-
 	return &Client{
 		deviceName: opts.DeviceName,
 		setupKey:   opts.SetupKey,
-		jwtToken:   opts.JWTToken,
 		config:     config,
 	}, nil
 }
@@ -164,7 +126,7 @@ func (c *Client) Start(startCtx context.Context) error {
 	ctx := internal.CtxInitState(context.Background())
 	// nolint:staticcheck
 	ctx = context.WithValue(ctx, system.DeviceNameCtxKey, c.deviceName)
-	if err := internal.Login(ctx, c.config, c.setupKey, c.jwtToken); err != nil {
+	if err := internal.Login(ctx, c.config, c.setupKey, ""); err != nil {
 		return fmt.Errorf("login: %w", err)
 	}
 
@@ -173,7 +135,7 @@ func (c *Client) Start(startCtx context.Context) error {
 
 	// either startup error (permanent backoff err) or nil err (successful engine up)
 	// TODO: make after-startup backoff err available
-	run := make(chan struct{})
+	run := make(chan struct{}, 1)
 	clientErr := make(chan error, 1)
 	go func() {
 		if err := client.Run(run); err != nil {
@@ -225,16 +187,6 @@ func (c *Client) Stop(ctx context.Context) error {
 	}
 }
 
-// GetConfig returns a copy of the internal client config.
-func (c *Client) GetConfig() (profilemanager.Config, error) {
-	c.mu.Lock()
-	defer c.mu.Unlock()
-	if c.config == nil {
-		return profilemanager.Config{}, ErrConfigNotInitialized
-	}
-	return *c.config, nil
-}
-
 // Dial dials a network address in the netbird network.
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, error) {
@@ -259,7 +211,7 @@ func (c *Client) Dial(ctx context.Context, network, address string) (net.Conn, e
 	return nsnet.DialContext(ctx, network, address)
 }
 
-// ListenTCP listens on the given address in the netbird network.
+// ListenTCP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	nsnet, addr, err := c.getNet()
@@ -280,7 +232,7 @@ func (c *Client) ListenTCP(address string) (net.Listener, error) {
 	return nsnet.ListenTCP(tcpAddr)
 }
 
-// ListenUDP listens on the given address in the netbird network.
+// ListenUDP listens on the given address in the netbird network
 // Not applicable if the userspace networking mode is disabled.
 func (c *Client) ListenUDP(address string) (net.PacketConn, error) {
 	nsnet, addr, err := c.getNet()

client/firewall/iptables/acl_linux.go

@@ -12,7 +12,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
@@ -85,7 +85,7 @@ func (m *aclManager) AddPeerFiltering(
 ) ([]firewall.Rule, error) {
 	chain := chainNameInputRules
 
-	ipsetName = transformIPsetName(ipsetName, sPort, dPort, action)
+	ipsetName = transformIPsetName(ipsetName, sPort, dPort)
 	specs := filterRuleSpecs(ip, string(protocol), sPort, dPort, action, ipsetName)
 
 	mangleSpecs := slices.Clone(specs)
@@ -135,14 +135,7 @@ func (m *aclManager) AddPeerFiltering(
 		return nil, fmt.Errorf("rule already exists")
 	}
 
-	// Insert DROP rules at the beginning, append ACCEPT rules at the end
-	if action == firewall.ActionDrop {
-		// Insert at the beginning of the chain (position 1)
-		err = m.iptablesClient.Insert(tableFilter, chain, 1, specs...)
-	} else {
-		err = m.iptablesClient.Append(tableFilter, chain, specs...)
-	}
-	if err != nil {
+	if err := m.iptablesClient.Append(tableFilter, chain, specs...); err != nil {
 		return nil, err
 	}
 
@@ -395,25 +388,17 @@ func actionToStr(action firewall.Action) string {
 	return "DROP"
 }
 
-func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port, action firewall.Action) string {
-	if ipsetName == "" {
-		return ""
-	}
-
-	// Include action in the ipset name to prevent squashing rules with different actions
-	actionSuffix := ""
-	if action == firewall.ActionDrop {
-		actionSuffix = "-drop"
-	}
-
+func transformIPsetName(ipsetName string, sPort, dPort *firewall.Port) string {
 	switch {
+	case ipsetName == "":
+		return ""
 	case sPort != nil && dPort != nil:
-		return ipsetName + "-sport-dport" + actionSuffix
+		return ipsetName + "-sport-dport"
 	case sPort != nil:
-		return ipsetName + "-sport" + actionSuffix
+		return ipsetName + "-sport"
 	case dPort != nil:
-		return ipsetName + "-dport" + actionSuffix
+		return ipsetName + "-dport"
 	default:
-		return ipsetName + actionSuffix
+		return ipsetName
 	}
 }

client/firewall/iptables/manager_linux_test.go

@@ -3,7 +3,6 @@ package iptables
 import (
 	"fmt"
 	"net/netip"
-	"strings"
 	"testing"
 	"time"
 
@@ -16,7 +15,7 @@ import (
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
-		return "wg-test"
+		return "lo"
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
@@ -110,84 +109,10 @@ func TestIptablesManager(t *testing.T) {
 	})
 }
 
-func TestIptablesManagerDenyRules(t *testing.T) {
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	require.NoError(t, err)
-
-	manager, err := Create(ifaceMock)
-	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
-
-	defer func() {
-		err := manager.Close(nil)
-		require.NoError(t, err)
-	}()
-
-	t.Run("add deny rule", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.3")
-		port := &fw.Port{Values: []uint16{22}}
-
-		rule, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-ssh")
-		require.NoError(t, err, "failed to add deny rule")
-		require.NotEmpty(t, rule, "deny rule should not be empty")
-
-		// Verify the rule was added by checking iptables
-		for _, r := range rule {
-			rr := r.(*Rule)
-			checkRuleSpecs(t, ipv4Client, rr.chain, true, rr.specs...)
-		}
-	})
-
-	t.Run("deny rule precedence test", func(t *testing.T) {
-		ip := netip.MustParseAddr("10.20.0.4")
-		port := &fw.Port{Values: []uint16{80}}
-
-		// Add accept rule first
-		_, err := manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionAccept, "accept-http")
-		require.NoError(t, err, "failed to add accept rule")
-
-		// Add deny rule second for same IP/port - this should take precedence
-		_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), "tcp", nil, port, fw.ActionDrop, "deny-http")
-		require.NoError(t, err, "failed to add deny rule")
-
-		// Inspect the actual iptables rules to verify deny rule comes before accept rule
-		rules, err := ipv4Client.List("filter", chainNameInputRules)
-		require.NoError(t, err, "failed to list iptables rules")
-
-		// Debug: print all rules
-		t.Logf("All iptables rules in chain %s:", chainNameInputRules)
-		for i, rule := range rules {
-			t.Logf("  [%d] %s", i, rule)
-		}
-
-		var denyRuleIndex, acceptRuleIndex int = -1, -1
-		for i, rule := range rules {
-			if strings.Contains(rule, "DROP") {
-				t.Logf("Found DROP rule at index %d: %s", i, rule)
-				if strings.Contains(rule, "deny-http") && strings.Contains(rule, "80") {
-					denyRuleIndex = i
-				}
-			}
-			if strings.Contains(rule, "ACCEPT") {
-				t.Logf("Found ACCEPT rule at index %d: %s", i, rule)
-				if strings.Contains(rule, "accept-http") && strings.Contains(rule, "80") {
-					acceptRuleIndex = i
-				}
-			}
-		}
-
-		require.NotEqual(t, -1, denyRuleIndex, "deny rule should exist in iptables")
-		require.NotEqual(t, -1, acceptRuleIndex, "accept rule should exist in iptables")
-		require.Less(t, denyRuleIndex, acceptRuleIndex,
-			"deny rule should come before accept rule in iptables chain (deny at index %d, accept at index %d)",
-			denyRuleIndex, acceptRuleIndex)
-	})
-}
-
 func TestIptablesManagerIPSet(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "wg-test"
+			return "lo"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{
@@ -251,7 +176,7 @@ func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, chainName strin
 func TestIptablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "wg-test"
+			return "lo"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{

client/firewall/iptables/router_linux.go

@@ -19,7 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 // constants needed to manage and create iptable rules

client/firewall/iptables/router_linux_test.go

@@ -14,7 +14,7 @@ import (
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/firewall/test"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 func isIptablesSupported() bool {

client/firewall/nftables/acl_linux.go

@@ -16,7 +16,7 @@ import (
 	"golang.org/x/sys/unix"
 
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
@@ -341,38 +341,30 @@ func (m *AclManager) addIOFiltering(
 	userData := []byte(ruleId)
 
 	chain := m.chainInputRules
-	rule := &nftables.Rule{
+	nftRule := m.rConn.AddRule(&nftables.Rule{
 		Table:    m.workTable,
 		Chain:    chain,
 		Exprs:    mainExpressions,
 		UserData: userData,
-	}
-
-	// Insert DROP rules at the beginning, append ACCEPT rules at the end
-	var nftRule *nftables.Rule
-	if action == firewall.ActionDrop {
-		nftRule = m.rConn.InsertRule(rule)
-	} else {
-		nftRule = m.rConn.AddRule(rule)
-	}
+	})
 
 	if err := m.rConn.Flush(); err != nil {
 		return nil, fmt.Errorf(flushError, err)
 	}
 
-	ruleStruct := &Rule{
+	rule := &Rule{
 		nftRule:    nftRule,
 		mangleRule: m.createPreroutingRule(expressions, userData),
 		nftSet:     ipset,
 		ruleID:     ruleId,
 		ip:         ip,
 	}
-	m.rules[ruleId] = ruleStruct
+	m.rules[ruleId] = rule
 	if ipset != nil {
 		m.ipsetStore.AddReferenceToIpset(ipset.Name)
 	}
 
-	return ruleStruct, nil
+	return rule, nil
 }
 
 func (m *AclManager) createPreroutingRule(expressions []expr.Any, userData []byte) *nftables.Rule {

client/firewall/nftables/manager_linux_test.go

@@ -2,7 +2,6 @@ package nftables
 
 import (
 	"bytes"
-	"encoding/binary"
 	"fmt"
 	"net/netip"
 	"os/exec"
@@ -21,7 +20,7 @@ import (
 
 var ifaceMock = &iFaceMock{
 	NameFunc: func() string {
-		return "wg-test"
+		return "lo"
 	},
 	AddressFunc: func() wgaddr.Address {
 		return wgaddr.Address{
@@ -104,8 +103,9 @@ func TestNftablesManager(t *testing.T) {
 			Kind: expr.VerdictAccept,
 		},
 	}
-	// Since DROP rules are inserted at position 0, the DROP rule comes first
-	expectedDropExprs := []expr.Any{
+	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedExprs1)
+
+	expectedExprs2 := []expr.Any{
 		&expr.Payload{
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
@@ -141,12 +141,7 @@ func TestNftablesManager(t *testing.T) {
 		},
 		&expr.Verdict{Kind: expr.VerdictDrop},
 	}
-
-	// Compare DROP rule at position 0 (inserted first due to InsertRule)
-	compareExprsIgnoringCounters(t, rules[0].Exprs, expectedDropExprs)
-
-	// Compare connection tracking rule at position 1 (pushed down by DROP rule insertion)
-	compareExprsIgnoringCounters(t, rules[1].Exprs, expectedExprs1)
+	require.ElementsMatch(t, rules[1].Exprs, expectedExprs2, "expected the same expressions")
 
 	for _, r := range rule {
 		err = manager.DeletePeerRule(r)
@@ -165,90 +160,10 @@ func TestNftablesManager(t *testing.T) {
 	require.NoError(t, err, "failed to reset")
 }
 
-func TestNftablesManagerRuleOrder(t *testing.T) {
-	// This test verifies rule insertion order in nftables peer ACLs
-	// We add accept rule first, then deny rule to test ordering behavior
-	manager, err := Create(ifaceMock)
-	require.NoError(t, err)
-	require.NoError(t, manager.Init(nil))
-
-	defer func() {
-		err = manager.Close(nil)
-		require.NoError(t, err)
-	}()
-
-	ip := netip.MustParseAddr("100.96.0.2").Unmap()
-	testClient := &nftables.Conn{}
-
-	// Add accept rule first
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionAccept, "accept-http")
-	require.NoError(t, err, "failed to add accept rule")
-
-	// Add deny rule second for the same traffic
-	_, err = manager.AddPeerFiltering(nil, ip.AsSlice(), fw.ProtocolTCP, nil, &fw.Port{Values: []uint16{80}}, fw.ActionDrop, "deny-http")
-	require.NoError(t, err, "failed to add deny rule")
-
-	err = manager.Flush()
-	require.NoError(t, err, "failed to flush")
-
-	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
-	require.NoError(t, err, "failed to get rules")
-
-	t.Logf("Found %d rules in nftables chain", len(rules))
-
-	// Find the accept and deny rules and verify deny comes before accept
-	var acceptRuleIndex, denyRuleIndex int = -1, -1
-	for i, rule := range rules {
-		hasAcceptHTTPSet := false
-		hasDenyHTTPSet := false
-		hasPort80 := false
-		var action string
-
-		for _, e := range rule.Exprs {
-			// Check for set lookup
-			if lookup, ok := e.(*expr.Lookup); ok {
-				if lookup.SetName == "accept-http" {
-					hasAcceptHTTPSet = true
-				} else if lookup.SetName == "deny-http" {
-					hasDenyHTTPSet = true
-				}
-			}
-			// Check for port 80
-			if cmp, ok := e.(*expr.Cmp); ok {
-				if cmp.Op == expr.CmpOpEq && len(cmp.Data) == 2 && binary.BigEndian.Uint16(cmp.Data) == 80 {
-					hasPort80 = true
-				}
-			}
-			// Check for verdict
-			if verdict, ok := e.(*expr.Verdict); ok {
-				if verdict.Kind == expr.VerdictAccept {
-					action = "ACCEPT"
-				} else if verdict.Kind == expr.VerdictDrop {
-					action = "DROP"
-				}
-			}
-		}
-
-		if hasAcceptHTTPSet && hasPort80 && action == "ACCEPT" {
-			t.Logf("Rule [%d]: accept-http set + Port 80 + ACCEPT", i)
-			acceptRuleIndex = i
-		} else if hasDenyHTTPSet && hasPort80 && action == "DROP" {
-			t.Logf("Rule [%d]: deny-http set + Port 80 + DROP", i)
-			denyRuleIndex = i
-		}
-	}
-
-	require.NotEqual(t, -1, acceptRuleIndex, "accept rule should exist in nftables")
-	require.NotEqual(t, -1, denyRuleIndex, "deny rule should exist in nftables")
-	require.Less(t, denyRuleIndex, acceptRuleIndex,
-		"deny rule should come before accept rule in nftables chain (deny at index %d, accept at index %d)",
-		denyRuleIndex, acceptRuleIndex)
-}
-
 func TestNFtablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
-			return "wg-test"
+			return "lo"
 		},
 		AddressFunc: func() wgaddr.Address {
 			return wgaddr.Address{

client/firewall/nftables/router_linux.go

@@ -22,7 +22,7 @@ import (
 	nbid "github.com/netbirdio/netbird/client/internal/acl/id"
 	"github.com/netbirdio/netbird/client/internal/routemanager/ipfwdstate"
 	"github.com/netbirdio/netbird/client/internal/routemanager/refcounter"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (

client/firewall/uspfilter/allow_netbird.go

@@ -18,7 +18,6 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	defer m.mutex.Unlock()
 
 	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 
 	if m.udpTracker != nil {

client/firewall/uspfilter/allow_netbird_windows.go

@@ -27,7 +27,6 @@ func (m *Manager) Close(*statemanager.Manager) error {
 	defer m.mutex.Unlock()
 
 	m.outgoingRules = make(map[netip.Addr]RuleSet)
-	m.incomingDenyRules = make(map[netip.Addr]RuleSet)
 	m.incomingRules = make(map[netip.Addr]RuleSet)
 
 	if m.udpTracker != nil {

client/firewall/uspfilter/filter.go

@@ -70,13 +70,14 @@ func (r RouteRules) Sort() {
 
 // Manager userspace firewall manager
 type Manager struct {
-	outgoingRules     map[netip.Addr]RuleSet
-	incomingDenyRules map[netip.Addr]RuleSet
-	incomingRules     map[netip.Addr]RuleSet
-	routeRules        RouteRules
-	decoders          sync.Pool
-	wgIface           common.IFaceMapper
-	nativeFirewall    firewall.Manager
+	// outgoingRules is used for hooks only
+	outgoingRules map[netip.Addr]RuleSet
+	// incomingRules is used for filtering and hooks
+	incomingRules  map[netip.Addr]RuleSet
+	routeRules     RouteRules
+	decoders       sync.Pool
+	wgIface        common.IFaceMapper
+	nativeFirewall firewall.Manager
 
 	mutex sync.RWMutex
 
@@ -185,7 +186,6 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe
 		},
 		nativeFirewall:      nativeFirewall,
 		outgoingRules:       make(map[netip.Addr]RuleSet),
-		incomingDenyRules:   make(map[netip.Addr]RuleSet),
 		incomingRules:       make(map[netip.Addr]RuleSet),
 		wgIface:             iface,
 		localipmanager:      newLocalIPManager(),
@@ -417,17 +417,10 @@ func (m *Manager) AddPeerFiltering(
 	}
 
 	m.mutex.Lock()
-	var targetMap map[netip.Addr]RuleSet
-	if r.drop {
-		targetMap = m.incomingDenyRules
-	} else {
-		targetMap = m.incomingRules
+	if _, ok := m.incomingRules[r.ip]; !ok {
+		m.incomingRules[r.ip] = make(RuleSet)
 	}
-
-	if _, ok := targetMap[r.ip]; !ok {
-		targetMap[r.ip] = make(RuleSet)
-	}
-	targetMap[r.ip][r.id] = r
+	m.incomingRules[r.ip][r.id] = r
 	m.mutex.Unlock()
 	return []firewall.Rule{&r}, nil
 }
@@ -514,24 +507,10 @@ func (m *Manager) DeletePeerRule(rule firewall.Rule) error {
 		return fmt.Errorf("delete rule: invalid rule type: %T", rule)
 	}
 
-	var sourceMap map[netip.Addr]RuleSet
-	if r.drop {
-		sourceMap = m.incomingDenyRules
-	} else {
-		sourceMap = m.incomingRules
-	}
-
-	if ruleset, ok := sourceMap[r.ip]; ok {
-		if _, exists := ruleset[r.id]; !exists {
-			return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
-		}
-		delete(ruleset, r.id)
-		if len(ruleset) == 0 {
-			delete(sourceMap, r.ip)
-		}
-	} else {
+	if _, ok := m.incomingRules[r.ip][r.id]; !ok {
 		return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
 	}
+	delete(m.incomingRules[r.ip], r.id)
 
 	return nil
 }
@@ -593,7 +572,7 @@ func (m *Manager) UpdateSet(set firewall.Set, prefixes []netip.Prefix) error {
 	return nil
 }
 
-// FilterOutbound filters outgoing packets
+// FilterOutBound filters outgoing packets
 func (m *Manager) FilterOutbound(packetData []byte, size int) bool {
 	return m.filterOutbound(packetData, size)
 }
@@ -782,7 +761,7 @@ func (m *Manager) filterInbound(packetData []byte, size int) bool {
 // handleLocalTraffic handles local traffic.
 // If it returns true, the packet should be dropped.
 func (m *Manager) handleLocalTraffic(d *decoder, srcIP, dstIP netip.Addr, packetData []byte, size int) bool {
-	ruleID, blocked := m.peerACLsBlock(srcIP, d, packetData)
+	ruleID, blocked := m.peerACLsBlock(srcIP, packetData, m.incomingRules, d)
 	if blocked {
 		_, pnum := getProtocolFromPacket(d)
 		srcPort, dstPort := getPortsFromPacket(d)
@@ -992,28 +971,26 @@ func (m *Manager) isSpecialICMP(d *decoder) bool {
 		icmpType == layers.ICMPv4TypeTimeExceeded
 }
 
-func (m *Manager) peerACLsBlock(srcIP netip.Addr, d *decoder, packetData []byte) ([]byte, bool) {
+func (m *Manager) peerACLsBlock(srcIP netip.Addr, packetData []byte, rules map[netip.Addr]RuleSet, d *decoder) ([]byte, bool) {
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()
-
 	if m.isSpecialICMP(d) {
 		return nil, false
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingDenyRules[srcIP], d); ok {
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[srcIP], d); ok {
 		return mgmtId, filter
 	}
 
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[srcIP], d); ok {
-		return mgmtId, filter
-	}
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[netip.IPv4Unspecified()], d); ok {
-		return mgmtId, filter
-	}
-	if mgmtId, filter, ok := validateRule(srcIP, packetData, m.incomingRules[netip.IPv6Unspecified()], d); ok {
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[netip.IPv4Unspecified()], d); ok {
 		return mgmtId, filter
 	}
 
+	if mgmtId, filter, ok := validateRule(srcIP, packetData, rules[netip.IPv6Unspecified()], d); ok {
+		return mgmtId, filter
+	}
+
+	// Default policy: DROP ALL
 	return nil, true
 }
 
@@ -1036,7 +1013,6 @@ func portsMatch(rulePort *firewall.Port, packetPort uint16) bool {
 
 func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d *decoder) ([]byte, bool, bool) {
 	payloadLayer := d.decoded[1]
-
 	for _, rule := range rules {
 		if rule.matchByIP && ip.Compare(rule.ip) != 0 {
 			continue
@@ -1069,7 +1045,6 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 			return rule.mgmtId, rule.drop, true
 		}
 	}
-
 	return nil, false, false
 }
 
@@ -1141,7 +1116,6 @@ func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook fu
 
 	m.mutex.Lock()
 	if in {
-		// Incoming UDP hooks are stored in allow rules map
 		if _, ok := m.incomingRules[r.ip]; !ok {
 			m.incomingRules[r.ip] = make(map[string]PeerRule)
 		}
@@ -1162,7 +1136,6 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
-	// Check incoming hooks (stored in allow rules)
 	for _, arr := range m.incomingRules {
 		for _, r := range arr {
 			if r.id == hookID {
@@ -1171,7 +1144,6 @@ func (m *Manager) RemovePacketHook(hookID string) error {
 			}
 		}
 	}
-	// Check outgoing hooks
 	for _, arr := range m.outgoingRules {
 		for _, r := range arr {
 			if r.id == hookID {

client/firewall/uspfilter/filter_filter_test.go

@@ -458,31 +458,6 @@ func TestPeerACLFiltering(t *testing.T) {
 			ruleAction:      fw.ActionDrop,
 			shouldBeBlocked: true,
 		},
-		{
-			name:            "Peer ACL - Drop rule should override accept all rule",
-			srcIP:           "100.10.0.1",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         22,
-			ruleIP:          "100.10.0.1",
-			ruleProto:       fw.ProtocolTCP,
-			ruleDstPort:     &fw.Port{Values: []uint16{22}},
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
-		{
-			name:            "Peer ACL - Drop all traffic from specific IP",
-			srcIP:           "100.10.0.99",
-			dstIP:           "100.10.0.100",
-			proto:           fw.ProtocolTCP,
-			srcPort:         12345,
-			dstPort:         80,
-			ruleIP:          "100.10.0.99",
-			ruleProto:       fw.ProtocolALL,
-			ruleAction:      fw.ActionDrop,
-			shouldBeBlocked: true,
-		},
 	}
 
 	t.Run("Implicit DROP (no rules)", func(t *testing.T) {
@@ -493,11 +468,13 @@ func TestPeerACLFiltering(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+
 			if tc.ruleAction == fw.ActionDrop {
-				// add general accept rule for the same IP to test drop rule precedence
+				// add general accept rule to test drop rule
+				// TODO: this only works because 0.0.0.0 is tested last, we need to implement order
 				rules, err := manager.AddPeerFiltering(
 					nil,
-					net.ParseIP(tc.ruleIP),
+					net.ParseIP("0.0.0.0"),
 					fw.ProtocolALL,
 					nil,
 					nil,

client/firewall/uspfilter/filter_test.go

@@ -136,22 +136,9 @@ func TestManagerDeleteRule(t *testing.T) {
 		return
 	}
 
-	// Check rules exist in appropriate maps
 	for _, r := range rule2 {
-		peerRule, ok := r.(*PeerRule)
-		if !ok {
-			t.Errorf("rule should be a PeerRule")
-			continue
-		}
-		// Check if rule exists in deny or allow maps based on action
-		var found bool
-		if peerRule.drop {
-			_, found = m.incomingDenyRules[ip][r.ID()]
-		} else {
-			_, found = m.incomingRules[ip][r.ID()]
-		}
-		if !found {
-			t.Errorf("rule2 is not in the expected rules map")
+		if _, ok := m.incomingRules[ip][r.ID()]; !ok {
+			t.Errorf("rule2 is not in the incomingRules")
 		}
 	}
 
@@ -163,22 +150,9 @@ func TestManagerDeleteRule(t *testing.T) {
 		}
 	}
 
-	// Check rules are removed from appropriate maps
 	for _, r := range rule2 {
-		peerRule, ok := r.(*PeerRule)
-		if !ok {
-			t.Errorf("rule should be a PeerRule")
-			continue
-		}
-		// Check if rule is removed from deny or allow maps based on action
-		var found bool
-		if peerRule.drop {
-			_, found = m.incomingDenyRules[ip][r.ID()]
-		} else {
-			_, found = m.incomingRules[ip][r.ID()]
-		}
-		if found {
-			t.Errorf("rule2 should be removed from the rules map")
+		if _, ok := m.incomingRules[ip][r.ID()]; ok {
+			t.Errorf("rule2 is not in the incomingRules")
 		}
 	}
 }
@@ -222,17 +196,16 @@ func TestAddUDPPacketHook(t *testing.T) {
 
 			var addedRule PeerRule
 			if tt.in {
-				// Incoming UDP hooks are stored in allow rules map
 				if len(manager.incomingRules[tt.ip]) != 1 {
-					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
+					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules))
 					return
 				}
 				for _, rule := range manager.incomingRules[tt.ip] {
 					addedRule = rule
 				}
 			} else {
-				if len(manager.outgoingRules[tt.ip]) != 1 {
-					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
+				if len(manager.outgoingRules) != 1 {
+					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules))
 					return
 				}
 				for _, rule := range manager.outgoingRules[tt.ip] {
@@ -288,8 +261,8 @@ func TestManagerReset(t *testing.T) {
 		return
 	}
 
-	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 || len(m.incomingDenyRules) != 0 {
-		t.Errorf("rules are not empty")
+	if len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 {
+		t.Errorf("rules is not empty")
 	}
 }
 

client/firewall/uspfilter/tracer.go

@@ -314,7 +314,7 @@ func (m *Manager) buildConntrackStateMessage(d *decoder) string {
 func (m *Manager) handleLocalDelivery(trace *PacketTrace, packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	trace.AddResult(StageRouting, "Packet destined for local delivery", true)
 
-	ruleId, blocked := m.peerACLsBlock(srcIP, d, packetData)
+	ruleId, blocked := m.peerACLsBlock(srcIP, packetData, m.incomingRules, d)
 
 	strRuleId := "<no id>"
 	if ruleId != nil {

client/grpc/dialer_generic.go

@@ -1,44 +0,0 @@
-//go:build !js
-
-package grpc
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"os/user"
-	"runtime"
-
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc"
-
-	nbnet "github.com/netbirdio/netbird/client/net"
-)
-
-func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
-	return grpc.WithContextDialer(func(ctx context.Context, addr string) (net.Conn, error) {
-		if runtime.GOOS == "linux" {
-			currentUser, err := user.Current()
-			if err != nil {
-				return nil, status.Errorf(codes.FailedPrecondition, "failed to get current user: %v", err)
-			}
-
-			// the custom dialer requires root permissions which are not required for use cases run as non-root
-			if currentUser.Uid != "0" {
-				log.Debug("Not running as root, using standard dialer")
-				dialer := &net.Dialer{}
-				return dialer.DialContext(ctx, "tcp", addr)
-			}
-		}
-
-		conn, err := nbnet.NewDialer().DialContext(ctx, "tcp", addr)
-		if err != nil {
-			log.Errorf("Failed to dial: %s", err)
-			return nil, fmt.Errorf("nbnet.NewDialer().DialContext: %w", err)
-		}
-		return conn, nil
-	})
-}

client/grpc/dialer_js.go

@@ -1,13 +0,0 @@
-package grpc
-
-import (
-	"google.golang.org/grpc"
-
-	"github.com/netbirdio/netbird/util/wsproxy/client"
-)
-
-// WithCustomDialer returns a gRPC dial option that uses WebSocket transport for WASM/JS environments.
-// The component parameter specifies the WebSocket proxy component path (e.g., "/management", "/signal").
-func WithCustomDialer(tlsEnabled bool, component string) grpc.DialOption {
-	return client.WithWebSocketDialer(tlsEnabled, component)
-}

client/iface/bind/control.go

@@ -3,7 +3,7 @@ package bind
 import (
 	wireguard "golang.zx2c4.com/wireguard/conn"
 
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 // TODO: This is most likely obsolete since the control fns should be called by the wrapped udpconn (ice_bind.go)

client/iface/bind/endpoint.go

@@ -1,17 +1,5 @@
 package bind
 
-import (
-	"net"
-
-	wgConn "golang.zx2c4.com/wireguard/conn"
-)
+import wgConn "golang.zx2c4.com/wireguard/conn"
 
 type Endpoint = wgConn.StdNetEndpoint
-
-func EndpointToUDPAddr(e Endpoint) *net.UDPAddr {
-	return &net.UDPAddr{
-		IP:   e.Addr().AsSlice(),
-		Port: int(e.Port()),
-		Zone: e.Addr().Zone(),
-	}
-}

client/iface/bind/error.go

@@ -1,7 +0,0 @@
-package bind
-
-import "fmt"
-
-var (
-	ErrUDPMUXNotSupported = fmt.Errorf("UDPMUX is not supported in WASM")
-)

client/iface/bind/ice_bind.go

@@ -1,9 +1,6 @@
-//go:build !js
-
 package bind
 
 import (
-	"context"
 	"encoding/binary"
 	"fmt"
 	"net"
@@ -11,18 +8,22 @@ import (
 	"runtime"
 	"sync"
 
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/transport/v3"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/ipv4"
 	"golang.org/x/net/ipv6"
 	wgConn "golang.zx2c4.com/wireguard/conn"
 
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
+type RecvMessage struct {
+	Endpoint *Endpoint
+	Buffer   []byte
+}
+
 type receiverCreator struct {
 	iceBind *ICEBind
 }
@@ -40,38 +41,35 @@ func (rc receiverCreator) CreateIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UD
 // use the port because in the Send function the wgConn.Endpoint the port info is not exported.
 type ICEBind struct {
 	*wgConn.StdNetBind
+	RecvChan chan RecvMessage
 
 	transportNet transport.Net
-	filterFn     udpmux.FilterFn
-	address      wgaddr.Address
-	mtu          uint16
-
-	endpoints   map[netip.Addr]net.Conn
-	endpointsMu sync.Mutex
-	recvChan    chan recvMessage
+	filterFn     FilterFn
+	endpoints    map[netip.Addr]net.Conn
+	endpointsMu  sync.Mutex
 	// every time when Close() is called (i.e. BindUpdate()) we need to close exit from the receiveRelayed and create a
 	// new closed channel. With the closedChanMu we can safely close the channel and create a new one
-	closedChan       chan struct{}
-	closedChanMu     sync.RWMutex // protect the closeChan recreation from reading from it.
-	closed           bool
-	activityRecorder *ActivityRecorder
+	closedChan   chan struct{}
+	closedChanMu sync.RWMutex // protect the closeChan recreation from reading from it.
+	closed       bool
 
-	muUDPMux sync.Mutex
-	udpMux   *udpmux.UniversalUDPMuxDefault
+	muUDPMux         sync.Mutex
+	udpMux           *UniversalUDPMuxDefault
+	address          wgaddr.Address
+	activityRecorder *ActivityRecorder
 }
 
-func NewICEBind(transportNet transport.Net, filterFn udpmux.FilterFn, address wgaddr.Address, mtu uint16) *ICEBind {
+func NewICEBind(transportNet transport.Net, filterFn FilterFn, address wgaddr.Address) *ICEBind {
 	b, _ := wgConn.NewStdNetBind().(*wgConn.StdNetBind)
 	ib := &ICEBind{
 		StdNetBind:       b,
+		RecvChan:         make(chan RecvMessage, 1),
 		transportNet:     transportNet,
 		filterFn:         filterFn,
-		address:          address,
-		mtu:              mtu,
 		endpoints:        make(map[netip.Addr]net.Conn),
-		recvChan:         make(chan recvMessage, 1),
 		closedChan:       make(chan struct{}),
 		closed:           true,
+		address:          address,
 		activityRecorder: NewActivityRecorder(),
 	}
 
@@ -111,7 +109,7 @@ func (s *ICEBind) ActivityRecorder() *ActivityRecorder {
 }
 
 // GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *ICEBind) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
+func (s *ICEBind) GetICEMux() (*UniversalUDPMuxDefault, error) {
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 	if s.udpMux == nil {
@@ -134,16 +132,6 @@ func (b *ICEBind) RemoveEndpoint(fakeIP netip.Addr) {
 	delete(b.endpoints, fakeIP)
 }
 
-func (b *ICEBind) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-b.closedChan:
-		return
-	case <-ctx.Done():
-		return
-	case b.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
 func (b *ICEBind) Send(bufs [][]byte, ep wgConn.Endpoint) error {
 	b.endpointsMu.Lock()
 	conn, ok := b.endpoints[ep.DstIP()]
@@ -164,13 +152,12 @@ func (s *ICEBind) createIPv4ReceiverFn(pc *ipv4.PacketConn, conn *net.UDPConn, r
 	s.muUDPMux.Lock()
 	defer s.muUDPMux.Unlock()
 
-	s.udpMux = udpmux.NewUniversalUDPMuxDefault(
-		udpmux.UniversalUDPMuxParams{
+	s.udpMux = NewUniversalUDPMuxDefault(
+		UniversalUDPMuxParams{
 			UDPConn:   nbnet.WrapPacketConn(conn),
 			Net:       s.transportNet,
 			FilterFn:  s.filterFn,
 			WGAddress: s.address,
-			MTU:       s.mtu,
 		},
 	)
 	return func(bufs [][]byte, sizes []int, eps []wgConn.Endpoint) (n int, err error) {
@@ -276,7 +263,7 @@ func (c *ICEBind) receiveRelayed(buffs [][]byte, sizes []int, eps []wgConn.Endpo
 	select {
 	case <-c.closedChan:
 		return 0, net.ErrClosed
-	case msg, ok := <-c.recvChan:
+	case msg, ok := <-c.RecvChan:
 		if !ok {
 			return 0, net.ErrClosed
 		}

client/iface/bind/recv_msg.go

@@ -1,6 +0,0 @@
-package bind
-
-type recvMessage struct {
-	Endpoint *Endpoint
-	Buffer   []byte
-}

client/iface/bind/relay_bind.go

@@ -1,125 +0,0 @@
-package bind
-
-import (
-	"context"
-	"net"
-	"net/netip"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
-
-	"github.com/netbirdio/netbird/client/iface/udpmux"
-)
-
-// RelayBindJS is a conn.Bind implementation for WebAssembly environments.
-// Do not limit to build only js, because we want to be able to run tests
-type RelayBindJS struct {
-	*conn.StdNetBind
-
-	recvChan         chan recvMessage
-	endpoints        map[netip.Addr]net.Conn
-	endpointsMu      sync.Mutex
-	activityRecorder *ActivityRecorder
-	ctx              context.Context
-	cancel           context.CancelFunc
-}
-
-func NewRelayBindJS() *RelayBindJS {
-	return &RelayBindJS{
-		recvChan:         make(chan recvMessage, 100),
-		endpoints:        make(map[netip.Addr]net.Conn),
-		activityRecorder: NewActivityRecorder(),
-	}
-}
-
-// Open creates a receive function for handling relay packets in WASM.
-func (s *RelayBindJS) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
-	log.Debugf("Open: creating receive function for port %d", uport)
-
-	s.ctx, s.cancel = context.WithCancel(context.Background())
-
-	receiveFn := func(bufs [][]byte, sizes []int, eps []conn.Endpoint) (int, error) {
-		select {
-		case <-s.ctx.Done():
-			return 0, net.ErrClosed
-		case msg, ok := <-s.recvChan:
-			if !ok {
-				return 0, net.ErrClosed
-			}
-			copy(bufs[0], msg.Buffer)
-			sizes[0] = len(msg.Buffer)
-			eps[0] = conn.Endpoint(msg.Endpoint)
-			return 1, nil
-		}
-	}
-
-	log.Debugf("Open: receive function created, returning port %d", uport)
-	return []conn.ReceiveFunc{receiveFn}, uport, nil
-}
-
-func (s *RelayBindJS) Close() error {
-	if s.cancel == nil {
-		return nil
-	}
-	log.Debugf("close RelayBindJS")
-	s.cancel()
-	return nil
-}
-
-func (s *RelayBindJS) ReceiveFromEndpoint(ctx context.Context, ep *Endpoint, buf []byte) {
-	select {
-	case <-s.ctx.Done():
-		return
-	case <-ctx.Done():
-		return
-	case s.recvChan <- recvMessage{ep, buf}:
-	}
-}
-
-// Send forwards packets through the relay connection for WASM.
-func (s *RelayBindJS) Send(bufs [][]byte, ep conn.Endpoint) error {
-	if ep == nil {
-		return nil
-	}
-
-	fakeIP := ep.DstIP()
-
-	s.endpointsMu.Lock()
-	relayConn, ok := s.endpoints[fakeIP]
-	s.endpointsMu.Unlock()
-
-	if !ok {
-		return nil
-	}
-
-	for _, buf := range bufs {
-		if _, err := relayConn.Write(buf); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (b *RelayBindJS) SetEndpoint(fakeIP netip.Addr, conn net.Conn) {
-	b.endpointsMu.Lock()
-	b.endpoints[fakeIP] = conn
-	b.endpointsMu.Unlock()
-}
-
-func (s *RelayBindJS) RemoveEndpoint(fakeIP netip.Addr) {
-	s.endpointsMu.Lock()
-	defer s.endpointsMu.Unlock()
-
-	delete(s.endpoints, fakeIP)
-}
-
-// GetICEMux returns the ICE UDPMux that was created and used by ICEBind
-func (s *RelayBindJS) GetICEMux() (*udpmux.UniversalUDPMuxDefault, error) {
-	return nil, ErrUDPMUXNotSupported
-}
-
-func (s *RelayBindJS) ActivityRecorder() *ActivityRecorder {
-	return s.activityRecorder
-}

client/iface/bind/udp_mux.go

@@ -1,4 +1,4 @@
-package udpmux
+package bind
 
 import (
 	"fmt"
@@ -8,9 +8,9 @@ import (
 	"strings"
 	"sync"
 
-	"github.com/pion/ice/v4"
+	"github.com/pion/ice/v3"
 	"github.com/pion/logging"
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/transport/v3"
 	"github.com/pion/transport/v3/stdnet"
 	log "github.com/sirupsen/logrus"
@@ -22,9 +22,9 @@ import (
 
 const receiveMTU = 8192
 
-// SingleSocketUDPMux is an implementation of the interface
-type SingleSocketUDPMux struct {
-	params Params
+// UDPMuxDefault is an implementation of the interface
+type UDPMuxDefault struct {
+	params UDPMuxParams
 
 	closedChan chan struct{}
 	closeOnce  sync.Once
@@ -32,9 +32,6 @@ type SingleSocketUDPMux struct {
 	// connsIPv4 and connsIPv6 are maps of all udpMuxedConn indexed by ufrag|network|candidateType
 	connsIPv4, connsIPv6 map[string]*udpMuxedConn
 
-	// candidateConnMap maps local candidate IDs to their corresponding connection.
-	candidateConnMap map[string]*udpMuxedConn
-
 	addressMapMu sync.RWMutex
 	addressMap   map[string][]*udpMuxedConn
 
@@ -49,8 +46,8 @@ type SingleSocketUDPMux struct {
 
 const maxAddrSize = 512
 
-// Params are parameters for UDPMux.
-type Params struct {
+// UDPMuxParams are parameters for UDPMux.
+type UDPMuxParams struct {
 	Logger  logging.LeveledLogger
 	UDPConn net.PacketConn
 
@@ -150,19 +147,18 @@ func isZeros(ip net.IP) bool {
 	return true
 }
 
-// NewSingleSocketUDPMux creates an implementation of UDPMux
-func NewSingleSocketUDPMux(params Params) *SingleSocketUDPMux {
+// NewUDPMuxDefault creates an implementation of UDPMux
+func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
 	if params.Logger == nil {
 		params.Logger = getLogger()
 	}
 
-	mux := &SingleSocketUDPMux{
-		addressMap:       map[string][]*udpMuxedConn{},
-		params:           params,
-		connsIPv4:        make(map[string]*udpMuxedConn),
-		connsIPv6:        make(map[string]*udpMuxedConn),
-		candidateConnMap: make(map[string]*udpMuxedConn),
-		closedChan:       make(chan struct{}, 1),
+	mux := &UDPMuxDefault{
+		addressMap: map[string][]*udpMuxedConn{},
+		params:     params,
+		connsIPv4:  make(map[string]*udpMuxedConn),
+		connsIPv6:  make(map[string]*udpMuxedConn),
+		closedChan: make(chan struct{}, 1),
 		pool: &sync.Pool{
 			New: func() interface{} {
 				// big enough buffer to fit both packet and address
@@ -175,15 +171,15 @@ func NewSingleSocketUDPMux(params Params) *SingleSocketUDPMux {
 	return mux
 }
 
-func (m *SingleSocketUDPMux) updateLocalAddresses() {
+func (m *UDPMuxDefault) updateLocalAddresses() {
 	var localAddrsForUnspecified []net.Addr
 	if addr, ok := m.params.UDPConn.LocalAddr().(*net.UDPAddr); !ok {
 		m.params.Logger.Errorf("LocalAddr is not a net.UDPAddr, got %T", m.params.UDPConn.LocalAddr())
 	} else if ok && addr.IP.IsUnspecified() {
 		// For unspecified addresses, the correct behavior is to return errListenUnspecified, but
 		// it will break the applications that are already using unspecified UDP connection
-		// with SingleSocketUDPMux, so print a warn log and create a local address list for mux.
-		m.params.Logger.Warn("SingleSocketUDPMux should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
+		// with UDPMuxDefault, so print a warn log and create a local address list for mux.
+		m.params.Logger.Warn("UDPMuxDefault should not listening on unspecified address, use NewMultiUDPMuxFromPort instead")
 		var networks []ice.NetworkType
 		switch {
 
@@ -220,13 +216,13 @@ func (m *SingleSocketUDPMux) updateLocalAddresses() {
 	m.mu.Unlock()
 }
 
-// LocalAddr returns the listening address of this SingleSocketUDPMux
-func (m *SingleSocketUDPMux) LocalAddr() net.Addr {
+// LocalAddr returns the listening address of this UDPMuxDefault
+func (m *UDPMuxDefault) LocalAddr() net.Addr {
 	return m.params.UDPConn.LocalAddr()
 }
 
 // GetListenAddresses returns the list of addresses that this mux is listening on
-func (m *SingleSocketUDPMux) GetListenAddresses() []net.Addr {
+func (m *UDPMuxDefault) GetListenAddresses() []net.Addr {
 	m.updateLocalAddresses()
 
 	m.mu.Lock()
@@ -240,7 +236,7 @@ func (m *SingleSocketUDPMux) GetListenAddresses() []net.Addr {
 
 // GetConn returns a PacketConn given the connection's ufrag and network address
 // creates the connection if an existing one can't be found
-func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID string) (net.PacketConn, error) {
+func (m *UDPMuxDefault) GetConn(ufrag string, addr net.Addr) (net.PacketConn, error) {
 	// don't check addr for mux using unspecified address
 	m.mu.Lock()
 	lenLocalAddrs := len(m.localAddrsForUnspecified)
@@ -264,14 +260,12 @@ func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID st
 		return conn, nil
 	}
 
-	c := m.createMuxedConn(ufrag, candidateID)
+	c := m.createMuxedConn(ufrag)
 	go func() {
 		<-c.CloseChannel()
 		m.RemoveConnByUfrag(ufrag)
 	}()
 
-	m.candidateConnMap[candidateID] = c
-
 	if isIPv6 {
 		m.connsIPv6[ufrag] = c
 	} else {
@@ -282,7 +276,7 @@ func (m *SingleSocketUDPMux) GetConn(ufrag string, addr net.Addr, candidateID st
 }
 
 // RemoveConnByUfrag stops and removes the muxed packet connection
-func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
+func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
 	removedConns := make([]*udpMuxedConn, 0, 2)
 
 	// Keep lock section small to avoid deadlock with conn lock
@@ -290,12 +284,10 @@ func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
 	if c, ok := m.connsIPv4[ufrag]; ok {
 		delete(m.connsIPv4, ufrag)
 		removedConns = append(removedConns, c)
-		delete(m.candidateConnMap, c.GetCandidateID())
 	}
 	if c, ok := m.connsIPv6[ufrag]; ok {
 		delete(m.connsIPv6, ufrag)
 		removedConns = append(removedConns, c)
-		delete(m.candidateConnMap, c.GetCandidateID())
 	}
 	m.mu.Unlock()
 
@@ -322,7 +314,7 @@ func (m *SingleSocketUDPMux) RemoveConnByUfrag(ufrag string) {
 }
 
 // IsClosed returns true if the mux had been closed
-func (m *SingleSocketUDPMux) IsClosed() bool {
+func (m *UDPMuxDefault) IsClosed() bool {
 	select {
 	case <-m.closedChan:
 		return true
@@ -332,7 +324,7 @@ func (m *SingleSocketUDPMux) IsClosed() bool {
 }
 
 // Close the mux, no further connections could be created
-func (m *SingleSocketUDPMux) Close() error {
+func (m *UDPMuxDefault) Close() error {
 	var err error
 	m.closeOnce.Do(func() {
 		m.mu.Lock()
@@ -355,11 +347,11 @@ func (m *SingleSocketUDPMux) Close() error {
 	return err
 }
 
-func (m *SingleSocketUDPMux) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
+func (m *UDPMuxDefault) writeTo(buf []byte, rAddr net.Addr) (n int, err error) {
 	return m.params.UDPConn.WriteTo(buf, rAddr)
 }
 
-func (m *SingleSocketUDPMux) registerConnForAddress(conn *udpMuxedConn, addr string) {
+func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string) {
 	if m.IsClosed() {
 		return
 	}
@@ -376,109 +368,81 @@ func (m *SingleSocketUDPMux) registerConnForAddress(conn *udpMuxedConn, addr str
 	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
 }
 
-func (m *SingleSocketUDPMux) createMuxedConn(key string, candidateID string) *udpMuxedConn {
+func (m *UDPMuxDefault) createMuxedConn(key string) *udpMuxedConn {
 	c := newUDPMuxedConn(&udpMuxedConnParams{
-		Mux:         m,
-		Key:         key,
-		AddrPool:    m.pool,
-		LocalAddr:   m.LocalAddr(),
-		Logger:      m.params.Logger,
-		CandidateID: candidateID,
+		Mux:       m,
+		Key:       key,
+		AddrPool:  m.pool,
+		LocalAddr: m.LocalAddr(),
+		Logger:    m.params.Logger,
 	})
 	return c
 }
 
 // HandleSTUNMessage handles STUN packets and forwards them to underlying pion/ice library
-func (m *SingleSocketUDPMux) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+
 	remoteAddr, ok := addr.(*net.UDPAddr)
 	if !ok {
 		return fmt.Errorf("underlying PacketConn did not return a UDPAddr")
 	}
 
-	// Try to route to specific candidate connection first
-	if conn := m.findCandidateConnection(msg); conn != nil {
-		return conn.writePacket(msg.Raw, remoteAddr)
-	}
-
-	// Fallback: route to all possible connections
-	return m.forwardToAllConnections(msg, addr, remoteAddr)
-}
-
-// findCandidateConnection attempts to find the specific connection for a STUN message
-func (m *SingleSocketUDPMux) findCandidateConnection(msg *stun.Message) *udpMuxedConn {
-	candidatePairID, ok, err := ice.CandidatePairIDFromSTUN(msg)
-	if err != nil {
-		return nil
-	} else if !ok {
-		return nil
-	}
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	conn, exists := m.candidateConnMap[candidatePairID.TargetCandidateID()]
-	if !exists {
-		return nil
-	}
-	return conn
-}
-
-// forwardToAllConnections forwards STUN message to all relevant connections
-func (m *SingleSocketUDPMux) forwardToAllConnections(msg *stun.Message, addr net.Addr, remoteAddr *net.UDPAddr) error {
-	var destinationConnList []*udpMuxedConn
-
-	// Add connections from address map
+	// If we have already seen this address dispatch to the appropriate destination
+	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
+	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
+	// We will then forward STUN packets to each of these connections.
 	m.addressMapMu.RLock()
+	var destinationConnList []*udpMuxedConn
 	if storedConns, ok := m.addressMap[addr.String()]; ok {
 		destinationConnList = append(destinationConnList, storedConns...)
 	}
 	m.addressMapMu.RUnlock()
 
-	if conn, ok := m.findConnectionByUsername(msg, addr); ok {
-		// If we have already seen this address dispatch to the appropriate destination
-		// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
-		// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
-		// We will then forward STUN packets to each of these connections.
-		if !m.connectionExists(conn, destinationConnList) {
-			destinationConnList = append(destinationConnList, conn)
-		}
+	var isIPv6 bool
+	if udpAddr, _ := addr.(*net.UDPAddr); udpAddr != nil && udpAddr.IP.To4() == nil {
+		isIPv6 = true
 	}
 
-	// Forward to all found connections
+	// This block is needed to discover Peer Reflexive Candidates for which we don't know the Endpoint upfront.
+	// However, we can take a username attribute from the STUN message which contains ufrag.
+	// We can use ufrag to identify the destination conn to route packet to.
+	attr, stunAttrErr := msg.Get(stun.AttrUsername)
+	if stunAttrErr == nil {
+		ufrag := strings.Split(string(attr), ":")[0]
+
+		m.mu.Lock()
+		destinationConn := m.connsIPv4[ufrag]
+		if isIPv6 {
+			destinationConn = m.connsIPv6[ufrag]
+		}
+
+		if destinationConn != nil {
+			exists := false
+			for _, conn := range destinationConnList {
+				if conn.params.Key == destinationConn.params.Key {
+					exists = true
+					break
+				}
+			}
+			if !exists {
+				destinationConnList = append(destinationConnList, destinationConn)
+			}
+		}
+		m.mu.Unlock()
+	}
+
+	// Forward STUN packets to each destination connections even thought the STUN packet might not belong there.
+	// It will be discarded by the further ICE candidate logic if so.
 	for _, conn := range destinationConnList {
 		if err := conn.writePacket(msg.Raw, remoteAddr); err != nil {
 			log.Errorf("could not write packet: %v", err)
 		}
 	}
+
 	return nil
 }
 
-// findConnectionByUsername finds connection using username attribute from STUN message
-func (m *SingleSocketUDPMux) findConnectionByUsername(msg *stun.Message, addr net.Addr) (*udpMuxedConn, bool) {
-	attr, err := msg.Get(stun.AttrUsername)
-	if err != nil {
-		return nil, false
-	}
-
-	ufrag := strings.Split(string(attr), ":")[0]
-	isIPv6 := isIPv6Address(addr)
-
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	return m.getConn(ufrag, isIPv6)
-}
-
-// connectionExists checks if a connection already exists in the list
-func (m *SingleSocketUDPMux) connectionExists(target *udpMuxedConn, conns []*udpMuxedConn) bool {
-	for _, conn := range conns {
-		if conn.params.Key == target.params.Key {
-			return true
-		}
-	}
-	return false
-}
-
-func (m *SingleSocketUDPMux) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
+func (m *UDPMuxDefault) getConn(ufrag string, isIPv6 bool) (val *udpMuxedConn, ok bool) {
 	if isIPv6 {
 		val, ok = m.connsIPv6[ufrag]
 	} else {
@@ -487,13 +451,6 @@ func (m *SingleSocketUDPMux) getConn(ufrag string, isIPv6 bool) (val *udpMuxedCo
 	return
 }
 
-func isIPv6Address(addr net.Addr) bool {
-	if udpAddr, ok := addr.(*net.UDPAddr); ok {
-		return udpAddr.IP.To4() == nil
-	}
-	return false
-}
-
 type bufferHolder struct {
 	buf []byte
 }

client/iface/bind/udp_mux_generic.go

@@ -1,12 +1,12 @@
 //go:build !ios
 
-package udpmux
+package bind
 
 import (
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
+func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
 	// Kernel mode: direct nbnet.PacketConn (SharedSocket wrapped with nbnet)
 	if conn, ok := m.params.UDPConn.(*nbnet.PacketConn); ok {
 		conn.RemoveAddress(addr)

client/iface/bind/udp_mux_ios.go

@@ -0,0 +1,7 @@
+//go:build ios
+
+package bind
+
+func (m *UDPMuxDefault) notifyAddressRemoval(addr string) {
+	// iOS doesn't support nbnet hooks, so this is a no-op
+}

client/iface/bind/udp_mux_universal.go

@@ -1,4 +1,4 @@
-package udpmux
+package bind
 
 /*
  Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements.
@@ -15,10 +15,9 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/pion/logging"
-	"github.com/pion/stun/v3"
+	"github.com/pion/stun/v2"
 	"github.com/pion/transport/v3"
 
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -29,7 +28,7 @@ type FilterFn func(address netip.Addr) (bool, netip.Prefix, error)
 // UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn
 // It then passes packets to the UDPMux that does the actual connection muxing.
 type UniversalUDPMuxDefault struct {
-	*SingleSocketUDPMux
+	*UDPMuxDefault
 	params UniversalUDPMuxParams
 
 	// since we have a shared socket, for srflx candidates it makes sense to have a shared mapped address across all the agents
@@ -45,7 +44,6 @@ type UniversalUDPMuxParams struct {
 	Net                   transport.Net
 	FilterFn              FilterFn
 	WGAddress             wgaddr.Address
-	MTU                   uint16
 }
 
 // NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
@@ -72,12 +70,12 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 		address:    params.WGAddress,
 	}
 
-	udpMuxParams := Params{
+	udpMuxParams := UDPMuxParams{
 		Logger:  params.Logger,
 		UDPConn: m.params.UDPConn,
 		Net:     m.params.Net,
 	}
-	m.SingleSocketUDPMux = NewSingleSocketUDPMux(udpMuxParams)
+	m.UDPMuxDefault = NewUDPMuxDefault(udpMuxParams)
 
 	return m
 }
@@ -86,7 +84,7 @@ func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDef
 // just ignore other packets printing an warning message.
 // It is a blocking method, consider running in a go routine.
 func (m *UniversalUDPMuxDefault) ReadFromConn(ctx context.Context) {
-	buf := make([]byte, m.params.MTU+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for {
 		select {
 		case <-ctx.Done():
@@ -211,8 +209,8 @@ func (m *UniversalUDPMuxDefault) GetRelayedAddr(turnAddr net.Addr, deadline time
 
 // GetConnForURL add uniques to the muxed connection by concatenating ufrag and URL (e.g. STUN URL) to be able to support multiple STUN/TURN servers
 // and return a unique connection per server.
-func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr, candidateID string) (net.PacketConn, error) {
-	return m.SingleSocketUDPMux.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr, candidateID)
+func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string, addr net.Addr) (net.PacketConn, error) {
+	return m.UDPMuxDefault.GetConn(fmt.Sprintf("%s%s", ufrag, url), addr)
 }
 
 // HandleSTUNMessage discovers STUN packets that carry a XOR mapped address from a STUN server.
@@ -233,7 +231,7 @@ func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.A
 		}
 		return nil
 	}
-	return m.SingleSocketUDPMux.HandleSTUNMessage(msg, addr)
+	return m.UDPMuxDefault.HandleSTUNMessage(msg, addr)
 }
 
 // isXORMappedResponse indicates whether the message is a XORMappedAddress and is coming from the known STUN server.

client/iface/bind/udp_muxed_conn.go

@@ -1,4 +1,4 @@
-package udpmux
+package bind
 
 /*
  Most of this code was copied from https://github.com/pion/ice and modified to fulfill NetBird's requirements
@@ -16,12 +16,11 @@ import (
 )
 
 type udpMuxedConnParams struct {
-	Mux         *SingleSocketUDPMux
-	AddrPool    *sync.Pool
-	Key         string
-	LocalAddr   net.Addr
-	Logger      logging.LeveledLogger
-	CandidateID string
+	Mux       *UDPMuxDefault
+	AddrPool  *sync.Pool
+	Key       string
+	LocalAddr net.Addr
+	Logger    logging.LeveledLogger
 }
 
 // udpMuxedConn represents a logical packet conn for a single remote as identified by ufrag
@@ -120,10 +119,6 @@ func (c *udpMuxedConn) Close() error {
 	return err
 }
 
-func (c *udpMuxedConn) GetCandidateID() string {
-	return c.params.CandidateID
-}
-
 func (c *udpMuxedConn) isClosed() bool {
 	select {
 	case <-c.closedChan:

client/iface/bufsize/bufsize.go

@@ -1,9 +0,0 @@
-package bufsize
-
-const (
-	// WGBufferOverhead represents the additional buffer space needed beyond MTU
-	// for WireGuard packet encapsulation (WG header + UDP + IP + safety margin)
-	// Original hardcoded buffers were 1500, default MTU is 1280, so overhead = 220
-	// TODO: Calculate this properly based on actual protocol overhead instead of using hardcoded difference
-	WGBufferOverhead = 220
-)

client/iface/configurer/name.go

@@ -1,4 +1,4 @@
-//go:build linux || windows || freebsd || js || wasip1
+//go:build linux || windows || freebsd
 
 package configurer
 

client/iface/configurer/uapi.go

@@ -1,4 +1,4 @@
-//go:build !windows && !js
+//go:build !windows
 
 package configurer
 

client/iface/configurer/uapi_js.go

@@ -1,23 +0,0 @@
-package configurer
-
-import (
-	"net"
-)
-
-type noopListener struct{}
-
-func (n *noopListener) Accept() (net.Conn, error) {
-	return nil, net.ErrClosed
-}
-
-func (n *noopListener) Close() error {
-	return nil
-}
-
-func (n *noopListener) Addr() net.Addr {
-	return nil
-}
-
-func openUAPI(deviceName string) (net.Listener, error) {
-	return &noopListener{}, nil
-}

client/iface/configurer/usp.go

@@ -17,8 +17,8 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/monotime"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
@@ -394,13 +394,6 @@ func toLastHandshake(stringVar string) (time.Time, error) {
 	if err != nil {
 		return time.Time{}, fmt.Errorf("parse handshake sec: %w", err)
 	}
-
-	// If sec is 0 (Unix epoch), return zero time instead
-	// This indicates no handshake has occurred
-	if sec == 0 {
-		return time.Time{}, nil
-	}
-
 	return time.Unix(sec, 0), nil
 }
 
@@ -409,7 +402,7 @@ func toBytes(s string) (int64, error) {
 }
 
 func getFwmark() int {
-	if nbnet.AdvancedRouting() && runtime.GOOS == "linux" {
+	if nbnet.AdvancedRouting() {
 		return nbnet.ControlPlaneMark
 	}
 	return 0

client/iface/device.go

@@ -7,17 +7,16 @@ import (
 
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 type WGTunDevice interface {
 	Create() (device.WGConfigurer, error)
-	Up() (*udpmux.UniversalUDPMuxDefault, error)
+	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
-	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice

client/iface/device/device_android.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -22,7 +21,7 @@ type WGTunDevice struct {
 	address    wgaddr.Address
 	port       int
 	key        string
-	mtu        uint16
+	mtu        int
 	iceBind    *bind.ICEBind
 	tunAdapter TunAdapter
 	disableDNS bool
@@ -30,11 +29,11 @@ type WGTunDevice struct {
 	name           string
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
+func NewTunDevice(address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind, tunAdapter TunAdapter, disableDNS bool) *WGTunDevice {
 	return &WGTunDevice{
 		address:    address,
 		port:       port,
@@ -59,7 +58,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 		searchDomainsToString = ""
 	}
 
-	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), int(t.mtu), dns, searchDomainsToString, routesString)
+	fd, err := t.tunAdapter.ConfigureInterface(t.address.String(), t.mtu, dns, searchDomainsToString, routesString)
 	if err != nil {
 		log.Errorf("failed to create Android interface: %s", err)
 		return nil, err
@@ -89,7 +88,7 @@ func (t *WGTunDevice) Create(routes []string, dns string, searchDomains []string
 	}
 	return t.configurer, nil
 }
-func (t *WGTunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *WGTunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -138,10 +137,6 @@ func (t *WGTunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *WGTunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *WGTunDevice) FilteredDevice() *FilteredDevice {
 	return t.filteredDevice
 }

client/iface/device/device_darwin.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -22,16 +21,16 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
+	mtu     int
 	iceBind *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -43,7 +42,7 @@ func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu
 }
 
 func (t *TunDevice) Create() (WGConfigurer, error) {
-	tunDevice, err := tun.CreateTUN(t.name, int(t.mtu))
+	tunDevice, err := tun.CreateTUN(t.name, t.mtu)
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -72,7 +71,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -112,10 +111,6 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_ios.go

@@ -14,7 +14,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -23,23 +22,21 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
 	iceBind *bind.ICEBind
 	tunFd   int
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind, tunFd int) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, iceBind *bind.ICEBind, tunFd int) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
 		port:    port,
 		key:     key,
-		mtu:     mtu,
 		iceBind: iceBind,
 		tunFd:   tunFd,
 	}
@@ -84,7 +81,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -128,10 +125,6 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunDevice) UpdateAddr(_ wgaddr.Address) error {
 	// todo implement
 	return nil

client/iface/device/device_kernel_unix.go

@@ -12,11 +12,11 @@ import (
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
 	"github.com/netbirdio/netbird/sharedsock"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 type TunKernelDevice struct {
@@ -24,19 +24,19 @@ type TunKernelDevice struct {
 	address      wgaddr.Address
 	wgPort       int
 	key          string
-	mtu          uint16
+	mtu          int
 	ctx          context.Context
 	ctxCancel    context.CancelFunc
 	transportNet transport.Net
 
 	link       *wgLink
 	udpMuxConn net.PacketConn
-	udpMux     *udpmux.UniversalUDPMuxDefault
+	udpMux     *bind.UniversalUDPMuxDefault
 
-	filterFn udpmux.FilterFn
+	filterFn bind.FilterFn
 }
 
-func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, transportNet transport.Net) *TunKernelDevice {
+func NewKernelDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, transportNet transport.Net) *TunKernelDevice {
 	ctx, cancel := context.WithCancel(context.Background())
 	return &TunKernelDevice{
 		ctx:          ctx,
@@ -66,7 +66,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	// TODO: do a MTU discovery
 	log.Debugf("setting MTU: %d interface: %s", t.mtu, t.name)
 
-	if err := link.setMTU(int(t.mtu)); err != nil {
+	if err := link.setMTU(t.mtu); err != nil {
 		return nil, fmt.Errorf("set mtu: %w", err)
 	}
 
@@ -79,7 +79,7 @@ func (t *TunKernelDevice) Create() (WGConfigurer, error) {
 	return configurer, nil
 }
 
-func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunKernelDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	if t.udpMux != nil {
 		return t.udpMux, nil
 	}
@@ -96,19 +96,23 @@ func (t *TunKernelDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter(), t.mtu)
+	rawSock, err := sharedsock.Listen(t.wgPort, sharedsock.NewIncomingSTUNFilter())
 	if err != nil {
 		return nil, err
 	}
 
-	bindParams := udpmux.UniversalUDPMuxParams{
-		UDPConn:   nbnet.WrapPacketConn(rawSock),
+	var udpConn net.PacketConn = rawSock
+	if !nbnet.AdvancedRouting() {
+		udpConn = nbnet.WrapPacketConn(rawSock)
+	}
+
+	bindParams := bind.UniversalUDPMuxParams{
+		UDPConn:   udpConn,
 		Net:       t.transportNet,
 		FilterFn:  t.filterFn,
 		WGAddress: t.address,
-		MTU:       t.mtu,
 	}
-	mux := udpmux.NewUniversalUDPMuxDefault(bindParams)
+	mux := bind.NewUniversalUDPMuxDefault(bindParams)
 	go mux.ReadFromConn(t.ctx)
 	t.udpMuxConn = rawSock
 	t.udpMux = mux
@@ -154,10 +158,6 @@ func (t *TunKernelDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunKernelDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunKernelDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_netstack.go

@@ -1,47 +1,41 @@
+//go:build !android
+// +build !android
+
 package device
 
 import (
-	"errors"
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/conn"
 	"golang.zx2c4.com/wireguard/device"
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
-type Bind interface {
-	conn.Bind
-	GetICEMux() (*udpmux.UniversalUDPMuxDefault, error)
-	ActivityRecorder() *bind.ActivityRecorder
-}
-
 type TunNetstackDevice struct {
 	name          string
 	address       wgaddr.Address
 	port          int
 	key           string
-	mtu           uint16
+	mtu           int
 	listenAddress string
-	bind          Bind
+	iceBind       *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
 	nsTun          *nbnetstack.NetStackTun
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 
 	net *netstack.Net
 }
 
-func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu uint16, bind Bind, listenAddress string) *TunNetstackDevice {
+func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key string, mtu int, iceBind *bind.ICEBind, listenAddress string) *TunNetstackDevice {
 	return &TunNetstackDevice{
 		name:          name,
 		address:       address,
@@ -49,11 +43,11 @@ func NewNetstackDevice(name string, address wgaddr.Address, wgPort int, key stri
 		key:           key,
 		mtu:           mtu,
 		listenAddress: listenAddress,
-		bind:          bind,
+		iceBind:       iceBind,
 	}
 }
 
-func (t *TunNetstackDevice) create() (WGConfigurer, error) {
+func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
 	log.Info("create nbnetstack tun interface")
 
 	// TODO: get from service listener runtime IP
@@ -63,7 +57,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	}
 
 	log.Debugf("netstack using address: %s", t.address.IP)
-	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, int(t.mtu))
+	t.nsTun = nbnetstack.NewNetStackTun(t.listenAddress, t.address.IP, dnsAddr, t.mtu)
 	log.Debugf("netstack using dns address: %s", dnsAddr)
 	tunIface, net, err := t.nsTun.Create()
 	if err != nil {
@@ -74,11 +68,11 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 
 	t.device = device.NewDevice(
 		t.filteredDevice,
-		t.bind,
+		t.iceBind,
 		device.NewLogger(wgLogLevel(), "[netbird] "),
 	)
 
-	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.bind.ActivityRecorder())
+	t.configurer = configurer.NewUSPConfigurer(t.device, t.name, t.iceBind.ActivityRecorder())
 	err = t.configurer.ConfigureInterface(t.key, t.port)
 	if err != nil {
 		_ = tunIface.Close()
@@ -89,7 +83,7 @@ func (t *TunNetstackDevice) create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunNetstackDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunNetstackDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -99,15 +93,11 @@ func (t *TunNetstackDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
 		return nil, err
 	}
 
-	udpMux, err := t.bind.GetICEMux()
-	if err != nil && !errors.Is(err, bind.ErrUDPMUXNotSupported) {
+	udpMux, err := t.iceBind.GetICEMux()
+	if err != nil {
 		return nil, err
 	}
-
-	if udpMux != nil {
-		t.udpMux = udpMux
-	}
-
+	t.udpMux = udpMux
 	log.Debugf("netstack device is ready to use")
 	return udpMux, nil
 }
@@ -135,10 +125,6 @@ func (t *TunNetstackDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunNetstackDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunNetstackDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_netstack_android.go

@@ -1,7 +0,0 @@
-//go:build android
-
-package device
-
-func (t *TunNetstackDevice) Create(routes []string, dns string, searchDomains []string) (WGConfigurer, error) {
-	return t.create()
-}

client/iface/device/device_netstack_generic.go

@@ -1,7 +0,0 @@
-//go:build !android
-
-package device
-
-func (t *TunNetstackDevice) Create() (WGConfigurer, error) {
-	return t.create()
-}

client/iface/device/device_netstack_test.go

@@ -1,27 +0,0 @@
-package device
-
-import (
-	"testing"
-
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-)
-
-func TestNewNetstackDevice(t *testing.T) {
-	privateKey, _ := wgtypes.GeneratePrivateKey()
-	wgAddress, _ := wgaddr.ParseWGAddress("1.2.3.4/24")
-
-	relayBind := bind.NewRelayBindJS()
-	nsTun := NewNetstackDevice("wtx", wgAddress, 1234, privateKey.String(), 1500, relayBind, netstack.ListenAddr())
-
-	cfgr, err := nsTun.Create()
-	if err != nil {
-		t.Fatalf("failed to create netstack device: %v", err)
-	}
-	if cfgr == nil {
-		t.Fatal("expected non-nil configurer")
-	}
-}

client/iface/device/device_usp_unix.go

@@ -12,7 +12,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -21,16 +20,16 @@ type USPDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
+	mtu     int
 	iceBind *bind.ICEBind
 
 	device         *device.Device
 	filteredDevice *FilteredDevice
-	udpMux         *udpmux.UniversalUDPMuxDefault
+	udpMux         *bind.UniversalUDPMuxDefault
 	configurer     WGConfigurer
 }
 
-func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *USPDevice {
+func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *USPDevice {
 	log.Infof("using userspace bind mode")
 
 	return &USPDevice{
@@ -45,9 +44,9 @@ func NewUSPDevice(name string, address wgaddr.Address, port int, key string, mtu
 
 func (t *USPDevice) Create() (WGConfigurer, error) {
 	log.Info("create tun interface")
-	tunIface, err := tun.CreateTUN(t.name, int(t.mtu))
+	tunIface, err := tun.CreateTUN(t.name, t.mtu)
 	if err != nil {
-		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, int(t.mtu), err)
+		log.Debugf("failed to create tun interface (%s, %d): %s", t.name, t.mtu, err)
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
 	t.filteredDevice = newDeviceFilter(tunIface)
@@ -75,7 +74,7 @@ func (t *USPDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *USPDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *USPDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	if t.device == nil {
 		return nil, fmt.Errorf("device is not ready yet")
 	}
@@ -119,10 +118,6 @@ func (t *USPDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *USPDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *USPDevice) DeviceName() string {
 	return t.name
 }

client/iface/device/device_windows.go

@@ -13,7 +13,6 @@ import (
 
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
@@ -24,17 +23,17 @@ type TunDevice struct {
 	address wgaddr.Address
 	port    int
 	key     string
-	mtu     uint16
+	mtu     int
 	iceBind *bind.ICEBind
 
 	device          *device.Device
 	nativeTunDevice *tun.NativeTun
 	filteredDevice  *FilteredDevice
-	udpMux          *udpmux.UniversalUDPMuxDefault
+	udpMux          *bind.UniversalUDPMuxDefault
 	configurer      WGConfigurer
 }
 
-func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu uint16, iceBind *bind.ICEBind) *TunDevice {
+func NewTunDevice(name string, address wgaddr.Address, port int, key string, mtu int, iceBind *bind.ICEBind) *TunDevice {
 	return &TunDevice{
 		name:    name,
 		address: address,
@@ -60,7 +59,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 		return nil, err
 	}
 	log.Info("create tun interface")
-	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, int(t.mtu))
+	tunDevice, err := tun.CreateTUNWithRequestedGUID(t.name, &guid, t.mtu)
 	if err != nil {
 		return nil, fmt.Errorf("error creating tun device: %s", err)
 	}
@@ -105,7 +104,7 @@ func (t *TunDevice) Create() (WGConfigurer, error) {
 	return t.configurer, nil
 }
 
-func (t *TunDevice) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (t *TunDevice) Up() (*bind.UniversalUDPMuxDefault, error) {
 	err := t.device.Up()
 	if err != nil {
 		return nil, err
@@ -145,10 +144,6 @@ func (t *TunDevice) WgAddress() wgaddr.Address {
 	return t.address
 }
 
-func (t *TunDevice) MTU() uint16 {
-	return t.mtu
-}
-
 func (t *TunDevice) DeviceName() string {
 	return t.name
 }

client/iface/device_android.go

@@ -5,17 +5,16 @@ import (
 
 	"golang.zx2c4.com/wireguard/tun/netstack"
 
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
 type WGTunDevice interface {
 	Create(routes []string, dns string, searchDomains []string) (device.WGConfigurer, error)
-	Up() (*udpmux.UniversalUDPMuxDefault, error)
+	Up() (*bind.UniversalUDPMuxDefault, error)
 	UpdateAddr(address wgaddr.Address) error
 	WgAddress() wgaddr.Address
-	MTU() uint16
 	DeviceName() string
 	Close() error
 	FilteredDevice() *device.FilteredDevice

client/iface/iface.go

@@ -16,9 +16,9 @@ import (
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
 	"github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/configurer"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 	"github.com/netbirdio/netbird/monotime"
@@ -26,8 +26,6 @@ import (
 
 const (
 	DefaultMTU         = 1280
-	MinMTU             = 576
-	MaxMTU             = 8192
 	DefaultWgPort      = 51820
 	WgInterfaceDefault = configurer.WgInterfaceDefault
 )
@@ -37,17 +35,6 @@ var (
 	ErrIfaceNotFound = fmt.Errorf("wireguard interface not found")
 )
 
-// ValidateMTU validates that MTU is within acceptable range
-func ValidateMTU(mtu uint16) error {
-	if mtu < MinMTU {
-		return fmt.Errorf("MTU %d below minimum (%d bytes)", mtu, MinMTU)
-	}
-	if mtu > MaxMTU {
-		return fmt.Errorf("MTU %d exceeds maximum supported size (%d bytes)", mtu, MaxMTU)
-	}
-	return nil
-}
-
 type wgProxyFactory interface {
 	GetProxy() wgproxy.Proxy
 	Free() error
@@ -58,10 +45,10 @@ type WGIFaceOpts struct {
 	Address      string
 	WGPort       int
 	WGPrivKey    string
-	MTU          uint16
+	MTU          int
 	MobileArgs   *device.MobileIFaceArguments
 	TransportNet transport.Net
-	FilterFn     udpmux.FilterFn
+	FilterFn     bind.FilterFn
 	DisableDNS   bool
 }
 
@@ -95,10 +82,6 @@ func (w *WGIface) Address() wgaddr.Address {
 	return w.tun.WgAddress()
 }
 
-func (w *WGIface) MTU() uint16 {
-	return w.tun.MTU()
-}
-
 // ToInterface returns the net.Interface for the Wireguard interface
 func (r *WGIface) ToInterface() *net.Interface {
 	name := r.tun.DeviceName()
@@ -114,7 +97,7 @@ func (r *WGIface) ToInterface() *net.Interface {
 
 // Up configures a Wireguard interface
 // The interface must exist before calling this method (e.g. call interface.Create() before)
-func (w *WGIface) Up() (*udpmux.UniversalUDPMuxDefault, error) {
+func (w *WGIface) Up() (*bind.UniversalUDPMuxDefault, error) {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 

client/iface/iface_destroy_js.go

@@ -1,6 +0,0 @@
-package iface
-
-// Destroy is a no-op on WASM
-func (w *WGIface) Destroy() error {
-	return nil
-}

client/iface/iface_new_android.go

@@ -3,7 +3,6 @@ package iface
 import (
 	"github.com/netbirdio/netbird/client/iface/bind"
 	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 	"github.com/netbirdio/netbird/client/iface/wgproxy"
 )
@@ -15,21 +14,12 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-
-	if netstack.IsEnabled() {
-		wgIFace := &WGIface{
-			userspaceBind:  true,
-			tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr()),
-			wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
-		}
-		return wgIFace, nil
-	}
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            device.NewTunDevice(wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunAdapter, opts.DisableDNS),
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_darwin.go

@@ -17,7 +17,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {
@@ -29,7 +29,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_freebsd.go

@@ -1,41 +0,0 @@
-//go:build freebsd
-
-package iface
-
-import (
-	"fmt"
-
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace Creates a new WireGuard interface instance
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	wgIFace := &WGIface{}
-
-	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
-		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
-		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
-		return wgIFace, nil
-	}
-
-	return nil, fmt.Errorf("couldn't check or load tun module")
-}

client/iface/iface_new_ios.go

@@ -16,12 +16,12 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 		return nil, err
 	}
 
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	wgIFace := &WGIface{
-		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, opts.MobileArgs.TunFd),
+		tun:            device.NewTunDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, iceBind, opts.MobileArgs.TunFd),
 		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 }

client/iface/iface_new_js.go

@@ -1,27 +0,0 @@
-package iface
-
-import (
-	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/device"
-	"github.com/netbirdio/netbird/client/iface/netstack"
-	"github.com/netbirdio/netbird/client/iface/wgaddr"
-	"github.com/netbirdio/netbird/client/iface/wgproxy"
-)
-
-// NewWGIFace creates a new WireGuard interface for WASM (always uses netstack mode)
-func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
-	wgAddress, err := wgaddr.ParseWGAddress(opts.Address)
-	if err != nil {
-		return nil, err
-	}
-
-	relayBind := bind.NewRelayBindJS()
-
-	wgIface := &WGIface{
-		tun:            device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, relayBind, netstack.ListenAddr()),
-		userspaceBind:  true,
-		wgProxyFactory: wgproxy.NewUSPFactory(relayBind, opts.MTU),
-	}
-
-	return wgIface, nil
-}

client/iface/iface_new_unix.go

@@ -1,4 +1,4 @@
-//go:build linux && !android
+//go:build (linux && !android) || freebsd
 
 package iface
 
@@ -22,23 +22,23 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{}
 
 	if netstack.IsEnabled() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 		wgIFace.tun = device.NewNetstackDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind, netstack.ListenAddr())
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}
 
 	if device.WireGuardModuleIsLoaded() {
 		wgIFace.tun = device.NewKernelDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, opts.TransportNet)
-		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewKernelFactory(opts.WGPort)
 		return wgIFace, nil
 	}
 	if device.ModuleTunIsLoaded() {
-		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+		iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 		wgIFace.tun = device.NewUSPDevice(opts.IFaceName, wgAddress, opts.WGPort, opts.WGPrivKey, opts.MTU, iceBind)
 		wgIFace.userspaceBind = true
-		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind, opts.MTU)
+		wgIFace.wgProxyFactory = wgproxy.NewUSPFactory(iceBind)
 		return wgIFace, nil
 	}
 

client/iface/iface_new_windows.go

@@ -14,7 +14,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	if err != nil {
 		return nil, err
 	}
-	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress, opts.MTU)
+	iceBind := bind.NewICEBind(opts.TransportNet, opts.FilterFn, wgAddress)
 
 	var tun WGTunDevice
 	if netstack.IsEnabled() {
@@ -26,7 +26,7 @@ func NewWGIFace(opts WGIFaceOpts) (*WGIface, error) {
 	wgIFace := &WGIface{
 		userspaceBind:  true,
 		tun:            tun,
-		wgProxyFactory: wgproxy.NewUSPFactory(iceBind, opts.MTU),
+		wgProxyFactory: wgproxy.NewUSPFactory(iceBind),
 	}
 	return wgIFace, nil
 

client/iface/netstack/env.go

@@ -1,5 +1,3 @@
-//go:build !js
-
 package netstack
 
 import (

client/iface/netstack/env_js.go

@@ -1,12 +0,0 @@
-package netstack
-
-const EnvUseNetstackMode = "NB_USE_NETSTACK_MODE"
-
-// IsEnabled always returns true for js since it's the only mode available
-func IsEnabled() bool {
-	return true
-}
-
-func ListenAddr() string {
-	return ""
-}

client/iface/udpmux/doc.go

@@ -1,64 +0,0 @@
-// Package udpmux provides a custom implementation of a UDP multiplexer
-// that allows multiple logical ICE connections to share a single underlying
-// UDP socket. This is based on Pion's ICE library, with modifications for
-// NetBird's requirements.
-//
-// # Background
-//
-// In WebRTC and NAT traversal scenarios, ICE (Interactive Connectivity
-// Establishment) is responsible for discovering candidate network paths
-// and maintaining connectivity between peers. Each ICE connection
-// normally requires a dedicated UDP socket. However, using one socket
-// per candidate can be inefficient and difficult to manage.
-//
-// This package introduces SingleSocketUDPMux, which allows multiple ICE
-// candidate connections (muxed connections) to share a single UDP socket.
-// It handles demultiplexing of packets based on ICE ufrag values, STUN
-// attributes, and candidate IDs.
-//
-// # Usage
-//
-// The typical flow is:
-//
-//  1. Create a UDP socket (net.PacketConn).
-//  2. Construct Params with the socket and optional logger/net stack.
-//  3. Call NewSingleSocketUDPMux(params).
-//  4. For each ICE candidate ufrag, call GetConn(ufrag, addr, candidateID)
-//     to obtain a logical PacketConn.
-//  5. Use the returned PacketConn just like a normal UDP connection.
-//
-// # STUN Message Routing Logic
-//
-//		When a STUN packet arrives, the mux decides which connection should
-//		receive it using this routing logic:
-//
-//		Primary Routing: Candidate Pair ID
-//		  - Extract the candidate pair ID from the STUN message using
-//		    ice.CandidatePairIDFromSTUN(msg)
-//	   - The target candidate is the locally generated candidate that
-//	     corresponds to the connection that should handle this STUN message
-//		  - If found, use the target candidate ID to lookup the specific
-//		    connection in candidateConnMap
-//		  - Route the message directly to that connection
-//
-//		Fallback Routing: Broadcasting
-//		  When candidate pair ID is not available or lookup fails:
-//		  - Collect connections from addressMap based on source address
-//		  - Find connection using username attribute (ufrag) from STUN message
-//		  - Remove duplicate connections from the list
-//		  - Send the STUN message to all collected connections
-//
-// # Peer Reflexive Candidate Discovery
-//
-//	When a remote peer sends a STUN message from an unknown source address
-//	(from a candidate that has not been exchanged via signal), the ICE
-//	library will:
-//	  - Generate a new peer reflexive candidate for this source address
-//	  - Extract or assign a candidate ID based on the STUN message attributes
-//	  - Create a mapping between the new peer reflexive candidate ID and
-//	    the appropriate local connection
-//
-//	This discovery mechanism ensures that STUN messages from newly discovered
-//	peer reflexive candidates can be properly routed to the correct local
-//	connection without requiring fallback broadcasting.
-package udpmux

client/iface/udpmux/mux_ios.go

@@ -1,7 +0,0 @@
-//go:build ios
-
-package udpmux
-
-func (m *SingleSocketUDPMux) notifyAddressRemoval(addr string) {
-	// iOS doesn't support nbnet hooks, so this is a no-op
-}

client/iface/wgproxy/bind/proxy.go

@@ -12,42 +12,31 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	"github.com/netbirdio/netbird/client/iface/bind"
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
-type Bind interface {
-	SetEndpoint(addr netip.Addr, conn net.Conn)
-	RemoveEndpoint(addr netip.Addr)
-	ReceiveFromEndpoint(ctx context.Context, ep *bind.Endpoint, buf []byte)
-}
-
 type ProxyBind struct {
-	bind Bind
+	Bind *bind.ICEBind
 
-	// wgRelayedEndpoint is a fake address that generated by the Bind.SetEndpoint based on the remote NetBird peer address
-	wgRelayedEndpoint *bind.Endpoint
-	wgCurrentUsed     *bind.Endpoint
-	remoteConn        net.Conn
-	ctx               context.Context
-	cancel            context.CancelFunc
-	closeMu           sync.Mutex
-	closed            bool
+	fakeNetIP      *netip.AddrPort
+	wgBindEndpoint *bind.Endpoint
+	remoteConn     net.Conn
+	ctx            context.Context
+	cancel         context.CancelFunc
+	closeMu        sync.Mutex
+	closed         bool
 
-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool
 
 	closeListener *listener.CloseListener
-	mtu           uint16
 }
 
-func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
+func NewProxyBind(bind *bind.ICEBind) *ProxyBind {
 	p := &ProxyBind{
-		bind:          bind,
+		Bind:          bind,
 		closeListener: listener.NewCloseListener(),
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
-		mtu:           mtu + bufsize.WGBufferOverhead,
 	}
 
 	return p
@@ -56,25 +45,25 @@ func NewProxyBind(bind Bind, mtu uint16) *ProxyBind {
 // AddTurnConn adds a new connection to the bind.
 // endpoint is the NetBird address of the remote peer. The SetEndpoint return with the address what will be used in the
 // WireGuard configuration.
-//
-// Parameters:
-//   - ctx: Context is used for proxyToLocal to avoid unnecessary error messages
-//   - nbAddr: The NetBird UDP address of the remote peer, it required to generate fake address
-//   - remoteConn: The established TURN connection to the remote peer
 func (p *ProxyBind) AddTurnConn(ctx context.Context, nbAddr *net.UDPAddr, remoteConn net.Conn) error {
 	fakeNetIP, err := fakeAddress(nbAddr)
 	if err != nil {
 		return err
 	}
-	p.wgRelayedEndpoint = &bind.Endpoint{AddrPort: *fakeNetIP}
+
+	p.fakeNetIP = fakeNetIP
+	p.wgBindEndpoint = &bind.Endpoint{AddrPort: *fakeNetIP}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
 	return nil
 
 }
-
 func (p *ProxyBind) EndpointAddr() *net.UDPAddr {
-	return bind.EndpointToUDPAddr(*p.wgRelayedEndpoint)
+	return &net.UDPAddr{
+		IP:   p.fakeNetIP.Addr().AsSlice(),
+		Port: int(p.fakeNetIP.Port()),
+		Zone: p.fakeNetIP.Addr().Zone(),
+	}
 }
 
 func (p *ProxyBind) SetDisconnectListener(disconnected func()) {
@@ -86,21 +75,17 @@ func (p *ProxyBind) Work() {
 		return
 	}
 
-	p.bind.SetEndpoint(p.wgRelayedEndpoint.Addr(), p.remoteConn)
+	p.Bind.SetEndpoint(p.fakeNetIP.Addr(), p.remoteConn)
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-
-	p.wgCurrentUsed = p.wgRelayedEndpoint
+	p.pausedMu.Unlock()
 
 	// Start the proxy only once
 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToLocal(p.ctx)
 	}
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }
 
 func (p *ProxyBind) Pause() {
@@ -108,25 +93,9 @@ func (p *ProxyBind) Pause() {
 		return
 	}
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-func (p *ProxyBind) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	p.paused = false
-
-	p.wgCurrentUsed = addrToEndpoint(endpoint)
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-}
-
-func addrToEndpoint(addr *net.UDPAddr) *bind.Endpoint {
-	ip, _ := netip.AddrFromSlice(addr.IP.To4())
-	addrPort := netip.AddrPortFrom(ip, uint16(addr.Port))
-	return &bind.Endpoint{AddrPort: addrPort}
+	p.pausedMu.Unlock()
 }
 
 func (p *ProxyBind) CloseConn() error {
@@ -137,10 +106,6 @@ func (p *ProxyBind) CloseConn() error {
 }
 
 func (p *ProxyBind) close() error {
-	if p.remoteConn == nil {
-		return nil
-	}
-
 	p.closeMu.Lock()
 	defer p.closeMu.Unlock()
 
@@ -154,12 +119,7 @@ func (p *ProxyBind) close() error {
 
 	p.cancel()
 
-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
-	p.bind.RemoveEndpoint(p.wgRelayedEndpoint.Addr())
+	p.Bind.RemoveEndpoint(p.fakeNetIP.Addr())
 
 	if rErr := p.remoteConn.Close(); rErr != nil && !errors.Is(rErr, net.ErrClosed) {
 		return rErr
@@ -175,7 +135,7 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 	}()
 
 	for {
-		buf := make([]byte, p.mtu)
+		buf := make([]byte, 1500)
 		n, err := p.remoteConn.Read(buf)
 		if err != nil {
 			if ctx.Err() != nil {
@@ -186,13 +146,18 @@ func (p *ProxyBind) proxyToLocal(ctx context.Context) {
 			return
 		}
 
-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}
 
-		p.bind.ReceiveFromEndpoint(ctx, p.wgCurrentUsed, buf[:n])
-		p.pausedCond.L.Unlock()
+		msg := bind.RecvMessage{
+			Endpoint: p.wgBindEndpoint,
+			Buffer:   buf[:n],
+		}
+		p.Bind.RecvChan <- msg
+		p.pausedMu.Unlock()
 	}
 }
 

client/iface/wgproxy/ebpf/proxy.go

@@ -6,7 +6,9 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"os"
 	"sync"
+	"syscall"
 
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
@@ -15,25 +17,18 @@ import (
 	log "github.com/sirupsen/logrus"
 
 	nberrors "github.com/netbirdio/netbird/client/errors"
-	"github.com/netbirdio/netbird/client/iface/bufsize"
-	"github.com/netbirdio/netbird/client/iface/wgproxy/rawsocket"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
-	nbnet "github.com/netbirdio/netbird/client/net"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )
 
 const (
 	loopbackAddr = "127.0.0.1"
 )
 
-var (
-	localHostNetIP = net.ParseIP("127.0.0.1")
-)
-
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
 	localWGListenPort int
-	mtu               uint16
 
 	ebpfManager   ebpfMgr.Manager
 	turnConnStore map[uint16]net.Conn
@@ -48,11 +43,10 @@ type WGEBPFProxy struct {
 }
 
 // NewWGEBPFProxy create new WGEBPFProxy instance
-func NewWGEBPFProxy(wgPort int, mtu uint16) *WGEBPFProxy {
+func NewWGEBPFProxy(wgPort int) *WGEBPFProxy {
 	log.Debugf("instantiate ebpf proxy")
 	wgProxy := &WGEBPFProxy{
 		localWGListenPort: wgPort,
-		mtu:               mtu,
 		ebpfManager:       ebpf.GetEbpfManagerInstance(),
 		turnConnStore:     make(map[uint16]net.Conn),
 	}
@@ -67,7 +61,7 @@ func (p *WGEBPFProxy) Listen() error {
 		return err
 	}
 
-	p.rawConn, err = rawsocket.PrepareSenderRawSocket()
+	p.rawConn, err = p.prepareSenderRawSocket()
 	if err != nil {
 		return err
 	}
@@ -144,7 +138,7 @@ func (p *WGEBPFProxy) Free() error {
 // proxyToRemote read messages from local WireGuard interface and forward it to remote conn
 // From this go routine has only one instance.
 func (p *WGEBPFProxy) proxyToRemote() {
-	buf := make([]byte, p.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for p.ctx.Err() == nil {
 		if err := p.readAndForwardPacket(buf); err != nil {
 			if p.ctx.Err() != nil {
@@ -217,17 +211,57 @@ generatePort:
 	return p.lastUsedPort, nil
 }
 
-func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
+func (p *WGEBPFProxy) prepareSenderRawSocket() (net.PacketConn, error) {
+	// Create a raw socket.
+	fd, err := syscall.Socket(syscall.AF_INET, syscall.SOCK_RAW, syscall.IPPROTO_RAW)
+	if err != nil {
+		return nil, fmt.Errorf("creating raw socket failed: %w", err)
+	}
+
+	// Set the IP_HDRINCL option on the socket to tell the kernel that headers are included in the packet.
+	err = syscall.SetsockoptInt(fd, syscall.IPPROTO_IP, syscall.IP_HDRINCL, 1)
+	if err != nil {
+		return nil, fmt.Errorf("setting IP_HDRINCL failed: %w", err)
+	}
+
+	// Bind the socket to the "lo" interface.
+	err = syscall.SetsockoptString(fd, syscall.SOL_SOCKET, syscall.SO_BINDTODEVICE, "lo")
+	if err != nil {
+		return nil, fmt.Errorf("binding to lo interface failed: %w", err)
+	}
+
+	// Set the fwmark on the socket.
+	err = nbnet.SetSocketOpt(fd)
+	if err != nil {
+		return nil, fmt.Errorf("setting fwmark failed: %w", err)
+	}
+
+	// Convert the file descriptor to a PacketConn.
+	file := os.NewFile(uintptr(fd), fmt.Sprintf("fd %d", fd))
+	if file == nil {
+		return nil, fmt.Errorf("converting fd to file failed")
+	}
+	packetConn, err := net.FilePacketConn(file)
+	if err != nil {
+		return nil, fmt.Errorf("converting file to packet conn failed: %w", err)
+	}
+
+	return packetConn, nil
+}
+
+func (p *WGEBPFProxy) sendPkg(data []byte, port int) error {
+	localhost := net.ParseIP("127.0.0.1")
+
 	payload := gopacket.Payload(data)
 	ipH := &layers.IPv4{
-		DstIP:    localHostNetIP,
-		SrcIP:    endpointAddr.IP,
+		DstIP:    localhost,
+		SrcIP:    localhost,
 		Version:  4,
 		TTL:      64,
 		Protocol: layers.IPProtocolUDP,
 	}
 	udpH := &layers.UDP{
-		SrcPort: layers.UDPPort(endpointAddr.Port),
+		SrcPort: layers.UDPPort(port),
 		DstPort: layers.UDPPort(p.localWGListenPort),
 	}
 
@@ -242,7 +276,7 @@ func (p *WGEBPFProxy) sendPkg(data []byte, endpointAddr *net.UDPAddr) error {
 	if err != nil {
 		return fmt.Errorf("serialize layers: %w", err)
 	}
-	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localHostNetIP}); err != nil {
+	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localhost}); err != nil {
 		return fmt.Errorf("write to raw conn: %w", err)
 	}
 	return nil

client/iface/wgproxy/ebpf/proxy_test.go

@@ -7,7 +7,7 @@ import (
 )
 
 func TestWGEBPFProxy_connStore(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1, 1280)
+	wgProxy := NewWGEBPFProxy(1)
 
 	p, _ := wgProxy.storeTurnConn(nil)
 	if p != 1 {
@@ -27,7 +27,7 @@ func TestWGEBPFProxy_connStore(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1, 1280)
+	wgProxy := NewWGEBPFProxy(1)
 
 	_, _ = wgProxy.storeTurnConn(nil)
 	wgProxy.lastUsedPort = 65535
@@ -43,7 +43,7 @@ func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_maxConn(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(1, 1280)
+	wgProxy := NewWGEBPFProxy(1)
 
 	for i := 0; i < 65535; i++ {
 		_, _ = wgProxy.storeTurnConn(nil)

client/iface/wgproxy/ebpf/wrapper.go

@@ -12,48 +12,46 @@ import (
 
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface/bufsize"
 	"github.com/netbirdio/netbird/client/iface/wgproxy/listener"
 )
 
 // ProxyWrapper help to keep the remoteConn instance for net.Conn.Close function call
 type ProxyWrapper struct {
-	wgeBPFProxy *WGEBPFProxy
+	WgeBPFProxy *WGEBPFProxy
 
 	remoteConn net.Conn
 	ctx        context.Context
 	cancel     context.CancelFunc
 
-	wgRelayedEndpointAddr     *net.UDPAddr
-	wgEndpointCurrentUsedAddr *net.UDPAddr
+	wgEndpointAddr *net.UDPAddr
 
-	paused     bool
-	pausedCond *sync.Cond
-	isStarted  bool
+	pausedMu  sync.Mutex
+	paused    bool
+	isStarted bool
 
 	closeListener *listener.CloseListener
 }
 
-func NewProxyWrapper(proxy *WGEBPFProxy) *ProxyWrapper {
+func NewProxyWrapper(WgeBPFProxy *WGEBPFProxy) *ProxyWrapper {
 	return &ProxyWrapper{
-		wgeBPFProxy:   proxy,
-		pausedCond:    sync.NewCond(&sync.Mutex{}),
+		WgeBPFProxy:   WgeBPFProxy,
 		closeListener: listener.NewCloseListener(),
 	}
 }
+
 func (p *ProxyWrapper) AddTurnConn(ctx context.Context, endpoint *net.UDPAddr, remoteConn net.Conn) error {
-	addr, err := p.wgeBPFProxy.AddTurnConn(remoteConn)
+	addr, err := p.WgeBPFProxy.AddTurnConn(remoteConn)
 	if err != nil {
 		return fmt.Errorf("add turn conn: %w", err)
 	}
 	p.remoteConn = remoteConn
 	p.ctx, p.cancel = context.WithCancel(ctx)
-	p.wgRelayedEndpointAddr = addr
+	p.wgEndpointAddr = addr
 	return err
 }
 
 func (p *ProxyWrapper) EndpointAddr() *net.UDPAddr {
-	return p.wgRelayedEndpointAddr
+	return p.wgEndpointAddr
 }
 
 func (p *ProxyWrapper) SetDisconnectListener(disconnected func()) {
@@ -65,18 +63,14 @@ func (p *ProxyWrapper) Work() {
 		return
 	}
 
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = false
-
-	p.wgEndpointCurrentUsedAddr = p.wgRelayedEndpointAddr
+	p.pausedMu.Unlock()
 
 	if !p.isStarted {
 		p.isStarted = true
 		go p.proxyToLocal(p.ctx)
 	}
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
 }
 
 func (p *ProxyWrapper) Pause() {
@@ -85,59 +79,45 @@ func (p *ProxyWrapper) Pause() {
 	}
 
 	log.Tracef("pause proxy reading from: %s", p.remoteConn.RemoteAddr())
-	p.pausedCond.L.Lock()
+	p.pausedMu.Lock()
 	p.paused = true
-	p.pausedCond.L.Unlock()
-}
-
-func (p *ProxyWrapper) RedirectAs(endpoint *net.UDPAddr) {
-	p.pausedCond.L.Lock()
-	p.paused = false
-
-	p.wgEndpointCurrentUsedAddr = endpoint
-
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
+	p.pausedMu.Unlock()
 }
 
 // CloseConn close the remoteConn and automatically remove the conn instance from the map
-func (p *ProxyWrapper) CloseConn() error {
-	if p.cancel == nil {
+func (e *ProxyWrapper) CloseConn() error {
+	if e.cancel == nil {
 		return fmt.Errorf("proxy not started")
 	}
 
-	p.cancel()
+	e.cancel()
 
-	p.closeListener.SetCloseListener(nil)
+	e.closeListener.SetCloseListener(nil)
 
-	p.pausedCond.L.Lock()
-	p.paused = false
-	p.pausedCond.Signal()
-	p.pausedCond.L.Unlock()
-
-	if err := p.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
-		return fmt.Errorf("failed to close remote conn: %w", err)
+	if err := e.remoteConn.Close(); err != nil && !errors.Is(err, net.ErrClosed) {
+		return fmt.Errorf("close remote conn: %w", err)
 	}
 	return nil
 }
 
 func (p *ProxyWrapper) proxyToLocal(ctx context.Context) {
-	defer p.wgeBPFProxy.removeTurnConn(uint16(p.wgRelayedEndpointAddr.Port))
+	defer p.WgeBPFProxy.removeTurnConn(uint16(p.wgEndpointAddr.Port))
 
-	buf := make([]byte, p.wgeBPFProxy.mtu+bufsize.WGBufferOverhead)
+	buf := make([]byte, 1500)
 	for {
 		n, err := p.readFromRemote(ctx, buf)
 		if err != nil {
 			return
 		}
 
-		p.pausedCond.L.Lock()
-		for p.paused {
-			p.pausedCond.Wait()
+		p.pausedMu.Lock()
+		if p.paused {
+			p.pausedMu.Unlock()
+			continue
 		}
 
-		err = p.wgeBPFProxy.sendPkg(buf[:n], p.wgEndpointCurrentUsedAddr)
-		p.pausedCond.L.Unlock()
+		err = p.WgeBPFProxy.sendPkg(buf[:n], p.wgEndpointAddr.Port)
+		p.pausedMu.Unlock()
 
 		if err != nil {
 			if ctx.Err() != nil {
@@ -156,7 +136,7 @@ func (p *ProxyWrapper) readFromRemote(ctx context.Context, buf []byte) (int, err
 		}
 		p.closeListener.Notify()
 		if !errors.Is(err, io.EOF) {
-			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgRelayedEndpointAddr.Port, err)
+			log.Errorf("failed to read from turn conn (endpoint: :%d): %s", p.wgEndpointAddr.Port, err)
 		}
 		return 0, err
 	}

client/iface/wgproxy/factory_kernel.go

@@ -11,18 +11,16 @@ import (
 
 type KernelFactory struct {
 	wgPort int
-	mtu    uint16
 
 	ebpfProxy *ebpf.WGEBPFProxy
 }
 
-func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
+func NewKernelFactory(wgPort int) *KernelFactory {
 	f := &KernelFactory{
 		wgPort: wgPort,
-		mtu:    mtu,
 	}
 
-	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort, mtu)
+	ebpfProxy := ebpf.NewWGEBPFProxy(wgPort)
 	if err := ebpfProxy.Listen(); err != nil {
 		log.Infof("WireGuard Proxy Factory will produce UDP proxy")
 		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
@@ -35,10 +33,11 @@ func NewKernelFactory(wgPort int, mtu uint16) *KernelFactory {
 
 func (w *KernelFactory) GetProxy() Proxy {
 	if w.ebpfProxy == nil {
-		return udpProxy.NewWGUDPProxy(w.wgPort, w.mtu)
+		return udpProxy.NewWGUDPProxy(w.wgPort)
 	}
 
 	return ebpf.NewProxyWrapper(w.ebpfProxy)
+
 }
 
 func (w *KernelFactory) Free() error {

client/iface/wgproxy/factory_kernel_freebsd.go

@@ -0,0 +1,29 @@
+package wgproxy
+
+import (
+	log "github.com/sirupsen/logrus"
+
+	udpProxy "github.com/netbirdio/netbird/client/iface/wgproxy/udp"
+)
+
+// KernelFactory todo: check eBPF support on FreeBSD
+type KernelFactory struct {
+	wgPort int
+}
+
+func NewKernelFactory(wgPort int) *KernelFactory {
+	log.Infof("WireGuard Proxy Factory will produce UDP proxy")
+	f := &KernelFactory{
+		wgPort: wgPort,
+	}
+
+	return f
+}
+
+func (w *KernelFactory) GetProxy() Proxy {
+	return udpProxy.NewWGUDPProxy(w.wgPort)
+}
+
+func (w *KernelFactory) Free() error {
+	return nil
+}