code cleaning

remove development logs
remove unused engine listener
2026-04-08 10:34:26 -04:00 · 2023-12-07 18:29:00 +01:00 · 2023-12-06 16:57:56 +01:00 · 2023-12-06 16:32:39 +01:00 · 2023-12-06 16:13:31 +01:00 · 2023-12-06 15:46:38 +01:00
86 changed files with 2253 additions and 547 deletions
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -43,6 +43,16 @@ func RunClientMobile(ctx context.Context, config *Config, statusRecorder *peer.S
 	return runClient(ctx, config, statusRecorder, mobileDependency)
 }

+func RunClientiOS(ctx context.Context, config *Config, statusRecorder *peer.Status, fileDescriptor int32, networkChangeListener listener.NetworkChangeListener, dnsManager dns.IosDnsManager, interfaceName string) error {
+	mobileDependency := MobileDependency{
+		FileDescriptor:        fileDescriptor,
+		InterfaceName:         interfaceName,
+		NetworkChangeListener: networkChangeListener,
+		DnsManager:            dnsManager,
+	}
+	return runClient(ctx, config, statusRecorder, mobileDependency)
+}
+
 func runClient(ctx context.Context, config *Config, statusRecorder *peer.Status, mobileDependency MobileDependency) error {
 	log.Infof("starting NetBird client version %s", version.NetbirdVersion())

--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -61,7 +61,7 @@ func newNoopHostMocker() hostManager {
 	}
 }

-func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip string, port int) hostDNSConfig {
+func dnsConfigTohostDNSConfig(dnsConfig nbdns.Config, ip string, port int) hostDNSConfig {
 	config := hostDNSConfig{
 		routeAll:   false,
 		serverIP:   ip,
--- a/client/internal/dns/host_android.go
+++ b/client/internal/dns/host_android.go
@@ -3,7 +3,7 @@ package dns
 type androidHostManager struct {
 }

-func newHostManager(wgInterface WGIface) (hostManager, error) {
+func newHostManager() (hostManager, error) {
 	return &androidHostManager{}, nil
 }

--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -1,3 +1,5 @@
+//go:build !ios
+
 package dns

 import (
@@ -32,7 +34,7 @@ type systemConfigurator struct {
 	createdKeys      map[string]struct{}
 }

-func newHostManager(_ WGIface) (hostManager, error) {
+func newHostManager() (hostManager, error) {
 	return &systemConfigurator{
 		createdKeys: make(map[string]struct{}),
 	}, nil
--- a/client/internal/dns/host_ios.go
+++ b/client/internal/dns/host_ios.go
@@ -0,0 +1,45 @@
+package dns
+
+import (
+	"strconv"
+	"strings"
+)
+
+type iosHostManager struct {
+	dnsManager IosDnsManager
+	config     hostDNSConfig
+}
+
+func newHostManager(dnsManager IosDnsManager) (hostManager, error) {
+	return &iosHostManager{
+		dnsManager: dnsManager,
+	}, nil
+}
+
+func (a iosHostManager) applyDNSConfig(config hostDNSConfig) error {
+	var configAsString []string
+	configAsString = append(configAsString, config.serverIP)
+	configAsString = append(configAsString, strconv.Itoa(config.serverPort))
+	configAsString = append(configAsString, strconv.FormatBool(config.routeAll))
+	var domainConfigAsString []string
+	for _, domain := range config.domains {
+		var domainAsString []string
+		domainAsString = append(domainAsString, strconv.FormatBool(domain.disabled))
+		domainAsString = append(domainAsString, domain.domain)
+		domainAsString = append(domainAsString, strconv.FormatBool(domain.matchOnly))
+		domainConfigAsString = append(domainConfigAsString, strings.Join(domainAsString, "|"))
+	}
+	domainConfig := strings.Join(domainConfigAsString, ";")
+	configAsString = append(configAsString, domainConfig)
+	outputString := strings.Join(configAsString, ",")
+	a.dnsManager.ApplyDns(outputString)
+	return nil
+}
+
+func (a iosHostManager) restoreHostDNS() error {
+	return nil
+}
+
+func (a iosHostManager) supportCustomPort() bool {
+	return false
+}
--- a/client/internal/dns/mockServer.go
+++ b/client/internal/dns/mockServer.go
@@ -14,7 +14,7 @@ type MockServer struct {
 }

 // Initialize mock implementation of Initialize from Server interface
-func (m *MockServer) Initialize() error {
+func (m *MockServer) Initialize(manager IosDnsManager) error {
 	if m.InitializeFunc != nil {
 		return m.InitializeFunc()
 	}
@@ -33,7 +33,7 @@ func (m *MockServer) DnsIP() string {
 }

 func (m *MockServer) OnUpdatedHostDNSServer(strings []string) {
-	//TODO implement me
+	// TODO implement me
 	panic("implement me")
 }

--- a/client/internal/dns/network_manager_linux.go
+++ b/client/internal/dns/network_manager_linux.go
@@ -12,8 +12,9 @@ import (
 	"github.com/godbus/dbus/v5"
 	"github.com/hashicorp/go-version"
 	"github.com/miekg/dns"
-	nbversion "github.com/netbirdio/netbird/version"
 	log "github.com/sirupsen/logrus"
+
+	nbversion "github.com/netbirdio/netbird/version"
 )

 const (
--- a/client/internal/dns/notifier.go
+++ b/client/internal/dns/notifier.go
@@ -52,6 +52,6 @@ func (n *notifier) notify() {
 	}

 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged()
+		l.OnNetworkChanged("")
 	}(n.listener)
 }
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -19,9 +19,14 @@ type ReadyListener interface {
 	OnReady()
 }

+// IosDnsManager is a dns manager interface for iosß
+type IosDnsManager interface {
+	ApplyDns(string)
+}
+
 // Server is a dns server interface
 type Server interface {
-	Initialize() error
+	Initialize(manager IosDnsManager) error
 	Stop()
 	DnsIP() string
 	UpdateDNSServer(serial uint64, update nbdns.Config) error
@@ -50,6 +55,9 @@ type DefaultServer struct {
 	hostsDnsList     []string
 	hostsDnsListLock sync.Mutex

+	interfaceName string
+	wgAddr        string
+
 	// make sense on mobile only
 	searchDomainNotifier *notifier
 }
@@ -65,7 +73,7 @@ type muxUpdate struct {
 }

 // NewDefaultServer returns a new dns server
-func NewDefaultServer(ctx context.Context, wgInterface WGIface, customAddress string) (*DefaultServer, error) {
+func NewDefaultServer(ctx context.Context, wgInterface WGIface, customAddress string, interfaceName string, wgAddr string) (*DefaultServer, error) {
 	var addrPort *netip.AddrPort
 	if customAddress != "" {
 		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
@@ -82,24 +90,24 @@ func NewDefaultServer(ctx context.Context, wgInterface WGIface, customAddress st
 		dnsService = newServiceViaListener(wgInterface, addrPort)
 	}

-	return newDefaultServer(ctx, wgInterface, dnsService), nil
+	return newDefaultServer(ctx, wgInterface, dnsService, interfaceName, wgAddr), nil
 }

 // NewDefaultServerPermanentUpstream returns a new dns server. It optimized for mobile systems
 func NewDefaultServerPermanentUpstream(ctx context.Context, wgInterface WGIface, hostsDnsList []string, config nbdns.Config, listener listener.NetworkChangeListener) *DefaultServer {
 	log.Debugf("host dns address list is: %v", hostsDnsList)
-	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface))
+	ds := newDefaultServer(ctx, wgInterface, newServiceViaMemory(wgInterface), "", "")
 	ds.permanent = true
 	ds.hostsDnsList = hostsDnsList
 	ds.addHostRootZone()
-	ds.currentConfig = dnsConfigToHostDNSConfig(config, ds.service.RuntimeIP(), ds.service.RuntimePort())
+	ds.currentConfig = dnsConfigTohostDNSConfig(config, ds.service.RuntimeIP(), ds.service.RuntimePort())
 	ds.searchDomainNotifier = newNotifier(ds.SearchDomains())
 	ds.searchDomainNotifier.setListener(listener)
 	setServerDns(ds)
 	return ds
 }

-func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService service) *DefaultServer {
+func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService service, interfaceName string, wgAddr string) *DefaultServer {
 	ctx, stop := context.WithCancel(ctx)
 	defaultServer := &DefaultServer{
 		ctx:       ctx,
@@ -109,7 +117,9 @@ func newDefaultServer(ctx context.Context, wgInterface WGIface, dnsService servi
 		localResolver: &localResolver{
 			registeredMap: make(registrationMap),
 		},
-		wgInterface: wgInterface,
+		wgInterface:   wgInterface,
+		interfaceName: interfaceName,
+		wgAddr:        wgAddr,
 	}

 	return defaultServer
@@ -124,15 +134,8 @@ func (s *DefaultServer) Initialize() (err error) {
 		return nil
 	}

-	if s.permanent {
-		err = s.service.Listen()
-		if err != nil {
-			return err
-		}
-	}
-
-	s.hostManager, err = newHostManager(s.wgInterface)
-	return
+	s.hostManager, err = s.initialize()
+	return err
 }

 // DnsIP returns the DNS resolver server IP address
@@ -256,7 +259,7 @@ func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {

 	s.updateMux(muxUpdates)
 	s.updateLocalResolver(localRecords)
-	s.currentConfig = dnsConfigToHostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())
+	s.currentConfig = dnsConfigTohostDNSConfig(update, s.service.RuntimeIP(), s.service.RuntimePort())

 	hostUpdate := s.currentConfig
 	if s.service.RuntimePort() != defaultPort && !s.hostManager.supportCustomPort() {
@@ -312,7 +315,7 @@ func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.Nam
 			continue
 		}

-		handler := newUpstreamResolver(s.ctx)
+		handler := newUpstreamResolver(s.ctx, s.interfaceName, s.wgAddr)
 		for _, ns := range nsGroup.NameServers {
 			if ns.NSType != nbdns.UDPNameServerType {
 				log.Warnf("skipping nameserver %s with type %s, this peer supports only %s",
@@ -485,7 +488,7 @@ func (s *DefaultServer) upstreamCallbacks(
 }

 func (s *DefaultServer) addHostRootZone() {
-	handler := newUpstreamResolver(s.ctx)
+	handler := newUpstreamResolver(s.ctx, s.interfaceName, s.wgAddr)
 	handler.upstreamServers = make([]string, len(s.hostsDnsList))
 	for n, ua := range s.hostsDnsList {
 		a, err := netip.ParseAddr(ua)
--- a/client/internal/dns/server_android.go
+++ b/client/internal/dns/server_android.go
@@ -0,0 +1,10 @@
+package dns
+
+func (s *DefaultServer) initialize() (manager hostManager, err error) {
+	err = s.service.Listen()
+	if err != nil {
+		return err
+	}
+
+	return newHostManager()
+}
--- a/client/internal/dns/server_darwin.go
+++ b/client/internal/dns/server_darwin.go
@@ -0,0 +1,5 @@
+package dns
+
+func (s *DefaultServer) initialize() (manager hostManager, err error) {
+	return newHostManager()
+}
--- a/client/internal/dns/server_ios.go
+++ b/client/internal/dns/server_ios.go
@@ -0,0 +1,6 @@
+package dns
+
+func (s *DefaultServer) initialize() (manager hostManager, err error) {
+	// todo add ioDnsManager to constuctor
+	return newHostManager(m.ioDnsManager)
+}
--- a/client/internal/dns/server_linux.go
+++ b/client/internal/dns/server_linux.go
@@ -0,0 +1,5 @@
+package dns
+
+func (s *DefaultServer) initialize() (manager hostManager, err error) {
+	return newHostManager(s.wgInterface)
+}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -268,11 +268,11 @@ func TestUpdateDNSServer(t *testing.T) {
 					t.Log(err)
 				}
 			}()
-			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "")
+			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", "", "")
 			if err != nil {
 				t.Fatal(err)
 			}
-			err = dnsServer.Initialize()
+			err = dnsServer.Initialize(nil)
 			if err != nil {
 				t.Fatal(err)
 			}
@@ -368,13 +368,13 @@ func TestDNSFakeResolverHandleUpdates(t *testing.T) {
 		return
 	}

-	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "")
+	dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", "", "")
 	if err != nil {
 		t.Errorf("create DNS server: %v", err)
 		return
 	}

-	err = dnsServer.Initialize()
+	err = dnsServer.Initialize(nil)
 	if err != nil {
 		t.Errorf("run DNS server: %v", err)
 		return
@@ -463,7 +463,7 @@ func TestDNSServerStartStop(t *testing.T) {

 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort)
+			dnsServer, err := NewDefaultServer(context.Background(), &mocWGIface{}, testCase.addrPort, "", "")
 			if err != nil {
 				t.Fatalf("%v", err)
 			}
@@ -595,7 +595,7 @@ func TestDNSPermanent_updateHostDNS_emptyUpstream(t *testing.T) {
 	var dnsList []string
 	dnsConfig := nbdns.Config{}
 	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, dnsList, dnsConfig, nil)
-	err = dnsServer.Initialize()
+	err = dnsServer.Initialize(nil)
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
 		return
@@ -619,7 +619,7 @@ func TestDNSPermanent_updateUpstream(t *testing.T) {
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
 	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil)
-	err = dnsServer.Initialize()
+	err = dnsServer.Initialize(nil)
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
 		return
@@ -711,7 +711,7 @@ func TestDNSPermanent_matchOnly(t *testing.T) {
 	defer wgIFace.Close()
 	dnsConfig := nbdns.Config{}
 	dnsServer := NewDefaultServerPermanentUpstream(context.Background(), wgIFace, []string{"8.8.8.8"}, dnsConfig, nil)
-	err = dnsServer.Initialize()
+	err = dnsServer.Initialize(nil)
 	if err != nil {
 		t.Errorf("failed to initialize DNS server: %v", err)
 		return
--- a/client/internal/dns/server_windows.go
+++ b/client/internal/dns/server_windows.go
@@ -0,0 +1,5 @@
+package dns
+
+func (s *DefaultServer) initialize() (manager hostManager, err error) {
+	return newHostManager(s.wgInterface)
+}
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"runtime"
 	"sync"
 	"sync/atomic"
 	"time"
@@ -35,20 +36,50 @@ type upstreamResolver struct {
 	mutex            sync.Mutex
 	reactivatePeriod time.Duration
 	upstreamTimeout  time.Duration
+	lIP              net.IP
+	lNet             *net.IPNet
+	lName            string
+	iIndex           int

 	deactivate func()
 	reactivate func()
 }

-func newUpstreamResolver(parentCTX context.Context) *upstreamResolver {
+func getInterfaceIndex(interfaceName string) (int, error) {
+	iface, err := net.InterfaceByName(interfaceName)
+	if err != nil {
+		log.Errorf("unable to get interface by name error: %s", err)
+		return 0, err
+	}
+
+	return iface.Index, nil
+}
+
+func newUpstreamResolver(parentCTX context.Context, interfaceName string, wgAddr string) *upstreamResolver {
 	ctx, cancel := context.WithCancel(parentCTX)
+
+	// Specify the local IP address you want to bind to
+	localIP, localNet, err := net.ParseCIDR(wgAddr) // Should be our interface IP
+	if err != nil {
+		log.Errorf("error while parsing CIDR: %s", err)
+	}
+	index, err := getInterfaceIndex(interfaceName)
+
+	if err != nil {
+		log.Debugf("unable to get interface index for %s: %s", interfaceName, err)
+	}
+	localIFaceIndex := index // Should be our interface index
+
 	return &upstreamResolver{
 		ctx:              ctx,
 		cancel:           cancel,
-		upstreamClient:   &dns.Client{},
 		upstreamTimeout:  upstreamTimeout,
 		reactivatePeriod: reactivatePeriod,
 		failsTillDeact:   failsTillDeact,
+		lIP:              localIP,
+		lNet:             localNet,
+		iIndex:           localIFaceIndex,
+		lName:            interfaceName,
 	}
 }

@@ -70,26 +101,57 @@ func (u *upstreamResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	}

 	for _, upstream := range u.upstreamServers {
-		ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
-		rm, t, err := u.upstreamClient.ExchangeContext(ctx, r, upstream)
+		var (
+			exchangeErr error
+			t           time.Duration
+			rm          *dns.Msg
+		)

-		cancel()
+		upstreamExchangeClient := &dns.Client{}
+		if runtime.GOOS != "ios" {
+			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
+			rm, t, exchangeErr = upstreamExchangeClient.ExchangeContext(ctx, r, upstream)
+			cancel()
+		} else {
+			upstreamHost, _, err := net.SplitHostPort(upstream)
+			if err != nil {
+				log.Errorf("error while parsing upstream host: %s", err)
+				return
+			}
+			upstreamIP := net.ParseIP(upstreamHost)
+			if u.lNet.Contains(upstreamIP) || net.IP.IsPrivate(upstreamIP) {
+				upstreamExchangeClient = u.getClientPrivate()
+			}
+			rm, t, exchangeErr = upstreamExchangeClient.Exchange(r, upstream)
+		}

-		if err != nil {
-			if err == context.DeadlineExceeded || isTimeout(err) {
-				log.WithError(err).WithField("upstream", upstream).
+		if exchangeErr != nil {
+			if exchangeErr == context.DeadlineExceeded || isTimeout(exchangeErr) {
+				log.WithError(exchangeErr).WithField("upstream", upstream).
 					Warn("got an error while connecting to upstream")
 				continue
 			}
 			u.failsCount.Add(1)
-			log.WithError(err).WithField("upstream", upstream).
-				Error("got an error while querying the upstream")
+			log.WithError(exchangeErr).WithField("upstream", upstream).
+				Error("got other error while querying the upstream")
+			return
+		}
+
+		if rm == nil {
+			log.WithError(exchangeErr).WithField("upstream", upstream).
+				Warn("no response from upstream")
+			return
+		}
+		// those checks need to be independent of each other due to memory address issues
+		if !rm.Response {
+			log.WithError(exchangeErr).WithField("upstream", upstream).
+				Warn("no response from upstream")
 			return
 		}

 		log.Tracef("took %s to query the upstream %s", t, upstream)

-		err = w.WriteMsg(rm)
+		err := w.WriteMsg(rm)
 		if err != nil {
 			log.WithError(err).Error("got an error while writing the upstream resolver response")
 		}
@@ -118,6 +180,7 @@ func (u *upstreamResolver) checkUpstreamFails() {
 	case <-u.ctx.Done():
 		return
 	default:
+		// todo test the deactivation logic, it seems to affect the client
 		log.Warnf("upstream resolving is disabled for %v", reactivatePeriod)
 		u.deactivate()
 		u.disabled = true
--- a/client/internal/dns/upstream_ios.go
+++ b/client/internal/dns/upstream_ios.go
@@ -0,0 +1,44 @@
+//go:build ios
+
+package dns
+
+import (
+	"net"
+	"syscall"
+
+	"github.com/miekg/dns"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+)
+
+// getClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
+// This method is needed for iOS
+func (u *upstreamResolver) getClientPrivate() *dns.Client {
+	dialer := &net.Dialer{
+		LocalAddr: &net.UDPAddr{
+			IP:   u.lIP,
+			Port: 0, // Let the OS pick a free port
+		},
+		Timeout: upstreamTimeout,
+		Control: func(network, address string, c syscall.RawConn) error {
+			var operr error
+			fn := func(s uintptr) {
+				operr = unix.SetsockoptInt(int(s), unix.IPPROTO_IP, unix.IP_BOUND_IF, u.iIndex)
+			}
+
+			if err := c.Control(fn); err != nil {
+				return err
+			}
+
+			if operr != nil {
+				log.Errorf("error while setting socket option: %s", operr)
+			}
+
+			return operr
+		},
+	}
+	client := &dns.Client{
+		Dialer: dialer,
+	}
+	return client
+}
--- a/client/internal/dns/upstream_nonios.go
+++ b/client/internal/dns/upstream_nonios.go
@@ -0,0 +1,19 @@
+//go:build !ios
+
+package dns
+
+import (
+	"net"
+
+	"github.com/miekg/dns"
+)
+
+// getClientPrivate returns a new DNS client bound to the local IP address of the Netbird interface
+// This method is needed for iOS
+func (u *upstreamResolver) getClientPrivate() *dns.Client {
+	dialer := &net.Dialer{}
+	client := &dns.Client{
+		Dialer: dialer,
+	}
+	return client
+}
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -49,15 +49,15 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 			timeout:             upstreamTimeout,
 			responseShouldBeNil: true,
 		},
-		//{
+		// {
 		//	name:        "Should Resolve CNAME Record",
 		//	inputMSG:    new(dns.Msg).SetQuestion("one.one.one.one", dns.TypeCNAME),
-		//},
-		//{
+		// },
+		// {
 		//	name:                "Should Not Write When Not Found A Record",
 		//	inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
 		//	responseShouldBeNil: true,
-		//},
+		// },
 	}
 	// should resolve if first upstream times out
 	// should not write when both fails
@@ -66,7 +66,7 @@ func TestUpstreamResolver_ServeDNS(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			ctx, cancel := context.WithCancel(context.TODO())
-			resolver := newUpstreamResolver(ctx)
+			resolver := newUpstreamResolver(ctx, "", "")
 			resolver.upstreamServers = testCase.InputServers
 			resolver.upstreamTimeout = testCase.timeout
 			if testCase.cancelCTX {
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -205,8 +205,7 @@ func (e *Engine) Start() error {
 			go e.mobileDep.DnsReadyListener.OnReady()
 		}
 	} else if e.dnsServer == nil {
-		// todo fix custom address
-		e.dnsServer, err = dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress)
+		e.dnsServer, err = dns.NewDefaultServer(e.ctx, e.wgInterface, e.config.CustomDNSAddress, e.mobileDep.InterfaceName, wgAddr)
 		if err != nil {
 			e.close()
 			return err
@@ -216,13 +215,17 @@ func (e *Engine) Start() error {
 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder, routes)
 	e.routeManager.SetRouteChangeListener(e.mobileDep.NetworkChangeListener)

-	if runtime.GOOS == "android" {
-		err = e.wgInterface.CreateOnMobile(iface.MobileIFaceArguments{
+	switch runtime.GOOS {
+	case "android":
+		err = e.wgInterface.CreateOnAndroid(iface.MobileIFaceArguments{
 			Routes:        e.routeManager.InitialRouteRange(),
 			Dns:           e.dnsServer.DnsIP(),
 			SearchDomains: e.dnsServer.SearchDomains(),
 		})
-	} else {
+	case "ios":
+		e.mobileDep.NetworkChangeListener.SetInterfaceIP(wgAddr)
+		err = e.wgInterface.CreateOniOS(e.mobileDep.FileDescriptor)
+	default:
 		err = e.wgInterface.Create()
 	}
 	if err != nil {
@@ -264,7 +267,11 @@ func (e *Engine) Start() error {
 		e.acl = acl
 	}

-	err = e.dnsServer.Initialize()
+	if runtime.GOOS == "ios" {
+		err = e.dnsServer.Initialize(e.mobileDep.DnsManager)
+	} else {
+		err = e.dnsServer.Initialize(nil)
+	}
 	if err != nil {
 		e.close()
 		return err
@@ -466,7 +473,7 @@ func (e *Engine) updateSSH(sshConf *mgmProto.SSHConfig) error {
 		}
 		// start SSH server if it wasn't running
 		if isNil(e.sshServer) {
-			//nil sshServer means it has not yet been started
+			// nil sshServer means it has not yet been started
 			var err error
 			e.sshServer, err = e.sshServerFunc(e.config.SSHKey,
 				fmt.Sprintf("%s:%d", e.wgInterface.Address().IP.String(), nbssh.DefaultSSHPort))
--- a/client/internal/listener/network_change.go
+++ b/client/internal/listener/network_change.go
@@ -3,5 +3,6 @@ package listener
 // NetworkChangeListener is a callback interface for mobile system
 type NetworkChangeListener interface {
 	// OnNetworkChanged invoke when network settings has been changed
-	OnNetworkChanged()
+	OnNetworkChanged(string)
+	SetInterfaceIP(string)
 }
--- a/client/internal/mobile_dependency.go
+++ b/client/internal/mobile_dependency.go
@@ -14,4 +14,7 @@ type MobileDependency struct {
 	NetworkChangeListener listener.NetworkChangeListener
 	HostDNSAddresses      []string
 	DnsReadyListener      dns.ReadyListener
+	DnsManager            dns.IosDnsManager
+	FileDescriptor        int32
+	InterfaceName         string
 }
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -225,6 +226,10 @@ func (conn *Conn) candidateTypes() []ice.CandidateType {
 	if hasICEForceRelayConn() {
 		return []ice.CandidateType{ice.CandidateTypeRelay}
 	}
+	// TODO: remove this once we have refactored userspace proxy into the bind package
+	if runtime.GOOS == "ios" {
+		return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive}
+	}
 	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
 }

@@ -464,7 +469,7 @@ func (conn *Conn) cleanup() error {
 	err := conn.statusRecorder.UpdatePeerState(peerState)
 	if err != nil {
 		// pretty common error because by that time Engine can already remove the peer and status won't be available.
-		//todo rethink status updates
+		// todo rethink status updates
 		log.Debugf("error while updating peer's %s state, err: %v", conn.config.Key, err)
 	}

--- a/client/internal/routemanager/firewall_ios.go
+++ b/client/internal/routemanager/firewall_ios.go
@@ -0,0 +1,31 @@
+//go:build ios
+
+package routemanager
+
+import (
+	"context"
+)
+
+// newFirewall returns a nil manager
+func newFirewall(context.Context) (firewallManager, error) {
+	return iOSFirewallManager{}, nil
+}
+
+type iOSFirewallManager struct {
+}
+
+func (i iOSFirewallManager) RestoreOrCreateContainers() error {
+	return nil
+}
+
+func (i iOSFirewallManager) InsertRoutingRules(pair routerPair) error {
+	return nil
+}
+
+func (i iOSFirewallManager) RemoveRoutingRules(pair routerPair) error {
+	return nil
+}
+
+func (i iOSFirewallManager) CleanRoutingRules() {
+	return
+}
--- a/client/internal/routemanager/firewall_nonlinux.go
+++ b/client/internal/routemanager/firewall_nonlinux.go
@@ -1,5 +1,5 @@
-//go:build !linux
-// +build !linux
+//go:build !linux && !ios
+// +build !linux,!ios

 package routemanager

--- a/client/internal/routemanager/notifier.go
+++ b/client/internal/routemanager/notifier.go
@@ -2,6 +2,7 @@ package routemanager

 import (
 	"sort"
+	"strings"
 	"sync"

 	"github.com/netbirdio/netbird/client/internal/listener"
@@ -50,9 +51,6 @@ func (n *notifier) onNewRoutes(idMap map[string][]*route.Route) {

 	n.routeRangers = newNets

-	if !n.hasDiff(n.initialRouteRangers, newNets) {
-		return
-	}
 	n.notify()
 }

@@ -64,7 +62,7 @@ func (n *notifier) notify() {
 	}

 	go func(l listener.NetworkChangeListener) {
-		l.OnNetworkChanged()
+		l.OnNetworkChanged(strings.Join(n.routeRangers, ","))
 	}(n.listener)
 }

--- a/client/internal/routemanager/server_android.go
+++ b/client/internal/routemanager/server_android.go
@@ -1,3 +1,5 @@
+//go:build android
+
 package routemanager

 import (
--- a/client/internal/routemanager/systemops_ios.go
+++ b/client/internal/routemanager/systemops_ios.go
@@ -0,0 +1,15 @@
+//go:build ios
+
+package routemanager
+
+import (
+	"net/netip"
+)
+
+func addToRouteTableIfNoExists(prefix netip.Prefix, addr string) error {
+	return nil
+}
+
+func removeFromRouteTableIfNonSystem(prefix netip.Prefix, addr string) error {
+	return nil
+}
--- a/client/internal/routemanager/systemops_nonandroid.go
+++ b/client/internal/routemanager/systemops_nonandroid.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build !android && !ios

 package routemanager

--- a/client/ios/NetBirdSDK/client.go
+++ b/client/ios/NetBirdSDK/client.go
@@ -0,0 +1,223 @@
+package NetBirdSDK
+
+import (
+	"context"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/internal/auth"
+	"github.com/netbirdio/netbird/client/internal/dns"
+	"github.com/netbirdio/netbird/client/internal/listener"
+	"github.com/netbirdio/netbird/client/internal/peer"
+	"github.com/netbirdio/netbird/client/system"
+	"github.com/netbirdio/netbird/formatter"
+)
+
+// ConnectionListener export internal Listener for mobile
+type ConnectionListener interface {
+	peer.Listener
+}
+
+// RouteListener export internal RouteListener for mobile
+type NetworkChangeListener interface {
+	listener.NetworkChangeListener
+}
+
+// DnsManager export internal dns Manager for mobile
+type DnsManager interface {
+	dns.IosDnsManager
+}
+
+// CustomLogger export internal CustomLogger for mobile
+type CustomLogger interface {
+	Debug(message string)
+	Info(message string)
+	Error(message string)
+}
+
+func init() {
+	formatter.SetLogcatFormatter(log.StandardLogger())
+}
+
+// Client struct manage the life circle of background service
+type Client struct {
+	cfgFile               string
+	recorder              *peer.Status
+	ctxCancel             context.CancelFunc
+	ctxCancelLock         *sync.Mutex
+	deviceName            string
+	osName                string
+	osVersion             string
+	networkChangeListener listener.NetworkChangeListener
+	onHostDnsFn           func([]string)
+	dnsManager            dns.IosDnsManager
+	loginComplete         bool
+}
+
+// NewClient instantiate a new Client
+func NewClient(cfgFile, deviceName string, osVersion string, osName string, networkChangeListener NetworkChangeListener, dnsManager DnsManager) *Client {
+	return &Client{
+		cfgFile:               cfgFile,
+		deviceName:            deviceName,
+		osName:                osName,
+		osVersion:             osVersion,
+		recorder:              peer.NewRecorder(""),
+		ctxCancelLock:         &sync.Mutex{},
+		networkChangeListener: networkChangeListener,
+		dnsManager:            dnsManager,
+	}
+}
+
+// Run start the internal client. It is a blocker function
+func (c *Client) Run(fd int32, interfaceName string) error {
+	log.Infof("Starting NetBird client")
+	log.Debugf("Tunnel uses interface: %s", interfaceName)
+	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
+		ConfigPath: c.cfgFile,
+	})
+	if err != nil {
+		return err
+	}
+	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
+
+	var ctx context.Context
+	//nolint
+	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.OsNameCtxKey, c.osName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.OsVersionCtxKey, c.osVersion)
+	c.ctxCancelLock.Lock()
+	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
+	defer c.ctxCancel()
+	c.ctxCancelLock.Unlock()
+
+	auth := NewAuthWithConfig(ctx, cfg)
+	err = auth.Login()
+	if err != nil {
+		return err
+	}
+
+	log.Infof("Auth successful")
+	// todo do not throw error in case of cancelled context
+	ctx = internal.CtxInitState(ctx)
+	c.onHostDnsFn = func([]string) {}
+	return internal.RunClientiOS(ctx, cfg, c.recorder, fd, c.networkChangeListener, c.dnsManager, interfaceName)
+}
+
+// Stop the internal client and free the resources
+func (c *Client) Stop() {
+	c.ctxCancelLock.Lock()
+	defer c.ctxCancelLock.Unlock()
+	if c.ctxCancel == nil {
+		return
+	}
+
+	c.ctxCancel()
+}
+
+// ÏSetTraceLogLevel configure the logger to trace level
+func (c *Client) SetTraceLogLevel() {
+	log.SetLevel(log.TraceLevel)
+}
+
+// getStatusDetails return with the list of the PeerInfos
+func (c *Client) GetStatusDetails() *StatusDetails {
+
+	fullStatus := c.recorder.GetFullStatus()
+
+	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
+	for n, p := range fullStatus.Peers {
+		pi := PeerInfo{
+			p.IP,
+			p.FQDN,
+			p.ConnStatus.String(),
+		}
+		peerInfos[n] = pi
+	}
+	return &StatusDetails{items: peerInfos, fqdn: fullStatus.LocalPeerState.FQDN, ip: fullStatus.LocalPeerState.IP}
+}
+
+// SetConnectionListener set the network connection listener
+func (c *Client) SetConnectionListener(listener ConnectionListener) {
+	c.recorder.SetConnectionListener(listener)
+}
+
+// RemoveConnectionListener remove connection listener
+func (c *Client) RemoveConnectionListener() {
+	c.recorder.RemoveConnectionListener()
+}
+
+func (c *Client) IsLoginRequired() bool {
+	var ctx context.Context
+	//nolint
+	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.OsNameCtxKey, c.osName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.OsVersionCtxKey, c.osVersion)
+	c.ctxCancelLock.Lock()
+	defer c.ctxCancelLock.Unlock()
+	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
+
+	cfg, _ := internal.UpdateOrCreateConfig(internal.ConfigInput{
+		ConfigPath: c.cfgFile,
+	})
+
+	needsLogin, _ := internal.IsLoginRequired(ctx, cfg.PrivateKey, cfg.ManagementURL, cfg.SSHKey)
+	return needsLogin
+}
+
+func (c *Client) LoginForMobile() string {
+	var ctx context.Context
+	//nolint
+	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.OsNameCtxKey, c.osName)
+	//nolint
+	ctxWithValues = context.WithValue(ctxWithValues, system.OsVersionCtxKey, c.osVersion)
+	c.ctxCancelLock.Lock()
+	defer c.ctxCancelLock.Unlock()
+	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
+
+	cfg, _ := internal.UpdateOrCreateConfig(internal.ConfigInput{
+		ConfigPath: c.cfgFile,
+	})
+
+	oAuthFlow, err := auth.NewOAuthFlow(ctx, cfg, false)
+	if err != nil {
+		return err.Error()
+	}
+
+	flowInfo, err := oAuthFlow.RequestAuthInfo(context.TODO())
+	if err != nil {
+		return err.Error()
+	}
+
+	// This could cause a potential race condition with loading the extension which need to be handled on swift side
+	go func() {
+		waitTimeout := time.Duration(flowInfo.ExpiresIn) * time.Second
+		waitCTX, cancel := context.WithTimeout(ctx, waitTimeout)
+		defer cancel()
+		tokenInfo, err := oAuthFlow.WaitToken(waitCTX, flowInfo)
+		if err != nil {
+			return
+		}
+		jwtToken := tokenInfo.GetTokenToUse()
+		_ = internal.Login(ctx, cfg, "", jwtToken)
+		c.loginComplete = true
+	}()
+
+	return flowInfo.VerificationURIComplete
+}
+
+func (c *Client) IsLoginComplete() bool {
+	return c.loginComplete
+}
+
+func (c *Client) ClearLoginComplete() {
+	c.loginComplete = false
+}
--- a/client/ios/NetBirdSDK/gomobile.go
+++ b/client/ios/NetBirdSDK/gomobile.go
@@ -0,0 +1,5 @@
+package NetBirdSDK
+
+import _ "golang.org/x/mobile/bind"
+
+// to keep our CI/CD that checks go.mod and go.sum files happy, we need to import the package above
--- a/client/ios/NetBirdSDK/logger.go
+++ b/client/ios/NetBirdSDK/logger.go
@@ -0,0 +1,10 @@
+package NetBirdSDK
+
+import (
+	"github.com/netbirdio/netbird/util"
+)
+
+// InitializeLog initializes the log file.
+func InitializeLog(logLevel string, filePath string) error {
+	return util.InitLog(logLevel, filePath)
+}
--- a/client/ios/NetBirdSDK/login.go
+++ b/client/ios/NetBirdSDK/login.go
@@ -0,0 +1,159 @@
+package NetBirdSDK
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/cenkalti/backoff/v4"
+	log "github.com/sirupsen/logrus"
+	"google.golang.org/grpc/codes"
+	gstatus "google.golang.org/grpc/status"
+
+	"github.com/netbirdio/netbird/client/cmd"
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/system"
+)
+
+// SSOListener is async listener for mobile framework
+type SSOListener interface {
+	OnSuccess(bool)
+	OnError(error)
+}
+
+// ErrListener is async listener for mobile framework
+type ErrListener interface {
+	OnSuccess()
+	OnError(error)
+}
+
+// URLOpener it is a callback interface. The Open function will be triggered if
+// the backend want to show an url for the user
+type URLOpener interface {
+	Open(string)
+}
+
+// Auth can register or login new client
+type Auth struct {
+	ctx     context.Context
+	config  *internal.Config
+	cfgPath string
+}
+
+// NewAuth instantiate Auth struct and validate the management URL
+func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
+	inputCfg := internal.ConfigInput{
+		ManagementURL: mgmURL,
+	}
+
+	cfg, err := internal.CreateInMemoryConfig(inputCfg)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Auth{
+		ctx:     context.Background(),
+		config:  cfg,
+		cfgPath: cfgPath,
+	}, nil
+}
+
+// NewAuthWithConfig instantiate Auth based on existing config
+func NewAuthWithConfig(ctx context.Context, config *internal.Config) *Auth {
+	return &Auth{
+		ctx:    ctx,
+		config: config,
+	}
+}
+
+// SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
+// If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
+// is not supported and returns false without saving the configuration. For other errors return false.
+func (a *Auth) SaveConfigIfSSOSupported() (bool, error) {
+	supportsSSO := true
+	err := a.withBackOff(a.ctx, func() (err error) {
+		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+		if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
+			_, err = internal.GetPKCEAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
+			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
+				supportsSSO = false
+				err = nil
+			}
+
+			return err
+		}
+
+		return err
+	})
+
+	if !supportsSSO {
+		return false, nil
+	}
+
+	if err != nil {
+		return false, fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	err = internal.WriteOutConfig(a.cfgPath, a.config)
+	return true, err
+}
+
+// LoginWithSetupKeyAndSaveConfig test the connectivity with the management server with the setup key.
+func (a *Auth) LoginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
+	//nolint
+	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
+
+	err := a.withBackOff(a.ctx, func() error {
+		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
+		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
+			// we got an answer from management, exit backoff earlier
+			return backoff.Permanent(backoffErr)
+		}
+		return backoffErr
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	return internal.WriteOutConfig(a.cfgPath, a.config)
+}
+
+func (a *Auth) Login() error {
+	var needsLogin bool
+
+	// check if we need to generate JWT token
+	err := a.withBackOff(a.ctx, func() (err error) {
+		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config.SSHKey)
+		return
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	jwtToken := ""
+	if needsLogin {
+		return fmt.Errorf("Not authenticated")
+	}
+
+	err = a.withBackOff(a.ctx, func() error {
+		err := internal.Login(a.ctx, a.config, "", jwtToken)
+		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
+			return nil
+		}
+		return err
+	})
+	if err != nil {
+		return fmt.Errorf("backoff cycle failed: %v", err)
+	}
+
+	return nil
+}
+
+func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
+	return backoff.RetryNotify(
+		bf,
+		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
+		func(err error, duration time.Duration) {
+			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
+		})
+}
--- a/client/ios/NetBirdSDK/peer_notifier.go
+++ b/client/ios/NetBirdSDK/peer_notifier.go
@@ -0,0 +1,50 @@
+package NetBirdSDK
+
+// PeerInfo describe information about the peers. It designed for the UI usage
+type PeerInfo struct {
+	IP         string
+	FQDN       string
+	ConnStatus string // Todo replace to enum
+}
+
+// PeerInfoCollection made for Java layer to get non default types as collection
+type PeerInfoCollection interface {
+	Add(s string) PeerInfoCollection
+	Get(i int) string
+	Size() int
+	GetFQDN() string
+	GetIP() string
+}
+
+// StatusDetails is the implementation of the PeerInfoCollection
+type StatusDetails struct {
+	items []PeerInfo
+	fqdn  string
+	ip    string
+}
+
+// Add new PeerInfo to the collection
+func (array StatusDetails) Add(s PeerInfo) StatusDetails {
+	array.items = append(array.items, s)
+	return array
+}
+
+// Get return an element of the collection
+func (array StatusDetails) Get(i int) *PeerInfo {
+	return &array.items[i]
+}
+
+// Size return with the size of the collection
+func (array StatusDetails) Size() int {
+	return len(array.items)
+}
+
+// GetFQDN return with the FQDN of the local peer
+func (array StatusDetails) GetFQDN() string {
+	return array.fqdn
+}
+
+// GetIP return with the IP of the local peer
+func (array StatusDetails) GetIP() string {
+	return array.ip
+}
--- a/client/ios/NetBirdSDK/preferences.go
+++ b/client/ios/NetBirdSDK/preferences.go
@@ -0,0 +1,78 @@
+package NetBirdSDK
+
+import (
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+// Preferences export a subset of the internal config for gomobile
+type Preferences struct {
+	configInput internal.ConfigInput
+}
+
+// NewPreferences create new Preferences instance
+func NewPreferences(configPath string) *Preferences {
+	ci := internal.ConfigInput{
+		ConfigPath: configPath,
+	}
+	return &Preferences{ci}
+}
+
+// GetManagementURL read url from config file
+func (p *Preferences) GetManagementURL() (string, error) {
+	if p.configInput.ManagementURL != "" {
+		return p.configInput.ManagementURL, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.ManagementURL.String(), err
+}
+
+// SetManagementURL store the given url and wait for commit
+func (p *Preferences) SetManagementURL(url string) {
+	p.configInput.ManagementURL = url
+}
+
+// GetAdminURL read url from config file
+func (p *Preferences) GetAdminURL() (string, error) {
+	if p.configInput.AdminURL != "" {
+		return p.configInput.AdminURL, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.AdminURL.String(), err
+}
+
+// SetAdminURL store the given url and wait for commit
+func (p *Preferences) SetAdminURL(url string) {
+	p.configInput.AdminURL = url
+}
+
+// GetPreSharedKey read preshared key from config file
+func (p *Preferences) GetPreSharedKey() (string, error) {
+	if p.configInput.PreSharedKey != nil {
+		return *p.configInput.PreSharedKey, nil
+	}
+
+	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
+	if err != nil {
+		return "", err
+	}
+	return cfg.PreSharedKey, err
+}
+
+// SetPreSharedKey store the given key and wait for commit
+func (p *Preferences) SetPreSharedKey(key string) {
+	p.configInput.PreSharedKey = &key
+}
+
+// Commit write out the changes into config file
+func (p *Preferences) Commit() error {
+	_, err := internal.UpdateOrCreateConfig(p.configInput)
+	return err
+}
--- a/client/ios/NetBirdSDK/preferences_test.go
+++ b/client/ios/NetBirdSDK/preferences_test.go
@@ -0,0 +1,120 @@
+package NetBirdSDK
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/netbirdio/netbird/client/internal"
+)
+
+func TestPreferences_DefaultValues(t *testing.T) {
+	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
+	p := NewPreferences(cfgFile)
+	defaultVar, err := p.GetAdminURL()
+	if err != nil {
+		t.Fatalf("failed to read default value: %s", err)
+	}
+
+	if defaultVar != internal.DefaultAdminURL {
+		t.Errorf("invalid default admin url: %s", defaultVar)
+	}
+
+	defaultVar, err = p.GetManagementURL()
+	if err != nil {
+		t.Fatalf("failed to read default management URL: %s", err)
+	}
+
+	if defaultVar != internal.DefaultManagementURL {
+		t.Errorf("invalid default management url: %s", defaultVar)
+	}
+
+	var preSharedKey string
+	preSharedKey, err = p.GetPreSharedKey()
+	if err != nil {
+		t.Fatalf("failed to read default preshared key: %s", err)
+	}
+
+	if preSharedKey != "" {
+		t.Errorf("invalid preshared key: %s", preSharedKey)
+	}
+}
+
+func TestPreferences_ReadUncommitedValues(t *testing.T) {
+	exampleString := "exampleString"
+	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
+	p := NewPreferences(cfgFile)
+
+	p.SetAdminURL(exampleString)
+	resp, err := p.GetAdminURL()
+	if err != nil {
+		t.Fatalf("failed to read admin url: %s", err)
+	}
+
+	if resp != exampleString {
+		t.Errorf("unexpected admin url: %s", resp)
+	}
+
+	p.SetManagementURL(exampleString)
+	resp, err = p.GetManagementURL()
+	if err != nil {
+		t.Fatalf("failed to read management url: %s", err)
+	}
+
+	if resp != exampleString {
+		t.Errorf("unexpected management url: %s", resp)
+	}
+
+	p.SetPreSharedKey(exampleString)
+	resp, err = p.GetPreSharedKey()
+	if err != nil {
+		t.Fatalf("failed to read preshared key: %s", err)
+	}
+
+	if resp != exampleString {
+		t.Errorf("unexpected preshared key: %s", resp)
+	}
+}
+
+func TestPreferences_Commit(t *testing.T) {
+	exampleURL := "https://myurl.com:443"
+	examplePresharedKey := "topsecret"
+	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
+	p := NewPreferences(cfgFile)
+
+	p.SetAdminURL(exampleURL)
+	p.SetManagementURL(exampleURL)
+	p.SetPreSharedKey(examplePresharedKey)
+
+	err := p.Commit()
+	if err != nil {
+		t.Fatalf("failed to save changes: %s", err)
+	}
+
+	p = NewPreferences(cfgFile)
+	resp, err := p.GetAdminURL()
+	if err != nil {
+		t.Fatalf("failed to read admin url: %s", err)
+	}
+
+	if resp != exampleURL {
+		t.Errorf("unexpected admin url: %s", resp)
+	}
+
+	resp, err = p.GetManagementURL()
+	if err != nil {
+		t.Fatalf("failed to read management url: %s", err)
+	}
+
+	if resp != exampleURL {
+		t.Errorf("unexpected management url: %s", resp)
+	}
+
+	resp, err = p.GetPreSharedKey()
+	if err != nil {
+		t.Fatalf("failed to read preshared key: %s", err)
+	}
+
+	if resp != examplePresharedKey {
+		t.Errorf("unexpected preshared key: %s", resp)
+	}
+}
--- a/client/system/info.go
+++ b/client/system/info.go
@@ -12,6 +12,12 @@ import (
 // DeviceNameCtxKey context key for device name
 const DeviceNameCtxKey = "deviceName"

+// OsVersionCtxKey context key for operating system version
+const OsVersionCtxKey = "OsVersion"
+
+// OsNameCtxKey context key for operating system name
+const OsNameCtxKey = "OsName"
+
 // Info is an object that contains machine information
 // Most of the code is taken from https://github.com/matishsiao/goInfo
 type Info struct {
--- a/client/system/info_darwin.go
+++ b/client/system/info_darwin.go
@@ -1,3 +1,6 @@
+//go:build !ios
+// +build !ios
+
 package system

 import (
--- a/client/system/info_ios.go
+++ b/client/system/info_ios.go
@@ -0,0 +1,45 @@
+//go:build ios
+// +build ios
+
+package system
+
+import (
+	"context"
+	"runtime"
+
+	"github.com/netbirdio/netbird/version"
+)
+
+// GetInfo retrieves and parses the system information
+func GetInfo(ctx context.Context) *Info {
+
+	// Convert fixed-size byte arrays to Go strings
+	sysName := extractOsName(ctx, "sysName")
+	swVersion := extractOsVersion(ctx, "swVersion")
+
+	gio := &Info{Kernel: sysName, OSVersion: swVersion, Core: swVersion, Platform: "unknown", OS: sysName, GoOS: runtime.GOOS, CPUs: runtime.NumCPU()}
+	// systemHostname, _ := os.Hostname()
+	gio.Hostname = extractDeviceName(ctx, "hostname")
+	gio.WiretrusteeVersion = version.NetbirdVersion()
+	gio.UIVersion = extractUserAgent(ctx)
+
+	return gio
+}
+
+// extractOsVersion extracts operating system version from context or returns the default
+func extractOsVersion(ctx context.Context, defaultName string) string {
+	v, ok := ctx.Value(OsVersionCtxKey).(string)
+	if !ok {
+		return defaultName
+	}
+	return v
+}
+
+// extractOsName extracts operating system name from context or returns the default
+func extractOsName(ctx context.Context, defaultName string) string {
+	v, ok := ctx.Value(OsNameCtxKey).(string)
+	if !ok {
+		return defaultName
+	}
+	return v
+}
--- a/go.mod
+++ b/go.mod
@@ -51,7 +51,8 @@ require (
 	github.com/miekg/dns v1.1.43
 	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/nadoo/ipset v0.5.0
-	github.com/netbirdio/management-integrations/integrations v0.0.0-20231027143200-a966bce7db88
+	github.com/netbirdio/management-integrations/additions v0.0.0-20231205113053-c462587ae695
+	github.com/netbirdio/management-integrations/integrations v0.0.0-20231205113053-c462587ae695
 	github.com/okta/okta-sdk-golang/v2 v2.18.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pion/logging v0.2.2
--- a/go.sum
+++ b/go.sum
@@ -495,8 +495,10 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/nadoo/ipset v0.5.0 h1:5GJUAuZ7ITQQQGne5J96AmFjRtI8Avlbk6CabzYWVUc=
 github.com/nadoo/ipset v0.5.0/go.mod h1:rYF5DQLRGGoQ8ZSWeK+6eX5amAuPqwFkWjhQlEITGJQ=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20231027143200-a966bce7db88 h1:zhe8qseauBuYOS910jpl5sv8Tb+36zxQPXrwYXqll0g=
-github.com/netbirdio/management-integrations/integrations v0.0.0-20231027143200-a966bce7db88/go.mod h1:KSqjzHcqlodTWiuap5lRXxt5KT3vtYRoksL0KIrTK40=
+github.com/netbirdio/management-integrations/additions v0.0.0-20231205113053-c462587ae695 h1:c/Rvyy/mqbFoKo6FS8ihQ3/3y+TAl0qDEH0pO2tXayM=
+github.com/netbirdio/management-integrations/additions v0.0.0-20231205113053-c462587ae695/go.mod h1:31FhBNvQ+riHEIu6LSTmqr8IeuSIsGfQffqV4LFmbwA=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20231205113053-c462587ae695 h1:9HRnqSosRuKyOZgVN/hJW3DG2zVyt5AARmiQlSuDPIc=
+github.com/netbirdio/management-integrations/integrations v0.0.0-20231205113053-c462587ae695/go.mod h1:B0nMS3es77gOvPYhc0K91fAzTkQLi/jRq5TffUN3klM=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0 h1:hirFRfx3grVA/9eEyjME5/z3nxdJlN9kfQpvWWPk32g=
 github.com/netbirdio/service v0.0.0-20230215170314-b923b89432b0/go.mod h1:CIMRFEJVL+0DS1a3Nx06NaMn4Dz63Ng6O7dl0qH0zVM=
 github.com/netbirdio/systray v0.0.0-20231030152038-ef1ed2a27949 h1:xbWM9BU6mwZZLHxEjxIX/V8Hv3HurQt4mReIE4mY4DM=
--- a/iface/iface_android.go
+++ b/iface/iface_android.go
@@ -28,14 +28,20 @@ func NewWGIFace(ifaceName string, address string, mtu int, tunAdapter TunAdapter
 	return wgIFace, nil
 }

-// CreateOnMobile creates a new Wireguard interface, sets a given IP and brings it up.
+// CreateOnAndroid creates a new Wireguard interface, sets a given IP and brings it up.
 // Will reuse an existing one.
-func (w *WGIface) CreateOnMobile(mIFaceArgs MobileIFaceArguments) error {
+func (w *WGIface) CreateOnAndroid(mIFaceArgs MobileIFaceArguments) error {
 	w.mu.Lock()
 	defer w.mu.Unlock()
 	return w.tun.Create(mIFaceArgs)
 }

+// CreateOniOS creates a new Wireguard interface, sets a given IP and brings it up.
+// Will reuse an existing one.
+func (w *WGIface) CreateOniOS(tunFd int32) error {
+	return fmt.Errorf("this function has not implemented on mobile")
+}
+
 // Create this function make sense on mobile only
 func (w *WGIface) Create() error {
 	return fmt.Errorf("this function has not implemented on mobile")
--- a/iface/iface_ios.go
+++ b/iface/iface_ios.go
@@ -0,0 +1,51 @@
+//go:build ios
+// +build ios
+
+package iface
+
+import (
+	"fmt"
+	"sync"
+
+	"github.com/pion/transport/v2"
+)
+
+// NewWGIFace Creates a new WireGuard interface instance
+func NewWGIFace(ifaceName string, address string, mtu int, tunAdapter TunAdapter, transportNet transport.Net) (*WGIface, error) {
+	wgIFace := &WGIface{
+		mu: sync.Mutex{},
+	}
+
+	wgAddress, err := parseWGAddress(address)
+	if err != nil {
+		return wgIFace, err
+	}
+
+	tun := newTunDevice(wgAddress, mtu, tunAdapter, transportNet)
+	wgIFace.tun = tun
+
+	wgIFace.configurer = newWGConfigurer(tun)
+
+	wgIFace.userspaceBind = !WireGuardModuleIsLoaded()
+
+	return wgIFace, nil
+}
+
+// CreateOniOS creates a new Wireguard interface, sets a given IP and brings it up.
+// Will reuse an existing one.
+func (w *WGIface) CreateOniOS(tunFd int32) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+	return w.tun.Create(tunFd)
+}
+
+// CreateOnAndroid creates a new Wireguard interface, sets a given IP and brings it up.
+// Will reuse an existing one.
+func (w *WGIface) CreateOnAndroid(mIFaceArgs MobileIFaceArguments) error {
+	return fmt.Errorf("this function has not implemented on mobile")
+}
+
+// Create this function make sense on mobile only
+func (w *WGIface) Create() error {
+	return fmt.Errorf("this function has not implemented on mobile")
+}
--- a/iface/iface_nonandroid.go
+++ b/iface/iface_nonandroid.go
@@ -1,4 +1,5 @@
-//go:build !android
+//go:build !android && !ios
+// +build !android,!ios

 package iface

@@ -27,8 +28,13 @@ func NewWGIFace(iFaceName string, address string, mtu int, tunAdapter TunAdapter
 	return wgIFace, nil
 }

-// CreateOnMobile this function make sense on mobile only
-func (w *WGIface) CreateOnMobile(mIFaceArgs MobileIFaceArguments) error {
+// CreateOnAndroid this function make sense on mobile only
+func (w *WGIface) CreateOnAndroid(mIFaceArgs MobileIFaceArguments) error {
+	return fmt.Errorf("this function has not implemented on non mobile")
+}
+
+// CreateOniOS this function make sense on mobile only
+func (w *WGIface) CreateOniOS(tunFd int32) error {
 	return fmt.Errorf("this function has not implemented on non mobile")
 }

--- a/iface/ipc_parser_android.go
+++ b/iface/ipc_parser_android.go
@@ -1,3 +1,6 @@
+//go:build android
+// +build android
+
 package iface

 import (
--- a/iface/ipc_parser_ios.go
+++ b/iface/ipc_parser_ios.go
@@ -0,0 +1,63 @@
+//go:build ios
+// +build ios
+
+package iface
+
+import (
+	"encoding/hex"
+	"fmt"
+	"strings"
+
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+func toWgUserspaceString(wgCfg wgtypes.Config) string {
+	var sb strings.Builder
+	if wgCfg.PrivateKey != nil {
+		hexKey := hex.EncodeToString(wgCfg.PrivateKey[:])
+		sb.WriteString(fmt.Sprintf("private_key=%s\n", hexKey))
+	}
+
+	if wgCfg.ListenPort != nil {
+		sb.WriteString(fmt.Sprintf("listen_port=%d\n", *wgCfg.ListenPort))
+	}
+
+	if wgCfg.ReplacePeers {
+		sb.WriteString("replace_peers=true\n")
+	}
+
+	if wgCfg.FirewallMark != nil {
+		sb.WriteString(fmt.Sprintf("fwmark=%d\n", *wgCfg.FirewallMark))
+	}
+
+	for _, p := range wgCfg.Peers {
+		hexKey := hex.EncodeToString(p.PublicKey[:])
+		sb.WriteString(fmt.Sprintf("public_key=%s\n", hexKey))
+
+		if p.PresharedKey != nil {
+			preSharedHexKey := hex.EncodeToString(p.PresharedKey[:])
+			sb.WriteString(fmt.Sprintf("preshared_key=%s\n", preSharedHexKey))
+		}
+
+		if p.Remove {
+			sb.WriteString("remove=true")
+		}
+
+		if p.ReplaceAllowedIPs {
+			sb.WriteString("replace_allowed_ips=true\n")
+		}
+
+		for _, aip := range p.AllowedIPs {
+			sb.WriteString(fmt.Sprintf("allowed_ip=%s\n", aip.String()))
+		}
+
+		if p.Endpoint != nil {
+			sb.WriteString(fmt.Sprintf("endpoint=%s\n", p.Endpoint.String()))
+		}
+
+		if p.PersistentKeepaliveInterval != nil {
+			sb.WriteString(fmt.Sprintf("persistent_keepalive_interval=%d\n", int(p.PersistentKeepaliveInterval.Seconds())))
+		}
+	}
+	return sb.String()
+}
--- a/iface/tun_android.go
+++ b/iface/tun_android.go
@@ -1,3 +1,6 @@
+//go:build android
+// +build android
+
 package iface

 import (
@@ -56,7 +59,7 @@ func (t *tunDevice) Create(mIFaceArgs MobileIFaceArguments) error {
 	t.device = device.NewDevice(t.wrapper, t.iceBind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
 	// without this property mobile devices can discover remote endpoints if the configured one was wrong.
 	// this helps with support for the older NetBird clients that had a hardcoded direct mode
-	//t.device.DisableSomeRoamingForBrokenMobileSemantics()
+	// t.device.DisableSomeRoamingForBrokenMobileSemantics()

 	err = t.device.Up()
 	if err != nil {
--- a/iface/tun_darwin.go
+++ b/iface/tun_darwin.go
@@ -1,3 +1,6 @@
+//go:build !ios
+// +build !ios
+
 package iface

 import (
--- a/iface/tun_ios.go
+++ b/iface/tun_ios.go
@@ -0,0 +1,105 @@
+//go:build ios
+// +build ios
+
+package iface
+
+import (
+	"os"
+	"strings"
+
+	"github.com/pion/transport/v2"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
+
+	"github.com/netbirdio/netbird/iface/bind"
+)
+
+type tunDevice struct {
+	address    WGAddress
+	mtu        int
+	tunAdapter TunAdapter
+	iceBind    *bind.ICEBind
+
+	fd      int
+	name    string
+	device  *device.Device
+	wrapper *DeviceWrapper
+}
+
+func newTunDevice(address WGAddress, mtu int, tunAdapter TunAdapter, transportNet transport.Net) *tunDevice {
+	return &tunDevice{
+		address:    address,
+		mtu:        mtu,
+		tunAdapter: tunAdapter,
+		iceBind:    bind.NewICEBind(transportNet),
+	}
+}
+
+func (t *tunDevice) Create(tunFd int32) error {
+	log.Infof("create tun interface")
+
+	dupTunFd, err := unix.Dup(int(tunFd))
+	if err != nil {
+		log.Errorf("Unable to dup tun fd: %v", err)
+		return err
+	}
+
+	err = unix.SetNonblock(dupTunFd, true)
+	if err != nil {
+		log.Errorf("Unable to set tun fd as non blocking: %v", err)
+		unix.Close(dupTunFd)
+		return err
+	}
+	tun, err := tun.CreateTUNFromFile(os.NewFile(uintptr(dupTunFd), "/dev/tun"), 0)
+	if err != nil {
+		log.Errorf("Unable to create new tun device from fd: %v", err)
+		unix.Close(dupTunFd)
+		return err
+	}
+
+	t.wrapper = newDeviceWrapper(tun)
+	log.Debug("Attaching to interface")
+	t.device = device.NewDevice(t.wrapper, t.iceBind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	// without this property mobile devices can discover remote endpoints if the configured one was wrong.
+	// this helps with support for the older NetBird clients that had a hardcoded direct mode
+	// t.device.DisableSomeRoamingForBrokenMobileSemantics()
+
+	err = t.device.Up()
+	if err != nil {
+		t.device.Close()
+		return err
+	}
+	log.Debugf("device is ready to use: %s", t.name)
+	return nil
+}
+
+func (t *tunDevice) Device() *device.Device {
+	return t.device
+}
+
+func (t *tunDevice) DeviceName() string {
+	return t.name
+}
+
+func (t *tunDevice) WgAddress() WGAddress {
+	return t.address
+}
+
+func (t *tunDevice) UpdateAddr(addr WGAddress) error {
+	// todo implement
+	return nil
+}
+
+func (t *tunDevice) Close() (err error) {
+	if t.device != nil {
+		t.device.Close()
+	}
+
+	return
+}
+
+func (t *tunDevice) routesToString(routes []string) string {
+	return strings.Join(routes, ";")
+}
--- a/iface/tun_unix.go
+++ b/iface/tun_unix.go
@@ -1,4 +1,4 @@
-//go:build (linux || darwin) && !android
+//go:build (linux || darwin) && !android && !ios

 package iface

--- a/iface/wg_configurer_ios.go
+++ b/iface/wg_configurer_ios.go
@@ -0,0 +1,165 @@
+//go:build ios
+// +build ios
+
+package iface
+
+import (
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+)
+
+var (
+	errFuncNotImplemented = errors.New("function not implemented")
+)
+
+type wGConfigurer struct {
+	tunDevice *tunDevice
+}
+
+func newWGConfigurer(tunDevice *tunDevice) wGConfigurer {
+	return wGConfigurer{
+		tunDevice: tunDevice,
+	}
+}
+
+func (c *wGConfigurer) configureInterface(privateKey string, port int) error {
+	log.Debugf("adding Wireguard private key")
+	key, err := wgtypes.ParseKey(privateKey)
+	if err != nil {
+		return err
+	}
+	fwmark := 0
+	config := wgtypes.Config{
+		PrivateKey:   &key,
+		ReplacePeers: true,
+		FirewallMark: &fwmark,
+		ListenPort:   &port,
+	}
+
+	return c.tunDevice.Device().IpcSet(toWgUserspaceString(config))
+}
+
+func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
+	// parse allowed ips
+	_, ipNet, err := net.ParseCIDR(allowedIps)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:                   peerKeyParsed,
+		ReplaceAllowedIPs:           true,
+		AllowedIPs:                  []net.IPNet{*ipNet},
+		PersistentKeepaliveInterval: &keepAlive,
+		PresharedKey:                preSharedKey,
+		Endpoint:                    endpoint,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+
+	return c.tunDevice.Device().IpcSet(toWgUserspaceString(config))
+}
+
+func (c *wGConfigurer) removePeer(peerKey string) error {
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+
+	peer := wgtypes.PeerConfig{
+		PublicKey: peerKeyParsed,
+		Remove:    true,
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+	return c.tunDevice.Device().IpcSet(toWgUserspaceString(config))
+}
+
+func (c *wGConfigurer) addAllowedIP(peerKey string, allowedIP string) error {
+	_, ipNet, err := net.ParseCIDR(allowedIP)
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	if err != nil {
+		return err
+	}
+	peer := wgtypes.PeerConfig{
+		PublicKey:         peerKeyParsed,
+		UpdateOnly:        true,
+		ReplaceAllowedIPs: false,
+		AllowedIPs:        []net.IPNet{*ipNet},
+	}
+
+	config := wgtypes.Config{
+		Peers: []wgtypes.PeerConfig{peer},
+	}
+
+	return c.tunDevice.Device().IpcSet(toWgUserspaceString(config))
+}
+
+func (c *wGConfigurer) removeAllowedIP(peerKey string, ip string) error {
+	ipc, err := c.tunDevice.Device().IpcGet()
+	if err != nil {
+		return err
+	}
+
+	peerKeyParsed, err := wgtypes.ParseKey(peerKey)
+	hexKey := hex.EncodeToString(peerKeyParsed[:])
+
+	lines := strings.Split(ipc, "\n")
+
+	output := ""
+	foundPeer := false
+	removedAllowedIP := false
+	for _, line := range lines {
+		line = strings.TrimSpace(line)
+
+		// If we're within the details of the found peer and encounter another public key,
+		// this means we're starting another peer's details. So, reset the flag.
+		if strings.HasPrefix(line, "public_key=") && foundPeer {
+			foundPeer = false
+		}
+
+		// Identify the peer with the specific public key
+		if line == fmt.Sprintf("public_key=%s", hexKey) {
+			foundPeer = true
+		}
+
+		// If we're within the details of the found peer and find the specific allowed IP, skip this line
+		if foundPeer && line == "allowed_ip="+ip {
+			removedAllowedIP = true
+			continue
+		}
+
+		// Append the line to the output string
+		if strings.HasPrefix(line, "private_key=") || strings.HasPrefix(line, "listen_port=") ||
+			strings.HasPrefix(line, "public_key=") || strings.HasPrefix(line, "preshared_key=") ||
+			strings.HasPrefix(line, "endpoint=") || strings.HasPrefix(line, "persistent_keepalive_interval=") ||
+			strings.HasPrefix(line, "allowed_ip=") {
+			output += line + "\n"
+		}
+	}
+
+	if !removedAllowedIP {
+		return fmt.Errorf("allowedIP not found")
+	} else {
+		return c.tunDevice.Device().IpcSet(output)
+	}
+}
--- a/iface/wg_configurer_nonandroid.go
+++ b/iface/wg_configurer_nonandroid.go
@@ -1,4 +1,4 @@
-//go:build !android
+//go:build !android && !ios

 package iface

@@ -44,7 +44,7 @@ func (c *wGConfigurer) configureInterface(privateKey string, port int) error {
 }

 func (c *wGConfigurer) updatePeer(peerKey string, allowedIps string, keepAlive time.Duration, endpoint *net.UDPAddr, preSharedKey *wgtypes.Key) error {
-	//parse allowed ips
+	// parse allowed ips
 	_, ipNet, err := net.ParseCIDR(allowedIps)
 	if err != nil {
 		return err
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -17,15 +17,18 @@ import (

 	"github.com/eko/gocache/v3/cache"
 	cacheStore "github.com/eko/gocache/v3/store"
+	"github.com/netbirdio/management-integrations/additions"
 	gocache "github.com/patrickmn/go-cache"
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/base62"
 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"
 )
@@ -68,13 +71,13 @@ type AccountManager interface {
 	MarkPATUsed(tokenID string) error
 	GetUser(claims jwtclaims.AuthorizationClaims) (*User, error)
 	ListUsers(accountID string) ([]*User, error)
-	GetPeers(accountID, userID string) ([]*Peer, error)
+	GetPeers(accountID, userID string) ([]*nbpeer.Peer, error)
 	MarkPeerConnected(peerKey string, connected bool) error
 	DeletePeer(accountID, peerID, userID string) error
-	UpdatePeer(accountID, userID string, peer *Peer) (*Peer, error)
+	UpdatePeer(accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
 	GetNetworkMap(peerID string) (*NetworkMap, error)
 	GetPeerNetwork(peerID string) (*Network, error)
-	AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error)
+	AddPeer(setupKey, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, *NetworkMap, error)
 	CreatePAT(accountID string, initiatorUserID string, targetUserID string, tokenName string, expiresIn int) (*PersonalAccessTokenGenerated, error)
 	DeletePAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) error
 	GetPAT(accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error)
@@ -106,11 +109,12 @@ type AccountManager interface {
 	GetEvents(accountID, userID string) ([]*activity.Event, error)
 	GetDNSSettings(accountID string, userID string) (*DNSSettings, error)
 	SaveDNSSettings(accountID string, userID string, dnsSettingsToSave *DNSSettings) error
-	GetPeer(accountID, peerID, userID string) (*Peer, error)
+	GetPeer(accountID, peerID, userID string) (*nbpeer.Peer, error)
 	UpdateAccountSettings(accountID, userID string, newSettings *Settings) (*Account, error)
-	LoginPeer(login PeerLogin) (*Peer, *NetworkMap, error) // used by peer gRPC API
-	SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error)    // used by peer gRPC API
+	LoginPeer(login PeerLogin) (*nbpeer.Peer, *NetworkMap, error) // used by peer gRPC API
+	SyncPeer(sync PeerSync) (*nbpeer.Peer, *NetworkMap, error)    // used by peer gRPC API
 	GetAllConnectedPeers() (map[string]struct{}, error)
+	HasConnectedChannel(peerID string) bool
 	GetExternalCacheManager() ExternalCacheManager
 }

@@ -159,17 +163,24 @@ type Settings struct {

 	// JWTGroupsClaimName from which we extract groups name to add it to account groups
 	JWTGroupsClaimName string
+
+	// Extra is a dictionary of Account settings
+	Extra *account.ExtraSettings `gorm:"embedded;embeddedPrefix:extra_"`
 }

 // Copy copies the Settings struct
 func (s *Settings) Copy() *Settings {
-	return &Settings{
+	settings := &Settings{
 		PeerLoginExpirationEnabled: s.PeerLoginExpirationEnabled,
 		PeerLoginExpiration:        s.PeerLoginExpiration,
 		JWTGroupsEnabled:           s.JWTGroupsEnabled,
 		JWTGroupsClaimName:         s.JWTGroupsClaimName,
 		GroupsPropagationEnabled:   s.GroupsPropagationEnabled,
 	}
+	if s.Extra != nil {
+		settings.Extra = s.Extra.Copy()
+	}
+	return settings
 }

 // Account represents a unique account of the system
@@ -185,8 +196,8 @@ type Account struct {
 	SetupKeys              map[string]*SetupKey              `gorm:"-"`
 	SetupKeysG             []SetupKey                        `json:"-" gorm:"foreignKey:AccountID;references:id"`
 	Network                *Network                          `gorm:"embedded;embeddedPrefix:network_"`
-	Peers                  map[string]*Peer                  `gorm:"-"`
-	PeersG                 []Peer                            `json:"-" gorm:"foreignKey:AccountID;references:id"`
+	Peers                  map[string]*nbpeer.Peer           `gorm:"-"`
+	PeersG                 []nbpeer.Peer                     `json:"-" gorm:"foreignKey:AccountID;references:id"`
 	Users                  map[string]*User                  `gorm:"-"`
 	UsersG                 []User                            `json:"-" gorm:"foreignKey:AccountID;references:id"`
 	Groups                 map[string]*Group                 `gorm:"-"`
@@ -221,7 +232,7 @@ type UserInfo struct {
 // getRoutesToSync returns the enabled routes for the peer ID and the routes
 // from the ACL peers that have distribution groups associated with the peer ID.
 // Please mind, that the returned route.Route objects will contain Peer.Key instead of Peer.ID.
-func (a *Account) getRoutesToSync(peerID string, aclPeers []*Peer) []*route.Route {
+func (a *Account) getRoutesToSync(peerID string, aclPeers []*nbpeer.Peer) []*route.Route {
 	routes, peerDisabledRoutes := a.getRoutingPeerRoutes(peerID)
 	peerRoutesMembership := make(lookupMap)
 	for _, r := range append(routes, peerDisabledRoutes...) {
@@ -345,10 +356,22 @@ func (a *Account) GetGroup(groupID string) *Group {

 // GetPeerNetworkMap returns a group by ID if exists, nil otherwise
 func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
+	peer := a.Peers[peerID]
+	if peer == nil {
+		return &NetworkMap{
+			Network: a.Network.Copy(),
+		}
+	}
+	validatedPeers := additions.ValidatePeers([]*nbpeer.Peer{peer})
+	if len(validatedPeers) == 0 {
+		return &NetworkMap{
+			Network: a.Network.Copy(),
+		}
+	}
 	aclPeers, firewallRules := a.getPeerConnectionResources(peerID)
 	// exclude expired peers
-	var peersToConnect []*Peer
-	var expiredPeers []*Peer
+	var peersToConnect []*nbpeer.Peer
+	var expiredPeers []*nbpeer.Peer
 	for _, p := range aclPeers {
 		expired, _ := p.LoginExpired(a.Settings.PeerLoginExpiration)
 		if a.Settings.PeerLoginExpirationEnabled && expired {
@@ -386,8 +409,8 @@ func (a *Account) GetPeerNetworkMap(peerID, dnsDomain string) *NetworkMap {
 }

 // GetExpiredPeers returns peers that have been expired
-func (a *Account) GetExpiredPeers() []*Peer {
-	var peers []*Peer
+func (a *Account) GetExpiredPeers() []*nbpeer.Peer {
+	var peers []*nbpeer.Peer
 	for _, peer := range a.GetPeersWithExpiration() {
 		expired, _ := peer.LoginExpired(a.Settings.PeerLoginExpiration)
 		if expired {
@@ -426,8 +449,8 @@ func (a *Account) GetNextPeerExpiration() (time.Duration, bool) {
 }

 // GetPeersWithExpiration returns a list of peers that have Peer.LoginExpirationEnabled set to true and that were added by a user
-func (a *Account) GetPeersWithExpiration() []*Peer {
-	peers := make([]*Peer, 0)
+func (a *Account) GetPeersWithExpiration() []*nbpeer.Peer {
+	peers := make([]*nbpeer.Peer, 0)
 	for _, peer := range a.Peers {
 		if peer.LoginExpirationEnabled && peer.AddedWithSSOLogin() {
 			peers = append(peers, peer)
@@ -437,8 +460,8 @@ func (a *Account) GetPeersWithExpiration() []*Peer {
 }

 // GetPeers returns a list of all Account peers
-func (a *Account) GetPeers() []*Peer {
-	var peers []*Peer
+func (a *Account) GetPeers() []*nbpeer.Peer {
+	var peers []*nbpeer.Peer
 	for _, peer := range a.Peers {
 		peers = append(peers, peer)
 	}
@@ -452,7 +475,7 @@ func (a *Account) UpdateSettings(update *Settings) *Account {
 }

 // UpdatePeer saves new or replaces existing peer
-func (a *Account) UpdatePeer(update *Peer) {
+func (a *Account) UpdatePeer(update *nbpeer.Peer) {
 	a.Peers[update.ID] = update
 }

@@ -481,7 +504,7 @@ func (a *Account) DeletePeer(peerID string) {

 // FindPeerByPubKey looks for a Peer by provided WireGuard public key in the Account or returns error if it wasn't found.
 // It will return an object copy of the peer.
-func (a *Account) FindPeerByPubKey(peerPubKey string) (*Peer, error) {
+func (a *Account) FindPeerByPubKey(peerPubKey string) (*nbpeer.Peer, error) {
 	for _, peer := range a.Peers {
 		if peer.Key == peerPubKey {
 			return peer.Copy(), nil
@@ -492,8 +515,8 @@ func (a *Account) FindPeerByPubKey(peerPubKey string) (*Peer, error) {
 }

 // FindUserPeers returns a list of peers that user owns (created)
-func (a *Account) FindUserPeers(userID string) ([]*Peer, error) {
-	peers := make([]*Peer, 0)
+func (a *Account) FindUserPeers(userID string) ([]*nbpeer.Peer, error) {
+	peers := make([]*nbpeer.Peer, 0)
 	for _, peer := range a.Peers {
 		if peer.UserID == userID {
 			peers = append(peers, peer)
@@ -585,7 +608,7 @@ func (a *Account) getPeerDNSLabels() lookupMap {
 }

 func (a *Account) Copy() *Account {
-	peers := map[string]*Peer{}
+	peers := map[string]*nbpeer.Peer{}
 	for id, peer := range a.Peers {
 		peers[id] = peer.Copy()
 	}
@@ -662,7 +685,7 @@ func (a *Account) GetGroupAll() (*Group, error) {
 }

 // GetPeer looks up a Peer by ID
-func (a *Account) GetPeer(peerID string) *Peer {
+func (a *Account) GetPeer(peerID string) *nbpeer.Peer {
 	return a.Peers[peerID]
 }

@@ -872,6 +895,11 @@ func (am *DefaultAccountManager) UpdateAccountSettings(accountID, userID string,
 		return nil, err
 	}

+	err = additions.ValidateExtraSettings(newSettings.Extra, account.Settings.Extra, account.Peers, userID, accountID, am.eventStore)
+	if err != nil {
+		return nil, err
+	}
+
 	user, err := account.FindUser(userID)
 	if err != nil {
 		return nil, err
@@ -1649,6 +1677,11 @@ func (am *DefaultAccountManager) GetAllConnectedPeers() (map[string]struct{}, er
 	return am.peersUpdateManager.GetAllConnectedPeers(), nil
 }

+// HasConnectedChannel returns true if peers has channel in update manager, otherwise false
+func (am *DefaultAccountManager) HasConnectedChannel(peerID string) bool {
+	return am.peersUpdateManager.HasChannel(peerID)
+}
+
 var invalidDomainRegexp = regexp.MustCompile(`^([a-z0-9]+(-[a-z0-9]+)*\.)+[a-z]{2,}$`)

 func isDomainValid(domain string) bool {
@@ -1698,7 +1731,7 @@ func newAccountWithId(accountID, userID, domain string) *Account {
 	log.Debugf("creating new account")

 	network := NewNetwork()
-	peers := make(map[string]*Peer)
+	peers := make(map[string]*nbpeer.Peer)
 	users := make(map[string]*User)
 	routes := make(map[string]*route.Route)
 	setupKeys := map[string]*SetupKey{}
--- a/management/server/account/account.go
+++ b/management/server/account/account.go
@@ -0,0 +1,13 @@
+package account
+
+type ExtraSettings struct {
+	// PeerApprovalEnabled enables or disables the need for peers bo be approved by an administrator
+	PeerApprovalEnabled bool
+}
+
+// Copy copies the ExtraSettings struct
+func (e *ExtraSettings) Copy() *ExtraSettings {
+	return &ExtraSettings{
+		PeerApprovalEnabled: e.PeerApprovalEnabled,
+	}
+}
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -15,6 +15,7 @@ import (

 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/route"

 	"github.com/stretchr/testify/assert"
@@ -26,10 +27,10 @@ import (

 func verifyCanAddPeerToAccount(t *testing.T, manager AccountManager, account *Account, userID string) {
 	t.Helper()
-	peer := &Peer{
+	peer := &nbpeer.Peer{
 		Key:  "BhRPtynAAYRDy08+q4HTMsos8fs4plTP4NOSh7C1ry8=",
 		Name: "test-host@netbird.io",
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
@@ -110,13 +111,14 @@ func verifyNewAccountHasDefaultFields(t *testing.T, account *Account, createdBy
 func TestAccount_GetPeerNetworkMap(t *testing.T) {
 	peerID1 := "peer-1"
 	peerID2 := "peer-2"
+	// peerID3 := "peer-3"
 	tt := []struct {
 		name                 string
 		accountSettings      Settings
 		peerID               string
 		expectedPeers        []string
 		expectedOfflinePeers []string
-		peers                map[string]*Peer
+		peers                map[string]*nbpeer.Peer
 	}{
 		{
 			name:                 "Should return ALL peers when global peer login expiration disabled",
@@ -124,14 +126,14 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 			peerID:               peerID1,
 			expectedPeers:        []string{peerID2},
 			expectedOfflinePeers: []string{},
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
 					ID:       peerID1,
 					Key:      "peer-1-key",
 					IP:       net.IP{100, 64, 0, 1},
 					Name:     peerID1,
 					DNSLabel: peerID1,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: true,
@@ -145,7 +147,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					IP:       net.IP{100, 64, 0, 1},
 					Name:     peerID2,
 					DNSLabel: peerID2,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: false,
@@ -162,14 +164,14 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 			peerID:               peerID1,
 			expectedPeers:        []string{},
 			expectedOfflinePeers: []string{peerID2},
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
 					ID:       peerID1,
 					Key:      "peer-1-key",
 					IP:       net.IP{100, 64, 0, 1},
 					Name:     peerID1,
 					DNSLabel: peerID1,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: true,
@@ -184,7 +186,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 					IP:       net.IP{100, 64, 0, 1},
 					Name:     peerID2,
 					DNSLabel: peerID2,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    false,
 						LoginExpired: true,
@@ -195,6 +197,159 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {
 				},
 			},
 		},
+		// {
+		// 	name:                 "Should return only peers that are approved when peer approval is enabled",
+		// 	accountSettings:      Settings{PeerApprovalEnabled: true},
+		// 	peerID:               peerID1,
+		// 	expectedPeers:        []string{peerID3},
+		// 	expectedOfflinePeers: []string{},
+		// 	peers: map[string]*Peer{
+		// 		"peer-1": {
+		// 			ID:       peerID1,
+		// 			Key:      "peer-1-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID1,
+		// 			DNSLabel: peerID1,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  true,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 		"peer-2": {
+		// 			ID:       peerID2,
+		// 			Key:      "peer-2-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID2,
+		// 			DNSLabel: peerID2,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  false,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 		"peer-3": {
+		// 			ID:       peerID3,
+		// 			Key:      "peer-3-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID3,
+		// 			DNSLabel: peerID3,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  true,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 	},
+		// },
+		// {
+		// 	name:                 "Should return all peers when peer approval is disabled",
+		// 	accountSettings:      Settings{PeerApprovalEnabled: false},
+		// 	peerID:               peerID1,
+		// 	expectedPeers:        []string{peerID2, peerID3},
+		// 	expectedOfflinePeers: []string{},
+		// 	peers: map[string]*Peer{
+		// 		"peer-1": {
+		// 			ID:       peerID1,
+		// 			Key:      "peer-1-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID1,
+		// 			DNSLabel: peerID1,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  true,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 		"peer-2": {
+		// 			ID:       peerID2,
+		// 			Key:      "peer-2-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID2,
+		// 			DNSLabel: peerID2,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  false,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 		"peer-3": {
+		// 			ID:       peerID3,
+		// 			Key:      "peer-3-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID3,
+		// 			DNSLabel: peerID3,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  true,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 	},
+		// },
+		// {
+		// 	name:                 "Should return no peers when peer approval is enabled and the requesting peer is not approved",
+		// 	accountSettings:      Settings{PeerApprovalEnabled: true},
+		// 	peerID:               peerID1,
+		// 	expectedPeers:        []string{},
+		// 	expectedOfflinePeers: []string{},
+		// 	peers: map[string]*Peer{
+		// 		"peer-1": {
+		// 			ID:       peerID1,
+		// 			Key:      "peer-1-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID1,
+		// 			DNSLabel: peerID1,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  false,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 		"peer-2": {
+		// 			ID:       peerID2,
+		// 			Key:      "peer-2-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID2,
+		// 			DNSLabel: peerID2,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  true,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 		"peer-3": {
+		// 			ID:       peerID3,
+		// 			Key:      "peer-3-key",
+		// 			IP:       net.IP{100, 64, 0, 1},
+		// 			Name:     peerID3,
+		// 			DNSLabel: peerID3,
+		// 			Status: &PeerStatus{
+		// 				LastSeen:  time.Now().UTC(),
+		// 				Connected: false,
+		// 				Approved:  true,
+		// 			},
+		// 			UserID:    userID,
+		// 			LastLogin: time.Now().UTC().Add(-time.Hour * 24 * 30 * 30),
+		// 		},
+		// 	},
+		// },
 	}

 	netIP := net.IP{100, 64, 0, 0}
@@ -209,6 +364,7 @@ func TestAccount_GetPeerNetworkMap(t *testing.T) {

 	for _, testCase := range tt {
 		account := newAccountWithId("account-1", userID, "netbird.io")
+		account.UpdateSettings(&testCase.accountSettings)
 		account.Network = network
 		account.Peers = testCase.peers
 		for _, peer := range account.Peers {
@@ -805,9 +961,9 @@ func TestAccountManager_AddPeer(t *testing.T) {
 	expectedPeerKey := key.PublicKey().String()
 	expectedSetupKey := setupKey.Key

-	peer, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  expectedPeerKey,
-		Meta: PeerSystemMeta{Hostname: expectedPeerKey},
+		Meta: nbpeer.PeerSystemMeta{Hostname: expectedPeerKey},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -873,9 +1029,9 @@ func TestAccountManager_AddPeerWithUserID(t *testing.T) {
 	expectedPeerKey := key.PublicKey().String()
 	expectedUserID := userID

-	peer, _, err := manager.AddPeer("", userID, &Peer{
+	peer, _, err := manager.AddPeer("", userID, &nbpeer.Peer{
 		Key:  expectedPeerKey,
-		Meta: PeerSystemMeta{Hostname: expectedPeerKey},
+		Meta: nbpeer.PeerSystemMeta{Hostname: expectedPeerKey},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v, account users: %v", err, account.CreatedBy)
@@ -940,7 +1096,7 @@ func TestAccountManager_NetworkUpdates(t *testing.T) {
 		return
 	}

-	getPeer := func() *Peer {
+	getPeer := func() *nbpeer.Peer {
 		key, err := wgtypes.GeneratePrivateKey()
 		if err != nil {
 			t.Fatal(err)
@@ -948,9 +1104,9 @@ func TestAccountManager_NetworkUpdates(t *testing.T) {
 		}
 		expectedPeerKey := key.PublicKey().String()

-		peer, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+		peer, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 			Key:  expectedPeerKey,
-			Meta: PeerSystemMeta{Hostname: expectedPeerKey},
+			Meta: nbpeer.PeerSystemMeta{Hostname: expectedPeerKey},
 		})
 		if err != nil {
 			t.Fatalf("expecting peer1 to be added, got failure %v", err)
@@ -1122,9 +1278,9 @@ func TestAccountManager_DeletePeer(t *testing.T) {

 	peerKey := key.PublicKey().String()

-	peer, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey,
-		Meta: PeerSystemMeta{Hostname: peerKey},
+		Meta: nbpeer.PeerSystemMeta{Hostname: peerKey},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -1263,8 +1419,8 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 		t.Fatal(err)
 	}
 	account := &Account{
-		Peers: map[string]*Peer{
-			"peer-1": {Key: "peer-1", Meta: PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: PeerSystemMeta{GoOS: "linux"}},
+		Peers: map[string]*nbpeer.Peer{
+			"peer-1": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-2": {Key: "peer-2", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}}, "peer-3": {Key: "peer-1", Meta: nbpeer.PeerSystemMeta{GoOS: "linux"}},
 		},
 		Groups: map[string]*Group{"group1": {ID: "group1", Peers: []string{"peer-1", "peer-2"}}},
 		Routes: map[string]*route.Route{
@@ -1307,7 +1463,7 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 		},
 	}

-	routes := account.getRoutesToSync("peer-2", []*Peer{{Key: "peer-1"}, {Key: "peer-3"}})
+	routes := account.getRoutesToSync("peer-2", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-3"}})

 	assert.Len(t, routes, 2)
 	routeIDs := make(map[string]struct{}, 2)
@@ -1317,7 +1473,7 @@ func TestAccount_GetRoutesToSync(t *testing.T) {
 	assert.Contains(t, routeIDs, "route-2")
 	assert.Contains(t, routeIDs, "route-3")

-	emptyRoutes := account.getRoutesToSync("peer-3", []*Peer{{Key: "peer-1"}, {Key: "peer-2"}})
+	emptyRoutes := account.getRoutesToSync("peer-3", []*nbpeer.Peer{{Key: "peer-1"}, {Key: "peer-2"}})

 	assert.Len(t, emptyRoutes, 0)
 }
@@ -1338,10 +1494,10 @@ func TestAccount_Copy(t *testing.T) {
 		Network: &Network{
 			Identifier: "net1",
 		},
-		Peers: map[string]*Peer{
+		Peers: map[string]*nbpeer.Peer{
 			"peer1": {
 				Key: "key1",
-				Status: &PeerStatus{
+				Status: &nbpeer.PeerStatus{
 					LastSeen:     time.Now(),
 					Connected:    true,
 					LoginExpired: false,
@@ -1468,9 +1624,9 @@ func TestDefaultAccountManager_UpdatePeer_PeerLoginExpiration(t *testing.T) {

 	key, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
-	peer, _, err := manager.AddPeer("", userID, &Peer{
+	peer, _, err := manager.AddPeer("", userID, &nbpeer.Peer{
 		Key:                    key.PublicKey().String(),
-		Meta:                   PeerSystemMeta{Hostname: "test-peer"},
+		Meta:                   nbpeer.PeerSystemMeta{Hostname: "test-peer"},
 		LoginExpirationEnabled: true,
 	})
 	require.NoError(t, err, "unable to add peer")
@@ -1517,9 +1673,9 @@ func TestDefaultAccountManager_MarkPeerConnected_PeerLoginExpiration(t *testing.

 	key, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
-	_, _, err = manager.AddPeer("", userID, &Peer{
+	_, _, err = manager.AddPeer("", userID, &nbpeer.Peer{
 		Key:                    key.PublicKey().String(),
-		Meta:                   PeerSystemMeta{Hostname: "test-peer"},
+		Meta:                   nbpeer.PeerSystemMeta{Hostname: "test-peer"},
 		LoginExpirationEnabled: true,
 	})
 	require.NoError(t, err, "unable to add peer")
@@ -1558,9 +1714,9 @@ func TestDefaultAccountManager_UpdateAccountSettings_PeerLoginExpiration(t *test

 	key, err := wgtypes.GenerateKey()
 	require.NoError(t, err, "unable to generate WireGuard key")
-	_, _, err = manager.AddPeer("", userID, &Peer{
+	_, _, err = manager.AddPeer("", userID, &nbpeer.Peer{
 		Key:                    key.PublicKey().String(),
-		Meta:                   PeerSystemMeta{Hostname: "test-peer"},
+		Meta:                   nbpeer.PeerSystemMeta{Hostname: "test-peer"},
 		LoginExpirationEnabled: true,
 	})
 	require.NoError(t, err, "unable to add peer")
@@ -1639,13 +1795,13 @@ func TestDefaultAccountManager_UpdateAccountSettings(t *testing.T) {
 func TestAccount_GetExpiredPeers(t *testing.T) {
 	type test struct {
 		name          string
-		peers         map[string]*Peer
+		peers         map[string]*nbpeer.Peer
 		expectedPeers map[string]struct{}
 	}
 	testCases := []test{
 		{
 			name: "Peers with login expiration disabled, no expired peers",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
 					LoginExpirationEnabled: false,
 				},
@@ -1657,11 +1813,11 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 		},
 		{
 			name: "Two peers expired",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
 					ID:                     "peer-1",
 					LoginExpirationEnabled: true,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    true,
 						LoginExpired: false,
@@ -1672,7 +1828,7 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 				"peer-2": {
 					ID:                     "peer-2",
 					LoginExpirationEnabled: true,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    true,
 						LoginExpired: false,
@@ -1684,7 +1840,7 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 				"peer-3": {
 					ID:                     "peer-3",
 					LoginExpirationEnabled: true,
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						LastSeen:     time.Now().UTC(),
 						Connected:    true,
 						LoginExpired: false,
@@ -1724,19 +1880,19 @@ func TestAccount_GetExpiredPeers(t *testing.T) {
 func TestAccount_GetPeersWithExpiration(t *testing.T) {
 	type test struct {
 		name          string
-		peers         map[string]*Peer
+		peers         map[string]*nbpeer.Peer
 		expectedPeers map[string]struct{}
 	}

 	testCases := []test{
 		{
 			name:          "No account peers, no peers with expiration",
-			peers:         map[string]*Peer{},
+			peers:         map[string]*nbpeer.Peer{},
 			expectedPeers: map[string]struct{}{},
 		},
 		{
 			name: "Peers with login expiration disabled, no peers with expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
 					LoginExpirationEnabled: false,
 					UserID:                 userID,
@@ -1750,7 +1906,7 @@ func TestAccount_GetPeersWithExpiration(t *testing.T) {
 		},
 		{
 			name: "Peers with login expiration enabled, return peers with expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
 					ID:                     "peer-1",
 					LoginExpirationEnabled: true,
@@ -1793,7 +1949,7 @@ func TestAccount_GetPeersWithExpiration(t *testing.T) {
 func TestAccount_GetNextPeerExpiration(t *testing.T) {
 	type test struct {
 		name                   string
-		peers                  map[string]*Peer
+		peers                  map[string]*nbpeer.Peer
 		expiration             time.Duration
 		expirationEnabled      bool
 		expectedNextRun        bool
@@ -1804,7 +1960,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 	testCases := []test{
 		{
 			name:                   "No peers, no expiration",
-			peers:                  map[string]*Peer{},
+			peers:                  map[string]*nbpeer.Peer{},
 			expiration:             time.Second,
 			expirationEnabled:      false,
 			expectedNextRun:        false,
@@ -1812,16 +1968,16 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 		},
 		{
 			name: "No connected peers, no expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected: false,
 					},
 					LoginExpirationEnabled: true,
 					UserID:                 userID,
 				},
 				"peer-2": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected: true,
 					},
 					LoginExpirationEnabled: false,
@@ -1835,16 +1991,16 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 		},
 		{
 			name: "Connected peers with disabled expiration, no expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected: true,
 					},
 					LoginExpirationEnabled: false,
 					UserID:                 userID,
 				},
 				"peer-2": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected: true,
 					},
 					LoginExpirationEnabled: false,
@@ -1858,9 +2014,9 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 		},
 		{
 			name: "Expired peers, no expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected:    true,
 						LoginExpired: true,
 					},
@@ -1868,7 +2024,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 					UserID:                 userID,
 				},
 				"peer-2": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected:    true,
 						LoginExpired: true,
 					},
@@ -1883,9 +2039,9 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 		},
 		{
 			name: "To be expired peer, return expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected:    true,
 						LoginExpired: false,
 					},
@@ -1894,7 +2050,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 					UserID:                 userID,
 				},
 				"peer-2": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected:    true,
 						LoginExpired: true,
 					},
@@ -1909,9 +2065,9 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 		},
 		{
 			name: "Peers added with setup keys, no expiration",
-			peers: map[string]*Peer{
+			peers: map[string]*nbpeer.Peer{
 				"peer-1": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected:    true,
 						LoginExpired: false,
 					},
@@ -1919,7 +2075,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 					SetupKey:               "key",
 				},
 				"peer-2": {
-					Status: &PeerStatus{
+					Status: &nbpeer.PeerStatus{
 						Connected:    true,
 						LoginExpired: false,
 					},
@@ -1954,7 +2110,7 @@ func TestAccount_GetNextPeerExpiration(t *testing.T) {
 func TestAccount_SetJWTGroups(t *testing.T) {
 	// create a new account
 	account := &Account{
-		Peers: map[string]*Peer{
+		Peers: map[string]*nbpeer.Peer{
 			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
 			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
 			"peer3": {ID: "peer3", Key: "key3", UserID: "user1"},
@@ -2002,7 +2158,7 @@ func TestAccount_SetJWTGroups(t *testing.T) {

 func TestAccount_UserGroupsAddToPeers(t *testing.T) {
 	account := &Account{
-		Peers: map[string]*Peer{
+		Peers: map[string]*nbpeer.Peer{
 			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
 			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
 			"peer3": {ID: "peer3", Key: "key3", UserID: "user1"},
@@ -2038,7 +2194,7 @@ func TestAccount_UserGroupsAddToPeers(t *testing.T) {

 func TestAccount_UserGroupsRemoveFromPeers(t *testing.T) {
 	account := &Account{
-		Peers: map[string]*Peer{
+		Peers: map[string]*nbpeer.Peer{
 			"peer1": {ID: "peer1", Key: "key1", UserID: "user1"},
 			"peer2": {ID: "peer2", Key: "key2", UserID: "user1"},
 			"peer3": {ID: "peer3", Key: "key3", UserID: "user1"},
--- a/management/server/activity/codes.go
+++ b/management/server/activity/codes.go
@@ -120,6 +120,14 @@ const (
 	IntegrationUpdated
 	// IntegrationDeleted indicates that the user deleted an integration
 	IntegrationDeleted
+	// AccountPeerApprovalEnabled indicates that the user enabled peer approval for the account
+	AccountPeerApprovalEnabled
+	// AccountPeerApprovalDisabled indicates that the user disabled peer approval for the account
+	AccountPeerApprovalDisabled
+	// PeerApproved indicates that the peer has been approved
+	PeerApproved
+	// PeerApprovalRevoked indicates that the peer approval has been revoked
+	PeerApprovalRevoked
 	// TransferredOwnerRole indicates that the user transferred the owner role of the account
 	TransferredOwnerRole
 )
@@ -180,6 +188,10 @@ var activityMap = map[Activity]Code{
 	IntegrationCreated:                        {"Integration created", "integration.create"},
 	IntegrationUpdated:                        {"Integration updated", "integration.update"},
 	IntegrationDeleted:                        {"Integration deleted", "integration.delete"},
+	AccountPeerApprovalEnabled:                {"Account peer approval enabled", "account.setting.peer.approval.enable"},
+	AccountPeerApprovalDisabled:               {"Account peer approval disabled", "account.setting.peer.approval.disable"},
+	PeerApproved:                              {"Peer approved", "peer.approve"},
+	PeerApprovalRevoked:                       {"Peer approval revoked", "peer.approval.revoke"},
 	TransferredOwnerRole:                      {"Transferred owner role", "transferred.owner.role"},
 }

--- a/management/server/dns.go
+++ b/management/server/dns.go
@@ -10,6 +10,7 @@ import (
 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -200,7 +201,7 @@ func getPeerNSGroups(account *Account, peerID string) []*nbdns.NameServerGroup {
 }

 // peerIsNameserver returns true if the peer is a nameserver for a nsGroup
-func peerIsNameserver(peer *Peer, nsGroup *nbdns.NameServerGroup) bool {
+func peerIsNameserver(peer *nbpeer.Peer, nsGroup *nbdns.NameServerGroup) bool {
 	for _, ns := range nsGroup.NameServers {
 		if peer.IP.Equal(ns.IP.AsSlice()) {
 			return true
--- a/management/server/dns_test.go
+++ b/management/server/dns_test.go
@@ -8,6 +8,7 @@ import (

 	"github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -208,10 +209,10 @@ func createDNSStore(t *testing.T) (Store, error) {

 func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*Account, error) {
 	t.Helper()
-	peer1 := &Peer{
+	peer1 := &nbpeer.Peer{
 		Key:  dnsPeer1Key,
 		Name: "test-host1@netbird.io",
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host1@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
@@ -223,10 +224,10 @@ func initTestDNSAccount(t *testing.T, am *DefaultAccountManager) (*Account, erro
 		},
 		DNSLabel: dnsPeer1Key,
 	}
-	peer2 := &Peer{
+	peer2 := &nbpeer.Peer{
 		Key:  dnsPeer2Key,
 		Name: "test-host2@netbird.io",
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host2@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
--- a/management/server/ephemeral.go
+++ b/management/server/ephemeral.go
@@ -7,6 +7,7 @@ import (
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )

 const (
@@ -72,7 +73,7 @@ func (e *EphemeralManager) Stop() {

 // OnPeerConnected remove the peer from the linked list of ephemeral peers. Because it has been called when the peer
 // is active the manager will not delete it while it is active.
-func (e *EphemeralManager) OnPeerConnected(peer *Peer) {
+func (e *EphemeralManager) OnPeerConnected(peer *nbpeer.Peer) {
 	if !peer.Ephemeral {
 		return
 	}
@@ -93,7 +94,7 @@ func (e *EphemeralManager) OnPeerConnected(peer *Peer) {

 // OnPeerDisconnected add the peer to the linked list of ephemeral peers. Because of the peer
 // is inactive it will be deleted after the ephemeralLifeTime period.
-func (e *EphemeralManager) OnPeerDisconnected(peer *Peer) {
+func (e *EphemeralManager) OnPeerDisconnected(peer *nbpeer.Peer) {
 	if !peer.Ephemeral {
 		return
 	}
--- a/management/server/ephemeral_test.go
+++ b/management/server/ephemeral_test.go
@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"testing"
 	"time"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )

 type MockStore struct {
@@ -124,7 +126,7 @@ func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int)

 	for i := 0; i < numberOfPeers; i++ {
 		peerId := fmt.Sprintf("peer_%d", i)
-		p := &Peer{
+		p := &nbpeer.Peer{
 			ID:        peerId,
 			Ephemeral: false,
 		}
@@ -133,7 +135,7 @@ func seedPeers(store *MockStore, numberOfPeers int, numberOfEphemeralPeers int)

 	for i := 0; i < numberOfEphemeralPeers; i++ {
 		peerId := fmt.Sprintf("ephemeral_peer_%d", i)
-		p := &Peer{
+		p := &nbpeer.Peer{
 			ID:        peerId,
 			Ephemeral: true,
 		}
--- a/management/server/file_store.go
+++ b/management/server/file_store.go
@@ -10,6 +10,7 @@ import (
 	"github.com/rs/xid"
 	log "github.com/sirupsen/logrus"

+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"

@@ -204,7 +205,7 @@ func restore(file string) (*FileStore, error) {
 		// Set the Peer.ID to the newly generated value.
 		// Replace all the mentions of Peer.Key as ID (groups and routes).
 		// Swap Peer.Key with Peer.ID in the Account.Peers map.
-		migrationPeers := make(map[string]*Peer) // key to Peer
+		migrationPeers := make(map[string]*nbpeer.Peer) // key to Peer
 		for key, peer := range account.Peers {
 			// set LastLogin for the peers that were onboarded before the peer login expiration feature
 			if peer.LastLogin.IsZero() {
@@ -606,7 +607,7 @@ func (s *FileStore) SaveInstallationID(ID string) error {

 // SavePeerStatus stores the PeerStatus in memory. It doesn't attempt to persist data to speed up things.
 // PeerStatus will be saved eventually when some other changes occur.
-func (s *FileStore) SavePeerStatus(accountID, peerID string, peerStatus PeerStatus) error {
+func (s *FileStore) SavePeerStatus(accountID, peerID string, peerStatus nbpeer.PeerStatus) error {
 	s.mux.Lock()
 	defer s.mux.Unlock()

--- a/management/server/file_store_test.go
+++ b/management/server/file_store_test.go
@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/util"
 )

@@ -35,7 +36,7 @@ func TestStalePeerIndices(t *testing.T) {

 	peerID := "some_peer"
 	peerKey := "some_peer_key"
-	account.Peers[peerID] = &Peer{
+	account.Peers[peerID] = &nbpeer.Peer{
 		ID:  peerID,
 		Key: peerKey,
 	}
@@ -89,13 +90,13 @@ func TestSaveAccount(t *testing.T) {
 	account := newAccountWithId("account_id", "testuser", "")
 	setupKey := GenerateDefaultSetupKey()
 	account.SetupKeys[setupKey.Key] = setupKey
-	account.Peers["testpeer"] = &Peer{
+	account.Peers["testpeer"] = &nbpeer.Peer{
 		Key:      "peerkey",
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}

 	// SaveAccount should trigger persist
@@ -179,13 +180,13 @@ func TestStore(t *testing.T) {
 	store := newStore(t)

 	account := newAccountWithId("account_id", "testuser", "")
-	account.Peers["testpeer"] = &Peer{
+	account.Peers["testpeer"] = &nbpeer.Peer{
 		Key:      "peerkey",
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}
 	account.Groups["all"] = &Group{
 		ID:    "all",
@@ -600,19 +601,19 @@ func TestFileStore_SavePeerStatus(t *testing.T) {
 	}

 	// save status of non-existing peer
-	newStatus := PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
+	newStatus := nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
 	err = store.SavePeerStatus(account.Id, "non-existing-peer", newStatus)
 	assert.Error(t, err)

 	// save new status of existing peer
-	account.Peers["testpeer"] = &Peer{
+	account.Peers["testpeer"] = &nbpeer.Peer{
 		Key:      "peerkey",
 		ID:       "testpeer",
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
 	}

 	err = store.SaveAccount(account)
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -17,6 +17,7 @@ import (
 	"github.com/netbirdio/netbird/encryption"
 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	internalStatus "github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )
@@ -196,7 +197,7 @@ func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementServi
 	}
 }

-func (s *GRPCServer) cancelPeerRoutines(peer *Peer) {
+func (s *GRPCServer) cancelPeerRoutines(peer *nbpeer.Peer) {
 	s.peersUpdateManager.CloseChannel(peer.ID)
 	s.turnCredentialsManager.CancelRefresh(peer.ID)
 	_ = s.accountManager.MarkPeerConnected(peer.Key, false)
@@ -243,8 +244,8 @@ func mapError(err error) error {
 	return status.Errorf(codes.Internal, "failed handling request")
 }

-func extractPeerMeta(loginReq *proto.LoginRequest) PeerSystemMeta {
-	return PeerSystemMeta{
+func extractPeerMeta(loginReq *proto.LoginRequest) nbpeer.PeerSystemMeta {
+	return nbpeer.PeerSystemMeta{
 		Hostname:  loginReq.GetMeta().GetHostname(),
 		GoOS:      loginReq.GetMeta().GetGoOS(),
 		Kernel:    loginReq.GetMeta().GetKernel(),
@@ -413,7 +414,7 @@ func toWiretrusteeConfig(config *Config, turnCredentials *TURNCredentials) *prot
 	}
 }

-func toPeerConfig(peer *Peer, network *Network, dnsName string) *proto.PeerConfig {
+func toPeerConfig(peer *nbpeer.Peer, network *Network, dnsName string) *proto.PeerConfig {
 	netmask, _ := network.Net.Mask.Size()
 	fqdn := peer.FQDN(dnsName)
 	return &proto.PeerConfig{
@@ -423,7 +424,7 @@ func toPeerConfig(peer *Peer, network *Network, dnsName string) *proto.PeerConfi
 	}
 }

-func toRemotePeerConfig(peers []*Peer, dnsName string) []*proto.RemotePeerConfig {
+func toRemotePeerConfig(peers []*nbpeer.Peer, dnsName string) []*proto.RemotePeerConfig {
 	remotePeers := []*proto.RemotePeerConfig{}
 	for _, rPeer := range peers {
 		fqdn := rPeer.FQDN(dnsName)
@@ -437,7 +438,7 @@ func toRemotePeerConfig(peers []*Peer, dnsName string) []*proto.RemotePeerConfig
 	return remotePeers
 }

-func toSyncResponse(config *Config, peer *Peer, turnCredentials *TURNCredentials, networkMap *NetworkMap, dnsName string) *proto.SyncResponse {
+func toSyncResponse(config *Config, peer *nbpeer.Peer, turnCredentials *TURNCredentials, networkMap *NetworkMap, dnsName string) *proto.SyncResponse {
 	wtConfig := toWiretrusteeConfig(config, turnCredentials)

 	pConfig := toPeerConfig(peer, networkMap.Network, dnsName)
@@ -477,7 +478,7 @@ func (s *GRPCServer) IsHealthy(ctx context.Context, req *proto.Empty) (*proto.Em
 }

 // sendInitialSync sends initial proto.SyncResponse to the peer requesting synchronization
-func (s *GRPCServer) sendInitialSync(peerKey wgtypes.Key, peer *Peer, networkMap *NetworkMap, srv proto.ManagementService_SyncServer) error {
+func (s *GRPCServer) sendInitialSync(peerKey wgtypes.Key, peer *nbpeer.Peer, networkMap *NetworkMap, srv proto.ManagementService_SyncServer) error {
 	// make secret time based TURN credentials optional
 	var turnCredentials *TURNCredentials
 	if s.config.TURNConfig.TimeBasedCredentials {
--- a/management/server/http/accounts_handler.go
+++ b/management/server/http/accounts_handler.go
@@ -8,6 +8,7 @@ import (
 	"github.com/gorilla/mux"

 	"github.com/netbirdio/netbird/management/server"
+	"github.com/netbirdio/netbird/management/server/account"
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
@@ -77,6 +78,10 @@ func (h *AccountsHandler) UpdateAccount(w http.ResponseWriter, r *http.Request)
 		PeerLoginExpiration:        time.Duration(float64(time.Second.Nanoseconds()) * float64(req.Settings.PeerLoginExpiration)),
 	}

+	if req.Settings.Extra != nil {
+		settings.Extra = &account.ExtraSettings{PeerApprovalEnabled: *req.Settings.Extra.PeerApprovalEnabled}
+	}
+
 	if req.Settings.JwtGroupsEnabled != nil {
 		settings.JWTGroupsEnabled = *req.Settings.JwtGroupsEnabled
 	}
@@ -123,14 +128,20 @@ func (h *AccountsHandler) DeleteAccount(w http.ResponseWriter, r *http.Request)
 }

 func toAccountResponse(account *server.Account) *api.Account {
+	settings := api.AccountSettings{
+		PeerLoginExpiration:        int(account.Settings.PeerLoginExpiration.Seconds()),
+		PeerLoginExpirationEnabled: account.Settings.PeerLoginExpirationEnabled,
+		GroupsPropagationEnabled:   &account.Settings.GroupsPropagationEnabled,
+		JwtGroupsEnabled:           &account.Settings.JWTGroupsEnabled,
+		JwtGroupsClaimName:         &account.Settings.JWTGroupsClaimName,
+	}
+
+	if account.Settings.Extra != nil {
+		settings.Extra = &api.AccountExtraSettings{PeerApprovalEnabled: &account.Settings.Extra.PeerApprovalEnabled}
+	}
+
 	return &api.Account{
-		Id: account.Id,
-		Settings: api.AccountSettings{
-			PeerLoginExpiration:        int(account.Settings.PeerLoginExpiration.Seconds()),
-			PeerLoginExpirationEnabled: account.Settings.PeerLoginExpirationEnabled,
-			GroupsPropagationEnabled:   &account.Settings.GroupsPropagationEnabled,
-			JwtGroupsEnabled:           &account.Settings.JWTGroupsEnabled,
-			JwtGroupsClaimName:         &account.Settings.JWTGroupsClaimName,
-		},
+		Id:       account.Id,
+		Settings: settings,
 	}
 }
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -66,9 +66,18 @@ components:
          description: Name of the claim from which we extract groups names to add it to account groups.
          type: string
          example: "roles"
+        extra:
+          $ref: '#/components/schemas/AccountExtraSettings'
      required:
        - peer_login_expiration_enabled
        - peer_login_expiration
+    AccountExtraSettings:
+      type: object
+      properties:
+        peer_approval_enabled:
+          description: (Cloud only) Enables or disables peer approval globally. If enabled, all peers added will be in pending state until approved by an admin.
+          type: boolean
+          example: true
    AccountRequest:
      type: object
      properties:
@@ -213,6 +222,10 @@ components:
        login_expiration_enabled:
          type: boolean
          example: false
+        approval_required:
+          description: (Cloud only) Indicates whether peer needs approval
+          type: boolean
+          example: true
      required:
        - name
        - ssh_enabled
@@ -281,6 +294,10 @@ components:
              type: string
              format: date-time
              example: 2023-05-05T09:00:35.477782Z
+            approval_required:
+              description: (Cloud only) Indicates whether peer needs approval
+              type: boolean
+              example: true
          required:
            - ip
            - connected
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -142,6 +142,12 @@ type Account struct {
 	Settings AccountSettings `json:"settings"`
 }

+// AccountExtraSettings defines model for AccountExtraSettings.
+type AccountExtraSettings struct {
+	// PeerApprovalEnabled (Cloud only) Enables or disables peer approval globally. If enabled, all peers added will be in pending state until approved by an admin.
+	PeerApprovalEnabled *bool `json:"peer_approval_enabled,omitempty"`
+}
+
 // AccountRequest defines model for AccountRequest.
 type AccountRequest struct {
 	Settings AccountSettings `json:"settings"`
@@ -149,6 +155,8 @@ type AccountRequest struct {

 // AccountSettings defines model for AccountSettings.
 type AccountSettings struct {
+	Extra *AccountExtraSettings `json:"extra,omitempty"`
+
 	// GroupsPropagationEnabled Allows propagate the new user auto groups to peers that belongs to the user
 	GroupsPropagationEnabled *bool `json:"groups_propagation_enabled,omitempty"`

@@ -323,6 +331,9 @@ type Peer struct {
 	// AccessiblePeers List of accessible peers
 	AccessiblePeers []AccessiblePeer `json:"accessible_peers"`

+	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
+	ApprovalRequired *bool `json:"approval_required,omitempty"`
+
 	// Connected Peer to Management connection status
 	Connected bool `json:"connected"`

@@ -374,6 +385,9 @@ type Peer struct {

 // PeerBase defines model for PeerBase.
 type PeerBase struct {
+	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
+	ApprovalRequired *bool `json:"approval_required,omitempty"`
+
 	// Connected Peer to Management connection status
 	Connected bool `json:"connected"`

@@ -428,6 +442,9 @@ type PeerBatch struct {
 	// AccessiblePeersCount Number of accessible peers
 	AccessiblePeersCount int `json:"accessible_peers_count"`

+	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
+	ApprovalRequired *bool `json:"approval_required,omitempty"`
+
 	// Connected Peer to Management connection status
 	Connected bool `json:"connected"`

@@ -488,6 +505,8 @@ type PeerMinimum struct {

 // PeerRequest defines model for PeerRequest.
 type PeerRequest struct {
+	// ApprovalRequired (Cloud only) Indicates whether peer needs approval
+	ApprovalRequired       *bool  `json:"approval_required,omitempty"`
 	LoginExpirationEnabled bool   `json:"login_expiration_enabled"`
 	Name                   string `json:"name"`
 	SshEnabled             bool   `json:"ssh_enabled"`
--- a/management/server/http/groups_handler_test.go
+++ b/management/server/http/groups_handler_test.go
@@ -19,10 +19,11 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 	"github.com/netbirdio/netbird/management/server/mock_server"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )

-var TestPeers = map[string]*server.Peer{
+var TestPeers = map[string]*nbpeer.Peer{
 	"A": {Key: "A", ID: "peer-A-ID", IP: net.ParseIP("100.100.100.100")},
 	"B": {Key: "B", ID: "peer-B-ID", IP: net.ParseIP("200.200.200.200")},
 }
--- a/management/server/http/peers_handler.go
+++ b/management/server/http/peers_handler.go
@@ -11,6 +11,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/http/api"
 	"github.com/netbirdio/netbird/management/server/http/util"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -31,17 +32,12 @@ func NewPeersHandler(accountManager server.AccountManager, authCfg AuthCfg) *Pee
 	}
 }

-func (h *PeersHandler) checkPeerStatus(peer *server.Peer) (*server.Peer, error) {
+func (h *PeersHandler) checkPeerStatus(peer *nbpeer.Peer) (*nbpeer.Peer, error) {
 	peerToReturn := peer.Copy()
 	if peer.Status.Connected {
-		statuses, err := h.accountManager.GetAllConnectedPeers()
-		if err != nil {
-			return peerToReturn, err
-		}
-
 		// Although we have online status in store we do not yet have an updated channel so have to show it as disconnected
 		// This may happen after server restart when not all peers are yet connected
-		if _, connected := statuses[peerToReturn.ID]; !connected {
+		if !h.accountManager.HasConnectedChannel(peer.ID) {
 			peerToReturn.Status.Connected = false
 		}
 	}
@@ -79,8 +75,13 @@ func (h *PeersHandler) updatePeer(account *server.Account, user *server.User, pe
 		return
 	}

-	update := &server.Peer{ID: peerID, SSHEnabled: req.SshEnabled, Name: req.Name,
+	update := &nbpeer.Peer{ID: peerID, SSHEnabled: req.SshEnabled, Name: req.Name,
 		LoginExpirationEnabled: req.LoginExpirationEnabled}
+
+	if req.ApprovalRequired != nil {
+		update.Status = &nbpeer.PeerStatus{RequiresApproval: *req.ApprovalRequired}
+	}
+
 	peer, err := h.accountManager.UpdatePeer(account.Id, user.Id, update)
 	if err != nil {
 		util.WriteError(err, w)
@@ -229,7 +230,7 @@ func toGroupsInfo(groups map[string]*server.Group, peerID string) []api.GroupMin
 	return groupsInfo
 }

-func toSinglePeerResponse(peer *server.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeer []api.AccessiblePeer) *api.Peer {
+func toSinglePeerResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeer []api.AccessiblePeer) *api.Peer {
 	return &api.Peer{
 		Id:                     peer.ID,
 		Name:                   peer.Name,
@@ -248,10 +249,11 @@ func toSinglePeerResponse(peer *server.Peer, groupsInfo []api.GroupMinimum, dnsD
 		LastLogin:              peer.LastLogin,
 		LoginExpired:           peer.Status.LoginExpired,
 		AccessiblePeers:        accessiblePeer,
+		ApprovalRequired:       &peer.Status.RequiresApproval,
 	}
 }

-func toPeerListItemResponse(peer *server.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeersCount int) *api.PeerBatch {
+func toPeerListItemResponse(peer *nbpeer.Peer, groupsInfo []api.GroupMinimum, dnsDomain string, accessiblePeersCount int) *api.PeerBatch {
 	return &api.PeerBatch{
 		Id:                     peer.ID,
 		Name:                   peer.Name,
@@ -270,10 +272,11 @@ func toPeerListItemResponse(peer *server.Peer, groupsInfo []api.GroupMinimum, dn
 		LastLogin:              peer.LastLogin,
 		LoginExpired:           peer.Status.LoginExpired,
 		AccessiblePeersCount:   accessiblePeersCount,
+		ApprovalRequired:       &peer.Status.RequiresApproval,
 	}
 }

-func fqdn(peer *server.Peer, dnsDomain string) string {
+func fqdn(peer *nbpeer.Peer, dnsDomain string) string {
 	fqdn := peer.FQDN(dnsDomain)
 	if fqdn == "" {
 		return peer.DNSLabel
--- a/management/server/http/peers_handler_test.go
+++ b/management/server/http/peers_handler_test.go
@@ -13,6 +13,7 @@ import (
 	"github.com/gorilla/mux"

 	"github.com/netbirdio/netbird/management/server/http/api"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"

 	"github.com/netbirdio/netbird/management/server/jwtclaims"

@@ -25,11 +26,11 @@ import (
 const testPeerID = "test_peer"
 const noUpdateChannelTestPeerID = "no-update-channel"

-func initTestMetaData(peers ...*server.Peer) *PeersHandler {
+func initTestMetaData(peers ...*nbpeer.Peer) *PeersHandler {
 	return &PeersHandler{
 		accountManager: &mock_server.MockAccountManager{
-			UpdatePeerFunc: func(accountID, userID string, update *server.Peer) (*server.Peer, error) {
-				var p *server.Peer
+			UpdatePeerFunc: func(accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
+				var p *nbpeer.Peer
 				for _, peer := range peers {
 					if update.ID == peer.ID {
 						p = peer.Copy()
@@ -41,8 +42,8 @@ func initTestMetaData(peers ...*server.Peer) *PeersHandler {
 				p.Name = update.Name
 				return p, nil
 			},
-			GetPeerFunc: func(accountID, peerID, userID string) (*server.Peer, error) {
-				var p *server.Peer
+			GetPeerFunc: func(accountID, peerID, userID string) (*nbpeer.Peer, error) {
+				var p *nbpeer.Peer
 				for _, peer := range peers {
 					if peerID == peer.ID {
 						p = peer.Copy()
@@ -51,7 +52,7 @@ func initTestMetaData(peers ...*server.Peer) *PeersHandler {
 				}
 				return p, nil
 			},
-			GetPeersFunc: func(accountID, userID string) ([]*server.Peer, error) {
+			GetPeersFunc: func(accountID, userID string) ([]*nbpeer.Peer, error) {
 				return peers, nil
 			},
 			GetAccountFromTokenFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, *server.User, error) {
@@ -59,8 +60,9 @@ func initTestMetaData(peers ...*server.Peer) *PeersHandler {
 				return &server.Account{
 					Id:     claims.AccountId,
 					Domain: "hotmail.com",
-					Peers: map[string]*server.Peer{
+					Peers: map[string]*nbpeer.Peer{
 						peers[0].ID: peers[0],
+						peers[1].ID: peers[1],
 					},
 					Users: map[string]*server.User{
 						"test_user": user,
@@ -79,8 +81,7 @@ func initTestMetaData(peers ...*server.Peer) *PeersHandler {
 					},
 				}, user, nil
 			},
-
-			GetAllConnectedPeersFunc: func() (map[string]struct{}, error) {
+			HasConnectedChannelFunc: func(peerID string) bool {
 				statuses := make(map[string]struct{})
 				for _, peer := range peers {
 					if peer.ID == noUpdateChannelTestPeerID {
@@ -88,7 +89,8 @@ func initTestMetaData(peers ...*server.Peer) *PeersHandler {
 					}
 					statuses[peer.ID] = struct{}{}
 				}
-				return statuses, nil
+				_, ok := statuses[peerID]
+				return ok
 			},
 		},
 		claimsExtractor: jwtclaims.NewClaimsExtractor(
@@ -107,15 +109,15 @@ func initTestMetaData(peers ...*server.Peer) *PeersHandler {
 // Use the metadata generated by initTestMetaData() to check for values
 func TestGetPeers(t *testing.T) {

-	peer := &server.Peer{
+	peer := &nbpeer.Peer{
 		ID:                     testPeerID,
 		Key:                    "key",
 		SetupKey:               "setupkey",
 		IP:                     net.ParseIP("100.64.0.1"),
-		Status:                 &server.PeerStatus{Connected: true},
+		Status:                 &nbpeer.PeerStatus{Connected: true},
 		Name:                   "PeerName",
 		LoginExpirationEnabled: false,
-		Meta: server.PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "hostname",
 			GoOS:      "GoOS",
 			Kernel:    "kernel",
@@ -144,7 +146,7 @@ func TestGetPeers(t *testing.T) {
 		requestPath    string
 		requestBody    io.Reader
 		expectedArray  bool
-		expectedPeer   *server.Peer
+		expectedPeer   *nbpeer.Peer
 	}{
 		{
 			name:           "GetPeersMetaData",
--- a/management/server/http/routes_handler_test.go
+++ b/management/server/http/routes_handler_test.go
@@ -11,6 +11,7 @@ import (
 	"testing"

 	"github.com/netbirdio/netbird/management/server/http/api"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"

@@ -55,12 +56,12 @@ var baseExistingRoute = &route.Route{
 var testingAccount = &server.Account{
 	Id:     testAccountID,
 	Domain: "hotmail.com",
-	Peers: map[string]*server.Peer{
+	Peers: map[string]*nbpeer.Peer{
 		existingPeerID: {
 			Key: existingPeerKey,
 			IP:  netip.MustParseAddr(existingPeerIP1).AsSlice(),
 			ID:  existingPeerID,
-			Meta: server.PeerSystemMeta{
+			Meta: nbpeer.PeerSystemMeta{
 				GoOS: "linux",
 			},
 		},
@@ -68,7 +69,7 @@ var testingAccount = &server.Account{
 			Key: nonLinuxExistingPeerID,
 			IP:  netip.MustParseAddr(existingPeerIP2).AsSlice(),
 			ID:  nonLinuxExistingPeerID,
-			Meta: server.PeerSystemMeta{
+			Meta: nbpeer.PeerSystemMeta{
 				GoOS: "darwin",
 			},
 		},
--- a/management/server/metrics/selfhosted_test.go
+++ b/management/server/metrics/selfhosted_test.go
@@ -5,6 +5,7 @@ import (

 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/route"
 )

@@ -37,12 +38,12 @@ func (mockDatasource) GetAllAccounts() []*server.Account {
 			NameServerGroups: map[string]*nbdns.NameServerGroup{
 				"1": {},
 			},
-			Peers: map[string]*server.Peer{
+			Peers: map[string]*nbpeer.Peer{
 				"1": {
 					ID:         "1",
 					UserID:     "test",
 					SSHEnabled: true,
-					Meta:       server.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1"},
+					Meta:       nbpeer.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1"},
 				},
 			},
 			Policies: []*server.Policy{
@@ -101,12 +102,12 @@ func (mockDatasource) GetAllAccounts() []*server.Account {
 			NameServerGroups: map[string]*nbdns.NameServerGroup{
 				"1": {},
 			},
-			Peers: map[string]*server.Peer{
+			Peers: map[string]*nbpeer.Peer{
 				"1": {
 					ID:         "1",
 					UserID:     "test",
 					SSHEnabled: true,
-					Meta:       server.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1"},
+					Meta:       nbpeer.PeerSystemMeta{GoOS: "linux", WtVersion: "0.0.1"},
 				},
 			},
 			Policies: []*server.Policy{
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -10,6 +10,7 @@ import (
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/route"
 )

@@ -21,12 +22,12 @@ type MockAccountManager struct {
 	GetAccountByUserOrAccountIdFunc func(userId, accountId, domain string) (*server.Account, error)
 	GetUserFunc                     func(claims jwtclaims.AuthorizationClaims) (*server.User, error)
 	ListUsersFunc                   func(accountID string) ([]*server.User, error)
-	GetPeersFunc                    func(accountID, userID string) ([]*server.Peer, error)
+	GetPeersFunc                    func(accountID, userID string) ([]*nbpeer.Peer, error)
 	MarkPeerConnectedFunc           func(peerKey string, connected bool) error
 	DeletePeerFunc                  func(accountID, peerKey, userID string) error
 	GetNetworkMapFunc               func(peerKey string) (*server.NetworkMap, error)
 	GetPeerNetworkFunc              func(peerKey string) (*server.Network, error)
-	AddPeerFunc                     func(setupKey string, userId string, peer *server.Peer) (*server.Peer, *server.NetworkMap, error)
+	AddPeerFunc                     func(setupKey string, userId string, peer *nbpeer.Peer) (*nbpeer.Peer, *server.NetworkMap, error)
 	GetGroupFunc                    func(accountID, groupID string) (*server.Group, error)
 	SaveGroupFunc                   func(accountID, userID string, group *server.Group) error
 	DeleteGroupFunc                 func(accountID, userId, groupID string) error
@@ -44,9 +45,9 @@ type MockAccountManager struct {
 	GetUsersFromAccountFunc         func(accountID, userID string) ([]*server.UserInfo, error)
 	GetAccountFromPATFunc           func(pat string) (*server.Account, *server.User, *server.PersonalAccessToken, error)
 	MarkPATUsedFunc                 func(pat string) error
-	UpdatePeerMetaFunc              func(peerID string, meta server.PeerSystemMeta) error
+	UpdatePeerMetaFunc              func(peerID string, meta nbpeer.PeerSystemMeta) error
 	UpdatePeerSSHKeyFunc            func(peerID string, sshKey string) error
-	UpdatePeerFunc                  func(accountID, userID string, peer *server.Peer) (*server.Peer, error)
+	UpdatePeerFunc                  func(accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error)
 	CreateRouteFunc                 func(accountID, prefix, peer string, peerGroups []string, description, netID string, masquerade bool, metric int, groups []string, enabled bool, userID string) (*route.Route, error)
 	GetRouteFunc                    func(accountID, routeID, userID string) (*route.Route, error)
 	SaveRouteFunc                   func(accountID, userID string, route *route.Route) error
@@ -74,12 +75,13 @@ type MockAccountManager struct {
 	GetEventsFunc                   func(accountID, userID string) ([]*activity.Event, error)
 	GetDNSSettingsFunc              func(accountID, userID string) (*server.DNSSettings, error)
 	SaveDNSSettingsFunc             func(accountID, userID string, dnsSettingsToSave *server.DNSSettings) error
-	GetPeerFunc                     func(accountID, peerID, userID string) (*server.Peer, error)
+	GetPeerFunc                     func(accountID, peerID, userID string) (*nbpeer.Peer, error)
 	UpdateAccountSettingsFunc       func(accountID, userID string, newSettings *server.Settings) (*server.Account, error)
-	LoginPeerFunc                   func(login server.PeerLogin) (*server.Peer, *server.NetworkMap, error)
-	SyncPeerFunc                    func(sync server.PeerSync) (*server.Peer, *server.NetworkMap, error)
+	LoginPeerFunc                   func(login server.PeerLogin) (*nbpeer.Peer, *server.NetworkMap, error)
+	SyncPeerFunc                    func(sync server.PeerSync) (*nbpeer.Peer, *server.NetworkMap, error)
 	InviteUserFunc                  func(accountID string, initiatorUserID string, targetUserEmail string) error
 	GetAllConnectedPeersFunc        func() (map[string]struct{}, error)
+	HasConnectedChannelFunc         func(peerID string) bool
 	GetExternalCacheManagerFunc     func() server.ExternalCacheManager
 }

@@ -226,8 +228,8 @@ func (am *MockAccountManager) GetPeerNetwork(peerKey string) (*server.Network, e
 func (am *MockAccountManager) AddPeer(
 	setupKey string,
 	userId string,
-	peer *server.Peer,
-) (*server.Peer, *server.NetworkMap, error) {
+	peer *nbpeer.Peer,
+) (*nbpeer.Peer, *server.NetworkMap, error) {
 	if am.AddPeerFunc != nil {
 		return am.AddPeerFunc(setupKey, userId, peer)
 	}
@@ -347,7 +349,7 @@ func (am *MockAccountManager) ListPolicies(accountID, userID string) ([]*server.
 }

 // UpdatePeerMeta mock implementation of UpdatePeerMeta from server.AccountManager interface
-func (am *MockAccountManager) UpdatePeerMeta(peerID string, meta server.PeerSystemMeta) error {
+func (am *MockAccountManager) UpdatePeerMeta(peerID string, meta nbpeer.PeerSystemMeta) error {
 	if am.UpdatePeerMetaFunc != nil {
 		return am.UpdatePeerMetaFunc(peerID, meta)
 	}
@@ -378,7 +380,7 @@ func (am *MockAccountManager) UpdatePeerSSHKey(peerID string, sshKey string) err
 }

 // UpdatePeer mocks UpdatePeerFunc function of the account manager
-func (am *MockAccountManager) UpdatePeer(accountID, userID string, peer *server.Peer) (*server.Peer, error) {
+func (am *MockAccountManager) UpdatePeer(accountID, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, error) {
 	if am.UpdatePeerFunc != nil {
 		return am.UpdatePeerFunc(accountID, userID, peer)
 	}
@@ -542,7 +544,7 @@ func (am *MockAccountManager) GetAccountFromToken(claims jwtclaims.Authorization
 }

 // GetPeers mocks GetPeers of the AccountManager interface
-func (am *MockAccountManager) GetPeers(accountID, userID string) ([]*server.Peer, error) {
+func (am *MockAccountManager) GetPeers(accountID, userID string) ([]*nbpeer.Peer, error) {
 	if am.GetAccountFromTokenFunc != nil {
 		return am.GetPeersFunc(accountID, userID)
 	}
@@ -582,7 +584,7 @@ func (am *MockAccountManager) SaveDNSSettings(accountID string, userID string, d
 }

 // GetPeer mocks GetPeer of the AccountManager interface
-func (am *MockAccountManager) GetPeer(accountID, peerID, userID string) (*server.Peer, error) {
+func (am *MockAccountManager) GetPeer(accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	if am.GetPeerFunc != nil {
 		return am.GetPeerFunc(accountID, peerID, userID)
 	}
@@ -598,7 +600,7 @@ func (am *MockAccountManager) UpdateAccountSettings(accountID, userID string, ne
 }

 // LoginPeer mocks LoginPeer of the AccountManager interface
-func (am *MockAccountManager) LoginPeer(login server.PeerLogin) (*server.Peer, *server.NetworkMap, error) {
+func (am *MockAccountManager) LoginPeer(login server.PeerLogin) (*nbpeer.Peer, *server.NetworkMap, error) {
 	if am.LoginPeerFunc != nil {
 		return am.LoginPeerFunc(login)
 	}
@@ -606,7 +608,7 @@ func (am *MockAccountManager) LoginPeer(login server.PeerLogin) (*server.Peer, *
 }

 // SyncPeer mocks SyncPeer of the AccountManager interface
-func (am *MockAccountManager) SyncPeer(sync server.PeerSync) (*server.Peer, *server.NetworkMap, error) {
+func (am *MockAccountManager) SyncPeer(sync server.PeerSync) (*nbpeer.Peer, *server.NetworkMap, error) {
 	if am.SyncPeerFunc != nil {
 		return am.SyncPeerFunc(sync)
 	}
@@ -621,6 +623,14 @@ func (am *MockAccountManager) GetAllConnectedPeers() (map[string]struct{}, error
 	return nil, status.Errorf(codes.Unimplemented, "method GetAllConnectedPeers is not implemented")
 }

+// HasconnectedChannel mocks HasConnectedChannel of the AccountManager interface
+func (am *MockAccountManager) HasConnectedChannel(peerID string) bool {
+	if am.HasConnectedChannelFunc != nil {
+		return am.HasConnectedChannelFunc(peerID)
+	}
+	return false
+}
+
 // StoreEvent mocks StoreEvent of the AccountManager interface
 func (am *MockAccountManager) StoreEvent(initiatorID, targetID, accountID string, activityID activity.Activity, meta map[string]any) {
 	if am.StoreEventFunc != nil {
--- a/management/server/nameserver_test.go
+++ b/management/server/nameserver_test.go
@@ -8,6 +8,7 @@ import (

 	nbdns "github.com/netbirdio/netbird/dns"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )

 const (
@@ -763,10 +764,10 @@ func createNSStore(t *testing.T) (Store, error) {

 func initTestNSAccount(t *testing.T, am *DefaultAccountManager) (*Account, error) {
 	t.Helper()
-	peer1 := &Peer{
+	peer1 := &nbpeer.Peer{
 		Key:  nsGroupPeer1Key,
 		Name: "test-host1@netbird.io",
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host1@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
@@ -777,10 +778,10 @@ func initTestNSAccount(t *testing.T, am *DefaultAccountManager) (*Account, error
 			UIVersion: "development",
 		},
 	}
-	peer2 := &Peer{
+	peer2 := &nbpeer.Peer{
 		Key:  nsGroupPeer2Key,
 		Name: "test-host2@netbird.io",
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host2@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
--- a/management/server/network.go
+++ b/management/server/network.go
@@ -10,6 +10,7 @@ import (
 	"github.com/rs/xid"

 	nbdns "github.com/netbirdio/netbird/dns"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/route"
 )
@@ -25,11 +26,11 @@ const (
 )

 type NetworkMap struct {
-	Peers         []*Peer
+	Peers         []*nbpeer.Peer
 	Network       *Network
 	Routes        []*route.Route
 	DNSConfig     nbdns.Config
-	OfflinePeers  []*Peer
+	OfflinePeers  []*nbpeer.Peer
 	FirewallRules []*FirewallRule
 }

--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -2,13 +2,14 @@ package server

 import (
 	"fmt"
-	"net"
 	"strings"
 	"time"

+	"github.com/netbirdio/management-integrations/additions"
 	"github.com/rs/xid"

 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"

 	log "github.com/sirupsen/logrus"
@@ -16,38 +17,6 @@ import (
 	"github.com/netbirdio/netbird/management/proto"
 )

-// PeerSystemMeta is a metadata of a Peer machine system
-type PeerSystemMeta struct {
-	Hostname  string
-	GoOS      string
-	Kernel    string
-	Core      string
-	Platform  string
-	OS        string
-	WtVersion string
-	UIVersion string
-}
-
-func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
-	return p.Hostname == other.Hostname &&
-		p.GoOS == other.GoOS &&
-		p.Kernel == other.Kernel &&
-		p.Core == other.Core &&
-		p.Platform == other.Platform &&
-		p.OS == other.OS &&
-		p.WtVersion == other.WtVersion &&
-		p.UIVersion == other.UIVersion
-}
-
-type PeerStatus struct {
-	// LastSeen is the last time peer was connected to the management service
-	LastSeen time.Time
-	// Connected indicates whether peer is connected to the management service or not
-	Connected bool
-	// LoginExpired
-	LoginExpired bool
-}
-
 // PeerSync used as a data object between the gRPC API and AccountManager on Sync request.
 type PeerSync struct {
 	// WireGuardPubKey is a peers WireGuard public key
@@ -61,146 +30,16 @@ type PeerLogin struct {
 	// SSHKey is a peer's ssh key. Can be empty (e.g., old version do not provide it, or this feature is disabled)
 	SSHKey string
 	// Meta is the system information passed by peer, must be always present.
-	Meta PeerSystemMeta
+	Meta nbpeer.PeerSystemMeta
 	// UserID indicates that JWT was used to log in, and it was valid. Can be empty when SetupKey is used or auth is not required.
 	UserID string
 	// SetupKey references to a server.SetupKey to log in. Can be empty when UserID is used or auth is not required.
 	SetupKey string
 }

-// Peer represents a machine connected to the network.
-// The Peer is a WireGuard peer identified by a public key
-type Peer struct {
-	// ID is an internal ID of the peer
-	ID string `gorm:"primaryKey"`
-	// AccountID is a reference to Account that this object belongs
-	AccountID string `json:"-" gorm:"index;uniqueIndex:idx_peers_account_id_ip"`
-	// WireGuard public key
-	Key string `gorm:"index"`
-	// A setup key this peer was registered with
-	SetupKey string
-	// IP address of the Peer
-	IP net.IP `gorm:"uniqueIndex:idx_peers_account_id_ip"`
-	// Meta is a Peer system meta data
-	Meta PeerSystemMeta `gorm:"embedded;embeddedPrefix:meta_"`
-	// Name is peer's name (machine name)
-	Name string
-	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
-	// domain to the peer label. e.g. peer-dns-label.netbird.cloud
-	DNSLabel string
-	// Status peer's management connection status
-	Status *PeerStatus `gorm:"embedded;embeddedPrefix:peer_status_"`
-	// The user ID that registered the peer
-	UserID string
-	// SSHKey is a public SSH key of the peer
-	SSHKey string
-	// SSHEnabled indicates whether SSH server is enabled on the peer
-	SSHEnabled bool
-	// LoginExpirationEnabled indicates whether peer's login expiration is enabled and once expired the peer has to re-login.
-	// Works with LastLogin
-	LoginExpirationEnabled bool
-	// LastLogin the time when peer performed last login operation
-	LastLogin time.Time
-	// Indicate ephemeral peer attribute
-	Ephemeral bool
-}
-
-// AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
-func (p *Peer) AddedWithSSOLogin() bool {
-	return p.UserID != ""
-}
-
-// Copy copies Peer object
-func (p *Peer) Copy() *Peer {
-	peerStatus := p.Status
-	if peerStatus != nil {
-		peerStatus = p.Status.Copy()
-	}
-	return &Peer{
-		ID:                     p.ID,
-		AccountID:              p.AccountID,
-		Key:                    p.Key,
-		SetupKey:               p.SetupKey,
-		IP:                     p.IP,
-		Meta:                   p.Meta,
-		Name:                   p.Name,
-		DNSLabel:               p.DNSLabel,
-		Status:                 peerStatus,
-		UserID:                 p.UserID,
-		SSHKey:                 p.SSHKey,
-		SSHEnabled:             p.SSHEnabled,
-		LoginExpirationEnabled: p.LoginExpirationEnabled,
-		LastLogin:              p.LastLogin,
-		Ephemeral:              p.Ephemeral,
-	}
-}
-
-// UpdateMetaIfNew updates peer's system metadata if new information is provided
-// returns true if meta was updated, false otherwise
-func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) bool {
-	// Avoid overwriting UIVersion if the update was triggered sole by the CLI client
-	if meta.UIVersion == "" {
-		meta.UIVersion = p.Meta.UIVersion
-	}
-
-	if p.Meta.isEqual(meta) {
-		return false
-	}
-	p.Meta = meta
-	return true
-}
-
-// MarkLoginExpired marks peer's status expired or not
-func (p *Peer) MarkLoginExpired(expired bool) {
-	newStatus := p.Status.Copy()
-	newStatus.LoginExpired = expired
-	if expired {
-		newStatus.Connected = false
-	}
-	p.Status = newStatus
-}
-
-// LoginExpired indicates whether the peer's login has expired or not.
-// If Peer.LastLogin plus the expiresIn duration has happened already; then login has expired.
-// Return true if a login has expired, false otherwise, and time left to expiration (negative when expired).
-// Login expiration can be disabled/enabled on a Peer level via Peer.LoginExpirationEnabled property.
-// Login expiration can also be disabled/enabled globally on the Account level via Settings.PeerLoginExpirationEnabled.
-// Only peers added by interactive SSO login can be expired.
-func (p *Peer) LoginExpired(expiresIn time.Duration) (bool, time.Duration) {
-	if !p.AddedWithSSOLogin() || !p.LoginExpirationEnabled {
-		return false, 0
-	}
-	expiresAt := p.LastLogin.Add(expiresIn)
-	now := time.Now()
-	timeLeft := expiresAt.Sub(now)
-	return timeLeft <= 0, timeLeft
-}
-
-// FQDN returns peers FQDN combined of the peer's DNS label and the system's DNS domain
-func (p *Peer) FQDN(dnsDomain string) string {
-	if dnsDomain == "" {
-		return ""
-	}
-	return fmt.Sprintf("%s.%s", p.DNSLabel, dnsDomain)
-}
-
-// EventMeta returns activity event meta related to the peer
-func (p *Peer) EventMeta(dnsDomain string) map[string]any {
-	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP}
-}
-
-// Copy PeerStatus
-func (p *PeerStatus) Copy() *PeerStatus {
-	return &PeerStatus{
-		LastSeen:     p.LastSeen,
-		Connected:    p.Connected,
-		LoginExpired: p.LoginExpired,
-	}
-}
-
 // GetPeers returns a list of peers under the given account filtering out peers that do not belong to a user if
 // the current user is not an admin.
-func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, error) {
+func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*nbpeer.Peer, error) {
 	account, err := am.Store.GetAccount(accountID)
 	if err != nil {
 		return nil, err
@@ -211,8 +50,8 @@ func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, er
 		return nil, err
 	}

-	peers := make([]*Peer, 0)
-	peersMap := make(map[string]*Peer)
+	peers := make([]*nbpeer.Peer, 0)
+	peersMap := make(map[string]*nbpeer.Peer)
 	for _, peer := range account.Peers {
 		if !user.HasAdminPower() && user.Id != peer.UserID {
 			// only display peers that belong to the current user if the current user is not an admin
@@ -231,7 +70,7 @@ func (am *DefaultAccountManager) GetPeers(accountID, userID string) ([]*Peer, er
 		}
 	}

-	peers = make([]*Peer, 0, len(peersMap))
+	peers = make([]*nbpeer.Peer, 0, len(peersMap))
 	for _, peer := range peersMap {
 		peers = append(peers, peer)
 	}
@@ -290,7 +129,7 @@ func (am *DefaultAccountManager) MarkPeerConnected(peerPubKey string, connected
 }

 // UpdatePeer updates peer. Only Peer.Name, Peer.SSHEnabled, and Peer.LoginExpirationEnabled can be updated.
-func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Peer) (*Peer, error) {
+func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *nbpeer.Peer) (*nbpeer.Peer, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@@ -304,6 +143,11 @@ func (am *DefaultAccountManager) UpdatePeer(accountID, userID string, update *Pe
 		return nil, status.Errorf(status.NotFound, "peer %s not found", update.ID)
 	}

+	update, err = additions.ValidatePeersUpdateRequest(update, peer, userID, accountID, am.eventStore, am.GetDNSDomain())
+	if err != nil {
+		return nil, err
+	}
+
 	if peer.SSHEnabled != update.SSHEnabled {
 		peer.SSHEnabled = update.SSHEnabled
 		event := activity.PeerSSHEnabled
@@ -364,7 +208,7 @@ func (am *DefaultAccountManager) deletePeers(account *Account, peerIDs []string,

 	// the first loop is needed to ensure all peers present under the account before modifying, otherwise
 	// we might have some inconsistencies
-	peers := make([]*Peer, 0, len(peerIDs))
+	peers := make([]*nbpeer.Peer, 0, len(peerIDs))
 	for _, peerID := range peerIDs {

 		peer := account.GetPeer(peerID)
@@ -456,7 +300,7 @@ func (am *DefaultAccountManager) GetPeerNetwork(peerID string) (*Network, error)
 // to it. We also add the User ID to the peer metadata to identify registrant. If no userID provided, then fail with status.PermissionDenied
 // Each new Peer will be assigned a new next net.IP from the Account.Network and Account.Network.LastIP will be updated (IP's are not reused).
 // The peer property is just a placeholder for the Peer properties to pass further
-func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*Peer, *NetworkMap, error) {
+func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *nbpeer.Peer) (*nbpeer.Peer, *NetworkMap, error) {
 	if setupKey == "" && userID == "" {
 		// no auth method provided => reject access
 		return nil, nil, status.Errorf(status.Unauthenticated, "no peer auth method provided, please use a setup key or interactive SSO login")
@@ -510,6 +354,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 	}

 	var ephemeral bool
+	setupKeyName := ""
 	if !addedByUser {
 		// validate the setup key if adding with a key
 		sk, err := account.FindSetupKey(upperKey)
@@ -525,6 +370,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		opEvent.InitiatorID = sk.Id
 		opEvent.Activity = activity.PeerAddedWithSetupKey
 		ephemeral = sk.Ephemeral
+		setupKeyName = sk.Name
 	} else {
 		opEvent.InitiatorID = userID
 		opEvent.Activity = activity.PeerAddedByUser
@@ -545,7 +391,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		return nil, nil, err
 	}

-	newPeer := &Peer{
+	newPeer := &nbpeer.Peer{
 		ID:                     xid.New().String(),
 		Key:                    peer.Key,
 		SetupKey:               upperKey,
@@ -554,7 +400,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		Name:                   peer.Meta.Hostname,
 		DNSLabel:               newLabel,
 		UserID:                 userID,
-		Status:                 &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:                 &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
 		SSHEnabled:             false,
 		SSHKey:                 peer.SSHKey,
 		LastLogin:              time.Now().UTC(),
@@ -562,6 +408,10 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 		Ephemeral:              ephemeral,
 	}

+	if account.Settings.Extra != nil {
+		newPeer = additions.PreparePeer(newPeer, account.Settings.Extra)
+	}
+
 	// add peer to 'All' group
 	group, err := account.GetGroupAll()
 	if err != nil {
@@ -599,6 +449,10 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*

 	opEvent.TargetID = newPeer.ID
 	opEvent.Meta = newPeer.EventMeta(am.GetDNSDomain())
+	if !addedByUser {
+		opEvent.Meta["setup_key_name"] = setupKeyName
+	}
+
 	am.StoreEvent(opEvent.InitiatorID, opEvent.TargetID, opEvent.AccountID, opEvent.Activity, opEvent.Meta)

 	am.updateAccountPeers(account)
@@ -608,7 +462,7 @@ func (am *DefaultAccountManager) AddPeer(setupKey, userID string, peer *Peer) (*
 }

 // SyncPeer checks whether peer is eligible for receiving NetworkMap (authenticated) and returns its NetworkMap if eligible
-func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, error) {
+func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*nbpeer.Peer, *NetworkMap, error) {
 	account, err := am.Store.GetAccountByPeerPubKey(sync.WireGuardPubKey)
 	if err != nil {
 		if errStatus, ok := status.FromError(err); ok && errStatus.Type() == status.NotFound {
@@ -645,14 +499,14 @@ func (am *DefaultAccountManager) SyncPeer(sync PeerSync) (*Peer, *NetworkMap, er

 // LoginPeer logs in or registers a peer.
 // If peer doesn't exist the function checks whether a setup key or a user is present and registers a new peer if so.
-func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap, error) {
+func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*nbpeer.Peer, *NetworkMap, error) {
 	account, err := am.Store.GetAccountByPeerPubKey(login.WireGuardPubKey)

 	if err != nil {
 		if errStatus, ok := status.FromError(err); ok && errStatus.Type() == status.NotFound {
 			// we couldn't find this peer by its public key which can mean that peer hasn't been registered yet.
 			// Try registering it.
-			return am.AddPeer(login.SetupKey, login.UserID, &Peer{
+			return am.AddPeer(login.SetupKey, login.UserID, &nbpeer.Peer{
 				Key:    login.WireGuardPubKey,
 				Meta:   login.Meta,
 				SSHKey: login.SSHKey,
@@ -722,7 +576,7 @@ func (am *DefaultAccountManager) LoginPeer(login PeerLogin) (*Peer, *NetworkMap,
 	return peer, account.GetPeerNetworkMap(peer.ID, am.dnsDomain), nil
 }

-func checkIfPeerOwnerIsBlocked(peer *Peer, account *Account) error {
+func checkIfPeerOwnerIsBlocked(peer *nbpeer.Peer, account *Account) error {
 	if peer.AddedWithSSOLogin() {
 		user, err := account.FindUser(peer.UserID)
 		if err != nil {
@@ -735,7 +589,7 @@ func checkIfPeerOwnerIsBlocked(peer *Peer, account *Account) error {
 	return nil
 }

-func checkAuth(loginUserID string, peer *Peer) error {
+func checkAuth(loginUserID string, peer *nbpeer.Peer) error {
 	if loginUserID == "" {
 		// absence of a user ID indicates that JWT wasn't provided.
 		return status.Errorf(status.PermissionDenied, "peer login has expired, please log in once more")
@@ -747,7 +601,7 @@ func checkAuth(loginUserID string, peer *Peer) error {
 	return nil
 }

-func peerLoginExpired(peer *Peer, account *Account) bool {
+func peerLoginExpired(peer *nbpeer.Peer, account *Account) bool {
 	expired, expiresIn := peer.LoginExpired(account.Settings.PeerLoginExpiration)
 	expired = account.Settings.PeerLoginExpirationEnabled && expired
 	if expired || peer.Status.LoginExpired {
@@ -757,21 +611,12 @@ func peerLoginExpired(peer *Peer, account *Account) bool {
 	return false
 }

-func updatePeerLastLogin(peer *Peer, account *Account) {
+func updatePeerLastLogin(peer *nbpeer.Peer, account *Account) {
 	peer.UpdateLastLogin()
 	account.UpdatePeer(peer)
 }

-// UpdateLastLogin and set login expired false
-func (p *Peer) UpdateLastLogin() *Peer {
-	p.LastLogin = time.Now().UTC()
-	newStatus := p.Status.Copy()
-	newStatus.LoginExpired = false
-	p.Status = newStatus
-	return p
-}
-
-func (am *DefaultAccountManager) checkAndUpdatePeerSSHKey(peer *Peer, account *Account, newSSHKey string) (*Peer, error) {
+func (am *DefaultAccountManager) checkAndUpdatePeerSSHKey(peer *nbpeer.Peer, account *Account, newSSHKey string) (*nbpeer.Peer, error) {
 	if len(newSSHKey) == 0 {
 		log.Debugf("no new SSH key provided for peer %s, skipping update", peer.ID)
 		return peer, nil
@@ -842,7 +687,7 @@ func (am *DefaultAccountManager) UpdatePeerSSHKey(peerID string, sshKey string)
 }

 // GetPeer for a given accountID, peerID and userID error if not found.
-func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Peer, error) {
+func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*nbpeer.Peer, error) {
 	unlock := am.Store.AcquireAccountLock(accountID)
 	defer unlock()

@@ -885,7 +730,7 @@ func (am *DefaultAccountManager) GetPeer(accountID, peerID, userID string) (*Pee
 	return nil, status.Errorf(status.Internal, "user %s has no access to peer %s under account %s", userID, peerID, accountID)
 }

-func updatePeerMeta(peer *Peer, meta PeerSystemMeta, account *Account) (*Peer, bool) {
+func updatePeerMeta(peer *nbpeer.Peer, meta nbpeer.PeerSystemMeta, account *Account) (*nbpeer.Peer, bool) {
 	if peer.UpdateMetaIfNew(meta) {
 		account.UpdatePeer(peer)
 		return peer, true
--- a/management/server/peer/peer.go
+++ b/management/server/peer/peer.go
@@ -0,0 +1,181 @@
+package peer
+
+import (
+	"fmt"
+	"net"
+	"time"
+)
+
+// Peer represents a machine connected to the network.
+// The Peer is a WireGuard peer identified by a public key
+type Peer struct {
+	// ID is an internal ID of the peer
+	ID string `gorm:"primaryKey"`
+	// AccountID is a reference to Account that this object belongs
+	AccountID string `json:"-" gorm:"index;uniqueIndex:idx_peers_account_id_ip"`
+	// WireGuard public key
+	Key string `gorm:"index"`
+	// A setup key this peer was registered with
+	SetupKey string
+	// IP address of the Peer
+	IP net.IP `gorm:"uniqueIndex:idx_peers_account_id_ip"`
+	// Meta is a Peer system meta data
+	Meta PeerSystemMeta `gorm:"embedded;embeddedPrefix:meta_"`
+	// Name is peer's name (machine name)
+	Name string
+	// DNSLabel is the parsed peer name for domain resolution. It is used to form an FQDN by appending the account's
+	// domain to the peer label. e.g. peer-dns-label.netbird.cloud
+	DNSLabel string
+	// Status peer's management connection status
+	Status *PeerStatus `gorm:"embedded;embeddedPrefix:peer_status_"`
+	// The user ID that registered the peer
+	UserID string
+	// SSHKey is a public SSH key of the peer
+	SSHKey string
+	// SSHEnabled indicates whether SSH server is enabled on the peer
+	SSHEnabled bool
+	// LoginExpirationEnabled indicates whether peer's login expiration is enabled and once expired the peer has to re-login.
+	// Works with LastLogin
+	LoginExpirationEnabled bool
+	// LastLogin the time when peer performed last login operation
+	LastLogin time.Time
+	// Indicate ephemeral peer attribute
+	Ephemeral bool
+}
+
+type PeerStatus struct {
+	// LastSeen is the last time peer was connected to the management service
+	LastSeen time.Time
+	// Connected indicates whether peer is connected to the management service or not
+	Connected bool
+	// LoginExpired
+	LoginExpired bool
+	// RequiresApproval indicates whether peer requires approval or not
+	RequiresApproval bool
+}
+
+// PeerSystemMeta is a metadata of a Peer machine system
+type PeerSystemMeta struct {
+	Hostname  string
+	GoOS      string
+	Kernel    string
+	Core      string
+	Platform  string
+	OS        string
+	WtVersion string
+	UIVersion string
+}
+
+func (p PeerSystemMeta) isEqual(other PeerSystemMeta) bool {
+	return p.Hostname == other.Hostname &&
+		p.GoOS == other.GoOS &&
+		p.Kernel == other.Kernel &&
+		p.Core == other.Core &&
+		p.Platform == other.Platform &&
+		p.OS == other.OS &&
+		p.WtVersion == other.WtVersion &&
+		p.UIVersion == other.UIVersion
+}
+
+// AddedWithSSOLogin indicates whether this peer has been added with an SSO login by a user.
+func (p *Peer) AddedWithSSOLogin() bool {
+	return p.UserID != ""
+}
+
+// Copy copies Peer object
+func (p *Peer) Copy() *Peer {
+	peerStatus := p.Status
+	if peerStatus != nil {
+		peerStatus = p.Status.Copy()
+	}
+	return &Peer{
+		ID:                     p.ID,
+		AccountID:              p.AccountID,
+		Key:                    p.Key,
+		SetupKey:               p.SetupKey,
+		IP:                     p.IP,
+		Meta:                   p.Meta,
+		Name:                   p.Name,
+		DNSLabel:               p.DNSLabel,
+		Status:                 peerStatus,
+		UserID:                 p.UserID,
+		SSHKey:                 p.SSHKey,
+		SSHEnabled:             p.SSHEnabled,
+		LoginExpirationEnabled: p.LoginExpirationEnabled,
+		LastLogin:              p.LastLogin,
+		Ephemeral:              p.Ephemeral,
+	}
+}
+
+// UpdateMetaIfNew updates peer's system metadata if new information is provided
+// returns true if meta was updated, false otherwise
+func (p *Peer) UpdateMetaIfNew(meta PeerSystemMeta) bool {
+	// Avoid overwriting UIVersion if the update was triggered sole by the CLI client
+	if meta.UIVersion == "" {
+		meta.UIVersion = p.Meta.UIVersion
+	}
+
+	if p.Meta.isEqual(meta) {
+		return false
+	}
+	p.Meta = meta
+	return true
+}
+
+// MarkLoginExpired marks peer's status expired or not
+func (p *Peer) MarkLoginExpired(expired bool) {
+	newStatus := p.Status.Copy()
+	newStatus.LoginExpired = expired
+	if expired {
+		newStatus.Connected = false
+	}
+	p.Status = newStatus
+}
+
+// LoginExpired indicates whether the peer's login has expired or not.
+// If Peer.LastLogin plus the expiresIn duration has happened already; then login has expired.
+// Return true if a login has expired, false otherwise, and time left to expiration (negative when expired).
+// Login expiration can be disabled/enabled on a Peer level via Peer.LoginExpirationEnabled property.
+// Login expiration can also be disabled/enabled globally on the Account level via Settings.PeerLoginExpirationEnabled.
+// Only peers added by interactive SSO login can be expired.
+func (p *Peer) LoginExpired(expiresIn time.Duration) (bool, time.Duration) {
+	if !p.AddedWithSSOLogin() || !p.LoginExpirationEnabled {
+		return false, 0
+	}
+	expiresAt := p.LastLogin.Add(expiresIn)
+	now := time.Now()
+	timeLeft := expiresAt.Sub(now)
+	return timeLeft <= 0, timeLeft
+}
+
+// FQDN returns peers FQDN combined of the peer's DNS label and the system's DNS domain
+func (p *Peer) FQDN(dnsDomain string) string {
+	if dnsDomain == "" {
+		return ""
+	}
+	return fmt.Sprintf("%s.%s", p.DNSLabel, dnsDomain)
+}
+
+// EventMeta returns activity event meta related to the peer
+func (p *Peer) EventMeta(dnsDomain string) map[string]any {
+	return map[string]any{"name": p.Name, "fqdn": p.FQDN(dnsDomain), "ip": p.IP}
+}
+
+// Copy PeerStatus
+func (p *PeerStatus) Copy() *PeerStatus {
+	return &PeerStatus{
+		LastSeen:         p.LastSeen,
+		Connected:        p.Connected,
+		LoginExpired:     p.LoginExpired,
+		RequiresApproval: p.RequiresApproval,
+	}
+}
+
+// UpdateLastLogin and set login expired false
+func (p *Peer) UpdateLastLogin() *Peer {
+	p.LastLogin = time.Now().UTC()
+	newStatus := p.Status.Copy()
+	newStatus.LoginExpired = false
+	p.Status = newStatus
+	return p
+}
--- a/management/server/peer_test.go
+++ b/management/server/peer_test.go
@@ -8,6 +8,8 @@ import (

 	"github.com/rs/xid"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )

 func TestPeer_LoginExpired(t *testing.T) {
@@ -52,7 +54,7 @@ func TestPeer_LoginExpired(t *testing.T) {

 	for _, c := range tt {
 		t.Run(c.name, func(t *testing.T) {
-			peer := &Peer{
+			peer := &nbpeer.Peer{
 				LoginExpirationEnabled: c.expirationEnabled,
 				LastLogin:              c.lastLogin,
 				UserID:                 userID,
@@ -90,9 +92,9 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 		return
 	}

-	peer1, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer1, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-1"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-1"},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -104,9 +106,9 @@ func TestAccountManager_GetNetworkMap(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-	_, _, err = manager.AddPeer(setupKey.Key, "", &Peer{
+	_, _, err = manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-2"},
 	})

 	if err != nil {
@@ -163,9 +165,9 @@ func TestAccountManager_GetNetworkMapWithPolicy(t *testing.T) {
 		return
 	}

-	peer1, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer1, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-1"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-1"},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -177,9 +179,9 @@ func TestAccountManager_GetNetworkMapWithPolicy(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-	peer2, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer2, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -339,9 +341,9 @@ func TestAccountManager_GetPeerNetwork(t *testing.T) {
 		return
 	}

-	peer1, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer1, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-1"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-1"},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -353,9 +355,9 @@ func TestAccountManager_GetPeerNetwork(t *testing.T) {
 		t.Fatal(err)
 		return
 	}
-	_, _, err = manager.AddPeer(setupKey.Key, "", &Peer{
+	_, _, err = manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-2"},
 	})

 	if err != nil {
@@ -409,9 +411,9 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 		return
 	}

-	peer1, _, err := manager.AddPeer("", someUser, &Peer{
+	peer1, _, err := manager.AddPeer("", someUser, &nbpeer.Peer{
 		Key:  peerKey1.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 	if err != nil {
 		t.Errorf("expecting peer to be added, got failure %v", err)
@@ -425,9 +427,9 @@ func TestDefaultAccountManager_GetPeer(t *testing.T) {
 	}

 	// the second peer added with a setup key
-	peer2, _, err := manager.AddPeer(setupKey.Key, "", &Peer{
+	peer2, _, err := manager.AddPeer(setupKey.Key, "", &nbpeer.Peer{
 		Key:  peerKey2.PublicKey().String(),
-		Meta: PeerSystemMeta{Hostname: "test-peer-2"},
+		Meta: nbpeer.PeerSystemMeta{Hostname: "test-peer-2"},
 	})
 	if err != nil {
 		t.Fatal(err)
--- a/management/server/policy.go
+++ b/management/server/policy.go
@@ -5,10 +5,12 @@ import (
 	"strconv"
 	"strings"

+	"github.com/netbirdio/management-integrations/additions"
 	log "github.com/sirupsen/logrus"

 	"github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -205,7 +207,7 @@ type FirewallRule struct {
 // getPeerConnectionResources for a given peer
 //
 // This function returns the list of peers and firewall rules that are applicable to a given peer.
-func (a *Account) getPeerConnectionResources(peerID string) ([]*Peer, []*FirewallRule) {
+func (a *Account) getPeerConnectionResources(peerID string) ([]*nbpeer.Peer, []*FirewallRule) {
 	generateResources, getAccumulatedResources := a.connResourcesGenerator()
 	for _, policy := range a.Policies {
 		if !policy.Enabled {
@@ -219,6 +221,8 @@ func (a *Account) getPeerConnectionResources(peerID string) ([]*Peer, []*Firewal

 			sourcePeers, peerInSources := getAllPeersFromGroups(a, rule.Sources, peerID)
 			destinationPeers, peerInDestinations := getAllPeersFromGroups(a, rule.Destinations, peerID)
+			sourcePeers = additions.ValidatePeers(sourcePeers)
+			destinationPeers = additions.ValidatePeers(destinationPeers)

 			if rule.Bidirectional {
 				if peerInSources {
@@ -247,11 +251,11 @@ func (a *Account) getPeerConnectionResources(peerID string) ([]*Peer, []*Firewal
 // The generator function is used to generate the list of peers and firewall rules that are applicable to a given peer.
 // It safe to call the generator function multiple times for same peer and different rules no duplicates will be
 // generated. The accumulator function returns the result of all the generator calls.
-func (a *Account) connResourcesGenerator() (func(*PolicyRule, []*Peer, int), func() ([]*Peer, []*FirewallRule)) {
+func (a *Account) connResourcesGenerator() (func(*PolicyRule, []*nbpeer.Peer, int), func() ([]*nbpeer.Peer, []*FirewallRule)) {
 	rulesExists := make(map[string]struct{})
 	peersExists := make(map[string]struct{})
 	rules := make([]*FirewallRule, 0)
-	peers := make([]*Peer, 0)
+	peers := make([]*nbpeer.Peer, 0)

 	all, err := a.GetGroupAll()
 	if err != nil {
@@ -259,7 +263,7 @@ func (a *Account) connResourcesGenerator() (func(*PolicyRule, []*Peer, int), fun
 		all = &Group{}
 	}

-	return func(rule *PolicyRule, groupPeers []*Peer, direction int) {
+	return func(rule *PolicyRule, groupPeers []*nbpeer.Peer, direction int) {
 			isAll := (len(all.Peers) - 1) == len(groupPeers)
 			for _, peer := range groupPeers {
 				if peer == nil {
@@ -299,7 +303,7 @@ func (a *Account) connResourcesGenerator() (func(*PolicyRule, []*Peer, int), fun
 					rules = append(rules, &pr)
 				}
 			}
-		}, func() ([]*Peer, []*FirewallRule) {
+		}, func() ([]*nbpeer.Peer, []*FirewallRule) {
 			return peers, rules
 		}
 }
@@ -478,9 +482,9 @@ func toProtocolFirewallRules(update []*FirewallRule) []*proto.FirewallRule {
 // getAllPeersFromGroups for given peer ID and list of groups
 //
 // Returns list of peers and boolean indicating if peer is in any of the groups
-func getAllPeersFromGroups(account *Account, groups []string, peerID string) ([]*Peer, bool) {
+func getAllPeersFromGroups(account *Account, groups []string, peerID string) ([]*nbpeer.Peer, bool) {
 	peerInGroups := false
-	filteredPeers := make([]*Peer, 0, len(groups))
+	filteredPeers := make([]*nbpeer.Peer, 0, len(groups))
 	for _, g := range groups {
 		group, ok := account.Groups[g]
 		if !ok {
--- a/management/server/policy_test.go
+++ b/management/server/policy_test.go
@@ -7,11 +7,13 @@ import (

 	"github.com/stretchr/testify/assert"
 	"golang.org/x/exp/slices"
+
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 )

 func TestAccount_getPeersByPolicy(t *testing.T) {
 	account := &Account{
-		Peers: map[string]*Peer{
+		Peers: map[string]*nbpeer.Peer{
 			"peerA": {
 				ID: "peerA",
 				IP: net.ParseIP("100.65.14.88"),
@@ -255,7 +257,7 @@ func TestAccount_getPeersByPolicy(t *testing.T) {

 func TestAccount_getPeersByPolicyDirect(t *testing.T) {
 	account := &Account{
-		Peers: map[string]*Peer{
+		Peers: map[string]*nbpeer.Peer{
 			"peerA": {
 				ID: "peerA",
 				IP: net.ParseIP("100.65.14.88"),
--- a/management/server/route_test.go
+++ b/management/server/route_test.go
@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/netbirdio/netbird/management/server/activity"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/route"
 )

@@ -1045,13 +1046,13 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*Account, er
 		return nil, err
 	}

-	peer1 := &Peer{
+	peer1 := &nbpeer.Peer{
 		IP:     peer1IP,
 		ID:     peer1ID,
 		Key:    peer1Key,
 		Name:   "test-host1@netbird.io",
 		UserID: userID,
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host1@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
@@ -1070,13 +1071,13 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*Account, er
 		return nil, err
 	}

-	peer2 := &Peer{
+	peer2 := &nbpeer.Peer{
 		IP:     peer2IP,
 		ID:     peer2ID,
 		Key:    peer2Key,
 		Name:   "test-host2@netbird.io",
 		UserID: userID,
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host2@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
@@ -1095,13 +1096,13 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*Account, er
 		return nil, err
 	}

-	peer3 := &Peer{
+	peer3 := &nbpeer.Peer{
 		IP:     peer3IP,
 		ID:     peer3ID,
 		Key:    peer3Key,
 		Name:   "test-host3@netbird.io",
 		UserID: userID,
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host3@netbird.io",
 			GoOS:      "darwin",
 			Kernel:    "Darwin",
@@ -1120,13 +1121,13 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*Account, er
 		return nil, err
 	}

-	peer4 := &Peer{
+	peer4 := &nbpeer.Peer{
 		IP:     peer4IP,
 		ID:     peer4ID,
 		Key:    peer4Key,
 		Name:   "test-host4@netbird.io",
 		UserID: userID,
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host4@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
@@ -1145,13 +1146,13 @@ func initTestRouteAccount(t *testing.T, am *DefaultAccountManager) (*Account, er
 		return nil, err
 	}

-	peer5 := &Peer{
+	peer5 := &nbpeer.Peer{
 		IP:     peer5IP,
 		ID:     peer5ID,
 		Key:    peer5Key,
 		Name:   "test-host4@netbird.io",
 		UserID: userID,
-		Meta: PeerSystemMeta{
+		Meta: nbpeer.PeerSystemMeta{
 			Hostname:  "test-host4@netbird.io",
 			GoOS:      "linux",
 			Kernel:    "Linux",
--- a/management/server/sqlite_store.go
+++ b/management/server/sqlite_store.go
@@ -14,6 +14,8 @@ import (
 	"gorm.io/gorm/logger"

 	nbdns "github.com/netbirdio/netbird/dns"
+	"github.com/netbirdio/netbird/management/server/account"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 	"github.com/netbirdio/netbird/route"
@@ -59,9 +61,9 @@ func NewSqliteStore(dataDir string, metrics telemetry.AppMetrics) (*SqliteStore,
 	sql.SetMaxOpenConns(conns) // TODO: make it configurable

 	err = db.AutoMigrate(
-		&SetupKey{}, &Peer{}, &User{}, &PersonalAccessToken{}, &Group{}, &Rule{},
+		&SetupKey{}, &nbpeer.Peer{}, &User{}, &PersonalAccessToken{}, &Group{}, &Rule{},
 		&Account{}, &Policy{}, &PolicyRule{}, &route.Route{}, &nbdns.NameServerGroup{},
-		&installation{},
+		&installation{}, &account.ExtraSettings{},
 	)
 	if err != nil {
 		return nil, err
@@ -251,8 +253,8 @@ func (s *SqliteStore) GetInstallationID() string {
 	return installation.InstallationIDValue
 }

-func (s *SqliteStore) SavePeerStatus(accountID, peerID string, peerStatus PeerStatus) error {
-	var peer Peer
+func (s *SqliteStore) SavePeerStatus(accountID, peerID string, peerStatus nbpeer.PeerStatus) error {
+	var peer nbpeer.Peer

 	result := s.db.First(&peer, "account_id = ? and id = ?", accountID, peerID)
 	if result.Error != nil {
@@ -379,7 +381,7 @@ func (s *SqliteStore) GetAccount(accountID string) (*Account, error) {
 	}
 	account.SetupKeysG = nil

-	account.Peers = make(map[string]*Peer, len(account.PeersG))
+	account.Peers = make(map[string]*nbpeer.Peer, len(account.PeersG))
 	for _, peer := range account.PeersG {
 		account.Peers[peer.ID] = peer.Copy()
 	}
@@ -437,7 +439,7 @@ func (s *SqliteStore) GetAccountByUser(userID string) (*Account, error) {
 }

 func (s *SqliteStore) GetAccountByPeerID(peerID string) (*Account, error) {
-	var peer Peer
+	var peer nbpeer.Peer
 	result := s.db.Select("account_id").First(&peer, "id = ?", peerID)
 	if result.Error != nil {
 		return nil, status.Errorf(status.NotFound, "account not found: index lookup failed")
@@ -451,7 +453,7 @@ func (s *SqliteStore) GetAccountByPeerID(peerID string) (*Account, error) {
 }

 func (s *SqliteStore) GetAccountByPeerPubKey(peerKey string) (*Account, error) {
-	var peer Peer
+	var peer nbpeer.Peer

 	result := s.db.Select("account_id").First(&peer, "key = ?", peerKey)
 	if result.Error != nil {
--- a/management/server/sqlite_store_test.go
+++ b/management/server/sqlite_store_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/util"
 )

@@ -37,13 +38,13 @@ func TestSqlite_SaveAccount(t *testing.T) {
 	account := newAccountWithId("account_id", "testuser", "")
 	setupKey := GenerateDefaultSetupKey()
 	account.SetupKeys[setupKey.Key] = setupKey
-	account.Peers["testpeer"] = &Peer{
+	account.Peers["testpeer"] = &nbpeer.Peer{
 		Key:      "peerkey",
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}

 	err := store.SaveAccount(account)
@@ -52,13 +53,13 @@ func TestSqlite_SaveAccount(t *testing.T) {
 	account2 := newAccountWithId("account_id2", "testuser2", "")
 	setupKey = GenerateDefaultSetupKey()
 	account2.SetupKeys[setupKey.Key] = setupKey
-	account2.Peers["testpeer2"] = &Peer{
+	account2.Peers["testpeer2"] = &nbpeer.Peer{
 		Key:      "peerkey2",
 		SetupKey: "peerkeysetupkey2",
 		IP:       net.IP{127, 0, 0, 2},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name 2",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}

 	err = store.SaveAccount(account2)
@@ -116,13 +117,13 @@ func TestSqlite_DeleteAccount(t *testing.T) {
 	account := newAccountWithId("account_id", testUserID, "")
 	setupKey := GenerateDefaultSetupKey()
 	account.SetupKeys[setupKey.Key] = setupKey
-	account.Peers["testpeer"] = &Peer{
+	account.Peers["testpeer"] = &nbpeer.Peer{
 		Key:      "peerkey",
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}
 	account.Users[testUserID] = user

@@ -184,19 +185,19 @@ func TestSqlite_SavePeerStatus(t *testing.T) {
 	require.NoError(t, err)

 	// save status of non-existing peer
-	newStatus := PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
+	newStatus := nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()}
 	err = store.SavePeerStatus(account.Id, "non-existing-peer", newStatus)
 	assert.Error(t, err)

 	// save new status of existing peer
-	account.Peers["testpeer"] = &Peer{
+	account.Peers["testpeer"] = &nbpeer.Peer{
 		Key:      "peerkey",
 		ID:       "testpeer",
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: false, LastSeen: time.Now().UTC()},
 	}

 	err = store.SaveAccount(account)
@@ -291,13 +292,13 @@ func newAccount(store Store, id int) error {
 	account := newAccountWithId(str, str+"-testuser", "example.com")
 	setupKey := GenerateDefaultSetupKey()
 	account.SetupKeys[setupKey.Key] = setupKey
-	account.Peers["p"+str] = &Peer{
+	account.Peers["p"+str] = &nbpeer.Peer{
 		Key:      "peerkey" + str,
 		SetupKey: "peerkeysetupkey",
 		IP:       net.IP{127, 0, 0, 1},
-		Meta:     PeerSystemMeta{},
+		Meta:     nbpeer.PeerSystemMeta{},
 		Name:     "peer name",
-		Status:   &PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
+		Status:   &nbpeer.PeerStatus{Connected: true, LastSeen: time.Now().UTC()},
 	}

 	return store.SaveAccount(account)
--- a/management/server/store.go
+++ b/management/server/store.go
@@ -8,6 +8,7 @@ import (

 	log "github.com/sirupsen/logrus"

+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/telemetry"
 )

@@ -31,7 +32,7 @@ type Store interface {
 	AcquireAccountLock(accountID string) func()
 	// AcquireGlobalLock should attempt to acquire a global lock and return a function that releases the lock
 	AcquireGlobalLock() func()
-	SavePeerStatus(accountID, peerID string, status PeerStatus) error
+	SavePeerStatus(accountID, peerID string, status nbpeer.PeerStatus) error
 	SaveUserLastLogin(accountID, userID string, lastLogin time.Time) error
 	// Close should close the store persisting all unsaved data.
 	Close() error
--- a/management/server/telemetry/updatechannel_metrics.go
+++ b/management/server/telemetry/updatechannel_metrics.go
@@ -11,48 +11,29 @@ import (

 // UpdateChannelMetrics represents all metrics related to the UpdateChannel
 type UpdateChannelMetrics struct {
-	createChannelDurationMs           syncint64.Histogram
 	createChannelDurationMicro        syncint64.Histogram
-	closeChannelDurationMs            syncint64.Histogram
 	closeChannelDurationMicro         syncint64.Histogram
-	closeChannelsDurationMs           syncint64.Histogram
 	closeChannelsDurationMicro        syncint64.Histogram
 	closeChannels                     syncint64.Histogram
-	sendUpdateDurationMs              syncint64.Histogram
 	sendUpdateDurationMicro           syncint64.Histogram
-	getAllConnectedPeersDurationMs    syncint64.Histogram
 	getAllConnectedPeersDurationMicro syncint64.Histogram
 	getAllConnectedPeers              syncint64.Histogram
+	hasChannelDurationMicro           syncint64.Histogram
 	ctx                               context.Context
 }

 // NewUpdateChannelMetrics creates an instance of UpdateChannel
 func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateChannelMetrics, error) {
-	createChannelDurationMs, err := meter.SyncInt64().Histogram("management.updatechannel.create.duration.ms")
-	if err != nil {
-		return nil, err
-	}
-
 	createChannelDurationMicro, err := meter.SyncInt64().Histogram("management.updatechannel.create.duration.micro")
 	if err != nil {
 		return nil, err
 	}

-	closeChannelDurationMs, err := meter.SyncInt64().Histogram("management.updatechannel.close.one.duration.ms")
-	if err != nil {
-		return nil, err
-	}
-
 	closeChannelDurationMicro, err := meter.SyncInt64().Histogram("management.updatechannel.close.one.duration.micro")
 	if err != nil {
 		return nil, err
 	}

-	closeChannelsDurationMs, err := meter.SyncInt64().Histogram("management.updatechannel.close.multiple.duration.ms")
-	if err != nil {
-		return nil, err
-	}
-
 	closeChannelsDurationMicro, err := meter.SyncInt64().Histogram("management.updatechannel.close.multiple.duration.micro")
 	if err != nil {
 		return nil, err
@@ -63,21 +44,11 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 		return nil, err
 	}

-	sendUpdateDurationMs, err := meter.SyncInt64().Histogram("management.updatechannel.send.duration.ms")
-	if err != nil {
-		return nil, err
-	}
-
 	sendUpdateDurationMicro, err := meter.SyncInt64().Histogram("management.updatechannel.send.duration.micro")
 	if err != nil {
 		return nil, err
 	}

-	getAllConnectedPeersDurationMs, err := meter.SyncInt64().Histogram("management.updatechannel.get.all.duration.ms")
-	if err != nil {
-		return nil, err
-	}
-
 	getAllConnectedPeersDurationMicro, err := meter.SyncInt64().Histogram("management.updatechannel.get.all.duration.micro")
 	if err != nil {
 		return nil, err
@@ -88,19 +59,20 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 		return nil, err
 	}

+	hasChannelDurationMicro, err := meter.SyncInt64().Histogram("management.updatechannel.haschannel.duration.micro")
+	if err != nil {
+		return nil, err
+	}
+
 	return &UpdateChannelMetrics{
-		createChannelDurationMs:           createChannelDurationMs,
 		createChannelDurationMicro:        createChannelDurationMicro,
-		closeChannelDurationMs:            closeChannelDurationMs,
 		closeChannelDurationMicro:         closeChannelDurationMicro,
-		closeChannelsDurationMs:           closeChannelsDurationMs,
 		closeChannelsDurationMicro:        closeChannelsDurationMicro,
 		closeChannels:                     closeChannels,
-		sendUpdateDurationMs:              sendUpdateDurationMs,
 		sendUpdateDurationMicro:           sendUpdateDurationMicro,
-		getAllConnectedPeersDurationMs:    getAllConnectedPeersDurationMs,
 		getAllConnectedPeersDurationMicro: getAllConnectedPeersDurationMicro,
 		getAllConnectedPeers:              getAllConnectedPeers,
+		hasChannelDurationMicro:           hasChannelDurationMicro,
 		ctx:                               ctx,
 	}, nil
 }
@@ -108,19 +80,16 @@ func NewUpdateChannelMetrics(ctx context.Context, meter metric.Meter) (*UpdateCh
 // CountCreateChannelDuration counts the duration of the CreateChannel method,
 // closed indicates if existing channel was closed before creation of a new one
 func (metrics *UpdateChannelMetrics) CountCreateChannelDuration(duration time.Duration, closed bool) {
-	metrics.createChannelDurationMs.Record(metrics.ctx, duration.Milliseconds(), attribute.Bool("closed", closed))
 	metrics.createChannelDurationMicro.Record(metrics.ctx, duration.Microseconds(), attribute.Bool("closed", closed))
 }

 // CountCloseChannelDuration counts the duration of the CloseChannel method
 func (metrics *UpdateChannelMetrics) CountCloseChannelDuration(duration time.Duration) {
-	metrics.closeChannelDurationMs.Record(metrics.ctx, duration.Milliseconds())
 	metrics.closeChannelDurationMicro.Record(metrics.ctx, duration.Microseconds())
 }

 // CountCloseChannelsDuration counts the duration of the CloseChannels method and the number of channels have been closed
 func (metrics *UpdateChannelMetrics) CountCloseChannelsDuration(duration time.Duration, channels int) {
-	metrics.closeChannelsDurationMs.Record(metrics.ctx, duration.Milliseconds())
 	metrics.closeChannelsDurationMicro.Record(metrics.ctx, duration.Microseconds())
 	metrics.closeChannels.Record(metrics.ctx, int64(channels))
 }
@@ -129,13 +98,16 @@ func (metrics *UpdateChannelMetrics) CountCloseChannelsDuration(duration time.Du
 // found indicates if peer had channel, dropped indicates if the message was dropped due channel buffer overload
 func (metrics *UpdateChannelMetrics) CountSendUpdateDuration(duration time.Duration, found, dropped bool) {
 	attrs := []attribute.KeyValue{attribute.Bool("found", found), attribute.Bool("dropped", dropped)}
-	metrics.sendUpdateDurationMs.Record(metrics.ctx, duration.Milliseconds(), attrs...)
 	metrics.sendUpdateDurationMicro.Record(metrics.ctx, duration.Microseconds(), attrs...)
 }

 // CountGetAllConnectedPeersDuration counts the duration of the GetAllConnectedPeers method and the number of peers have been returned
 func (metrics *UpdateChannelMetrics) CountGetAllConnectedPeersDuration(duration time.Duration, peers int) {
-	metrics.getAllConnectedPeersDurationMs.Record(metrics.ctx, duration.Milliseconds())
 	metrics.getAllConnectedPeersDurationMicro.Record(metrics.ctx, duration.Microseconds())
 	metrics.getAllConnectedPeers.Record(metrics.ctx, int64(peers))
 }
+
+// CountHasChannelDuration counts the duration of the HasChannel method
+func (metrics *UpdateChannelMetrics) CountHasChannelDuration(duration time.Duration) {
+	metrics.hasChannelDurationMicro.Record(metrics.ctx, duration.Microseconds())
+}
--- a/management/server/updatechannel.go
+++ b/management/server/updatechannel.go
@@ -151,3 +151,21 @@ func (p *PeersUpdateManager) GetAllConnectedPeers() map[string]struct{} {

 	return m
 }
+
+// HasChannel returns true if peers has channel in update manager, otherwise false
+func (p *PeersUpdateManager) HasChannel(peerID string) bool {
+	start := time.Now()
+
+	p.channelsMux.Lock()
+
+	defer func() {
+		p.channelsMux.Unlock()
+		if p.metrics != nil {
+			p.metrics.UpdateChannelMetrics().CountHasChannelDuration(time.Since(start))
+		}
+	}()
+
+	_, ok := p.peerChannels[peerID]
+
+	return ok
+}
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -11,6 +11,7 @@ import (
 	"github.com/netbirdio/netbird/management/server/activity"
 	"github.com/netbirdio/netbird/management/server/idp"
 	"github.com/netbirdio/netbird/management/server/jwtclaims"
+	nbpeer "github.com/netbirdio/netbird/management/server/peer"
 	"github.com/netbirdio/netbird/management/server/status"
 )

@@ -1034,7 +1035,7 @@ func (am *DefaultAccountManager) GetUsersFromAccount(accountID, userID string) (
 }

 // expireAndUpdatePeers expires all peers of the given user and updates them in the account
-func (am *DefaultAccountManager) expireAndUpdatePeers(account *Account, peers []*Peer) error {
+func (am *DefaultAccountManager) expireAndUpdatePeers(account *Account, peers []*nbpeer.Peer) error {
 	var peerIDs []string
 	for _, peer := range peers {
 		if peer.Status.LoginExpired {
Author	SHA1	Message	Date
Zoltan Papp	6a279c698c	code cleaning	2023-12-07 18:29:00 +01:00
Pascal Fischer	ca9ea29255	remove development logs	2023-12-06 16:57:56 +01:00
Pascal Fischer	148a537c19	remove unused engine listener	2023-12-06 16:32:39 +01:00
Pascal Fischer	c88e8139c7	revert exported HostDNSConfig	2023-12-06 16:13:31 +01:00
Pascal Fischer	f854ec9bb6	re-arrange duration calculation	2023-12-06 15:46:38 +01:00
Pascal Fischer	d6d2e64247	Fix linter	2023-12-06 14:53:42 +01:00
Pascal Fischer	5f3f5dc1c6	Fix some of the remarks from the linter	2023-12-06 14:01:57 +01:00
Pascal Fischer	0f7343dd58	Revert back to disabling upstream on no response	2023-12-06 13:22:40 +01:00
Pascal Fischer	71f1cf80b8	Fix engine null pointer with mobile dependencies for other OS	2023-12-06 13:02:32 +01:00
Pascal Fischer	975e8e816a	Fix dns server and upstream tests	2023-12-06 12:46:45 +01:00
Pascal Fischer	e03c07a3dc	Update mock Server	2023-12-06 12:24:58 +01:00
Pascal Fischer	ad1cf388fb	Extract private upstream for iOS and fix function headers for other OS	2023-12-06 12:09:23 +01:00
pascal-fischer	5f96c566ab	Merge branch 'main' into feature/add-ios-support	2023-12-06 11:52:27 +01:00
Yury Gargay	27ed88f918	Implement lightweight method to check is peer has update channel (#1351 ) Instead of GetAllConnectedPeers that need to traverse the whole connections map in order to find one channel there.	2023-12-05 14:17:56 +01:00
pascal-fischer	45fc89b2c9	Merge pull request #1355 from netbirdio/chore/update-integrations-branch-reference Chore: clean gomod reference	2023-12-05 13:13:14 +01:00
Pascal Fischer	f822a58326	go mod tidy	2023-12-05 12:54:01 +01:00
Pascal Fischer	d1f13025d1	switch back to use netbird main	2023-12-05 12:39:15 +01:00
pascal-fischer	3f8b500f0b	Merge pull request #1341 from netbirdio/feature/peer-approval Add peer and settings validation	2023-12-05 12:11:14 +01:00
Maycon Santos	0d2db4b172	update API doc	2023-12-04 19:02:16 +01:00
Pascal Fischer	7a18dea766	go mod tidy	2023-12-04 17:35:56 +01:00
pascal-fischer	ae5f69562d	Merge branch 'main' into feature/peer-approval	2023-12-04 17:34:53 +01:00
pascal-fischer	755ffcfc73	Merge pull request #1353 from netbirdio/feature/extend-add-peer-event-with-setup-key Extend add peer event meta with setup key name	2023-12-04 17:33:50 +01:00
Pascal Fischer	dc8f55f23e	remove dependency cycle from prepare peer	2023-12-04 16:26:34 +01:00
Pascal Fischer	89249b414f	move peer validation into getPeerconnectionResources	2023-12-04 14:53:38 +01:00
Pascal Fischer	92adf57fea	fix map assignment	2023-12-04 13:49:46 +01:00
Pascal Fischer	1cd5a66575	adding setup key name to the event meta for adding peers by setup key	2023-12-04 13:00:13 +01:00
Pascal Fischer	b9fc008542	extract peer preparation	2023-12-04 12:49:50 +01:00
pascal-fischer	d5bf79bc51	Merge branch 'main' into feature/peer-approval	2023-12-01 18:12:59 +01:00
Pascal Fischer	4bf574037f	fix sql store	2023-11-30 11:51:35 +01:00
Pascal Fischer	47c44d4b87	fix imports in sqlite store test	2023-11-30 11:08:51 +01:00
Pascal Fischer	96f866fb68	add missing imports after refactor	2023-11-29 16:46:46 +01:00
pascal-fischer	141065f14e	Merge branch 'main' into feature/peer-approval	2023-11-29 16:27:01 +01:00
Pascal Fischer	8e74fb1fa8	add account id to validating peer update	2023-11-29 15:57:56 +01:00
Pascal Fischer	ba96e102b4	settings nil check	2023-11-29 15:16:11 +01:00
Pascal Fischer	2129b23fe7	allow sync for and return empty map	2023-11-29 14:56:06 +01:00
Pascal Fischer	efd05ca023	fix api references	2023-11-28 15:15:51 +01:00
Pascal Fischer	c829ad930c	use separate package for signatures	2023-11-28 15:09:04 +01:00
Pascal Fischer	ad1f18a52a	replace with updated integrations	2023-11-28 14:55:20 +01:00
Pascal Fischer	bab420ca77	extract account into separate package	2023-11-28 14:34:57 +01:00
Pascal Fischer	a729c83b06	extract peer into seperate package	2023-11-28 13:45:26 +01:00
Pascal Fischer	a7e55cc5e3	add signatures and frame for peer approval	2023-11-28 11:44:08 +01:00
Pascal Fischer	b7c0eba1e5	add extra settings struct	2023-11-27 17:04:40 +01:00
Pascal Fischer	b2300216bb	disable relay connection for iOS until proxy is refactored into bind	2023-11-16 13:37:34 +01:00
Pascal Fischer	a37c946abe	replace engine listener with connection listener	2023-11-09 19:58:28 +01:00
Pascal Fischer	0a8249e044	add engine ready listener	2023-11-08 16:37:56 +01:00
Pascal Fischer	2b249ab9c9	fix after merge changes	2023-11-07 15:52:19 +01:00
Pascal Fischer	0e7a67cf81	merge main	2023-11-07 15:18:37 +01:00
Pascal Fischer	1c23a0e70c	fix panic on no dns response	2023-11-07 10:12:58 +01:00
Pascal Fischer	5632d222cc	switching between client to query upstream	2023-11-06 12:32:25 +01:00
Pascal Fischer	e193df3bc7	fix metadata send on startup	2023-11-04 19:46:47 +01:00
Maycon Santos	65052e5cba	use dns.Client.Exchange	2023-11-03 20:35:52 +01:00
Pascal Fischer	64084ca130	trying to bind the DNS resolver dialer to an interface	2023-11-03 14:26:07 +01:00
Pascal Fischer	79f60b86c4	fix route deletion	2023-10-27 17:44:58 +02:00
Pascal Fischer	de46393a7c	updated	2023-10-23 18:31:40 +02:00
Pascal Fischer	c4c59ed3a7	fix	2023-10-09 14:59:21 +02:00
Pascal Fischer	7f958e9338	trying to add DNS	2023-10-09 14:58:48 +02:00
Pascal Fischer	91b45eab98	Merge remote-tracking branch 'origin/main' into local/engine-restart	2023-10-06 16:33:01 +02:00
Pascal Fischer	ec8eb76b42	small refactor for better code quality in swift	2023-10-06 16:32:30 +02:00
Pascal Fischer	8b8e4bbc6a	support for routes and working connection	2023-10-05 20:15:44 +02:00
Pascal Fischer	e733cdcf33	first working connection	2023-09-25 13:02:56 +02:00
Pascal Fischer	cdbe9c4eef	Merge branch 'main' into local/engine-restart	2023-09-21 16:43:03 +02:00
Pascal Fischer	8653c32367	logger and first client	2023-09-21 16:42:44 +02:00
Pascal Fischer	6743054451	inject logger that does not compile	2023-08-17 13:35:38 +02:00
Pascal Fischer	7f7e10121d	starting engine by passing file descriptor on engine start	2023-08-09 15:21:53 +02:00