Fix lint

When there is a connection issue with the
 root zone upstream we remove it from the
 dns mux, and we need to add it again

.github/workflows/release.yml

@@ -7,17 +7,7 @@ on:
     branches:
       - main
   pull_request:
-    paths:
-      - 'go.mod'
-      - 'go.sum'
-      - '.goreleaser.yml'
-      - '.goreleaser_ui.yaml'
-      - '.goreleaser_ui_darwin.yaml'
-      - '.github/workflows/release.yml'
-      - 'release_files/**'
-      - '**/Dockerfile'
-      - '**/Dockerfile.*'
-      - 'client/ui/**'
+
 
 env:
   SIGN_PIPE_VER: "v0.0.11"
@@ -106,6 +96,27 @@ jobs:
           name: release
           path: dist/
           retention-days: 3
+      -
+        name: upload linux packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: linux-packages
+          path: dist/netbird_linux**
+          retention-days: 3
+      -
+        name: upload windows packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: windows-packages
+          path: dist/netbird_windows**
+          retention-days: 3
+      -
+        name: upload macos packages
+        uses: actions/upload-artifact@v3
+        with:
+          name: macos-packages
+          path: dist/netbird_darwin**
+          retention-days: 3
 
   release_ui:
     runs-on: ubuntu-latest

client/android/client.go

@@ -101,7 +101,8 @@ func (c *Client) Run(urlOpener URLOpener, dns *DNSList, dnsReadyListener DnsRead
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // RunWithoutLogin we apply this type of run function when the backed has been started without UI (i.e. after reboot).
@@ -126,7 +127,8 @@ func (c *Client) RunWithoutLogin(dns *DNSList, dnsReadyListener DnsReadyListener
 
 	// todo do not throw error in case of cancelled context
 	ctx = internal.CtxInitState(ctx)
-	return internal.RunClientMobile(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
+	connectClient := internal.NewConnectClient(ctx, cfg, c.recorder)
+	return connectClient.RunOnAndroid(c.tunAdapter, c.iFaceDiscover, c.networkChangeListener, dns.items, dnsReadyListener)
 }
 
 // Stop the internal client and free the resources

client/cmd/up.go

@@ -152,7 +152,9 @@ func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
 	var cancel context.CancelFunc
 	ctx, cancel = context.WithCancel(ctx)
 	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
+
+	connectClient := internal.NewConnectClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()))
+	return connectClient.Run()
 }
 
 func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {

client/firewall/uspfilter/allow_netbird_windows.go

@@ -64,15 +64,18 @@ func manageFirewallRule(ruleName string, action action, extraArgs ...string) err
 	if action == addRule {
 		args = append(args, extraArgs...)
 	}
-
-	cmd := exec.Command("netsh", args...)
+	netshCmd := GetSystem32Command("netsh")
+	cmd := exec.Command(netshCmd, args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	return cmd.Run()
 }
 
 func isWindowsFirewallReachable() bool {
 	args := []string{"advfirewall", "show", "allprofiles", "state"}
-	cmd := exec.Command("netsh", args...)
+
+	netshCmd := GetSystem32Command("netsh")
+
+	cmd := exec.Command(netshCmd, args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 
 	_, err := cmd.Output()
@@ -87,8 +90,23 @@ func isWindowsFirewallReachable() bool {
 func isFirewallRuleActive(ruleName string) bool {
 	args := []string{"advfirewall", "firewall", "show", "rule", "name=" + ruleName}
 
-	cmd := exec.Command("netsh", args...)
+	netshCmd := GetSystem32Command("netsh")
+
+	cmd := exec.Command(netshCmd, args...)
 	cmd.SysProcAttr = &syscall.SysProcAttr{HideWindow: true}
 	_, err := cmd.Output()
 	return err == nil
 }
+
+// GetSystem32Command checks if a command can be found in the system path and returns it. In case it can't find it
+// in the path it will return the full path of a command assuming C:\windows\system32 as the base path.
+func GetSystem32Command(command string) string {
+	_, err := exec.LookPath(command)
+	if err == nil {
+		return command
+	}
+
+	log.Tracef("Command %s not found in PATH, using C:\\windows\\system32\\%s.exe path", command, command)
+
+	return "C:\\windows\\system32\\" + command + ".exe"
+}

client/internal/config.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"net/url"
 	"os"
+	"reflect"
+	"strings"
 
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
@@ -102,6 +104,14 @@ func ReadConfig(configPath string) (*Config, error) {
 		if _, err := util.ReadJson(configPath, config); err != nil {
 			return nil, err
 		}
+		// initialize through apply() without changes
+		if changed, err := config.apply(ConfigInput{}); err != nil {
+			return nil, err
+		} else if changed {
+			if err = WriteOutConfig(configPath, config); err != nil {
+				return nil, err
+			}
+		}
 
 		return config, nil
 	}
@@ -154,83 +164,15 @@ func WriteOutConfig(path string, config *Config) error {
 
 // createNewConfig creates a new config generating a new Wireguard key and saving to file
 func createNewConfig(input ConfigInput) (*Config, error) {
-	wgKey := generateKey()
-	pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-	if err != nil {
-		return nil, err
-	}
-
 	config := &Config{
-		SSHKey:               string(pem),
-		PrivateKey:           wgKey,
-		IFaceBlackList:       []string{},
-		DisableIPv6Discovery: false,
-		NATExternalIPs:       input.NATExternalIPs,
-		CustomDNSAddress:     string(input.CustomDNSAddress),
-		ServerSSHAllowed:     util.False(),
-		DisableAutoConnect:   false,
+		// defaults to false only for new (post 0.26) configurations
+		ServerSSHAllowed: util.False(),
 	}
 
-	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
-	if err != nil {
+	if _, err := config.apply(input); err != nil {
 		return nil, err
 	}
 
-	config.ManagementURL = defaultManagementURL
-	if input.ManagementURL != "" {
-		URL, err := parseURL("Management URL", input.ManagementURL)
-		if err != nil {
-			return nil, err
-		}
-		config.ManagementURL = URL
-	}
-
-	config.WgPort = iface.DefaultWgPort
-	if input.WireguardPort != nil {
-		config.WgPort = *input.WireguardPort
-	}
-
-	if input.NetworkMonitor != nil {
-		config.NetworkMonitor = *input.NetworkMonitor
-	}
-
-	config.WgIface = iface.WgInterfaceDefault
-	if input.InterfaceName != nil {
-		config.WgIface = *input.InterfaceName
-	}
-
-	if input.PreSharedKey != nil {
-		config.PreSharedKey = *input.PreSharedKey
-	}
-
-	if input.RosenpassEnabled != nil {
-		config.RosenpassEnabled = *input.RosenpassEnabled
-	}
-
-	if input.RosenpassPermissive != nil {
-		config.RosenpassPermissive = *input.RosenpassPermissive
-	}
-
-	if input.ServerSSHAllowed != nil {
-		config.ServerSSHAllowed = input.ServerSSHAllowed
-	}
-
-	defaultAdminURL, err := parseURL("Admin URL", DefaultAdminURL)
-	if err != nil {
-		return nil, err
-	}
-
-	config.AdminURL = defaultAdminURL
-	if input.AdminURL != "" {
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
-		if err != nil {
-			return nil, err
-		}
-		config.AdminURL = newURL
-	}
-
-	// nolint:gocritic
-	config.IFaceBlackList = append(defaultInterfaceBlacklist, input.ExtraIFaceBlackList...)
 	return config, nil
 }
 
@@ -241,109 +183,12 @@ func update(input ConfigInput) (*Config, error) {
 		return nil, err
 	}
 
-	refresh := false
-
-	if input.ManagementURL != "" && config.ManagementURL.String() != input.ManagementURL {
-		log.Infof("new Management URL provided, updated to %s (old value %s)",
-			input.ManagementURL, config.ManagementURL)
-		newURL, err := parseURL("Management URL", input.ManagementURL)
-		if err != nil {
-			return nil, err
-		}
-		config.ManagementURL = newURL
-		refresh = true
+	updated, err := config.apply(input)
+	if err != nil {
+		return nil, err
 	}
 
-	if input.AdminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != input.AdminURL) {
-		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
-			input.AdminURL, config.AdminURL)
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
-		if err != nil {
-			return nil, err
-		}
-		config.AdminURL = newURL
-		refresh = true
-	}
-
-	if input.PreSharedKey != nil && config.PreSharedKey != *input.PreSharedKey {
-		log.Infof("new pre-shared key provided, replacing old key")
-		config.PreSharedKey = *input.PreSharedKey
-		refresh = true
-	}
-
-	if config.SSHKey == "" {
-		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-		if err != nil {
-			return nil, err
-		}
-		config.SSHKey = string(pem)
-		refresh = true
-	}
-
-	if config.WgPort == 0 {
-		config.WgPort = iface.DefaultWgPort
-		refresh = true
-	}
-
-	if input.NetworkMonitor != nil {
-		config.NetworkMonitor = *input.NetworkMonitor
-		refresh = true
-	}
-
-	if input.WireguardPort != nil {
-		config.WgPort = *input.WireguardPort
-		refresh = true
-	}
-
-	if input.InterfaceName != nil {
-		config.WgIface = *input.InterfaceName
-		refresh = true
-	}
-
-	if input.NATExternalIPs != nil && len(config.NATExternalIPs) != len(input.NATExternalIPs) {
-		config.NATExternalIPs = input.NATExternalIPs
-		refresh = true
-	}
-
-	if input.CustomDNSAddress != nil {
-		config.CustomDNSAddress = string(input.CustomDNSAddress)
-		refresh = true
-	}
-
-	if input.RosenpassEnabled != nil {
-		config.RosenpassEnabled = *input.RosenpassEnabled
-		refresh = true
-	}
-
-	if input.RosenpassPermissive != nil {
-		config.RosenpassPermissive = *input.RosenpassPermissive
-		refresh = true
-	}
-
-	if input.DisableAutoConnect != nil {
-		config.DisableAutoConnect = *input.DisableAutoConnect
-		refresh = true
-	}
-
-	if input.ServerSSHAllowed != nil {
-		config.ServerSSHAllowed = input.ServerSSHAllowed
-		refresh = true
-	}
-
-	if config.ServerSSHAllowed == nil {
-		config.ServerSSHAllowed = util.True()
-		refresh = true
-	}
-
-	if len(input.ExtraIFaceBlackList) > 0 {
-		for _, iFace := range util.SliceDiff(input.ExtraIFaceBlackList, config.IFaceBlackList) {
-			config.IFaceBlackList = append(config.IFaceBlackList, iFace)
-			refresh = true
-		}
-	}
-
-	if refresh {
-		// since we have new management URL, we need to update config file
+	if updated {
 		if err := util.WriteJson(input.ConfigPath, config); err != nil {
 			return nil, err
 		}
@@ -352,6 +197,169 @@ func update(input ConfigInput) (*Config, error) {
 	return config, nil
 }
 
+func (config *Config) apply(input ConfigInput) (updated bool, err error) {
+	if config.ManagementURL == nil {
+		log.Infof("using default Management URL %s", DefaultManagementURL)
+		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
+		if err != nil {
+			return false, err
+		}
+	}
+	if input.ManagementURL != "" && input.ManagementURL != config.ManagementURL.String() {
+		log.Infof("new Management URL provided, updated to %#v (old value %#v)",
+			input.ManagementURL, config.ManagementURL.String())
+		URL, err := parseURL("Management URL", input.ManagementURL)
+		if err != nil {
+			return false, err
+		}
+		config.ManagementURL = URL
+		updated = true
+	} else if config.ManagementURL == nil {
+		log.Infof("using default Management URL %s", DefaultManagementURL)
+		config.ManagementURL, err = parseURL("Management URL", DefaultManagementURL)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	if config.AdminURL == nil {
+		log.Infof("using default Admin URL %s", DefaultManagementURL)
+		config.AdminURL, err = parseURL("Admin URL", DefaultAdminURL)
+		if err != nil {
+			return false, err
+		}
+	}
+	if input.AdminURL != "" && input.AdminURL != config.AdminURL.String() {
+		log.Infof("new Admin Panel URL provided, updated to %#v (old value %#v)",
+			input.AdminURL, config.AdminURL.String())
+		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
+		if err != nil {
+			return updated, err
+		}
+		config.AdminURL = newURL
+		updated = true
+	}
+
+	if config.PrivateKey == "" {
+		log.Infof("generated new Wireguard key")
+		config.PrivateKey = generateKey()
+		updated = true
+	}
+
+	if config.SSHKey == "" {
+		log.Infof("generated new SSH key")
+		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
+		if err != nil {
+			return false, err
+		}
+		config.SSHKey = string(pem)
+		updated = true
+	}
+
+	if input.WireguardPort != nil && *input.WireguardPort != config.WgPort {
+		log.Infof("updating Wireguard port %d (old value %d)",
+			*input.WireguardPort, config.WgPort)
+		config.WgPort = *input.WireguardPort
+		updated = true
+	} else if config.WgPort == 0 {
+		config.WgPort = iface.DefaultWgPort
+		log.Infof("using default Wireguard port %d", config.WgPort)
+		updated = true
+	}
+
+	if input.InterfaceName != nil && *input.InterfaceName != config.WgIface {
+		log.Infof("updating Wireguard interface %#v (old value %#v)",
+			*input.InterfaceName, config.WgIface)
+		config.WgIface = *input.InterfaceName
+		updated = true
+	} else if config.WgIface == "" {
+		config.WgIface = iface.WgInterfaceDefault
+		log.Infof("using default Wireguard interface %s", config.WgIface)
+		updated = true
+	}
+
+	if input.NATExternalIPs != nil && !reflect.DeepEqual(config.NATExternalIPs, input.NATExternalIPs) {
+		log.Infof("updating NAT External IP [ %s ] (old value: [ %s ])",
+			strings.Join(input.NATExternalIPs, " "),
+			strings.Join(config.NATExternalIPs, " "))
+		config.NATExternalIPs = input.NATExternalIPs
+		updated = true
+	}
+
+	if input.PreSharedKey != nil && *input.PreSharedKey != config.PreSharedKey {
+		log.Infof("new pre-shared key provided, replacing old key")
+		config.PreSharedKey = *input.PreSharedKey
+		updated = true
+	}
+
+	if input.RosenpassEnabled != nil && *input.RosenpassEnabled != config.RosenpassEnabled {
+		log.Infof("switching Rosenpass to %t", *input.RosenpassEnabled)
+		config.RosenpassEnabled = *input.RosenpassEnabled
+		updated = true
+	}
+
+	if input.RosenpassPermissive != nil && *input.RosenpassPermissive != config.RosenpassPermissive {
+		log.Infof("switching Rosenpass permissive to %t", *input.RosenpassPermissive)
+		config.RosenpassPermissive = *input.RosenpassPermissive
+		updated = true
+	}
+
+	if input.NetworkMonitor != nil && *input.NetworkMonitor != config.NetworkMonitor {
+		log.Infof("switching Network Monitor to %t", *input.NetworkMonitor)
+		config.NetworkMonitor = *input.NetworkMonitor
+		updated = true
+	}
+
+	if input.CustomDNSAddress != nil && string(input.CustomDNSAddress) != config.CustomDNSAddress {
+		log.Infof("updating custom DNS address %#v (old value %#v)",
+			string(input.CustomDNSAddress), config.CustomDNSAddress)
+		config.CustomDNSAddress = string(input.CustomDNSAddress)
+		updated = true
+	}
+
+	if len(config.IFaceBlackList) == 0 {
+		log.Infof("filling in interface blacklist with defaults: [ %s ]",
+			strings.Join(defaultInterfaceBlacklist, " "))
+		config.IFaceBlackList = append(config.IFaceBlackList, defaultInterfaceBlacklist...)
+		updated = true
+	}
+
+	if len(input.ExtraIFaceBlackList) > 0 {
+		for _, iFace := range util.SliceDiff(input.ExtraIFaceBlackList, config.IFaceBlackList) {
+			log.Infof("adding new entry to interface blacklist: %s", iFace)
+			config.IFaceBlackList = append(config.IFaceBlackList, iFace)
+			updated = true
+		}
+	}
+
+	if input.DisableAutoConnect != nil && *input.DisableAutoConnect != config.DisableAutoConnect {
+		if *input.DisableAutoConnect {
+			log.Infof("turning off automatic connection on startup")
+		} else {
+			log.Infof("enabling automatic connection on startup")
+		}
+		config.DisableAutoConnect = *input.DisableAutoConnect
+		updated = true
+	}
+
+	if input.ServerSSHAllowed != nil && *input.ServerSSHAllowed != *config.ServerSSHAllowed {
+		if *input.ServerSSHAllowed {
+			log.Infof("enabling SSH server")
+		} else {
+			log.Infof("disabling SSH server")
+		}
+		config.ServerSSHAllowed = input.ServerSSHAllowed
+		updated = true
+	} else if config.ServerSSHAllowed == nil {
+		// enables SSH for configs from old versions to preserve backwards compatibility
+		log.Infof("falling back to enabled SSH server for pre-existing configuration")
+		config.ServerSSHAllowed = util.True()
+		updated = true
+	}
+
+	return updated, nil
+}
+
 // parseURL parses and validates a service URL
 func parseURL(serviceName, serviceURL string) (*url.URL, error) {
 	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)

client/internal/connect.go

@@ -7,6 +7,7 @@ import (
 	"runtime"
 	"runtime/debug"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/cenkalti/backoff/v4"
@@ -29,30 +30,45 @@ import (
 	"github.com/netbirdio/netbird/version"
 )
 
-// RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status) error {
-	return runClient(ctx, config, statusRecorder, MobileDependency{}, nil, nil, nil, nil, nil)
+type ConnectClient struct {
+	ctx            context.Context
+	config         *Config
+	statusRecorder *peer.Status
+	engine         *Engine
+	engineMutex    sync.Mutex
 }
 
-// RunClientWithProbes runs the client's main logic with probes attached
-func RunClientWithProbes(
+func NewConnectClient(
 	ctx context.Context,
 	config *Config,
 	statusRecorder *peer.Status,
+
+) *ConnectClient {
+	return &ConnectClient{
+		ctx:            ctx,
+		config:         config,
+		statusRecorder: statusRecorder,
+		engineMutex:    sync.Mutex{},
+	}
+}
+
+// Run with main logic.
+func (c *ConnectClient) Run() error {
+	return c.run(MobileDependency{}, nil, nil, nil, nil)
+}
+
+// RunWithProbes runs the client's main logic with probes attached
+func (c *ConnectClient) RunWithProbes(
 	mgmProbe *Probe,
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
-	engineChan chan<- *Engine,
 ) error {
-	return runClient(ctx, config, statusRecorder, MobileDependency{}, mgmProbe, signalProbe, relayProbe, wgProbe, engineChan)
+	return c.run(MobileDependency{}, mgmProbe, signalProbe, relayProbe, wgProbe)
 }
 
-// RunClientMobile with main logic on mobile system
-func RunClientMobile(
-	ctx context.Context,
-	config *Config,
-	statusRecorder *peer.Status,
+// RunOnAndroid with main logic on mobile system
+func (c *ConnectClient) RunOnAndroid(
 	tunAdapter iface.TunAdapter,
 	iFaceDiscover stdnet.ExternalIFaceDiscover,
 	networkChangeListener listener.NetworkChangeListener,
@@ -67,13 +83,10 @@ func RunClientMobile(
 		HostDNSAddresses:      dnsAddresses,
 		DnsReadyListener:      dnsReadyListener,
 	}
-	return runClient(ctx, config, statusRecorder, mobileDependency, nil, nil, nil, nil, nil)
+	return c.run(mobileDependency, nil, nil, nil, nil)
 }
 
-func RunClientiOS(
-	ctx context.Context,
-	config *Config,
-	statusRecorder *peer.Status,
+func (c *ConnectClient) RunOniOS(
 	fileDescriptor int32,
 	networkChangeListener listener.NetworkChangeListener,
 	dnsManager dns.IosDnsManager,
@@ -83,19 +96,15 @@ func RunClientiOS(
 		NetworkChangeListener: networkChangeListener,
 		DnsManager:            dnsManager,
 	}
-	return runClient(ctx, config, statusRecorder, mobileDependency, nil, nil, nil, nil, nil)
+	return c.run(mobileDependency, nil, nil, nil, nil)
 }
 
-func runClient(
-	ctx context.Context,
-	config *Config,
-	statusRecorder *peer.Status,
+func (c *ConnectClient) run(
 	mobileDependency MobileDependency,
 	mgmProbe *Probe,
 	signalProbe *Probe,
 	relayProbe *Probe,
 	wgProbe *Probe,
-	engineChan chan<- *Engine,
 ) error {
 	defer func() {
 		if r := recover(); r != nil {
@@ -107,7 +116,7 @@ func runClient(
 
 	// Check if client was not shut down in a clean way and restore DNS config if required.
 	// Otherwise, we might not be able to connect to the management server to retrieve new config.
-	if err := dns.CheckUncleanShutdown(config.WgIface); err != nil {
+	if err := dns.CheckUncleanShutdown(c.config.WgIface); err != nil {
 		log.Errorf("checking unclean shutdown error: %s", err)
 	}
 
@@ -121,7 +130,7 @@ func runClient(
 		Clock:               backoff.SystemClock,
 	}
 
-	state := CtxGetState(ctx)
+	state := CtxGetState(c.ctx)
 	defer func() {
 		s, err := state.Status()
 		if err != nil || s != StatusNeedsLogin {
@@ -130,49 +139,49 @@ func runClient(
 	}()
 
 	wrapErr := state.Wrap
-	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	myPrivateKey, err := wgtypes.ParseKey(c.config.PrivateKey)
 	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		log.Errorf("failed parsing Wireguard key %s: [%s]", c.config.PrivateKey, err.Error())
 		return wrapErr(err)
 	}
 
 	var mgmTlsEnabled bool
-	if config.ManagementURL.Scheme == "https" {
+	if c.config.ManagementURL.Scheme == "https" {
 		mgmTlsEnabled = true
 	}
 
-	publicSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
+	publicSSHKey, err := ssh.GeneratePublicKey([]byte(c.config.SSHKey))
 	if err != nil {
 		return err
 	}
 
-	defer statusRecorder.ClientStop()
+	defer c.statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
 		select {
-		case <-ctx.Done():
+		case <-c.ctx.Done():
 			return nil
 		default:
 		}
 
 		state.Set(StatusConnecting)
 
-		engineCtx, cancel := context.WithCancel(ctx)
+		engineCtx, cancel := context.WithCancel(c.ctx)
 		defer func() {
-			statusRecorder.MarkManagementDisconnected(state.err)
-			statusRecorder.CleanLocalPeerState()
+			c.statusRecorder.MarkManagementDisconnected(state.err)
+			c.statusRecorder.CleanLocalPeerState()
 			cancel()
 		}()
 
-		log.Debugf("connecting to the Management service %s", config.ManagementURL.Host)
-		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+		log.Debugf("connecting to the Management service %s", c.config.ManagementURL.Host)
+		mgmClient, err := mgm.NewClient(engineCtx, c.config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
 			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
 		}
-		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
+		mgmNotifier := statusRecorderToMgmConnStateNotifier(c.statusRecorder)
 		mgmClient.SetConnStateListener(mgmNotifier)
 
-		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
+		log.Debugf("connected to the Management service %s", c.config.ManagementURL.Host)
 		defer func() {
 			err = mgmClient.Close()
 			if err != nil {
@@ -190,7 +199,7 @@ func runClient(
 			}
 			return wrapErr(err)
 		}
-		statusRecorder.MarkManagementConnected()
+		c.statusRecorder.MarkManagementConnected()
 
 		localPeerState := peer.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
@@ -199,18 +208,18 @@ func runClient(
 			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
 		}
 
-		statusRecorder.UpdateLocalPeerState(localPeerState)
+		c.statusRecorder.UpdateLocalPeerState(localPeerState)
 
 		signalURL := fmt.Sprintf("%s://%s",
 			strings.ToLower(loginResp.GetWiretrusteeConfig().GetSignal().GetProtocol().String()),
 			loginResp.GetWiretrusteeConfig().GetSignal().GetUri(),
 		)
 
-		statusRecorder.UpdateSignalAddress(signalURL)
+		c.statusRecorder.UpdateSignalAddress(signalURL)
 
-		statusRecorder.MarkSignalDisconnected(nil)
+		c.statusRecorder.MarkSignalDisconnected(nil)
 		defer func() {
-			statusRecorder.MarkSignalDisconnected(state.err)
+			c.statusRecorder.MarkSignalDisconnected(state.err)
 		}()
 
 		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
@@ -226,42 +235,38 @@ func runClient(
 			}
 		}()
 
-		signalNotifier := statusRecorderToSignalConnStateNotifier(statusRecorder)
+		signalNotifier := statusRecorderToSignalConnStateNotifier(c.statusRecorder)
 		signalClient.SetConnStateListener(signalNotifier)
 
-		statusRecorder.MarkSignalConnected()
+		c.statusRecorder.MarkSignalConnected()
 
 		peerConfig := loginResp.GetPeerConfig()
 
-		engineConfig, err := createEngineConfig(myPrivateKey, config, peerConfig)
+		engineConfig, err := createEngineConfig(myPrivateKey, c.config, peerConfig)
 		if err != nil {
 			log.Error(err)
 			return wrapErr(err)
 		}
 
-		engine := NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe)
-		err = engine.Start()
+		c.engineMutex.Lock()
+		c.engine = NewEngineWithProbes(engineCtx, cancel, signalClient, mgmClient, engineConfig, mobileDependency, c.statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe)
+		c.engineMutex.Unlock()
+
+		err = c.engine.Start()
 		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
 			return wrapErr(err)
 		}
-		if engineChan != nil {
-			engineChan <- engine
-		}
 
 		log.Infof("Netbird engine started, the IP is: %s", peerConfig.GetAddress())
 		state.Set(StatusConnected)
 
 		<-engineCtx.Done()
-		statusRecorder.ClientTeardown()
+		c.statusRecorder.ClientTeardown()
 
 		backOff.Reset()
 
-		if engineChan != nil {
-			engineChan <- nil
-		}
-
-		err = engine.Stop()
+		err = c.engine.Stop()
 		if err != nil {
 			log.Errorf("failed stopping engine %v", err)
 			return wrapErr(err)
@@ -276,7 +281,7 @@ func runClient(
 		return nil
 	}
 
-	statusRecorder.ClientStart()
+	c.statusRecorder.ClientStart()
 	err = backoff.Retry(operation, backOff)
 	if err != nil {
 		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
@@ -288,6 +293,14 @@ func runClient(
 	return nil
 }
 
+func (c *ConnectClient) Engine() *Engine {
+	var e *Engine
+	c.engineMutex.Lock()
+	e = c.engine
+	c.engineMutex.Unlock()
+	return e
+}
+
 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
 	engineConf := &EngineConfig{

client/internal/dns/server.go

@@ -549,9 +549,7 @@ func (s *DefaultServer) upstreamCallbacks(
 
 		if nsGroup.Primary {
 			s.currentConfig.RouteAll = true
-			if runtime.GOOS == "android" {
-				s.service.RegisterMux(nbdns.RootZone, handler)
-			}
+			s.service.RegisterMux(nbdns.RootZone, handler)
 		}
 		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
 			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")

client/internal/engine.go

@@ -259,7 +259,7 @@ func (e *Engine) Start() error {
 	}
 	e.ctx, e.cancel = context.WithCancel(e.clientCtx)
 
-	e.wgProxyFactory = wgproxy.NewFactory(e.clientCtx, e.config.WgPort)
+	e.wgProxyFactory = wgproxy.NewFactory(e.config.WgPort)
 
 	wgIface, err := e.newWgIface()
 	if err != nil {

client/internal/peer/conn.go

@@ -423,7 +423,7 @@ func (conn *Conn) configureConnection(remoteConn net.Conn, remoteWgPort int, rem
 	var endpoint net.Addr
 	if isRelayCandidate(pair.Local) {
 		log.Debugf("setup relay connection")
-		conn.wgProxy = conn.wgProxyFactory.GetProxy(conn.ctx)
+		conn.wgProxy = conn.wgProxyFactory.GetProxy()
 		endpoint, err = conn.wgProxy.AddTurnConn(remoteConn)
 		if err != nil {
 			return nil, err

client/internal/peer/conn_test.go

@@ -1,7 +1,6 @@
 package peer
 
 import (
-	"context"
 	"sync"
 	"testing"
 	"time"
@@ -36,7 +35,7 @@ func TestNewConn_interfaceFilter(t *testing.T) {
 }
 
 func TestConn_GetKey(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -51,7 +50,7 @@ func TestConn_GetKey(t *testing.T) {
 }
 
 func TestConn_OnRemoteOffer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -88,7 +87,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {
 }
 
 func TestConn_OnRemoteAnswer(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -124,7 +123,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 	wg.Wait()
 }
 func TestConn_Status(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()
@@ -154,7 +153,7 @@ func TestConn_Status(t *testing.T) {
 }
 
 func TestConn_Close(t *testing.T) {
-	wgProxyFactory := wgproxy.NewFactory(context.Background(), connConf.LocalWgPort)
+	wgProxyFactory := wgproxy.NewFactory(connConf.LocalWgPort)
 	defer func() {
 		_ = wgProxyFactory.Free()
 	}()

client/internal/routemanager/manager.go

@@ -174,6 +174,9 @@ func (m *DefaultManager) TriggerSelection(networks route.HAMap) {
 	defer m.mux.Unlock()
 
 	networks = m.routeSelector.FilterSelected(networks)
+
+	m.notifier.onNewRoutes(networks)
+
 	m.stopObsoleteClients(networks)
 
 	for id, routes := range networks {

client/internal/routemanager/notifier.go

@@ -1,6 +1,7 @@
 package routemanager
 
 import (
+	"runtime"
 	"sort"
 	"strings"
 	"sync"
@@ -45,8 +46,15 @@ func (n *notifier) onNewRoutes(idMap route.HAMap) {
 	}
 
 	sort.Strings(newNets)
-	if !n.hasDiff(n.initialRouteRanges, newNets) {
-		return
+	switch runtime.GOOS {
+	case "android":
+		if !n.hasDiff(n.initialRouteRanges, newNets) {
+			return
+		}
+	default:
+		if !n.hasDiff(n.routeRanges, newNets) {
+			return
+		}
 	}
 
 	n.routeRanges = newNets

client/internal/routemanager/systemops_windows.go

@@ -16,6 +16,7 @@ import (
 	log "github.com/sirupsen/logrus"
 	"github.com/yusufpapurcu/wmi"
 
+	"github.com/netbirdio/netbird/client/firewall/uspfilter"
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/iface"
 )
@@ -173,7 +174,9 @@ func addRouteCmd(prefix netip.Prefix, nexthop netip.Addr, intf *net.Interface) e
 		args = append(args, "if", strconv.Itoa(intf.Index))
 	}
 
-	out, err := exec.Command("route", args...).CombinedOutput()
+	routeCmd := uspfilter.GetSystem32Command("route")
+
+	out, err := exec.Command(routeCmd, args...).CombinedOutput()
 	log.Tracef("route %s: %s", strings.Join(args, " "), out)
 	if err != nil {
 		return fmt.Errorf("route add: %w", err)
@@ -202,7 +205,9 @@ func removeFromRouteTable(prefix netip.Prefix, nexthop netip.Addr, _ *net.Interf
 		args = append(args, nexthop.Unmap().String())
 	}
 
-	out, err := exec.Command("route", args...).CombinedOutput()
+	routeCmd := uspfilter.GetSystem32Command("route")
+
+	out, err := exec.Command(routeCmd, args...).CombinedOutput()
 	log.Tracef("route %s: %s", strings.Join(args, " "), out)
 
 	if err != nil {

client/internal/stdnet/filter.go

@@ -1,6 +1,7 @@
 package stdnet
 
 import (
+	"runtime"
 	"strings"
 
 	log "github.com/sirupsen/logrus"
@@ -19,7 +20,7 @@ func InterfaceFilter(disallowList []string) func(string) bool {
 		}
 
 		for _, s := range disallowList {
-			if strings.HasPrefix(iFace, s) {
+			if strings.HasPrefix(iFace, s) && runtime.GOOS != "ios" {
 				log.Tracef("ignoring interface %s - it is not allowed", iFace)
 				return false
 			}

client/internal/wgproxy/factory.go

@@ -1,17 +1,15 @@
 package wgproxy
 
-import "context"
-
 type Factory struct {
 	wgPort    int
 	ebpfProxy Proxy
 }
 
-func (w *Factory) GetProxy(ctx context.Context) Proxy {
+func (w *Factory) GetProxy() Proxy {
 	if w.ebpfProxy != nil {
 		return w.ebpfProxy
 	}
-	return NewWGUserSpaceProxy(ctx, w.wgPort)
+	return NewWGUserSpaceProxy(w.wgPort)
 }
 
 func (w *Factory) Free() error {

client/internal/wgproxy/factory_linux.go

@@ -3,15 +3,13 @@
 package wgproxy
 
 import (
-	"context"
-
 	log "github.com/sirupsen/logrus"
 )
 
-func NewFactory(ctx context.Context, wgPort int) *Factory {
+func NewFactory(wgPort int) *Factory {
 	f := &Factory{wgPort: wgPort}
 
-	ebpfProxy := NewWGEBPFProxy(ctx, wgPort)
+	ebpfProxy := NewWGEBPFProxy(wgPort)
 	err := ebpfProxy.listen()
 	if err != nil {
 		log.Warnf("failed to initialize ebpf proxy, fallback to user space proxy: %s", err)

client/internal/wgproxy/factory_nonlinux.go

@@ -2,8 +2,6 @@
 
 package wgproxy
 
-import "context"
-
-func NewFactory(ctx context.Context, wgPort int) *Factory {
+func NewFactory(wgPort int) *Factory {
 	return &Factory{wgPort: wgPort}
 }

client/internal/wgproxy/proxy_ebpf.go

@@ -3,7 +3,6 @@
 package wgproxy
 
 import (
-	"context"
 	"fmt"
 	"io"
 	"net"
@@ -23,13 +22,9 @@ import (
 
 // WGEBPFProxy definition for proxy with EBPF support
 type WGEBPFProxy struct {
-	ebpfManager ebpfMgr.Manager
-
-	ctx    context.Context
-	cancel context.CancelFunc
-
-	lastUsedPort      uint16
 	localWGListenPort int
+	ebpfManager       ebpfMgr.Manager
+	lastUsedPort      uint16
 
 	turnConnStore map[uint16]net.Conn
 	turnConnMutex sync.Mutex
@@ -39,7 +34,7 @@ type WGEBPFProxy struct {
 }
 
 // NewWGEBPFProxy create new WGEBPFProxy instance
-func NewWGEBPFProxy(ctx context.Context, wgPort int) *WGEBPFProxy {
+func NewWGEBPFProxy(wgPort int) *WGEBPFProxy {
 	log.Debugf("instantiate ebpf proxy")
 	wgProxy := &WGEBPFProxy{
 		localWGListenPort: wgPort,
@@ -47,8 +42,6 @@ func NewWGEBPFProxy(ctx context.Context, wgPort int) *WGEBPFProxy {
 		lastUsedPort:      0,
 		turnConnStore:     make(map[uint16]net.Conn),
 	}
-	wgProxy.ctx, wgProxy.cancel = context.WithCancel(ctx)
-
 	return wgProxy
 }
 
@@ -109,7 +102,6 @@ func (p *WGEBPFProxy) AddTurnConn(turnConn net.Conn) (net.Addr, error) {
 
 // CloseConn doing nothing because this type of proxy implementation does not store the connection
 func (p *WGEBPFProxy) CloseConn() error {
-	p.cancel()
 	return nil
 }
 
@@ -138,28 +130,26 @@ func (p *WGEBPFProxy) Free() error {
 }
 
 func (p *WGEBPFProxy) proxyToLocal(endpointPort uint16, remoteConn net.Conn) {
-	buf := make([]byte, 1500)
-	var err error
 	defer func() {
+		log.Tracef("stop proxying turn traffic to wg: %d", endpointPort)
 		p.removeTurnConn(endpointPort)
 	}()
+
+	buf := make([]byte, 1500)
 	for {
-		select {
-		case <-p.ctx.Done():
+		n, err := remoteConn.Read(buf)
+		if err != nil {
+			if err != io.EOF {
+				log.Errorf("failed to read from turn conn (endpoint: :%d): %s", endpointPort, err)
+			}
 			return
-		default:
-			var n int
-			n, err = remoteConn.Read(buf)
-			if err != nil {
-				if err != io.EOF {
-					log.Errorf("failed to read from turn conn (endpoint: :%d): %s", endpointPort, err)
-				}
+		}
+		err = p.sendPkg(buf[:n], endpointPort)
+		if err != nil {
+			if err == io.EOF {
 				return
 			}
-			err = p.sendPkg(buf[:n], endpointPort)
-			if err != nil {
-				log.Errorf("failed to write out turn pkg to local conn: %v", err)
-			}
+			log.Errorf("failed to write out turn pkg to local conn: %v", err)
 		}
 	}
 }
@@ -168,28 +158,23 @@ func (p *WGEBPFProxy) proxyToLocal(endpointPort uint16, remoteConn net.Conn) {
 func (p *WGEBPFProxy) proxyToRemote() {
 	buf := make([]byte, 1500)
 	for {
-		select {
-		case <-p.ctx.Done():
+		n, addr, err := p.conn.ReadFromUDP(buf)
+		if err != nil {
+			log.Errorf("failed to read UDP pkg from WG: %s", err)
 			return
-		default:
-			n, addr, err := p.conn.ReadFromUDP(buf)
-			if err != nil {
-				log.Errorf("failed to read UDP pkg from WG: %s", err)
-				return
-			}
+		}
 
-			p.turnConnMutex.Lock()
-			conn, ok := p.turnConnStore[uint16(addr.Port)]
-			p.turnConnMutex.Unlock()
-			if !ok {
-				log.Infof("turn conn not found by port: %d", addr.Port)
-				continue
-			}
+		p.turnConnMutex.Lock()
+		conn, ok := p.turnConnStore[uint16(addr.Port)]
+		p.turnConnMutex.Unlock()
+		if !ok {
+			log.Infof("turn conn not found by port: %d", addr.Port)
+			continue
+		}
 
-			_, err = conn.Write(buf[:n])
-			if err != nil {
-				log.Debugf("failed to forward local wg pkg (%d) to remote turn conn: %s", addr.Port, err)
-			}
+		_, err = conn.Write(buf[:n])
+		if err != nil {
+			log.Debugf("failed to forward local wg pkg (%d) to remote turn conn: %s", addr.Port, err)
 		}
 	}
 }
@@ -207,11 +192,9 @@ func (p *WGEBPFProxy) storeTurnConn(turnConn net.Conn) (uint16, error) {
 }
 
 func (p *WGEBPFProxy) removeTurnConn(turnConnID uint16) {
-	log.Tracef("remove turn conn from store by port: %d", turnConnID)
 	p.turnConnMutex.Lock()
 	defer p.turnConnMutex.Unlock()
 	delete(p.turnConnStore, turnConnID)
-
 }
 
 func (p *WGEBPFProxy) nextFreePort() (uint16, error) {
@@ -287,17 +270,20 @@ func (p *WGEBPFProxy) sendPkg(data []byte, port uint16) error {
 
 	err := udpH.SetNetworkLayerForChecksum(ipH)
 	if err != nil {
-		return fmt.Errorf("set network layer for checksum: %w", err)
+		log.Errorf("set network layer for checksum: %s", err)
+		return err
 	}
 
 	layerBuffer := gopacket.NewSerializeBuffer()
 
 	err = gopacket.SerializeLayers(layerBuffer, gopacket.SerializeOptions{ComputeChecksums: true, FixLengths: true}, ipH, udpH, payload)
 	if err != nil {
-		return fmt.Errorf("serialize layers: %w", err)
+		log.Errorf("serialize layers: %s", err)
+		return err
 	}
 	if _, err = p.rawConn.WriteTo(layerBuffer.Bytes(), &net.IPAddr{IP: localhost}); err != nil {
-		return fmt.Errorf("write to raw conn: %w", err)
+		log.Errorf("write to raw conn: %s", err)
+		return err
 	}
 	return nil
 }

client/internal/wgproxy/proxy_ebpf_test.go

@@ -3,12 +3,11 @@
 package wgproxy
 
 import (
-	"context"
 	"testing"
 )
 
 func TestWGEBPFProxy_connStore(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(context.Background(), 1)
+	wgProxy := NewWGEBPFProxy(1)
 
 	p, _ := wgProxy.storeTurnConn(nil)
 	if p != 1 {
@@ -28,7 +27,7 @@ func TestWGEBPFProxy_connStore(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(context.Background(), 1)
+	wgProxy := NewWGEBPFProxy(1)
 
 	_, _ = wgProxy.storeTurnConn(nil)
 	wgProxy.lastUsedPort = 65535
@@ -44,7 +43,7 @@ func TestWGEBPFProxy_portCalculation_overflow(t *testing.T) {
 }
 
 func TestWGEBPFProxy_portCalculation_maxConn(t *testing.T) {
-	wgProxy := NewWGEBPFProxy(context.Background(), 1)
+	wgProxy := NewWGEBPFProxy(1)
 
 	for i := 0; i < 65535; i++ {
 		_, _ = wgProxy.storeTurnConn(nil)

client/internal/wgproxy/proxy_userspace.go

@@ -21,12 +21,12 @@ type WGUserSpaceProxy struct {
 }
 
 // NewWGUserSpaceProxy instantiate a user space WireGuard proxy
-func NewWGUserSpaceProxy(ctx context.Context, wgPort int) *WGUserSpaceProxy {
+func NewWGUserSpaceProxy(wgPort int) *WGUserSpaceProxy {
 	log.Debugf("Initializing new user space proxy with port %d", wgPort)
 	p := &WGUserSpaceProxy{
 		localWGListenPort: wgPort,
 	}
-	p.ctx, p.cancel = context.WithCancel(ctx)
+	p.ctx, p.cancel = context.WithCancel(context.Background())
 	return p
 }
 
@@ -35,7 +35,7 @@ func (p *WGUserSpaceProxy) AddTurnConn(turnConn net.Conn) (net.Addr, error) {
 	p.remoteConn = turnConn
 
 	var err error
-	p.localConn, err = nbnet.NewDialer().DialContext(p.ctx, "udp", fmt.Sprintf(":%d", p.localWGListenPort))
+	p.localConn, err = nbnet.NewDialer().Dial("udp", fmt.Sprintf(":%d", p.localWGListenPort))
 	if err != nil {
 		log.Errorf("failed dialing to local Wireguard port %s", err)
 		return nil, err

client/ios/NetBirdSDK/client.go

@@ -2,10 +2,15 @@ package NetBirdSDK
 
 import (
 	"context"
+	"fmt"
+	"net/netip"
+	"sort"
+	"strings"
 	"sync"
 	"time"
 
 	log "github.com/sirupsen/logrus"
+	"golang.org/x/exp/maps"
 
 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/internal/auth"
@@ -14,6 +19,7 @@ import (
 	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/system"
 	"github.com/netbirdio/netbird/formatter"
+	"github.com/netbirdio/netbird/route"
 )
 
 // ConnectionListener export internal Listener for mobile
@@ -38,6 +44,12 @@ type CustomLogger interface {
 	Error(message string)
 }
 
+type selectRoute struct {
+	NetID    string
+	Network  netip.Prefix
+	Selected bool
+}
+
 func init() {
 	formatter.SetLogcatFormatter(log.StandardLogger())
 }
@@ -55,6 +67,7 @@ type Client struct {
 	onHostDnsFn           func([]string)
 	dnsManager            dns.IosDnsManager
 	loginComplete         bool
+	connectClient         *internal.ConnectClient
 }
 
 // NewClient instantiate a new Client
@@ -107,7 +120,9 @@ func (c *Client) Run(fd int32, interfaceName string) error {
 	ctx = internal.CtxInitState(ctx)
 	c.onHostDnsFn = func([]string) {}
 	cfg.WgIface = interfaceName
-	return internal.RunClientiOS(ctx, cfg, c.recorder, fd, c.networkChangeListener, c.dnsManager)
+
+	c.connectClient = internal.NewConnectClient(ctx, cfg, c.recorder)
+	return c.connectClient.RunOniOS(fd, c.networkChangeListener, c.dnsManager)
 }
 
 // Stop the internal client and free the resources
@@ -133,10 +148,29 @@ func (c *Client) GetStatusDetails() *StatusDetails {
 
 	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
 	for n, p := range fullStatus.Peers {
+		var routes = RoutesDetails{}
+		for r := range p.GetRoutes() {
+			routeInfo := RoutesInfo{r}
+			routes.items = append(routes.items, routeInfo)
+		}
 		pi := PeerInfo{
-			p.IP,
-			p.FQDN,
-			p.ConnStatus.String(),
+			IP:                         p.IP,
+			FQDN:                       p.FQDN,
+			LocalIceCandidateEndpoint:  p.LocalIceCandidateEndpoint,
+			RemoteIceCandidateEndpoint: p.RemoteIceCandidateEndpoint,
+			LocalIceCandidateType:      p.LocalIceCandidateType,
+			RemoteIceCandidateType:     p.RemoteIceCandidateType,
+			PubKey:                     p.PubKey,
+			Latency:                    formatDuration(p.Latency),
+			BytesRx:                    p.BytesRx,
+			BytesTx:                    p.BytesTx,
+			ConnStatus:                 p.ConnStatus.String(),
+			ConnStatusUpdate:           p.ConnStatusUpdate.Format("2006-01-02 15:04:05"),
+			Direct:                     p.Direct,
+			LastWireguardHandshake:     p.LastWireguardHandshake.String(),
+			Relayed:                    p.Relayed,
+			RosenpassEnabled:           p.RosenpassEnabled,
+			Routes:                     routes,
 		}
 		peerInfos[n] = pi
 	}
@@ -223,3 +257,142 @@ func (c *Client) IsLoginComplete() bool {
 func (c *Client) ClearLoginComplete() {
 	c.loginComplete = false
 }
+
+func (c *Client) GetRoutesSelectionDetails() (*RoutesSelectionDetails, error) {
+	if c.connectClient == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	engine := c.connectClient.Engine()
+	if engine == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	routesMap := engine.GetClientRoutesWithNetID()
+	routeSelector := engine.GetRouteManager().GetRouteSelector()
+
+	var routes []*selectRoute
+	for id, rt := range routesMap {
+		if len(rt) == 0 {
+			continue
+		}
+		route := &selectRoute{
+			NetID:    string(id),
+			Network:  rt[0].Network,
+			Selected: routeSelector.IsSelected(id),
+		}
+		routes = append(routes, route)
+	}
+
+	sort.Slice(routes, func(i, j int) bool {
+		iPrefix := routes[i].Network.Bits()
+		jPrefix := routes[j].Network.Bits()
+
+		if iPrefix == jPrefix {
+			iAddr := routes[i].Network.Addr()
+			jAddr := routes[j].Network.Addr()
+			if iAddr == jAddr {
+				return routes[i].NetID < routes[j].NetID
+			}
+			return iAddr.String() < jAddr.String()
+		}
+		return iPrefix < jPrefix
+	})
+
+	var routeSelection []RoutesSelectionInfo
+	for _, r := range routes {
+		routeSelection = append(routeSelection, RoutesSelectionInfo{
+			ID:       r.NetID,
+			Network:  r.Network.String(),
+			Selected: r.Selected,
+		})
+	}
+
+	routeSelectionDetails := RoutesSelectionDetails{items: routeSelection}
+	return &routeSelectionDetails, nil
+}
+
+func (c *Client) SelectRoute(id string) error {
+	if c.connectClient == nil {
+		return fmt.Errorf("not connected")
+	}
+
+	engine := c.connectClient.Engine()
+	if engine == nil {
+		return fmt.Errorf("not connected")
+	}
+
+	routeManager := engine.GetRouteManager()
+	routeSelector := routeManager.GetRouteSelector()
+	if id == "All" {
+		log.Debugf("select all routes")
+		routeSelector.SelectAllRoutes()
+	} else {
+		log.Debugf("select route with id: %s", id)
+		routes := toNetIDs([]string{id})
+		if err := routeSelector.SelectRoutes(routes, true, maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
+			log.Debugf("error when selecting routes: %s", err)
+			return fmt.Errorf("select routes: %w", err)
+		}
+	}
+	routeManager.TriggerSelection(engine.GetClientRoutes())
+	return nil
+
+}
+
+func (c *Client) DeselectRoute(id string) error {
+	if c.connectClient == nil {
+		return fmt.Errorf("not connected")
+	}
+	engine := c.connectClient.Engine()
+	if engine == nil {
+		return fmt.Errorf("not connected")
+	}
+
+	routeManager := engine.GetRouteManager()
+	routeSelector := routeManager.GetRouteSelector()
+	if id == "All" {
+		log.Debugf("deselect all routes")
+		routeSelector.DeselectAllRoutes()
+	} else {
+		log.Debugf("deselect route with id: %s", id)
+		routes := toNetIDs([]string{id})
+		if err := routeSelector.DeselectRoutes(routes, maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
+			log.Debugf("error when deselecting routes: %s", err)
+			return fmt.Errorf("deselect routes: %w", err)
+		}
+	}
+	routeManager.TriggerSelection(engine.GetClientRoutes())
+	return nil
+}
+
+func formatDuration(d time.Duration) string {
+	ds := d.String()
+	dotIndex := strings.Index(ds, ".")
+	if dotIndex != -1 {
+		// Determine end of numeric part, ensuring we stop at two decimal places or the actual end if fewer
+		endIndex := dotIndex + 3
+		if endIndex > len(ds) {
+			endIndex = len(ds)
+		}
+		// Find where the numeric part ends by finding the first non-digit character after the dot
+		unitStart := endIndex
+		for unitStart < len(ds) && (ds[unitStart] >= '0' && ds[unitStart] <= '9') {
+			unitStart++
+		}
+		// Ensures that we only take the unit characters after the numerical part
+		if unitStart < len(ds) {
+			return ds[:endIndex] + ds[unitStart:]
+		}
+		return ds[:endIndex] // In case no units are found after the digits
+	}
+	return ds
+}
+
+func toNetIDs(routes []string) []route.NetID {
+	var netIDs []route.NetID
+	for _, rt := range routes {
+		netIDs = append(netIDs, route.NetID(rt))
+	}
+	return netIDs
+}

client/ios/NetBirdSDK/peer_notifier.go

@@ -2,9 +2,28 @@ package NetBirdSDK
 
 // PeerInfo describe information about the peers. It designed for the UI usage
 type PeerInfo struct {
-	IP         string
-	FQDN       string
-	ConnStatus string // Todo replace to enum
+	IP                         string
+	FQDN                       string
+	LocalIceCandidateEndpoint  string
+	RemoteIceCandidateEndpoint string
+	LocalIceCandidateType      string
+	RemoteIceCandidateType     string
+	PubKey                     string
+	Latency                    string
+	BytesRx                    int64
+	BytesTx                    int64
+	ConnStatus                 string
+	ConnStatusUpdate           string
+	Direct                     bool
+	LastWireguardHandshake     string
+	Relayed                    bool
+	RosenpassEnabled           bool
+	Routes                     RoutesDetails
+}
+
+// GetRoutes return with RouteDetails
+func (p PeerInfo) GetRouteDetails() *RoutesDetails {
+	return &p.Routes
 }
 
 // PeerInfoCollection made for Java layer to get non default types as collection
@@ -16,6 +35,21 @@ type PeerInfoCollection interface {
 	GetIP() string
 }
 
+// RoutesInfoCollection made for Java layer to get non default types as collection
+type RoutesInfoCollection interface {
+	Add(s string) RoutesInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+type RoutesDetails struct {
+	items []RoutesInfo
+}
+
+type RoutesInfo struct {
+	Route string
+}
+
 // StatusDetails is the implementation of the PeerInfoCollection
 type StatusDetails struct {
 	items []PeerInfo
@@ -23,6 +57,22 @@ type StatusDetails struct {
 	ip    string
 }
 
+// Add new PeerInfo to the collection
+func (array RoutesDetails) Add(s RoutesInfo) RoutesDetails {
+	array.items = append(array.items, s)
+	return array
+}
+
+// Get return an element of the collection
+func (array RoutesDetails) Get(i int) *RoutesInfo {
+	return &array.items[i]
+}
+
+// Size return with the size of the collection
+func (array RoutesDetails) Size() int {
+	return len(array.items)
+}
+
 // Add new PeerInfo to the collection
 func (array StatusDetails) Add(s PeerInfo) StatusDetails {
 	array.items = append(array.items, s)

client/ios/NetBirdSDK/routes.go

@@ -0,0 +1,36 @@
+package NetBirdSDK
+
+// RoutesSelectionInfoCollection made for Java layer to get non default types as collection
+type RoutesSelectionInfoCollection interface {
+	Add(s string) RoutesSelectionInfoCollection
+	Get(i int) string
+	Size() int
+}
+
+type RoutesSelectionDetails struct {
+	All    bool
+	Append bool
+	items  []RoutesSelectionInfo
+}
+
+type RoutesSelectionInfo struct {
+	ID       string
+	Network  string
+	Selected bool
+}
+
+// Add new PeerInfo to the collection
+func (array RoutesSelectionDetails) Add(s RoutesSelectionInfo) RoutesSelectionDetails {
+	array.items = append(array.items, s)
+	return array
+}
+
+// Get return an element of the collection
+func (array RoutesSelectionDetails) Get(i int) *RoutesSelectionInfo {
+	return &array.items[i]
+}
+
+// Size return with the size of the collection
+func (array RoutesSelectionDetails) Size() int {
+	return len(array.items)
+}

client/server/route.go

@@ -23,12 +23,17 @@ func (s *Server) ListRoutes(ctx context.Context, req *proto.ListRoutesRequest) (
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	if s.engine == nil {
+	if s.connectClient == nil {
 		return nil, fmt.Errorf("not connected")
 	}
 
-	routesMap := s.engine.GetClientRoutesWithNetID()
-	routeSelector := s.engine.GetRouteManager().GetRouteSelector()
+	engine := s.connectClient.Engine()
+	if engine == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	routesMap := engine.GetClientRoutesWithNetID()
+	routeSelector := engine.GetRouteManager().GetRouteSelector()
 
 	var routes []*selectRoute
 	for id, rt := range routesMap {
@@ -77,17 +82,26 @@ func (s *Server) SelectRoutes(_ context.Context, req *proto.SelectRoutesRequest)
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	routeManager := s.engine.GetRouteManager()
+	if s.connectClient == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	engine := s.connectClient.Engine()
+	if engine == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	routeManager := engine.GetRouteManager()
 	routeSelector := routeManager.GetRouteSelector()
 	if req.GetAll() {
 		routeSelector.SelectAllRoutes()
 	} else {
 		routes := toNetIDs(req.GetRouteIDs())
-		if err := routeSelector.SelectRoutes(routes, req.GetAppend(), maps.Keys(s.engine.GetClientRoutesWithNetID())); err != nil {
+		if err := routeSelector.SelectRoutes(routes, req.GetAppend(), maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
 			return nil, fmt.Errorf("select routes: %w", err)
 		}
 	}
-	routeManager.TriggerSelection(s.engine.GetClientRoutes())
+	routeManager.TriggerSelection(engine.GetClientRoutes())
 
 	return &proto.SelectRoutesResponse{}, nil
 }
@@ -97,17 +111,26 @@ func (s *Server) DeselectRoutes(_ context.Context, req *proto.SelectRoutesReques
 	s.mutex.Lock()
 	defer s.mutex.Unlock()
 
-	routeManager := s.engine.GetRouteManager()
+	if s.connectClient == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	engine := s.connectClient.Engine()
+	if engine == nil {
+		return nil, fmt.Errorf("not connected")
+	}
+
+	routeManager := engine.GetRouteManager()
 	routeSelector := routeManager.GetRouteSelector()
 	if req.GetAll() {
 		routeSelector.DeselectAllRoutes()
 	} else {
 		routes := toNetIDs(req.GetRouteIDs())
-		if err := routeSelector.DeselectRoutes(routes, maps.Keys(s.engine.GetClientRoutesWithNetID())); err != nil {
+		if err := routeSelector.DeselectRoutes(routes, maps.Keys(engine.GetClientRoutesWithNetID())); err != nil {
 			return nil, fmt.Errorf("deselect routes: %w", err)
 		}
 	}
-	routeManager.TriggerSelection(s.engine.GetClientRoutes())
+	routeManager.TriggerSelection(engine.GetClientRoutes())
 
 	return &proto.SelectRoutesResponse{}, nil
 }

client/server/server.go

@@ -57,7 +57,7 @@ type Server struct {
 	config *internal.Config
 	proto.UnimplementedDaemonServiceServer
 
-	engine *internal.Engine
+	connectClient *internal.ConnectClient
 
 	statusRecorder *peer.Status
 	sessionWatcher *internal.SessionWatcher
@@ -143,11 +143,8 @@ func (s *Server) Start() error {
 		s.sessionWatcher.SetOnExpireListener(s.onSessionExpire)
 	}
 
-	engineChan := make(chan *internal.Engine, 1)
-	go s.watchEngine(ctx, engineChan)
-
 	if !config.DisableAutoConnect {
-		go s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe, engineChan)
+		go s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe)
 	}
 
 	return nil
@@ -158,7 +155,6 @@ func (s *Server) Start() error {
 // we cancel retry if the client receive a stop or down command, or if disable auto connect is configured.
 func (s *Server) connectWithRetryRuns(ctx context.Context, config *internal.Config, statusRecorder *peer.Status,
 	mgmProbe *internal.Probe, signalProbe *internal.Probe, relayProbe *internal.Probe, wgProbe *internal.Probe,
-	engineChan chan<- *internal.Engine,
 ) {
 	backOff := getConnectWithBackoff(ctx)
 	retryStarted := false
@@ -188,7 +184,8 @@ func (s *Server) connectWithRetryRuns(ctx context.Context, config *internal.Conf
 
 	runOperation := func() error {
 		log.Tracef("running client connection")
-		err := internal.RunClientWithProbes(ctx, config, statusRecorder, mgmProbe, signalProbe, relayProbe, wgProbe, engineChan)
+		s.connectClient = internal.NewConnectClient(ctx, config, statusRecorder)
+		err := s.connectClient.RunWithProbes(mgmProbe, signalProbe, relayProbe, wgProbe)
 		if err != nil {
 			log.Debugf("run client connection exited with error: %v. Will retry in the background", err)
 		}
@@ -573,10 +570,7 @@ func (s *Server) Up(callerCtx context.Context, _ *proto.UpRequest) (*proto.UpRes
 	s.statusRecorder.UpdateManagementAddress(s.config.ManagementURL.String())
 	s.statusRecorder.UpdateRosenpass(s.config.RosenpassEnabled, s.config.RosenpassPermissive)
 
-	engineChan := make(chan *internal.Engine, 1)
-	go s.watchEngine(ctx, engineChan)
-
-	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe, engineChan)
+	go s.connectWithRetryRuns(ctx, s.config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe)
 
 	return &proto.UpResponse{}, nil
 }
@@ -593,8 +587,6 @@ func (s *Server) Down(_ context.Context, _ *proto.DownRequest) (*proto.DownRespo
 	state := internal.CtxGetState(s.rootCtx)
 	state.Set(internal.StatusIdle)
 
-	s.engine = nil
-
 	return &proto.DownResponse{}, nil
 }
 
@@ -688,22 +680,6 @@ func (s *Server) onSessionExpire() {
 	}
 }
 
-// watchEngine watches the engine channel and updates the engine state
-func (s *Server) watchEngine(ctx context.Context, engineChan chan *internal.Engine) {
-	log.Tracef("Started watching engine")
-	for {
-		select {
-		case <-ctx.Done():
-			s.engine = nil
-			log.Tracef("Stopped watching engine")
-			return
-		case engine := <-engineChan:
-			log.Tracef("Received engine from watcher")
-			s.engine = engine
-		}
-	}
-}
-
 func toProtoFullStatus(fullStatus peer.FullStatus) *proto.FullStatus {
 	pbFullStatus := proto.FullStatus{
 		ManagementState: &proto.ManagementState{},

client/server/server_test.go

@@ -70,7 +70,7 @@ func TestConnectWithRetryRuns(t *testing.T) {
 	t.Setenv(maxRetryTimeVar, "5s")
 	t.Setenv(retryMultiplierVar, "1")
 
-	s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe, nil)
+	s.connectWithRetryRuns(ctx, config, s.statusRecorder, s.mgmProbe, s.signalProbe, s.relayProbe, s.wgProbe)
 	if counter < 3 {
 		t.Fatalf("expected counter > 2, got %d", counter)
 	}

release_files/systemd/netbird-management.service

@@ -13,7 +13,7 @@ RestartSec=5
 TimeoutStopSec=10
 CacheDirectory=netbird
 ConfigurationDirectory=netbird
-LogDirectory=netbird
+LogsDirectory=netbird
 RuntimeDirectory=netbird
 StateDirectory=netbird
 

release_files/systemd/netbird-signal.service

@@ -13,7 +13,7 @@ RestartSec=5
 TimeoutStopSec=10
 CacheDirectory=netbird
 ConfigurationDirectory=netbird
-LogDirectory=netbird
+LogsDirectory=netbird
 RuntimeDirectory=netbird
 StateDirectory=netbird
 

release_files/systemd/netbird@.service

@@ -13,7 +13,7 @@ RestartSec=5
 TimeoutStopSec=10
 CacheDirectory=netbird
 ConfigurationDirectory=netbird
-LogDirectory=netbird
+LogsDirectory=netbird
 RuntimeDirectory=netbird
 StateDirectory=netbird
 
@@ -28,7 +28,8 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
-ProtectKernelModules=no  # needed to load wg module for kernel-mode WireGuard
+# needed to load wg module for kernel-mode WireGuard
+ProtectKernelModules=no
 ProtectKernelTunables=no
 ProtectSystem=yes
 RemoveIPC=yes