Add support for IPv6 networks (on Linux clients) (#1459 )

* Feat add basic support for IPv6 networks Newly generated networks automatically generate an IPv6 prefix of size 64 within the ULA address range, devices obtain a randomly generated address within this prefix. Currently, this is Linux only and does not yet support all features (routes currently cause an error). * Fix firewall configuration for IPv6 networks * Fix routing configuration for IPv6 networks * Feat provide info on IPv6 support for specific client to mgmt server * Feat allow configuration of IPv6 support through API, improve stability * Feat add IPv6 support to new firewall implementation * Fix peer list item response not containing IPv6 address * Fix nftables breaking on IPv6 address change * Fix build issues for non-linux systems * Fix intermittent disconnections when IPv6 is enabled * Fix test issues and make some minor revisions * Fix some more testing issues * Fix more CI issues due to IPv6 * Fix more testing issues * Add inheritance of IPv6 enablement status from groups * Fix IPv6 events not having associated messages * Address first review comments regarding IPv6 support * Fix IPv6 table being created even when IPv6 is disabled Also improved stability of IPv6 route and firewall handling on client side * Fix IPv6 routes not being removed * Fix DNS IPv6 issues, limit IPv6 nameservers to IPv6 peers * Improve code for IPv6 DNS server selection, add AAAA custom records * Ensure IPv6 routes can only exist for IPv6 routing peers * Fix IPv6 network generation randomness * Fix a bunch of compilation issues and test failures * Replace method calls that are unavailable in Go 1.21 * Fix nil dereference in cleanUpDefaultForwardRules6 * Fix nil pointer dereference when persisting IPv6 network in sqlite * Clean up of client-side code changes for IPv6 * Fix nil dereference in rule mangling and compilation issues * Add a bunch of client-side test cases for IPv6 * Fix IPv6 tests running on unsupported environments * Fix import cycle in tests * Add missing method SupportsIPv6() for windows * Require IPv6 default route for IPv6 tests * Fix panics in routemanager tests on non-linux * Fix some more route manager tests concerning IPv6 * Add some final client-side tests * Add IPv6 tests for management code, small fixes * Fix linting issues * Fix small test suite issues * Fix linter issues and builds on macOS and Windows again * fix builds for iOS because of IPv6 breakage
Add missing openid scope when requesting JWT token (#2089 )
2026-04-02 07:33:52 -04:00 · 2024-08-13 17:26:27 +02:00 · 2024-06-04 10:46:24 +02:00 · 2024-06-03 17:31:37 +02:00 · 2024-06-03 12:41:15 +02:00 · 2024-05-31 17:26:56 +02:00
348 changed files with 28660 additions and 6427 deletions
--- a/.github/ISSUE_TEMPLATE/bug-issue-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-issue-report.md
@@ -2,7 +2,7 @@
 name: Bug/Issue report
 about: Create a report to help us improve
 title: ''
-labels: ['triage']
+labels: ['triage-needed']
 assignees: ''

 ---
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -32,8 +32,14 @@ jobs:
          restore-keys: |
            macos-go-

+      - name: Install libpcap
+        run: brew install libpcap
+
      - name: Install modules
        run: go mod tidy

+      - name: check git status
+        run: git --no-pager diff --exit-code
+
      - name: Test
-        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
+        run: NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -14,8 +14,8 @@ jobs:
  test:
    strategy:
      matrix:
-        arch: ['386','amd64']
-        store: ['jsonfile', 'sqlite']
+        arch: [ '386','amd64' ]
+        store: [ 'jsonfile', 'sqlite', 'postgres']
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
@@ -36,13 +36,20 @@ jobs:
        uses: actions/checkout@v3

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev
+
+      - name: Install 32-bit libpcap
+        if: matrix.arch == '386'
+        run: sudo dpkg --add-architecture i386 && sudo apt update && sudo apt-get install -y libpcap0.8-dev:i386

      - name: Install modules
        run: go mod tidy

+      - name: check git status
+        run: git --no-pager diff --exit-code
+
      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
+        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} NETBIRD_STORE_ENGINE=${{ matrix.store }} go test -exec 'sudo --preserve-env=CI,NETBIRD_STORE_ENGINE' -timeout 5m -p 1 ./...

  test_client_on_docker:
    runs-on: ubuntu-20.04
@@ -64,11 +71,14 @@ jobs:
        uses: actions/checkout@v3

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib libpcap-dev

      - name: Install modules
        run: go mod tidy

+      - name: check git status
+        run: git --no-pager diff --exit-code
+
      - name: Generate Iface Test bin
        run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/

@@ -76,7 +86,7 @@ jobs:
        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock

      - name: Generate RouteManager Test bin
-        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
+        run: CGO_ENABLED=1 go test -c -o routemanager-testing.bin -tags netgo -ldflags '-w -extldflags "-static -ldbus-1 -lpcap"' ./client/internal/routemanager/...

      - name: Generate nftables Manager Test bin
        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
@@ -103,7 +113,7 @@ jobs:

      - name: Run Engine tests in docker with file store
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="jsonfile" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
-      
+
      - name: Run Engine tests in docker with sqlite store
        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal -e NETBIRD_STORE_ENGINE="sqlite" --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1

--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -46,7 +46,7 @@ jobs:
      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build

      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 5m -p 1 ./... > test-out.txt 2>&1"
+        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 10m -p 1 ./... > test-out.txt 2>&1"
      - name: test output
        if: ${{ always() }}
        run: Get-Content test-out.txt
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -19,7 +19,7 @@ jobs:
      - name: codespell
        uses: codespell-project/actions-codespell@v2
        with:
-          ignore_words_list: erro,clienta
+          ignore_words_list: erro,clienta,hastable,
          skip: go.mod,go.sum
          only_warn: 1
  golangci:
@@ -33,6 +33,10 @@ jobs:
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
+      - name: Check for duplicate constants
+        if: matrix.os == 'ubuntu-latest'
+        run: |
+          ! awk '/const \(/,/)/{print $0}' management/server/activity/codes.go | grep -o '= [0-9]*' | sort | uniq -d | grep .
      - name: Install Go
        uses: actions/setup-go@v4
        with:
@@ -40,7 +44,7 @@ jobs:
          cache: false
      - name: Install dependencies
        if: matrix.os == 'ubuntu-latest'
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev libpcap-dev
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
--- a/.github/workflows/mobile-build-validation.yml
+++ b/.github/workflows/mobile-build-validation.yml
@@ -11,7 +11,7 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  andrloid_build:
+  android_build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
@@ -38,10 +38,10 @@ jobs:
      - name: Setup NDK
        run: /usr/local/lib/android/sdk/cmdline-tools/7.0/bin/sdkmanager --install "ndk;23.1.7779620"
      - name: install gomobile
-        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20230531173138-3c911d8e3eda
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
      - name: gomobile init
        run: gomobile init
-      - name: build android nebtird lib
+      - name: build android netbird lib
        run: PATH=$PATH:$(go env GOPATH) gomobile bind -o $GITHUB_WORKSPACE/netbird.aar -javapkg=io.netbird.gomobile -ldflags="-X golang.zx2c4.com/wireguard/ipc.socketDirectory=/data/data/io.netbird.client/cache/wireguard -X github.com/netbirdio/netbird/version.version=buildtest"  $GITHUB_WORKSPACE/client/android
        env:
          CGO_ENABLED: 0
@@ -56,10 +56,10 @@ jobs:
        with:
          go-version: "1.21.x"
      - name: install gomobile
-        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20230531173138-3c911d8e3eda
+        run: go install golang.org/x/mobile/cmd/gomobile@v0.0.0-20240404231514-09dbf07665ed
      - name: gomobile init
        run: gomobile init
-      - name: build iOS nebtird lib
-        run: PATH=$PATH:$(go env GOPATH) gomobile bind -target=ios -bundleid=io.netbird.framework -ldflags="-X github.com/netbirdio/netbird/version.version=buildtest" -o $GITHUB_WORKSPACE/NetBirdSDK.xcframework $GITHUB_WORKSPACE/client/ios/NetBirdSDK
+      - name: build iOS netbird lib
+        run: PATH=$PATH:$(go env GOPATH) gomobile bind -target=ios -bundleid=io.netbird.framework -ldflags="-X github.com/netbirdio/netbird/version.version=buildtest" -o ./NetBirdSDK.xcframework ./client/ios/NetBirdSDK
        env:
          CGO_ENABLED: 0
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,17 +7,7 @@ on:
    branches:
      - main
  pull_request:
-    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.goreleaser.yml'
-      - '.goreleaser_ui.yaml'
-      - '.goreleaser_ui_darwin.yaml'
-      - '.github/workflows/release.yml'
-      - 'release_files/**'
-      - '**/Dockerfile'
-      - '**/Dockerfile.*'
-      - 'client/ui/**'
+

 env:
  SIGN_PIPE_VER: "v0.0.11"
@@ -106,6 +96,27 @@ jobs:
          name: release
          path: dist/
          retention-days: 3
+      -
+        name: upload linux packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: linux-packages
+          path: dist/netbird_linux**
+          retention-days: 3
+      -
+        name: upload windows packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: windows-packages
+          path: dist/netbird_windows**
+          retention-days: 3
+      -
+        name: upload macos packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: macos-packages
+          path: dist/netbird_darwin**
+          retention-days: 3

  release_ui:
    runs-on: ubuntu-latest
@@ -190,6 +201,9 @@ jobs:
      -
        name: Install modules
        run: go mod tidy
+      - 
+        name: check git status
+        run: git --no-pager diff --exit-code
      -
        name: Run GoReleaser
        id: goreleaser
--- a/.github/workflows/test-infrastructure-files.yml
+++ b/.github/workflows/test-infrastructure-files.yml
@@ -127,6 +127,9 @@ jobs:
      - name: Install modules
        run: go mod tidy

+      - name: check git status
+        run: git --no-pager diff --exit-code
+
      - name: Build management binary
        working-directory: management
        run: CGO_ENABLED=1 go build -o netbird-mgmt main.go
@@ -159,6 +162,13 @@ jobs:
          test $count -eq 4
        working-directory: infrastructure_files/artifacts

+      - name: test geolocation databases
+        working-directory: infrastructure_files/artifacts
+        run: |
+          sleep 30
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i GeoLite2-City.mmdb
+          docker compose exec management ls -l /var/lib/netbird/ | grep -i geonames.db
+
  test-getting-started-script:
    runs-on: ubuntu-latest
    steps:
@@ -186,3 +196,16 @@ jobs:
        run: test -f zitadel.env
      - name: test dashboard.env file gen
        run: test -f dashboard.env
+  test-download-geolite2-script:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y unzip sqlite3
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: test script
+        run: bash -x infrastructure_files/download-geolite2.sh
+      - name: test mmdb file exists
+        run: test -f GeoLite2-City.mmdb
+      - name: test geonames file exists
+        run: test -f geonames.db
--- a/.gitignore
+++ b/.gitignore
@@ -29,4 +29,4 @@ infrastructure_files/setup.env
 infrastructure_files/setup-*.env
 .vscode
 .DS_Store
-*.db
+GeoLite2-City*
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -63,6 +63,14 @@ linters-settings:
    enable:
      - nilness

+  revive:
+    rules:
+      - name: exported
+        severity: warning
+        disabled: false
+        arguments:
+          - "checkPrivateReceivers"
+          - "sayRepetitiveInsteadOfStutters"
  tenv:
    # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures.
    # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked.
@@ -93,6 +101,7 @@ linters:
    - nilerr # finds the code that returns nil even if it checks that the error is not nil
    - nilnil # checks that there is no simultaneous return of nil error and an invalid value
    - predeclared # predeclared finds code that shadows one of Go's predeclared identifiers
+    - revive # Fast, configurable, extensible, flexible, and beautiful linter for Go. Drop-in replacement of golint.
    - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed
    - thelper # thelper detects Go test helpers without t.Helper() call and checks the consistency of test helpers.
    - wastedassign # wastedassign finds wasted assignment statements
@@ -121,3 +130,10 @@ issues:
    - path: mock\.go
      linters:
      - nilnil
+    # Exclude specific deprecation warnings for grpc methods
+    - linters:
+       - staticcheck
+      text: "grpc.DialContext is deprecated"
+    - linters:
+        - staticcheck
+      text: "grpc.WithBlock is deprecated"
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -54,7 +54,7 @@ nfpms:
    contents:
      - src: client/ui/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/netbird-systemtray-default.png
+      - src: client/ui/netbird-systemtray-connected.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
@@ -71,7 +71,7 @@ nfpms:
    contents:
      - src: client/ui/netbird.desktop
        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/netbird-systemtray-default.png
+      - src: client/ui/netbird-systemtray-connected.png
        dst: /usr/share/pixmaps/netbird.png
    dependencies:
      - netbird
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -5,7 +5,7 @@
 We as members, contributors, and leaders pledge to make participation in our
 community a harassment-free experience for everyone, regardless of age, body
 size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
+identity and expression, level of experience, education, socioeconomic status,
 nationality, personal appearance, race, caste, color, religion, or sexual
 identity and orientation.

--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 <p align="center">
- <strong>:hatching_chick: New Release! Self-hosting in under 5 min.</strong>
-  <a href="https://github.com/netbirdio/netbird#quickstart-with-self-hosted-netbird">
+ <strong>:hatching_chick: New Release! Device Posture Checks.</strong>
+  <a href="https://docs.netbird.io/how-to/manage-posture-checks">
       Learn more
     </a>   
 </p>
@@ -40,27 +40,26 @@

 **Connect.** NetBird creates a WireGuard-based overlay network that automatically connects your machines over an encrypted tunnel, leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

-**Secure.** NetBird enables secure remote access by applying granular access policies, while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.
+**Secure.** NetBird enables secure remote access by applying granular access policies while allowing you to manage them intuitively from a single place. Works universally on any infrastructure.

-### Secure peer-to-peer VPN with SSO and MFA in minutes
+### Open-Source Network Security in a Single Platform
+
+
+![netbird_2](https://github.com/netbirdio/netbird/assets/700848/46bc3b73-508d-4a0e-bb9a-f465d68646ab)

-https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov

 ### Key features

-| Connectivity                             	                                                                                      | Management                                 	                             | Automation                                    	                            | Platforms    	                        |
-|---------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|----------------------------------------------------------------------------|---------------------------------------|
-| <ul><li> - \[x] Kernel WireGuard </ul></li>                   	                                                                 | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                           	      | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                	     | <ul><li> - \[x] Linux </ul></li>    	 |
-| <ul><li> - \[x] Peer-to-peer connections </ul></li>             	                                                               | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>  	      | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li>  	     | <ul><li> - \[x] Mac </ul></li>      	 |
-| <ul><li> - \[x] Peer-to-peer encryption </ul></li>              	                                                               | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>                       	      | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>              	 | <ul><li> - \[x] Windows </ul></li>  	 |
-| <ul><li> - \[x] Connection relay fallback </ul></li>            	                                                               | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>                      	      | <ul><li> - \[x] IdP groups sync with JWT </ul></li> 	                      | <ul><li> - \[x] Android </ul></li>  	 |
-| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li>  	 | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>      	        | 	                                                                          | <ul><li> - \[x] iOS </ul></li>      	 |
-| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                               | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>                            	      | 	                                                                          | <ul><li> - \[x] Docker </ul></li>   	 |
-| <ul><li> - \[x] Post-quantum-secure connection through [Rosenpass](https://rosenpass.eu) </ul></li>                             | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li>                      	      | 	                                                                          | <ul><li> - \[x] OpenWRT </ul></li>  	 |
-| 	                                                                                                                               | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                       	      | 	                                                                          | 	                                     |
-| 	                                                                                                                               | <ul><li> - \[x] SSH access management </ul></li>                       	 | 	                                                                          | 	                                     |
-
-
+| Connectivity                                                                                                                 | Management                                                                                               | Security                                                                                                                              | Automation                                                                                                                               | Platforms                                                                               |
+|------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| <ul><li> - \[x] Kernel WireGuard </ul></li>                                                                                  | <ul><li> - \[x] [Admin Web UI](https://github.com/netbirdio/dashboard) </ul></li>                        | <ul><li> - \[x] [SSO & MFA support](https://docs.netbird.io/how-to/installation#running-net-bird-with-sso-login) </ul></li>           | <ul><li> - \[x] [Public API](https://docs.netbird.io/api) </ul></li>                                                                     | <ul><li> - \[x] Linux </ul></li>                                                        |
+| <ul><li> - \[x] Peer-to-peer connections </ul></li>                                                                          | <ul><li> - \[x] Auto peer discovery and configuration </ul></li>                                         | <ul><li> - \[x] [Access control - groups & rules](https://docs.netbird.io/how-to/manage-network-access) </ul></li>                    | <ul><li> - \[x] [Setup keys for bulk network provisioning](https://docs.netbird.io/how-to/register-machines-using-setup-keys) </ul></li> | <ul><li> - \[x] Mac </ul></li>                                                          |
+| <ul><li> - \[x] Connection relay fallback </ul></li>                                                                         | <ul><li> - \[x] [IdP integrations](https://docs.netbird.io/selfhosted/identity-providers) </ul></li>     | <ul><li> - \[x] [Activity logging](https://docs.netbird.io/how-to/monitor-system-and-network-activity) </ul></li>                     | <ul><li> - \[x] [Self-hosting quickstart script](https://docs.netbird.io/selfhosted/selfhosted-quickstart) </ul></li>                    | <ul><li> - \[x] Windows </ul></li>                                                      |
+| <ul><li> - \[x] [Routes to external networks](https://docs.netbird.io/how-to/routing-traffic-to-private-networks) </ul></li> | <ul><li> - \[x] [Private DNS](https://docs.netbird.io/how-to/manage-dns-in-your-network) </ul></li>      | <ul><li> - \[x] [Device posture checks](https://docs.netbird.io/how-to/manage-posture-checks) </ul></li>                              | <ul><li> - \[x] IdP groups sync with JWT </ul></li>                                                                                      | <ul><li> - \[x] Android </ul></li>                                                      |
+| <ul><li> - \[x] NAT traversal with BPF </ul></li>                                                                            | <ul><li> - \[x] [Multiuser support](https://docs.netbird.io/how-to/add-users-to-your-network) </ul></li> | <ul><li> -  \[x] Peer-to-peer encryption </ul></li>                                                                                   |                                                                                                                                          | <ul><li> - \[x] iOS </ul></li>                                                          |
+|                                                                                                                              |                                                                                                          | <ul><li> - \[x] [Quantum-resistance with Rosenpass](https://netbird.io/knowledge-hub/the-first-quantum-resistant-mesh-vpn) </ul></li> |                                                                                                                                          | <ul><li> - \[x] OpenWRT </ul></li>                                                      |
+|                                                                                                                              |                                                                                                          | <ui><li> - \[x] [Periodic re-authentication](https://docs.netbird.io/how-to/enforce-periodic-user-authentication)</ul></li>           |                                                                                                                                          | <ul><li> - \[x] [Serverless](https://docs.netbird.io/how-to/netbird-on-faas) </ul></li> |
+|                                                                                                                              |                                                                                                          |                                                                                                                                       |                                                                                                                                          | <ul><li> - \[x] Docker </ul></li>                                                       |
 ### Quickstart with NetBird Cloud

 - Download and install NetBird at [https://app.netbird.io/install](https://app.netbird.io/install)
@@ -79,7 +78,7 @@ Follow the [Advanced guide with a custom identity provider](https://docs.netbird
 - **Public domain** name pointing to the VM.

 **Software requirements:**
- Docker installed on the VM with the docker compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
+- Docker installed on the VM with the docker-compose plugin ([Docker installation guide](https://docs.docker.com/engine/install/)) or docker with docker-compose in version 2 or higher.
 - [jq](https://jqlang.github.io/jq/) installed. In most distributions
  Usually available in the official repositories and can be installed with `sudo apt install jq` or `sudo yum install jq`
 - [curl](https://curl.se/) installed.
@@ -96,9 +95,9 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 -  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
 -  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
 -  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
-  Connection candidates are discovered with a help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
+-  Connection candidates are discovered with the help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
 -  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and a p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
 
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.

@@ -109,8 +108,8 @@ export NETBIRD_DOMAIN=netbird.example.com; curl -fsSL https://github.com/netbird
 See a complete [architecture overview](https://docs.netbird.io/about-netbird/how-netbird-works#architecture) for details.

 ### Community projects
-  [NetBird on OpenWRT](https://github.com/messense/openwrt-netbird)
 -  [NetBird installer script](https://github.com/physk/netbird-installer)
+-  [NetBird ansible collection by Dominion Solutions](https://galaxy.ansible.com/ui/repo/published/dominion_solutions/netbird/)

 **Note**: The `main` branch may be in an *unstable or even broken state* during development.
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).
@@ -122,7 +121,7 @@ In November 2022, NetBird joined the [StartUpSecure program](https://www.forschu
 ![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)

 ### Testimonials
-We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).
+We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), [Coturn](https://github.com/coturn/coturn), and [Rosenpass](https://rosenpass.eu). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g., by giving a star or a contribution).

 ### Legal
 _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,5 +1,5 @@
 FROM alpine:3.18.5
 RUN apk add --no-cache ca-certificates iptables ip6tables
 ENV NB_FOREGROUND_MODE=true
-ENTRYPOINT [ "/go/bin/netbird","up"]
-COPY netbird /go/bin/netbird
+ENTRYPOINT [ "/usr/local/bin/netbird","up"]
+COPY netbird /usr/local/bin/netbird
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -1,3 +1,5 @@
+//go:build android
+
 package android

 import (
@@ -14,6 +16,7 @@ import (
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
 	"github.com/netbirdio/netbird/iface"
+	"github.com/netbirdio/netbird/util/net"
 )

 // ConnectionListener export internal Listener for mobile
@@ -54,14 +57,17 @@ type Client struct {
 	ctxCancel             context.CancelFunc
 	ctxCancelLock         *sync.Mutex
 	deviceName            string
+	uiVersion             string
 	networkChangeListener listener.NetworkChangeListener
 }

 // NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
+func NewClient(cfgFile, deviceName string, uiVersion string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, networkChangeListener NetworkChangeListener) *Client {
+	net.SetAndroidProtectSocketFn(tunAdapter.ProtectSocket)
 	return &Client{
 		cfgFile:               cfgFile,
 		deviceName:            deviceName,
+		uiVersion:             uiVersion,
 		tunAdapter:            tunAdapter,
 		iFaceDiscover:         iFaceDiscover,
 		recorder:              peer.NewRecorder(""),
@@ -79,10 +85,14 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 		return err
 	}
 	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+	c.recorder.UpdateRosenpass(cfg.RosenpassEnabled, cfg.RosenpassPermissive)

 	var ctx context.Context
 	//nolint
 	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.UiVersionCtxKey, c.uiVersion)
+
 	c.ctxCancelLock.Lock()
 	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
 	defer c.ctxCancel()
@@ -96,7 +106,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }

 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -109,6 +120,7 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 		return err
 	}
 	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+	c.recorder.UpdateRosenpass(cfg.RosenpassEnabled, cfg.RosenpassPermissive)

 	var ctx context.Context
 	//nolint
@@ -120,7 +132,8 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener

 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }

 // Stop the internal client and free the resources
--- a/client/anonymize/anonymize.go
+++ b/client/anonymize/anonymize.go
@@ -0,0 +1,212 @@
+package anonymize
+
+import (
+	"crypto/rand"
+	"fmt"
+	"math/big"
+	"net"
+	"net/netip"
+	"net/url"
+	"regexp"
+	"slices"
+	"strings"
+)
+
+type Anonymizer struct {
+	ipAnonymizer     map[netip.Addr]netip.Addr
+	domainAnonymizer map[string]string
+	currentAnonIPv4  netip.Addr
+	currentAnonIPv6  netip.Addr
+	startAnonIPv4    netip.Addr
+	startAnonIPv6    netip.Addr
+}
+
+func DefaultAddresses() (netip.Addr, netip.Addr) {
+	// 192.51.100.0, 100::
+	return netip.AddrFrom4([4]byte{198, 51, 100, 0}), netip.AddrFrom16([16]byte{0x01})
+}
+
+func NewAnonymizer(startIPv4, startIPv6 netip.Addr) *Anonymizer {
+	return &Anonymizer{
+		ipAnonymizer:     map[netip.Addr]netip.Addr{},
+		domainAnonymizer: map[string]string{},
+		currentAnonIPv4:  startIPv4,
+		currentAnonIPv6:  startIPv6,
+		startAnonIPv4:    startIPv4,
+		startAnonIPv6:    startIPv6,
+	}
+}
+
+func (a *Anonymizer) AnonymizeIP(ip netip.Addr) netip.Addr {
+	if ip.IsLoopback() ||
+		ip.IsLinkLocalUnicast() ||
+		ip.IsLinkLocalMulticast() ||
+		ip.IsInterfaceLocalMulticast() ||
+		ip.IsPrivate() ||
+		ip.IsUnspecified() ||
+		ip.IsMulticast() ||
+		isWellKnown(ip) ||
+		a.isInAnonymizedRange(ip) {
+
+		return ip
+	}
+
+	if _, ok := a.ipAnonymizer[ip]; !ok {
+		if ip.Is4() {
+			a.ipAnonymizer[ip] = a.currentAnonIPv4
+			a.currentAnonIPv4 = a.currentAnonIPv4.Next()
+		} else {
+			a.ipAnonymizer[ip] = a.currentAnonIPv6
+			a.currentAnonIPv6 = a.currentAnonIPv6.Next()
+		}
+	}
+	return a.ipAnonymizer[ip]
+}
+
+// isInAnonymizedRange checks if an IP is within the range of already assigned anonymized IPs
+func (a *Anonymizer) isInAnonymizedRange(ip netip.Addr) bool {
+	if ip.Is4() && ip.Compare(a.startAnonIPv4) >= 0 && ip.Compare(a.currentAnonIPv4) <= 0 {
+		return true
+	} else if !ip.Is4() && ip.Compare(a.startAnonIPv6) >= 0 && ip.Compare(a.currentAnonIPv6) <= 0 {
+		return true
+	}
+	return false
+}
+
+func (a *Anonymizer) AnonymizeIPString(ip string) string {
+	addr, err := netip.ParseAddr(ip)
+	if err != nil {
+		return ip
+	}
+
+	return a.AnonymizeIP(addr).String()
+}
+
+func (a *Anonymizer) AnonymizeDomain(domain string) string {
+	if strings.HasSuffix(domain, "netbird.io") ||
+		strings.HasSuffix(domain, "netbird.selfhosted") ||
+		strings.HasSuffix(domain, "netbird.cloud") ||
+		strings.HasSuffix(domain, "netbird.stage") ||
+		strings.HasSuffix(domain, ".domain") {
+		return domain
+	}
+
+	parts := strings.Split(domain, ".")
+	if len(parts) < 2 {
+		return domain
+	}
+
+	baseDomain := parts[len(parts)-2] + "." + parts[len(parts)-1]
+
+	anonymized, ok := a.domainAnonymizer[baseDomain]
+	if !ok {
+		anonymizedBase := "anon-" + generateRandomString(5) + ".domain"
+		a.domainAnonymizer[baseDomain] = anonymizedBase
+		anonymized = anonymizedBase
+	}
+
+	return strings.Replace(domain, baseDomain, anonymized, 1)
+}
+
+func (a *Anonymizer) AnonymizeURI(uri string) string {
+	u, err := url.Parse(uri)
+	if err != nil {
+		return uri
+	}
+
+	var anonymizedHost string
+	if u.Opaque != "" {
+		host, port, err := net.SplitHostPort(u.Opaque)
+		if err == nil {
+			anonymizedHost = fmt.Sprintf("%s:%s", a.AnonymizeDomain(host), port)
+		} else {
+			anonymizedHost = a.AnonymizeDomain(u.Opaque)
+		}
+		u.Opaque = anonymizedHost
+	} else if u.Host != "" {
+		host, port, err := net.SplitHostPort(u.Host)
+		if err == nil {
+			anonymizedHost = fmt.Sprintf("%s:%s", a.AnonymizeDomain(host), port)
+		} else {
+			anonymizedHost = a.AnonymizeDomain(u.Host)
+		}
+		u.Host = anonymizedHost
+	}
+	return u.String()
+}
+
+func (a *Anonymizer) AnonymizeString(str string) string {
+	ipv4Regex := regexp.MustCompile(`\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b`)
+	ipv6Regex := regexp.MustCompile(`\b([0-9a-fA-F:]+:+[0-9a-fA-F]{0,4})(?:%[0-9a-zA-Z]+)?(?:\/[0-9]{1,3})?(?::[0-9]{1,5})?\b`)
+
+	str = ipv4Regex.ReplaceAllStringFunc(str, a.AnonymizeIPString)
+	str = ipv6Regex.ReplaceAllStringFunc(str, a.AnonymizeIPString)
+
+	for domain, anonDomain := range a.domainAnonymizer {
+		str = strings.ReplaceAll(str, domain, anonDomain)
+	}
+
+	str = a.AnonymizeSchemeURI(str)
+	str = a.AnonymizeDNSLogLine(str)
+
+	return str
+}
+
+// AnonymizeSchemeURI finds and anonymizes URIs with stun, stuns, turn, and turns schemes.
+func (a *Anonymizer) AnonymizeSchemeURI(text string) string {
+	re := regexp.MustCompile(`(?i)\b(stuns?:|turns?:|https?://)\S+\b`)
+
+	return re.ReplaceAllStringFunc(text, a.AnonymizeURI)
+}
+
+// AnonymizeDNSLogLine anonymizes domain names in DNS log entries by replacing them with a random string.
+func (a *Anonymizer) AnonymizeDNSLogLine(logEntry string) string {
+	domainPattern := `dns\.Question{Name:"([^"]+)",`
+	domainRegex := regexp.MustCompile(domainPattern)
+
+	return domainRegex.ReplaceAllStringFunc(logEntry, func(match string) string {
+		parts := strings.Split(match, `"`)
+		if len(parts) >= 2 {
+			domain := parts[1]
+			if strings.HasSuffix(domain, ".domain") {
+				return match
+			}
+			randomDomain := generateRandomString(10) + ".domain"
+			return strings.Replace(match, domain, randomDomain, 1)
+		}
+		return match
+	})
+}
+
+func isWellKnown(addr netip.Addr) bool {
+	wellKnown := []string{
+		"8.8.8.8", "8.8.4.4", // Google DNS IPv4
+		"2001:4860:4860::8888", "2001:4860:4860::8844", // Google DNS IPv6
+		"1.1.1.1", "1.0.0.1", // Cloudflare DNS IPv4
+		"2606:4700:4700::1111", "2606:4700:4700::1001", // Cloudflare DNS IPv6
+		"9.9.9.9", "149.112.112.112", // Quad9 DNS IPv4
+		"2620:fe::fe", "2620:fe::9", // Quad9 DNS IPv6
+	}
+
+	if slices.Contains(wellKnown, addr.String()) {
+		return true
+	}
+
+	cgnatRangeStart := netip.AddrFrom4([4]byte{100, 64, 0, 0})
+	cgnatRange := netip.PrefixFrom(cgnatRangeStart, 10)
+
+	return cgnatRange.Contains(addr)
+}
+
+func generateRandomString(length int) string {
+	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	result := make([]byte, length)
+	for i := range result {
+		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
+		if err != nil {
+			continue
+		}
+		result[i] = letters[num.Int64()]
+	}
+	return string(result)
+}
--- a/client/anonymize/anonymize_test.go
+++ b/client/anonymize/anonymize_test.go
@@ -0,0 +1,223 @@
+package anonymize_test
+
+import (
+	"net/netip"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/netbirdio/netbird/client/anonymize"
+)
+
+func TestAnonymizeIP(t *testing.T) {
+	startIPv4 := netip.MustParseAddr("198.51.100.0")
+	startIPv6 := netip.MustParseAddr("100::")
+	anonymizer := anonymize.NewAnonymizer(startIPv4, startIPv6)
+
+	tests := []struct {
+		name   string
+		ip     string
+		expect string
+	}{
+		{"Well known", "8.8.8.8", "8.8.8.8"},
+		{"First Public IPv4", "1.2.3.4", "198.51.100.0"},
+		{"Second Public IPv4", "4.3.2.1", "198.51.100.1"},
+		{"Repeated IPv4", "1.2.3.4", "198.51.100.0"},
+		{"Private IPv4", "192.168.1.1", "192.168.1.1"},
+		{"First Public IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"Second Public IPv6", "a::b", "100::1"},
+		{"Repeated IPv6", "2607:f8b0:4005:805::200e", "100::"},
+		{"Private IPv6", "fe80::1", "fe80::1"},
+		{"In Range IPv4", "198.51.100.2", "198.51.100.2"},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			ip := netip.MustParseAddr(tc.ip)
+			anonymizedIP := anonymizer.AnonymizeIP(ip)
+			if anonymizedIP.String() != tc.expect {
+				t.Errorf("%s: expected %s, got %s", tc.name, tc.expect, anonymizedIP)
+			}
+		})
+	}
+}
+
+func TestAnonymizeDNSLogLine(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
+	testLog := `2024-04-23T20:01:11+02:00 TRAC client/internal/dns/local.go:25: received question: dns.Question{Name:"example.com", Qtype:0x1c, Qclass:0x1}`
+
+	result := anonymizer.AnonymizeDNSLogLine(testLog)
+	require.NotEqual(t, testLog, result)
+	assert.NotContains(t, result, "example.com")
+}
+
+func TestAnonymizeDomain(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
+	tests := []struct {
+		name            string
+		domain          string
+		expectPattern   string
+		shouldAnonymize bool
+	}{
+		{
+			"General Domain",
+			"example.com",
+			`^anon-[a-zA-Z0-9]+\.domain$`,
+			true,
+		},
+		{
+			"Subdomain",
+			"sub.example.com",
+			`^sub\.anon-[a-zA-Z0-9]+\.domain$`,
+			true,
+		},
+		{
+			"Protected Domain",
+			"netbird.io",
+			`^netbird\.io$`,
+			false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := anonymizer.AnonymizeDomain(tc.domain)
+			if tc.shouldAnonymize {
+				assert.Regexp(t, tc.expectPattern, result, "The anonymized domain should match the expected pattern")
+				assert.NotContains(t, result, tc.domain, "The original domain should not be present in the result")
+			} else {
+				assert.Equal(t, tc.domain, result, "Protected domains should not be anonymized")
+			}
+		})
+	}
+}
+
+func TestAnonymizeURI(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
+	tests := []struct {
+		name  string
+		uri   string
+		regex string
+	}{
+		{
+			"HTTP URI with Port",
+			"http://example.com:80/path",
+			`^http://anon-[a-zA-Z0-9]+\.domain:80/path$`,
+		},
+		{
+			"HTTP URI without Port",
+			"http://example.com/path",
+			`^http://anon-[a-zA-Z0-9]+\.domain/path$`,
+		},
+		{
+			"Opaque URI with Port",
+			"stun:example.com:80?transport=udp",
+			`^stun:anon-[a-zA-Z0-9]+\.domain:80\?transport=udp$`,
+		},
+		{
+			"Opaque URI without Port",
+			"stun:example.com?transport=udp",
+			`^stun:anon-[a-zA-Z0-9]+\.domain\?transport=udp$`,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := anonymizer.AnonymizeURI(tc.uri)
+			assert.Regexp(t, regexp.MustCompile(tc.regex), result, "URI should match expected pattern")
+			require.NotContains(t, result, "example.com", "Original domain should not be present")
+		})
+	}
+}
+
+func TestAnonymizeSchemeURI(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
+	tests := []struct {
+		name   string
+		input  string
+		expect string
+	}{
+		{"STUN URI in text", "Connection made via stun:example.com", `Connection made via stun:anon-[a-zA-Z0-9]+\.domain`},
+		{"TURN URI in log", "Failed attempt turn:some.example.com:3478?transport=tcp: retrying", `Failed attempt turn:some.anon-[a-zA-Z0-9]+\.domain:3478\?transport=tcp: retrying`},
+		{"HTTPS URI in message", "Visit https://example.com for more", `Visit https://anon-[a-zA-Z0-9]+\.domain for more`},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := anonymizer.AnonymizeSchemeURI(tc.input)
+			assert.Regexp(t, tc.expect, result, "The anonymized output should match expected pattern")
+			require.NotContains(t, result, "example.com", "Original domain should not be present")
+		})
+	}
+}
+
+func TestAnonymizString_MemorizedDomain(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
+	domain := "example.com"
+	anonymizedDomain := anonymizer.AnonymizeDomain(domain)
+
+	sampleString := "This is a test string including the domain example.com which should be anonymized."
+
+	firstPassResult := anonymizer.AnonymizeString(sampleString)
+	secondPassResult := anonymizer.AnonymizeString(firstPassResult)
+
+	assert.Contains(t, firstPassResult, anonymizedDomain, "The domain should be anonymized in the first pass")
+	assert.NotContains(t, firstPassResult, domain, "The original domain should not appear in the first pass output")
+
+	assert.Equal(t, firstPassResult, secondPassResult, "The second pass should not further anonymize the string")
+}
+
+func TestAnonymizeString_DoubleURI(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(netip.Addr{}, netip.Addr{})
+	domain := "example.com"
+	anonymizedDomain := anonymizer.AnonymizeDomain(domain)
+
+	sampleString := "Check out our site at https://example.com for more info."
+
+	firstPassResult := anonymizer.AnonymizeString(sampleString)
+	secondPassResult := anonymizer.AnonymizeString(firstPassResult)
+
+	assert.Contains(t, firstPassResult, "https://"+anonymizedDomain, "The URI should be anonymized in the first pass")
+	assert.NotContains(t, firstPassResult, "https://example.com", "The original URI should not appear in the first pass output")
+
+	assert.Equal(t, firstPassResult, secondPassResult, "The second pass should not further anonymize the URI")
+}
+
+func TestAnonymizeString_IPAddresses(t *testing.T) {
+	anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+	tests := []struct {
+		name   string
+		input  string
+		expect string
+	}{
+		{
+			name:   "IPv4 Address",
+			input:  "Error occurred at IP 122.138.1.1",
+			expect: "Error occurred at IP 198.51.100.0",
+		},
+		{
+			name:   "IPv6 Address",
+			input:  "Access attempted from 2001:db8::ff00:42",
+			expect: "Access attempted from 100::",
+		},
+		{
+			name:   "IPv6 Address with Port",
+			input:  "Access attempted from [2001:db8::ff00:42]:8080",
+			expect: "Access attempted from [100::]:8080",
+		},
+		{
+			name:   "Both IPv4 and IPv6",
+			input:  "IPv4: 142.108.0.1 and IPv6: 2001:db8::ff00:43",
+			expect: "IPv4: 198.51.100.1 and IPv6: 100::1",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := anonymizer.AnonymizeString(tc.input)
+			assert.Equal(t, tc.expect, result, "IP addresses should be anonymized correctly")
+		})
+	}
+}
--- a/client/cmd/debug.go
+++ b/client/cmd/debug.go
@@ -0,0 +1,255 @@
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/client/server"
+)
+
+var debugCmd = &cobra.Command{
+	Use:   "debug",
+	Short: "Debugging commands",
+	Long:  "Provides commands for debugging and logging control within the Netbird daemon.",
+}
+
+var debugBundleCmd = &cobra.Command{
+	Use:     "bundle",
+	Example: "  netbird debug bundle",
+	Short:   "Create a debug bundle",
+	Long:    "Generates a compressed archive of the daemon's logs and status for debugging purposes.",
+	RunE:    debugBundle,
+}
+
+var logCmd = &cobra.Command{
+	Use:   "log",
+	Short: "Manage logging for the Netbird daemon",
+	Long:  `Commands to manage logging settings for the Netbird daemon, including ICE, gRPC, and general log levels.`,
+}
+
+var logLevelCmd = &cobra.Command{
+	Use:   "level <level>",
+	Short: "Set the logging level for this session",
+	Long: `Sets the logging level for the current session. This setting is temporary and will revert to the default on daemon restart.
+Available log levels are:
+  panic:   for panic level, highest level of severity
+  fatal:   for fatal level errors that cause the program to exit
+  error:   for error conditions
+  warn:    for warning conditions
+  info:    for informational messages
+  debug:   for debug-level messages
+  trace:   for trace-level messages, which include more fine-grained information than debug`,
+	Args: cobra.ExactArgs(1),
+	RunE: setLogLevel,
+}
+
+var forCmd = &cobra.Command{
+	Use:     "for <time>",
+	Short:   "Run debug logs for a specified duration and create a debug bundle",
+	Long:    `Sets the logging level to trace, runs for the specified duration, and then generates a debug bundle.`,
+	Example: "  netbird debug for 5m",
+	Args:    cobra.ExactArgs(1),
+	RunE:    runForDuration,
+}
+
+func debugBundle(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd.Context())
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
+		Anonymize: anonymizeFlag,
+		Status:    getStatusOutput(cmd),
+	})
+	if err != nil {
+		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println(resp.GetPath())
+
+	return nil
+}
+
+func setLogLevel(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd.Context())
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	level := server.ParseLogLevel(args[0])
+	if level == proto.LogLevel_UNKNOWN {
+		return fmt.Errorf("unknown log level: %s. Available levels are: panic, fatal, error, warn, info, debug, trace\n", args[0])
+	}
+
+	_, err = client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{
+		Level: level,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to set log level: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Log level set successfully to", args[0])
+	return nil
+}
+
+func runForDuration(cmd *cobra.Command, args []string) error {
+	duration, err := time.ParseDuration(args[0])
+	if err != nil {
+		return fmt.Errorf("invalid duration format: %v", err)
+	}
+
+	conn, err := getClient(cmd.Context())
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+
+	stat, err := client.Status(cmd.Context(), &proto.StatusRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to get status: %v", status.Convert(err).Message())
+	}
+
+	restoreUp := stat.Status == string(internal.StatusConnected) || stat.Status == string(internal.StatusConnecting)
+
+	initialLogLevel, err := client.GetLogLevel(cmd.Context(), &proto.GetLogLevelRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to get log level: %v", status.Convert(err).Message())
+	}
+
+	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+	}
+	cmd.Println("Netbird down")
+
+	initialLevelTrace := initialLogLevel.GetLevel() >= proto.LogLevel_TRACE
+	if !initialLevelTrace {
+		_, err = client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{
+			Level: proto.LogLevel_TRACE,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to set log level to TRACE: %v", status.Convert(err).Message())
+		}
+		cmd.Println("Log level set to trace.")
+	}
+
+	time.Sleep(1 * time.Second)
+
+	if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
+		return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+	}
+	cmd.Println("Netbird up")
+
+	time.Sleep(3 * time.Second)
+
+	headerPostUp := fmt.Sprintf("----- Netbird post-up - Timestamp: %s", time.Now().Format(time.RFC3339))
+	statusOutput := fmt.Sprintf("%s\n%s", headerPostUp, getStatusOutput(cmd))
+
+	if waitErr := waitForDurationOrCancel(cmd.Context(), duration, cmd); waitErr != nil {
+		return waitErr
+	}
+	cmd.Println("\nDuration completed")
+
+	headerPreDown := fmt.Sprintf("----- Netbird pre-down - Timestamp: %s - Duration: %s", time.Now().Format(time.RFC3339), duration)
+	statusOutput = fmt.Sprintf("%s\n%s\n%s", statusOutput, headerPreDown, getStatusOutput(cmd))
+
+	if _, err := client.Down(cmd.Context(), &proto.DownRequest{}); err != nil {
+		return fmt.Errorf("failed to down: %v", status.Convert(err).Message())
+	}
+	cmd.Println("Netbird down")
+
+	time.Sleep(1 * time.Second)
+
+	if restoreUp {
+		if _, err := client.Up(cmd.Context(), &proto.UpRequest{}); err != nil {
+			return fmt.Errorf("failed to up: %v", status.Convert(err).Message())
+		}
+		cmd.Println("Netbird up")
+	}
+
+	if !initialLevelTrace {
+		if _, err := client.SetLogLevel(cmd.Context(), &proto.SetLogLevelRequest{Level: initialLogLevel.GetLevel()}); err != nil {
+			return fmt.Errorf("failed to restore log level: %v", status.Convert(err).Message())
+		}
+		cmd.Println("Log level restored to", initialLogLevel.GetLevel())
+	}
+
+	cmd.Println("Creating debug bundle...")
+
+	resp, err := client.DebugBundle(cmd.Context(), &proto.DebugBundleRequest{
+		Anonymize: anonymizeFlag,
+		Status:    statusOutput,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to bundle debug: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println(resp.GetPath())
+
+	return nil
+}
+
+func getStatusOutput(cmd *cobra.Command) string {
+	var statusOutputString string
+	statusResp, err := getStatus(cmd.Context())
+	if err != nil {
+		cmd.PrintErrf("Failed to get status: %v\n", err)
+	} else {
+		statusOutputString = parseToFullDetailSummary(convertToStatusOutputOverview(statusResp))
+	}
+	return statusOutputString
+}
+
+func waitForDurationOrCancel(ctx context.Context, duration time.Duration, cmd *cobra.Command) error {
+	ticker := time.NewTicker(1 * time.Second)
+	defer ticker.Stop()
+
+	startTime := time.Now()
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			case <-ticker.C:
+				elapsed := time.Since(startTime)
+				if elapsed >= duration {
+					return
+				}
+				remaining := duration - elapsed
+				cmd.Printf("\rRemaining time: %s", formatDuration(remaining))
+			}
+		}
+	}()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-done:
+		return nil
+	}
+}
+
+func formatDuration(d time.Duration) string {
+	d = d.Round(time.Second)
+	h := d / time.Hour
+	d %= time.Hour
+	m := d / time.Minute
+	d %= time.Minute
+	s := d / time.Second
+	return fmt.Sprintf("%02d:%02d:%02d", h, m, s)
+}
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -2,9 +2,10 @@ package cmd

 import (
 	"context"
-	"github.com/netbirdio/netbird/util"
 	"time"

+	"github.com/netbirdio/netbird/util"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"

--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -25,12 +25,17 @@ import (
 )

 const (
-	externalIPMapFlag   = "external-ip-map"
-	dnsResolverAddress  = "dns-resolver-address"
-	enableRosenpassFlag = "enable-rosenpass"
-	preSharedKeyFlag    = "preshared-key"
-	interfaceNameFlag   = "interface-name"
-	wireguardPortFlag   = "wireguard-port"
+	externalIPMapFlag       = "external-ip-map"
+	dnsResolverAddress      = "dns-resolver-address"
+	enableRosenpassFlag     = "enable-rosenpass"
+	rosenpassPermissiveFlag = "rosenpass-permissive"
+	preSharedKeyFlag        = "preshared-key"
+	interfaceNameFlag       = "interface-name"
+	wireguardPortFlag       = "wireguard-port"
+	networkMonitorFlag      = "network-monitor"
+	disableAutoConnectFlag  = "disable-auto-connect"
+	serverSSHAllowedFlag    = "allow-server-ssh"
+	extraIFaceBlackListFlag = "extra-iface-blacklist"
 )

 var (
@@ -54,8 +59,15 @@ var (
 	natExternalIPs          []string
 	customDNSAddress        string
 	rosenpassEnabled        bool
+	rosenpassPermissive     bool
+	serverSSHAllowed        bool
 	interfaceName           string
 	wireguardPort           uint16
+	networkMonitor          bool
+	serviceName             string
+	autoConnectDisabled     bool
+	extraIFaceBlackList     []string
+	anonymizeFlag           bool
 	rootCmd                 = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
@@ -94,15 +106,24 @@ func init() {
 	if runtime.GOOS == "windows" {
 		defaultDaemonAddr = "tcp://127.0.0.1:41731"
 	}
+
+	defaultServiceName := "netbird"
+	if runtime.GOOS == "windows" {
+		defaultServiceName = "Netbird"
+	}
+
 	rootCmd.PersistentFlags().StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
 	rootCmd.PersistentFlags().StringVarP(&managementURL, "management-url", "m", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.DefaultManagementURL))
 	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "", fmt.Sprintf("Admin Panel URL [http|https]://[host]:[port] (default \"%s\")", internal.DefaultAdminURL))
+	rootCmd.PersistentFlags().StringVarP(&serviceName, "service", "s", defaultServiceName, "Netbird system service name")
 	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Netbird config file location")
 	rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "l", "info", "sets Netbird log level")
 	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the log will be output to stdout")
 	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, preSharedKeyFlag, "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
 	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
+	rootCmd.PersistentFlags().BoolVarP(&anonymizeFlag, "anonymize", "A", false, "anonymize IP addresses and non-netbird.io domains in logs and status output")
+
 	rootCmd.AddCommand(serviceCmd)
 	rootCmd.AddCommand(upCmd)
 	rootCmd.AddCommand(downCmd)
@@ -110,8 +131,20 @@ func init() {
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(sshCmd)
+	rootCmd.AddCommand(routesCmd)
+	rootCmd.AddCommand(debugCmd)
+
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
 	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
+
+	routesCmd.AddCommand(routesListCmd)
+	routesCmd.AddCommand(routesSelectCmd, routesDeselectCmd)
+
+	debugCmd.AddCommand(debugBundleCmd)
+	debugCmd.AddCommand(logCmd)
+	logCmd.AddCommand(logLevelCmd)
+	debugCmd.AddCommand(forCmd)
+
 	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
 		`Sets external IPs maps between local addresses and interfaces.`+
 			`You can specify a comma-separated list with a single IP and IP/IP or IP/Interface Name. `+
@@ -126,6 +159,9 @@ func init() {
 			`E.g. --dns-resolver-address 127.0.0.1:5053 or --dns-resolver-address ""`,
 	)
 	upCmd.PersistentFlags().BoolVar(&rosenpassEnabled, enableRosenpassFlag, false, "[Experimental] Enable Rosenpass feature. If enabled, the connection will be post-quantum secured via Rosenpass.")
+	upCmd.PersistentFlags().BoolVar(&rosenpassPermissive, rosenpassPermissiveFlag, false, "[Experimental] Enable Rosenpass in permissive mode to allow this peer to accept WireGuard connections without requiring Rosenpass functionality from peers that do not have Rosenpass enabled.")
+	upCmd.PersistentFlags().BoolVar(&serverSSHAllowed, serverSSHAllowedFlag, false, "Allow SSH server on peer. If enabled, the SSH server will be permitted")
+	upCmd.PersistentFlags().BoolVar(&autoConnectDisabled, disableAutoConnectFlag, false, "Disables auto-connect feature. If enabled, then the client won't connect automatically when the service starts.")
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
@@ -176,7 +212,7 @@ func FlagNameToEnvVar(cmdFlag string, prefix string) string {
 	return prefix + upper
 }

-// DialClientGRPCServer returns client connection to the dameno server.
+// DialClientGRPCServer returns client connection to the daemon server.
 func DialClientGRPCServer(ctx context.Context, addr string) (*grpc.ClientConn, error) {
 	ctx, cancel := context.WithTimeout(ctx, time.Second*3)
 	defer cancel()
@@ -316,3 +352,14 @@ func migrateToNetbird(oldPath, newPath string) bool {

 	return true
 }
+
+func getClient(ctx context.Context) (*grpc.ClientConn, error) {
+	conn, err := DialClientGRPCServer(ctx, daemonAddr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
+			"If the daemon is not running please run: "+
+			"\nnetbird service install \nnetbird service start\n", err)
+	}
+
+	return conn, nil
+}
--- a/client/cmd/route.go
+++ b/client/cmd/route.go
@@ -0,0 +1,131 @@
+package cmd
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/proto"
+)
+
+var appendFlag bool
+
+var routesCmd = &cobra.Command{
+	Use:   "routes",
+	Short: "Manage network routes",
+	Long:  `Commands to list, select, or deselect network routes.`,
+}
+
+var routesListCmd = &cobra.Command{
+	Use:     "list",
+	Aliases: []string{"ls"},
+	Short:   "List routes",
+	Example: "  netbird routes list",
+	Long:    "List all available network routes.",
+	RunE:    routesList,
+}
+
+var routesSelectCmd = &cobra.Command{
+	Use:     "select route...|all",
+	Short:   "Select routes",
+	Long:    "Select a list of routes by identifiers or 'all' to clear all selections and to accept all (including new) routes.\nDefault mode is replace, use -a to append to already selected routes.",
+	Example: "  netbird routes select all\n  netbird routes select route1 route2\n  netbird routes select -a route3",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    routesSelect,
+}
+
+var routesDeselectCmd = &cobra.Command{
+	Use:     "deselect route...|all",
+	Short:   "Deselect routes",
+	Long:    "Deselect previously selected routes by identifiers or 'all' to disable accepting any routes.",
+	Example: "  netbird routes deselect all\n  netbird routes deselect route1 route2",
+	Args:    cobra.MinimumNArgs(1),
+	RunE:    routesDeselect,
+}
+
+func init() {
+	routesSelectCmd.PersistentFlags().BoolVarP(&appendFlag, "append", "a", false, "Append to current route selection instead of replacing")
+}
+
+func routesList(cmd *cobra.Command, _ []string) error {
+	conn, err := getClient(cmd.Context())
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	resp, err := client.ListRoutes(cmd.Context(), &proto.ListRoutesRequest{})
+	if err != nil {
+		return fmt.Errorf("failed to list routes: %v", status.Convert(err).Message())
+	}
+
+	if len(resp.Routes) == 0 {
+		cmd.Println("No routes available.")
+		return nil
+	}
+
+	cmd.Println("Available Routes:")
+	for _, route := range resp.Routes {
+		selectedStatus := "Not Selected"
+		if route.GetSelected() {
+			selectedStatus = "Selected"
+		}
+		cmd.Printf("\n  - ID: %s\n    Network: %s\n    Status: %s\n", route.GetID(), route.GetNetwork(), selectedStatus)
+	}
+
+	return nil
+}
+
+func routesSelect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd.Context())
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectRoutesRequest{
+		RouteIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	} else if appendFlag {
+		req.Append = true
+	}
+
+	if _, err := client.SelectRoutes(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to select routes: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Routes selected successfully.")
+
+	return nil
+}
+
+func routesDeselect(cmd *cobra.Command, args []string) error {
+	conn, err := getClient(cmd.Context())
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	client := proto.NewDaemonServiceClient(conn)
+	req := &proto.SelectRoutesRequest{
+		RouteIDs: args,
+	}
+
+	if len(args) == 1 && args[0] == "all" {
+		req.All = true
+	}
+
+	if _, err := client.DeselectRoutes(cmd.Context(), req); err != nil {
+		return fmt.Errorf("failed to deselect routes: %v", status.Convert(err).Message())
+	}
+
+	cmd.Println("Routes deselected successfully.")
+
+	return nil
+}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -2,8 +2,6 @@ package cmd

 import (
 	"context"
-	"runtime"
-
 	"github.com/kardianos/service"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
@@ -24,12 +22,8 @@ func newProgram(ctx context.Context, cancel context.CancelFunc) *program {
 }

 func newSVCConfig() *service.Config {
-	name := "netbird"
-	if runtime.GOOS == "windows" {
-		name = "Netbird"
-	}
 	return &service.Config{
-		Name:        name,
+		Name:        serviceName,
 		DisplayName: "Netbird",
 		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
 		Option:      make(service.KeyValue),
--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -64,6 +64,10 @@ var installCmd = &cobra.Command{
 			}
 		}

+		if runtime.GOOS == "windows" {
+			svcConfig.Option["OnFailure"] = "restart"
+		}
+
 		ctx, cancel := context.WithCancel(cmd.Context())

 		s, err := newSVC(newProgram(ctx, cancel), svcConfig)
@@ -77,6 +81,7 @@ var installCmd = &cobra.Command{
 			cmd.PrintErrln(err)
 			return err
 		}
+
 		cmd.Println("Netbird service has been installed")
 		return nil
 	},
@@ -106,7 +111,7 @@ var uninstallCmd = &cobra.Command{
 		if err != nil {
 			return err
 		}
-		cmd.Println("Netbird has been uninstalled")
+		cmd.Println("Netbird service has been uninstalled")
 		return nil
 	},
 }
--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -24,7 +24,7 @@ var (
 )

 var sshCmd = &cobra.Command{
-	Use: "ssh",
+	Use: "ssh [user@]host",
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 {
 			return errors.New("requires a host argument")
@@ -94,7 +94,7 @@ func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command)
 	if err != nil {
 		cmd.Printf("Error: %v\n", err)
 		cmd.Printf("Couldn't connect. Please check the connection status or if the ssh server is enabled on the other peer" +
-			"You can verify the connection by running:\n\n" +
+			"\nYou can verify the connection by running:\n\n" +
 			" netbird status\n\n")
 		return err
 	}
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -6,6 +6,8 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"os"
+	"runtime"
 	"sort"
 	"strings"
 	"time"
@@ -14,6 +16,7 @@ import (
 	"google.golang.org/grpc/status"
 	"gopkg.in/yaml.v3"

+	"github.com/netbirdio/netbird/client/anonymize"
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
@@ -34,6 +37,9 @@ type peerStateDetailOutput struct {
 	LastWireguardHandshake time.Time        `json:"lastWireguardHandshake" yaml:"lastWireguardHandshake"`
 	TransferReceived       int64            `json:"transferReceived" yaml:"transferReceived"`
 	TransferSent           int64            `json:"transferSent" yaml:"transferSent"`
+	Latency                time.Duration    `json:"latency" yaml:"latency"`
+	RosenpassEnabled       bool             `json:"quantumResistance" yaml:"quantumResistance"`
+	Routes                 []string         `json:"routes" yaml:"routes"`
 }

 type peersStateOutput struct {
@@ -71,17 +77,28 @@ type iceCandidateType struct {
 	Remote string `json:"remote" yaml:"remote"`
 }

+type nsServerGroupStateOutput struct {
+	Servers []string `json:"servers" yaml:"servers"`
+	Domains []string `json:"domains" yaml:"domains"`
+	Enabled bool     `json:"enabled" yaml:"enabled"`
+	Error   string   `json:"error" yaml:"error"`
+}
+
 type statusOutputOverview struct {
-	Peers           peersStateOutput      `json:"peers" yaml:"peers"`
-	CliVersion      string                `json:"cliVersion" yaml:"cliVersion"`
-	DaemonVersion   string                `json:"daemonVersion" yaml:"daemonVersion"`
-	ManagementState managementStateOutput `json:"management" yaml:"management"`
-	SignalState     signalStateOutput     `json:"signal" yaml:"signal"`
-	Relays          relayStateOutput      `json:"relays" yaml:"relays"`
-	IP              string                `json:"netbirdIp" yaml:"netbirdIp"`
-	PubKey          string                `json:"publicKey" yaml:"publicKey"`
-	KernelInterface bool                  `json:"usesKernelInterface" yaml:"usesKernelInterface"`
-	FQDN            string                `json:"fqdn" yaml:"fqdn"`
+	Peers               peersStateOutput           `json:"peers" yaml:"peers"`
+	CliVersion          string                     `json:"cliVersion" yaml:"cliVersion"`
+	DaemonVersion       string                     `json:"daemonVersion" yaml:"daemonVersion"`
+	ManagementState     managementStateOutput      `json:"management" yaml:"management"`
+	SignalState         signalStateOutput          `json:"signal" yaml:"signal"`
+	Relays              relayStateOutput           `json:"relays" yaml:"relays"`
+	IP                  string                     `json:"netbirdIp" yaml:"netbirdIp"`
+	PubKey              string                     `json:"publicKey" yaml:"publicKey"`
+	KernelInterface     bool                       `json:"usesKernelInterface" yaml:"usesKernelInterface"`
+	FQDN                string                     `json:"fqdn" yaml:"fqdn"`
+	RosenpassEnabled    bool                       `json:"quantumResistance" yaml:"quantumResistance"`
+	RosenpassPermissive bool                       `json:"quantumResistancePermissive" yaml:"quantumResistancePermissive"`
+	Routes              []string                   `json:"routes" yaml:"routes"`
+	NSServerGroups      []nsServerGroupStateOutput `json:"dnsServers" yaml:"dnsServers"`
 }

 var (
@@ -130,9 +147,9 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 		return fmt.Errorf("failed initializing log %v", err)
 	}

-	ctx := internal.CtxInitState(context.Background())
+	ctx := internal.CtxInitState(cmd.Context())

-	resp, err := getStatus(ctx, cmd)
+	resp, err := getStatus(ctx)
 	if err != nil {
 		return err
 	}
@@ -165,7 +182,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	case yamlFlag:
 		statusOutputString, err = parseToYAML(outputInformationHolder)
 	default:
-		statusOutputString = parseGeneralSummary(outputInformationHolder, false, false)
+		statusOutputString = parseGeneralSummary(outputInformationHolder, false, false, false)
 	}

 	if err != nil {
@@ -177,7 +194,7 @@ func statusFunc(cmd *cobra.Command, args []string) error {
 	return nil
 }

-func getStatus(ctx context.Context, cmd *cobra.Command) (*proto.StatusResponse, error) {
+func getStatus(ctx context.Context) (*proto.StatusResponse, error) {
 	conn, err := DialClientGRPCServer(ctx, daemonAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
@@ -186,7 +203,7 @@ func getStatus(ctx context.Context, cmd *cobra.Command) (*proto.StatusResponse,
 	}
 	defer conn.Close()

-	resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
+	resp, err := proto.NewDaemonServiceClient(conn).Status(ctx, &proto.StatusRequest{GetFullPeerStatus: true})
 	if err != nil {
 		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
 	}
@@ -253,16 +270,25 @@ func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverv
 	peersOverview := mapPeers(resp.GetFullStatus().GetPeers())

 	overview := statusOutputOverview{
-		Peers:           peersOverview,
-		CliVersion:      version.NetbirdVersion(),
-		DaemonVersion:   resp.GetDaemonVersion(),
-		ManagementState: managementOverview,
-		SignalState:     signalOverview,
-		Relays:          relayOverview,
-		IP:              pbFullStatus.GetLocalPeerState().GetIP(),
-		PubKey:          pbFullStatus.GetLocalPeerState().GetPubKey(),
-		KernelInterface: pbFullStatus.GetLocalPeerState().GetKernelInterface(),
-		FQDN:            pbFullStatus.GetLocalPeerState().GetFqdn(),
+		Peers:               peersOverview,
+		CliVersion:          version.NetbirdVersion(),
+		DaemonVersion:       resp.GetDaemonVersion(),
+		ManagementState:     managementOverview,
+		SignalState:         signalOverview,
+		Relays:              relayOverview,
+		IP:                  pbFullStatus.GetLocalPeerState().GetIP(),
+		PubKey:              pbFullStatus.GetLocalPeerState().GetPubKey(),
+		KernelInterface:     pbFullStatus.GetLocalPeerState().GetKernelInterface(),
+		FQDN:                pbFullStatus.GetLocalPeerState().GetFqdn(),
+		RosenpassEnabled:    pbFullStatus.GetLocalPeerState().GetRosenpassEnabled(),
+		RosenpassPermissive: pbFullStatus.GetLocalPeerState().GetRosenpassPermissive(),
+		Routes:              pbFullStatus.GetLocalPeerState().GetRoutes(),
+		NSServerGroups:      mapNSGroups(pbFullStatus.GetDnsServers()),
+	}
+
+	if anonymizeFlag {
+		anonymizer := anonymize.NewAnonymizer(anonymize.DefaultAddresses())
+		anonymizeOverview(anonymizer, &overview)
 	}

 	return overview
@@ -294,6 +320,19 @@ func mapRelays(relays []*proto.RelayState) relayStateOutput {
 	}
 }

+func mapNSGroups(servers []*proto.NSGroupState) []nsServerGroupStateOutput {
+	mappedNSGroups := make([]nsServerGroupStateOutput, 0, len(servers))
+	for _, pbNsGroupServer := range servers {
+		mappedNSGroups = append(mappedNSGroups, nsServerGroupStateOutput{
+			Servers: pbNsGroupServer.GetServers(),
+			Domains: pbNsGroupServer.GetDomains(),
+			Enabled: pbNsGroupServer.GetEnabled(),
+			Error:   pbNsGroupServer.GetError(),
+		})
+	}
+	return mappedNSGroups
+}
+
 func mapPeers(peers []*proto.PeerState) peersStateOutput {
 	var peersStateDetail []peerStateDetailOutput
 	localICE := ""
@@ -346,6 +385,9 @@ func mapPeers(peers []*proto.PeerState) peersStateOutput {
 			LastWireguardHandshake: lastHandshake,
 			TransferReceived:       transferReceived,
 			TransferSent:           transferSent,
+			Latency:                pbPeerState.GetLatency().AsDuration(),
+			RosenpassEnabled:       pbPeerState.GetRosenpassEnabled(),
+			Routes:                 pbPeerState.GetRoutes(),
 		}

 		peersStateDetail = append(peersStateDetail, peerState)
@@ -395,8 +437,7 @@ func parseToYAML(overview statusOutputOverview) (string, error) {
 	return string(yamlBytes), nil
 }

-func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays bool) string {
-
+func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays bool, showNameServers bool) string {
 	var managementConnString string
 	if overview.ManagementState.Connected {
 		managementConnString = "Connected"
@@ -432,7 +473,7 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 		interfaceIP = "N/A"
 	}

-	var relayAvailableString string
+	var relaysString string
 	if showRelays {
 		for _, relay := range overview.Relays.Details {
 			available := "Available"
@@ -441,42 +482,98 @@ func parseGeneralSummary(overview statusOutputOverview, showURL bool, showRelays
 				available = "Unavailable"
 				reason = fmt.Sprintf(", reason: %s", relay.Error)
 			}
-			relayAvailableString += fmt.Sprintf("\n  [%s] is %s%s", relay.URI, available, reason)
-
+			relaysString += fmt.Sprintf("\n  [%s] is %s%s", relay.URI, available, reason)
 		}
 	} else {
+		relaysString = fmt.Sprintf("%d/%d Available", overview.Relays.Available, overview.Relays.Total)
+	}

-		relayAvailableString = fmt.Sprintf("%d/%d Available", overview.Relays.Available, overview.Relays.Total)
+	routes := "-"
+	if len(overview.Routes) > 0 {
+		sort.Strings(overview.Routes)
+		routes = strings.Join(overview.Routes, ", ")
+	}
+
+	var dnsServersString string
+	if showNameServers {
+		for _, nsServerGroup := range overview.NSServerGroups {
+			enabled := "Available"
+			if !nsServerGroup.Enabled {
+				enabled = "Unavailable"
+			}
+			errorString := ""
+			if nsServerGroup.Error != "" {
+				errorString = fmt.Sprintf(", reason: %s", nsServerGroup.Error)
+				errorString = strings.TrimSpace(errorString)
+			}
+
+			domainsString := strings.Join(nsServerGroup.Domains, ", ")
+			if domainsString == "" {
+				domainsString = "." // Show "." for the default zone
+			}
+			dnsServersString += fmt.Sprintf(
+				"\n  [%s] for [%s] is %s%s",
+				strings.Join(nsServerGroup.Servers, ", "),
+				domainsString,
+				enabled,
+				errorString,
+			)
+		}
+	} else {
+		dnsServersString = fmt.Sprintf("%d/%d Available", countEnabled(overview.NSServerGroups), len(overview.NSServerGroups))
+	}
+
+	rosenpassEnabledStatus := "false"
+	if overview.RosenpassEnabled {
+		rosenpassEnabledStatus = "true"
+		if overview.RosenpassPermissive {
+			rosenpassEnabledStatus = "true (permissive)" //nolint:gosec
+		}
 	}

 	peersCountString := fmt.Sprintf("%d/%d Connected", overview.Peers.Connected, overview.Peers.Total)

+	goos := runtime.GOOS
+	goarch := runtime.GOARCH
+	goarm := ""
+	if goarch == "arm" {
+		goarm = fmt.Sprintf(" (ARMv%s)", os.Getenv("GOARM"))
+	}
+
 	summary := fmt.Sprintf(
-		"Daemon version: %s\n"+
+		"OS: %s\n"+
+			"Daemon version: %s\n"+
 			"CLI version: %s\n"+
 			"Management: %s\n"+
 			"Signal: %s\n"+
 			"Relays: %s\n"+
+			"Nameservers: %s\n"+
 			"FQDN: %s\n"+
 			"NetBird IP: %s\n"+
 			"Interface type: %s\n"+
+			"Quantum resistance: %s\n"+
+			"Routes: %s\n"+
 			"Peers count: %s\n",
+		fmt.Sprintf("%s/%s%s", goos, goarch, goarm),
 		overview.DaemonVersion,
 		version.NetbirdVersion(),
 		managementConnString,
 		signalConnString,
-		relayAvailableString,
+		relaysString,
+		dnsServersString,
 		overview.FQDN,
 		interfaceIP,
 		interfaceTypeString,
+		rosenpassEnabledStatus,
+		routes,
 		peersCountString,
 	)
 	return summary
 }

 func parseToFullDetailSummary(overview statusOutputOverview) string {
-	parsedPeersString := parsePeers(overview.Peers)
-	summary := parseGeneralSummary(overview, true, true)
+	parsedPeersString := parsePeers(overview.Peers, overview.RosenpassEnabled, overview.RosenpassPermissive)
+	summary := parseGeneralSummary(overview, true, true, true)

 	return fmt.Sprintf(
 		"Peers detail:"+
@@ -487,7 +584,7 @@ func parseToFullDetailSummary(overview statusOutputOverview) string {
 	)
 }

-func parsePeers(peers peersStateOutput) string {
+func parsePeers(peers peersStateOutput, rosenpassEnabled, rosenpassPermissive bool) string {
 	var (
 		peersString = ""
 	)
@@ -513,14 +610,28 @@ func parsePeers(peers peersStateOutput) string {
 		if peerState.IceCandidateEndpoint.Remote != "" {
 			remoteICEEndpoint = peerState.IceCandidateEndpoint.Remote
 		}
-		lastStatusUpdate := "-"
-		if !peerState.LastStatusUpdate.IsZero() {
-			lastStatusUpdate = peerState.LastStatusUpdate.Format("2006-01-02 15:04:05")
+
+		rosenpassEnabledStatus := "false"
+		if rosenpassEnabled {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "true"
+			} else {
+				if rosenpassPermissive {
+					rosenpassEnabledStatus = "false (remote didn't enable quantum resistance)"
+				} else {
+					rosenpassEnabledStatus = "false (connection won't work without a permissive mode)"
+				}
+			}
+		} else {
+			if peerState.RosenpassEnabled {
+				rosenpassEnabledStatus = "false (connection might not work without a remote permissive mode)"
+			}
 		}

-		lastWireguardHandshake := "-"
-		if !peerState.LastWireguardHandshake.IsZero() && peerState.LastWireguardHandshake != time.Unix(0, 0) {
-			lastWireguardHandshake = peerState.LastWireguardHandshake.Format("2006-01-02 15:04:05")
+		routes := "-"
+		if len(peerState.Routes) > 0 {
+			sort.Strings(peerState.Routes)
+			routes = strings.Join(peerState.Routes, ", ")
 		}

 		peerString := fmt.Sprintf(
@@ -534,8 +645,11 @@ func parsePeers(peers peersStateOutput) string {
 				"  ICE candidate (Local/Remote): %s/%s\n"+
 				"  ICE candidate endpoints (Local/Remote): %s/%s\n"+
 				"  Last connection update: %s\n"+
-				"  Last Wireguard handshake: %s\n"+
-				"  Transfer status (received/sent) %s/%s\n",
+				"  Last WireGuard handshake: %s\n"+
+				"  Transfer status (received/sent) %s/%s\n"+
+				"  Quantum resistance: %s\n"+
+				"  Routes: %s\n"+
+				"  Latency: %s\n",
 			peerState.FQDN,
 			peerState.IP,
 			peerState.PubKey,
@@ -546,10 +660,13 @@ func parsePeers(peers peersStateOutput) string {
 			remoteICE,
 			localICEEndpoint,
 			remoteICEEndpoint,
-			lastStatusUpdate,
-			lastWireguardHandshake,
+			timeAgo(peerState.LastStatusUpdate),
+			timeAgo(peerState.LastWireguardHandshake),
 			toIEC(peerState.TransferReceived),
 			toIEC(peerState.TransferSent),
+			rosenpassEnabledStatus,
+			routes,
+			peerState.Latency.String(),
 		)

 		peersString += peerString
@@ -603,3 +720,139 @@ func toIEC(b int64) string {
 	return fmt.Sprintf("%.1f %ciB",
 		float64(b)/float64(div), "KMGTPE"[exp])
 }
+
+func countEnabled(dnsServers []nsServerGroupStateOutput) int {
+	count := 0
+	for _, server := range dnsServers {
+		if server.Enabled {
+			count++
+		}
+	}
+	return count
+}
+
+// timeAgo returns a string representing the duration since the provided time in a human-readable format.
+func timeAgo(t time.Time) string {
+	if t.IsZero() || t.Equal(time.Unix(0, 0)) {
+		return "-"
+	}
+	duration := time.Since(t)
+	switch {
+	case duration < time.Second:
+		return "Now"
+	case duration < time.Minute:
+		seconds := int(duration.Seconds())
+		if seconds == 1 {
+			return "1 second ago"
+		}
+		return fmt.Sprintf("%d seconds ago", seconds)
+	case duration < time.Hour:
+		minutes := int(duration.Minutes())
+		seconds := int(duration.Seconds()) % 60
+		if minutes == 1 {
+			if seconds == 1 {
+				return "1 minute, 1 second ago"
+			} else if seconds > 0 {
+				return fmt.Sprintf("1 minute, %d seconds ago", seconds)
+			}
+			return "1 minute ago"
+		}
+		if seconds > 0 {
+			return fmt.Sprintf("%d minutes, %d seconds ago", minutes, seconds)
+		}
+		return fmt.Sprintf("%d minutes ago", minutes)
+	case duration < 24*time.Hour:
+		hours := int(duration.Hours())
+		minutes := int(duration.Minutes()) % 60
+		if hours == 1 {
+			if minutes == 1 {
+				return "1 hour, 1 minute ago"
+			} else if minutes > 0 {
+				return fmt.Sprintf("1 hour, %d minutes ago", minutes)
+			}
+			return "1 hour ago"
+		}
+		if minutes > 0 {
+			return fmt.Sprintf("%d hours, %d minutes ago", hours, minutes)
+		}
+		return fmt.Sprintf("%d hours ago", hours)
+	}
+
+	days := int(duration.Hours()) / 24
+	hours := int(duration.Hours()) % 24
+	if days == 1 {
+		if hours == 1 {
+			return "1 day, 1 hour ago"
+		} else if hours > 0 {
+			return fmt.Sprintf("1 day, %d hours ago", hours)
+		}
+		return "1 day ago"
+	}
+	if hours > 0 {
+		return fmt.Sprintf("%d days, %d hours ago", days, hours)
+	}
+	return fmt.Sprintf("%d days ago", days)
+}
+
+func anonymizePeerDetail(a *anonymize.Anonymizer, peer *peerStateDetailOutput) {
+	peer.FQDN = a.AnonymizeDomain(peer.FQDN)
+	if localIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Local); err == nil {
+		peer.IceCandidateEndpoint.Local = fmt.Sprintf("%s:%s", a.AnonymizeIPString(localIP), port)
+	}
+	if remoteIP, port, err := net.SplitHostPort(peer.IceCandidateEndpoint.Remote); err == nil {
+		peer.IceCandidateEndpoint.Remote = fmt.Sprintf("%s:%s", a.AnonymizeIPString(remoteIP), port)
+	}
+	for i, route := range peer.Routes {
+		peer.Routes[i] = a.AnonymizeIPString(route)
+	}
+
+	for i, route := range peer.Routes {
+		prefix, err := netip.ParsePrefix(route)
+		if err == nil {
+			ip := a.AnonymizeIPString(prefix.Addr().String())
+			peer.Routes[i] = fmt.Sprintf("%s/%d", ip, prefix.Bits())
+		}
+	}
+}
+
+func anonymizeOverview(a *anonymize.Anonymizer, overview *statusOutputOverview) {
+	for i, peer := range overview.Peers.Details {
+		peer := peer
+		anonymizePeerDetail(a, &peer)
+		overview.Peers.Details[i] = peer
+	}
+
+	overview.ManagementState.URL = a.AnonymizeURI(overview.ManagementState.URL)
+	overview.ManagementState.Error = a.AnonymizeString(overview.ManagementState.Error)
+	overview.SignalState.URL = a.AnonymizeURI(overview.SignalState.URL)
+	overview.SignalState.Error = a.AnonymizeString(overview.SignalState.Error)
+
+	overview.IP = a.AnonymizeIPString(overview.IP)
+	for i, detail := range overview.Relays.Details {
+		detail.URI = a.AnonymizeURI(detail.URI)
+		detail.Error = a.AnonymizeString(detail.Error)
+		overview.Relays.Details[i] = detail
+	}
+
+	for i, nsGroup := range overview.NSServerGroups {
+		for j, domain := range nsGroup.Domains {
+			overview.NSServerGroups[i].Domains[j] = a.AnonymizeDomain(domain)
+		}
+		for j, ns := range nsGroup.Servers {
+			host, port, err := net.SplitHostPort(ns)
+			if err == nil {
+				overview.NSServerGroups[i].Servers[j] = fmt.Sprintf("%s:%s", a.AnonymizeIPString(host), port)
+			}
+		}
+	}
+
+	for i, route := range overview.Routes {
+		prefix, err := netip.ParsePrefix(route)
+		if err == nil {
+			ip := a.AnonymizeIPString(prefix.Addr().String())
+			overview.Routes[i] = fmt.Sprintf("%s/%d", ip, prefix.Bits())
+		}
+	}
+
+	overview.FQDN = a.AnonymizeDomain(overview.FQDN)
+}
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -3,11 +3,14 @@ package cmd
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"runtime"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/netbirdio/netbird/client/proto"
@@ -42,6 +45,10 @@ var resp = &proto.StatusResponse{
 				LastWireguardHandshake:     timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 2, 0, time.UTC)),
 				BytesRx:                    200,
 				BytesTx:                    100,
+				Routes: []string{
+					"10.1.0.0/24",
+				},
+				Latency: durationpb.New(time.Duration(10000000)),
 			},
 			{
 				IP:                         "192.168.178.102",
@@ -58,6 +65,7 @@ var resp = &proto.StatusResponse{
 				LastWireguardHandshake:     timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 3, 0, time.UTC)),
 				BytesRx:                    2000,
 				BytesTx:                    1000,
+				Latency:                    durationpb.New(time.Duration(10000000)),
 			},
 		},
 		ManagementState: &proto.ManagementState{
@@ -87,6 +95,31 @@ var resp = &proto.StatusResponse{
 			PubKey:          "Some-Pub-Key",
 			KernelInterface: true,
 			Fqdn:            "some-localhost.awesome-domain.com",
+			Routes: []string{
+				"10.10.0.0/24",
+			},
+		},
+		DnsServers: []*proto.NSGroupState{
+			{
+				Servers: []string{
+					"8.8.8.8:53",
+				},
+				Domains: nil,
+				Enabled: true,
+				Error:   "",
+			},
+			{
+				Servers: []string{
+					"1.1.1.1:53",
+					"2.2.2.2:53",
+				},
+				Domains: []string{
+					"example.com",
+					"example.net",
+				},
+				Enabled: false,
+				Error:   "timeout",
+			},
 		},
 	},
 	DaemonVersion: "0.14.1",
@@ -116,6 +149,10 @@ var overview = statusOutputOverview{
 				LastWireguardHandshake: time.Date(2001, 1, 1, 1, 1, 2, 0, time.UTC),
 				TransferReceived:       200,
 				TransferSent:           100,
+				Routes: []string{
+					"10.1.0.0/24",
+				},
+				Latency: time.Duration(10000000),
 			},
 			{
 				IP:               "192.168.178.102",
@@ -136,6 +173,7 @@ var overview = statusOutputOverview{
 				LastWireguardHandshake: time.Date(2002, 2, 2, 2, 2, 3, 0, time.UTC),
 				TransferReceived:       2000,
 				TransferSent:           1000,
+				Latency:                time.Duration(10000000),
 			},
 		},
 	},
@@ -171,6 +209,31 @@ var overview = statusOutputOverview{
 	PubKey:          "Some-Pub-Key",
 	KernelInterface: true,
 	FQDN:            "some-localhost.awesome-domain.com",
+	NSServerGroups: []nsServerGroupStateOutput{
+		{
+			Servers: []string{
+				"8.8.8.8:53",
+			},
+			Domains: nil,
+			Enabled: true,
+			Error:   "",
+		},
+		{
+			Servers: []string{
+				"1.1.1.1:53",
+				"2.2.2.2:53",
+			},
+			Domains: []string{
+				"example.com",
+				"example.net",
+			},
+			Enabled: false,
+			Error:   "timeout",
+		},
+	},
+	Routes: []string{
+		"10.10.0.0/24",
+	},
 }

 func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
@@ -231,7 +294,12 @@ func TestParsingToJSON(t *testing.T) {
                },
                "lastWireguardHandshake": "2001-01-01T01:01:02Z",
                "transferReceived": 200,
-                "transferSent": 100
+                "transferSent": 100,
+				"latency": 10000000,
+                "quantumResistance": false,
+                "routes": [
+                  "10.1.0.0/24"
+                ]
              },
              {
                "fqdn": "peer-2.awesome-domain.com",
@@ -251,7 +319,10 @@ func TestParsingToJSON(t *testing.T) {
                },
                "lastWireguardHandshake": "2002-02-02T02:02:03Z",
                "transferReceived": 2000,
-                "transferSent": 1000
+                "transferSent": 1000,
+				"latency": 10000000,
+                "quantumResistance": false,
+                "routes": null
              }
            ]
          },
@@ -286,7 +357,34 @@ func TestParsingToJSON(t *testing.T) {
          "netbirdIp": "192.168.178.100/16",
          "publicKey": "Some-Pub-Key",
          "usesKernelInterface": true,
-          "fqdn": "some-localhost.awesome-domain.com"
+          "fqdn": "some-localhost.awesome-domain.com",
+          "quantumResistance": false,
+          "quantumResistancePermissive": false,
+          "routes": [
+            "10.10.0.0/24"
+          ],
+          "dnsServers": [
+            {
+              "servers": [
+                "8.8.8.8:53"
+              ],
+              "domains": null,
+              "enabled": true,
+              "error": ""
+            },
+            {
+              "servers": [
+                "1.1.1.1:53",
+                "2.2.2.2:53"
+              ],
+              "domains": [
+                "example.com",
+                "example.net"
+              ],
+              "enabled": false,
+              "error": "timeout"
+            }
+          ]
        }`
 	// @formatter:on

@@ -320,6 +418,10 @@ func TestParsingToYAML(t *testing.T) {
          lastWireguardHandshake: 2001-01-01T01:01:02Z
          transferReceived: 200
          transferSent: 100
+          latency: 10ms
+          quantumResistance: false
+          routes:
+            - 10.1.0.0/24
        - fqdn: peer-2.awesome-domain.com
          netbirdIp: 192.168.178.102
          publicKey: Pubkey2
@@ -336,6 +438,9 @@ func TestParsingToYAML(t *testing.T) {
          lastWireguardHandshake: 2002-02-02T02:02:03Z
          transferReceived: 2000
          transferSent: 1000
+          latency: 10ms
+          quantumResistance: false
+          routes: []
 cliVersion: development
 daemonVersion: 0.14.1
 management:
@@ -360,15 +465,39 @@ netbirdIp: 192.168.178.100/16
 publicKey: Some-Pub-Key
 usesKernelInterface: true
 fqdn: some-localhost.awesome-domain.com
+quantumResistance: false
+quantumResistancePermissive: false
+routes:
+    - 10.10.0.0/24
+dnsServers:
+    - servers:
+        - 8.8.8.8:53
+      domains: []
+      enabled: true
+      error: ""
+    - servers:
+        - 1.1.1.1:53
+        - 2.2.2.2:53
+      domains:
+        - example.com
+        - example.net
+      enabled: false
+      error: timeout
 `

 	assert.Equal(t, expectedYAML, yaml)
 }

 func TestParsingToDetail(t *testing.T) {
+	// Calculate time ago based on the fixture dates
+	lastConnectionUpdate1 := timeAgo(overview.Peers.Details[0].LastStatusUpdate)
+	lastHandshake1 := timeAgo(overview.Peers.Details[0].LastWireguardHandshake)
+	lastConnectionUpdate2 := timeAgo(overview.Peers.Details[1].LastStatusUpdate)
+	lastHandshake2 := timeAgo(overview.Peers.Details[1].LastWireguardHandshake)
+
 	detail := parseToFullDetailSummary(overview)

-	expectedDetail :=
+	expectedDetail := fmt.Sprintf(
 		`Peers detail:
 peer-1.awesome-domain.com:
  NetBird IP: 192.168.178.101
@@ -379,9 +508,12 @@ func TestParsingToDetail(t *testing.T) {
  Direct: true
  ICE candidate (Local/Remote): -/-
  ICE candidate endpoints (Local/Remote): -/-
-  Last connection update: 2001-01-01 01:01:01
-  Last Wireguard handshake: 2001-01-01 01:01:02
+  Last connection update: %s
+  Last WireGuard handshake: %s
  Transfer status (received/sent) 200 B/100 B
+  Quantum resistance: false
+  Routes: 10.1.0.0/24
+  Latency: 10ms

 peer-2.awesome-domain.com:
  NetBird IP: 192.168.178.102
@@ -392,38 +524,50 @@ func TestParsingToDetail(t *testing.T) {
  Direct: false
  ICE candidate (Local/Remote): relay/prflx
  ICE candidate endpoints (Local/Remote): 10.0.0.1:10001/10.0.10.1:10002
-  Last connection update: 2002-02-02 02:02:02
-  Last Wireguard handshake: 2002-02-02 02:02:03
+  Last connection update: %s
+  Last WireGuard handshake: %s
  Transfer status (received/sent) 2.0 KiB/1000 B
+  Quantum resistance: false
+  Routes: -
+  Latency: 10ms

+OS: %s/%s
 Daemon version: 0.14.1
-CLI version: development
+CLI version: %s
 Management: Connected to my-awesome-management.com:443
 Signal: Connected to my-awesome-signal.com:443
 Relays: 
  [stun:my-awesome-stun.com:3478] is Available
  [turns:my-awesome-turn.com:443?transport=tcp] is Unavailable, reason: context: deadline exceeded
+Nameservers: 
+  [8.8.8.8:53] for [.] is Available
+  [1.1.1.1:53, 2.2.2.2:53] for [example.com, example.net] is Unavailable, reason: timeout
 FQDN: some-localhost.awesome-domain.com
 NetBird IP: 192.168.178.100/16
 Interface type: Kernel
+Quantum resistance: false
+Routes: 10.10.0.0/24
 Peers count: 2/2 Connected
-`
+`, lastConnectionUpdate1, lastHandshake1, lastConnectionUpdate2, lastHandshake2, runtime.GOOS, runtime.GOARCH, overview.CliVersion)

 	assert.Equal(t, expectedDetail, detail)
 }

 func TestParsingToShortVersion(t *testing.T) {
-	shortVersion := parseGeneralSummary(overview, false, false)
+	shortVersion := parseGeneralSummary(overview, false, false, false)

-	expectedString :=
-		`Daemon version: 0.14.1
+	expectedString := fmt.Sprintf("OS: %s/%s", runtime.GOOS, runtime.GOARCH) + `
+Daemon version: 0.14.1
 CLI version: development
 Management: Connected
 Signal: Connected
 Relays: 1/2 Available
+Nameservers: 1/2 Available
 FQDN: some-localhost.awesome-domain.com
 NetBird IP: 192.168.178.100/16
 Interface type: Kernel
+Quantum resistance: false
+Routes: 10.10.0.0/24
 Peers count: 2/2 Connected
 `

@@ -437,3 +581,31 @@ func TestParsingOfIP(t *testing.T) {

 	assert.Equal(t, "192.168.178.123\n", parsedIP)
 }
+
+func TestTimeAgo(t *testing.T) {
+	now := time.Now()
+
+	cases := []struct {
+		name     string
+		input    time.Time
+		expected string
+	}{
+		{"Now", now, "Now"},
+		{"Seconds ago", now.Add(-10 * time.Second), "10 seconds ago"},
+		{"One minute ago", now.Add(-1 * time.Minute), "1 minute ago"},
+		{"Minutes and seconds ago", now.Add(-(1*time.Minute + 30*time.Second)), "1 minute, 30 seconds ago"},
+		{"One hour ago", now.Add(-1 * time.Hour), "1 hour ago"},
+		{"Hours and minutes ago", now.Add(-(2*time.Hour + 15*time.Minute)), "2 hours, 15 minutes ago"},
+		{"One day ago", now.Add(-24 * time.Hour), "1 day ago"},
+		{"Multiple days ago", now.Add(-(72*time.Hour + 20*time.Minute)), "3 days ago"},
+		{"Zero time", time.Time{}, "-"},
+		{"Unix zero time", time.Unix(0, 0), "-"},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := timeAgo(tc.input)
+			assert.Equal(t, tc.expected, result, "Failed %s", tc.name)
+		})
+	}
+}
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -13,6 +13,8 @@ import (

 	"google.golang.org/grpc"

+	"github.com/netbirdio/management-integrations/integrations"
+
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
@@ -68,18 +70,19 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, err := mgmt.NewStoreFromJson(config.Datadir, nil)
+	store, cleanUp, err := mgmt.NewTestStoreFromJson(config.Datadir)
 	if err != nil {
 		t.Fatal(err)
 	}
+	t.Cleanup(cleanUp)

 	peersUpdateManager := mgmt.NewPeersUpdateManager(nil)
 	eventStore := &activity.InMemoryEventStore{}
 	if err != nil {
 		return nil, nil
 	}
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore, false)
+	iv, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, iv)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -40,6 +40,8 @@ func init() {
 	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
 	upCmd.PersistentFlags().StringVar(&interfaceName, interfaceNameFlag, iface.WgInterfaceDefault, "Wireguard interface name")
 	upCmd.PersistentFlags().Uint16Var(&wireguardPort, wireguardPortFlag, iface.DefaultWgPort, "Wireguard interface listening port")
+	upCmd.PersistentFlags().BoolVarP(&networkMonitor, networkMonitorFlag, "N", false, "Enable network monitoring")
+	upCmd.PersistentFlags().StringSliceVar(&extraIFaceBlackList, extraIFaceBlackListFlag, nil, "Extra list of default interfaces to ignore for listening")
 }

 func upFunc(cmd *cobra.Command, args []string) error {
@@ -83,17 +85,26 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	}

 	ic := internal.ConfigInput{
-		ManagementURL:    managementURL,
-		AdminURL:         adminURL,
-		ConfigPath:       configPath,
-		NATExternalIPs:   natExternalIPs,
-		CustomDNSAddress: customDNSAddressConverted,
+		ManagementURL:       managementURL,
+		AdminURL:            adminURL,
+		ConfigPath:          configPath,
+		NATExternalIPs:      natExternalIPs,
+		CustomDNSAddress:    customDNSAddressConverted,
+		ExtraIFaceBlackList: extraIFaceBlackList,
 	}

 	if cmd.Flag(enableRosenpassFlag).Changed {
 		ic.RosenpassEnabled = &rosenpassEnabled
 	}

+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		ic.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		ic.ServerSSHAllowed = &serverSSHAllowed
+	}
+
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return err
@@ -106,10 +117,26 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 		ic.WireguardPort = &p
 	}

+	if cmd.Flag(networkMonitorFlag).Changed {
+		ic.NetworkMonitor = &networkMonitor
+	}
+
 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
 		ic.PreSharedKey = &preSharedKey
 	}

+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		ic.DisableAutoConnect = &autoConnectDisabled
+
+		if autoConnectDisabled {
+			cmd.Println("Autoconnect has been disabled. The client won't connect automatically when the service starts.")
+		}
+
+		if !autoConnectDisabled {
+			cmd.Println("Autoconnect has been enabled. The client will connect automatically when the service starts.")
+		}
+	}
+
 	config, err := internal.UpdateOrCreateConfig(ic)
 	if err != nil {
 		return fmt.Errorf("get config file: %v", err)
@@ -125,11 +152,12 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
+
+	connectClient := internal.NewConnectClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
+	return connectClient.Run()
 }

 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
-
 	customDNSAddressConverted, err := parseCustomDNSAddress(cmd.Flag(dnsResolverAddress).Changed)
 	if err != nil {
 		return err
@@ -170,6 +198,7 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		CustomDNSAddress:     customDNSAddressConverted,
 		IsLinuxDesktopClient: isLinuxRunningDesktop(),
 		Hostname:             hostName,
+		ExtraIFaceBlacklist:  extraIFaceBlackList,
 	}

 	if rootCmd.PersistentFlags().Changed(preSharedKeyFlag) {
@@ -180,6 +209,18 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.RosenpassEnabled = &rosenpassEnabled
 	}

+	if cmd.Flag(rosenpassPermissiveFlag).Changed {
+		loginRequest.RosenpassPermissive = &rosenpassPermissive
+	}
+
+	if cmd.Flag(serverSSHAllowedFlag).Changed {
+		loginRequest.ServerSSHAllowed = &serverSSHAllowed
+	}
+
+	if cmd.Flag(disableAutoConnectFlag).Changed {
+		loginRequest.DisableAutoConnect = &autoConnectDisabled
+	}
+
 	if cmd.Flag(interfaceNameFlag).Changed {
 		if err := parseInterfaceName(interfaceName); err != nil {
 			return err
@@ -192,6 +233,10 @@ func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
 		loginRequest.WireguardPort = &wp
 	}

+	if cmd.Flag(networkMonitorFlag).Changed {
+		loginRequest.NetworkMonitor = &networkMonitor
+	}
+
 	var loginErr error

 	var loginResp *proto.LoginResponse
--- a/client/firewall/create.go
+++ b/client/firewall/create.go
@@ -30,3 +30,9 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,
 	}
 	return fm, nil
 }
+
+// Returns true if the current firewall implementation supports IPv6.
+// Currently false for anything non-linux.
+func SupportsIPv6() bool {
+	return false
+}
--- a/client/firewall/create_linux.go
+++ b/client/firewall/create_linux.go
@@ -42,20 +42,20 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,

 	switch check() {
 	case IPTABLES:
-		log.Debug("creating an iptables firewall manager")
+		log.Info("creating an iptables firewall manager")
 		fm, errFw = nbiptables.Create(context, iface)
 		if errFw != nil {
 			log.Errorf("failed to create iptables manager: %s", errFw)
 		}
 	case NFTABLES:
-		log.Debug("creating an nftables firewall manager")
+		log.Info("creating an nftables firewall manager")
 		fm, errFw = nbnftables.Create(context, iface)
 		if errFw != nil {
 			log.Errorf("failed to create nftables manager: %s", errFw)
 		}
 	default:
 		errFw = fmt.Errorf("no firewall manager found")
-		log.Debug("no firewall manager found, try to use userspace packet filtering firewall")
+		log.Info("no firewall manager found, trying to use userspace packet filtering firewall")
 	}

 	if iface.IsUserspaceBind() {
@@ -70,6 +70,8 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,
 			return nil, errUsp
 		}

+		// Note for devs: When adding IPv6 support to userspace bind, the implementation of AllowNetbird() has to be
+		// adjusted accordingly.
 		if err := fm.AllowNetbird(); err != nil {
 			log.Errorf("failed to allow netbird interface traffic: %v", err)
 		}
@@ -83,18 +85,66 @@ func NewFirewall(context context.Context, iface IFaceMapper) (firewall.Manager,
 	return fm, nil
 }

+// Returns true if the current firewall implementation supports IPv6.
+// Currently true if the firewall is nftables.
+func SupportsIPv6() bool {
+	return check() == NFTABLES
+}
+
 // check returns the firewall type based on common lib checks. It returns UNKNOWN if no firewall is found.
 func check() FWType {
-	nf := nftables.Conn{}
-	if _, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
-		return NFTABLES
+	useIPTABLES := false
+	var iptablesChains []string
+	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
+	if err == nil && isIptablesClientAvailable(ip) {
+		major, minor, _ := ip.GetIptablesVersion()
+		// use iptables when its version is lower than 1.8.0 which doesn't work well with our nftables manager
+		if major < 1 || (major == 1 && minor < 8) {
+			return IPTABLES
+		}
+
+		useIPTABLES = true
+
+		iptablesChains, err = ip.ListChains("filter")
+		if err != nil {
+			log.Errorf("failed to list iptables chains: %s", err)
+			useIPTABLES = false
+		}
 	}

-	ip, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err != nil {
-		return UNKNOWN
+	nf := nftables.Conn{}
+	if chains, err := nf.ListChains(); err == nil && os.Getenv(SKIP_NFTABLES_ENV) != "true" {
+		if !useIPTABLES {
+			return NFTABLES
+		}
+
+		// search for chains where table is filter
+		// if we find one, we assume that nftables manager can be used with iptables
+		for _, chain := range chains {
+			if chain.Table.Name == "filter" {
+				return NFTABLES
+			}
+		}
+
+		// check tables for the following constraints:
+		// 1. there is no chain in nftables for the filter table and there is at least one chain in iptables, we assume that nftables manager can not be used
+		// 2. there is no tables or more than one table, we assume that nftables manager can be used
+		// 3. there is only one table and its name is filter, we assume that nftables manager can not be used, since there was no chain in it
+		// 4. if we find an error we log and continue with iptables check
+		nbTablesList, err := nf.ListTables()
+		switch {
+		case err == nil && len(iptablesChains) > 0:
+			return IPTABLES
+		case err == nil && len(nbTablesList) != 1:
+			return NFTABLES
+		case err == nil && len(nbTablesList) == 1 && nbTablesList[0].Name == "filter":
+			return IPTABLES
+		case err != nil:
+			log.Errorf("failed to list nftables tables on fw manager discovery: %s", err)
+		}
 	}
-	if isIptablesClientAvailable(ip) {
+
+	if useIPTABLES {
 		return IPTABLES
 	}

--- a/client/firewall/iface.go
+++ b/client/firewall/iface.go
@@ -6,6 +6,7 @@ import "github.com/netbirdio/netbird/iface"
 type IFaceMapper interface {
 	Name() string
 	Address() iface.WGAddress
+	Address6() *iface.WGAddress
 	IsUserspaceBind() bool
 	SetFilter(iface.PacketFilter) error
 }
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -24,6 +24,14 @@ type Manager struct {
 	router     *routerManager
 }

+func (m *Manager) ResetV6Firewall() error {
+	return nil
+}
+
+func (m *Manager) V6Active() bool {
+	return false
+}
+
 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMapper interface {
 	Name() string
--- a/client/firewall/iptables/router_linux.go
+++ b/client/firewall/iptables/router_linux.go
@@ -87,12 +87,12 @@ func (i *routerManager) InsertRoutingRules(pair firewall.RouterPair) error {
 	return nil
 }

-// insertRoutingRule inserts an iptable rule
+// insertRoutingRule inserts an iptables rule
 func (i *routerManager) insertRoutingRule(keyFormat, table, chain, jump string, pair firewall.RouterPair) error {
 	var err error

 	ruleKey := firewall.GenKey(keyFormat, pair.ID)
-	rule := genRuleSpec(jump, ruleKey, pair.Source, pair.Destination)
+	rule := genRuleSpec(jump, pair.Source, pair.Destination)
 	existingRule, found := i.rules[ruleKey]
 	if found {
 		err = i.iptablesClient.DeleteIfExists(table, chain, existingRule...)
@@ -326,9 +326,9 @@ func (i *routerManager) createChain(table, newChain string) error {
 	return nil
 }

-// genRuleSpec generates rule specification with comment identifier
-func genRuleSpec(jump, id, source, destination string) []string {
-	return []string{"-s", source, "-d", destination, "-j", jump, "-m", "comment", "--comment", id}
+// genRuleSpec generates rule specification
+func genRuleSpec(jump, source, destination string) []string {
+	return []string{"-s", source, "-d", destination, "-j", jump}
 }

 func getIptablesRuleType(table string) string {
--- a/client/firewall/iptables/router_linux_test.go
+++ b/client/firewall/iptables/router_linux_test.go
@@ -51,14 +51,12 @@ func TestIptablesManager_RestoreOrCreateContainers(t *testing.T) {
 		Destination: "100.100.100.0/24",
 		Masquerade:  true,
 	}
-	forward4RuleKey := firewall.GenKey(firewall.ForwardingFormat, pair.ID)
-	forward4Rule := genRuleSpec(routingFinalForwardJump, forward4RuleKey, pair.Source, pair.Destination)
+	forward4Rule := genRuleSpec(routingFinalForwardJump, pair.Source, pair.Destination)

 	err = manager.iptablesClient.Insert(tableFilter, chainRTFWD, 1, forward4Rule...)
 	require.NoError(t, err, "inserting rule should not return error")

-	nat4RuleKey := firewall.GenKey(firewall.NatFormat, pair.ID)
-	nat4Rule := genRuleSpec(routingFinalNatJump, nat4RuleKey, pair.Source, pair.Destination)
+	nat4Rule := genRuleSpec(routingFinalNatJump, pair.Source, pair.Destination)

 	err = manager.iptablesClient.Insert(tableNat, chainRTNAT, 1, nat4Rule...)
 	require.NoError(t, err, "inserting rule should not return error")
@@ -75,6 +73,9 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {

 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
+			if testCase.IsV6 {
+				t.Skip("Environment does not support IPv6, skipping IPv6 test...")
+			}
 			iptablesClient, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
 			require.NoError(t, err, "failed to init iptables client")

@@ -92,7 +93,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			require.NoError(t, err, "forwarding pair should be inserted")

 			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
-			forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)
+			forwardRule := genRuleSpec(routingFinalForwardJump, testCase.InputPair.Source, testCase.InputPair.Destination)

 			exists, err := iptablesClient.Exists(tableFilter, chainRTFWD, forwardRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
@@ -103,7 +104,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			require.Equal(t, forwardRule[:4], foundRule[:4], "stored forwarding rule should match")

 			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
-			inForwardRule := genRuleSpec(routingFinalForwardJump, inForwardRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inForwardRule := genRuleSpec(routingFinalForwardJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			exists, err = iptablesClient.Exists(tableFilter, chainRTFWD, inForwardRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableFilter, chainRTFWD)
@@ -114,7 +115,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			require.Equal(t, inForwardRule[:4], foundRule[:4], "stored income forwarding rule should match")

 			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
-			natRule := genRuleSpec(routingFinalNatJump, natRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)
+			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination)

 			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, natRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
@@ -130,7 +131,7 @@ func TestIptablesManager_InsertRoutingRules(t *testing.T) {
 			}

 			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
-			inNatRule := genRuleSpec(routingFinalNatJump, inNatRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			exists, err = iptablesClient.Exists(tableNat, chainRTNAT, inNatRule...)
 			require.NoError(t, err, "should be able to query the iptables %s table and %s chain", tableNat, chainRTNAT)
@@ -156,6 +157,9 @@ func TestIptablesManager_RemoveRoutingRules(t *testing.T) {

 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
+			if testCase.IsV6 {
+				t.Skip("Environment does not support IPv6, skipping IPv6 test...")
+			}
 			iptablesClient, _ := iptables.NewWithProtocol(iptables.ProtocolIPv4)

 			manager, err := newRouterManager(context.TODO(), iptablesClient)
@@ -167,25 +171,25 @@ func TestIptablesManager_RemoveRoutingRules(t *testing.T) {
 			require.NoError(t, err, "shouldn't return error")

 			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
-			forwardRule := genRuleSpec(routingFinalForwardJump, forwardRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)
+			forwardRule := genRuleSpec(routingFinalForwardJump, testCase.InputPair.Source, testCase.InputPair.Destination)

 			err = iptablesClient.Insert(tableFilter, chainRTFWD, 1, forwardRule...)
 			require.NoError(t, err, "inserting rule should not return error")

 			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
-			inForwardRule := genRuleSpec(routingFinalForwardJump, inForwardRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inForwardRule := genRuleSpec(routingFinalForwardJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			err = iptablesClient.Insert(tableFilter, chainRTFWD, 1, inForwardRule...)
 			require.NoError(t, err, "inserting rule should not return error")

 			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
-			natRule := genRuleSpec(routingFinalNatJump, natRuleKey, testCase.InputPair.Source, testCase.InputPair.Destination)
+			natRule := genRuleSpec(routingFinalNatJump, testCase.InputPair.Source, testCase.InputPair.Destination)

 			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, natRule...)
 			require.NoError(t, err, "inserting rule should not return error")

 			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
-			inNatRule := genRuleSpec(routingFinalNatJump, inNatRuleKey, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)
+			inNatRule := genRuleSpec(routingFinalNatJump, firewall.GetInPair(testCase.InputPair).Source, firewall.GetInPair(testCase.InputPair).Destination)

 			err = iptablesClient.Insert(tableNat, chainRTNAT, 1, inNatRule...)
 			require.NoError(t, err, "inserting rule should not return error")
--- a/client/firewall/manager/firewall.go
+++ b/client/firewall/manager/firewall.go
@@ -76,6 +76,13 @@ type Manager interface {
 	// RemoveRoutingRules removes a routing firewall rule
 	RemoveRoutingRules(pair RouterPair) error

+	// ResetV6Firewall makes changes to the firewall to adapt to the IP address changes.
+	// It is expected that after calling this method ApplyFiltering will be called to re-add the firewall rules.
+	ResetV6Firewall() error
+
+	// V6Active returns whether IPv6 rules should/may be created by upper layers.
+	V6Active() bool
+
 	// Reset firewall to the default state
 	Reset() error

--- a/client/firewall/nftables/acl_linux.go
+++ b/client/firewall/nftables/acl_linux.go
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -36,17 +36,25 @@ func Create(context context.Context, wgIface iFaceMapper) (*Manager, error) {
 		wgIface: wgIface,
 	}

-	workTable, err := m.createWorkTable()
+	workTable, err := m.createWorkTable(nftables.TableFamilyIPv4)
 	if err != nil {
 		return nil, err
 	}

-	m.router, err = newRouter(context, workTable)
+	var workTable6 *nftables.Table
+	if wgIface.Address6() != nil {
+		workTable6, err = m.createWorkTable(nftables.TableFamilyIPv6)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	m.router, err = newRouter(context, workTable, workTable6)
 	if err != nil {
 		return nil, err
 	}

-	m.aclManager, err = newAclManager(workTable, wgIface, m.router.RouteingFwChainName())
+	m.aclManager, err = newAclManager(workTable, workTable6, wgIface, m.router.RouteingFwChainName())
 	if err != nil {
 		return nil, err
 	}
@@ -54,6 +62,54 @@ func Create(context context.Context, wgIface iFaceMapper) (*Manager, error) {
 	return m, nil
 }

+// Resets the IPv6 Firewall Table to adapt to changes in IP addresses
+func (m *Manager) ResetV6Firewall() error {
+
+	// First, prepare reset by deleting all currently active rules.
+	workTable6, err := m.aclManager.PrepareV6Reset()
+	if err != nil {
+		return err
+	}
+
+	// Depending on whether we now have an IPv6 address, we now either have to create/empty an IPv6 table, or delete it.
+	if m.wgIface.Address6() != nil {
+		if workTable6 != nil {
+			m.rConn.FlushTable(workTable6)
+		} else {
+			workTable6, err = m.createWorkTable(nftables.TableFamilyIPv6)
+			if err != nil {
+				return err
+			}
+		}
+	} else {
+		m.rConn.DelTable(workTable6)
+		workTable6 = nil
+	}
+	err = m.rConn.Flush()
+	if err != nil {
+		return err
+	}
+
+	// Restore routing rules.
+	err = m.router.RestoreAfterV6Reset(workTable6)
+	if err != nil {
+		return err
+	}
+
+	// Restore basic firewall chains (needs to happen after routes because chains from router must exist).
+	// Does not restore rules (will be done later during the update, when UpdateFiltering will be called at some point)
+	err = m.aclManager.ReinitAfterV6Reset(workTable6)
+	if err != nil {
+		return err
+	}
+
+	return m.rConn.Flush()
+}
+
+func (m *Manager) V6Active() bool {
+	return m.aclManager.v6Active
+}
+
 // AddFiltering rule to the firewall
 //
 // If comment argument is empty firewall manager should set
@@ -72,7 +128,7 @@ func (m *Manager) AddFiltering(
 	defer m.mutex.Unlock()

 	rawIP := ip.To4()
-	if rawIP == nil {
+	if rawIP == nil && m.wgIface.Address6() == nil {
 		return nil, fmt.Errorf("unsupported IP version: %s", ip.String())
 	}

@@ -114,6 +170,8 @@ func (m *Manager) AllowNetbird() error {
 	m.mutex.Lock()
 	defer m.mutex.Unlock()

+	// Note for devs: When adding IPv6 support to uspfilter, the implementation of createDefaultAllowRules()
+	// must be adjusted to include IPv6 rules.
 	err := m.aclManager.createDefaultAllowRules()
 	if err != nil {
 		return fmt.Errorf("failed to create default allow rules: %v", err)
@@ -211,8 +269,8 @@ func (m *Manager) Flush() error {
 	return m.aclManager.Flush()
 }

-func (m *Manager) createWorkTable() (*nftables.Table, error) {
-	tables, err := m.rConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
+func (m *Manager) createWorkTable(tableFamily nftables.TableFamily) (*nftables.Table, error) {
+	tables, err := m.rConn.ListTablesOfFamily(tableFamily)
 	if err != nil {
 		return nil, fmt.Errorf("list of tables: %w", err)
 	}
@@ -223,7 +281,7 @@ func (m *Manager) createWorkTable() (*nftables.Table, error) {
 		}
 	}

-	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4})
+	table := m.rConn.AddTable(&nftables.Table{Name: tableName, Family: tableFamily})
 	err = m.rConn.Flush()
 	return table, err
 }
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -19,8 +19,9 @@ import (

 // iFaceMapper defines subset methods of interface required for manager
 type iFaceMock struct {
-	NameFunc    func() string
-	AddressFunc func() iface.WGAddress
+	NameFunc     func() string
+	AddressFunc  func() iface.WGAddress
+	Address6Func func() *iface.WGAddress
 }

 func (i *iFaceMock) Name() string {
@@ -37,6 +38,13 @@ func (i *iFaceMock) Address() iface.WGAddress {
 	panic("AddressFunc is not set")
 }

+func (i *iFaceMock) Address6() *iface.WGAddress {
+	if i.Address6Func != nil {
+		return i.Address6Func()
+	}
+	panic("AddressFunc is not set")
+}
+
 func (i *iFaceMock) IsUserspaceBind() bool { return false }

 func TestNftablesManager(t *testing.T) {
@@ -53,6 +61,7 @@ func TestNftablesManager(t *testing.T) {
 				},
 			}
 		},
+		Address6Func: func() *iface.WGAddress { return nil },
 	}

 	// just check on the local interface
@@ -99,11 +108,9 @@ func TestNftablesManager(t *testing.T) {
 			Register: 1,
 			Data:     ifname("lo"),
 		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
-			Len:          uint32(1),
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
 		},
 		&expr.Cmp{
 			Register: 1,
@@ -152,6 +159,370 @@ func TestNftablesManager(t *testing.T) {
 	require.NoError(t, err, "failed to reset")
 }

+func TestNftablesManager6Disabled(t *testing.T) {
+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+		Address6Func: func() *iface.WGAddress { return nil },
+	}
+
+	// just check on the local interface
+	manager, err := Create(context.Background(), mock)
+	require.NoError(t, err)
+	time.Sleep(time.Second * 3)
+
+	defer func() {
+		err = manager.Reset()
+		require.NoError(t, err, "failed to reset")
+		time.Sleep(time.Second)
+	}()
+
+	ip := net.ParseIP("2001:db8::fedc:ba09:8765:4321")
+
+	testClient := &nftables.Conn{}
+
+	_, err = manager.AddFiltering(
+		ip,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []int{53}},
+		fw.RuleDirectionIN,
+		fw.ActionDrop,
+		"",
+		"",
+	)
+	require.Error(t, err, "IPv6 rule should not be added when IPv6 is disabled")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err := testClient.GetRules(manager.aclManager.workTable, manager.aclManager.chainInputRules)
+	require.NoError(t, err, "failed to get rules")
+
+	require.Len(t, rules, 0, "expected no rules")
+
+	err = manager.Reset()
+	require.NoError(t, err, "failed to reset")
+}
+
+func TestNftablesManager6(t *testing.T) {
+
+	if !iface.SupportsIPv6() {
+		t.Skip("Environment does not support IPv6, skipping IPv6 test...")
+	}
+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+		Address6Func: func() *iface.WGAddress {
+			return &iface.WGAddress{
+				IP: net.ParseIP("2001:db8::0123:4567:890a:bcde"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("2001:db8::"),
+					Mask: net.CIDRMask(64, 128),
+				},
+			}
+		},
+	}
+
+	// just check on the local interface
+	manager, err := Create(context.Background(), mock)
+	require.NoError(t, err)
+	time.Sleep(time.Second * 3)
+
+	defer func() {
+		err = manager.Reset()
+		require.NoError(t, err, "failed to reset")
+		time.Sleep(time.Second)
+	}()
+
+	require.True(t, manager.V6Active(), "IPv6 is not active even though it should be.")
+
+	ip := net.ParseIP("2001:db8::fedc:ba09:8765:4321")
+
+	testClient := &nftables.Conn{}
+
+	rule, err := manager.AddFiltering(
+		ip,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []int{53}},
+		fw.RuleDirectionIN,
+		fw.ActionDrop,
+		"",
+		"",
+	)
+	require.NoError(t, err, "failed to add rule")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err := testClient.GetRules(manager.aclManager.workTable6, manager.aclManager.chainInputRules6)
+	require.NoError(t, err, "failed to get rules")
+
+	require.Len(t, rules, 1, "expected 1 rules")
+
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
+	expectedExprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname("lo"),
+		},
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Register: 1,
+			Op:       expr.CmpOpEq,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       8,
+			Len:          16,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     add.AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       2,
+			Len:          2,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{0, 53},
+		},
+		&expr.Verdict{Kind: expr.VerdictDrop},
+	}
+	require.ElementsMatch(t, rules[0].Exprs, expectedExprs, "expected the same expressions")
+
+	for _, r := range rule {
+		err = manager.DeleteRule(r)
+		require.NoError(t, err, "failed to delete rule")
+	}
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err = testClient.GetRules(manager.aclManager.workTable6, manager.aclManager.chainInputRules6)
+	require.NoError(t, err, "failed to get rules")
+	require.Len(t, rules, 0, "expected 0 rules after deletion")
+
+	err = manager.Reset()
+	require.NoError(t, err, "failed to reset")
+}
+
+func TestNftablesManagerAddressReset6(t *testing.T) {
+
+	if !iface.SupportsIPv6() {
+		t.Skip("Environment does not support IPv6, skipping IPv6 test...")
+	}
+	mock := &iFaceMock{
+		NameFunc: func() string {
+			return "lo"
+		},
+		AddressFunc: func() iface.WGAddress {
+			return iface.WGAddress{
+				IP: net.ParseIP("100.96.0.1"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("100.96.0.0"),
+					Mask: net.IPv4Mask(255, 255, 255, 0),
+				},
+			}
+		},
+		Address6Func: func() *iface.WGAddress {
+			return &iface.WGAddress{
+				IP: net.ParseIP("2001:db8::0123:4567:890a:bcde"),
+				Network: &net.IPNet{
+					IP:   net.ParseIP("2001:db8::"),
+					Mask: net.CIDRMask(64, 128),
+				},
+			}
+		},
+	}
+
+	// just check on the local interface
+	manager, err := Create(context.Background(), mock)
+	require.NoError(t, err)
+	time.Sleep(time.Second * 3)
+
+	defer func() {
+		err = manager.Reset()
+		require.NoError(t, err, "failed to reset")
+		time.Sleep(time.Second)
+	}()
+
+	require.True(t, manager.V6Active(), "IPv6 is not active even though it should be.")
+
+	ip := net.ParseIP("2001:db8::fedc:ba09:8765:4321")
+
+	testClient := &nftables.Conn{}
+
+	_, err = manager.AddFiltering(
+		ip,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []int{53}},
+		fw.RuleDirectionIN,
+		fw.ActionDrop,
+		"",
+		"",
+	)
+	require.NoError(t, err, "failed to add rule")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err := testClient.GetRules(manager.aclManager.workTable6, manager.aclManager.chainInputRules6)
+	require.NoError(t, err, "failed to get rules")
+
+	require.Len(t, rules, 1, "expected 1 rules")
+
+	mock.Address6Func = func() *iface.WGAddress {
+		return nil
+	}
+
+	err = manager.ResetV6Firewall()
+	require.NoError(t, err, "failed to reset IPv6 firewall")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	require.False(t, manager.V6Active(), "IPv6 is active even though it shouldn't be.")
+
+	tables, err := testClient.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	require.NoError(t, err, "failed to list IPv6 tables")
+
+	for _, table := range tables {
+		if table.Name == tableName {
+			t.Errorf("When IPv6 is disabled, the netbird table should not exist.")
+		}
+	}
+
+	mock.Address6Func = func() *iface.WGAddress {
+		return &iface.WGAddress{
+			IP: net.ParseIP("2001:db8::0123:4567:890a:bcdf"),
+			Network: &net.IPNet{
+				IP:   net.ParseIP("2001:db8::"),
+				Mask: net.CIDRMask(64, 128),
+			},
+		}
+	}
+
+	err = manager.ResetV6Firewall()
+	require.NoError(t, err, "failed to reset IPv6 firewall")
+
+	require.True(t, manager.V6Active(), "IPv6 is not active even though it should be.")
+
+	rule, err := manager.AddFiltering(
+		ip,
+		fw.ProtocolTCP,
+		nil,
+		&fw.Port{Values: []int{53}},
+		fw.RuleDirectionIN,
+		fw.ActionDrop,
+		"",
+		"",
+	)
+	require.NoError(t, err, "failed to add rule")
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err = testClient.GetRules(manager.aclManager.workTable6, manager.aclManager.chainInputRules6)
+	require.NoError(t, err, "failed to get rules")
+
+	require.Len(t, rules, 1, "expected 1 rule")
+
+	ipToAdd, _ := netip.AddrFromSlice(ip)
+	add := ipToAdd.Unmap()
+	expectedExprs := []expr.Any{
+		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     ifname("lo"),
+		},
+		&expr.Meta{
+			Key:      expr.MetaKeyL4PROTO,
+			Register: 1,
+		},
+		&expr.Cmp{
+			Register: 1,
+			Op:       expr.CmpOpEq,
+			Data:     []byte{unix.IPPROTO_TCP},
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseNetworkHeader,
+			Offset:       8,
+			Len:          16,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     add.AsSlice(),
+		},
+		&expr.Payload{
+			DestRegister: 1,
+			Base:         expr.PayloadBaseTransportHeader,
+			Offset:       2,
+			Len:          2,
+		},
+		&expr.Cmp{
+			Op:       expr.CmpOpEq,
+			Register: 1,
+			Data:     []byte{0, 53},
+		},
+		&expr.Verdict{Kind: expr.VerdictDrop},
+	}
+	require.ElementsMatch(t, rules[0].Exprs, expectedExprs, "expected the same expressions")
+
+	for _, r := range rule {
+		err = manager.DeleteRule(r)
+		require.NoError(t, err, "failed to delete rule")
+	}
+
+	err = manager.Flush()
+	require.NoError(t, err, "failed to flush")
+
+	rules, err = testClient.GetRules(manager.aclManager.workTable6, manager.aclManager.chainInputRules6)
+	require.NoError(t, err, "failed to get rules")
+	require.Len(t, rules, 0, "expected 0 rules after deletion")
+
+	err = manager.Reset()
+	require.NoError(t, err, "failed to reset")
+}
+
 func TestNFtablesCreatePerformance(t *testing.T) {
 	mock := &iFaceMock{
 		NameFunc: func() string {
@@ -166,6 +537,16 @@ func TestNFtablesCreatePerformance(t *testing.T) {
 				},
 			}
 		},
+		Address6Func: func() *iface.WGAddress {
+			v6addr, v6net, _ := net.ParseCIDR("fd00:1234:dead:beef::1/64")
+			return &iface.WGAddress{
+				IP: v6addr,
+				Network: &net.IPNet{
+					IP:   v6net.IP,
+					Mask: v6net.Mask,
+				},
+			}
+		},
 	}

 	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
--- a/client/firewall/nftables/route_linux.go
+++ b/client/firewall/nftables/route_linux.go
@@ -26,7 +26,8 @@ const (

 // some presets for building nftable rules
 var (
-	zeroXor = binaryutil.NativeEndian.PutUint32(0)
+	zeroXor  = binaryutil.NativeEndian.PutUint32(0)
+	zeroXor6 = []byte{0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}

 	exprCounterAccept = []expr.Any{
 		&expr.Counter{},
@@ -39,48 +40,69 @@ var (
 )

 type router struct {
-	ctx         context.Context
-	stop        context.CancelFunc
-	conn        *nftables.Conn
-	workTable   *nftables.Table
-	filterTable *nftables.Table
-	chains      map[string]*nftables.Chain
+	ctx          context.Context
+	stop         context.CancelFunc
+	conn         *nftables.Conn
+	workTable    *nftables.Table
+	workTable6   *nftables.Table
+	filterTable  *nftables.Table
+	filterTable6 *nftables.Table
+	chains       map[string]*nftables.Chain
+	chains6      map[string]*nftables.Chain
 	// rules is useful to avoid duplicates and to get missing attributes that we don't have when adding new rules
-	rules                    map[string]*nftables.Rule
-	isDefaultFwdRulesEnabled bool
+	rules                     map[string]*nftables.Rule
+	rules6                    map[string]*nftables.Rule
+	isDefaultFwdRulesEnabled  bool
+	isDefaultFwdRulesEnabled6 bool
 }

-func newRouter(parentCtx context.Context, workTable *nftables.Table) (*router, error) {
+func newRouter(parentCtx context.Context, workTable *nftables.Table, workTable6 *nftables.Table) (*router, error) {
 	ctx, cancel := context.WithCancel(parentCtx)

 	r := &router{
-		ctx:       ctx,
-		stop:      cancel,
-		conn:      &nftables.Conn{},
-		workTable: workTable,
-		chains:    make(map[string]*nftables.Chain),
-		rules:     make(map[string]*nftables.Rule),
+		ctx:        ctx,
+		stop:       cancel,
+		conn:       &nftables.Conn{},
+		workTable:  workTable,
+		workTable6: workTable6,
+		chains:     make(map[string]*nftables.Chain),
+		chains6:    make(map[string]*nftables.Chain),
+		rules:      make(map[string]*nftables.Rule),
+		rules6:     make(map[string]*nftables.Rule),
 	}

 	var err error
-	r.filterTable, err = r.loadFilterTable()
+	r.filterTable, r.filterTable6, err = r.loadFilterTables()
 	if err != nil {
 		if errors.Is(err, errFilterTableNotFound) {
-			log.Warnf("table 'filter' not found for forward rules")
+			log.Warnf("table 'filter' not found for forward rules for one of the supported address families-")
 		} else {
 			return nil, err
 		}
 	}

-	err = r.cleanUpDefaultForwardRules()
+	err = r.cleanUpDefaultForwardRules(false)
 	if err != nil {
 		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
 	}

-	err = r.createContainers()
+	err = r.cleanUpDefaultForwardRules(true)
+	if err != nil {
+		log.Errorf("failed to clean up rules from IPv6 FORWARD chain: %s", err)
+	}
+
+	err = r.createContainers(false)
 	if err != nil {
 		log.Errorf("failed to create containers for route: %s", err)
 	}
+
+	if r.workTable6 != nil {
+		err = r.createContainers(true)
+		if err != nil {
+			log.Errorf("failed to create v6 containers for route: %s", err)
+		}
+	}
+
 	return r, err
 }

@@ -90,43 +112,99 @@ func (r *router) RouteingFwChainName() string {

 // ResetForwardRules cleans existing nftables default forward rules from the system
 func (r *router) ResetForwardRules() {
-	err := r.cleanUpDefaultForwardRules()
+	err := r.cleanUpDefaultForwardRules(false)
+	if err != nil {
+		log.Errorf("failed to reset forward rules: %s", err)
+	}
+	err = r.cleanUpDefaultForwardRules(true)
 	if err != nil {
 		log.Errorf("failed to reset forward rules: %s", err)
 	}
 }

-func (r *router) loadFilterTable() (*nftables.Table, error) {
+func (r *router) RestoreAfterV6Reset(newWorktable6 *nftables.Table) error {
+	r.workTable6 = newWorktable6
+	if newWorktable6 != nil {
+
+		err := r.cleanUpDefaultForwardRules(true)
+		if err != nil {
+			log.Errorf("failed to clean up rules from IPv6 FORWARD chain: %s", err)
+		}
+
+		err = r.createContainers(true)
+		if err != nil {
+			return err
+		}
+
+		for name, rule := range r.rules6 {
+			rule = &nftables.Rule{
+				Table:    r.workTable6,
+				Chain:    r.chains6[rule.Chain.Name],
+				Exprs:    rule.Exprs,
+				UserData: rule.UserData,
+			}
+			r.rules6[name] = r.conn.AddRule(rule)
+		}
+	}
+	return r.conn.Flush()
+}
+
+func (r *router) loadFilterTables() (*nftables.Table, *nftables.Table, error) {
 	tables, err := r.conn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
-		return nil, fmt.Errorf("nftables: unable to list tables: %v", err)
+		return nil, nil, fmt.Errorf("nftables: unable to list tables: %v", err)
 	}

+	var table4 *nftables.Table = nil
 	for _, table := range tables {
 		if table.Name == "filter" {
-			return table, nil
+			table4 = table
+			break
 		}
 	}

-	return nil, errFilterTableNotFound
+	var table6 *nftables.Table = nil
+	tables, err = r.conn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return nil, nil, fmt.Errorf("nftables: unable to list tables: %v", err)
+	}
+	for _, table := range tables {
+		if table.Name == "filter" {
+			table6 = table
+			break
+		}
+	}
+
+	err = nil
+	if table4 == nil || table6 == nil {
+		err = errFilterTableNotFound
+	}
+
+	return table4, table6, err
 }

-func (r *router) createContainers() error {
+func (r *router) createContainers(forV6 bool) error {
+	workTable := r.workTable
+	chainStorage := r.chains
+	if forV6 {
+		workTable = r.workTable6
+		chainStorage = r.chains6
+	}

-	r.chains[chainNameRouteingFw] = r.conn.AddChain(&nftables.Chain{
+	chainStorage[chainNameRouteingFw] = r.conn.AddChain(&nftables.Chain{
 		Name:  chainNameRouteingFw,
-		Table: r.workTable,
+		Table: workTable,
 	})

-	r.chains[chainNameRoutingNat] = r.conn.AddChain(&nftables.Chain{
+	chainStorage[chainNameRoutingNat] = r.conn.AddChain(&nftables.Chain{
 		Name:     chainNameRoutingNat,
-		Table:    r.workTable,
+		Table:    workTable,
 		Hooknum:  nftables.ChainHookPostrouting,
 		Priority: nftables.ChainPriorityNATSource - 1,
 		Type:     nftables.ChainTypeNAT,
 	})

-	err := r.refreshRulesMap()
+	err := r.refreshRulesMap(forV6)
 	if err != nil {
 		log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
 	}
@@ -140,7 +218,13 @@ func (r *router) createContainers() error {

 // InsertRoutingRules inserts a nftable rule pair to the forwarding chain and if enabled, to the nat chain
 func (r *router) InsertRoutingRules(pair manager.RouterPair) error {
-	err := r.refreshRulesMap()
+	parsedIp, _, _ := net.ParseCIDR(pair.Source)
+
+	if parsedIp.To4() == nil && r.workTable6 == nil {
+		return fmt.Errorf("nftables: attempted to add IPv6 routing rule even though IPv6 is not enabled for this host")
+	}
+
+	err := r.refreshRulesMap(parsedIp.To4() == nil)
 	if err != nil {
 		return err
 	}
@@ -165,7 +249,11 @@ func (r *router) InsertRoutingRules(pair manager.RouterPair) error {
 		}
 	}

-	if r.filterTable != nil && !r.isDefaultFwdRulesEnabled {
+	filterTable := r.filterTable
+	if parsedIp.To4() == nil {
+		filterTable = r.filterTable6
+	}
+	if filterTable != nil && !r.isDefaultFwdRulesEnabled {
 		log.Debugf("add default accept forward rule")
 		r.acceptForwardRule(pair.Source)
 	}
@@ -191,7 +279,13 @@ func (r *router) insertRoutingRule(format, chainName string, pair manager.Router

 	ruleKey := manager.GenKey(format, pair.ID)

-	_, exists := r.rules[ruleKey]
+	parsedIp, _, _ := net.ParseCIDR(pair.Source)
+	rules := r.rules
+	if parsedIp.To4() == nil {
+		rules = r.rules6
+	}
+
+	_, exists := rules[ruleKey]
 	if exists {
 		err := r.removeRoutingRule(format, pair)
 		if err != nil {
@@ -199,18 +293,35 @@ func (r *router) insertRoutingRule(format, chainName string, pair manager.Router
 		}
 	}

-	r.rules[ruleKey] = r.conn.InsertRule(&nftables.Rule{
-		Table:    r.workTable,
-		Chain:    r.chains[chainName],
+	table, chain := r.workTable, r.chains[chainName]
+	if parsedIp.To4() == nil {
+		table, chain = r.workTable6, r.chains6[chainName]
+	}
+
+	newRule := r.conn.InsertRule(&nftables.Rule{
+		Table:    table,
+		Chain:    chain,
 		Exprs:    expression,
 		UserData: []byte(ruleKey),
 	})
+
+	if parsedIp.To4() == nil {
+		r.rules[ruleKey] = newRule
+	} else {
+		r.rules6[ruleKey] = newRule
+	}
 	return nil
 }

 func (r *router) acceptForwardRule(sourceNetwork string) {
 	src := generateCIDRMatcherExpressions(true, sourceNetwork)
 	dst := generateCIDRMatcherExpressions(false, "0.0.0.0/0")
+	table := r.filterTable
+	parsedIp, _, _ := net.ParseCIDR(sourceNetwork)
+	if parsedIp.To4() == nil {
+		dst = generateCIDRMatcherExpressions(false, "::/0")
+		table = r.filterTable6
+	}

 	var exprs []expr.Any
 	exprs = append(src, append(dst, &expr.Verdict{ // nolint:gocritic
@@ -218,10 +329,10 @@ func (r *router) acceptForwardRule(sourceNetwork string) {
 	})...)

 	rule := &nftables.Rule{
-		Table: r.filterTable,
+		Table: table,
 		Chain: &nftables.Chain{
 			Name:     "FORWARD",
-			Table:    r.filterTable,
+			Table:    table,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
 			Priority: nftables.ChainPriorityFilter,
@@ -233,6 +344,9 @@ func (r *router) acceptForwardRule(sourceNetwork string) {
 	r.conn.AddRule(rule)

 	src = generateCIDRMatcherExpressions(true, "0.0.0.0/0")
+	if parsedIp.To4() == nil {
+		src = generateCIDRMatcherExpressions(true, "::/0")
+	}
 	dst = generateCIDRMatcherExpressions(false, sourceNetwork)

 	exprs = append(src, append(dst, &expr.Verdict{ //nolint:gocritic
@@ -240,10 +354,10 @@ func (r *router) acceptForwardRule(sourceNetwork string) {
 	})...)

 	rule = &nftables.Rule{
-		Table: r.filterTable,
+		Table: table,
 		Chain: &nftables.Chain{
 			Name:     "FORWARD",
-			Table:    r.filterTable,
+			Table:    table,
 			Type:     nftables.ChainTypeFilter,
 			Hooknum:  nftables.ChainHookForward,
 			Priority: nftables.ChainPriorityFilter,
@@ -252,12 +366,21 @@ func (r *router) acceptForwardRule(sourceNetwork string) {
 		UserData: []byte(userDataAcceptForwardRuleDst),
 	}
 	r.conn.AddRule(rule)
-	r.isDefaultFwdRulesEnabled = true
+	if parsedIp.To4() == nil {
+		r.isDefaultFwdRulesEnabled6 = true
+	} else {
+		r.isDefaultFwdRulesEnabled = true
+	}
 }

 // RemoveRoutingRules removes a nftable rule pair from forwarding and nat chains
 func (r *router) RemoveRoutingRules(pair manager.RouterPair) error {
-	err := r.refreshRulesMap()
+	parsedIp, _, _ := net.ParseCIDR(pair.Source)
+	if parsedIp.To4() == nil && r.workTable6 == nil {
+		return fmt.Errorf("nftables: attempted to remove IPv6 routing rule even though IPv6 is not enabled for this host")
+	}
+
+	err := r.refreshRulesMap(parsedIp.To4() == nil)
 	if err != nil {
 		return err
 	}
@@ -282,8 +405,12 @@ func (r *router) RemoveRoutingRules(pair manager.RouterPair) error {
 		return err
 	}

-	if len(r.rules) == 0 {
-		err := r.cleanUpDefaultForwardRules()
+	rulesList := r.rules
+	if parsedIp.To4() == nil {
+		rulesList = r.rules6
+	}
+	if len(rulesList) == 0 {
+		err := r.cleanUpDefaultForwardRules(parsedIp.To4() == nil)
 		if err != nil {
 			log.Errorf("failed to clean up rules from FORWARD chain: %s", err)
 		}
@@ -301,7 +428,13 @@ func (r *router) RemoveRoutingRules(pair manager.RouterPair) error {
 func (r *router) removeRoutingRule(format string, pair manager.RouterPair) error {
 	ruleKey := manager.GenKey(format, pair.ID)

-	rule, found := r.rules[ruleKey]
+	parsedIp, _, _ := net.ParseCIDR(pair.Source)
+	rules := r.rules
+	if parsedIp.To4() == nil {
+		rules = r.rules6
+	}
+
+	rule, found := rules[ruleKey]
 	if found {
 		ruleType := "forwarding"
 		if rule.Chain.Type == nftables.ChainTypeNAT {
@@ -315,49 +448,68 @@ func (r *router) removeRoutingRule(format string, pair manager.RouterPair) error

 		log.Debugf("nftables: removing %s rule for %s", ruleType, pair.Destination)

-		delete(r.rules, ruleKey)
+		delete(rules, ruleKey)
 	}
 	return nil
 }

 // refreshRulesMap refreshes the rule map with the latest rules. this is useful to avoid
 // duplicates and to get missing attributes that we don't have when adding new rules
-func (r *router) refreshRulesMap() error {
-	for _, chain := range r.chains {
+func (r *router) refreshRulesMap(forV6 bool) error {
+	chainList := r.chains
+	if forV6 {
+		chainList = r.chains6
+	}
+	for _, chain := range chainList {
 		rules, err := r.conn.GetRules(chain.Table, chain)
 		if err != nil {
 			return fmt.Errorf("nftables: unable to list rules: %v", err)
 		}
 		for _, rule := range rules {
 			if len(rule.UserData) > 0 {
-				r.rules[string(rule.UserData)] = rule
+				if forV6 {
+					r.rules6[string(rule.UserData)] = rule
+				} else {
+					r.rules[string(rule.UserData)] = rule
+				}
 			}
 		}
 	}
 	return nil
 }

-func (r *router) cleanUpDefaultForwardRules() error {
-	if r.filterTable == nil {
-		r.isDefaultFwdRulesEnabled = false
+func (r *router) cleanUpDefaultForwardRules(forV6 bool) error {
+	tableFamily := nftables.TableFamilyIPv4
+	filterTable := r.filterTable
+	if forV6 {
+		tableFamily = nftables.TableFamilyIPv6
+		filterTable = r.filterTable6
+	}
+
+	if filterTable == nil {
+		if forV6 {
+			r.isDefaultFwdRulesEnabled6 = false
+		} else {
+			r.isDefaultFwdRulesEnabled = false
+		}
 		return nil
 	}

-	chains, err := r.conn.ListChainsOfTableFamily(nftables.TableFamilyIPv4)
+	chains, err := r.conn.ListChainsOfTableFamily(tableFamily)
 	if err != nil {
 		return err
 	}

 	var rules []*nftables.Rule
 	for _, chain := range chains {
-		if chain.Table.Name != r.filterTable.Name {
+		if chain.Table.Name != filterTable.Name {
 			continue
 		}
 		if chain.Name != "FORWARD" {
 			continue
 		}

-		rules, err = r.conn.GetRules(r.filterTable, chain)
+		rules, err = r.conn.GetRules(filterTable, chain)
 		if err != nil {
 			return err
 		}
@@ -371,7 +523,12 @@ func (r *router) cleanUpDefaultForwardRules() error {
 			}
 		}
 	}
-	r.isDefaultFwdRulesEnabled = false
+
+	if forV6 {
+		r.isDefaultFwdRulesEnabled6 = false
+	} else {
+		r.isDefaultFwdRulesEnabled = false
+	}
 	return r.conn.Flush()
 }

@@ -387,6 +544,18 @@ func generateCIDRMatcherExpressions(source bool, cidr string) []expr.Any {
 	} else {
 		offSet = 16 // dst offset
 	}
+	addrLen := uint32(4)
+	zeroXor := zeroXor
+
+	if ip.To4() == nil {
+		if source {
+			offSet = 8 // src offset
+		} else {
+			offSet = 24 // dst offset
+		}
+		addrLen = 16
+		zeroXor = zeroXor6
+	}

 	return []expr.Any{
 		// fetch src add
@@ -394,13 +563,13 @@ func generateCIDRMatcherExpressions(source bool, cidr string) []expr.Any {
 			DestRegister: 1,
 			Base:         expr.PayloadBaseNetworkHeader,
 			Offset:       offSet,
-			Len:          4,
+			Len:          addrLen,
 		},
 		// net mask
 		&expr.Bitwise{
 			DestRegister:   1,
 			SourceRegister: 1,
-			Len:            4,
+			Len:            addrLen,
 			Mask:           network.Mask,
 			Xor:            zeroXor,
 		},
--- a/client/firewall/nftables/router_linux_test.go
+++ b/client/firewall/nftables/router_linux_test.go
@@ -4,6 +4,7 @@ package nftables

 import (
 	"context"
+	"github.com/netbirdio/netbird/iface"
 	"testing"

 	"github.com/coreos/go-iptables/iptables"
@@ -29,16 +30,19 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 		t.Skip("nftables not supported on this OS")
 	}

-	table, err := createWorkTable()
+	table, table6, err := createWorkTables()
 	if err != nil {
 		t.Fatal(err)
 	}

-	defer deleteWorkTable()
+	defer deleteWorkTables()

 	for _, testCase := range test.InsertRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := newRouter(context.TODO(), table)
+			if testCase.IsV6 && table6 == nil {
+				t.Skip("Environment does not support IPv6, skipping IPv6 test...")
+			}
+			manager, err := newRouter(context.TODO(), table, table6)
 			require.NoError(t, err, "failed to create router")

 			nftablesTestingClient := &nftables.Conn{}
@@ -58,8 +62,13 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 			testingExpression := append(sourceExp, destExp...) //nolint:gocritic
 			fwdRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)

+			chains := manager.chains
+			if testCase.IsV6 {
+				chains = manager.chains6
+			}
+
 			found := 0
-			for _, chain := range manager.chains {
+			for _, chain := range chains {
 				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 				for _, rule := range rules {
@@ -75,7 +84,7 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 			if testCase.InputPair.Masquerade {
 				natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)
 				found := 0
-				for _, chain := range manager.chains {
+				for _, chain := range chains {
 					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 					for _, rule := range rules {
@@ -94,7 +103,7 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 			inFwdRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)

 			found = 0
-			for _, chain := range manager.chains {
+			for _, chain := range chains {
 				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 				for _, rule := range rules {
@@ -110,7 +119,7 @@ func TestNftablesManager_InsertRoutingRules(t *testing.T) {
 			if testCase.InputPair.Masquerade {
 				inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)
 				found := 0
-				for _, chain := range manager.chains {
+				for _, chain := range chains {
 					rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 					require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 					for _, rule := range rules {
@@ -131,16 +140,19 @@ func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 		t.Skip("nftables not supported on this OS")
 	}

-	table, err := createWorkTable()
+	table, table6, err := createWorkTables()
 	if err != nil {
 		t.Fatal(err)
 	}

-	defer deleteWorkTable()
+	defer deleteWorkTables()

 	for _, testCase := range test.RemoveRuleTestCases {
 		t.Run(testCase.Name, func(t *testing.T) {
-			manager, err := newRouter(context.TODO(), table)
+			if testCase.IsV6 && table6 == nil {
+				t.Skip("Environment does not support IPv6, skipping IPv6 test...")
+			}
+			manager, err := newRouter(context.TODO(), table, table6)
 			require.NoError(t, err, "failed to create router")

 			nftablesTestingClient := &nftables.Conn{}
@@ -150,11 +162,18 @@ func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 			sourceExp := generateCIDRMatcherExpressions(true, testCase.InputPair.Source)
 			destExp := generateCIDRMatcherExpressions(false, testCase.InputPair.Destination)

+			chains := manager.chains
+			workTable := table
+			if testCase.IsV6 {
+				chains = manager.chains6
+				workTable = table6
+			}
+
 			forwardExp := append(sourceExp, append(destExp, exprCounterAccept...)...) //nolint:gocritic
 			forwardRuleKey := firewall.GenKey(firewall.ForwardingFormat, testCase.InputPair.ID)
 			insertedForwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
-				Table:    manager.workTable,
-				Chain:    manager.chains[chainNameRouteingFw],
+				Table:    workTable,
+				Chain:    chains[chainNameRouteingFw],
 				Exprs:    forwardExp,
 				UserData: []byte(forwardRuleKey),
 			})
@@ -163,8 +182,8 @@ func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 			natRuleKey := firewall.GenKey(firewall.NatFormat, testCase.InputPair.ID)

 			insertedNat := nftablesTestingClient.InsertRule(&nftables.Rule{
-				Table:    manager.workTable,
-				Chain:    manager.chains[chainNameRoutingNat],
+				Table:    workTable,
+				Chain:    chains[chainNameRoutingNat],
 				Exprs:    natExp,
 				UserData: []byte(natRuleKey),
 			})
@@ -175,8 +194,8 @@ func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 			forwardExp = append(sourceExp, append(destExp, exprCounterAccept...)...) //nolint:gocritic
 			inForwardRuleKey := firewall.GenKey(firewall.InForwardingFormat, testCase.InputPair.ID)
 			insertedInForwarding := nftablesTestingClient.InsertRule(&nftables.Rule{
-				Table:    manager.workTable,
-				Chain:    manager.chains[chainNameRouteingFw],
+				Table:    workTable,
+				Chain:    chains[chainNameRouteingFw],
 				Exprs:    forwardExp,
 				UserData: []byte(inForwardRuleKey),
 			})
@@ -185,8 +204,8 @@ func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 			inNatRuleKey := firewall.GenKey(firewall.InNatFormat, testCase.InputPair.ID)

 			insertedInNat := nftablesTestingClient.InsertRule(&nftables.Rule{
-				Table:    manager.workTable,
-				Chain:    manager.chains[chainNameRoutingNat],
+				Table:    workTable,
+				Chain:    chains[chainNameRoutingNat],
 				Exprs:    natExp,
 				UserData: []byte(inNatRuleKey),
 			})
@@ -199,7 +218,7 @@ func TestNftablesManager_RemoveRoutingRules(t *testing.T) {
 			err = manager.RemoveRoutingRules(testCase.InputPair)
 			require.NoError(t, err, "shouldn't return error")

-			for _, chain := range manager.chains {
+			for _, chain := range chains {
 				rules, err := nftablesTestingClient.GetRules(chain.Table, chain)
 				require.NoError(t, err, "should list rules for %s table and %s chain", chain.Table.Name, chain.Name)
 				for _, rule := range rules {
@@ -238,30 +257,39 @@ func isIptablesClientAvailable(client *iptables.IPTables) bool {
 	return err == nil
 }

-func createWorkTable() (*nftables.Table, error) {
+func createWorkTables() (*nftables.Table, *nftables.Table, error) {
 	sConn, err := nftables.New(nftables.AsLasting())
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

 	tables, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv4)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

-	for _, t := range tables {
+	tables6, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	for _, t := range append(tables, tables6...) {
 		if t.Name == tableName {
 			sConn.DelTable(t)
 		}
 	}

 	table := sConn.AddTable(&nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv4})
+	var table6 *nftables.Table
+	if iface.SupportsIPv6() {
+		table6 = sConn.AddTable(&nftables.Table{Name: tableName, Family: nftables.TableFamilyIPv6})
+	}
 	err = sConn.Flush()

-	return table, err
+	return table, table6, err
 }

-func deleteWorkTable() {
+func deleteWorkTables() {
 	sConn, err := nftables.New(nftables.AsLasting())
 	if err != nil {
 		return
@@ -272,6 +300,12 @@ func deleteWorkTable() {
 		return
 	}

+	tables6, err := sConn.ListTablesOfFamily(nftables.TableFamilyIPv6)
+	if err != nil {
+		return
+	}
+	tables = append(tables, tables6...)
+
 	for _, t := range tables {
 		if t.Name == tableName {
 			sConn.DelTable(t)
--- a/client/firewall/test/cases_linux.go
+++ b/client/firewall/test/cases_linux.go
@@ -8,6 +8,7 @@ var (
 	InsertRuleTestCases = []struct {
 		Name      string
 		InputPair firewall.RouterPair
+		IsV6      bool
 	}{
 		{
 			Name: "Insert Forwarding IPV4 Rule",
@@ -27,12 +28,32 @@ var (
 				Masquerade:  true,
 			},
 		},
+		{
+			Name: "Insert Forwarding IPV6 Rule",
+			InputPair: firewall.RouterPair{
+				ID:          "zxa",
+				Source:      "2001:db8:0123:4567::1/128",
+				Destination: "2001:db8:0123:abcd::/64",
+				Masquerade:  false,
+			},
+			IsV6: true,
+		},
+		{
+			Name: "Insert Forwarding And Nat IPV6 Rules",
+			InputPair: firewall.RouterPair{
+				ID:          "zxa",
+				Source:      "2001:db8:0123:4567::1/128",
+				Destination: "2001:db8:0123:abcd::/64",
+				Masquerade:  true,
+			},
+			IsV6: true,
+		},
 	}

 	RemoveRuleTestCases = []struct {
 		Name      string
 		InputPair firewall.RouterPair
-		IpVersion string
+		IsV6      bool
 	}{
 		{
 			Name: "Remove Forwarding And Nat IPV4 Rules",
@@ -43,5 +64,15 @@ var (
 				Masquerade:  true,
 			},
 		},
+		{
+			Name: "Remove Forwarding And Nat IPV6 Rules",
+			InputPair: firewall.RouterPair{
+				ID:          "zxa",
+				Source:      "2001:db8:0123:4567::1/128",
+				Destination: "2001:db8:0123:abcd::/64",
+				Masquerade:  true,
+			},
+			IsV6: true,
+		},
 	}
 )
--- a/client/firewall/uspfilter/allow_netbird_windows.go
+++ b/client/firewall/uspfilter/allow_netbird_windows.go
@@ -64,15 +64,18 @@ func manageFirewallRule(ruleName string, action action, extraArgs ...string) err
 	if action == addRule {
 		args = append(args, extraArgs...)
 	}
-
-	cmd := exec.Command("netsh", args...)
+	netshCmd := GetSystem32Command("netsh")
+	cmd := exec.Command(netshCmd, args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	return cmd.Run()
 }

 func isWindowsFirewallReachable() bool {
 	args := []string{"advfirewall", "show", "allprofiles", "state"}
-	cmd := exec.Command("netsh", args...)
+
+	netshCmd := GetSystem32Command("netsh")
+
+	cmd := exec.Command(netshCmd, args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}

 	_, err := cmd.Output()
@@ -87,8 +90,23 @@ func isWindowsFirewallReachable() bool {
 func isFirewallRuleActive(ruleName string) bool {
 	args := []string{"advfirewall", "firewall", "show", "rule", "name=" + ruleName}

-	cmd := exec.Command("netsh", args...)
+	netshCmd := GetSystem32Command("netsh")
+
+	cmd := exec.Command(netshCmd, args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	_, err := cmd.Output()
 	return err == nil
 }
+
+// GetSystem32Command checks if a command can be found in the system path and returns it. In case it can't find it
+// in the path it will return the full path of a command assuming C:\windows\system32 as the base path.
+func GetSystem32Command(command string) string {
+	_, err := exec.LookPath(command)
+	if err == nil {
+		return command
+	}
+
+	log.Tracef("Command %s not found in PATH, using C:\\windows\\system32\\%s.exe path", command, command)
+
+	return "C:\\windows\\system32\\" + command + ".exe"
+}
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -24,6 +24,7 @@ var (
 type IFaceMapper interface {
 	SetFilter(iface.PacketFilter) error
 	Address() iface.WGAddress
+	Address6() *iface.WGAddress
 }

 // RuleSet is a set of rules grouped by a string key
@@ -69,6 +70,14 @@ func CreateWithNativeFirewall(iface IFaceMapper, nativeFirewall firewall.Manager
 	return mgr, nil
 }

+func (m *Manager) ResetV6Firewall() error {
+	return nil
+}
+
+func (m *Manager) V6Active() bool {
+	return false
+}
+
 func create(iface IFaceMapper) (*Manager, error) {
 	m := &Manager{
 		decoders: sync.Pool{
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -33,6 +33,10 @@ func (i *IFaceMock) Address() iface.WGAddress {
 	return i.AddressFunc()
 }

+func (i *IFaceMock) Address6() *iface.WGAddress {
+	return nil
+}
+
 func TestManagerCreate(t *testing.T) {
 	ifaceMock := &IFaceMock{
 		SetFilterFunc: func(iface.PacketFilter) error { return nil },
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -16,9 +16,10 @@ import (
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

-// Manager is a ACL rules manager
+// Manager is an ACL rules manager
 type Manager interface {
 	ApplyFiltering(networkMap *mgmProto.NetworkMap)
+	ResetV6Acl() error
 }

 // DefaultManager uses firewall manager to handle
@@ -26,16 +27,36 @@ type DefaultManager struct {
 	firewall     firewall.Manager
 	ipsetCounter int
 	rulesPairs   map[string][]firewall.Rule
+	rulesPairs6  map[string][]firewall.Rule
 	mutex        sync.Mutex
 }

 func NewDefaultManager(fm firewall.Manager) *DefaultManager {
 	return &DefaultManager{
-		firewall:   fm,
-		rulesPairs: make(map[string][]firewall.Rule),
+		firewall:    fm,
+		rulesPairs:  make(map[string][]firewall.Rule),
+		rulesPairs6: make(map[string][]firewall.Rule),
 	}
 }

+func (d *DefaultManager) ResetV6Acl() error {
+	for _, rules := range d.rulesPairs6 {
+		for _, r := range rules {
+			err := d.firewall.DeleteRule(r)
+			if err != nil {
+				return err
+			}
+		}
+	}
+	err := d.firewall.ResetV6Firewall()
+	if err != nil {
+		return err
+	}
+	d.rulesPairs6 = make(map[string][]firewall.Rule)
+
+	return nil
+}
+
 // ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
 //
 // If allowByDefault is true it appends allow ALL traffic rules to input and output chains.
@@ -83,6 +104,7 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 	if enableSSH {
 		rules = append(rules, &mgmProto.FirewallRule{
 			PeerIP:    "0.0.0.0",
+			PeerIP6:   "::",
 			Direction: mgmProto.FirewallRule_IN,
 			Action:    mgmProto.FirewallRule_ACCEPT,
 			Protocol:  mgmProto.FirewallRule_TCP,
@@ -97,12 +119,14 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 		rules = append(rules,
 			&mgmProto.FirewallRule{
 				PeerIP:    "0.0.0.0",
+				PeerIP6:   "::",
 				Direction: mgmProto.FirewallRule_IN,
 				Action:    mgmProto.FirewallRule_ACCEPT,
 				Protocol:  mgmProto.FirewallRule_ALL,
 			},
 			&mgmProto.FirewallRule{
 				PeerIP:    "0.0.0.0",
+				PeerIP6:   "::",
 				Direction: mgmProto.FirewallRule_OUT,
 				Action:    mgmProto.FirewallRule_ACCEPT,
 				Protocol:  mgmProto.FirewallRule_ALL,
@@ -111,6 +135,7 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 	}

 	newRulePairs := make(map[string][]firewall.Rule)
+	newRulePairs6 := make(map[string][]firewall.Rule)
 	ipsetByRuleSelectors := make(map[string]string)

 	for _, r := range rules {
@@ -123,7 +148,7 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 			ipsetName = fmt.Sprintf("nb%07d", d.ipsetCounter)
 			ipsetByRuleSelectors[selector] = ipsetName
 		}
-		pairID, rulePair, err := d.protoRuleToFirewallRule(r, ipsetName)
+		pairID, rulePair, rulePair6, err := d.protoRuleToFirewallRule(r, ipsetName)
 		if err != nil {
 			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
 			d.rollBack(newRulePairs)
@@ -132,6 +157,8 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 		if len(rules) > 0 {
 			d.rulesPairs[pairID] = rulePair
 			newRulePairs[pairID] = rulePair
+			d.rulesPairs6[pairID] = rulePair6
+			newRulePairs6[pairID] = rulePair6
 		}
 	}

@@ -146,59 +173,104 @@ func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
 			delete(d.rulesPairs, pairID)
 		}
 	}
+	for pairID, rules := range d.rulesPairs6 {
+		if _, ok := newRulePairs6[pairID]; !ok {
+			for _, rule := range rules {
+				if err := d.firewall.DeleteRule(rule); err != nil {
+					log.Errorf("failed to delete firewall rule: %v", err)
+					continue
+				}
+			}
+			delete(d.rulesPairs6, pairID)
+		}
+	}
+
 	d.rulesPairs = newRulePairs
+	d.rulesPairs6 = newRulePairs6
 }

 func (d *DefaultManager) protoRuleToFirewallRule(
 	r *mgmProto.FirewallRule,
 	ipsetName string,
-) (string, []firewall.Rule, error) {
+) (string, []firewall.Rule, []firewall.Rule, error) {
 	ip := net.ParseIP(r.PeerIP)
 	if ip == nil {
-		return "", nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+		return "", nil, nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+	}
+
+	var ip6 *net.IP = nil
+	if d.firewall.V6Active() && r.PeerIP6 != "" {
+		ip6tmp := net.ParseIP(r.PeerIP6)
+		if ip6tmp == nil {
+			return "", nil, nil, fmt.Errorf("invalid IP address, skipping firewall rule")
+		}
+		ip6 = &ip6tmp
 	}

 	protocol, err := convertToFirewallProtocol(r.Protocol)
 	if err != nil {
-		return "", nil, fmt.Errorf("skipping firewall rule: %s", err)
+		return "", nil, nil, fmt.Errorf("skipping firewall rule: %s", err)
 	}

 	action, err := convertFirewallAction(r.Action)
 	if err != nil {
-		return "", nil, fmt.Errorf("skipping firewall rule: %s", err)
+		return "", nil, nil, fmt.Errorf("skipping firewall rule: %s", err)
 	}

 	var port *firewall.Port
 	if r.Port != "" {
 		value, err := strconv.Atoi(r.Port)
 		if err != nil {
-			return "", nil, fmt.Errorf("invalid port, skipping firewall rule")
+			return "", nil, nil, fmt.Errorf("invalid port, skipping firewall rule")
 		}
 		port = &firewall.Port{
 			Values: []int{value},
 		}
 	}

-	ruleID := d.getRuleID(ip, protocol, int(r.Direction), port, action, "")
+	var rules []firewall.Rule
+	var rules6 []firewall.Rule
+
+	ruleID := d.getRuleID(ip, ip6, protocol, int(r.Direction), port, action, "")
 	if rulesPair, ok := d.rulesPairs[ruleID]; ok {
-		return ruleID, rulesPair, nil
+		rules = rulesPair
+	}
+	if rulesPair6, ok := d.rulesPairs6[ruleID]; d.firewall.V6Active() && ok && ip6 != nil {
+		rules6 = rulesPair6
 	}

-	var rules []firewall.Rule
-	switch r.Direction {
-	case mgmProto.FirewallRule_IN:
-		rules, err = d.addInRules(ip, protocol, port, action, ipsetName, "")
-	case mgmProto.FirewallRule_OUT:
-		rules, err = d.addOutRules(ip, protocol, port, action, ipsetName, "")
-	default:
-		return "", nil, fmt.Errorf("invalid direction, skipping firewall rule")
+	if rules == nil {
+		switch r.Direction {
+		case mgmProto.FirewallRule_IN:
+			rules, err = d.addInRules(ip, protocol, port, action, ipsetName, "")
+		case mgmProto.FirewallRule_OUT:
+			rules, err = d.addOutRules(ip, protocol, port, action, ipsetName, "")
+		default:
+			return "", nil, nil, fmt.Errorf("invalid direction, skipping firewall rule")
+		}
 	}

 	if err != nil {
-		return "", nil, err
+		return "", nil, nil, err
 	}

-	return ruleID, rules, nil
+	if d.firewall.V6Active() && ip6 != nil && rules6 == nil {
+		switch r.Direction {
+		case mgmProto.FirewallRule_IN:
+			rules6, err = d.addInRules(*ip6, protocol, port, action, ipsetName, "")
+		case mgmProto.FirewallRule_OUT:
+			rules6, err = d.addOutRules(*ip6, protocol, port, action, ipsetName, "")
+		default:
+			return "", nil, nil, fmt.Errorf("invalid direction, skipping firewall rule")
+		}
+
+	}
+
+	if err != nil && err.Error() != "failed to add firewall rule: attempted to configure filtering for IPv6 address even though IPv6 is not active" {
+		return "", rules, nil, err
+	}
+
+	return ruleID, rules, rules6, nil
 }

 func (d *DefaultManager) addInRules(
@@ -226,8 +298,9 @@ func (d *DefaultManager) addInRules(
 	if err != nil {
 		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
 	}
+	rules = append(rules, rule...)

-	return append(rules, rule...), nil
+	return rules, nil
 }

 func (d *DefaultManager) addOutRules(
@@ -255,20 +328,26 @@ func (d *DefaultManager) addOutRules(
 	if err != nil {
 		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
 	}
+	rules = append(rules, rule...)

-	return append(rules, rule...), nil
+	return rules, nil
 }

 // getRuleID() returns unique ID for the rule based on its parameters.
 func (d *DefaultManager) getRuleID(
 	ip net.IP,
+	ip6 *net.IP,
 	proto firewall.Protocol,
 	direction int,
 	port *firewall.Port,
 	action firewall.Action,
 	comment string,
 ) string {
-	idStr := ip.String() + string(proto) + strconv.Itoa(direction) + strconv.Itoa(int(action)) + comment
+	ip6Str := ""
+	if ip6 != nil {
+		ip6Str = ip6.String()
+	}
+	idStr := ip.String() + ip6Str + string(proto) + strconv.Itoa(direction) + strconv.Itoa(int(action)) + comment
 	if port != nil {
 		idStr += port.String()
 	}
@@ -321,6 +400,8 @@ func (d *DefaultManager) squashAcceptRules(
 		// it means that rules for that protocol was already optimized on the
 		// management side
 		if r.PeerIP == "0.0.0.0" {
+			// I don't _think_ that IPv6 is relevant here, as any optimization that has r.PeerIP6 == "::" should also
+			// implicitly have r.PeerIP == "0.0.0.0".
 			squashedRules = append(squashedRules, r)
 			squashedProtocols[r.Protocol] = struct{}{}
 			return
@@ -364,6 +445,7 @@ func (d *DefaultManager) squashAcceptRules(
 			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
 			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
 				PeerIP:    "0.0.0.0",
+				PeerIP6:   "::",
 				Direction: direction,
 				Action:    mgmProto.FirewallRule_ACCEPT,
 				Protocol:  protocol,
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -19,6 +19,7 @@ func TestDefaultManager(t *testing.T) {
 		FirewallRules: []*mgmProto.FirewallRule{
 			{
 				PeerIP:    "10.93.0.1",
+				PeerIP6:   "2001:db8::fedc:ba09:8765:0001",
 				Direction: mgmProto.FirewallRule_OUT,
 				Action:    mgmProto.FirewallRule_ACCEPT,
 				Protocol:  mgmProto.FirewallRule_TCP,
@@ -26,6 +27,7 @@ func TestDefaultManager(t *testing.T) {
 			},
 			{
 				PeerIP:    "10.93.0.2",
+				PeerIP6:   "2001:db8::fedc:ba09:8765:0002",
 				Direction: mgmProto.FirewallRule_OUT,
 				Action:    mgmProto.FirewallRule_DROP,
 				Protocol:  mgmProto.FirewallRule_UDP,
@@ -50,6 +52,14 @@ func TestDefaultManager(t *testing.T) {
 		IP:      ip,
 		Network: network,
 	}).AnyTimes()
+	ip6, network6, err := net.ParseCIDR("2001:db8::fedc:ba09:8765:4321/64")
+	if err != nil {
+		t.Fatalf("failed to parse IP address: %v", err)
+	}
+	ifaceMock.EXPECT().Address6().Return(&iface.WGAddress{
+		IP:      ip6,
+		Network: network6,
+	}).AnyTimes()

 	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(context.Background(), ifaceMock)
@@ -83,6 +93,7 @@ func TestDefaultManager(t *testing.T) {
 			networkMap.FirewallRules,
 			&mgmProto.FirewallRule{
 				PeerIP:    "10.93.0.3",
+				PeerIP6:   "2001:db8::fedc:ba09:8765:0003",
 				Direction: mgmProto.FirewallRule_IN,
 				Action:    mgmProto.FirewallRule_DROP,
 				Protocol:  mgmProto.FirewallRule_ICMP,
@@ -343,6 +354,7 @@ func TestDefaultManagerEnableSSHRules(t *testing.T) {
 		IP:      ip,
 		Network: network,
 	}).AnyTimes()
+	ifaceMock.EXPECT().Address6().Return(nil).AnyTimes()

 	// we receive one rule from the management so for testing purposes ignore it
 	fw, err := firewall.NewFirewall(context.Background(), ifaceMock)
--- a/client/internal/acl/mocks/iface_mapper.go
+++ b/client/internal/acl/mocks/iface_mapper.go
@@ -1,5 +1,5 @@
 // Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/netbirdio/netbird/client/internal/acl (interfaces: IFaceMapper)
+// Source: ./client/firewall/iface.go

 // Package mocks is a generated GoMock package.
 package mocks
@@ -48,6 +48,20 @@ func (mr *MockIFaceMapperMockRecorder) Address() *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Address", reflect.TypeOf((*MockIFaceMapper)(nil).Address))
 }

+// Address6 mocks base method.
+func (m *MockIFaceMapper) Address6() *iface.WGAddress {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "Address6")
+	ret0, _ := ret[0].(*iface.WGAddress)
+	return ret0
+}
+
+// Address6 indicates an expected call of Address6.
+func (mr *MockIFaceMapperMockRecorder) Address6() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Address6", reflect.TypeOf((*MockIFaceMapper)(nil).Address6))
+}
+
 // IsUserspaceBind mocks base method.
 func (m *MockIFaceMapper) IsUserspaceBind() bool {
 	m.ctrl.T.Helper()
--- a/client/internal/auth/oauth.go
+++ b/client/internal/auth/oauth.go
@@ -26,7 +26,7 @@ type HTTPClient interface {
 }

 // AuthFlowInfo holds information for the OAuth 2.0  authorization flow
-type AuthFlowInfo struct {
+type AuthFlowInfo struct { //nolint:revive
 	DeviceCode              string `json:"device_code"`
 	UserCode                string `json:"user_code"`
 	VerificationURI         string `json:"verification_uri"`
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"reflect"
+	"strings"

 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -30,20 +32,27 @@ const (
 	DefaultAdminURL = "https://app.netbird.io:443"
 )

-var defaultInterfaceBlacklist = []string{iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
-	"Tailscale", "tailscale", "docker", "veth", "br-", "lo"}
+var defaultInterfaceBlacklist = []string{
+	iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
+	"Tailscale", "tailscale", "docker", "veth", "br-", "lo",
+}

 // ConfigInput carries configuration changes to the client
 type ConfigInput struct {
-	ManagementURL    string
-	AdminURL         string
-	ConfigPath       string
-	PreSharedKey     *string
-	NATExternalIPs   []string
-	CustomDNSAddress []byte
-	RosenpassEnabled *bool
-	InterfaceName    *string
-	WireguardPort    *int
+	ManagementURL       string
+	AdminURL            string
+	ConfigPath          string
+	PreSharedKey        *string
+	ServerSSHAllowed    *bool
+	NATExternalIPs      []string
+	CustomDNSAddress    []byte
+	RosenpassEnabled    *bool
+	RosenpassPermissive *bool
+	InterfaceName       *string
+	WireguardPort       *int
+	NetworkMonitor      *bool
+	DisableAutoConnect  *bool
+	ExtraIFaceBlackList []string
 }

 // Config Configuration type
@@ -55,9 +64,12 @@ type Config struct {
 	AdminURL             *url.URL
 	WgIface              string
 	WgPort               int
+	NetworkMonitor       bool
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
 	RosenpassEnabled     bool
+	RosenpassPermissive  bool
+	ServerSSHAllowed     *bool
 	// SSHKey is a private SSH key in a PEM format
 	SSHKey string

@@ -79,6 +91,10 @@ type Config struct {
 	NATExternalIPs []string
 	// CustomDNSAddress sets the DNS resolver listening address in format ip:port
 	CustomDNSAddress string
+
+	// DisableAutoConnect determines whether the client should not start with the service
+	// it's set to false by default due to backwards compatibility
+	DisableAutoConnect bool
 }

 // ReadConfig read config file and return with Config. If it is not exists create a new with default values
@@ -88,6 +104,15 @@ func ReadConfig(configPath string) (*Config, error) {
 		if _, err := util.ReadJson(configPath, config); err != nil {
 			return nil, err
 		}
+		// initialize through apply() without changes
+		if changed, err := config.apply(ConfigInput{}); err != nil {
+			return nil, err
+		} else if changed {
+			if err = WriteOutConfig(configPath, config); err != nil {
+				return nil, err
+			}
+		}
+
 		return config, nil
 	}

@@ -139,68 +164,15 @@ func WriteOutConfig(path string, config *Config) error {

 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
-	wgKey := generateKey()
-	pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-	if err != nil {
-		return nil, err
-	}
-
 	config := &Config{
-		SSHKey:               string(pem),
-		PrivateKey:           wgKey,
-		IFaceBlackList:       []string{},
-		DisableIPv6Discovery: false,
-		NATExternalIPs:       input.NATExternalIPs,
-		CustomDNSAddress:     string(input.CustomDNSAddress),
+		// defaults to false only for new (post 0.26) configurations
+		ServerSSHAllowed: util.False(),
 	}

-	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
-	if err != nil {
+	if _, err := config.apply(input); err != nil {
 		return nil, err
 	}

-	config.ManagementURL = defaultManagementURL
-	if input.ManagementURL != "" {
-		URL, err := parseURL("Management URL", input.ManagementURL)
-		if err != nil {
-			return nil, err
-		}
-		config.ManagementURL = URL
-	}
-
-	config.WgPort = iface.DefaultWgPort
-	if input.WireguardPort != nil {
-		config.WgPort = *input.WireguardPort
-	}
-
-	config.WgIface = iface.WgInterfaceDefault
-	if input.InterfaceName != nil {
-		config.WgIface = *input.InterfaceName
-	}
-
-	if input.PreSharedKey != nil {
-		config.PreSharedKey = *input.PreSharedKey
-	}
-
-	if input.RosenpassEnabled != nil {
-		config.RosenpassEnabled = *input.RosenpassEnabled
-	}
-
-	defaultAdminURL, err := parseURL("Admin URL", DefaultAdminURL)
-	if err != nil {
-		return nil, err
-	}
-
-	config.AdminURL = defaultAdminURL
-	if input.AdminURL != "" {
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
-		if err != nil {
-			return nil, err
-		}
-		config.AdminURL = newURL
-	}
-
-	config.IFaceBlackList = defaultInterfaceBlacklist
 	return config, nil
 }

@@ -211,77 +183,12 @@ func update(input ConfigInput) (*Config, error) {
 		return nil, err
 	}

-	refresh := false
-
-	if input.ManagementURL != "" && config.ManagementURL.String() != input.ManagementURL {
-		log.Infof("new Management URL provided, updated to %s (old value %s)",
-			input.ManagementURL, config.ManagementURL)
-		newURL, err := parseURL("Management URL", input.ManagementURL)
-		if err != nil {
-			return nil, err
-		}
-		config.ManagementURL = newURL
-		refresh = true
+	updated, err := config.apply(input)
+	if err != nil {
+		return nil, err
 	}

-	if input.AdminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != input.AdminURL) {
-		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
-			input.AdminURL, config.AdminURL)
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
-		if err != nil {
-			return nil, err
-		}
-		config.AdminURL = newURL
-		refresh = true
-	}
-
-	if input.PreSharedKey != nil && config.PreSharedKey != *input.PreSharedKey {
-		log.Infof("new pre-shared key provided, replacing old key")
-		config.PreSharedKey = *input.PreSharedKey
-		refresh = true
-	}
-
-	if config.SSHKey == "" {
-		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-		if err != nil {
-			return nil, err
-		}
-		config.SSHKey = string(pem)
-		refresh = true
-	}
-
-	if config.WgPort == 0 {
-		config.WgPort = iface.DefaultWgPort
-		refresh = true
-	}
-
-	if input.WireguardPort != nil {
-		config.WgPort = *input.WireguardPort
-		refresh = true
-	}
-
-	if input.InterfaceName != nil {
-		config.WgIface = *input.InterfaceName
-		refresh = true
-	}
-
-	if input.NATExternalIPs != nil && len(config.NATExternalIPs) != len(input.NATExternalIPs) {
-		config.NATExternalIPs = input.NATExternalIPs
-		refresh = true
-	}
-
-	if input.CustomDNSAddress != nil {
-		config.CustomDNSAddress = string(input.CustomDNSAddress)
-		refresh = true
-	}
-
-	if input.RosenpassEnabled != nil {
-		config.RosenpassEnabled = *input.RosenpassEnabled
-		refresh = true
-	}
-
-	if refresh {
-		// since we have new management URL, we need to update config file
+	if updated {
 		if err := util.WriteJson(input.ConfigPath, config); err != nil {
 			return nil, err
 		}
@@ -290,6 +197,169 @@ func update(input ConfigInput) (*Config, error) {
 	return config, nil
 }

+func (config *Config) apply(input ConfigInput) (updated bool, err error) {
+	if config.ManagementURL == nil {
+		log.Infof("using default Management URL %s", DefaultManagementURL)
+		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
+		if err != nil {
+			return false, err
+		}
+	}
+	if input.ManagementURL != "" && input.ManagementURL != config.ManagementURL.String() {
+		log.Infof("new Management URL provided, updated to %#v (old value %#v)",
+			input.ManagementURL, config.ManagementURL.String())
+		URL, err := parseURL("Management URL", input.ManagementURL)
+		if err != nil {
+			return false, err
+		}
+		config.ManagementURL = URL
+		updated = true
+	} else if config.ManagementURL == nil {
+		log.Infof("using default Management URL %s", DefaultManagementURL)
+		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	if config.AdminURL == nil {
+		log.Infof("using default Admin URL %s", DefaultManagementURL)
+		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
+		if err != nil {
+			return false, err
+		}
+	}
+	if input.AdminURL != "" && input.AdminURL != config.AdminURL.String() {
+		log.Infof("new Admin Panel URL provided, updated to %#v (old value %#v)",
+			input.AdminURL, config.AdminURL.String())
+		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
+		if err != nil {
+			return updated, err
+		}
+		config.AdminURL = newURL
+		updated = true
+	}
+
+	if config.PrivateKey == "" {
+		log.Infof("generated new Wireguard key")
+		config.PrivateKey = generateKey()
+		updated = true
+	}
+
+	if config.SSHKey == "" {
+		log.Infof("generated new SSH key")
+		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
+		if err != nil {
+			return false, err
+		}
+		config.SSHKey = string(pem)
+		updated = true
+	}
+
+	if input.WireguardPort != nil && *input.WireguardPort != config.WgPort {
+		log.Infof("updating Wireguard port %d (old value %d)",
+			*input.WireguardPort, config.WgPort)
+		config.WgPort = *input.WireguardPort
+		updated = true
+	} else if config.WgPort == 0 {
+		config.WgPort = iface.DefaultWgPort
+		log.Infof("using default Wireguard port %d", config.WgPort)
+		updated = true
+	}
+
+	if input.InterfaceName != nil && *input.InterfaceName != config.WgIface {
+		log.Infof("updating Wireguard interface %#v (old value %#v)",
+			*input.InterfaceName, config.WgIface)
+		config.WgIface = *input.InterfaceName
+		updated = true
+	} else if config.WgIface == "" {
+		config.WgIface = iface.WgInterfaceDefault
+		log.Infof("using default Wireguard interface %s", config.WgIface)
+		updated = true
+	}
+
+	if input.NATExternalIPs != nil && !reflect.DeepEqual(config.NATExternalIPs, input.NATExternalIPs) {
+		log.Infof("updating NAT External IP [ %s ] (old value: [ %s ])",
+			strings.Join(input.NATExternalIPs, " "),
+			strings.Join(config.NATExternalIPs, " "))
+		config.NATExternalIPs = input.NATExternalIPs
+		updated = true
+	}
+
+	if input.PreSharedKey != nil && *input.PreSharedKey != config.PreSharedKey {
+		log.Infof("new pre-shared key provided, replacing old key")
+		config.PreSharedKey = *input.PreSharedKey
+		updated = true
+	}
+
+	if input.RosenpassEnabled != nil && *input.RosenpassEnabled != config.RosenpassEnabled {
+		log.Infof("switching Rosenpass to %t", *input.RosenpassEnabled)
+		config.RosenpassEnabled = *input.RosenpassEnabled
+		updated = true
+	}
+
+	if input.RosenpassPermissive != nil && *input.RosenpassPermissive != config.RosenpassPermissive {
+		log.Infof("switching Rosenpass permissive to %t", *input.RosenpassPermissive)
+		config.RosenpassPermissive = *input.RosenpassPermissive
+		updated = true
+	}
+
+	if input.NetworkMonitor != nil && *input.NetworkMonitor != config.NetworkMonitor {
+		log.Infof("switching Network Monitor to %t", *input.NetworkMonitor)
+		config.NetworkMonitor = *input.NetworkMonitor
+		updated = true
+	}
+
+	if input.CustomDNSAddress != nil && string(input.CustomDNSAddress) != config.CustomDNSAddress {
+		log.Infof("updating custom DNS address %#v (old value %#v)",
+			string(input.CustomDNSAddress), config.CustomDNSAddress)
+		config.CustomDNSAddress = string(input.CustomDNSAddress)
+		updated = true
+	}
+
+	if len(config.IFaceBlackList) == 0 {
+		log.Infof("filling in interface blacklist with defaults: [ %s ]",
+			strings.Join(defaultInterfaceBlacklist, " "))
+		config.IFaceBlackList = append(config.IFaceBlackList, defaultInterfaceBlacklist...)
+		updated = true
+	}
+
+	if len(input.ExtraIFaceBlackList) > 0 {
+		for _, iFace := range util.SliceDiff(input.ExtraIFaceBlackList, config.IFaceBlackList) {
+			log.Infof("adding new entry to interface blacklist: %s", iFace)
+			config.IFaceBlackList = append(config.IFaceBlackList, iFace)
+			updated = true
+		}
+	}
+
+	if input.DisableAutoConnect != nil && *input.DisableAutoConnect != config.DisableAutoConnect {
+		if *input.DisableAutoConnect {
+			log.Infof("turning off automatic connection on startup")
+		} else {
+			log.Infof("enabling automatic connection on startup")
+		}
+		config.DisableAutoConnect = *input.DisableAutoConnect
+		updated = true
+	}
+
+	if input.ServerSSHAllowed != nil && *input.ServerSSHAllowed != *config.ServerSSHAllowed {
+		if *input.ServerSSHAllowed {
+			log.Infof("enabling SSH server")
+		} else {
+			log.Infof("disabling SSH server")
+		}
+		config.ServerSSHAllowed = input.ServerSSHAllowed
+		updated = true
+	} else if config.ServerSSHAllowed == nil {
+		// enables SSH for configs from old versions to preserve backwards compatibility
+		log.Infof("falling back to enabled SSH server for pre-existing configuration")
+		config.ServerSSHAllowed = util.True()
+		updated = true
+	}
+
+	return updated, nil
+}
+
 // parseURL parses and validates a service URL
 func parseURL(serviceName, serviceURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)
@@ -344,7 +414,6 @@ func configFileIsExists(path string) bool {
 // If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
 // The check is performed only for the NetBird's managed version.
 func UpdateOldManagementURL(ctx context.Context, config *Config, configPath string) (*Config, error) {
-
 	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
 	if err != nil {
 		return nil, err
--- a/client/internal/config_test.go
+++ b/client/internal/config_test.go
@@ -18,7 +18,6 @@ func TestGetConfig(t *testing.T) {
 	config, err := UpdateOrCreateConfig(ConfigInput{
 		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
 	})
-
 	if err != nil {
 		return
 	}
@@ -86,6 +85,26 @@ func TestGetConfig(t *testing.T) {
 	assert.Equal(t, readConf.(*Config).ManagementURL.String(), newManagementURL)
 }

+func TestExtraIFaceBlackList(t *testing.T) {
+	extraIFaceBlackList := []string{"eth1"}
+	path := filepath.Join(t.TempDir(), "config.json")
+	config, err := UpdateOrCreateConfig(ConfigInput{
+		ConfigPath:          path,
+		ExtraIFaceBlackList: extraIFaceBlackList,
+	})
+	if err != nil {
+		return
+	}
+
+	assert.Contains(t, config.IFaceBlackList, "eth1")
+	readConf, err := util.ReadJson(path, config)
+	if err != nil {
+		return
+	}
+
+	assert.Contains(t, readConf.(*Config).IFaceBlackList, "eth1")
+}
+
 func TestHiddenPreSharedKey(t *testing.T) {
 	hidden := "**********"
 	samplePreSharedKey := "mysecretpresharedkey"
@@ -111,7 +130,6 @@ func TestHiddenPreSharedKey(t *testing.T) {
 				ConfigPath:   cfgFile,
 				PreSharedKey: tt.preSharedKey,
 			})
-
 			if err != nil {
 				t.Fatalf("failed to get cfg: %s", err)
 			}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -4,7 +4,11 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
+	"runtime"
+	"runtime/debug"
 	"strings"
+	"sync"
 	"time"

 	"github.com/cenkalti/backoff/v4"
@@ -23,32 +27,49 @@ import (
 	mgm "github.com/netbirdio/netbird/management/client"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 	signal "github.com/netbirdio/netbird/signal/client"
+	"github.com/netbirdio/netbird/util"
 	"github.com/netbirdio/netbird/version"
 )

-// RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status) error {
-	return runClient(ctx, config, statusRecorder, MobileDependency{}, nil, nil, nil, nil)
+type ConnectClient struct {
+	ctx            context.Context
+	config         *Config
+	statusRecorder *peer.Status
+	engine         *Engine
+	engineMutex    sync.Mutex
 }

-// RunClientWithProbes runs the client's main logic with probes attached
-func RunClientWithProbes(
+func NewConnectClient(
 	ctx context.Context,
 	config *Config,
 	statusRecorder *peer.Status,
+
+) *ConnectClient {
+	return &ConnectClient{
+		ctx:            ctx,
+		config:         config,
+		statusRecorder: statusRecorder,
+		engineMutex:    sync.Mutex{},
+	}
+}
+
+// Run with main logic.
+func (c *ConnectClient) Run() error {
+	return c.run(MobileDependency{}, nil, nil, nil, nil)
+}
+
+// RunWithProbes runs the client's main logic with probes attached
+func (c *ConnectClient) RunWithProbes(
 	mgmProbe *Probe,
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
 ) error {
-	return runClient(ctx, config, statusRecorder, MobileDependency{}, mgmProbe, signalProbe, relayProbe, wgProbe)
+	return c.run(MobileDependency{}, mgmProbe, signalProbe, relayProbe, wgProbe)
 }

-// RunClientMobile with main logic on mobile system
-func RunClientMobile(
-	ctx context.Context,
-	config *Config,
-	statusRecorder *peer.Status,
+// RunOnAndroid with main logic on mobile system
+func (c *ConnectClient) RunOnAndroid(
 	tunAdapter iface.TunAdapter,
 	iFaceDiscover stdnet.ExternalIFaceDiscover,
 	networkChangeListener listener.NetworkChangeListener,
@@ -63,40 +84,43 @@ func RunClientMobile(
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 	}
-	return runClient(ctx, config, statusRecorder, mobileDependency, nil, nil, nil, nil)
+	return c.run(mobileDependency, nil, nil, nil, nil)
 }

-func RunClientiOS(
-	ctx context.Context,
-	config *Config,
-	statusRecorder *peer.Status,
+func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
 ) error {
+	// Set GC percent to 5% to reduce memory usage as iOS only allows 50MB of memory for the extension.
+	debug.SetGCPercent(5)
+
 	mobileDependency := MobileDependency{
 		FileDescriptor:        fileDescriptor,
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
 	}
-	return runClient(ctx, config, statusRecorder, mobileDependency, nil, nil, nil, nil)
+	return c.run(mobileDependency, nil, nil, nil, nil)
 }

-func runClient(
-	ctx context.Context,
-	config *Config,
-	statusRecorder *peer.Status,
+func (c *ConnectClient) run(
 	mobileDependency MobileDependency,
 	mgmProbe *Probe,
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
 ) error {
-	log.Infof("starting NetBird client version %s", version.NetbirdVersion())
+	defer func() {
+		if r := recover(); r != nil {
+			log.Panicf("Panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
+		}
+	}()
+
+	log.Infof("starting NetBird client version %s on %s/%s", version.NetbirdVersion(), runtime.GOOS, runtime.GOARCH)

 	// Check if client was not shut down in a clean way and restore DNS config if required.
 	// Otherwise, we might not be able to connect to the management server to retrieve new config.
-	if err := dns.CheckUncleanShutdown(config.WgIface); err != nil {
+	if err := dns.CheckUncleanShutdown(c.config.WgIface); err != nil {
 		log.Errorf("checking unclean shutdown error: %s", err)
 	}

@@ -110,7 +134,7 @@ func runClient(
 		Clock:               backoff.SystemClock,
 	}

-	state := CtxGetState(ctx)
+	state := CtxGetState(c.ctx)
 	defer func() {
 		s, err := state.Status()
 		if err != nil || s != StatusNeedsLogin {
@@ -119,49 +143,49 @@ func runClient(
 	}()

 	wrapErr := state.Wrap
-	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	myPrivateKey, err := wgtypes.ParseKey(c.config.PrivateKey)
 	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		log.Errorf("failed parsing Wireguard key %s: [%s]", c.config.PrivateKey, err.Error())
 		return wrapErr(err)
 	}

 	var mgmTlsEnabled bool
-	if config.ManagementURL.Scheme == "https" {
+	if c.config.ManagementURL.Scheme == "https" {
 		mgmTlsEnabled = true
 	}

-	publicSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
+	publicSSHKey, err := ssh.GeneratePublicKey([]byte(c.config.SSHKey))
 	if err != nil {
 		return err
 	}

-	defer statusRecorder.ClientStop()
+	defer c.statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
 		select {
-		case <-ctx.Done():
+		case <-c.ctx.Done():
 			return nil
 		default:
 		}

 		state.Set(StatusConnecting)

-		engineCtx, cancel := context.WithCancel(ctx)
+		engineCtx, cancel := context.WithCancel(c.ctx)
 		defer func() {
-			statusRecorder.MarkManagementDisconnected(state.err)
-			statusRecorder.CleanLocalPeerState()
+			c.statusRecorder.MarkManagementDisconnected(state.err)
+			c.statusRecorder.CleanLocalPeerState()
 			cancel()
 		}()

-		log.Debugf("connecting to the Management service %s", config.ManagementURL.Host)
-		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		log.Debugf("connecting to the Management service %s", c.config.ManagementURL.Host)
+		mgmClient, err := mgm.NewClient(engineCtx, c.config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
-		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
+		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)

-		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
+		log.Debugf("connected to the Management service %s", c.config.ManagementURL.Host)
 		defer func() {
 			err = mgmClient.Close()
 			if err != nil {
@@ -179,7 +203,7 @@ func runClient(
 			}
 			return wrapErr(err)
 		}
-		statusRecorder.MarkManagementConnected()
+		c.statusRecorder.MarkManagementConnected()

 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
@@ -188,18 +212,18 @@ func runClient(
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}

-		statusRecorder.UpdateLocalPeerState(localPeerState)
+		c.statusRecorder.UpdateLocalPeerState(localPeerState)

 		signalURL := fmt.Sprintf("%s://%s",
 			strings.ToLower(loginResp.GetWiretrusteeConfig().GetSignal().GetProtocol().String()),
 			loginResp.GetWiretrusteeConfig().GetSignal().GetUri(),
 		)

-		statusRecorder.UpdateSignalAddress(signalURL)
+		c.statusRecorder.UpdateSignalAddress(signalURL)

-		statusRecorder.MarkSignalDisconnected(nil)
+		c.statusRecorder.MarkSignalDisconnected(nil)
 		defer func() {
-			statusRecorder.MarkSignalDisconnected(state.err)
+			c.statusRecorder.MarkSignalDisconnected(state.err)
 		}()

 		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
@@ -215,35 +239,38 @@ func runClient(
 			}
 		}()

-		signalNotifier := statusRecorderToSignalConnStateNotifier(statusRecorder)
+		signalNotifier := statusRecorderToSignalConnStateNotifier(c.statusRecorder)
 		signalClient.SetConnStateListener(signalNotifier)

-		statusRecorder.MarkSignalConnected()
+		c.statusRecorder.MarkSignalConnected()

 		peerConfig := loginResp.GetPeerConfig()

-		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
 		if err != nil {
 			log.Error(err)
 			return wrapErr(err)
 		}

-		engine := NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe)
-		err = engine.Start()
+		c.engineMutex.Lock()
+		c.engine = NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, c.statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe)
+		c.engineMutex.Unlock()
+
+		err = c.engine.Start()
 		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}

-		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
+		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)

 		<-engineCtx.Done()
-		statusRecorder.ClientTeardown()
+		c.statusRecorder.ClientTeardown()

 		backOff.Reset()

-		err = engine.Stop()
+		err = c.engine.Stop()
 		if err != nil {
 			log.Errorf("failed stopping engine %v", err)
 			return wrapErr(err)
@@ -258,7 +285,7 @@ func runClient(
 		return nil
 	}

-	statusRecorder.ClientStart()
+	c.statusRecorder.ClientStart()
 	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
@@ -270,19 +297,31 @@ func runClient(
 	return nil
 }

+func (c *ConnectClient) Engine() *Engine {
+	var e *Engine
+	c.engineMutex.Lock()
+	e = c.engine
+	c.engineMutex.Unlock()
+	return e
+}
+
 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
 	engineConf := &EngineConfig{
 		WgIfaceName:          config.WgIface,
 		WgAddr:               peerConfig.Address,
+		WgAddr6:              peerConfig.Address6,
 		IFaceBlackList:       config.IFaceBlackList,
 		DisableIPv6Discovery: config.DisableIPv6Discovery,
 		WgPrivateKey:         key,
 		WgPort:               config.WgPort,
+		NetworkMonitor:       config.NetworkMonitor,
 		SSHKey:               []byte(config.SSHKey),
 		NATExternalIPs:       config.NATExternalIPs,
 		CustomDNSAddress:     config.CustomDNSAddress,
 		RosenpassEnabled:     config.RosenpassEnabled,
+		RosenpassPermissive:  config.RosenpassPermissive,
+		ServerSSHAllowed:     util.ReturnBoolWithDefaultTrue(config.ServerSSHAllowed),
 	}

 	if config.PreSharedKey != "" {
@@ -293,6 +332,15 @@ func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.Pe
 		engineConf.PreSharedKey = &preSharedKey
 	}

+	port, err := freePort(config.WgPort)
+	if err != nil {
+		return nil, err
+	}
+	if port != config.WgPort {
+		log.Infof("using %d as wireguard port: %d is in use", port, config.WgPort)
+	}
+	engineConf.WgPort = port
+
 	return engineConf, nil
 }

@@ -342,3 +390,20 @@ func statusRecorderToSignalConnStateNotifier(statusRecorder *peer.Status) signal
 	notifier, _ := sri.(signal.ConnStateNotifier)
 	return notifier
 }
+
+func freePort(start int) (int, error) {
+	addr := net.UDPAddr{}
+	if start == 0 {
+		start = iface.DefaultWgPort
+	}
+	for x := start; x <= 65535; x++ {
+		addr.Port = x
+		conn, err := net.ListenUDP("udp", &addr)
+		if err != nil {
+			continue
+		}
+		conn.Close()
+		return x, nil
+	}
+	return 0, errors.New("no free ports")
+}
--- a/client/internal/connect_test.go
+++ b/client/internal/connect_test.go
@@ -0,0 +1,57 @@
+package internal
+
+import (
+	"net"
+	"testing"
+)
+
+func Test_freePort(t *testing.T) {
+	tests := []struct {
+		name    string
+		port    int
+		want    int
+		wantErr bool
+	}{
+		{
+			name:    "available",
+			port:    51820,
+			want:    51820,
+			wantErr: false,
+		},
+		{
+			name:    "notavailable",
+			port:    51830,
+			want:    51831,
+			wantErr: false,
+		},
+		{
+			name:    "noports",
+			port:    65535,
+			want:    0,
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+
+		c1, err := net.ListenUDP("udp", &net.UDPAddr{Port: 51830})
+		if err != nil {
+			t.Errorf("freePort error = %v", err)
+		}
+		c2, err := net.ListenUDP("udp", &net.UDPAddr{Port: 65535})
+		if err != nil {
+			t.Errorf("freePort error = %v", err)
+		}
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := freePort(tt.port)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("freePort() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("freePort() = %v, want %v", got, tt.want)
+			}
+		})
+		c1.Close()
+		c2.Close()
+	}
+}
--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -8,6 +8,7 @@ import (
 	"net/netip"
 	"os"
 	"strings"
+	"time"

 	log "github.com/sirupsen/logrus"
 )
@@ -23,10 +24,16 @@ const (
 	fileMaxNumberOfSearchDomains = 6
 )

+const (
+	dnsFailoverTimeout  = 4 * time.Second
+	dnsFailoverAttempts = 1
+)
+
 type fileConfigurator struct {
 	repair *repair

-	originalPerms os.FileMode
+	originalPerms  os.FileMode
+	nbNameserverIP string
 }

 func newFileConfigurator() (hostManager, error) {
@@ -40,31 +47,27 @@ func (f *fileConfigurator) supportCustomPort() bool {
 }

 func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {
-	backupFileExist := false
-	_, err := os.Stat(fileDefaultResolvConfBackupLocation)
-	if err == nil {
-		backupFileExist = true
-	}
-
+	backupFileExist := f.isBackupFileExist()
 	if !config.RouteAll {
 		if backupFileExist {
-			err = f.restore()
+			f.repair.stopWatchFileChanges()
+			err := f.restore()
 			if err != nil {
-				return fmt.Errorf("unable to configure DNS for this peer using file manager without a Primary nameserver group. Restoring the original file return err: %w", err)
+				return fmt.Errorf("restoring the original resolv.conf file return err: %w", err)
 			}
 		}
 		return fmt.Errorf("unable to configure DNS for this peer using file manager without a nameserver group with all domains configured")
 	}

 	if !backupFileExist {
-		err = f.backup()
+		err := f.backup()
 		if err != nil {
 			return fmt.Errorf("unable to backup the resolv.conf file: %w", err)
 		}
 	}

 	nbSearchDomains := searchDomains(config)
-	nbNameserverIP := config.ServerIP
+	f.nbNameserverIP = config.ServerIP

 	resolvConf, err := parseBackupResolvConf()
 	if err != nil {
@@ -73,11 +76,11 @@ func (f *fileConfigurator) applyDNSConfig(config HostDNSConfig) error {

 	f.repair.stopWatchFileChanges()

-	err = f.updateConfig(nbSearchDomains, nbNameserverIP, resolvConf)
+	err = f.updateConfig(nbSearchDomains, f.nbNameserverIP, resolvConf)
 	if err != nil {
 		return err
 	}
-	f.repair.watchFileChanges(nbSearchDomains, nbNameserverIP)
+	f.repair.watchFileChanges(nbSearchDomains, f.nbNameserverIP)
 	return nil
 }

@@ -85,10 +88,11 @@ func (f *fileConfigurator) updateConfig(nbSearchDomains []string, nbNameserverIP
 	searchDomainList := mergeSearchDomains(nbSearchDomains, cfg.searchDomains)
 	nameServers := generateNsList(nbNameserverIP, cfg)

+	options := prepareOptionsWithTimeout(cfg.others, int(dnsFailoverTimeout.Seconds()), dnsFailoverAttempts)
 	buf := prepareResolvConfContent(
 		searchDomainList,
 		nameServers,
-		cfg.others)
+		options)

 	log.Debugf("creating managed file %s", defaultResolvConfPath)
 	err := os.WriteFile(defaultResolvConfPath, buf.Bytes(), f.originalPerms)
@@ -131,7 +135,12 @@ func (f *fileConfigurator) backup() error {
 }

 func (f *fileConfigurator) restore() error {
-	err := copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
+	err := removeFirstNbNameserver(fileDefaultResolvConfBackupLocation, f.nbNameserverIP)
+	if err != nil {
+		log.Errorf("Failed to remove netbird nameserver from %s on backup restore: %s", fileDefaultResolvConfBackupLocation, err)
+	}
+
+	err = copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
 	if err != nil {
 		return fmt.Errorf("restoring %s from %s: %w", defaultResolvConfPath, fileDefaultResolvConfBackupLocation, err)
 	}
@@ -157,7 +166,7 @@ func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Add
 	currentDNSAddress, err := netip.ParseAddr(resolvConf.nameServers[0])
 	// not a valid first nameserver -> restore
 	if err != nil {
-		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[1], err)
+		log.Errorf("restoring unclean shutdown: parse dns address %s failed: %s", resolvConf.nameServers[0], err)
 		return restoreResolvConfFile()
 	}

@@ -171,6 +180,11 @@ func (f *fileConfigurator) restoreUncleanShutdownDNS(storedDNSAddress *netip.Add
 	return nil
 }

+func (f *fileConfigurator) isBackupFileExist() bool {
+	_, err := os.Stat(fileDefaultResolvConfBackupLocation)
+	return err == nil
+}
+
 func restoreResolvConfFile() error {
 	log.Debugf("restoring unclean shutdown: restoring %s from %s", defaultResolvConfPath, fileUncleanShutdownResolvConfLocation)

--- a/client/internal/dns/file_parser_linux.go
+++ b/client/internal/dns/file_parser_linux.go
@@ -5,6 +5,7 @@ package dns
 import (
 	"fmt"
 	"os"
+	"regexp"
 	"strings"

 	log "github.com/sirupsen/logrus"
@@ -14,6 +15,9 @@ const (
 	defaultResolvConfPath = "/etc/resolv.conf"
 )

+var timeoutRegex = regexp.MustCompile(`timeout:\d+`)
+var attemptsRegex = regexp.MustCompile(`attempts:\d+`)
+
 type resolvConf struct {
 	nameServers   []string
 	searchDomains []string
@@ -103,3 +107,62 @@ func parseResolvConfFile(resolvConfFile string) (*resolvConf, error) {
 	}
 	return rconf, nil
 }
+
+// prepareOptionsWithTimeout appends timeout to existing options if it doesn't exist,
+// otherwise it adds a new option with timeout and attempts.
+func prepareOptionsWithTimeout(input []string, timeout int, attempts int) []string {
+	configs := make([]string, len(input))
+	copy(configs, input)
+
+	for i, config := range configs {
+		if strings.HasPrefix(config, "options") {
+			config = strings.ReplaceAll(config, "rotate", "")
+			config = strings.Join(strings.Fields(config), " ")
+
+			if strings.Contains(config, "timeout:") {
+				config = timeoutRegex.ReplaceAllString(config, fmt.Sprintf("timeout:%d", timeout))
+			} else {
+				config = strings.Replace(config, "options ", fmt.Sprintf("options timeout:%d ", timeout), 1)
+			}
+
+			if strings.Contains(config, "attempts:") {
+				config = attemptsRegex.ReplaceAllString(config, fmt.Sprintf("attempts:%d", attempts))
+			} else {
+				config = strings.Replace(config, "options ", fmt.Sprintf("options attempts:%d ", attempts), 1)
+			}
+
+			configs[i] = config
+			return configs
+		}
+	}
+
+	return append(configs, fmt.Sprintf("options timeout:%d attempts:%d", timeout, attempts))
+}
+
+// removeFirstNbNameserver removes the given nameserver from the given file if it is in the first position
+// and writes the file back to the original location
+func removeFirstNbNameserver(filename, nameserverIP string) error {
+	resolvConf, err := parseResolvConfFile(filename)
+	if err != nil {
+		return fmt.Errorf("parse backup resolv.conf: %w", err)
+	}
+	content, err := os.ReadFile(filename)
+	if err != nil {
+		return fmt.Errorf("read %s: %w", filename, err)
+	}
+
+	if len(resolvConf.nameServers) > 1 && resolvConf.nameServers[0] == nameserverIP {
+		newContent := strings.Replace(string(content), fmt.Sprintf("nameserver %s\n", nameserverIP), "", 1)
+
+		stat, err := os.Stat(filename)
+		if err != nil {
+			return fmt.Errorf("stat %s: %w", filename, err)
+		}
+		if err := os.WriteFile(filename, []byte(newContent), stat.Mode()); err != nil {
+			return fmt.Errorf("write %s: %w", filename, err)
+		}
+
+	}
+
+	return nil
+}
--- a/client/internal/dns/file_parser_linux_test.go
+++ b/client/internal/dns/file_parser_linux_test.go
@@ -6,6 +6,8 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )

 func Test_parseResolvConf(t *testing.T) {
@@ -172,3 +174,131 @@ nameserver 192.168.0.1
 		t.Errorf("unexpected resolv.conf content: %v", cfg)
 	}
 }
+
+func TestPrepareOptionsWithTimeout(t *testing.T) {
+	tests := []struct {
+		name     string
+		others   []string
+		timeout  int
+		attempts int
+		expected []string
+	}{
+		{
+			name:     "Append new options with timeout and attempts",
+			others:   []string{"some config"},
+			timeout:  2,
+			attempts: 2,
+			expected: []string{"some config", "options timeout:2 attempts:2"},
+		},
+		{
+			name:     "Modify existing options to exclude rotate and include timeout and attempts",
+			others:   []string{"some config", "options rotate someother"},
+			timeout:  3,
+			attempts: 2,
+			expected: []string{"some config", "options attempts:2 timeout:3 someother"},
+		},
+		{
+			name:     "Existing options with timeout and attempts are updated",
+			others:   []string{"some config", "options timeout:4 attempts:3"},
+			timeout:  5,
+			attempts: 4,
+			expected: []string{"some config", "options timeout:5 attempts:4"},
+		},
+		{
+			name:     "Modify existing options, add missing attempts before timeout",
+			others:   []string{"some config", "options timeout:4"},
+			timeout:  4,
+			attempts: 3,
+			expected: []string{"some config", "options attempts:3 timeout:4"},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := prepareOptionsWithTimeout(tc.others, tc.timeout, tc.attempts)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+func TestRemoveFirstNbNameserver(t *testing.T) {
+	testCases := []struct {
+		name       string
+		content    string
+		ipToRemove string
+		expected   string
+	}{
+		{
+			name: "Unrelated nameservers with comments and options",
+			content: `# This is a comment
+options rotate
+nameserver 1.1.1.1
+# Another comment
+nameserver 8.8.4.4
+search example.com`,
+			ipToRemove: "9.9.9.9",
+			expected: `# This is a comment
+options rotate
+nameserver 1.1.1.1
+# Another comment
+nameserver 8.8.4.4
+search example.com`,
+		},
+		{
+			name: "First nameserver matches",
+			content: `search example.com
+nameserver 9.9.9.9
+# oof, a comment
+nameserver 8.8.4.4
+options attempts:5`,
+			ipToRemove: "9.9.9.9",
+			expected: `search example.com
+# oof, a comment
+nameserver 8.8.4.4
+options attempts:5`,
+		},
+		{
+			name: "Target IP not the first nameserver",
+			// nolint:dupword
+			content: `# Comment about the first nameserver
+nameserver 8.8.4.4
+# Comment before our target
+nameserver 9.9.9.9
+options timeout:2`,
+			ipToRemove: "9.9.9.9",
+			// nolint:dupword
+			expected: `# Comment about the first nameserver
+nameserver 8.8.4.4
+# Comment before our target
+nameserver 9.9.9.9
+options timeout:2`,
+		},
+		{
+			name: "Only nameserver matches",
+			content: `options debug
+nameserver 9.9.9.9
+search localdomain`,
+			ipToRemove: "9.9.9.9",
+			expected: `options debug
+nameserver 9.9.9.9
+search localdomain`,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			tempDir := t.TempDir()
+			tempFile := filepath.Join(tempDir, "resolv.conf")
+			err := os.WriteFile(tempFile, []byte(tc.content), 0644)
+			assert.NoError(t, err)
+
+			err = removeFirstNbNameserver(tempFile, tc.ipToRemove)
+			assert.NoError(t, err)
+
+			content, err := os.ReadFile(tempFile)
+			assert.NoError(t, err)
+
+			assert.Equal(t, tc.expected, string(content), "The resulting content should match the expected output.")
+		})
+	}
+}
--- a/client/internal/dns/host_linux.go
+++ b/client/internal/dns/host_linux.go
@@ -65,7 +65,7 @@ func newHostManager(wgInterface string) (hostManager, error) {
 		return nil, err
 	}

-	log.Debugf("discovered mode is: %s", osManager)
+	log.Infof("System DNS manager discovered: %s", osManager)
 	return newHostManagerFromType(wgInterface, osManager)
 }

--- a/client/internal/dns/hosts_dns_holder.go
+++ b/client/internal/dns/hosts_dns_holder.go
@@ -0,0 +1,63 @@
+package dns
+
+import (
+	"fmt"
+	"net/netip"
+	"sync"
+
+	log "github.com/sirupsen/logrus"
+)
+
+type hostsDNSHolder struct {
+	unprotectedDNSList map[string]struct{}
+	mutex              sync.RWMutex
+}
+
+func newHostsDNSHolder() *hostsDNSHolder {
+	return &hostsDNSHolder{
+		unprotectedDNSList: make(map[string]struct{}),
+	}
+}
+
+func (h *hostsDNSHolder) set(list []string) {
+	h.mutex.Lock()
+	h.unprotectedDNSList = make(map[string]struct{})
+	for _, dns := range list {
+		dnsAddr, err := h.normalizeAddress(dns)
+		if err != nil {
+			continue
+		}
+		h.unprotectedDNSList[dnsAddr] = struct{}{}
+	}
+	h.mutex.Unlock()
+}
+
+func (h *hostsDNSHolder) get() map[string]struct{} {
+	h.mutex.RLock()
+	l := h.unprotectedDNSList
+	h.mutex.RUnlock()
+	return l
+}
+
+//nolint:unused
+func (h *hostsDNSHolder) isContain(upstream string) bool {
+	h.mutex.RLock()
+	defer h.mutex.RUnlock()
+
+	_, ok := h.unprotectedDNSList[upstream]
+	return ok
+}
+
+func (h *hostsDNSHolder) normalizeAddress(addr string) (string, error) {
+	a, err := netip.ParseAddr(addr)
+	if err != nil {
+		log.Errorf("invalid upstream IP address: %s, error: %s", addr, err)
+		return "", err
+	}
+
+	if a.Is4() {
+		return fmt.Sprintf("%s:53", addr), nil
+	} else {
+		return fmt.Sprintf("[%s]:53", addr), nil
+	}
+}
--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -31,6 +31,8 @@ func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	response := d.lookupRecord(r)
 	if response != nil {
 		replyMessage.Answer = append(replyMessage.Answer, response)
+	} else {
+		replyMessage.Rcode = dns.RcodeNameError
 	}

 	err := w.WriteMsg(replyMessage)
--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -53,10 +53,12 @@ func (r *resolvconf) applyDNSConfig(config HostDNSConfig) error {
 	searchDomainList := searchDomains(config)
 	searchDomainList = mergeSearchDomains(searchDomainList, r.originalSearchDomains)

+	options := prepareOptionsWithTimeout(r.othersConfigs, int(dnsFailoverTimeout.Seconds()), dnsFailoverAttempts)
+
 	buf := prepareResolvConfContent(
 		searchDomainList,
 		append([]string{config.ServerIP}, r.originalNameServers...),
-		r.othersConfigs)
+		options)

 	// create a backup for unclean shutdown detection before the resolv.conf is changed
 	if err := createUncleanShutdownIndicator(defaultResolvConfPath, resolvConfManager, config.ServerIP); err != nil {
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"net/netip"
+	"runtime"
+	"strings"
 	"sync"

 	"github.com/miekg/dns"
@@ -11,6 +13,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	nbdns "github.com/netbirdio/netbird/dns"
 )

@@ -52,13 +55,14 @@ type DefaultServer struct {
 	currentConfig      HostDNSConfig

 	// permanent related properties
-	permanent        bool
-	hostsDnsList     []string
-	hostsDnsListLock sync.Mutex
+	permanent      bool
+	hostsDNSHolder *hostsDNSHolder

 	// make sense on mobile only
 	searchDomainNotifier *notifier
 	iosDnsManager        IosDnsManager
+
+	statusRecorder *peer.Status
 }

 type handlerWithStop interface {
@@ -73,7 +77,12 @@ type muxUpdate struct {
 }

 // NewDefaultServer returns a new dns server
-func NewDefaultServer(ctx context.Context, wgInterface WGIface, customAddress string) (*DefaultServer, error) {
+func NewDefaultServer(
+	ctx context.Context,
+	wgInterface WGIface,
+	customAddress string,
+	statusRecorder *peer.Status,
+) (*DefaultServer, error) {
 	var addrPort *netip.AddrPort
 	if customAddress != "" {
 		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
@@ -90,15 +99,22 @@ func NewDefaultServer(ctx context.Context, wgInterface WGIface, customAddress st
 		dnsService = newServiceViaListener(wgInterface, addrPort)
 	}

-	return newDefaultServer(ctx, wgInterface, dnsService), nil
+	return newDefaultServer(ctx, wgInterface, dnsService, statusRecorder), nil
 }

 // NewDefaultServerPermanentUpstream returns a new dns server. It optimized for mobile systems
-func NewDefaultServerPermanentUpstream(ctx context.Context, wgInterface WGIface, hostsDnsList []string, config nbdns.Config, listener listener.NetworkChangeListener) *DefaultServer {
+func NewDefaultServerPermanentUpstream(
+	ctx context.Context,
+	wgInterface WGIface,
+	hostsDnsList []string,
+	config nbdns.Config,
+	listener listener.NetworkChangeListener,
+	statusRecorder *peer.Status,
+) *DefaultServer {
 	log.Debugf("host dns address list is: %v", hostsDnsList)
-	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface))
+	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface), statusRecorder)
+	ds.hostsDNSHolder.set(hostsDnsList)
 	ds.permanent = true
-	ds.hostsDnsList = hostsDnsList
 	ds.addHostRootZone()
 	ds.currentConfig = dnsConfigToHostDNSConfig(config, ds.service.RuntimeIP(), ds.service.RuntimePort())
 	ds.searchDomainNotifier = newNotifier(ds.SearchDomains())
@@ -108,13 +124,18 @@ func NewDefaultServerPermanentUpstream(ctx context.Context, wgInterface WGIface,
 }

 // NewDefaultServerIos returns a new dns server. It optimized for ios
-func NewDefaultServerIos(ctx context.Context, wgInterface WGIface, iosDnsManager IosDnsManager) *DefaultServer {
-	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface))
+func NewDefaultServerIos(
+	ctx context.Context,
+	wgInterface WGIface,
+	iosDnsManager IosDnsManager,
+	statusRecorder *peer.Status,
+) *DefaultServer {
+	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface), statusRecorder)
 	ds.iosDnsManager = iosDnsManager
 	return ds
 }

-func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService service) *DefaultServer {
+func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService service, statusRecorder *peer.Status) *DefaultServer {
 	ctx, stop := context.WithCancel(ctx)
 	defaultServer := &DefaultServer{
 		ctx:       ctx,
@@ -124,7 +145,9 @@ func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService servi
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
-		wgInterface: wgInterface,
+		wgInterface:    wgInterface,
+		statusRecorder: statusRecorder,
+		hostsDNSHolder: newHostsDNSHolder(),
 	}

 	return defaultServer
@@ -180,10 +203,8 @@ func (s *DefaultServer) Stop() {
 // OnUpdatedHostDNSServer update the DNS servers addresses for root zones
 // It will be applied if the mgm server do not enforce DNS settings for root zone
 func (s *DefaultServer) OnUpdatedHostDNSServer(hostsDnsList []string) {
-	s.hostsDnsListLock.Lock()
-	defer s.hostsDnsListLock.Unlock()
+	s.hostsDNSHolder.set(hostsDnsList)

-	s.hostsDnsList = hostsDnsList
 	_, ok := s.dnsMuxMap[nbdns.RootZone]
 	if ok {
 		log.Debugf("on new host DNS config but skip to apply it")
@@ -256,9 +277,15 @@ func (s *DefaultServer) SearchDomains() []string {
 // ProbeAvailability tests each upstream group's servers for availability
 // and deactivates the group if no server responds
 func (s *DefaultServer) ProbeAvailability() {
+	var wg sync.WaitGroup
 	for _, mux := range s.dnsMuxMap {
-		mux.probeAvailability()
+		wg.Add(1)
+		go func(mux handlerWithStop) {
+			defer wg.Done()
+			mux.probeAvailability()
+		}(mux)
 	}
+	wg.Wait()
 }

 func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
@@ -299,6 +326,8 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
 		s.searchDomainNotifier.onNewSearchDomains(s.SearchDomains())
 	}

+	s.updateNSGroupStates(update.NameServerGroups)
+
 	return nil
 }

@@ -338,7 +367,14 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 			continue
 		}

-		handler, err := newUpstreamResolver(s.ctx, s.wgInterface.Name(), s.wgInterface.Address().IP, s.wgInterface.Address().Network)
+		handler, err := newUpstreamResolver(
+			s.ctx,
+			s.wgInterface.Name(),
+			s.wgInterface.Address().IP,
+			s.wgInterface.Address().Network,
+			s.statusRecorder,
+			s.hostsDNSHolder,
+		)
 		if err != nil {
 			return nil, fmt.Errorf("unable to create a new upstream resolver, error: %v", err)
 		}
@@ -416,9 +452,7 @@ func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
 		_, found := muxUpdateMap[key]
 		if !found {
 			if !isContainRootUpdate && key == nbdns.RootZone {
-				s.hostsDnsListLock.Lock()
 				s.addHostRootZone()
-				s.hostsDnsListLock.Unlock()
 				existingHandler.stop()
 			} else {
 				existingHandler.stop()
@@ -451,7 +485,11 @@ func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord
 }

 func getNSHostPort(ns nbdns.NameServer) string {
-	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
+	if ns.IP.Is4() {
+		return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
+	} else {
+		return fmt.Sprintf("[%s]:%d", ns.IP.String(), ns.Port)
+	}
 }

 // upstreamCallbacks returns two functions, the first one is used to deactivate
@@ -460,14 +498,14 @@ func getNSHostPort(ns nbdns.NameServer) string {
 func (s *DefaultServer) upstreamCallbacks(
 	nsGroup *nbdns.NameServerGroup,
 	handler dns.Handler,
-) (deactivate func(), reactivate func()) {
+) (deactivate func(error), reactivate func()) {
 	var removeIndex map[string]int
-	deactivate = func() {
+	deactivate = func(err error) {
 		s.mux.Lock()
 		defer s.mux.Unlock()

 		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Info("temporary deactivate nameservers group due timeout")
+		l.Info("Temporarily deactivating nameservers group due to timeout")

 		removeIndex = make(map[string]int)
 		for _, domain := range nsGroup.Domains {
@@ -476,6 +514,7 @@ func (s *DefaultServer) upstreamCallbacks(
 		if nsGroup.Primary {
 			removeIndex[nbdns.RootZone] = -1
 			s.currentConfig.RouteAll = false
+			s.service.DeregisterMux(nbdns.RootZone)
 		}

 		for i, item := range s.currentConfig.Domains {
@@ -485,9 +524,17 @@ func (s *DefaultServer) upstreamCallbacks(
 				removeIndex[item.Domain] = i
 			}
 		}
+
 		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
+			l.Errorf("Failed to apply nameserver deactivation on the host: %v", err)
 		}
+
+		if runtime.GOOS == "android" && nsGroup.Primary && len(s.hostsDNSHolder.get()) > 0 {
+			s.addHostRootZone()
+		}
+
+		s.updateNSState(nsGroup, err, false)
+
 	}
 	reactivate = func() {
 		s.mux.Lock()
@@ -506,36 +553,79 @@ func (s *DefaultServer) upstreamCallbacks(

 		if nsGroup.Primary {
 			s.currentConfig.RouteAll = true
+			s.service.RegisterMux(nbdns.RootZone, handler)
 		}
 		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
 			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
 		}
+
+		s.updateNSState(nsGroup, nil, true)
 	}
 	return
 }

 func (s *DefaultServer) addHostRootZone() {
-	handler, err := newUpstreamResolver(s.ctx, s.wgInterface.Name(), s.wgInterface.Address().IP, s.wgInterface.Address().Network)
+	handler, err := newUpstreamResolver(
+		s.ctx,
+		s.wgInterface.Name(),
+		s.wgInterface.Address().IP,
+		s.wgInterface.Address().Network,
+		s.statusRecorder,
+		s.hostsDNSHolder,
+	)
 	if err != nil {
 		log.Errorf("unable to create a new upstream resolver, error: %v", err)
 		return
 	}
-	handler.upstreamServers = make([]string, len(s.hostsDnsList))
-	for n, ua := range s.hostsDnsList {
-		a, err := netip.ParseAddr(ua)
-		if err != nil {
-			log.Errorf("invalid upstream IP address: %s, error: %s", ua, err)
-			continue
-		}

-		ipString := ua
-		if !a.Is4() {
-			ipString = fmt.Sprintf("[%s]", ua)
-		}
-
-		handler.upstreamServers[n] = fmt.Sprintf("%s:53", ipString)
+	handler.upstreamServers = make([]string, 0)
+	for k := range s.hostsDNSHolder.get() {
+		handler.upstreamServers = append(handler.upstreamServers, k)
 	}
-	handler.deactivate = func() {}
+	handler.deactivate = func(error) {}
 	handler.reactivate = func() {}
 	s.service.RegisterMux(nbdns.RootZone, handler)
 }
+
+func (s *DefaultServer) updateNSGroupStates(groups []*nbdns.NameServerGroup) {
+	var states []peer.NSGroupState
+
+	for _, group := range groups {
+		var servers []string
+		for _, ns := range group.NameServers {
+			servers = append(servers, fmt.Sprintf("%s:%d", ns.IP, ns.Port))
+		}
+
+		state := peer.NSGroupState{
+			ID:      generateGroupKey(group),
+			Servers: servers,
+			Domains: group.Domains,
+			// The probe will determine the state, default enabled
+			Enabled: true,
+			Error:   nil,
+		}
+		states = append(states, state)
+	}
+	s.statusRecorder.UpdateDNSStates(states)
+}
+
+func (s *DefaultServer) updateNSState(nsGroup *nbdns.NameServerGroup, err error, enabled bool) {
+	states := s.statusRecorder.GetDNSStates()
+	id := generateGroupKey(nsGroup)
+	for i, state := range states {
+		if state.ID == id {
+			states[i].Enabled = enabled
+			states[i].Error = err
+			break
+		}
+	}
+	s.statusRecorder.UpdateDNSStates(states)
+}
+
+func generateGroupKey(nsGroup *nbdns.NameServerGroup) string {
+	var servers []string
+	for _, ns := range nsGroup.NameServers {
+		servers = append(servers, fmt.Sprintf("%s:%d", ns.IP, ns.Port))
+	}
+	return fmt.Sprintf("%s_%s_%s", nsGroup.ID, nsGroup.Name, strings.Join(servers, ","))
+}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -15,6 +15,7 @@ import (
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"

 	"github.com/netbirdio/netbird/client/firewall/uspfilter"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/stdnet"
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/formatter"
@@ -37,6 +38,13 @@ func (w *mocWGIface) Address() iface.WGAddress {
 		Network: network,
 	}
 }
+func (w *mocWGIface) Address6() *iface.WGAddress {
+	ip, network, _ := net.ParseCIDR("fd00:1234:dead:beef::/64")
+	return &iface.WGAddress{
+		IP:      ip,
+		Network: network,
+	}
+}

 func (w *mocWGIface) GetFilter() iface.PacketFilter {
 	return w.filter
@@ -260,7 +268,7 @@ func TestUpdateDNSServer(t *testing.T) {
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
+			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), fmt.Sprintf("fd00:1234:dead:beef::%d/128", n+1), 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -274,7 +282,7 @@ func TestUpdateDNSServer(t *testing.T) {
 					t.Log(err)
 				}
 			}()
-			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "")
+			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", &peer.Status{})
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -338,7 +346,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 	}

 	privKey, _ := wgtypes.GeneratePrivateKey()
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
+	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.1/32", "", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
 	if err != nil {
 		t.Errorf("build interface wireguard: %v", err)
 		return
@@ -375,7 +383,7 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		return
 	}

-	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "")
+	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", &peer.Status{})
 	if err != nil {
 		t.Errorf("create DNS server: %v", err)
 		return
@@ -470,7 +478,7 @@ func TestDNSServerStartStop(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort)
+			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, &peer.Status{})
 			if err != nil {
 				t.Fatalf("%v", err)
 			}
@@ -541,6 +549,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 				{false, "domain2", false},
 			},
 		},
+		statusRecorder: &peer.Status{},
 	}

 	var domainsUpdate string
@@ -563,7 +572,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 		},
 	}, nil)

-	deactivate()
+	deactivate(nil)
 	expected := "domain0,domain2"
 	domains := []string{}
 	for _, item := range server.currentConfig.Domains {
@@ -593,7 +602,7 @@ func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
 }

 func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
-	wgIFace, err := createWgInterfaceWithBind(t)
+	wgIFace, err := createWgInterfaceWithBind(t, false)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
 	}
@@ -601,7 +610,7 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {

 	var dnsList []string
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList, dnsConfig, nil)
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList, dnsConfig, nil, &peer.Status{})
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -619,13 +628,13 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 }

 func TestDNSPermanent_updateUpstream(t *testing.T) {
-	wgIFace, err := createWgInterfaceWithBind(t)
+	wgIFace, err := createWgInterfaceWithBind(t, false)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
 	}
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil)
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, &peer.Status{})
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -711,13 +720,13 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 }

 func TestDNSPermanent_matchOnly(t *testing.T) {
-	wgIFace, err := createWgInterfaceWithBind(t)
+	wgIFace, err := createWgInterfaceWithBind(t, false)
 	if err != nil {
 		t.Fatal("failed to initialize wg interface")
 	}
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
-	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil)
+	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil, &peer.Status{})
 	err = dnsServer.Initialize()
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
@@ -748,6 +757,11 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 						NSType: nbdns.UDPNameServerType,
 						Port:   53,
 					},
+					{
+						IP:     netip.MustParseAddr("9.9.9.9"),
+						NSType: nbdns.UDPNameServerType,
+						Port:   53,
+					},
 				},
 				Domains: []string{"customdomain.com"},
 				Primary: false,
@@ -777,7 +791,7 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	}
 }

-func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
+func createWgInterfaceWithBind(t *testing.T, enableV6 bool) (*iface.WGIface, error) {
 	t.Helper()
 	ov := os.Getenv("NB_WG_KERNEL_DISABLED")
 	defer t.Setenv("NB_WG_KERNEL_DISABLED", ov)
@@ -790,7 +804,11 @@ func createWgInterfaceWithBind(t *testing.T) (*iface.WGIface, error) {
 	}

 	privKey, _ := wgtypes.GeneratePrivateKey()
-	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
+	v6Addr := ""
+	if enableV6 {
+		v6Addr = "fd00:1234:dead:beef::1/128"
+	}
+	wgIface, err := iface.NewWGIFace("utun2301", "100.66.100.2/24", v6Addr, 33100, privKey.String(), iface.DefaultMTU, newNet, nil)
 	if err != nil {
 		t.Fatalf("build interface wireguard: %v", err)
 		return nil, err
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -5,14 +5,16 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"runtime"
 	"sync"
 	"sync/atomic"
 	"time"

 	"github.com/cenkalti/backoff/v4"
+	"github.com/hashicorp/go-multierror"
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
 )

 const (
@@ -45,12 +47,13 @@ type upstreamResolverBase struct {
 	reactivatePeriod time.Duration
 	upstreamTimeout  time.Duration

-	deactivate func()
-	reactivate func()
+	deactivate     func(error)
+	reactivate     func()
+	statusRecorder *peer.Status
 }

-func newUpstreamResolverBase(parentCTX context.Context) *upstreamResolverBase {
-	ctx, cancel := context.WithCancel(parentCTX)
+func newUpstreamResolverBase(ctx context.Context, statusRecorder *peer.Status) *upstreamResolverBase {
+	ctx, cancel := context.WithCancel(ctx)

 	return &upstreamResolverBase{
 		ctx:              ctx,
@@ -58,6 +61,7 @@ func newUpstreamResolverBase(parentCTX context.Context) *upstreamResolverBase {
 		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
 		failsTillDeact:   failsTillDeact,
+		statusRecorder:   statusRecorder,
 	}
 }

@@ -68,7 +72,10 @@ func (u *upstreamResolverBase) stop() {

 // ServeDNS handles a DNS request
 func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	defer u.checkUpstreamFails()
+	var err error
+	defer func() {
+		u.checkUpstreamFails(err)
+	}()

 	log.WithField("question", r.Question[0]).Trace("received an upstream question")

@@ -81,7 +88,6 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	for _, upstream := range u.upstreamServers {
 		var rm *dns.Msg
 		var t time.Duration
-		var err error

 		func() {
 			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
@@ -132,7 +138,7 @@ func (u *upstreamResolverBase) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 // If fails count is greater that failsTillDeact, upstream resolving
 // will be disabled for reactivatePeriod, after that time period fails counter
 // will be reset and upstream will be reactivated.
-func (u *upstreamResolverBase) checkUpstreamFails() {
+func (u *upstreamResolverBase) checkUpstreamFails(err error) {
 	u.mutex.Lock()
 	defer u.mutex.Unlock()

@@ -146,7 +152,7 @@ func (u *upstreamResolverBase) checkUpstreamFails() {
 	default:
 	}

-	u.disable()
+	u.disable(err)
 }

 // probeAvailability tests all upstream servers simultaneously and
@@ -165,13 +171,16 @@ func (u *upstreamResolverBase) probeAvailability() {
 	var mu sync.Mutex
 	var wg sync.WaitGroup

+	var errors *multierror.Error
 	for _, upstream := range u.upstreamServers {
 		upstream := upstream

 		wg.Add(1)
 		go func() {
 			defer wg.Done()
-			if err := u.testNameserver(upstream); err != nil {
+			err := u.testNameserver(upstream)
+			if err != nil {
+				errors = multierror.Append(errors, err)
 				log.Warnf("probing upstream nameserver %s: %s", upstream, err)
 				return
 			}
@@ -186,7 +195,7 @@ func (u *upstreamResolverBase) probeAvailability() {

 	// didn't find a working upstream server, let's disable and try later
 	if !success {
-		u.disable()
+		u.disable(errors.ErrorOrNil())
 	}
 }

@@ -245,18 +254,15 @@ func isTimeout(err error) bool {
 	return false
 }

-func (u *upstreamResolverBase) disable() {
+func (u *upstreamResolverBase) disable(err error) {
 	if u.disabled {
 		return
 	}

-	// todo test the deactivation logic, it seems to affect the client
-	if runtime.GOOS != "ios" {
-		log.Warnf("upstream resolving is Disabled for %v", reactivatePeriod)
-		u.deactivate()
-		u.disabled = true
-		go u.waitUntilResponse()
-	}
+	log.Warnf("Upstream resolving is Disabled for %v", reactivatePeriod)
+	u.deactivate(err)
+	u.disabled = true
+	go u.waitUntilResponse()
 }

 func (u *upstreamResolverBase) testNameserver(server string) error {
--- a/client/internal/dns/upstream_android.go
+++ b/client/internal/dns/upstream_android.go
@@ -0,0 +1,84 @@
+package dns
+
+import (
+	"context"
+	"net"
+	"syscall"
+	"time"
+
+	"github.com/miekg/dns"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+type upstreamResolver struct {
+	*upstreamResolverBase
+	hostsDNSHolder *hostsDNSHolder
+}
+
+// newUpstreamResolver in Android we need to distinguish the DNS servers to available through VPN or outside of VPN
+// In case if the assigned DNS address is available only in the protected network then the resolver will time out at the
+// first time, and we need to wait for a while to start to use again the proper DNS resolver.
+func newUpstreamResolver(
+	ctx context.Context,
+	_ string,
+	_ net.IP,
+	_ *net.IPNet,
+	statusRecorder *peer.Status,
+	hostsDNSHolder *hostsDNSHolder,
+) (*upstreamResolver, error) {
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)
+	c := &upstreamResolver{
+		upstreamResolverBase: upstreamResolverBase,
+		hostsDNSHolder:       hostsDNSHolder,
+	}
+	upstreamResolverBase.upstreamClient = c
+	return c, nil
+}
+
+// exchange in case of Android if the upstream is a local resolver then we do not need to mark the socket as protected.
+// In other case the DNS resolvation goes through the VPN, so we need to force to use the
+func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
+	if u.isLocalResolver(upstream) {
+		return u.exchangeWithoutVPN(ctx, upstream, r)
+	} else {
+		return u.exchangeWithinVPN(ctx, upstream, r)
+	}
+}
+
+func (u *upstreamResolver) exchangeWithinVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
+	upstreamExchangeClient := &dns.Client{}
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
+}
+
+// exchangeWithoutVPN protect the UDP socket by Android SDK to avoid to goes through the VPN
+func (u *upstreamResolver) exchangeWithoutVPN(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
+	timeout := upstreamTimeout
+	if deadline, ok := ctx.Deadline(); ok {
+		timeout = time.Until(deadline)
+	}
+	dialTimeout := timeout
+
+	nbDialer := nbnet.NewDialer()
+
+	dialer := &net.Dialer{
+		Control: func(network, address string, c syscall.RawConn) error {
+			return nbDialer.Control(network, address, c)
+		},
+		Timeout: dialTimeout,
+	}
+
+	upstreamExchangeClient := &dns.Client{
+		Dialer: dialer,
+	}
+
+	return upstreamExchangeClient.Exchange(r, upstream)
+}
+
+func (u *upstreamResolver) isLocalResolver(upstream string) bool {
+	if u.hostsDNSHolder.isContain(upstream) {
+		return true
+	}
+	return false
+}
--- a/client/internal/dns/upstream_general.go
+++ b/client/internal/dns/upstream_general.go
@@ -0,0 +1,38 @@
+//go:build !android && !ios
+
+package dns
+
+import (
+	"context"
+	"net"
+	"time"
+
+	"github.com/miekg/dns"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+)
+
+type upstreamResolver struct {
+	*upstreamResolverBase
+}
+
+func newUpstreamResolver(
+	ctx context.Context,
+	_ string,
+	_ net.IP,
+	_ *net.IPNet,
+	statusRecorder *peer.Status,
+	_ *hostsDNSHolder,
+) (*upstreamResolver, error) {
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)
+	nonIOS := &upstreamResolver{
+		upstreamResolverBase: upstreamResolverBase,
+	}
+	upstreamResolverBase.upstreamClient = nonIOS
+	return nonIOS, nil
+}
+
+func (u *upstreamResolver) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
+	upstreamExchangeClient := &dns.Client{}
+	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
+}
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -11,6 +11,8 @@ import (
 	"github.com/miekg/dns"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
 )

 type upstreamResolverIOS struct {
@@ -20,8 +22,15 @@ type upstreamResolverIOS struct {
 	iIndex int
 }

-func newUpstreamResolver(parentCTX context.Context, interfaceName string, ip net.IP, net *net.IPNet) (*upstreamResolverIOS, error) {
-	upstreamResolverBase := newUpstreamResolverBase(parentCTX)
+func newUpstreamResolver(
+	ctx context.Context,
+	interfaceName string,
+	ip net.IP,
+	net *net.IPNet,
+	statusRecorder *peer.Status,
+	_ *hostsDNSHolder,
+) (*upstreamResolverIOS, error) {
+	upstreamResolverBase := newUpstreamResolverBase(ctx, statusRecorder)

 	index, err := getInterfaceIndex(interfaceName)
 	if err != nil {
--- a/client/internal/dns/upstream_nonios.go
+++ b/client/internal/dns/upstream_nonios.go
@@ -1,29 +0,0 @@
-//go:build !ios
-
-package dns
-
-import (
-	"context"
-	"net"
-	"time"
-
-	"github.com/miekg/dns"
-)
-
-type upstreamResolverNonIOS struct {
-	*upstreamResolverBase
-}
-
-func newUpstreamResolver(parentCTX context.Context, interfaceName string, ip net.IP, net *net.IPNet) (*upstreamResolverNonIOS, error) {
-	upstreamResolverBase := newUpstreamResolverBase(parentCTX)
-	nonIOS := &upstreamResolverNonIOS{
-		upstreamResolverBase: upstreamResolverBase,
-	}
-	upstreamResolverBase.upstreamClient = nonIOS
-	return nonIOS, nil
-}
-
-func (u *upstreamResolverNonIOS) exchange(ctx context.Context, upstream string, r *dns.Msg) (rm *dns.Msg, t time.Duration, err error) {
-	upstreamExchangeClient := &dns.Client{}
-	return upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
-}
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -58,7 +58,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{})
+			resolver, _ := newUpstreamResolver(ctx, "", net.IP{}, &net.IPNet{}, nil, nil)
 			resolver.upstreamServers = testCase.InputServers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
@@ -131,7 +131,7 @@ func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
 	}

 	failed := false
-	resolver.deactivate = func() {
+	resolver.deactivate = func(error) {
 		failed = true
 	}

--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -2,7 +2,9 @@ package internal

 import (
 	"context"
+	"errors"
 	"fmt"
+	"maps"
 	"math/rand"
 	"net"
 	"net/netip"
@@ -21,6 +23,7 @@ import (
 	"github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/acl"
 	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/networkmonitor"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/client/internal/rosenpass"
@@ -55,11 +58,15 @@ type EngineConfig struct {
 	WgIfaceName string

 	// WgAddr is a Wireguard local address (Netbird Network IP)
-	WgAddr string
+	WgAddr  string
+	WgAddr6 string

 	// WgPrivateKey is a Wireguard private key of our peer (it MUST never leave the machine)
 	WgPrivateKey wgtypes.Key

+	// NetworkMonitor is a flag to enable network monitoring
+	NetworkMonitor bool
+
 	// IFaceBlackList is a list of network interfaces to ignore when discovering connection candidates (ICE related)
 	IFaceBlackList       []string
 	DisableIPv6Discovery bool
@@ -79,7 +86,10 @@ type EngineConfig struct {

 	CustomDNSAddress string

-	RosenpassEnabled bool
+	RosenpassEnabled    bool
+	RosenpassPermissive bool
+
+	ServerSSHAllowed bool
 }

 // Engine is a mechanism responsible for reacting on Signal and Management stream events and managing connections to the remote peers.
@@ -90,6 +100,10 @@ type Engine struct {
 	mgmClient mgm.Client
 	// peerConns is a map that holds all the peers that are known to this peer
 	peerConns map[string]*peer.Conn
+
+	beforePeerHook peer.BeforeAddPeerHookFunc
+	afterPeerHook  peer.AfterRemovePeerHookFunc
+
 	// rpManager is a Rosenpass manager
 	rpManager *rosenpass.Manager

@@ -104,9 +118,15 @@ type Engine struct {
 	// TURNs is a list of STUN servers used by ICE
 	TURNs []*stun.URI

-	cancel context.CancelFunc
+	// clientRoutes is the most recent list of clientRoutes received from the Management Service
+	clientRoutes   route.HAMap
+	clientRoutesMu sync.RWMutex

-	ctx context.Context
+	clientCtx    context.Context
+	clientCancel context.CancelFunc
+
+	ctx    context.Context
+	cancel context.CancelFunc

 	wgInterface    *iface.WGIface
 	wgProxyFactory *wgproxy.Factory
@@ -116,6 +136,8 @@ type Engine struct {
 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64

+	networkMonitor *networkmonitor.NetworkMonitor
+
 	sshServerFunc func(hostKeyPEM []byte, addr string) (nbssh.Server, error)
 	sshServer     nbssh.Server

@@ -131,6 +153,8 @@ type Engine struct {
 	signalProbe *Probe
 	relayProbe  *Probe
 	wgProbe     *Probe
+
+	wgConnWorker sync.WaitGroup
 }

 // Peer is an instance of the Connection Peer
@@ -141,8 +165,8 @@ type Peer struct {

 // NewEngine creates a new Connection Engine
 func NewEngine(
-	ctx context.Context,
-	cancel context.CancelFunc,
+	clientCtx context.Context,
+	clientCancel context.CancelFunc,
 	signalClient signal.Client,
 	mgmClient mgm.Client,
 	config *EngineConfig,
@@ -150,8 +174,8 @@ func NewEngine(
 	statusRecorder *peer.Status,
 ) *Engine {
 	return NewEngineWithProbes(
-		ctx,
-		cancel,
+		clientCtx,
+		clientCancel,
 		signalClient,
 		mgmClient,
 		config,
@@ -166,8 +190,8 @@ func NewEngine(

 // NewEngineWithProbes creates a new Connection Engine with probes attached
 func NewEngineWithProbes(
-	ctx context.Context,
-	cancel context.CancelFunc,
+	clientCtx context.Context,
+	clientCancel context.CancelFunc,
 	signalClient signal.Client,
 	mgmClient mgm.Client,
 	config *EngineConfig,
@@ -178,9 +202,10 @@ func NewEngineWithProbes(
 	relayProbe *Probe,
 	wgProbe *Probe,
 ) *Engine {
+
 	return &Engine{
-		ctx:            ctx,
-		cancel:         cancel,
+		clientCtx:      clientCtx,
+		clientCancel:   clientCancel,
 		signal:         signalClient,
 		mgmClient:      mgmClient,
 		peerConns:      make(map[string]*peer.Conn),
@@ -192,7 +217,6 @@ func NewEngineWithProbes(
 		networkSerial:  0,
 		sshServerFunc:  nbssh.DefaultSSHServer,
 		statusRecorder: statusRecorder,
-		wgProxyFactory: wgproxy.NewFactory(config.WgPort),
 		mgmProbe:       mgmProbe,
 		signalProbe:    signalProbe,
 		relayProbe:     relayProbe,
@@ -204,16 +228,31 @@ func (e *Engine) Stop() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

+	if e.cancel != nil {
+		e.cancel()
+	}
+
+	// stopping network monitor first to avoid starting the engine again
+	if e.networkMonitor != nil {
+		e.networkMonitor.Stop()
+	}
+	log.Info("Network monitor: stopped")
+
 	err := e.removeAllPeers()
 	if err != nil {
 		return err
 	}

+	e.clientRoutesMu.Lock()
+	e.clientRoutes = nil
+	e.clientRoutesMu.Unlock()
+
 	// very ugly but we want to remove peers from the WireGuard interface first before removing interface.
-	// Removing peers happens in the conn.CLose() asynchronously
+	// Removing peers happens in the conn.Close() asynchronously
 	time.Sleep(500 * time.Millisecond)

 	e.close()
+	e.wgConnWorker.Wait()
 	log.Infof("stopped Netbird Engine")
 	return nil
 }
@@ -225,40 +264,60 @@ func (e *Engine) Start() error {
 	e.syncMsgMux.Lock()
 	defer e.syncMsgMux.Unlock()

+	if e.cancel != nil {
+		e.cancel()
+	}
+	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
+
+	e.wgProxyFactory = wgproxy.NewFactory(e.ctx, e.config.WgPort)
+
 	wgIface, err := e.newWgIface()
 	if err != nil {
-		log.Errorf("failed creating wireguard interface instance %s: [%s]", e.config.WgIfaceName, err.Error())
-		return err
+		log.Errorf("failed creating wireguard interface instance %s: [%s]", e.config.WgIfaceName, err)
+		return fmt.Errorf("new wg interface: %w", err)
 	}
 	e.wgInterface = wgIface

 	if e.config.RosenpassEnabled {
 		log.Infof("rosenpass is enabled")
+		if e.config.RosenpassPermissive {
+			log.Infof("running rosenpass in permissive mode")
+		} else {
+			log.Infof("running rosenpass in strict mode")
+		}
 		e.rpManager, err = rosenpass.NewManager(e.config.PreSharedKey, e.config.WgIfaceName)
 		if err != nil {
-			return err
+			return fmt.Errorf("create rosenpass manager: %w", err)
 		}
 		err := e.rpManager.Run()
 		if err != nil {
-			return err
+			return fmt.Errorf("run rosenpass manager: %w", err)
 		}
 	}

 	initialRoutes, dnsServer, err := e.newDnsServer()
 	if err != nil {
 		e.close()
-		return err
+		return fmt.Errorf("create dns server: %w", err)
 	}
 	e.dnsServer = dnsServer

 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, initialRoutes)
+	beforePeerHook, afterPeerHook, err := e.routeManager.Init()
+	if err != nil {
+		log.Errorf("Failed to initialize route manager: %s", err)
+	} else {
+		e.beforePeerHook = beforePeerHook
+		e.afterPeerHook = afterPeerHook
+	}
+
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)

 	err = e.wgInterfaceCreate()
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", e.config.WgIfaceName, err.Error())
 		e.close()
-		return err
+		return fmt.Errorf("create wg interface: %w", err)
 	}

 	e.firewall, err = firewall.NewFirewall(e.ctx, e.wgInterface)
@@ -270,7 +329,7 @@ func (e *Engine) Start() error {
 		err = e.routeManager.EnableServerRouter(e.firewall)
 		if err != nil {
 			e.close()
-			return err
+			return fmt.Errorf("enable server router: %w", err)
 		}
 	}

@@ -278,7 +337,7 @@ func (e *Engine) Start() error {
 	if err != nil {
 		log.Errorf("failed to pull up wgInterface [%s]: %s", e.wgInterface.Name(), err.Error())
 		e.close()
-		return err
+		return fmt.Errorf("up wg interface: %w", err)
 	}

 	if e.firewall != nil {
@@ -288,13 +347,16 @@ func (e *Engine) Start() error {
 	err = e.dnsServer.Initialize()
 	if err != nil {
 		e.close()
-		return err
+		return fmt.Errorf("initialize dns server: %w", err)
 	}

 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
 	e.receiveProbeEvents()

+	// starting network monitor at the very last to avoid disruptions
+	e.startNetworkMonitor()
+
 	return nil
 }

@@ -482,44 +544,52 @@ func isNil(server nbssh.Server) bool {
 }

 func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
-	if sshConf.GetSshEnabled() {
-		if runtime.GOOS == "windows" {
-			log.Warnf("running SSH server on Windows is not supported")
-			return nil
-		}
-		// start SSH server if it wasn't running
-		if isNil(e.sshServer) {
-			// nil sshServer means it has not yet been started
-			var err error
-			e.sshServer, err = e.sshServerFunc(e.config.SSHKey,
-				fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort))
-			if err != nil {
-				return err
+
+	if !e.config.ServerSSHAllowed {
+		log.Warnf("running SSH server is not permitted")
+		return nil
+	} else {
+
+		if sshConf.GetSshEnabled() {
+			if runtime.GOOS == "windows" {
+				log.Warnf("running SSH server on Windows is not supported")
+				return nil
 			}
-			go func() {
-				// blocking
-				err = e.sshServer.Start()
+			// start SSH server if it wasn't running
+			if isNil(e.sshServer) {
+				// nil sshServer means it has not yet been started
+				var err error
+				e.sshServer, err = e.sshServerFunc(e.config.SSHKey,
+					fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort))
 				if err != nil {
-					// will throw error when we stop it even if it is a graceful stop
-					log.Debugf("stopped SSH server with error %v", err)
+					return err
 				}
-				e.syncMsgMux.Lock()
-				defer e.syncMsgMux.Unlock()
-				e.sshServer = nil
-				log.Infof("stopped SSH server")
-			}()
-		} else {
-			log.Debugf("SSH server is already running")
+				go func() {
+					// blocking
+					err = e.sshServer.Start()
+					if err != nil {
+						// will throw error when we stop it even if it is a graceful stop
+						log.Debugf("stopped SSH server with error %v", err)
+					}
+					e.syncMsgMux.Lock()
+					defer e.syncMsgMux.Unlock()
+					e.sshServer = nil
+					log.Infof("stopped SSH server")
+				}()
+			} else {
+				log.Debugf("SSH server is already running")
+			}
+		} else if !isNil(e.sshServer) {
+			// Disable SSH server request, so stop it if it was running
+			err := e.sshServer.Stop()
+			if err != nil {
+				log.Warnf("failed to stop SSH server %v", err)
+			}
+			e.sshServer = nil
 		}
-	} else if !isNil(e.sshServer) {
-		// Disable SSH server request, so stop it if it was running
-		err := e.sshServer.Stop()
-		if err != nil {
-			log.Warnf("failed to stop SSH server %v", err)
-		}
-		e.sshServer = nil
+		return nil
+
 	}
-	return nil
 }

 func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
@@ -534,6 +604,32 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 		log.Infof("updated peer address from %s to %s", oldAddr, conf.Address)
 	}

+	if e.wgInterface.Address6() == nil && conf.Address6 != "" ||
+		e.wgInterface.Address6() != nil && e.wgInterface.Address6().String() != conf.Address6 {
+		oldAddr := "none"
+		if e.wgInterface.Address6() != nil {
+			oldAddr = e.wgInterface.Address6().String()
+		}
+		newAddr := "none"
+		if conf.Address6 != "" {
+			newAddr = conf.Address6
+		}
+		log.Debugf("updating peer IPv6 address from %s to %s", oldAddr, newAddr)
+		err := e.wgInterface.UpdateAddr6(conf.Address6)
+		if err != nil {
+			return err
+		}
+		e.config.WgAddr6 = conf.Address6
+
+		err = e.acl.ResetV6Acl()
+		if err != nil {
+			return err
+		}
+
+		e.routeManager.ResetV6Routes()
+		log.Infof("updated peer IPv6 address from %s to %s", oldAddr, conf.Address6)
+	}
+
 	if conf.GetSshConfig() != nil {
 		err := e.updateSSH(conf.GetSshConfig())
 		if err != nil {
@@ -543,6 +639,7 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {

 	e.statusRecorder.UpdateLocalPeerState(peer.LocalPeerState{
 		IP:              e.config.WgAddr,
+		IP6:             e.config.WgAddr6,
 		PubKey:          e.config.WgPrivateKey.PublicKey().String(),
 		KernelInterface: iface.WireGuardModuleIsLoaded(),
 		FQDN:            conf.GetFqdn(),
@@ -555,12 +652,12 @@ func (e *Engine) updateConfig(conf *mgmProto.PeerConfig) error {
 // E.g. when a new peer has been registered and we are allowed to connect to it.
 func (e *Engine) receiveManagementEvents() {
 	go func() {
-		err := e.mgmClient.Sync(e.handleSync)
+		err := e.mgmClient.Sync(e.ctx, e.handleSync)
 		if err != nil {
 			// happens if management is unavailable for a long time.
 			// We want to cancel the operation of the whole client
 			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
-			e.cancel()
+			e.clientCancel()
 			return
 		}
 		log.Debugf("stopped receiving updates from Management Service")
@@ -667,11 +764,16 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 	if protoRoutes == nil {
 		protoRoutes = []*mgmProto.Route{}
 	}
-	err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
+
+	_, clientRoutes, err := e.routeManager.UpdateRoutes(serial, toRoutes(protoRoutes))
 	if err != nil {
-		log.Errorf("failed to update routes, err: %v", err)
+		log.Errorf("failed to update clientRoutes, err: %v", err)
 	}

+	e.clientRoutesMu.Lock()
+	e.clientRoutes = clientRoutes
+	e.clientRoutesMu.Unlock()
+
 	protoDNSConfig := networkMap.GetDNSConfig()
 	if protoDNSConfig == nil {
 		protoDNSConfig = &mgmProto.DNSConfig{}
@@ -682,15 +784,16 @@ func (e *Engine) updateNetworkMap(networkMap *mgmProto.NetworkMap) error {
 		log.Errorf("failed to update dns server, err: %v", err)
 	}

-	// Test received (upstream) servers for availability right away instead of upon usage.
-	// If no server of a server group responds this will disable the respective handler and retry later.
-	e.dnsServer.ProbeAvailability()
-
 	if e.acl != nil {
 		e.acl.ApplyFiltering(networkMap)
 	}
+
 	e.networkSerial = serial

+	// Test received (upstream) servers for availability right away instead of upon usage.
+	// If no server of a server group responds this will disable the respective handler and retry later.
+	e.dnsServer.ProbeAvailability()
+
 	return nil
 }

@@ -699,9 +802,9 @@ func toRoutes(protoRoutes []*mgmProto.Route) []*route.Route {
 	for _, protoRoute := range protoRoutes {
 		_, prefix, _ := route.ParseNetwork(protoRoute.Network)
 		convertedRoute := &route.Route{
-			ID:          protoRoute.ID,
+			ID:          route.ID(protoRoute.ID),
 			Network:     prefix,
-			NetID:       protoRoute.NetID,
+			NetID:       route.NetID(protoRoute.NetID),
 			NetworkType: route.NetworkType(protoRoute.NetworkType),
 			Peer:        protoRoute.Peer,
 			Metric:      int(protoRoute.Metric),
@@ -765,6 +868,7 @@ func (e *Engine) updateOfflinePeers(offlinePeers []*mgmProto.RemotePeerConfig) {
 			FQDN:             offlinePeer.GetFqdn(),
 			ConnStatus:       peer.StatusDisconnected,
 			ConnStatusUpdate: time.Now(),
+			Mux:              new(sync.RWMutex),
 		}
 	}
 	e.statusRecorder.ReplaceOfflinePeers(replacement)
@@ -788,27 +892,39 @@ func (e *Engine) addNewPeer(peerConfig *mgmProto.RemotePeerConfig) error {
 	if _, ok := e.peerConns[peerKey]; !ok {
 		conn, err := e.createPeerConn(peerKey, strings.Join(peerIPs, ","))
 		if err != nil {
-			return err
+			return fmt.Errorf("create peer connection: %w", err)
 		}
 		e.peerConns[peerKey] = conn

+		if e.beforePeerHook != nil && e.afterPeerHook != nil {
+			conn.AddBeforeAddPeerHook(e.beforePeerHook)
+			conn.AddAfterRemovePeerHook(e.afterPeerHook)
+		}
+
 		err = e.statusRecorder.AddPeer(peerKey, peerConfig.Fqdn)
 		if err != nil {
 			log.Warnf("error adding peer %s to status recorder, got error: %v", peerKey, err)
 		}

+		e.wgConnWorker.Add(1)
 		go e.connWorker(conn, peerKey)
 	}
 	return nil
 }

 func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
+	defer e.wgConnWorker.Done()
 	for {

 		// randomize starting time a bit
 		min := 500
 		max := 2000
-		time.Sleep(time.Duration(rand.Intn(max-min)+min) * time.Millisecond)
+		duration := time.Duration(rand.Intn(max-min)+min) * time.Millisecond
+		select {
+		case <-e.ctx.Done():
+			return
+		case <-time.After(duration):
+		}

 		// if peer has been removed -> give up
 		if !e.peerExists(peerKey) {
@@ -826,11 +942,12 @@ func (e *Engine) connWorker(conn *peer.Conn, peerKey string) {
 		conn.UpdateStunTurn(append(e.STUNs, e.TURNs...))
 		e.syncMsgMux.Unlock()

-		err := conn.Open()
+		err := conn.Open(e.ctx)
 		if err != nil {
 			log.Debugf("connection to peer %s failed: %v", peerKey, err)
-			switch err.(type) {
-			case *peer.ConnectionClosedError:
+			var connectionClosedError *peer.ConnectionClosedError
+			switch {
+			case errors.As(err, &connectionClosedError):
 				// conn has been forced to close, so we exit the loop
 				return
 			default:
@@ -860,7 +977,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 		PreSharedKey: e.config.PreSharedKey,
 	}

-	if e.config.RosenpassEnabled {
+	if e.config.RosenpassEnabled && !e.config.RosenpassPermissive {
 		lk := []byte(e.config.WgPrivateKey.PublicKey().String())
 		rk := []byte(wgConfig.RemoteKey)
 		var keyInput []byte
@@ -941,7 +1058,7 @@ func (e *Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, e
 func (e *Engine) receiveSignalEvents() {
 	go func() {
 		// connect to a stream of messages coming from the signal server
-		err := e.signal.Receive(func(msg *sProto.Message) error {
+		err := e.signal.Receive(e.ctx, func(msg *sProto.Message) error {
 			e.syncMsgMux.Lock()
 			defer e.syncMsgMux.Unlock()

@@ -1005,7 +1122,8 @@ func (e *Engine) receiveSignalEvents() {
 					log.Errorf("failed on parsing remote candidate %s -> %s", candidate, err)
 					return err
 				}
-				conn.OnRemoteCandidate(candidate)
+
+				conn.OnRemoteCandidate(candidate, e.GetClientRoutes())
 			case sProto.Body_MODE:
 			}

@@ -1015,7 +1133,7 @@ func (e *Engine) receiveSignalEvents() {
 			// happens if signal is unavailable for a long time.
 			// We want to cancel the operation of the whole client
 			_ = CtxGetState(e.ctx).Wrap(ErrResetConnection)
-			e.cancel()
+			e.clientCancel()
 			return
 		}
 	}()
@@ -1076,13 +1194,20 @@ func (e *Engine) parseNATExternalIPMappings() []string {
 }

 func (e *Engine) close() {
-	if err := e.wgProxyFactory.Free(); err != nil {
-		log.Errorf("failed closing ebpf proxy: %s", err)
+	if e.wgProxyFactory != nil {
+		if err := e.wgProxyFactory.Free(); err != nil {
+			log.Errorf("failed closing ebpf proxy: %s", err)
+		}
 	}

 	// stop/restore DNS first so dbus and friends don't complain because of a missing interface
 	if e.dnsServer != nil {
 		e.dnsServer.Stop()
+		e.dnsServer = nil
+	}
+
+	if e.routeManager != nil {
+		e.routeManager.Stop()
 	}

 	log.Debugf("removing Netbird interface %s", e.config.WgIfaceName)
@@ -1099,10 +1224,6 @@ func (e *Engine) close() {
 		}
 	}

-	if e.routeManager != nil {
-		e.routeManager.Stop()
-	}
-
 	if e.firewall != nil {
 		err := e.firewall.Reset()
 		if err != nil {
@@ -1145,7 +1266,7 @@ func (e *Engine) newWgIface() (*iface.WGIface, error) {
 	default:
 	}

-	return iface.NewWGIFace(e.config.WgIfaceName, e.config.WgAddr, e.config.WgPort, e.config.WgPrivateKey.String(), iface.DefaultMTU, transportNet, mArgs)
+	return iface.NewWGIFace(e.config.WgIfaceName, e.config.WgAddr, e.config.WgAddr6, e.config.WgPort, e.config.WgPrivateKey.String(), iface.DefaultMTU, transportNet, mArgs)
 }

 func (e *Engine) wgInterfaceCreate() (err error) {
@@ -1172,14 +1293,21 @@ func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {
 		if err != nil {
 			return nil, nil, err
 		}
-		dnsServer := dns.NewDefaultServerPermanentUpstream(e.ctx, e.wgInterface, e.mobileDep.HostDNSAddresses, *dnsConfig, e.mobileDep.NetworkChangeListener)
+		dnsServer := dns.NewDefaultServerPermanentUpstream(
+			e.ctx,
+			e.wgInterface,
+			e.mobileDep.HostDNSAddresses,
+			*dnsConfig,
+			e.mobileDep.NetworkChangeListener,
+			e.statusRecorder,
+		)
 		go e.mobileDep.DnsReadyListener.OnReady()
 		return routes, dnsServer, nil
 	case "ios":
-		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager)
+		dnsServer := dns.NewDefaultServerIos(e.ctx, e.wgInterface, e.mobileDep.DnsManager, e.statusRecorder)
 		return nil, dnsServer, nil
 	default:
-		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
+		dnsServer, err := dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress, e.statusRecorder)
 		if err != nil {
 			return nil, nil, err
 		}
@@ -1187,6 +1315,31 @@ func (e *Engine) newDnsServer() ([]*route.Route, dns.Server, error) {
 	}
 }

+// GetClientRoutes returns the current routes from the route map
+func (e *Engine) GetClientRoutes() route.HAMap {
+	e.clientRoutesMu.RLock()
+	defer e.clientRoutesMu.RUnlock()
+
+	return maps.Clone(e.clientRoutes)
+}
+
+// GetClientRoutesWithNetID returns the current routes from the route map, but the keys consist of the network ID only
+func (e *Engine) GetClientRoutesWithNetID() map[route.NetID][]*route.Route {
+	e.clientRoutesMu.RLock()
+	defer e.clientRoutesMu.RUnlock()
+
+	routes := make(map[route.NetID][]*route.Route, len(e.clientRoutes))
+	for id, v := range e.clientRoutes {
+		routes[id.NetID()] = v
+	}
+	return routes
+}
+
+// GetRouteManager returns the route manager
+func (e *Engine) GetRouteManager() routemanager.Manager {
+	return e.routeManager
+}
+
 func findIPFromInterfaceName(ifaceName string) (net.IP, error) {
 	iface, err := net.InterfaceByName(ifaceName)
 	if err != nil {
@@ -1270,7 +1423,7 @@ func (e *Engine) receiveProbeEvents() {
 					log.Debugf("failed to get wg stats for peer %s: %s", key, err)
 				}
 				// wgStats could be zero value, in which case we just reset the stats
-				if err := e.statusRecorder.UpdateWireguardPeerState(key, wgStats); err != nil {
+				if err := e.statusRecorder.UpdateWireGuardPeerState(key, wgStats); err != nil {
 					log.Debugf("failed to update wg stats for peer %s: %s", key, err)
 				}
 			}
@@ -1287,3 +1440,26 @@ func (e *Engine) probeSTUNs() []relay.ProbeResult {
 func (e *Engine) probeTURNs() []relay.ProbeResult {
 	return relay.ProbeAll(e.ctx, relay.ProbeTURN, e.TURNs)
 }
+
+func (e *Engine) startNetworkMonitor() {
+	if !e.config.NetworkMonitor {
+		log.Infof("Network monitor is disabled, not starting")
+		return
+	}
+
+	e.networkMonitor = networkmonitor.New()
+	go func() {
+		err := e.networkMonitor.Start(e.ctx, func() {
+			log.Infof("Network monitor detected network change, restarting engine")
+			if err := e.Stop(); err != nil {
+				log.Errorf("Failed to stop engine: %v", err)
+			}
+			if err := e.Start(); err != nil {
+				log.Errorf("Failed to start engine: %v", err)
+			}
+		})
+		if err != nil && !errors.Is(err, networkmonitor.ErrStopped) {
+			log.Errorf("Network monitor: %v", err)
+		}
+	}()
+}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -21,6 +21,8 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/keepalive"

+	"github.com/netbirdio/management-integrations/integrations"
+
 	"github.com/netbirdio/netbird/client/internal/dns"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/internal/routemanager"
@@ -70,10 +72,11 @@ func TestEngine_SSH(t *testing.T) {
 	defer cancel()

 	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-		WgIfaceName:  "utun101",
-		WgAddr:       "100.64.0.1/24",
-		WgPrivateKey: key,
-		WgPort:       33100,
+		WgIfaceName:      "utun101",
+		WgAddr:           "100.64.0.1/24",
+		WgPrivateKey:     key,
+		WgPort:           33100,
+		ServerSSHAllowed: true,
 	}, MobileDependency{}, peer.NewRecorder("https://mgm"))

 	engine.dnsServer = &dns.MockServer{
@@ -213,7 +216,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
+	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", "", engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -226,6 +229,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		t.Fatal(err)
 	}
 	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
+	engine.ctx = ctx

 	type testCase struct {
 		name       string
@@ -389,7 +393,7 @@ func TestEngine_Sync(t *testing.T) {
 	// feed updates to Engine via mocked Management client
 	updates := make(chan *mgmtProto.SyncResponse)
 	defer close(updates)
-	syncFunc := func(msgHandler func(msg *mgmtProto.SyncResponse) error) error {
+	syncFunc := func(ctx context.Context, msgHandler func(msg *mgmtProto.SyncResponse) error) error {
 		for msg := range updates {
 			err := msgHandler(msg)
 			if err != nil {
@@ -405,6 +409,7 @@ func TestEngine_Sync(t *testing.T) {
 		WgPrivateKey: key,
 		WgPort:       33100,
 	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+	engine.ctx = ctx

 	engine.dnsServer = &dns.MockServer{
 		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
@@ -560,14 +565,16 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
+				WgAddr6:      "",
 				WgPrivateKey: key,
 				WgPort:       33100,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			engine.ctx = ctx
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgAddr6, engine.config.WgPort, key.String(), iface.DefaultMTU, newNet, nil)
 			assert.NoError(t, err, "shouldn't return error")
 			input := struct {
 				inputSerial uint64
@@ -575,10 +582,10 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			}{}

 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
 					input.inputSerial = updateSerial
 					input.inputRoutes = newRoutes
-					return testCase.inputErr
+					return nil, nil, testCase.inputErr
 				},
 			}

@@ -595,8 +602,8 @@ func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
 			err = engine.updateNetworkMap(testCase.networkMap)
 			assert.NoError(t, err, "shouldn't return error")
 			assert.Equal(t, testCase.expectedSerial, input.inputSerial, "serial should match")
-			assert.Len(t, input.inputRoutes, testCase.expectedLen, "routes len should match")
-			assert.Equal(t, testCase.expectedRoutes, input.inputRoutes, "routes should match")
+			assert.Len(t, input.inputRoutes, testCase.expectedLen, "clientRoutes len should match")
+			assert.Equal(t, testCase.expectedRoutes, input.inputRoutes, "clientRoutes should match")
 		})
 	}
 }
@@ -729,19 +736,22 @@ func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
 			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
 				WgIfaceName:  wgIfaceName,
 				WgAddr:       wgAddr,
+				WgAddr6:      "",
 				WgPrivateKey: key,
 				WgPort:       33100,
 			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
+			engine.ctx = ctx
+
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, 33100, key.String(), iface.DefaultMTU, newNet, nil)
+			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, engine.config.WgAddr6, 33100, key.String(), iface.DefaultMTU, newNet, nil)
 			assert.NoError(t, err, "shouldn't return error")

 			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
-					return nil
+				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
+					return nil, nil, nil
 				},
 			}

@@ -1000,7 +1010,9 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}

-	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
+	e, err := NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
+	e.ctx = ctx
+	return e, err
 }

 func startSignal() (*grpc.Server, string, error) {
@@ -1039,7 +1051,7 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 		return nil, "", err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, err := server.NewStoreFromJson(config.Datadir, nil)
+	store, _, err := server.NewTestStoreFromJson(config.Datadir)
 	if err != nil {
 		return nil, "", err
 	}
@@ -1049,8 +1061,8 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 	if err != nil {
 		return nil, "", err
 	}
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore, false)
+	ia, _ := integrations.NewIntegratedValidator(eventStore)
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "netbird.selfhosted", eventStore, nil, false, ia)
 	if err != nil {
 		return nil, "", err
 	}
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -68,7 +68,7 @@ func Login(ctx context.Context, config *Config, setupKey string, jwtToken string
 	}

 	serverKey, err := doMgmLogin(ctx, mgmClient, pubSSHKey)
-	if isRegistrationNeeded(err) {
+	if serverKey != nil && isRegistrationNeeded(err) {
 		log.Debugf("peer registration required")
 		_, err = registerPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey)
 		return err
--- a/client/internal/networkmonitor/monitor.go
+++ b/client/internal/networkmonitor/monitor.go
@@ -0,0 +1,21 @@
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"sync"
+)
+
+var ErrStopped = errors.New("monitor has been stopped")
+
+// NetworkMonitor watches for changes in network configuration.
+type NetworkMonitor struct {
+	cancel context.CancelFunc
+	wg     sync.WaitGroup
+	mu     sync.Mutex
+}
+
+// New creates a new network monitor.
+func New() *NetworkMonitor {
+	return &NetworkMonitor{}
+}
--- a/client/internal/networkmonitor/monitor_bsd.go
+++ b/client/internal/networkmonitor/monitor_bsd.go
@@ -0,0 +1,133 @@
+//go:build (darwin && !ios) || dragonfly || freebsd || netbsd || openbsd
+
+package networkmonitor
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"syscall"
+	"unsafe"
+
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/net/route"
+	"golang.org/x/sys/unix"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager"
+)
+
+func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interface, nexthopv6 netip.Addr, intfv6 *net.Interface, callback func()) error {
+	fd, err := unix.Socket(syscall.AF_ROUTE, syscall.SOCK_RAW, syscall.AF_UNSPEC)
+	if err != nil {
+		return fmt.Errorf("failed to open routing socket: %v", err)
+	}
+	defer func() {
+		if err := unix.Close(fd); err != nil {
+			log.Errorf("Network monitor: failed to close routing socket: %v", err)
+		}
+	}()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ErrStopped
+		default:
+			buf := make([]byte, 2048)
+			n, err := unix.Read(fd, buf)
+			if err != nil {
+				log.Errorf("Network monitor: failed to read from routing socket: %v", err)
+				continue
+			}
+			if n < unix.SizeofRtMsghdr {
+				log.Errorf("Network monitor: read from routing socket returned less than expected: %d bytes", n)
+				continue
+			}
+
+			msg := (*unix.RtMsghdr)(unsafe.Pointer(&buf[0]))
+
+			switch msg.Type {
+
+			// handle interface state changes
+			case unix.RTM_IFINFO:
+				ifinfo, err := parseInterfaceMessage(buf[:n])
+				if err != nil {
+					log.Errorf("Network monitor: error parsing interface message: %v", err)
+					continue
+				}
+				if msg.Flags&unix.IFF_UP != 0 {
+					continue
+				}
+				if (intfv4 == nil || ifinfo.Index != intfv4.Index) && (intfv6 == nil || ifinfo.Index != intfv6.Index) {
+					continue
+				}
+
+				log.Infof("Network monitor: monitored interface (%s) is down.", ifinfo.Name)
+				go callback()
+
+			// handle route changes
+			case unix.RTM_ADD, syscall.RTM_DELETE:
+				route, err := parseRouteMessage(buf[:n])
+				if err != nil {
+					log.Errorf("Network monitor: error parsing routing message: %v", err)
+					continue
+				}
+
+				if !route.Dst.Addr().IsUnspecified() {
+					continue
+				}
+
+				intf := "<nil>"
+				if route.Interface != nil {
+					intf = route.Interface.Name
+				}
+				switch msg.Type {
+				case unix.RTM_ADD:
+					log.Infof("Network monitor: default route changed: via %s, interface %s", route.Gw, intf)
+					go callback()
+				case unix.RTM_DELETE:
+					if intfv4 != nil && route.Gw.Compare(nexthopv4) == 0 || intfv6 != nil && route.Gw.Compare(nexthopv6) == 0 {
+						log.Infof("Network monitor: default route removed: via %s, interface %s", route.Gw, intf)
+						go callback()
+					}
+				}
+			}
+		}
+	}
+}
+
+func parseInterfaceMessage(buf []byte) (*route.InterfaceMessage, error) {
+	msgs, err := route.ParseRIB(route.RIBTypeInterface, buf)
+	if err != nil {
+		return nil, fmt.Errorf("parse RIB: %v", err)
+	}
+
+	if len(msgs) != 1 {
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+	}
+
+	msg, ok := msgs[0].(*route.InterfaceMessage)
+	if !ok {
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+	}
+
+	return msg, nil
+}
+
+func parseRouteMessage(buf []byte) (*routemanager.Route, error) {
+	msgs, err := route.ParseRIB(route.RIBTypeRoute, buf)
+	if err != nil {
+		return nil, fmt.Errorf("parse RIB: %v", err)
+	}
+
+	if len(msgs) != 1 {
+		return nil, fmt.Errorf("unexpected RIB message msgs: %v", msgs)
+	}
+
+	msg, ok := msgs[0].(*route.RouteMessage)
+	if !ok {
+		return nil, fmt.Errorf("unexpected RIB message type: %T", msgs[0])
+	}
+
+	return routemanager.MsgToRoute(msg)
+}
--- a/client/internal/networkmonitor/monitor_generic.go
+++ b/client/internal/networkmonitor/monitor_generic.go
@@ -0,0 +1,84 @@
+//go:build !ios && !android
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime/debug"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager"
+)
+
+// Start begins monitoring network changes. When a change is detected, it calls the callback asynchronously and returns.
+func (nw *NetworkMonitor) Start(ctx context.Context, callback func()) (err error) {
+	if ctx.Err() != nil {
+		return ctx.Err()
+	}
+
+	nw.mu.Lock()
+	ctx, nw.cancel = context.WithCancel(ctx)
+	nw.mu.Unlock()
+
+	nw.wg.Add(1)
+	defer nw.wg.Done()
+
+	var nexthop4, nexthop6 netip.Addr
+	var intf4, intf6 *net.Interface
+
+	operation := func() error {
+		var errv4, errv6 error
+		nexthop4, intf4, errv4 = routemanager.GetNextHop(netip.IPv4Unspecified())
+		nexthop6, intf6, errv6 = routemanager.GetNextHop(netip.IPv6Unspecified())
+
+		if errv4 != nil && errv6 != nil {
+			return errors.New("failed to get default next hops")
+		}
+
+		if errv4 == nil {
+			log.Debugf("Network monitor: IPv4 default route: %s, interface: %s", nexthop4, intf4.Name)
+		}
+		if errv6 == nil {
+			log.Debugf("Network monitor: IPv6 default route: %s, interface: %s", nexthop6, intf6.Name)
+		}
+
+		// continue if either route was found
+		return nil
+	}
+
+	expBackOff := backoff.WithContext(backoff.NewExponentialBackOff(), ctx)
+
+	if err := backoff.Retry(operation, expBackOff); err != nil {
+		return fmt.Errorf("failed to get default next hops: %w", err)
+	}
+
+	// recover in case sys ops panic
+	defer func() {
+		if r := recover(); r != nil {
+			err = fmt.Errorf("panic occurred: %v, stack trace: %s", r, string(debug.Stack()))
+		}
+	}()
+
+	if err := checkChange(ctx, nexthop4, intf4, nexthop6, intf6, callback); err != nil {
+		return fmt.Errorf("check change: %w", err)
+	}
+
+	return nil
+}
+
+// Stop stops the network monitor.
+func (nw *NetworkMonitor) Stop() {
+	nw.mu.Lock()
+	defer nw.mu.Unlock()
+
+	if nw.cancel != nil {
+		nw.cancel()
+		nw.wg.Wait()
+	}
+}
--- a/client/internal/networkmonitor/monitor_linux.go
+++ b/client/internal/networkmonitor/monitor_linux.go
@@ -0,0 +1,81 @@
+//go:build !android
+
+package networkmonitor
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"syscall"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/vishvananda/netlink"
+)
+
+func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interface, nexthop6 netip.Addr, intfv6 *net.Interface, callback func()) error {
+	if intfv4 == nil && intfv6 == nil {
+		return errors.New("no interfaces available")
+	}
+
+	linkChan := make(chan netlink.LinkUpdate)
+	done := make(chan struct{})
+	defer close(done)
+
+	if err := netlink.LinkSubscribe(linkChan, done); err != nil {
+		return fmt.Errorf("subscribe to link updates: %v", err)
+	}
+
+	routeChan := make(chan netlink.RouteUpdate)
+	if err := netlink.RouteSubscribe(routeChan, done); err != nil {
+		return fmt.Errorf("subscribe to route updates: %v", err)
+	}
+
+	log.Info("Network monitor: started")
+	for {
+		select {
+		case <-ctx.Done():
+			return ErrStopped
+
+		// handle interface state changes
+		case update := <-linkChan:
+			if (intfv4 == nil || update.Index != int32(intfv4.Index)) && (intfv6 == nil || update.Index != int32(intfv6.Index)) {
+				continue
+			}
+
+			switch update.Header.Type {
+			case syscall.RTM_DELLINK:
+				log.Infof("Network monitor: monitored interface (%s) is gone", update.Link.Attrs().Name)
+				go callback()
+				return nil
+			case syscall.RTM_NEWLINK:
+				if (update.IfInfomsg.Flags&syscall.IFF_RUNNING) == 0 && update.Link.Attrs().OperState == netlink.OperDown {
+					log.Infof("Network monitor: monitored interface (%s) is down.", update.Link.Attrs().Name)
+					go callback()
+					return nil
+				}
+			}
+
+		// handle route changes
+		case route := <-routeChan:
+			// default route and main table
+			if route.Dst != nil || route.Table != syscall.RT_TABLE_MAIN {
+				continue
+			}
+			switch route.Type {
+			// triggered on added/replaced routes
+			case syscall.RTM_NEWROUTE:
+				log.Infof("Network monitor: default route changed: via %s, interface %d", route.Gw, route.LinkIndex)
+				go callback()
+				return nil
+			case syscall.RTM_DELROUTE:
+				if intfv4 != nil && route.Gw.Equal(nexthopv4.AsSlice()) || intfv6 != nil && route.Gw.Equal(nexthop6.AsSlice()) {
+					log.Infof("Network monitor: default route removed: via %s, interface %d", route.Gw, route.LinkIndex)
+					go callback()
+					return nil
+				}
+			}
+		}
+	}
+}
--- a/client/internal/networkmonitor/monitor_mobile.go
+++ b/client/internal/networkmonitor/monitor_mobile.go
@@ -0,0 +1,12 @@
+//go:build ios || android
+
+package networkmonitor
+
+import "context"
+
+func (nw *NetworkMonitor) Start(context.Context, func()) error {
+	return nil
+}
+
+func (nw *NetworkMonitor) Stop() {
+}
--- a/client/internal/networkmonitor/monitor_windows.go
+++ b/client/internal/networkmonitor/monitor_windows.go
@@ -0,0 +1,215 @@
+package networkmonitor
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/routemanager"
+)
+
+const (
+	unreachable = 0
+	incomplete  = 1
+	probe       = 2
+	delay       = 3
+	stale       = 4
+	reachable   = 5
+	permanent   = 6
+	tbd         = 7
+)
+
+const interval = 10 * time.Second
+
+func checkChange(ctx context.Context, nexthopv4 netip.Addr, intfv4 *net.Interface, nexthopv6 netip.Addr, intfv6 *net.Interface, callback func()) error {
+	var neighborv4, neighborv6 *routemanager.Neighbor
+	{
+		initialNeighbors, err := getNeighbors()
+		if err != nil {
+			return fmt.Errorf("get neighbors: %w", err)
+		}
+
+		if n, ok := initialNeighbors[nexthopv4]; ok {
+			neighborv4 = &n
+		}
+		if n, ok := initialNeighbors[nexthopv6]; ok {
+			neighborv6 = &n
+		}
+	}
+	log.Debugf("Network monitor: initial IPv4 neighbor: %v, IPv6 neighbor: %v", neighborv4, neighborv6)
+
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return ErrStopped
+		case <-ticker.C:
+			if changed(nexthopv4, intfv4, neighborv4, nexthopv6, intfv6, neighborv6) {
+				go callback()
+				return nil
+			}
+		}
+	}
+}
+
+func changed(
+	nexthopv4 netip.Addr,
+	intfv4 *net.Interface,
+	neighborv4 *routemanager.Neighbor,
+	nexthopv6 netip.Addr,
+	intfv6 *net.Interface,
+	neighborv6 *routemanager.Neighbor,
+) bool {
+	neighbors, err := getNeighbors()
+	if err != nil {
+		log.Errorf("network monitor: error fetching current neighbors: %v", err)
+		return false
+	}
+	if neighborChanged(nexthopv4, neighborv4, neighbors) || neighborChanged(nexthopv6, neighborv6, neighbors) {
+		return true
+	}
+
+	routes, err := getRoutes()
+	if err != nil {
+		log.Errorf("network monitor: error fetching current routes: %v", err)
+		return false
+	}
+
+	if routeChanged(nexthopv4, intfv4, routes) || routeChanged(nexthopv6, intfv6, routes) {
+		return true
+	}
+
+	return false
+}
+
+// routeChanged checks if the default routes still point to our nexthop/interface
+func routeChanged(nexthop netip.Addr, intf *net.Interface, routes map[netip.Prefix]routemanager.Route) bool {
+	if !nexthop.IsValid() {
+		return false
+	}
+
+	var unspec netip.Prefix
+	if nexthop.Is6() {
+		unspec = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+	} else {
+		unspec = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+	}
+
+	if r, ok := routes[unspec]; ok {
+		if r.Nexthop != nexthop || compareIntf(r.Interface, intf) != 0 {
+			intf := "<nil>"
+			if r.Interface != nil {
+				intf = r.Interface.Name
+			}
+			log.Infof("network monitor: default route changed: %s via %s (%s)", r.Destination, r.Nexthop, intf)
+			return true
+		}
+	} else {
+		log.Infof("network monitor: default route is gone")
+		return true
+	}
+
+	return false
+
+}
+
+func neighborChanged(nexthop netip.Addr, neighbor *routemanager.Neighbor, neighbors map[netip.Addr]routemanager.Neighbor) bool {
+	if neighbor == nil {
+		return false
+	}
+
+	// TODO: consider non-local nexthops, e.g. on point-to-point interfaces
+	if n, ok := neighbors[nexthop]; ok {
+		if n.State != reachable && n.State != permanent {
+			log.Infof("network monitor: neighbor %s (%s) is not reachable: %s", neighbor.IPAddress, neighbor.LinkLayerAddress, stateFromInt(n.State))
+			return true
+		} else if n.InterfaceIndex != neighbor.InterfaceIndex {
+			log.Infof(
+				"network monitor: neighbor %s (%s) changed interface from '%s' (%d) to '%s' (%d): %s",
+				neighbor.IPAddress,
+				neighbor.LinkLayerAddress,
+				neighbor.InterfaceAlias,
+				neighbor.InterfaceIndex,
+				n.InterfaceAlias,
+				n.InterfaceIndex,
+				stateFromInt(n.State),
+			)
+			return true
+		}
+	} else {
+		log.Infof("network monitor: neighbor %s (%s) is gone", neighbor.IPAddress, neighbor.LinkLayerAddress)
+		return true
+	}
+
+	return false
+}
+
+func getNeighbors() (map[netip.Addr]routemanager.Neighbor, error) {
+	entries, err := routemanager.GetNeighbors()
+	if err != nil {
+		return nil, fmt.Errorf("get neighbors: %w", err)
+	}
+
+	neighbours := make(map[netip.Addr]routemanager.Neighbor, len(entries))
+	for _, entry := range entries {
+		neighbours[entry.IPAddress] = entry
+	}
+
+	return neighbours, nil
+}
+
+func getRoutes() (map[netip.Prefix]routemanager.Route, error) {
+	entries, err := routemanager.GetRoutes()
+	if err != nil {
+		return nil, fmt.Errorf("get routes: %w", err)
+	}
+
+	routes := make(map[netip.Prefix]routemanager.Route, len(entries))
+	for _, entry := range entries {
+		routes[entry.Destination] = entry
+	}
+
+	return routes, nil
+}
+
+func stateFromInt(state uint8) string {
+	switch state {
+	case unreachable:
+		return "unreachable"
+	case incomplete:
+		return "incomplete"
+	case probe:
+		return "probe"
+	case delay:
+		return "delay"
+	case stale:
+		return "stale"
+	case reachable:
+		return "reachable"
+	case permanent:
+		return "permanent"
+	case tbd:
+		return "tbd"
+	default:
+		return "unknown"
+	}
+}
+
+func compareIntf(a, b *net.Interface) int {
+	if a == nil && b == nil {
+		return 0
+	}
+	if a == nil {
+		return -1
+	}
+	if b == nil {
+		return 1
+	}
+	return a.Index - b.Index
+}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"net/netip"
 	"runtime"
 	"strings"
 	"sync"
@@ -18,14 +19,18 @@ import (
 	"github.com/netbirdio/netbird/client/internal/wgproxy"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/iface/bind"
+	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	sProto "github.com/netbirdio/netbird/signal/proto"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )

 const (
 	iceKeepAliveDefault           = 4 * time.Second
 	iceDisconnectedTimeoutDefault = 6 * time.Second
+	// iceRelayAcceptanceMinWaitDefault is the same as in the Pion ICE package
+	iceRelayAcceptanceMinWaitDefault = 2 * time.Second

 	defaultWgKeepAlive = 25 * time.Second
 )
@@ -98,6 +103,9 @@ type IceCredentials struct {
 	Pwd   string
 }

+type BeforeAddPeerHookFunc func(connID nbnet.ConnectionID, IP net.IP) error
+type AfterRemovePeerHookFunc func(connID nbnet.ConnectionID) error
+
 type Conn struct {
 	config ConnConfig
 	mu     sync.Mutex
@@ -133,6 +141,13 @@ type Conn struct {
 	adapter        iface.TunAdapter
 	iFaceDiscover  stdnet.ExternalIFaceDiscover
 	sentExtraSrflx bool
+
+	remoteEndpoint *net.UDPAddr
+	remoteConn     *ice.Conn
+
+	connID               nbnet.ConnectionID
+	beforeAddPeerHooks   []BeforeAddPeerHookFunc
+	afterRemovePeerHooks []AfterRemovePeerHookFunc
 }

 // meta holds meta information about a connection
@@ -193,20 +208,22 @@ func (conn *Conn) reCreateAgent() error {

 	iceKeepAlive := iceKeepAlive()
 	iceDisconnectedTimeout := iceDisconnectedTimeout()
+	iceRelayAcceptanceMinWait := iceRelayAcceptanceMinWait()

 	agentConfig := &ice.AgentConfig{
-		MulticastDNSMode:    ice.MulticastDNSModeDisabled,
-		NetworkTypes:        []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
-		Urls:                conn.config.StunTurn,
-		CandidateTypes:      conn.candidateTypes(),
-		FailedTimeout:       &failedTimeout,
-		InterfaceFilter:     stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
-		UDPMux:              conn.config.UDPMux,
-		UDPMuxSrflx:         conn.config.UDPMuxSrflx,
-		NAT1To1IPs:          conn.config.NATExternalIPs,
-		Net:                 transportNet,
-		DisconnectedTimeout: &iceDisconnectedTimeout,
-		KeepaliveInterval:   &iceKeepAlive,
+		MulticastDNSMode:       ice.MulticastDNSModeDisabled,
+		NetworkTypes:           []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
+		Urls:                   conn.config.StunTurn,
+		CandidateTypes:         conn.candidateTypes(),
+		FailedTimeout:          &failedTimeout,
+		InterfaceFilter:        stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:                 conn.config.UDPMux,
+		UDPMuxSrflx:            conn.config.UDPMuxSrflx,
+		NAT1To1IPs:             conn.config.NATExternalIPs,
+		Net:                    transportNet,
+		DisconnectedTimeout:    &iceDisconnectedTimeout,
+		KeepaliveInterval:      &iceKeepAlive,
+		RelayAcceptanceMinWait: &iceRelayAcceptanceMinWait,
 	}

 	if conn.config.DisableIPv6Discovery {
@@ -214,7 +231,6 @@ func (conn *Conn) reCreateAgent() error {
 	}

 	conn.agent, err = ice.NewAgent(agentConfig)
-
 	if err != nil {
 		return err
 	}
@@ -234,6 +250,17 @@ func (conn *Conn) reCreateAgent() error {
 		return err
 	}

+	err = conn.agent.OnSuccessfulSelectedPairBindingResponse(func(p *ice.CandidatePair) {
+		err := conn.statusRecorder.UpdateLatency(conn.config.Key, p.Latency())
+		if err != nil {
+			log.Debugf("failed to update latency for peer %s: %s", conn.config.Key, err)
+			return
+		}
+	})
+	if err != nil {
+		return fmt.Errorf("failed setting binding response callback: %w", err)
+	}
+
 	return nil
 }

@@ -251,7 +278,7 @@ func (conn *Conn) candidateTypes() []ice.CandidateType {
 // Open opens connection to the remote peer starting ICE candidate gathering process.
 // Blocks until connection has been closed or connection timeout.
 // ConnStatus will be set accordingly
-func (conn *Conn) Open() error {
+func (conn *Conn) Open(ctx context.Context) error {
 	log.Debugf("trying to connect to peer %s", conn.config.Key)

 	peerState := State{
@@ -259,6 +286,7 @@ func (conn *Conn) Open() error {
 		IP:               strings.Split(conn.config.WgConfig.AllowedIps, "/")[0],
 		ConnStatusUpdate: time.Now(),
 		ConnStatus:       conn.status,
+		Mux:              new(sync.RWMutex),
 	}
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -310,7 +338,7 @@ func (conn *Conn) Open() error {
 	// at this point we received offer/answer and we are ready to gather candidates
 	conn.mu.Lock()
 	conn.status = StatusConnecting
-	conn.ctx, conn.notifyDisconnected = context.WithCancel(context.Background())
+	conn.ctx, conn.notifyDisconnected = context.WithCancel(ctx)
 	defer conn.notifyDisconnected()
 	conn.mu.Unlock()

@@ -318,6 +346,7 @@ func (conn *Conn) Open() error {
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.status,
 		ConnStatusUpdate: time.Now(),
+		Mux:              new(sync.RWMutex),
 	}
 	err = conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -326,7 +355,7 @@ func (conn *Conn) Open() error {

 	err = conn.agent.GatherCandidates()
 	if err != nil {
-		return err
+		return fmt.Errorf("gather candidates: %v", err)
 	}

 	// will block until connection succeeded
@@ -343,11 +372,14 @@ func (conn *Conn) Open() error {
 		return err
 	}

-	// dynamically set remote WireGuard port is other side specified a different one from the default one
+	// dynamically set remote WireGuard port if other side specified a different one from the default one
 	remoteWgPort := iface.DefaultWgPort
 	if remoteOfferAnswer.WgListenPort != 0 {
 		remoteWgPort = remoteOfferAnswer.WgListenPort
 	}
+
+	conn.remoteConn = remoteConn
+
 	// the ice connection has been established successfully so we are ready to start the proxy
 	remoteAddr, err := conn.configureConnection(remoteConn, remoteWgPort, remoteOfferAnswer.RosenpassPubKey,
 		remoteOfferAnswer.RosenpassAddr)
@@ -372,6 +404,14 @@ func isRelayCandidate(candidate ice.Candidate) bool {
 	return candidate.Type() == ice.CandidateTypeRelay
 }

+func (conn *Conn) AddBeforeAddPeerHook(hook BeforeAddPeerHookFunc) {
+	conn.beforeAddPeerHooks = append(conn.beforeAddPeerHooks, hook)
+}
+
+func (conn *Conn) AddAfterRemovePeerHook(hook AfterRemovePeerHookFunc) {
+	conn.afterRemovePeerHooks = append(conn.afterRemovePeerHooks, hook)
+}
+
 // configureConnection starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
 func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, remoteRosenpassPubKey []byte, remoteRosenpassAddr string) (net.Addr, error) {
 	conn.mu.Lock()
@@ -385,7 +425,7 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	var endpoint net.Addr
 	if isRelayCandidate(pair.Local) {
 		log.Debugf("setup relay connection")
-		conn.wgProxy = conn.wgProxyFactory.GetProxy()
+		conn.wgProxy = conn.wgProxyFactory.GetProxy(conn.ctx)
 		endpoint, err = conn.wgProxy.AddTurnConn(remoteConn)
 		if err != nil {
 			return nil, err
@@ -397,16 +437,31 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	}

 	endpointUdpAddr, _ := net.ResolveUDPAddr(endpoint.Network(), endpoint.String())
+	conn.remoteEndpoint = endpointUdpAddr
+	log.Debugf("Conn resolved IP for %s: %s", endpoint, endpointUdpAddr.IP)
+
+	conn.connID = nbnet.GenerateConnID()
+	for _, hook := range conn.beforeAddPeerHooks {
+		if err := hook(conn.connID, endpointUdpAddr.IP); err != nil {
+			log.Errorf("Before add peer hook failed: %v", err)
+		}
+	}

 	err = conn.config.WgConfig.WgInterface.UpdatePeer(conn.config.WgConfig.RemoteKey, conn.config.WgConfig.AllowedIps, defaultWgKeepAlive, endpointUdpAddr, conn.config.WgConfig.PreSharedKey)
 	if err != nil {
 		if conn.wgProxy != nil {
-			_ = conn.wgProxy.CloseConn()
+			if err := conn.wgProxy.CloseConn(); err != nil {
+				log.Warnf("Failed to close turn connection: %v", err)
+			}
 		}
-		return nil, err
+		return nil, fmt.Errorf("update peer: %w", err)
 	}

 	conn.status = StatusConnected
+	rosenpassEnabled := false
+	if remoteRosenpassPubKey != nil {
+		rosenpassEnabled = true
+	}

 	peerState := State{
 		PubKey:                     conn.config.Key,
@@ -415,8 +470,10 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 		LocalIceCandidateType:      pair.Local.Type().String(),
 		RemoteIceCandidateType:     pair.Remote.Type().String(),
 		LocalIceCandidateEndpoint:  fmt.Sprintf("%s:%d", pair.Local.Address(), pair.Local.Port()),
-		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Local.Port()),
+		RemoteIceCandidateEndpoint: fmt.Sprintf("%s:%d", pair.Remote.Address(), pair.Remote.Port()),
 		Direct:                     !isRelayCandidate(pair.Local),
+		RosenpassEnabled:           rosenpassEnabled,
+		Mux:                        new(sync.RWMutex),
 	}
 	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		peerState.Relayed = true
@@ -427,11 +484,15 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 		log.Warnf("unable to save peer's state, got error: %v", err)
 	}

-	_, ipNet, err := net.ParseCIDR(conn.config.WgConfig.AllowedIps)
+	_, ipNet, err := net.ParseCIDR(strings.Split(conn.config.WgConfig.AllowedIps, ",")[0])
 	if err != nil {
 		return nil, err
 	}

+	if runtime.GOOS == "ios" {
+		runtime.GC()
+	}
+
 	if conn.onConnected != nil {
 		conn.onConnected(conn.config.Key, remoteRosenpassPubKey, ipNet.IP.String(), remoteRosenpassAddr)
 	}
@@ -483,6 +544,15 @@ func (conn *Conn) cleanup() error {
 	// todo: is it problem if we try to remove a peer what is never existed?
 	err3 = conn.config.WgConfig.WgInterface.RemovePeer(conn.config.WgConfig.RemoteKey)

+	if conn.connID != "" {
+		for _, hook := range conn.afterRemovePeerHooks {
+			if err := hook(conn.connID); err != nil {
+				log.Errorf("After remove peer hook failed: %v", err)
+			}
+		}
+	}
+	conn.connID = ""
+
 	if conn.notifyDisconnected != nil {
 		conn.notifyDisconnected()
 		conn.notifyDisconnected = nil
@@ -498,6 +568,7 @@ func (conn *Conn) cleanup() error {
 		PubKey:           conn.config.Key,
 		ConnStatus:       conn.status,
 		ConnStatusUpdate: time.Now(),
+		Mux:              new(sync.RWMutex),
 	}
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
@@ -505,7 +576,7 @@ func (conn *Conn) cleanup() error {
 		// todo rethink status updates
 		log.Debugf("error while updating peer's %s state, err: %v", conn.config.Key, err)
 	}
-	if err := conn.statusRecorder.UpdateWireguardPeerState(conn.config.Key, iface.WGStats{}); err != nil {
+	if err := conn.statusRecorder.UpdateWireGuardPeerState(conn.config.Key, iface.WGStats{}); err != nil {
 		log.Debugf("failed to reset wireguard stats for peer %s: %s", conn.config.Key, err)
 	}

@@ -667,7 +738,7 @@ func (conn *Conn) Close() error {
 		// before conn.Open() another update from management arrives with peers: [1,2,3,4,5]
 		// engine adds a new Conn for 4 and 5
 		// therefore peer 4 has 2 Conn objects
-		log.Warnf("connection has been already closed or attempted closing not started coonection %s", conn.config.Key)
+		log.Warnf("Connection has been already closed or attempted closing not started connection %s", conn.config.Key)
 		return NewConnectionAlreadyClosed(conn.config.Key)
 	}
 }
@@ -710,7 +781,7 @@ func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) bool {
 }

 // OnRemoteCandidate Handles ICE connection Candidate provided by the remote peer.
-func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
+func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate, haRoutes route.HAMap) {
 	log.Debugf("OnRemoteCandidate from peer %s -> %s", conn.config.Key, candidate.String())
 	go func() {
 		conn.mu.Lock()
@@ -720,6 +791,10 @@ func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
 			return
 		}

+		if candidateViaRoutes(candidate, haRoutes) {
+			return
+		}
+
 		err := conn.agent.AddRemoteCandidate(candidate)
 		if err != nil {
 			log.Errorf("error while handling remote candidate from peer %s", conn.config.Key)
@@ -737,3 +812,31 @@ func (conn *Conn) RegisterProtoSupportMeta(support []uint32) {
 	protoSupport := signal.ParseFeaturesSupported(support)
 	conn.meta.protoSupport = protoSupport
 }
+
+func candidateViaRoutes(candidate ice.Candidate, clientRoutes route.HAMap) bool {
+	var routePrefixes []netip.Prefix
+	for _, routes := range clientRoutes {
+		if len(routes) > 0 && routes[0] != nil {
+			routePrefixes = append(routePrefixes, routes[0].Network)
+		}
+	}
+
+	addr, err := netip.ParseAddr(candidate.Address())
+	if err != nil {
+		log.Errorf("Failed to parse IP address %s: %v", candidate.Address(), err)
+		return false
+	}
+
+	for _, prefix := range routePrefixes {
+		// default route is
+		if prefix.Bits() == 0 {
+			continue
+		}
+
+		if prefix.Contains(addr) {
+			log.Debugf("Ignoring candidate [%s], its address is part of routed network %s", candidate.String(), prefix)
+			return true
+		}
+	}
+	return false
+}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -1,6 +1,7 @@
 package peer

 import (
+	"context"
 	"sync"
 	"testing"
 	"time"
@@ -35,7 +36,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }

 func TestConn_GetKey(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -50,7 +51,7 @@ func TestConn_GetKey(t *testing.T) {
 }

 func TestConn_OnRemoteOffer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -87,7 +88,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 }

 func TestConn_OnRemoteAnswer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -123,7 +124,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg.Wait()
 }
 func TestConn_Status(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -153,7 +154,7 @@ func TestConn_Status(t *testing.T) {
 }

 func TestConn_Close(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
--- a/client/internal/peer/env_config.go
+++ b/client/internal/peer/env_config.go
@@ -10,9 +10,10 @@ import (
 )

 const (
-	envICEKeepAliveIntervalSec   = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
-	envICEDisconnectedTimeoutSec = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
-	envICEForceRelayConn         = "NB_ICE_FORCE_RELAY_CONN"
+	envICEKeepAliveIntervalSec      = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
+	envICEDisconnectedTimeoutSec    = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
+	envICERelayAcceptanceMinWaitSec = "NB_ICE_RELAY_ACCEPTANCE_MIN_WAIT_SEC"
+	envICEForceRelayConn            = "NB_ICE_FORCE_RELAY_CONN"
 )

 func iceKeepAlive() time.Duration {
@@ -21,7 +22,7 @@ func iceKeepAlive() time.Duration {
 		return iceKeepAliveDefault
 	}

-	log.Debugf("setting ICE keep alive interval to %s seconds", keepAliveEnv)
+	log.Infof("setting ICE keep alive interval to %s seconds", keepAliveEnv)
 	keepAliveEnvSec, err := strconv.Atoi(keepAliveEnv)
 	if err != nil {
 		log.Warnf("invalid value %s set for %s, using default %v", keepAliveEnv, envICEKeepAliveIntervalSec, iceKeepAliveDefault)
@@ -37,7 +38,7 @@ func iceDisconnectedTimeout() time.Duration {
 		return iceDisconnectedTimeoutDefault
 	}

-	log.Debugf("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
+	log.Infof("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
 	disconnectedTimeoutSec, err := strconv.Atoi(disconnectedTimeoutEnv)
 	if err != nil {
 		log.Warnf("invalid value %s set for %s, using default %v", disconnectedTimeoutEnv, envICEDisconnectedTimeoutSec, iceDisconnectedTimeoutDefault)
@@ -47,6 +48,22 @@ func iceDisconnectedTimeout() time.Duration {
 	return time.Duration(disconnectedTimeoutSec) * time.Second
 }

+func iceRelayAcceptanceMinWait() time.Duration {
+	iceRelayAcceptanceMinWaitEnv := os.Getenv(envICERelayAcceptanceMinWaitSec)
+	if iceRelayAcceptanceMinWaitEnv == "" {
+		return iceRelayAcceptanceMinWaitDefault
+	}
+
+	log.Infof("setting ICE relay acceptance min wait to %s seconds", iceRelayAcceptanceMinWaitEnv)
+	disconnectedTimeoutSec, err := strconv.Atoi(iceRelayAcceptanceMinWaitEnv)
+	if err != nil {
+		log.Warnf("invalid value %s set for %s, using default %v", iceRelayAcceptanceMinWaitEnv, envICERelayAcceptanceMinWaitSec, iceRelayAcceptanceMinWaitDefault)
+		return iceRelayAcceptanceMinWaitDefault
+	}
+
+	return time.Duration(disconnectedTimeoutSec) * time.Second
+}
+
 func hasICEForceRelayConn() bool {
 	disconnectedTimeoutEnv := os.Getenv(envICEForceRelayConn)
 	return strings.ToLower(disconnectedTimeoutEnv) == "true"
--- a/client/internal/peer/status.go
+++ b/client/internal/peer/status.go
@@ -5,12 +5,16 @@ import (
 	"sync"
 	"time"

+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
 	"github.com/netbirdio/netbird/client/internal/relay"
 	"github.com/netbirdio/netbird/iface"
 )

 // State contains the latest state of a peer
 type State struct {
+	Mux                        *sync.RWMutex
 	IP                         string
 	PubKey                     string
 	FQDN                       string
@@ -25,14 +29,50 @@ type State struct {
 	LastWireguardHandshake     time.Time
 	BytesTx                    int64
 	BytesRx                    int64
+	Latency                    time.Duration
+	RosenpassEnabled           bool
+	routes                     map[string]struct{}
+}
+
+// AddRoute add a single route to routes map
+func (s *State) AddRoute(network string) {
+	s.Mux.Lock()
+	if s.routes == nil {
+		s.routes = make(map[string]struct{})
+	}
+	s.routes[network] = struct{}{}
+	s.Mux.Unlock()
+}
+
+// SetRoutes set state routes
+func (s *State) SetRoutes(routes map[string]struct{}) {
+	s.Mux.Lock()
+	s.routes = routes
+	s.Mux.Unlock()
+}
+
+// DeleteRoute removes a route from the network amp
+func (s *State) DeleteRoute(network string) {
+	s.Mux.Lock()
+	delete(s.routes, network)
+	s.Mux.Unlock()
+}
+
+// GetRoutes return routes map
+func (s *State) GetRoutes() map[string]struct{} {
+	s.Mux.RLock()
+	defer s.Mux.RUnlock()
+	return s.routes
 }

 // LocalPeerState contains the latest state of the local peer
 type LocalPeerState struct {
 	IP              string
+	IP6             string
 	PubKey          string
 	KernelInterface bool
 	FQDN            string
+	Routes          map[string]struct{}
 }

 // SignalState contains the latest state of a signal connection
@@ -49,30 +89,51 @@ type ManagementState struct {
 	Error     error
 }

+// RosenpassState contains the latest state of the Rosenpass configuration
+type RosenpassState struct {
+	Enabled    bool
+	Permissive bool
+}
+
+// NSGroupState represents the status of a DNS server group, including associated domains,
+// whether it's enabled, and the last error message encountered during probing.
+type NSGroupState struct {
+	ID      string
+	Servers []string
+	Domains []string
+	Enabled bool
+	Error   error
+}
+
 // FullStatus contains the full state held by the Status instance
 type FullStatus struct {
 	Peers           []State
 	ManagementState ManagementState
 	SignalState     SignalState
 	LocalPeerState  LocalPeerState
+	RosenpassState  RosenpassState
 	Relays          []relay.ProbeResult
+	NSGroupStates   []NSGroupState
 }

 // Status holds a state of peers, signal, management connections and relays
 type Status struct {
-	mux             sync.Mutex
-	peers           map[string]State
-	changeNotify    map[string]chan struct{}
-	signalState     bool
-	signalError     error
-	managementState bool
-	managementError error
-	relayStates     []relay.ProbeResult
-	localPeer       LocalPeerState
-	offlinePeers    []State
-	mgmAddress      string
-	signalAddress   string
-	notifier        *notifier
+	mux                 sync.Mutex
+	peers               map[string]State
+	changeNotify        map[string]chan struct{}
+	signalState         bool
+	signalError         error
+	managementState     bool
+	managementError     error
+	relayStates         []relay.ProbeResult
+	localPeer           LocalPeerState
+	offlinePeers        []State
+	mgmAddress          string
+	signalAddress       string
+	notifier            *notifier
+	rosenpassEnabled    bool
+	rosenpassPermissive bool
+	nsGroupStates       []NSGroupState

 	// To reduce the number of notification invocation this bool will be true when need to call the notification
 	// Some Peer actions mostly used by in a batch when the network map has been synchronized. In these type of events
@@ -115,6 +176,7 @@ func (d *Status) AddPeer(peerPubKey string, fqdn string) error {
 		PubKey:     peerPubKey,
 		ConnStatus: StatusDisconnected,
 		FQDN:       fqdn,
+		Mux:        new(sync.RWMutex),
 	}
 	d.peerListChangedForNotification = true
 	return nil
@@ -161,6 +223,10 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.IP = receivedState.IP
 	}

+	if receivedState.GetRoutes() != nil {
+		peerState.SetRoutes(receivedState.GetRoutes())
+	}
+
 	skipNotification := shouldSkipNotify(receivedState, peerState)

 	if receivedState.ConnStatus != peerState.ConnStatus {
@@ -172,6 +238,7 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 		peerState.RemoteIceCandidateType = receivedState.RemoteIceCandidateType
 		peerState.LocalIceCandidateEndpoint = receivedState.LocalIceCandidateEndpoint
 		peerState.RemoteIceCandidateEndpoint = receivedState.RemoteIceCandidateEndpoint
+		peerState.RosenpassEnabled = receivedState.RosenpassEnabled
 	}

 	d.peers[receivedState.PubKey] = peerState
@@ -190,8 +257,8 @@ func (d *Status) UpdatePeerState(receivedState State) error {
 	return nil
 }

-// UpdateWireguardPeerState updates the wireguard bits of the peer state
-func (d *Status) UpdateWireguardPeerState(pubKey string, wgStats iface.WGStats) error {
+// UpdateWireGuardPeerState updates the WireGuard bits of the peer state
+func (d *Status) UpdateWireGuardPeerState(pubKey string, wgStats iface.WGStats) error {
 	d.mux.Lock()
 	defer d.mux.Unlock()

@@ -264,6 +331,13 @@ func (d *Status) GetPeerStateChangeNotifier(peer string) <-chan struct{} {
 	return ch
 }

+// GetLocalPeerState returns the local peer state
+func (d *Status) GetLocalPeerState() LocalPeerState {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	return d.localPeer
+}
+
 // UpdateLocalPeerState updates local peer status
 func (d *Status) UpdateLocalPeerState(localPeerState LocalPeerState) {
 	d.mux.Lock()
@@ -316,6 +390,14 @@ func (d *Status) UpdateManagementAddress(mgmAddress string) {
 	d.mgmAddress = mgmAddress
 }

+// UpdateRosenpass update the Rosenpass configuration
+func (d *Status) UpdateRosenpass(rosenpassEnabled, rosenpassPermissive bool) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.rosenpassPermissive = rosenpassPermissive
+	d.rosenpassEnabled = rosenpassEnabled
+}
+
 // MarkSignalDisconnected sets SignalState to disconnected
 func (d *Status) MarkSignalDisconnected(err error) {
 	d.mux.Lock()
@@ -342,6 +424,19 @@ func (d *Status) UpdateRelayStates(relayResults []relay.ProbeResult) {
 	d.relayStates = relayResults
 }

+func (d *Status) UpdateDNSStates(dnsStates []NSGroupState) {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	d.nsGroupStates = dnsStates
+}
+
+func (d *Status) GetRosenpassState() RosenpassState {
+	return RosenpassState{
+		d.rosenpassEnabled,
+		d.rosenpassPermissive,
+	}
+}
+
 func (d *Status) GetManagementState() ManagementState {
 	return ManagementState{
 		d.mgmAddress,
@@ -350,6 +445,39 @@ func (d *Status) GetManagementState() ManagementState {
 	}
 }

+func (d *Status) UpdateLatency(pubKey string, latency time.Duration) error {
+	if latency <= 0 {
+		return nil
+	}
+
+	d.mux.Lock()
+	defer d.mux.Unlock()
+	peerState, ok := d.peers[pubKey]
+	if !ok {
+		return errors.New("peer doesn't exist")
+	}
+	peerState.Latency = latency
+	d.peers[pubKey] = peerState
+	return nil
+}
+
+// IsLoginRequired determines if a peer's login has expired.
+func (d *Status) IsLoginRequired() bool {
+	d.mux.Lock()
+	defer d.mux.Unlock()
+
+	// if peer is connected to the management then login is not expired
+	if d.managementState {
+		return false
+	}
+
+	s, ok := gstatus.FromError(d.managementError)
+	if ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+		return true
+	}
+	return false
+}
+
 func (d *Status) GetSignalState() SignalState {
 	return SignalState{
 		d.signalAddress,
@@ -362,6 +490,10 @@ func (d *Status) GetRelayStates() []relay.ProbeResult {
 	return d.relayStates
 }

+func (d *Status) GetDNSStates() []NSGroupState {
+	return d.nsGroupStates
+}
+
 // GetFullStatus gets full status
 func (d *Status) GetFullStatus() FullStatus {
 	d.mux.Lock()
@@ -372,6 +504,8 @@ func (d *Status) GetFullStatus() FullStatus {
 		SignalState:     d.GetSignalState(),
 		LocalPeerState:  d.localPeer,
 		Relays:          d.GetRelayStates(),
+		RosenpassState:  d.GetRosenpassState(),
+		NSGroupStates:   d.GetDNSStates(),
 	}

 	for _, status := range d.peers {
--- a/client/internal/peer/status_test.go
+++ b/client/internal/peer/status_test.go
@@ -3,6 +3,7 @@ package peer
 import (
 	"errors"
 	"testing"
+	"sync"

 	"github.com/stretchr/testify/assert"
 )
@@ -42,6 +43,7 @@ func TestUpdatePeerState(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -62,6 +64,7 @@ func TestStatus_UpdatePeerFQDN(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -80,6 +83,7 @@ func TestGetPeerStateChangeNotifierLogic(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
@@ -104,6 +108,7 @@ func TestRemovePeer(t *testing.T) {
 	status := NewRecorder("https://mgm")
 	peerState := State{
 		PubKey: key,
+		Mux:	new(sync.RWMutex),
 	}

 	status.peers[key] = peerState
--- a/client/internal/relay/relay.go
+++ b/client/internal/relay/relay.go
@@ -10,6 +10,9 @@ import (
 	"github.com/pion/stun/v2"
 	"github.com/pion/turn/v3"
 	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/stdnet"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

 // ProbeResult holds the info about the result of a relay probe request
@@ -27,7 +30,15 @@ func ProbeSTUN(ctx context.Context, uri *stun.URI) (addr string, probeErr error)
 		}
 	}()

-	client, err := stun.DialURI(uri, &stun.DialConfig{})
+	net, err := stdnet.NewNet(nil)
+	if err != nil {
+		probeErr = fmt.Errorf("new net: %w", err)
+		return
+	}
+
+	client, err := stun.DialURI(uri, &stun.DialConfig{
+		Net: net,
+	})
 	if err != nil {
 		probeErr = fmt.Errorf("dial: %w", err)
 		return
@@ -85,14 +96,13 @@ func ProbeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error)
 	switch uri.Proto {
 	case stun.ProtoTypeUDP:
 		var err error
-		conn, err = net.ListenPacket("udp", "")
+		conn, err = nbnet.NewListener().ListenPacket(ctx, "udp", "")
 		if err != nil {
 			probeErr = fmt.Errorf("listen: %w", err)
 			return
 		}
 	case stun.ProtoTypeTCP:
-		dialer := net.Dialer{}
-		tcpConn, err := dialer.DialContext(ctx, "tcp", turnServerAddr)
+		tcpConn, err := nbnet.NewDialer().DialContext(ctx, "tcp", turnServerAddr)
 		if err != nil {
 			probeErr = fmt.Errorf("dial: %w", err)
 			return
@@ -109,12 +119,18 @@ func ProbeTURN(ctx context.Context, uri *stun.URI) (addr string, probeErr error)
 		}
 	}()

+	net, err := stdnet.NewNet(nil)
+	if err != nil {
+		probeErr = fmt.Errorf("new net: %w", err)
+		return
+	}
 	cfg := &turn.ClientConfig{
 		STUNServerAddr: turnServerAddr,
 		TURNServerAddr: turnServerAddr,
 		Conn:           conn,
 		Username:       uri.Username,
 		Password:       uri.Password,
+		Net:            net,
 	}
 	client, err := turn.NewClient(cfg)
 	if err != nil {
@@ -154,7 +170,7 @@ func ProbeAll(

 	var wg sync.WaitGroup
 	for i, uri := range relays {
-		ctx, cancel := context.WithTimeout(ctx, 1*time.Second)
+		ctx, cancel := context.WithTimeout(ctx, 2*time.Second)
 		defer cancel()

 		wg.Add(1)
--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -3,7 +3,9 @@ package routemanager
 import (
 	"context"
 	"fmt"
+	"net"
 	"net/netip"
+	"time"

 	log "github.com/sirupsen/logrus"

@@ -18,6 +20,7 @@ type routerPeerStatus struct {
 	connected bool
 	relayed   bool
 	direct    bool
+	latency   time.Duration
 }

 type routesUpdate struct {
@@ -30,23 +33,25 @@ type clientNetwork struct {
 	stop                context.CancelFunc
 	statusRecorder      *peer.Status
 	wgInterface         *iface.WGIface
-	routes              map[string]*route.Route
+	routes              map[route.ID]*route.Route
 	routeUpdate         chan routesUpdate
 	peerStateUpdate     chan struct{}
 	routePeersNotifiers map[string]chan struct{}
 	chosenRoute         *route.Route
+	chosenIP            *net.IP
 	network             netip.Prefix
 	updateSerial        uint64
 }

 func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, statusRecorder *peer.Status, network netip.Prefix) *clientNetwork {
 	ctx, cancel := context.WithCancel(ctx)
+
 	client := &clientNetwork{
 		ctx:                 ctx,
 		stop:                cancel,
 		statusRecorder:      statusRecorder,
 		wgInterface:         wgInterface,
-		routes:              make(map[string]*route.Route),
+		routes:              make(map[route.ID]*route.Route),
 		routePeersNotifiers: make(map[string]chan struct{}),
 		routeUpdate:         make(chan routesUpdate),
 		peerStateUpdate:     make(chan struct{}),
@@ -55,8 +60,8 @@ func newClientNetworkWatcher(ctx context.Context, wgInterface *iface.WGIface, st
 	return client
 }

-func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
-	routePeerStatuses := make(map[string]routerPeerStatus)
+func (c *clientNetwork) getRouterPeerStatuses() map[route.ID]routerPeerStatus {
+	routePeerStatuses := make(map[route.ID]routerPeerStatus)
 	for _, r := range c.routes {
 		peerStatus, err := c.statusRecorder.GetPeer(r.Peer)
 		if err != nil {
@@ -67,22 +72,37 @@ func (c *clientNetwork) getRouterPeerStatuses() map[string]routerPeerStatus {
 			connected: peerStatus.ConnStatus == peer.StatusConnected,
 			relayed:   peerStatus.Relayed,
 			direct:    peerStatus.Direct,
+			latency:   peerStatus.Latency,
 		}
 	}
 	return routePeerStatuses
 }

-func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]routerPeerStatus) string {
-	chosen := ""
-	chosenScore := 0
+// getBestRouteFromStatuses determines the most optimal route from the available routes
+// within a clientNetwork, taking into account peer connection status, route metrics, and
+// preference for non-relayed and direct connections.
+//
+// It follows these prioritization rules:
+// * Connected peers: Only routes with connected peers are considered.
+// * Metric: Routes with lower metrics (better) are prioritized.
+// * Non-relayed: Routes without relays are preferred.
+// * Direct connections: Routes with direct peer connections are favored.
+// * Stability: In case of equal scores, the currently active route (if any) is maintained.
+// * Latency: Routes with lower latency are prioritized.
+//
+// It returns the ID of the selected optimal route.
+func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[route.ID]routerPeerStatus) route.ID {
+	chosen := route.ID("")
+	chosenScore := float64(0)
+	currScore := float64(0)

-	currID := ""
+	currID := route.ID("")
 	if c.chosenRoute != nil {
 		currID = c.chosenRoute.ID
 	}

 	for _, r := range c.routes {
-		tempScore := 0
+		tempScore := float64(0)
 		peerStatus, found := routePeerStatuses[r.ID]
 		if !found || !peerStatus.connected {
 			continue
@@ -90,9 +110,18 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro

 		if r.Metric < route.MaxMetric {
 			metricDiff := route.MaxMetric - r.Metric
-			tempScore = metricDiff * 10
+			tempScore = float64(metricDiff) * 10
 		}

+		// in some temporal cases, latency can be 0, so we set it to 1s to not block but try to avoid this route
+		latency := time.Second
+		if peerStatus.latency != 0 {
+			latency = peerStatus.latency
+		} else {
+			log.Warnf("peer %s has 0 latency", r.Peer)
+		}
+		tempScore += 1 - latency.Seconds()
+
 		if !peerStatus.relayed {
 			tempScore++
 		}
@@ -101,7 +130,7 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 			tempScore++
 		}

-		if tempScore > chosenScore || (tempScore == chosenScore && r.ID == currID) {
+		if tempScore > chosenScore || (tempScore == chosenScore && chosen == "") {
 			chosen = r.ID
 			chosenScore = tempScore
 		}
@@ -110,18 +139,31 @@ func (c *clientNetwork) getBestRouteFromStatuses(routePeerStatuses map[string]ro
 			chosen = r.ID
 			chosenScore = tempScore
 		}
+
+		if r.ID == currID {
+			currScore = tempScore
+		}
 	}

-	if chosen == "" {
+	switch {
+	case chosen == "":
 		var peers []string
 		for _, r := range c.routes {
 			peers = append(peers, r.Peer)
 		}

 		log.Warnf("the network %s has not been assigned a routing peer as no peers from the list %s are currently connected", c.network, peers)
-
-	} else if chosen != currID {
-		log.Infof("new chosen route is %s with peer %s with score %d for network %s", chosen, c.routes[chosen].Peer, chosenScore, c.network)
+	case chosen != currID:
+		// we compare the current score + 10ms to the chosen score to avoid flapping between routes
+		if currScore != 0 && currScore+0.01 > chosenScore {
+			log.Debugf("keeping current routing peer because the score difference with latency is less than 0.01(10ms), current: %f, new: %f", currScore, chosenScore)
+			return currID
+		}
+		var p string
+		if rt := c.routes[chosen]; rt != nil {
+			p = rt.Peer
+		}
+		log.Infof("new chosen route is %s with peer %s with score %f for network %s", chosen, p, chosenScore, c.network)
 	}

 	return chosen
@@ -158,15 +200,21 @@ func (c *clientNetwork) startPeersStatusChangeWatcher() {
 func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {
 	state, err := c.statusRecorder.GetPeer(peerKey)
 	if err != nil {
-		return err
+		return fmt.Errorf("get peer state: %v", err)
 	}
+
+	state.DeleteRoute(c.network.String())
+	if err := c.statusRecorder.UpdatePeerState(state); err != nil {
+		log.Warnf("Failed to update peer state: %v", err)
+	}
+
 	if state.ConnStatus != peer.StatusConnected {
 		return nil
 	}

 	err = c.wgInterface.RemoveAllowedIP(peerKey, c.network.String())
 	if err != nil {
-		return fmt.Errorf("couldn't remove allowed IP %s removed for peer %s, err: %v",
+		return fmt.Errorf("remove allowed IP %s removed for peer %s, err: %v",
 			c.network, c.chosenRoute.Peer, err)
 	}
 	return nil
@@ -174,30 +222,27 @@ func (c *clientNetwork) removeRouteFromWireguardPeer(peerKey string) error {

 func (c *clientNetwork) removeRouteFromPeerAndSystem() error {
 	if c.chosenRoute != nil {
-		err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer)
-		if err != nil {
-			return err
+		// TODO IPv6 (pass wgInterface)
+		if err := removeVPNRoute(c.network, c.getAsInterface()); err != nil {
+			return fmt.Errorf("remove route %s from system, err: %v", c.network, err)
 		}
-		err = removeFromRouteTableIfNonSystem(c.network, c.wgInterface.Address().IP.String())
-		if err != nil {
-			return fmt.Errorf("couldn't remove route %s from system, err: %v",
-				c.network, err)
+
+		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
+			return fmt.Errorf("remove route: %v", err)
 		}
 	}
 	return nil
 }

 func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
-
-	var err error
-
 	routerPeerStatuses := c.getRouterPeerStatuses()

 	chosen := c.getBestRouteFromStatuses(routerPeerStatuses)
+
+	// If no route is chosen, remove the route from the peer and system
 	if chosen == "" {
-		err = c.removeRouteFromPeerAndSystem()
-		if err != nil {
-			return err
+		if err := c.removeRouteFromPeerAndSystem(); err != nil {
+			return fmt.Errorf("remove route from peer and system: %v", err)
 		}

 		c.chosenRoute = nil
@@ -205,6 +250,7 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 		return nil
 	}

+	// If the chosen route is the same as the current route, do nothing
 	if c.chosenRoute != nil && c.chosenRoute.ID == chosen {
 		if c.chosenRoute.IsEqual(c.routes[chosen]) {
 			return nil
@@ -212,21 +258,41 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 	}

 	if c.chosenRoute != nil {
-		err = c.removeRouteFromWireguardPeer(c.chosenRoute.Peer)
-		if err != nil {
-			return err
+		// If a previous route exists, remove it from the peer
+		if err := c.removeRouteFromWireguardPeer(c.chosenRoute.Peer); err != nil {
+			return fmt.Errorf("remove route from peer: %v", err)
 		}
 	} else {
-		err = addToRouteTableIfNoExists(c.network, c.wgInterface.Address().IP.String())
-		if err != nil {
+		// TODO recheck IPv6
+		gwAddr := c.wgInterface.Address().IP
+		c.chosenIP = &gwAddr
+		if c.network.Addr().Is6() {
+			if c.wgInterface.Address6() == nil {
+				return fmt.Errorf("Could not assign IPv6 route %s for peer %s because no IPv6 address is assigned",
+					c.network.String(), c.wgInterface.Address().IP.String())
+			}
+			c.chosenIP = &c.wgInterface.Address6().IP
+		}
+		// otherwise add the route to the system
+		if err := addVPNRoute(c.network, c.getAsInterface()); err != nil {
 			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
-				c.network.String(), c.wgInterface.Address().IP.String(), err)
+				c.network.String(), c.chosenIP.String(), err)
 		}
 	}

 	c.chosenRoute = c.routes[chosen]
-	err = c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String())
+
+	state, err := c.statusRecorder.GetPeer(c.chosenRoute.Peer)
 	if err != nil {
+		log.Errorf("Failed to get peer state: %v", err)
+	} else {
+		state.AddRoute(c.network.String())
+		if err := c.statusRecorder.UpdatePeerState(state); err != nil {
+			log.Warnf("Failed to update peer state: %v", err)
+		}
+	}
+
+	if err := c.wgInterface.AddAllowedIP(c.chosenRoute.Peer, c.network.String()); err != nil {
 		log.Errorf("couldn't add allowed IP %s added for peer %s, err: %v",
 			c.network, c.chosenRoute.Peer, err)
 	}
@@ -241,7 +307,7 @@ func (c *clientNetwork) sendUpdateToClientNetworkWatcher(update routesUpdate) {
 }

 func (c *clientNetwork) handleUpdate(update routesUpdate) {
-	updateMap := make(map[string]*route.Route)
+	updateMap := make(map[route.ID]*route.Route)

 	for _, r := range update.routes {
 		updateMap[r.ID] = r
@@ -267,21 +333,21 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {
 			log.Debugf("stopping watcher for network %s", c.network)
 			err := c.removeRouteFromPeerAndSystem()
 			if err != nil {
-				log.Error(err)
+				log.Errorf("Couldn't remove route from peer and system for network %s: %v", c.network, err)
 			}
 			return
 		case <-c.peerStateUpdate:
 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Error(err)
+				log.Errorf("Couldn't recalculate route and update peer and system: %v", err)
 			}
 		case update := <-c.routeUpdate:
 			if update.updateSerial < c.updateSerial {
-				log.Warnf("received a routes update with smaller serial number, ignoring it")
+				log.Warnf("Received a routes update with smaller serial number, ignoring it")
 				continue
 			}

-			log.Debugf("received a new client network route update for %s", c.network)
+			log.Debugf("Received a new client network route update for %s", c.network)

 			c.handleUpdate(update)

@@ -289,10 +355,22 @@ func (c *clientNetwork) peersStateAndUpdateWatcher() {

 			err := c.recalculateRouteAndUpdatePeerAndSystem()
 			if err != nil {
-				log.Error(err)
+				log.Errorf("Couldn't recalculate route and update peer and system for network %s: %v", c.network, err)
 			}

 			c.startPeersStatusChangeWatcher()
 		}
 	}
 }
+
+func (c *clientNetwork) getAsInterface() *net.Interface {
+	intf, err := net.InterfaceByName(c.wgInterface.Name())
+	if err != nil {
+		log.Warnf("Couldn't get interface by name %s: %v", c.wgInterface.Name(), err)
+		intf = &net.Interface{
+			Name: c.wgInterface.Name(),
+		}
+	}
+
+	return intf
+}
--- a/client/internal/routemanager/client_test.go
+++ b/client/internal/routemanager/client_test.go
@@ -3,6 +3,7 @@ package routemanager
 import (
 	"net/netip"
 	"testing"
+	"time"

 	"github.com/netbirdio/netbird/route"
 )
@@ -11,90 +12,90 @@ func TestGetBestrouteFromStatuses(t *testing.T) {

 	testCases := []struct {
 		name            string
-		statuses        map[string]routerPeerStatus
-		expectedRouteID string
-		currentRoute    *route.Route
-		existingRoutes  map[string]*route.Route
+		statuses        map[route.ID]routerPeerStatus
+		expectedRouteID route.ID
+		currentRoute    route.ID
+		existingRoutes  map[route.ID]*route.Route
 	}{
 		{
 			name: "one route",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   false,
 					direct:    true,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
 			name: "one connected routes with relayed and direct",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   true,
 					direct:    true,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
 			name: "one connected routes with relayed and no direct",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   true,
 					direct:    false,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
 			name: "no connected peers",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: false,
 					relayed:   false,
 					direct:    false,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
 					Peer:   "peer1",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "",
 		},
 		{
 			name: "multiple connected peers with different metrics",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   false,
@@ -106,7 +107,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					direct:    true,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: 9000,
@@ -118,12 +119,12 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
 			name: "multiple connected peers with one relayed",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   false,
@@ -135,7 +136,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					direct:    true,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
@@ -147,12 +148,12 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
 		{
 			name: "multiple connected peers with one direct",
-			statuses: map[string]routerPeerStatus{
+			statuses: map[route.ID]routerPeerStatus{
 				"route1": {
 					connected: true,
 					relayed:   false,
@@ -164,7 +165,7 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					direct:    false,
 				},
 			},
-			existingRoutes: map[string]*route.Route{
+			existingRoutes: map[route.ID]*route.Route{
 				"route1": {
 					ID:     "route1",
 					Metric: route.MaxMetric,
@@ -176,18 +177,172 @@ func TestGetBestrouteFromStatuses(t *testing.T) {
 					Peer:   "peer2",
 				},
 			},
-			currentRoute:    nil,
+			currentRoute:    "",
 			expectedRouteID: "route1",
 		},
+		{
+			name: "multiple connected peers with different latencies",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   300 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "should ignore routes with latency 0",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					latency:   0 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current route with similar score and similar but slightly worse latency should not change",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   15 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route1",
+		},
+		{
+			name: "current route with bad score should be changed to route with better score",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   200 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "route1",
+			expectedRouteID: "route2",
+		},
+		{
+			name: "current chosen route doesn't exist anymore",
+			statuses: map[route.ID]routerPeerStatus{
+				"route1": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   20 * time.Millisecond,
+				},
+				"route2": {
+					connected: true,
+					relayed:   false,
+					direct:    true,
+					latency:   10 * time.Millisecond,
+				},
+			},
+			existingRoutes: map[route.ID]*route.Route{
+				"route1": {
+					ID:     "route1",
+					Metric: route.MaxMetric,
+					Peer:   "peer1",
+				},
+				"route2": {
+					ID:     "route2",
+					Metric: route.MaxMetric,
+					Peer:   "peer2",
+				},
+			},
+			currentRoute:    "routeDoesntExistAnymore",
+			expectedRouteID: "route2",
+		},
 	}

 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
+			currentRoute := &route.Route{
+				ID: "routeDoesntExistAnymore",
+			}
+			if tc.currentRoute != "" {
+				currentRoute = tc.existingRoutes[tc.currentRoute]
+			}
+
 			// create new clientNetwork
 			client := &clientNetwork{
 				network:     netip.MustParsePrefix("192.168.0.0/24"),
 				routes:      tc.existingRoutes,
-				chosenRoute: tc.currentRoute,
+				chosenRoute: currentRoute,
 			}

 			chosenRoute := client.getBestRouteFromStatuses(tc.statuses)
--- a/client/internal/routemanager/manager.go
+++ b/client/internal/routemanager/manager.go
@@ -2,6 +2,10 @@ package routemanager

 import (
 	"context"
+	"fmt"
+	"net"
+	"net/netip"
+	"net/url"
 	"runtime"
 	"sync"

@@ -10,16 +14,27 @@ import (
 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
 	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
+	nbnet "github.com/netbirdio/netbird/util/net"
 	"github.com/netbirdio/netbird/version"
 )

+var defaultv4 = netip.PrefixFrom(netip.IPv4Unspecified(), 0)
+
+// nolint:unused
+var defaultv6 = netip.PrefixFrom(netip.IPv6Unspecified(), 0)
+
 // Manager is a route manager interface
 type Manager interface {
-	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error
+	Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error)
+	UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
+	TriggerSelection(route.HAMap)
+	GetRouteSelector() *routeselector.RouteSelector
 	SetRouteChangeListener(listener listener.NetworkChangeListener)
 	InitialRouteRange() []string
+	ResetV6Routes()
 	EnableServerRouter(firewall firewall.Manager) error
 	Stop()
 }
@@ -29,7 +44,8 @@ type DefaultManager struct {
 	ctx            context.Context
 	stop           context.CancelFunc
 	mux            sync.Mutex
-	clientNetworks map[string]*clientNetwork
+	clientNetworks map[route.HAUniqueID]*clientNetwork
+	routeSelector  *routeselector.RouteSelector
 	serverRouter   serverRouter
 	statusRecorder *peer.Status
 	wgInterface    *iface.WGIface
@@ -42,7 +58,8 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 	dm := &DefaultManager{
 		ctx:            mCTX,
 		stop:           cancel,
-		clientNetworks: make(map[string]*clientNetwork),
+		clientNetworks: make(map[route.HAUniqueID]*clientNetwork),
+		routeSelector:  routeselector.NewRouteSelector(),
 		statusRecorder: statusRecorder,
 		wgInterface:    wgInterface,
 		pubKey:         pubKey,
@@ -56,9 +73,31 @@ func NewManager(ctx context.Context, pubKey string, wgInterface *iface.WGIface,
 	return dm
 }

+// Init sets up the routing
+func (m *DefaultManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	if nbnet.CustomRoutingDisabled() {
+		return nil, nil, nil
+	}
+
+	if err := cleanupRouting(); err != nil {
+		log.Warnf("Failed cleaning up routing: %v", err)
+	}
+
+	mgmtAddress := m.statusRecorder.GetManagementState().URL
+	signalAddress := m.statusRecorder.GetSignalState().URL
+	ips := resolveURLsToIPs([]string{mgmtAddress, signalAddress})
+
+	beforePeerHook, afterPeerHook, err := setupRouting(ips, m.wgInterface)
+	if err != nil {
+		return nil, nil, fmt.Errorf("setup routing: %w", err)
+	}
+	log.Info("Routing setup complete")
+	return beforePeerHook, afterPeerHook, nil
+}
+
 func (m *DefaultManager) EnableServerRouter(firewall firewall.Manager) error {
 	var err error
-	m.serverRouter, err = newServerRouter(m.ctx, m.wgInterface, firewall)
+	m.serverRouter, err = newServerRouter(m.ctx, m.wgInterface, firewall, m.statusRecorder)
 	if err != nil {
 		return err
 	}
@@ -71,32 +110,54 @@ func (m *DefaultManager) Stop() {
 	if m.serverRouter != nil {
 		m.serverRouter.cleanUp()
 	}
+
+	if !nbnet.CustomRoutingDisabled() {
+		if err := cleanupRouting(); err != nil {
+			log.Errorf("Error cleaning up routing: %v", err)
+		} else {
+			log.Info("Routing cleanup complete")
+		}
+	}
+
 	m.ctx = nil
 }

-// UpdateRoutes compares received routes with existing routes and remove, update or add them to the client and server maps
-func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error {
+// UpdateRoutes compares received routes with existing routes and removes, updates or adds them to the client and server maps
+func (m *DefaultManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
 	select {
 	case <-m.ctx.Done():
 		log.Infof("not updating routes as context is closed")
-		return m.ctx.Err()
+		return nil, nil, m.ctx.Err()
 	default:
 		m.mux.Lock()
 		defer m.mux.Unlock()

-		newServerRoutesMap, newClientRoutesIDMap := m.classifiesRoutes(newRoutes)
+		newServerRoutesMap, newClientRoutesIDMap := m.classifyRoutes(newRoutes)

-		m.updateClientNetworks(updateSerial, newClientRoutesIDMap)
-		m.notifier.onNewRoutes(newClientRoutesIDMap)
+		filteredClientRoutes := m.routeSelector.FilterSelected(newClientRoutesIDMap)
+		m.updateClientNetworks(updateSerial, filteredClientRoutes)
+		m.notifier.onNewRoutes(filteredClientRoutes)

 		if m.serverRouter != nil {
 			err := m.serverRouter.updateRoutes(newServerRoutesMap)
 			if err != nil {
-				return err
+				return nil, nil, fmt.Errorf("update routes: %w", err)
 			}
 		}

-		return nil
+		return newServerRoutesMap, newClientRoutesIDMap, nil
+	}
+}
+
+// ResetV6Routes deletes all IPv6 routes (necessary if IPv6 address changes).
+// It is expected that UpdateRoute is called afterwards to recreate the routing table.
+func (m *DefaultManager) ResetV6Routes() {
+	for id, client := range m.clientNetworks {
+		if client.network.Addr().Is6() {
+			log.Debugf("stopping client network watcher due to IPv6 address change, %s", id)
+			client.stop()
+			delete(m.clientNetworks, id)
+		}
 	}
 }

@@ -107,19 +168,57 @@ func (m *DefaultManager) SetRouteChangeListener(listener listener.NetworkChangeL

 // InitialRouteRange return the list of initial routes. It used by mobile systems
 func (m *DefaultManager) InitialRouteRange() []string {
-	return m.notifier.initialRouteRanges()
+	return m.notifier.getInitialRouteRanges()
 }

-func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[string][]*route.Route) {
-	// removing routes that do not exist as per the update from the Management service.
+// GetRouteSelector returns the route selector
+func (m *DefaultManager) GetRouteSelector() *routeselector.RouteSelector {
+	return m.routeSelector
+}
+
+// GetClientRoutes returns the client routes
+func (m *DefaultManager) GetClientRoutes() map[route.HAUniqueID]*clientNetwork {
+	return m.clientNetworks
+}
+
+// TriggerSelection triggers the selection of routes, stopping deselected watchers and starting newly selected ones
+func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
+	m.mux.Lock()
+	defer m.mux.Unlock()
+
+	networks = m.routeSelector.FilterSelected(networks)
+
+	m.notifier.onNewRoutes(networks)
+
+	m.stopObsoleteClients(networks)
+
+	for id, routes := range networks {
+		if _, found := m.clientNetworks[id]; found {
+			// don't touch existing client network watchers
+			continue
+		}
+
+		clientNetworkWatcher := newClientNetworkWatcher(m.ctx, m.wgInterface, m.statusRecorder, routes[0].Network)
+		m.clientNetworks[id] = clientNetworkWatcher
+		go clientNetworkWatcher.peersStateAndUpdateWatcher()
+		clientNetworkWatcher.sendUpdateToClientNetworkWatcher(routesUpdate{routes: routes})
+	}
+}
+
+// stopObsoleteClients stops the client network watcher for the networks that are not in the new list
+func (m *DefaultManager) stopObsoleteClients(networks route.HAMap) {
 	for id, client := range m.clientNetworks {
-		_, found := networks[id]
-		if !found {
-			log.Debugf("stopping client network watcher, %s", id)
+		if _, ok := networks[id]; !ok {
+			log.Debugf("Stopping client network watcher, %s", id)
 			client.stop()
 			delete(m.clientNetworks, id)
 		}
 	}
+}
+
+func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks route.HAMap) {
+	// removing routes that do not exist as per the update from the Management service.
+	m.stopObsoleteClients(networks)

 	for id, routes := range networks {
 		clientNetworkWatcher, found := m.clientNetworks[id]
@@ -136,15 +235,15 @@ func (m *DefaultManager) updateClientNetworks(updateSerial uint64, networks map[
 	}
 }

-func (m *DefaultManager) classifiesRoutes(newRoutes []*route.Route) (map[string]*route.Route, map[string][]*route.Route) {
-	newClientRoutesIDMap := make(map[string][]*route.Route)
-	newServerRoutesMap := make(map[string]*route.Route)
-	ownNetworkIDs := make(map[string]bool)
+func (m *DefaultManager) classifyRoutes(newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap) {
+	newClientRoutesIDMap := make(route.HAMap)
+	newServerRoutesMap := make(map[route.ID]*route.Route)
+	ownNetworkIDs := make(map[route.HAUniqueID]bool)

 	for _, newRoute := range newRoutes {
-		networkID := route.GetHAUniqueID(newRoute)
+		haID := route.GetHAUniqueID(newRoute)
 		if newRoute.Peer == m.pubKey {
-			ownNetworkIDs[networkID] = true
+			ownNetworkIDs[haID] = true
 			// only linux is supported for now
 			if runtime.GOOS != "linux" {
 				log.Warnf("received a route to manage, but agent doesn't support router mode on %s OS", runtime.GOOS)
@@ -155,16 +254,12 @@ func (m *DefaultManager) classifiesRoutes(newRoutes []*route.Route) (map[string]
 	}

 	for _, newRoute := range newRoutes {
-		networkID := route.GetHAUniqueID(newRoute)
-		if !ownNetworkIDs[networkID] {
-			// if prefix is too small, lets assume is a possible default route which is not yet supported
-			// we skip this route management
-			if newRoute.Network.Bits() < minRangeBits {
-				log.Errorf("this agent version: %s, doesn't support default routes, received %s, skipping this route",
-					version.NetbirdVersion(), newRoute.Network)
+		haID := route.GetHAUniqueID(newRoute)
+		if !ownNetworkIDs[haID] {
+			if !isPrefixSupported(newRoute.Network) {
 				continue
 			}
-			newClientRoutesIDMap[networkID] = append(newClientRoutesIDMap[networkID], newRoute)
+			newClientRoutesIDMap[haID] = append(newClientRoutesIDMap[haID], newRoute)
 		}
 	}

@@ -172,10 +267,44 @@ func (m *DefaultManager) classifiesRoutes(newRoutes []*route.Route) (map[string]
 }

 func (m *DefaultManager) clientRoutes(initialRoutes []*route.Route) []*route.Route {
-	_, crMap := m.classifiesRoutes(initialRoutes)
+	_, crMap := m.classifyRoutes(initialRoutes)
 	rs := make([]*route.Route, 0)
 	for _, routes := range crMap {
 		rs = append(rs, routes...)
 	}
 	return rs
 }
+
+func isPrefixSupported(prefix netip.Prefix) bool {
+	if !nbnet.CustomRoutingDisabled() {
+		return true
+	}
+
+	// If prefix is too small, lets assume it is a possible default prefix which is not yet supported
+	// we skip this prefix management
+	if prefix.Bits() <= minRangeBits {
+		log.Warnf("This agent version: %s, doesn't support default routes, received %s, skipping this prefix",
+			version.NetbirdVersion(), prefix)
+		return false
+	}
+	return true
+}
+
+// resolveURLsToIPs takes a slice of URLs, resolves them to IP addresses and returns a slice of IPs.
+func resolveURLsToIPs(urls []string) []net.IP {
+	var ips []net.IP
+	for _, rawurl := range urls {
+		u, err := url.Parse(rawurl)
+		if err != nil {
+			log.Errorf("Failed to parse url %s: %v", rawurl, err)
+			continue
+		}
+		ipAddrs, err := net.LookupIP(u.Hostname())
+		if err != nil {
+			log.Errorf("Failed to resolve host %s: %v", u.Hostname(), err)
+			continue
+		}
+		ips = append(ips, ipAddrs...)
+	}
+	return ips
+}
--- a/client/internal/routemanager/manager_test.go
+++ b/client/internal/routemanager/manager_test.go
@@ -28,13 +28,15 @@ const remotePeerKey2 = "remote1"

 func TestManagerUpdateRoutes(t *testing.T) {
 	testCases := []struct {
-		name                          string
-		inputInitRoutes               []*route.Route
-		inputRoutes                   []*route.Route
-		inputSerial                   uint64
-		removeSrvRouter               bool
-		serverRoutesExpected          int
-		clientNetworkWatchersExpected int
+		name                                 string
+		inputInitRoutes                      []*route.Route
+		inputRoutes                          []*route.Route
+		inputSerial                          uint64
+		removeSrvRouter                      bool
+		serverRoutesExpected                 int
+		clientNetworkWatchersExpected        int
+		clientNetworkWatchersExpectedAllowed int
+		isV6                                 bool
 	}{
 		{
 			name:            "Should create 2 client networks",
@@ -64,6 +66,35 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			inputSerial:                   1,
 			clientNetworkWatchersExpected: 2,
 		},
+		{
+			name:            "Should create 2 client networks (IPv6)",
+			inputInitRoutes: []*route.Route{},
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::7890:abcd/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 2,
+			isV6:                          true,
+		},
 		{
 			name: "Should Create 2 Server Routes",
 			inputRoutes: []*route.Route{
@@ -92,6 +123,34 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			serverRoutesExpected:          2,
 			clientNetworkWatchersExpected: 0,
 		},
+		{
+			name: "Should Create 2 Server Routes (IPv6)",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8::7890:abcd/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			serverRoutesExpected:          2,
+			clientNetworkWatchersExpected: 0,
+		},
 		{
 			name: "Should Create 1 Route For Client And Server",
 			inputRoutes: []*route.Route{
@@ -120,6 +179,84 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			serverRoutesExpected:          1,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "Should Create 1 Route For Client And Server (IPv6)",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::7890:abcd/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			serverRoutesExpected:          1,
+			clientNetworkWatchersExpected: 1,
+			isV6:                          true,
+		},
+		{
+			name: "Should Create 1 Route For Client And Server for each IP version",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("100.64.30.250/30"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("8.8.9.9/32"),
+					NetworkType: route.IPv4Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::7890:abcd/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			serverRoutesExpected:          2,
+			clientNetworkWatchersExpected: 2,
+			isV6:                          true,
+		},
 		{
 			name: "Should Create 1 Route For Client and Skip Server Route On Empty Server Router",
 			inputRoutes: []*route.Route{
@@ -149,6 +286,36 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			serverRoutesExpected:          0,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "Should Create 1 Route For Client and Skip Server Route On Empty Server Router (IPv6)",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::7890:abcd/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			removeSrvRouter:               true,
+			serverRoutesExpected:          0,
+			clientNetworkWatchersExpected: 1,
+			isV6:                          true,
+		},
 		{
 			name: "Should Create 1 HA Route and 1 Standalone",
 			inputRoutes: []*route.Route{
@@ -186,6 +353,44 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			inputSerial:                   1,
 			clientNetworkWatchersExpected: 2,
 		},
+		{
+			name: "Should Create 1 HA Route and 1 Standalone (IPv6)",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeA",
+					Peer:        remotePeerKey2,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "c",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::7890:abcd/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 2,
+			isV6:                          true,
+		},
 		{
 			name: "No Small Client Route Should Be Added",
 			inputRoutes: []*route.Route{
@@ -200,8 +405,28 @@ func TestManagerUpdateRoutes(t *testing.T) {
 					Enabled:     true,
 				},
 			},
-			inputSerial:                   1,
-			clientNetworkWatchersExpected: 0,
+			inputSerial:                          1,
+			clientNetworkWatchersExpected:        0,
+			clientNetworkWatchersExpectedAllowed: 1,
+		},
+		{
+			name: "No Small Client Route Should Be Added (IPv6)",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("::/0"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                          1,
+			clientNetworkWatchersExpected:        0,
+			clientNetworkWatchersExpectedAllowed: 1,
+			isV6:                                 true,
 		},
 		{
 			name: "Remove 1 Client Route",
@@ -242,6 +467,46 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			inputSerial:                   1,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "Remove 1 Client Route (IPv6)",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::abcd:7890/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 1,
+			isV6:                          true,
+		},
 		{
 			name: "Update Route to HA",
 			inputInitRoutes: []*route.Route{
@@ -291,6 +556,56 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			inputSerial:                   1,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "Update Route to HA (IPv6)",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::abcd:7890/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeA",
+					Peer:        remotePeerKey2,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 1,
+			isV6:                          true,
+		},
 		{
 			name: "Remove Client Routes",
 			inputInitRoutes: []*route.Route{
@@ -319,6 +634,35 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			inputSerial:                   1,
 			clientNetworkWatchersExpected: 0,
 		},
+		{
+			name: "Remove Client Routes (IPv6)",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::abcd:7890/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes:                   []*route.Route{},
+			inputSerial:                   1,
+			clientNetworkWatchersExpected: 0,
+			isV6:                          true,
+		},
 		{
 			name: "Remove All Routes",
 			inputInitRoutes: []*route.Route{
@@ -348,6 +692,36 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			serverRoutesExpected:          0,
 			clientNetworkWatchersExpected: 0,
 		},
+		{
+			name: "Remove All Routes (IPv6)",
+			inputInitRoutes: []*route.Route{
+				{
+					ID:          "a",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "b",
+					NetID:       "routeB",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::abcd:7890/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputRoutes:                   []*route.Route{},
+			inputSerial:                   1,
+			serverRoutesExpected:          0,
+			clientNetworkWatchersExpected: 0,
+			isV6:                          true,
+		},
 		{
 			name: "HA server should not register routes from the same HA group",
 			inputRoutes: []*route.Route{
@@ -396,16 +770,74 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			serverRoutesExpected:          2,
 			clientNetworkWatchersExpected: 1,
 		},
+		{
+			name: "HA server should not register routes from the same HA group (IPv6)",
+			inputRoutes: []*route.Route{
+				{
+					ID:          "l1",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "l2",
+					NetID:       "routeA",
+					Peer:        localPeerKey,
+					Network:     netip.MustParsePrefix("2001:db8::abcd:7890/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "r1",
+					NetID:       "routeA",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8:1234:5678::/64"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+				{
+					ID:          "r2",
+					NetID:       "routeC",
+					Peer:        remotePeerKey1,
+					Network:     netip.MustParsePrefix("2001:db8::abcd:789f/128"),
+					NetworkType: route.IPv6Network,
+					Metric:      9999,
+					Masquerade:  false,
+					Enabled:     true,
+				},
+			},
+			inputSerial:                   1,
+			serverRoutesExpected:          2,
+			clientNetworkWatchersExpected: 1,
+			isV6:                          true,
+		},
 	}

 	for n, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
+
+			v6Addr := ""
+			//goland:noinspection GoBoolExpressions
+			if !iface.SupportsIPv6() && testCase.isV6 {
+				t.Skip("Platform does not support IPv6, skipping IPv6 test...")
+			} else if testCase.isV6 {
+				v6Addr = "2001:db8::4242:4711/128"
+			}
+
 			peerPrivateKey, _ := wgtypes.GeneratePrivateKey()
 			newNet, err := stdnet.NewNet()
 			if err != nil {
 				t.Fatal(err)
 			}
-			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
+			wgInterface, err := iface.NewWGIFace(fmt.Sprintf("utun43%d", n), "100.65.65.2/24", v6Addr, 33100, peerPrivateKey.String(), iface.DefaultMTU, newNet, nil)
 			require.NoError(t, err, "should create testing WGIface interface")
 			defer wgInterface.Close()

@@ -415,6 +847,10 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			statusRecorder := peer.NewRecorder("https://mgm")
 			ctx := context.TODO()
 			routeManager := NewManager(ctx, localPeerKey, wgInterface, statusRecorder, nil)
+
+			_, _, err = routeManager.Init()
+
+			require.NoError(t, err, "should init route manager")
 			defer routeManager.Stop()

 			if testCase.removeSrvRouter {
@@ -422,14 +858,18 @@ func TestManagerUpdateRoutes(t *testing.T) {
 			}

 			if len(testCase.inputInitRoutes) > 0 {
-				err = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes)
+				_, _, err = routeManager.UpdateRoutes(testCase.inputSerial, testCase.inputRoutes)
 				require.NoError(t, err, "should update routes with init routes")
 			}

-			err = routeManager.UpdateRoutes(testCase.inputSerial+uint64(len(testCase.inputInitRoutes)), testCase.inputRoutes)
+			_, _, err = routeManager.UpdateRoutes(testCase.inputSerial+uint64(len(testCase.inputInitRoutes)), testCase.inputRoutes)
 			require.NoError(t, err, "should update routes")

-			require.Len(t, routeManager.clientNetworks, testCase.clientNetworkWatchersExpected, "client networks size should match")
+			expectedWatchers := testCase.clientNetworkWatchersExpected
+			if (runtime.GOOS == "linux" || runtime.GOOS == "windows" || runtime.GOOS == "darwin") && testCase.clientNetworkWatchersExpectedAllowed != 0 {
+				expectedWatchers = testCase.clientNetworkWatchersExpectedAllowed
+			}
+			require.Len(t, routeManager.clientNetworks, expectedWatchers, "client networks size should match")

 			if runtime.GOOS == "linux" && routeManager.serverRouter != nil {
 				sr := routeManager.serverRouter.(*defaultServerRouter)
--- a/client/internal/routemanager/mock.go
+++ b/client/internal/routemanager/mock.go
@@ -6,14 +6,22 @@ import (

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
 	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/internal/routeselector"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )

 // MockManager is the mock instance of a route manager
 type MockManager struct {
-	UpdateRoutesFunc func(updateSerial uint64, newRoutes []*route.Route) error
-	StopFunc         func()
+	UpdateRoutesFunc     func(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error)
+	TriggerSelectionFunc func(haMap route.HAMap)
+	GetRouteSelectorFunc func() *routeselector.RouteSelector
+	StopFunc             func()
+}
+
+func (m *MockManager) Init() (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return nil, nil, nil
 }

 // InitialRouteRange mock implementation of InitialRouteRange from Manager interface
@@ -22,11 +30,25 @@ func (m *MockManager) InitialRouteRange() []string {
 }

 // UpdateRoutes mock implementation of UpdateRoutes from Manager interface
-func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) error {
+func (m *MockManager) UpdateRoutes(updateSerial uint64, newRoutes []*route.Route) (map[route.ID]*route.Route, route.HAMap, error) {
 	if m.UpdateRoutesFunc != nil {
 		return m.UpdateRoutesFunc(updateSerial, newRoutes)
 	}
-	return fmt.Errorf("method UpdateRoutes is not implemented")
+	return nil, nil, fmt.Errorf("method UpdateRoutes is not implemented")
+}
+
+func (m *MockManager) TriggerSelection(networks route.HAMap) {
+	if m.TriggerSelectionFunc != nil {
+		m.TriggerSelectionFunc(networks)
+	}
+}
+
+// GetRouteSelector mock implementation of GetRouteSelector from Manager interface
+func (m *MockManager) GetRouteSelector() *routeselector.RouteSelector {
+	if m.GetRouteSelectorFunc != nil {
+		return m.GetRouteSelectorFunc()
+	}
+	return nil
 }

 // Start mock implementation of Start from Manager interface
@@ -42,6 +64,10 @@ func (m *MockManager) EnableServerRouter(firewall firewall.Manager) error {
 	panic("implement me")
 }

+func (m *MockManager) ResetV6Routes() {
+	panic("implement me")
+}
+
 // Stop mock implementation of Stop from Manager interface
 func (m *MockManager) Stop() {
 	if m.StopFunc != nil {
--- a/client/internal/routemanager/notifier.go
+++ b/client/internal/routemanager/notifier.go
@@ -1,6 +1,7 @@
 package routemanager

 import (
+	"runtime"
 	"sort"
 	"strings"
 	"sync"
@@ -10,8 +11,8 @@ import (
 )

 type notifier struct {
-	initialRouteRangers []string
-	routeRangers        []string
+	initialRouteRanges []string
+	routeRanges        []string

 	listener    listener.NetworkChangeListener
 	listenerMux sync.Mutex
@@ -33,10 +34,10 @@ func (n *notifier) setInitialClientRoutes(clientRoutes []*route.Route) {
 		nets = append(nets, r.Network.String())
 	}
 	sort.Strings(nets)
-	n.initialRouteRangers = nets
+	n.initialRouteRanges = nets
 }

-func (n *notifier) onNewRoutes(idMap map[string][]*route.Route) {
+func (n *notifier) onNewRoutes(idMap route.HAMap) {
 	newNets := make([]string, 0)
 	for _, routes := range idMap {
 		for _, r := range routes {
@@ -45,11 +46,18 @@ func (n *notifier) onNewRoutes(idMap map[string][]*route.Route) {
 	}

 	sort.Strings(newNets)
-	if !n.hasDiff(n.initialRouteRangers, newNets) {
-		return
+	switch runtime.GOOS {
+	case "android":
+		if !n.hasDiff(n.initialRouteRanges, newNets) {
+			return
+		}
+	default:
+		if !n.hasDiff(n.routeRanges, newNets) {
+			return
+		}
 	}

-	n.routeRangers = newNets
+	n.routeRanges = newNets

 	n.notify()
 }
@@ -62,7 +70,7 @@ func (n *notifier) notify() {
 	}

 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged(strings.Join(n.routeRangers, ","))
+		l.OnNetworkChanged(strings.Join(addIPv6RangeIfNeeded(n.routeRanges), ","))
 	}(n.listener)
 }

@@ -78,6 +86,20 @@ func (n *notifier) hasDiff(a []string, b []string) bool {
 	return false
 }

-func (n *notifier) initialRouteRanges() []string {
-	return n.initialRouteRangers
+func (n *notifier) getInitialRouteRanges() []string {
+	return addIPv6RangeIfNeeded(n.initialRouteRanges)
+}
+
+// addIPv6RangeIfNeeded returns the input ranges with the default IPv6 range when there is an IPv4 default route.
+func addIPv6RangeIfNeeded(inputRanges []string) []string {
+	ranges := inputRanges
+	for _, r := range inputRanges {
+		// we are intentionally adding the ipv6 default range in case of ipv4 default range
+		// to ensure that all traffic is managed by the tunnel interface on android
+		if r == "0.0.0.0/0" {
+			ranges = append(ranges, "::/0")
+			break
+		}
+	}
+	return ranges
 }
--- a/client/internal/routemanager/routemanager.go
+++ b/client/internal/routemanager/routemanager.go
@@ -0,0 +1,127 @@
+//go:build !android && !ios
+
+package routemanager
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"sync"
+
+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
+
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+type ref struct {
+	count   int
+	nexthop netip.Addr
+	intf    *net.Interface
+}
+
+type RouteManager struct {
+	// refCountMap keeps track of the reference ref for prefixes
+	refCountMap map[netip.Prefix]ref
+	// prefixMap keeps track of the prefixes associated with a connection ID for removal
+	prefixMap   map[nbnet.ConnectionID][]netip.Prefix
+	addRoute    AddRouteFunc
+	removeRoute RemoveRouteFunc
+	mutex       sync.Mutex
+}
+
+type AddRouteFunc func(prefix netip.Prefix) (nexthop netip.Addr, intf *net.Interface, err error)
+type RemoveRouteFunc func(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error
+
+func NewRouteManager(addRoute AddRouteFunc, removeRoute RemoveRouteFunc) *RouteManager {
+	// TODO: read initial routing table into refCountMap
+	return &RouteManager{
+		refCountMap: map[netip.Prefix]ref{},
+		prefixMap:   map[nbnet.ConnectionID][]netip.Prefix{},
+		addRoute:    addRoute,
+		removeRoute: removeRoute,
+	}
+}
+
+func (rm *RouteManager) AddRouteRef(connID nbnet.ConnectionID, prefix netip.Prefix) error {
+	rm.mutex.Lock()
+	defer rm.mutex.Unlock()
+
+	ref := rm.refCountMap[prefix]
+	log.Debugf("Increasing route ref count %d for prefix %s", ref.count, prefix)
+
+	// Add route to the system, only if it's a new prefix
+	if ref.count == 0 {
+		log.Debugf("Adding route for prefix %s", prefix)
+		nexthop, intf, err := rm.addRoute(prefix)
+		if errors.Is(err, ErrRouteNotFound) {
+			return nil
+		}
+		if errors.Is(err, ErrRouteNotAllowed) {
+			log.Debugf("Adding route for prefix %s: %s", prefix, err)
+		}
+		if err != nil {
+			return fmt.Errorf("failed to add route for prefix %s: %w", prefix, err)
+		}
+		ref.nexthop = nexthop
+		ref.intf = intf
+	}
+
+	ref.count++
+	rm.refCountMap[prefix] = ref
+	rm.prefixMap[connID] = append(rm.prefixMap[connID], prefix)
+
+	return nil
+}
+
+func (rm *RouteManager) RemoveRouteRef(connID nbnet.ConnectionID) error {
+	rm.mutex.Lock()
+	defer rm.mutex.Unlock()
+
+	prefixes, ok := rm.prefixMap[connID]
+	if !ok {
+		log.Debugf("No prefixes found for connection ID %s", connID)
+		return nil
+	}
+
+	var result *multierror.Error
+	for _, prefix := range prefixes {
+		ref := rm.refCountMap[prefix]
+		log.Debugf("Decreasing route ref count %d for prefix %s", ref.count, prefix)
+		if ref.count == 1 {
+			log.Debugf("Removing route for prefix %s", prefix)
+			// TODO: don't fail if the route is not found
+			if err := rm.removeRoute(prefix, ref.nexthop, ref.intf); err != nil {
+				result = multierror.Append(result, fmt.Errorf("remove route for prefix %s: %w", prefix, err))
+				continue
+			}
+			delete(rm.refCountMap, prefix)
+		} else {
+			ref.count--
+			rm.refCountMap[prefix] = ref
+		}
+	}
+	delete(rm.prefixMap, connID)
+
+	return result.ErrorOrNil()
+}
+
+// Flush removes all references and routes from the system
+func (rm *RouteManager) Flush() error {
+	rm.mutex.Lock()
+	defer rm.mutex.Unlock()
+
+	var result *multierror.Error
+	for prefix := range rm.refCountMap {
+		log.Debugf("Removing route for prefix %s", prefix)
+		ref := rm.refCountMap[prefix]
+		if err := rm.removeRoute(prefix, ref.nexthop, ref.intf); err != nil {
+			result = multierror.Append(result, fmt.Errorf("remove route for prefix %s: %w", prefix, err))
+		}
+	}
+	rm.refCountMap = map[netip.Prefix]ref{}
+	rm.prefixMap = map[nbnet.ConnectionID][]netip.Prefix{}
+
+	return result.ErrorOrNil()
+}
--- a/client/internal/routemanager/server.go
+++ b/client/internal/routemanager/server.go
@@ -3,7 +3,7 @@ package routemanager
 import "github.com/netbirdio/netbird/route"

 type serverRouter interface {
-	updateRoutes(map[string]*route.Route) error
+	updateRoutes(map[route.ID]*route.Route) error
 	removeFromServerNetwork(*route.Route) error
 	cleanUp()
 }
--- a/client/internal/routemanager/server_android.go
+++ b/client/internal/routemanager/server_android.go
@@ -7,9 +7,10 @@ import (
 	"fmt"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 )

-func newServerRouter(context.Context, *iface.WGIface, firewall.Manager) (serverRouter, error) {
+func newServerRouter(context.Context, *iface.WGIface, firewall.Manager, *peer.Status) (serverRouter, error) {
 	return nil, fmt.Errorf("server route not supported on this os")
 }
--- a/client/internal/routemanager/server_nonandroid.go
+++ b/client/internal/routemanager/server_nonandroid.go
@@ -4,35 +4,39 @@ package routemanager

 import (
 	"context"
+	"fmt"
 	"net/netip"
 	"sync"

 	log "github.com/sirupsen/logrus"

 	firewall "github.com/netbirdio/netbird/client/firewall/manager"
+	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/route"
 )

 type defaultServerRouter struct {
-	mux         sync.Mutex
-	ctx         context.Context
-	routes      map[string]*route.Route
-	firewall    firewall.Manager
-	wgInterface *iface.WGIface
+	mux            sync.Mutex
+	ctx            context.Context
+	routes         map[route.ID]*route.Route
+	firewall       firewall.Manager
+	wgInterface    *iface.WGIface
+	statusRecorder *peer.Status
 }

-func newServerRouter(ctx context.Context, wgInterface *iface.WGIface, firewall firewall.Manager) (serverRouter, error) {
+func newServerRouter(ctx context.Context, wgInterface *iface.WGIface, firewall firewall.Manager, statusRecorder *peer.Status) (serverRouter, error) {
 	return &defaultServerRouter{
-		ctx:         ctx,
-		routes:      make(map[string]*route.Route),
-		firewall:    firewall,
-		wgInterface: wgInterface,
+		ctx:            ctx,
+		routes:         make(map[route.ID]*route.Route),
+		firewall:       firewall,
+		wgInterface:    wgInterface,
+		statusRecorder: statusRecorder,
 	}, nil
 }

-func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) error {
-	serverRoutesToRemove := make([]string, 0)
+func (m *defaultServerRouter) updateRoutes(routesMap map[route.ID]*route.Route) error {
+	serverRoutesToRemove := make([]route.ID, 0)

 	for routeID := range m.routes {
 		update, found := routesMap[routeID]
@@ -45,7 +49,7 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) er
 		oldRoute := m.routes[routeID]
 		err := m.removeFromServerNetwork(oldRoute)
 		if err != nil {
-			log.Errorf("unable to remove route id: %s, network %s, from server, got: %v",
+			log.Errorf("Unable to remove route id: %s, network %s, from server, got: %v",
 				oldRoute.ID, oldRoute.Network, err)
 		}
 		delete(m.routes, routeID)
@@ -59,14 +63,14 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) er

 		err := m.addToServerNetwork(newRoute)
 		if err != nil {
-			log.Errorf("unable to add route %s from server, got: %v", newRoute.ID, err)
+			log.Errorf("Unable to add route %s from server, got: %v", newRoute.ID, err)
 			continue
 		}
 		m.routes[id] = newRoute
 	}

 	if len(m.routes) > 0 {
-		err := enableIPForwarding()
+		err := enableIPForwarding(m.wgInterface.Address6() != nil)
 		if err != nil {
 			return err
 		}
@@ -75,36 +79,74 @@ func (m *defaultServerRouter) updateRoutes(routesMap map[string]*route.Route) er
 	return nil
 }

-func (m *defaultServerRouter) removeFromServerNetwork(route *route.Route) error {
+func (m *defaultServerRouter) removeFromServerNetwork(rt *route.Route) error {
 	select {
 	case <-m.ctx.Done():
-		log.Infof("not removing from server network because context is done")
+		log.Infof("Not removing from server network because context is done")
 		return m.ctx.Err()
 	default:
 		m.mux.Lock()
 		defer m.mux.Unlock()
-		err := m.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
+		routingAddress := m.wgInterface.Address().Masked().String()
+		if rt.NetworkType == route.IPv6Network {
+			if m.wgInterface.Address6() == nil {
+				return fmt.Errorf("attempted to add route for IPv6 even though device has no v6 address")
+			}
+			routingAddress = m.wgInterface.Address6().Masked().String()
+		}
+		routerPair, err := routeToRouterPair(routingAddress, rt)
+		if err != nil {
+			return fmt.Errorf("parse prefix: %w", err)
+		}
+		err = m.firewall.RemoveRoutingRules(routerPair)
 		if err != nil {
 			return err
 		}
-		delete(m.routes, route.ID)
+
+		delete(m.routes, rt.ID)
+
+		state := m.statusRecorder.GetLocalPeerState()
+		delete(state.Routes, rt.Network.String())
+		m.statusRecorder.UpdateLocalPeerState(state)
 		return nil
 	}
 }

-func (m *defaultServerRouter) addToServerNetwork(route *route.Route) error {
+func (m *defaultServerRouter) addToServerNetwork(rt *route.Route) error {
 	select {
 	case <-m.ctx.Done():
-		log.Infof("not adding to server network because context is done")
+		log.Infof("Not adding to server network because context is done")
 		return m.ctx.Err()
 	default:
 		m.mux.Lock()
 		defer m.mux.Unlock()
-		err := m.firewall.InsertRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), route))
-		if err != nil {
-			return err
+		routingAddress := m.wgInterface.Address().Masked().String()
+		if rt.NetworkType == route.IPv6Network {
+			if m.wgInterface.Address6() == nil {
+				return fmt.Errorf("attempted to add route for IPv6 even though device has no v6 address")
+			}
+			routingAddress = m.wgInterface.Address6().Masked().String()
 		}
-		m.routes[route.ID] = route
+
+		routerPair, err := routeToRouterPair(routingAddress, rt)
+		if err != nil {
+			return fmt.Errorf("parse prefix: %w", err)
+		}
+
+		err = m.firewall.InsertRoutingRules(routerPair)
+		if err != nil {
+			return fmt.Errorf("insert routing rules: %w", err)
+		}
+
+		m.routes[rt.ID] = rt
+
+		state := m.statusRecorder.GetLocalPeerState()
+		if state.Routes == nil {
+			state.Routes = map[string]struct{}{}
+		}
+		state.Routes[rt.Network.String()] = struct{}{}
+		m.statusRecorder.UpdateLocalPeerState(state)
+
 		return nil
 	}
 }
@@ -113,19 +155,40 @@ func (m *defaultServerRouter) cleanUp() {
 	m.mux.Lock()
 	defer m.mux.Unlock()
 	for _, r := range m.routes {
-		err := m.firewall.RemoveRoutingRules(routeToRouterPair(m.wgInterface.Address().String(), r))
-		if err != nil {
-			log.Warnf("failed to remove clean up route: %s", r.ID)
+		routingAddress := m.wgInterface.Address().Masked().String()
+		if r.NetworkType == route.IPv6Network {
+			if m.wgInterface.Address6() == nil {
+				log.Errorf("attempted to remove route for IPv6 even though device has no v6 address")
+				continue
+			}
+			routingAddress = m.wgInterface.Address6().Masked().String()
 		}
+		routerPair, err := routeToRouterPair(routingAddress, r)
+		if err != nil {
+			log.Errorf("parse prefix: %v", err)
+		}
+
+		err = m.firewall.RemoveRoutingRules(routerPair)
+		if err != nil {
+			log.Errorf("Failed to remove cleanup route: %v", err)
+		}
+
 	}
+
+	state := m.statusRecorder.GetLocalPeerState()
+	state.Routes = nil
+	m.statusRecorder.UpdateLocalPeerState(state)
 }

-func routeToRouterPair(source string, route *route.Route) firewall.RouterPair {
-	parsed := netip.MustParsePrefix(source).Masked()
+func routeToRouterPair(source string, route *route.Route) (firewall.RouterPair, error) {
+	parsed, err := netip.ParsePrefix(source)
+	if err != nil {
+		return firewall.RouterPair{}, err
+	}
 	return firewall.RouterPair{
-		ID:          route.ID,
+		ID:          string(route.ID),
 		Source:      parsed.String(),
 		Destination: route.Network.Masked().String(),
 		Masquerade:  route.Masquerade,
-	}
+	}, nil
 }
--- a/client/internal/routemanager/systemops.go
+++ b/client/internal/routemanager/systemops.go
@@ -0,0 +1,424 @@
+//go:build !android && !ios
+
+package routemanager
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net"
+	"net/netip"
+	"runtime"
+	"strconv"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/libp2p/go-netroute"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
+)
+
+var splitDefaultv4_1 = netip.PrefixFrom(netip.IPv4Unspecified(), 1)
+var splitDefaultv4_2 = netip.PrefixFrom(netip.AddrFrom4([4]byte{128}), 1)
+var splitDefaultv6_1 = netip.PrefixFrom(netip.IPv6Unspecified(), 1)
+var splitDefaultv6_2 = netip.PrefixFrom(netip.AddrFrom16([16]byte{0x80}), 1)
+
+var ErrRouteNotFound = errors.New("route not found")
+var ErrRouteNotAllowed = errors.New("route not allowed")
+
+// TODO: fix: for default our wg address now appears as the default gw
+func addRouteForCurrentDefaultGateway(prefix netip.Prefix) error {
+	addr := netip.IPv4Unspecified()
+	if prefix.Addr().Is6() {
+		addr = netip.IPv6Unspecified()
+	}
+
+	defaultGateway, _, err := GetNextHop(addr)
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		return fmt.Errorf("get existing route gateway: %s", err)
+	}
+
+	if !prefix.Contains(defaultGateway) {
+		log.Debugf("Skipping adding a new route for gateway %s because it is not in the network %s", defaultGateway, prefix)
+		return nil
+	}
+
+	gatewayPrefix := netip.PrefixFrom(defaultGateway, 32)
+	if defaultGateway.Is6() {
+		gatewayPrefix = netip.PrefixFrom(defaultGateway, 128)
+	}
+
+	ok, err := existsInRouteTable(gatewayPrefix)
+	if err != nil {
+		return fmt.Errorf("unable to check if there is an existing route for gateway %s. error: %s", gatewayPrefix, err)
+	}
+
+	if ok {
+		log.Debugf("Skipping adding a new route for gateway %s because it already exists", gatewayPrefix)
+		return nil
+	}
+
+	gatewayHop, intf, err := GetNextHop(defaultGateway)
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		return fmt.Errorf("unable to get the next hop for the default gateway address. error: %s", err)
+	}
+
+	log.Debugf("Adding a new route for gateway %s with next hop %s", gatewayPrefix, gatewayHop)
+	return addToRouteTable(gatewayPrefix, gatewayHop, intf)
+}
+
+func GetNextHop(ip netip.Addr) (netip.Addr, *net.Interface, error) {
+	r, err := netroute.New()
+	if err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("new netroute: %w", err)
+	}
+	intf, gateway, preferredSrc, err := r.Route(ip.AsSlice())
+	if err != nil {
+		log.Debugf("Failed to get route for %s: %v", ip, err)
+		return netip.Addr{}, nil, ErrRouteNotFound
+	}
+
+	log.Debugf("Route for %s: interface %v nexthop %v, preferred source %v", ip, intf, gateway, preferredSrc)
+	if gateway == nil {
+		if preferredSrc == nil {
+			return netip.Addr{}, nil, ErrRouteNotFound
+		}
+		log.Debugf("No next hop found for ip %s, using preferred source %s", ip, preferredSrc)
+
+		addr, err := ipToAddr(preferredSrc, intf)
+		if err != nil {
+			return netip.Addr{}, nil, fmt.Errorf("convert preferred source to address: %w", err)
+		}
+		return addr.Unmap(), intf, nil
+	}
+
+	addr, err := ipToAddr(gateway, intf)
+	if err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("convert gateway to address: %w", err)
+	}
+
+	return addr, intf, nil
+}
+
+// converts a net.IP to a netip.Addr including the zone based on the passed interface
+func ipToAddr(ip net.IP, intf *net.Interface) (netip.Addr, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return netip.Addr{}, fmt.Errorf("failed to convert IP address to netip.Addr: %s", ip)
+	}
+
+	if intf != nil && (addr.IsLinkLocalMulticast() || addr.IsLinkLocalUnicast()) {
+		log.Tracef("Adding zone %s to address %s", intf.Name, addr)
+		if runtime.GOOS == "windows" {
+			addr = addr.WithZone(strconv.Itoa(intf.Index))
+		} else {
+			addr = addr.WithZone(intf.Name)
+		}
+	}
+
+	return addr.Unmap(), nil
+}
+
+func existsInRouteTable(prefix netip.Prefix) (bool, error) {
+
+	linkLocalPrefix, err := netip.ParsePrefix("fe80::/10")
+	if err != nil {
+		return false, err
+	}
+	if prefix.Addr().Is6() && linkLocalPrefix.Contains(prefix.Addr()) {
+		// The link local prefix is not explicitly part of the routing table, but should be considered as such.
+		return true, nil
+	}
+
+	routes, err := getRoutesFromTable()
+	if err != nil {
+		return false, fmt.Errorf("get routes from table: %w", err)
+	}
+	for _, tableRoute := range routes {
+		if tableRoute == prefix {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+func isSubRange(prefix netip.Prefix) (bool, error) {
+	routes, err := getRoutesFromTable()
+	if err != nil {
+		return false, fmt.Errorf("get routes from table: %w", err)
+	}
+	for _, tableRoute := range routes {
+		if tableRoute.Bits() > minRangeBits && tableRoute.Contains(prefix.Addr()) && tableRoute.Bits() < prefix.Bits() {
+			return true, nil
+		}
+	}
+	return false, nil
+}
+
+// addRouteToNonVPNIntf adds a new route to the routing table for the given prefix and returns the next hop and interface.
+// If the next hop or interface is pointing to the VPN interface, it will return the initial values.
+func addRouteToNonVPNIntf(prefix netip.Prefix, vpnIntf *iface.WGIface, initialNextHop netip.Addr, initialIntf *net.Interface) (netip.Addr, *net.Interface, error) {
+	addr := prefix.Addr()
+	switch {
+	case addr.IsLoopback(),
+		addr.IsLinkLocalUnicast(),
+		addr.IsLinkLocalMulticast(),
+		addr.IsInterfaceLocalMulticast(),
+		addr.IsUnspecified(),
+		addr.IsMulticast():
+
+		return netip.Addr{}, nil, ErrRouteNotAllowed
+	}
+
+	// Determine the exit interface and next hop for the prefix, so we can add a specific route
+	nexthop, intf, err := GetNextHop(addr)
+	if err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("get next hop: %w", err)
+	}
+
+	log.Debugf("Found next hop %s for prefix %s with interface %v", nexthop, prefix, intf)
+	exitNextHop := nexthop
+	exitIntf := intf
+
+	vpnAddr, ok := netip.AddrFromSlice(vpnIntf.Address().IP)
+	if !ok {
+		return netip.Addr{}, nil, fmt.Errorf("failed to convert vpn address to netip.Addr")
+	}
+
+	// if next hop is the VPN address or the interface is the VPN interface, we should use the initial values
+	if exitNextHop == vpnAddr || exitIntf != nil && exitIntf.Name == vpnIntf.Name() {
+		log.Debugf("Route for prefix %s is pointing to the VPN interface", prefix)
+		exitNextHop = initialNextHop
+		exitIntf = initialIntf
+	}
+
+	log.Debugf("Adding a new route for prefix %s with next hop %s", prefix, exitNextHop)
+	if err := addToRouteTable(prefix, exitNextHop, exitIntf); err != nil {
+		return netip.Addr{}, nil, fmt.Errorf("add route to table: %w", err)
+	}
+
+	return exitNextHop, exitIntf, nil
+}
+
+// genericAddVPNRoute adds a new route to the vpn interface, it splits the default prefix
+// in two /1 prefixes to avoid replacing the existing default route
+func genericAddVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	if prefix == defaultv4 {
+		if err := addToRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err != nil {
+			return err
+		}
+		if err := addToRouteTable(splitDefaultv4_2, netip.Addr{}, intf); err != nil {
+			if err2 := removeFromRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return err
+		}
+
+		// TODO: remove once IPv6 is supported on the interface
+		if err := addToRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			return fmt.Errorf("add unreachable route split 1: %w", err)
+		}
+		if err := addToRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			if err2 := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return fmt.Errorf("add unreachable route split 2: %w", err)
+		}
+
+		return nil
+	} else if prefix == defaultv6 {
+		if err := addToRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			return fmt.Errorf("add unreachable route split 1: %w", err)
+		}
+		if err := addToRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			if err2 := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err2 != nil {
+				log.Warnf("Failed to rollback route addition: %s", err2)
+			}
+			return fmt.Errorf("add unreachable route split 2: %w", err)
+		}
+
+		return nil
+	}
+
+	return addNonExistingRoute(prefix, intf)
+}
+
+// addNonExistingRoute adds a new route to the vpn interface if it doesn't exist in the current routing table
+func addNonExistingRoute(prefix netip.Prefix, intf *net.Interface) error {
+	ok, err := existsInRouteTable(prefix)
+	if err != nil {
+		return fmt.Errorf("exists in route table: %w", err)
+	}
+	if ok {
+		log.Warnf("Skipping adding a new route for network %s because it already exists", prefix)
+		return nil
+	}
+
+	ok, err = isSubRange(prefix)
+	if err != nil {
+		return fmt.Errorf("sub range: %w", err)
+	}
+
+	if ok {
+		err := addRouteForCurrentDefaultGateway(prefix)
+		if err != nil {
+			log.Warnf("Unable to add route for current default gateway route. Will proceed without it. error: %s", err)
+		}
+	}
+
+	return addToRouteTable(prefix, netip.Addr{}, intf)
+}
+
+// genericRemoveVPNRoute removes the route from the vpn interface. If a default prefix is given,
+// it will remove the split /1 prefixes
+func genericRemoveVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	if prefix == defaultv4 {
+		var result *multierror.Error
+		if err := removeFromRouteTable(splitDefaultv4_1, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := removeFromRouteTable(splitDefaultv4_2, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		// TODO: remove once IPv6 is supported on the interface
+		if err := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := removeFromRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		return result.ErrorOrNil()
+	} else if prefix == defaultv6 {
+		var result *multierror.Error
+		if err := removeFromRouteTable(splitDefaultv6_1, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+		if err := removeFromRouteTable(splitDefaultv6_2, netip.Addr{}, intf); err != nil {
+			result = multierror.Append(result, err)
+		}
+
+		return result.ErrorOrNil()
+	}
+
+	return removeFromRouteTable(prefix, netip.Addr{}, intf)
+}
+
+func getPrefixFromIP(ip net.IP) (*netip.Prefix, error) {
+	addr, ok := netip.AddrFromSlice(ip)
+	if !ok {
+		return nil, fmt.Errorf("parse IP address: %s", ip)
+	}
+	addr = addr.Unmap()
+
+	var prefixLength int
+	switch {
+	case addr.Is4():
+		prefixLength = 32
+	case addr.Is6():
+		prefixLength = 128
+	default:
+		return nil, fmt.Errorf("invalid IP address: %s", addr)
+	}
+
+	prefix := netip.PrefixFrom(addr, prefixLength)
+	return &prefix, nil
+}
+
+func setupRoutingWithRouteManager(routeManager **RouteManager, initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	initialNextHopV4, initialIntfV4, err := GetNextHop(netip.IPv4Unspecified())
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		log.Errorf("Unable to get initial v4 default next hop: %v", err)
+	}
+	initialNextHopV6, initialIntfV6, err := GetNextHop(netip.IPv6Unspecified())
+	if err != nil && !errors.Is(err, ErrRouteNotFound) {
+		log.Errorf("Unable to get initial v6 default next hop: %v", err)
+	}
+
+	*routeManager = NewRouteManager(
+		func(prefix netip.Prefix) (netip.Addr, *net.Interface, error) {
+			addr := prefix.Addr()
+			nexthop, intf := initialNextHopV4, initialIntfV4
+			if addr.Is6() {
+				nexthop, intf = initialNextHopV6, initialIntfV6
+			}
+			return addRouteToNonVPNIntf(prefix, wgIface, nexthop, intf)
+		},
+		removeFromRouteTable,
+	)
+
+	return setupHooks(*routeManager, initAddresses)
+}
+
+func cleanupRoutingWithRouteManager(routeManager *RouteManager) error {
+	if routeManager == nil {
+		return nil
+	}
+
+	// TODO: Remove hooks selectively
+	nbnet.RemoveDialerHooks()
+	nbnet.RemoveListenerHooks()
+
+	if err := routeManager.Flush(); err != nil {
+		return fmt.Errorf("flush route manager: %w", err)
+	}
+
+	return nil
+}
+
+func setupHooks(routeManager *RouteManager, initAddresses []net.IP) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	beforeHook := func(connID nbnet.ConnectionID, ip net.IP) error {
+		prefix, err := getPrefixFromIP(ip)
+		if err != nil {
+			return fmt.Errorf("convert ip to prefix: %w", err)
+		}
+
+		if err := routeManager.AddRouteRef(connID, *prefix); err != nil {
+			return fmt.Errorf("adding route reference: %v", err)
+		}
+
+		return nil
+	}
+	afterHook := func(connID nbnet.ConnectionID) error {
+		if err := routeManager.RemoveRouteRef(connID); err != nil {
+			return fmt.Errorf("remove route reference: %w", err)
+		}
+
+		return nil
+	}
+
+	for _, ip := range initAddresses {
+		if err := beforeHook("init", ip); err != nil {
+			log.Errorf("Failed to add route reference: %v", err)
+		}
+	}
+
+	nbnet.AddDialerHook(func(ctx context.Context, connID nbnet.ConnectionID, resolvedIPs []net.IPAddr) error {
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+
+		var result *multierror.Error
+		for _, ip := range resolvedIPs {
+			result = multierror.Append(result, beforeHook(connID, ip.IP))
+		}
+		return result.ErrorOrNil()
+	})
+
+	nbnet.AddDialerCloseHook(func(connID nbnet.ConnectionID, conn *net.Conn) error {
+		return afterHook(connID)
+	})
+
+	nbnet.AddListenerWriteHook(func(connID nbnet.ConnectionID, ip *net.IPAddr, data []byte) error {
+		return beforeHook(connID, ip.IP)
+	})
+
+	nbnet.AddListenerCloseHook(func(connID nbnet.ConnectionID, conn net.PacketConn) error {
+		return afterHook(connID)
+	})
+
+	return beforeHook, afterHook, nil
+}
--- a/client/internal/routemanager/systemops_android.go
+++ b/client/internal/routemanager/systemops_android.go
@@ -1,13 +1,33 @@
 package routemanager

 import (
+	"net"
 	"net/netip"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
 )

-func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+func setupRouting([]net.IP, *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return nil, nil, nil
+}
+
+func cleanupRouting() error {
 	return nil
 }

-func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+func enableIPForwarding() error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func addVPNRoute(netip.Prefix, *net.Interface) error {
+	return nil
+}
+
+func removeVPNRoute(netip.Prefix, *net.Interface) error {
 	return nil
 }
--- a/client/internal/routemanager/systemops_bsd.go
+++ b/client/internal/routemanager/systemops_bsd.go
@@ -1,41 +1,37 @@
 //go:build darwin || dragonfly || freebsd || netbsd || openbsd
-// +build darwin dragonfly freebsd netbsd openbsd

 package routemanager

 import (
+	"errors"
 	"fmt"
 	"net"
 	"net/netip"
+	"strconv"
 	"syscall"
+	"time"

+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
 	"golang.org/x/net/route"
 )

-// selected BSD Route flags.
-const (
-	RTF_UP        = 0x1
-	RTF_GATEWAY   = 0x2
-	RTF_HOST      = 0x4
-	RTF_REJECT    = 0x8
-	RTF_DYNAMIC   = 0x10
-	RTF_MODIFIED  = 0x20
-	RTF_STATIC    = 0x800
-	RTF_BLACKHOLE = 0x1000
-	RTF_LOCAL     = 0x200000
-	RTF_BROADCAST = 0x400000
-	RTF_MULTICAST = 0x800000
-)
+type Route struct {
+	Dst       netip.Prefix
+	Gw        netip.Addr
+	Interface *net.Interface
+}

 func getRoutesFromTable() ([]netip.Prefix, error) {
-	tab, err := route.FetchRIB(syscall.AF_UNSPEC, route.RIBTypeRoute, 0)
+	tab, err := retryFetchRIB()
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("fetch RIB: %v", err)
 	}
 	msgs, err := route.ParseRIB(route.RIBTypeRoute, tab)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("parse RIB: %v", err)
 	}
+
 	var prefixList []netip.Prefix
 	for _, msg := range msgs {
 		m := msg.(*route.RouteMessage)
@@ -43,51 +39,121 @@ func getRoutesFromTable() ([]netip.Prefix, error) {
 		if m.Version < 3 || m.Version > 5 {
 			return nil, fmt.Errorf("unexpected RIB message version: %d", m.Version)
 		}
-		if m.Type != 4 /* RTM_GET */ {
+		if m.Type != syscall.RTM_GET {
 			return nil, fmt.Errorf("unexpected RIB message type: %d", m.Type)
 		}

-		if m.Flags&RTF_UP == 0 ||
-			m.Flags&(RTF_REJECT|RTF_BLACKHOLE) != 0 {
+		if m.Flags&syscall.RTF_UP == 0 ||
+			m.Flags&(syscall.RTF_REJECT|syscall.RTF_BLACKHOLE|syscall.RTF_WASCLONED) != 0 {
 			continue
 		}

-		addr, ok := toNetIPAddr(m.Addrs[0])
-		if !ok {
+		route, err := MsgToRoute(m)
+		if err != nil {
+			log.Warnf("Failed to parse route message: %v", err)
 			continue
 		}
-
-		mask, ok := toNetIPMASK(m.Addrs[2])
-		if !ok {
-			continue
-		}
-		cidr, _ := mask.Size()
-
-		routePrefix := netip.PrefixFrom(addr, cidr)
-		if routePrefix.IsValid() {
-			prefixList = append(prefixList, routePrefix)
+		if route.Dst.IsValid() {
+			prefixList = append(prefixList, route.Dst)
 		}
 	}
 	return prefixList, nil
 }

-func toNetIPAddr(a route.Addr) (netip.Addr, bool) {
+func retryFetchRIB() ([]byte, error) {
+	var out []byte
+	operation := func() error {
+		var err error
+		out, err = route.FetchRIB(syscall.AF_UNSPEC, route.RIBTypeRoute, 0)
+		if errors.Is(err, syscall.ENOMEM) {
+			log.Debug("~etrying fetchRIB due to 'cannot allocate memory' error")
+			return err
+		} else if err != nil {
+			return backoff.Permanent(err)
+		}
+		return nil
+	}
+
+	expBackOff := backoff.NewExponentialBackOff()
+	expBackOff.InitialInterval = 50 * time.Millisecond
+	expBackOff.MaxInterval = 500 * time.Millisecond
+	expBackOff.MaxElapsedTime = 1 * time.Second
+
+	err := backoff.Retry(operation, expBackOff)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch routing information: %w", err)
+	}
+	return out, nil
+}
+
+func toNetIP(a route.Addr) netip.Addr {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
-		ip := net.IPv4(t.IP[0], t.IP[1], t.IP[2], t.IP[3])
-		addr := netip.MustParseAddr(ip.String())
-		return addr, true
+		return netip.AddrFrom4(t.IP)
+	case *route.Inet6Addr:
+		ip := netip.AddrFrom16(t.IP)
+		if t.ZoneID != 0 {
+			ip.WithZone(strconv.Itoa(t.ZoneID))
+		}
+		return ip
 	default:
-		return netip.Addr{}, false
+		return netip.Addr{}
 	}
 }

-func toNetIPMASK(a route.Addr) (net.IPMask, bool) {
+func ones(a route.Addr) (int, error) {
 	switch t := a.(type) {
 	case *route.Inet4Addr:
-		mask := net.IPv4Mask(t.IP[0], t.IP[1], t.IP[2], t.IP[3])
-		return mask, true
+		mask, _ := net.IPMask(t.IP[:]).Size()
+		return mask, nil
+	case *route.Inet6Addr:
+		mask, _ := net.IPMask(t.IP[:]).Size()
+		return mask, nil
 	default:
-		return nil, false
+		return 0, fmt.Errorf("unexpected address type: %T", a)
 	}
 }
+
+func MsgToRoute(msg *route.RouteMessage) (*Route, error) {
+	dstIP, nexthop, dstMask := msg.Addrs[0], msg.Addrs[1], msg.Addrs[2]
+
+	addr := toNetIP(dstIP)
+
+	var nexthopAddr netip.Addr
+	var nexthopIntf *net.Interface
+
+	switch t := nexthop.(type) {
+	case *route.Inet4Addr, *route.Inet6Addr:
+		nexthopAddr = toNetIP(t)
+	case *route.LinkAddr:
+		nexthopIntf = &net.Interface{
+			Index: t.Index,
+			Name:  t.Name,
+		}
+	default:
+		return nil, fmt.Errorf("unexpected next hop type: %T", t)
+	}
+
+	var prefix netip.Prefix
+
+	if dstMask == nil {
+		if addr.Is4() {
+			prefix = netip.PrefixFrom(addr, 32)
+		} else {
+			prefix = netip.PrefixFrom(addr, 128)
+		}
+	} else {
+		bits, err := ones(dstMask)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse mask: %v", dstMask)
+		}
+		prefix = netip.PrefixFrom(addr, bits)
+	}
+
+	return &Route{
+		Dst:       prefix,
+		Gw:        nexthopAddr,
+		Interface: nexthopIntf,
+	}, nil
+
+}
--- a/client/internal/routemanager/systemops_bsd_test.go
+++ b/client/internal/routemanager/systemops_bsd_test.go
@@ -0,0 +1,57 @@
+//go:build darwin || dragonfly || freebsd || netbsd || openbsd
+
+package routemanager
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/net/route"
+)
+
+func TestBits(t *testing.T) {
+	tests := []struct {
+		name    string
+		addr    route.Addr
+		want    int
+		wantErr bool
+	}{
+		{
+			name: "IPv4 all ones",
+			addr: &route.Inet4Addr{IP: [4]byte{255, 255, 255, 255}},
+			want: 32,
+		},
+		{
+			name: "IPv4 normal mask",
+			addr: &route.Inet4Addr{IP: [4]byte{255, 255, 255, 0}},
+			want: 24,
+		},
+		{
+			name: "IPv6 all ones",
+			addr: &route.Inet6Addr{IP: [16]byte{255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}},
+			want: 128,
+		},
+		{
+			name: "IPv6 normal mask",
+			addr: &route.Inet6Addr{IP: [16]byte{255, 255, 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0}},
+			want: 64,
+		},
+		{
+			name:    "Unsupported type",
+			addr:    &route.LinkAddr{},
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ones(tt.addr)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}
--- a/client/internal/routemanager/systemops_darwin.go
+++ b/client/internal/routemanager/systemops_darwin.go
@@ -0,0 +1,84 @@
+//go:build darwin && !ios
+
+package routemanager
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
+)
+
+var routeManager *RouteManager
+
+func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+}
+
+func cleanupRouting() error {
+	return cleanupRoutingWithRouteManager(routeManager)
+}
+
+func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+	return routeCmd("add", prefix, nexthop, intf)
+}
+
+func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+	return routeCmd("delete", prefix, nexthop, intf)
+}
+
+func routeCmd(action string, prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+	inet := "-inet"
+	network := prefix.String()
+	if prefix.IsSingleIP() {
+		network = prefix.Addr().String()
+	}
+	if prefix.Addr().Is6() {
+		inet = "-inet6"
+	}
+
+	args := []string{"-n", action, inet, network}
+	if nexthop.IsValid() {
+		args = append(args, nexthop.Unmap().String())
+	} else if intf != nil {
+		args = append(args, "-interface", intf.Name)
+	}
+
+	if err := retryRouteCmd(args); err != nil {
+		return fmt.Errorf("failed to %s route for %s: %w", action, prefix, err)
+	}
+	return nil
+}
+
+func retryRouteCmd(args []string) error {
+	operation := func() error {
+		out, err := exec.Command("route", args...).CombinedOutput()
+		log.Tracef("route %s: %s", strings.Join(args, " "), out)
+		// https://github.com/golang/go/issues/45736
+		if err != nil && strings.Contains(string(out), "sysctl: cannot allocate memory") {
+			return err
+		} else if err != nil {
+			return backoff.Permanent(err)
+		}
+		return nil
+	}
+
+	expBackOff := backoff.NewExponentialBackOff()
+	expBackOff.InitialInterval = 50 * time.Millisecond
+	expBackOff.MaxInterval = 500 * time.Millisecond
+	expBackOff.MaxElapsedTime = 1 * time.Second
+
+	err := backoff.Retry(operation, expBackOff)
+	if err != nil {
+		return fmt.Errorf("route cmd retry failed: %w", err)
+	}
+	return nil
+}
--- a/client/internal/routemanager/systemops_darwin_test.go
+++ b/client/internal/routemanager/systemops_darwin_test.go
@@ -0,0 +1,138 @@
+//go:build !ios
+
+package routemanager
+
+import (
+	"fmt"
+	"net"
+	"net/netip"
+	"os/exec"
+	"regexp"
+	"sync"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var expectedVPNint = "utun100"
+var expectedExternalInt = "lo0"
+var expectedInternalInt = "lo0"
+
+func init() {
+	testCases = append(testCases, []testCase{
+		{
+			name:              "To more specific route without custom dialer via vpn",
+			destination:       "10.10.0.2:53",
+			expectedInterface: expectedVPNint,
+			dialer:            &net.Dialer{},
+			expectedPacket:    createPacketExpectation("100.64.0.1", 12345, "10.10.0.2", 53),
+		},
+	}...)
+}
+
+func TestConcurrentRoutes(t *testing.T) {
+	baseIP := netip.MustParseAddr("192.0.2.0")
+	intf := &net.Interface{Name: "lo0"}
+
+	var wg sync.WaitGroup
+	for i := 0; i < 1024; i++ {
+		wg.Add(1)
+		go func(ip netip.Addr) {
+			defer wg.Done()
+			prefix := netip.PrefixFrom(ip, 32)
+			if err := addToRouteTable(prefix, netip.Addr{}, intf); err != nil {
+				t.Errorf("Failed to add route for %s: %v", prefix, err)
+			}
+		}(baseIP)
+		baseIP = baseIP.Next()
+	}
+
+	wg.Wait()
+
+	baseIP = netip.MustParseAddr("192.0.2.0")
+
+	for i := 0; i < 1024; i++ {
+		wg.Add(1)
+		go func(ip netip.Addr) {
+			defer wg.Done()
+			prefix := netip.PrefixFrom(ip, 32)
+			if err := removeFromRouteTable(prefix, netip.Addr{}, intf); err != nil {
+				t.Errorf("Failed to remove route for %s: %v", prefix, err)
+			}
+		}(baseIP)
+		baseIP = baseIP.Next()
+	}
+
+	wg.Wait()
+}
+
+func createAndSetupDummyInterface(t *testing.T, intf string, ipAddressCIDR string) string {
+	t.Helper()
+
+	err := exec.Command("ifconfig", intf, "alias", ipAddressCIDR).Run()
+	require.NoError(t, err, "Failed to create loopback alias")
+
+	t.Cleanup(func() {
+		err := exec.Command("ifconfig", intf, ipAddressCIDR, "-alias").Run()
+		assert.NoError(t, err, "Failed to remove loopback alias")
+	})
+
+	return "lo0"
+}
+
+func addDummyRoute(t *testing.T, dstCIDR string, gw net.IP, _ string) {
+	t.Helper()
+
+	var originalNexthop net.IP
+	if dstCIDR == "0.0.0.0/0" {
+		var err error
+		originalNexthop, err = fetchOriginalGateway()
+		if err != nil {
+			t.Logf("Failed to fetch original gateway: %v", err)
+		}
+
+		if output, err := exec.Command("route", "delete", "-net", dstCIDR).CombinedOutput(); err != nil {
+			t.Logf("Failed to delete route: %v, output: %s", err, output)
+		}
+	}
+
+	t.Cleanup(func() {
+		if originalNexthop != nil {
+			err := exec.Command("route", "add", "-net", dstCIDR, originalNexthop.String()).Run()
+			assert.NoError(t, err, "Failed to restore original route")
+		}
+	})
+
+	err := exec.Command("route", "add", "-net", dstCIDR, gw.String()).Run()
+	require.NoError(t, err, "Failed to add route")
+
+	t.Cleanup(func() {
+		err := exec.Command("route", "delete", "-net", dstCIDR).Run()
+		assert.NoError(t, err, "Failed to remove route")
+	})
+}
+
+func fetchOriginalGateway() (net.IP, error) {
+	output, err := exec.Command("route", "-n", "get", "default").CombinedOutput()
+	if err != nil {
+		return nil, err
+	}
+
+	matches := regexp.MustCompile(`gateway: (\S+)`).FindStringSubmatch(string(output))
+	if len(matches) == 0 {
+		return nil, fmt.Errorf("gateway not found")
+	}
+
+	return net.ParseIP(matches[1]), nil
+}
+
+func setupDummyInterfacesAndRoutes(t *testing.T) {
+	t.Helper()
+
+	defaultDummy := createAndSetupDummyInterface(t, expectedExternalInt, "192.168.0.1/24")
+	addDummyRoute(t, "0.0.0.0/0", net.IPv4(192, 168, 0, 1), defaultDummy)
+
+	otherDummy := createAndSetupDummyInterface(t, expectedInternalInt, "192.168.1.1/24")
+	addDummyRoute(t, "10.0.0.0/8", net.IPv4(192, 168, 1, 1), otherDummy)
+}
--- a/client/internal/routemanager/systemops_ios.go
+++ b/client/internal/routemanager/systemops_ios.go
@@ -1,15 +1,33 @@
-//go:build ios
-
 package routemanager

 import (
+	"net"
 	"net/netip"
+	"runtime"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
 )

-func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+func setupRouting([]net.IP, *iface.WGIface) (peer.BeforeAddPeerHookFunc, peer.AfterRemovePeerHookFunc, error) {
+	return nil, nil, nil
+}
+
+func cleanupRouting() error {
 	return nil
 }

-func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+func enableIPForwarding(includeV6 bool) error {
+	log.Infof("Enable IP forwarding is not implemented on %s", runtime.GOOS)
+	return nil
+}
+
+func addVPNRoute(netip.Prefix, *net.Interface) error {
+	return nil
+}
+
+func removeVPNRoute(netip.Prefix, *net.Interface) error {
 	return nil
 }
--- a/client/internal/routemanager/systemops_linux.go
+++ b/client/internal/routemanager/systemops_linux.go
@@ -3,149 +3,588 @@
 package routemanager

 import (
+	"bufio"
+	"errors"
+	"fmt"
 	"net"
 	"net/netip"
 	"os"
+	"strconv"
+	"strings"
 	"syscall"
-	"unsafe"

+	"github.com/hashicorp/go-multierror"
+	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
+
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/iface"
+	nbnet "github.com/netbirdio/netbird/util/net"
 )

-// Pulled from http://man7.org/linux/man-pages/man7/rtnetlink.7.html
-// See the section on RTM_NEWROUTE, specifically 'struct rtmsg'.
-type routeInfoInMemory struct {
-	Family byte
-	DstLen byte
-	SrcLen byte
-	TOS    byte
+const (
+	// NetbirdVPNTableID is the ID of the custom routing table used by Netbird.
+	NetbirdVPNTableID = 0x1BD0
+	// NetbirdVPNTableName is the name of the custom routing table used by Netbird.
+	NetbirdVPNTableName = "netbird"

-	Table    byte
-	Protocol byte
-	Scope    byte
-	Type     byte
+	// rtTablesPath is the path to the file containing the routing table names.
+	rtTablesPath = "/etc/iproute2/rt_tables"

-	Flags uint32
+	// ipv4ForwardingPath is the path to the file containing the IP forwarding setting.
+	ipv4ForwardingPath = "net.ipv4.ip_forward"
+
+	rpFilterPath          = "net.ipv4.conf.all.rp_filter"
+	rpFilterInterfacePath = "net.ipv4.conf.%s.rp_filter"
+	srcValidMarkPath      = "net.ipv4.conf.all.src_valid_mark"
+)
+
+var ErrTableIDExists = errors.New("ID exists with different name")
+
+var routeManager = &RouteManager{}
+
+// originalSysctl stores the original sysctl values before they are modified
+var originalSysctl map[string]int
+
+// sysctlFailed is used as an indicator to emit a warning when default routes are configured
+var sysctlFailed bool
+
+type ruleParams struct {
+	priority       int
+	fwmark         int
+	tableID        int
+	family         int
+	invert         bool
+	suppressPrefix int
+	description    string
 }

-const ipv4ForwardingPath = "/proc/sys/net/ipv4/ip_forward"
+// isLegacy determines whether to use the legacy routing setup
+func isLegacy() bool {
+	return os.Getenv("NB_USE_LEGACY_ROUTING") == "true" || nbnet.CustomRoutingDisabled()
+}

-func addToRouteTable(prefix netip.Prefix, addr string) error {
-	_, ipNet, err := net.ParseCIDR(prefix.String())
+// setIsLegacy sets the legacy routing setup
+func setIsLegacy(b bool) {
+	if b {
+		os.Setenv("NB_USE_LEGACY_ROUTING", "true")
+	} else {
+		os.Unsetenv("NB_USE_LEGACY_ROUTING")
+	}
+}
+
+func getSetupRules() []ruleParams {
+	return []ruleParams{
+		{100, -1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V4, false, 0, "rule with suppress prefixlen v4"},
+		{100, -1, syscall.RT_TABLE_MAIN, netlink.FAMILY_V6, false, 0, "rule with suppress prefixlen v6"},
+		{110, nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V4, true, -1, "rule v4 netbird"},
+		{110, nbnet.NetbirdFwmark, NetbirdVPNTableID, netlink.FAMILY_V6, true, -1, "rule v6 netbird"},
+	}
+}
+
+// setupRouting establishes the routing configuration for the VPN, including essential rules
+// to ensure proper traffic flow for management, locally configured routes, and VPN traffic.
+//
+// Rule 1 (Main Route Precedence): Safeguards locally installed routes by giving them precedence over
+// potential routes received and configured for the VPN.  This rule is skipped for the default route and routes
+// that are not in the main table.
+//
+// Rule 2 (VPN Traffic Routing): Directs all remaining traffic to the 'NetbirdVPNTableID' custom routing table.
+// This table is where a default route or other specific routes received from the management server are configured,
+// enabling VPN connectivity.
+func setupRouting(initAddresses []net.IP, wgIface *iface.WGIface) (_ peer.BeforeAddPeerHookFunc, _ peer.AfterRemovePeerHookFunc, err error) {
+	if isLegacy() {
+		log.Infof("Using legacy routing setup")
+		return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+	}
+
+	if err = addRoutingTableName(); err != nil {
+		log.Errorf("Error adding routing table name: %v", err)
+	}
+
+	originalValues, err := setupSysctl(wgIface)
 	if err != nil {
-		return err
+		log.Errorf("Error setting up sysctl: %v", err)
+		sysctlFailed = true
+	}
+	originalSysctl = originalValues
+
+	defer func() {
+		if err != nil {
+			if cleanErr := cleanupRouting(); cleanErr != nil {
+				log.Errorf("Error cleaning up routing: %v", cleanErr)
+			}
+		}
+	}()
+
+	rules := getSetupRules()
+	for _, rule := range rules {
+		if err := addRule(rule); err != nil {
+			if errors.Is(err, syscall.EOPNOTSUPP) {
+				log.Warnf("Rule operations are not supported, falling back to the legacy routing setup")
+				setIsLegacy(true)
+				return setupRoutingWithRouteManager(&routeManager, initAddresses, wgIface)
+			}
+			return nil, nil, fmt.Errorf("%s: %w", rule.description, err)
+		}
 	}

-	addrMask := "/32"
-	if prefix.Addr().Unmap().Is6() {
-		addrMask = "/128"
+	return nil, nil, nil
+}
+
+// cleanupRouting performs a thorough cleanup of the routing configuration established by 'setupRouting'.
+// It systematically removes the three rules and any associated routing table entries to ensure a clean state.
+// The function uses error aggregation to report any errors encountered during the cleanup process.
+func cleanupRouting() error {
+	if isLegacy() {
+		return cleanupRoutingWithRouteManager(routeManager)
 	}

-	ip, _, err := net.ParseCIDR(addr + addrMask)
-	if err != nil {
-		return err
+	var result *multierror.Error
+
+	if err := flushRoutes(NetbirdVPNTableID, netlink.FAMILY_V4); err != nil {
+		result = multierror.Append(result, fmt.Errorf("flush routes v4: %w", err))
+	}
+	if err := flushRoutes(NetbirdVPNTableID, netlink.FAMILY_V6); err != nil {
+		result = multierror.Append(result, fmt.Errorf("flush routes v6: %w", err))
 	}

-	route := &netlink.Route{
-		Scope: netlink.SCOPE_UNIVERSE,
-		Dst:   ipNet,
-		Gw:    ip,
+	rules := getSetupRules()
+	for _, rule := range rules {
+		if err := removeRule(rule); err != nil {
+			result = multierror.Append(result, fmt.Errorf("%s: %w", rule.description, err))
+		}
 	}

-	err = netlink.RouteAdd(route)
-	if err != nil {
-		return err
+	if err := cleanupSysctl(originalSysctl); err != nil {
+		result = multierror.Append(result, fmt.Errorf("cleanup sysctl: %w", err))
+	}
+	originalSysctl = nil
+	sysctlFailed = false
+
+	return result.ErrorOrNil()
+}
+
+func addToRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+	return addRoute(prefix, nexthop, intf, syscall.RT_TABLE_MAIN)
+}
+
+func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) error {
+	return removeRoute(prefix, nexthop, intf, syscall.RT_TABLE_MAIN)
+}
+
+func addVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	if isLegacy() {
+		return genericAddVPNRoute(prefix, intf)
 	}

+	if sysctlFailed && (prefix == defaultv4 || prefix == defaultv6) {
+		log.Warnf("Default route is configured but sysctl operations failed, VPN traffic may not be routed correctly, consider using NB_USE_LEGACY_ROUTING=true or setting net.ipv4.conf.*.rp_filter to 2 (loose) or 0 (off)")
+	}
+
+	// No need to check if routes exist as main table takes precedence over the VPN table via Rule 1
+
+	if err := addRoute(prefix, netip.Addr{}, intf, NetbirdVPNTableID); err != nil {
+		return fmt.Errorf("add route: %w", err)
+	}
 	return nil
 }

-func removeFromRouteTable(prefix netip.Prefix, addr string) error {
-	_, ipNet, err := net.ParseCIDR(prefix.String())
-	if err != nil {
-		return err
+func removeVPNRoute(prefix netip.Prefix, intf *net.Interface) error {
+	if isLegacy() {
+		return genericRemoveVPNRoute(prefix, intf)
 	}

-	addrMask := "/32"
-	if prefix.Addr().Unmap().Is6() {
-		addrMask = "/128"
+	if err := removeRoute(prefix, netip.Addr{}, intf, NetbirdVPNTableID); err != nil {
+		return fmt.Errorf("remove route: %w", err)
 	}
-
-	ip, _, err := net.ParseCIDR(addr + addrMask)
-	if err != nil {
-		return err
-	}
-
-	route := &netlink.Route{
-		Scope: netlink.SCOPE_UNIVERSE,
-		Dst:   ipNet,
-		Gw:    ip,
-	}
-
-	err = netlink.RouteDel(route)
-	if err != nil {
-		return err
-	}
-
 	return nil
 }

 func getRoutesFromTable() ([]netip.Prefix, error) {
-	tab, err := syscall.NetlinkRIB(syscall.RTM_GETROUTE, syscall.AF_UNSPEC)
+	v4Routes, err := getRoutes(syscall.RT_TABLE_MAIN, netlink.FAMILY_V4)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("get v4 routes: %w", err)
 	}
-	msgs, err := syscall.ParseNetlinkMessage(tab)
+	v6Routes, err := getRoutes(syscall.RT_TABLE_MAIN, netlink.FAMILY_V6)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("get v6 routes: %w", err)
+
 	}
+	return append(v4Routes, v6Routes...), nil
+}
+
+// getRoutes fetches routes from a specific routing table identified by tableID.
+func getRoutes(tableID, family int) ([]netip.Prefix, error) {
 	var prefixList []netip.Prefix
-loop:
-	for _, m := range msgs {
-		switch m.Header.Type {
-		case syscall.NLMSG_DONE:
-			break loop
-		case syscall.RTM_NEWROUTE:
-			rt := (*routeInfoInMemory)(unsafe.Pointer(&m.Data[0]))
-			msg := m
-			attrs, err := syscall.ParseNetlinkRouteAttr(&msg)
-			if err != nil {
-				return nil, err
-			}
-			if rt.Family != syscall.AF_INET {
-				continue loop
+
+	routes, err := netlink.RouteListFiltered(family, &netlink.Route{Table: tableID}, netlink.RT_FILTER_TABLE)
+	if err != nil {
+		return nil, fmt.Errorf("list routes from table %d: %v", tableID, err)
+	}
+
+	for _, route := range routes {
+		if route.Dst != nil {
+			addr, ok := netip.AddrFromSlice(route.Dst.IP)
+			if !ok {
+				return nil, fmt.Errorf("parse route destination IP: %v", route.Dst.IP)
 			}

-			for _, attr := range attrs {
-				if attr.Attr.Type == syscall.RTA_DST {
-					addr, ok := netip.AddrFromSlice(attr.Value)
-					if !ok {
-						continue
-					}
-					mask := net.CIDRMask(int(rt.DstLen), len(attr.Value)*8)
-					cidr, _ := mask.Size()
-					routePrefix := netip.PrefixFrom(addr, cidr)
-					if routePrefix.IsValid() && routePrefix.Addr().Is4() {
-						prefixList = append(prefixList, routePrefix)
-					}
-				}
+			ones, _ := route.Dst.Mask.Size()
+
+			prefix := netip.PrefixFrom(addr, ones)
+			if prefix.IsValid() {
+				prefixList = append(prefixList, prefix)
 			}
 		}
 	}
+
 	return prefixList, nil
 }

-func enableIPForwarding() error {
-	bytes, err := os.ReadFile(ipv4ForwardingPath)
+// addRoute adds a route to a specific routing table identified by tableID.
+func addRoute(prefix netip.Prefix, addr netip.Addr, intf *net.Interface, tableID int) error {
+	route := &netlink.Route{
+		Scope:  netlink.SCOPE_UNIVERSE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+	}
+
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+	route.Dst = ipNet
+
+	if err := addNextHop(addr, intf, route); err != nil {
+		return fmt.Errorf("add gateway and device: %w", err)
+	}
+
+	if err := netlink.RouteAdd(route); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink add route: %w", err)
+	}
+
+	return nil
+}
+
+// addUnreachableRoute adds an unreachable route for the specified IP family and routing table.
+// ipFamily should be netlink.FAMILY_V4 for IPv4 or netlink.FAMILY_V6 for IPv6.
+// tableID specifies the routing table to which the unreachable route will be added.
+// TODO should this be kept in for future use? If so, the linter needs to be told that this unreachable function should
+//
+//	be kept
+func addUnreachableRoute(prefix netip.Prefix, tableID int) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+
+	route := &netlink.Route{
+		Type:   syscall.RTN_UNREACHABLE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+		Dst:    ipNet,
+	}
+
+	if err := netlink.RouteAdd(route); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink add unreachable route: %w", err)
+	}
+
+	return nil
+}
+
+// TODO should this be kept in for future use? If so, the linter needs to be told that this unreachable function should
+//
+//	be kept
+func removeUnreachableRoute(prefix netip.Prefix, tableID int) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+
+	route := &netlink.Route{
+		Type:   syscall.RTN_UNREACHABLE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+		Dst:    ipNet,
+	}
+
+	if err := netlink.RouteDel(route); err != nil &&
+		!errors.Is(err, syscall.ESRCH) &&
+		!errors.Is(err, syscall.ENOENT) &&
+		!errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink remove unreachable route: %w", err)
+	}
+
+	return nil
+
+}
+
+// removeRoute removes a route from a specific routing table identified by tableID.
+func removeRoute(prefix netip.Prefix, addr netip.Addr, intf *net.Interface, tableID int) error {
+	_, ipNet, err := net.ParseCIDR(prefix.String())
+	if err != nil {
+		return fmt.Errorf("parse prefix %s: %w", prefix, err)
+	}
+
+	route := &netlink.Route{
+		Scope:  netlink.SCOPE_UNIVERSE,
+		Table:  tableID,
+		Family: getAddressFamily(prefix),
+		Dst:    ipNet,
+	}
+
+	if err := addNextHop(addr, intf, route); err != nil {
+		return fmt.Errorf("add gateway and device: %w", err)
+	}
+
+	if err := netlink.RouteDel(route); err != nil && !errors.Is(err, syscall.ESRCH) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("netlink remove route: %w", err)
+	}
+
+	return nil
+}
+
+func flushRoutes(tableID, family int) error {
+	routes, err := netlink.RouteListFiltered(family, &netlink.Route{Table: tableID}, netlink.RT_FILTER_TABLE)
+	if err != nil {
+		return fmt.Errorf("list routes from table %d: %w", tableID, err)
+	}
+
+	var result *multierror.Error
+	for i := range routes {
+		route := routes[i]
+		// unreachable default routes don't come back with Dst set
+		if route.Gw == nil && route.Src == nil && route.Dst == nil {
+			if family == netlink.FAMILY_V4 {
+				routes[i].Dst = &net.IPNet{IP: net.IPv4zero, Mask: net.CIDRMask(0, 32)}
+			} else {
+				routes[i].Dst = &net.IPNet{IP: net.IPv6zero, Mask: net.CIDRMask(0, 128)}
+			}
+		}
+		if err := netlink.RouteDel(&routes[i]); err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+			result = multierror.Append(result, fmt.Errorf("failed to delete route %v from table %d: %w", routes[i], tableID, err))
+		}
+	}
+
+	return result.ErrorOrNil()
+}
+
+func enableIPForwarding(includeV6 bool) error {
+	_, err := setSysctl(ipv4ForwardingPath, 1, false)
 	if err != nil {
 		return err
 	}
+	if includeV6 {
+		_, err = setSysctl(ipv4ForwardingPath, 1, false)
+	}
+	return err
+}

-	// check if it is already enabled
-	// see more: https://github.com/netbirdio/netbird/issues/872
-	if len(bytes) > 0 && bytes[0] == 49 {
+// entryExists checks if the specified ID or name already exists in the rt_tables file
+// and verifies if existing names start with "netbird_".
+func entryExists(file *os.File, id int) (bool, error) {
+	if _, err := file.Seek(0, 0); err != nil {
+		return false, fmt.Errorf("seek rt_tables: %w", err)
+	}
+	scanner := bufio.NewScanner(file)
+	for scanner.Scan() {
+		line := scanner.Text()
+		var existingID int
+		var existingName string
+		if _, err := fmt.Sscanf(line, "%d %s\n", &existingID, &existingName); err == nil {
+			if existingID == id {
+				if existingName != NetbirdVPNTableName {
+					return true, ErrTableIDExists
+				}
+				return true, nil
+			}
+		}
+	}
+	if err := scanner.Err(); err != nil {
+		return false, fmt.Errorf("scan rt_tables: %w", err)
+	}
+	return false, nil
+}
+
+// addRoutingTableName adds human-readable names for custom routing tables.
+func addRoutingTableName() error {
+	file, err := os.Open(rtTablesPath)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return nil
+		}
+		return fmt.Errorf("open rt_tables: %w", err)
+	}
+	defer func() {
+		if err := file.Close(); err != nil {
+			log.Errorf("Error closing rt_tables: %v", err)
+		}
+	}()
+
+	exists, err := entryExists(file, NetbirdVPNTableID)
+	if err != nil {
+		return fmt.Errorf("verify entry %d, %s: %w", NetbirdVPNTableID, NetbirdVPNTableName, err)
+	}
+	if exists {
 		return nil
 	}

-	return os.WriteFile(ipv4ForwardingPath, []byte("1"), 0644) //nolint:gosec
+	// Reopen the file in append mode to add new entries
+	if err := file.Close(); err != nil {
+		log.Errorf("Error closing rt_tables before appending: %v", err)
+	}
+	file, err = os.OpenFile(rtTablesPath, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0644)
+	if err != nil {
+		return fmt.Errorf("open rt_tables for appending: %w", err)
+	}
+
+	if _, err := file.WriteString(fmt.Sprintf("\n%d\t%s\n", NetbirdVPNTableID, NetbirdVPNTableName)); err != nil {
+		return fmt.Errorf("append entry to rt_tables: %w", err)
+	}
+
+	return nil
+}
+
+// addRule adds a routing rule to a specific routing table identified by tableID.
+func addRule(params ruleParams) error {
+	rule := netlink.NewRule()
+	rule.Table = params.tableID
+	rule.Mark = params.fwmark
+	rule.Family = params.family
+	rule.Priority = params.priority
+	rule.Invert = params.invert
+	rule.SuppressPrefixlen = params.suppressPrefix
+
+	if err := netlink.RuleAdd(rule); err != nil && !errors.Is(err, syscall.EEXIST) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("add routing rule: %w", err)
+	}
+
+	return nil
+}
+
+// removeRule removes a routing rule from a specific routing table identified by tableID.
+func removeRule(params ruleParams) error {
+	rule := netlink.NewRule()
+	rule.Table = params.tableID
+	rule.Mark = params.fwmark
+	rule.Family = params.family
+	rule.Invert = params.invert
+	rule.Priority = params.priority
+	rule.SuppressPrefixlen = params.suppressPrefix
+
+	if err := netlink.RuleDel(rule); err != nil && !errors.Is(err, syscall.ENOENT) && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return fmt.Errorf("remove routing rule: %w", err)
+	}
+
+	return nil
+}
+
+// addNextHop adds the gateway and device to the route.
+func addNextHop(addr netip.Addr, intf *net.Interface, route *netlink.Route) error {
+	if intf != nil {
+		route.LinkIndex = intf.Index
+	}
+
+	if addr.IsValid() {
+		route.Gw = addr.AsSlice()
+
+		// if zone is set, it means the gateway is a link-local address, so we set the link index
+		if addr.Zone() != "" && intf == nil {
+			link, err := netlink.LinkByName(addr.Zone())
+			if err != nil {
+				return fmt.Errorf("get link by name for zone %s: %w", addr.Zone(), err)
+			}
+			route.LinkIndex = link.Attrs().Index
+		}
+	}
+
+	return nil
+}
+
+func getAddressFamily(prefix netip.Prefix) int {
+	if prefix.Addr().Is4() {
+		return netlink.FAMILY_V4
+	}
+	return netlink.FAMILY_V6
+}
+
+// setupSysctl configures sysctl settings for RP filtering and source validation.
+func setupSysctl(wgIface *iface.WGIface) (map[string]int, error) {
+	keys := map[string]int{}
+	var result *multierror.Error
+
+	oldVal, err := setSysctl(srcValidMarkPath, 1, false)
+	if err != nil {
+		result = multierror.Append(result, err)
+	} else {
+		keys[srcValidMarkPath] = oldVal
+	}
+
+	oldVal, err = setSysctl(rpFilterPath, 2, true)
+	if err != nil {
+		result = multierror.Append(result, err)
+	} else {
+		keys[rpFilterPath] = oldVal
+	}
+
+	interfaces, err := net.Interfaces()
+	if err != nil {
+		result = multierror.Append(result, fmt.Errorf("list interfaces: %w", err))
+	}
+
+	for _, intf := range interfaces {
+		if intf.Name == "lo" || wgIface != nil && intf.Name == wgIface.Name() {
+			continue
+		}
+
+		i := fmt.Sprintf(rpFilterInterfacePath, intf.Name)
+		oldVal, err := setSysctl(i, 2, true)
+		if err != nil {
+			result = multierror.Append(result, err)
+		} else {
+			keys[i] = oldVal
+		}
+	}
+
+	return keys, result.ErrorOrNil()
+}
+
+// setSysctl sets a sysctl configuration, if onlyIfOne is true it will only set the new value if it's set to 1
+func setSysctl(key string, desiredValue int, onlyIfOne bool) (int, error) {
+	path := fmt.Sprintf("/proc/sys/%s", strings.ReplaceAll(key, ".", "/"))
+	currentValue, err := os.ReadFile(path)
+	if err != nil {
+		return -1, fmt.Errorf("read sysctl %s: %w", key, err)
+	}
+
+	currentV, err := strconv.Atoi(strings.TrimSpace(string(currentValue)))
+	if err != nil && len(currentValue) > 0 {
+		return -1, fmt.Errorf("convert current desiredValue to int: %w", err)
+	}
+
+	if currentV == desiredValue || onlyIfOne && currentV != 1 {
+		return currentV, nil
+	}
+
+	//nolint:gosec
+	if err := os.WriteFile(path, []byte(strconv.Itoa(desiredValue)), 0644); err != nil {
+		return currentV, fmt.Errorf("write sysctl %s: %w", key, err)
+	}
+	log.Debugf("Set sysctl %s from %d to %d", key, currentV, desiredValue)
+
+	return currentV, nil
+}
+
+func cleanupSysctl(originalSettings map[string]int) error {
+	var result *multierror.Error
+
+	for key, value := range originalSettings {
+		_, err := setSysctl(key, value, false)
+		if err != nil {
+			result = multierror.Append(result, err)
+		}
+	}
+
+	return result.ErrorOrNil()
 }
--- a/Show More
+++ b/Show More