After add listener automatically trigger peer list change event

Fix map reading
Fix build without import C
2026-04-05 17:04:21 -04:00 · 2023-08-02 16:20:09 +02:00 · 2023-08-01 12:15:45 +02:00 · 2023-08-01 10:31:03 +02:00 · 2023-08-01 10:15:44 +02:00
43 changed files with 698 additions and 1200 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,16 +7,6 @@ on:
    branches:
      - main
  pull_request:
-    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.goreleaser.yml'
-      - '.goreleaser_ui.yaml'
-      - '.goreleaser_ui_darwin.yaml'
-      - '.github/workflows/release.yml'
-      - 'release_files/**'
-      - '**/Dockerfile'
-      - '**/Dockerfile.*'

 env:
  SIGN_PIPE_VER: "v0.0.8"
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -1,13 +1,10 @@
-name: Test Infrastructure files
+name: Test Docker Compose Linux

 on:
  push:
    branches:
      - main
  pull_request:
-    paths:
-      - 'infrastructure_files/**'
-      - '.github/workflows/test-infrastructure-files.yml'


 concurrency:
@@ -15,7 +12,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  test-docker-compose:
+  test:
    runs-on: ubuntu-latest
    steps:
      - name: Install jq
@@ -38,7 +35,7 @@ jobs:
            ${{ runner.os }}-go-

      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2

      - name: cp setup.env
        run: cp infrastructure_files/tests/setup.env infrastructure_files/
@@ -124,28 +121,3 @@ jobs:
          count=$(docker compose ps --format json | jq '.[] | select(.Project | contains("infrastructure_files")) | .State' | grep -c running)
          test $count -eq 4
        working-directory: infrastructure_files
-
-  test-getting-started-script:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install jq
-        run: sudo apt-get install -y jq
-
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: run script
-        run: NETBIRD_DOMAIN=use-ip bash -x infrastructure_files/getting-started-with-zitadel.sh
-
-      - name: test Caddy file gen
-        run: test -f Caddyfile
-      - name: test docker-compose file gen
-        run: test -f docker-compose.yml
-      - name: test management.json file gen
-        run: test -f management.json
-      - name: test turnserver.conf file gen
-        run: test -f turnserver.conf
-      - name: test zitadel.env file gen
-        run: test -f zitadel.env
-      - name: test dashboard.env file gen
-        run: test -f dashboard.env
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -377,13 +377,3 @@ uploads:
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
    method: PUT
-
-checksum:
-  extra_files:
-    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
-    - glob: ./release_files/install.sh
-
-release:
-  extra_files:
-    - glob: ./infrastructure_files/getting-started-with-zitadel.sh
-    - glob: ./release_files/install.sh
--- a/README.md
+++ b/README.md
@@ -36,61 +36,46 @@

 <br>

-**NetBird combines a configuration-free peer-to-peer private network and a centralized access control system in a single platform, making it easy to create secure private networks for your organization or home.**
+**NetBird is an open-source VPN management platform built on top of WireGuard® making it easy to create secure private networks for your organization or home.**

-**Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.
+It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

-**Secure.** NetBird isolates every machine and device by applying granular access policies, while allowing you to manage them intuitively from a single place.
+NetBird uses [NAT traversal techniques](https://en.wikipedia.org/wiki/Interactive_Connectivity_Establishment) to automatically create an overlay peer-to-peer network connecting machines regardless of location (home, office, data center, container, cloud, or edge environments), unifying virtual private network management experience.

 **Key features:**
+- \[x] Automatic IP allocation and network management with a Web UI ([separate repo](https://github.com/netbirdio/dashboard))
+- \[x] Automatic WireGuard peer (machine) discovery and configuration.
+- \[x] Encrypted peer-to-peer connections without a central VPN gateway.
+- \[x] Connection relay fallback in case a peer-to-peer connection is not possible.
+- \[x] Desktop client applications for Linux, MacOS, and Windows (systray).
+- \[x] Multiuser support - sharing network between multiple users.
+- \[x] SSO and MFA support. 
+- \[x] Multicloud and hybrid-cloud support.
+- \[x] Kernel WireGuard usage when possible.
+- \[x] Access Controls - groups & rules.
+- \[x] Remote SSH access without managing SSH keys.
+- \[x] Network Routes.  
+- \[x] Private DNS.
+- \[x] Network Activity Monitoring.

-| Connectivity                             	                        | Management                                 	                             | Automation                                    	                            | Platforms    	                        |
-|-------------------------------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------------|---------------------------------------|
-| <ul><li> - \[x] Kernel WireGuard </ul></li>                   	   | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                           	      | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                	     | <ul><li> - \[x] Linux </ul></li>    	 |
-| <ul><li> - \[x] Peer-to-peer connections </ul></li>             	 | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>  	      | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li>  	     | <ul><li> - \[x] Mac </ul></li>      	 |
-| <ul><li> - \[x] Peer-to-peer encryption </ul></li>              	 | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>                       	      | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>              	 | <ul><li> - \[x] Windows </ul></li>  	 |
-| <ul><li> - \[x] Connection relay fallback </ul></li>            	 | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>                      	      | <ul><li> - \[x] IdP groups sync with JWT </ul></li> 	                      | <ul><li> - \[x] Android </ul></li>  	 |
-| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li>  	         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>      	        | 	                                                                          | <ul><li> - \[ ] iOS </ul></li>      	 |
-| <ul><li> - \[x] NAT traversal with BPF </ul></li>                 | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>                            	      | 	                                                                          | <ul><li> - \[x] Docker </ul></li>   	 |
-|                                                                   | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li>                      	      | 	                                                                          | <ul><li> - \[x] OpenWRT </ul></li>  	 |
-| 	                                                                 | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                       	      | 	                                                                          | 	                                     |
-| 	                                                                 | <ul><li> - \[x] SSH access management </ul></li>                       	 | 	                                                                          | 	                                     |
-
+**Coming soon:**
+-  \[ ] Mobile clients.

 ### Secure peer-to-peer VPN with SSO and MFA in minutes

 https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov

-### Quickstart with NetBird Cloud
+**Note**: The `main` branch may be in an *unstable or even broken state* during development. 
+For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

- Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
- Follow the steps to sign-up with Google, Microsoft, GitHub or your email address.
- Check NetBird [admin UI](https://app.netbird.io/).
- Add more machines.
+### Start using NetBird
+-  Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
+-  See our documentation for [Quickstart Guide](https://docs.netbird.io/how-to/getting-started).
+-  If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://docs.netbird.io/selfhosted/selfhosted-guide).
+-  Step-by-step [Installation Guide](https://docs.netbird.io/how-to/getting-started#installation) for different platforms.
+-  Web UI [repository](https://github.com/netbirdio/dashboard).
+-  5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.

-### Quickstart with self-hosted NetBird
-
-> This is the quickest way to try self-hosted NetBird. It should take around 5 minutes to get started if you already have a public domain and a VM.
-Follow the [Advanced guide with a custom identity provider](https://docs.netbird.io/selfhosted/selfhosted-guide#advanced-guide-with-a-custom-identity-provider) for installations with different IDPs.
-
-**Infrastructure requirements:**
- A Linux VM with at least **1CPU** and **2GB** of memory.
- The VM should be publicly accessible on TCP ports **80** and **443** and UDP ports: **3478**, **49152-65535**.
- **Public domain** name pointing to the VM.
-
-**Software requirements:**
- Docker installed on the VM with the docker compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
- [jq](https://jqlang.github.io/jq/) installed. In most distributions
-  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
- [curl](https://curl.se/) installed.
-  Usually available in the official repositories and can be installed with `sudo apt install curl` or `sudo yum install curl`
-
-**Steps**
- Download and run the installation script:
-```bash
-export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbirdio/netbird/releases/latest/download/getting-started-with-zitadel.sh | bash
-```
- Once finished, you can manage the resources via `docker-compose`

 ### A bit on NetBird internals
 -  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
@@ -103,18 +88,18 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.

 <p float="left" align="middle">
-  <img src="https://docs.netbird.io/docs-static/img/architecture/high-level-dia.png" width="700"/>
+  <img src="https://netbird.io/docs/img/architecture/high-level-dia.png" width="700"/>
 </p>

 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

+### Roadmap
+-  [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)
+
 ### Community projects
 -  [NetBird on OpenWRT](https://github.com/messense/openwrt-netbird)
 -  [NetBird installer script](https://github.com/physk/netbird-installer)

-**Note**: The `main` branch may be in an *unstable or even broken state* during development.
-For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
-
 ### Support acknowledgement

 In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
@@ -122,7 +107,7 @@ In November 2022, NetBird joined the [StartUpSecure program](https://www.forschu
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

 ### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), and [Coturn](https://github.com/coturn/coturn). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).

 ### Legal
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -15,8 +15,7 @@ const (
 	fileGeneratedResolvConfSearchBeginContent = "search "
 	fileGeneratedResolvConfContentFormat      = fileGeneratedResolvConfContentHeader +
 		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
-		fileGeneratedResolvConfSearchBeginContent + "%s\n\n" +
-		"%s\n"
+		fileGeneratedResolvConfSearchBeginContent + "%s\n"
 )

 const (
@@ -92,12 +91,7 @@ func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
 		searchDomains += " " + dConf.domain
 		appendedDomains++
 	}
-
-	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		log.Errorf("Could not read existing resolv.conf")
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
 	err = writeDNSConfig(content, defaultResolvConfPath, f.originalPerms)
 	if err != nil {
 		err = f.restore()
--- a/client/internal/dns/forwarder/bpf_bpfeb.go
+++ b/client/internal/dns/forwarder/bpf_bpfeb.go
@@ -0,0 +1,123 @@
+// Code generated by bpf2go; DO NOT EDIT.
+//go:build arm64be || armbe || mips || mips64 || mips64p32 || ppc64 || s390 || s390x || sparc || sparc64
+// +build arm64be armbe mips mips64 mips64p32 ppc64 s390 s390x sparc sparc64
+
+package forwarder
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+
+	"github.com/cilium/ebpf"
+)
+
+// loadBpf returns the embedded CollectionSpec for bpf.
+func loadBpf() (*ebpf.CollectionSpec, error) {
+	reader := bytes.NewReader(_BpfBytes)
+	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
+	if err != nil {
+		return nil, fmt.Errorf("can't load bpf: %w", err)
+	}
+
+	return spec, err
+}
+
+// loadBpfObjects loads bpf and converts it into a struct.
+//
+// The following types are suitable as obj argument:
+//
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
+//
+// See ebpf.CollectionSpec.LoadAndAssign documentation for details.
+func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
+	spec, err := loadBpf()
+	if err != nil {
+		return err
+	}
+
+	return spec.LoadAndAssign(obj, opts)
+}
+
+// bpfSpecs contains maps and programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfSpecs struct {
+	bpfProgramSpecs
+	bpfMapSpecs
+}
+
+// bpfSpecs contains programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfProgramSpecs struct {
+	XdpDnsPortFwd *ebpf.ProgramSpec `ebpf:"xdp_dns_port_fwd"`
+}
+
+// bpfMapSpecs contains maps before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfMapSpecs struct {
+	XdpIpMap   *ebpf.MapSpec `ebpf:"xdp_ip_map"`
+	XdpPortMap *ebpf.MapSpec `ebpf:"xdp_port_map"`
+}
+
+// bpfObjects contains all objects after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfObjects struct {
+	bpfPrograms
+	bpfMaps
+}
+
+func (o *bpfObjects) Close() error {
+	return _BpfClose(
+		&o.bpfPrograms,
+		&o.bpfMaps,
+	)
+}
+
+// bpfMaps contains all maps after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfMaps struct {
+	XdpIpMap   *ebpf.Map `ebpf:"xdp_ip_map"`
+	XdpPortMap *ebpf.Map `ebpf:"xdp_port_map"`
+}
+
+func (m *bpfMaps) Close() error {
+	return _BpfClose(
+		m.XdpIpMap,
+		m.XdpPortMap,
+	)
+}
+
+// bpfPrograms contains all programs after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfPrograms struct {
+	XdpDnsPortFwd *ebpf.Program `ebpf:"xdp_dns_port_fwd"`
+}
+
+func (p *bpfPrograms) Close() error {
+	return _BpfClose(
+		p.XdpDnsPortFwd,
+	)
+}
+
+func _BpfClose(closers ...io.Closer) error {
+	for _, closer := range closers {
+		if err := closer.Close(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Do not access this directly.
+//
+//go:embed bpf_bpfeb.o
+var _BpfBytes []byte
--- a/client/internal/dns/forwarder/bpf_bpfeb.o
+++ b/client/internal/dns/forwarder/bpf_bpfeb.o
--- a/client/internal/dns/forwarder/bpf_bpfel.go
+++ b/client/internal/dns/forwarder/bpf_bpfel.go
@@ -0,0 +1,123 @@
+// Code generated by bpf2go; DO NOT EDIT.
+//go:build 386 || amd64 || amd64p32 || arm || arm64 || mips64le || mips64p32le || mipsle || ppc64le || riscv64
+// +build 386 amd64 amd64p32 arm arm64 mips64le mips64p32le mipsle ppc64le riscv64
+
+package forwarder
+
+import (
+	"bytes"
+	_ "embed"
+	"fmt"
+	"io"
+
+	"github.com/cilium/ebpf"
+)
+
+// loadBpf returns the embedded CollectionSpec for bpf.
+func loadBpf() (*ebpf.CollectionSpec, error) {
+	reader := bytes.NewReader(_BpfBytes)
+	spec, err := ebpf.LoadCollectionSpecFromReader(reader)
+	if err != nil {
+		return nil, fmt.Errorf("can't load bpf: %w", err)
+	}
+
+	return spec, err
+}
+
+// loadBpfObjects loads bpf and converts it into a struct.
+//
+// The following types are suitable as obj argument:
+//
+//	*bpfObjects
+//	*bpfPrograms
+//	*bpfMaps
+//
+// See ebpf.CollectionSpec.LoadAndAssign documentation for details.
+func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error {
+	spec, err := loadBpf()
+	if err != nil {
+		return err
+	}
+
+	return spec.LoadAndAssign(obj, opts)
+}
+
+// bpfSpecs contains maps and programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfSpecs struct {
+	bpfProgramSpecs
+	bpfMapSpecs
+}
+
+// bpfSpecs contains programs before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfProgramSpecs struct {
+	XdpDnsPortFwd *ebpf.ProgramSpec `ebpf:"xdp_dns_port_fwd"`
+}
+
+// bpfMapSpecs contains maps before they are loaded into the kernel.
+//
+// It can be passed ebpf.CollectionSpec.Assign.
+type bpfMapSpecs struct {
+	XdpIpMap   *ebpf.MapSpec `ebpf:"xdp_ip_map"`
+	XdpPortMap *ebpf.MapSpec `ebpf:"xdp_port_map"`
+}
+
+// bpfObjects contains all objects after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfObjects struct {
+	bpfPrograms
+	bpfMaps
+}
+
+func (o *bpfObjects) Close() error {
+	return _BpfClose(
+		&o.bpfPrograms,
+		&o.bpfMaps,
+	)
+}
+
+// bpfMaps contains all maps after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfMaps struct {
+	XdpIpMap   *ebpf.Map `ebpf:"xdp_ip_map"`
+	XdpPortMap *ebpf.Map `ebpf:"xdp_port_map"`
+}
+
+func (m *bpfMaps) Close() error {
+	return _BpfClose(
+		m.XdpIpMap,
+		m.XdpPortMap,
+	)
+}
+
+// bpfPrograms contains all programs after they have been loaded into the kernel.
+//
+// It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
+type bpfPrograms struct {
+	XdpDnsPortFwd *ebpf.Program `ebpf:"xdp_dns_port_fwd"`
+}
+
+func (p *bpfPrograms) Close() error {
+	return _BpfClose(
+		p.XdpDnsPortFwd,
+	)
+}
+
+func _BpfClose(closers ...io.Closer) error {
+	for _, closer := range closers {
+		if err := closer.Close(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Do not access this directly.
+//
+//go:embed bpf_bpfel.o
+var _BpfBytes []byte
--- a/client/internal/dns/forwarder/bpf_bpfel.o
+++ b/client/internal/dns/forwarder/bpf_bpfel.o
--- a/client/internal/dns/forwarder/src/port_fwd.c
+++ b/client/internal/dns/forwarder/src/port_fwd.c
@@ -0,0 +1,100 @@
+#include <stdbool.h>
+#include <linux/if_ether.h> // ETH_P_IP
+#include <linux/udp.h>
+#include <linux/ip.h>
+#include <netinet/in.h>
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+#define bpf_printk(fmt, ...)                                                   \
+  ({                                                                           \
+    char ____fmt[] = fmt;                                                      \
+    bpf_trace_printk(____fmt, sizeof(____fmt), ##__VA_ARGS__);                 \
+  })
+
+const __u32 map_key_dns_ip = 0;
+const __u32 map_key_dns_port = 1;
+
+struct bpf_map_def SEC("maps") xdp_ip_map = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u32),
+	.max_entries = 10,
+};
+
+struct bpf_map_def SEC("maps") xdp_port_map = {
+	.type = BPF_MAP_TYPE_ARRAY,
+	.key_size = sizeof(__u32),
+	.value_size = sizeof(__u16),
+	.max_entries = 10,
+};
+
+__be32 dns_ip = 0;
+__be16 dns_port = 0;
+
+// 13568 is 53 in big endian
+__be16 GENERAL_DNS_PORT = 13568;
+
+bool read_settings() {
+    __u16 *port_value;
+    __u32 *ip_value;
+
+    // read dns ip
+    ip_value = bpf_map_lookup_elem(&xdp_ip_map, &map_key_dns_ip);
+    if(!ip_value) {
+        return false;
+    }
+    dns_ip = htonl(*ip_value);
+
+    // read dns port
+    port_value = bpf_map_lookup_elem(&xdp_port_map, &map_key_dns_port);
+    if(!port_value) {
+        return false;
+    }
+    dns_port = htons(*port_value);
+    return true;
+}
+
+SEC("xdp")
+int xdp_dns_port_fwd(struct xdp_md *ctx) {
+    if(dns_port == 0) {
+        if(!read_settings()){
+            return XDP_PASS;
+        }
+        bpf_printk("dns port: %d", ntohs(dns_port));
+        bpf_printk("dns ip: %d", ntohl(dns_ip));
+    }
+
+	void *data     = (void *)(long)ctx->data;
+	void *data_end = (void *)(long)ctx->data_end;
+	struct ethhdr *eth = data;
+    struct iphdr  *ip   = (data + sizeof(struct ethhdr));
+    struct udphdr *udp = (data + sizeof(struct ethhdr) + sizeof(struct iphdr));
+
+    // return early if not enough data
+    if (data + sizeof(struct ethhdr) + sizeof(struct iphdr) + sizeof(struct udphdr) > data_end){
+        return XDP_PASS;
+    }
+
+    // skip non IPv4 packages
+    if (eth->h_proto != htons(ETH_P_IP)) {
+       return XDP_PASS;
+    }
+
+    if (ip->protocol != IPPROTO_UDP) {
+       return XDP_PASS;
+    }
+
+    if (ip->daddr != dns_ip) {
+        return XDP_PASS;
+    }
+
+    // skip non dns ports
+    if (udp->dest != GENERAL_DNS_PORT){
+        return XDP_PASS;
+    }
+
+    udp->dest = dns_port;
+	return XDP_PASS;
+}
+char _license[] SEC("license") = "GPL";
--- a/client/internal/dns/forwarder/traffic_forwarder.go
+++ b/client/internal/dns/forwarder/traffic_forwarder.go
@@ -0,0 +1,89 @@
+package forwarder
+
+import (
+	_ "embed"
+	"encoding/binary"
+	"net"
+
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/rlimit"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	mapKeyDNSIP   uint32 = 0
+	mapKeyDNSPort uint32 = 1
+)
+
+// libbpf-dev, libc6-dev-i386-amd64-cross
+//
+//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang-14 bpf src/port_fwd.c -- -I /usr/x86_64-linux-gnu/include
+type TrafficForwarder struct {
+	link      link.Link
+	iFaceName string
+}
+
+func NewTrafficForwarder(iFace string) *TrafficForwarder {
+	return &TrafficForwarder{
+		iFaceName: iFace,
+	}
+}
+
+func (tf *TrafficForwarder) Start(ip string, dnsPort int) error {
+	log.Debugf("start DNS port forwarder")
+	// it required for Docker
+	err := rlimit.RemoveMemlock()
+	if err != nil {
+		return err
+	}
+
+	iFace, err := net.InterfaceByName(tf.iFaceName)
+	if err != nil {
+		return err
+	}
+
+	// load pre-compiled programs into the kernel.
+	objs := bpfObjects{}
+	err = loadBpfObjects(&objs, nil)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		_ = objs.Close()
+	}()
+
+	err = objs.XdpIpMap.Put(mapKeyDNSIP, tf.ip2int(ip))
+	if err != nil {
+		return err
+	}
+
+	err = objs.XdpPortMap.Put(mapKeyDNSPort, uint16(dnsPort))
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = objs.XdpPortMap.Close()
+	}()
+
+	tf.link, err = link.AttachXDP(link.XDPOptions{
+		Program:   objs.XdpDnsPortFwd,
+		Interface: iFace.Index,
+	})
+	return err
+}
+
+func (tf *TrafficForwarder) Free() error {
+	if tf.link == nil {
+		return nil
+	}
+
+	err := tf.link.Close()
+	tf.link = nil
+	return err
+}
+
+func (tf *TrafficForwarder) ip2int(ipString string) uint32 {
+	ip := net.ParseIP(ipString)
+	return binary.BigEndian.Uint32(ip.To4())
+}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -182,11 +182,12 @@ func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port
 }

 func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
-	primaryServiceKey, existingNameserver := s.getPrimaryService()
+	primaryServiceKey := s.getPrimaryService()
 	if primaryServiceKey == "" {
 		return fmt.Errorf("couldn't find the primary service key")
 	}
-	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port, existingNameserver)
+
+	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port)
 	if err != nil {
 		return err
 	}
@@ -195,32 +196,27 @@ func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error
 	return nil
 }

-func (s *systemConfigurator) getPrimaryService() (string, string) {
+func (s *systemConfigurator) getPrimaryService() string {
 	line := buildCommandLine("show", globalIPv4State, "")
 	stdinCommands := wrapCommand(line)
 	b, err := runSystemConfigCommand(stdinCommands)
 	if err != nil {
 		log.Error("got error while sending the command: ", err)
-		return "", ""
+		return ""
 	}
 	scanner := bufio.NewScanner(bytes.NewReader(b))
-	primaryService := ""
-	router := ""
 	for scanner.Scan() {
 		text := scanner.Text()
 		if strings.Contains(text, "PrimaryService") {
-			primaryService = strings.TrimSpace(strings.Split(text, ":")[1])
-		}
-		if strings.Contains(text, "Router") {
-			router = strings.TrimSpace(strings.Split(text, ":")[1])
+			return strings.TrimSpace(strings.Split(text, ":")[1])
 		}
 	}
-	return primaryService, router
+	return ""
 }

-func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int, existingDNSServer string) error {
+func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int) error {
 	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer+" "+existingDNSServer)
+	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
 	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
 	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
 	stdinCommands := wrapCommand(addDomainCommand)
--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -4,7 +4,6 @@ package dns

 import (
 	"fmt"
-	"os"
 	"os/exec"
 	"strings"

@@ -60,11 +59,7 @@ func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
 		appendedDomains++
 	}

-	originalContent, err := os.ReadFile(fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		log.Errorf("Could not read existing resolv.conf")
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains, string(originalContent))
+	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)

 	err = r.applyConfig(content)
 	if err != nil {
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -132,7 +132,7 @@ func (s *DefaultServer) Initialize() (err error) {
 // When kernel space interface used it return real DNS server listener IP address
 // For bind interface, fake DNS resolver address returned (second last IP address from Nebird network)
 func (s *DefaultServer) DnsIP() string {
-	return s.service.RuntimeIP()
+	return s.service.ListenIp()
 }

 // Stop stops the server
@@ -233,16 +233,9 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {

 	s.updateMux(muxUpdates)
 	s.updateLocalResolver(localRecords)
-	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
+	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.ListenIp(), s.service.ListenPort())

-	hostUpdate := s.currentConfig
-	if s.service.RuntimePort() != defaultPort && !s.hostManager.supportCustomPort() {
-		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
-			"Learn more at: https://netbird.io/docs/how-to-guides/nameservers#local-resolver")
-		hostUpdate.routeAll = false
-	}
-
-	if err = s.hostManager.applyDNSConfig(hostUpdate); err != nil {
+	if err = s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
 		log.Error(err)
 	}

--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -487,7 +487,7 @@ func TestDNSServerStartStop(t *testing.T) {
 					d := net.Dialer{
 						Timeout: time.Second * 5,
 					}
-					addr := fmt.Sprintf("%s:%d", dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
+					addr := fmt.Sprintf("%s:%d", dnsServer.service.ListenIp(), dnsServer.service.ListenPort())
 					conn, err := d.DialContext(ctx, network, addr)
 					if err != nil {
 						t.Log(err)
@@ -603,7 +603,7 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {

 	dnsServer.OnUpdatedHostDNSServer([]string{"8.8.8.8"})

-	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
+	resolver := newDnsResolver(dnsServer.service.ListenIp(), dnsServer.service.ListenPort())
 	_, err = resolver.LookupHost(context.Background(), "netbird.io")
 	if err != nil {
 		t.Errorf("failed to resolve: %s", err)
@@ -626,7 +626,7 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 	defer dnsServer.Stop()

 	// check initial state
-	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
+	resolver := newDnsResolver(dnsServer.service.ListenIp(), dnsServer.service.ListenPort())
 	_, err = resolver.LookupHost(context.Background(), "netbird.io")
 	if err != nil {
 		t.Errorf("failed to resolve: %s", err)
@@ -718,7 +718,7 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	defer dnsServer.Stop()

 	// check initial state
-	resolver := newDnsResolver(dnsServer.service.RuntimeIP(), dnsServer.service.RuntimePort())
+	resolver := newDnsResolver(dnsServer.service.ListenIp(), dnsServer.service.ListenPort())
 	_, err = resolver.LookupHost(context.Background(), "netbird.io")
 	if err != nil {
 		t.Errorf("failed to resolve: %s", err)
--- a/client/internal/dns/service.go
+++ b/client/internal/dns/service.go
@@ -13,6 +13,6 @@ type service interface {
 	Stop()
 	RegisterMux(domain string, handler dns.Handler)
 	DeregisterMux(key string)
-	RuntimePort() int
-	RuntimeIP() string
+	ListenPort() int
+	ListenIp() string
 }
--- a/client/internal/dns/service_listener.go
+++ b/client/internal/dns/service_listener.go
@@ -3,6 +3,7 @@ package dns
 import (
 	"context"
 	"fmt"
+	"github.com/netbirdio/netbird/client/internal/dns/forwarder"
 	"net"
 	"net/netip"
 	"runtime"
@@ -28,6 +29,7 @@ type serviceViaListener struct {
 	runtimePort       int
 	listenerIsRunning bool
 	listenerFlagLock  sync.Mutex
+	trafficForwarder  *forwarder.TrafficForwarder
 }

 func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort) *serviceViaListener {
@@ -42,6 +44,7 @@ func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort) *service
 			Handler: mux,
 			UDPSize: 65535,
 		},
+		trafficForwarder: forwarder.NewTrafficForwarder(wgIface.Name()),
 	}
 	return s
 }
@@ -72,6 +75,13 @@ func (s *serviceViaListener) Listen() error {
 			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
 		}
 	}()
+
+	if s.runtimePort != defaultPort {
+		err = s.trafficForwarder.Start(s.runtimeIP, s.runtimePort)
+		if err != nil {
+			return err
+		}
+	}
 	return nil
 }

@@ -90,6 +100,11 @@ func (s *serviceViaListener) Stop() {
 	if err != nil {
 		log.Errorf("stopping dns server listener returned an error: %v", err)
 	}
+
+	err = s.trafficForwarder.Free()
+	if err != nil {
+		log.Errorf("stopping traffic forwarder returned an error: %v", err)
+	}
 }

 func (s *serviceViaListener) RegisterMux(pattern string, handler dns.Handler) {
@@ -100,11 +115,11 @@ func (s *serviceViaListener) DeregisterMux(pattern string) {
 	s.dnsMux.HandleRemove(pattern)
 }

-func (s *serviceViaListener) RuntimePort() int {
-	return s.runtimePort
+func (s *serviceViaListener) ListenPort() int {
+	return defaultPort
 }

-func (s *serviceViaListener) RuntimeIP() string {
+func (s *serviceViaListener) ListenIp() string {
 	return s.runtimeIP
 }

@@ -117,7 +132,8 @@ func (s *serviceViaListener) getFirstListenerAvailable() (string, int, error) {
 	if runtime.GOOS != "darwin" {
 		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
 	}
-	ports := []int{defaultPort, customPort}
+	//todo change the order back
+	ports := []int{customPort, defaultPort}
 	for _, port := range ports {
 		for _, ip := range ips {
 			addrString := fmt.Sprintf("%s:%d", ip, port)
--- a/client/internal/dns/service_memory.go
+++ b/client/internal/dns/service_memory.go
@@ -48,7 +48,7 @@ func (s *serviceViaMemory) Listen() error {
 	}
 	s.listenerIsRunning = true

-	log.Debugf("dns service listening on: %s", s.RuntimeIP())
+	log.Debugf("dns service listening on: %s", s.ListenIp())
 	return nil
 }

@@ -75,11 +75,11 @@ func (s *serviceViaMemory) DeregisterMux(pattern string) {
 	s.dnsMux.HandleRemove(pattern)
 }

-func (s *serviceViaMemory) RuntimePort() int {
+func (s *serviceViaMemory) ListenPort() int {
 	return s.runtimePort
 }

-func (s *serviceViaMemory) RuntimeIP() string {
+func (s *serviceViaMemory) ListenIp() string {
 	return s.runtimeIP
 }

--- a/client/internal/routemanager/iptables_linux.go
+++ b/client/internal/routemanager/iptables_linux.go
@@ -51,17 +51,13 @@ type iptablesManager struct {

 func newIptablesManager(parentCtx context.Context) *iptablesManager {
 	ctx, cancel := context.WithCancel(parentCtx)
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err != nil {
-		log.Debugf("failed to initialize iptables for ipv4: %s", err)
-	} else if !isIptablesClientAvailable(ipv4Client) {
+	ipv4Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if !isIptablesClientAvailable(ipv4Client) {
 		log.Infof("iptables is missing for ipv4")
 		ipv4Client = nil
 	}
-	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	if err != nil {
-		log.Debugf("failed to initialize iptables for ipv6: %s", err)
-	} else if !isIptablesClientAvailable(ipv6Client) {
+	ipv6Client, _ := iptables.NewWithProtocol(iptables.ProtocolIPv6)
+	if !isIptablesClientAvailable(ipv6Client) {
 		log.Infof("iptables is missing for ipv6")
 		ipv6Client = nil
 	}
--- a/client/internal/wgproxy/ebpf/bpf_bpfeb.go
+++ b/client/internal/wgproxy/ebpf/bpf_bpfeb.go
@@ -54,14 +54,14 @@ type bpfSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
-	NbWgProxy *ebpf.ProgramSpec `ebpf:"nb_wg_proxy"`
+	XdpProgFunc *ebpf.ProgramSpec `ebpf:"xdp_prog_func"`
 }

 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
-	NbWgProxySettingsMap *ebpf.MapSpec `ebpf:"nb_wg_proxy_settings_map"`
+	XdpPortMap *ebpf.MapSpec `ebpf:"xdp_port_map"`
 }

 // bpfObjects contains all objects after they have been loaded into the kernel.
@@ -83,12 +83,12 @@ func (o *bpfObjects) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
-	NbWgProxySettingsMap *ebpf.Map `ebpf:"nb_wg_proxy_settings_map"`
+	XdpPortMap *ebpf.Map `ebpf:"xdp_port_map"`
 }

 func (m *bpfMaps) Close() error {
 	return _BpfClose(
-		m.NbWgProxySettingsMap,
+		m.XdpPortMap,
 	)
 }

@@ -96,12 +96,12 @@ func (m *bpfMaps) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
-	NbWgProxy *ebpf.Program `ebpf:"nb_wg_proxy"`
+	XdpProgFunc *ebpf.Program `ebpf:"xdp_prog_func"`
 }

 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
-		p.NbWgProxy,
+		p.XdpProgFunc,
 	)
 }

--- a/client/internal/wgproxy/ebpf/bpf_bpfeb.o
+++ b/client/internal/wgproxy/ebpf/bpf_bpfeb.o
--- a/client/internal/wgproxy/ebpf/bpf_bpfel.go
+++ b/client/internal/wgproxy/ebpf/bpf_bpfel.go
@@ -54,14 +54,14 @@ type bpfSpecs struct {
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfProgramSpecs struct {
-	NbWgProxy *ebpf.ProgramSpec `ebpf:"nb_wg_proxy"`
+	XdpProgFunc *ebpf.ProgramSpec `ebpf:"xdp_prog_func"`
 }

 // bpfMapSpecs contains maps before they are loaded into the kernel.
 //
 // It can be passed ebpf.CollectionSpec.Assign.
 type bpfMapSpecs struct {
-	NbWgProxySettingsMap *ebpf.MapSpec `ebpf:"nb_wg_proxy_settings_map"`
+	XdpPortMap *ebpf.MapSpec `ebpf:"xdp_port_map"`
 }

 // bpfObjects contains all objects after they have been loaded into the kernel.
@@ -83,12 +83,12 @@ func (o *bpfObjects) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfMaps struct {
-	NbWgProxySettingsMap *ebpf.Map `ebpf:"nb_wg_proxy_settings_map"`
+	XdpPortMap *ebpf.Map `ebpf:"xdp_port_map"`
 }

 func (m *bpfMaps) Close() error {
 	return _BpfClose(
-		m.NbWgProxySettingsMap,
+		m.XdpPortMap,
 	)
 }

@@ -96,12 +96,12 @@ func (m *bpfMaps) Close() error {
 //
 // It can be passed to loadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.
 type bpfPrograms struct {
-	NbWgProxy *ebpf.Program `ebpf:"nb_wg_proxy"`
+	XdpProgFunc *ebpf.Program `ebpf:"xdp_prog_func"`
 }

 func (p *bpfPrograms) Close() error {
 	return _BpfClose(
-		p.NbWgProxy,
+		p.XdpProgFunc,
 	)
 }

--- a/client/internal/wgproxy/ebpf/bpf_bpfel.o
+++ b/client/internal/wgproxy/ebpf/bpf_bpfel.o
--- a/client/internal/wgproxy/ebpf/loader.go
+++ b/client/internal/wgproxy/ebpf/loader.go
@@ -50,22 +50,22 @@ func (l *EBPF) Load(proxyPort, wgPort int) error {
 		_ = objs.Close()
 	}()

-	err = objs.NbWgProxySettingsMap.Put(mapKeyProxyPort, uint16(proxyPort))
+	err = objs.XdpPortMap.Put(mapKeyProxyPort, uint16(proxyPort))
 	if err != nil {
 		return err
 	}

-	err = objs.NbWgProxySettingsMap.Put(mapKeyWgPort, uint16(wgPort))
+	err = objs.XdpPortMap.Put(mapKeyWgPort, uint16(wgPort))
 	if err != nil {
 		return err
 	}

 	defer func() {
-		_ = objs.NbWgProxySettingsMap.Close()
+		_ = objs.XdpPortMap.Close()
 	}()

 	l.link, err = link.AttachXDP(link.XDPOptions{
-		Program:   objs.NbWgProxy,
+		Program:   objs.XdpProgFunc,
 		Interface: ifce.Index,
 	})
 	if err != nil {
@@ -75,7 +75,7 @@ func (l *EBPF) Load(proxyPort, wgPort int) error {
 	return err
 }

-// Free ebpf program
+// Free free ebpf program
 func (l *EBPF) Free() error {
 	if l.link != nil {
 		return l.link.Close()
--- a/client/internal/wgproxy/ebpf/src/portreplace.c
+++ b/client/internal/wgproxy/ebpf/src/portreplace.c
@@ -15,7 +15,7 @@
 const __u32 map_key_proxy_port = 0;
 const __u32 map_key_wg_port = 1;

-struct bpf_map_def SEC("maps") nb_wg_proxy_settings_map = {
+struct bpf_map_def SEC("maps") xdp_port_map = {
 	.type = BPF_MAP_TYPE_ARRAY,
 	.key_size = sizeof(__u32),
 	.value_size = sizeof(__u16),
@@ -27,14 +27,14 @@ __u16 wg_port = 0;

 bool read_port_settings() {
    __u16 *value;
-    value = bpf_map_lookup_elem(&nb_wg_proxy_settings_map, &map_key_proxy_port);
+    value = bpf_map_lookup_elem(&xdp_port_map, &map_key_proxy_port);
    if(!value) {
        return false;
    }

    proxy_port = *value;

-    value = bpf_map_lookup_elem(&nb_wg_proxy_settings_map, &map_key_wg_port);
+    value = bpf_map_lookup_elem(&xdp_port_map, &map_key_wg_port);
    if(!value) {
        return false;
    }
@@ -44,7 +44,7 @@ bool read_port_settings() {
 }

 SEC("xdp")
-int nb_wg_proxy(struct xdp_md *ctx) {
+int xdp_prog_func(struct xdp_md *ctx) {
    if(proxy_port == 0 || wg_port == 0) {
        if(!read_port_settings()){
            return XDP_PASS;
--- a/client/internal/wgproxy/factory.go
+++ b/client/internal/wgproxy/factory.go
@@ -14,7 +14,7 @@ func (w *Factory) GetProxy() Proxy {

 func (w *Factory) Free() error {
 	if w.ebpfProxy != nil {
-		return w.ebpfProxy.Free()
+		return w.ebpfProxy.CloseConn()
 	}
 	return nil
 }
--- a/client/internal/wgproxy/factory_linux.go
+++ b/client/internal/wgproxy/factory_linux.go
@@ -12,7 +12,7 @@ func NewFactory(wgPort int) *Factory {
 	ebpfProxy := NewWGEBPFProxy(wgPort)
 	err := ebpfProxy.Listen()
 	if err != nil {
-		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)
+		log.Errorf("failed to initialize ebpf proxy: %s", err)
 		return f
 	}

--- a/client/internal/wgproxy/proxy_ebpf.go
+++ b/client/internal/wgproxy/proxy_ebpf.go
@@ -69,7 +69,7 @@ func (p *WGEBPFProxy) Listen() error {
 	p.conn, err = net.ListenUDP("udp", &addr)
 	if err != nil {
 		cErr := p.Free()
-		if cErr != nil {
+		if err != nil {
 			log.Errorf("failed to close the wgproxy: %s", cErr)
 		}
 		return err
@@ -104,7 +104,6 @@ func (p *WGEBPFProxy) CloseConn() error {

 // Free resources
 func (p *WGEBPFProxy) Free() error {
-	log.Debugf("free up ebpf wg proxy")
 	var err1, err2, err3 error
 	if p.conn != nil {
 		err1 = p.conn.Close()
@@ -154,9 +153,7 @@ func (p *WGEBPFProxy) proxyToRemote() {
 			return
 		}

-		p.turnConnMutex.Lock()
 		conn, ok := p.turnConnStore[uint16(addr.Port)]
-		p.turnConnMutex.Unlock()
 		if !ok {
 			log.Errorf("turn conn not found by port: %d", addr.Port)
 			continue
--- a/client/internal/wgproxy/proxy_userspace.go
+++ b/client/internal/wgproxy/proxy_userspace.go
@@ -20,7 +20,6 @@ type WGUserSpaceProxy struct {

 // NewWGUserSpaceProxy instantiate a user space WireGuard proxy
 func NewWGUserSpaceProxy(wgPort int) *WGUserSpaceProxy {
-	log.Debugf("instantiate new userspace proxy")
 	p := &WGUserSpaceProxy{
 		localWGListenPort: wgPort,
 	}
--- a/go.mod
+++ b/go.mod
@@ -126,6 +126,7 @@ require (
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564 // indirect
 	github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 // indirect
--- a/go.sum
+++ b/go.sum
@@ -100,6 +100,7 @@ github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMn
 github.com/cilium/ebpf v0.0.0-20200110133405-4032b1d8aae3/go.mod h1:MA5e5Lr8slmEg9bt0VpxxWqJlO4iwu3FBdHUzV7wQVg=
 github.com/cilium/ebpf v0.4.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.5.0/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
+github.com/cilium/ebpf v0.7.0 h1:1k/q3ATgxSXRdrmPfH8d7YK0GfqVsEKZAX9dQZvs56k=
 github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/cilium/ebpf v0.10.0 h1:nk5HPMeoBXtOzbkZBWym+ZWq1GIiHUsBFXxwewXAHLQ=
 github.com/cilium/ebpf v0.10.0/go.mod h1:DPiVdY/kT534dgc9ERmvP8mWA+9gvwgKfRvk4nNWnoE=
@@ -597,8 +598,7 @@ github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40T
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rs/cors v1.8.0 h1:P2KMzcFwrPoSjkF1WLRPsp3UMLyql8L4v9hQpVeK5so=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rs/cors v1.8.0/go.mod h1:EBwu+T5AvHOcXwvZIkQFjUN6s8Czyqw12GL/Y0tUyRM=
 github.com/rs/xid v1.3.0 h1:6NjYksEUlhurdVehpc7S7dk6DAmcKv8V9gG0FsVN2U4=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
@@ -615,8 +615,6 @@ github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
-github.com/smartystreets/assertions v1.13.0 h1:Dx1kYM01xsSqKPno3aqLnrwac2LetPvN23diwyr69Qs=
-github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
@@ -633,9 +631,7 @@ github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnIn
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
-github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564 h1:HunZiaEKNGVdhTRQOVpMmj5MQnGnv+e8uZNu3xFLgyM=
 github.com/srwiley/oksvg v0.0.0-20200311192757-870daf9aa564/go.mod h1:afMbS0qvv1m5tfENCwnOdZGOF8RGR/FsZ7bvBxQGZG4=
-github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 h1:m59mIOBO4kfcNCEzJNy71UkeF4XIx2EVmL9KLwDQdmM=
 github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9/go.mod h1:mvWM0+15UqyrFKqdRjY6LuAVJR0HOVhJlEgZ5JWtSWU=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -651,7 +647,6 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
-github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/syndtr/gocapability v0.0.0-20180916011248-d98352740cb2/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -677,7 +672,6 @@ github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1
 github.com/yuin/goldmark v1.3.8/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
-github.com/yuin/goldmark v1.4.13 h1:fVcFKWvrslecOb/tg+Cc05dkeYx540o0FuFt3nUVDoE=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.3 h1:E1ctvB7uKFMOJw3fdOW32DwGE9I7t++CRUEMKvFoFiw=
 github.com/yusufpapurcu/wmi v1.2.3/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
@@ -739,7 +733,6 @@ golang.org/x/exp v0.0.0-20220518171630-0b5c67f07fdf/go.mod h1:yh0Ynu2b5ZUe3MQfp2
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.0.0-20200430140353-33d19683fad8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.5.0 h1:5JMiNunQeQw++mMOz48/ISeNu3Iweh/JaZU8ZLqHRrI=
 golang.org/x/image v0.5.0/go.mod h1:FVC7BI/5Ym8R25iw5OLsgshdUBbT1h5jZTpA+mvAdZ4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -753,7 +746,6 @@ golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPI
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
-golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028 h1:4+4C/Iv2U4fMZBiMCc98MG1In4gJY5YRhtpDNeDeHWs=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
@@ -982,7 +974,6 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac h1:7zkz7BUtwNFFqcowJ+RIgu2MaV/MapERkDIy+mwPyjs=
 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1109,8 +1100,6 @@ google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48=
-google.golang.org/genproto v0.0.0-20230530153820-e85fd2cbaebc h1:8DyZCyvI8mE1IdLy/60bS+52xfymkE72wv1asokgtao=
-google.golang.org/genproto/googleapis/api v0.0.0-20230530153820-e85fd2cbaebc h1:kVKPf/IiYSBWEWtkIn6wZXwWGCnLKcC8oWfZvXjsGnM=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc h1:XSJ8Vk1SWuNr8S18z1NZSziL0CPIXLCCMDOEFtHBOFc=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc/go.mod h1:66JfowdXAEgad5O9NnYcsNPLCPZJD++2L9X0PCMODrA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1156,7 +1145,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
@@ -1168,7 +1156,6 @@ gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24
 gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
 gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI=
 gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=
-gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637 h1:yiW+nvdHb9LVqSHQBXfZCieqV4fzYhNBql77zY0ykqs=
 gopkg.in/tomb.v2 v2.0.0-20161208151619-d5d1b5820637/go.mod h1:BHsqpu/nsuzkT5BpiH1EMZPLyqSMM8JbIavyFACoFNk=
@@ -1180,7 +1167,6 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1189,7 +1175,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0 h1:Wobr37noukisGxpKo5jAsLREcpj61RxrWYzD8uwveOY=
 gvisor.dev/gvisor v0.0.0-20221203005347-703fd9b7fbc0/go.mod h1:Dn5idtptoW1dIos9U6A2rpebLs/MtTwFacjKb8jLdQA=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -112,7 +112,7 @@ func (w *WGIface) Close() error {
 	return w.tun.Close()
 }

-// SetFilter sets packet filters for the userspace impelemntation
+// SetFilter sets packet filters for the userspace implementation
 func (w *WGIface) SetFilter(filter PacketFilter) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
--- a/infrastructure_files/getting-started-with-zitadel.sh
+++ b/infrastructure_files/getting-started-with-zitadel.sh
@@ -1,736 +0,0 @@
-#!/bin/bash
-
-set -e
-
-handle_request_command_status() {
-  PARSED_RESPONSE=$1
-  FUNCTION_NAME=$2
-  RESPONSE=$3
-  if [[ $PARSED_RESPONSE -ne 0 ]]; then
-    echo "ERROR calling $FUNCTION_NAME:" $(echo "$RESPONSE" | jq -r '.message') > /dev/stderr
-    exit 1
-  fi
-}
-
-handle_zitadel_request_response() {
-  PARSED_RESPONSE=$1
-  FUNCTION_NAME=$2
-  RESPONSE=$3
-  if [[ $PARSED_RESPONSE == "null" ]]; then
-    echo "ERROR calling $FUNCTION_NAME:" $(echo "$RESPONSE" | jq -r '.message') > /dev/stderr
-    exit 1
-  fi
-  sleep 1
-}
-
-check_docker_compose() {
-  if command -v docker-compose &> /dev/null
-  then
-      echo "docker-compose"
-      return
-  fi
-  if docker compose --help &> /dev/null
-  then
-      echo "docker compose"
-      return
-  fi
-
-  echo "docker-compose is not installed or not in PATH. Please follow the steps from the official guide: https://docs.docker.com/engine/install/" > /dev/stderr
-  exit 1
-}
-
-check_jq() {
-  if ! command -v jq &> /dev/null
-  then
-    echo "jq is not installed or not in PATH, please install with your package manager. e.g. sudo apt install jq" > /dev/stderr
-    exit 1
-  fi
-}
-
-wait_crdb() {
-  set +e
-  while true; do
-    if $DOCKER_COMPOSE_COMMAND exec -T crdb curl -sf -o /dev/null 'http://localhost:8080/health?ready=1'; then
-      break
-    fi
-    echo -n " ."
-    sleep 5
-  done
-  echo " done"
-  set -e
-}
-
-init_crdb() {
-  echo -e "\nInitializing Zitadel's CockroachDB\n\n"
-  $DOCKER_COMPOSE_COMMAND up -d crdb
-  echo ""
-  # shellcheck disable=SC2028
-  echo -n "Waiting cockroachDB  to become ready "
-  wait_crdb
-  $DOCKER_COMPOSE_COMMAND exec -T crdb /bin/bash -c "cp /cockroach/certs/* /zitadel-certs/ && cockroach cert create-client --overwrite --certs-dir /zitadel-certs/ --ca-key /zitadel-certs/ca.key zitadel_user && chown -R 1000:1000 /zitadel-certs/"
-  handle_request_command_status $? "init_crdb failed" ""
-}
-
-get_main_ip_address() {
-  if [[ "$OSTYPE" == "darwin"* ]]; then
-    interface=$(route -n get default | grep 'interface:' | awk '{print $2}')
-    ip_address=$(ifconfig "$interface" | grep 'inet ' | awk '{print $2}')
-  else
-    interface=$(ip route | grep default | awk '{print $5}' | head -n 1)
-    ip_address=$(ip addr show "$interface" | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1)
-  fi
-
-  echo "$ip_address"
-}
-
-wait_pat() {
-  PAT_PATH=$1
-  set +e
-  while true; do
-    if [[ -f "$PAT_PATH" ]]; then
-      break
-    fi
-    echo -n " ."
-    sleep 1
-  done
-  echo " done"
-  set -e
-}
-
-wait_api() {
-    INSTANCE_URL=$1
-    PAT=$2
-    set +e
-    while true; do
-      curl -s --fail -o /dev/null "$INSTANCE_URL/auth/v1/users/me" -H "Authorization: Bearer $PAT"
-      if [[ $? -eq 0 ]]; then
-        break
-      fi
-      echo -n " ."
-      sleep 1
-    done
-    echo " done"
-    set -e
-}
-
-create_new_project() {
-  INSTANCE_URL=$1
-  PAT=$2
-  PROJECT_NAME="NETBIRD"
-
-  RESPONSE=$(
-    curl -sS -X POST "$INSTANCE_URL/management/v1/projects" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-      -d '{"name": "'"$PROJECT_NAME"'"}'
-  )
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.id')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "create_new_project" "$RESPONSE"
-  echo "$PARSED_RESPONSE"
-}
-
-create_new_application() {
-  INSTANCE_URL=$1
-  PAT=$2
-  APPLICATION_NAME=$3
-  BASE_REDIRECT_URL1=$4
-  BASE_REDIRECT_URL2=$5
-  LOGOUT_URL=$6
-  ZITADEL_DEV_MODE=$7
-
-  RESPONSE=$(
-    curl -sS -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-      -d '{
-    "name": "'"$APPLICATION_NAME"'",
-    "redirectUris": [
-      "'"$BASE_REDIRECT_URL1"'",
-      "'"$BASE_REDIRECT_URL2"'"
-    ],
-    "postLogoutRedirectUris": [
-       "'"$LOGOUT_URL"'"
-    ],
-    "RESPONSETypes": [
-      "OIDC_RESPONSE_TYPE_CODE"
-    ],
-    "grantTypes": [
-      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
-      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
-    ],
-    "appType": "OIDC_APP_TYPE_USER_AGENT",
-    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
-    "version": "OIDC_VERSION_1_0",
-    "devMode": '"$ZITADEL_DEV_MODE"',
-    "accessTokenType": "OIDC_TOKEN_TYPE_JWT",
-    "accessTokenRoleAssertion": true,
-    "skipNativeAppSuccessPage": true
-  }'
-  )
-
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.clientId')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "create_new_application" "$RESPONSE"
-  echo "$PARSED_RESPONSE"
-}
-
-create_service_user() {
-  INSTANCE_URL=$1
-  PAT=$2
-
-  RESPONSE=$(
-    curl -sS -X POST "$INSTANCE_URL/management/v1/users/machine" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-      -d '{
-            "userName": "netbird-service-account",
-            "name": "Netbird Service Account",
-            "description": "Netbird Service Account for IDP management",
-            "accessTokenType": "ACCESS_TOKEN_TYPE_JWT"
-      }'
-  )
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.userId')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "create_service_user" "$RESPONSE"
-  echo "$PARSED_RESPONSE"
-}
-
-create_service_user_secret() {
-  INSTANCE_URL=$1
-  PAT=$2
-  USER_ID=$3
-
-  RESPONSE=$(
-    curl -sS -X PUT "$INSTANCE_URL/management/v1/users/$USER_ID/secret" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-      -d '{}'
-  )
-  SERVICE_USER_CLIENT_ID=$(echo "$RESPONSE" | jq -r '.clientId')
-  handle_zitadel_request_response "$SERVICE_USER_CLIENT_ID" "create_service_user_secret_id" "$RESPONSE"
-  SERVICE_USER_CLIENT_SECRET=$(echo "$RESPONSE" | jq -r '.clientSecret')
-  handle_zitadel_request_response "$SERVICE_USER_CLIENT_SECRET" "create_service_user_secret" "$RESPONSE"
-}
-
-add_organization_user_manager() {
-  INSTANCE_URL=$1
-  PAT=$2
-  USER_ID=$3
-
-  RESPONSE=$(
-    curl -sS -X POST "$INSTANCE_URL/management/v1/orgs/me/members" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-      -d '{
-            "userId": "'"$USER_ID"'",
-            "roles": [
-              "ORG_USER_MANAGER"
-            ]
-      }'
-  )
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.creationDate')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "add_organization_user_manager" "$RESPONSE"
-  echo "$PARSED_RESPONSE"
-}
-
-create_admin_user() {
-    INSTANCE_URL=$1
-    PAT=$2
-    USERNAME=$3
-    PASSWORD=$4
-    RESPONSE=$(
-        curl -sS -X POST "$INSTANCE_URL/management/v1/users/human/_import" \
-          -H "Authorization: Bearer $PAT" \
-          -H "Content-Type: application/json" \
-          -d '{
-                "userName": "'"$USERNAME"'",
-                "profile": {
-                  "firstName": "Zitadel",
-                  "lastName": "Admin"
-                },
-                "email": {
-                  "email": "'"$USERNAME"'",
-                  "isEmailVerified": true
-                },
-                "password": "'"$PASSWORD"'",
-                "passwordChangeRequired": true
-          }'
-      )
-      PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.userId')
-      handle_zitadel_request_response "$PARSED_RESPONSE" "create_admin_user" "$RESPONSE"
-      echo "$PARSED_RESPONSE"
-}
-
-add_instance_admin() {
-  INSTANCE_URL=$1
-  PAT=$2
-  USER_ID=$3
-
-  RESPONSE=$(
-    curl -sS -X POST "$INSTANCE_URL/admin/v1/members" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-      -d '{
-            "userId": "'"$USER_ID"'",
-            "roles": [
-              "IAM_OWNER"
-            ]
-      }'
-  )
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.creationDate')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "add_instance_admin" "$RESPONSE"
-  echo "$PARSED_RESPONSE"
-}
-
-delete_auto_service_user() {
-  INSTANCE_URL=$1
-  PAT=$2
-
-  RESPONSE=$(
-    curl -sS -X GET "$INSTANCE_URL/auth/v1/users/me" \
-      -H "Authorization: Bearer $PAT" \
-      -H "Content-Type: application/json" \
-  )
-  USER_ID=$(echo "$RESPONSE" | jq -r '.user.id')
-  handle_zitadel_request_response "$USER_ID" "delete_auto_service_user_get_user" "$RESPONSE"
-
-  RESPONSE=$(
-      curl -sS -X DELETE "$INSTANCE_URL/admin/v1/members/$USER_ID" \
-        -H "Authorization: Bearer $PAT" \
-        -H "Content-Type: application/json" \
-  )
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.changeDate')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "delete_auto_service_user_remove_instance_permissions" "$RESPONSE"
-
-  RESPONSE=$(
-      curl -sS -X DELETE "$INSTANCE_URL/management/v1/orgs/me/members/$USER_ID" \
-        -H "Authorization: Bearer $PAT" \
-        -H "Content-Type: application/json" \
-  )
-  PARSED_RESPONSE=$(echo "$RESPONSE" | jq -r '.details.changeDate')
-  handle_zitadel_request_response "$PARSED_RESPONSE" "delete_auto_service_user_remove_org_permissions" "$RESPONSE"
-  echo "$PARSED_RESPONSE"
-}
-
-init_zitadel() {
-  echo -e "\nInitializing Zitadel with NetBird's applications\n"
-  INSTANCE_URL="$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT"
-
-  TOKEN_PATH=./machinekey/zitadel-admin-sa.token
-
-  echo -n "Waiting for Zitadel's PAT to be created "
-  wait_pat "$TOKEN_PATH"
-  echo "Reading Zitadel PAT"
-  PAT=$(cat $TOKEN_PATH)
-  if [ "$PAT" = "null" ]; then
-    echo "Failed requesting getting Zitadel PAT"
-    exit 1
-  fi
-
-  echo -n "Waiting for Zitadel to become ready "
-  wait_api "$INSTANCE_URL" "$PAT"
-
-  #  create the zitadel project
-  echo "Creating new zitadel project"
-  PROJECT_ID=$(create_new_project "$INSTANCE_URL" "$PAT")
-
-  ZITADEL_DEV_MODE=false
-  BASE_REDIRECT_URL=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN
-  if [[ $NETBIRD_HTTP_PROTOCOL == "http" ]]; then
-    ZITADEL_DEV_MODE=true
-  fi
-
-  # create zitadel spa applications
-  echo "Creating new Zitadel SPA Dashboard application"
-  DASHBOARD_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Dashboard" "$BASE_REDIRECT_URL/nb-auth" "$BASE_REDIRECT_URL/nb-silent-auth" "$BASE_REDIRECT_URL/" "$ZITADEL_DEV_MODE")
-
-  echo "Creating new Zitadel SPA Cli application"
-  CLI_APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$PAT" "Cli" "http://localhost:53000/" "http://localhost:54000/" "http://localhost:53000/" "true")
-
-  MACHINE_USER_ID=$(create_service_user "$INSTANCE_URL" "$PAT")
-
-  SERVICE_USER_CLIENT_ID="null"
-  SERVICE_USER_CLIENT_SECRET="null"
-
-  create_service_user_secret "$INSTANCE_URL" "$PAT" "$MACHINE_USER_ID"
-
-  DATE=$(add_organization_user_manager "$INSTANCE_URL" "$PAT" "$MACHINE_USER_ID")
-
-  ZITADEL_ADMIN_USERNAME="admin@$NETBIRD_DOMAIN"
-  ZITADEL_ADMIN_PASSWORD="$(openssl rand -base64 32 | sed 's/=//g')@"
-
-  HUMAN_USER_ID=$(create_admin_user "$INSTANCE_URL" "$PAT" "$ZITADEL_ADMIN_USERNAME" "$ZITADEL_ADMIN_PASSWORD")
-
-  DATE="null"
-
-  DATE=$(add_instance_admin "$INSTANCE_URL" "$PAT" "$HUMAN_USER_ID")
-
-  DATE="null"
-  DATE=$(delete_auto_service_user "$INSTANCE_URL" "$PAT")
-  if [ "$DATE" = "null" ]; then
-      echo "Failed deleting auto service user"
-      echo "Please remove it manually"
-  fi
-
-  export NETBIRD_AUTH_CLIENT_ID=$DASHBOARD_APPLICATION_CLIENT_ID
-  export NETBIRD_AUTH_CLIENT_ID_CLI=$CLI_APPLICATION_CLIENT_ID
-  export NETBIRD_IDP_MGMT_CLIENT_ID=$SERVICE_USER_CLIENT_ID
-  export NETBIRD_IDP_MGMT_CLIENT_SECRET=$SERVICE_USER_CLIENT_SECRET
-  export ZITADEL_ADMIN_USERNAME
-  export ZITADEL_ADMIN_PASSWORD
-}
-
-check_nb_domain() {
-  DOMAIN=$1
-  if [ "$DOMAIN-x" == "-x" ]; then
-    echo "The NETBIRD_DOMAIN variable cannot be empty." > /dev/stderr
-    return 1
-  fi
-
-  if [ "$DOMAIN" == "netbird.example.com" ]; then
-    echo "The NETBIRD_DOMAIN cannot be netbird.example.com" > /dev/stderr
-    retrun 1
-  fi
-  return 0
-}
-
-read_nb_domain() {
-  READ_NETBIRD_DOMAIN=""
-  echo -n "Enter the domain you want to use for NetBird (e.g. netbird.my-domain.com): " > /dev/stderr
-  read -r READ_NETBIRD_DOMAIN < /dev/tty
-  if ! check_nb_domain "$READ_NETBIRD_DOMAIN"; then
-    read_nb_domain
-  fi
-  echo "$READ_NETBIRD_DOMAIN"
-}
-
-initEnvironment() {
-  CADDY_SECURE_DOMAIN=""
-  ZITADEL_EXTERNALSECURE="false"
-  ZITADEL_TLS_MODE="disabled"
-  ZITADEL_MASTERKEY="$(openssl rand -base64 32 | head -c 32)"
-  NETBIRD_PORT=80
-  NETBIRD_HTTP_PROTOCOL="http"
-  TURN_USER="self"
-  TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
-  TURN_MIN_PORT=49152
-  TURN_MAX_PORT=65535
-
-  if ! check_nb_domain "$NETBIRD_DOMAIN"; then
-    NETBIRD_DOMAIN=$(read_nb_domain)
-  fi
-
-  if [ "$NETBIRD_DOMAIN" == "use-ip" ]; then
-    NETBIRD_DOMAIN=$(get_main_ip_address)
-  else
-    ZITADEL_EXTERNALSECURE="true"
-    ZITADEL_TLS_MODE="external"
-    NETBIRD_PORT=443
-    CADDY_SECURE_DOMAIN=", $NETBIRD_DOMAIN:$NETBIRD_PORT"
-    NETBIRD_HTTP_PROTOCOL="https"
-  fi
-
-  if [[ "$OSTYPE" == "darwin"* ]]; then
-      ZIDATE_TOKEN_EXPIRATION_DATE=$(date -u -v+30M "+%Y-%m-%dT%H:%M:%SZ")
-  else
-      ZIDATE_TOKEN_EXPIRATION_DATE=$(date -u -d "+30 minutes" "+%Y-%m-%dT%H:%M:%SZ")
-  fi
-
-  check_jq
-
-  DOCKER_COMPOSE_COMMAND=$(check_docker_compose)
-
-  if [ -f zitadel.env ]; then
-    echo "Generated files already exist, if you want to reinitialize the environment, please remove them first."
-    echo "You can use the following commands:"
-    echo "  $DOCKER_COMPOSE_COMMAND down --volumes # to remove all containers and volumes"
-    echo "  rm -f docker-compose.yml Caddyfile zitadel.env dashboard.env machinekey/zitadel-admin-sa.token turnserver.conf management.json"
-    echo "Be aware that this will remove all data from the database, and you will have to reconfigure the dashboard."
-    exit 1
-  fi
-
-  echo Rendering initial files...
-  renderDockerCompose > docker-compose.yml
-  renderCaddyfile > Caddyfile
-  renderZitadelEnv > zitadel.env
-  echo "" > dashboard.env
-  echo "" > turnserver.conf
-  echo "" > management.json
-
-  mkdir -p machinekey
-  chmod 777 machinekey
-
-  init_crdb
-
-  echo -e "\nStarting Zidatel IDP for user management\n\n"
-  $DOCKER_COMPOSE_COMMAND up -d caddy zitadel
-  init_zitadel
-
-  echo -e "\nRendering NetBird files...\n"
-  renderTurnServerConf > turnserver.conf
-  renderManagementJson > management.json
-  renderDashboardEnv > dashboard.env
-
-  echo -e "\nStarting NetBird services\n"
-  $DOCKER_COMPOSE_COMMAND up -d
-  echo -e "\nDone!\n"
-  echo "You can access the NetBird dashboard at $NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT"
-  echo "Login with the following credentials:"
-  echo "Username: $ZITADEL_ADMIN_USERNAME" | tee .env
-  echo "Password: $ZITADEL_ADMIN_PASSWORD" | tee -a .env
-}
-
-renderCaddyfile() {
-  cat <<EOF
-{
-  debug
-	servers :80,:443 {
-    protocols h1 h2c
-  }
-}
-
-:80${CADDY_SECURE_DOMAIN} {
-    # Signal
-    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
-    # Management
-    reverse_proxy /api/* management:80
-    reverse_proxy /management.ManagementService/* h2c://management:80
-    # Zitadel
-    reverse_proxy /zitadel.admin.v1.AdminService/* h2c://zitadel:8080
-    reverse_proxy /admin/v1/* h2c://zitadel:8080
-    reverse_proxy /zitadel.auth.v1.AuthService/* h2c://zitadel:8080
-    reverse_proxy /auth/v1/* h2c://zitadel:8080
-    reverse_proxy /zitadel.management.v1.ManagementService/* h2c://zitadel:8080
-    reverse_proxy /management/v1/* h2c://zitadel:8080
-    reverse_proxy /zitadel.system.v1.SystemService/* h2c://zitadel:8080
-    reverse_proxy /system/v1/* h2c://zitadel:8080
-    reverse_proxy /assets/v1/* h2c://zitadel:8080
-    reverse_proxy /ui/* h2c://zitadel:8080
-    reverse_proxy /oidc/v1/* h2c://zitadel:8080
-    reverse_proxy /saml/v2/* h2c://zitadel:8080
-    reverse_proxy /oauth/v2/* h2c://zitadel:8080
-    reverse_proxy /.well-known/openid-configuration h2c://zitadel:8080
-    reverse_proxy /openapi/* h2c://zitadel:8080
-    reverse_proxy /debug/* h2c://zitadel:8080
-    # Dashboard
-    reverse_proxy /* dashboard:80
-}
-EOF
-}
-
-renderTurnServerConf() {
-  cat <<EOF
-listening-port=3478
-tls-listening-port=5349
-min-port=$TURN_MIN_PORT
-max-port=$TURN_MAX_PORT
-fingerprint
-lt-cred-mech
-user=$TURN_USER:$TURN_PASSWORD
-realm=wiretrustee.com
-cert=/etc/coturn/certs/cert.pem
-pkey=/etc/coturn/private/privkey.pem
-log-file=stdout
-no-software-attribute
-pidfile="/var/tmp/turnserver.pid"
-no-cli
-EOF
-}
-
-renderManagementJson() {
-  cat <<EOF
-{
-    "Stuns": [
-        {
-            "Proto": "udp",
-            "URI": "stun:$NETBIRD_DOMAIN:3478"
-        }
-    ],
-    "TURNConfig": {
-        "Turns": [
-            {
-                "Proto": "udp",
-                "URI": "turn:$NETBIRD_DOMAIN:3478",
-                "Username": "$TURN_USER",
-                "Password": "$TURN_PASSWORD"
-            }
-        ],
-        "TimeBasedCredentials": false
-    },
-    "Signal": {
-        "Proto": "$NETBIRD_HTTP_PROTOCOL",
-        "URI": "$NETBIRD_DOMAIN:$NETBIRD_PORT"
-    },
-    "HttpConfig": {
-        "AuthIssuer": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN",
-        "AuthAudience": "$NETBIRD_AUTH_CLIENT_ID",
-        "OIDCConfigEndpoint":"$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN/.well-known/openid-configuration"
-    },
-    "IdpManagerConfig": {
-        "ManagerType": "zitadel",
-        "ClientConfig": {
-            "Issuer": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT",
-            "TokenEndpoint": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT/oauth/v2/token",
-            "ClientID": "$NETBIRD_IDP_MGMT_CLIENT_ID",
-            "ClientSecret": "$NETBIRD_IDP_MGMT_CLIENT_SECRET",
-            "GrantType": "client_credentials"
-        },
-        "ExtraConfig": {
-            "ManagementEndpoint": "$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT/management/v1"
-        }
-     },
-    "PKCEAuthorizationFlow": {
-        "ProviderConfig": {
-            "Audience": "$NETBIRD_AUTH_CLIENT_ID_CLI",
-            "ClientID": "$NETBIRD_AUTH_CLIENT_ID_CLI",
-            "Scope": "openid profile email offline_access",
-            "RedirectURLs": ["http://localhost:53000/","http://localhost:54000/"]
-        }
-    }
-}
-EOF
-}
-
-renderDashboardEnv() {
-  cat <<EOF
-# Endpoints
-NETBIRD_MGMT_API_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT
-NETBIRD_MGMT_GRPC_API_ENDPOINT=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT
-# OIDC
-AUTH_AUDIENCE=$NETBIRD_AUTH_CLIENT_ID
-AUTH_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
-AUTH_AUTHORITY=$NETBIRD_HTTP_PROTOCOL://$NETBIRD_DOMAIN:$NETBIRD_PORT
-USE_AUTH0=false
-AUTH_SUPPORTED_SCOPES="openid profile email offline_access"
-AUTH_REDIRECT_URI=/nb-auth
-AUTH_SILENT_REDIRECT_URI=/nb-silent-auth
-# SSL
-NGINX_SSL_PORT=443
-# Letsencrypt
-LETSENCRYPT_DOMAIN=none
-EOF
-}
-
-renderZitadelEnv() {
-  cat <<EOF
-ZITADEL_LOG_LEVEL=debug
-ZITADEL_MASTERKEY=$ZITADEL_MASTERKEY
-ZITADEL_DATABASE_COCKROACH_HOST=crdb
-ZITADEL_DATABASE_COCKROACH_USER_USERNAME=zitadel_user
-ZITADEL_DATABASE_COCKROACH_USER_SSL_MODE=verify-full
-ZITADEL_DATABASE_COCKROACH_USER_SSL_ROOTCERT="/crdb-certs/ca.crt"
-ZITADEL_DATABASE_COCKROACH_USER_SSL_CERT="/crdb-certs/client.zitadel_user.crt"
-ZITADEL_DATABASE_COCKROACH_USER_SSL_KEY="/crdb-certs/client.zitadel_user.key"
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_MODE=verify-full
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_ROOTCERT="/crdb-certs/ca.crt"
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_CERT="/crdb-certs/client.root.crt"
-ZITADEL_DATABASE_COCKROACH_ADMIN_SSL_KEY="/crdb-certs/client.root.key"
-ZITADEL_EXTERNALSECURE=$ZITADEL_EXTERNALSECURE
-ZITADEL_TLS_ENABLED="false"
-ZITADEL_EXTERNALPORT=$NETBIRD_PORT
-ZITADEL_EXTERNALDOMAIN=$NETBIRD_DOMAIN
-ZITADEL_FIRSTINSTANCE_PATPATH=/machinekey/zitadel-admin-sa.token
-ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME=zitadel-admin-sa
-ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME=Admin
-ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_SCOPES=openid
-ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE=$ZIDATE_TOKEN_EXPIRATION_DATE
-EOF
-}
-
-renderDockerCompose() {
-  cat <<EOF
-version: "3.4"
-services:
-  # Caddy reverse proxy
-  caddy:
-    image: caddy
-    restart: unless-stopped
-    networks: [ netbird ]
-    ports:
-      - '443:443'
-      - '80:80'
-      - '8080:8080'
-    volumes:
-      - netbird_caddy_data:/data
-      - ./Caddyfile:/etc/caddy/Caddyfile
-  #UI dashboard
-  dashboard:
-    image: wiretrustee/dashboard:latest
-    restart: unless-stopped
-    networks: [netbird]
-    env_file:
-      - ./dashboard.env
-  # Signal
-  signal:
-    image: netbirdio/signal:latest
-    restart: unless-stopped
-    networks: [netbird]
-  # Management
-  management:
-    image: netbirdio/management:latest
-    restart: unless-stopped
-    networks: [netbird]
-    volumes:
-      - netbird_management:/var/lib/netbird
-      - ./management.json:/etc/netbird/management.json
-    command: [
-      "--port", "80",
-      "--log-file", "console",
-      "--log-level", "info",
-      "--disable-anonymous-metrics=false",
-      "--single-account-mode-domain=netbird.selfhosted",
-      "--dns-domain=netbird.selfhosted",
-      "--idp-sign-key-refresh-enabled",
-    ]
-  # Coturn, AKA relay server
-  coturn:
-    image: coturn/coturn
-    restart: unless-stopped
-    domainname: netbird.relay.selfhosted
-    volumes:
-      - ./turnserver.conf:/etc/turnserver.conf:ro
-    network_mode: host
-    command:
-      - -c /etc/turnserver.conf
-  # Zitadel - identity provider
-  zitadel:
-    restart: 'always'
-    networks: [netbird]
-    image: 'ghcr.io/zitadel/zitadel:v2.31.3'
-    command: 'start-from-init --masterkeyFromEnv --tlsMode $ZITADEL_TLS_MODE'
-    env_file:
-      - ./zitadel.env
-    depends_on:
-      crdb:
-        condition: 'service_healthy'
-    volumes:
-      - ./machinekey:/machinekey
-      - netbird_zitadel_certs:/crdb-certs:ro
-  # CockroachDB for zitadel
-  crdb:
-    restart: 'always'
-    networks: [netbird]
-    image: 'cockroachdb/cockroach:v22.2.2'
-    command: 'start-single-node --advertise-addr crdb'
-    volumes:
-      - netbird_crdb_data:/cockroach/cockroach-data
-      - netbird_crdb_certs:/cockroach/certs
-      - netbird_zitadel_certs:/zitadel-certs
-    healthcheck:
-      test: [ "CMD", "curl", "-f", "http://localhost:8080/health?ready=1" ]
-      interval: '10s'
-      timeout: '30s'
-      retries: 5
-      start_period: '20s'
-
-volumes:
-  netbird_management:
-  netbird_caddy_data:
-  netbird_crdb_data:
-  netbird_crdb_certs:
-  netbird_zitadel_certs:
-
-networks:
-  netbird:
-EOF
-}
-
-initEnvironment
--- a/infrastructure_files/zitadel.sh
+++ b/infrastructure_files/zitadel.sh
@@ -0,0 +1,122 @@
+#!/bin/bash
+
+set -e
+
+request_jwt_token() {
+  INSTANCE_URL=$1
+  BODY="grant_type=client_credentials&scope=urn:zitadel:iam:org:project:id:zitadel:aud&client_id=$ZITADEL_CLIENT_ID&client_secret=$ZITADEL_CLIENT_SECRET"
+
+  RESPONSE=$(
+    curl -X POST "$INSTANCE_URL/oauth/v2/token" \
+      -H "Content-Type: application/x-www-form-urlencoded" \
+      -d "$BODY"
+  )
+  echo "$RESPONSE" | jq -r '.access_token'
+}
+
+create_new_project() {
+  INSTANCE_URL=$1
+  ACCESS_TOKEN=$2
+  PROJECT_NAME="NETBIRD"
+
+  RESPONSE=$(
+    curl -X POST "$INSTANCE_URL/management/v1/projects" \
+      -H "Authorization: Bearer $ACCESS_TOKEN" \
+      -H "Content-Type: application/json" \
+      -d '{"name": "'"$PROJECT_NAME"'"}'
+  )
+  echo "$RESPONSE" | jq -r '.id'
+}
+
+create_new_application() {
+  INSTANCE_URL=$1
+  ACCESS_TOKEN=$2
+  APPLICATION_NAME="netbird"
+
+  RESPONSE=$(
+    curl -X POST "$INSTANCE_URL/management/v1/projects/$PROJECT_ID/apps/oidc" \
+      -H "Authorization: Bearer $ACCESS_TOKEN" \
+      -H "Content-Type: application/json" \
+      -d '{
+    "name": "'"$APPLICATION_NAME"'",
+    "redirectUris": [
+      "'"$BASE_REDIRECT_URL"'/auth"
+    ],
+    "RESPONSETypes": [
+      "OIDC_RESPONSE_TYPE_CODE"
+    ],
+    "grantTypes": [
+      "OIDC_GRANT_TYPE_AUTHORIZATION_CODE",
+      "OIDC_GRANT_TYPE_REFRESH_TOKEN"
+    ],
+    "appType": "OIDC_APP_TYPE_USER_AGENT",
+    "authMethodType": "OIDC_AUTH_METHOD_TYPE_NONE",
+    "postLogoutRedirectUris": [
+      "'"$BASE_REDIRECT_URL"'/silent-auth"
+    ],
+    "version": "OIDC_VERSION_1_0",
+    "devMode": '"$ZITADEL_DEV_MODE"',
+    "accessTokenType": "OIDC_TOKEN_TYPE_JWT",
+    "accessTokenRoleAssertion": true,
+    "skipNativeAppSuccessPage": true
+  }'
+  )
+  echo "$RESPONSE" | jq -r '.clientId'
+}
+
+configure_zitadel_instance() {
+  # extract zitadel instance url
+  INSTANCE_URL=$(echo "$NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT" | sed 's/\/\.well-known\/openid-configuration//')
+  DOC_URL="https://netbird.io/docs/integrations/identity-providers/self-hosted/using-netbird-with-zitadel#step-4-create-a-service-user"
+
+  echo ""
+  printf "configuring zitadel instance: $INSTANCE_URL \n \
+  before proceeding, please create a new service account for authorization by following the instructions (step 4 and 5
+  ) in the documentation at %s\n" "$DOC_URL"
+  echo "Please ensure that the new service account has 'Org Owner' permission in order for this to work."
+  echo ""
+
+  read -n 1 -s -r -p "press any key to continue..."
+  echo ""
+
+  # prompt the user to enter service account clientID
+  echo ""
+  read -r -p "enter service account ClientId: " ZITADEL_CLIENT_ID
+  echo ""
+
+  # Prompt the user to enter service account clientSecret
+  read -r -p "enter service account ClientSecret: " ZITADEL_CLIENT_SECRET
+  echo ""
+
+  # get an access token from zitadel
+  echo "retrieving access token from zitadel"
+  ACCESS_TOKEN=$(request_jwt_token "$INSTANCE_URL")
+  if [ "$ACCESS_TOKEN" = "null" ]; then
+    echo "failed requesting access token"
+    exit 1
+  fi
+
+  #  create the zitadel project
+  echo "creating new zitadel project"
+  PROJECT_ID=$(create_new_project "$INSTANCE_URL" "$ACCESS_TOKEN")
+  if [ "$PROJECT_ID" = "null" ]; then
+    echo "failed creating new zitadel project"
+    exit 1
+  fi
+
+  ZITADEL_DEV_MODE=false
+  if [[ $NETBIRD_DOMAIN == *"localhost"* ]]; then
+    BASE_REDIRECT_URL="http://$NETBIRD_DOMAIN"
+    ZITADEL_DEV_MODE=true
+  else
+    BASE_REDIRECT_URL="https://$NETBIRD_DOMAIN"
+  fi
+
+  # create zitadel spa application
+  echo "creating new zitadel spa application"
+  APPLICATION_CLIENT_ID=$(create_new_application "$INSTANCE_URL" "$ACCESS_TOKEN")
+  if [ "$APPLICATION_CLIENT_ID" = "null" ]; then
+    echo "failed creating new zitadel spa application"
+    exit 1
+  fi
+}
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -139,14 +139,10 @@ type DefaultAccountManager struct {
 type Settings struct {
 	// PeerLoginExpirationEnabled globally enables or disables peer login expiration
 	PeerLoginExpirationEnabled bool
-
 	// PeerLoginExpiration is a setting that indicates when peer login expires.
 	// Applies to all peers that have Peer.LoginExpirationEnabled set to true.
 	PeerLoginExpiration time.Duration

-	// GroupsPropagationEnabled allows to propagate auto groups from the user to the peer
-	GroupsPropagationEnabled bool
-
 	// JWTGroupsEnabled allows extract groups from JWT claim, which name defined in the JWTGroupsClaimName
 	// and add it to account groups.
 	JWTGroupsEnabled bool
@@ -162,7 +158,6 @@ func (s *Settings) Copy() *Settings {
 		PeerLoginExpiration:        s.PeerLoginExpiration,
 		JWTGroupsEnabled:           s.JWTGroupsEnabled,
 		JWTGroupsClaimName:         s.JWTGroupsClaimName,
-		GroupsPropagationEnabled:   s.GroupsPropagationEnabled,
 	}
 }

@@ -629,96 +624,26 @@ func (a *Account) GetPeer(peerID string) *Peer {
 	return a.Peers[peerID]
 }

-// AddJWTGroups to account and to user autoassigned groups
-func (a *Account) AddJWTGroups(userID string, groups []string) bool {
-	user, ok := a.Users[userID]
-	if !ok {
-		return false
+// AddJWTGroups to existed groups if they does not exists
+func (a *Account) AddJWTGroups(groups []string) (int, error) {
+	existedGroups := make(map[string]*Group)
+	for _, g := range a.Groups {
+		existedGroups[g.Name] = g
 	}

-	existedGroupsByName := make(map[string]*Group)
-	for _, group := range a.Groups {
-		existedGroupsByName[group.Name] = group
-	}
-
-	autoGroups := make(map[string]struct{})
-	for _, groupID := range user.AutoGroups {
-		autoGroups[groupID] = struct{}{}
-	}
-
-	var modified bool
+	var count int
 	for _, name := range groups {
-		group, ok := existedGroupsByName[name]
-		if !ok {
-			group = &Group{
-				ID:     xid.New().String(),
+		if _, ok := existedGroups[name]; !ok {
+			id := xid.New().String()
+			a.Groups[id] = &Group{
+				ID:     id,
 				Name:   name,
 				Issued: GroupIssuedJWT,
 			}
-			a.Groups[group.ID] = group
-			modified = true
-		}
-		if _, ok := autoGroups[group.ID]; !ok {
-			if group.Issued == GroupIssuedJWT {
-				user.AutoGroups = append(user.AutoGroups, group.ID)
-				modified = true
-			}
+			count++
 		}
 	}
-
-	return modified
-}
-
-// UserGroupsAddToPeers adds groups to all peers of user
-func (a *Account) UserGroupsAddToPeers(userID string, groups ...string) {
-	userPeers := make(map[string]struct{})
-	for pid, peer := range a.Peers {
-		if peer.UserID == userID {
-			userPeers[pid] = struct{}{}
-		}
-	}
-
-	for _, gid := range groups {
-		group, ok := a.Groups[gid]
-		if !ok {
-			continue
-		}
-
-		groupPeers := make(map[string]struct{})
-		for _, pid := range group.Peers {
-			groupPeers[pid] = struct{}{}
-		}
-
-		for pid := range userPeers {
-			groupPeers[pid] = struct{}{}
-		}
-
-		group.Peers = group.Peers[:0]
-		for pid := range groupPeers {
-			group.Peers = append(group.Peers, pid)
-		}
-	}
-}
-
-// UserGroupsRemoveFromPeers removes groups from all peers of user
-func (a *Account) UserGroupsRemoveFromPeers(userID string, groups ...string) {
-	for _, gid := range groups {
-		group, ok := a.Groups[gid]
-		if !ok {
-			continue
-		}
-		update := make([]string, 0, len(group.Peers))
-		for _, pid := range group.Peers {
-			peer, ok := a.Peers[pid]
-			if !ok {
-				continue
-			}
-			if peer.UserID != userID {
-				update = append(update, pid)
-			}
-		}
-		group.Peers = update
-	}
+	return count, nil
 }

 // BuildManager creates a new DefaultAccountManager with a provided Store
@@ -1365,13 +1290,11 @@ func (am *DefaultAccountManager) GetAccountFromToken(claims jwtclaims.Authorizat
 						log.Errorf("JWT claim %q is not a string: %v", account.Settings.JWTGroupsClaimName, item)
 					}
 				}
-				// if groups were added or modified, save the account
-				if account.AddJWTGroups(claims.UserId, groups) {
-					if account.Settings.GroupsPropagationEnabled {
-						if user, err := account.FindUser(claims.UserId); err == nil {
-							account.UserGroupsAddToPeers(claims.UserId, append(user.AutoGroups, groups...)...)
-						}
-					}
+				n, err := account.AddJWTGroups(groups)
+				if err != nil {
+					log.Errorf("failed to add JWT groups: %v", err)
+				}
+				if n > 0 {
 					if err := am.Store.SaveAccount(account); err != nil {
 						log.Errorf("failed to save account: %v", err)
 					}
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -216,6 +216,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 		assert.Len(t, networkMap.Peers, len(testCase.expectedPeers))
 		assert.Len(t, networkMap.OfflinePeers, len(testCase.expectedOfflinePeers))
 	}
+
 }

 func TestNewAccount(t *testing.T) {
@@ -1930,120 +1931,6 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 	}
 }

-func TestAccount_AddJWTGroups(t *testing.T) {
-	// create a new account
-	account := &Account{
-		Peers: map[string]*Peer{
-			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
-			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
-			"peer3": {ID: "peer3", Key: "key3", UserID: "user1"},
-			"peer4": {ID: "peer4", Key: "key4", UserID: "user2"},
-			"peer5": {ID: "peer5", Key: "key5", UserID: "user2"},
-		},
-		Groups: map[string]*Group{
-			"group1": {ID: "group1", Name: "group1", Issued: GroupIssuedAPI, Peers: []string{}},
-		},
-		Settings: &Settings{GroupsPropagationEnabled: true},
-		Users: map[string]*User{
-			"user1": {Id: "user1"},
-			"user2": {Id: "user2"},
-		},
-	}
-
-	t.Run("api group already exists", func(t *testing.T) {
-		updated := account.AddJWTGroups("user1", []string{"group1"})
-		assert.False(t, updated, "account should not be updated")
-		assert.Empty(t, account.Users["user1"].AutoGroups, "auto groups must be empty")
-	})
-
-	t.Run("add jwt group", func(t *testing.T) {
-		updated := account.AddJWTGroups("user1", []string{"group1", "group2"})
-		assert.True(t, updated, "account should be updated")
-		assert.Len(t, account.Groups, 2, "new group should be added")
-		assert.Len(t, account.Users["user1"].AutoGroups, 1, "new group should be added")
-		assert.Contains(t, account.Groups, account.Users["user1"].AutoGroups[0], "groups must contain group2 from user groups")
-	})
-
-	t.Run("existed group not update", func(t *testing.T) {
-		updated := account.AddJWTGroups("user1", []string{"group2"})
-		assert.False(t, updated, "account should not be updated")
-		assert.Len(t, account.Groups, 2, "groups count should not be changed")
-	})
-
-	t.Run("add new group", func(t *testing.T) {
-		updated := account.AddJWTGroups("user2", []string{"group1", "group3"})
-		assert.True(t, updated, "account should be updated")
-		assert.Len(t, account.Groups, 3, "new group should be added")
-		assert.Len(t, account.Users["user2"].AutoGroups, 1, "new group should be added")
-		assert.Contains(t, account.Groups, account.Users["user2"].AutoGroups[0], "groups must contain group3 from user groups")
-	})
-}
-
-func TestAccount_UserGroupsAddToPeers(t *testing.T) {
-	account := &Account{
-		Peers: map[string]*Peer{
-			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
-			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
-			"peer3": {ID: "peer3", Key: "key3", UserID: "user1"},
-			"peer4": {ID: "peer4", Key: "key4", UserID: "user2"},
-			"peer5": {ID: "peer5", Key: "key5", UserID: "user2"},
-		},
-		Groups: map[string]*Group{
-			"group1": {ID: "group1", Name: "group1", Issued: GroupIssuedAPI, Peers: []string{}},
-			"group2": {ID: "group2", Name: "group2", Issued: GroupIssuedAPI, Peers: []string{}},
-			"group3": {ID: "group3", Name: "group3", Issued: GroupIssuedAPI, Peers: []string{}},
-		},
-		Users: map[string]*User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
-	}
-
-	t.Run("add groups", func(t *testing.T) {
-		account.UserGroupsAddToPeers("user1", "group1", "group2")
-		assert.ElementsMatch(t, account.Groups["group1"].Peers, []string{"peer1", "peer2", "peer3"}, "group1 contains users peers")
-		assert.ElementsMatch(t, account.Groups["group2"].Peers, []string{"peer1", "peer2", "peer3"}, "group2 contains users peers")
-	})
-
-	t.Run("add same groups", func(t *testing.T) {
-		account.UserGroupsAddToPeers("user1", "group1", "group2")
-		assert.Len(t, account.Groups["group1"].Peers, 3, "peers amount in group1 didn't change")
-		assert.Len(t, account.Groups["group2"].Peers, 3, "peers amount in group2 didn't change")
-	})
-
-	t.Run("add second user peers", func(t *testing.T) {
-		account.UserGroupsAddToPeers("user2", "group2")
-		assert.ElementsMatch(t, account.Groups["group2"].Peers,
-			[]string{"peer1", "peer2", "peer3", "peer4", "peer5"}, "group2 contains first and second user peers")
-	})
-}
-
-func TestAccount_UserGroupsRemoveFromPeers(t *testing.T) {
-	account := &Account{
-		Peers: map[string]*Peer{
-			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
-			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
-			"peer3": {ID: "peer3", Key: "key3", UserID: "user1"},
-			"peer4": {ID: "peer4", Key: "key4", UserID: "user2"},
-			"peer5": {ID: "peer5", Key: "key5", UserID: "user2"},
-		},
-		Groups: map[string]*Group{
-			"group1": {ID: "group1", Name: "group1", Issued: GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3"}},
-			"group2": {ID: "group2", Name: "group2", Issued: GroupIssuedAPI, Peers: []string{"peer1", "peer2", "peer3", "peer4", "peer5"}},
-			"group3": {ID: "group3", Name: "group3", Issued: GroupIssuedAPI, Peers: []string{"peer4", "peer5"}},
-		},
-		Users: map[string]*User{"user1": {Id: "user1"}, "user2": {Id: "user2"}},
-	}
-
-	t.Run("remove groups", func(t *testing.T) {
-		account.UserGroupsRemoveFromPeers("user1", "group1", "group2")
-		assert.Empty(t, account.Groups["group1"].Peers, "remove all peers from group1")
-		assert.ElementsMatch(t, account.Groups["group2"].Peers, []string{"peer4", "peer5"}, "group2 contains only second users peers")
-	})
-
-	t.Run("remove group with no peers", func(t *testing.T) {
-		account.UserGroupsRemoveFromPeers("user1", "group3")
-		assert.Len(t, account.Groups["group3"].Peers, 2, "peers amount should not change")
-	})
-}
-
 func createManager(t *testing.T) (*DefaultAccountManager, error) {
 	store, err := createStore(t)
 	if err != nil {
--- a/management/server/http/accounts_handler.go
+++ b/management/server/http/accounts_handler.go
@@ -80,14 +80,12 @@ func (h *AccountsHandler) UpdateAccount(w http.ResponseWriter, r *http.Request)
 	if req.Settings.JwtGroupsEnabled != nil {
 		settings.JWTGroupsEnabled = *req.Settings.JwtGroupsEnabled
 	}
-	if req.Settings.GroupsPropagationEnabled != nil {
-		settings.GroupsPropagationEnabled = *req.Settings.GroupsPropagationEnabled
-	}
 	if req.Settings.JwtGroupsClaimName != nil {
 		settings.JWTGroupsClaimName = *req.Settings.JwtGroupsClaimName
 	}

 	updatedAccount, err := h.accountManager.UpdateAccountSettings(accountID, user.Id, settings)
+
 	if err != nil {
 		util.WriteError(err, w)
 		return
@@ -104,7 +102,6 @@ func toAccountResponse(account *server.Account) *api.Account {
 		Settings: api.AccountSettings{
 			PeerLoginExpiration:        int(account.Settings.PeerLoginExpiration.Seconds()),
 			PeerLoginExpirationEnabled: account.Settings.PeerLoginExpirationEnabled,
-			GroupsPropagationEnabled:   &account.Settings.GroupsPropagationEnabled,
 			JwtGroupsEnabled:           &account.Settings.JWTGroupsEnabled,
 			JwtGroupsClaimName:         &account.Settings.JWTGroupsClaimName,
 		},
--- a/management/server/http/accounts_handler_test.go
+++ b/management/server/http/accounts_handler_test.go
@@ -38,6 +38,7 @@ func initAccountsTestData(account *server.Account, admin *server.User) *Accounts
 				accCopy := account.Copy()
 				accCopy.UpdateSettings(newSettings)
 				return accCopy, nil
+
 			},
 		},
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
@@ -53,6 +54,7 @@ func initAccountsTestData(account *server.Account, admin *server.User) *Accounts
 }

 func TestAccounts_AccountsHandler(t *testing.T) {
+
 	accountID := "test_account"
 	adminUser := server.NewAdminUser("test_user")

@@ -92,7 +94,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:        int(time.Hour.Seconds()),
 				PeerLoginExpirationEnabled: false,
-				GroupsPropagationEnabled:   br(false),
 				JwtGroupsClaimName:         sr(""),
 				JwtGroupsEnabled:           br(false),
 			},
@@ -109,7 +110,6 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:        15552000,
 				PeerLoginExpirationEnabled: true,
-				GroupsPropagationEnabled:   br(false),
 				JwtGroupsClaimName:         sr(""),
 				JwtGroupsEnabled:           br(false),
 			},
@@ -126,30 +126,12 @@ func TestAccounts_AccountsHandler(t *testing.T) {
 			expectedSettings: api.AccountSettings{
 				PeerLoginExpiration:        15552000,
 				PeerLoginExpirationEnabled: false,
-				GroupsPropagationEnabled:   br(false),
 				JwtGroupsClaimName:         sr("roles"),
 				JwtGroupsEnabled:           br(true),
 			},
 			expectedArray: false,
 			expectedID:    accountID,
 		},
-		{
-			name:           "PutAccount OK wiht JWT Propagation",
-			expectedBody:   true,
-			requestType:    http.MethodPut,
-			requestPath:    "/api/accounts/" + accountID,
-			requestBody:    bytes.NewBufferString("{\"settings\": {\"peer_login_expiration\": 554400,\"peer_login_expiration_enabled\": true,\"jwt_groups_enabled\":true,\"jwt_groups_claim_name\":\"groups\",\"groups_propagation_enabled\":true}}"),
-			expectedStatus: http.StatusOK,
-			expectedSettings: api.AccountSettings{
-				PeerLoginExpiration:        554400,
-				PeerLoginExpirationEnabled: true,
-				GroupsPropagationEnabled:   br(true),
-				JwtGroupsClaimName:         sr("groups"),
-				JwtGroupsEnabled:           br(true),
-			},
-			expectedArray: false,
-			expectedID:    accountID,
-		},
 		{
 			name:           "Update account failure with high peer_login_expiration more than 180 days",
 			expectedBody:   true,
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -54,10 +54,6 @@ components:
          description: Period of time after which peer login expires (seconds).
          type: integer
          example: 43200
-        groups_propagation_enabled:
-          description: Allows propagate the new user auto groups to peers that belongs to the user
-          type: boolean
-          example: true
        jwt_groups_enabled:
          description: Allows extract groups from JWT claim and add it to account groups.
          type: boolean
@@ -331,7 +327,7 @@ components:
          type: string
          example: valid
        auto_groups:
-          description: List of group IDs to auto-assign to peers registered with this key
+          description: Setup key groups to auto-assign to peers registered with this key
          type: array
          items:
            type: string
@@ -373,15 +369,13 @@ components:
        expires_in:
          description: Expiration time in seconds
          type: integer
-          minimum: 86400
-          maximum: 31536000
-          example: 86400
+          example: 43200
        revoked:
          description: Setup key revocation status
          type: boolean
          example: false
        auto_groups:
-          description: List of group IDs to auto-assign to peers registered with this key
+          description: Setup key groups to auto-assign to peers registered with this key
          type: array
          items:
            type: string
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -129,9 +129,6 @@ type AccountRequest struct {

 // AccountSettings defines model for AccountSettings.
 type AccountSettings struct {
-	// GroupsPropagationEnabled Allows propagate the new user auto groups to peers that belongs to the user
-	GroupsPropagationEnabled *bool `json:"groups_propagation_enabled,omitempty"`
-
 	// JwtGroupsClaimName Name of the claim from which we extract groups names to add it to account groups.
 	JwtGroupsClaimName *string `json:"jwt_groups_claim_name,omitempty"`

@@ -684,7 +681,7 @@ type RuleRequest struct {

 // SetupKey defines model for SetupKey.
 type SetupKey struct {
-	// AutoGroups List of group IDs to auto-assign to peers registered with this key
+	// AutoGroups Setup key groups to auto-assign to peers registered with this key
 	AutoGroups []string `json:"auto_groups"`

 	// Expires Setup Key expiration date
@@ -726,7 +723,7 @@ type SetupKey struct {

 // SetupKeyRequest defines model for SetupKeyRequest.
 type SetupKeyRequest struct {
-	// AutoGroups List of group IDs to auto-assign to peers registered with this key
+	// AutoGroups Setup key groups to auto-assign to peers registered with this key
 	AutoGroups []string `json:"auto_groups"`

 	// ExpiresIn Expiration time in seconds
--- a/management/server/http/setupkeys_handler.go
+++ b/management/server/http/setupkeys_handler.go
@@ -60,13 +60,6 @@ func (h *SetupKeysHandler) CreateSetupKey(w http.ResponseWriter, r *http.Request

 	expiresIn := time.Duration(req.ExpiresIn) * time.Second

-	day := time.Hour * 24
-	year := day * 365
-	if expiresIn < day || expiresIn > year {
-		util.WriteError(status.Errorf(status.InvalidArgument, "expiresIn should be between 1 day and 365 days"), w)
-		return
-	}
-
 	if req.AutoGroups == nil {
 		req.AutoGroups = []string{}
 	}
--- a/management/server/http/setupkeys_handler_test.go
+++ b/management/server/http/setupkeys_handler_test.go
@@ -143,7 +143,7 @@ func TestSetupKeysHandlers(t *testing.T) {
 			requestType: http.MethodPost,
 			requestPath: "/api/setup-keys",
 			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf("{\"name\":\"%s\",\"type\":\"%s\",\"expires_in\":86400}", newSetupKey.Name, newSetupKey.Type))),
+				[]byte(fmt.Sprintf("{\"name\":\"%s\",\"type\":\"%s\"}", newSetupKey.Name, newSetupKey.Type))),
 			expectedStatus:   http.StatusOK,
 			expectedBody:     true,
 			expectedSetupKey: toResponseBody(newSetupKey),
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -260,6 +260,7 @@ func (am *DefaultAccountManager) inviteNewUser(accountID, userID string, invite
 	am.storeEvent(userID, newUser.Id, accountID, activity.UserInvited, nil)

 	return newUser.ToUserInfo(idpUser)
+
 }

 // GetUser looks up a user by provided authorization claims.
@@ -599,13 +600,6 @@ func (am *DefaultAccountManager) SaveUser(accountID, initiatorUserID string, upd
 		}
 	}

-	if update.AutoGroups != nil && account.Settings.GroupsPropagationEnabled {
-		removedGroups := difference(oldUser.AutoGroups, update.AutoGroups)
-		// need force update all auto groups in any case they will not be dublicated
-		account.UserGroupsAddToPeers(oldUser.Id, update.AutoGroups...)
-		account.UserGroupsRemoveFromPeers(oldUser.Id, removedGroups...)
-	}
-
 	if err = am.Store.SaveAccount(account); err != nil {
 		return nil, err
 	}
@@ -646,6 +640,7 @@ func (am *DefaultAccountManager) SaveUser(accountID, initiatorUserID string, upd
 				}
 			}
 		}
+
 	}()

 	if !isNil(am.idpManager) && !newUser.IsServiceUser {
Author	SHA1	Message	Date
Zoltan Papp	c92ca4a0dc	After add listener automatically trigger peer list change event	2023-08-02 16:20:09 +02:00
Zoltan Papp	b5affa1b12	Fix map reading	2023-08-01 12:15:45 +02:00
Zoltan Papp	9a418e8dbf	Fix build without import C	2023-08-01 10:31:03 +02:00
Zoltan Papp	337020bf59	Add forwarder logic	2023-08-01 10:15:44 +02:00