getting started changes for l4 proxy

.github/workflows/proto-version-check.yml

@@ -1,62 +0,0 @@
-name: Proto Version Check
-
-on:
-  pull_request:
-    paths:
-      - "**/*.pb.go"
-
-jobs:
-  check-proto-versions:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check for proto tool version changes
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const files = await github.paginate(github.rest.pulls.listFiles, {
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.issue.number,
-              per_page: 100,
-            });
-
-            const pbFiles = files.filter(f => f.filename.endsWith('.pb.go'));
-            const missingPatch = pbFiles.filter(f => !f.patch).map(f => f.filename);
-            if (missingPatch.length > 0) {
-              core.setFailed(
-                `Cannot inspect patch data for:\n` +
-                missingPatch.map(f => `- ${f}`).join('\n') +
-                `\nThis can happen with very large PRs. Verify proto versions manually.`
-              );
-              return;
-            }
-            const versionPattern = /^[+-]\s*\/\/\s+protoc(?:-gen-go)?\s+v[\d.]+/;
-            const violations = [];
-
-            for (const file of pbFiles) {
-              const changed = file.patch
-                .split('\n')
-                .filter(line => versionPattern.test(line));
-              if (changed.length > 0) {
-                violations.push({
-                  file: file.filename,
-                  lines: changed,
-                });
-              }
-            }
-
-            if (violations.length > 0) {
-              const details = violations.map(v =>
-                `${v.file}:\n${v.lines.map(l => '  ' + l).join('\n')}`
-              ).join('\n\n');
-
-              core.setFailed(
-                `Proto version strings changed in generated files.\n` +
-                `This usually means the wrong protoc or protoc-gen-go version was used.\n` +
-                `Regenerate with the matching tool versions.\n\n` +
-                details
-              );
-              return;
-            }
-
-            console.log('No proto version string changes detected');

.github/workflows/release.yml

@@ -9,7 +9,7 @@ on:
   pull_request:
 
 env:
-  SIGN_PIPE_VER: "v0.1.2"
+  SIGN_PIPE_VER: "v0.1.1"
   GORELEASER_VER: "v2.14.3"
   PRODUCT_NAME: "NetBird"
   COPYRIGHT: "NetBird GmbH"

client/Dockerfile

@@ -17,7 +17,6 @@ ENV \
     NETBIRD_BIN="/usr/local/bin/netbird" \
     NB_LOG_FILE="console,/var/log/netbird/client.log" \
     NB_DAEMON_ADDR="unix:///var/run/netbird.sock" \
-    NB_ENABLE_CAPTURE="false" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

client/Dockerfile-rootless

@@ -23,7 +23,6 @@ ENV \
     NB_DAEMON_ADDR="unix:///var/lib/netbird/netbird.sock" \
     NB_LOG_FILE="console,/var/lib/netbird/client.log" \
     NB_DISABLE_DNS="true" \
-    NB_ENABLE_CAPTURE="false" \
     NB_ENTRYPOINT_SERVICE_TIMEOUT="30"
 
 ENTRYPOINT [ "/usr/local/bin/netbird-entrypoint.sh" ]

client/cmd/capture.go

@@ -1,186 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"fmt"
-	"io"
-	"os"
-	"os/signal"
-	"path/filepath"
-	"strings"
-	"syscall"
-
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/durationpb"
-
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util/capture"
-)
-
-var captureCmd = &cobra.Command{
-	Use:   "capture",
-	Short: "Capture packets on the WireGuard interface",
-	Long: `Captures decrypted packets flowing through the WireGuard interface.
-
-Default output is human-readable text. Use --pcap or --output for pcap binary.
-Requires --enable-capture to be set at service install or reconfigure time.
-
-Examples:
-  netbird debug capture
-  netbird debug capture host 100.64.0.1 and port 443
-  netbird debug capture tcp
-  netbird debug capture icmp
-  netbird debug capture src host 10.0.0.1 and dst port 80
-  netbird debug capture -o capture.pcap
-  netbird debug capture --pcap | tshark -r -
-  netbird debug capture --pcap | tcpdump -r - -n`,
-	Args: cobra.ArbitraryArgs,
-	RunE: runCapture,
-}
-
-func init() {
-	debugCmd.AddCommand(captureCmd)
-
-	captureCmd.Flags().Bool("pcap", false, "Force pcap binary output (default when --output is set)")
-	captureCmd.Flags().BoolP("verbose", "v", false, "Show seq/ack, TTL, window, total length")
-	captureCmd.Flags().Bool("ascii", false, "Print payload as ASCII after each packet (useful for HTTP)")
-	captureCmd.Flags().Uint32("snap-len", 0, "Max bytes per packet (0 = full)")
-	captureCmd.Flags().DurationP("duration", "d", 0, "Capture duration (0 = until interrupted)")
-	captureCmd.Flags().StringP("output", "o", "", "Write pcap to file instead of stdout")
-}
-
-func runCapture(cmd *cobra.Command, args []string) error {
-	conn, err := getClient(cmd)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if err := conn.Close(); err != nil {
-			cmd.PrintErrf(errCloseConnection, err)
-		}
-	}()
-
-	client := proto.NewDaemonServiceClient(conn)
-
-	req, err := buildCaptureRequest(cmd, args)
-	if err != nil {
-		return err
-	}
-
-	ctx, cancel := signal.NotifyContext(cmd.Context(), syscall.SIGINT, syscall.SIGTERM)
-	defer cancel()
-
-	stream, err := client.StartCapture(ctx, req)
-	if err != nil {
-		return handleCaptureError(err)
-	}
-
-	// First Recv is the empty acceptance message from the server. If the
-	// device is unavailable (kernel WG, not connected, capture disabled),
-	// the server returns an error instead.
-	if _, err := stream.Recv(); err != nil {
-		return handleCaptureError(err)
-	}
-
-	out, cleanup, err := captureOutput(cmd)
-	if err != nil {
-		return err
-	}
-	defer cleanup()
-
-	if req.TextOutput {
-		cmd.PrintErrf("Capturing packets... Press Ctrl+C to stop.\n")
-	} else {
-		cmd.PrintErrf("Capturing packets (pcap)... Press Ctrl+C to stop.\n")
-	}
-
-	return streamCapture(ctx, cmd, stream, out)
-}
-
-func buildCaptureRequest(cmd *cobra.Command, args []string) (*proto.StartCaptureRequest, error) {
-	req := &proto.StartCaptureRequest{}
-
-	if len(args) > 0 {
-		expr := strings.Join(args, " ")
-		if _, err := capture.ParseFilter(expr); err != nil {
-			return nil, fmt.Errorf("invalid filter: %w", err)
-		}
-		req.FilterExpr = expr
-	}
-
-	if snap, _ := cmd.Flags().GetUint32("snap-len"); snap > 0 {
-		req.SnapLen = snap
-	}
-	if d, _ := cmd.Flags().GetDuration("duration"); d != 0 {
-		if d < 0 {
-			return nil, fmt.Errorf("duration must not be negative")
-		}
-		req.Duration = durationpb.New(d)
-	}
-	req.Verbose, _ = cmd.Flags().GetBool("verbose")
-	req.Ascii, _ = cmd.Flags().GetBool("ascii")
-
-	outPath, _ := cmd.Flags().GetString("output")
-	forcePcap, _ := cmd.Flags().GetBool("pcap")
-	req.TextOutput = !forcePcap && outPath == ""
-
-	return req, nil
-}
-
-func streamCapture(ctx context.Context, cmd *cobra.Command, stream proto.DaemonService_StartCaptureClient, out io.Writer) error {
-	for {
-		pkt, err := stream.Recv()
-		if err != nil {
-			if ctx.Err() != nil {
-				cmd.PrintErrf("\nCapture stopped.\n")
-				return nil //nolint:nilerr // user interrupted
-			}
-			if err == io.EOF {
-				cmd.PrintErrf("\nCapture finished.\n")
-				return nil
-			}
-			return handleCaptureError(err)
-		}
-		if _, err := out.Write(pkt.GetData()); err != nil {
-			return fmt.Errorf("write output: %w", err)
-		}
-	}
-}
-
-// captureOutput returns the writer for capture data and a cleanup function.
-func captureOutput(cmd *cobra.Command) (io.Writer, func(), error) {
-	outPath, _ := cmd.Flags().GetString("output")
-	if outPath == "" {
-		return os.Stdout, func() {
-			// no cleanup needed for stdout
-		}, nil
-	}
-
-	f, err := os.CreateTemp(filepath.Dir(outPath), filepath.Base(outPath)+".*.tmp")
-	if err != nil {
-		return nil, nil, fmt.Errorf("create output file: %w", err)
-	}
-	tmpPath := f.Name()
-	return f, func() {
-		if err := f.Close(); err != nil {
-			cmd.PrintErrf("close output file: %v\n", err)
-		}
-		if fi, err := os.Stat(tmpPath); err == nil && fi.Size() > 0 {
-			if err := os.Rename(tmpPath, outPath); err != nil {
-				cmd.PrintErrf("rename output file: %v\n", err)
-			} else {
-				cmd.PrintErrf("Wrote %s\n", outPath)
-			}
-		} else {
-			os.Remove(tmpPath)
-		}
-	}, nil
-}
-
-func handleCaptureError(err error) error {
-	if s, ok := status.FromError(err); ok {
-		return fmt.Errorf("%s", s.Message())
-	}
-	return err
-}

client/cmd/debug.go

@@ -9,7 +9,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/debug"
@@ -200,11 +199,9 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		cmd.Println("Log level set to trace.")
 	}
 
-	needsRestoreUp := false
 	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 		cmd.PrintErrf("Failed to bring service down: %v\n", status.Convert(err).Message())
 	} else {
-		needsRestoreUp = !stateWasDown
 		cmd.Println("netbird down")
 	}
 
@@ -220,7 +217,6 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
 		cmd.PrintErrf("Failed to bring service up: %v\n", status.Convert(err).Message())
 	} else {
-		needsRestoreUp = false
 		cmd.Println("netbird up")
 	}
 
@@ -240,50 +236,11 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		}()
 	}
 
-	captureStarted := false
-	if wantCapture, _ := cmd.Flags().GetBool("capture"); wantCapture {
-		captureTimeout := duration + 30*time.Second
-		const maxBundleCapture = 10 * time.Minute
-		if captureTimeout > maxBundleCapture {
-			captureTimeout = maxBundleCapture
-		}
-		_, err := client.StartBundleCapture(cmd.Context(), &proto.StartBundleCaptureRequest{
-			Timeout: durationpb.New(captureTimeout),
-		})
-		if err != nil {
-			cmd.PrintErrf("Failed to start packet capture: %v\n", status.Convert(err).Message())
-		} else {
-			captureStarted = true
-			cmd.Println("Packet capture started.")
-			// Safety: always stop on exit, even if the normal stop below runs too.
-			defer func() {
-				if captureStarted {
-					stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-					defer cancel()
-					if _, err := client.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
-						cmd.PrintErrf("Failed to stop packet capture: %v\n", err)
-					}
-				}
-			}()
-		}
-	}
-
 	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
 		return waitErr
 	}
 	cmd.Println("\nDuration completed")
 
-	if captureStarted {
-		stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if _, err := client.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
-			cmd.PrintErrf("Failed to stop packet capture: %v\n", err)
-		} else {
-			captureStarted = false
-			cmd.Println("Packet capture stopped.")
-		}
-	}
-
 	if cpuProfilingStarted {
 		if _, err := client.StopCPUProfile(cmd.Context(), &proto.StopCPUProfileRequest{}); err != nil {
 			cmd.PrintErrf("Failed to stop CPU profiling: %v\n", err)
@@ -307,14 +264,6 @@ func runForDuration(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
 	}
 
-	if needsRestoreUp {
-		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
-			cmd.PrintErrf("Failed to restore service up state: %v\n", status.Convert(err).Message())
-		} else {
-			cmd.Println("netbird up (restored)")
-		}
-	}
-
 	if stateWasDown {
 		if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
 			cmd.PrintErrf("Failed to restore service down state: %v\n", status.Convert(err).Message())
@@ -456,5 +405,4 @@ func init() {
 	forCmd.Flags().BoolVarP(&systemInfoFlag, "system-info", "S", true, "Adds system information to the debug bundle")
 	forCmd.Flags().BoolVarP(&uploadBundleFlag, "upload-bundle", "U", false, "Uploads the debug bundle to a server")
 	forCmd.Flags().StringVar(&uploadBundleURLFlag, "upload-bundle-url", types.DefaultBundleURL, "Service URL to get an URL to upload the debug bundle")
-	forCmd.Flags().Bool("capture", false, "Capture packets during the debug duration and include in bundle")
 }

client/cmd/expose.go

@@ -14,7 +14,6 @@ import (
 
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
 
 	"github.com/netbirdio/netbird/client/internal/expose"
 	"github.com/netbirdio/netbird/client/proto"
@@ -202,7 +201,7 @@ func exposeFn(cmd *cobra.Command, args []string) error {
 
 	stream, err := client.ExposeService(ctx, req)
 	if err != nil {
-		return fmt.Errorf("expose service: %v", status.Convert(err).Message())
+		return fmt.Errorf("expose service: %w", err)
 	}
 
 	if err := handleExposeReady(cmd, stream, port); err != nil {
@@ -237,7 +236,7 @@ func toExposeProtocol(exposeProtocol string) (proto.ExposeProtocol, error) {
 func handleExposeReady(cmd *cobra.Command, stream proto.DaemonService_ExposeServiceClient, port uint64) error {
 	event, err := stream.Recv()
 	if err != nil {
-		return fmt.Errorf("receive expose event: %v", status.Convert(err).Message())
+		return fmt.Errorf("receive expose event: %w", err)
 	}
 
 	ready, ok := event.Event.(*proto.ExposeServiceEvent_Ready)

client/cmd/root.go

@@ -75,7 +75,6 @@ var (
 	mtu                     uint16
 	profilesDisabled        bool
 	updateSettingsDisabled  bool
-	captureEnabled          bool
 
 	rootCmd = &cobra.Command{
 		Use:          "netbird",

client/cmd/service.go

@@ -44,7 +44,6 @@ func init() {
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd, svcStatusCmd, installCmd, uninstallCmd, reconfigureCmd, resetParamsCmd)
 	serviceCmd.PersistentFlags().BoolVar(&profilesDisabled, "disable-profiles", false, "Disables profiles feature. If enabled, the client will not be able to change or edit any profile. To persist this setting, use: netbird service install --disable-profiles")
 	serviceCmd.PersistentFlags().BoolVar(&updateSettingsDisabled, "disable-update-settings", false, "Disables update settings feature. If enabled, the client will not be able to change or edit any settings. To persist this setting, use: netbird service install --disable-update-settings")
-	serviceCmd.PersistentFlags().BoolVar(&captureEnabled, "enable-capture", false, "Enables packet capture via 'netbird debug capture'. To persist, use: netbird service install --enable-capture")
 
 	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	serviceEnvDesc := `Sets extra environment variables for the service. ` +

client/cmd/service_controller.go

@@ -61,7 +61,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}
 
-		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled, captureEnabled)
+		serverInstance := server.New(p.ctx, util.FindFirstLogPath(logFiles), configPath, profilesDisabled, updateSettingsDisabled)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}

client/cmd/service_installer.go

@@ -59,10 +59,6 @@ func buildServiceArguments() []string {
 		args = append(args, "--disable-update-settings")
 	}
 
-	if captureEnabled {
-		args = append(args, "--enable-capture")
-	}
-
 	return args
 }
 

client/cmd/service_params.go

@@ -28,7 +28,6 @@ type serviceParams struct {
 	LogFiles              []string          `json:"log_files,omitempty"`
 	DisableProfiles       bool              `json:"disable_profiles,omitempty"`
 	DisableUpdateSettings bool              `json:"disable_update_settings,omitempty"`
-	EnableCapture         bool              `json:"enable_capture,omitempty"`
 	ServiceEnvVars        map[string]string `json:"service_env_vars,omitempty"`
 }
 
@@ -79,7 +78,6 @@ func currentServiceParams() *serviceParams {
 		LogFiles:              logFiles,
 		DisableProfiles:       profilesDisabled,
 		DisableUpdateSettings: updateSettingsDisabled,
-		EnableCapture:         captureEnabled,
 	}
 
 	if len(serviceEnvVars) > 0 {
@@ -144,10 +142,6 @@ func applyServiceParams(cmd *cobra.Command, params *serviceParams) {
 		updateSettingsDisabled = params.DisableUpdateSettings
 	}
 
-	if !serviceCmd.PersistentFlags().Changed("enable-capture") {
-		captureEnabled = params.EnableCapture
-	}
-
 	applyServiceEnvParams(cmd, params)
 }
 

client/cmd/service_params_test.go

@@ -500,7 +500,6 @@ func fieldToGlobalVar(field string) string {
 		"LogFiles":              "logFiles",
 		"DisableProfiles":       "profilesDisabled",
 		"DisableUpdateSettings": "updateSettingsDisabled",
-		"EnableCapture":         "captureEnabled",
 		"ServiceEnvVars":        "serviceEnvVars",
 	}
 	if v, ok := m[field]; ok {

client/cmd/service_test.go

@@ -4,9 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
-	"os/signal"
 	"runtime"
-	"syscall"
 	"testing"
 	"time"
 
@@ -15,22 +13,6 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-// TestMain intercepts when this test binary is run as a daemon subprocess.
-// On FreeBSD, the rc.d service script runs the binary via daemon(8) -r with
-// "service run ..." arguments. Since the test binary can't handle cobra CLI
-// args, it exits immediately, causing daemon -r to respawn rapidly until
-// hitting the rate limit and exiting. This makes service restart unreliable.
-// Blocking here keeps the subprocess alive until the init system sends SIGTERM.
-func TestMain(m *testing.M) {
-	if len(os.Args) > 2 && os.Args[1] == "service" && os.Args[2] == "run" {
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, os.Interrupt)
-		<-sig
-		return
-	}
-	os.Exit(m.Run())
-}
-
 const (
 	serviceStartTimeout = 10 * time.Second
 	serviceStopTimeout  = 5 * time.Second
@@ -97,34 +79,6 @@ func TestServiceLifecycle(t *testing.T) {
 	logLevel = "info"
 	daemonAddr = fmt.Sprintf("unix://%s/netbird-test.sock", tempDir)
 
-	// Ensure cleanup even if a subtest fails and Stop/Uninstall subtests don't run.
-	t.Cleanup(func() {
-		cfg, err := newSVCConfig()
-		if err != nil {
-			t.Errorf("cleanup: create service config: %v", err)
-			return
-		}
-		ctxSvc, cancel := context.WithCancel(context.Background())
-		defer cancel()
-		s, err := newSVC(newProgram(ctxSvc, cancel), cfg)
-		if err != nil {
-			t.Errorf("cleanup: create service: %v", err)
-			return
-		}
-
-		// If the subtests already cleaned up, there's nothing to do.
-		if _, err := s.Status(); err != nil {
-			return
-		}
-
-		if err := s.Stop(); err != nil {
-			t.Errorf("cleanup: stop service: %v", err)
-		}
-		if err := s.Uninstall(); err != nil {
-			t.Errorf("cleanup: uninstall service: %v", err)
-		}
-	})
-
 	ctx := context.Background()
 
 	t.Run("Install", func(t *testing.T) {

client/cmd/testutil_test.go

@@ -152,7 +152,7 @@ func startClientDaemon(
 	s := grpc.NewServer()
 
 	server := client.New(ctx,
-		"", "", false, false, false)
+		"", "", false, false)
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}

client/embed/capture.go

@@ -1,65 +0,0 @@
-package embed
-
-import (
-	"io"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/util/capture"
-)
-
-// CaptureOptions configures a packet capture session.
-type CaptureOptions struct {
-	// Output receives pcap-formatted data. Nil disables pcap output.
-	Output io.Writer
-	// TextOutput receives human-readable packet summaries. Nil disables text output.
-	TextOutput io.Writer
-	// Filter is a BPF-like filter expression (e.g. "host 10.0.0.1 and tcp port 443").
-	// Empty captures all packets.
-	Filter string
-	// Verbose adds seq/ack, TTL, window, and total length to text output.
-	Verbose bool
-	// ASCII dumps transport payload as printable ASCII after each packet line.
-	ASCII bool
-}
-
-// CaptureStats reports capture session counters.
-type CaptureStats struct {
-	Packets int64
-	Bytes   int64
-	Dropped int64
-}
-
-// CaptureSession represents an active packet capture. Call Stop to end the
-// capture and flush buffered packets.
-type CaptureSession struct {
-	sess   *capture.Session
-	engine *internal.Engine
-}
-
-// Stop ends the capture, flushes remaining packets, and detaches from the device.
-// Safe to call multiple times.
-func (cs *CaptureSession) Stop() {
-	if cs.engine != nil {
-		_ = cs.engine.SetCapture(nil)
-		cs.engine = nil
-	}
-	if cs.sess != nil {
-		cs.sess.Stop()
-	}
-}
-
-// Stats returns current capture counters.
-func (cs *CaptureSession) Stats() CaptureStats {
-	s := cs.sess.Stats()
-	return CaptureStats{
-		Packets: s.Packets,
-		Bytes:   s.Bytes,
-		Dropped: s.Dropped,
-	}
-}
-
-// Done returns a channel that is closed when the capture's writer goroutine
-// has fully exited and all buffered packets have been flushed.
-func (cs *CaptureSession) Done() <-chan struct{} {
-	return cs.sess.Done()
-}

client/embed/embed.go

@@ -24,7 +24,6 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/shared/management/domain"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
-	"github.com/netbirdio/netbird/util/capture"
 )
 
 var (
@@ -66,7 +65,7 @@ type Options struct {
 	PrivateKey string
 	// ManagementURL overrides the default management server URL
 	ManagementURL string
-	// PreSharedKey is the pre-shared key for the tunnel interface
+	// PreSharedKey is the pre-shared key for the WireGuard interface
 	PreSharedKey string
 	// LogOutput is the output destination for logs (defaults to os.Stderr if nil)
 	LogOutput io.Writer
@@ -82,9 +81,9 @@ type Options struct {
 	DisableClientRoutes bool
 	// BlockInbound blocks all inbound connections from peers
 	BlockInbound bool
-	// WireguardPort is the port for the tunnel interface. Use 0 for a random port.
+	// WireguardPort is the port for the WireGuard interface. Use 0 for a random port.
 	WireguardPort *int
-	// MTU is the MTU for the tunnel interface.
+	// MTU is the MTU for the WireGuard interface.
 	// Valid values are in the range 576..8192 bytes.
 	// If non-nil, this value overrides any value stored in the config file.
 	// If nil, the existing config MTU (if non-zero) is preserved; otherwise it defaults to 1280.
@@ -470,52 +469,6 @@ func (c *Client) VerifySSHHostKey(peerAddress string, key []byte) error {
 	return sshcommon.VerifyHostKey(storedKey, key, peerAddress)
 }
 
-// StartCapture begins capturing packets on this client's tunnel device.
-// Only one capture can be active at a time; starting a new one stops the previous.
-// Call StopCapture (or CaptureSession.Stop) to end it.
-func (c *Client) StartCapture(opts CaptureOptions) (*CaptureSession, error) {
-	engine, err := c.getEngine()
-	if err != nil {
-		return nil, err
-	}
-
-	var matcher capture.Matcher
-	if opts.Filter != "" {
-		m, err := capture.ParseFilter(opts.Filter)
-		if err != nil {
-			return nil, fmt.Errorf("parse filter: %w", err)
-		}
-		matcher = m
-	}
-
-	sess, err := capture.NewSession(capture.Options{
-		Output:     opts.Output,
-		TextOutput: opts.TextOutput,
-		Matcher:    matcher,
-		Verbose:    opts.Verbose,
-		ASCII:      opts.ASCII,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("create capture session: %w", err)
-	}
-
-	if err := engine.SetCapture(sess); err != nil {
-		sess.Stop()
-		return nil, fmt.Errorf("set capture: %w", err)
-	}
-
-	return &CaptureSession{sess: sess, engine: engine}, nil
-}
-
-// StopCapture stops the active capture session if one is running.
-func (c *Client) StopCapture() error {
-	engine, err := c.getEngine()
-	if err != nil {
-		return err
-	}
-	return engine.SetCapture(nil)
-}
-
 // getEngine safely retrieves the engine from the client with proper locking.
 // Returns ErrClientNotStarted if the client is not started.
 // Returns ErrEngineNotStarted if the engine is not available.

client/firewall/create_linux.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"os"
-	"strconv"
 
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/google/nftables"
@@ -36,34 +35,20 @@ const SKIP_NFTABLES_ENV = "NB_SKIP_NFTABLES_CHECK"
 type FWType int
 
 func NewFirewall(iface IFaceMapper, stateManager *statemanager.Manager, flowLogger nftypes.FlowLogger, disableServerRoutes bool, mtu uint16) (firewall.Manager, error) {
-	// We run in userspace mode and force userspace firewall was requested. We don't attempt native firewall.
-	if iface.IsUserspaceBind() && forceUserspaceFirewall() {
-		log.Info("forcing userspace firewall")
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
-	}
-
-	// Use native firewall for either kernel or userspace, the interface appears identical to netfilter
+	// on the linux system we try to user nftables or iptables
+	// in any case, because we need to allow netbird interface traffic
+	// so we use AllowNetbird traffic from these firewall managers
+	// for the userspace packet filtering firewall
 	fm, err := createNativeFirewall(iface, stateManager, disableServerRoutes, mtu)
 
-	// Kernel cannot fall back to anything else, need to return error
 	if !iface.IsUserspaceBind() {
 		return fm, err
 	}
 
-	// Fall back to the userspace packet filter if native is unavailable
 	if err != nil {
 		log.Warnf("failed to create native firewall: %v. Proceeding with userspace", err)
-		return createUserspaceFirewall(iface, nil, disableServerRoutes, flowLogger, mtu)
 	}
-
-	// Native firewall handles packet filtering, but the userspace WireGuard bind
-	// needs a device filter for DNS interception hooks. Install a minimal
-	// hooks-only filter that passes all traffic through to the kernel firewall.
-	if err := iface.SetFilter(&uspfilter.HooksFilter{}); err != nil {
-		log.Warnf("failed to set hooks filter, DNS via memory hooks will not work: %v", err)
-	}
-
-	return fm, nil
+	return createUserspaceFirewall(iface, fm, disableServerRoutes, flowLogger, mtu)
 }
 
 func createNativeFirewall(iface IFaceMapper, stateManager *statemanager.Manager, routes bool, mtu uint16) (firewall.Manager, error) {
@@ -175,17 +160,3 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	_, err := client.ListChains("filter")
 	return err == nil
 }
-
-func forceUserspaceFirewall() bool {
-	val := os.Getenv(EnvForceUserspaceFirewall)
-	if val == "" {
-		return false
-	}
-
-	force, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s: %v", EnvForceUserspaceFirewall, err)
-		return false
-	}
-	return force
-}

client/firewall/iface.go

@@ -7,12 +7,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/wgaddr"
 )
 
-// EnvForceUserspaceFirewall forces the use of the userspace packet filter even when
-// native iptables/nftables is available. This only applies when the WireGuard interface
-// runs in userspace mode. When set, peer ACLs are handled by USPFilter instead of
-// kernel netfilter rules.
-const EnvForceUserspaceFirewall = "NB_FORCE_USERSPACE_FIREWALL"
-
 // IFaceMapper defines subset methods of interface required for manager
 type IFaceMapper interface {
 	Name() string

client/firewall/iptables/manager_linux.go

@@ -33,6 +33,7 @@ type Manager struct {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
+	IsUserspaceBind() bool
 }
 
 // Create iptables firewall manager
@@ -63,9 +64,10 @@ func Create(wgIface iFaceMapper, mtu uint16) (*Manager, error) {
 func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	state := &ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			NameStr:       m.wgIface.Name(),
+			WGAddress:     m.wgIface.Address(),
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}
 	stateManager.RegisterState(state)
@@ -201,10 +203,12 @@ func (m *Manager) Close(stateManager *statemanager.Manager) error {
 	return nberrors.FormatErrorOrNil(merr)
 }
 
-// AllowNetbird allows netbird interface traffic.
-// This is called when USPFilter wraps the native firewall, adding blanket accept
-// rules so that packet filtering is handled in userspace instead of by netfilter.
+// AllowNetbird allows netbird interface traffic
 func (m *Manager) AllowNetbird() error {
+	if !m.wgIface.IsUserspaceBind() {
+		return nil
+	}
+
 	_, err := m.AddPeerFiltering(
 		nil,
 		net.IP{0, 0, 0, 0},
@@ -282,22 +286,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 const (
 	chainNameRaw = "NETBIRD-RAW"
 	chainOUTPUT  = "OUTPUT"

client/firewall/iptables/manager_linux_test.go

@@ -47,6 +47,8 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }
 
+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestIptablesManager(t *testing.T) {
 	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 	require.NoError(t, err)

client/firewall/iptables/router_linux.go

@@ -36,7 +36,6 @@ const (
 	chainRTFWDOUT           = "NETBIRD-RT-FWD-OUT"
 	chainRTPRE              = "NETBIRD-RT-PRE"
 	chainRTRDR              = "NETBIRD-RT-RDR"
-	chainNATOutput          = "NETBIRD-NAT-OUTPUT"
 	chainRTMSSCLAMP         = "NETBIRD-RT-MSSCLAMP"
 	routingFinalForwardJump = "ACCEPT"
 	routingFinalNatJump     = "MASQUERADE"
@@ -44,7 +43,6 @@ const (
 	jumpManglePre  = "jump-mangle-pre"
 	jumpNatPre     = "jump-nat-pre"
 	jumpNatPost    = "jump-nat-post"
-	jumpNatOutput  = "jump-nat-output"
 	jumpMSSClamp   = "jump-mss-clamp"
 	markManglePre  = "mark-mangle-pre"
 	markManglePost = "mark-mangle-post"
@@ -389,14 +387,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 	}
 
 	log.Debug("flushing routing related tables")
-
-	// Remove jump rules from built-in chains before deleting custom chains,
-	// otherwise the chain deletion fails with "device or resource busy".
-	jumpRule := []string{"-j", chainNATOutput}
-	if err := r.iptablesClient.Delete(tableNat, "OUTPUT", jumpRule...); err != nil {
-		log.Debugf("clean OUTPUT jump rule: %v", err)
-	}
-
 	for _, chainInfo := range []struct {
 		chain string
 		table string
@@ -406,7 +396,6 @@ func (r *router) cleanUpDefaultForwardRules() error {
 		{chainRTPRE, tableMangle},
 		{chainRTNAT, tableNat},
 		{chainRTRDR, tableNat},
-		{chainNATOutput, tableNat},
 		{chainRTMSSCLAMP, tableMangle},
 	} {
 		ok, err := r.iptablesClient.ChainExists(chainInfo.table, chainInfo.chain)
@@ -981,81 +970,6 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 	return nil
 }
 
-// ensureNATOutputChain lazily creates the OUTPUT NAT chain and jump rule on first use.
-func (r *router) ensureNATOutputChain() error {
-	if _, exists := r.rules[jumpNatOutput]; exists {
-		return nil
-	}
-
-	chainExists, err := r.iptablesClient.ChainExists(tableNat, chainNATOutput)
-	if err != nil {
-		return fmt.Errorf("check chain %s: %w", chainNATOutput, err)
-	}
-	if !chainExists {
-		if err := r.iptablesClient.NewChain(tableNat, chainNATOutput); err != nil {
-			return fmt.Errorf("create chain %s: %w", chainNATOutput, err)
-		}
-	}
-
-	jumpRule := []string{"-j", chainNATOutput}
-	if err := r.iptablesClient.Insert(tableNat, "OUTPUT", 1, jumpRule...); err != nil {
-		if !chainExists {
-			if delErr := r.iptablesClient.ClearAndDeleteChain(tableNat, chainNATOutput); delErr != nil {
-				log.Warnf("failed to rollback chain %s: %v", chainNATOutput, delErr)
-			}
-		}
-		return fmt.Errorf("add OUTPUT jump rule: %w", err)
-	}
-	r.rules[jumpNatOutput] = jumpRule
-
-	r.updateState()
-	return nil
-}
-
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	if err := r.ensureNATOutputChain(); err != nil {
-		return err
-	}
-
-	dnatRule := []string{
-		"-p", strings.ToLower(string(protocol)),
-		"--dport", strconv.Itoa(int(sourcePort)),
-		"-d", localAddr.String(),
-		"-j", "DNAT",
-		"--to-destination", ":" + strconv.Itoa(int(targetPort)),
-	}
-
-	if err := r.iptablesClient.Append(tableNat, chainNATOutput, dnatRule...); err != nil {
-		return fmt.Errorf("add output DNAT rule: %w", err)
-	}
-	r.rules[ruleID] = dnatRule
-
-	r.updateState()
-	return nil
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if dnatRule, exists := r.rules[ruleID]; exists {
-		if err := r.iptablesClient.Delete(tableNat, chainNATOutput, dnatRule...); err != nil {
-			return fmt.Errorf("delete output DNAT rule: %w", err)
-		}
-		delete(r.rules, ruleID)
-	}
-
-	r.updateState()
-	return nil
-}
-
 func applyPort(flag string, port *firewall.Port) []string {
 	if port == nil {
 		return nil

client/firewall/iptables/state_linux.go

@@ -9,9 +9,10 @@ import (
 )
 
 type InterfaceState struct {
-	NameStr   string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	NameStr       string         `json:"name"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
+	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -22,6 +23,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }
 
+func (i *InterfaceState) IsUserspaceBind() bool {
+	return i.UserspaceBind
+}
+
 type ShutdownState struct {
 	sync.Mutex
 

client/firewall/manager/firewall.go

@@ -169,14 +169,6 @@ type Manager interface {
 	// RemoveInboundDNAT removes inbound DNAT rule
 	RemoveInboundDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
 
-	// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	AddOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
-	// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-	// localAddr must be IPv4; the underlying iptables/nftables backends are IPv4-only.
-	RemoveOutputDNAT(localAddr netip.Addr, protocol Protocol, sourcePort, targetPort uint16) error
-
 	// SetupEBPFProxyNoTrack creates static notrack rules for eBPF proxy loopback traffic.
 	// This prevents conntrack from interfering with WireGuard proxy communication.
 	SetupEBPFProxyNoTrack(proxyPort, wgPort uint16) error

client/firewall/nftables/manager_linux.go

@@ -40,6 +40,7 @@ func getTableName() string {
 type iFaceMapper interface {
 	Name() string
 	Address() wgaddr.Address
+	IsUserspaceBind() bool
 }
 
 // Manager of iptables firewall
@@ -105,9 +106,10 @@ func (m *Manager) Init(stateManager *statemanager.Manager) error {
 	// cleanup using Close() without needing to store specific rules.
 	if err := stateManager.UpdateState(&ShutdownState{
 		InterfaceState: &InterfaceState{
-			NameStr:   m.wgIface.Name(),
-			WGAddress: m.wgIface.Address(),
-			MTU:       m.router.mtu,
+			NameStr:       m.wgIface.Name(),
+			WGAddress:     m.wgIface.Address(),
+			UserspaceBind: m.wgIface.IsUserspaceBind(),
+			MTU:           m.router.mtu,
 		},
 	}); err != nil {
 		log.Errorf("failed to update state: %v", err)
@@ -203,10 +205,12 @@ func (m *Manager) RemoveNatRule(pair firewall.RouterPair) error {
 	return m.router.RemoveNatRule(pair)
 }
 
-// AllowNetbird allows netbird interface traffic.
-// This is called when USPFilter wraps the native firewall, adding blanket accept
-// rules so that packet filtering is handled in userspace instead of by netfilter.
+// AllowNetbird allows netbird interface traffic
 func (m *Manager) AllowNetbird() error {
+	if !m.wgIface.IsUserspaceBind() {
+		return nil
+	}
+
 	m.mutex.Lock()
 	defer m.mutex.Unlock()
 
@@ -342,22 +346,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.router.RemoveInboundDNAT(localAddr, protocol, sourcePort, targetPort)
 }
 
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	return m.router.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 const (
 	chainNameRawOutput     = "netbird-raw-out"
 	chainNameRawPrerouting = "netbird-raw-pre"

client/firewall/nftables/manager_linux_test.go

@@ -52,6 +52,8 @@ func (i *iFaceMock) Address() wgaddr.Address {
 	panic("AddressFunc is not set")
 }
 
+func (i *iFaceMock) IsUserspaceBind() bool { return false }
+
 func TestNftablesManager(t *testing.T) {
 
 	// just check on the local interface

client/firewall/nftables/router_linux.go

@@ -36,7 +36,6 @@ const (
 	chainNameRoutingFw     = "netbird-rt-fwd"
 	chainNameRoutingNat    = "netbird-rt-postrouting"
 	chainNameRoutingRdr    = "netbird-rt-redirect"
-	chainNameNATOutput     = "netbird-nat-output"
 	chainNameForward       = "FORWARD"
 	chainNameMangleForward = "netbird-mangle-forward"
 
@@ -1854,130 +1853,6 @@ func (r *router) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Proto
 	return nil
 }
 
-// ensureNATOutputChain lazily creates the OUTPUT NAT chain on first use.
-func (r *router) ensureNATOutputChain() error {
-	if _, exists := r.chains[chainNameNATOutput]; exists {
-		return nil
-	}
-
-	r.chains[chainNameNATOutput] = r.conn.AddChain(&nftables.Chain{
-		Name:     chainNameNATOutput,
-		Table:    r.workTable,
-		Hooknum:  nftables.ChainHookOutput,
-		Priority: nftables.ChainPriorityNATDest,
-		Type:     nftables.ChainTypeNAT,
-	})
-
-	if err := r.conn.Flush(); err != nil {
-		delete(r.chains, chainNameNATOutput)
-		return fmt.Errorf("create NAT output chain: %w", err)
-	}
-	return nil
-}
-
-// AddOutputDNAT adds an OUTPUT chain DNAT rule for locally-generated traffic.
-func (r *router) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	if _, exists := r.rules[ruleID]; exists {
-		return nil
-	}
-
-	if err := r.ensureNATOutputChain(); err != nil {
-		return err
-	}
-
-	protoNum, err := protoToInt(protocol)
-	if err != nil {
-		return fmt.Errorf("convert protocol to number: %w", err)
-	}
-
-	exprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{protoNum},
-		},
-		&expr.Payload{
-			DestRegister: 2,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(sourcePort),
-		},
-	}
-
-	exprs = append(exprs, applyPrefix(netip.PrefixFrom(localAddr, 32), false)...)
-
-	exprs = append(exprs,
-		&expr.Immediate{
-			Register: 1,
-			Data:     localAddr.AsSlice(),
-		},
-		&expr.Immediate{
-			Register: 2,
-			Data:     binaryutil.BigEndian.PutUint16(targetPort),
-		},
-		&expr.NAT{
-			Type:        expr.NATTypeDestNAT,
-			Family:      uint32(nftables.TableFamilyIPv4),
-			RegAddrMin:  1,
-			RegProtoMin: 2,
-		},
-	)
-
-	dnatRule := &nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainNameNATOutput],
-		Exprs:    exprs,
-		UserData: []byte(ruleID),
-	}
-	r.conn.AddRule(dnatRule)
-
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("add output DNAT rule: %w", err)
-	}
-
-	r.rules[ruleID] = dnatRule
-
-	return nil
-}
-
-// RemoveOutputDNAT removes an OUTPUT chain DNAT rule.
-func (r *router) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if err := r.refreshRulesMap(); err != nil {
-		return fmt.Errorf(refreshRulesMapError, err)
-	}
-
-	ruleID := fmt.Sprintf("output-dnat-%s-%s-%d-%d", localAddr.String(), protocol, sourcePort, targetPort)
-
-	rule, exists := r.rules[ruleID]
-	if !exists {
-		return nil
-	}
-
-	if rule.Handle == 0 {
-		log.Warnf("output DNAT rule %s has no handle, removing stale entry", ruleID)
-		delete(r.rules, ruleID)
-		return nil
-	}
-
-	if err := r.conn.DelRule(rule); err != nil {
-		return fmt.Errorf("delete output DNAT rule %s: %w", ruleID, err)
-	}
-	if err := r.conn.Flush(); err != nil {
-		return fmt.Errorf("flush delete output DNAT rule: %w", err)
-	}
-	delete(r.rules, ruleID)
-
-	return nil
-}
-
 // applyNetwork generates nftables expressions for networks (CIDR) or sets
 func (r *router) applyNetwork(
 	network firewall.Network,

client/firewall/nftables/state_linux.go

@@ -8,9 +8,10 @@ import (
 )
 
 type InterfaceState struct {
-	NameStr   string         `json:"name"`
-	WGAddress wgaddr.Address `json:"wg_address"`
-	MTU       uint16         `json:"mtu"`
+	NameStr       string         `json:"name"`
+	WGAddress     wgaddr.Address `json:"wg_address"`
+	UserspaceBind bool           `json:"userspace_bind"`
+	MTU           uint16         `json:"mtu"`
 }
 
 func (i *InterfaceState) Name() string {
@@ -21,6 +22,10 @@ func (i *InterfaceState) Address() wgaddr.Address {
 	return i.WGAddress
 }
 
+func (i *InterfaceState) IsUserspaceBind() bool {
+	return i.UserspaceBind
+}
+
 type ShutdownState struct {
 	InterfaceState *InterfaceState `json:"interface_state,omitempty"`
 }

client/firewall/uspfilter/common/hooks.go

@@ -1,37 +0,0 @@
-package common
-
-import (
-	"net/netip"
-	"sync/atomic"
-)
-
-// PacketHook stores a registered hook for a specific IP:port.
-type PacketHook struct {
-	IP   netip.Addr
-	Port uint16
-	Fn   func([]byte) bool
-}
-
-// HookMatches checks if a packet's destination matches the hook and invokes it.
-func HookMatches(h *PacketHook, dstIP netip.Addr, dport uint16, packetData []byte) bool {
-	if h == nil {
-		return false
-	}
-	if h.IP == dstIP && h.Port == dport {
-		return h.Fn(packetData)
-	}
-	return false
-}
-
-// SetHook atomically stores a hook, handling nil removal.
-func SetHook(ptr *atomic.Pointer[PacketHook], ip netip.Addr, dPort uint16, hook func([]byte) bool) {
-	if hook == nil {
-		ptr.Store(nil)
-		return
-	}
-	ptr.Store(&PacketHook{
-		IP:   ip,
-		Port: dPort,
-		Fn:   hook,
-	})
-}

client/firewall/uspfilter/filter.go

@@ -115,13 +115,12 @@ type Manager struct {
 
 	localipmanager *localIPManager
 
-	udpTracker     *conntrack.UDPTracker
-	icmpTracker    *conntrack.ICMPTracker
-	tcpTracker     *conntrack.TCPTracker
-	forwarder      atomic.Pointer[forwarder.Forwarder]
-	pendingCapture atomic.Pointer[forwarder.PacketCapture]
-	logger         *nblog.Logger
-	flowLogger     nftypes.FlowLogger
+	udpTracker  *conntrack.UDPTracker
+	icmpTracker *conntrack.ICMPTracker
+	tcpTracker  *conntrack.TCPTracker
+	forwarder   atomic.Pointer[forwarder.Forwarder]
+	logger      *nblog.Logger
+	flowLogger  nftypes.FlowLogger
 
 	blockRule firewall.Rule
 
@@ -141,10 +140,6 @@ type Manager struct {
 	mtu             uint16
 	mssClampValue   uint16
 	mssClampEnabled bool
-
-	// Only one hook per protocol is supported. Outbound direction only.
-	udpHookOut atomic.Pointer[common.PacketHook]
-	tcpHookOut atomic.Pointer[common.PacketHook]
 }
 
 // decoder for packages
@@ -352,19 +347,6 @@ func (m *Manager) determineRouting() error {
 	return nil
 }
 
-// SetPacketCapture sets or clears packet capture on the forwarder endpoint.
-// This captures outbound response packets that bypass the FilteredDevice in netstack mode.
-func (m *Manager) SetPacketCapture(pc forwarder.PacketCapture) {
-	if pc == nil {
-		m.pendingCapture.Store(nil)
-	} else {
-		m.pendingCapture.Store(&pc)
-	}
-	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.SetCapture(pc)
-	}
-}
-
 // initForwarder initializes the forwarder, it disables routing on errors
 func (m *Manager) initForwarder() error {
 	if m.forwarder.Load() != nil {
@@ -384,10 +366,6 @@ func (m *Manager) initForwarder() error {
 		return fmt.Errorf("create forwarder: %w", err)
 	}
 
-	if pc := m.pendingCapture.Load(); pc != nil {
-		forwarder.SetCapture(*pc)
-	}
-
 	m.forwarder.Store(forwarder)
 
 	log.Debug("forwarder initialized")
@@ -616,8 +594,6 @@ func (m *Manager) resetState() {
 	maps.Clear(m.incomingRules)
 	maps.Clear(m.routeRulesMap)
 	m.routeRules = m.routeRules[:0]
-	m.udpHookOut.Store(nil)
-	m.tcpHookOut.Store(nil)
 
 	if m.udpTracker != nil {
 		m.udpTracker.Close()
@@ -632,7 +608,6 @@ func (m *Manager) resetState() {
 	}
 
 	if fwder := m.forwarder.Load(); fwder != nil {
-		fwder.SetCapture(nil)
 		fwder.Stop()
 	}
 
@@ -738,9 +713,6 @@ func (m *Manager) filterOutbound(packetData []byte, size int) bool {
 			return true
 		}
 	case layers.LayerTypeTCP:
-		if m.tcpHooksDrop(uint16(d.tcp.DstPort), dstIP, packetData) {
-			return true
-		}
 		// Clamp MSS on all TCP SYN packets, including those from local IPs.
 		// SNATed routed traffic may appear as local IP but still requires clamping.
 		if m.mssClampEnabled {
@@ -923,12 +895,39 @@ func (m *Manager) trackInbound(d *decoder, srcIP, dstIP netip.Addr, ruleID []byt
 	d.dnatOrigPort = 0
 }
 
+// udpHooksDrop checks if any UDP hooks should drop the packet
 func (m *Manager) udpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return common.HookMatches(m.udpHookOut.Load(), dstIP, dport, packetData)
-}
+	m.mutex.RLock()
+	defer m.mutex.RUnlock()
 
-func (m *Manager) tcpHooksDrop(dport uint16, dstIP netip.Addr, packetData []byte) bool {
-	return common.HookMatches(m.tcpHookOut.Load(), dstIP, dport, packetData)
+	// Check specific destination IP first
+	if rules, exists := m.outgoingRules[dstIP]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
+	}
+
+	// Check IPv4 unspecified address
+	if rules, exists := m.outgoingRules[netip.IPv4Unspecified()]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
+	}
+
+	// Check IPv6 unspecified address
+	if rules, exists := m.outgoingRules[netip.IPv6Unspecified()]; exists {
+		for _, rule := range rules {
+			if rule.udpHook != nil && portsMatch(rule.dPort, dport) {
+				return rule.udpHook(packetData)
+			}
+		}
+	}
+
+	return false
 }
 
 // filterInbound implements filtering logic for incoming packets.
@@ -1279,6 +1278,12 @@ func validateRule(ip netip.Addr, packetData []byte, rules map[string]PeerRule, d
 				return rule.mgmtId, rule.drop, true
 			}
 		case layers.LayerTypeUDP:
+			// if rule has UDP hook (and if we are here we match this rule)
+			// we ignore rule.drop and call this hook
+			if rule.udpHook != nil {
+				return rule.mgmtId, rule.udpHook(packetData), true
+			}
+
 			if portsMatch(rule.sPort, uint16(d.udp.SrcPort)) && portsMatch(rule.dPort, uint16(d.udp.DstPort)) {
 				return rule.mgmtId, rule.drop, true
 			}
@@ -1337,14 +1342,65 @@ func (m *Manager) ruleMatches(rule *RouteRule, srcAddr, dstAddr netip.Addr, prot
 	return sourceMatched
 }
 
-// SetUDPPacketHook sets the outbound UDP packet hook. Pass nil hook to remove.
-func (m *Manager) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	common.SetHook(&m.udpHookOut, ip, dPort, hook)
+// AddUDPPacketHook calls hook when UDP packet from given direction matched
+//
+// Hook function returns flag which indicates should be the matched package dropped or not
+func (m *Manager) AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string {
+	r := PeerRule{
+		id:         uuid.New().String(),
+		ip:         ip,
+		protoLayer: layers.LayerTypeUDP,
+		dPort:      &firewall.Port{Values: []uint16{dPort}},
+		ipLayer:    layers.LayerTypeIPv6,
+		udpHook:    hook,
+	}
+
+	if ip.Is4() {
+		r.ipLayer = layers.LayerTypeIPv4
+	}
+
+	m.mutex.Lock()
+	if in {
+		// Incoming UDP hooks are stored in allow rules map
+		if _, ok := m.incomingRules[r.ip]; !ok {
+			m.incomingRules[r.ip] = make(map[string]PeerRule)
+		}
+		m.incomingRules[r.ip][r.id] = r
+	} else {
+		if _, ok := m.outgoingRules[r.ip]; !ok {
+			m.outgoingRules[r.ip] = make(map[string]PeerRule)
+		}
+		m.outgoingRules[r.ip][r.id] = r
+	}
+	m.mutex.Unlock()
+
+	return r.id
 }
 
-// SetTCPPacketHook sets the outbound TCP packet hook. Pass nil hook to remove.
-func (m *Manager) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool) {
-	common.SetHook(&m.tcpHookOut, ip, dPort, hook)
+// RemovePacketHook removes packet hook by given ID
+func (m *Manager) RemovePacketHook(hookID string) error {
+	m.mutex.Lock()
+	defer m.mutex.Unlock()
+
+	// Check incoming hooks (stored in allow rules)
+	for _, arr := range m.incomingRules {
+		for _, r := range arr {
+			if r.id == hookID {
+				delete(arr, r.id)
+				return nil
+			}
+		}
+	}
+	// Check outgoing hooks
+	for _, arr := range m.outgoingRules {
+		for _, r := range arr {
+			if r.id == hookID {
+				delete(arr, r.id)
+				return nil
+			}
+		}
+	}
+	return fmt.Errorf("hook with given id not found")
 }
 
 // SetLogLevel sets the log level for the firewall manager

client/firewall/uspfilter/filter_test.go

@@ -12,7 +12,6 @@ import (
 	"github.com/google/gopacket"
 	"github.com/google/gopacket/layers"
 	"github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	wgdevice "golang.zx2c4.com/wireguard/device"
 
@@ -187,52 +186,81 @@ func TestManagerDeleteRule(t *testing.T) {
 	}
 }
 
-func TestSetUDPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
+func TestAddUDPPacketHook(t *testing.T) {
+	tests := []struct {
+		name       string
+		in         bool
+		expDir     fw.RuleDirection
+		ip         netip.Addr
+		dPort      uint16
+		hook       func([]byte) bool
+		expectedID string
+	}{
+		{
+			name:   "Test Outgoing UDP Packet Hook",
+			in:     false,
+			expDir: fw.RuleDirectionOUT,
+			ip:     netip.MustParseAddr("10.168.0.1"),
+			dPort:  8000,
+			hook:   func([]byte) bool { return true },
+		},
+		{
+			name:   "Test Incoming UDP Packet Hook",
+			in:     true,
+			expDir: fw.RuleDirectionIN,
+			ip:     netip.MustParseAddr("::1"),
+			dPort:  9000,
+			hook:   func([]byte) bool { return false },
+		},
+	}
 
-	var called bool
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, func([]byte) bool {
-		called = true
-		return true
-	})
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			manager, err := Create(&IFaceMock{
+				SetFilterFunc: func(device.PacketFilter) error { return nil },
+			}, false, flowLogger, nbiface.DefaultMTU)
+			require.NoError(t, err)
 
-	h := manager.udpHookOut.Load()
-	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
-	assert.Equal(t, uint16(8000), h.Port)
-	assert.True(t, h.Fn(nil))
-	assert.True(t, called)
+			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
 
-	manager.SetUDPPacketHook(netip.MustParseAddr("10.168.0.1"), 8000, nil)
-	assert.Nil(t, manager.udpHookOut.Load())
-}
+			var addedRule PeerRule
+			if tt.in {
+				// Incoming UDP hooks are stored in allow rules map
+				if len(manager.incomingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules[tt.ip]))
+					return
+				}
+				for _, rule := range manager.incomingRules[tt.ip] {
+					addedRule = rule
+				}
+			} else {
+				if len(manager.outgoingRules[tt.ip]) != 1 {
+					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules[tt.ip]))
+					return
+				}
+				for _, rule := range manager.outgoingRules[tt.ip] {
+					addedRule = rule
+				}
+			}
 
-func TestSetTCPPacketHook(t *testing.T) {
-	manager, err := Create(&IFaceMock{
-		SetFilterFunc: func(device.PacketFilter) error { return nil },
-	}, false, flowLogger, nbiface.DefaultMTU)
-	require.NoError(t, err)
-	t.Cleanup(func() { require.NoError(t, manager.Close(nil)) })
-
-	var called bool
-	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, func([]byte) bool {
-		called = true
-		return true
-	})
-
-	h := manager.tcpHookOut.Load()
-	require.NotNil(t, h)
-	assert.Equal(t, netip.MustParseAddr("10.168.0.1"), h.IP)
-	assert.Equal(t, uint16(53), h.Port)
-	assert.True(t, h.Fn(nil))
-	assert.True(t, called)
-
-	manager.SetTCPPacketHook(netip.MustParseAddr("10.168.0.1"), 53, nil)
-	assert.Nil(t, manager.tcpHookOut.Load())
+			if tt.ip.Compare(addedRule.ip) != 0 {
+				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
+				return
+			}
+			if tt.dPort != addedRule.dPort.Values[0] {
+				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort.Values[0])
+				return
+			}
+			if layers.LayerTypeUDP != addedRule.protoLayer {
+				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
+				return
+			}
+			if addedRule.udpHook == nil {
+				t.Errorf("expected udpHook to be set")
+				return
+			}
+		})
+	}
 }
 
 // TestPeerRuleLifecycleDenyRules verifies that deny rules are correctly added
@@ -502,12 +530,39 @@ func TestRemovePacketHook(t *testing.T) {
 		require.NoError(t, manager.Close(nil))
 	}()
 
-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, func([]byte) bool { return true })
+	// Add a UDP packet hook
+	hookFunc := func(data []byte) bool { return true }
+	hookID := manager.AddUDPPacketHook(false, netip.MustParseAddr("192.168.0.1"), 8080, hookFunc)
 
-	require.NotNil(t, manager.udpHookOut.Load(), "hook should be registered")
+	// Assert the hook is added by finding it in the manager's outgoing rules
+	found := false
+	for _, arr := range manager.outgoingRules {
+		for _, rule := range arr {
+			if rule.id == hookID {
+				found = true
+				break
+			}
+		}
+	}
 
-	manager.SetUDPPacketHook(netip.MustParseAddr("192.168.0.1"), 8080, nil)
-	assert.Nil(t, manager.udpHookOut.Load(), "hook should be removed")
+	if !found {
+		t.Fatalf("The hook was not added properly.")
+	}
+
+	// Now remove the packet hook
+	err = manager.RemovePacketHook(hookID)
+	if err != nil {
+		t.Fatalf("Failed to remove hook: %s", err)
+	}
+
+	// Assert the hook is removed by checking it in the manager's outgoing rules
+	for _, arr := range manager.outgoingRules {
+		for _, rule := range arr {
+			if rule.id == hookID {
+				t.Fatalf("The hook was not removed properly.")
+			}
+		}
+	}
 }
 
 func TestProcessOutgoingHooks(t *testing.T) {
@@ -537,7 +592,8 @@ func TestProcessOutgoingHooks(t *testing.T) {
 	}
 
 	hookCalled := false
-	manager.SetUDPPacketHook(
+	hookID := manager.AddUDPPacketHook(
+		false,
 		netip.MustParseAddr("100.10.0.100"),
 		53,
 		func([]byte) bool {
@@ -545,6 +601,7 @@ func TestProcessOutgoingHooks(t *testing.T) {
 			return true
 		},
 	)
+	require.NotEmpty(t, hookID)
 
 	// Create test UDP packet
 	ipv4 := &layers.IPv4{

client/firewall/uspfilter/forwarder/endpoint.go

@@ -12,19 +12,12 @@ import (
 	nblog "github.com/netbirdio/netbird/client/firewall/uspfilter/log"
 )
 
-// PacketCapture captures raw packets for debugging. Implementations must be
-// safe for concurrent use and must not block.
-type PacketCapture interface {
-	Offer(data []byte, outbound bool)
-}
-
 // endpoint implements stack.LinkEndpoint and handles integration with the wireguard device
 type endpoint struct {
 	logger     *nblog.Logger
 	dispatcher stack.NetworkDispatcher
 	device     *wgdevice.Device
 	mtu        atomic.Uint32
-	capture    atomic.Pointer[PacketCapture]
 }
 
 func (e *endpoint) Attach(dispatcher stack.NetworkDispatcher) {
@@ -61,17 +54,13 @@ func (e *endpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error)
 			continue
 		}
 
-		pktBytes := data.AsSlice()
-
+		// Send the packet through WireGuard
 		address := netHeader.DestinationAddress()
-		if err := e.device.CreateOutboundPacket(pktBytes, address.AsSlice()); err != nil {
+		err := e.device.CreateOutboundPacket(data.AsSlice(), address.AsSlice())
+		if err != nil {
 			e.logger.Error1("CreateOutboundPacket: %v", err)
 			continue
 		}
-
-		if pc := e.capture.Load(); pc != nil {
-			(*pc).Offer(pktBytes, true)
-		}
 		written++
 	}
 

client/firewall/uspfilter/forwarder/forwarder.go

@@ -139,16 +139,6 @@ func New(iface common.IFaceMapper, logger *nblog.Logger, flowLogger nftypes.Flow
 	return f, nil
 }
 
-// SetCapture sets or clears the packet capture on the forwarder endpoint.
-// This captures outbound packets that bypass the FilteredDevice (netstack forwarding).
-func (f *Forwarder) SetCapture(pc PacketCapture) {
-	if pc == nil {
-		f.endpoint.capture.Store(nil)
-		return
-	}
-	f.endpoint.capture.Store(&pc)
-}
-
 func (f *Forwarder) InjectIncomingPacket(payload []byte) error {
 	if len(payload) < header.IPv4MinimumSize {
 		return fmt.Errorf("packet too small: %d bytes", len(payload))

client/firewall/uspfilter/forwarder/icmp.go

@@ -270,9 +270,5 @@ func (f *Forwarder) injectICMPReply(id stack.TransportEndpointID, icmpPayload []
 		return 0
 	}
 
-	if pc := f.endpoint.capture.Load(); pc != nil {
-		(*pc).Offer(fullPacket, true)
-	}
-
 	return len(fullPacket)
 }

client/firewall/uspfilter/hooks_filter.go

@@ -1,90 +0,0 @@
-package uspfilter
-
-import (
-	"encoding/binary"
-	"net/netip"
-	"sync/atomic"
-
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/common"
-	"github.com/netbirdio/netbird/client/iface/device"
-)
-
-const (
-	ipv4HeaderMinLen = 20
-	ipv4ProtoOffset  = 9
-	ipv4FlagsOffset  = 6
-	ipv4DstOffset    = 16
-	ipProtoUDP       = 17
-	ipProtoTCP       = 6
-	ipv4FragOffMask  = 0x1fff
-	// dstPortOffset is the offset of the destination port within a UDP or TCP header.
-	dstPortOffset = 2
-)
-
-// HooksFilter is a minimal packet filter that only handles outbound DNS hooks.
-// It is installed on the WireGuard interface when the userspace bind is active
-// but a full firewall filter (Manager) is not needed because a native kernel
-// firewall (nftables/iptables) handles packet filtering.
-type HooksFilter struct {
-	udpHook atomic.Pointer[common.PacketHook]
-	tcpHook atomic.Pointer[common.PacketHook]
-}
-
-var _ device.PacketFilter = (*HooksFilter)(nil)
-
-// FilterOutbound checks outbound packets for DNS hook matches.
-// Only IPv4 packets matching the registered hook IP:port are intercepted.
-// IPv6 and non-IP packets pass through unconditionally.
-func (f *HooksFilter) FilterOutbound(packetData []byte, _ int) bool {
-	if len(packetData) < ipv4HeaderMinLen {
-		return false
-	}
-
-	// Only process IPv4 packets, let everything else pass through.
-	if packetData[0]>>4 != 4 {
-		return false
-	}
-
-	ihl := int(packetData[0]&0x0f) * 4
-	if ihl < ipv4HeaderMinLen || len(packetData) < ihl+4 {
-		return false
-	}
-
-	// Skip non-first fragments: they don't carry L4 headers.
-	flagsAndOffset := binary.BigEndian.Uint16(packetData[ipv4FlagsOffset : ipv4FlagsOffset+2])
-	if flagsAndOffset&ipv4FragOffMask != 0 {
-		return false
-	}
-
-	dstIP, ok := netip.AddrFromSlice(packetData[ipv4DstOffset : ipv4DstOffset+4])
-	if !ok {
-		return false
-	}
-
-	proto := packetData[ipv4ProtoOffset]
-	dstPort := binary.BigEndian.Uint16(packetData[ihl+dstPortOffset : ihl+dstPortOffset+2])
-
-	switch proto {
-	case ipProtoUDP:
-		return common.HookMatches(f.udpHook.Load(), dstIP, dstPort, packetData)
-	case ipProtoTCP:
-		return common.HookMatches(f.tcpHook.Load(), dstIP, dstPort, packetData)
-	default:
-		return false
-	}
-}
-
-// FilterInbound allows all inbound packets (native firewall handles filtering).
-func (f *HooksFilter) FilterInbound([]byte, int) bool {
-	return false
-}
-
-// SetUDPPacketHook registers the UDP packet hook.
-func (f *HooksFilter) SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
-	common.SetHook(&f.udpHook, ip, dPort, hook)
-}
-
-// SetTCPPacketHook registers the TCP packet hook.
-func (f *HooksFilter) SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func([]byte) bool) {
-	common.SetHook(&f.tcpHook, ip, dPort, hook)
-}

client/firewall/uspfilter/localip.go

@@ -144,8 +144,6 @@ func (m *localIPManager) UpdateLocalIPs(iface common.IFaceMapper) (err error) {
 	if err != nil {
 		log.Warnf("failed to get interfaces: %v", err)
 	} else {
-		// TODO: filter out down interfaces (net.FlagUp). Also handle the reverse
-		// case where an interface comes up between refreshes.
 		for _, intf := range interfaces {
 			m.processInterface(intf, &newIPv4Bitmap, ipv4Set, &ipv4Addresses)
 		}

client/firewall/uspfilter/nat.go

@@ -421,7 +421,6 @@ func (m *Manager) addPortRedirection(targetIP netip.Addr, protocol gopacket.Laye
 }
 
 // AddInboundDNAT adds an inbound DNAT rule redirecting traffic from NetBird peers to local services.
-// TODO: also delegate to nativeFirewall when available for kernel WG mode
 func (m *Manager) AddInboundDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
 	var layerType gopacket.LayerType
 	switch protocol {
@@ -467,22 +466,6 @@ func (m *Manager) RemoveInboundDNAT(localAddr netip.Addr, protocol firewall.Prot
 	return m.removePortRedirection(localAddr, layerType, sourcePort, targetPort)
 }
 
-// AddOutputDNAT delegates to the native firewall if available.
-func (m *Manager) AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if m.nativeFirewall == nil {
-		return fmt.Errorf("output DNAT not supported without native firewall")
-	}
-	return m.nativeFirewall.AddOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
-// RemoveOutputDNAT delegates to the native firewall if available.
-func (m *Manager) RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error {
-	if m.nativeFirewall == nil {
-		return nil
-	}
-	return m.nativeFirewall.RemoveOutputDNAT(localAddr, protocol, sourcePort, targetPort)
-}
-
 // translateInboundPortDNAT applies port-specific DNAT translation to inbound packets.
 func (m *Manager) translateInboundPortDNAT(packetData []byte, d *decoder, srcIP, dstIP netip.Addr) bool {
 	if !m.portDNATEnabled.Load() {

client/firewall/uspfilter/rule.go

@@ -18,7 +18,9 @@ type PeerRule struct {
 	protoLayer gopacket.LayerType
 	sPort      *firewall.Port
 	dPort      *firewall.Port
-	drop bool
+	drop       bool
+
+	udpHook func([]byte) bool
 }
 
 // ID returns the rule id

client/firewall/uspfilter/tracer_test.go

@@ -399,17 +399,21 @@ func TestTracePacket(t *testing.T) {
 		{
 			name: "UDPTraffic_WithHook",
 			setup: func(m *Manager) {
-				m.SetUDPPacketHook(netip.MustParseAddr("100.10.255.254"), 53, func([]byte) bool {
-					return true // drop (intercepted by hook)
-				})
+				hookFunc := func([]byte) bool {
+					return true
+				}
+				m.AddUDPPacketHook(true, netip.MustParseAddr("1.1.1.1"), 53, hookFunc)
 			},
 			packetBuilder: func() *PacketBuilder {
-				return createPacketBuilder("100.10.0.100", "100.10.255.254", "udp", 12345, 53, fw.RuleDirectionOUT)
+				return createPacketBuilder("1.1.1.1", "100.10.0.100", "udp", 12345, 53, fw.RuleDirectionIN)
 			},
 			expectedStages: []PacketStage{
 				StageReceived,
-				StageOutbound1to1NAT,
-				StageOutboundPortReverse,
+				StageInboundPortDNAT,
+				StageInbound1to1NAT,
+				StageConntrack,
+				StageRouting,
+				StagePeerACL,
 				StageCompleted,
 			},
 			expectedAllow: false,

client/iface/device/device_filter.go

@@ -3,7 +3,6 @@ package device
 import (
 	"net/netip"
 	"sync"
-	"sync/atomic"
 
 	"golang.zx2c4.com/wireguard/tun"
 )
@@ -16,25 +15,14 @@ type PacketFilter interface {
 	// FilterInbound filter incoming packets from external sources to host
 	FilterInbound(packetData []byte, size int) bool
 
-	// SetUDPPacketHook registers a hook for outbound UDP packets matching the given IP and port.
-	// Hook function returns true if the packet should be dropped.
-	// Only one UDP hook is supported; calling again replaces the previous hook.
-	// Pass nil hook to remove.
-	SetUDPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
+	// AddUDPPacketHook calls hook when UDP packet from given direction matched
+	//
+	// Hook function returns flag which indicates should be the matched package dropped or not.
+	// Hook function receives raw network packet data as argument.
+	AddUDPPacketHook(in bool, ip netip.Addr, dPort uint16, hook func(packet []byte) bool) string
 
-	// SetTCPPacketHook registers a hook for outbound TCP packets matching the given IP and port.
-	// Hook function returns true if the packet should be dropped.
-	// Only one TCP hook is supported; calling again replaces the previous hook.
-	// Pass nil hook to remove.
-	SetTCPPacketHook(ip netip.Addr, dPort uint16, hook func(packet []byte) bool)
-}
-
-// PacketCapture captures raw packets for debugging. Implementations must be
-// safe for concurrent use and must not block.
-type PacketCapture interface {
-	// Offer submits a packet for capture. outbound is true for packets
-	// leaving the host (Read path), false for packets arriving (Write path).
-	Offer(data []byte, outbound bool)
+	// RemovePacketHook removes hook by ID
+	RemovePacketHook(hookID string) error
 }
 
 // FilteredDevice to override Read or Write of packets
@@ -42,7 +30,6 @@ type FilteredDevice struct {
 	tun.Device
 
 	filter    PacketFilter
-	capture   atomic.Pointer[PacketCapture]
 	mutex     sync.RWMutex
 	closeOnce sync.Once
 }
@@ -73,25 +60,20 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 	if n, err = d.Device.Read(bufs, sizes, offset); err != nil {
 		return 0, err
 	}
-
 	d.mutex.RLock()
 	filter := d.filter
 	d.mutex.RUnlock()
 
-	if filter != nil {
-		for i := 0; i < n; i++ {
-			if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
-				bufs = append(bufs[:i], bufs[i+1:]...)
-				sizes = append(sizes[:i], sizes[i+1:]...)
-				n--
-				i--
-			}
-		}
+	if filter == nil {
+		return
 	}
 
-	if pc := d.capture.Load(); pc != nil {
-		for i := 0; i < n; i++ {
-			(*pc).Offer(bufs[i][offset:offset+sizes[i]], true)
+	for i := 0; i < n; i++ {
+		if filter.FilterOutbound(bufs[i][offset:offset+sizes[i]], sizes[i]) {
+			bufs = append(bufs[:i], bufs[i+1:]...)
+			sizes = append(sizes[:i], sizes[i+1:]...)
+			n--
+			i--
 		}
 	}
 
@@ -100,13 +82,6 @@ func (d *FilteredDevice) Read(bufs [][]byte, sizes []int, offset int) (n int, er
 
 // Write wraps write method with filtering feature
 func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
-	// Capture before filtering so dropped packets are still visible in captures.
-	if pc := d.capture.Load(); pc != nil {
-		for _, buf := range bufs {
-			(*pc).Offer(buf[offset:], false)
-		}
-	}
-
 	d.mutex.RLock()
 	filter := d.filter
 	d.mutex.RUnlock()
@@ -118,10 +93,9 @@ func (d *FilteredDevice) Write(bufs [][]byte, offset int) (int, error) {
 	filteredBufs := make([][]byte, 0, len(bufs))
 	dropped := 0
 	for _, buf := range bufs {
-		if filter.FilterInbound(buf[offset:], len(buf)) {
-			dropped++
-		} else {
+		if !filter.FilterInbound(buf[offset:], len(buf)) {
 			filteredBufs = append(filteredBufs, buf)
+			dropped++
 		}
 	}
 
@@ -136,14 +110,3 @@ func (d *FilteredDevice) SetFilter(filter PacketFilter) {
 	d.filter = filter
 	d.mutex.Unlock()
 }
-
-// SetCapture sets or clears the packet capture sink. Pass nil to disable.
-// Uses atomic store so the hot path (Read/Write) is a single pointer load
-// with no locking overhead when capture is off.
-func (d *FilteredDevice) SetCapture(pc PacketCapture) {
-	if pc == nil {
-		d.capture.Store(nil)
-		return
-	}
-	d.capture.Store(&pc)
-}

client/iface/device/device_filter_test.go

@@ -158,7 +158,7 @@ func TestDeviceWrapperRead(t *testing.T) {
 			t.Errorf("unexpected error: %v", err)
 			return
 		}
-		if n != 1 {
+		if n != 0 {
 			t.Errorf("expected n=1, got %d", n)
 			return
 		}

client/iface/mocks/filter.go

@@ -34,28 +34,18 @@ func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
 	return m.recorder
 }
 
-// SetUDPPacketHook mocks base method.
-func (m *MockPacketFilter) SetUDPPacketHook(arg0 netip.Addr, arg1 uint16, arg2 func([]byte) bool) {
+// AddUDPPacketHook mocks base method.
+func (m *MockPacketFilter) AddUDPPacketHook(arg0 bool, arg1 netip.Addr, arg2 uint16, arg3 func([]byte) bool) string {
 	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetUDPPacketHook", arg0, arg1, arg2)
+	ret := m.ctrl.Call(m, "AddUDPPacketHook", arg0, arg1, arg2, arg3)
+	ret0, _ := ret[0].(string)
+	return ret0
 }
 
-// SetUDPPacketHook indicates an expected call of SetUDPPacketHook.
-func (mr *MockPacketFilterMockRecorder) SetUDPPacketHook(arg0, arg1, arg2 interface{}) *gomock.Call {
+// AddUDPPacketHook indicates an expected call of AddUDPPacketHook.
+func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
 	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).SetUDPPacketHook), arg0, arg1, arg2)
-}
-
-// SetTCPPacketHook mocks base method.
-func (m *MockPacketFilter) SetTCPPacketHook(arg0 netip.Addr, arg1 uint16, arg2 func([]byte) bool) {
-	m.ctrl.T.Helper()
-	m.ctrl.Call(m, "SetTCPPacketHook", arg0, arg1, arg2)
-}
-
-// SetTCPPacketHook indicates an expected call of SetTCPPacketHook.
-func (mr *MockPacketFilterMockRecorder) SetTCPPacketHook(arg0, arg1, arg2 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetTCPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).SetTCPPacketHook), arg0, arg1, arg2)
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
 }
 
 // FilterInbound mocks base method.
@@ -85,3 +75,17 @@ func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}, arg1 an
 	mr.mock.ctrl.T.Helper()
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0, arg1)
 }
+
+// RemovePacketHook mocks base method.
+func (m *MockPacketFilter) RemovePacketHook(arg0 string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RemovePacketHook", arg0)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// RemovePacketHook indicates an expected call of RemovePacketHook.
+func (mr *MockPacketFilterMockRecorder) RemovePacketHook(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RemovePacketHook", reflect.TypeOf((*MockPacketFilter)(nil).RemovePacketHook), arg0)
+}

client/iface/mocks/iface/mocks/filter.go

@@ -0,0 +1,87 @@
+// Code generated by MockGen. DO NOT EDIT.
+// Source: github.com/netbirdio/netbird/client/iface (interfaces: PacketFilter)
+
+// Package mocks is a generated GoMock package.
+package mocks
+
+import (
+	net "net"
+	reflect "reflect"
+
+	gomock "github.com/golang/mock/gomock"
+)
+
+// MockPacketFilter is a mock of PacketFilter interface.
+type MockPacketFilter struct {
+	ctrl     *gomock.Controller
+	recorder *MockPacketFilterMockRecorder
+}
+
+// MockPacketFilterMockRecorder is the mock recorder for MockPacketFilter.
+type MockPacketFilterMockRecorder struct {
+	mock *MockPacketFilter
+}
+
+// NewMockPacketFilter creates a new mock instance.
+func NewMockPacketFilter(ctrl *gomock.Controller) *MockPacketFilter {
+	mock := &MockPacketFilter{ctrl: ctrl}
+	mock.recorder = &MockPacketFilterMockRecorder{mock}
+	return mock
+}
+
+// EXPECT returns an object that allows the caller to indicate expected use.
+func (m *MockPacketFilter) EXPECT() *MockPacketFilterMockRecorder {
+	return m.recorder
+}
+
+// AddUDPPacketHook mocks base method.
+func (m *MockPacketFilter) AddUDPPacketHook(arg0 bool, arg1 net.IP, arg2 uint16, arg3 func(*net.UDPAddr, []byte) bool) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "AddUDPPacketHook", arg0, arg1, arg2, arg3)
+}
+
+// AddUDPPacketHook indicates an expected call of AddUDPPacketHook.
+func (mr *MockPacketFilterMockRecorder) AddUDPPacketHook(arg0, arg1, arg2, arg3 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "AddUDPPacketHook", reflect.TypeOf((*MockPacketFilter)(nil).AddUDPPacketHook), arg0, arg1, arg2, arg3)
+}
+
+// FilterInbound mocks base method.
+func (m *MockPacketFilter) FilterInbound(arg0 []byte) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "FilterInbound", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// FilterInbound indicates an expected call of FilterInbound.
+func (mr *MockPacketFilterMockRecorder) FilterInbound(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterInbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterInbound), arg0)
+}
+
+// FilterOutbound mocks base method.
+func (m *MockPacketFilter) FilterOutbound(arg0 []byte) bool {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "FilterOutbound", arg0)
+	ret0, _ := ret[0].(bool)
+	return ret0
+}
+
+// FilterOutbound indicates an expected call of FilterOutbound.
+func (mr *MockPacketFilterMockRecorder) FilterOutbound(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "FilterOutbound", reflect.TypeOf((*MockPacketFilter)(nil).FilterOutbound), arg0)
+}
+
+// SetNetwork mocks base method.
+func (m *MockPacketFilter) SetNetwork(arg0 *net.IPNet) {
+	m.ctrl.T.Helper()
+	m.ctrl.Call(m, "SetNetwork", arg0)
+}
+
+// SetNetwork indicates an expected call of SetNetwork.
+func (mr *MockPacketFilterMockRecorder) SetNetwork(arg0 interface{}) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetNetwork", reflect.TypeOf((*MockPacketFilter)(nil).SetNetwork), arg0)
+}

client/internal/acl/manager_test.go

@@ -19,9 +19,6 @@ import (
 var flowLogger = netflow.NewManager(nil, []byte{}, nil).GetLogger()
 
 func TestDefaultManager(t *testing.T) {
-	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
-
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
@@ -138,7 +135,6 @@ func TestDefaultManager(t *testing.T) {
 func TestDefaultManagerStateless(t *testing.T) {
 	// stateless currently only in userspace, so we have to disable kernel
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 	t.Setenv("NB_DISABLE_CONNTRACK", "true")
 
 	networkMap := &mgmProto.NetworkMap{
@@ -198,7 +194,6 @@ func TestDefaultManagerStateless(t *testing.T) {
 // This tests the full ACL manager -> uspfilter integration.
 func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 
 	networkMap := &mgmProto.NetworkMap{
 		FirewallRules: []*mgmProto.FirewallRule{
@@ -263,7 +258,6 @@ func TestDenyRulesNotAccumulatedOnRepeatedApply(t *testing.T) {
 // up when they're removed from the network map in a subsequent update.
 func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()
@@ -345,7 +339,6 @@ func TestDenyRulesCleanedUpOnRemoval(t *testing.T) {
 // one added without leaking.
 func TestRuleUpdateChangingAction(t *testing.T) {
 	t.Setenv("NB_WG_KERNEL_DISABLED", "true")
-	t.Setenv(firewall.EnvForceUserspaceFirewall, "true")
 
 	ctrl := gomock.NewController(t)
 	defer ctrl.Finish()

client/internal/auth/auth.go

@@ -155,7 +155,7 @@ func (a *Auth) IsLoginRequired(ctx context.Context) (bool, error) {
 	var needsLogin bool
 
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
-		err := a.doMgmLogin(client, ctx, pubSSHKey)
+		_, _, err := a.doMgmLogin(client, ctx, pubSSHKey)
 		if isLoginNeeded(err) {
 			needsLogin = true
 			return nil
@@ -179,8 +179,8 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 	var isAuthError bool
 
 	err = a.withRetry(ctx, func(client *mgm.GrpcClient) error {
-		err := a.doMgmLogin(client, ctx, pubSSHKey)
-		if isRegistrationNeeded(err) {
+		serverKey, _, err := a.doMgmLogin(client, ctx, pubSSHKey)
+		if serverKey != nil && isRegistrationNeeded(err) {
 			log.Debugf("peer registration required")
 			_, err = a.registerPeer(client, ctx, setupKey, jwtToken, pubSSHKey)
 			if err != nil {
@@ -201,7 +201,13 @@ func (a *Auth) Login(ctx context.Context, setupKey string, jwtToken string) (err
 
 // getPKCEFlow retrieves PKCE authorization flow configuration and creates a flow instance
 func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, error) {
-	protoFlow, err := client.GetPKCEAuthorizationFlow()
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
+	protoFlow, err := client.GetPKCEAuthorizationFlow(*serverKey)
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find pkce flow, contact admin: %v", err)
@@ -240,7 +246,13 @@ func (a *Auth) getPKCEFlow(client *mgm.GrpcClient) (*PKCEAuthorizationFlow, erro
 
 // getDeviceFlow retrieves device authorization flow configuration and creates a flow instance
 func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow, error) {
-	protoFlow, err := client.GetDeviceAuthorizationFlow()
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
+	protoFlow, err := client.GetDeviceAuthorizationFlow(*serverKey)
 	if err != nil {
 		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
 			log.Warnf("server couldn't find device flow, contact admin: %v", err)
@@ -280,16 +292,28 @@ func (a *Auth) getDeviceFlow(client *mgm.GrpcClient) (*DeviceAuthorizationFlow,
 }
 
 // doMgmLogin performs the actual login operation with the management service
-func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) error {
+func (a *Auth) doMgmLogin(client *mgm.GrpcClient, ctx context.Context, pubSSHKey []byte) (*wgtypes.Key, *mgmProto.LoginResponse, error) {
+	serverKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, nil, err
+	}
+
 	sysInfo := system.GetInfo(ctx)
 	a.setSystemInfoFlags(sysInfo)
-	_, err := client.Login(sysInfo, pubSSHKey, a.config.DNSLabels)
-	return err
+	loginResp, err := client.Login(*serverKey, sysInfo, pubSSHKey, a.config.DNSLabels)
+	return serverKey, loginResp, err
 }
 
 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
 // Otherwise tries to register with the provided setupKey via command line.
 func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKey string, jwtToken string, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return nil, err
+	}
+
 	validSetupKey, err := uuid.Parse(setupKey)
 	if err != nil && jwtToken == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
@@ -298,7 +322,7 @@ func (a *Auth) registerPeer(client *mgm.GrpcClient, ctx context.Context, setupKe
 	log.Debugf("sending peer registration request to Management Service")
 	info := system.GetInfo(ctx)
 	a.setSystemInfoFlags(info)
-	loginResp, err := client.Register(validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
+	loginResp, err := client.Register(*serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey, a.config.DNSLabels)
 	if err != nil {
 		log.Errorf("failed registering peer %v", err)
 		return nil, err

client/internal/connect.go

@@ -111,7 +111,6 @@ func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
-	dnsAddresses []netip.AddrPort,
 	stateFilePath string,
 ) error {
 	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
@@ -121,7 +120,6 @@ func (c *ConnectClient) RunOniOS(
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
-		HostDNSAddresses:      dnsAddresses,
 		StateFilePath:         stateFilePath,
 	}
 	return c.run(mobileDependency, nil, "")
@@ -619,6 +617,12 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.NetbirdConfig, ourP
 
 // loginToManagement creates Management ServiceDependencies client, establishes a connection, logs-in and gets a global Netbird config (signal, turn, stun hosts, etc)
 func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte, config *profilemanager.Config) (*mgmProto.LoginResponse, error) {
+
+	serverPublicKey, err := client.GetServerPublicKey()
+	if err != nil {
+		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+	}
+
 	sysInfo := system.GetInfo(ctx)
 	sysInfo.SetFlags(
 		config.RosenpassEnabled,
@@ -637,7 +641,12 @@ func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte,
 		config.EnableSSHRemotePortForwarding,
 		config.DisableSSHAuth,
 	)
-	return client.Login(sysInfo, pubSSHKey, config.DNSLabels)
+	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey, config.DNSLabels)
+	if err != nil {
+		return nil, err
+	}
+
+	return loginResp, nil
 }
 
 func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {

client/internal/debug/debug.go

@@ -25,7 +25,6 @@ import (
 	"google.golang.org/protobuf/encoding/protojson"
 
 	"github.com/netbirdio/netbird/client/anonymize"
-	"github.com/netbirdio/netbird/client/configs"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/updater/installer"
@@ -53,7 +52,6 @@ resolved_domains.txt: Anonymized resolved domain IP addresses from the status re
 config.txt: Anonymized configuration information of the NetBird client.
 network_map.json: Anonymized sync response containing peer configurations, routes, DNS settings, and firewall rules.
 state.json: Anonymized client state dump containing netbird states for the active profile.
-service_params.json: Sanitized service install parameters (service.json). Sensitive environment variable values are masked. Only present when service.json exists.
 metrics.txt: Buffered client metrics in InfluxDB line protocol format. Only present when metrics collection is enabled. Peer identifiers are anonymized.
 mutex.prof: Mutex profiling information.
 goroutine.prof: Goroutine profiling information.
@@ -63,7 +61,6 @@ allocs.prof: Allocations profiling information.
 threadcreate.prof: Thread creation profiling information.
 cpu.prof: CPU profiling information.
 stack_trace.txt: Complete stack traces of all goroutines at the time of bundle creation.
-capture.pcap: Packet capture in pcap format. Only present when capture was running during bundle collection. Omitted from anonymized bundles because it contains raw decrypted packet data.
 
 
 Anonymization Process
@@ -236,7 +233,6 @@ type BundleGenerator struct {
 	syncResponse   *mgmProto.SyncResponse
 	logPath        string
 	cpuProfile     []byte
-	capturePath    string
 	refreshStatus  func() // Optional callback to refresh status before bundle generation
 	clientMetrics  MetricsExporter
 
@@ -259,8 +255,7 @@ type GeneratorDependencies struct {
 	SyncResponse   *mgmProto.SyncResponse
 	LogPath        string
 	CPUProfile     []byte
-	CapturePath    string
-	RefreshStatus  func()
+	RefreshStatus  func() // Optional callback to refresh status before bundle generation
 	ClientMetrics  MetricsExporter
 }
 
@@ -279,7 +274,6 @@ func NewBundleGenerator(deps GeneratorDependencies, cfg BundleConfig) *BundleGen
 		syncResponse:   deps.SyncResponse,
 		logPath:        deps.LogPath,
 		cpuProfile:     deps.CPUProfile,
-		capturePath:    deps.CapturePath,
 		refreshStatus:  deps.RefreshStatus,
 		clientMetrics:  deps.ClientMetrics,
 
@@ -349,10 +343,6 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add CPU profile to debug bundle: %v", err)
 	}
 
-	if err := g.addCaptureFile(); err != nil {
-		log.Errorf("failed to add capture file to debug bundle: %v", err)
-	}
-
 	if err := g.addStackTrace(); err != nil {
 		log.Errorf("failed to add stack trace to debug bundle: %v", err)
 	}
@@ -369,10 +359,6 @@ func (g *BundleGenerator) createArchive() error {
 		log.Errorf("failed to add corrupted state files to debug bundle: %v", err)
 	}
 
-	if err := g.addServiceParams(); err != nil {
-		log.Errorf("failed to add service params to debug bundle: %v", err)
-	}
-
 	if err := g.addMetrics(); err != nil {
 		log.Errorf("failed to add metrics to debug bundle: %v", err)
 	}
@@ -502,90 +488,6 @@ func (g *BundleGenerator) addConfig() error {
 	return nil
 }
 
-const (
-	serviceParamsFile    = "service.json"
-	serviceParamsBundle  = "service_params.json"
-	maskedValue          = "***"
-	envVarPrefix         = "NB_"
-	jsonKeyManagementURL = "management_url"
-	jsonKeyServiceEnv    = "service_env_vars"
-)
-
-var sensitiveEnvSubstrings = []string{"key", "token", "secret", "password", "credential"}
-
-// addServiceParams reads the service.json file and adds a sanitized version to the bundle.
-// Non-NB_ env vars and vars with sensitive names are masked. Other NB_ values are anonymized.
-func (g *BundleGenerator) addServiceParams() error {
-	path := filepath.Join(configs.StateDir, serviceParamsFile)
-
-	data, err := os.ReadFile(path)
-	if err != nil {
-		if os.IsNotExist(err) {
-			return nil
-		}
-		return fmt.Errorf("read service params: %w", err)
-	}
-
-	var params map[string]any
-	if err := json.Unmarshal(data, &params); err != nil {
-		return fmt.Errorf("parse service params: %w", err)
-	}
-
-	if g.anonymize {
-		if mgmtURL, ok := params[jsonKeyManagementURL].(string); ok && mgmtURL != "" {
-			params[jsonKeyManagementURL] = g.anonymizer.AnonymizeURI(mgmtURL)
-		}
-	}
-
-	g.sanitizeServiceEnvVars(params)
-
-	sanitizedData, err := json.MarshalIndent(params, "", "  ")
-	if err != nil {
-		return fmt.Errorf("marshal sanitized service params: %w", err)
-	}
-
-	if err := g.addFileToZip(bytes.NewReader(sanitizedData), serviceParamsBundle); err != nil {
-		return fmt.Errorf("add service params to zip: %w", err)
-	}
-
-	return nil
-}
-
-// sanitizeServiceEnvVars masks or anonymizes env var values in service params.
-// Non-NB_ vars and vars with sensitive names (key, token, etc.) are fully masked.
-// Other NB_ var values are passed through the anonymizer when anonymization is enabled.
-func (g *BundleGenerator) sanitizeServiceEnvVars(params map[string]any) {
-	envVars, ok := params[jsonKeyServiceEnv].(map[string]any)
-	if !ok {
-		return
-	}
-
-	sanitized := make(map[string]any, len(envVars))
-	for k, v := range envVars {
-		val, _ := v.(string)
-		switch {
-		case !strings.HasPrefix(k, envVarPrefix) || isSensitiveEnvVar(k):
-			sanitized[k] = maskedValue
-		case g.anonymize:
-			sanitized[k] = g.anonymizer.AnonymizeString(val)
-		default:
-			sanitized[k] = val
-		}
-	}
-	params[jsonKeyServiceEnv] = sanitized
-}
-
-// isSensitiveEnvVar returns true for env var names that may contain secrets.
-func isSensitiveEnvVar(key string) bool {
-	lower := strings.ToLower(key)
-	for _, s := range sensitiveEnvSubstrings {
-		if strings.Contains(lower, s) {
-			return true
-		}
-	}
-	return false
-}
-
 func (g *BundleGenerator) addCommonConfigFields(configContent *strings.Builder) {
 	configContent.WriteString("NetBird Client Configuration:\n\n")
 
@@ -683,29 +585,6 @@ func (g *BundleGenerator) addCPUProfile() error {
 	return nil
 }
 
-func (g *BundleGenerator) addCaptureFile() error {
-	if g.capturePath == "" {
-		return nil
-	}
-
-	if g.anonymize {
-		log.Info("skipping capture file in anonymized bundle (contains raw packet data)")
-		return nil
-	}
-
-	f, err := os.Open(g.capturePath)
-	if err != nil {
-		return fmt.Errorf("open capture file: %w", err)
-	}
-	defer f.Close()
-
-	if err := g.addFileToZip(f, "capture.pcap"); err != nil {
-		return fmt.Errorf("add capture file to zip: %w", err)
-	}
-
-	return nil
-}
-
 func (g *BundleGenerator) addStackTrace() error {
 	buf := make([]byte, 5242880) // 5 MB buffer
 	n := runtime.Stack(buf, true)

client/internal/debug/debug_test.go

@@ -1,12 +1,8 @@
 package debug
 
 import (
-	"archive/zip"
-	"bytes"
 	"encoding/json"
 	"net"
-	"os"
-	"path/filepath"
 	"strings"
 	"testing"
 
@@ -14,7 +10,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/netbirdio/netbird/client/anonymize"
-	"github.com/netbirdio/netbird/client/configs"
 	mgmProto "github.com/netbirdio/netbird/shared/management/proto"
 )
 
@@ -425,226 +420,6 @@ func TestAnonymizeNetworkMap(t *testing.T) {
 	}
 }
 
-func TestIsSensitiveEnvVar(t *testing.T) {
-	tests := []struct {
-		key       string
-		sensitive bool
-	}{
-		{"NB_SETUP_KEY", true},
-		{"NB_API_TOKEN", true},
-		{"NB_CLIENT_SECRET", true},
-		{"NB_PASSWORD", true},
-		{"NB_CREDENTIAL", true},
-		{"NB_LOG_LEVEL", false},
-		{"NB_MANAGEMENT_URL", false},
-		{"NB_HOSTNAME", false},
-		{"HOME", false},
-		{"PATH", false},
-	}
-	for _, tt := range tests {
-		t.Run(tt.key, func(t *testing.T) {
-			assert.Equal(t, tt.sensitive, isSensitiveEnvVar(tt.key))
-		})
-	}
-}
-
-func TestSanitizeServiceEnvVars(t *testing.T) {
-	tests := []struct {
-		name      string
-		anonymize bool
-		input     map[string]any
-		check     func(t *testing.T, params map[string]any)
-	}{
-		{
-			name:      "no env vars key",
-			anonymize: false,
-			input:     map[string]any{"management_url": "https://mgmt.example.com"},
-			check: func(t *testing.T, params map[string]any) {
-				t.Helper()
-				assert.Equal(t, "https://mgmt.example.com", params["management_url"], "non-env fields should be untouched")
-				_, ok := params[jsonKeyServiceEnv]
-				assert.False(t, ok, "service_env_vars should not be added")
-			},
-		},
-		{
-			name:      "non-NB vars are masked",
-			anonymize: false,
-			input: map[string]any{
-				jsonKeyServiceEnv: map[string]any{
-					"HOME":       "/root",
-					"PATH":       "/usr/bin",
-					"NB_LOG_LEVEL": "debug",
-				},
-			},
-			check: func(t *testing.T, params map[string]any) {
-				t.Helper()
-				env := params[jsonKeyServiceEnv].(map[string]any)
-				assert.Equal(t, maskedValue, env["HOME"], "non-NB_ var should be masked")
-				assert.Equal(t, maskedValue, env["PATH"], "non-NB_ var should be masked")
-				assert.Equal(t, "debug", env["NB_LOG_LEVEL"], "safe NB_ var should pass through")
-			},
-		},
-		{
-			name:      "sensitive NB vars are masked",
-			anonymize: false,
-			input: map[string]any{
-				jsonKeyServiceEnv: map[string]any{
-					"NB_SETUP_KEY":  "abc123",
-					"NB_API_TOKEN":  "tok_xyz",
-					"NB_LOG_LEVEL":  "info",
-				},
-			},
-			check: func(t *testing.T, params map[string]any) {
-				t.Helper()
-				env := params[jsonKeyServiceEnv].(map[string]any)
-				assert.Equal(t, maskedValue, env["NB_SETUP_KEY"], "sensitive NB_ var should be masked")
-				assert.Equal(t, maskedValue, env["NB_API_TOKEN"], "sensitive NB_ var should be masked")
-				assert.Equal(t, "info", env["NB_LOG_LEVEL"], "safe NB_ var should pass through")
-			},
-		},
-		{
-			name:      "safe NB vars anonymized when anonymize is true",
-			anonymize: true,
-			input: map[string]any{
-				jsonKeyServiceEnv: map[string]any{
-					"NB_MANAGEMENT_URL": "https://mgmt.example.com:443",
-					"NB_LOG_LEVEL":      "debug",
-					"NB_SETUP_KEY":      "secret",
-					"SOME_OTHER":        "val",
-				},
-			},
-			check: func(t *testing.T, params map[string]any) {
-				t.Helper()
-				env := params[jsonKeyServiceEnv].(map[string]any)
-				// Safe NB_ values should be anonymized (not the original, not masked)
-				mgmtVal := env["NB_MANAGEMENT_URL"].(string)
-				assert.NotEqual(t, "https://mgmt.example.com:443", mgmtVal, "should be anonymized")
-				assert.NotEqual(t, maskedValue, mgmtVal, "should not be masked")
-
-				logVal := env["NB_LOG_LEVEL"].(string)
-				assert.NotEqual(t, maskedValue, logVal, "safe NB_ var should not be masked")
-
-				// Sensitive and non-NB_ still masked
-				assert.Equal(t, maskedValue, env["NB_SETUP_KEY"])
-				assert.Equal(t, maskedValue, env["SOME_OTHER"])
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
-			g := &BundleGenerator{
-				anonymize:  tt.anonymize,
-				anonymizer: anonymizer,
-			}
-			g.sanitizeServiceEnvVars(tt.input)
-			tt.check(t, tt.input)
-		})
-	}
-}
-
-func TestAddServiceParams(t *testing.T) {
-	t.Run("missing service.json returns nil", func(t *testing.T) {
-		g := &BundleGenerator{
-			anonymizer: anonymize.NewAnonymizer(anonymize.DefaultAddresses()),
-		}
-
-		origStateDir := configs.StateDir
-		configs.StateDir = t.TempDir()
-		t.Cleanup(func() { configs.StateDir = origStateDir })
-
-		err := g.addServiceParams()
-		assert.NoError(t, err)
-	})
-
-	t.Run("management_url anonymized when anonymize is true", func(t *testing.T) {
-		dir := t.TempDir()
-		origStateDir := configs.StateDir
-		configs.StateDir = dir
-		t.Cleanup(func() { configs.StateDir = origStateDir })
-
-		input := map[string]any{
-			jsonKeyManagementURL: "https://api.example.com:443",
-			jsonKeyServiceEnv: map[string]any{
-				"NB_LOG_LEVEL": "trace",
-			},
-		}
-		data, err := json.Marshal(input)
-		require.NoError(t, err)
-		require.NoError(t, os.WriteFile(filepath.Join(dir, serviceParamsFile), data, 0600))
-
-		var buf bytes.Buffer
-		zw := zip.NewWriter(&buf)
-
-		g := &BundleGenerator{
-			anonymize:  true,
-			anonymizer: anonymize.NewAnonymizer(anonymize.DefaultAddresses()),
-			archive:    zw,
-		}
-
-		require.NoError(t, g.addServiceParams())
-		require.NoError(t, zw.Close())
-
-		zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
-		require.NoError(t, err)
-		require.Len(t, zr.File, 1)
-		assert.Equal(t, serviceParamsBundle, zr.File[0].Name)
-
-		rc, err := zr.File[0].Open()
-		require.NoError(t, err)
-		defer rc.Close()
-
-		var result map[string]any
-		require.NoError(t, json.NewDecoder(rc).Decode(&result))
-
-		mgmt := result[jsonKeyManagementURL].(string)
-		assert.NotEqual(t, "https://api.example.com:443", mgmt, "management_url should be anonymized")
-		assert.NotEmpty(t, mgmt)
-
-		env := result[jsonKeyServiceEnv].(map[string]any)
-		assert.NotEqual(t, maskedValue, env["NB_LOG_LEVEL"], "safe NB_ var should not be masked")
-	})
-
-	t.Run("management_url preserved when anonymize is false", func(t *testing.T) {
-		dir := t.TempDir()
-		origStateDir := configs.StateDir
-		configs.StateDir = dir
-		t.Cleanup(func() { configs.StateDir = origStateDir })
-
-		input := map[string]any{
-			jsonKeyManagementURL: "https://api.example.com:443",
-		}
-		data, err := json.Marshal(input)
-		require.NoError(t, err)
-		require.NoError(t, os.WriteFile(filepath.Join(dir, serviceParamsFile), data, 0600))
-
-		var buf bytes.Buffer
-		zw := zip.NewWriter(&buf)
-
-		g := &BundleGenerator{
-			anonymize:  false,
-			anonymizer: anonymize.NewAnonymizer(anonymize.DefaultAddresses()),
-			archive:    zw,
-		}
-
-		require.NoError(t, g.addServiceParams())
-		require.NoError(t, zw.Close())
-
-		zr, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
-		require.NoError(t, err)
-
-		rc, err := zr.File[0].Open()
-		require.NoError(t, err)
-		defer rc.Close()
-
-		var result map[string]any
-		require.NoError(t, json.NewDecoder(rc).Decode(&result))
-
-		assert.Equal(t, "https://api.example.com:443", result[jsonKeyManagementURL], "management_url should be preserved")
-	})
-}
-
 // Helper function to check if IP is in CGNAT range
 func isInCGNATRange(ip net.IP) bool {
 	cgnat := net.IPNet{

client/internal/dns/handler_chain.go

@@ -73,9 +73,6 @@ func (w *ResponseWriterChain) WriteMsg(m *dns.Msg) error {
 		return nil
 	}
 	w.response = m
-	if m.MsgHdr.Truncated {
-		w.SetMeta("truncated", "true")
-	}
 	return w.ResponseWriter.WriteMsg(m)
 }
 
@@ -198,14 +195,10 @@ func (c *HandlerChain) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 
 	startTime := time.Now()
 	requestID := resutil.GenerateRequestID()
-	fields := log.Fields{
+	logger := log.WithFields(log.Fields{
 		"request_id": requestID,
 		"dns_id":     fmt.Sprintf("%04x", r.Id),
-	}
-	if addr := w.RemoteAddr(); addr != nil {
-		fields["client"] = addr.String()
-	}
-	logger := log.WithFields(fields)
+	})
 
 	question := r.Question[0]
 	qname := strings.ToLower(question.Name)
@@ -268,9 +261,9 @@ func (c *HandlerChain) logResponse(logger *log.Entry, cw *ResponseWriterChain, q
 		meta += " " + k + "=" + v
 	}
 
-	logger.Tracef("response: domain=%s rcode=%s answers=%s size=%dB%s took=%s",
+	logger.Tracef("response: domain=%s rcode=%s answers=%s%s took=%s",
 		qname, dns.RcodeToString[cw.response.Rcode], resutil.FormatAnswers(cw.response.Answer),
-		cw.response.Len(), meta, time.Since(startTime))
+		meta, time.Since(startTime))
 }
 
 func (c *HandlerChain) isHandlerMatch(qname string, entry HandlerEntry) bool {

client/internal/dns/local/local_test.go

@@ -1263,9 +1263,9 @@ func TestLocalResolver_AuthoritativeFlag(t *testing.T) {
 	})
 }
 
-// TestLocalResolver_Stop tests cleanup on GracefullyStop
+// TestLocalResolver_Stop tests cleanup on Stop
 func TestLocalResolver_Stop(t *testing.T) {
-	t.Run("GracefullyStop clears all state", func(t *testing.T) {
+	t.Run("Stop clears all state", func(t *testing.T) {
 		resolver := NewResolver()
 		resolver.Update([]nbdns.CustomZone{{
 			Domain: "example.com.",
@@ -1285,7 +1285,7 @@ func TestLocalResolver_Stop(t *testing.T) {
 		assert.False(t, resolver.isInManagedZone("host.example.com."))
 	})
 
-	t.Run("GracefullyStop is safe to call multiple times", func(t *testing.T) {
+	t.Run("Stop is safe to call multiple times", func(t *testing.T) {
 		resolver := NewResolver()
 		resolver.Update([]nbdns.CustomZone{{
 			Domain: "example.com.",
@@ -1299,7 +1299,7 @@ func TestLocalResolver_Stop(t *testing.T) {
 		resolver.Stop()
 	})
 
-	t.Run("GracefullyStop cancels in-flight external resolution", func(t *testing.T) {
+	t.Run("Stop cancels in-flight external resolution", func(t *testing.T) {
 		resolver := NewResolver()
 
 		lookupStarted := make(chan struct{})

client/internal/dns/mock_server.go

@@ -90,11 +90,6 @@ func (m *MockServer) SetRouteChecker(func(netip.Addr) bool) {
 	// Mock implementation - no-op
 }
 
-// SetFirewall mock implementation of SetFirewall from Server interface
-func (m *MockServer) SetFirewall(Firewall) {
-	// Mock implementation - no-op
-}
-
 // BeginBatch mock implementation of BeginBatch from Server interface
 func (m *MockServer) BeginBatch() {
 	// Mock implementation - no-op

client/internal/dns/response_writer.go

@@ -104,23 +104,3 @@ func (r *responseWriter) TsigTimersOnly(bool) {
 // After a call to Hijack(), the DNS package will not do anything with the connection.
 func (r *responseWriter) Hijack() {
 }
-
-// remoteAddrFromPacket extracts the source IP:port from a decoded packet for logging.
-func remoteAddrFromPacket(packet gopacket.Packet) *net.UDPAddr {
-	var srcIP net.IP
-	if ipv4 := packet.Layer(layers.LayerTypeIPv4); ipv4 != nil {
-		srcIP = ipv4.(*layers.IPv4).SrcIP
-	} else if ipv6 := packet.Layer(layers.LayerTypeIPv6); ipv6 != nil {
-		srcIP = ipv6.(*layers.IPv6).SrcIP
-	}
-
-	var srcPort int
-	if udp := packet.Layer(layers.LayerTypeUDP); udp != nil {
-		srcPort = int(udp.(*layers.UDP).SrcPort)
-	}
-
-	if srcIP == nil {
-		return nil
-	}
-	return &net.UDPAddr{IP: srcIP, Port: srcPort}
-}

client/internal/dns/server.go

@@ -58,7 +58,6 @@ type Server interface {
 	UpdateServerConfig(domains dnsconfig.ServerDomains) error
 	PopulateManagementDomain(mgmtURL *url.URL) error
 	SetRouteChecker(func(netip.Addr) bool)
-	SetFirewall(Firewall)
 }
 
 type nsGroupsByDomain struct {
@@ -152,7 +151,7 @@ func NewDefaultServer(ctx context.Context, config DefaultServerConfig) (*Default
 	if config.WgInterface.IsUserspaceBind() {
 		dnsService = NewServiceViaMemory(config.WgInterface)
 	} else {
-		dnsService = newServiceViaListener(config.WgInterface, addrPort, nil)
+		dnsService = newServiceViaListener(config.WgInterface, addrPort)
 	}
 
 	server := newDefaultServer(ctx, config.WgInterface, dnsService, config.StatusRecorder, config.StateManager, config.DisableSys)
@@ -187,16 +186,11 @@ func NewDefaultServerIos(
 	ctx context.Context,
 	wgInterface WGIface,
 	iosDnsManager IosDnsManager,
-	hostsDnsList []netip.AddrPort,
 	statusRecorder *peer.Status,
 	disableSys bool,
 ) *DefaultServer {
-	log.Debugf("iOS host dns address list is: %v", hostsDnsList)
 	ds := newDefaultServer(ctx, wgInterface, NewServiceViaMemory(wgInterface), statusRecorder, nil, disableSys)
 	ds.iosDnsManager = iosDnsManager
-	ds.hostsDNSHolder.set(hostsDnsList)
-	ds.permanent = true
-	ds.addHostRootZone()
 	return ds
 }
 
@@ -380,17 +374,6 @@ func (s *DefaultServer) DnsIP() netip.Addr {
 	return s.service.RuntimeIP()
 }
 
-// SetFirewall sets the firewall used for DNS port DNAT rules.
-// This must be called before Initialize when using the listener-based service,
-// because the firewall is typically not available at construction time.
-func (s *DefaultServer) SetFirewall(fw Firewall) {
-	if svc, ok := s.service.(*serviceViaListener); ok {
-		svc.listenerFlagLock.Lock()
-		svc.firewall = fw
-		svc.listenerFlagLock.Unlock()
-	}
-}
-
 // Stop stops the server
 func (s *DefaultServer) Stop() {
 	s.probeMu.Lock()
@@ -412,12 +395,8 @@ func (s *DefaultServer) Stop() {
 	maps.Clear(s.extraDomains)
 }
 
-func (s *DefaultServer) disableDNS() (retErr error) {
-	defer func() {
-		if err := s.service.Stop(); err != nil {
-			retErr = errors.Join(retErr, fmt.Errorf("stop DNS service: %w", err))
-		}
-	}()
+func (s *DefaultServer) disableDNS() error {
+	defer s.service.Stop()
 
 	if s.isUsingNoopHostManager() {
 		return nil

client/internal/dns/server_test.go

@@ -476,8 +476,8 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 
 	packetfilter := pfmock.NewMockPacketFilter(ctrl)
 	packetfilter.EXPECT().FilterOutbound(gomock.Any(), gomock.Any()).AnyTimes()
-	packetfilter.EXPECT().SetUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
-	packetfilter.EXPECT().SetTCPPacketHook(gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes()
+	packetfilter.EXPECT().AddUDPPacketHook(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any())
+	packetfilter.EXPECT().RemovePacketHook(gomock.Any())
 
 	if err := wgIface.SetFilter(packetfilter); err != nil {
 		t.Errorf("set packet filter: %v", err)
@@ -1071,7 +1071,7 @@ func (m *mockHandler) ID() types.HandlerID                   { return types.Hand
 type mockService struct{}
 
 func (m *mockService) Listen() error                   { return nil }
-func (m *mockService) Stop() error                     { return nil }
+func (m *mockService) Stop()                           {}
 func (m *mockService) RuntimeIP() netip.Addr           { return netip.MustParseAddr("127.0.0.1") }
 func (m *mockService) RuntimePort() int                { return 53 }
 func (m *mockService) RegisterMux(string, dns.Handler) {}

client/internal/dns/service.go

@@ -4,25 +4,15 @@ import (
 	"net/netip"
 
 	"github.com/miekg/dns"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 )
 
 const (
 	DefaultPort = 53
 )
 
-// Firewall provides DNAT capabilities for DNS port redirection.
-// This is used when the DNS server cannot bind port 53 directly
-// and needs firewall rules to redirect traffic.
-type Firewall interface {
-	AddOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error
-	RemoveOutputDNAT(localAddr netip.Addr, protocol firewall.Protocol, sourcePort, targetPort uint16) error
-}
-
 type service interface {
 	Listen() error
-	Stop() error
+	Stop()
 	RegisterMux(domain string, handler dns.Handler)
 	DeregisterMux(key string)
 	RuntimePort() int

client/internal/dns/service_listener.go

@@ -10,13 +10,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 
-	nberrors "github.com/netbirdio/netbird/client/errors"
-
-	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/ebpf"
 	ebpfMgr "github.com/netbirdio/netbird/client/internal/ebpf/manager"
 )
@@ -35,33 +31,25 @@ type serviceViaListener struct {
 	dnsMux            *dns.ServeMux
 	customAddr        *netip.AddrPort
 	server            *dns.Server
-	tcpServer         *dns.Server
 	listenIP          netip.Addr
 	listenPort        uint16
 	listenerIsRunning bool
 	listenerFlagLock  sync.Mutex
 	ebpfService       ebpfMgr.Manager
-	firewall          Firewall
-	tcpDNATConfigured bool
 }
 
-func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort, fw Firewall) *serviceViaListener {
+func newServiceViaListener(wgIface WGIface, customAddr *netip.AddrPort) *serviceViaListener {
 	mux := dns.NewServeMux()
 
 	s := &serviceViaListener{
 		wgInterface: wgIface,
 		dnsMux:      mux,
 		customAddr:  customAddr,
-		firewall:    fw,
 		server: &dns.Server{
 			Net:     "udp",
 			Handler: mux,
 			UDPSize: 65535,
 		},
-		tcpServer: &dns.Server{
-			Net:     "tcp",
-			Handler: mux,
-		},
 	}
 
 	return s
@@ -82,86 +70,43 @@ func (s *serviceViaListener) Listen() error {
 		return fmt.Errorf("eval listen address: %w", err)
 	}
 	s.listenIP = s.listenIP.Unmap()
-	addr := net.JoinHostPort(s.listenIP.String(), strconv.Itoa(int(s.listenPort)))
-	s.server.Addr = addr
-	s.tcpServer.Addr = addr
-
-	log.Debugf("starting dns on %s (UDP + TCP)", addr)
-	s.listenerIsRunning = true
-
+	s.server.Addr = net.JoinHostPort(s.listenIP.String(), strconv.Itoa(int(s.listenPort)))
+	log.Debugf("starting dns on %s", s.server.Addr)
 	go func() {
-		if err := s.server.ListenAndServe(); err != nil {
-			log.Errorf("failed to run DNS UDP server on port %d: %v", s.listenPort, err)
-		}
+		s.setListenerStatus(true)
+		defer s.setListenerStatus(false)
 
-		s.listenerFlagLock.Lock()
-		unexpected := s.listenerIsRunning
-		s.listenerIsRunning = false
-		s.listenerFlagLock.Unlock()
-
-		if unexpected {
-			if err := s.tcpServer.Shutdown(); err != nil {
-				log.Debugf("failed to shutdown DNS TCP server: %v", err)
-			}
+		err := s.server.ListenAndServe()
+		if err != nil {
+			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.listenPort, err)
 		}
 	}()
 
-	go func() {
-		if err := s.tcpServer.ListenAndServe(); err != nil {
-			log.Errorf("failed to run DNS TCP server on port %d: %v", s.listenPort, err)
-		}
-	}()
-
-	// When eBPF redirects UDP port 53 to our listen port, TCP still needs
-	// a DNAT rule because eBPF only handles UDP.
-	if s.ebpfService != nil && s.firewall != nil && s.listenPort != DefaultPort {
-		if err := s.firewall.AddOutputDNAT(s.listenIP, firewall.ProtocolTCP, DefaultPort, s.listenPort); err != nil {
-			log.Warnf("failed to add DNS TCP DNAT rule, TCP DNS on port 53 will not work: %v", err)
-		} else {
-			s.tcpDNATConfigured = true
-			log.Infof("added DNS TCP DNAT rule: %s:%d -> %s:%d", s.listenIP, DefaultPort, s.listenIP, s.listenPort)
-		}
-	}
-
 	return nil
 }
 
-func (s *serviceViaListener) Stop() error {
+func (s *serviceViaListener) Stop() {
 	s.listenerFlagLock.Lock()
 	defer s.listenerFlagLock.Unlock()
 
 	if !s.listenerIsRunning {
-		return nil
+		return
 	}
-	s.listenerIsRunning = false
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	var merr *multierror.Error
-
-	if err := s.server.ShutdownContext(ctx); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("stop DNS UDP server: %w", err))
-	}
-
-	if err := s.tcpServer.ShutdownContext(ctx); err != nil {
-		merr = multierror.Append(merr, fmt.Errorf("stop DNS TCP server: %w", err))
-	}
-
-	if s.tcpDNATConfigured && s.firewall != nil {
-		if err := s.firewall.RemoveOutputDNAT(s.listenIP, firewall.ProtocolTCP, DefaultPort, s.listenPort); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("remove DNS TCP DNAT rule: %w", err))
-		}
-		s.tcpDNATConfigured = false
+	err := s.server.ShutdownContext(ctx)
+	if err != nil {
+		log.Errorf("stopping dns server listener returned an error: %v", err)
 	}
 
 	if s.ebpfService != nil {
-		if err := s.ebpfService.FreeDNSFwd(); err != nil {
-			merr = multierror.Append(merr, fmt.Errorf("stop traffic forwarder: %w", err))
+		err = s.ebpfService.FreeDNSFwd()
+		if err != nil {
+			log.Errorf("stopping traffic forwarder returned an error: %v", err)
 		}
 	}
-
-	return nberrors.FormatErrorOrNil(merr)
 }
 
 func (s *serviceViaListener) RegisterMux(pattern string, handler dns.Handler) {
@@ -188,6 +133,12 @@ func (s *serviceViaListener) RuntimeIP() netip.Addr {
 	return s.listenIP
 }
 
+func (s *serviceViaListener) setListenerStatus(running bool) {
+	s.listenerFlagLock.Lock()
+	defer s.listenerFlagLock.Unlock()
+
+	s.listenerIsRunning = running
+}
 
 // evalListenAddress figure out the listen address for the DNS server
 // first check the 53 port availability on WG interface or lo, if not success
@@ -236,28 +187,18 @@ func (s *serviceViaListener) testFreePort(port int) (netip.Addr, bool) {
 }
 
 func (s *serviceViaListener) tryToBind(ip netip.Addr, port int) bool {
-	addrPort := netip.AddrPortFrom(ip, uint16(port))
-
-	udpAddr := net.UDPAddrFromAddrPort(addrPort)
-	udpLn, err := net.ListenUDP("udp", udpAddr)
+	addrString := net.JoinHostPort(ip.String(), strconv.Itoa(port))
+	udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
+	probeListener, err := net.ListenUDP("udp", udpAddr)
 	if err != nil {
-		log.Warnf("binding dns UDP on %s is not available: %s", addrPort, err)
+		log.Warnf("binding dns on %s is not available, error: %s", addrString, err)
 		return false
 	}
-	if err := udpLn.Close(); err != nil {
-		log.Debugf("close UDP probe listener: %s", err)
-	}
 
-	tcpAddr := net.TCPAddrFromAddrPort(addrPort)
-	tcpLn, err := net.ListenTCP("tcp", tcpAddr)
+	err = probeListener.Close()
 	if err != nil {
-		log.Warnf("binding dns TCP on %s is not available: %s", addrPort, err)
-		return false
+		log.Errorf("got an error closing the probe listener, error: %s", err)
 	}
-	if err := tcpLn.Close(); err != nil {
-		log.Debugf("close TCP probe listener: %s", err)
-	}
-
 	return true
 }
 

client/internal/dns/service_listener_test.go

@@ -1,86 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-func TestServiceViaListener_TCPAndUDP(t *testing.T) {
-	handler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Answer = append(m.Answer, &dns.A{
-			Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("192.0.2.1"),
-		})
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	// Create a service using a custom address to avoid needing root
-	svc := newServiceViaListener(nil, nil, nil)
-	svc.dnsMux.Handle(".", handler)
-
-	// Bind both transports up front to avoid TOCTOU races.
-	udpAddr := net.UDPAddrFromAddrPort(netip.AddrPortFrom(customIP, 0))
-	udpConn, err := net.ListenUDP("udp", udpAddr)
-	if err != nil {
-		t.Skip("cannot bind to 127.0.0.153, skipping")
-	}
-	port := uint16(udpConn.LocalAddr().(*net.UDPAddr).Port)
-
-	tcpAddr := net.TCPAddrFromAddrPort(netip.AddrPortFrom(customIP, port))
-	tcpLn, err := net.ListenTCP("tcp", tcpAddr)
-	if err != nil {
-		udpConn.Close()
-		t.Skip("cannot bind TCP on same port, skipping")
-	}
-
-	addr := fmt.Sprintf("%s:%d", customIP, port)
-	svc.server.PacketConn = udpConn
-	svc.tcpServer.Listener = tcpLn
-	svc.listenIP = customIP
-	svc.listenPort = port
-
-	go func() {
-		if err := svc.server.ActivateAndServe(); err != nil {
-			t.Logf("udp server: %v", err)
-		}
-	}()
-	go func() {
-		if err := svc.tcpServer.ActivateAndServe(); err != nil {
-			t.Logf("tcp server: %v", err)
-		}
-	}()
-	svc.listenerIsRunning = true
-
-	defer func() {
-		require.NoError(t, svc.Stop())
-	}()
-
-	q := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-
-	// Test UDP query
-	udpClient := &dns.Client{Net: "udp", Timeout: 2 * time.Second}
-	udpResp, _, err := udpClient.Exchange(q, addr)
-	require.NoError(t, err, "UDP query should succeed")
-	require.NotNil(t, udpResp)
-	require.NotEmpty(t, udpResp.Answer)
-	assert.Contains(t, udpResp.Answer[0].String(), "192.0.2.1", "UDP response should contain expected IP")
-
-	// Test TCP query
-	tcpClient := &dns.Client{Net: "tcp", Timeout: 2 * time.Second}
-	tcpResp, _, err := tcpClient.Exchange(q, addr)
-	require.NoError(t, err, "TCP query should succeed")
-	require.NotNil(t, tcpResp)
-	require.NotEmpty(t, tcpResp.Answer)
-	assert.Contains(t, tcpResp.Answer[0].String(), "192.0.2.1", "TCP response should contain expected IP")
-}

client/internal/dns/service_memory.go

@@ -1,7 +1,6 @@
 package dns
 
 import (
-	"errors"
 	"fmt"
 	"net/netip"
 	"sync"
@@ -11,7 +10,6 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 
-	"github.com/netbirdio/netbird/client/iface"
 	nbnet "github.com/netbirdio/netbird/client/net"
 )
 
@@ -20,8 +18,7 @@ type ServiceViaMemory struct {
 	dnsMux            *dns.ServeMux
 	runtimeIP         netip.Addr
 	runtimePort       int
-	tcpDNS            *tcpDNSServer
-	tcpHookSet        bool
+	udpFilterHookID   string
 	listenerIsRunning bool
 	listenerFlagLock  sync.Mutex
 }
@@ -31,13 +28,14 @@ func NewServiceViaMemory(wgIface WGIface) *ServiceViaMemory {
 	if err != nil {
 		log.Errorf("get last ip from network: %v", err)
 	}
-
-	return &ServiceViaMemory{
+	s := &ServiceViaMemory{
 		wgInterface: wgIface,
 		dnsMux:      dns.NewServeMux(),
+
 		runtimeIP:   lastIP,
 		runtimePort: DefaultPort,
 	}
+	return s
 }
 
 func (s *ServiceViaMemory) Listen() error {
@@ -48,8 +46,10 @@ func (s *ServiceViaMemory) Listen() error {
 		return nil
 	}
 
-	if err := s.filterDNSTraffic(); err != nil {
-		return fmt.Errorf("filter dns traffic: %w", err)
+	var err error
+	s.udpFilterHookID, err = s.filterDNSTraffic()
+	if err != nil {
+		return fmt.Errorf("filter dns traffice: %w", err)
 	}
 	s.listenerIsRunning = true
 
@@ -57,29 +57,19 @@ func (s *ServiceViaMemory) Listen() error {
 	return nil
 }
 
-func (s *ServiceViaMemory) Stop() error {
+func (s *ServiceViaMemory) Stop() {
 	s.listenerFlagLock.Lock()
 	defer s.listenerFlagLock.Unlock()
 
 	if !s.listenerIsRunning {
-		return nil
+		return
 	}
 
-	filter := s.wgInterface.GetFilter()
-	if filter != nil {
-		filter.SetUDPPacketHook(s.runtimeIP, uint16(s.runtimePort), nil)
-		if s.tcpHookSet {
-			filter.SetTCPPacketHook(s.runtimeIP, uint16(s.runtimePort), nil)
-		}
-	}
-
-	if s.tcpDNS != nil {
-		s.tcpDNS.Stop()
+	if err := s.wgInterface.GetFilter().RemovePacketHook(s.udpFilterHookID); err != nil {
+		log.Errorf("unable to remove DNS packet hook: %s", err)
 	}
 
 	s.listenerIsRunning = false
-
-	return nil
 }
 
 func (s *ServiceViaMemory) RegisterMux(pattern string, handler dns.Handler) {
@@ -98,18 +88,10 @@ func (s *ServiceViaMemory) RuntimeIP() netip.Addr {
 	return s.runtimeIP
 }
 
-func (s *ServiceViaMemory) filterDNSTraffic() error {
+func (s *ServiceViaMemory) filterDNSTraffic() (string, error) {
 	filter := s.wgInterface.GetFilter()
 	if filter == nil {
-		return errors.New("DNS filter not initialized")
-	}
-
-	// Create TCP DNS server lazily here since the device may not exist at construction time.
-	if s.tcpDNS == nil {
-		if dev := s.wgInterface.GetDevice(); dev != nil {
-			// MTU only affects TCP segment sizing; DNS messages are small so this has no practical impact.
-			s.tcpDNS = newTCPDNSServer(s.dnsMux, dev.Device, s.runtimeIP, uint16(s.runtimePort), iface.DefaultMTU)
-		}
+		return "", fmt.Errorf("can't set DNS filter, filter not initialized")
 	}
 
 	firstLayerDecoder := layers.LayerTypeIPv4
@@ -118,16 +100,12 @@ func (s *ServiceViaMemory) filterDNSTraffic() error {
 	}
 
 	hook := func(packetData []byte) bool {
+		// Decode the packet
 		packet := gopacket.NewPacket(packetData, firstLayerDecoder, gopacket.Default)
 
+		// Get the UDP layer
 		udpLayer := packet.Layer(layers.LayerTypeUDP)
-		if udpLayer == nil {
-			return true
-		}
-		udp, ok := udpLayer.(*layers.UDP)
-		if !ok {
-			return true
-		}
+		udp := udpLayer.(*layers.UDP)
 
 		msg := new(dns.Msg)
 		if err := msg.Unpack(udp.Payload); err != nil {
@@ -135,30 +113,13 @@ func (s *ServiceViaMemory) filterDNSTraffic() error {
 			return true
 		}
 
-		dev := s.wgInterface.GetDevice()
-		if dev == nil {
-			return true
-		}
-
-		writer := &responseWriter{
-			remote: remoteAddrFromPacket(packet),
+		writer := responseWriter{
 			packet: packet,
-			device: dev.Device,
+			device: s.wgInterface.GetDevice().Device,
 		}
-		go s.dnsMux.ServeDNS(writer, msg)
+		go s.dnsMux.ServeDNS(&writer, msg)
 		return true
 	}
 
-	filter.SetUDPPacketHook(s.runtimeIP, uint16(s.runtimePort), hook)
-
-	if s.tcpDNS != nil {
-		tcpHook := func(packetData []byte) bool {
-			s.tcpDNS.InjectPacket(packetData)
-			return true
-		}
-		filter.SetTCPPacketHook(s.runtimeIP, uint16(s.runtimePort), tcpHook)
-		s.tcpHookSet = true
-	}
-
-	return nil
+	return filter.AddUDPPacketHook(false, s.runtimeIP, uint16(s.runtimePort), hook), nil
 }

client/internal/dns/tcpstack.go

@@ -1,444 +0,0 @@
-package dns
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"net"
-	"net/netip"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/tun"
-	"gvisor.dev/gvisor/pkg/buffer"
-	"gvisor.dev/gvisor/pkg/tcpip"
-	"gvisor.dev/gvisor/pkg/tcpip/adapters/gonet"
-	"gvisor.dev/gvisor/pkg/tcpip/header"
-	"gvisor.dev/gvisor/pkg/tcpip/network/ipv4"
-	"gvisor.dev/gvisor/pkg/tcpip/stack"
-	"gvisor.dev/gvisor/pkg/tcpip/transport/tcp"
-	"gvisor.dev/gvisor/pkg/waiter"
-)
-
-const (
-	dnsTCPReceiveWindow = 8192
-	dnsTCPMaxInFlight   = 16
-	dnsTCPIdleTimeout   = 30 * time.Second
-	dnsTCPReadTimeout   = 5 * time.Second
-)
-
-// tcpDNSServer is an on-demand TCP DNS server backed by a minimal gvisor stack.
-// It is started lazily when a truncated DNS response is detected and shuts down
-// after a period of inactivity to conserve resources.
-type tcpDNSServer struct {
-	mu     sync.Mutex
-	s      *stack.Stack
-	ep     *dnsEndpoint
-	mux    *dns.ServeMux
-	tunDev tun.Device
-	ip     netip.Addr
-	port   uint16
-	mtu    uint16
-
-	running bool
-	closed  bool
-	timerID uint64
-	timer   *time.Timer
-}
-
-func newTCPDNSServer(mux *dns.ServeMux, tunDev tun.Device, ip netip.Addr, port uint16, mtu uint16) *tcpDNSServer {
-	return &tcpDNSServer{
-		mux:    mux,
-		tunDev: tunDev,
-		ip:     ip,
-		port:   port,
-		mtu:    mtu,
-	}
-}
-
-// InjectPacket ensures the stack is running and delivers a raw IP packet into
-// the gvisor stack for TCP processing. Combining both operations under a single
-// lock prevents a race where the idle timer could stop the stack between
-// start and delivery.
-func (t *tcpDNSServer) InjectPacket(payload []byte) {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-
-	if t.closed {
-		return
-	}
-
-	if !t.running {
-		if err := t.startLocked(); err != nil {
-			log.Errorf("failed to start TCP DNS stack: %v", err)
-			return
-		}
-		t.running = true
-		log.Debugf("TCP DNS stack started on %s:%d (triggered by %s)", t.ip, t.port, srcAddrFromPacket(payload))
-	}
-	t.resetTimerLocked()
-
-	ep := t.ep
-	if ep == nil || ep.dispatcher == nil {
-		return
-	}
-
-	pkt := stack.NewPacketBuffer(stack.PacketBufferOptions{
-		Payload: buffer.MakeWithData(payload),
-	})
-	// DeliverNetworkPacket takes ownership of the packet buffer; do not DecRef.
-	ep.dispatcher.DeliverNetworkPacket(ipv4.ProtocolNumber, pkt)
-}
-
-// Stop tears down the gvisor stack and releases resources permanently.
-// After Stop, InjectPacket becomes a no-op.
-func (t *tcpDNSServer) Stop() {
-	t.mu.Lock()
-	defer t.mu.Unlock()
-
-	t.stopLocked()
-	t.closed = true
-}
-
-func (t *tcpDNSServer) startLocked() error {
-	// TODO: add ipv6.NewProtocol when IPv6 overlay support lands.
-	s := stack.New(stack.Options{
-		NetworkProtocols:   []stack.NetworkProtocolFactory{ipv4.NewProtocol},
-		TransportProtocols: []stack.TransportProtocolFactory{tcp.NewProtocol},
-		HandleLocal:        false,
-	})
-
-	nicID := tcpip.NICID(1)
-	ep := &dnsEndpoint{
-		tunDev: t.tunDev,
-	}
-	ep.mtu.Store(uint32(t.mtu))
-
-	if err := s.CreateNIC(nicID, ep); err != nil {
-		s.Close()
-		s.Wait()
-		return fmt.Errorf("create NIC: %v", err)
-	}
-
-	protoAddr := tcpip.ProtocolAddress{
-		Protocol: ipv4.ProtocolNumber,
-		AddressWithPrefix: tcpip.AddressWithPrefix{
-			Address:   tcpip.AddrFromSlice(t.ip.AsSlice()),
-			PrefixLen: 32,
-		},
-	}
-	if err := s.AddProtocolAddress(nicID, protoAddr, stack.AddressProperties{}); err != nil {
-		s.Close()
-		s.Wait()
-		return fmt.Errorf("add protocol address: %s", err)
-	}
-
-	if err := s.SetPromiscuousMode(nicID, true); err != nil {
-		s.Close()
-		s.Wait()
-		return fmt.Errorf("set promiscuous mode: %s", err)
-	}
-	if err := s.SetSpoofing(nicID, true); err != nil {
-		s.Close()
-		s.Wait()
-		return fmt.Errorf("set spoofing: %s", err)
-	}
-
-	defaultSubnet, err := tcpip.NewSubnet(
-		tcpip.AddrFrom4([4]byte{0, 0, 0, 0}),
-		tcpip.MaskFromBytes([]byte{0, 0, 0, 0}),
-	)
-	if err != nil {
-		s.Close()
-		s.Wait()
-		return fmt.Errorf("create default subnet: %w", err)
-	}
-
-	s.SetRouteTable([]tcpip.Route{
-		{Destination: defaultSubnet, NIC: nicID},
-	})
-
-	tcpFwd := tcp.NewForwarder(s, dnsTCPReceiveWindow, dnsTCPMaxInFlight, func(r *tcp.ForwarderRequest) {
-		t.handleTCPDNS(r)
-	})
-	s.SetTransportProtocolHandler(tcp.ProtocolNumber, tcpFwd.HandlePacket)
-
-	t.s = s
-	t.ep = ep
-	return nil
-}
-
-func (t *tcpDNSServer) stopLocked() {
-	if !t.running {
-		return
-	}
-
-	if t.timer != nil {
-		t.timer.Stop()
-		t.timer = nil
-	}
-
-	if t.s != nil {
-		t.s.Close()
-		t.s.Wait()
-		t.s = nil
-	}
-	t.ep = nil
-	t.running = false
-
-	log.Debugf("TCP DNS stack stopped")
-}
-
-func (t *tcpDNSServer) resetTimerLocked() {
-	if t.timer != nil {
-		t.timer.Stop()
-	}
-	t.timerID++
-	id := t.timerID
-	t.timer = time.AfterFunc(dnsTCPIdleTimeout, func() {
-		t.mu.Lock()
-		defer t.mu.Unlock()
-
-		// Only stop if this timer is still the active one.
-		// A racing InjectPacket may have replaced it.
-		if t.timerID != id {
-			return
-		}
-		t.stopLocked()
-	})
-}
-
-func (t *tcpDNSServer) handleTCPDNS(r *tcp.ForwarderRequest) {
-	id := r.ID()
-
-	wq := waiter.Queue{}
-	ep, epErr := r.CreateEndpoint(&wq)
-	if epErr != nil {
-		log.Debugf("TCP DNS: failed to create endpoint: %v", epErr)
-		r.Complete(true)
-		return
-	}
-	r.Complete(false)
-
-	conn := gonet.NewTCPConn(&wq, ep)
-	defer func() {
-		if err := conn.Close(); err != nil {
-			log.Tracef("TCP DNS: close conn: %v", err)
-		}
-	}()
-
-	// Reset idle timer on activity
-	t.mu.Lock()
-	t.resetTimerLocked()
-	t.mu.Unlock()
-
-	localAddr := &net.TCPAddr{
-		IP:   id.LocalAddress.AsSlice(),
-		Port: int(id.LocalPort),
-	}
-	remoteAddr := &net.TCPAddr{
-		IP:   id.RemoteAddress.AsSlice(),
-		Port: int(id.RemotePort),
-	}
-
-	for {
-		if err := conn.SetReadDeadline(time.Now().Add(dnsTCPReadTimeout)); err != nil {
-			log.Debugf("TCP DNS: set deadline for %s: %v", remoteAddr, err)
-			break
-		}
-
-		msg, err := readTCPDNSMessage(conn)
-		if err != nil {
-			if !errors.Is(err, io.EOF) && !errors.Is(err, io.ErrUnexpectedEOF) {
-				log.Debugf("TCP DNS: read from %s: %v", remoteAddr, err)
-			}
-			break
-		}
-
-		writer := &tcpResponseWriter{
-			conn:       conn,
-			localAddr:  localAddr,
-			remoteAddr: remoteAddr,
-		}
-		t.mux.ServeDNS(writer, msg)
-	}
-}
-
-// dnsEndpoint implements stack.LinkEndpoint for writing packets back via the tun device.
-type dnsEndpoint struct {
-	dispatcher stack.NetworkDispatcher
-	tunDev     tun.Device
-	mtu        atomic.Uint32
-}
-
-func (e *dnsEndpoint) Attach(dispatcher stack.NetworkDispatcher)    { e.dispatcher = dispatcher }
-func (e *dnsEndpoint) IsAttached() bool                             { return e.dispatcher != nil }
-func (e *dnsEndpoint) MTU() uint32                                  { return e.mtu.Load() }
-func (e *dnsEndpoint) Capabilities() stack.LinkEndpointCapabilities { return stack.CapabilityNone }
-func (e *dnsEndpoint) MaxHeaderLength() uint16                      { return 0 }
-func (e *dnsEndpoint) LinkAddress() tcpip.LinkAddress               { return "" }
-func (e *dnsEndpoint) Wait()                                        { /* no async work */ }
-func (e *dnsEndpoint) ARPHardwareType() header.ARPHardwareType      { return header.ARPHardwareNone }
-func (e *dnsEndpoint) AddHeader(*stack.PacketBuffer)                { /* IP-level endpoint, no link header */ }
-func (e *dnsEndpoint) ParseHeader(*stack.PacketBuffer) bool         { return true }
-func (e *dnsEndpoint) Close()                                       { /* lifecycle managed by tcpDNSServer */ }
-func (e *dnsEndpoint) SetLinkAddress(tcpip.LinkAddress)             { /* no link address for tun */ }
-func (e *dnsEndpoint) SetMTU(mtu uint32)                            { e.mtu.Store(mtu) }
-func (e *dnsEndpoint) SetOnCloseAction(func())                      { /* not needed */ }
-
-const tunPacketOffset = 40
-
-func (e *dnsEndpoint) WritePackets(pkts stack.PacketBufferList) (int, tcpip.Error) {
-	var written int
-	for _, pkt := range pkts.AsSlice() {
-		data := stack.PayloadSince(pkt.NetworkHeader())
-		if data == nil {
-			continue
-		}
-
-		raw := data.AsSlice()
-		buf := make([]byte, tunPacketOffset, tunPacketOffset+len(raw))
-		buf = append(buf, raw...)
-		data.Release()
-
-		if _, err := e.tunDev.Write([][]byte{buf}, tunPacketOffset); err != nil {
-			log.Tracef("TCP DNS endpoint: failed to write packet: %v", err)
-			continue
-		}
-		written++
-	}
-	return written, nil
-}
-
-// tcpResponseWriter implements dns.ResponseWriter for TCP DNS connections.
-type tcpResponseWriter struct {
-	conn       *gonet.TCPConn
-	localAddr  net.Addr
-	remoteAddr net.Addr
-}
-
-func (w *tcpResponseWriter) LocalAddr() net.Addr {
-	return w.localAddr
-}
-
-func (w *tcpResponseWriter) RemoteAddr() net.Addr {
-	return w.remoteAddr
-}
-
-func (w *tcpResponseWriter) WriteMsg(msg *dns.Msg) error {
-	data, err := msg.Pack()
-	if err != nil {
-		return fmt.Errorf("pack: %w", err)
-	}
-
-	// DNS TCP: 2-byte length prefix + message
-	buf := make([]byte, 2+len(data))
-	buf[0] = byte(len(data) >> 8)
-	buf[1] = byte(len(data))
-	copy(buf[2:], data)
-
-	if _, err = w.conn.Write(buf); err != nil {
-		return err
-	}
-	return nil
-}
-
-func (w *tcpResponseWriter) Write(data []byte) (int, error) {
-	buf := make([]byte, 2+len(data))
-	buf[0] = byte(len(data) >> 8)
-	buf[1] = byte(len(data))
-	copy(buf[2:], data)
-	if _, err := w.conn.Write(buf); err != nil {
-		return 0, err
-	}
-	return len(data), nil
-}
-
-func (w *tcpResponseWriter) Close() error {
-	return w.conn.Close()
-}
-
-func (w *tcpResponseWriter) TsigStatus() error   { return nil }
-func (w *tcpResponseWriter) TsigTimersOnly(bool) { /* TSIG not supported */ }
-func (w *tcpResponseWriter) Hijack()             { /* not supported */ }
-
-// readTCPDNSMessage reads a single DNS message from a TCP connection (length-prefixed).
-func readTCPDNSMessage(conn *gonet.TCPConn) (*dns.Msg, error) {
-	// DNS over TCP uses a 2-byte length prefix
-	lenBuf := make([]byte, 2)
-	if _, err := io.ReadFull(conn, lenBuf); err != nil {
-		return nil, fmt.Errorf("read length: %w", err)
-	}
-
-	msgLen := int(lenBuf[0])<<8 | int(lenBuf[1])
-	if msgLen == 0 || msgLen > 65535 {
-		return nil, fmt.Errorf("invalid message length: %d", msgLen)
-	}
-
-	msgBuf := make([]byte, msgLen)
-	if _, err := io.ReadFull(conn, msgBuf); err != nil {
-		return nil, fmt.Errorf("read message: %w", err)
-	}
-
-	msg := new(dns.Msg)
-	if err := msg.Unpack(msgBuf); err != nil {
-		return nil, fmt.Errorf("unpack: %w", err)
-	}
-	return msg, nil
-}
-
-// srcAddrFromPacket extracts the source IP:port from a raw IP+TCP packet for logging.
-// Supports both IPv4 and IPv6.
-func srcAddrFromPacket(pkt []byte) netip.AddrPort {
-	if len(pkt) == 0 {
-		return netip.AddrPort{}
-	}
-
-	srcIP, transportOffset := srcIPFromPacket(pkt)
-	if !srcIP.IsValid() || len(pkt) < transportOffset+2 {
-		return netip.AddrPort{}
-	}
-
-	srcPort := uint16(pkt[transportOffset])<<8 | uint16(pkt[transportOffset+1])
-	return netip.AddrPortFrom(srcIP.Unmap(), srcPort)
-}
-
-func srcIPFromPacket(pkt []byte) (netip.Addr, int) {
-	switch header.IPVersion(pkt) {
-	case 4:
-		return srcIPv4(pkt)
-	case 6:
-		return srcIPv6(pkt)
-	default:
-		return netip.Addr{}, 0
-	}
-}
-
-func srcIPv4(pkt []byte) (netip.Addr, int) {
-	if len(pkt) < header.IPv4MinimumSize {
-		return netip.Addr{}, 0
-	}
-	hdr := header.IPv4(pkt)
-	src := hdr.SourceAddress()
-	ip, ok := netip.AddrFromSlice(src.AsSlice())
-	if !ok {
-		return netip.Addr{}, 0
-	}
-	return ip, int(hdr.HeaderLength())
-}
-
-func srcIPv6(pkt []byte) (netip.Addr, int) {
-	if len(pkt) < header.IPv6MinimumSize {
-		return netip.Addr{}, 0
-	}
-	hdr := header.IPv6(pkt)
-	src := hdr.SourceAddress()
-	ip, ok := netip.AddrFromSlice(src.AsSlice())
-	if !ok {
-		return netip.Addr{}, 0
-	}
-	return ip, header.IPv6MinimumSize
-}

client/internal/dns/upstream.go

@@ -41,61 +41,10 @@ const (
 
 	reactivatePeriod = 30 * time.Second
 	probeTimeout     = 2 * time.Second
-
-	// ipv6HeaderSize + udpHeaderSize, used to derive the maximum DNS UDP
-	// payload from the tunnel MTU.
-	ipUDPHeaderSize = 60 + 8
 )
 
 const testRecord = "com."
 
-const (
-	protoUDP = "udp"
-	protoTCP = "tcp"
-)
-
-type dnsProtocolKey struct{}
-
-// contextWithDNSProtocol stores the inbound DNS protocol ("udp" or "tcp") in context.
-func contextWithDNSProtocol(ctx context.Context, network string) context.Context {
-	return context.WithValue(ctx, dnsProtocolKey{}, network)
-}
-
-// dnsProtocolFromContext retrieves the inbound DNS protocol from context.
-func dnsProtocolFromContext(ctx context.Context) string {
-	if ctx == nil {
-		return ""
-	}
-	if v, ok := ctx.Value(dnsProtocolKey{}).(string); ok {
-		return v
-	}
-	return ""
-}
-
-type upstreamProtocolKey struct{}
-
-// upstreamProtocolResult holds the protocol used for the upstream exchange.
-// Stored as a pointer in context so the exchange function can set it.
-type upstreamProtocolResult struct {
-	protocol string
-}
-
-// contextWithupstreamProtocolResult stores a mutable result holder in the context.
-func contextWithupstreamProtocolResult(ctx context.Context) (context.Context, *upstreamProtocolResult) {
-	r := &upstreamProtocolResult{}
-	return context.WithValue(ctx, upstreamProtocolKey{}, r), r
-}
-
-// setUpstreamProtocol sets the upstream protocol on the result holder in context, if present.
-func setUpstreamProtocol(ctx context.Context, protocol string) {
-	if ctx == nil {
-		return
-	}
-	if r, ok := ctx.Value(upstreamProtocolKey{}).(*upstreamProtocolResult); ok && r != nil {
-		r.protocol = protocol
-	}
-}
-
 type upstreamClient interface {
 	exchange(ctx context.Context, upstream string, r *dns.Msg) (*dns.Msg, time.Duration, error)
 }
@@ -189,16 +138,7 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		return
 	}
 
-	// Propagate inbound protocol so upstream exchange can use TCP directly
-	// when the request came in over TCP.
-	ctx := u.ctx
-	if addr := w.RemoteAddr(); addr != nil {
-		network := addr.Network()
-		ctx = contextWithDNSProtocol(ctx, network)
-		resutil.SetMeta(w, "protocol", network)
-	}
-
-	ok, failures := u.tryUpstreamServers(ctx, w, r, logger)
+	ok, failures := u.tryUpstreamServers(w, r, logger)
 	if len(failures) > 0 {
 		u.logUpstreamFailures(r.Question[0].Name, failures, ok, logger)
 	}
@@ -213,7 +153,7 @@ func (u *upstreamResolverBase) prepareRequest(r *dns.Msg) {
 	}
 }
 
-func (u *upstreamResolverBase) tryUpstreamServers(ctx context.Context, w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) (bool, []upstreamFailure) {
+func (u *upstreamResolverBase) tryUpstreamServers(w dns.ResponseWriter, r *dns.Msg, logger *log.Entry) (bool, []upstreamFailure) {
 	timeout := u.upstreamTimeout
 	if len(u.upstreamServers) > 1 {
 		maxTotal := 5 * time.Second
@@ -228,7 +168,7 @@ func (u *upstreamResolverBase) tryUpstreamServers(ctx context.Context, w dns.Res
 
 	var failures []upstreamFailure
 	for _, upstream := range u.upstreamServers {
-		if failure := u.queryUpstream(ctx, w, r, upstream, timeout, logger); failure != nil {
+		if failure := u.queryUpstream(w, r, upstream, timeout, logger); failure != nil {
 			failures = append(failures, *failure)
 		} else {
 			return true, failures
@@ -238,17 +178,15 @@ func (u *upstreamResolverBase) tryUpstreamServers(ctx context.Context, w dns.Res
 }
 
 // queryUpstream queries a single upstream server. Returns nil on success, or failure info to try next upstream.
-func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) *upstreamFailure {
+func (u *upstreamResolverBase) queryUpstream(w dns.ResponseWriter, r *dns.Msg, upstream netip.AddrPort, timeout time.Duration, logger *log.Entry) *upstreamFailure {
 	var rm *dns.Msg
 	var t time.Duration
 	var err error
 
 	var startTime time.Time
-	var upstreamProto *upstreamProtocolResult
 	func() {
-		ctx, cancel := context.WithTimeout(parentCtx, timeout)
+		ctx, cancel := context.WithTimeout(u.ctx, timeout)
 		defer cancel()
-		ctx, upstreamProto = contextWithupstreamProtocolResult(ctx)
 		startTime = time.Now()
 		rm, t, err = u.upstreamClient.exchange(ctx, upstream.String(), r)
 	}()
@@ -265,7 +203,7 @@ func (u *upstreamResolverBase) queryUpstream(parentCtx context.Context, w dns.Re
 		return &upstreamFailure{upstream: upstream, reason: dns.RcodeToString[rm.Rcode]}
 	}
 
-	u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, upstreamProto, logger)
+	u.writeSuccessResponse(w, rm, upstream, r.Question[0].Name, t, logger)
 	return nil
 }
 
@@ -282,13 +220,10 @@ func (u *upstreamResolverBase) handleUpstreamError(err error, upstream netip.Add
 	return &upstreamFailure{upstream: upstream, reason: reason}
 }
 
-func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, upstreamProto *upstreamProtocolResult, logger *log.Entry) bool {
+func (u *upstreamResolverBase) writeSuccessResponse(w dns.ResponseWriter, rm *dns.Msg, upstream netip.AddrPort, domain string, t time.Duration, logger *log.Entry) bool {
 	u.successCount.Add(1)
 
 	resutil.SetMeta(w, "upstream", upstream.String())
-	if upstreamProto != nil && upstreamProto.protocol != "" {
-		resutil.SetMeta(w, "upstream_protocol", upstreamProto.protocol)
-	}
 
 	// Clear Zero bit from external responses to prevent upstream servers from
 	// manipulating our internal fallthrough signaling mechanism
@@ -493,42 +428,13 @@ func (u *upstreamResolverBase) testNameserver(baseCtx context.Context, externalC
 	return err
 }
 
-// clientUDPMaxSize returns the maximum UDP response size the client accepts.
-func clientUDPMaxSize(r *dns.Msg) int {
-	if opt := r.IsEdns0(); opt != nil {
-		return int(opt.UDPSize())
-	}
-	return dns.MinMsgSize
-}
-
 // ExchangeWithFallback exchanges a DNS message with the upstream server.
 // It first tries to use UDP, and if it is truncated, it falls back to TCP.
-// If the inbound request came over TCP (via context), it skips the UDP attempt.
 // If the passed context is nil, this will use Exchange instead of ExchangeContext.
 func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, upstream string) (*dns.Msg, time.Duration, error) {
-	// If the request came in over TCP, go straight to TCP upstream.
-	if dnsProtocolFromContext(ctx) == protoTCP {
-		tcpClient := *client
-		tcpClient.Net = protoTCP
-		rm, t, err := tcpClient.ExchangeContext(ctx, r, upstream)
-		if err != nil {
-			return nil, t, fmt.Errorf("with tcp: %w", err)
-		}
-		setUpstreamProtocol(ctx, protoTCP)
-		return rm, t, nil
-	}
-
-	clientMaxSize := clientUDPMaxSize(r)
-
-	// Cap EDNS0 to our tunnel MTU so the upstream doesn't send a
-	// response larger than our read buffer.
-	// Note: the query could be sent out on an interface that is not ours,
-	// but higher MTU settings could break truncation handling.
-	maxUDPPayload := uint16(currentMTU - ipUDPHeaderSize)
-	client.UDPSize = maxUDPPayload
-	if opt := r.IsEdns0(); opt != nil && opt.UDPSize() > maxUDPPayload {
-		opt.SetUDPSize(maxUDPPayload)
-	}
+	// MTU - ip + udp headers
+	// Note: this could be sent out on an interface that is not ours, but higher MTU settings could break truncation handling.
+	client.UDPSize = uint16(currentMTU - (60 + 8))
 
 	var (
 		rm  *dns.Msg
@@ -547,32 +453,25 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 	}
 
 	if rm == nil || !rm.MsgHdr.Truncated {
-		setUpstreamProtocol(ctx, protoUDP)
 		return rm, t, nil
 	}
 
-	// TODO: if the upstream's truncated UDP response already contains more
-	// data than the client's buffer, we could truncate locally and skip
-	// the TCP retry.
+	log.Tracef("udp response for domain=%s type=%v class=%v is truncated, trying TCP.",
+		r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
 
-	tcpClient := *client
-	tcpClient.Net = protoTCP
+	client.Net = "tcp"
 
 	if ctx == nil {
-		rm, t, err = tcpClient.Exchange(r, upstream)
+		rm, t, err = client.Exchange(r, upstream)
 	} else {
-		rm, t, err = tcpClient.ExchangeContext(ctx, r, upstream)
+		rm, t, err = client.ExchangeContext(ctx, r, upstream)
 	}
 
 	if err != nil {
 		return nil, t, fmt.Errorf("with tcp: %w", err)
 	}
 
-	setUpstreamProtocol(ctx, protoTCP)
-
-	if rm.Len() > clientMaxSize {
-		rm.Truncate(clientMaxSize)
-	}
+	// TODO: once TCP is implemented, rm.Truncate() if the request came in over UDP
 
 	return rm, t, nil
 }
@@ -580,46 +479,18 @@ func ExchangeWithFallback(ctx context.Context, client *dns.Client, r *dns.Msg, u
 // ExchangeWithNetstack performs a DNS exchange using netstack for dialing.
 // This is needed when netstack is enabled to reach peer IPs through the tunnel.
 func ExchangeWithNetstack(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upstream string) (*dns.Msg, error) {
-	// If request came in over TCP, go straight to TCP upstream
-	if dnsProtocolFromContext(ctx) == protoTCP {
-		rm, err := netstackExchange(ctx, nsNet, r, upstream, protoTCP)
-		if err != nil {
-			return nil, err
-		}
-		setUpstreamProtocol(ctx, protoTCP)
-		return rm, nil
-	}
-
-	clientMaxSize := clientUDPMaxSize(r)
-
-	// Cap EDNS0 to our tunnel MTU so the upstream doesn't send a
-	// response larger than what we can read over UDP.
-	maxUDPPayload := uint16(currentMTU - ipUDPHeaderSize)
-	if opt := r.IsEdns0(); opt != nil && opt.UDPSize() > maxUDPPayload {
-		opt.SetUDPSize(maxUDPPayload)
-	}
-
-	reply, err := netstackExchange(ctx, nsNet, r, upstream, protoUDP)
+	reply, err := netstackExchange(ctx, nsNet, r, upstream, "udp")
 	if err != nil {
 		return nil, err
 	}
 
+	// If response is truncated, retry with TCP
 	if reply != nil && reply.MsgHdr.Truncated {
-		rm, err := netstackExchange(ctx, nsNet, r, upstream, protoTCP)
-		if err != nil {
-			return nil, err
-		}
-
-		setUpstreamProtocol(ctx, protoTCP)
-		if rm.Len() > clientMaxSize {
-			rm.Truncate(clientMaxSize)
-		}
-
-		return rm, nil
+		log.Tracef("udp response for domain=%s type=%v class=%v is truncated, trying TCP",
+			r.Question[0].Name, r.Question[0].Qtype, r.Question[0].Qclass)
+		return netstackExchange(ctx, nsNet, r, upstream, "tcp")
 	}
 
-	setUpstreamProtocol(ctx, protoUDP)
-
 	return reply, nil
 }
 
@@ -640,7 +511,7 @@ func netstackExchange(ctx context.Context, nsNet *netstack.Net, r *dns.Msg, upst
 		}
 	}
 
-	dnsConn := &dns.Conn{Conn: conn, UDPSize: uint16(currentMTU - ipUDPHeaderSize)}
+	dnsConn := &dns.Conn{Conn: conn}
 
 	if err := dnsConn.WriteMsg(r); err != nil {
 		return nil, fmt.Errorf("write %s message: %w", network, err)

client/internal/dns/upstream_android.go

@@ -51,7 +51,7 @@ func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream strin
 	upstreamExchangeClient := &dns.Client{
 		Timeout: ClientTimeout,
 	}
-	return ExchangeWithFallback(ctx, upstreamExchangeClient, r, upstream)
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
 
 // exchangeWithoutVPN protect the UDP socket by Android SDK to avoid to goes through the VPN
@@ -76,7 +76,7 @@ func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream stri
 		Timeout: timeout,
 	}
 
-	return ExchangeWithFallback(ctx, upstreamExchangeClient, r, upstream)
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
 }
 
 func (u *upstreamResolver) isLocalResolver(upstream string) bool {

client/internal/dns/upstream_test.go

@@ -475,298 +475,3 @@ func TestFormatFailures(t *testing.T) {
 		})
 	}
 }
-
-func TestDNSProtocolContext(t *testing.T) {
-	t.Run("roundtrip udp", func(t *testing.T) {
-		ctx := contextWithDNSProtocol(context.Background(), protoUDP)
-		assert.Equal(t, protoUDP, dnsProtocolFromContext(ctx))
-	})
-
-	t.Run("roundtrip tcp", func(t *testing.T) {
-		ctx := contextWithDNSProtocol(context.Background(), protoTCP)
-		assert.Equal(t, protoTCP, dnsProtocolFromContext(ctx))
-	})
-
-	t.Run("missing returns empty", func(t *testing.T) {
-		assert.Equal(t, "", dnsProtocolFromContext(context.Background()))
-	})
-}
-
-func TestExchangeWithFallback_TCPContext(t *testing.T) {
-	// Start a local DNS server that responds on TCP only
-	tcpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Answer = append(m.Answer, &dns.A{
-			Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1"),
-		})
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	tcpServer := &dns.Server{
-		Addr:    "127.0.0.1:0",
-		Net:     "tcp",
-		Handler: tcpHandler,
-	}
-
-	tcpLn, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-	tcpServer.Listener = tcpLn
-
-	go func() {
-		if err := tcpServer.ActivateAndServe(); err != nil {
-			t.Logf("tcp server: %v", err)
-		}
-	}()
-	defer func() {
-		_ = tcpServer.Shutdown()
-	}()
-
-	upstream := tcpLn.Addr().String()
-
-	// With TCP context, should connect directly via TCP without trying UDP
-	ctx := contextWithDNSProtocol(context.Background(), protoTCP)
-	client := &dns.Client{Timeout: 2 * time.Second}
-	r := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-
-	rm, _, err := ExchangeWithFallback(ctx, client, r, upstream)
-	require.NoError(t, err)
-	require.NotNil(t, rm)
-	require.NotEmpty(t, rm.Answer)
-	assert.Contains(t, rm.Answer[0].String(), "10.0.0.1")
-}
-
-func TestExchangeWithFallback_UDPFallbackToTCP(t *testing.T) {
-	// UDP handler returns a truncated response to trigger TCP retry.
-	udpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Truncated = true
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	// TCP handler returns the full answer.
-	tcpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Answer = append(m.Answer, &dns.A{
-			Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.3"),
-		})
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	udpPC, err := net.ListenPacket("udp", "127.0.0.1:0")
-	require.NoError(t, err)
-	addr := udpPC.LocalAddr().String()
-
-	udpServer := &dns.Server{
-		PacketConn: udpPC,
-		Net:        "udp",
-		Handler:    udpHandler,
-	}
-
-	tcpLn, err := net.Listen("tcp", addr)
-	require.NoError(t, err)
-
-	tcpServer := &dns.Server{
-		Listener: tcpLn,
-		Net:      "tcp",
-		Handler:  tcpHandler,
-	}
-
-	go func() {
-		if err := udpServer.ActivateAndServe(); err != nil {
-			t.Logf("udp server: %v", err)
-		}
-	}()
-	go func() {
-		if err := tcpServer.ActivateAndServe(); err != nil {
-			t.Logf("tcp server: %v", err)
-		}
-	}()
-	defer func() {
-		_ = udpServer.Shutdown()
-		_ = tcpServer.Shutdown()
-	}()
-
-	ctx := context.Background()
-	client := &dns.Client{Timeout: 2 * time.Second}
-	r := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-
-	rm, _, err := ExchangeWithFallback(ctx, client, r, addr)
-	require.NoError(t, err, "should fall back to TCP after truncated UDP response")
-	require.NotNil(t, rm)
-	require.NotEmpty(t, rm.Answer, "TCP response should contain the full answer")
-	assert.Contains(t, rm.Answer[0].String(), "10.0.0.3")
-	assert.False(t, rm.Truncated, "TCP response should not be truncated")
-}
-
-func TestExchangeWithFallback_TCPContextSkipsUDP(t *testing.T) {
-	// Start only a TCP server (no UDP). With TCP context it should succeed.
-	tcpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Answer = append(m.Answer, &dns.A{
-			Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.2"),
-		})
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	tcpLn, err := net.Listen("tcp", "127.0.0.1:0")
-	require.NoError(t, err)
-
-	tcpServer := &dns.Server{
-		Listener: tcpLn,
-		Net:      "tcp",
-		Handler:  tcpHandler,
-	}
-
-	go func() {
-		if err := tcpServer.ActivateAndServe(); err != nil {
-			t.Logf("tcp server: %v", err)
-		}
-	}()
-	defer func() {
-		_ = tcpServer.Shutdown()
-	}()
-
-	upstream := tcpLn.Addr().String()
-
-	// TCP context: should skip UDP entirely and go directly to TCP
-	ctx := contextWithDNSProtocol(context.Background(), protoTCP)
-	client := &dns.Client{Timeout: 2 * time.Second}
-	r := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-
-	rm, _, err := ExchangeWithFallback(ctx, client, r, upstream)
-	require.NoError(t, err)
-	require.NotNil(t, rm)
-	require.NotEmpty(t, rm.Answer)
-	assert.Contains(t, rm.Answer[0].String(), "10.0.0.2")
-
-	// Without TCP context, trying to reach a TCP-only server via UDP should fail
-	ctx2 := context.Background()
-	client2 := &dns.Client{Timeout: 500 * time.Millisecond}
-	_, _, err = ExchangeWithFallback(ctx2, client2, r, upstream)
-	assert.Error(t, err, "should fail when no UDP server and no TCP context")
-}
-
-func TestExchangeWithFallback_EDNS0Capped(t *testing.T) {
-	// Verify that a client EDNS0 larger than our MTU-derived limit gets
-	// capped in the outgoing request so the upstream doesn't send a
-	// response larger than our read buffer.
-	var receivedUDPSize uint16
-	udpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		if opt := r.IsEdns0(); opt != nil {
-			receivedUDPSize = opt.UDPSize()
-		}
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Answer = append(m.Answer, &dns.A{
-			Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeA, Class: dns.ClassINET, Ttl: 60},
-			A:   net.ParseIP("10.0.0.1"),
-		})
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	udpPC, err := net.ListenPacket("udp", "127.0.0.1:0")
-	require.NoError(t, err)
-	addr := udpPC.LocalAddr().String()
-
-	udpServer := &dns.Server{PacketConn: udpPC, Net: "udp", Handler: udpHandler}
-	go func() { _ = udpServer.ActivateAndServe() }()
-	t.Cleanup(func() { _ = udpServer.Shutdown() })
-
-	ctx := context.Background()
-	client := &dns.Client{Timeout: 2 * time.Second}
-	r := new(dns.Msg).SetQuestion("example.com.", dns.TypeA)
-	r.SetEdns0(4096, false)
-
-	rm, _, err := ExchangeWithFallback(ctx, client, r, addr)
-	require.NoError(t, err)
-	require.NotNil(t, rm)
-
-	expectedMax := uint16(currentMTU - ipUDPHeaderSize)
-	assert.Equal(t, expectedMax, receivedUDPSize,
-		"upstream should see capped EDNS0, not the client's 4096")
-}
-
-func TestExchangeWithFallback_TCPTruncatesToClientSize(t *testing.T) {
-	// When the client advertises a large EDNS0 (4096) and the upstream
-	// truncates, the TCP response should NOT be truncated since the full
-	// answer fits within the client's original buffer.
-	udpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		m.Truncated = true
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	tcpHandler := dns.HandlerFunc(func(w dns.ResponseWriter, r *dns.Msg) {
-		m := new(dns.Msg)
-		m.SetReply(r)
-		// Add enough records to exceed MTU but fit within 4096
-		for i := range 20 {
-			m.Answer = append(m.Answer, &dns.TXT{
-				Hdr: dns.RR_Header{Name: r.Question[0].Name, Rrtype: dns.TypeTXT, Class: dns.ClassINET, Ttl: 60},
-				Txt: []string{fmt.Sprintf("record-%d-padding-data-to-make-it-longer", i)},
-			})
-		}
-		if err := w.WriteMsg(m); err != nil {
-			t.Logf("write msg: %v", err)
-		}
-	})
-
-	udpPC, err := net.ListenPacket("udp", "127.0.0.1:0")
-	require.NoError(t, err)
-	addr := udpPC.LocalAddr().String()
-
-	udpServer := &dns.Server{PacketConn: udpPC, Net: "udp", Handler: udpHandler}
-	tcpLn, err := net.Listen("tcp", addr)
-	require.NoError(t, err)
-	tcpServer := &dns.Server{Listener: tcpLn, Net: "tcp", Handler: tcpHandler}
-
-	go func() { _ = udpServer.ActivateAndServe() }()
-	go func() { _ = tcpServer.ActivateAndServe() }()
-	t.Cleanup(func() {
-		_ = udpServer.Shutdown()
-		_ = tcpServer.Shutdown()
-	})
-
-	ctx := context.Background()
-	client := &dns.Client{Timeout: 2 * time.Second}
-
-	// Client with large buffer: should get all records without truncation
-	r := new(dns.Msg).SetQuestion("example.com.", dns.TypeTXT)
-	r.SetEdns0(4096, false)
-
-	rm, _, err := ExchangeWithFallback(ctx, client, r, addr)
-	require.NoError(t, err)
-	require.NotNil(t, rm)
-	assert.Len(t, rm.Answer, 20, "large EDNS0 client should get all records")
-	assert.False(t, rm.Truncated, "response should not be truncated for large buffer client")
-
-	// Client with small buffer: should get truncated response
-	r2 := new(dns.Msg).SetQuestion("example.com.", dns.TypeTXT)
-	r2.SetEdns0(512, false)
-
-	rm2, _, err := ExchangeWithFallback(ctx, &dns.Client{Timeout: 2 * time.Second}, r2, addr)
-	require.NoError(t, err)
-	require.NotNil(t, rm2)
-	assert.Less(t, len(rm2.Answer), 20, "small EDNS0 client should get fewer records")
-	assert.True(t, rm2.Truncated, "response should be truncated for small buffer client")
-}

client/internal/dnsfwd/forwarder.go

@@ -237,8 +237,8 @@ func (f *DNSForwarder) writeResponse(logger *log.Entry, w dns.ResponseWriter, re
 		return
 	}
 
-	logger.Tracef("response: domain=%s rcode=%s answers=%s size=%dB took=%s",
-		qname, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), resp.Len(), time.Since(startTime))
+	logger.Tracef("response: domain=%s rcode=%s answers=%s took=%s",
+		qname, dns.RcodeToString[resp.Rcode], resutil.FormatAnswers(resp.Answer), time.Since(startTime))
 }
 
 // udpResponseWriter wraps a dns.ResponseWriter to handle UDP-specific truncation.
@@ -263,28 +263,20 @@ func (u *udpResponseWriter) WriteMsg(resp *dns.Msg) error {
 
 func (f *DNSForwarder) handleDNSQueryUDP(w dns.ResponseWriter, query *dns.Msg) {
 	startTime := time.Now()
-	fields := log.Fields{
+	logger := log.WithFields(log.Fields{
 		"request_id": resutil.GenerateRequestID(),
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
-	}
-	if addr := w.RemoteAddr(); addr != nil {
-		fields["client"] = addr.String()
-	}
-	logger := log.WithFields(fields)
+	})
 
 	f.handleDNSQuery(logger, &udpResponseWriter{ResponseWriter: w, query: query}, query, startTime)
 }
 
 func (f *DNSForwarder) handleDNSQueryTCP(w dns.ResponseWriter, query *dns.Msg) {
 	startTime := time.Now()
-	fields := log.Fields{
+	logger := log.WithFields(log.Fields{
 		"request_id": resutil.GenerateRequestID(),
 		"dns_id":     fmt.Sprintf("%04x", query.Id),
-	}
-	if addr := w.RemoteAddr(); addr != nil {
-		fields["client"] = addr.String()
-	}
-	logger := log.WithFields(fields)
+	})
 
 	f.handleDNSQuery(logger, w, query, startTime)
 }

client/internal/engine.go

@@ -27,7 +27,6 @@ import (
 	nberrors "github.com/netbirdio/netbird/client/errors"
 	"github.com/netbirdio/netbird/client/firewall"
 	firewallManager "github.com/netbirdio/netbird/client/firewall/manager"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter/forwarder"
 	"github.com/netbirdio/netbird/client/iface"
 	"github.com/netbirdio/netbird/client/iface/device"
 	nbnetstack "github.com/netbirdio/netbird/client/iface/netstack"
@@ -47,7 +46,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer/guard"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peerstore"
-	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/profilemanager"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
@@ -68,7 +66,6 @@ import (
 	signal "github.com/netbirdio/netbird/shared/signal/client"
 	sProto "github.com/netbirdio/netbird/shared/signal/proto"
 	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/util/capture"
 )
 
 // PeerConnectionTimeoutMax is a timeout of an initial connection attempt to a remote peer.
@@ -213,12 +210,9 @@ type Engine struct {
 	// checks are the client-applied posture checks that need to be evaluated on the client
 	checks []*mgmProto.Checks
 
-	relayManager       *relayClient.Manager
-	stateManager       *statemanager.Manager
-	portForwardManager *portforward.Manager
-	srWatcher          *guard.SRWatcher
-
-	afpacketCapture *capture.AFPacketCapture
+	relayManager *relayClient.Manager
+	stateManager *statemanager.Manager
+	srWatcher    *guard.SRWatcher
 
 	// Sync response persistence (protected by syncRespMux)
 	syncRespMux         sync.RWMutex
@@ -265,27 +259,26 @@ func NewEngine(
 	mobileDep MobileDependency,
 ) *Engine {
 	engine := &Engine{
-		clientCtx:          clientCtx,
-		clientCancel:       clientCancel,
-		signal:             services.SignalClient,
-		signaler:           peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
-		mgmClient:          services.MgmClient,
-		relayManager:       services.RelayManager,
-		peerStore:          peerstore.NewConnStore(),
-		syncMsgMux:         &sync.Mutex{},
-		config:             config,
-		mobileDep:          mobileDep,
-		STUNs:              []*stun.URI{},
-		TURNs:              []*stun.URI{},
-		networkSerial:      0,
-		statusRecorder:     services.StatusRecorder,
-		stateManager:       services.StateManager,
-		portForwardManager: portforward.NewManager(),
-		checks:             services.Checks,
-		probeStunTurn:      relay.NewStunTurnProbe(relay.DefaultCacheTTL),
-		jobExecutor:        jobexec.NewExecutor(),
-		clientMetrics:      services.ClientMetrics,
-		updateManager:      services.UpdateManager,
+		clientCtx:      clientCtx,
+		clientCancel:   clientCancel,
+		signal:         services.SignalClient,
+		signaler:       peer.NewSignaler(services.SignalClient, config.WgPrivateKey),
+		mgmClient:      services.MgmClient,
+		relayManager:   services.RelayManager,
+		peerStore:      peerstore.NewConnStore(),
+		syncMsgMux:     &sync.Mutex{},
+		config:         config,
+		mobileDep:      mobileDep,
+		STUNs:          []*stun.URI{},
+		TURNs:          []*stun.URI{},
+		networkSerial:  0,
+		statusRecorder: services.StatusRecorder,
+		stateManager:   services.StateManager,
+		checks:         services.Checks,
+		probeStunTurn:  relay.NewStunTurnProbe(relay.DefaultCacheTTL),
+		jobExecutor:    jobexec.NewExecutor(),
+		clientMetrics:  services.ClientMetrics,
+		updateManager:  services.UpdateManager,
 	}
 
 	log.Infof("I am: %s", config.WgPrivateKey.PublicKey().String())
@@ -507,7 +500,7 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)
 
 	e.dnsServer.SetRouteChecker(func(ip netip.Addr) bool {
-		for _, routes := range e.routeManager.GetSelectedClientRoutes() {
+		for _, routes := range e.routeManager.GetClientRoutes() {
 			for _, r := range routes {
 				if r.Network.Contains(ip) {
 					return true
@@ -528,11 +521,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 		return err
 	}
 
-	// Inject firewall into DNS server now that it's available.
-	// The DNS server is created before the firewall because the route manager
-	// depends on the DNS server, and the firewall depends on the wg interface.
-	e.dnsServer.SetFirewall(e.firewall)
-
 	e.udpMux, err = e.wgInterface.Up()
 	if err != nil {
 		log.Errorf("failed to pull up wgInterface [%s]: %s", e.wgInterface.Name(), err.Error())
@@ -544,13 +532,6 @@ func (e *Engine) Start(netbirdConfig *mgmProto.NetbirdConfig, mgmtURL *url.URL)
 	// conntrack entries from being created before the rules are in place
 	e.setupWGProxyNoTrack()
 
-	// Start after interface is up since port may have been resolved from 0 or changed if occupied
-	e.shutdownWg.Add(1)
-	go func() {
-		defer e.shutdownWg.Done()
-		e.portForwardManager.Start(e.ctx, uint16(e.config.WgPort))
-	}()
-
 	// Set the WireGuard interface for rosenpass after interface is up
 	if e.rpManager != nil {
 		e.rpManager.SetInterface(e.wgInterface)
@@ -1554,13 +1535,12 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs []netip.Prefix, agentV
 	}
 
 	serviceDependencies := peer.ServiceDependencies{
-		StatusRecorder:     e.statusRecorder,
-		Signaler:           e.signaler,
-		IFaceDiscover:      e.mobileDep.IFaceDiscover,
-		RelayManager:       e.relayManager,
-		SrWatcher:          e.srWatcher,
-		PortForwardManager: e.portForwardManager,
-		MetricsRecorder:    e.clientMetrics,
+		StatusRecorder:  e.statusRecorder,
+		Signaler:        e.signaler,
+		IFaceDiscover:   e.mobileDep.IFaceDiscover,
+		RelayManager:    e.relayManager,
+		SrWatcher:       e.srWatcher,
+		MetricsRecorder: e.clientMetrics,
 	}
 	peerConn, err := peer.NewConn(config, serviceDependencies)
 	if err != nil {
@@ -1697,11 +1677,6 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 }
 
 func (e *Engine) close() {
-	if e.afpacketCapture != nil {
-		e.afpacketCapture.Stop()
-		e.afpacketCapture = nil
-	}
-
 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
 
 	if e.wgInterface != nil {
@@ -1722,12 +1697,6 @@ func (e *Engine) close() {
 	if e.rpManager != nil {
 		_ = e.rpManager.Close()
 	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	if err := e.portForwardManager.GracefullyStop(ctx); err != nil {
-		log.Warnf("failed to gracefully stop port forwarding manager: %s", err)
-	}
 }
 
 func (e *Engine) readInitialSettings() ([]*route.Route, *nbdns.Config, bool, error) {
@@ -1831,7 +1800,7 @@ func (e *Engine) newDnsServer(dnsConfig *nbdns.Config) (dns.Server, error) {
 		return dnsServer, nil
 
 	case "ios":
-		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.mobileDep.HostDNSAddresses, e.statusRecorder, e.config.DisableDNS)
+		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.statusRecorder, e.config.DisableDNS)
 		return dnsServer, nil
 
 	default:
@@ -1868,11 +1837,6 @@ func (e *Engine) GetExposeManager() *expose.Manager {
 	return e.exposeManager
 }
 
-// IsBlockInbound returns whether inbound connections are blocked.
-func (e *Engine) IsBlockInbound() bool {
-	return e.config.BlockInbound
-}
-
 // GetClientMetrics returns the client metrics
 func (e *Engine) GetClientMetrics() *metrics.ClientMetrics {
 	return e.clientMetrics
@@ -2167,62 +2131,6 @@ func (e *Engine) Address() (netip.Addr, error) {
 	return e.wgInterface.Address().IP, nil
 }
 
-// SetCapture sets or clears packet capture on the WireGuard device.
-// On userspace WireGuard, it taps the FilteredDevice directly.
-// On kernel WireGuard (Linux), it falls back to AF_PACKET raw socket capture.
-// Pass nil to disable capture.
-func (e *Engine) SetCapture(pc device.PacketCapture) error {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-
-	intf := e.wgInterface
-	if intf == nil {
-		return errors.New("wireguard interface not initialized")
-	}
-
-	if e.afpacketCapture != nil {
-		e.afpacketCapture.Stop()
-		e.afpacketCapture = nil
-	}
-
-	dev := intf.GetDevice()
-	if dev != nil {
-		dev.SetCapture(pc)
-		e.setForwarderCapture(pc)
-		return nil
-	}
-
-	// Kernel mode: no FilteredDevice. Use AF_PACKET on Linux.
-	if pc == nil {
-		return nil
-	}
-	sess, ok := pc.(*capture.Session)
-	if !ok {
-		return errors.New("filtered device not available and AF_PACKET requires *capture.Session")
-	}
-
-	afc := capture.NewAFPacketCapture(intf.Name(), sess)
-	if err := afc.Start(); err != nil {
-		return fmt.Errorf("start AF_PACKET capture on %s: %w", intf.Name(), err)
-	}
-	e.afpacketCapture = afc
-	return nil
-}
-
-// setForwarderCapture propagates capture to the USP filter's forwarder endpoint.
-// This captures outbound response packets that bypass the FilteredDevice in netstack mode.
-func (e *Engine) setForwarderCapture(pc device.PacketCapture) {
-	if e.firewall == nil {
-		return
-	}
-	type forwarderCapturer interface {
-		SetPacketCapture(pc forwarder.PacketCapture)
-	}
-	if fc, ok := e.firewall.(forwarderCapturer); ok {
-		fc.SetPacketCapture(pc)
-	}
-}
-
 func (e *Engine) updateForwardRules(rules []*mgmProto.ForwardingRule) ([]firewallManager.ForwardRule, error) {
 	if e.firewall == nil {
 		log.Warn("firewall is disabled, not updating forwarding rules")

client/internal/engine_test.go

@@ -828,7 +828,7 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-			}, EngineServices{
+	}, EngineServices{
 				SignalClient:   &signal.MockClient{},
 				MgmClient:      &mgmt.MockClient{},
 				RelayManager:   relayMgr,
@@ -1035,7 +1035,7 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 				WgPrivateKey: key,
 				WgPort:       33100,
 				MTU:          iface.DefaultMTU,
-			}, EngineServices{
+	}, EngineServices{
 				SignalClient:   &signal.MockClient{},
 				MgmClient:      &mgmt.MockClient{},
 				RelayManager:   relayMgr,
@@ -1538,8 +1538,13 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		return nil, err
 	}
 
+	publicKey, err := mgmtClient.GetServerPublicKey()
+	if err != nil {
+		return nil, err
+	}
+
 	info := system.GetInfo(ctx)
-	resp, err := mgmtClient.Register(setupKey, "", info, nil, nil)
+	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info, nil, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -1561,7 +1566,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}
 
 	relayMgr := relayClient.NewManager(ctx, nil, key.PublicKey().String(), iface.DefaultMTU)
-	e, err := NewEngine(ctx, cancel, conf, EngineServices{
+e, err := NewEngine(ctx, cancel, conf, EngineServices{
 		SignalClient:   signalClient,
 		MgmClient:      mgmtClient,
 		RelayManager:   relayMgr,

client/internal/peer/conn.go

@@ -22,7 +22,6 @@ import (
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
 	"github.com/netbirdio/netbird/client/internal/peer/id"
 	"github.com/netbirdio/netbird/client/internal/peer/worker"
-	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 	relayClient "github.com/netbirdio/netbird/shared/relay/client"
@@ -46,7 +45,6 @@ type ServiceDependencies struct {
 	RelayManager       *relayClient.Manager
 	SrWatcher          *guard.SRWatcher
 	PeerConnDispatcher *dispatcher.ConnectionDispatcher
-	PortForwardManager *portforward.Manager
 	MetricsRecorder    MetricsRecorder
 }
 
@@ -89,17 +87,16 @@ type ConnConfig struct {
 }
 
 type Conn struct {
-	Log                *log.Entry
-	mu                 sync.Mutex
-	ctx                context.Context
-	ctxCancel          context.CancelFunc
-	config             ConnConfig
-	statusRecorder     *Status
-	signaler           *Signaler
-	iFaceDiscover      stdnet.ExternalIFaceDiscover
-	relayManager       *relayClient.Manager
-	srWatcher          *guard.SRWatcher
-	portForwardManager *portforward.Manager
+	Log            *log.Entry
+	mu             sync.Mutex
+	ctx            context.Context
+	ctxCancel      context.CancelFunc
+	config         ConnConfig
+	statusRecorder *Status
+	signaler       *Signaler
+	iFaceDiscover  stdnet.ExternalIFaceDiscover
+	relayManager   *relayClient.Manager
+	srWatcher      *guard.SRWatcher
 
 	onConnected                               func(remoteWireGuardKey string, remoteRosenpassPubKey []byte, wireGuardIP string, remoteRosenpassAddr string)
 	onDisconnected                            func(remotePeer string)
@@ -148,20 +145,19 @@ func NewConn(config ConnConfig, services ServiceDependencies) (*Conn, error) {
 
 	dumpState := newStateDump(config.Key, connLog, services.StatusRecorder)
 	var conn = &Conn{
-		Log:                connLog,
-		config:             config,
-		statusRecorder:     services.StatusRecorder,
-		signaler:           services.Signaler,
-		iFaceDiscover:      services.IFaceDiscover,
-		relayManager:       services.RelayManager,
-		srWatcher:          services.SrWatcher,
-		portForwardManager: services.PortForwardManager,
-		statusRelay:        worker.NewAtomicStatus(),
-		statusICE:          worker.NewAtomicStatus(),
-		dumpState:          dumpState,
-		endpointUpdater:    NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
-		wgWatcher:          NewWGWatcher(connLog, config.WgConfig.WgInterface, config.Key, dumpState),
-		metricsRecorder:    services.MetricsRecorder,
+		Log:             connLog,
+		config:          config,
+		statusRecorder:  services.StatusRecorder,
+		signaler:        services.Signaler,
+		iFaceDiscover:   services.IFaceDiscover,
+		relayManager:    services.RelayManager,
+		srWatcher:       services.SrWatcher,
+		statusRelay:     worker.NewAtomicStatus(),
+		statusICE:       worker.NewAtomicStatus(),
+		dumpState:       dumpState,
+		endpointUpdater: NewEndpointUpdater(connLog, config.WgConfig, isController(config)),
+		wgWatcher:       NewWGWatcher(connLog, config.WgConfig.WgInterface, config.Key, dumpState),
+		metricsRecorder: services.MetricsRecorder,
 	}
 
 	return conn, nil

client/internal/peer/worker_ice.go

@@ -16,7 +16,6 @@ import (
 	"github.com/netbirdio/netbird/client/iface/udpmux"
 	"github.com/netbirdio/netbird/client/internal/peer/conntype"
 	icemaker "github.com/netbirdio/netbird/client/internal/peer/ice"
-	"github.com/netbirdio/netbird/client/internal/portforward"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	"github.com/netbirdio/netbird/route"
 )
@@ -62,9 +61,6 @@ type WorkerICE struct {
 
 	// we record the last known state of the ICE agent to avoid duplicate on disconnected events
 	lastKnownState ice.ConnectionState
-
-	// portForwardAttempted tracks if we've already tried port forwarding this session
-	portForwardAttempted bool
 }
 
 func NewWorkerICE(ctx context.Context, log *log.Entry, config ConnConfig, conn *Conn, signaler *Signaler, ifaceDiscover stdnet.ExternalIFaceDiscover, statusRecorder *Status, hasRelayOnLocally bool) (*WorkerICE, error) {
@@ -218,8 +214,6 @@ func (w *WorkerICE) Close() {
 }
 
 func (w *WorkerICE) reCreateAgent(dialerCancel context.CancelFunc, candidates []ice.CandidateType) (*icemaker.ThreadSafeAgent, error) {
-	w.portForwardAttempted = false
-
 	agent, err := icemaker.NewAgent(w.ctx, w.iFaceDiscover, w.config.ICEConfig, candidates, w.localUfrag, w.localPwd)
 	if err != nil {
 		return nil, fmt.Errorf("create agent: %w", err)
@@ -376,93 +370,6 @@ func (w *WorkerICE) onICECandidate(candidate ice.Candidate) {
 			w.log.Errorf("failed signaling candidate to the remote peer %s %s", w.config.Key, err)
 		}
 	}()
-
-	if candidate.Type() == ice.CandidateTypeServerReflexive {
-		w.injectPortForwardedCandidate(candidate)
-	}
-}
-
-// injectPortForwardedCandidate signals an additional candidate using the pre-created port mapping.
-func (w *WorkerICE) injectPortForwardedCandidate(srflxCandidate ice.Candidate) {
-	pfManager := w.conn.portForwardManager
-	if pfManager == nil {
-		return
-	}
-
-	mapping := pfManager.GetMapping()
-	if mapping == nil {
-		return
-	}
-
-	w.muxAgent.Lock()
-	if w.portForwardAttempted {
-		w.muxAgent.Unlock()
-		return
-	}
-	w.portForwardAttempted = true
-	w.muxAgent.Unlock()
-
-	forwardedCandidate, err := w.createForwardedCandidate(srflxCandidate, mapping)
-	if err != nil {
-		w.log.Warnf("create forwarded candidate: %v", err)
-		return
-	}
-
-	w.log.Debugf("injecting port-forwarded candidate: %s (mapping: %d -> %d via %s, priority: %d)",
-		forwardedCandidate.String(), mapping.InternalPort, mapping.ExternalPort, mapping.NATType, forwardedCandidate.Priority())
-
-	go func() {
-		if err := w.signaler.SignalICECandidate(forwardedCandidate, w.config.Key); err != nil {
-			w.log.Errorf("signal port-forwarded candidate: %v", err)
-		}
-	}()
-}
-
-// createForwardedCandidate creates a new server reflexive candidate with the forwarded port.
-// It uses the NAT gateway's external IP with the forwarded port.
-func (w *WorkerICE) createForwardedCandidate(srflxCandidate ice.Candidate, mapping *portforward.Mapping) (ice.Candidate, error) {
-	var externalIP string
-	if mapping.ExternalIP != nil && !mapping.ExternalIP.IsUnspecified() {
-		externalIP = mapping.ExternalIP.String()
-	} else {
-		// Fallback to STUN-discovered address if NAT didn't provide external IP
-		externalIP = srflxCandidate.Address()
-	}
-
-	// Per RFC 8445, the related address for srflx is the base (host candidate address).
-	// If the original srflx has unspecified related address, use its own address as base.
-	relAddr := srflxCandidate.RelatedAddress().Address
-	if relAddr == "" || relAddr == "0.0.0.0" || relAddr == "::" {
-		relAddr = srflxCandidate.Address()
-	}
-
-	// Arbitrary +1000 boost on top of RFC 8445 priority to favor port-forwarded candidates
-	// over regular srflx during ICE connectivity checks.
-	priority := srflxCandidate.Priority() + 1000
-
-	candidate, err := ice.NewCandidateServerReflexive(&ice.CandidateServerReflexiveConfig{
-		Network:   srflxCandidate.NetworkType().String(),
-		Address:   externalIP,
-		Port:      int(mapping.ExternalPort),
-		Component: srflxCandidate.Component(),
-		Priority:  priority,
-		RelAddr:   relAddr,
-		RelPort:   int(mapping.InternalPort),
-	})
-	if err != nil {
-		return nil, fmt.Errorf("create candidate: %w", err)
-	}
-
-	for _, e := range srflxCandidate.Extensions() {
-		if e.Key == ice.ExtensionKeyCandidateID {
-			e.Value = srflxCandidate.ID()
-		}
-		if err := candidate.AddExtension(e); err != nil {
-			return nil, fmt.Errorf("add extension: %w", err)
-		}
-	}
-
-	return candidate, nil
 }
 
 func (w *WorkerICE) onICESelectedCandidatePair(agent *icemaker.ThreadSafeAgent, c1, c2 ice.Candidate) {
@@ -504,10 +411,10 @@ func (w *WorkerICE) logSuccessfulPaths(agent *icemaker.ThreadSafeAgent) {
 			if !lok || !rok {
 				continue
 			}
-			w.log.Debugf("successful ICE path %s: [%s %s %s:%d] <-> [%s %s %s:%d] rtt=%.3fms",
+			w.log.Debugf("successful ICE path %s: [%s %s %s] <-> [%s %s %s] rtt=%.3fms",
 				sessionID,
-				local.NetworkType(), local.Type(), local.Address(), local.Port(),
-				remote.NetworkType(), remote.Type(), remote.Address(), remote.Port(),
+				local.NetworkType(), local.Type(), local.Address(),
+				remote.NetworkType(), remote.Type(), remote.Address(),
 				stat.CurrentRoundTripTime*1000)
 		}
 	}

client/internal/portforward/env.go

@@ -1,26 +0,0 @@
-package portforward
-
-import (
-	"os"
-	"strconv"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	envDisableNATMapper = "NB_DISABLE_NAT_MAPPER"
-)
-
-func isDisabledByEnv() bool {
-	val := os.Getenv(envDisableNATMapper)
-	if val == "" {
-		return false
-	}
-
-	disabled, err := strconv.ParseBool(val)
-	if err != nil {
-		log.Warnf("failed to parse %s: %v", envDisableNATMapper, err)
-		return false
-	}
-	return disabled
-}

client/internal/portforward/manager.go

@@ -1,280 +0,0 @@
-//go:build !js
-
-package portforward
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"regexp"
-	"sync"
-	"time"
-
-	"github.com/libp2p/go-nat"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	defaultMappingTTL  = 2 * time.Hour
-	discoveryTimeout   = 10 * time.Second
-	mappingDescription = "NetBird"
-)
-
-// upnpErrPermanentLeaseOnly matches UPnP error 725 in SOAP fault XML,
-// allowing for whitespace/newlines between tags from different router firmware.
-var upnpErrPermanentLeaseOnly = regexp.MustCompile(`<errorCode>\s*725\s*</errorCode>`)
-
-// Mapping represents an active NAT port mapping.
-type Mapping struct {
-	Protocol     string
-	InternalPort uint16
-	ExternalPort uint16
-	ExternalIP   net.IP
-	NATType      string
-	// TTL is the lease duration. Zero means a permanent lease that never expires.
-	TTL time.Duration
-}
-
-// TODO: persist mapping state for crash recovery cleanup of permanent leases.
-// Currently not done because State.Cleanup requires NAT gateway re-discovery,
-// which blocks startup for ~10s when no gateway is present (affects all clients).
-
-type Manager struct {
-	cancel context.CancelFunc
-
-	mapping     *Mapping
-	mappingLock sync.Mutex
-
-	wgPort uint16
-
-	done    chan struct{}
-	stopCtx chan context.Context
-
-	// protect exported functions
-	mu sync.Mutex
-}
-
-// NewManager creates a new port forwarding manager.
-func NewManager() *Manager {
-	return &Manager{
-		stopCtx: make(chan context.Context, 1),
-	}
-}
-
-func (m *Manager) Start(ctx context.Context, wgPort uint16) {
-	m.mu.Lock()
-	if m.cancel != nil {
-		m.mu.Unlock()
-		return
-	}
-
-	if isDisabledByEnv() {
-		log.Infof("NAT port mapper disabled via %s", envDisableNATMapper)
-		m.mu.Unlock()
-		return
-	}
-
-	if wgPort == 0 {
-		log.Warnf("invalid WireGuard port 0; NAT mapping disabled")
-		m.mu.Unlock()
-		return
-	}
-	m.wgPort = wgPort
-
-	m.done = make(chan struct{})
-	defer close(m.done)
-
-	ctx, m.cancel = context.WithCancel(ctx)
-	m.mu.Unlock()
-
-	gateway, mapping, err := m.setup(ctx)
-	if err != nil {
-		log.Infof("port forwarding setup: %v", err)
-		return
-	}
-
-	m.mappingLock.Lock()
-	m.mapping = mapping
-	m.mappingLock.Unlock()
-
-	m.renewLoop(ctx, gateway, mapping.TTL)
-
-	select {
-	case cleanupCtx := <-m.stopCtx:
-		// block the Start while cleaned up gracefully
-		m.cleanup(cleanupCtx, gateway)
-	default:
-		// return Start immediately and cleanup in background
-		cleanupCtx, cleanupCancel := context.WithTimeout(context.Background(), 10*time.Second)
-		go func() {
-			defer cleanupCancel()
-			m.cleanup(cleanupCtx, gateway)
-		}()
-	}
-}
-
-// GetMapping returns the current mapping if ready, nil otherwise
-func (m *Manager) GetMapping() *Mapping {
-	m.mappingLock.Lock()
-	defer m.mappingLock.Unlock()
-
-	if m.mapping == nil {
-		return nil
-	}
-
-	mapping := *m.mapping
-	return &mapping
-}
-
-// GracefullyStop cancels the manager and attempts to delete the port mapping.
-// After GracefullyStop returns, the manager cannot be restarted.
-func (m *Manager) GracefullyStop(ctx context.Context) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if m.cancel == nil {
-		return nil
-	}
-
-	// Send cleanup context before cancelling, so Start picks it up after renewLoop exits.
-	m.startTearDown(ctx)
-
-	m.cancel()
-	m.cancel = nil
-
-	select {
-	case <-ctx.Done():
-		return ctx.Err()
-	case <-m.done:
-		return nil
-	}
-}
-
-func (m *Manager) setup(ctx context.Context) (nat.NAT, *Mapping, error) {
-	discoverCtx, discoverCancel := context.WithTimeout(ctx, discoveryTimeout)
-	defer discoverCancel()
-
-	gateway, err := nat.DiscoverGateway(discoverCtx)
-	if err != nil {
-		return nil, nil, fmt.Errorf("discover gateway: %w", err)
-	}
-
-	log.Infof("discovered NAT gateway: %s", gateway.Type())
-
-	mapping, err := m.createMapping(ctx, gateway)
-	if err != nil {
-		return nil, nil, fmt.Errorf("create port mapping: %w", err)
-	}
-	return gateway, mapping, nil
-}
-
-func (m *Manager) createMapping(ctx context.Context, gateway nat.NAT) (*Mapping, error) {
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-
-	ttl := defaultMappingTTL
-	externalPort, err := gateway.AddPortMapping(ctx, "udp", int(m.wgPort), mappingDescription, ttl)
-	if err != nil {
-		if !isPermanentLeaseRequired(err) {
-			return nil, err
-		}
-		log.Infof("gateway only supports permanent leases, retrying with indefinite duration")
-		ttl = 0
-		externalPort, err = gateway.AddPortMapping(ctx, "udp", int(m.wgPort), mappingDescription, ttl)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	externalIP, err := gateway.GetExternalAddress()
-	if err != nil {
-		log.Debugf("failed to get external address: %v", err)
-		// todo return with err?
-	}
-
-	mapping := &Mapping{
-		Protocol:     "udp",
-		InternalPort: m.wgPort,
-		ExternalPort: uint16(externalPort),
-		ExternalIP:   externalIP,
-		NATType:      gateway.Type(),
-		TTL:          ttl,
-	}
-
-	log.Infof("created port mapping: %d -> %d via %s (external IP: %s)",
-		m.wgPort, externalPort, gateway.Type(), externalIP)
-	return mapping, nil
-}
-
-func (m *Manager) renewLoop(ctx context.Context, gateway nat.NAT, ttl time.Duration) {
-	if ttl == 0 {
-		// Permanent mappings don't expire, just wait for cancellation.
-		<-ctx.Done()
-		return
-	}
-
-	ticker := time.NewTicker(ttl / 2)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-ticker.C:
-			if err := m.renewMapping(ctx, gateway); err != nil {
-				log.Warnf("failed to renew port mapping: %v", err)
-				continue
-			}
-		}
-	}
-}
-
-func (m *Manager) renewMapping(ctx context.Context, gateway nat.NAT) error {
-	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-	defer cancel()
-
-	externalPort, err := gateway.AddPortMapping(ctx, m.mapping.Protocol, int(m.mapping.InternalPort), mappingDescription, m.mapping.TTL)
-	if err != nil {
-		return fmt.Errorf("add port mapping: %w", err)
-	}
-
-	if uint16(externalPort) != m.mapping.ExternalPort {
-		log.Warnf("external port changed on renewal: %d -> %d (candidate may be stale)", m.mapping.ExternalPort, externalPort)
-		m.mappingLock.Lock()
-		m.mapping.ExternalPort = uint16(externalPort)
-		m.mappingLock.Unlock()
-	}
-
-	log.Debugf("renewed port mapping: %d -> %d", m.mapping.InternalPort, m.mapping.ExternalPort)
-	return nil
-}
-
-func (m *Manager) cleanup(ctx context.Context, gateway nat.NAT) {
-	m.mappingLock.Lock()
-	mapping := m.mapping
-	m.mapping = nil
-	m.mappingLock.Unlock()
-
-	if mapping == nil {
-		return
-	}
-
-	if err := gateway.DeletePortMapping(ctx, mapping.Protocol, int(mapping.InternalPort)); err != nil {
-		log.Warnf("delete port mapping on stop: %v", err)
-		return
-	}
-
-	log.Infof("deleted port mapping for port %d", mapping.InternalPort)
-}
-
-func (m *Manager) startTearDown(ctx context.Context) {
-	select {
-	case m.stopCtx <- ctx:
-	default:
-	}
-}
-
-// isPermanentLeaseRequired checks if a UPnP error indicates the gateway only supports permanent leases (error 725).
-func isPermanentLeaseRequired(err error) bool {
-	return err != nil && upnpErrPermanentLeaseOnly.MatchString(err.Error())
-}

client/internal/portforward/manager_js.go

@@ -1,39 +0,0 @@
-package portforward
-
-import (
-	"context"
-	"net"
-	"time"
-)
-
-// Mapping represents an active NAT port mapping.
-type Mapping struct {
-	Protocol     string
-	InternalPort uint16
-	ExternalPort uint16
-	ExternalIP   net.IP
-	NATType      string
-	// TTL is the lease duration. Zero means a permanent lease that never expires.
-	TTL time.Duration
-}
-
-// Manager is a stub for js/wasm builds where NAT-PMP/UPnP is not supported.
-type Manager struct{}
-
-// NewManager returns a stub manager for js/wasm builds.
-func NewManager() *Manager {
-	return &Manager{}
-}
-
-// Start is a no-op on js/wasm: NAT-PMP/UPnP is not available in browser environments.
-func (m *Manager) Start(context.Context, uint16) {
-	// no NAT traversal in wasm
-}
-
-// GracefullyStop is a no-op on js/wasm.
-func (m *Manager) GracefullyStop(context.Context) error { return nil }
-
-// GetMapping always returns nil on js/wasm.
-func (m *Manager) GetMapping() *Mapping {
-	return nil
-}

client/internal/portforward/manager_test.go

@@ -1,201 +0,0 @@
-//go:build !js
-
-package portforward
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-type mockNAT struct {
-	natType             string
-	deviceAddr          net.IP
-	externalAddr        net.IP
-	internalAddr        net.IP
-	mappings            map[int]int
-	addMappingErr       error
-	deleteMappingErr    error
-	onlyPermanentLeases bool
-	lastTimeout         time.Duration
-}
-
-func newMockNAT() *mockNAT {
-	return &mockNAT{
-		natType:      "Mock-NAT",
-		deviceAddr:   net.ParseIP("192.168.1.1"),
-		externalAddr: net.ParseIP("203.0.113.50"),
-		internalAddr: net.ParseIP("192.168.1.100"),
-		mappings:     make(map[int]int),
-	}
-}
-
-func (m *mockNAT) Type() string {
-	return m.natType
-}
-
-func (m *mockNAT) GetDeviceAddress() (net.IP, error) {
-	return m.deviceAddr, nil
-}
-
-func (m *mockNAT) GetExternalAddress() (net.IP, error) {
-	return m.externalAddr, nil
-}
-
-func (m *mockNAT) GetInternalAddress() (net.IP, error) {
-	return m.internalAddr, nil
-}
-
-func (m *mockNAT) AddPortMapping(ctx context.Context, protocol string, internalPort int, description string, timeout time.Duration) (int, error) {
-	if m.addMappingErr != nil {
-		return 0, m.addMappingErr
-	}
-	if m.onlyPermanentLeases && timeout != 0 {
-		return 0, fmt.Errorf("SOAP fault. Code:  | Explanation:  | Detail: <UPnPError xmlns=\"urn:schemas-upnp-org:control-1-0\"><errorCode>725</errorCode><errorDescription>OnlyPermanentLeasesSupported</errorDescription></UPnPError>")
-	}
-	externalPort := internalPort
-	m.mappings[internalPort] = externalPort
-	m.lastTimeout = timeout
-	return externalPort, nil
-}
-
-func (m *mockNAT) DeletePortMapping(ctx context.Context, protocol string, internalPort int) error {
-	if m.deleteMappingErr != nil {
-		return m.deleteMappingErr
-	}
-	delete(m.mappings, internalPort)
-	return nil
-}
-
-func TestManager_CreateMapping(t *testing.T) {
-	m := NewManager()
-	m.wgPort = 51820
-
-	gateway := newMockNAT()
-	mapping, err := m.createMapping(context.Background(), gateway)
-	require.NoError(t, err)
-	require.NotNil(t, mapping)
-
-	assert.Equal(t, "udp", mapping.Protocol)
-	assert.Equal(t, uint16(51820), mapping.InternalPort)
-	assert.Equal(t, uint16(51820), mapping.ExternalPort)
-	assert.Equal(t, "Mock-NAT", mapping.NATType)
-	assert.Equal(t, net.ParseIP("203.0.113.50").To4(), mapping.ExternalIP.To4())
-	assert.Equal(t, defaultMappingTTL, mapping.TTL)
-}
-
-func TestManager_GetMapping_ReturnsNilWhenNotReady(t *testing.T) {
-	m := NewManager()
-	assert.Nil(t, m.GetMapping())
-}
-
-func TestManager_GetMapping_ReturnsCopy(t *testing.T) {
-	m := NewManager()
-	m.mapping = &Mapping{
-		Protocol:     "udp",
-		InternalPort: 51820,
-		ExternalPort: 51820,
-	}
-
-	mapping := m.GetMapping()
-	require.NotNil(t, mapping)
-	assert.Equal(t, uint16(51820), mapping.InternalPort)
-
-	// Mutating the returned copy should not affect the manager's mapping.
-	mapping.ExternalPort = 9999
-	assert.Equal(t, uint16(51820), m.GetMapping().ExternalPort)
-}
-
-func TestManager_Cleanup_DeletesMapping(t *testing.T) {
-	m := NewManager()
-	m.mapping = &Mapping{
-		Protocol:     "udp",
-		InternalPort: 51820,
-		ExternalPort: 51820,
-	}
-
-	gateway := newMockNAT()
-	// Seed the mock so we can verify deletion.
-	gateway.mappings[51820] = 51820
-
-	m.cleanup(context.Background(), gateway)
-
-	_, exists := gateway.mappings[51820]
-	assert.False(t, exists, "mapping should be deleted from gateway")
-	assert.Nil(t, m.GetMapping(), "in-memory mapping should be cleared")
-}
-
-func TestManager_Cleanup_NilMapping(t *testing.T) {
-	m := NewManager()
-	gateway := newMockNAT()
-
-	// Should not panic or call gateway.
-	m.cleanup(context.Background(), gateway)
-}
-
-
-func TestManager_CreateMapping_PermanentLeaseFallback(t *testing.T) {
-	m := NewManager()
-	m.wgPort = 51820
-
-	gateway := newMockNAT()
-	gateway.onlyPermanentLeases = true
-
-	mapping, err := m.createMapping(context.Background(), gateway)
-	require.NoError(t, err)
-	require.NotNil(t, mapping)
-
-	assert.Equal(t, uint16(51820), mapping.InternalPort)
-	assert.Equal(t, time.Duration(0), mapping.TTL, "should return zero TTL for permanent lease")
-	assert.Equal(t, time.Duration(0), gateway.lastTimeout, "should have retried with zero duration")
-}
-
-func TestIsPermanentLeaseRequired(t *testing.T) {
-	tests := []struct {
-		name     string
-		err      error
-		expected bool
-	}{
-		{
-			name:     "nil error",
-			err:      nil,
-			expected: false,
-		},
-		{
-			name:     "UPnP error 725",
-			err:      fmt.Errorf("SOAP fault. Code:  | Detail: <UPnPError><errorCode>725</errorCode><errorDescription>OnlyPermanentLeasesSupported</errorDescription></UPnPError>"),
-			expected: true,
-		},
-		{
-			name:     "wrapped error with 725",
-			err:      fmt.Errorf("add port mapping: %w", fmt.Errorf("Detail: <errorCode>725</errorCode>")),
-			expected: true,
-		},
-		{
-			name:     "error 725 with newlines in XML",
-			err:      fmt.Errorf("<errorCode>\n  725\n</errorCode>"),
-			expected: true,
-		},
-		{
-			name:     "bare 725 without XML tag",
-			err:      fmt.Errorf("error code 725"),
-			expected: false,
-		},
-		{
-			name:     "unrelated error",
-			err:      fmt.Errorf("connection refused"),
-			expected: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equal(t, tt.expected, isPermanentLeaseRequired(tt.err))
-		})
-	}
-}

client/internal/profilemanager/config.go

@@ -41,7 +41,7 @@ const (
 
 // mgmProber is the subset of management client needed for URL migration probes.
 type mgmProber interface {
-	HealthCheck() error
+	GetServerPublicKey() (*wgtypes.Key, error)
 	Close() error
 }
 
@@ -777,7 +777,8 @@ func UpdateOldManagementURL(ctx context.Context, config *Config, configPath stri
 	}()
 
 	// gRPC check
-	if err = client.HealthCheck(); err != nil {
+	_, err = client.GetServerPublicKey()
+	if err != nil {
 		log.Infof("couldn't switch to the new Management %s", newURL.String())
 		return nil, err
 	}

client/internal/profilemanager/config_test.go

@@ -17,10 +17,12 @@ import (
 	"github.com/netbirdio/netbird/util"
 )
 
-type mockMgmProber struct{}
+type mockMgmProber struct {
+	key wgtypes.Key
+}
 
-func (m *mockMgmProber) HealthCheck() error {
-	return nil
+func (m *mockMgmProber) GetServerPublicKey() (*wgtypes.Key, error) {
+	return &m.key, nil
 }
 
 func (m *mockMgmProber) Close() error { return nil }
@@ -245,7 +247,11 @@ func TestWireguardPortDefaultVsExplicit(t *testing.T) {
 func TestUpdateOldManagementURL(t *testing.T) {
 	origProber := newMgmProber
 	newMgmProber = func(_ context.Context, _ string, _ wgtypes.Key, _ bool) (mgmProber, error) {
-		return &mockMgmProber{}, nil
+		key, err := wgtypes.GenerateKey()
+		if err != nil {
+			return nil, err
+		}
+		return &mockMgmProber{key: key.PublicKey()}, nil
 	}
 	t.Cleanup(func() { newMgmProber = origProber })
 

client/internal/routemanager/manager.go

@@ -52,7 +52,6 @@ type Manager interface {
 	TriggerSelection(route.HAMap)
 	GetRouteSelector() *routeselector.RouteSelector
 	GetClientRoutes() route.HAMap
-	GetSelectedClientRoutes() route.HAMap
 	GetClientRoutesWithNetID() map[route.NetID][]*route.Route
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
@@ -168,7 +167,6 @@ func (m *DefaultManager) setupAndroidRoutes(config ManagerConfig) {
 			NetworkType: route.IPv4Network,
 		}
 		cr = append(cr, fakeIPRoute)
-		m.notifier.SetFakeIPRoute(fakeIPRoute)
 	}
 
 	m.notifier.SetInitialClientRoutes(cr, routesForComparison)
@@ -467,16 +465,6 @@ func (m *DefaultManager) GetClientRoutes() route.HAMap {
 	return maps.Clone(m.clientRoutes)
 }
 
-// GetSelectedClientRoutes returns only the currently selected/active client routes,
-// filtering out deselected exit nodes. Use this instead of GetClientRoutes when checking
-// if traffic should be routed through the tunnel.
-func (m *DefaultManager) GetSelectedClientRoutes() route.HAMap {
-	m.mux.Lock()
-	defer m.mux.Unlock()
-
-	return m.routeSelector.FilterSelectedExitNodes(maps.Clone(m.clientRoutes))
-}
-
 // GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
 func (m *DefaultManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	m.mux.Lock()

client/internal/routemanager/mock.go

@@ -18,7 +18,6 @@ type MockManager struct {
 	TriggerSelectionFunc         func(haMap route.HAMap)
 	GetRouteSelectorFunc         func() *routeselector.RouteSelector
 	GetClientRoutesFunc          func() route.HAMap
-	GetSelectedClientRoutesFunc  func() route.HAMap
 	GetClientRoutesWithNetIDFunc func() map[route.NetID][]*route.Route
 	StopFunc                     func(manager *statemanager.Manager)
 }
@@ -62,7 +61,7 @@ func (m *MockManager) GetRouteSelector() *routeselector.RouteSelector {
 	return nil
 }
 
-// GetClientRoutes mock implementation of GetClientRoutes from the Manager interface
+// GetClientRoutes mock implementation of GetClientRoutes from Manager interface
 func (m *MockManager) GetClientRoutes() route.HAMap {
 	if m.GetClientRoutesFunc != nil {
 		return m.GetClientRoutesFunc()
@@ -70,14 +69,6 @@ func (m *MockManager) GetClientRoutes() route.HAMap {
 	return nil
 }
 
-// GetSelectedClientRoutes mock implementation of GetSelectedClientRoutes from the Manager interface
-func (m *MockManager) GetSelectedClientRoutes() route.HAMap {
-	if m.GetSelectedClientRoutesFunc != nil {
-		return m.GetSelectedClientRoutesFunc()
-	}
-	return nil
-}
-
 // GetClientRoutesWithNetID mock implementation of GetClientRoutesWithNetID from Manager interface
 func (m *MockManager) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
 	if m.GetClientRoutesWithNetIDFunc != nil {

client/internal/routemanager/notifier/notifier_android.go

@@ -16,7 +16,6 @@ import (
 type Notifier struct {
 	initialRoutes []*route.Route
 	currentRoutes []*route.Route
-	fakeIPRoute   *route.Route
 
 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -32,17 +31,13 @@ func (n *Notifier) SetListener(listener listener.NetworkChangeListener) {
 	n.listener = listener
 }
 
-// SetInitialClientRoutes stores the initial route sets for TUN configuration.
+// SetInitialClientRoutes stores the full initial route set (including fake IP blocks)
+// and a separate comparison set (without fake IP blocks) for diff detection.
 func (n *Notifier) SetInitialClientRoutes(initialRoutes []*route.Route, routesForComparison []*route.Route) {
 	n.initialRoutes = filterStatic(initialRoutes)
 	n.currentRoutes = filterStatic(routesForComparison)
 }
 
-// SetFakeIPRoute stores the fake IP route to be included in every TUN rebuild.
-func (n *Notifier) SetFakeIPRoute(r *route.Route) {
-	n.fakeIPRoute = r
-}
-
 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
 	var newRoutes []*route.Route
 	for _, routes := range idMap {
@@ -74,9 +69,7 @@ func (n *Notifier) notify() {
 	}
 
 	allRoutes := slices.Clone(n.currentRoutes)
-	if n.fakeIPRoute != nil {
-		allRoutes = append(allRoutes, n.fakeIPRoute)
-	}
+	allRoutes = append(allRoutes, n.extraInitialRoutes()...)
 
 	routeStrings := n.routesToStrings(allRoutes)
 	sort.Strings(routeStrings)
@@ -85,6 +78,23 @@ func (n *Notifier) notify() {
 	}(n.listener)
 }
 
+// extraInitialRoutes returns initialRoutes whose network prefix is absent
+// from currentRoutes (e.g. the fake IP block added at setup time).
+func (n *Notifier) extraInitialRoutes() []*route.Route {
+	currentNets := make(map[netip.Prefix]struct{}, len(n.currentRoutes))
+	for _, r := range n.currentRoutes {
+		currentNets[r.Network] = struct{}{}
+	}
+
+	var extra []*route.Route
+	for _, r := range n.initialRoutes {
+		if _, ok := currentNets[r.Network]; !ok {
+			extra = append(extra, r)
+		}
+	}
+	return extra
+}
+
 func filterStatic(routes []*route.Route) []*route.Route {
 	out := make([]*route.Route, 0, len(routes))
 	for _, r := range routes {

client/internal/routemanager/notifier/notifier_ios.go

@@ -34,10 +34,6 @@ func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
 	// iOS doesn't care about initial routes
 }
 
-func (n *Notifier) SetFakeIPRoute(*route.Route) {
-	// Not used on iOS
-}
-
 func (n *Notifier) OnNewRoutes(route.HAMap) {
 	// Not used on iOS
 }
@@ -57,6 +53,7 @@ func (n *Notifier) OnNewPrefixes(prefixes []netip.Prefix) {
 	n.currentPrefixes = newNets
 	n.notify()
 }
+
 func (n *Notifier) notify() {
 	n.listenerMux.Lock()
 	defer n.listenerMux.Unlock()

client/internal/routemanager/notifier/notifier_other.go

@@ -23,10 +23,6 @@ func (n *Notifier) SetInitialClientRoutes([]*route.Route, []*route.Route) {
 	// Not used on non-mobile platforms
 }
 
-func (n *Notifier) SetFakeIPRoute(*route.Route) {
-	// Not used on non-mobile platforms
-}
-
 func (n *Notifier) OnNewRoutes(idMap route.HAMap) {
 	// Not used on non-mobile platforms
 }

client/ios/NetBirdSDK/client.go

@@ -161,11 +161,7 @@ func (c *Client) Run(fd int32, interfaceName string, envList *EnvList) error {
 	cfg.WgIface = interfaceName
 
 	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
-	hostDNS := []netip.AddrPort{
-		netip.MustParseAddrPort("9.9.9.9:53"),
-		netip.MustParseAddrPort("149.112.112.112:53"),
-	}
-	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, hostDNS, c.stateFile)
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager, c.stateFile)
 }
 
 // Stop the internal client and free the resources

client/proto/daemon.pb.go

@@ -5969,288 +5969,6 @@ func (x *ExposeServiceReady) GetPortAutoAssigned() bool {
 	return false
 }
 
-type StartCaptureRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	TextOutput    bool                   `protobuf:"varint,1,opt,name=text_output,json=textOutput,proto3" json:"text_output,omitempty"`
-	SnapLen       uint32                 `protobuf:"varint,2,opt,name=snap_len,json=snapLen,proto3" json:"snap_len,omitempty"`
-	Duration      *durationpb.Duration   `protobuf:"bytes,3,opt,name=duration,proto3" json:"duration,omitempty"`
-	FilterExpr    string                 `protobuf:"bytes,4,opt,name=filter_expr,json=filterExpr,proto3" json:"filter_expr,omitempty"`
-	Verbose       bool                   `protobuf:"varint,5,opt,name=verbose,proto3" json:"verbose,omitempty"`
-	Ascii         bool                   `protobuf:"varint,6,opt,name=ascii,proto3" json:"ascii,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *StartCaptureRequest) Reset() {
-	*x = StartCaptureRequest{}
-	mi := &file_daemon_proto_msgTypes[90]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *StartCaptureRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*StartCaptureRequest) ProtoMessage() {}
-
-func (x *StartCaptureRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[90]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use StartCaptureRequest.ProtoReflect.Descriptor instead.
-func (*StartCaptureRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{90}
-}
-
-func (x *StartCaptureRequest) GetTextOutput() bool {
-	if x != nil {
-		return x.TextOutput
-	}
-	return false
-}
-
-func (x *StartCaptureRequest) GetSnapLen() uint32 {
-	if x != nil {
-		return x.SnapLen
-	}
-	return 0
-}
-
-func (x *StartCaptureRequest) GetDuration() *durationpb.Duration {
-	if x != nil {
-		return x.Duration
-	}
-	return nil
-}
-
-func (x *StartCaptureRequest) GetFilterExpr() string {
-	if x != nil {
-		return x.FilterExpr
-	}
-	return ""
-}
-
-func (x *StartCaptureRequest) GetVerbose() bool {
-	if x != nil {
-		return x.Verbose
-	}
-	return false
-}
-
-func (x *StartCaptureRequest) GetAscii() bool {
-	if x != nil {
-		return x.Ascii
-	}
-	return false
-}
-
-type CapturePacket struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	Data          []byte                 `protobuf:"bytes,1,opt,name=data,proto3" json:"data,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *CapturePacket) Reset() {
-	*x = CapturePacket{}
-	mi := &file_daemon_proto_msgTypes[91]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *CapturePacket) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*CapturePacket) ProtoMessage() {}
-
-func (x *CapturePacket) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[91]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use CapturePacket.ProtoReflect.Descriptor instead.
-func (*CapturePacket) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{91}
-}
-
-func (x *CapturePacket) GetData() []byte {
-	if x != nil {
-		return x.Data
-	}
-	return nil
-}
-
-type StartBundleCaptureRequest struct {
-	state protoimpl.MessageState `protogen:"open.v1"`
-	// timeout auto-stops the capture after this duration.
-	// Clamped to a server-side maximum (10 minutes). Zero or unset defaults to the maximum.
-	Timeout       *durationpb.Duration `protobuf:"bytes,1,opt,name=timeout,proto3" json:"timeout,omitempty"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *StartBundleCaptureRequest) Reset() {
-	*x = StartBundleCaptureRequest{}
-	mi := &file_daemon_proto_msgTypes[92]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *StartBundleCaptureRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*StartBundleCaptureRequest) ProtoMessage() {}
-
-func (x *StartBundleCaptureRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[92]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use StartBundleCaptureRequest.ProtoReflect.Descriptor instead.
-func (*StartBundleCaptureRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{92}
-}
-
-func (x *StartBundleCaptureRequest) GetTimeout() *durationpb.Duration {
-	if x != nil {
-		return x.Timeout
-	}
-	return nil
-}
-
-type StartBundleCaptureResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *StartBundleCaptureResponse) Reset() {
-	*x = StartBundleCaptureResponse{}
-	mi := &file_daemon_proto_msgTypes[93]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *StartBundleCaptureResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*StartBundleCaptureResponse) ProtoMessage() {}
-
-func (x *StartBundleCaptureResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[93]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use StartBundleCaptureResponse.ProtoReflect.Descriptor instead.
-func (*StartBundleCaptureResponse) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{93}
-}
-
-type StopBundleCaptureRequest struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *StopBundleCaptureRequest) Reset() {
-	*x = StopBundleCaptureRequest{}
-	mi := &file_daemon_proto_msgTypes[94]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *StopBundleCaptureRequest) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*StopBundleCaptureRequest) ProtoMessage() {}
-
-func (x *StopBundleCaptureRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[94]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use StopBundleCaptureRequest.ProtoReflect.Descriptor instead.
-func (*StopBundleCaptureRequest) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{94}
-}
-
-type StopBundleCaptureResponse struct {
-	state         protoimpl.MessageState `protogen:"open.v1"`
-	unknownFields protoimpl.UnknownFields
-	sizeCache     protoimpl.SizeCache
-}
-
-func (x *StopBundleCaptureResponse) Reset() {
-	*x = StopBundleCaptureResponse{}
-	mi := &file_daemon_proto_msgTypes[95]
-	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-	ms.StoreMessageInfo(mi)
-}
-
-func (x *StopBundleCaptureResponse) String() string {
-	return protoimpl.X.MessageStringOf(x)
-}
-
-func (*StopBundleCaptureResponse) ProtoMessage() {}
-
-func (x *StopBundleCaptureResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[95]
-	if x != nil {
-		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
-		if ms.LoadMessageInfo() == nil {
-			ms.StoreMessageInfo(mi)
-		}
-		return ms
-	}
-	return mi.MessageOf(x)
-}
-
-// Deprecated: Use StopBundleCaptureResponse.ProtoReflect.Descriptor instead.
-func (*StopBundleCaptureResponse) Descriptor() ([]byte, []int) {
-	return file_daemon_proto_rawDescGZIP(), []int{95}
-}
-
 type PortInfo_Range struct {
 	state         protoimpl.MessageState `protogen:"open.v1"`
 	Start         uint32                 `protobuf:"varint,1,opt,name=start,proto3" json:"start,omitempty"`
@@ -6261,7 +5979,7 @@ type PortInfo_Range struct {
 
 func (x *PortInfo_Range) Reset() {
 	*x = PortInfo_Range{}
-	mi := &file_daemon_proto_msgTypes[97]
+	mi := &file_daemon_proto_msgTypes[91]
 	ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 	ms.StoreMessageInfo(mi)
 }
@@ -6273,7 +5991,7 @@ func (x *PortInfo_Range) String() string {
 func (*PortInfo_Range) ProtoMessage() {}
 
 func (x *PortInfo_Range) ProtoReflect() protoreflect.Message {
-	mi := &file_daemon_proto_msgTypes[97]
+	mi := &file_daemon_proto_msgTypes[91]
 	if x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -6821,23 +6539,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\vservice_url\x18\x02 \x01(\tR\n" +
 	"serviceUrl\x12\x16\n" +
 	"\x06domain\x18\x03 \x01(\tR\x06domain\x12,\n" +
-	"\x12port_auto_assigned\x18\x04 \x01(\bR\x10portAutoAssigned\"\xd9\x01\n" +
-	"\x13StartCaptureRequest\x12\x1f\n" +
-	"\vtext_output\x18\x01 \x01(\bR\n" +
-	"textOutput\x12\x19\n" +
-	"\bsnap_len\x18\x02 \x01(\rR\asnapLen\x125\n" +
-	"\bduration\x18\x03 \x01(\v2\x19.google.protobuf.DurationR\bduration\x12\x1f\n" +
-	"\vfilter_expr\x18\x04 \x01(\tR\n" +
-	"filterExpr\x12\x18\n" +
-	"\averbose\x18\x05 \x01(\bR\averbose\x12\x14\n" +
-	"\x05ascii\x18\x06 \x01(\bR\x05ascii\"#\n" +
-	"\rCapturePacket\x12\x12\n" +
-	"\x04data\x18\x01 \x01(\fR\x04data\"P\n" +
-	"\x19StartBundleCaptureRequest\x123\n" +
-	"\atimeout\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\atimeout\"\x1c\n" +
-	"\x1aStartBundleCaptureResponse\"\x1a\n" +
-	"\x18StopBundleCaptureRequest\"\x1b\n" +
-	"\x19StopBundleCaptureResponse*b\n" +
+	"\x12port_auto_assigned\x18\x04 \x01(\bR\x10portAutoAssigned*b\n" +
 	"\bLogLevel\x12\v\n" +
 	"\aUNKNOWN\x10\x00\x12\t\n" +
 	"\x05PANIC\x10\x01\x12\t\n" +
@@ -6855,7 +6557,7 @@ const file_daemon_proto_rawDesc = "" +
 	"\n" +
 	"EXPOSE_UDP\x10\x03\x12\x0e\n" +
 	"\n" +
-	"EXPOSE_TLS\x10\x042\xff\x17\n" +
+	"EXPOSE_TLS\x10\x042\xfc\x15\n" +
 	"\rDaemonService\x126\n" +
 	"\x05Login\x12\x14.daemon.LoginRequest\x1a\x15.daemon.LoginResponse\"\x00\x12K\n" +
 	"\fWaitSSOLogin\x12\x1b.daemon.WaitSSOLoginRequest\x1a\x1c.daemon.WaitSSOLoginResponse\"\x00\x12-\n" +
@@ -6876,10 +6578,7 @@ const file_daemon_proto_rawDesc = "" +
 	"CleanState\x12\x19.daemon.CleanStateRequest\x1a\x1a.daemon.CleanStateResponse\"\x00\x12H\n" +
 	"\vDeleteState\x12\x1a.daemon.DeleteStateRequest\x1a\x1b.daemon.DeleteStateResponse\"\x00\x12u\n" +
 	"\x1aSetSyncResponsePersistence\x12).daemon.SetSyncResponsePersistenceRequest\x1a*.daemon.SetSyncResponsePersistenceResponse\"\x00\x12H\n" +
-	"\vTracePacket\x12\x1a.daemon.TracePacketRequest\x1a\x1b.daemon.TracePacketResponse\"\x00\x12F\n" +
-	"\fStartCapture\x12\x1b.daemon.StartCaptureRequest\x1a\x15.daemon.CapturePacket\"\x000\x01\x12]\n" +
-	"\x12StartBundleCapture\x12!.daemon.StartBundleCaptureRequest\x1a\".daemon.StartBundleCaptureResponse\"\x00\x12Z\n" +
-	"\x11StopBundleCapture\x12 .daemon.StopBundleCaptureRequest\x1a!.daemon.StopBundleCaptureResponse\"\x00\x12D\n" +
+	"\vTracePacket\x12\x1a.daemon.TracePacketRequest\x1a\x1b.daemon.TracePacketResponse\"\x00\x12D\n" +
 	"\x0fSubscribeEvents\x12\x18.daemon.SubscribeRequest\x1a\x13.daemon.SystemEvent\"\x000\x01\x12B\n" +
 	"\tGetEvents\x12\x18.daemon.GetEventsRequest\x1a\x19.daemon.GetEventsResponse\"\x00\x12N\n" +
 	"\rSwitchProfile\x12\x1c.daemon.SwitchProfileRequest\x1a\x1d.daemon.SwitchProfileResponse\"\x00\x12B\n" +
@@ -6914,7 +6613,7 @@ func file_daemon_proto_rawDescGZIP() []byte {
 }
 
 var file_daemon_proto_enumTypes = make([]protoimpl.EnumInfo, 5)
-var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 99)
+var file_daemon_proto_msgTypes = make([]protoimpl.MessageInfo, 93)
 var file_daemon_proto_goTypes = []any{
 	(LogLevel)(0),                              // 0: daemon.LogLevel
 	(ExposeProtocol)(0),                        // 1: daemon.ExposeProtocol
@@ -7011,142 +6710,128 @@ var file_daemon_proto_goTypes = []any{
 	(*ExposeServiceRequest)(nil),               // 92: daemon.ExposeServiceRequest
 	(*ExposeServiceEvent)(nil),                 // 93: daemon.ExposeServiceEvent
 	(*ExposeServiceReady)(nil),                 // 94: daemon.ExposeServiceReady
-	(*StartCaptureRequest)(nil),                // 95: daemon.StartCaptureRequest
-	(*CapturePacket)(nil),                      // 96: daemon.CapturePacket
-	(*StartBundleCaptureRequest)(nil),          // 97: daemon.StartBundleCaptureRequest
-	(*StartBundleCaptureResponse)(nil),         // 98: daemon.StartBundleCaptureResponse
-	(*StopBundleCaptureRequest)(nil),           // 99: daemon.StopBundleCaptureRequest
-	(*StopBundleCaptureResponse)(nil),          // 100: daemon.StopBundleCaptureResponse
-	nil,                                        // 101: daemon.Network.ResolvedIPsEntry
-	(*PortInfo_Range)(nil),                     // 102: daemon.PortInfo.Range
-	nil,                                        // 103: daemon.SystemEvent.MetadataEntry
-	(*durationpb.Duration)(nil),                // 104: google.protobuf.Duration
-	(*timestamppb.Timestamp)(nil),              // 105: google.protobuf.Timestamp
+	nil,                                        // 95: daemon.Network.ResolvedIPsEntry
+	(*PortInfo_Range)(nil),                     // 96: daemon.PortInfo.Range
+	nil,                                        // 97: daemon.SystemEvent.MetadataEntry
+	(*durationpb.Duration)(nil),                // 98: google.protobuf.Duration
+	(*timestamppb.Timestamp)(nil),              // 99: google.protobuf.Timestamp
 }
 var file_daemon_proto_depIdxs = []int32{
-	2,   // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
-	104, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	28,  // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
-	105, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
-	105, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
-	104, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
-	26,  // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
-	23,  // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
-	22,  // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
-	21,  // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
-	20,  // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
-	24,  // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
-	25,  // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
-	58,  // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
-	27,  // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
-	34,  // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
-	101, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
-	102, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
-	35,  // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
-	35,  // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
-	36,  // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
-	0,   // 21: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
-	0,   // 22: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
-	44,  // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
-	53,  // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
-	55,  // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
-	3,   // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
-	4,   // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
-	105, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
-	103, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
-	58,  // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
-	104, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
-	71,  // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
-	1,   // 33: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
-	94,  // 34: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
-	104, // 35: daemon.StartCaptureRequest.duration:type_name -> google.protobuf.Duration
-	104, // 36: daemon.StartBundleCaptureRequest.timeout:type_name -> google.protobuf.Duration
-	33,  // 37: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
-	8,   // 38: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
-	10,  // 39: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
-	12,  // 40: daemon.DaemonService.Up:input_type -> daemon.UpRequest
-	14,  // 41: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
-	16,  // 42: daemon.DaemonService.Down:input_type -> daemon.DownRequest
-	18,  // 43: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
-	29,  // 44: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
-	31,  // 45: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
-	31,  // 46: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
-	5,   // 47: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
-	38,  // 48: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
-	40,  // 49: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
-	42,  // 50: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
-	45,  // 51: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
-	47,  // 52: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
-	49,  // 53: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
-	51,  // 54: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
-	54,  // 55: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
-	95,  // 56: daemon.DaemonService.StartCapture:input_type -> daemon.StartCaptureRequest
-	97,  // 57: daemon.DaemonService.StartBundleCapture:input_type -> daemon.StartBundleCaptureRequest
-	99,  // 58: daemon.DaemonService.StopBundleCapture:input_type -> daemon.StopBundleCaptureRequest
-	57,  // 59: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
-	59,  // 60: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
-	61,  // 61: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
-	63,  // 62: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
-	65,  // 63: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
-	67,  // 64: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
-	69,  // 65: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
-	72,  // 66: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
-	74,  // 67: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
-	76,  // 68: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
-	78,  // 69: daemon.DaemonService.TriggerUpdate:input_type -> daemon.TriggerUpdateRequest
-	80,  // 70: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
-	82,  // 71: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
-	84,  // 72: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
-	86,  // 73: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
-	88,  // 74: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
-	6,   // 75: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
-	90,  // 76: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
-	92,  // 77: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
-	9,   // 78: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
-	11,  // 79: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
-	13,  // 80: daemon.DaemonService.Up:output_type -> daemon.UpResponse
-	15,  // 81: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
-	17,  // 82: daemon.DaemonService.Down:output_type -> daemon.DownResponse
-	19,  // 83: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
-	30,  // 84: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
-	32,  // 85: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
-	32,  // 86: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
-	37,  // 87: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
-	39,  // 88: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
-	41,  // 89: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
-	43,  // 90: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
-	46,  // 91: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
-	48,  // 92: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
-	50,  // 93: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
-	52,  // 94: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
-	56,  // 95: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
-	96,  // 96: daemon.DaemonService.StartCapture:output_type -> daemon.CapturePacket
-	98,  // 97: daemon.DaemonService.StartBundleCapture:output_type -> daemon.StartBundleCaptureResponse
-	100, // 98: daemon.DaemonService.StopBundleCapture:output_type -> daemon.StopBundleCaptureResponse
-	58,  // 99: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
-	60,  // 100: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
-	62,  // 101: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
-	64,  // 102: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
-	66,  // 103: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
-	68,  // 104: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
-	70,  // 105: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
-	73,  // 106: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
-	75,  // 107: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
-	77,  // 108: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
-	79,  // 109: daemon.DaemonService.TriggerUpdate:output_type -> daemon.TriggerUpdateResponse
-	81,  // 110: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
-	83,  // 111: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
-	85,  // 112: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
-	87,  // 113: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
-	89,  // 114: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
-	7,   // 115: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
-	91,  // 116: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
-	93,  // 117: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
-	78,  // [78:118] is the sub-list for method output_type
-	38,  // [38:78] is the sub-list for method input_type
-	38,  // [38:38] is the sub-list for extension type_name
-	38,  // [38:38] is the sub-list for extension extendee
-	0,   // [0:38] is the sub-list for field type_name
+	2,  // 0: daemon.OSLifecycleRequest.type:type_name -> daemon.OSLifecycleRequest.CycleType
+	98, // 1: daemon.LoginRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	28, // 2: daemon.StatusResponse.fullStatus:type_name -> daemon.FullStatus
+	99, // 3: daemon.PeerState.connStatusUpdate:type_name -> google.protobuf.Timestamp
+	99, // 4: daemon.PeerState.lastWireguardHandshake:type_name -> google.protobuf.Timestamp
+	98, // 5: daemon.PeerState.latency:type_name -> google.protobuf.Duration
+	26, // 6: daemon.SSHServerState.sessions:type_name -> daemon.SSHSessionInfo
+	23, // 7: daemon.FullStatus.managementState:type_name -> daemon.ManagementState
+	22, // 8: daemon.FullStatus.signalState:type_name -> daemon.SignalState
+	21, // 9: daemon.FullStatus.localPeerState:type_name -> daemon.LocalPeerState
+	20, // 10: daemon.FullStatus.peers:type_name -> daemon.PeerState
+	24, // 11: daemon.FullStatus.relays:type_name -> daemon.RelayState
+	25, // 12: daemon.FullStatus.dns_servers:type_name -> daemon.NSGroupState
+	58, // 13: daemon.FullStatus.events:type_name -> daemon.SystemEvent
+	27, // 14: daemon.FullStatus.sshServerState:type_name -> daemon.SSHServerState
+	34, // 15: daemon.ListNetworksResponse.routes:type_name -> daemon.Network
+	95, // 16: daemon.Network.resolvedIPs:type_name -> daemon.Network.ResolvedIPsEntry
+	96, // 17: daemon.PortInfo.range:type_name -> daemon.PortInfo.Range
+	35, // 18: daemon.ForwardingRule.destinationPort:type_name -> daemon.PortInfo
+	35, // 19: daemon.ForwardingRule.translatedPort:type_name -> daemon.PortInfo
+	36, // 20: daemon.ForwardingRulesResponse.rules:type_name -> daemon.ForwardingRule
+	0,  // 21: daemon.GetLogLevelResponse.level:type_name -> daemon.LogLevel
+	0,  // 22: daemon.SetLogLevelRequest.level:type_name -> daemon.LogLevel
+	44, // 23: daemon.ListStatesResponse.states:type_name -> daemon.State
+	53, // 24: daemon.TracePacketRequest.tcp_flags:type_name -> daemon.TCPFlags
+	55, // 25: daemon.TracePacketResponse.stages:type_name -> daemon.TraceStage
+	3,  // 26: daemon.SystemEvent.severity:type_name -> daemon.SystemEvent.Severity
+	4,  // 27: daemon.SystemEvent.category:type_name -> daemon.SystemEvent.Category
+	99, // 28: daemon.SystemEvent.timestamp:type_name -> google.protobuf.Timestamp
+	97, // 29: daemon.SystemEvent.metadata:type_name -> daemon.SystemEvent.MetadataEntry
+	58, // 30: daemon.GetEventsResponse.events:type_name -> daemon.SystemEvent
+	98, // 31: daemon.SetConfigRequest.dnsRouteInterval:type_name -> google.protobuf.Duration
+	71, // 32: daemon.ListProfilesResponse.profiles:type_name -> daemon.Profile
+	1,  // 33: daemon.ExposeServiceRequest.protocol:type_name -> daemon.ExposeProtocol
+	94, // 34: daemon.ExposeServiceEvent.ready:type_name -> daemon.ExposeServiceReady
+	33, // 35: daemon.Network.ResolvedIPsEntry.value:type_name -> daemon.IPList
+	8,  // 36: daemon.DaemonService.Login:input_type -> daemon.LoginRequest
+	10, // 37: daemon.DaemonService.WaitSSOLogin:input_type -> daemon.WaitSSOLoginRequest
+	12, // 38: daemon.DaemonService.Up:input_type -> daemon.UpRequest
+	14, // 39: daemon.DaemonService.Status:input_type -> daemon.StatusRequest
+	16, // 40: daemon.DaemonService.Down:input_type -> daemon.DownRequest
+	18, // 41: daemon.DaemonService.GetConfig:input_type -> daemon.GetConfigRequest
+	29, // 42: daemon.DaemonService.ListNetworks:input_type -> daemon.ListNetworksRequest
+	31, // 43: daemon.DaemonService.SelectNetworks:input_type -> daemon.SelectNetworksRequest
+	31, // 44: daemon.DaemonService.DeselectNetworks:input_type -> daemon.SelectNetworksRequest
+	5,  // 45: daemon.DaemonService.ForwardingRules:input_type -> daemon.EmptyRequest
+	38, // 46: daemon.DaemonService.DebugBundle:input_type -> daemon.DebugBundleRequest
+	40, // 47: daemon.DaemonService.GetLogLevel:input_type -> daemon.GetLogLevelRequest
+	42, // 48: daemon.DaemonService.SetLogLevel:input_type -> daemon.SetLogLevelRequest
+	45, // 49: daemon.DaemonService.ListStates:input_type -> daemon.ListStatesRequest
+	47, // 50: daemon.DaemonService.CleanState:input_type -> daemon.CleanStateRequest
+	49, // 51: daemon.DaemonService.DeleteState:input_type -> daemon.DeleteStateRequest
+	51, // 52: daemon.DaemonService.SetSyncResponsePersistence:input_type -> daemon.SetSyncResponsePersistenceRequest
+	54, // 53: daemon.DaemonService.TracePacket:input_type -> daemon.TracePacketRequest
+	57, // 54: daemon.DaemonService.SubscribeEvents:input_type -> daemon.SubscribeRequest
+	59, // 55: daemon.DaemonService.GetEvents:input_type -> daemon.GetEventsRequest
+	61, // 56: daemon.DaemonService.SwitchProfile:input_type -> daemon.SwitchProfileRequest
+	63, // 57: daemon.DaemonService.SetConfig:input_type -> daemon.SetConfigRequest
+	65, // 58: daemon.DaemonService.AddProfile:input_type -> daemon.AddProfileRequest
+	67, // 59: daemon.DaemonService.RemoveProfile:input_type -> daemon.RemoveProfileRequest
+	69, // 60: daemon.DaemonService.ListProfiles:input_type -> daemon.ListProfilesRequest
+	72, // 61: daemon.DaemonService.GetActiveProfile:input_type -> daemon.GetActiveProfileRequest
+	74, // 62: daemon.DaemonService.Logout:input_type -> daemon.LogoutRequest
+	76, // 63: daemon.DaemonService.GetFeatures:input_type -> daemon.GetFeaturesRequest
+	78, // 64: daemon.DaemonService.TriggerUpdate:input_type -> daemon.TriggerUpdateRequest
+	80, // 65: daemon.DaemonService.GetPeerSSHHostKey:input_type -> daemon.GetPeerSSHHostKeyRequest
+	82, // 66: daemon.DaemonService.RequestJWTAuth:input_type -> daemon.RequestJWTAuthRequest
+	84, // 67: daemon.DaemonService.WaitJWTToken:input_type -> daemon.WaitJWTTokenRequest
+	86, // 68: daemon.DaemonService.StartCPUProfile:input_type -> daemon.StartCPUProfileRequest
+	88, // 69: daemon.DaemonService.StopCPUProfile:input_type -> daemon.StopCPUProfileRequest
+	6,  // 70: daemon.DaemonService.NotifyOSLifecycle:input_type -> daemon.OSLifecycleRequest
+	90, // 71: daemon.DaemonService.GetInstallerResult:input_type -> daemon.InstallerResultRequest
+	92, // 72: daemon.DaemonService.ExposeService:input_type -> daemon.ExposeServiceRequest
+	9,  // 73: daemon.DaemonService.Login:output_type -> daemon.LoginResponse
+	11, // 74: daemon.DaemonService.WaitSSOLogin:output_type -> daemon.WaitSSOLoginResponse
+	13, // 75: daemon.DaemonService.Up:output_type -> daemon.UpResponse
+	15, // 76: daemon.DaemonService.Status:output_type -> daemon.StatusResponse
+	17, // 77: daemon.DaemonService.Down:output_type -> daemon.DownResponse
+	19, // 78: daemon.DaemonService.GetConfig:output_type -> daemon.GetConfigResponse
+	30, // 79: daemon.DaemonService.ListNetworks:output_type -> daemon.ListNetworksResponse
+	32, // 80: daemon.DaemonService.SelectNetworks:output_type -> daemon.SelectNetworksResponse
+	32, // 81: daemon.DaemonService.DeselectNetworks:output_type -> daemon.SelectNetworksResponse
+	37, // 82: daemon.DaemonService.ForwardingRules:output_type -> daemon.ForwardingRulesResponse
+	39, // 83: daemon.DaemonService.DebugBundle:output_type -> daemon.DebugBundleResponse
+	41, // 84: daemon.DaemonService.GetLogLevel:output_type -> daemon.GetLogLevelResponse
+	43, // 85: daemon.DaemonService.SetLogLevel:output_type -> daemon.SetLogLevelResponse
+	46, // 86: daemon.DaemonService.ListStates:output_type -> daemon.ListStatesResponse
+	48, // 87: daemon.DaemonService.CleanState:output_type -> daemon.CleanStateResponse
+	50, // 88: daemon.DaemonService.DeleteState:output_type -> daemon.DeleteStateResponse
+	52, // 89: daemon.DaemonService.SetSyncResponsePersistence:output_type -> daemon.SetSyncResponsePersistenceResponse
+	56, // 90: daemon.DaemonService.TracePacket:output_type -> daemon.TracePacketResponse
+	58, // 91: daemon.DaemonService.SubscribeEvents:output_type -> daemon.SystemEvent
+	60, // 92: daemon.DaemonService.GetEvents:output_type -> daemon.GetEventsResponse
+	62, // 93: daemon.DaemonService.SwitchProfile:output_type -> daemon.SwitchProfileResponse
+	64, // 94: daemon.DaemonService.SetConfig:output_type -> daemon.SetConfigResponse
+	66, // 95: daemon.DaemonService.AddProfile:output_type -> daemon.AddProfileResponse
+	68, // 96: daemon.DaemonService.RemoveProfile:output_type -> daemon.RemoveProfileResponse
+	70, // 97: daemon.DaemonService.ListProfiles:output_type -> daemon.ListProfilesResponse
+	73, // 98: daemon.DaemonService.GetActiveProfile:output_type -> daemon.GetActiveProfileResponse
+	75, // 99: daemon.DaemonService.Logout:output_type -> daemon.LogoutResponse
+	77, // 100: daemon.DaemonService.GetFeatures:output_type -> daemon.GetFeaturesResponse
+	79, // 101: daemon.DaemonService.TriggerUpdate:output_type -> daemon.TriggerUpdateResponse
+	81, // 102: daemon.DaemonService.GetPeerSSHHostKey:output_type -> daemon.GetPeerSSHHostKeyResponse
+	83, // 103: daemon.DaemonService.RequestJWTAuth:output_type -> daemon.RequestJWTAuthResponse
+	85, // 104: daemon.DaemonService.WaitJWTToken:output_type -> daemon.WaitJWTTokenResponse
+	87, // 105: daemon.DaemonService.StartCPUProfile:output_type -> daemon.StartCPUProfileResponse
+	89, // 106: daemon.DaemonService.StopCPUProfile:output_type -> daemon.StopCPUProfileResponse
+	7,  // 107: daemon.DaemonService.NotifyOSLifecycle:output_type -> daemon.OSLifecycleResponse
+	91, // 108: daemon.DaemonService.GetInstallerResult:output_type -> daemon.InstallerResultResponse
+	93, // 109: daemon.DaemonService.ExposeService:output_type -> daemon.ExposeServiceEvent
+	73, // [73:110] is the sub-list for method output_type
+	36, // [36:73] is the sub-list for method input_type
+	36, // [36:36] is the sub-list for extension type_name
+	36, // [36:36] is the sub-list for extension extendee
+	0,  // [0:36] is the sub-list for field type_name
 }
 
 func init() { file_daemon_proto_init() }
@@ -7176,7 +6861,7 @@ func file_daemon_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: unsafe.Slice(unsafe.StringData(file_daemon_proto_rawDesc), len(file_daemon_proto_rawDesc)),
 			NumEnums:      5,
-			NumMessages:   99,
+			NumMessages:   93,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

client/proto/daemon.proto

@@ -64,17 +64,6 @@ service DaemonService {
 
   rpc TracePacket(TracePacketRequest) returns (TracePacketResponse) {}
 
-  // StartCapture begins streaming packet capture on the WireGuard interface.
-  // Requires --enable-capture set at service install/reconfigure time.
-  rpc StartCapture(StartCaptureRequest) returns (stream CapturePacket) {}
-
-  // StartBundleCapture begins capturing packets to a server-side temp file
-  // for inclusion in the next debug bundle. Auto-stops after the given timeout.
-  rpc StartBundleCapture(StartBundleCaptureRequest) returns (StartBundleCaptureResponse) {}
-
-  // StopBundleCapture stops the running bundle capture. Idempotent.
-  rpc StopBundleCapture(StopBundleCaptureRequest) returns (StopBundleCaptureResponse) {}
-
   rpc SubscribeEvents(SubscribeRequest) returns (stream SystemEvent) {}
 
   rpc GetEvents(GetEventsRequest) returns (GetEventsResponse) {}
@@ -858,26 +847,3 @@ message ExposeServiceReady {
   string domain = 3;
   bool port_auto_assigned = 4;
 }
-
-message StartCaptureRequest {
-  bool text_output = 1;
-  uint32 snap_len = 2;
-  google.protobuf.Duration duration = 3;
-  string filter_expr = 4;
-  bool verbose = 5;
-  bool ascii = 6;
-}
-
-message CapturePacket {
-  bytes data = 1;
-}
-
-message StartBundleCaptureRequest {
-  // timeout auto-stops the capture after this duration.
-  // Clamped to a server-side maximum (10 minutes). Zero or unset defaults to the maximum.
-  google.protobuf.Duration timeout = 1;
-}
-
-message StartBundleCaptureResponse {}
-message StopBundleCaptureRequest {}
-message StopBundleCaptureResponse {}

client/proto/daemon_grpc.pb.go

@@ -53,14 +53,6 @@ type DaemonServiceClient interface {
 	// SetSyncResponsePersistence enables or disables sync response persistence
 	SetSyncResponsePersistence(ctx context.Context, in *SetSyncResponsePersistenceRequest, opts ...grpc.CallOption) (*SetSyncResponsePersistenceResponse, error)
 	TracePacket(ctx context.Context, in *TracePacketRequest, opts ...grpc.CallOption) (*TracePacketResponse, error)
-	// StartCapture begins streaming packet capture on the WireGuard interface.
-	// Requires --enable-capture set at service install/reconfigure time.
-	StartCapture(ctx context.Context, in *StartCaptureRequest, opts ...grpc.CallOption) (DaemonService_StartCaptureClient, error)
-	// StartBundleCapture begins capturing packets to a server-side temp file
-	// for inclusion in the next debug bundle. Auto-stops after the given timeout.
-	StartBundleCapture(ctx context.Context, in *StartBundleCaptureRequest, opts ...grpc.CallOption) (*StartBundleCaptureResponse, error)
-	// StopBundleCapture stops the running bundle capture. Idempotent.
-	StopBundleCapture(ctx context.Context, in *StopBundleCaptureRequest, opts ...grpc.CallOption) (*StopBundleCaptureResponse, error)
 	SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error)
 	GetEvents(ctx context.Context, in *GetEventsRequest, opts ...grpc.CallOption) (*GetEventsResponse, error)
 	SwitchProfile(ctx context.Context, in *SwitchProfileRequest, opts ...grpc.CallOption) (*SwitchProfileResponse, error)
@@ -261,58 +253,8 @@ func (c *daemonServiceClient) TracePacket(ctx context.Context, in *TracePacketRe
 	return out, nil
 }
 
-func (c *daemonServiceClient) StartCapture(ctx context.Context, in *StartCaptureRequest, opts ...grpc.CallOption) (DaemonService_StartCaptureClient, error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], "/daemon.DaemonService/StartCapture", opts...)
-	if err != nil {
-		return nil, err
-	}
-	x := &daemonServiceStartCaptureClient{stream}
-	if err := x.ClientStream.SendMsg(in); err != nil {
-		return nil, err
-	}
-	if err := x.ClientStream.CloseSend(); err != nil {
-		return nil, err
-	}
-	return x, nil
-}
-
-type DaemonService_StartCaptureClient interface {
-	Recv() (*CapturePacket, error)
-	grpc.ClientStream
-}
-
-type daemonServiceStartCaptureClient struct {
-	grpc.ClientStream
-}
-
-func (x *daemonServiceStartCaptureClient) Recv() (*CapturePacket, error) {
-	m := new(CapturePacket)
-	if err := x.ClientStream.RecvMsg(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
-func (c *daemonServiceClient) StartBundleCapture(ctx context.Context, in *StartBundleCaptureRequest, opts ...grpc.CallOption) (*StartBundleCaptureResponse, error) {
-	out := new(StartBundleCaptureResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/StartBundleCapture", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
-func (c *daemonServiceClient) StopBundleCapture(ctx context.Context, in *StopBundleCaptureRequest, opts ...grpc.CallOption) (*StopBundleCaptureResponse, error) {
-	out := new(StopBundleCaptureResponse)
-	err := c.cc.Invoke(ctx, "/daemon.DaemonService/StopBundleCapture", in, out, opts...)
-	if err != nil {
-		return nil, err
-	}
-	return out, nil
-}
-
 func (c *daemonServiceClient) SubscribeEvents(ctx context.Context, in *SubscribeRequest, opts ...grpc.CallOption) (DaemonService_SubscribeEventsClient, error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], "/daemon.DaemonService/SubscribeEvents", opts...)
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[0], "/daemon.DaemonService/SubscribeEvents", opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -497,7 +439,7 @@ func (c *daemonServiceClient) GetInstallerResult(ctx context.Context, in *Instal
 }
 
 func (c *daemonServiceClient) ExposeService(ctx context.Context, in *ExposeServiceRequest, opts ...grpc.CallOption) (DaemonService_ExposeServiceClient, error) {
-	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[2], "/daemon.DaemonService/ExposeService", opts...)
+	stream, err := c.cc.NewStream(ctx, &DaemonService_ServiceDesc.Streams[1], "/daemon.DaemonService/ExposeService", opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -567,14 +509,6 @@ type DaemonServiceServer interface {
 	// SetSyncResponsePersistence enables or disables sync response persistence
 	SetSyncResponsePersistence(context.Context, *SetSyncResponsePersistenceRequest) (*SetSyncResponsePersistenceResponse, error)
 	TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error)
-	// StartCapture begins streaming packet capture on the WireGuard interface.
-	// Requires --enable-capture set at service install/reconfigure time.
-	StartCapture(*StartCaptureRequest, DaemonService_StartCaptureServer) error
-	// StartBundleCapture begins capturing packets to a server-side temp file
-	// for inclusion in the next debug bundle. Auto-stops after the given timeout.
-	StartBundleCapture(context.Context, *StartBundleCaptureRequest) (*StartBundleCaptureResponse, error)
-	// StopBundleCapture stops the running bundle capture. Idempotent.
-	StopBundleCapture(context.Context, *StopBundleCaptureRequest) (*StopBundleCaptureResponse, error)
 	SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error
 	GetEvents(context.Context, *GetEventsRequest) (*GetEventsResponse, error)
 	SwitchProfile(context.Context, *SwitchProfileRequest) (*SwitchProfileResponse, error)
@@ -664,15 +598,6 @@ func (UnimplementedDaemonServiceServer) SetSyncResponsePersistence(context.Conte
 func (UnimplementedDaemonServiceServer) TracePacket(context.Context, *TracePacketRequest) (*TracePacketResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method TracePacket not implemented")
 }
-func (UnimplementedDaemonServiceServer) StartCapture(*StartCaptureRequest, DaemonService_StartCaptureServer) error {
-	return status.Errorf(codes.Unimplemented, "method StartCapture not implemented")
-}
-func (UnimplementedDaemonServiceServer) StartBundleCapture(context.Context, *StartBundleCaptureRequest) (*StartBundleCaptureResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method StartBundleCapture not implemented")
-}
-func (UnimplementedDaemonServiceServer) StopBundleCapture(context.Context, *StopBundleCaptureRequest) (*StopBundleCaptureResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method StopBundleCapture not implemented")
-}
 func (UnimplementedDaemonServiceServer) SubscribeEvents(*SubscribeRequest, DaemonService_SubscribeEventsServer) error {
 	return status.Errorf(codes.Unimplemented, "method SubscribeEvents not implemented")
 }
@@ -1067,63 +992,6 @@ func _DaemonService_TracePacket_Handler(srv interface{}, ctx context.Context, de
 	return interceptor(ctx, in, info, handler)
 }
 
-func _DaemonService_StartCapture_Handler(srv interface{}, stream grpc.ServerStream) error {
-	m := new(StartCaptureRequest)
-	if err := stream.RecvMsg(m); err != nil {
-		return err
-	}
-	return srv.(DaemonServiceServer).StartCapture(m, &daemonServiceStartCaptureServer{stream})
-}
-
-type DaemonService_StartCaptureServer interface {
-	Send(*CapturePacket) error
-	grpc.ServerStream
-}
-
-type daemonServiceStartCaptureServer struct {
-	grpc.ServerStream
-}
-
-func (x *daemonServiceStartCaptureServer) Send(m *CapturePacket) error {
-	return x.ServerStream.SendMsg(m)
-}
-
-func _DaemonService_StartBundleCapture_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(StartBundleCaptureRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).StartBundleCapture(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/daemon.DaemonService/StartBundleCapture",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).StartBundleCapture(ctx, req.(*StartBundleCaptureRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
-func _DaemonService_StopBundleCapture_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(StopBundleCaptureRequest)
-	if err := dec(in); err != nil {
-		return nil, err
-	}
-	if interceptor == nil {
-		return srv.(DaemonServiceServer).StopBundleCapture(ctx, in)
-	}
-	info := &grpc.UnaryServerInfo{
-		Server:     srv,
-		FullMethod: "/daemon.DaemonService/StopBundleCapture",
-	}
-	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(DaemonServiceServer).StopBundleCapture(ctx, req.(*StopBundleCaptureRequest))
-	}
-	return interceptor(ctx, in, info, handler)
-}
-
 func _DaemonService_SubscribeEvents_Handler(srv interface{}, stream grpc.ServerStream) error {
 	m := new(SubscribeRequest)
 	if err := stream.RecvMsg(m); err != nil {
@@ -1551,14 +1419,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "TracePacket",
 			Handler:    _DaemonService_TracePacket_Handler,
 		},
-		{
-			MethodName: "StartBundleCapture",
-			Handler:    _DaemonService_StartBundleCapture_Handler,
-		},
-		{
-			MethodName: "StopBundleCapture",
-			Handler:    _DaemonService_StopBundleCapture_Handler,
-		},
 		{
 			MethodName: "GetEvents",
 			Handler:    _DaemonService_GetEvents_Handler,
@@ -1629,11 +1489,6 @@ var DaemonService_ServiceDesc = grpc.ServiceDesc{
 		},
 	},
 	Streams: []grpc.StreamDesc{
-		{
-			StreamName:    "StartCapture",
-			Handler:       _DaemonService_StartCapture_Handler,
-			ServerStreams: true,
-		},
 		{
 			StreamName:    "SubscribeEvents",
 			Handler:       _DaemonService_SubscribeEvents_Handler,

client/server/capture.go

@@ -1,325 +0,0 @@
-package server
-
-import (
-	"context"
-	"io"
-	"os"
-	"sync"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util/capture"
-)
-
-const maxBundleCaptureDuration = 10 * time.Minute
-
-// bundleCapture holds the state of an in-progress capture destined for the
-// debug bundle. The lifecycle is:
-//
-//	StartBundleCapture → capture running, writing to temp file
-//	StopBundleCapture  → capture stopped, temp file available
-//	DebugBundle        → temp file included in zip, then cleaned up
-type bundleCapture struct {
-	mu      sync.Mutex
-	sess    *capture.Session
-	file    *os.File
-	engine  *internal.Engine
-	cancel  context.CancelFunc
-	stopped bool
-}
-
-// stop halts the capture session and closes the pcap writer. Idempotent.
-func (bc *bundleCapture) stop() {
-	bc.mu.Lock()
-	defer bc.mu.Unlock()
-
-	if bc.stopped {
-		return
-	}
-	bc.stopped = true
-
-	if bc.cancel != nil {
-		bc.cancel()
-	}
-	if bc.engine != nil {
-		if err := bc.engine.SetCapture(nil); err != nil {
-			log.Debugf("clear bundle capture: %v", err)
-		}
-	}
-	if bc.sess != nil {
-		bc.sess.Stop()
-	}
-}
-
-// path returns the temp file path, or "" if no file exists.
-func (bc *bundleCapture) path() string {
-	if bc.file == nil {
-		return ""
-	}
-	return bc.file.Name()
-}
-
-// cleanup removes the temp file.
-func (bc *bundleCapture) cleanup() {
-	if bc.file == nil {
-		return
-	}
-	name := bc.file.Name()
-	if err := bc.file.Close(); err != nil {
-		log.Debugf("close bundle capture file: %v", err)
-	}
-	if err := os.Remove(name); err != nil && !os.IsNotExist(err) {
-		log.Debugf("remove bundle capture file: %v", err)
-	}
-	bc.file = nil
-}
-
-// StartCapture streams a pcap or text packet capture over gRPC.
-// Gated by the --enable-capture service flag.
-func (s *Server) StartCapture(req *proto.StartCaptureRequest, stream proto.DaemonService_StartCaptureServer) error {
-	if !s.captureEnabled {
-		return status.Error(codes.PermissionDenied,
-			"packet capture is disabled; reinstall or reconfigure the service with --enable-capture")
-	}
-
-	engine, err := s.getCaptureEngine()
-	if err != nil {
-		return err
-	}
-
-	matcher, err := parseCaptureFilter(req)
-	if err != nil {
-		return status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
-	}
-
-	pr, pw := io.Pipe()
-
-	opts := capture.Options{
-		Matcher: matcher,
-		SnapLen: req.GetSnapLen(),
-		Verbose: req.GetVerbose(),
-		ASCII:   req.GetAscii(),
-	}
-	if req.GetTextOutput() {
-		opts.TextOutput = pw
-	} else {
-		opts.Output = pw
-	}
-
-	sess, err := capture.NewSession(opts)
-	if err != nil {
-		pw.Close()
-		return status.Errorf(codes.Internal, "create capture session: %v", err)
-	}
-
-	if err := engine.SetCapture(sess); err != nil {
-		sess.Stop()
-		pw.Close()
-		return status.Errorf(codes.Internal, "set capture: %v", err)
-	}
-
-	// Send an empty initial message to signal that the capture was accepted.
-	// The client waits for this before printing the banner, so it must arrive
-	// before any packet data.
-	if err := stream.Send(&proto.CapturePacket{}); err != nil {
-		if clearErr := engine.SetCapture(nil); clearErr != nil {
-			log.Debugf("clear capture after send failure: %v", clearErr)
-		}
-		sess.Stop()
-		pw.Close()
-		return status.Errorf(codes.Internal, "send initial message: %v", err)
-	}
-
-	ctx := stream.Context()
-	if d := req.GetDuration(); d != nil {
-		dur := d.AsDuration()
-		if dur < 0 {
-			if clearErr := engine.SetCapture(nil); clearErr != nil {
-				log.Debugf("clear capture: %v", clearErr)
-			}
-			sess.Stop()
-			pw.Close()
-			return status.Errorf(codes.InvalidArgument, "duration must not be negative")
-		}
-		if dur > 0 {
-			var cancel context.CancelFunc
-			ctx, cancel = context.WithTimeout(ctx, dur)
-			defer cancel()
-		}
-	}
-
-	go func() {
-		<-ctx.Done()
-		if err := engine.SetCapture(nil); err != nil {
-			log.Debugf("clear capture: %v", err)
-		}
-		sess.Stop()
-		pw.Close()
-	}()
-	defer pr.Close()
-
-	log.Infof("packet capture started (text=%v, expr=%q)", req.GetTextOutput(), req.GetFilterExpr())
-	defer func() {
-		stats := sess.Stats()
-		log.Infof("packet capture stopped: %d packets, %d bytes, %d dropped",
-			stats.Packets, stats.Bytes, stats.Dropped)
-	}()
-
-	return streamToGRPC(pr, stream)
-}
-
-func streamToGRPC(r io.Reader, stream proto.DaemonService_StartCaptureServer) error {
-	buf := make([]byte, 32*1024)
-	for {
-		n, readErr := r.Read(buf)
-		if n > 0 {
-			if err := stream.Send(&proto.CapturePacket{Data: buf[:n]}); err != nil {
-				log.Debugf("capture stream send: %v", err)
-				return nil //nolint:nilerr // client disconnected
-			}
-		}
-		if readErr != nil {
-			return nil //nolint:nilerr // pipe closed, capture stopped normally
-		}
-	}
-}
-
-// StartBundleCapture begins capturing packets to a server-side temp file for
-// inclusion in the next debug bundle. Not gated by --enable-capture since the
-// output stays on the server (same trust level as CPU profiling).
-//
-// A timeout auto-stops the capture as a safety net if StopBundleCapture is
-// never called (e.g. CLI crash).
-func (s *Server) StartBundleCapture(_ context.Context, req *proto.StartBundleCaptureRequest) (*proto.StartBundleCaptureResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	s.stopBundleCaptureLocked()
-	s.cleanupBundleCapture()
-
-	engine, err := s.getCaptureEngineLocked()
-	if err != nil {
-		// Not fatal: kernel mode or not connected. Log and return success
-		// so the debug bundle still generates without capture data.
-		log.Warnf("packet capture unavailable, skipping: %v", err)
-		return &proto.StartBundleCaptureResponse{}, nil
-	}
-
-	timeout := req.GetTimeout().AsDuration()
-	if timeout <= 0 || timeout > maxBundleCaptureDuration {
-		timeout = maxBundleCaptureDuration
-	}
-
-	f, err := os.CreateTemp("", "netbird.capture.*.pcap")
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "create temp file: %v", err)
-	}
-
-	sess, err := capture.NewSession(capture.Options{Output: f})
-	if err != nil {
-		f.Close()
-		os.Remove(f.Name())
-		return nil, status.Errorf(codes.Internal, "create capture session: %v", err)
-	}
-
-	if err := engine.SetCapture(sess); err != nil {
-		sess.Stop()
-		f.Close()
-		os.Remove(f.Name())
-		log.Warnf("packet capture unavailable (no filtered device), skipping: %v", err)
-		return &proto.StartBundleCaptureResponse{}, nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), timeout)
-	bc := &bundleCapture{
-		sess:   sess,
-		file:   f,
-		engine: engine,
-		cancel: cancel,
-	}
-
-	go func() {
-		<-ctx.Done()
-		bc.stop()
-		log.Infof("bundle capture auto-stopped after timeout")
-	}()
-
-	s.bundleCapture = bc
-	log.Infof("bundle capture started (timeout=%s, file=%s)", timeout, f.Name())
-
-	return &proto.StartBundleCaptureResponse{}, nil
-}
-
-// StopBundleCapture stops the running bundle capture. Idempotent.
-func (s *Server) StopBundleCapture(_ context.Context, _ *proto.StopBundleCaptureRequest) (*proto.StopBundleCaptureResponse, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-
-	s.stopBundleCaptureLocked()
-	return &proto.StopBundleCaptureResponse{}, nil
-}
-
-// stopBundleCaptureLocked stops the bundle capture if running. Must hold s.mutex.
-func (s *Server) stopBundleCaptureLocked() {
-	if s.bundleCapture == nil {
-		return
-	}
-	s.bundleCapture.stop()
-
-	stats := s.bundleCapture.sess.Stats()
-	log.Infof("bundle capture stopped: %d packets, %d bytes, %d dropped",
-		stats.Packets, stats.Bytes, stats.Dropped)
-}
-
-// bundleCapturePath returns the temp file path if a capture has been taken,
-// stops any running capture, and returns "". Called from DebugBundle.
-// Must hold s.mutex.
-func (s *Server) bundleCapturePath() string {
-	if s.bundleCapture == nil {
-		return ""
-	}
-
-	s.bundleCapture.stop()
-	return s.bundleCapture.path()
-}
-
-// cleanupBundleCapture removes the temp file and clears state. Must hold s.mutex.
-func (s *Server) cleanupBundleCapture() {
-	if s.bundleCapture == nil {
-		return
-	}
-	s.bundleCapture.cleanup()
-	s.bundleCapture = nil
-}
-
-func (s *Server) getCaptureEngine() (*internal.Engine, error) {
-	s.mutex.Lock()
-	defer s.mutex.Unlock()
-	return s.getCaptureEngineLocked()
-}
-
-func (s *Server) getCaptureEngineLocked() (*internal.Engine, error) {
-	if s.connectClient == nil {
-		return nil, status.Error(codes.FailedPrecondition, "client not connected")
-	}
-	engine := s.connectClient.Engine()
-	if engine == nil {
-		return nil, status.Error(codes.FailedPrecondition, "engine not initialized")
-	}
-	return engine, nil
-}
-
-// parseCaptureFilter returns a Matcher from the request.
-// Returns nil (match all) when no filter expression is set.
-func parseCaptureFilter(req *proto.StartCaptureRequest) (capture.Matcher, error) {
-	expr := req.GetFilterExpr()
-	if expr == "" {
-		return nil, nil //nolint:nilnil // nil Matcher means "match all"
-	}
-	return capture.ParseFilter(expr)
-}

client/server/debug.go

@@ -43,9 +43,7 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 		}()
 	}
 
-	capturePath := s.bundleCapturePath()
-	defer s.cleanupBundleCapture()
-
+	// Prepare refresh callback for health probes
 	var refreshStatus func()
 	if s.connectClient != nil {
 		engine := s.connectClient.Engine()
@@ -64,7 +62,6 @@ func (s *Server) DebugBundle(_ context.Context, req *proto.DebugBundleRequest) (
 			SyncResponse:   syncResponse,
 			LogPath:        s.logFile,
 			CPUProfile:     cpuProfileData,
-			CapturePath:    capturePath,
 			RefreshStatus:  refreshStatus,
 			ClientMetrics:  clientMetrics,
 		},

client/server/server.go

@@ -88,8 +88,6 @@ type Server struct {
 	profileManager         *profilemanager.ServiceManager
 	profilesDisabled       bool
 	updateSettingsDisabled bool
-	captureEnabled         bool
-	bundleCapture          *bundleCapture
 
 	sleepHandler *sleephandler.SleepHandler
 
@@ -106,7 +104,7 @@ type oauthAuthFlow struct {
 }
 
 // New server instance constructor.
-func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool, captureEnabled bool) *Server {
+func New(ctx context.Context, logFile string, configFile string, profilesDisabled bool, updateSettingsDisabled bool) *Server {
 	s := &Server{
 		rootCtx:                ctx,
 		logFile:                logFile,
@@ -115,7 +113,6 @@ func New(ctx context.Context, logFile string, configFile string, profilesDisable
 		profileManager:         profilemanager.NewServiceManager(configFile),
 		profilesDisabled:       profilesDisabled,
 		updateSettingsDisabled: updateSettingsDisabled,
-		captureEnabled:         captureEnabled,
 		jwtCache:               newJWTCache(),
 	}
 	agent := &serverAgent{s}
@@ -1362,10 +1359,6 @@ func (s *Server) ExposeService(req *proto.ExposeServiceRequest, srv proto.Daemon
 		return gstatus.Errorf(codes.FailedPrecondition, "engine not initialized")
 	}
 
-	if engine.IsBlockInbound() {
-		return gstatus.Errorf(codes.FailedPrecondition, "expose requires inbound connections but 'block inbound' is enabled, disable it first")
-	}
-
 	mgr := engine.GetExposeManager()
 	if mgr == nil {
 		return gstatus.Errorf(codes.Internal, "expose manager not available")

client/server/server_test.go

@@ -103,7 +103,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "debug", "", false, false, false)
+	s := New(ctx, "debug", "", false, false)
 
 	s.config = config
 
@@ -164,7 +164,7 @@ func TestServer_Up(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false)
 	err = s.Start()
 	require.NoError(t, err)
 
@@ -234,7 +234,7 @@ func TestServer_SubcribeEvents(t *testing.T) {
 		t.Fatalf("failed to set active profile state: %v", err)
 	}
 
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false)
 
 	err = s.Start()
 	require.NoError(t, err)

client/server/setconfig_test.go

@@ -53,7 +53,7 @@ func TestSetConfig_AllFieldsSaved(t *testing.T) {
 	require.NoError(t, err)
 
 	ctx := context.Background()
-	s := New(ctx, "console", "", false, false, false)
+	s := New(ctx, "console", "", false, false)
 
 	rosenpassEnabled := true
 	rosenpassPermissive := true

client/server/state_generic.go

@@ -9,7 +9,6 @@ import (
 	"github.com/netbirdio/netbird/client/ssh/config"
 )
 
-// registerStates registers all states that need crash recovery cleanup.
 func registerStates(mgr *statemanager.Manager) {
 	mgr.RegisterState(&dns.ShutdownState{})
 	mgr.RegisterState(&systemops.ShutdownState{})

client/server/state_linux.go

@@ -11,7 +11,6 @@ import (
 	"github.com/netbirdio/netbird/client/ssh/config"
 )
 
-// registerStates registers all states that need crash recovery cleanup.
 func registerStates(mgr *statemanager.Manager) {
 	mgr.RegisterState(&dns.ShutdownState{})
 	mgr.RegisterState(&systemops.ShutdownState{})

client/ssh/proxy/proxy.go

@@ -141,7 +141,7 @@ func (p *SSHProxy) runProxySSHServer(jwtToken string) error {
 
 func (p *SSHProxy) handleSSHSession(session ssh.Session) {
 	ptyReq, winCh, isPty := session.Pty()
-	hasCommand := session.RawCommand() != ""
+	hasCommand := len(session.Command()) > 0
 
 	sshClient, err := p.getOrCreateBackendClient(session.Context(), session.User())
 	if err != nil {
@@ -180,7 +180,7 @@ func (p *SSHProxy) handleSSHSession(session ssh.Session) {
 	}
 
 	if hasCommand {
-		if err := serverSession.Run(session.RawCommand()); err != nil {
+		if err := serverSession.Run(strings.Join(session.Command(), " ")); err != nil {
 			log.Debugf("run command: %v", err)
 			p.handleProxyExitCode(session, err)
 		}

client/ssh/proxy/proxy_test.go

@@ -1,7 +1,6 @@
 package proxy
 
 import (
-	"bytes"
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
@@ -246,191 +245,6 @@ func TestSSHProxy_Connect(t *testing.T) {
 	cancel()
 }
 
-// TestSSHProxy_CommandQuoting verifies that the proxy preserves shell quoting
-// when forwarding commands to the backend. This is critical for tools like
-// Ansible that send commands such as:
-//
-//	/bin/sh -c '( umask 77 && mkdir -p ... ) && sleep 0'
-//
-// The single quotes must be preserved so the backend shell receives the
-// subshell expression as a single argument to -c.
-func TestSSHProxy_CommandQuoting(t *testing.T) {
-	if testing.Short() {
-		t.Skip("Skipping integration test in short mode")
-	}
-
-	sshClient, cleanup := setupProxySSHClient(t)
-	defer cleanup()
-
-	// These commands simulate what the SSH protocol delivers as exec payloads.
-	// When a user types: ssh host '/bin/sh -c "( echo hello )"'
-	// the local shell strips the outer single quotes, and the SSH exec request
-	// contains the raw string: /bin/sh -c "( echo hello )"
-	//
-	// The proxy must forward this string verbatim. Using session.Command()
-	// (shlex.Split + strings.Join) strips the inner double quotes, breaking
-	// the command on the backend.
-	tests := []struct {
-		name    string
-		command string
-		expect  string
-	}{
-		{
-			name:    "subshell_in_double_quotes",
-			command: `/bin/sh -c "( echo from-subshell ) && echo outer"`,
-			expect:  "from-subshell\nouter\n",
-		},
-		{
-			name:    "printf_with_special_chars",
-			command: `/bin/sh -c "printf '%s\n' 'hello world'"`,
-			expect:  "hello world\n",
-		},
-		{
-			name:    "nested_command_substitution",
-			command: `/bin/sh -c "echo $(echo nested)"`,
-			expect:  "nested\n",
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			session, err := sshClient.NewSession()
-			require.NoError(t, err)
-			defer func() { _ = session.Close() }()
-
-			var stderrBuf bytes.Buffer
-			session.Stderr = &stderrBuf
-
-			outputCh := make(chan []byte, 1)
-			errCh := make(chan error, 1)
-			go func() {
-				output, err := session.Output(tc.command)
-				outputCh <- output
-				errCh <- err
-			}()
-
-			select {
-			case output := <-outputCh:
-				err := <-errCh
-				if stderrBuf.Len() > 0 {
-					t.Logf("stderr: %s", stderrBuf.String())
-				}
-				require.NoError(t, err, "command should succeed: %s", tc.command)
-				assert.Equal(t, tc.expect, string(output), "output mismatch for: %s", tc.command)
-			case <-time.After(5 * time.Second):
-				t.Fatalf("command timed out: %s", tc.command)
-			}
-		})
-	}
-}
-
-// setupProxySSHClient creates a full proxy test environment and returns
-// an SSH client connected through the proxy to a backend NetBird SSH server.
-func setupProxySSHClient(t *testing.T) (*cryptossh.Client, func()) {
-	t.Helper()
-
-	const (
-		issuer   = "https://test-issuer.example.com"
-		audience = "test-audience"
-	)
-
-	jwksServer, privateKey, jwksURL := setupJWKSServer(t)
-
-	hostKey, err := nbssh.GeneratePrivateKey(nbssh.ED25519)
-	require.NoError(t, err)
-	hostPubKey, err := nbssh.GeneratePublicKey(hostKey)
-	require.NoError(t, err)
-
-	serverConfig := &server.Config{
-		HostKeyPEM: hostKey,
-		JWT: &server.JWTConfig{
-			Issuer:       issuer,
-			Audiences:    []string{audience},
-			KeysLocation: jwksURL,
-		},
-	}
-	sshServer := server.New(serverConfig)
-	sshServer.SetAllowRootLogin(true)
-
-	testUsername := testutil.GetTestUsername(t)
-	testJWTUser := "test-username"
-	testUserHash, err := sshuserhash.HashUserID(testJWTUser)
-	require.NoError(t, err)
-
-	authConfig := &sshauth.Config{
-		UserIDClaim:     sshauth.DefaultUserIDClaim,
-		AuthorizedUsers: []sshuserhash.UserIDHash{testUserHash},
-		MachineUsers: map[string][]uint32{
-			testUsername: {0},
-		},
-	}
-	sshServer.UpdateSSHAuth(authConfig)
-
-	sshServerAddr := server.StartTestServer(t, sshServer)
-
-	mockDaemon := startMockDaemon(t)
-
-	host, portStr, err := net.SplitHostPort(sshServerAddr)
-	require.NoError(t, err)
-	port, err := strconv.Atoi(portStr)
-	require.NoError(t, err)
-
-	mockDaemon.setHostKey(host, hostPubKey)
-
-	validToken := generateValidJWT(t, privateKey, issuer, audience, testJWTUser)
-	mockDaemon.setJWTToken(validToken)
-
-	proxyInstance, err := New(mockDaemon.addr, host, port, io.Discard, nil)
-	require.NoError(t, err)
-
-	origStdin := os.Stdin
-	origStdout := os.Stdout
-
-	stdinReader, stdinWriter, err := os.Pipe()
-	require.NoError(t, err)
-	stdoutReader, stdoutWriter, err := os.Pipe()
-	require.NoError(t, err)
-
-	os.Stdin = stdinReader
-	os.Stdout = stdoutWriter
-
-	clientConn, proxyConn := net.Pipe()
-
-	go func() { _, _ = io.Copy(stdinWriter, proxyConn) }()
-	go func() { _, _ = io.Copy(proxyConn, stdoutReader) }()
-
-	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-
-	go func() {
-		_ = proxyInstance.Connect(ctx)
-	}()
-
-	sshConfig := &cryptossh.ClientConfig{
-		User:            testutil.GetTestUsername(t),
-		Auth:            []cryptossh.AuthMethod{},
-		HostKeyCallback: cryptossh.InsecureIgnoreHostKey(),
-		Timeout:         5 * time.Second,
-	}
-
-	sshClientConn, chans, reqs, err := cryptossh.NewClientConn(clientConn, "test", sshConfig)
-	require.NoError(t, err)
-
-	client := cryptossh.NewClient(sshClientConn, chans, reqs)
-
-	cleanupFn := func() {
-		_ = client.Close()
-		_ = clientConn.Close()
-		cancel()
-		os.Stdin = origStdin
-		os.Stdout = origStdout
-		_ = sshServer.Stop()
-		mockDaemon.stop()
-		jwksServer.Close()
-	}
-
-	return client, cleanupFn
-}
-
 type mockDaemonServer struct {
 	proto.UnimplementedDaemonServiceServer
 	hostKeys map[string][]byte

client/ssh/server/server.go

@@ -284,21 +284,19 @@ func (s *Server) closeListener(ln net.Listener) {
 // Stop closes the SSH server
 func (s *Server) Stop() error {
 	s.mu.Lock()
-	sshServer := s.sshServer
-	if sshServer == nil {
-		s.mu.Unlock()
+	defer s.mu.Unlock()
+
+	if s.sshServer == nil {
 		return nil
 	}
-	s.sshServer = nil
-	s.listener = nil
-	s.mu.Unlock()
 
-	// Close outside the lock: session handlers need s.mu for unregisterSession.
-	if err := sshServer.Close(); err != nil {
+	if err := s.sshServer.Close(); err != nil {
 		log.Debugf("close SSH server: %v", err)
 	}
 
-	s.mu.Lock()
+	s.sshServer = nil
+	s.listener = nil
+
 	maps.Clear(s.sessions)
 	maps.Clear(s.pendingAuthJWT)
 	maps.Clear(s.connections)
@@ -309,7 +307,6 @@ func (s *Server) Stop() error {
 		}
 	}
 	maps.Clear(s.remoteForwardListeners)
-	s.mu.Unlock()
 
 	return nil
 }

client/ssh/server/session_handlers.go

@@ -60,7 +60,7 @@ func (s *Server) sessionHandler(session ssh.Session) {
 	}
 
 	ptyReq, winCh, isPty := session.Pty()
-	hasCommand := session.RawCommand() != ""
+	hasCommand := len(session.Command()) > 0
 
 	if isPty && !hasCommand {
 		// ssh <host> - PTY interactive session (login)

client/system/info.go

@@ -153,9 +153,6 @@ func networkAddresses() ([]NetworkAddress, error) {
 
 	var netAddresses []NetworkAddress
 	for _, iface := range interfaces {
-		if iface.Flags&net.FlagUp == 0 {
-			continue
-		}
 		if iface.HardwareAddr.String() == "" {
 			continue
 		}

client/system/info_freebsd.go

@@ -43,24 +43,18 @@ func GetInfo(ctx context.Context) *Info {
 
 	systemHostname, _ := os.Hostname()
 
-	addrs, err := networkAddresses()
-	if err != nil {
-		log.Warnf("failed to discover network addresses: %s", err)
-	}
-
 	return &Info{
-		GoOS:             runtime.GOOS,
-		Kernel:           osInfo[0],
-		Platform:         runtime.GOARCH,
-		OS:               osName,
-		OSVersion:        osVersion,
-		Hostname:         extractDeviceName(ctx, systemHostname),
-		CPUs:             runtime.NumCPU(),
-		NetbirdVersion:   version.NetbirdVersion(),
-		UIVersion:        extractUserAgent(ctx),
-		KernelVersion:    osInfo[1],
-		NetworkAddresses: addrs,
-		Environment:      env,
+		GoOS:           runtime.GOOS,
+		Kernel:         osInfo[0],
+		Platform:       runtime.GOARCH,
+		OS:             osName,
+		OSVersion:      osVersion,
+		Hostname:       extractDeviceName(ctx, systemHostname),
+		CPUs:           runtime.NumCPU(),
+		NetbirdVersion: version.NetbirdVersion(),
+		UIVersion:      extractUserAgent(ctx),
+		KernelVersion:  osInfo[1],
+		Environment:    env,
 	}
 }
 

client/ui/debug.go

@@ -16,7 +16,6 @@ import (
 	"fyne.io/fyne/v2/widget"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"
-	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
@@ -25,10 +24,9 @@ import (
 
 // Initial state for the debug collection
 type debugInitialState struct {
-	wasDown        bool
-	needsRestoreUp bool
-	logLevel       proto.LogLevel
-	isLevelTrace   bool
+	wasDown      bool
+	logLevel     proto.LogLevel
+	isLevelTrace bool
 }
 
 // Debug collection parameters
@@ -39,7 +37,6 @@ type debugCollectionParams struct {
 	upload            bool
 	uploadURL         string
 	enablePersistence bool
-	capture           bool
 }
 
 // UI components for progress tracking
@@ -53,58 +50,25 @@ type progressUI struct {
 func (s *serviceClient) showDebugUI() {
 	w := s.app.NewWindow("NetBird Debug")
 	w.SetOnClosed(s.cancel)
+
 	w.Resize(fyne.NewSize(600, 500))
 	w.SetFixedSize(true)
 
 	anonymizeCheck := widget.NewCheck("Anonymize sensitive information (public IPs, domains, ...)", nil)
 	systemInfoCheck := widget.NewCheck("Include system information (routes, interfaces, ...)", nil)
 	systemInfoCheck.SetChecked(true)
-	captureCheck := widget.NewCheck("Include packet capture", nil)
 	uploadCheck := widget.NewCheck("Upload bundle automatically after creation", nil)
 	uploadCheck.SetChecked(true)
 
-	uploadURLContainer, uploadURL := s.buildUploadSection(uploadCheck)
-
-	debugModeContainer, runForDurationCheck, durationInput, noteLabel := s.buildDurationSection()
-
-	statusLabel := widget.NewLabel("")
-	statusLabel.Hide()
-	progressBar := widget.NewProgressBar()
-	progressBar.Hide()
-	createButton := widget.NewButton("Create Debug Bundle", nil)
-
-	uiControls := []fyne.Disableable{
-		anonymizeCheck, systemInfoCheck, captureCheck,
-		uploadCheck, uploadURL, runForDurationCheck, durationInput, createButton,
-	}
-
-	createButton.OnTapped = s.getCreateHandler(
-		statusLabel, progressBar, uploadCheck, uploadURL,
-		anonymizeCheck, systemInfoCheck, captureCheck,
-		runForDurationCheck, durationInput, uiControls, w,
-	)
-
-	content := container.NewVBox(
-		widget.NewLabel("Create a debug bundle to help troubleshoot issues with NetBird"),
-		widget.NewLabel(""),
-		anonymizeCheck, systemInfoCheck, captureCheck,
-		uploadCheck, uploadURLContainer,
-		widget.NewLabel(""),
-		debugModeContainer, noteLabel,
-		widget.NewLabel(""),
-		statusLabel, progressBar, createButton,
-	)
-
-	w.SetContent(container.NewPadded(content))
-	w.Show()
-}
-
-func (s *serviceClient) buildUploadSection(uploadCheck *widget.Check) (*fyne.Container, *widget.Entry) {
+	uploadURLLabel := widget.NewLabel("Debug upload URL:")
 	uploadURL := widget.NewEntry()
 	uploadURL.SetText(uptypes.DefaultBundleURL)
 	uploadURL.SetPlaceHolder("Enter upload URL")
 
-	uploadURLContainer := container.NewVBox(widget.NewLabel("Debug upload URL:"), uploadURL)
+	uploadURLContainer := container.NewVBox(
+		uploadURLLabel,
+		uploadURL,
+	)
 
 	uploadCheck.OnChanged = func(checked bool) {
 		if checked {
@@ -113,14 +77,13 @@ func (s *serviceClient) buildUploadSection(uploadCheck *widget.Check) (*fyne.Con
 			uploadURLContainer.Hide()
 		}
 	}
-	return uploadURLContainer, uploadURL
-}
 
-func (s *serviceClient) buildDurationSection() (*fyne.Container, *widget.Check, *widget.Entry, *widget.Label) {
+	debugModeContainer := container.NewHBox()
 	runForDurationCheck := widget.NewCheck("Run with trace logs before creating bundle", nil)
 	runForDurationCheck.SetChecked(true)
 
 	forLabel := widget.NewLabel("for")
+
 	durationInput := widget.NewEntry()
 	durationInput.SetText("1")
 	minutesLabel := widget.NewLabel("minute")
@@ -144,8 +107,63 @@ func (s *serviceClient) buildDurationSection() (*fyne.Container, *widget.Check,
 		}
 	}
 
-	modeContainer := container.NewHBox(runForDurationCheck, forLabel, durationInput, minutesLabel)
-	return modeContainer, runForDurationCheck, durationInput, noteLabel
+	debugModeContainer.Add(runForDurationCheck)
+	debugModeContainer.Add(forLabel)
+	debugModeContainer.Add(durationInput)
+	debugModeContainer.Add(minutesLabel)
+
+	statusLabel := widget.NewLabel("")
+	statusLabel.Hide()
+
+	progressBar := widget.NewProgressBar()
+	progressBar.Hide()
+
+	createButton := widget.NewButton("Create Debug Bundle", nil)
+
+	// UI controls that should be disabled during debug collection
+	uiControls := []fyne.Disableable{
+		anonymizeCheck,
+		systemInfoCheck,
+		uploadCheck,
+		uploadURL,
+		runForDurationCheck,
+		durationInput,
+		createButton,
+	}
+
+	createButton.OnTapped = s.getCreateHandler(
+		statusLabel,
+		progressBar,
+		uploadCheck,
+		uploadURL,
+		anonymizeCheck,
+		systemInfoCheck,
+		runForDurationCheck,
+		durationInput,
+		uiControls,
+		w,
+	)
+
+	content := container.NewVBox(
+		widget.NewLabel("Create a debug bundle to help troubleshoot issues with NetBird"),
+		widget.NewLabel(""),
+		anonymizeCheck,
+		systemInfoCheck,
+		uploadCheck,
+		uploadURLContainer,
+		widget.NewLabel(""),
+		debugModeContainer,
+		noteLabel,
+		widget.NewLabel(""),
+		statusLabel,
+		progressBar,
+		createButton,
+	)
+
+	paddedContent := container.NewPadded(content)
+	w.SetContent(paddedContent)
+
+	w.Show()
 }
 
 func validateMinute(s string, minutesLabel *widget.Label) error {
@@ -181,7 +199,6 @@ func (s *serviceClient) getCreateHandler(
 	uploadURL *widget.Entry,
 	anonymizeCheck *widget.Check,
 	systemInfoCheck *widget.Check,
-	captureCheck *widget.Check,
 	runForDurationCheck *widget.Check,
 	duration *widget.Entry,
 	uiControls []fyne.Disableable,
@@ -204,7 +221,6 @@ func (s *serviceClient) getCreateHandler(
 		params := &debugCollectionParams{
 			anonymize:         anonymizeCheck.Checked,
 			systemInfo:        systemInfoCheck.Checked,
-			capture:           captureCheck.Checked,
 			upload:            uploadCheck.Checked,
 			uploadURL:         url,
 			enablePersistence: true,
@@ -236,7 +252,10 @@ func (s *serviceClient) getCreateHandler(
 
 		statusLabel.SetText("Creating debug bundle...")
 		go s.handleDebugCreation(
-			params,
+			anonymizeCheck.Checked,
+			systemInfoCheck.Checked,
+			uploadCheck.Checked,
+			url,
 			statusLabel,
 			uiControls,
 			w,
@@ -351,72 +370,47 @@ func startProgressTracker(ctx context.Context, wg *sync.WaitGroup, duration time
 func (s *serviceClient) configureServiceForDebug(
 	conn proto.DaemonServiceClient,
 	state *debugInitialState,
-	params *debugCollectionParams,
-) {
+	enablePersistence bool,
+) error {
 	if state.wasDown {
 		if _, err := conn.Up(s.ctx, &proto.UpRequest{}); err != nil {
-			log.Warnf("failed to bring service up: %v", err)
-		} else {
-			log.Info("Service brought up for debug")
-			time.Sleep(time.Second * 10)
+			return fmt.Errorf("bring service up: %v", err)
 		}
+		log.Info("Service brought up for debug")
+		time.Sleep(time.Second * 10)
 	}
 
 	if !state.isLevelTrace {
 		if _, err := conn.SetLogLevel(s.ctx, &proto.SetLogLevelRequest{Level: proto.LogLevel_TRACE}); err != nil {
-			log.Warnf("failed to set log level to TRACE: %v", err)
-		} else {
-			log.Info("Log level set to TRACE for debug")
+			return fmt.Errorf("set log level to TRACE: %v", err)
 		}
+		log.Info("Log level set to TRACE for debug")
 	}
 
 	if _, err := conn.Down(s.ctx, &proto.DownRequest{}); err != nil {
-		log.Warnf("failed to bring service down: %v", err)
-	} else {
-		state.needsRestoreUp = !state.wasDown
-		time.Sleep(time.Second)
+		return fmt.Errorf("bring service down: %v", err)
 	}
+	time.Sleep(time.Second)
 
-	if params.enablePersistence {
+	if enablePersistence {
 		if _, err := conn.SetSyncResponsePersistence(s.ctx, &proto.SetSyncResponsePersistenceRequest{
 			Enabled: true,
 		}); err != nil {
-			log.Warnf("failed to enable sync response persistence: %v", err)
-		} else {
-			log.Info("Sync response persistence enabled for debug")
+			return fmt.Errorf("enable sync response persistence: %v", err)
 		}
+		log.Info("Sync response persistence enabled for debug")
 	}
 
 	if _, err := conn.Up(s.ctx, &proto.UpRequest{}); err != nil {
-		log.Warnf("failed to bring service back up: %v", err)
-	} else {
-		state.needsRestoreUp = false
-		time.Sleep(time.Second * 3)
+		return fmt.Errorf("bring service back up: %v", err)
 	}
+	time.Sleep(time.Second * 3)
 
 	if _, err := conn.StartCPUProfile(s.ctx, &proto.StartCPUProfileRequest{}); err != nil {
 		log.Warnf("failed to start CPU profiling: %v", err)
 	}
 
-	s.startBundleCaptureIfEnabled(conn, params)
-}
-
-func (s *serviceClient) startBundleCaptureIfEnabled(conn proto.DaemonServiceClient, params *debugCollectionParams) {
-	if !params.capture {
-		return
-	}
-
-	const maxCapture = 10 * time.Minute
-	timeout := params.duration + 30*time.Second
-	if timeout > maxCapture {
-		timeout = maxCapture
-		log.Warnf("packet capture clamped to %s (server maximum)", maxCapture)
-	}
-	if _, err := conn.StartBundleCapture(s.ctx, &proto.StartBundleCaptureRequest{
-		Timeout: durationpb.New(timeout),
-	}); err != nil {
-		log.Warnf("failed to start bundle capture: %v", err)
-	}
+	return nil
 }
 
 func (s *serviceClient) collectDebugData(
@@ -430,7 +424,9 @@ func (s *serviceClient) collectDebugData(
 	var wg sync.WaitGroup
 	startProgressTracker(ctx, &wg, params.duration, progress)
 
-	s.configureServiceForDebug(conn, state, params)
+	if err := s.configureServiceForDebug(conn, state, params.enablePersistence); err != nil {
+		return err
+	}
 
 	wg.Wait()
 	progress.progressBar.Hide()
@@ -440,14 +436,6 @@ func (s *serviceClient) collectDebugData(
 		log.Warnf("failed to stop CPU profiling: %v", err)
 	}
 
-	if params.capture {
-		stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancel()
-		if _, err := conn.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
-			log.Warnf("failed to stop bundle capture: %v", err)
-		}
-	}
-
 	return nil
 }
 
@@ -494,17 +482,9 @@ func (s *serviceClient) createDebugBundleFromCollection(
 
 // Restore service to original state
 func (s *serviceClient) restoreServiceState(conn proto.DaemonServiceClient, state *debugInitialState) {
-	if state.needsRestoreUp {
-		if _, err := conn.Up(s.ctx, &proto.UpRequest{}); err != nil {
-			log.Warnf("failed to restore up state: %v", err)
-		} else {
-			log.Info("Service state restored to up")
-		}
-	}
-
 	if state.wasDown {
 		if _, err := conn.Down(s.ctx, &proto.DownRequest{}); err != nil {
-			log.Warnf("failed to restore down state: %v", err)
+			log.Errorf("Failed to restore down state: %v", err)
 		} else {
 			log.Info("Service state restored to down")
 		}
@@ -512,7 +492,7 @@ func (s *serviceClient) restoreServiceState(conn proto.DaemonServiceClient, stat
 
 	if !state.isLevelTrace {
 		if _, err := conn.SetLogLevel(s.ctx, &proto.SetLogLevelRequest{Level: state.logLevel}); err != nil {
-			log.Warnf("failed to restore log level: %v", err)
+			log.Errorf("Failed to restore log level: %v", err)
 		} else {
 			log.Info("Log level restored to original setting")
 		}
@@ -528,37 +508,18 @@ func handleError(progress *progressUI, errMsg string) {
 }
 
 func (s *serviceClient) handleDebugCreation(
-	params *debugCollectionParams,
+	anonymize bool,
+	systemInfo bool,
+	upload bool,
+	uploadURL string,
 	statusLabel *widget.Label,
 	uiControls []fyne.Disableable,
 	w fyne.Window,
 ) {
-	conn, err := s.getSrvClient(failFastTimeout)
-	if err != nil {
-		log.Errorf("Failed to get client for debug: %v", err)
-		statusLabel.SetText(fmt.Sprintf("Error: %v", err))
-		enableUIControls(uiControls)
-		return
-	}
+	log.Infof("Creating debug bundle (Anonymized: %v, System Info: %v, Upload Attempt: %v)...",
+		anonymize, systemInfo, upload)
 
-	if params.capture {
-		if _, err := conn.StartBundleCapture(s.ctx, &proto.StartBundleCaptureRequest{
-			Timeout: durationpb.New(30 * time.Second),
-		}); err != nil {
-			log.Warnf("failed to start bundle capture: %v", err)
-		} else {
-			defer func() {
-				stopCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-				defer cancel()
-				if _, err := conn.StopBundleCapture(stopCtx, &proto.StopBundleCaptureRequest{}); err != nil {
-					log.Warnf("failed to stop bundle capture: %v", err)
-				}
-			}()
-			time.Sleep(2 * time.Second)
-		}
-	}
-
-	resp, err := s.createDebugBundle(params.anonymize, params.systemInfo, params.uploadURL)
+	resp, err := s.createDebugBundle(anonymize, systemInfo, uploadURL)
 	if err != nil {
 		log.Errorf("Failed to create debug bundle: %v", err)
 		statusLabel.SetText(fmt.Sprintf("Error creating bundle: %v", err))
@@ -570,7 +531,7 @@ func (s *serviceClient) handleDebugCreation(
 	uploadFailureReason := resp.GetUploadFailureReason()
 	uploadedKey := resp.GetUploadedKey()
 
-	if params.upload {
+	if upload {
 		if uploadFailureReason != "" {
 			showUploadFailedDialog(w, localPath, uploadFailureReason)
 		} else {

client/wasm/cmd/main.go

@@ -5,7 +5,6 @@ package main
 import (
 	"context"
 	"fmt"
-	"sync"
 	"syscall/js"
 	"time"
 
@@ -15,7 +14,6 @@ import (
 	netbird "github.com/netbirdio/netbird/client/embed"
 	sshdetection "github.com/netbirdio/netbird/client/ssh/detection"
 	nbstatus "github.com/netbirdio/netbird/client/status"
-	wasmcapture "github.com/netbirdio/netbird/client/wasm/internal/capture"
 	"github.com/netbirdio/netbird/client/wasm/internal/http"
 	"github.com/netbirdio/netbird/client/wasm/internal/rdp"
 	"github.com/netbirdio/netbird/client/wasm/internal/ssh"
@@ -461,95 +459,6 @@ func createSetLogLevelMethod(client *netbird.Client) js.Func {
 	})
 }
 
-// createStartCaptureMethod creates the programmable packet capture method.
-// Returns a JS interface with onpacket callback and stop() method.
-//
-// Usage from JavaScript:
-//
-//	const cap = await client.startCapture({ filter: "tcp port 443", verbose: true })
-//	cap.onpacket = (line) => console.log(line)
-//	const stats = cap.stop()
-func createStartCaptureMethod(client *netbird.Client) js.Func {
-	return js.FuncOf(func(_ js.Value, args []js.Value) any {
-		var opts js.Value
-		if len(args) > 0 {
-			opts = args[0]
-		}
-
-		return createPromise(func(resolve, reject js.Value) {
-			iface, err := wasmcapture.Start(client, opts)
-			if err != nil {
-				reject.Invoke(js.ValueOf(fmt.Sprintf("start capture: %v", err)))
-				return
-			}
-			resolve.Invoke(iface)
-		})
-	})
-}
-
-// captureMethods returns capture() and stopCapture() that share state for
-// the console-log shortcut. capture() logs packets to the browser console
-// and stopCapture() ends it, like Ctrl+C on the CLI.
-//
-// Usage from browser devtools console:
-//
-//	await client.capture()              // capture all packets
-//	await client.capture("tcp")         // capture with filter
-//	await client.capture({filter: "host 10.0.0.1", verbose: true})
-//	client.stopCapture()                // stop and print stats
-func captureMethods(client *netbird.Client) (startFn, stopFn js.Func) {
-	var mu sync.Mutex
-	var active *wasmcapture.Handle
-
-	startFn = js.FuncOf(func(_ js.Value, args []js.Value) any {
-		var opts js.Value
-		if len(args) > 0 {
-			opts = args[0]
-		}
-
-		return createPromise(func(resolve, reject js.Value) {
-			mu.Lock()
-			defer mu.Unlock()
-
-			if active != nil {
-				active.Stop()
-				active = nil
-			}
-
-			h, err := wasmcapture.StartConsole(client, opts)
-			if err != nil {
-				reject.Invoke(js.ValueOf(fmt.Sprintf("start capture: %v", err)))
-				return
-			}
-			active = h
-
-			console := js.Global().Get("console")
-			console.Call("log", "[capture] started, call client.stopCapture() to stop")
-			resolve.Invoke(js.Undefined())
-		})
-	})
-
-	stopFn = js.FuncOf(func(_ js.Value, _ []js.Value) any {
-		mu.Lock()
-		defer mu.Unlock()
-
-		if active == nil {
-			js.Global().Get("console").Call("log", "[capture] no active capture")
-			return js.Undefined()
-		}
-
-		stats := active.Stop()
-		active = nil
-
-		console := js.Global().Get("console")
-		console.Call("log", fmt.Sprintf("[capture] stopped: %d packets, %d bytes, %d dropped",
-			stats.Packets, stats.Bytes, stats.Dropped))
-		return js.Undefined()
-	})
-
-	return startFn, stopFn
-}
-
 // createPromise is a helper to create JavaScript promises
 func createPromise(handler func(resolve, reject js.Value)) js.Value {
 	return js.Global().Get("Promise").New(js.FuncOf(func(_ js.Value, promiseArgs []js.Value) any {
@@ -612,11 +521,6 @@ func createClientObject(client *netbird.Client) js.Value {
 	obj["statusDetail"] = createStatusDetailMethod(client)
 	obj["getSyncResponse"] = createGetSyncResponseMethod(client)
 	obj["setLogLevel"] = createSetLogLevelMethod(client)
-	obj["startCapture"] = createStartCaptureMethod(client)
-
-	capStart, capStop := captureMethods(client)
-	obj["capture"] = capStart
-	obj["stopCapture"] = capStop
 
 	return js.ValueOf(obj)
 }

client/wasm/internal/capture/capture.go

@@ -1,176 +0,0 @@
-//go:build js
-
-// Package capture bridges the util/capture package to JavaScript via syscall/js.
-package capture
-
-import (
-	"strings"
-	"sync"
-	"syscall/js"
-
-	netbird "github.com/netbirdio/netbird/client/embed"
-)
-
-// Handle holds a running capture session so it can be stopped later.
-type Handle struct {
-	cs      *netbird.CaptureSession
-	stopFn  js.Func
-	stopped bool
-}
-
-// Stop ends the capture and returns stats.
-func (h *Handle) Stop() netbird.CaptureStats {
-	if h.stopped {
-		return h.cs.Stats()
-	}
-	h.stopped = true
-	h.stopFn.Release()
-
-	h.cs.Stop()
-	return h.cs.Stats()
-}
-
-func statsToJS(s netbird.CaptureStats) js.Value {
-	obj := js.Global().Get("Object").Call("create", js.Null())
-	obj.Set("packets", js.ValueOf(s.Packets))
-	obj.Set("bytes", js.ValueOf(s.Bytes))
-	obj.Set("dropped", js.ValueOf(s.Dropped))
-	return obj
-}
-
-// parseOpts extracts filter/verbose/ascii from a JS options value.
-func parseOpts(jsOpts js.Value) (filter string, verbose, ascii bool) {
-	if jsOpts.IsNull() || jsOpts.IsUndefined() {
-		return
-	}
-	if jsOpts.Type() == js.TypeString {
-		filter = jsOpts.String()
-		return
-	}
-	if jsOpts.Type() != js.TypeObject {
-		return
-	}
-	if f := jsOpts.Get("filter"); !f.IsUndefined() && !f.IsNull() {
-		filter = f.String()
-	}
-	if v := jsOpts.Get("verbose"); !v.IsUndefined() {
-		verbose = v.Truthy()
-	}
-	if a := jsOpts.Get("ascii"); !a.IsUndefined() {
-		ascii = a.Truthy()
-	}
-	return
-}
-
-// Start creates a capture session and returns a JS interface for streaming text
-// output. The returned object exposes:
-//
-//	onpacket(callback)  - set callback(string) for each text line
-//	stop()              - stop capture and return stats { packets, bytes, dropped }
-//
-// Options: { filter: string, verbose: bool, ascii: bool } or just a filter string.
-func Start(client *netbird.Client, jsOpts js.Value) (js.Value, error) {
-	filter, verbose, ascii := parseOpts(jsOpts)
-
-	cb := &jsCallbackWriter{}
-
-	cs, err := client.StartCapture(netbird.CaptureOptions{
-		TextOutput: cb,
-		Filter:     filter,
-		Verbose:    verbose,
-		ASCII:      ascii,
-	})
-	if err != nil {
-		return js.Undefined(), err
-	}
-
-	handle := &Handle{cs: cs}
-
-	iface := js.Global().Get("Object").Call("create", js.Null())
-	handle.stopFn = js.FuncOf(func(_ js.Value, _ []js.Value) any {
-		return statsToJS(handle.Stop())
-	})
-	iface.Set("stop", handle.stopFn)
-	iface.Set("onpacket", js.Undefined())
-	cb.setInterface(iface)
-
-	return iface, nil
-}
-
-// StartConsole starts a capture that logs every packet line to console.log.
-// Returns a Handle so the caller can stop it later.
-func StartConsole(client *netbird.Client, jsOpts js.Value) (*Handle, error) {
-	filter, verbose, ascii := parseOpts(jsOpts)
-
-	cb := &jsCallbackWriter{}
-
-	cs, err := client.StartCapture(netbird.CaptureOptions{
-		TextOutput: cb,
-		Filter:     filter,
-		Verbose:    verbose,
-		ASCII:      ascii,
-	})
-	if err != nil {
-		return nil, err
-	}
-
-	handle := &Handle{cs: cs}
-	handle.stopFn = js.FuncOf(func(_ js.Value, _ []js.Value) any {
-		return statsToJS(handle.Stop())
-	})
-
-	iface := js.Global().Get("Object").Call("create", js.Null())
-	console := js.Global().Get("console")
-	iface.Set("onpacket", console.Get("log").Call("bind", console, js.ValueOf("[capture]")))
-	cb.setInterface(iface)
-
-	return handle, nil
-}
-
-// jsCallbackWriter is an io.Writer that buffers text until a newline, then
-// invokes the JS onpacket callback with each complete line.
-type jsCallbackWriter struct {
-	mu    sync.Mutex
-	iface js.Value
-	buf   strings.Builder
-}
-
-func (w *jsCallbackWriter) setInterface(iface js.Value) {
-	w.mu.Lock()
-	defer w.mu.Unlock()
-	w.iface = iface
-}
-
-func (w *jsCallbackWriter) Write(p []byte) (int, error) {
-	w.mu.Lock()
-	w.buf.Write(p)
-
-	var lines []string
-	for {
-		str := w.buf.String()
-		idx := strings.IndexByte(str, '\n')
-		if idx < 0 {
-			break
-		}
-		lines = append(lines, str[:idx])
-		w.buf.Reset()
-		if idx+1 < len(str) {
-			w.buf.WriteString(str[idx+1:])
-		}
-	}
-
-	iface := w.iface
-	w.mu.Unlock()
-
-	if iface.IsUndefined() {
-		return len(p), nil
-	}
-	cb := iface.Get("onpacket")
-	if cb.IsUndefined() || cb.IsNull() {
-		return len(p), nil
-	}
-	for _, line := range lines {
-		cb.Invoke(js.ValueOf(line))
-	}
-	return len(p), nil
-}

combined/cmd/config.go

@@ -179,11 +179,9 @@ type StoreConfig struct {
 
 // ReverseProxyConfig contains reverse proxy settings
 type ReverseProxyConfig struct {
-	TrustedHTTPProxies            []string `yaml:"trustedHTTPProxies"`
-	TrustedHTTPProxiesCount       uint     `yaml:"trustedHTTPProxiesCount"`
-	TrustedPeers                  []string `yaml:"trustedPeers"`
-	AccessLogRetentionDays        int      `yaml:"accessLogRetentionDays"`
-	AccessLogCleanupIntervalHours int      `yaml:"accessLogCleanupIntervalHours"`
+	TrustedHTTPProxies      []string `yaml:"trustedHTTPProxies"`
+	TrustedHTTPProxiesCount uint     `yaml:"trustedHTTPProxiesCount"`
+	TrustedPeers            []string `yaml:"trustedPeers"`
 }
 
 // DefaultConfig returns a CombinedConfig with default values
@@ -647,9 +645,7 @@ func (c *CombinedConfig) ToManagementConfig() (*nbconfig.Config, error) {
 
 	// Build reverse proxy config
 	reverseProxy := nbconfig.ReverseProxy{
-		TrustedHTTPProxiesCount:       mgmt.ReverseProxy.TrustedHTTPProxiesCount,
-		AccessLogRetentionDays:        mgmt.ReverseProxy.AccessLogRetentionDays,
-		AccessLogCleanupIntervalHours: mgmt.ReverseProxy.AccessLogCleanupIntervalHours,
+		TrustedHTTPProxiesCount: mgmt.ReverseProxy.TrustedHTTPProxiesCount,
 	}
 	for _, p := range mgmt.ReverseProxy.TrustedHTTPProxies {
 		if prefix, err := netip.ParsePrefix(p); err == nil {

combined/cmd/root.go

@@ -29,7 +29,6 @@ import (
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/relay/healthcheck"
 	relayServer "github.com/netbirdio/netbird/relay/server"
-	"github.com/netbirdio/netbird/relay/server/listener"
 	"github.com/netbirdio/netbird/relay/server/listener/ws"
 	sharedMetrics "github.com/netbirdio/netbird/shared/metrics"
 	"github.com/netbirdio/netbird/shared/relay/auth"
@@ -524,7 +523,7 @@ func createManagementServer(cfg *CombinedConfig, mgmtConfig *nbconfig.Config) (*
 func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, relaySrv *relayServer.Server, meter metric.Meter, cfg *CombinedConfig) http.Handler {
 	wsProxy := wsproxyserver.New(grpcServer, wsproxyserver.WithOTelMeter(meter))
 
-	var relayAcceptFn func(conn listener.Conn)
+	var relayAcceptFn func(conn net.Conn)
 	if relaySrv != nil {
 		relayAcceptFn = relaySrv.RelayAccept()
 	}
@@ -564,7 +563,7 @@ func createCombinedHandler(grpcServer *grpc.Server, httpHandler http.Handler, re
 }
 
 // handleRelayWebSocket handles incoming WebSocket connections for the relay service
-func handleRelayWebSocket(w http.ResponseWriter, r *http.Request, acceptFn func(conn listener.Conn), cfg *CombinedConfig) {
+func handleRelayWebSocket(w http.ResponseWriter, r *http.Request, acceptFn func(conn net.Conn), cfg *CombinedConfig) {
 	acceptOptions := &websocket.AcceptOptions{
 		OriginPatterns: []string{"*"},
 	}
@@ -586,9 +585,15 @@ func handleRelayWebSocket(w http.ResponseWriter, r *http.Request, acceptFn func(
 		return
 	}
 
+	lAddr, err := net.ResolveTCPAddr("tcp", cfg.Server.ListenAddress)
+	if err != nil {
+		_ = wsConn.Close(websocket.StatusInternalError, "internal error")
+		return
+	}
+
 	log.Debugf("Relay WS client connected from: %s", rAddr)
 
-	conn := ws.NewConn(wsConn, rAddr)
+	conn := ws.NewConn(wsConn, lAddr, rAddr)
 	acceptFn(conn)
 }