Fix(auth0) caching Users by accountId

Merge remote-tracking branch 'origin' into users_cache
WIP idpmanager users_cache by accountId
2026-04-01 23:23:54 -04:00 · 2022-06-03 17:19:31 +02:00 · 2022-06-03 14:42:06 +02:00 · 2022-06-03 14:39:07 +02:00 · 2022-06-03 14:39:07 +02:00 · 2022-06-03 14:39:07 +02:00
386 changed files with 7374 additions and 57118 deletions
--- a/.github/ISSUE_TEMPLATE/bug-issue-report.md
+++ b/.github/ISSUE_TEMPLATE/bug-issue-report.md
@@ -1,30 +0,0 @@
---
-name: Bug/Issue report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
---
-
-**Describe the problem**
-A clear and concise description of what the problem is.
-
-**To Reproduce**
-Steps to reproduce the behavior:
-1. Go to '...'
-2. Click on '....'
-3. Scroll down to '....'
-4. See error
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**NetBird status -d output:**
-If applicable, add the output of the `netbird status -d` command
-
-**Screenshots**
-If applicable, add screenshots to help explain your problem.
-
-**Additional context**
-Add any other context about the problem here.
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,20 +0,0 @@
---
-name: Feature request
-about: Suggest an idea for this project
-title: ''
-labels: ''
-assignees: ''
-
---
-
-**Is your feature request related to a problem? Please describe.**
-A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
-
-**Describe the solution you'd like**
-A clear and concise description of what you want to happen.
-
-**Describe alternatives you've considered**
-A clear and concise description of any alternative solutions or features you've considered.
-
-**Additional context**
-Add any other context or screenshots about the feature request here.
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,11 +0,0 @@
-## Describe your changes
-
-## Issue ticket number and link
-
-### Checklist
- [ ] Is it a bug fix
- [ ] Is a typo/documentation fix
- [ ] Is a feature enhancement
- [ ] It is a refactor
- [ ] Created tests that fail without the change (if possible)
- [ ] Extended the README / documentation, if necessary
--- a/.github/workflows/golang-test-darwin.yml
+++ b/.github/workflows/golang-test-darwin.yml
@@ -1,23 +1,16 @@
 name: Test Code Darwin
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
+on: [push,pull_request]
 jobs:
  test:
+    strategy:
+      matrix:
+        go-version: [1.18.x]
    runs-on: macos-latest
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
-          go-version: "1.20.x"
+          go-version: ${{ matrix.go-version }}
      - name: Checkout code
        uses: actions/checkout@v2

@@ -33,4 +26,4 @@ jobs:
        run: go mod tidy

      - name: Test
-        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
+        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -1,26 +1,16 @@
 name: Test Code Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
+on: [push,pull_request]
 jobs:
  test:
    strategy:
      matrix:
-        arch: ['386','amd64']
+        go-version: [1.18.x]
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
        uses: actions/setup-go@v2
        with:
-          go-version: "1.20.x"
+          go-version: ${{ matrix.go-version }}


      - name: Cache Go modules
@@ -35,75 +25,10 @@ jobs:
        uses: actions/checkout@v2

      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-multilib
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev

      - name: Install modules
        run: go mod tidy

      - name: Test
-        run: CGO_ENABLED=1 GOARCH=${{ matrix.arch }} go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
-
-  test_client_on_docker:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.20.x"
-
-
-      - name: Cache Go modules
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: Generate Iface Test bin
-        run: CGO_ENABLED=0 go test -c -o iface-testing.bin ./iface/
-
-      - name: Generate Shared Sock Test bin
-        run: CGO_ENABLED=0 go test -c -o sharedsock-testing.bin ./sharedsock
-
-      - name: Generate RouteManager Test bin
-        run: CGO_ENABLED=0 go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
-
-      - name: Generate nftables Manager Test bin
-        run: CGO_ENABLED=0 go test -c -o nftablesmanager-testing.bin ./client/firewall/nftables/...
-
-      - name: Generate Engine Test bin
-        run: CGO_ENABLED=0 go test -c -o engine-testing.bin ./client/internal
-
-      - name: Generate Peer Test bin
-        run: CGO_ENABLED=0 go test -c -o peer-testing.bin ./client/internal/peer/...
-
-      - run: chmod +x *testing.bin
-
-      - name: Run Shared Sock tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/sharedsock --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/sharedsock-testing.bin -test.timeout 5m -test.parallel 1
-
-      - name: Run Iface tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/iface --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/iface-testing.bin -test.timeout 5m -test.parallel 1
-
-
-      - name: Run RouteManager tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin  -test.timeout 5m -test.parallel 1
-
-      - name: Run nftables Manager tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/firewall --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/nftablesmanager-testing.bin  -test.timeout 5m -test.parallel 1
-
-      - name: Run Engine tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin  -test.timeout 5m -test.parallel 1
-
-      - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin  -test.timeout 5m -test.parallel 1
+        run: go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
--- a/.github/workflows/golang-test-windows.yml
+++ b/.github/workflows/golang-test-windows.yml
@@ -1,50 +1,57 @@
 name: Test Code Windows
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-env:
-  downloadPath: '${{ github.workspace }}\temp'
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
+on: [push,pull_request]
 jobs:
-  test:
-    runs-on: windows-latest
+  pre:
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v2
+      - run: bash -x wireguard_nt.sh
+        working-directory: client
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: syso
+          path: client/*.syso
+          retention-days: 1
+
+  test:
+    needs: pre
+    strategy:
+      matrix:
+        go-version: [1.18.x]
+    runs-on: windows-latest
+    steps:
+      - name: disable defender
+        run: Set-MpPreference -DisableRealtimeMonitoring $true
+
+      - name: Checkout code
+        uses: actions/checkout@v2

      - name: Install Go
-        uses: actions/setup-go@v4
-        id: go
+        uses: actions/setup-go@v2
        with:
-          go-version: "1.20.x"
+          go-version: ${{ matrix.go-version }}

-      - name: Download wintun
-        uses: carlosperate/download-file-action@v2
-        id: download-wintun
+      - uses: actions/cache@v2
        with:
-          file-url: https://www.wintun.net/builds/wintun-0.14.1.zip
-          file-name: wintun.zip
-          location: ${{ env.downloadPath }}
-          sha256: '07c256185d6ee3652e09fa55c0b673e2624b565e02c4b9091c79ca7d2f24ef51'
+          path: |
+            %LocalAppData%\go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-

-      - name: Decompressing wintun files
-        run: tar -zvxf "${{ steps.download-wintun.outputs.file-path }}" -C ${{ env.downloadPath }}
+      - name: enable defender
+        run: Set-MpPreference -DisableRealtimeMonitoring $false

-      - run: mv ${{ env.downloadPath }}/wintun/bin/amd64/wintun.dll 'C:\Windows\System32\'
+      - uses: actions/download-artifact@v2
+        with:
+          name: syso
+          path: iface\

-      - run: choco install -y sysinternals
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOMODCACHE=C:\Users\runneradmin\go\pkg\mod
-      - run: PsExec64 -s -w ${{ github.workspace }} C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe env -w GOCACHE=C:\Users\runneradmin\AppData\Local\go-build
+#      - name: Install modules
+#        run: go mod tidy

-      - name: test
-        run: PsExec64 -s -w ${{ github.workspace }} cmd.exe /c "C:\hostedtoolcache\windows\go\${{ steps.go.outputs.go-version }}\x64\bin\go.exe test -timeout 5m -p 1 ./... > test-out.txt 2>&1"
-      - name: test output
-        if: ${{ always() }}
-        run: Get-Content test-out.txt
+      - name: Test
+        run: go test -tags=load_wgnt_from_rsrc -timeout 5m -p 1 ./...
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -1,21 +1,17 @@
 name: golangci-lint
 on: [pull_request]
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
 jobs:
  golangci:
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.20.x"
+
      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v2
        with:
-          args: --timeout=6m
+          args: --timeout=6m
+
+
--- a/.github/workflows/install-test-darwin.yml
+++ b/.github/workflows/install-test-darwin.yml
@@ -1,60 +0,0 @@
-name: Test installation Darwin
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "release_files/install.sh"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-jobs:
-  install-cli-only:
-    runs-on: macos-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename brew package
-        if: ${{ matrix.check_bin_install }}
-        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-        env:
-          SKIP_UI_APP: true
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-            echo "Error: netbird is not installed"
-            exit 1
-          fi
-  install-all:
-    runs-on: macos-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename brew package
-        if: ${{ matrix.check_bin_install }}
-        run: mv /opt/homebrew/bin/brew /opt/homebrew/bin/brew.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-              echo "Error: netbird is not installed"
-              exit 1
-          fi
-
-          if [[ $(mdfind "kMDItemContentType == 'com.apple.application-bundle' && kMDItemFSName == '*NetBird UI.app'") ]]; then
-            echo "Error: NetBird UI is not installed"
-            exit 1
-          fi
--- a/.github/workflows/install-test-linux.yml
+++ b/.github/workflows/install-test-linux.yml
@@ -1,38 +0,0 @@
-name: Test installation Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    paths:
-      - "release_files/install.sh"
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-jobs:
-  install-cli-only:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        check_bin_install: [true, false]
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Rename apt package
-        if: ${{ matrix.check_bin_install }}
-        run: |
-          sudo mv /usr/bin/apt /usr/bin/apt.bak
-          sudo mv /usr/bin/apt-get /usr/bin/apt-get.bak
-
-      - name: Run install script
-        run: |
-          sh ./release_files/install.sh
-
-      - name: Run tests
-        run: |
-          if ! command -v netbird &> /dev/null; then
-            echo "Error: netbird is not installed"
-            exit 1
-          fi
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,12 +9,7 @@ on:
  pull_request:

 env:
-  SIGN_PIPE_VER: "v0.0.8"
-  GORELEASER_VER: "v1.14.1"
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
+  SIGN_PIPE_VER: "v0.0.3"

 jobs:
  release:
@@ -25,11 +20,15 @@ jobs:
        uses: actions/checkout@v2
        with:
          fetch-depth: 0 # It is required for GoReleaser to work properly
+
+      - name: Generate syso with DLL
+        run: bash -x wireguard_nt.sh
+        working-directory: client
      -
        name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: "1.20"
+          go-version: 1.18
      -
        name: Cache Go modules
        uses: actions/cache@v1
@@ -41,9 +40,6 @@ jobs:
      -
        name: Install modules
        run: go mod tidy
-      -
-        name: check git status
-        run: git --no-pager diff --exit-code
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v1
@@ -57,89 +53,47 @@ jobs:
        with:
          username: netbirdio
          password: ${{ secrets.DOCKER_TOKEN }}
-      - name: Install OS build dependencies
-        run: sudo apt update && sudo apt install -y -q gcc-arm-linux-gnueabihf gcc-aarch64-linux-gnu
+
+      - name: Install dependencies
+        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64

      - name: Install rsrc
        run: go install github.com/akavel/rsrc@v0.10.2
-      - name: Generate windows rsrc amd64
-        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_amd64.syso
-      - name: Generate windows rsrc arm64
-        run: rsrc -arch arm64 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm64.syso
-      - name: Generate windows rsrc arm
-        run: rsrc -arch arm -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_arm.syso
-      - name: Generate windows rsrc 386
-        run: rsrc -arch 386 -ico client/ui/netbird.ico -manifest client/manifest.xml -o client/resources_windows_386.syso
+
+      - name: Generate windows rsrc
+        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
+
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: ${{ env.GORELEASER_VER }}
+          version: v1.6.3
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
+      -
+        name: Trigger Windows binaries sign pipeline
+        uses: benc-uk/workflow-dispatch@v1
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          workflow: Sign windows bin and installer
+          repo: netbirdio/sign-pipelines
+          ref: ${{ env.SIGN_PIPE_VER }}
+          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
+          inputs: '{ "tag": "${{ github.ref }}" }'
      -
        name: upload non tags for debug purposes
        uses: actions/upload-artifact@v2
        with:
-          name: release
+          name: build
          path: dist/
          retention-days: 3
-
+          
  release_ui:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # It is required for GoReleaser to work properly
-
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.20"
-      - name: Cache Go modules
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-ui-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-ui-go-
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: check git status
-        run: git --no-pager diff --exit-code
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev gcc-mingw-w64-x86-64
-      - name: Install rsrc
-        run: go install github.com/akavel/rsrc@v0.10.2
-      - name: Generate windows rsrc
-        run: rsrc -arch amd64 -ico client/ui/netbird.ico -manifest client/ui/manifest.xml -o client/ui/resources_windows_amd64.syso
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          version: ${{ env.GORELEASER_VER }}
-          args: release --config .goreleaser_ui.yaml --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
-          UPLOAD_DEBIAN_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-          UPLOAD_YUM_SECRET: ${{ secrets.PKG_UPLOAD_SECRET }}
-      - name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-ui
-          path: dist/
-          retention-days: 3
-
-  release_ui_darwin:
-    runs-on: macos-11
+    runs-on: macos-latest
    steps:
      -
        name: Checkout
@@ -150,15 +104,15 @@ jobs:
        name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: "1.20"
+          go-version: 1.18
      -
        name: Cache Go modules
        uses: actions/cache@v1
        with:
          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-ui-go-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-ui-go-
+            ${{ runner.os }}-go-
      -
        name: Install modules
        run: go mod tidy
@@ -167,42 +121,26 @@ jobs:
        id: goreleaser
        uses: goreleaser/goreleaser-action@v2
        with:
-          version: ${{ env.GORELEASER_VER }}
+          version: v1.6.3
          args: release --config .goreleaser_ui_darwin.yaml --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
      -
-        name: upload non tags for debug purposes
-        uses: actions/upload-artifact@v2
-        with:
-          name: release-ui-darwin
-          path: dist/
-          retention-days: 3
-
-  trigger_windows_signer:
-    runs-on: ubuntu-latest
-    needs: [release,release_ui]
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Trigger Windows binaries sign pipeline
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: Sign windows bin and installer
-          repo: netbirdio/sign-pipelines
-          ref: ${{ env.SIGN_PIPE_VER }}
-          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
-
-  trigger_darwin_signer:
-    runs-on: ubuntu-latest
-    needs: [release,release_ui_darwin]
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Trigger Darwin App binaries sign pipeline
+        name: Trigger Darwin App binaries sign pipeline
        uses: benc-uk/workflow-dispatch@v1
+        if: startsWith(github.ref, 'refs/tags/')
        with:
          workflow: Sign darwin ui app with dispatch
          repo: netbirdio/sign-pipelines
          ref: ${{ env.SIGN_PIPE_VER }}
          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
          inputs: '{ "tag": "${{ github.ref }}" }'
+
+      -
+        name: upload non tags for debug purposes
+        uses: actions/upload-artifact@v2
+        with:
+          name: build-ui-darwin
+          path: dist/
+          retention-days: 3
--- a/.github/workflows/test-docker-compose-linux.yml
+++ b/.github/workflows/test-docker-compose-linux.yml
@@ -1,115 +0,0 @@
-name: Test Docker Compose Linux
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}-${{ github.head_ref || github.actor_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install jq
-        run: sudo apt-get install -y jq
-
-      - name: Install curl
-        run: sudo apt-get install -y curl
-
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.20.x"
-
-      - name: Cache Go modules
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: cp setup.env
-        run: cp infrastructure_files/tests/setup.env infrastructure_files/
-
-      - name: run configure
-        working-directory: infrastructure_files
-        run: bash -x configure.sh
-        env:
-          CI_NETBIRD_DOMAIN: localhost
-          CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
-          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
-          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
-          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
-          CI_NETBIRD_USE_AUTH0: true
-          CI_NETBIRD_MGMT_IDP: "none"
-          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
-          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
-
-      - name: check values
-        working-directory: infrastructure_files
-        env:
-          CI_NETBIRD_DOMAIN: localhost
-          CI_NETBIRD_AUTH_CLIENT_ID: testing.client.id
-          CI_NETBIRD_AUTH_CLIENT_SECRET: testing.client.secret
-          CI_NETBIRD_AUTH_AUDIENCE: testing.ci
-          CI_NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT: https://example.eu.auth0.com/.well-known/openid-configuration
-          CI_NETBIRD_USE_AUTH0: true
-          CI_NETBIRD_AUTH_SUPPORTED_SCOPES: "openid profile email offline_access api email_verified"
-          CI_NETBIRD_AUTH_AUTHORITY: https://example.eu.auth0.com/
-          CI_NETBIRD_AUTH_JWT_CERTS: https://example.eu.auth0.com/.well-known/jwks.json
-          CI_NETBIRD_AUTH_TOKEN_ENDPOINT: https://example.eu.auth0.com/oauth/token
-          CI_NETBIRD_AUTH_DEVICE_AUTH_ENDPOINT: https://example.eu.auth0.com/oauth/device/code
-          CI_NETBIRD_AUTH_REDIRECT_URI: "/peers"
-          CI_NETBIRD_TOKEN_SOURCE: "idToken"
-          CI_NETBIRD_AUTH_USER_ID_CLAIM: "email"
-          CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE: "super"
-          CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE: "openid email"
-          CI_NETBIRD_MGMT_IDP: "none"
-          CI_NETBIRD_IDP_MGMT_CLIENT_ID: testing.client.id
-          CI_NETBIRD_IDP_MGMT_CLIENT_SECRET: testing.client.secret
-
-        run: |
-          grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
-          grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
-          grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
-          grep AUTH_AUDIENCE docker-compose.yml | grep $CI_NETBIRD_AUTH_AUDIENCE
-          grep AUTH_SUPPORTED_SCOPES docker-compose.yml | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
-          grep USE_AUTH0 docker-compose.yml | grep $CI_NETBIRD_USE_AUTH0
-          grep NETBIRD_MGMT_API_ENDPOINT docker-compose.yml | grep "$CI_NETBIRD_DOMAIN:33073"
-          grep AUTH_REDIRECT_URI docker-compose.yml | grep $CI_NETBIRD_AUTH_REDIRECT_URI
-          grep AUTH_SILENT_REDIRECT_URI docker-compose.yml | egrep 'AUTH_SILENT_REDIRECT_URI=$'
-          grep LETSENCRYPT_DOMAIN docker-compose.yml | egrep 'LETSENCRYPT_DOMAIN=$'
-          grep NETBIRD_TOKEN_SOURCE docker-compose.yml | grep $CI_NETBIRD_TOKEN_SOURCE
-          grep AuthUserIDClaim management.json | grep $CI_NETBIRD_AUTH_USER_ID_CLAIM
-          grep -A 1 ProviderConfig management.json | grep Audience | grep $CI_NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE
-          grep Scope management.json | grep "$CI_NETBIRD_AUTH_DEVICE_AUTH_SCOPE"
-          grep UseIDToken management.json | grep false
-          grep -A 1 IdpManagerConfig management.json | grep ManagerType | grep $CI_NETBIRD_MGMT_IDP 
-          grep -A 3 IdpManagerConfig management.json | grep -A 1 ClientConfig | grep Issuer | grep $CI_NETBIRD_AUTH_AUTHORITY
-          grep -A 4 IdpManagerConfig management.json | grep -A 2 ClientConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
-          grep -A 5 IdpManagerConfig management.json | grep -A 3 ClientConfig | grep ClientID | grep $CI_NETBIRD_IDP_MGMT_CLIENT_ID
-          grep -A 6 IdpManagerConfig management.json | grep -A 4 ClientConfig | grep ClientSecret | grep $CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
-          grep -A 7 IdpManagerConfig management.json | grep -A 5 ClientConfig | grep GrantType | grep client_credentials
-
-      - name: run docker compose up
-        working-directory: infrastructure_files
-        run: |
-          docker-compose up -d
-          sleep 5
-          docker-compose ps
-          docker-compose logs --tail=20
-
-      - name: test running containers
-        run: |
-          count=$(docker compose ps --format json | jq '.[] | select(.Project | contains("infrastructure_files")) | .State' | grep -c running)
-          test $count -eq 4
-        working-directory: infrastructure_files
--- a/.github/workflows/update-docs.yml
+++ b/.github/workflows/update-docs.yml
@@ -1,22 +0,0 @@
-name: update docs
-
-on:
-  push:
-    tags:
-      - 'v*'
-    paths:
-      - 'management/server/http/api/openapi.yml'
-
-jobs:
-  trigger_docs_api_update:
-    runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Trigger API pages generation
-        uses: benc-uk/workflow-dispatch@v1
-        with:
-          workflow: generate api pages
-          repo: netbirdio/docs
-          ref: "refs/heads/main"
-          token: ${{ secrets.SIGN_GITHUB_TOKEN }}
-          inputs: '{ "tag": "${{ github.ref }}" }'
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,4 @@
 .idea
-.run
 *.iml
 dist/
 bin/
@@ -10,5 +9,3 @@ infrastructure_files/management.json
 infrastructure_files/docker-compose.yml
 *.syso
 client/.distfiles/
-infrastructure_files/setup.env
-.vscode
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -12,49 +12,24 @@ builds:
      - arm
      - amd64
      - arm64
-      - 386
+      - mips
+    gomips:
+      - hardfloat
+      - softfloat
    ignore:
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: arm
-      - goos: windows
-        goarch: 386
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: '{{ .CommitTimestamp }}'
-    tags:
-      - load_wgnt_from_rsrc
-
-  - id: netbird-static
-    dir: client
-    binary: netbird
-    env: [CGO_ENABLED=0]
-    goos:
-      - linux
-    goarch:
-      - mips
-      - mipsle
-      - mips64
-      - mips64le
-    gomips:
-      - hardfloat
-      - softfloat
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc

  - id: netbird-mgmt
    dir: management
-    env:
-    - CGO_ENABLED=1
-    - >-
-      {{- if eq .Runtime.Goos "linux" }}
-        {{- if eq .Arch "arm64"}}CC=aarch64-linux-gnu-gcc{{- end }}
-        {{- if eq .Arch "arm"}}CC=arm-linux-gnueabihf-gcc{{- end }}
-      {{- end }}
+    env: [CGO_ENABLED=0]
    binary: netbird-mgmt
    goos:
      - linux
@@ -63,7 +38,7 @@ builds:
      - arm64
      - arm
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'

  - id: netbird-signal
@@ -77,16 +52,91 @@ builds:
      - arm64
      - arm
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X main.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+    goos:
+      - linux
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+    mod_timestamp: '{{ .CommitTimestamp }}'
+
+  - id: netbird-ui-windows
+    dir: client/ui
+    binary: netbird-ui
+    env:
+      - CGO_ENABLED=1
+      - CC=x86_64-w64-mingw32-gcc
+    goos:
+      - windows
+    goarch:
+      - amd64
+    ldflags:
+      - -s -w -X github.com/netbirdio/netbird/client/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -H windowsgui
    mod_timestamp: '{{ .CommitTimestamp }}'

 archives:
  - builds:
      - netbird
-      - netbird-static
+  - id: linux-arch
+    name_template: "{{ .ProjectName }}-ui-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui
+  - id: windows-arch
+    name_template: "{{ .ProjectName }}-ui-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    builds:
+      - netbird-ui-windows

 nfpms:

+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-deb
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
+    formats:
+      - deb
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
+  - maintainer: Netbird <dev@netbird.io>
+    description: Netbird client UI.
+    homepage: https://netbird.io/
+    id: netbird-ui-rpm
+    package_name: netbird-ui
+    builds:
+      - netbird-ui
+    formats:
+      - rpm
+    contents:
+      - src: client/ui/netbird.desktop
+        dst: /usr/share/applications/netbird.desktop
+      - src: client/ui/disconnected.png
+        dst: /usr/share/pixmaps/netbird.png
+    dependencies:
+      - libayatana-appindicator3-1
+      - libgtk-3-dev
+      - libappindicator3-dev
+      - netbird
+
  - maintainer: Netbird <dev@netbird.io>
    description: Netbird client.
    homepage: https://netbird.io/
@@ -97,6 +147,11 @@ nfpms:
    formats:
      - deb

+    replaces:
+      - wiretrustee
+    conflicts:
+      - wiretrustee
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -111,6 +166,12 @@ nfpms:
    formats:
      - rpm

+    replaces:
+      - wiretrustee
+
+    conflicts:
+      - wiretrustee
+
    scripts:
      postinstall: "release_files/post_install.sh"
      preremove: "release_files/pre_remove.sh"
@@ -360,11 +421,14 @@ brews:
    license: "BSD3"
    test: |
      system "#{bin}/{{ .ProjectName	}} version"
+    conflicts:
+      - wiretrustee

 uploads:
  - name: debian
    ids:
    - netbird-deb
+    - netbird-ui-deb
    mode: archive
    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
    username: dev@wiretrustee.com
@@ -373,7 +437,8 @@ uploads:
  - name: yum
    ids:
      - netbird-rpm
+      - netbird-ui-rpm
    mode: archive
    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
    username: dev@wiretrustee.com
-    method: PUT
+    method: PUT
--- a/.goreleaser_ui.yaml
+++ b/.goreleaser_ui.yaml
@@ -1,98 +0,0 @@
-project_name: netbird-ui
-builds:
-  - id: netbird-ui
-    dir: client/ui
-    binary: netbird-ui
-    env:
-      - CGO_ENABLED=1
-    goos:
-      - linux
-    goarch:
-      - amd64
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-    mod_timestamp: '{{ .CommitTimestamp }}'
-
-  - id: netbird-ui-windows
-    dir: client/ui
-    binary: netbird-ui
-    env:
-      - CGO_ENABLED=1
-      - CC=x86_64-w64-mingw32-gcc
-    goos:
-      - windows
-    goarch:
-      - amd64
-    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
-      - -H windowsgui
-    mod_timestamp: '{{ .CommitTimestamp }}'
-
-archives:
-  - id: linux-arch
-    name_template: "{{ .ProjectName }}-linux_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    builds:
-      - netbird-ui
-  - id: windows-arch
-    name_template: "{{ .ProjectName }}-windows_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
-    builds:
-      - netbird-ui-windows
-
-nfpms:
-
-  - maintainer: Netbird <dev@netbird.io>
-    description: Netbird client UI.
-    homepage: https://netbird.io/
-    id: netbird-ui-deb
-    package_name: netbird-ui
-    builds:
-      - netbird-ui
-    formats:
-      - deb
-    contents:
-      - src: client/ui/netbird.desktop
-        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/disconnected.png
-        dst: /usr/share/pixmaps/netbird.png
-    dependencies:
-      - libayatana-appindicator3-1
-      - libgtk-3-dev
-      - libappindicator3-dev
-      - netbird
-
-  - maintainer: Netbird <dev@netbird.io>
-    description: Netbird client UI.
-    homepage: https://netbird.io/
-    id: netbird-ui-rpm
-    package_name: netbird-ui
-    builds:
-      - netbird-ui
-    formats:
-      - rpm
-    contents:
-      - src: client/ui/netbird.desktop
-        dst: /usr/share/applications/netbird.desktop
-      - src: client/ui/disconnected.png
-        dst: /usr/share/pixmaps/netbird.png
-    dependencies:
-      - libayatana-appindicator3-1
-      - libgtk-3-dev
-      - libappindicator3-dev
-      - netbird
-
-uploads:
-  - name: debian
-    ids:
-    - netbird-ui-deb
-    mode: archive
-    target: https://pkgs.wiretrustee.com/debian/pool/{{ .ArtifactName }};deb.distribution=stable;deb.component=main;deb.architecture={{ if .Arm }}armhf{{ else }}{{ .Arch }}{{ end }};deb.package=
-    username: dev@wiretrustee.com
-    method: PUT
-
-  - name: yum
-    ids:
-      - netbird-ui-rpm
-    mode: archive
-    target: https://pkgs.wiretrustee.com/yum/{{ .Arch }}{{ if .Arm }}{{ .Arm }}{{ end }}
-    username: dev@wiretrustee.com
-    method: PUT
--- a/.goreleaser_ui_darwin.yaml
+++ b/.goreleaser_ui_darwin.yaml
@@ -14,7 +14,7 @@ builds:
      - hardfloat
      - softfloat
    ldflags:
-      - -s -w -X github.com/netbirdio/netbird/version.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
+      - -s -w -X github.com/netbirdio/netbird/client/ui/system.version={{.Version}} -X main.commit={{.Commit}} -X main.date={{.CommitDate}} -X main.builtBy=goreleaser
    mod_timestamp: '{{ .CommitTimestamp }}'
    tags:
      - load_wgnt_from_rsrc
@@ -23,7 +23,5 @@ archives:
  - builds:
      - netbird-ui-darwin

-checksum:
-  name_template: "{{ .ProjectName }}_darwin_checksums.txt"
 changelog:
  skip: true
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -60,7 +60,7 @@ representative at an online or offline event.

 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported to the community leaders responsible for enforcement at
-community@netbird.io.
+dev@wiretrustee.com.
 All complaints will be reviewed and investigated promptly and fairly.

 All community leaders are obligated to respect the privacy and security of the
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,218 +0,0 @@
-# Contributing to NetBird
-
-Thanks for your interest in contributing to NetBird. 
-
-There are many ways that you can contribute:
- Reporting issues
- Updating documentation
- Sharing use cases in slack or Reddit
- Bug fix or feature enhancement
-
-If you haven't already, join our slack workspace [here](https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A), we would love to discuss topics that need community contribution and enhancements to existing features.
-
-## Contents
-
- [Contributing to NetBird](#contributing-to-netbird)
-    - [Contents](#contents)
-    - [Code of conduct](#code-of-conduct)
-    - [Directory structure](#directory-structure)
-    - [Development setup](#development-setup)
-        - [Requirements](#requirements)
-        - [Local NetBird setup](#local-netbird-setup)
-        - [Build and start](#build-and-start)
-        - [Test suite](#test-suite)
-    - [Checklist before submitting a PR](#checklist-before-submitting-a-pr)
-    - [Other project repositories](#other-project-repositories)
-    - [Checklist before submitting a new node](#checklist-before-submitting-a-new-node)
-    - [Contributor License Agreement](#contributor-license-agreement)
-
-## Code of conduct
-
-This project and everyone participating in it are governed by the Code of
-Conduct which can be found in the file [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md).
-By participating, you are expected to uphold this code. Please report
-unacceptable behavior to community@netbird.io.
-
-## Directory structure
-
-The NetBird project monorepo is organized to maintain most of its individual dependencies code within their directories, except for a few auxiliary or shared packages.
-
-The most important directories are:
-
- [/.github](/.github) - Github actions workflow files and issue templates
- [/client](/client) - NetBird agent code
- [/client/cmd](/client/cmd) - NetBird agent cli code
- [/client/internal](/client/internal) - NetBird agent business logic code
- [/client/proto](/client/proto) - NetBird agent daemon GRPC proto files
- [/client/server](/client/server) - NetBird agent daemon code for background execution
- [/client/ui](/client/ui) - NetBird agent UI code
- [/encryption](/encryption) - Contain main encryption code for agent communication
- [/iface](/iface) - Wireguard® interface code
- [/infrastructure_files](/infrastructure_files) - Getting started files containing docker and template scripts
- [/management](/management) - Management service code
- [/management/client](/management/client) - Management service client code which is imported by the agent code
- [/management/proto](/management/proto) - Management service GRPC proto files
- [/management/server](/management/server) - Management service server code
- [/management/server/http](/management/server/http) - Management service REST API code
- [/management/server/idp](/management/server/idp) - Management service IDP management code
- [/release_files](/release_files) - Files that goes into release packages
- [/signal](/signal) - Signal service code
- [/signal/client](/signal/client) - Signal service client code which is imported by the agent code
- [/signal/peer](/signal/peer) - Signal service peer message logic
- [/signal/proto](/signal/proto) - Signal service GRPC proto files
- [/signal/server](/signal/server) - Signal service server code
-
-
-## Development setup
-
-If you want to contribute to bug fixes or improve existing features, you have to ensure that all needed
-dependencies are installed. Here is a short guide on how that can be done.
-
-### Requirements
-
-#### Go 1.19
-
-Follow the installation guide from https://go.dev/
-
-#### UI client - Fyne toolkit 
-
-We use the fyne toolkit in our UI client. You can follow its requirement guide to have all its dependencies installed: https://developer.fyne.io/started/#prerequisites
-
-#### gRPC
-You can follow the instructions from the quickstarter guide https://grpc.io/docs/languages/go/quickstart/#prerequisites and then run the `generate.sh` files located in each `proto` directory to generate changes.
-> **IMPORTANT**: We are very open to contributions that can improve the client daemon protocol. For Signal and Management protocols, please reach out on slack or via github issues with your proposals.
-
-#### Docker
-
-Follow the installation guide from https://docs.docker.com/get-docker/
-
-#### Goreleaser and golangci-lint
-
-We utilize two tools in our Github actions workflows:
- Goreleaser: Used for release packaging. You can follow the installation steps [here](https://goreleaser.com/install/); keep in mind to match the version defined in [release.yml](/.github/workflows/release.yml)
- golangci-lint: Used for linting checks. You can follow the installation steps [here](https://golangci-lint.run/usage/install/); keep in mind to match the version defined in [golangci-lint.yml](/.github/workflows/golangci-lint.yml)
-
-They can be executed from the repository root before every push or PR:
-
-**Goreleaser**
-```shell
-goreleaser --snapshot --rm-dist
-```
-**golangci-lint**
-```shell
-golangci-lint run
-```
-
-### Local NetBird setup
-
-> **IMPORTANT**: All the steps below have to get executed at least once to get the development setup up and running!
-
-Now that everything NetBird requires to run is installed, the actual NetBird code can be
-checked out and set up:
-
-1. [Fork](https://guides.github.com/activities/forking/#fork) the NetBird repository
-
-2. Clone your forked repository
-
-   ```
-   git clone https://github.com/<your_github_username>/netbird.git
-   ```
-
-3. Go into the repository folder
-
-   ```
-   cd netbird
-   ```
-
-4. Add the original NetBird repository as `upstream` to your forked repository
-
-   ```
-   git remote add upstream https://github.com/netbirdio/netbird.git
-   ```
-
-5. Install all Go dependencies:
-
-   ```
-   go mod tidy
-   ```
-
-### Build and start
-#### Client
-
-> Windows clients have a Wireguard driver requirement. We provide a bash script that can be executed in WLS 2 with docker support [wireguard_nt.sh](/client/wireguard_nt.sh).
-
-To start NetBird, execute:
-```
-cd client
-# bash wireguard_nt.sh # if windows
-go build .
-```
-
-To start NetBird the client in the foreground:
-
-```
-sudo ./client up --log-level debug --log-file console
-```
-> On Windows use a powershell with administrator privileges
-#### Signal service
-
-To start NetBird's signal, execute:
-
-```
-cd signal
-go build .
-```
-
-To start NetBird the signal service:
-
-```
-./signal run --log-level debug --log-file console
-```
-
-#### Management service
-> You may need to generate a configuration file for management. Follow steps 2 to 5 from our [self-hosting guide](https://netbird.io/docs/getting-started/self-hosting).
-
-To start NetBird's management, execute:
-
-```
-cd management
-go build .
-```
-
-To start NetBird the management service:
-
-```
-./management management --log-level debug --log-file console --config ./management.json
-```
-
-### Test suite
-
-The tests can be started via:
-
-```
-cd netbird
-go test -exec sudo ./...
-```
-> On Windows use a powershell with administrator privileges
-
-## Checklist before submitting a PR
-As a critical network service and open-source project, we must enforce a few things before submitting the pull-requests:
- Keep functions as simple as possible, with a single purpose
- Use private functions and constants where possible
- Comment on any new public functions
- Add unit tests for any new public function
-
-> When pushing fixes to the PR comments, please push as separate commits; we will squash the PR before merging, so there is no need to squash it before pushing it, and we are more than okay with 10-100 commits in a single PR. This helps review the fixes to the requested changes.
-
-## Other project repositories
-
-NetBird project is composed of 3 main repositories:
- NetBird: This repository, which contains the code for the agents and control plane services.
- Dashboard: https://github.com/netbirdio/dashboard, contains the Administration UI for the management service
- Documentations: https://github.com/netbirdio/docs, contains the documentation from https://netbird.io/docs
-
-## Contributor License Agreement
-
-That we do not have any potential problems later it is sadly necessary to sign a [Contributor License Agreement](CONTRIBUTOR_LICENSE_AGREEMENT.md). That can be done literally with the push of a button.
-
-A bot will automatically comment on the pull request once it got opened asking for the agreement to be signed. Before it did not get signed it is sadly not possible to merge it in.
--- a/CONTRIBUTOR_LICENSE_AGREEMENT.md
+++ b/CONTRIBUTOR_LICENSE_AGREEMENT.md
@@ -1,148 +0,0 @@
-#  Contributor License Agreement
-
-We are incredibly thankful for the contributions we receive from the community.
-We require our external contributors to sign a Contributor License Agreement ("CLA") in
-order to ensure that our projects remain licensed under Free and Open Source licenses such
-as BSD-3 while allowing Wiretrustee to build a sustainable business.
-
-Wiretrustee is committed to having a true Open Source Software ("OSS") license for
-our software. A CLA enables Wiretrustee to safely commercialize our products
-while keeping a standard OSS license with all the rights that license grants to users: the
-ability to use the project in their own projects or businesses, to republish modified
-source, or to completely fork the project.
-
-This page gives a human-friendly summary of our CLA, details on why we require a CLA, how
-contributors can sign our CLA, and more. You may view the full legal CLA document (below).
-
-# Human-friendly summary
-
-This is a human-readable summary of (and not a substitute for) the full agreement (below).
-This highlights only some of key terms of the CLA. It has no legal value and you should
-carefully review all the terms of the actual CLA before agreeing.
-
-<li>Grant of copyright license. You give Wiretrustee permission to use your copyrighted work
-in commercial products.
-</li>
-
-<li>Grant of patent license. If your contributed work uses a patent, you give Wiretrustee a
-license to use that patent including within commercial products. You also agree that you
-have permission to grant this license.
-</li>
-
-<li>No Warranty or Support Obligations.
-By making a contribution, you are not obligating yourself to provide support for the
-contribution, and you are not taking on any warranty obligations or providing any
-assurances about how it will perform.
-</li>
-
-The CLA does not change the terms of the standard open source license used by our software
-such as BSD-3 or MIT.
-You are still free to use our projects within your own projects or businesses, republish
-modified source, and more.
-Please reference the appropriate license for the project you're contributing to to learn
-more.
-
-# Why require a CLA?
-
-Agreeing to a CLA explicitly states that you are entitled to provide a contribution, that you cannot withdraw permission
-to use your contribution at a later date, and that Wiretrustee has permission to use your contribution in our commercial
-products.
-
-This removes any ambiguities or uncertainties caused by not having a CLA and allows users and customers to confidently
-adopt our projects. At the same time, the CLA ensures that all contributions to our open source projects are licensed
-under the project's respective open source license, such as BSD-3.
-
-Requiring a CLA is a common and well-accepted practice in open source. Major open source projects require CLAs such as
-Apache Software Foundation projects, Facebook projects (such as React), Google projects (including Go), Python, Django,
-and more. Each of these projects remains licensed under permissive OSS licenses such as MIT, Apache, BSD, and more.
-
-# Signing the CLA
-
-Open a pull request ("PR") to any of our open source projects to sign the CLA. A bot will comment on the PR asking you
-to sign the CLA if you haven't already.
-
-Follow the steps given by the bot to sign the CLA. This will require you to log in with GitHub (we only request public
-information from your account) and to fill in a few additional details such as your name and email address. We will only
-use this information for CLA tracking; none of your submitted information will be used for marketing purposes.
-
-You only have to sign the CLA once. Once you've signed the CLA, future contributions to any Wiretrustee project will not
-require you to sign again.
-
-# Legal Terms and Agreement
-
-In order to clarify the intellectual property license granted with Contributions from any person or entity, Wiretrustee
-UG (haftungsbeschränkt) ("Wiretrustee") must have a Contributor License Agreement ("CLA") on file that has been signed
-by each Contributor, indicating agreement to the license terms below. This license does not change your rights to use
-your own Contributions for any other purpose.
-
-You accept and agree to the following terms and conditions for Your present and future Contributions submitted to
-Wiretrustee. Except for the license granted herein to Wiretrustee and recipients of software distributed by Wiretrustee,
-You reserve all right, title, and interest in and to Your Contributions.
-
-1. Definitions.
-
-    ```
-   "You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner 
-   that is making this Agreement with Wiretrustee. For legal entities, the entity making a Contribution and all other 
-   entities that control, are controlled by, or are under common control with that entity are considered 
-   to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect,
-    to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty 
-   percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
-   ```
-   ```
-    "Contribution" shall mean any original work of authorship, including any modifications or additions to 
-   an existing work, that is or previously has been intentionally submitted by You to Wiretrustee for inclusion in, 
-   or documentation of, any of the products owned or managed by Wiretrustee (the "Work"). 
-   For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication 
-   sent to Wiretrustee or its representatives, including but not limited to communication on electronic mailing lists, 
-   source code control systems, and issue tracking systems that are managed by, or on behalf of, 
-   Wiretrustee for the purpose of discussing and improving the Work, but excluding communication that is conspicuously 
-   marked or otherwise designated in writing by You as "Not a Contribution."
-   ```
-
-2. Grant of Copyright License. Subject to the terms and conditions of this Agreement, You hereby grant to Wiretrustee
-   and to recipients of software distributed by Wiretrustee a perpetual, worldwide, non-exclusive, no-charge,
-   royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly
-   perform, sublicense, and distribute Your Contributions and such derivative works.
-
-
-3. Grant of Patent License. Subject to the terms and conditions of this Agreement, You hereby grant to Wiretrustee and
-   to recipients of software distributed by Wiretrustee a perpetual, worldwide, non-exclusive, no-charge, royalty-free,
-   irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import,
-   and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are
-   necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which
-   such Contribution(s) was submitted. If any entity institutes patent litigation against You or any other entity (
-   including a cross-claim or counterclaim in a lawsuit) alleging that your Contribution, or the Work to which you have
-   contributed, constitutes direct or contributory patent infringement, then any patent licenses granted to that entity
-   under this Agreement for that Contribution or Work shall terminate as of the date such litigation is filed.
-
-
-4. You represent that you are legally entitled to grant the above license. If your employer(s) has rights to
-   intellectual property that you create that includes your Contributions, you represent that you have received
-   permission to make Contributions on behalf of that employer, that you will have received permission from your current
-   and future employers for all future Contributions, that your applicable employer has waived such rights for all of
-   your current and future Contributions to Wiretrustee, or that your employer has executed a separate Corporate CLA
-   with Wiretrustee.
-
-
-5. You represent that each of Your Contributions is Your original creation (see section 7 for submissions on behalf of
-   others). You represent that Your Contribution submissions include complete details of any third-party license or
-   other restriction (including, but not limited to, related patents and trademarks) of which you are personally aware
-   and which are associated with any part of Your Contributions.
-
-
-6. You are not expected to provide support for Your Contributions, except to the extent You desire to provide support.
-   You may provide support for free, for a fee, or not at all. Unless required by applicable law or agreed to in
-   writing, You provide Your Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
-   express or implied, including, without limitation, any warranties or conditions of TITLE, NON- INFRINGEMENT,
-   MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.
-
-
-7. Should You wish to submit work that is not Your original creation, You may submit it to Wiretrustee separately from
-   any Contribution, identifying the complete details of its source and of any license or other restriction (including,
-   but not limited to, related patents, trademarks, and license agreements) of which you are personally aware, and
-   conspicuously marking the work as "Submitted on behalf of a third-party: [named here]".
-
-
-8. You agree to notify Wiretrustee of any facts or circumstances of which you become aware that would make these
-   representations inaccurate in any respect.
--- a/README.md
+++ b/README.md
@@ -1,22 +1,32 @@
 <p align="center">
- <strong>:hatching_chick: New Release! Peer expiration.</strong>
-  <a href="https://github.com/netbirdio/netbird/releases">
+ <strong>:hatching_chick: New release! Beta Update May 2022</strong>.
+  <a href="https://github.com/netbirdio/netbird/releases/tag/v0.6.0">
       Learn more
     </a>   
 </p>
+
 <br/>
 <div align="center">
+
 <p align="center">
  <img width="234" src="docs/media/logo-full.png"/>
 </p>
+
  <p>
     <a href="https://github.com/netbirdio/netbird/blob/main/LICENSE">
       <img src="https://img.shields.io/badge/license-BSD--3-blue" />
     </a> 
-   <a href="https://www.codacy.com/gh/netbirdio/netbird/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=netbirdio/netbird&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/e3013d046aec44cdb7462c8673b00976"/></a>
+     <a href="https://hub.docker.com/r/wiretrustee/wiretrustee/tags">
+        <img src="https://img.shields.io/docker/pulls/wiretrustee/wiretrustee" />
+     </a> 
    <br>
-    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
-        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+    <a href="https://www.codacy.com/gh/wiretrustee/wiretrustee/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=wiretrustee/wiretrustee&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/d366de2c9d8b4cf982da27f8f5831809"/></a>
+     <a href="https://goreportcard.com/report/wiretrustee/wiretrustee">
+        <img src="https://goreportcard.com/badge/github.com/wiretrustee/wiretrustee?style=flat-square" />
+     </a>
+    <br>
+    <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
+        <img src="https://img.shields.io/badge/slack-@wiretrustee-red.svg?logo=slack"/>
     </a>    
  </p>
 </div>
@@ -28,7 +38,7 @@
  <br/>
  See <a href="https://netbird.io/docs/">Documentation</a>
  <br/>
-   Join our <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
+   Join our <a href="https://join.slack.com/t/wiretrustee/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">Slack channel</a>
  <br/>
 
 </strong>
@@ -40,50 +50,51 @@

 It requires zero configuration effort leaving behind the hassle of opening ports, complex firewall rules, VPN gateways, and so forth.

-NetBird uses [NAT traversal techniques](https://en.wikipedia.org/wiki/Interactive_Connectivity_Establishment) to automatically create an overlay peer-to-peer network connecting machines regardless of location (home, office, data center, container, cloud, or edge environments), unifying virtual private network management experience.
+NetBird creates an overlay peer-to-peer network connecting machines automatically regardless of their location (home, office, datacenter, container, cloud or edge environments) unifying virtual private network management experience.

 **Key features:**
- \[x] Automatic IP allocation and network management with a Web UI ([separate repo](https://github.com/netbirdio/dashboard))
- \[x] Automatic WireGuard peer (machine) discovery and configuration.
- \[x] Encrypted peer-to-peer connections without a central VPN gateway.
- \[x] Connection relay fallback in case a peer-to-peer connection is not possible.
- \[x] Desktop client applications for Linux, MacOS, and Windows (systray).
- \[x] Multiuser support - sharing network between multiple users.
- \[x] SSO and MFA support. 
- \[x] Multicloud and hybrid-cloud support.
- \[x] Kernel WireGuard usage when possible.
- \[x] Access Controls - groups & rules.
- \[x] Remote SSH access without managing SSH keys.
- \[x] Network Routes.  
- \[x] Private DNS.
- \[x] Network Activity Monitoring.
-
-**Coming soon:**
-  \[ ] Mobile clients.
+* Automatic IP allocation and management.
+* Automatic WireGuard peer (machine) discovery and configuration.
+* Encrypted peer-to-peer connections without a central VPN gateway.
+* Connection relay fallback in case a peer-to-peer connection is not possible.
+* Network management layer with a neat Web UI panel ([separate repo](https://github.com/netbirdio/dashboard))
+* Desktop client applications for Linux, MacOS, and Windows.
+* Multiuser support - sharing network between multiple users.
+* SSO and MFA support. 
+* Multicloud and hybrid-cloud support.
+* Kernel WireGuard usage when possible.
+* Access Controls - groups & rules (coming soon).
+* Private DNS (coming soon).
+* Mobile clients (coming soon).
+* Network Activity Monitoring (coming soon).

 ### Secure peer-to-peer VPN with SSO and MFA in minutes
-
-https://user-images.githubusercontent.com/700848/197345890-2e2cded5-7b7a-436f-a444-94e80dd24f46.mov
+<p float="left" align="middle">
+  <img src="docs/media/peerA.gif" width="400"/> 
+  <img src="docs/media/peerB.gif" width="400"/>
+</p>

 **Note**: The `main` branch may be in an *unstable or even broken state* during development. 
 For stable versions, see [releases](https://github.com/netbirdio/netbird/releases).

 ### Start using NetBird
-  Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
-  See our documentation for [Quickstart Guide](https://netbird.io/docs/getting-started/quickstart).
-  If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://netbird.io/docs/getting-started/self-hosting).
-  Step-by-step [Installation Guide](https://netbird.io/docs/getting-started/installation) for different platforms.
-  Web UI [repository](https://github.com/netbirdio/dashboard).
-  5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.
+* Hosted version: [https://app.netbird.io/](https://app.netbird.io/).
+* See our documentation for [Quickstart Guide](https://netbird.io/docs/getting-started/quickstart).
+* If you are looking to self-host NetBird, check our [Self-Hosting Guide](https://netbird.io/docs/getting-started/self-hosting).
+* Step-by-step [Installation Guide](https://netbird.io/docs/getting-started/installation) for different platforms.
+* Web UI [repository](https://github.com/netbirdio/dashboard).
+* 5 min [demo video](https://youtu.be/Tu9tPsUWaY0) on YouTube.


 ### A bit on NetBird internals
-  Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
-  Every agent connects to [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to agents (peers).
-  NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
-  Connection candidates are discovered with a help of [STUN](https://en.wikipedia.org/wiki/STUN) servers.
-  Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages with candidates.
-  Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
+* Every machine in the network runs [NetBird Agent (or Client)](client/) that manages WireGuard.
+* NetBird features [Management Service](management/) that holds network state, manages peer IPs, and distributes network updates to peers.
+* Every agent is connected to Management Service.
+* NetBird agent uses WebRTC ICE implemented in [pion/ice library](https://github.com/pion/ice) to discover connection candidates when establishing a peer-to-peer connection between machines.
+* Connection candidates are discovered with a help of [STUN](https://en.wikipedia.org/wiki/STUN) server. 
+* Agents negotiate a connection through [Signal Service](signal/) passing p2p encrypted messages.
+* Signal Service uses public WireGuard keys to route messages between peers.
+* Sometimes the NAT traversal is unsuccessful due to strict NATs (e.g. mobile carrier-grade NAT) and p2p connection isn't possible. When this occurs the system falls back to a relay server called [TURN](https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT), and a secure WireGuard tunnel is established via the TURN server. 
 
 [Coturn](https://github.com/coturn/coturn) is the one that has been successfully used for STUN and TURN in NetBird setups.

@@ -94,21 +105,11 @@ For stable versions, see [releases](https://github.com/netbirdio/netbird/release
 See a complete [architecture overview](https://netbird.io/docs/overview/architecture) for details.

 ### Roadmap
-  [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)
-
-### Community projects
-  [NetBird on OpenWRT](https://github.com/messense/openwrt-netbird)
-  [NetBird installer script](https://github.com/physk/netbird-installer)
-
-### Support acknowledgement
-
-In November 2022, NetBird joined the [StartUpSecure program](https://www.forschung-it-sicherheit-kommunikationssysteme.de/foerderung/bekanntmachungen/startup-secure) sponsored by The Federal Ministry of Education and Research of The Federal Republic of Germany. Together with [CISPA Helmholtz Center for Information Security](https://cispa.de/en) NetBird brings the security best practices and simplicity to private networking.
-
-![CISPA_Logo_BLACK_EN_RZ_RGB (1)](https://user-images.githubusercontent.com/700848/203091324-c6d311a0-22b5-4b05-a288-91cbc6cdcc46.png)
+- [Public Roadmap](https://github.com/netbirdio/netbird/projects/2)

 ### Testimonials
 We use open-source technologies like [WireGuard®](https://www.wireguard.com/), [Pion ICE (WebRTC)](https://github.com/pion/ice), and [Coturn](https://github.com/coturn/coturn). We very much appreciate the work these guys are doing and we'd greatly appreciate if you could support them in any way (e.g. giving a star or a contribution).

 ### Legal
- _WireGuard_ and the _WireGuard_ logo are [registered trademarks](https://www.wireguard.com/trademark-policy/) of Jason A. Donenfeld.
+ [WireGuard](https://wireguard.com/) is a registered trademark of Jason A. Donenfeld.

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,12 +0,0 @@
-# Security Policy
-
-NetBird's goal is to provide a secure network. If you find a vulnerability or bug, please report it by opening an issue [here](https://github.com/netbirdio/netbird/issues/new?assignees=&labels=&template=bug-issue-report.md&title=) or by contacting us by email.
-
-There has yet to be an official bug bounty program for the NetBird project.
-
-## Supported Versions
- We currently support only the latest version
-
-## Reporting a Vulnerability
-
-Please report security issues to `security@netbird.io`
--- a/base62/base62.go
+++ b/base62/base62.go
@@ -1,59 +0,0 @@
-package base62
-
-import (
-	"fmt"
-	"math"
-	"strings"
-)
-
-const (
-	alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
-	base     = uint32(len(alphabet))
-)
-
-// Encode encodes a uint32 value to a base62 string.
-func Encode(num uint32) string {
-	if num == 0 {
-		return string(alphabet[0])
-	}
-
-	var encoded strings.Builder
-	remainder := uint32(0)
-
-	for num > 0 {
-		remainder = num % base
-		encoded.WriteByte(alphabet[remainder])
-		num /= base
-	}
-
-	// Reverse the encoded string
-	encodedString := encoded.String()
-	reversed := reverse(encodedString)
-	return reversed
-}
-
-// Decode decodes a base62 string to a uint32 value.
-func Decode(encoded string) (uint32, error) {
-	var decoded uint32
-	strLen := len(encoded)
-
-	for i, char := range encoded {
-		index := strings.IndexRune(alphabet, char)
-		if index < 0 {
-			return 0, fmt.Errorf("invalid character: %c", char)
-		}
-
-		decoded += uint32(index) * uint32(math.Pow(float64(base), float64(strLen-i-1)))
-	}
-
-	return decoded, nil
-}
-
-// Reverse a string.
-func reverse(s string) string {
-	runes := []rune(s)
-	for i, j := 0, len(runes)-1; i < j; i, j = i+1, j-1 {
-		runes[i], runes[j] = runes[j], runes[i]
-	}
-	return string(runes)
-}
--- a/base62/base62_test.go
+++ b/base62/base62_test.go
@@ -1,31 +0,0 @@
-package base62
-
-import (
-	"testing"
-)
-
-func TestEncodeDecode(t *testing.T) {
-	tests := []struct {
-		num uint32
-	}{
-		{0},
-		{1},
-		{42},
-		{12345},
-		{99999},
-		{123456789},
-	}
-
-	for _, tt := range tests {
-		encoded := Encode(tt.num)
-		decoded, err := Decode(encoded)
-
-		if err != nil {
-			t.Errorf("Decode error: %v", err)
-		}
-
-		if decoded != tt.num {
-			t.Errorf("Decode(%v) = %v, want %v", encoded, decoded, tt.num)
-		}
-	}
-}
--- a/client/Dockerfile
+++ b/client/Dockerfile
@@ -1,7 +1,4 @@
 FROM gcr.io/distroless/base:debug
-ENV NB_FOREGROUND_MODE=true
-ENV PATH=/sbin:/usr/sbin:/bin:/usr/bin:/busybox
-SHELL ["/busybox/sh","-c"]
-RUN sed -i -E 's/(^root:.+)\/sbin\/nologin/\1\/busybox\/sh/g' /etc/passwd
+ENV WT_LOG_FILE=console
 ENTRYPOINT [ "/go/bin/netbird","up"]
-COPY netbird /go/bin/netbird
+COPY netbird /go/bin/netbird
--- a/client/android/client.go
+++ b/client/android/client.go
@@ -1,137 +0,0 @@
-package android
-
-import (
-	"context"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/formatter"
-	"github.com/netbirdio/netbird/iface"
-)
-
-// ConnectionListener export internal Listener for mobile
-type ConnectionListener interface {
-	peer.Listener
-}
-
-// TunAdapter export internal TunAdapter for mobile
-type TunAdapter interface {
-	iface.TunAdapter
-}
-
-// IFaceDiscover export internal IFaceDiscover for mobile
-type IFaceDiscover interface {
-	stdnet.ExternalIFaceDiscover
-}
-
-// RouteListener export internal RouteListener for mobile
-type RouteListener interface {
-	routemanager.RouteListener
-}
-
-func init() {
-	formatter.SetLogcatFormatter(log.StandardLogger())
-}
-
-// Client struct manage the life circle of background service
-type Client struct {
-	cfgFile       string
-	tunAdapter    iface.TunAdapter
-	iFaceDiscover IFaceDiscover
-	recorder      *peer.Status
-	ctxCancel     context.CancelFunc
-	ctxCancelLock *sync.Mutex
-	deviceName    string
-	routeListener routemanager.RouteListener
-}
-
-// NewClient instantiate a new Client
-func NewClient(cfgFile, deviceName string, tunAdapter TunAdapter, iFaceDiscover IFaceDiscover, routeListener RouteListener) *Client {
-	return &Client{
-		cfgFile:       cfgFile,
-		deviceName:    deviceName,
-		tunAdapter:    tunAdapter,
-		iFaceDiscover: iFaceDiscover,
-		recorder:      peer.NewRecorder(""),
-		ctxCancelLock: &sync.Mutex{},
-		routeListener: routeListener,
-	}
-}
-
-// Run start the internal client. It is a blocker function
-func (c *Client) Run(urlOpener URLOpener) error {
-	cfg, err := internal.UpdateOrCreateConfig(internal.ConfigInput{
-		ConfigPath: c.cfgFile,
-	})
-	if err != nil {
-		return err
-	}
-	c.recorder.UpdateManagementAddress(cfg.ManagementURL.String())
-
-	var ctx context.Context
-	//nolint
-	ctxWithValues := context.WithValue(context.Background(), system.DeviceNameCtxKey, c.deviceName)
-	c.ctxCancelLock.Lock()
-	ctx, c.ctxCancel = context.WithCancel(ctxWithValues)
-	defer c.ctxCancel()
-	c.ctxCancelLock.Unlock()
-
-	auth := NewAuthWithConfig(ctx, cfg)
-	err = auth.login(urlOpener)
-	if err != nil {
-		return err
-	}
-
-	// todo do not throw error in case of cancelled context
-	ctx = internal.CtxInitState(ctx)
-	return internal.RunClient(ctx, cfg, c.recorder, c.tunAdapter, c.iFaceDiscover, c.routeListener)
-}
-
-// Stop the internal client and free the resources
-func (c *Client) Stop() {
-	c.ctxCancelLock.Lock()
-	defer c.ctxCancelLock.Unlock()
-	if c.ctxCancel == nil {
-		return
-	}
-
-	c.ctxCancel()
-}
-
-// SetTraceLogLevel configure the logger to trace level
-func (c *Client) SetTraceLogLevel() {
-	log.SetLevel(log.TraceLevel)
-}
-
-// PeersList return with the list of the PeerInfos
-func (c *Client) PeersList() *PeerInfoArray {
-
-	fullStatus := c.recorder.GetFullStatus()
-
-	peerInfos := make([]PeerInfo, len(fullStatus.Peers))
-	for n, p := range fullStatus.Peers {
-		pi := PeerInfo{
-			p.IP,
-			p.FQDN,
-			p.ConnStatus.String(),
-		}
-		peerInfos[n] = pi
-	}
-	return &PeerInfoArray{items: peerInfos}
-}
-
-// SetConnectionListener set the network connection listener
-func (c *Client) SetConnectionListener(listener ConnectionListener) {
-	c.recorder.SetConnectionListener(listener)
-}
-
-// RemoveConnectionListener remove connection listener
-func (c *Client) RemoveConnectionListener() {
-	c.recorder.RemoveConnectionListener()
-}
--- a/client/android/gomobile.go
+++ b/client/android/gomobile.go
@@ -1,5 +0,0 @@
-package android
-
-import _ "golang.org/x/mobile/bind"
-
-// to keep our CI/CD that checks go.mod and go.sum files happy, we need to import the package above
--- a/client/android/login.go
+++ b/client/android/login.go
@@ -1,229 +0,0 @@
-package android
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/cenkalti/backoff/v4"
-
-	log "github.com/sirupsen/logrus"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/cmd"
-	"github.com/netbirdio/netbird/client/system"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-// SSOListener is async listener for mobile framework
-type SSOListener interface {
-	OnSuccess(bool)
-	OnError(error)
-}
-
-// ErrListener is async listener for mobile framework
-type ErrListener interface {
-	OnSuccess()
-	OnError(error)
-}
-
-// URLOpener it is a callback interface. The Open function will be triggered if
-// the backend want to show an url for the user
-type URLOpener interface {
-	Open(string)
-}
-
-// Auth can register or login new client
-type Auth struct {
-	ctx     context.Context
-	config  *internal.Config
-	cfgPath string
-}
-
-// NewAuth instantiate Auth struct and validate the management URL
-func NewAuth(cfgPath string, mgmURL string) (*Auth, error) {
-	inputCfg := internal.ConfigInput{
-		ManagementURL: mgmURL,
-	}
-
-	cfg, err := internal.CreateInMemoryConfig(inputCfg)
-	if err != nil {
-		return nil, err
-	}
-
-	return &Auth{
-		ctx:     context.Background(),
-		config:  cfg,
-		cfgPath: cfgPath,
-	}, nil
-}
-
-// NewAuthWithConfig instantiate Auth based on existing config
-func NewAuthWithConfig(ctx context.Context, config *internal.Config) *Auth {
-	return &Auth{
-		ctx:    ctx,
-		config: config,
-	}
-}
-
-// SaveConfigIfSSOSupported test the connectivity with the management server by retrieving the server device flow info.
-// If it returns a flow info than save the configuration and return true. If it gets a codes.NotFound, it means that SSO
-// is not supported and returns false without saving the configuration. For other errors return false.
-func (a *Auth) SaveConfigIfSSOSupported(listener SSOListener) {
-	go func() {
-		sso, err := a.saveConfigIfSSOSupported()
-		if err != nil {
-			listener.OnError(err)
-		} else {
-			listener.OnSuccess(sso)
-		}
-	}()
-}
-
-func (a *Auth) saveConfigIfSSOSupported() (bool, error) {
-	supportsSSO := true
-	err := a.withBackOff(a.ctx, func() (err error) {
-		_, err = internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
-		if s, ok := gstatus.FromError(err); ok && s.Code() == codes.NotFound {
-			supportsSSO = false
-			err = nil
-		}
-		return err
-	})
-
-	if !supportsSSO {
-		return false, nil
-	}
-
-	if err != nil {
-		return false, fmt.Errorf("backoff cycle failed: %v", err)
-	}
-
-	err = internal.WriteOutConfig(a.cfgPath, a.config)
-	return true, err
-}
-
-// LoginWithSetupKeyAndSaveConfig test the connectivity with the management server with the setup key.
-func (a *Auth) LoginWithSetupKeyAndSaveConfig(resultListener ErrListener, setupKey string, deviceName string) {
-	go func() {
-		err := a.loginWithSetupKeyAndSaveConfig(setupKey, deviceName)
-		if err != nil {
-			resultListener.OnError(err)
-		} else {
-			resultListener.OnSuccess()
-		}
-	}()
-}
-
-func (a *Auth) loginWithSetupKeyAndSaveConfig(setupKey string, deviceName string) error {
-	//nolint
-	ctxWithValues := context.WithValue(a.ctx, system.DeviceNameCtxKey, deviceName)
-
-	err := a.withBackOff(a.ctx, func() error {
-		backoffErr := internal.Login(ctxWithValues, a.config, setupKey, "")
-		if s, ok := gstatus.FromError(backoffErr); ok && (s.Code() == codes.PermissionDenied) {
-			// we got an answer from management, exit backoff earlier
-			return backoff.Permanent(backoffErr)
-		}
-		return backoffErr
-	})
-	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
-	}
-
-	return internal.WriteOutConfig(a.cfgPath, a.config)
-}
-
-// Login try register the client on the server
-func (a *Auth) Login(resultListener ErrListener, urlOpener URLOpener) {
-	go func() {
-		err := a.login(urlOpener)
-		if err != nil {
-			resultListener.OnError(err)
-		} else {
-			resultListener.OnSuccess()
-		}
-	}()
-}
-
-func (a *Auth) login(urlOpener URLOpener) error {
-	var needsLogin bool
-
-	// check if we need to generate JWT token
-	err := a.withBackOff(a.ctx, func() (err error) {
-		needsLogin, err = internal.IsLoginRequired(a.ctx, a.config.PrivateKey, a.config.ManagementURL, a.config.SSHKey)
-		return
-	})
-	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
-	}
-
-	jwtToken := ""
-	if needsLogin {
-		tokenInfo, err := a.foregroundGetTokenInfo(urlOpener)
-		if err != nil {
-			return fmt.Errorf("interactive sso login failed: %v", err)
-		}
-		jwtToken = tokenInfo.GetTokenToUse()
-	}
-
-	err = a.withBackOff(a.ctx, func() error {
-		err := internal.Login(a.ctx, a.config, "", jwtToken)
-		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied) {
-			return nil
-		}
-		return err
-	})
-	if err != nil {
-		return fmt.Errorf("backoff cycle failed: %v", err)
-	}
-
-	return nil
-}
-
-func (a *Auth) foregroundGetTokenInfo(urlOpener URLOpener) (*internal.TokenInfo, error) {
-	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(a.ctx, a.config.PrivateKey, a.config.ManagementURL)
-	if err != nil {
-		s, ok := gstatus.FromError(err)
-		if ok && s.Code() == codes.NotFound {
-			return nil, fmt.Errorf("no SSO provider returned from management. " +
-				"If you are using hosting Netbird see documentation at " +
-				"https://github.com/netbirdio/netbird/tree/main/management for details")
-		} else if ok && s.Code() == codes.Unimplemented {
-			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
-				"please update your servver or use Setup Keys to login", a.config.ManagementURL)
-		} else {
-			return nil, fmt.Errorf("getting device authorization flow info failed with error: %v", err)
-		}
-	}
-
-	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
-
-	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
-	if err != nil {
-		return nil, fmt.Errorf("getting a request device code failed: %v", err)
-	}
-
-	go urlOpener.Open(flowInfo.VerificationURIComplete)
-
-	waitTimeout := time.Duration(flowInfo.ExpiresIn)
-	waitCTX, cancel := context.WithTimeout(a.ctx, waitTimeout*time.Second)
-	defer cancel()
-	tokenInfo, err := hostedClient.WaitToken(waitCTX, flowInfo)
-	if err != nil {
-		return nil, fmt.Errorf("waiting for browser login failed: %v", err)
-	}
-
-	return &tokenInfo, nil
-}
-
-func (a *Auth) withBackOff(ctx context.Context, bf func() error) error {
-	return backoff.RetryNotify(
-		bf,
-		backoff.WithContext(cmd.CLIBackOffSettings, ctx),
-		func(err error, duration time.Duration) {
-			log.Warnf("retrying Login to the Management service in %v due to error %v", duration, err)
-		})
-}
--- a/client/android/peer_notifier.go
+++ b/client/android/peer_notifier.go
@@ -1,36 +0,0 @@
-package android
-
-// PeerInfo describe information about the peers. It designed for the UI usage
-type PeerInfo struct {
-	IP         string
-	FQDN       string
-	ConnStatus string // Todo replace to enum
-}
-
-// PeerInfoCollection made for Java layer to get non default types as collection
-type PeerInfoCollection interface {
-	Add(s string) PeerInfoCollection
-	Get(i int) string
-	Size() int
-}
-
-// PeerInfoArray is the implementation of the PeerInfoCollection
-type PeerInfoArray struct {
-	items []PeerInfo
-}
-
-// Add new PeerInfo to the collection
-func (array PeerInfoArray) Add(s PeerInfo) PeerInfoArray {
-	array.items = append(array.items, s)
-	return array
-}
-
-// Get return an element of the collection
-func (array PeerInfoArray) Get(i int) *PeerInfo {
-	return &array.items[i]
-}
-
-// Size return with the size of the collection
-func (array PeerInfoArray) Size() int {
-	return len(array.items)
-}
--- a/client/android/preferences.go
+++ b/client/android/preferences.go
@@ -1,78 +0,0 @@
-package android
-
-import (
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-// Preferences export a subset of the internal config for gomobile
-type Preferences struct {
-	configInput internal.ConfigInput
-}
-
-// NewPreferences create new Preferences instance
-func NewPreferences(configPath string) *Preferences {
-	ci := internal.ConfigInput{
-		ConfigPath: configPath,
-	}
-	return &Preferences{ci}
-}
-
-// GetManagementURL read url from config file
-func (p *Preferences) GetManagementURL() (string, error) {
-	if p.configInput.ManagementURL != "" {
-		return p.configInput.ManagementURL, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return "", err
-	}
-	return cfg.ManagementURL.String(), err
-}
-
-// SetManagementURL store the given url and wait for commit
-func (p *Preferences) SetManagementURL(url string) {
-	p.configInput.ManagementURL = url
-}
-
-// GetAdminURL read url from config file
-func (p *Preferences) GetAdminURL() (string, error) {
-	if p.configInput.AdminURL != "" {
-		return p.configInput.AdminURL, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return "", err
-	}
-	return cfg.AdminURL.String(), err
-}
-
-// SetAdminURL store the given url and wait for commit
-func (p *Preferences) SetAdminURL(url string) {
-	p.configInput.AdminURL = url
-}
-
-// GetPreSharedKey read preshared key from config file
-func (p *Preferences) GetPreSharedKey() (string, error) {
-	if p.configInput.PreSharedKey != nil {
-		return *p.configInput.PreSharedKey, nil
-	}
-
-	cfg, err := internal.ReadConfig(p.configInput.ConfigPath)
-	if err != nil {
-		return "", err
-	}
-	return cfg.PreSharedKey, err
-}
-
-// SetPreSharedKey store the given key and wait for commit
-func (p *Preferences) SetPreSharedKey(key string) {
-	p.configInput.PreSharedKey = &key
-}
-
-// Commit write out the changes into config file
-func (p *Preferences) Commit() error {
-	_, err := internal.UpdateOrCreateConfig(p.configInput)
-	return err
-}
--- a/client/android/preferences_test.go
+++ b/client/android/preferences_test.go
@@ -1,120 +0,0 @@
-package android
-
-import (
-	"path/filepath"
-	"testing"
-
-	"github.com/netbirdio/netbird/client/internal"
-)
-
-func TestPreferences_DefaultValues(t *testing.T) {
-	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
-	p := NewPreferences(cfgFile)
-	defaultVar, err := p.GetAdminURL()
-	if err != nil {
-		t.Fatalf("failed to read default value: %s", err)
-	}
-
-	if defaultVar != internal.DefaultAdminURL {
-		t.Errorf("invalid default admin url: %s", defaultVar)
-	}
-
-	defaultVar, err = p.GetManagementURL()
-	if err != nil {
-		t.Fatalf("failed to read default management URL: %s", err)
-	}
-
-	if defaultVar != internal.DefaultManagementURL {
-		t.Errorf("invalid default management url: %s", defaultVar)
-	}
-
-	var preSharedKey string
-	preSharedKey, err = p.GetPreSharedKey()
-	if err != nil {
-		t.Fatalf("failed to read default preshared key: %s", err)
-	}
-
-	if preSharedKey != "" {
-		t.Errorf("invalid preshared key: %s", preSharedKey)
-	}
-}
-
-func TestPreferences_ReadUncommitedValues(t *testing.T) {
-	exampleString := "exampleString"
-	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
-	p := NewPreferences(cfgFile)
-
-	p.SetAdminURL(exampleString)
-	resp, err := p.GetAdminURL()
-	if err != nil {
-		t.Fatalf("failed to read admin url: %s", err)
-	}
-
-	if resp != exampleString {
-		t.Errorf("unexpected admin url: %s", resp)
-	}
-
-	p.SetManagementURL(exampleString)
-	resp, err = p.GetManagementURL()
-	if err != nil {
-		t.Fatalf("failed to read managmenet url: %s", err)
-	}
-
-	if resp != exampleString {
-		t.Errorf("unexpected managemenet url: %s", resp)
-	}
-
-	p.SetPreSharedKey(exampleString)
-	resp, err = p.GetPreSharedKey()
-	if err != nil {
-		t.Fatalf("failed to read preshared key: %s", err)
-	}
-
-	if resp != exampleString {
-		t.Errorf("unexpected preshared key: %s", resp)
-	}
-}
-
-func TestPreferences_Commit(t *testing.T) {
-	exampleURL := "https://myurl.com:443"
-	examplePresharedKey := "topsecret"
-	cfgFile := filepath.Join(t.TempDir(), "netbird.json")
-	p := NewPreferences(cfgFile)
-
-	p.SetAdminURL(exampleURL)
-	p.SetManagementURL(exampleURL)
-	p.SetPreSharedKey(examplePresharedKey)
-
-	err := p.Commit()
-	if err != nil {
-		t.Fatalf("failed to save changes: %s", err)
-	}
-
-	p = NewPreferences(cfgFile)
-	resp, err := p.GetAdminURL()
-	if err != nil {
-		t.Fatalf("failed to read admin url: %s", err)
-	}
-
-	if resp != exampleURL {
-		t.Errorf("unexpected admin url: %s", resp)
-	}
-
-	resp, err = p.GetManagementURL()
-	if err != nil {
-		t.Fatalf("failed to read managmenet url: %s", err)
-	}
-
-	if resp != exampleURL {
-		t.Errorf("unexpected managemenet url: %s", resp)
-	}
-
-	resp, err = p.GetPreSharedKey()
-	if err != nil {
-		t.Fatalf("failed to read preshared key: %s", err)
-	}
-
-	if resp != examplePresharedKey {
-		t.Errorf("unexpected preshared key: %s", resp)
-	}
-}
--- a/client/cmd/down.go
+++ b/client/cmd/down.go
@@ -15,7 +15,7 @@ var downCmd = &cobra.Command{
 	Use:   "down",
 	Short: "down netbird connections",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

--- a/client/cmd/login.go
+++ b/client/cmd/login.go
@@ -3,12 +3,10 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"strings"
-	"time"
-
 	"github.com/skratchdot/open-golang/open"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
+	"time"

 	"github.com/netbirdio/netbird/util"

@@ -16,14 +14,13 @@ import (

 	"github.com/netbirdio/netbird/client/internal"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/system"
 )

 var loginCmd = &cobra.Command{
 	Use:   "login",
 	Short: "login to the Netbird Management Service (first run)",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

@@ -34,11 +31,6 @@ var loginCmd = &cobra.Command{

 		ctx := internal.CtxInitState(context.Background())

-		if hostName != "" {
-			// nolint
-			ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
-		}
-
 		// workaround to run without service
 		if logFile == "console" {
 			err = handleRebrand(cmd)
@@ -46,22 +38,11 @@ var loginCmd = &cobra.Command{
 				return err
 			}

-			ic := internal.ConfigInput{
-				ManagementURL: managementURL,
-				AdminURL:      adminURL,
-				ConfigPath:    configPath,
-			}
-			if preSharedKey != "" {
-				ic.PreSharedKey = &preSharedKey
-			}
-
-			config, err := internal.UpdateOrCreateConfig(ic)
+			config, err := internal.GetConfig(managementURL, adminURL, configPath, preSharedKey)
 			if err != nil {
 				return fmt.Errorf("get config file: %v", err)
 			}

-			config, _ = internal.UpdateOldManagementPort(ctx, config, configPath)
-
 			err = foregroundLogin(ctx, cmd, config, setupKey)
 			if err != nil {
 				return fmt.Errorf("foreground login failed: %v", err)
@@ -111,7 +92,7 @@ var loginCmd = &cobra.Command{
 		}

 		if loginResp.NeedsSSOLogin {
-			openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
+			openURL(cmd, loginResp.VerificationURIComplete)

 			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 			if err != nil {
@@ -146,7 +127,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 		if err != nil {
 			return fmt.Errorf("interactive sso login failed: %v", err)
 		}
-		jwtToken = tokenInfo.GetTokenToUse()
+		jwtToken = tokenInfo.AccessToken
 	}

 	err = WithBackOff(func() error {
@@ -164,7 +145,7 @@ func foregroundLogin(ctx context.Context, cmd *cobra.Command, config *internal.C
 }

 func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *internal.Config) (*internal.TokenInfo, error) {
-	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config.PrivateKey, config.ManagementURL)
+	providerConfig, err := internal.GetDeviceAuthorizationFlowInfo(ctx, config)
 	if err != nil {
 		s, ok := gstatus.FromError(err)
 		if ok && s.Code() == codes.NotFound {
@@ -174,7 +155,7 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		} else if ok && s.Code() == codes.Unimplemented {
 			mgmtURL := managementURL
 			if mgmtURL == "" {
-				mgmtURL = internal.DefaultManagementURL
+				mgmtURL = internal.ManagementURLDefault().String()
 			}
 			return nil, fmt.Errorf("the management server, %s, does not support SSO providers, "+
 				"please update your servver or use Setup Keys to login", mgmtURL)
@@ -183,14 +164,18 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 		}
 	}

-	hostedClient := internal.NewHostedDeviceFlow(providerConfig.ProviderConfig)
+	hostedClient := internal.NewHostedDeviceFlow(
+		providerConfig.ProviderConfig.Audience,
+		providerConfig.ProviderConfig.ClientID,
+		providerConfig.ProviderConfig.Domain,
+	)

 	flowInfo, err := hostedClient.RequestDeviceCode(context.TODO())
 	if err != nil {
 		return nil, fmt.Errorf("getting a request device code failed: %v", err)
 	}

-	openURL(cmd, flowInfo.VerificationURIComplete, flowInfo.UserCode)
+	openURL(cmd, flowInfo.VerificationURIComplete)

 	waitTimeout := time.Duration(flowInfo.ExpiresIn)
 	waitCTX, c := context.WithTimeout(context.TODO(), waitTimeout*time.Second)
@@ -204,16 +189,11 @@ func foregroundGetTokenInfo(ctx context.Context, cmd *cobra.Command, config *int
 	return &tokenInfo, nil
 }

-func openURL(cmd *cobra.Command, verificationURIComplete, userCode string) {
-	var codeMsg string
-	if !strings.Contains(verificationURIComplete, userCode) {
-		codeMsg = fmt.Sprintf("and enter the code %s to authenticate.", userCode)
-	}
-
+func openURL(cmd *cobra.Command, verificationURIComplete string) {
 	err := open.Run(verificationURIComplete)
 	cmd.Printf("Please do the SSO login in your browser. \n" +
 		"If your browser didn't open automatically, use this URL to log in:\n\n" +
-		" " + verificationURIComplete + " " + codeMsg + " \n\n")
+		" " + verificationURIComplete + " \n\n")
 	if err != nil {
 		cmd.Printf("Alternatively, you may want to use a setup key, see:\n\n https://www.netbird.io/docs/overview/setup-keys\n")
 	}
--- a/client/cmd/root.go
+++ b/client/cmd/root.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"io/ioutil"
 	"os"
 	"os/signal"
 	"path"
@@ -24,11 +25,6 @@ import (
 	"github.com/netbirdio/netbird/client/internal"
 )

-const (
-	externalIPMapFlag  = "external-ip-map"
-	dnsResolverAddress = "dns-resolver-address"
-)
-
 var (
 	configPath              string
 	defaultConfigPathDir    string
@@ -45,10 +41,7 @@ var (
 	managementURL           string
 	adminURL                string
 	setupKey                string
-	hostName                string
 	preSharedKey            string
-	natExternalIPs          []string
-	customDNSAddress        string
 	rootCmd                 = &cobra.Command{
 		Use:          "netbird",
 		Short:        "",
@@ -88,36 +81,21 @@ func init() {
 		defaultDaemonAddr = "tcp://127.0.0.1:41731"
 	}
 	rootCmd.PersistentFlags().StringVar(&daemonAddr, "daemon-addr", defaultDaemonAddr, "Daemon service address to serve CLI requests [unix|tcp]://[path|host:port]")
-	rootCmd.PersistentFlags().StringVarP(&managementURL, "management-url", "m", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.DefaultManagementURL))
-	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "", fmt.Sprintf("Admin Panel URL [http|https]://[host]:[port] (default \"%s\")", internal.DefaultAdminURL))
-	rootCmd.PersistentFlags().StringVarP(&configPath, "config", "c", defaultConfigPath, "Netbird config file location")
-	rootCmd.PersistentFlags().StringVarP(&logLevel, "log-level", "l", "info", "sets Netbird log level")
+	rootCmd.PersistentFlags().StringVar(&managementURL, "management-url", "", fmt.Sprintf("Management Service URL [http|https]://[host]:[port] (default \"%s\")", internal.ManagementURLDefault().String()))
+	rootCmd.PersistentFlags().StringVar(&adminURL, "admin-url", "https://app.netbird.io", "Admin Panel URL [http|https]://[host]:[port]")
+	rootCmd.PersistentFlags().StringVar(&configPath, "config", defaultConfigPath, "Netbird config file location")
+	rootCmd.PersistentFlags().StringVar(&logLevel, "log-level", "info", "sets Netbird log level")
 	rootCmd.PersistentFlags().StringVar(&logFile, "log-file", defaultLogFile, "sets Netbird log path. If console is specified the the log will be output to stdout")
-	rootCmd.PersistentFlags().StringVarP(&setupKey, "setup-key", "k", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
+	rootCmd.PersistentFlags().StringVar(&setupKey, "setup-key", "", "Setup key obtained from the Management Service Dashboard (used to register peer)")
 	rootCmd.PersistentFlags().StringVar(&preSharedKey, "preshared-key", "", "Sets Wireguard PreSharedKey property. If set, then only peers that have the same key can communicate.")
-	rootCmd.PersistentFlags().StringVarP(&hostName, "hostname", "n", "", "Sets a custom hostname for the device")
 	rootCmd.AddCommand(serviceCmd)
 	rootCmd.AddCommand(upCmd)
 	rootCmd.AddCommand(downCmd)
 	rootCmd.AddCommand(statusCmd)
 	rootCmd.AddCommand(loginCmd)
 	rootCmd.AddCommand(versionCmd)
-	rootCmd.AddCommand(sshCmd)
 	serviceCmd.AddCommand(runCmd, startCmd, stopCmd, restartCmd) // service control commands are subcommands of service
 	serviceCmd.AddCommand(installCmd, uninstallCmd)              // service installer commands are subcommands of service
-	upCmd.PersistentFlags().StringSliceVar(&natExternalIPs, externalIPMapFlag, nil,
-		`Sets external IPs maps between local addresses and interfaces.`+
-			`You can specify a comma-separated list with a single IP and IP/IP or IP/Interface Name. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --external-ip-map 12.34.56.78/10.0.0.1 or --external-ip-map 12.34.56.200,12.34.56.78/10.0.0.1,12.34.56.80/eth1 `+
-			`or --external-ip-map ""`,
-	)
-	upCmd.PersistentFlags().StringVar(&customDNSAddress, dnsResolverAddress, "",
-		`Sets a custom address for NetBird's local DNS resolver. `+
-			`If set, the agent won't attempt to discover the best ip and port to listen on. `+
-			`An empty string "" clears the previous configuration. `+
-			`E.g. --dns-resolver-address 127.0.0.1:5053 or --dns-resolver-address ""`,
-	)
 }

 // SetupCloseHandler handles SIGTERM signal and exits with success
@@ -137,8 +115,8 @@ func SetupCloseHandler(ctx context.Context, cancel context.CancelFunc) {
 }

 // SetFlagsFromEnvVars reads and updates flag values from environment variables with prefix WT_
-func SetFlagsFromEnvVars(cmd *cobra.Command) {
-	flags := cmd.PersistentFlags()
+func SetFlagsFromEnvVars() {
+	flags := rootCmd.PersistentFlags()
 	flags.VisitAll(func(f *pflag.Flag) {
 		oldEnvVar := FlagNameToEnvVar(f.Name, "WT_")

@@ -257,7 +235,7 @@ func copySymLink(source, dest string) error {

 func cpDir(src string, dst string) error {
 	var err error
-	var fds []os.DirEntry
+	var fds []os.FileInfo
 	var srcinfo os.FileInfo

 	if srcinfo, err = os.Stat(src); err != nil {
@@ -268,7 +246,7 @@ func cpDir(src string, dst string) error {
 		return err
 	}

-	if fds, err = os.ReadDir(src); err != nil {
+	if fds, err = ioutil.ReadDir(src); err != nil {
 		return err
 	}
 	for _, fd := range fds {
--- a/client/cmd/root_test.go
+++ b/client/cmd/root_test.go
@@ -1,36 +0,0 @@
-package cmd
-
-import (
-	"fmt"
-	"io"
-	"testing"
-)
-
-func TestInitCommands(t *testing.T) {
-	helpFlag := "-h"
-	commandArgs := [][]string{{"root", helpFlag}}
-	for _, command := range rootCmd.Commands() {
-		commandArgs = append(commandArgs, []string{command.Name(), command.Name(), helpFlag})
-		for _, subcommand := range command.Commands() {
-			commandArgs = append(commandArgs, []string{command.Name() + " " + subcommand.Name(), command.Name(), subcommand.Name(), helpFlag})
-		}
-	}
-
-	for _, args := range commandArgs {
-		t.Run(fmt.Sprintf("Testing Command %s", args[0]), func(t *testing.T) {
-			defer func() {
-				err := recover()
-				if err != nil {
-					t.Fatalf("got an panic error while running the command: %s -h. Error: %s", args[0], err)
-				}
-			}()
-
-			rootCmd.SetArgs(args[1:])
-			rootCmd.SetOut(io.Discard)
-			if err := rootCmd.Execute(); err != nil {
-				t.Errorf("expected no error while running %s command, got %v", args[0], err)
-				return
-			}
-		})
-	}
-}
--- a/client/cmd/service.go
+++ b/client/cmd/service.go
@@ -32,7 +32,6 @@ func newSVCConfig() *service.Config {
 		Name:        name,
 		DisplayName: "Netbird",
 		Description: "A WireGuard-based mesh network that connects your devices into a single private network.",
-		Option:      make(service.KeyValue),
 	}
 }

--- a/client/cmd/service_controller.go
+++ b/client/cmd/service_controller.go
@@ -54,7 +54,7 @@ func (p *program) Start(svc service.Service) error {
 			}
 		}

-		serverInstance := server.New(p.ctx, configPath, logFile)
+		serverInstance := server.New(p.ctx, managementURL, adminURL, configPath, logFile)
 		if err := serverInstance.Start(); err != nil {
 			log.Fatalf("failed to start daemon: %v", err)
 		}
@@ -84,7 +84,7 @@ var runCmd = &cobra.Command{
 	Use:   "run",
 	Short: "runs Netbird as service",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

@@ -118,7 +118,7 @@ var startCmd = &cobra.Command{
 	Use:   "start",
 	Short: "starts Netbird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

@@ -153,7 +153,7 @@ var stopCmd = &cobra.Command{
 	Use:   "stop",
 	Short: "stops Netbird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

@@ -186,7 +186,7 @@ var restartCmd = &cobra.Command{
 	Use:   "restart",
 	Short: "restarts Netbird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

--- a/client/cmd/service_installer.go
+++ b/client/cmd/service_installer.go
@@ -2,8 +2,6 @@ package cmd

 import (
 	"context"
-	"os"
-	"path/filepath"
 	"runtime"

 	"github.com/spf13/cobra"
@@ -13,7 +11,7 @@ var installCmd = &cobra.Command{
 	Use:   "install",
 	Short: "installs Netbird service",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

@@ -34,34 +32,13 @@ var installCmd = &cobra.Command{
 		}

 		if managementURL != "" {
-			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url", managementURL)
-		}
-
-		if logFile != "console" {
-			svcConfig.Arguments = append(svcConfig.Arguments, "--log-file", logFile)
+			svcConfig.Arguments = append(svcConfig.Arguments, "--management-url")
+			svcConfig.Arguments = append(svcConfig.Arguments, managementURL)
 		}

 		if runtime.GOOS == "linux" {
 			// Respected only by systemd systems
 			svcConfig.Dependencies = []string{"After=network.target syslog.target"}
-
-			if logFile != "console" {
-				setStdLogPath := true
-				dir := filepath.Dir(logFile)
-
-				_, err := os.Stat(dir)
-				if err != nil {
-					err = os.MkdirAll(dir, 0750)
-					if err != nil {
-						setStdLogPath = false
-					}
-				}
-
-				if setStdLogPath {
-					svcConfig.Option["LogOutput"] = true
-					svcConfig.Option["LogDirectory"] = dir
-				}
-			}
 		}

 		ctx, cancel := context.WithCancel(cmd.Context())
@@ -86,7 +63,7 @@ var uninstallCmd = &cobra.Command{
 	Use:   "uninstall",
 	Short: "uninstalls Netbird service from system",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
+		SetFlagsFromEnvVars()

 		cmd.SetOut(cmd.OutOrStdout())

--- a/client/cmd/ssh.go
+++ b/client/cmd/ssh.go
@@ -1,120 +0,0 @@
-package cmd
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"os"
-	"os/signal"
-	"strings"
-	"syscall"
-
-	log "github.com/sirupsen/logrus"
-	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/client/internal"
-	nbssh "github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/util"
-)
-
-var (
-	port int
-	user = "root"
-	host string
-)
-
-var sshCmd = &cobra.Command{
-	Use: "ssh",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errors.New("requires a host argument")
-		}
-
-		split := strings.Split(args[0], "@")
-		if len(split) == 2 {
-			user = split[0]
-			host = split[1]
-		} else {
-			host = args[0]
-		}
-
-		return nil
-	},
-	Short: "connect to a remote SSH server",
-	RunE: func(cmd *cobra.Command, args []string) error {
-		SetFlagsFromEnvVars(rootCmd)
-		SetFlagsFromEnvVars(cmd)
-
-		cmd.SetOut(cmd.OutOrStdout())
-
-		err := util.InitLog(logLevel, "console")
-		if err != nil {
-			return fmt.Errorf("failed initializing log %v", err)
-		}
-
-		if !util.IsAdmin() {
-			cmd.Printf("error: you must have Administrator privileges to run this command\n")
-			return nil
-		}
-
-		ctx := internal.CtxInitState(cmd.Context())
-
-		config, err := internal.UpdateConfig(internal.ConfigInput{
-			ConfigPath: configPath,
-		})
-		if err != nil {
-			return err
-		}
-
-		sig := make(chan os.Signal, 1)
-		signal.Notify(sig, syscall.SIGTERM, syscall.SIGINT)
-		sshctx, cancel := context.WithCancel(ctx)
-
-		go func() {
-			// blocking
-			if err := runSSH(sshctx, host, []byte(config.SSHKey), cmd); err != nil {
-				log.Print(err)
-			}
-			cancel()
-		}()
-
-		select {
-		case <-sig:
-			cancel()
-		case <-sshctx.Done():
-		}
-
-		return nil
-	},
-}
-
-func runSSH(ctx context.Context, addr string, pemKey []byte, cmd *cobra.Command) error {
-	c, err := nbssh.DialWithKey(fmt.Sprintf("%s:%d", addr, port), user, pemKey)
-	if err != nil {
-		cmd.Printf("Error: %v\n", err)
-		cmd.Printf("Couldn't connect. " +
-			"You might be disconnected from the NetBird network, or the NetBird agent isn't running.\n" +
-			"Run the status command: \n\n" +
-			" netbird status\n\n" +
-			"It might also be that the SSH server is disabled on the agent you are trying to connect to.\n")
-		return nil
-	}
-	go func() {
-		<-ctx.Done()
-		err = c.Close()
-		if err != nil {
-			return
-		}
-	}()
-
-	err = c.OpenTerminal()
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func init() {
-	sshCmd.PersistentFlags().IntVarP(&port, "port", "p", nbssh.DefaultSSHPort, "Sets remote SSH port. Defaults to "+fmt.Sprint(nbssh.DefaultSSHPort))
-}
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -2,434 +2,54 @@ package cmd

 import (
 	"context"
-	"encoding/json"
 	"fmt"
-	"net"
-	"net/netip"
-	"sort"
-	"strings"
-	"time"
+	"github.com/netbirdio/netbird/util"

 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"gopkg.in/yaml.v3"

 	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
 	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/util"
-	"github.com/netbirdio/netbird/version"
-)
-
-type peerStateDetailOutput struct {
-	FQDN             string           `json:"fqdn" yaml:"fqdn"`
-	IP               string           `json:"netbirdIp" yaml:"netbirdIp"`
-	PubKey           string           `json:"publicKey" yaml:"publicKey"`
-	Status           string           `json:"status" yaml:"status"`
-	LastStatusUpdate time.Time        `json:"lastStatusUpdate" yaml:"lastStatusUpdate"`
-	ConnType         string           `json:"connectionType" yaml:"connectionType"`
-	Direct           bool             `json:"direct" yaml:"direct"`
-	IceCandidateType iceCandidateType `json:"iceCandidateType" yaml:"iceCandidateType"`
-}
-
-type peersStateOutput struct {
-	Total     int                     `json:"total" yaml:"total"`
-	Connected int                     `json:"connected" yaml:"connected"`
-	Details   []peerStateDetailOutput `json:"details" yaml:"details"`
-}
-
-type signalStateOutput struct {
-	URL       string `json:"url" yaml:"url"`
-	Connected bool   `json:"connected" yaml:"connected"`
-}
-
-type managementStateOutput struct {
-	URL       string `json:"url" yaml:"url"`
-	Connected bool   `json:"connected" yaml:"connected"`
-}
-
-type iceCandidateType struct {
-	Local  string `json:"local" yaml:"local"`
-	Remote string `json:"remote" yaml:"remote"`
-}
-
-type statusOutputOverview struct {
-	Peers           peersStateOutput      `json:"peers" yaml:"peers"`
-	CliVersion      string                `json:"cliVersion" yaml:"cliVersion"`
-	DaemonVersion   string                `json:"daemonVersion" yaml:"daemonVersion"`
-	ManagementState managementStateOutput `json:"management" yaml:"management"`
-	SignalState     signalStateOutput     `json:"signal" yaml:"signal"`
-	IP              string                `json:"netbirdIp" yaml:"netbirdIp"`
-	PubKey          string                `json:"publicKey" yaml:"publicKey"`
-	KernelInterface bool                  `json:"usesKernelInterface" yaml:"usesKernelInterface"`
-	FQDN            string                `json:"fqdn" yaml:"fqdn"`
-}
-
-var (
-	detailFlag   bool
-	ipv4Flag     bool
-	jsonFlag     bool
-	yamlFlag     bool
-	ipsFilter    []string
-	statusFilter string
-	ipsFilterMap map[string]struct{}
 )

 var statusCmd = &cobra.Command{
 	Use:   "status",
 	Short: "status of the Netbird Service",
-	RunE:  statusFunc,
-}
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()

-func init() {
-	ipsFilterMap = make(map[string]struct{})
-	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information in human-readable format")
-	statusCmd.PersistentFlags().BoolVar(&jsonFlag, "json", false, "display detailed status information in json format")
-	statusCmd.PersistentFlags().BoolVar(&yamlFlag, "yaml", false, "display detailed status information in yaml format")
-	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.MarkFlagsMutuallyExclusive("detail", "json", "yaml", "ipv4")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g., --filter-by-status connected")
-}
+		cmd.SetOut(cmd.OutOrStdout())

-func statusFunc(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
+		err := util.InitLog(logLevel, "console")
+		if err != nil {
+			return fmt.Errorf("failed initializing log %v", err)
+		}

-	cmd.SetOut(cmd.OutOrStdout())
+		ctx := internal.CtxInitState(context.Background())

-	err := parseFilters()
-	if err != nil {
-		return err
-	}
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer conn.Close()

-	err = util.InitLog(logLevel, "console")
-	if err != nil {
-		return fmt.Errorf("failed initializing log %v", err)
-	}
+		resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{})
+		if err != nil {
+			return fmt.Errorf("status failed: %v", status.Convert(err).Message())
+		}

-	ctx := internal.CtxInitState(context.Background())
+		cmd.Printf("Status: %s\n\n", resp.GetStatus())
+		if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
+
+			cmd.Printf("Run UP command to log in with SSO (interactive login):\n\n" +
+				" netbird up \n\n" +
+				"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n" +
+				"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n" +
+				"More info: https://www.netbird.io/docs/overview/setup-keys\n\n")
+		}

-	resp, _ := getStatus(ctx, cmd)
-	if err != nil {
 		return nil
-	}
-
-	if resp.GetStatus() == string(internal.StatusNeedsLogin) || resp.GetStatus() == string(internal.StatusLoginFailed) {
-		cmd.Printf("Daemon status: %s\n\n"+
-			"Run UP command to log in with SSO (interactive login):\n\n"+
-			" netbird up \n\n"+
-			"If you are running a self-hosted version and no SSO provider has been configured in your Management Server,\n"+
-			"you can use a setup-key:\n\n netbird up --management-url <YOUR_MANAGEMENT_URL> --setup-key <YOUR_SETUP_KEY>\n\n"+
-			"More info: https://www.netbird.io/docs/overview/setup-keys\n\n",
-			resp.GetStatus(),
-		)
-		return nil
-	}
-
-	if ipv4Flag {
-		cmd.Print(parseInterfaceIP(resp.GetFullStatus().GetLocalPeerState().GetIP()))
-		return nil
-	}
-
-	outputInformationHolder := convertToStatusOutputOverview(resp)
-
-	statusOutputString := ""
-	switch {
-	case detailFlag:
-		statusOutputString = parseToFullDetailSummary(outputInformationHolder)
-	case jsonFlag:
-		statusOutputString, err = parseToJSON(outputInformationHolder)
-	case yamlFlag:
-		statusOutputString, err = parseToYAML(outputInformationHolder)
-	default:
-		statusOutputString = parseGeneralSummary(outputInformationHolder, false)
-	}
-
-	if err != nil {
-		return err
-	}
-
-	cmd.Print(statusOutputString)
-
-	return nil
-}
-
-func getStatus(ctx context.Context, cmd *cobra.Command) (*proto.StatusResponse, error) {
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to daemon error: %v\n"+
-			"If the daemon is not running please run: "+
-			"\nnetbird service install \nnetbird service start\n", err)
-	}
-	defer conn.Close()
-
-	resp, err := proto.NewDaemonServiceClient(conn).Status(cmd.Context(), &proto.StatusRequest{GetFullPeerStatus: true})
-	if err != nil {
-		return nil, fmt.Errorf("status failed: %v", status.Convert(err).Message())
-	}
-
-	return resp, nil
-}
-
-func parseFilters() error {
-	switch strings.ToLower(statusFilter) {
-	case "", "disconnected", "connected":
-	default:
-		return fmt.Errorf("wrong status filter, should be one of connected|disconnected, got: %s", statusFilter)
-	}
-
-	if len(ipsFilter) > 0 {
-		for _, addr := range ipsFilter {
-			_, err := netip.ParseAddr(addr)
-			if err != nil {
-				return fmt.Errorf("got an invalid IP address in the filter: address %s, error %s", addr, err)
-			}
-			ipsFilterMap[addr] = struct{}{}
-		}
-	}
-	return nil
-}
-
-func convertToStatusOutputOverview(resp *proto.StatusResponse) statusOutputOverview {
-	pbFullStatus := resp.GetFullStatus()
-
-	managementState := pbFullStatus.GetManagementState()
-	managementOverview := managementStateOutput{
-		URL:       managementState.GetURL(),
-		Connected: managementState.GetConnected(),
-	}
-
-	signalState := pbFullStatus.GetSignalState()
-	signalOverview := signalStateOutput{
-		URL:       signalState.GetURL(),
-		Connected: signalState.GetConnected(),
-	}
-
-	peersOverview := mapPeers(resp.GetFullStatus().GetPeers())
-
-	overview := statusOutputOverview{
-		Peers:           peersOverview,
-		CliVersion:      version.NetbirdVersion(),
-		DaemonVersion:   resp.GetDaemonVersion(),
-		ManagementState: managementOverview,
-		SignalState:     signalOverview,
-		IP:              pbFullStatus.GetLocalPeerState().GetIP(),
-		PubKey:          pbFullStatus.GetLocalPeerState().GetPubKey(),
-		KernelInterface: pbFullStatus.GetLocalPeerState().GetKernelInterface(),
-		FQDN:            pbFullStatus.GetLocalPeerState().GetFqdn(),
-	}
-
-	return overview
-}
-
-func mapPeers(peers []*proto.PeerState) peersStateOutput {
-	var peersStateDetail []peerStateDetailOutput
-	localICE := ""
-	remoteICE := ""
-	connType := ""
-	peersConnected := 0
-	for _, pbPeerState := range peers {
-		isPeerConnected := pbPeerState.ConnStatus == peer.StatusConnected.String()
-		if skipDetailByFilters(pbPeerState, isPeerConnected) {
-			continue
-		}
-		if isPeerConnected {
-			peersConnected = peersConnected + 1
-
-			localICE = pbPeerState.GetLocalIceCandidateType()
-			remoteICE = pbPeerState.GetRemoteIceCandidateType()
-			connType = "P2P"
-			if pbPeerState.Relayed {
-				connType = "Relayed"
-			}
-		}
-
-		timeLocal := pbPeerState.GetConnStatusUpdate().AsTime().Local()
-		peerState := peerStateDetailOutput{
-			IP:               pbPeerState.GetIP(),
-			PubKey:           pbPeerState.GetPubKey(),
-			Status:           pbPeerState.GetConnStatus(),
-			LastStatusUpdate: timeLocal,
-			ConnType:         connType,
-			Direct:           pbPeerState.GetDirect(),
-			IceCandidateType: iceCandidateType{
-				Local:  localICE,
-				Remote: remoteICE,
-			},
-			FQDN: pbPeerState.GetFqdn(),
-		}
-
-		peersStateDetail = append(peersStateDetail, peerState)
-	}
-
-	sortPeersByIP(peersStateDetail)
-
-	peersOverview := peersStateOutput{
-		Total:     len(peersStateDetail),
-		Connected: peersConnected,
-		Details:   peersStateDetail,
-	}
-	return peersOverview
-}
-
-func sortPeersByIP(peersStateDetail []peerStateDetailOutput) {
-	if len(peersStateDetail) > 0 {
-		sort.SliceStable(peersStateDetail, func(i, j int) bool {
-			iAddr, _ := netip.ParseAddr(peersStateDetail[i].IP)
-			jAddr, _ := netip.ParseAddr(peersStateDetail[j].IP)
-			return iAddr.Compare(jAddr) == -1
-		})
-	}
-}
-
-func parseInterfaceIP(interfaceIP string) string {
-	ip, _, err := net.ParseCIDR(interfaceIP)
-	if err != nil {
-		return ""
-	}
-	return fmt.Sprintf("%s\n", ip)
-}
-
-func parseToJSON(overview statusOutputOverview) (string, error) {
-	jsonBytes, err := json.Marshal(overview)
-	if err != nil {
-		return "", fmt.Errorf("json marshal failed")
-	}
-	return string(jsonBytes), err
-}
-
-func parseToYAML(overview statusOutputOverview) (string, error) {
-	yamlBytes, err := yaml.Marshal(overview)
-	if err != nil {
-		return "", fmt.Errorf("yaml marshal failed")
-	}
-	return string(yamlBytes), nil
-}
-
-func parseGeneralSummary(overview statusOutputOverview, showURL bool) string {
-
-	managementConnString := "Disconnected"
-	if overview.ManagementState.Connected {
-		managementConnString = "Connected"
-		if showURL {
-			managementConnString = fmt.Sprintf("%s to %s", managementConnString, overview.ManagementState.URL)
-		}
-	}
-
-	signalConnString := "Disconnected"
-	if overview.SignalState.Connected {
-		signalConnString = "Connected"
-		if showURL {
-			signalConnString = fmt.Sprintf("%s to %s", signalConnString, overview.SignalState.URL)
-		}
-	}
-
-	interfaceTypeString := "Userspace"
-	interfaceIP := overview.IP
-	if overview.KernelInterface {
-		interfaceTypeString = "Kernel"
-	} else if overview.IP == "" {
-		interfaceTypeString = "N/A"
-		interfaceIP = "N/A"
-	}
-
-	peersCountString := fmt.Sprintf("%d/%d Connected", overview.Peers.Connected, overview.Peers.Total)
-
-	summary := fmt.Sprintf(
-		"Daemon version: %s\n"+
-			"CLI version: %s\n"+
-			"Management: %s\n"+
-			"Signal: %s\n"+
-			"FQDN: %s\n"+
-			"NetBird IP: %s\n"+
-			"Interface type: %s\n"+
-			"Peers count: %s\n",
-		overview.DaemonVersion,
-		version.NetbirdVersion(),
-		managementConnString,
-		signalConnString,
-		overview.FQDN,
-		interfaceIP,
-		interfaceTypeString,
-		peersCountString,
-	)
-	return summary
-}
-
-func parseToFullDetailSummary(overview statusOutputOverview) string {
-	parsedPeersString := parsePeers(overview.Peers)
-	summary := parseGeneralSummary(overview, true)
-
-	return fmt.Sprintf(
-		"Peers detail:"+
-			"%s\n"+
-			"%s",
-		parsedPeersString,
-		summary,
-	)
-}
-
-func parsePeers(peers peersStateOutput) string {
-	var (
-		peersString = ""
-	)
-
-	for _, peerState := range peers.Details {
-
-		localICE := "-"
-		if peerState.IceCandidateType.Local != "" {
-			localICE = peerState.IceCandidateType.Local
-		}
-
-		remoteICE := "-"
-		if peerState.IceCandidateType.Remote != "" {
-			remoteICE = peerState.IceCandidateType.Remote
-		}
-
-		peerString := fmt.Sprintf(
-			"\n %s:\n"+
-				"  NetBird IP: %s\n"+
-				"  Public key: %s\n"+
-				"  Status: %s\n"+
-				"  -- detail --\n"+
-				"  Connection type: %s\n"+
-				"  Direct: %t\n"+
-				"  ICE candidate (Local/Remote): %s/%s\n"+
-				"  Last connection update: %s\n",
-			peerState.FQDN,
-			peerState.IP,
-			peerState.PubKey,
-			peerState.Status,
-			peerState.ConnType,
-			peerState.Direct,
-			localICE,
-			remoteICE,
-			peerState.LastStatusUpdate.Format("2006-01-02 15:04:05"),
-		)
-
-		peersString = peersString + peerString
-	}
-	return peersString
-}
-
-func skipDetailByFilters(peerState *proto.PeerState, isConnected bool) bool {
-	statusEval := false
-	ipEval := false
-
-	if statusFilter != "" {
-		lowerStatusFilter := strings.ToLower(statusFilter)
-		if lowerStatusFilter == "disconnected" && isConnected {
-			statusEval = true
-		} else if lowerStatusFilter == "connected" && !isConnected {
-			statusEval = true
-		}
-	}
-
-	if len(ipsFilter) > 0 {
-		_, ok := ipsFilterMap[peerState.IP]
-		if !ok {
-			ipEval = true
-		}
-	}
-	return statusEval || ipEval
+	},
 }
--- a/client/cmd/status_test.go
+++ b/client/cmd/status_test.go
@@ -1,310 +0,0 @@
-package cmd
-
-import (
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/version"
-)
-
-func init() {
-	loc, err := time.LoadLocation("UTC")
-	if err != nil {
-		panic(err)
-	}
-
-	time.Local = loc
-}
-
-var resp = &proto.StatusResponse{
-	Status: "Connected",
-	FullStatus: &proto.FullStatus{
-		Peers: []*proto.PeerState{
-			{
-				IP:                     "192.168.178.101",
-				PubKey:                 "Pubkey1",
-				Fqdn:                   "peer-1.awesome-domain.com",
-				ConnStatus:             "Connected",
-				ConnStatusUpdate:       timestamppb.New(time.Date(2001, time.Month(1), 1, 1, 1, 1, 0, time.UTC)),
-				Relayed:                false,
-				Direct:                 true,
-				LocalIceCandidateType:  "",
-				RemoteIceCandidateType: "",
-			},
-			{
-				IP:                     "192.168.178.102",
-				PubKey:                 "Pubkey2",
-				Fqdn:                   "peer-2.awesome-domain.com",
-				ConnStatus:             "Connected",
-				ConnStatusUpdate:       timestamppb.New(time.Date(2002, time.Month(2), 2, 2, 2, 2, 0, time.UTC)),
-				Relayed:                true,
-				Direct:                 false,
-				LocalIceCandidateType:  "relay",
-				RemoteIceCandidateType: "prflx",
-			},
-		},
-		ManagementState: &proto.ManagementState{
-			URL:       "my-awesome-management.com:443",
-			Connected: true,
-		},
-		SignalState: &proto.SignalState{
-			URL:       "my-awesome-signal.com:443",
-			Connected: true,
-		},
-		LocalPeerState: &proto.LocalPeerState{
-			IP:              "192.168.178.100/16",
-			PubKey:          "Some-Pub-Key",
-			KernelInterface: true,
-			Fqdn:            "some-localhost.awesome-domain.com",
-		},
-	},
-	DaemonVersion: "0.14.1",
-}
-
-var overview = statusOutputOverview{
-	Peers: peersStateOutput{
-		Total:     2,
-		Connected: 2,
-		Details: []peerStateDetailOutput{
-			{
-				IP:               "192.168.178.101",
-				PubKey:           "Pubkey1",
-				FQDN:             "peer-1.awesome-domain.com",
-				Status:           "Connected",
-				LastStatusUpdate: time.Date(2001, 1, 1, 1, 1, 1, 0, time.UTC),
-				ConnType:         "P2P",
-				Direct:           true,
-				IceCandidateType: iceCandidateType{
-					Local:  "",
-					Remote: "",
-				},
-			},
-			{
-				IP:               "192.168.178.102",
-				PubKey:           "Pubkey2",
-				FQDN:             "peer-2.awesome-domain.com",
-				Status:           "Connected",
-				LastStatusUpdate: time.Date(2002, 2, 2, 2, 2, 2, 0, time.UTC),
-				ConnType:         "Relayed",
-				Direct:           false,
-				IceCandidateType: iceCandidateType{
-					Local:  "relay",
-					Remote: "prflx",
-				},
-			},
-		},
-	},
-	CliVersion:    version.NetbirdVersion(),
-	DaemonVersion: "0.14.1",
-	ManagementState: managementStateOutput{
-		URL:       "my-awesome-management.com:443",
-		Connected: true,
-	},
-	SignalState: signalStateOutput{
-		URL:       "my-awesome-signal.com:443",
-		Connected: true,
-	},
-	IP:              "192.168.178.100/16",
-	PubKey:          "Some-Pub-Key",
-	KernelInterface: true,
-	FQDN:            "some-localhost.awesome-domain.com",
-}
-
-func TestConversionFromFullStatusToOutputOverview(t *testing.T) {
-	convertedResult := convertToStatusOutputOverview(resp)
-
-	assert.Equal(t, overview, convertedResult)
-}
-
-func TestSortingOfPeers(t *testing.T) {
-	peers := []peerStateDetailOutput{
-		{
-			IP: "192.168.178.104",
-		},
-		{
-			IP: "192.168.178.102",
-		},
-		{
-			IP: "192.168.178.101",
-		},
-		{
-			IP: "192.168.178.105",
-		},
-		{
-			IP: "192.168.178.103",
-		},
-	}
-
-	sortPeersByIP(peers)
-
-	assert.Equal(t, peers[3].IP, "192.168.178.104")
-}
-
-func TestParsingToJSON(t *testing.T) {
-	json, _ := parseToJSON(overview)
-
-	//@formatter:off
-	expectedJSON := "{\"" +
-		"peers\":" +
-		"{" +
-		"\"total\":2," +
-		"\"connected\":2," +
-		"\"details\":" +
-		"[" +
-		"{" +
-		"\"fqdn\":\"peer-1.awesome-domain.com\"," +
-		"\"netbirdIp\":\"192.168.178.101\"," +
-		"\"publicKey\":\"Pubkey1\"," +
-		"\"status\":\"Connected\"," +
-		"\"lastStatusUpdate\":\"2001-01-01T01:01:01Z\"," +
-		"\"connectionType\":\"P2P\"," +
-		"\"direct\":true," +
-		"\"iceCandidateType\":" +
-		"{" +
-		"\"local\":\"\"," +
-		"\"remote\":\"\"" +
-		"}" +
-		"}," +
-		"{" +
-		"\"fqdn\":\"peer-2.awesome-domain.com\"," +
-		"\"netbirdIp\":\"192.168.178.102\"," +
-		"\"publicKey\":\"Pubkey2\"," +
-		"\"status\":\"Connected\"," +
-		"\"lastStatusUpdate\":\"2002-02-02T02:02:02Z\"," +
-		"\"connectionType\":\"Relayed\"," +
-		"\"direct\":false," +
-		"\"iceCandidateType\":" +
-		"{" +
-		"\"local\":\"relay\"," +
-		"\"remote\":\"prflx\"" +
-		"}" +
-		"}" +
-		"]" +
-		"}," +
-		"\"cliVersion\":\"development\"," +
-		"\"daemonVersion\":\"0.14.1\"," +
-		"\"management\":" +
-		"{" +
-		"\"url\":\"my-awesome-management.com:443\"," +
-		"\"connected\":true" +
-		"}," +
-		"\"signal\":" +
-		"{\"" +
-		"url\":\"my-awesome-signal.com:443\"," +
-		"\"connected\":true" +
-		"}," +
-		"\"netbirdIp\":\"192.168.178.100/16\"," +
-		"\"publicKey\":\"Some-Pub-Key\"," +
-		"\"usesKernelInterface\":true," +
-		"\"fqdn\":\"some-localhost.awesome-domain.com\"" +
-		"}"
-	// @formatter:on
-
-	assert.Equal(t, expectedJSON, json)
-}
-
-func TestParsingToYAML(t *testing.T) {
-	yaml, _ := parseToYAML(overview)
-
-	expectedYAML := "peers:\n" +
-		"    total: 2\n" +
-		"    connected: 2\n" +
-		"    details:\n" +
-		"        - fqdn: peer-1.awesome-domain.com\n" +
-		"          netbirdIp: 192.168.178.101\n" +
-		"          publicKey: Pubkey1\n" +
-		"          status: Connected\n" +
-		"          lastStatusUpdate: 2001-01-01T01:01:01Z\n" +
-		"          connectionType: P2P\n" +
-		"          direct: true\n" +
-		"          iceCandidateType:\n" +
-		"            local: \"\"\n" +
-		"            remote: \"\"\n" +
-		"        - fqdn: peer-2.awesome-domain.com\n" +
-		"          netbirdIp: 192.168.178.102\n" +
-		"          publicKey: Pubkey2\n" +
-		"          status: Connected\n" +
-		"          lastStatusUpdate: 2002-02-02T02:02:02Z\n" +
-		"          connectionType: Relayed\n" +
-		"          direct: false\n" +
-		"          iceCandidateType:\n" +
-		"            local: relay\n" +
-		"            remote: prflx\n" +
-		"cliVersion: development\n" +
-		"daemonVersion: 0.14.1\n" +
-		"management:\n" +
-		"    url: my-awesome-management.com:443\n" +
-		"    connected: true\n" +
-		"signal:\n" +
-		"    url: my-awesome-signal.com:443\n" +
-		"    connected: true\n" +
-		"netbirdIp: 192.168.178.100/16\n" +
-		"publicKey: Some-Pub-Key\n" +
-		"usesKernelInterface: true\n" +
-		"fqdn: some-localhost.awesome-domain.com\n"
-
-	assert.Equal(t, expectedYAML, yaml)
-}
-
-func TestParsingToDetail(t *testing.T) {
-	detail := parseToFullDetailSummary(overview)
-
-	expectedDetail := "Peers detail:\n" +
-		" peer-1.awesome-domain.com:\n" +
-		"  NetBird IP: 192.168.178.101\n" +
-		"  Public key: Pubkey1\n" +
-		"  Status: Connected\n" +
-		"  -- detail --\n" +
-		"  Connection type: P2P\n" +
-		"  Direct: true\n" +
-		"  ICE candidate (Local/Remote): -/-\n" +
-		"  Last connection update: 2001-01-01 01:01:01\n" +
-		"\n" +
-		" peer-2.awesome-domain.com:\n" +
-		"  NetBird IP: 192.168.178.102\n" +
-		"  Public key: Pubkey2\n" +
-		"  Status: Connected\n" +
-		"  -- detail --\n" +
-		"  Connection type: Relayed\n" +
-		"  Direct: false\n" +
-		"  ICE candidate (Local/Remote): relay/prflx\n" +
-		"  Last connection update: 2002-02-02 02:02:02\n" +
-		"\n" +
-		"Daemon version: 0.14.1\n" +
-		"CLI version: development\n" +
-		"Management: Connected to my-awesome-management.com:443\n" +
-		"Signal: Connected to my-awesome-signal.com:443\n" +
-		"FQDN: some-localhost.awesome-domain.com\n" +
-		"NetBird IP: 192.168.178.100/16\n" +
-		"Interface type: Kernel\n" +
-		"Peers count: 2/2 Connected\n"
-
-	assert.Equal(t, expectedDetail, detail)
-}
-
-func TestParsingToShortVersion(t *testing.T) {
-	shortVersion := parseGeneralSummary(overview, false)
-
-	expectedString := "Daemon version: 0.14.1\n" +
-		"CLI version: development\n" +
-		"Management: Connected\n" +
-		"Signal: Connected\n" +
-		"FQDN: some-localhost.awesome-domain.com\n" +
-		"NetBird IP: 192.168.178.100/16\n" +
-		"Interface type: Kernel\n" +
-		"Peers count: 2/2 Connected\n"
-
-	assert.Equal(t, expectedString, shortVersion)
-}
-
-func TestParsingOfIP(t *testing.T) {
-	InterfaceIP := "192.168.178.123/16"
-
-	parsedIP := parseInterfaceIP(InterfaceIP)
-
-	assert.Equal(t, "192.168.178.123\n", parsedIP)
-}
--- a/client/cmd/testutil.go
+++ b/client/cmd/testutil.go
@@ -7,18 +7,15 @@ import (
 	"testing"
 	"time"

-	"github.com/netbirdio/netbird/management/server/activity"
-
 	"github.com/netbirdio/netbird/util"

-	"google.golang.org/grpc"
-
 	clientProto "github.com/netbirdio/netbird/client/proto"
 	client "github.com/netbirdio/netbird/client/server"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	mgmt "github.com/netbirdio/netbird/management/server"
 	sigProto "github.com/netbirdio/netbird/signal/proto"
 	sig "github.com/netbirdio/netbird/signal/server"
+	"google.golang.org/grpc"
 )

 func startTestingServices(t *testing.T) string {
@@ -65,23 +62,18 @@ func startManagement(t *testing.T, config *mgmt.Config) (*grpc.Server, net.Liste
 		t.Fatal(err)
 	}
 	s := grpc.NewServer()
-	store, err := mgmt.NewFileStore(config.Datadir, nil)
+	store, err := mgmt.NewStore(config.Datadir)
 	if err != nil {
 		t.Fatal(err)
 	}

 	peersUpdateManager := mgmt.NewPeersUpdateManager()
-	eventStore := &activity.InMemoryEventStore{}
-	if err != nil {
-		return nil, nil
-	}
-	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore)
+	accountManager, err := mgmt.BuildManager(store, peersUpdateManager, nil)
 	if err != nil {
 		t.Fatal(err)
 	}
 	turnManager := mgmt.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager, nil)
+	mgmtServer, err := mgmt.NewServer(config, accountManager, peersUpdateManager, turnManager)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -104,8 +96,7 @@ func startClientDaemon(
 	}
 	s := grpc.NewServer()

-	server := client.New(ctx,
-		configPath, "")
+	server := client.New(ctx, managementURL, adminURL, configPath, "")
 	if err := server.Start(); err != nil {
 		t.Fatal(err)
 	}
--- a/client/cmd/up.go
+++ b/client/cmd/up.go
@@ -3,276 +3,123 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-
+	"github.com/netbirdio/netbird/client/internal"
+	"github.com/netbirdio/netbird/client/proto"
+	"github.com/netbirdio/netbird/util"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/codes"
 	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/proto"
-	"github.com/netbirdio/netbird/client/system"
-	"github.com/netbirdio/netbird/util"
 )

-const (
-	invalidInputType int = iota
-	ipInputType
-	interfaceInputType
-)
+var upCmd = &cobra.Command{
+	Use:   "up",
+	Short: "install, login and start Netbird client",
+	RunE: func(cmd *cobra.Command, args []string) error {
+		SetFlagsFromEnvVars()

-var (
-	foregroundMode bool
-	upCmd          = &cobra.Command{
-		Use:   "up",
-		Short: "install, login and start Netbird client",
-		RunE:  upFunc,
-	}
-)
+		cmd.SetOut(cmd.OutOrStdout())

-func init() {
-	upCmd.PersistentFlags().BoolVarP(&foregroundMode, "foreground-mode", "F", false, "start service in foreground")
-}
-
-func upFunc(cmd *cobra.Command, args []string) error {
-	SetFlagsFromEnvVars(rootCmd)
-	SetFlagsFromEnvVars(cmd)
-
-	cmd.SetOut(cmd.OutOrStdout())
-
-	err := util.InitLog(logLevel, "console")
-	if err != nil {
-		return fmt.Errorf("failed initializing log %v", err)
-	}
-
-	err = validateNATExternalIPs(natExternalIPs)
-	if err != nil {
-		return err
-	}
-
-	ctx := internal.CtxInitState(cmd.Context())
-
-	if hostName != "" {
-		// nolint
-		ctx = context.WithValue(ctx, system.DeviceNameCtxKey, hostName)
-	}
-
-	if foregroundMode {
-		return runInForegroundMode(ctx, cmd)
-	}
-	return runInDaemonMode(ctx, cmd)
-}
-
-func runInForegroundMode(ctx context.Context, cmd *cobra.Command) error {
-	err := handleRebrand(cmd)
-	if err != nil {
-		return err
-	}
-
-	customDNSAddressConverted, err := parseCustomDNSAddress(cmd.Flag(dnsResolverAddress).Changed)
-	if err != nil {
-		return err
-	}
-
-	ic := internal.ConfigInput{
-		ManagementURL:    managementURL,
-		AdminURL:         adminURL,
-		ConfigPath:       configPath,
-		NATExternalIPs:   natExternalIPs,
-		CustomDNSAddress: customDNSAddressConverted,
-	}
-	if preSharedKey != "" {
-		ic.PreSharedKey = &preSharedKey
-	}
-
-	config, err := internal.UpdateOrCreateConfig(ic)
-	if err != nil {
-		return fmt.Errorf("get config file: %v", err)
-	}
-
-	config, _ = internal.UpdateOldManagementPort(ctx, config, configPath)
-
-	err = foregroundLogin(ctx, cmd, config, setupKey)
-	if err != nil {
-		return fmt.Errorf("foreground login failed: %v", err)
-	}
-
-	var cancel context.CancelFunc
-	ctx, cancel = context.WithCancel(ctx)
-	SetupCloseHandler(ctx, cancel)
-	return internal.RunClient(ctx, config, peer.NewRecorder(config.ManagementURL.String()), nil, nil, nil)
-}
-
-func runInDaemonMode(ctx context.Context, cmd *cobra.Command) error {
-
-	customDNSAddressConverted, err := parseCustomDNSAddress(cmd.Flag(dnsResolverAddress).Changed)
-	if err != nil {
-		return err
-	}
-
-	conn, err := DialClientGRPCServer(ctx, daemonAddr)
-	if err != nil {
-		return fmt.Errorf("failed to connect to daemon error: %v\n"+
-			"If the daemon is not running please run: "+
-			"\nnetbird service install \nnetbird service start\n", err)
-	}
-	defer func() {
-		err := conn.Close()
+		err := util.InitLog(logLevel, "console")
 		if err != nil {
-			log.Warnf("failed closing dameon gRPC client connection %v", err)
-			return
+			return fmt.Errorf("failed initializing log %v", err)
 		}
-	}()

-	client := proto.NewDaemonServiceClient(conn)
+		ctx := internal.CtxInitState(cmd.Context())

-	status, err := client.Status(ctx, &proto.StatusRequest{})
-	if err != nil {
-		return fmt.Errorf("unable to get daemon status: %v", err)
-	}
+		// workaround to run without service
+		if logFile == "console" {
+			err = handleRebrand(cmd)
+			if err != nil {
+				return err
+			}

-	if status.Status == string(internal.StatusConnected) {
-		cmd.Println("Already connected")
-		return nil
-	}
+			config, err := internal.GetConfig(managementURL, adminURL, configPath, preSharedKey)
+			if err != nil {
+				return fmt.Errorf("get config file: %v", err)
+			}

-	loginRequest := proto.LoginRequest{
-		SetupKey:            setupKey,
-		PreSharedKey:        preSharedKey,
-		ManagementUrl:       managementURL,
-		AdminURL:            adminURL,
-		NatExternalIPs:      natExternalIPs,
-		CleanNATExternalIPs: natExternalIPs != nil && len(natExternalIPs) == 0,
-		CustomDNSAddress:    customDNSAddressConverted,
-	}
+			err = foregroundLogin(ctx, cmd, config, setupKey)
+			if err != nil {
+				return fmt.Errorf("foreground login failed: %v", err)
+			}

-	var loginErr error
+			var cancel context.CancelFunc
+			ctx, cancel = context.WithCancel(ctx)
+			SetupCloseHandler(ctx, cancel)
+			return internal.RunClient(ctx, config)
+		}

-	var loginResp *proto.LoginResponse
+		conn, err := DialClientGRPCServer(ctx, daemonAddr)
+		if err != nil {
+			return fmt.Errorf("failed to connect to daemon error: %v\n"+
+				"If the daemon is not running please run: "+
+				"\nnetbird service install \nnetbird service start\n", err)
+		}
+		defer func() {
+			err := conn.Close()
+			if err != nil {
+				log.Warnf("failed closing dameon gRPC client connection %v", err)
+				return
+			}
+		}()

-	err = WithBackOff(func() error {
-		var backOffErr error
-		loginResp, backOffErr = client.Login(ctx, &loginRequest)
-		if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
-			s.Code() == codes.PermissionDenied ||
-			s.Code() == codes.NotFound ||
-			s.Code() == codes.Unimplemented) {
-			loginErr = backOffErr
+		client := proto.NewDaemonServiceClient(conn)
+
+		status, err := client.Status(ctx, &proto.StatusRequest{})
+		if err != nil {
+			return fmt.Errorf("unable to get daemon status: %v", err)
+		}
+
+		if status.Status == string(internal.StatusConnected) {
+			cmd.Println("Already connected")
 			return nil
 		}
-		return backOffErr
-	})
-	if err != nil {
-		return fmt.Errorf("login backoff cycle failed: %v", err)
-	}

-	if loginErr != nil {
-		return fmt.Errorf("login failed: %v", loginErr)
-	}
+		loginRequest := proto.LoginRequest{
+			SetupKey:      setupKey,
+			PreSharedKey:  preSharedKey,
+			ManagementUrl: managementURL,
+		}

-	if loginResp.NeedsSSOLogin {
+		var loginErr error

-		openURL(cmd, loginResp.VerificationURIComplete, loginResp.UserCode)
+		var loginResp *proto.LoginResponse

-		_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
+		err = WithBackOff(func() error {
+			var backOffErr error
+			loginResp, backOffErr = client.Login(ctx, &loginRequest)
+			if s, ok := gstatus.FromError(backOffErr); ok && (s.Code() == codes.InvalidArgument ||
+				s.Code() == codes.PermissionDenied ||
+				s.Code() == codes.NotFound ||
+				s.Code() == codes.Unimplemented) {
+				loginErr = backOffErr
+				return nil
+			}
+			return backOffErr
+		})
 		if err != nil {
-			return fmt.Errorf("waiting sso login failed with: %v", err)
-		}
-	}
-
-	if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
-		return fmt.Errorf("call service up method: %v", err)
-	}
-	cmd.Println("Connected")
-	return nil
-}
-
-func validateNATExternalIPs(list []string) error {
-	for _, element := range list {
-		if element == "" {
-			return fmt.Errorf("empty string is not a valid input for %s", externalIPMapFlag)
+			return fmt.Errorf("login backoff cycle failed: %v", err)
 		}

-		subElements := strings.Split(element, "/")
-		if len(subElements) > 2 {
-			return fmt.Errorf("%s is not a valid input for %s. it should be formated as \"String\" or \"String/String\"", element, externalIPMapFlag)
+		if loginErr != nil {
+			return fmt.Errorf("login failed: %v", loginErr)
 		}

-		if len(subElements) == 1 && !isValidIP(subElements[0]) {
-			return fmt.Errorf("%s is not a valid input for %s. it should be formated as \"IP\" or \"IP/IP\", or \"IP/Interface Name\"", element, externalIPMapFlag)
-		}
+		if loginResp.NeedsSSOLogin {

-		last := 0
-		for _, singleElement := range subElements {
-			inputType, err := validateElement(singleElement)
+			openURL(cmd, loginResp.VerificationURIComplete)
+
+			_, err = client.WaitSSOLogin(ctx, &proto.WaitSSOLoginRequest{UserCode: loginResp.UserCode})
 			if err != nil {
-				return fmt.Errorf("%s is not a valid input for %s. it should be an IP string or a network name", singleElement, externalIPMapFlag)
+				return fmt.Errorf("waiting sso login failed with: %v", err)
 			}
-			if last == interfaceInputType && inputType == interfaceInputType {
-				return fmt.Errorf("%s is not a valid input for %s. it should not contain two interface names", element, externalIPMapFlag)
-			}
-			last = inputType
 		}
-	}
-	return nil
-}

-func validateElement(element string) (int, error) {
-	if isValidIP(element) {
-		return ipInputType, nil
-	}
-	validIface, err := isValidInterface(element)
-	if err != nil {
-		return invalidInputType, fmt.Errorf("unable to validate the network interface name, error: %s", err)
-	}
-
-	if validIface {
-		return interfaceInputType, nil
-	}
-
-	return interfaceInputType, fmt.Errorf("invalid IP or network interface name not found")
-}
-
-func isValidIP(ip string) bool {
-	return net.ParseIP(ip) != nil
-}
-
-func isValidInterface(name string) (bool, error) {
-	netInterfaces, err := net.Interfaces()
-	if err != nil {
-		return false, err
-	}
-	for _, iface := range netInterfaces {
-		if iface.Name == name {
-			return true, nil
+		if _, err := client.Up(ctx, &proto.UpRequest{}); err != nil {
+			return fmt.Errorf("call service up method: %v", err)
 		}
-	}
-	return false, nil
-}
-
-func parseCustomDNSAddress(modified bool) ([]byte, error) {
-	var parsed []byte
-	if modified {
-		if !isValidAddrPort(customDNSAddress) {
-			return nil, fmt.Errorf("%s is invalid, it should be formated as IP:Port string or as an empty string like \"\"", customDNSAddress)
-		}
-		if customDNSAddress == "" && logFile != "console" {
-			parsed = []byte("empty")
-		} else {
-			parsed = []byte(customDNSAddress)
-		}
-	}
-	return parsed, nil
-}
-
-func isValidAddrPort(input string) bool {
-	if input == "" {
-		return true
-	}
-	_, err := netip.ParseAddrPort(input)
-	return err == nil
+		cmd.Println("Connected")
+		return nil
+	},
 }
--- a/client/cmd/version.go
+++ b/client/cmd/version.go
@@ -1,9 +1,8 @@
 package cmd

 import (
+	"github.com/netbirdio/netbird/client/system"
 	"github.com/spf13/cobra"
-
-	"github.com/netbirdio/netbird/version"
 )

 var (
@@ -12,7 +11,7 @@ var (
 		Short: "prints Netbird version",
 		Run: func(cmd *cobra.Command, args []string) {
 			cmd.SetOut(cmd.OutOrStdout())
-			cmd.Println(version.NetbirdVersion())
+			cmd.Println(system.NetbirdVersion())
 		},
 	}
 )
--- a/client/firewall/firewall.go
+++ b/client/firewall/firewall.go
@@ -1,64 +0,0 @@
-package firewall
-
-import (
-	"net"
-)
-
-// Rule abstraction should be implemented by each firewall manager
-//
-// Each firewall type for different OS can use different type
-// of the properties to hold data of the created rule
-type Rule interface {
-	// GetRuleID returns the rule id
-	GetRuleID() string
-}
-
-// RuleDirection is the traffic direction which a rule is applied
-type RuleDirection int
-
-const (
-	// RuleDirectionIN applies to filters that handlers incoming traffic
-	RuleDirectionIN RuleDirection = iota
-	// RuleDirectionOUT applies to filters that handlers outgoing traffic
-	RuleDirectionOUT
-)
-
-// Action is the action to be taken on a rule
-type Action int
-
-const (
-	// ActionUnknown is a unknown action
-	ActionUnknown Action = iota
-	// ActionAccept is the action to accept a packet
-	ActionAccept
-	// ActionDrop is the action to drop a packet
-	ActionDrop
-)
-
-// Manager is the high level abstraction of a firewall manager
-//
-// It declares methods which handle actions required by the
-// Netbird client for ACL and routing functionality
-type Manager interface {
-	// AddFiltering rule to the firewall
-	//
-	// If comment argument is empty firewall manager should set
-	// rule ID as comment for the rule
-	AddFiltering(
-		ip net.IP,
-		proto Protocol,
-		sPort *Port,
-		dPort *Port,
-		direction RuleDirection,
-		action Action,
-		comment string,
-	) (Rule, error)
-
-	// DeleteRule from the firewall by rule definition
-	DeleteRule(rule Rule) error
-
-	// Reset firewall to the default state
-	Reset() error
-
-	// TODO: migrate routemanager firewal actions to this interface
-}
--- a/client/firewall/iptables/manager_linux.go
+++ b/client/firewall/iptables/manager_linux.go
@@ -1,337 +0,0 @@
-package iptables
-
-import (
-	"fmt"
-	"net"
-	"strconv"
-	"sync"
-
-	"github.com/coreos/go-iptables/iptables"
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	// ChainInputFilterName is the name of the chain that is used for filtering incoming packets
-	ChainInputFilterName = "NETBIRD-ACL-INPUT"
-
-	// ChainOutputFilterName is the name of the chain that is used for filtering outgoing packets
-	ChainOutputFilterName = "NETBIRD-ACL-OUTPUT"
-)
-
-// dropAllDefaultRule in the Netbird chain
-var dropAllDefaultRule = []string{"-j", "DROP"}
-
-// Manager of iptables firewall
-type Manager struct {
-	mutex sync.Mutex
-
-	ipv4Client *iptables.IPTables
-	ipv6Client *iptables.IPTables
-
-	inputDefaultRuleSpecs  []string
-	outputDefaultRuleSpecs []string
-	wgIface                iFaceMapper
-}
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-}
-
-// Create iptables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
-	m := &Manager{
-		wgIface: wgIface,
-		inputDefaultRuleSpecs: []string{
-			"-i", wgIface.Name(), "-j", ChainInputFilterName, "-s", wgIface.Address().String()},
-		outputDefaultRuleSpecs: []string{
-			"-o", wgIface.Name(), "-j", ChainOutputFilterName, "-d", wgIface.Address().String()},
-	}
-
-	// init clients for booth ipv4 and ipv6
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	if err != nil {
-		return nil, fmt.Errorf("iptables is not installed in the system or not supported")
-	}
-	m.ipv4Client = ipv4Client
-
-	ipv6Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
-	if err != nil {
-		log.Errorf("ip6tables is not installed in the system or not supported: %v", err)
-	} else {
-		m.ipv6Client = ipv6Client
-	}
-
-	if err := m.Reset(); err != nil {
-		return nil, fmt.Errorf("failed to reset firewall: %v", err)
-	}
-	return m, nil
-}
-
-// AddFiltering rule to the firewall
-//
-// If comment is empty rule ID is used as comment
-func (m *Manager) AddFiltering(
-	ip net.IP,
-	protocol fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
-	action fw.Action,
-	comment string,
-) (fw.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	client, err := m.client(ip)
-	if err != nil {
-		return nil, err
-	}
-
-	var dPortVal, sPortVal string
-	if dPort != nil && dPort.Values != nil {
-		// TODO: we support only one port per rule in current implementation of ACLs
-		dPortVal = strconv.Itoa(dPort.Values[0])
-	}
-	if sPort != nil && sPort.Values != nil {
-		sPortVal = strconv.Itoa(sPort.Values[0])
-	}
-
-	ruleID := uuid.New().String()
-	if comment == "" {
-		comment = ruleID
-	}
-
-	specs := m.filterRuleSpecs(
-		"filter",
-		ip,
-		string(protocol),
-		sPortVal,
-		dPortVal,
-		direction,
-		action,
-		comment,
-	)
-
-	if direction == fw.RuleDirectionOUT {
-		ok, err := client.Exists("filter", ChainOutputFilterName, specs...)
-		if err != nil {
-			return nil, fmt.Errorf("check is output rule already exists: %w", err)
-		}
-		if ok {
-			return nil, fmt.Errorf("input rule already exists")
-		}
-
-		if err := client.Insert("filter", ChainOutputFilterName, 1, specs...); err != nil {
-			return nil, err
-		}
-	} else {
-		ok, err := client.Exists("filter", ChainInputFilterName, specs...)
-		if err != nil {
-			return nil, fmt.Errorf("check is input rule already exists: %w", err)
-		}
-		if ok {
-			return nil, fmt.Errorf("input rule already exists")
-		}
-
-		if err := client.Insert("filter", ChainInputFilterName, 1, specs...); err != nil {
-			return nil, err
-		}
-	}
-
-	return &Rule{
-		id:    ruleID,
-		specs: specs,
-		dst:   direction == fw.RuleDirectionOUT,
-		v6:    ip.To4() == nil,
-	}, nil
-}
-
-// DeleteRule from the firewall by rule definition
-func (m *Manager) DeleteRule(rule fw.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	r, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("invalid rule type")
-	}
-
-	client := m.ipv4Client
-	if r.v6 {
-		if m.ipv6Client == nil {
-			return fmt.Errorf("ipv6 is not supported")
-		}
-		client = m.ipv6Client
-	}
-
-	if r.dst {
-		return client.Delete("filter", ChainOutputFilterName, r.specs...)
-	}
-	return client.Delete("filter", ChainInputFilterName, r.specs...)
-}
-
-// Reset firewall to the default state
-func (m *Manager) Reset() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	if err := m.reset(m.ipv4Client, "filter"); err != nil {
-		return fmt.Errorf("clean ipv4 firewall ACL input chain: %w", err)
-	}
-	if m.ipv6Client != nil {
-		if err := m.reset(m.ipv6Client, "filter"); err != nil {
-			return fmt.Errorf("clean ipv6 firewall ACL input chain: %w", err)
-		}
-	}
-
-	return nil
-}
-
-// reset firewall chain, clear it and drop it
-func (m *Manager) reset(client *iptables.IPTables, table string) error {
-	ok, err := client.ChainExists(table, ChainInputFilterName)
-	if err != nil {
-		return fmt.Errorf("failed to check if input chain exists: %w", err)
-	}
-	if ok {
-		if ok, err := client.Exists("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
-			return err
-		} else if ok {
-			if err := client.Delete("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
-				log.WithError(err).Errorf("failed to delete default input rule: %v", err)
-			}
-		}
-	}
-
-	ok, err = client.ChainExists(table, ChainOutputFilterName)
-	if err != nil {
-		return fmt.Errorf("failed to check if output chain exists: %w", err)
-	}
-	if ok {
-		if ok, err := client.Exists("filter", "OUTPUT", m.outputDefaultRuleSpecs...); err != nil {
-			return err
-		} else if ok {
-			if err := client.Delete("filter", "OUTPUT", m.outputDefaultRuleSpecs...); err != nil {
-				log.WithError(err).Errorf("failed to delete default output rule: %v", err)
-			}
-		}
-	}
-
-	if err := client.ClearAndDeleteChain(table, ChainInputFilterName); err != nil {
-		log.Errorf("failed to clear and delete input chain: %v", err)
-		return nil
-	}
-
-	if err := client.ClearAndDeleteChain(table, ChainOutputFilterName); err != nil {
-		log.Errorf("failed to clear and delete input chain: %v", err)
-		return nil
-	}
-
-	return nil
-}
-
-// filterRuleSpecs returns the specs of a filtering rule
-func (m *Manager) filterRuleSpecs(
-	table string, ip net.IP, protocol string, sPort, dPort string,
-	direction fw.RuleDirection, action fw.Action, comment string,
-) (specs []string) {
-	matchByIP := true
-	// don't use IP matching if IP is ip 0.0.0.0
-	if s := ip.String(); s == "0.0.0.0" || s == "::" {
-		matchByIP = false
-	}
-	switch direction {
-	case fw.RuleDirectionIN:
-		if matchByIP {
-			specs = append(specs, "-s", ip.String())
-		}
-	case fw.RuleDirectionOUT:
-		if matchByIP {
-			specs = append(specs, "-d", ip.String())
-		}
-	}
-	if protocol != "all" {
-		specs = append(specs, "-p", protocol)
-	}
-	if sPort != "" {
-		specs = append(specs, "--sport", sPort)
-	}
-	if dPort != "" {
-		specs = append(specs, "--dport", dPort)
-	}
-	specs = append(specs, "-j", m.actionToStr(action))
-	return append(specs, "-m", "comment", "--comment", comment)
-}
-
-// rawClient returns corresponding iptables client for the given ip
-func (m *Manager) rawClient(ip net.IP) (*iptables.IPTables, error) {
-	if ip.To4() != nil {
-		return m.ipv4Client, nil
-	}
-	if m.ipv6Client == nil {
-		return nil, fmt.Errorf("ipv6 is not supported")
-	}
-	return m.ipv6Client, nil
-}
-
-// client returns client with initialized chain and default rules
-func (m *Manager) client(ip net.IP) (*iptables.IPTables, error) {
-	client, err := m.rawClient(ip)
-	if err != nil {
-		return nil, err
-	}
-
-	ok, err := client.ChainExists("filter", ChainInputFilterName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
-	}
-
-	if !ok {
-		if err := client.NewChain("filter", ChainInputFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create input chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", ChainInputFilterName, dropAllDefaultRule...); err != nil {
-			return nil, fmt.Errorf("failed to create default drop all in netbird input chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", "INPUT", m.inputDefaultRuleSpecs...); err != nil {
-			return nil, fmt.Errorf("failed to create input chain jump rule: %w", err)
-		}
-
-	}
-
-	ok, err = client.ChainExists("filter", ChainOutputFilterName)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check if chain exists: %w", err)
-	}
-
-	if !ok {
-		if err := client.NewChain("filter", ChainOutputFilterName); err != nil {
-			return nil, fmt.Errorf("failed to create output chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", ChainOutputFilterName, dropAllDefaultRule...); err != nil {
-			return nil, fmt.Errorf("failed to create default drop all in netbird output chain: %w", err)
-		}
-
-		if err := client.AppendUnique("filter", "OUTPUT", m.outputDefaultRuleSpecs...); err != nil {
-			return nil, fmt.Errorf("failed to create output chain jump rule: %w", err)
-		}
-	}
-
-	return client, nil
-}
-
-func (m *Manager) actionToStr(action fw.Action) string {
-	if action == fw.ActionAccept {
-		return "ACCEPT"
-	}
-	return "DROP"
-}
--- a/client/firewall/iptables/manager_linux_test.go
+++ b/client/firewall/iptables/manager_linux_test.go
@@ -1,180 +0,0 @@
-package iptables
-
-import (
-	"fmt"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/coreos/go-iptables/iptables"
-	"github.com/stretchr/testify/require"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMock struct {
-	NameFunc    func() string
-	AddressFunc func() iface.WGAddress
-}
-
-func (i *iFaceMock) Name() string {
-	if i.NameFunc != nil {
-		return i.NameFunc()
-	}
-	panic("NameFunc is not set")
-}
-
-func (i *iFaceMock) Address() iface.WGAddress {
-	if i.AddressFunc != nil {
-		return i.AddressFunc()
-	}
-	panic("AddressFunc is not set")
-}
-
-func TestIptablesManager(t *testing.T) {
-	ipv4Client, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
-	require.NoError(t, err)
-
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("10.20.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
-	}
-
-	// just check on the local interface
-	manager, err := Create(mock)
-	require.NoError(t, err)
-	time.Sleep(time.Second)
-
-	defer func() {
-		if err := manager.Reset(); err != nil {
-			t.Errorf("clear the manager state: %v", err)
-		}
-		time.Sleep(time.Second)
-	}()
-
-	var rule1 fw.Rule
-	t.Run("add first rule", func(t *testing.T) {
-		ip := net.ParseIP("10.20.0.2")
-		port := &fw.Port{Values: []int{8080}}
-		rule1, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
-		require.NoError(t, err, "failed to add rule")
-
-		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, true, rule1.(*Rule).specs...)
-	})
-
-	var rule2 fw.Rule
-	t.Run("add second rule", func(t *testing.T) {
-		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{
-			Values: []int{8043: 8046},
-		}
-		rule2, err = manager.AddFiltering(
-			ip, "tcp", port, nil, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTPS traffic from ports range")
-		require.NoError(t, err, "failed to add rule")
-
-		checkRuleSpecs(t, ipv4Client, ChainInputFilterName, true, rule2.(*Rule).specs...)
-	})
-
-	t.Run("delete first rule", func(t *testing.T) {
-		if err := manager.DeleteRule(rule1); err != nil {
-			require.NoError(t, err, "failed to delete rule")
-		}
-
-		checkRuleSpecs(t, ipv4Client, ChainOutputFilterName, false, rule1.(*Rule).specs...)
-	})
-
-	t.Run("delete second rule", func(t *testing.T) {
-		if err := manager.DeleteRule(rule2); err != nil {
-			require.NoError(t, err, "failed to delete rule")
-		}
-
-		checkRuleSpecs(t, ipv4Client, ChainInputFilterName, false, rule2.(*Rule).specs...)
-	})
-
-	t.Run("reset check", func(t *testing.T) {
-		// add second rule
-		ip := net.ParseIP("10.20.0.3")
-		port := &fw.Port{Values: []int{5353}}
-		_, err = manager.AddFiltering(ip, "udp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept Fake DNS traffic")
-		require.NoError(t, err, "failed to add rule")
-
-		err = manager.Reset()
-		require.NoError(t, err, "failed to reset")
-
-		ok, err := ipv4Client.ChainExists("filter", ChainInputFilterName)
-		require.NoError(t, err, "failed check chain exists")
-
-		if ok {
-			require.NoErrorf(t, err, "chain '%v' still exists after Reset", ChainInputFilterName)
-		}
-	})
-}
-
-func checkRuleSpecs(t *testing.T, ipv4Client *iptables.IPTables, chainName string, mustExists bool, rulespec ...string) {
-	exists, err := ipv4Client.Exists("filter", chainName, rulespec...)
-	require.NoError(t, err, "failed to check rule")
-	require.Falsef(t, !exists && mustExists, "rule '%v' does not exist", rulespec)
-	require.Falsef(t, exists && !mustExists, "rule '%v' exist", rulespec)
-}
-
-func TestIptablesCreatePerformance(t *testing.T) {
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("10.20.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("10.20.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
-	}
-
-	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
-		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
-			// just check on the local interface
-			manager, err := Create(mock)
-			require.NoError(t, err)
-			time.Sleep(time.Second)
-
-			defer func() {
-				if err := manager.Reset(); err != nil {
-					t.Errorf("clear the manager state: %v", err)
-				}
-				time.Sleep(time.Second)
-			}()
-
-			_, err = manager.client(net.ParseIP("10.20.0.100"))
-			require.NoError(t, err)
-
-			ip := net.ParseIP("10.20.0.100")
-			start := time.Now()
-			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				if i%2 == 0 {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
-				} else {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTP traffic")
-				}
-
-				require.NoError(t, err, "failed to add rule")
-			}
-			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
-		})
-	}
-}
--- a/client/firewall/iptables/rule.go
+++ b/client/firewall/iptables/rule.go
@@ -1,14 +0,0 @@
-package iptables
-
-// Rule to handle management of rules
-type Rule struct {
-	id    string
-	specs []string
-	dst   bool
-	v6    bool
-}
-
-// GetRuleID returns the rule id
-func (r *Rule) GetRuleID() string {
-	return r.id
-}
--- a/client/firewall/nftables/manager_linux.go
+++ b/client/firewall/nftables/manager_linux.go
@@ -1,511 +0,0 @@
-package nftables
-
-import (
-	"bytes"
-	"encoding/binary"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-	"sync"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-	"github.com/google/uuid"
-	"golang.org/x/sys/unix"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	// FilterTableName is the name of the table that is used for filtering by the Netbird client
-	FilterTableName = "netbird-acl"
-
-	// FilterInputChainName is the name of the chain that is used for filtering incoming packets
-	FilterInputChainName = "netbird-acl-input-filter"
-
-	// FilterOutputChainName is the name of the chain that is used for filtering outgoing packets
-	FilterOutputChainName = "netbird-acl-output-filter"
-)
-
-// Manager of iptables firewall
-type Manager struct {
-	mutex sync.Mutex
-
-	conn      *nftables.Conn
-	tableIPv4 *nftables.Table
-	tableIPv6 *nftables.Table
-
-	filterInputChainIPv4  *nftables.Chain
-	filterOutputChainIPv4 *nftables.Chain
-
-	filterInputChainIPv6  *nftables.Chain
-	filterOutputChainIPv6 *nftables.Chain
-
-	wgIface iFaceMapper
-}
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-}
-
-// Create nftables firewall manager
-func Create(wgIface iFaceMapper) (*Manager, error) {
-	m := &Manager{
-		conn:    &nftables.Conn{},
-		wgIface: wgIface,
-	}
-
-	if err := m.Reset(); err != nil {
-		return nil, err
-	}
-
-	return m, nil
-}
-
-// AddFiltering rule to the firewall
-//
-// If comment argument is empty firewall manager should set
-// rule ID as comment for the rule
-func (m *Manager) AddFiltering(
-	ip net.IP,
-	proto fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
-	action fw.Action,
-	comment string,
-) (fw.Rule, error) {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	var (
-		err   error
-		table *nftables.Table
-		chain *nftables.Chain
-	)
-
-	if direction == fw.RuleDirectionOUT {
-		table, chain, err = m.chain(
-			ip,
-			FilterOutputChainName,
-			nftables.ChainHookOutput,
-			nftables.ChainPriorityFilter,
-			nftables.ChainTypeFilter)
-	} else {
-		table, chain, err = m.chain(
-			ip,
-			FilterInputChainName,
-			nftables.ChainHookInput,
-			nftables.ChainPriorityFilter,
-			nftables.ChainTypeFilter)
-	}
-	if err != nil {
-		return nil, err
-	}
-
-	ifaceKey := expr.MetaKeyIIFNAME
-	if direction == fw.RuleDirectionOUT {
-		ifaceKey = expr.MetaKeyOIFNAME
-	}
-	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-	}
-
-	if proto != "all" {
-		expressions = append(expressions, &expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
-			Len:          uint32(1),
-		})
-
-		var protoData []byte
-		switch proto {
-		case fw.ProtocolTCP:
-			protoData = []byte{unix.IPPROTO_TCP}
-		case fw.ProtocolUDP:
-			protoData = []byte{unix.IPPROTO_UDP}
-		case fw.ProtocolICMP:
-			protoData = []byte{unix.IPPROTO_ICMP}
-		default:
-			return nil, fmt.Errorf("unsupported protocol: %s", proto)
-		}
-		expressions = append(expressions, &expr.Cmp{
-			Register: 1,
-			Op:       expr.CmpOpEq,
-			Data:     protoData,
-		})
-	}
-
-	// don't use IP matching if IP is ip 0.0.0.0
-	if s := ip.String(); s != "0.0.0.0" && s != "::" {
-		// source address position
-		var adrLen, adrOffset uint32
-		if ip.To4() == nil {
-			adrLen = 16
-			adrOffset = 8
-		} else {
-			adrLen = 4
-			adrOffset = 12
-		}
-
-		// change to destination address position if need
-		if direction == fw.RuleDirectionOUT {
-			adrOffset += adrLen
-		}
-
-		ipToAdd, _ := netip.AddrFromSlice(ip)
-		add := ipToAdd.Unmap()
-
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       adrOffset,
-				Len:          adrLen,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     add.AsSlice(),
-			},
-		)
-	}
-
-	if sPort != nil && len(sPort.Values) != 0 {
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       0,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     encodePort(*sPort),
-			},
-		)
-	}
-
-	if dPort != nil && len(dPort.Values) != 0 {
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 1,
-				Base:         expr.PayloadBaseTransportHeader,
-				Offset:       2,
-				Len:          2,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpEq,
-				Register: 1,
-				Data:     encodePort(*dPort),
-			},
-		)
-	}
-
-	if action == fw.ActionAccept {
-		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictAccept})
-	} else {
-		expressions = append(expressions, &expr.Verdict{Kind: expr.VerdictDrop})
-	}
-
-	id := uuid.New().String()
-	userData := []byte(strings.Join([]string{id, comment}, " "))
-
-	_ = m.conn.InsertRule(&nftables.Rule{
-		Table:    table,
-		Chain:    chain,
-		Position: 0,
-		Exprs:    expressions,
-		UserData: userData,
-	})
-
-	if err := m.conn.Flush(); err != nil {
-		return nil, err
-	}
-
-	list, err := m.conn.GetRules(table, chain)
-	if err != nil {
-		return nil, err
-	}
-
-	// Add the rule to the chain
-	rule := &Rule{id: id}
-	for _, r := range list {
-		if bytes.Equal(r.UserData, userData) {
-			rule.Rule = r
-			break
-		}
-	}
-	if rule.Rule == nil {
-		return nil, fmt.Errorf("rule not found")
-	}
-
-	return rule, nil
-}
-
-// chain returns the chain for the given IP address with specific settings
-func (m *Manager) chain(
-	ip net.IP,
-	name string,
-	hook nftables.ChainHook,
-	priority nftables.ChainPriority,
-	cType nftables.ChainType,
-) (*nftables.Table, *nftables.Chain, error) {
-	var err error
-
-	getChain := func(c *nftables.Chain, tf nftables.TableFamily) (*nftables.Chain, error) {
-		if c != nil {
-			return c, nil
-		}
-		return m.createChainIfNotExists(tf, name, hook, priority, cType)
-	}
-
-	if ip.To4() != nil {
-		if name == FilterInputChainName {
-			m.filterInputChainIPv4, err = getChain(m.filterInputChainIPv4, nftables.TableFamilyIPv4)
-			return m.tableIPv4, m.filterInputChainIPv4, err
-		}
-		m.filterOutputChainIPv4, err = getChain(m.filterOutputChainIPv4, nftables.TableFamilyIPv4)
-		return m.tableIPv4, m.filterOutputChainIPv4, err
-	}
-	if name == FilterInputChainName {
-		m.filterInputChainIPv6, err = getChain(m.filterInputChainIPv6, nftables.TableFamilyIPv6)
-		return m.tableIPv4, m.filterInputChainIPv6, err
-	}
-	m.filterOutputChainIPv6, err = getChain(m.filterOutputChainIPv6, nftables.TableFamilyIPv6)
-	return m.tableIPv4, m.filterOutputChainIPv6, err
-}
-
-// table returns the table for the given family of the IP address
-func (m *Manager) table(family nftables.TableFamily) (*nftables.Table, error) {
-	if family == nftables.TableFamilyIPv4 {
-		if m.tableIPv4 != nil {
-			return m.tableIPv4, nil
-		}
-
-		table, err := m.createTableIfNotExists(nftables.TableFamilyIPv4)
-		if err != nil {
-			return nil, err
-		}
-		m.tableIPv4 = table
-		return m.tableIPv4, nil
-	}
-
-	if m.tableIPv6 != nil {
-		return m.tableIPv6, nil
-	}
-
-	table, err := m.createTableIfNotExists(nftables.TableFamilyIPv6)
-	if err != nil {
-		return nil, err
-	}
-	m.tableIPv6 = table
-	return m.tableIPv6, nil
-}
-
-func (m *Manager) createTableIfNotExists(family nftables.TableFamily) (*nftables.Table, error) {
-	tables, err := m.conn.ListTablesOfFamily(family)
-	if err != nil {
-		return nil, fmt.Errorf("list of tables: %w", err)
-	}
-
-	for _, t := range tables {
-		if t.Name == FilterTableName {
-			return t, nil
-		}
-	}
-
-	return m.conn.AddTable(&nftables.Table{Name: FilterTableName, Family: nftables.TableFamilyIPv4}), nil
-}
-
-func (m *Manager) createChainIfNotExists(
-	family nftables.TableFamily,
-	name string,
-	hooknum nftables.ChainHook,
-	priority nftables.ChainPriority,
-	chainType nftables.ChainType,
-) (*nftables.Chain, error) {
-	table, err := m.table(family)
-	if err != nil {
-		return nil, err
-	}
-
-	chains, err := m.conn.ListChainsOfTableFamily(family)
-	if err != nil {
-		return nil, fmt.Errorf("list of chains: %w", err)
-	}
-
-	for _, c := range chains {
-		if c.Name == name && c.Table.Name == table.Name {
-			return c, nil
-		}
-	}
-
-	polAccept := nftables.ChainPolicyAccept
-	chain := &nftables.Chain{
-		Name:     name,
-		Table:    table,
-		Hooknum:  hooknum,
-		Priority: priority,
-		Type:     chainType,
-		Policy:   &polAccept,
-	}
-
-	chain = m.conn.AddChain(chain)
-
-	ifaceKey := expr.MetaKeyIIFNAME
-	shiftDSTAddr := 0
-	if name == FilterOutputChainName {
-		ifaceKey = expr.MetaKeyOIFNAME
-		shiftDSTAddr = 1
-	}
-
-	expressions := []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-	}
-
-	mask, _ := netip.AddrFromSlice(m.wgIface.Address().Network.Mask)
-	if m.wgIface.Address().IP.To4() == nil {
-		ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To16())
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 2,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       uint32(8 + (16 * shiftDSTAddr)),
-				Len:          16,
-			},
-			&expr.Bitwise{
-				SourceRegister: 2,
-				DestRegister:   2,
-				Len:            16,
-				Xor:            []byte{0x0, 0x0, 0x0, 0x0},
-				Mask:           mask.Unmap().AsSlice(),
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpNeq,
-				Register: 2,
-				Data:     ip.Unmap().AsSlice(),
-			},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		)
-	} else {
-		ip, _ := netip.AddrFromSlice(m.wgIface.Address().Network.IP.To4())
-		expressions = append(expressions,
-			&expr.Payload{
-				DestRegister: 2,
-				Base:         expr.PayloadBaseNetworkHeader,
-				Offset:       uint32(12 + (4 * shiftDSTAddr)),
-				Len:          4,
-			},
-			&expr.Bitwise{
-				SourceRegister: 2,
-				DestRegister:   2,
-				Len:            4,
-				Xor:            []byte{0x0, 0x0, 0x0, 0x0},
-				Mask:           m.wgIface.Address().Network.Mask,
-			},
-			&expr.Cmp{
-				Op:       expr.CmpOpNeq,
-				Register: 2,
-				Data:     ip.Unmap().AsSlice(),
-			},
-			&expr.Verdict{Kind: expr.VerdictAccept},
-		)
-	}
-
-	_ = m.conn.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: chain,
-		Exprs: expressions,
-	})
-
-	expressions = []expr.Any{
-		&expr.Meta{Key: ifaceKey, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname(m.wgIface.Name()),
-		},
-		&expr.Verdict{Kind: expr.VerdictDrop},
-	}
-	_ = m.conn.AddRule(&nftables.Rule{
-		Table: table,
-		Chain: chain,
-		Exprs: expressions,
-	})
-	if err := m.conn.Flush(); err != nil {
-		return nil, err
-	}
-
-	return chain, nil
-}
-
-// DeleteRule from the firewall by rule definition
-func (m *Manager) DeleteRule(rule fw.Rule) error {
-	nativeRule, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("invalid rule type")
-	}
-
-	if err := m.conn.DelRule(nativeRule.Rule); err != nil {
-		return err
-	}
-
-	return m.conn.Flush()
-}
-
-// Reset firewall to the default state
-func (m *Manager) Reset() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	chains, err := m.conn.ListChains()
-	if err != nil {
-		return fmt.Errorf("list of chains: %w", err)
-	}
-	for _, c := range chains {
-		if c.Name == FilterInputChainName || c.Name == FilterOutputChainName {
-			m.conn.DelChain(c)
-		}
-	}
-
-	tables, err := m.conn.ListTables()
-	if err != nil {
-		return fmt.Errorf("list of tables: %w", err)
-	}
-	for _, t := range tables {
-		if t.Name == FilterTableName {
-			m.conn.DelTable(t)
-		}
-	}
-
-	return m.conn.Flush()
-}
-
-func encodePort(port fw.Port) []byte {
-	bs := make([]byte, 2)
-	binary.BigEndian.PutUint16(bs, uint16(port.Values[0]))
-	return bs
-}
-
-func ifname(n string) []byte {
-	b := make([]byte, 16)
-	copy(b, []byte(n+"\x00"))
-	return b
-}
--- a/client/firewall/nftables/manager_linux_test.go
+++ b/client/firewall/nftables/manager_linux_test.go
@@ -1,194 +0,0 @@
-package nftables
-
-import (
-	"fmt"
-	"net"
-	"net/netip"
-	"testing"
-	"time"
-
-	"github.com/google/nftables"
-	"github.com/google/nftables/expr"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/unix"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-// iFaceMapper defines subset methods of interface required for manager
-type iFaceMock struct {
-	NameFunc    func() string
-	AddressFunc func() iface.WGAddress
-}
-
-func (i *iFaceMock) Name() string {
-	if i.NameFunc != nil {
-		return i.NameFunc()
-	}
-	panic("NameFunc is not set")
-}
-
-func (i *iFaceMock) Address() iface.WGAddress {
-	if i.AddressFunc != nil {
-		return i.AddressFunc()
-	}
-	panic("AddressFunc is not set")
-}
-
-func TestNftablesManager(t *testing.T) {
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("100.96.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("100.96.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
-	}
-
-	// just check on the local interface
-	manager, err := Create(mock)
-	require.NoError(t, err)
-	time.Sleep(time.Second)
-
-	defer func() {
-		err = manager.Reset()
-		require.NoError(t, err, "failed to reset")
-		time.Sleep(time.Second)
-	}()
-
-	ip := net.ParseIP("100.96.0.1")
-
-	testClient := &nftables.Conn{}
-
-	rule, err := manager.AddFiltering(
-		ip,
-		fw.ProtocolTCP,
-		nil,
-		&fw.Port{Values: []int{53}},
-		fw.RuleDirectionIN,
-		fw.ActionDrop,
-		"",
-	)
-	require.NoError(t, err, "failed to add rule")
-
-	rules, err := testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
-	require.NoError(t, err, "failed to get rules")
-	// test expectations:
-	// 1) regular rule
-	// 2) "accept extra routed traffic rule" for the interface
-	// 3) "drop all rule" for the interface
-	require.Len(t, rules, 3, "expected 3 rules")
-
-	ipToAdd, _ := netip.AddrFromSlice(ip)
-	add := ipToAdd.Unmap()
-	expectedExprs := []expr.Any{
-		&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     ifname("lo"),
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       uint32(9),
-			Len:          uint32(1),
-		},
-		&expr.Cmp{
-			Register: 1,
-			Op:       expr.CmpOpEq,
-			Data:     []byte{unix.IPPROTO_TCP},
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseNetworkHeader,
-			Offset:       12,
-			Len:          4,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     add.AsSlice(),
-		},
-		&expr.Payload{
-			DestRegister: 1,
-			Base:         expr.PayloadBaseTransportHeader,
-			Offset:       2,
-			Len:          2,
-		},
-		&expr.Cmp{
-			Op:       expr.CmpOpEq,
-			Register: 1,
-			Data:     []byte{0, 53},
-		},
-		&expr.Verdict{Kind: expr.VerdictDrop},
-	}
-	require.ElementsMatch(t, rules[0].Exprs, expectedExprs, "expected the same expressions")
-
-	err = manager.DeleteRule(rule)
-	require.NoError(t, err, "failed to delete rule")
-
-	rules, err = testClient.GetRules(manager.tableIPv4, manager.filterInputChainIPv4)
-	require.NoError(t, err, "failed to get rules")
-	// test expectations:
-	// 1) "accept extra routed traffic rule" for the interface
-	// 2) "drop all rule" for the interface
-	require.Len(t, rules, 2, "expected 2 rules after deleteion")
-
-	err = manager.Reset()
-	require.NoError(t, err, "failed to reset")
-}
-
-func TestNFtablesCreatePerformance(t *testing.T) {
-	mock := &iFaceMock{
-		NameFunc: func() string {
-			return "lo"
-		},
-		AddressFunc: func() iface.WGAddress {
-			return iface.WGAddress{
-				IP: net.ParseIP("100.96.0.1"),
-				Network: &net.IPNet{
-					IP:   net.ParseIP("100.96.0.0"),
-					Mask: net.IPv4Mask(255, 255, 255, 0),
-				},
-			}
-		},
-	}
-
-	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
-		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
-			// just check on the local interface
-			manager, err := Create(mock)
-			require.NoError(t, err)
-			time.Sleep(time.Second)
-
-			defer func() {
-				if err := manager.Reset(); err != nil {
-					t.Errorf("clear the manager state: %v", err)
-				}
-				time.Sleep(time.Second)
-			}()
-
-			ip := net.ParseIP("10.20.0.100")
-			start := time.Now()
-			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				if i%2 == 0 {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
-				} else {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTP traffic")
-				}
-
-				require.NoError(t, err, "failed to add rule")
-			}
-			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
-		})
-	}
-}
--- a/client/firewall/nftables/rule_linux.go
+++ b/client/firewall/nftables/rule_linux.go
@@ -1,16 +0,0 @@
-package nftables
-
-import (
-	"github.com/google/nftables"
-)
-
-// Rule to handle management of rules
-type Rule struct {
-	*nftables.Rule
-	id string
-}
-
-// GetRuleID returns the rule id
-func (r *Rule) GetRuleID() string {
-	return r.id
-}
--- a/client/firewall/port.go
+++ b/client/firewall/port.go
@@ -1,30 +0,0 @@
-package firewall
-
-// Protocol is the protocol of the port
-type Protocol string
-
-const (
-	// ProtocolTCP is the TCP protocol
-	ProtocolTCP Protocol = "tcp"
-
-	// ProtocolUDP is the UDP protocol
-	ProtocolUDP Protocol = "udp"
-
-	// ProtocolICMP is the ICMP protocol
-	ProtocolICMP Protocol = "icmp"
-
-	// ProtocolALL cover all supported protocols
-	ProtocolALL Protocol = "all"
-
-	// ProtocolUnknown unknown protocol
-	ProtocolUnknown Protocol = "unknown"
-)
-
-// Port of the address for firewall rule
-type Port struct {
-	// IsRange is true Values contains two values, the first is the start port, the second is the end port
-	IsRange bool
-
-	// Values contains one value for single port, multiple values for the list of ports, or two values for the range of ports
-	Values []int
-}
--- a/client/firewall/uspfilter/rule.go
+++ b/client/firewall/uspfilter/rule.go
@@ -1,30 +0,0 @@
-package uspfilter
-
-import (
-	"net"
-
-	"github.com/google/gopacket"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-)
-
-// Rule to handle management of rules
-type Rule struct {
-	id         string
-	ip         net.IP
-	ipLayer    gopacket.LayerType
-	matchByIP  bool
-	protoLayer gopacket.LayerType
-	direction  fw.RuleDirection
-	sPort      uint16
-	dPort      uint16
-	drop       bool
-	comment    string
-
-	udpHook func([]byte) bool
-}
-
-// GetRuleID returns the rule id
-func (r *Rule) GetRuleID() string {
-	return r.id
-}
--- a/client/firewall/uspfilter/uspfilter.go
+++ b/client/firewall/uspfilter/uspfilter.go
@@ -1,359 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"net"
-	"sync"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/google/uuid"
-	log "github.com/sirupsen/logrus"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const layerTypeAll = 0
-
-// IFaceMapper defines subset methods of interface required for manager
-type IFaceMapper interface {
-	SetFilter(iface.PacketFilter) error
-}
-
-// Manager userspace firewall manager
-type Manager struct {
-	outgoingRules []Rule
-	incomingRules []Rule
-	rulesIndex    map[string]int
-	wgNetwork     *net.IPNet
-	decoders      sync.Pool
-
-	mutex sync.RWMutex
-}
-
-// decoder for packages
-type decoder struct {
-	eth     layers.Ethernet
-	ip4     layers.IPv4
-	ip6     layers.IPv6
-	tcp     layers.TCP
-	udp     layers.UDP
-	icmp4   layers.ICMPv4
-	icmp6   layers.ICMPv6
-	decoded []gopacket.LayerType
-	parser  *gopacket.DecodingLayerParser
-}
-
-// Create userspace firewall manager constructor
-func Create(iface IFaceMapper) (*Manager, error) {
-	m := &Manager{
-		rulesIndex: make(map[string]int),
-		decoders: sync.Pool{
-			New: func() any {
-				d := &decoder{
-					decoded: []gopacket.LayerType{},
-				}
-				d.parser = gopacket.NewDecodingLayerParser(
-					layers.LayerTypeIPv4,
-					&d.eth, &d.ip4, &d.ip6, &d.icmp4, &d.icmp6, &d.tcp, &d.udp,
-				)
-				d.parser.IgnoreUnsupported = true
-				return d
-			},
-		},
-	}
-
-	if err := iface.SetFilter(m); err != nil {
-		return nil, err
-	}
-	return m, nil
-}
-
-// AddFiltering rule to the firewall
-//
-// If comment argument is empty firewall manager should set
-// rule ID as comment for the rule
-func (m *Manager) AddFiltering(
-	ip net.IP,
-	proto fw.Protocol,
-	sPort *fw.Port,
-	dPort *fw.Port,
-	direction fw.RuleDirection,
-	action fw.Action,
-	comment string,
-) (fw.Rule, error) {
-	r := Rule{
-		id:        uuid.New().String(),
-		ip:        ip,
-		ipLayer:   layers.LayerTypeIPv6,
-		matchByIP: true,
-		direction: direction,
-		drop:      action == fw.ActionDrop,
-		comment:   comment,
-	}
-	if ipNormalized := ip.To4(); ipNormalized != nil {
-		r.ipLayer = layers.LayerTypeIPv4
-		r.ip = ipNormalized
-	}
-
-	if s := r.ip.String(); s == "0.0.0.0" || s == "::" {
-		r.matchByIP = false
-	}
-
-	if sPort != nil && len(sPort.Values) == 1 {
-		r.sPort = uint16(sPort.Values[0])
-	}
-
-	if dPort != nil && len(dPort.Values) == 1 {
-		r.dPort = uint16(dPort.Values[0])
-	}
-
-	switch proto {
-	case fw.ProtocolTCP:
-		r.protoLayer = layers.LayerTypeTCP
-	case fw.ProtocolUDP:
-		r.protoLayer = layers.LayerTypeUDP
-	case fw.ProtocolICMP:
-		r.protoLayer = layers.LayerTypeICMPv4
-		if r.ipLayer == layers.LayerTypeIPv6 {
-			r.protoLayer = layers.LayerTypeICMPv6
-		}
-	case fw.ProtocolALL:
-		r.protoLayer = layerTypeAll
-	}
-
-	m.mutex.Lock()
-	var p int
-	if direction == fw.RuleDirectionIN {
-		m.incomingRules = append(m.incomingRules, r)
-		p = len(m.incomingRules) - 1
-	} else {
-		m.outgoingRules = append(m.outgoingRules, r)
-		p = len(m.outgoingRules) - 1
-	}
-	m.rulesIndex[r.id] = p
-	m.mutex.Unlock()
-
-	return &r, nil
-}
-
-// DeleteRule from the firewall by rule definition
-func (m *Manager) DeleteRule(rule fw.Rule) error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	r, ok := rule.(*Rule)
-	if !ok {
-		return fmt.Errorf("delete rule: invalid rule type: %T", rule)
-	}
-
-	p, ok := m.rulesIndex[r.id]
-	if !ok {
-		return fmt.Errorf("delete rule: no rule with such id: %v", r.id)
-	}
-	delete(m.rulesIndex, r.id)
-
-	var toUpdate []Rule
-	if r.direction == fw.RuleDirectionIN {
-		m.incomingRules = append(m.incomingRules[:p], m.incomingRules[p+1:]...)
-		toUpdate = m.incomingRules
-	} else {
-		m.outgoingRules = append(m.outgoingRules[:p], m.outgoingRules[p+1:]...)
-		toUpdate = m.outgoingRules
-	}
-
-	for i := 0; i < len(toUpdate); i++ {
-		m.rulesIndex[toUpdate[i].id] = i
-	}
-	return nil
-}
-
-// Reset firewall to the default state
-func (m *Manager) Reset() error {
-	m.mutex.Lock()
-	defer m.mutex.Unlock()
-
-	m.outgoingRules = m.outgoingRules[:0]
-	m.incomingRules = m.incomingRules[:0]
-	m.rulesIndex = make(map[string]int)
-
-	return nil
-}
-
-// DropOutgoing filter outgoing packets
-func (m *Manager) DropOutgoing(packetData []byte) bool {
-	return m.dropFilter(packetData, m.outgoingRules, false)
-}
-
-// DropIncoming filter incoming packets
-func (m *Manager) DropIncoming(packetData []byte) bool {
-	return m.dropFilter(packetData, m.incomingRules, true)
-}
-
-// dropFilter imlements same logic for booth direction of the traffic
-func (m *Manager) dropFilter(packetData []byte, rules []Rule, isIncomingPacket bool) bool {
-	m.mutex.RLock()
-	defer m.mutex.RUnlock()
-
-	d := m.decoders.Get().(*decoder)
-	defer m.decoders.Put(d)
-
-	if err := d.parser.DecodeLayers(packetData, &d.decoded); err != nil {
-		log.Tracef("couldn't decode layer, err: %s", err)
-		return true
-	}
-
-	if len(d.decoded) < 2 {
-		log.Tracef("not enough levels in network packet")
-		return true
-	}
-
-	ipLayer := d.decoded[0]
-
-	switch ipLayer {
-	case layers.LayerTypeIPv4:
-		if !m.wgNetwork.Contains(d.ip4.SrcIP) || !m.wgNetwork.Contains(d.ip4.DstIP) {
-			return false
-		}
-	case layers.LayerTypeIPv6:
-		if !m.wgNetwork.Contains(d.ip6.SrcIP) || !m.wgNetwork.Contains(d.ip6.DstIP) {
-			return false
-		}
-	default:
-		log.Errorf("unknown layer: %v", d.decoded[0])
-		return true
-	}
-	payloadLayer := d.decoded[1]
-
-	// check if IP address match by IP
-	for _, rule := range rules {
-		if rule.matchByIP {
-			switch ipLayer {
-			case layers.LayerTypeIPv4:
-				if isIncomingPacket {
-					if !d.ip4.SrcIP.Equal(rule.ip) {
-						continue
-					}
-				} else {
-					if !d.ip4.DstIP.Equal(rule.ip) {
-						continue
-					}
-				}
-			case layers.LayerTypeIPv6:
-				if isIncomingPacket {
-					if !d.ip6.SrcIP.Equal(rule.ip) {
-						continue
-					}
-				} else {
-					if !d.ip6.DstIP.Equal(rule.ip) {
-						continue
-					}
-				}
-			}
-		}
-
-		if rule.protoLayer == layerTypeAll {
-			return rule.drop
-		}
-
-		if payloadLayer != rule.protoLayer {
-			continue
-		}
-
-		switch payloadLayer {
-		case layers.LayerTypeTCP:
-			if rule.sPort == 0 && rule.dPort == 0 {
-				return rule.drop
-			}
-			if rule.sPort != 0 && rule.sPort == uint16(d.tcp.SrcPort) {
-				return rule.drop
-			}
-			if rule.dPort != 0 && rule.dPort == uint16(d.tcp.DstPort) {
-				return rule.drop
-			}
-		case layers.LayerTypeUDP:
-			// if rule has UDP hook (and if we are here we match this rule)
-			// we ignore rule.drop and call this hook
-			if rule.udpHook != nil {
-				return rule.udpHook(packetData)
-			}
-
-			if rule.sPort == 0 && rule.dPort == 0 {
-				return rule.drop
-			}
-			if rule.sPort != 0 && rule.sPort == uint16(d.udp.SrcPort) {
-				return rule.drop
-			}
-			if rule.dPort != 0 && rule.dPort == uint16(d.udp.DstPort) {
-				return rule.drop
-			}
-			return rule.drop
-		case layers.LayerTypeICMPv4, layers.LayerTypeICMPv6:
-			return rule.drop
-		}
-	}
-
-	// default policy is DROP ALL
-	return true
-}
-
-// SetNetwork of the wireguard interface to which filtering applied
-func (m *Manager) SetNetwork(network *net.IPNet) {
-	m.wgNetwork = network
-}
-
-// AddUDPPacketHook calls hook when UDP packet from given direction matched
-//
-// Hook function returns flag which indicates should be the matched package dropped or not
-func (m *Manager) AddUDPPacketHook(
-	in bool, ip net.IP, dPort uint16, hook func([]byte) bool,
-) string {
-	r := Rule{
-		id:         uuid.New().String(),
-		ip:         ip,
-		protoLayer: layers.LayerTypeUDP,
-		dPort:      dPort,
-		ipLayer:    layers.LayerTypeIPv6,
-		direction:  fw.RuleDirectionOUT,
-		comment:    fmt.Sprintf("UDP Hook direction: %v, ip:%v, dport:%d", in, ip, dPort),
-		udpHook:    hook,
-	}
-
-	if ip.To4() != nil {
-		r.ipLayer = layers.LayerTypeIPv4
-	}
-
-	m.mutex.Lock()
-	var toUpdate []Rule
-	if in {
-		r.direction = fw.RuleDirectionIN
-		m.incomingRules = append([]Rule{r}, m.incomingRules...)
-		toUpdate = m.incomingRules
-	} else {
-		m.outgoingRules = append([]Rule{r}, m.outgoingRules...)
-		toUpdate = m.outgoingRules
-	}
-
-	for i := range toUpdate {
-		m.rulesIndex[toUpdate[i].id] = i
-	}
-	m.mutex.Unlock()
-
-	return r.id
-}
-
-// RemovePacketHook removes packet hook by given ID
-func (m *Manager) RemovePacketHook(hookID string) error {
-	for _, r := range m.incomingRules {
-		if r.id == hookID {
-			return m.DeleteRule(&r)
-		}
-	}
-	for _, r := range m.outgoingRules {
-		if r.id == hookID {
-			return m.DeleteRule(&r)
-		}
-	}
-	return fmt.Errorf("hook with given id not found")
-}
--- a/client/firewall/uspfilter/uspfilter_test.go
+++ b/client/firewall/uspfilter/uspfilter_test.go
@@ -1,407 +0,0 @@
-package uspfilter
-
-import (
-	"fmt"
-	"net"
-	"testing"
-	"time"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/stretchr/testify/require"
-
-	fw "github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/iface"
-)
-
-type IFaceMock struct {
-	SetFilterFunc func(iface.PacketFilter) error
-}
-
-func (i *IFaceMock) SetFilter(iface iface.PacketFilter) error {
-	if i.SetFilterFunc == nil {
-		return fmt.Errorf("not implemented")
-	}
-	return i.SetFilterFunc(iface)
-}
-
-func TestManagerCreate(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	if m == nil {
-		t.Error("Manager is nil")
-	}
-}
-
-func TestManagerAddFiltering(t *testing.T) {
-	isSetFilterCalled := false
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error {
-			isSetFilterCalled = true
-			return nil
-		},
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionDrop
-	comment := "Test rule"
-
-	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	if rule == nil {
-		t.Error("Rule is nil")
-		return
-	}
-
-	if !isSetFilterCalled {
-		t.Error("SetFilter was not called")
-		return
-	}
-}
-
-func TestManagerDeleteRule(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionDrop
-	comment := "Test rule"
-
-	rule, err := m.AddFiltering(ip, proto, nil, port, direction, action, comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	ip = net.ParseIP("192.168.1.1")
-	proto = fw.ProtocolTCP
-	port = &fw.Port{Values: []int{80}}
-	direction = fw.RuleDirectionIN
-	action = fw.ActionDrop
-	comment = "Test rule 2"
-
-	rule2, err := m.AddFiltering(ip, proto, nil, port, direction, action, comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	err = m.DeleteRule(rule)
-	if err != nil {
-		t.Errorf("failed to delete rule: %v", err)
-		return
-	}
-
-	if idx, ok := m.rulesIndex[rule2.GetRuleID()]; !ok || len(m.incomingRules) != 1 || idx != 0 {
-		t.Errorf("rule2 is not in the rulesIndex")
-	}
-
-	err = m.DeleteRule(rule2)
-	if err != nil {
-		t.Errorf("failed to delete rule: %v", err)
-		return
-	}
-
-	if len(m.rulesIndex) != 0 || len(m.incomingRules) != 0 {
-		t.Errorf("rule1 still in the rulesIndex")
-	}
-}
-
-func TestAddUDPPacketHook(t *testing.T) {
-	tests := []struct {
-		name       string
-		in         bool
-		expDir     fw.RuleDirection
-		ip         net.IP
-		dPort      uint16
-		hook       func([]byte) bool
-		expectedID string
-	}{
-		{
-			name:   "Test Outgoing UDP Packet Hook",
-			in:     false,
-			expDir: fw.RuleDirectionOUT,
-			ip:     net.IPv4(10, 168, 0, 1),
-			dPort:  8000,
-			hook:   func([]byte) bool { return true },
-		},
-		{
-			name:   "Test Incoming UDP Packet Hook",
-			in:     true,
-			expDir: fw.RuleDirectionIN,
-			ip:     net.IPv6loopback,
-			dPort:  9000,
-			hook:   func([]byte) bool { return false },
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			manager := &Manager{
-				incomingRules: []Rule{},
-				outgoingRules: []Rule{},
-				rulesIndex:    make(map[string]int),
-			}
-
-			manager.AddUDPPacketHook(tt.in, tt.ip, tt.dPort, tt.hook)
-
-			var addedRule Rule
-			if tt.in {
-				if len(manager.incomingRules) != 1 {
-					t.Errorf("expected 1 incoming rule, got %d", len(manager.incomingRules))
-					return
-				}
-				addedRule = manager.incomingRules[0]
-			} else {
-				if len(manager.outgoingRules) != 1 {
-					t.Errorf("expected 1 outgoing rule, got %d", len(manager.outgoingRules))
-					return
-				}
-				addedRule = manager.outgoingRules[0]
-			}
-
-			if !tt.ip.Equal(addedRule.ip) {
-				t.Errorf("expected ip %s, got %s", tt.ip, addedRule.ip)
-				return
-			}
-			if tt.dPort != addedRule.dPort {
-				t.Errorf("expected dPort %d, got %d", tt.dPort, addedRule.dPort)
-				return
-			}
-			if layers.LayerTypeUDP != addedRule.protoLayer {
-				t.Errorf("expected protoLayer %s, got %s", layers.LayerTypeUDP, addedRule.protoLayer)
-				return
-			}
-			if tt.expDir != addedRule.direction {
-				t.Errorf("expected direction %d, got %d", tt.expDir, addedRule.direction)
-				return
-			}
-			if addedRule.udpHook == nil {
-				t.Errorf("expected udpHook to be set")
-				return
-			}
-
-			// Ensure rulesIndex is correctly updated
-			index, ok := manager.rulesIndex[addedRule.id]
-			if !ok {
-				t.Errorf("expected rule to be in rulesIndex")
-				return
-			}
-			if index != 0 {
-				t.Errorf("expected rule index to be 0, got %d", index)
-				return
-			}
-		})
-	}
-}
-
-func TestManagerReset(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-
-	ip := net.ParseIP("192.168.1.1")
-	proto := fw.ProtocolTCP
-	port := &fw.Port{Values: []int{80}}
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionDrop
-	comment := "Test rule"
-
-	_, err = m.AddFiltering(ip, proto, nil, port, direction, action, comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	err = m.Reset()
-	if err != nil {
-		t.Errorf("failed to reset Manager: %v", err)
-		return
-	}
-
-	if len(m.rulesIndex) != 0 || len(m.outgoingRules) != 0 || len(m.incomingRules) != 0 {
-		t.Errorf("rules is not empty")
-	}
-}
-
-func TestNotMatchByIP(t *testing.T) {
-	ifaceMock := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	m, err := Create(ifaceMock)
-	if err != nil {
-		t.Errorf("failed to create Manager: %v", err)
-		return
-	}
-	m.wgNetwork = &net.IPNet{
-		IP:   net.ParseIP("100.10.0.0"),
-		Mask: net.CIDRMask(16, 32),
-	}
-
-	ip := net.ParseIP("0.0.0.0")
-	proto := fw.ProtocolUDP
-	direction := fw.RuleDirectionOUT
-	action := fw.ActionAccept
-	comment := "Test rule"
-
-	_, err = m.AddFiltering(ip, proto, nil, nil, direction, action, comment)
-	if err != nil {
-		t.Errorf("failed to add filtering: %v", err)
-		return
-	}
-
-	ipv4 := &layers.IPv4{
-		TTL:      64,
-		Version:  4,
-		SrcIP:    net.ParseIP("100.10.0.1"),
-		DstIP:    net.ParseIP("100.10.0.100"),
-		Protocol: layers.IPProtocolUDP,
-	}
-	udp := &layers.UDP{
-		SrcPort: 51334,
-		DstPort: 53,
-	}
-
-	if err := udp.SetNetworkLayerForChecksum(ipv4); err != nil {
-		t.Errorf("failed to set network layer for checksum: %v", err)
-		return
-	}
-	payload := gopacket.Payload([]byte("test"))
-
-	buf := gopacket.NewSerializeBuffer()
-	opts := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-	if err = gopacket.SerializeLayers(buf, opts, ipv4, udp, payload); err != nil {
-		t.Errorf("failed to serialize packet: %v", err)
-		return
-	}
-
-	if m.dropFilter(buf.Bytes(), m.outgoingRules, false) {
-		t.Errorf("expected packet to be accepted")
-		return
-	}
-
-	if err = m.Reset(); err != nil {
-		t.Errorf("failed to reset Manager: %v", err)
-		return
-	}
-}
-
-// TestRemovePacketHook tests the functionality of the RemovePacketHook method
-func TestRemovePacketHook(t *testing.T) {
-	// creating mock iface
-	iface := &IFaceMock{
-		SetFilterFunc: func(iface.PacketFilter) error { return nil },
-	}
-
-	// creating manager instance
-	manager, err := Create(iface)
-	if err != nil {
-		t.Fatalf("Failed to create Manager: %s", err)
-	}
-
-	// Add a UDP packet hook
-	hookFunc := func(data []byte) bool { return true }
-	hookID := manager.AddUDPPacketHook(false, net.IPv4(192, 168, 0, 1), 8080, hookFunc)
-
-	// Assert the hook is added by finding it in the manager's outgoing rules
-	found := false
-	for _, rule := range manager.outgoingRules {
-		if rule.id == hookID {
-			found = true
-			break
-		}
-	}
-
-	if !found {
-		t.Fatalf("The hook was not added properly.")
-	}
-
-	// Now remove the packet hook
-	err = manager.RemovePacketHook(hookID)
-	if err != nil {
-		t.Fatalf("Failed to remove hook: %s", err)
-	}
-
-	// Assert the hook is removed by checking it in the manager's outgoing rules
-	for _, rule := range manager.outgoingRules {
-		if rule.id == hookID {
-			t.Fatalf("The hook was not removed properly.")
-		}
-	}
-}
-
-func TestUSPFilterCreatePerformance(t *testing.T) {
-	for _, testMax := range []int{10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000} {
-		t.Run(fmt.Sprintf("Testing %d rules", testMax), func(t *testing.T) {
-			// just check on the local interface
-			ifaceMock := &IFaceMock{
-				SetFilterFunc: func(iface.PacketFilter) error { return nil },
-			}
-			manager, err := Create(ifaceMock)
-			require.NoError(t, err)
-			time.Sleep(time.Second)
-
-			defer func() {
-				if err := manager.Reset(); err != nil {
-					t.Errorf("clear the manager state: %v", err)
-				}
-				time.Sleep(time.Second)
-			}()
-
-			ip := net.ParseIP("10.20.0.100")
-			start := time.Now()
-			for i := 0; i < testMax; i++ {
-				port := &fw.Port{Values: []int{1000 + i}}
-				if i%2 == 0 {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionOUT, fw.ActionAccept, "accept HTTP traffic")
-				} else {
-					_, err = manager.AddFiltering(ip, "tcp", nil, port, fw.RuleDirectionIN, fw.ActionAccept, "accept HTTP traffic")
-				}
-
-				require.NoError(t, err, "failed to add rule")
-			}
-			t.Logf("execution avg per rule: %s", time.Since(start)/time.Duration(testMax))
-		})
-	}
-}
--- a/client/installer.nsis
+++ b/client/installer.nsis
@@ -101,7 +101,6 @@ done:
 Pop $2
 Exch $1
 FunctionEnd
-
 !macro GetAppFromCommand in out
 Push "${in}"
 Call GetAppFromCommand
@@ -118,7 +117,7 @@ Call GetAppFromCommand ; Remove quotes and parameters from UninstCommand
 Pop $0
 Pop $1
 GetFullPathName $2 "$0\.."
-ExecWait '"$0" /S $1 _?=$2'
+ExecWait '"$0" $1 _?=$2'
 Delete "$0" ; Extra cleanup because we used _?=
 RMDir "$2"
 Pop $2
@@ -127,27 +126,30 @@ Pop $0
 !macroend

 Function .onInit
-StrCpy $INSTDIR "${INSTALL_DIR}"
+
+ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wiretrustee" "UninstallString"
+${If} $R0 != ""
+    MessageBox MB_YESNO|MB_ICONQUESTION "Wiretrustee is installed. We must remove it before installing Netbird. Procced?" IDNO noWTUninstOld
+    !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
+    noWTUninstOld:
+${EndIf}
+
 ReadRegStr $R0 HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\$(^NAME)" "UninstallString"
 ${If} $R0 != ""
-    # if silent install jump to uninstall step
-    IfSilent uninstall
-
-    MessageBox MB_YESNO|MB_ICONQUESTION "NetBird is already installed. We must remove it before installing upgrading NetBird. Proceed?" IDNO done IDYES uninstall
-
-    uninstall:
-      !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
-    done:
-
+    MessageBox MB_YESNO|MB_ICONQUESTION "$(^NAME) is already installed. Do you want to remove the previous version?" IDNO noUninstOld
+    !insertmacro UninstallPreviousNSIS $R0 "/NoMsgBox"
+    noUninstOld:
 ${EndIf}
 FunctionEnd
 ######################################################################
 Section -MainProgram
 	${INSTALL_TYPE}
-	# SetOverwrite ifnewer
+	SetOverwrite ifnewer
 	SetOutPath "$INSTDIR"
 	File /r "..\\dist\\netbird_windows_amd64\\"
+
 SectionEnd
+
 ######################################################################

 Section -Icons_Reg
@@ -170,30 +172,24 @@ SetShellVarContext current
 CreateShortCut "$SMPROGRAMS\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 CreateShortCut "$DESKTOP\${APP_NAME}.lnk" "$INSTDIR\${UI_APP_EXE}"
 SetShellVarContext all
-SectionEnd

-Section -Post
 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service install'
-ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service start'
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service start'
 # sleep a bit for visibility
 Sleep 1000
 SectionEnd
+
 ######################################################################

 Section Uninstall
 ${INSTALL_TYPE}

 ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service stop'
-ExecWait '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
-
+Exec '"$INSTDIR\${MAIN_APP_EXE}" service uninstall'
 # kill ui client
 ExecWait `taskkill /im ${UI_APP_EXE}.exe`
-
 # wait the service uninstall take unblock the executable
 Sleep 3000
-Delete "$INSTDIR\${UI_APP_EXE}"
-Delete "$INSTDIR\${MAIN_APP_EXE}"
-Delete "$INSTDIR\wintun.dll"
 RmDir /r "$INSTDIR"

 SetShellVarContext current
@@ -213,4 +209,4 @@ SetShellVarContext current
   SetOutPath $INSTDIR
   ShellExecAsUser::ShellExecAsUser "" "$DESKTOP\${APP_NAME}.lnk"
 SetShellVarContext all
-FunctionEnd
+FunctionEnd
--- a/client/internal/acl/manager.go
+++ b/client/internal/acl/manager.go
@@ -1,377 +0,0 @@
-package acl
-
-import (
-	"fmt"
-	"net"
-	"strconv"
-	"sync"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/iface"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-)
-
-// IFaceMapper defines subset methods of interface required for manager
-type IFaceMapper interface {
-	Name() string
-	Address() iface.WGAddress
-	IsUserspaceBind() bool
-	SetFilter(iface.PacketFilter) error
-}
-
-// Manager is a ACL rules manager
-type Manager interface {
-	ApplyFiltering(networkMap *mgmProto.NetworkMap)
-	Stop()
-}
-
-// DefaultManager uses firewall manager to handle
-type DefaultManager struct {
-	manager    firewall.Manager
-	rulesPairs map[string][]firewall.Rule
-	mutex      sync.Mutex
-}
-
-// ApplyFiltering firewall rules to the local firewall manager processed by ACL policy.
-//
-// If allowByDefault is ture it appends allow ALL traffic rules to input and output chains.
-func (d *DefaultManager) ApplyFiltering(networkMap *mgmProto.NetworkMap) {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	if d.manager == nil {
-		log.Debug("firewall manager is not supported, skipping firewall rules")
-		return
-	}
-
-	rules, squashedProtocols := d.squashAcceptRules(networkMap)
-
-	enableSSH := (networkMap.PeerConfig != nil &&
-		networkMap.PeerConfig.SshConfig != nil &&
-		networkMap.PeerConfig.SshConfig.SshEnabled)
-	if _, ok := squashedProtocols[mgmProto.FirewallRule_ALL]; ok {
-		enableSSH = enableSSH && !ok
-	}
-	if _, ok := squashedProtocols[mgmProto.FirewallRule_TCP]; ok {
-		enableSSH = enableSSH && !ok
-	}
-
-	// if TCP protocol rules not squashed and SSH enabled
-	// we add default firewall rule which accepts connection to any peer
-	// in the network by SSH (TCP 22 port).
-	if enableSSH {
-		rules = append(rules, &mgmProto.FirewallRule{
-			PeerIP:    "0.0.0.0",
-			Direction: mgmProto.FirewallRule_IN,
-			Action:    mgmProto.FirewallRule_ACCEPT,
-			Protocol:  mgmProto.FirewallRule_TCP,
-			Port:      strconv.Itoa(ssh.DefaultSSHPort),
-		})
-	}
-
-	// if we got empty rules list but management not set networkMap.FirewallRulesIsEmpty flag
-	// we have old version of management without rules handling, we should allow all traffic
-	if len(networkMap.FirewallRules) == 0 && !networkMap.FirewallRulesIsEmpty {
-		log.Warn("this peer is connected to a NetBird Management service with an older version. Allowing all traffic from connected peers")
-		rules = append(rules,
-			&mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			&mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-		)
-	}
-
-	applyFailed := false
-	newRulePairs := make(map[string][]firewall.Rule)
-	for _, r := range rules {
-		rulePair, err := d.protoRuleToFirewallRule(r)
-		if err != nil {
-			log.Errorf("failed to apply firewall rule: %+v, %v", r, err)
-			applyFailed = true
-			break
-		}
-		newRulePairs[rulePair[0].GetRuleID()] = rulePair
-	}
-	if applyFailed {
-		log.Error("failed to apply firewall rules, rollback ACL to previous state")
-		for _, rules := range newRulePairs {
-			for _, rule := range rules {
-				if err := d.manager.DeleteRule(rule); err != nil {
-					log.Errorf("failed to delete new firewall rule (id: %v) during rollback: %v", rule.GetRuleID(), err)
-					continue
-				}
-			}
-		}
-		return
-	}
-
-	for pairID, rules := range d.rulesPairs {
-		if _, ok := newRulePairs[pairID]; !ok {
-			for _, rule := range rules {
-				if err := d.manager.DeleteRule(rule); err != nil {
-					log.Errorf("failed to delete firewall rule: %v", err)
-					continue
-				}
-			}
-			delete(d.rulesPairs, pairID)
-		}
-	}
-	d.rulesPairs = newRulePairs
-}
-
-// Stop ACL controller and clear firewall state
-func (d *DefaultManager) Stop() {
-	d.mutex.Lock()
-	defer d.mutex.Unlock()
-
-	if err := d.manager.Reset(); err != nil {
-		log.WithError(err).Error("reset firewall state")
-	}
-}
-
-func (d *DefaultManager) protoRuleToFirewallRule(r *mgmProto.FirewallRule) ([]firewall.Rule, error) {
-	ip := net.ParseIP(r.PeerIP)
-	if ip == nil {
-		return nil, fmt.Errorf("invalid IP address, skipping firewall rule")
-	}
-
-	protocol := convertToFirewallProtocol(r.Protocol)
-	if protocol == firewall.ProtocolUnknown {
-		return nil, fmt.Errorf("invalid protocol type: %d, skipping firewall rule", r.Protocol)
-	}
-
-	action := convertFirewallAction(r.Action)
-	if action == firewall.ActionUnknown {
-		return nil, fmt.Errorf("invalid action type: %d, skipping firewall rule", r.Action)
-	}
-
-	var port *firewall.Port
-	if r.Port != "" {
-		value, err := strconv.Atoi(r.Port)
-		if err != nil {
-			return nil, fmt.Errorf("invalid port, skipping firewall rule")
-		}
-		port = &firewall.Port{
-			Values: []int{value},
-		}
-	}
-
-	var rules []firewall.Rule
-	var err error
-	switch r.Direction {
-	case mgmProto.FirewallRule_IN:
-		rules, err = d.addInRules(ip, protocol, port, action, "")
-	case mgmProto.FirewallRule_OUT:
-		rules, err = d.addOutRules(ip, protocol, port, action, "")
-	default:
-		return nil, fmt.Errorf("invalid direction, skipping firewall rule")
-	}
-
-	if err != nil {
-		return nil, err
-	}
-
-	d.rulesPairs[rules[0].GetRuleID()] = rules
-	return rules, nil
-}
-
-func (d *DefaultManager) addInRules(ip net.IP, protocol firewall.Protocol, port *firewall.Port, action firewall.Action, comment string) ([]firewall.Rule, error) {
-	var rules []firewall.Rule
-	rule, err := d.manager.AddFiltering(ip, protocol, nil, port, firewall.RuleDirectionIN, action, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-	rules = append(rules, rule)
-
-	if shouldSkipInvertedRule(protocol, port) {
-		return rules, nil
-	}
-
-	rule, err = d.manager.AddFiltering(ip, protocol, port, nil, firewall.RuleDirectionOUT, action, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-
-	return append(rules, rule), nil
-}
-
-func (d *DefaultManager) addOutRules(ip net.IP, protocol firewall.Protocol, port *firewall.Port, action firewall.Action, comment string) ([]firewall.Rule, error) {
-	var rules []firewall.Rule
-	rule, err := d.manager.AddFiltering(ip, protocol, nil, port, firewall.RuleDirectionOUT, action, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-	rules = append(rules, rule)
-
-	if shouldSkipInvertedRule(protocol, port) {
-		return rules, nil
-	}
-
-	rule, err = d.manager.AddFiltering(ip, protocol, port, nil, firewall.RuleDirectionIN, action, comment)
-	if err != nil {
-		return nil, fmt.Errorf("failed to add firewall rule: %v", err)
-	}
-
-	return append(rules, rule), nil
-}
-
-// squashAcceptRules does complex logic to convert many rules which allows connection by traffic type
-// to all peers in the network map to one rule which just accepts that type of the traffic.
-//
-// NOTE: It will not squash two rules for same protocol if one covers all peers in the network,
-// but other has port definitions or has drop policy.
-func (d *DefaultManager) squashAcceptRules(
-	networkMap *mgmProto.NetworkMap,
-) ([]*mgmProto.FirewallRule, map[mgmProto.FirewallRuleProtocol]struct{}) {
-	totalIPs := 0
-	for _, p := range networkMap.RemotePeers {
-		for range p.AllowedIps {
-			totalIPs++
-		}
-	}
-
-	type protoMatch map[mgmProto.FirewallRuleProtocol]map[string]int
-
-	in := protoMatch{}
-	out := protoMatch{}
-
-	// this function we use to do calculation, can we squash the rules by protocol or not.
-	// We summ amount of Peers IP for given protocol we found in original rules list.
-	// But we zeroed the IP's for protocol if:
-	// 1. Any of the rule has DROP action type.
-	// 2. Any of rule contains Port.
-	//
-	// We zeroed this to notify squash function that this protocol can't be squashed.
-	addRuleToCalculationMap := func(i int, r *mgmProto.FirewallRule, protocols protoMatch) {
-		drop := r.Action == mgmProto.FirewallRule_DROP || r.Port != ""
-		if drop {
-			protocols[r.Protocol] = map[string]int{}
-			return
-		}
-		if _, ok := protocols[r.Protocol]; !ok {
-			protocols[r.Protocol] = map[string]int{}
-		}
-		match := protocols[r.Protocol]
-
-		if _, ok := match[r.PeerIP]; ok {
-			return
-		}
-		match[r.PeerIP] = i
-	}
-
-	for i, r := range networkMap.FirewallRules {
-		// calculate squash for different directions
-		if r.Direction == mgmProto.FirewallRule_IN {
-			addRuleToCalculationMap(i, r, in)
-		} else {
-			addRuleToCalculationMap(i, r, out)
-		}
-	}
-
-	// order of squashing by protocol is important
-	// only for ther first element ALL, it must be done first
-	protocolOrders := []mgmProto.FirewallRuleProtocol{
-		mgmProto.FirewallRule_ALL,
-		mgmProto.FirewallRule_ICMP,
-		mgmProto.FirewallRule_TCP,
-		mgmProto.FirewallRule_UDP,
-	}
-
-	// trace which type of protocols was squashed
-	squashedRules := []*mgmProto.FirewallRule{}
-	squashedProtocols := map[mgmProto.FirewallRuleProtocol]struct{}{}
-	squash := func(matches protoMatch, direction mgmProto.FirewallRuleDirection) {
-		for _, protocol := range protocolOrders {
-			if ipset, ok := matches[protocol]; !ok || len(ipset) != totalIPs || len(ipset) < 2 {
-				// don't squash if :
-				// 1. Rules not cover all peers in the network
-				// 2. Rules cover only one peer in the network.
-				continue
-			}
-
-			// add special rule 0.0.0.0 which allows all IP's in our firewall implementations
-			squashedRules = append(squashedRules, &mgmProto.FirewallRule{
-				PeerIP:    "0.0.0.0",
-				Direction: direction,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  protocol,
-			})
-			squashedProtocols[protocol] = struct{}{}
-
-			if protocol == mgmProto.FirewallRule_ALL {
-				// if we have ALL traffic type squashed rule
-				// it allows all other type of traffic, so we can stop processing
-				break
-			}
-		}
-	}
-
-	squash(in, mgmProto.FirewallRule_IN)
-	squash(out, mgmProto.FirewallRule_OUT)
-
-	// if all protocol was squashed everything is allow and we can ignore all other rules
-	if _, ok := squashedProtocols[mgmProto.FirewallRule_ALL]; ok {
-		return squashedRules, squashedProtocols
-	}
-
-	if len(squashedRules) == 0 {
-		return networkMap.FirewallRules, squashedProtocols
-	}
-
-	var rules []*mgmProto.FirewallRule
-	// filter out rules which was squashed from final list
-	// if we also have other not squashed rules.
-	for i, r := range networkMap.FirewallRules {
-		if _, ok := squashedProtocols[r.Protocol]; ok {
-			if m, ok := in[r.Protocol]; ok && m[r.PeerIP] == i {
-				continue
-			} else if m, ok := out[r.Protocol]; ok && m[r.PeerIP] == i {
-				continue
-			}
-		}
-		rules = append(rules, r)
-	}
-
-	return append(rules, squashedRules...), squashedProtocols
-}
-
-func convertToFirewallProtocol(protocol mgmProto.FirewallRuleProtocol) firewall.Protocol {
-	switch protocol {
-	case mgmProto.FirewallRule_TCP:
-		return firewall.ProtocolTCP
-	case mgmProto.FirewallRule_UDP:
-		return firewall.ProtocolUDP
-	case mgmProto.FirewallRule_ICMP:
-		return firewall.ProtocolICMP
-	case mgmProto.FirewallRule_ALL:
-		return firewall.ProtocolALL
-	default:
-		return firewall.ProtocolUnknown
-	}
-}
-
-func shouldSkipInvertedRule(protocol firewall.Protocol, port *firewall.Port) bool {
-	return protocol == firewall.ProtocolALL || protocol == firewall.ProtocolICMP || port == nil
-}
-
-func convertFirewallAction(action mgmProto.FirewallRuleAction) firewall.Action {
-	switch action {
-	case mgmProto.FirewallRule_ACCEPT:
-		return firewall.ActionAccept
-	case mgmProto.FirewallRule_DROP:
-		return firewall.ActionDrop
-	default:
-		return firewall.ActionUnknown
-	}
-}
--- a/client/internal/acl/manager_create.go
+++ b/client/internal/acl/manager_create.go
@@ -1,27 +0,0 @@
-//go:build !linux
-
-package acl
-
-import (
-	"fmt"
-	"runtime"
-
-	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-)
-
-// Create creates a firewall manager instance
-func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
-	if iface.IsUserspaceBind() {
-		// use userspace packet filtering firewall
-		fm, err := uspfilter.Create(iface)
-		if err != nil {
-			return nil, err
-		}
-		return &DefaultManager{
-			manager:    fm,
-			rulesPairs: make(map[string][]firewall.Rule),
-		}, nil
-	}
-	return nil, fmt.Errorf("not implemented for this OS: %s", runtime.GOOS)
-}
--- a/client/internal/acl/manager_create_linux.go
+++ b/client/internal/acl/manager_create_linux.go
@@ -1,36 +0,0 @@
-package acl
-
-import (
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/firewall"
-	"github.com/netbirdio/netbird/client/firewall/iptables"
-	"github.com/netbirdio/netbird/client/firewall/nftables"
-	"github.com/netbirdio/netbird/client/firewall/uspfilter"
-)
-
-// Create creates a firewall manager instance for the Linux
-func Create(iface IFaceMapper) (manager *DefaultManager, err error) {
-	var fm firewall.Manager
-	if iface.IsUserspaceBind() {
-		// use userspace packet filtering firewall
-		if fm, err = uspfilter.Create(iface); err != nil {
-			log.Debugf("failed to create userspace filtering firewall: %s", err)
-			return nil, err
-		}
-	} else {
-		if fm, err = nftables.Create(iface); err != nil {
-			log.Debugf("failed to create nftables manager: %s", err)
-			// fallback to iptables
-			if fm, err = iptables.Create(iface); err != nil {
-				log.Errorf("failed to create iptables manager: %s", err)
-				return nil, err
-			}
-		}
-	}
-
-	return &DefaultManager{
-		manager:    fm,
-		rulesPairs: make(map[string][]firewall.Rule),
-	}, nil
-}
--- a/client/internal/acl/manager_test.go
+++ b/client/internal/acl/manager_test.go
@@ -1,330 +0,0 @@
-package acl
-
-import (
-	"testing"
-
-	"github.com/golang/mock/gomock"
-
-	"github.com/netbirdio/netbird/client/internal/acl/mocks"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
-)
-
-func TestDefaultManager(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-				Port:      "80",
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_DROP,
-				Protocol:  mgmProto.FirewallRule_UDP,
-				Port:      "53",
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	iface := mocks.NewMockIFaceMapper(ctrl)
-	iface.EXPECT().IsUserspaceBind().Return(true)
-	// iface.EXPECT().Name().Return("lo")
-	iface.EXPECT().SetFilter(gomock.Any())
-
-	// we receive one rule from the management so for testing purposes ignore it
-	acl, err := Create(iface)
-	if err != nil {
-		t.Errorf("create ACL manager: %v", err)
-		return
-	}
-	defer acl.Stop()
-
-	t.Run("apply firewall rules", func(t *testing.T) {
-		acl.ApplyFiltering(networkMap)
-
-		if len(acl.rulesPairs) != 2 {
-			t.Errorf("firewall rules not applied: %v", acl.rulesPairs)
-			return
-		}
-	})
-
-	t.Run("add extra rules", func(t *testing.T) {
-		// remove first rule
-		networkMap.FirewallRules = networkMap.FirewallRules[1:]
-		networkMap.FirewallRules = append(
-			networkMap.FirewallRules,
-			&mgmProto.FirewallRule{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_DROP,
-				Protocol:  mgmProto.FirewallRule_ICMP,
-			},
-		)
-
-		existedRulesID := map[string]struct{}{}
-		for id := range acl.rulesPairs {
-			existedRulesID[id] = struct{}{}
-		}
-
-		acl.ApplyFiltering(networkMap)
-
-		// we should have one old and one new rule in the existed rules
-		if len(acl.rulesPairs) != 2 {
-			t.Errorf("firewall rules not applied")
-			return
-		}
-
-		// check that old rules was removed
-		for id := range existedRulesID {
-			if _, ok := acl.rulesPairs[id]; ok {
-				t.Errorf("old rule was not removed")
-				return
-			}
-		}
-	})
-
-	t.Run("handle default rules", func(t *testing.T) {
-		networkMap.FirewallRules = networkMap.FirewallRules[:0]
-
-		networkMap.FirewallRulesIsEmpty = true
-		if acl.ApplyFiltering(networkMap); len(acl.rulesPairs) != 0 {
-			t.Errorf("rules should be empty if FirewallRulesIsEmpty is set, got: %v", len(acl.rulesPairs))
-			return
-		}
-
-		networkMap.FirewallRulesIsEmpty = false
-		acl.ApplyFiltering(networkMap)
-		if len(acl.rulesPairs) != 2 {
-			t.Errorf("rules should contain 2 rules if FirewallRulesIsEmpty is not set, got: %v", len(acl.rulesPairs))
-			return
-		}
-	})
-}
-
-func TestDefaultManagerSquashRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-			{AllowedIps: []string{"10.93.0.4"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-		},
-	}
-
-	manager := &DefaultManager{}
-	rules, _ := manager.squashAcceptRules(networkMap)
-	if len(rules) != 2 {
-		t.Errorf("rules should contain 2, got: %v", rules)
-		return
-	}
-
-	r := rules[0]
-	if r.PeerIP != "0.0.0.0" {
-		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
-		return
-	} else if r.Direction != mgmProto.FirewallRule_IN {
-		t.Errorf("direction should be IN, got: %v", r.Direction)
-		return
-	} else if r.Protocol != mgmProto.FirewallRule_ALL {
-		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
-		return
-	} else if r.Action != mgmProto.FirewallRule_ACCEPT {
-		t.Errorf("action should be ACCEPT, got: %v", r.Action)
-		return
-	}
-
-	r = rules[1]
-	if r.PeerIP != "0.0.0.0" {
-		t.Errorf("IP should be 0.0.0.0, got: %v", r.PeerIP)
-		return
-	} else if r.Direction != mgmProto.FirewallRule_OUT {
-		t.Errorf("direction should be OUT, got: %v", r.Direction)
-		return
-	} else if r.Protocol != mgmProto.FirewallRule_ALL {
-		t.Errorf("protocol should be ALL, got: %v", r.Protocol)
-		return
-	} else if r.Action != mgmProto.FirewallRule_ACCEPT {
-		t.Errorf("action should be ACCEPT, got: %v", r.Action)
-		return
-	}
-}
-
-func TestDefaultManagerSquashRulesNoAffect(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-			{AllowedIps: []string{"10.93.0.4"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_ALL,
-			},
-			{
-				PeerIP:    "10.93.0.4",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_UDP,
-			},
-		},
-	}
-
-	manager := &DefaultManager{}
-	if rules, _ := manager.squashAcceptRules(networkMap); len(rules) != len(networkMap.FirewallRules) {
-		t.Errorf("we should got same amount of rules as intput, got %v", len(rules))
-	}
-}
-
-func TestDefaultManagerEnableSSHRules(t *testing.T) {
-	networkMap := &mgmProto.NetworkMap{
-		PeerConfig: &mgmProto.PeerConfig{
-			SshConfig: &mgmProto.SSHConfig{
-				SshEnabled: true,
-			},
-		},
-		RemotePeers: []*mgmProto.RemotePeerConfig{
-			{AllowedIps: []string{"10.93.0.1"}},
-			{AllowedIps: []string{"10.93.0.2"}},
-			{AllowedIps: []string{"10.93.0.3"}},
-		},
-		FirewallRules: []*mgmProto.FirewallRule{
-			{
-				PeerIP:    "10.93.0.1",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.2",
-				Direction: mgmProto.FirewallRule_IN,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_TCP,
-			},
-			{
-				PeerIP:    "10.93.0.3",
-				Direction: mgmProto.FirewallRule_OUT,
-				Action:    mgmProto.FirewallRule_ACCEPT,
-				Protocol:  mgmProto.FirewallRule_UDP,
-			},
-		},
-	}
-
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	iface := mocks.NewMockIFaceMapper(ctrl)
-	iface.EXPECT().IsUserspaceBind().Return(true)
-	// iface.EXPECT().Name().Return("lo")
-	iface.EXPECT().SetFilter(gomock.Any())
-
-	// we receive one rule from the management so for testing purposes ignore it
-	acl, err := Create(iface)
-	if err != nil {
-		t.Errorf("create ACL manager: %v", err)
-		return
-	}
-	defer acl.Stop()
-
-	acl.ApplyFiltering(networkMap)
-
-	if len(acl.rulesPairs) != 4 {
-		t.Errorf("expect 4 rules (last must be SSH), got: %d", len(acl.rulesPairs))
-		return
-	}
-}
--- a/client/internal/acl/mocks/README.md
+++ b/client/internal/acl/mocks/README.md
@@ -1,7 +0,0 @@
-## Mocks
-
-To generate (or refresh) mocks from acl package please install [mockgen](https://github.com/golang/mock).
-Run this command from the `./client/internal/acl` folder to update iface mapper interface mock:
-```bash
-mockgen -destination mocks/iface_mapper.go -package mocks . IFaceMapper
-```
--- a/client/internal/acl/mocks/iface_mapper.go
+++ b/client/internal/acl/mocks/iface_mapper.go
@@ -1,91 +0,0 @@
-// Code generated by MockGen. DO NOT EDIT.
-// Source: github.com/netbirdio/netbird/client/internal/acl (interfaces: IFaceMapper)
-
-// Package mocks is a generated GoMock package.
-package mocks
-
-import (
-	reflect "reflect"
-
-	gomock "github.com/golang/mock/gomock"
-	iface "github.com/netbirdio/netbird/iface"
-)
-
-// MockIFaceMapper is a mock of IFaceMapper interface.
-type MockIFaceMapper struct {
-	ctrl     *gomock.Controller
-	recorder *MockIFaceMapperMockRecorder
-}
-
-// MockIFaceMapperMockRecorder is the mock recorder for MockIFaceMapper.
-type MockIFaceMapperMockRecorder struct {
-	mock *MockIFaceMapper
-}
-
-// NewMockIFaceMapper creates a new mock instance.
-func NewMockIFaceMapper(ctrl *gomock.Controller) *MockIFaceMapper {
-	mock := &MockIFaceMapper{ctrl: ctrl}
-	mock.recorder = &MockIFaceMapperMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockIFaceMapper) EXPECT() *MockIFaceMapperMockRecorder {
-	return m.recorder
-}
-
-// Address mocks base method.
-func (m *MockIFaceMapper) Address() iface.WGAddress {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Address")
-	ret0, _ := ret[0].(iface.WGAddress)
-	return ret0
-}
-
-// Address indicates an expected call of Address.
-func (mr *MockIFaceMapperMockRecorder) Address() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Address", reflect.TypeOf((*MockIFaceMapper)(nil).Address))
-}
-
-// IsUserspaceBind mocks base method.
-func (m *MockIFaceMapper) IsUserspaceBind() bool {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "IsUserspaceBind")
-	ret0, _ := ret[0].(bool)
-	return ret0
-}
-
-// IsUserspaceBind indicates an expected call of IsUserspaceBind.
-func (mr *MockIFaceMapperMockRecorder) IsUserspaceBind() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "IsUserspaceBind", reflect.TypeOf((*MockIFaceMapper)(nil).IsUserspaceBind))
-}
-
-// Name mocks base method.
-func (m *MockIFaceMapper) Name() string {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Name")
-	ret0, _ := ret[0].(string)
-	return ret0
-}
-
-// Name indicates an expected call of Name.
-func (mr *MockIFaceMapperMockRecorder) Name() *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Name", reflect.TypeOf((*MockIFaceMapper)(nil).Name))
-}
-
-// SetFilter mocks base method.
-func (m *MockIFaceMapper) SetFilter(arg0 iface.PacketFilter) error {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "SetFilter", arg0)
-	ret0, _ := ret[0].(error)
-	return ret0
-}
-
-// SetFilter indicates an expected call of SetFilter.
-func (mr *MockIFaceMapperMockRecorder) SetFilter(arg0 interface{}) *gomock.Call {
-	mr.mock.ctrl.T.Helper()
-	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetFilter", reflect.TypeOf((*MockIFaceMapper)(nil).SetFilter), arg0)
-}
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -1,201 +1,106 @@
 package internal

 import (
+	"context"
 	"fmt"
+	mgm "github.com/netbirdio/netbird/management/client"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"net/url"
 	"os"

-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/iface"
 	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 )

-const (
-	// ManagementLegacyPort is the port that was used before by the Management gRPC server.
-	// It is used for backward compatibility now.
-	// NB: hardcoded from github.com/netbirdio/netbird/management/cmd to avoid import
-	ManagementLegacyPort = 33073
-	// DefaultManagementURL points to the NetBird's cloud management endpoint
-	DefaultManagementURL = "https://api.wiretrustee.com:443"
-	// DefaultAdminURL points to NetBird's cloud management console
-	DefaultAdminURL = "https://app.netbird.io:443"
-)
+var managementURLDefault *url.URL

-var defaultInterfaceBlacklist = []string{iface.WgInterfaceDefault, "wt", "utun", "tun0", "zt", "ZeroTier", "wg", "ts",
-	"Tailscale", "tailscale", "docker", "veth", "br-", "lo"}
+func ManagementURLDefault() *url.URL {
+	return managementURLDefault
+}

-// ConfigInput carries configuration changes to the client
-type ConfigInput struct {
-	ManagementURL    string
-	AdminURL         string
-	ConfigPath       string
-	PreSharedKey     *string
-	NATExternalIPs   []string
-	CustomDNSAddress []byte
+func init() {
+	managementURL, err := parseURL("Management URL", "https://api.wiretrustee.com:33073")
+	if err != nil {
+		panic(err)
+	}
+	managementURLDefault = managementURL
 }

 // Config Configuration type
 type Config struct {
 	// Wireguard private key of local peer
-	PrivateKey           string
-	PreSharedKey         string
-	ManagementURL        *url.URL
-	AdminURL             *url.URL
-	WgIface              string
-	WgPort               int
-	IFaceBlackList       []string
-	DisableIPv6Discovery bool
-	// SSHKey is a private SSH key in a PEM format
-	SSHKey string
-
-	// ExternalIP mappings, if different than the host interface IP
-	//
-	//   External IP must not be behind a CGNAT and port-forwarding for incoming UDP packets from WgPort on ExternalIP
-	//   to WgPort on host interface IP must be present. This can take form of single port-forwarding rule, 1:1 DNAT
-	//   mapping ExternalIP to host interface IP, or a NAT DMZ to host interface IP.
-	//
-	//   A single mapping will take the form of: external[/internal]
-	//    external (required): either the external IP address or "stun" to use STUN to determine the external IP address
-	//    internal (optional): either the internal/interface IP address or an interface name
-	//
-	//   examples:
-	//      "12.34.56.78"          => all interfaces IPs will be mapped to external IP of 12.34.56.78
-	//      "12.34.56.78/eth0"     => IPv4 assigned to interface eth0 will be mapped to external IP of 12.34.56.78
-	//      "12.34.56.78/10.1.2.3" => interface IP 10.1.2.3 will be mapped to external IP of 12.34.56.78
-
-	NATExternalIPs []string
-	// CustomDNSAddress sets the DNS resolver listening address in format ip:port
-	CustomDNSAddress string
-}
-
-// ReadConfig read config file and return with Config. If it is not exists create a new with default values
-func ReadConfig(configPath string) (*Config, error) {
-	if configFileIsExists(configPath) {
-		config := &Config{}
-		if _, err := util.ReadJson(configPath, config); err != nil {
-			return nil, err
-		}
-		return config, nil
-	}
-
-	cfg, err := createNewConfig(ConfigInput{ConfigPath: configPath})
-	if err != nil {
-		return nil, err
-	}
-
-	err = WriteOutConfig(configPath, cfg)
-	return cfg, err
-}
-
-// UpdateConfig update existing configuration according to input configuration and return with the configuration
-func UpdateConfig(input ConfigInput) (*Config, error) {
-	if !configFileIsExists(input.ConfigPath) {
-		return nil, status.Errorf(codes.NotFound, "config file doesn't exist")
-	}
-
-	return update(input)
-}
-
-// UpdateOrCreateConfig reads existing config or generates a new one
-func UpdateOrCreateConfig(input ConfigInput) (*Config, error) {
-	if !configFileIsExists(input.ConfigPath) {
-		log.Infof("generating new config %s", input.ConfigPath)
-		cfg, err := createNewConfig(input)
-		if err != nil {
-			return nil, err
-		}
-		err = WriteOutConfig(input.ConfigPath, cfg)
-		return cfg, err
-	}
-
-	if isPreSharedKeyHidden(input.PreSharedKey) {
-		input.PreSharedKey = nil
-	}
-	return update(input)
-}
-
-// CreateInMemoryConfig generate a new config but do not write out it to the store
-func CreateInMemoryConfig(input ConfigInput) (*Config, error) {
-	return createNewConfig(input)
-}
-
-// WriteOutConfig write put the prepared config to the given path
-func WriteOutConfig(path string, config *Config) error {
-	return util.WriteJson(path, config)
+	PrivateKey     string
+	PreSharedKey   string
+	ManagementURL  *url.URL
+	AdminURL       *url.URL
+	WgIface        string
+	IFaceBlackList []string
 }

 // createNewConfig creates a new config generating a new Wireguard key and saving to file
-func createNewConfig(input ConfigInput) (*Config, error) {
+func createNewConfig(managementURL, adminURL, configPath, preSharedKey string) (*Config, error) {
 	wgKey := generateKey()
-	pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-	if err != nil {
-		return nil, err
-	}
-	config := &Config{
-		SSHKey:               string(pem),
-		PrivateKey:           wgKey,
-		WgIface:              iface.WgInterfaceDefault,
-		WgPort:               iface.DefaultWgPort,
-		IFaceBlackList:       []string{},
-		DisableIPv6Discovery: false,
-		NATExternalIPs:       input.NATExternalIPs,
-		CustomDNSAddress:     string(input.CustomDNSAddress),
-	}
-
-	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
-	if err != nil {
-		return nil, err
-	}
-
-	config.ManagementURL = defaultManagementURL
-	if input.ManagementURL != "" {
-		URL, err := parseURL("Management URL", input.ManagementURL)
+	config := &Config{PrivateKey: wgKey, WgIface: iface.WgInterfaceDefault, IFaceBlackList: []string{}}
+	if managementURL != "" {
+		URL, err := parseURL("Management URL", managementURL)
 		if err != nil {
 			return nil, err
 		}
 		config.ManagementURL = URL
+	} else {
+		config.ManagementURL = managementURLDefault
 	}

-	if input.PreSharedKey != nil {
-		config.PreSharedKey = *input.PreSharedKey
+	if preSharedKey != "" {
+		config.PreSharedKey = preSharedKey
 	}

-	defaultAdminURL, err := parseURL("Admin URL", DefaultAdminURL)
+	config.IFaceBlackList = []string{iface.WgInterfaceDefault, "tun0"}
+
+	err := util.WriteJson(configPath, config)
 	if err != nil {
 		return nil, err
 	}

-	config.AdminURL = defaultAdminURL
-	if input.AdminURL != "" {
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
-		if err != nil {
-			return nil, err
-		}
-		config.AdminURL = newURL
-	}
-
-	config.IFaceBlackList = defaultInterfaceBlacklist
 	return config, nil
 }

-func update(input ConfigInput) (*Config, error) {
-	config := &Config{}
+func parseURL(serviceName, managementURL string) (*url.URL, error) {
+	parsedMgmtURL, err := url.ParseRequestURI(managementURL)
+	if err != nil {
+		log.Errorf("failed parsing management URL %s: [%s]", managementURL, err.Error())
+		return nil, err
+	}

-	if _, err := util.ReadJson(input.ConfigPath, config); err != nil {
+	if parsedMgmtURL.Scheme != "https" && parsedMgmtURL.Scheme != "http" {
+		return nil, fmt.Errorf(
+			"invalid %s URL provided %s. Supported format [http|https]://[host]:[port]",
+			serviceName, managementURL)
+	}
+
+	return parsedMgmtURL, err
+}
+
+// ReadConfig reads existing config. In case provided managementURL is not empty overrides the read property
+func ReadConfig(managementURL, adminURL, configPath string, preSharedKey *string) (*Config, error) {
+	config := &Config{}
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		return nil, status.Errorf(codes.NotFound, "config file doesn't exist")
+	}
+
+	if _, err := util.ReadJson(configPath, config); err != nil {
 		return nil, err
 	}

 	refresh := false

-	if input.ManagementURL != "" && config.ManagementURL.String() != input.ManagementURL {
+	if managementURL != "" && config.ManagementURL.String() != managementURL {
 		log.Infof("new Management URL provided, updated to %s (old value %s)",
-			input.ManagementURL, config.ManagementURL)
-		newURL, err := parseURL("Management URL", input.ManagementURL)
+			managementURL, config.ManagementURL)
+		newURL, err := parseURL("Management URL", managementURL)
 		if err != nil {
 			return nil, err
 		}
@@ -203,10 +108,10 @@ func update(input ConfigInput) (*Config, error) {
 		refresh = true
 	}

-	if input.AdminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != input.AdminURL) {
+	if adminURL != "" && (config.AdminURL == nil || config.AdminURL.String() != adminURL) {
 		log.Infof("new Admin Panel URL provided, updated to %s (old value %s)",
-			input.AdminURL, config.AdminURL)
-		newURL, err := parseURL("Admin Panel URL", input.AdminURL)
+			adminURL, config.AdminURL)
+		newURL, err := parseURL("Admin Panel URL", adminURL)
 		if err != nil {
 			return nil, err
 		}
@@ -214,39 +119,16 @@ func update(input ConfigInput) (*Config, error) {
 		refresh = true
 	}

-	if input.PreSharedKey != nil && config.PreSharedKey != *input.PreSharedKey {
+	if preSharedKey != nil && config.PreSharedKey != *preSharedKey {
 		log.Infof("new pre-shared key provided, updated to %s (old value %s)",
-			*input.PreSharedKey, config.PreSharedKey)
-		config.PreSharedKey = *input.PreSharedKey
-		refresh = true
-	}
-
-	if config.SSHKey == "" {
-		pem, err := ssh.GeneratePrivateKey(ssh.ED25519)
-		if err != nil {
-			return nil, err
-		}
-		config.SSHKey = string(pem)
-		refresh = true
-	}
-
-	if config.WgPort == 0 {
-		config.WgPort = iface.DefaultWgPort
-		refresh = true
-	}
-	if input.NATExternalIPs != nil && len(config.NATExternalIPs) != len(input.NATExternalIPs) {
-		config.NATExternalIPs = input.NATExternalIPs
-		refresh = true
-	}
-
-	if input.CustomDNSAddress != nil {
-		config.CustomDNSAddress = string(input.CustomDNSAddress)
+			*preSharedKey, config.PreSharedKey)
+		config.PreSharedKey = *preSharedKey
 		refresh = true
 	}

 	if refresh {
 		// since we have new management URL, we need to update config file
-		if err := util.WriteJson(input.ConfigPath, config); err != nil {
+		if err := util.WriteJson(configPath, config); err != nil {
 			return nil, err
 		}
 	}
@@ -254,32 +136,19 @@ func update(input ConfigInput) (*Config, error) {
 	return config, nil
 }

-// parseURL parses and validates a service URL
-func parseURL(serviceName, serviceURL string) (*url.URL, error) {
-	parsedMgmtURL, err := url.ParseRequestURI(serviceURL)
-	if err != nil {
-		log.Errorf("failed parsing %s URL %s: [%s]", serviceName, serviceURL, err.Error())
-		return nil, err
-	}
-
-	if parsedMgmtURL.Scheme != "https" && parsedMgmtURL.Scheme != "http" {
-		return nil, fmt.Errorf(
-			"invalid %s URL provided %s. Supported format [http|https]://[host]:[port]",
-			serviceName, serviceURL)
-	}
-
-	if parsedMgmtURL.Port() == "" {
-		switch parsedMgmtURL.Scheme {
-		case "https":
-			parsedMgmtURL.Host = parsedMgmtURL.Host + ":443"
-		case "http":
-			parsedMgmtURL.Host = parsedMgmtURL.Host + ":80"
-		default:
-			log.Infof("unable to determine a default port for schema %s in URL %s", parsedMgmtURL.Scheme, serviceURL)
+// GetConfig reads existing config or generates a new one
+func GetConfig(managementURL, adminURL, configPath, preSharedKey string) (*Config, error) {
+	if _, err := os.Stat(configPath); os.IsNotExist(err) {
+		log.Infof("generating new config %s", configPath)
+		return createNewConfig(managementURL, adminURL, configPath, preSharedKey)
+	} else {
+		// don't overwrite pre-shared key if we receive asterisks from UI
+		pk := &preSharedKey
+		if preSharedKey == "**********" {
+			pk = nil
 		}
+		return ReadConfig(managementURL, adminURL, configPath, pk)
 	}
-
-	return parsedMgmtURL, err
 }

 // generateKey generates a new Wireguard private key
@@ -291,15 +160,76 @@ func generateKey() string {
 	return key.String()
 }

-// don't overwrite pre-shared key if we receive asterisks from UI
-func isPreSharedKeyHidden(preSharedKey *string) bool {
-	if preSharedKey != nil && *preSharedKey == "**********" {
-		return true
-	}
-	return false
+// DeviceAuthorizationFlow represents Device Authorization Flow information
+type DeviceAuthorizationFlow struct {
+	Provider       string
+	ProviderConfig ProviderConfig
 }

-func configFileIsExists(path string) bool {
-	_, err := os.Stat(path)
-	return !os.IsNotExist(err)
+// ProviderConfig has all attributes needed to initiate a device authorization flow
+type ProviderConfig struct {
+	// ClientID An IDP application client id
+	ClientID string
+	// ClientSecret An IDP application client secret
+	ClientSecret string
+	// Domain An IDP API domain
+	Domain string
+	// Audience An Audience for to authorization validation
+	Audience string
+}
+
+func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (DeviceAuthorizationFlow, error) {
+	// validate our peer's Wireguard PRIVATE key
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+	if err != nil {
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	var mgmTlsEnabled bool
+	if config.ManagementURL.Scheme == "https" {
+		mgmTlsEnabled = true
+	}
+
+	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
+	if err != nil {
+		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		return DeviceAuthorizationFlow{}, err
+	}
+	log.Debugf("connected to management Service %s", config.ManagementURL.String())
+
+	serverKey, err := mgmClient.GetServerPublicKey()
+	if err != nil {
+		log.Errorf("failed while getting Management Service public key: %v", err)
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	protoDeviceAuthorizationFlow, err := mgmClient.GetDeviceAuthorizationFlow(*serverKey)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
+			log.Warnf("server couldn't find device flow, contact admin: %v", err)
+			return DeviceAuthorizationFlow{}, err
+		} else {
+			log.Errorf("failed to retrieve device flow: %v", err)
+			return DeviceAuthorizationFlow{}, err
+		}
+	}
+
+	err = mgmClient.Close()
+	if err != nil {
+		log.Errorf("failed closing Management Service client: %v", err)
+		return DeviceAuthorizationFlow{}, err
+	}
+
+	return DeviceAuthorizationFlow{
+		Provider: protoDeviceAuthorizationFlow.Provider.String(),
+
+		ProviderConfig: ProviderConfig{
+			Audience:     protoDeviceAuthorizationFlow.ProviderConfig.Audience,
+			ClientID:     protoDeviceAuthorizationFlow.ProviderConfig.ClientID,
+			ClientSecret: protoDeviceAuthorizationFlow.ProviderConfig.ClientSecret,
+			Domain:       protoDeviceAuthorizationFlow.ProviderConfig.Domain,
+		},
+	}, nil
 }
--- a/client/internal/config_test.go
+++ b/client/internal/config_test.go
@@ -10,34 +10,17 @@ import (
 	"github.com/stretchr/testify/assert"
 )

+func TestReadConfig(t *testing.T) {
+}
+
 func TestGetConfig(t *testing.T) {
-	// case 1: new default config has to be generated
-	config, err := UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: filepath.Join(t.TempDir(), "config.json"),
-	})
-
-	if err != nil {
-		return
-	}
-
-	assert.Equal(t, config.ManagementURL.String(), DefaultManagementURL)
-	assert.Equal(t, config.AdminURL.String(), DefaultAdminURL)
-
-	if err != nil {
-		return
-	}
 	managementURL := "https://test.management.url:33071"
-	adminURL := "https://app.admin.url:443"
+	adminURL := "https://app.admin.url"
 	path := filepath.Join(t.TempDir(), "config.json")
 	preSharedKey := "preSharedKey"

-	// case 2: new config has to be generated
-	config, err = UpdateOrCreateConfig(ConfigInput{
-		ManagementURL: managementURL,
-		AdminURL:      adminURL,
-		ConfigPath:    path,
-		PreSharedKey:  &preSharedKey,
-	})
+	// case 1: new config has to be generated
+	config, err := GetConfig(managementURL, adminURL, path, preSharedKey)
 	if err != nil {
 		return
 	}
@@ -49,13 +32,8 @@ func TestGetConfig(t *testing.T) {
 		t.Errorf("config file was expected to be created under path %s", path)
 	}

-	// case 3: existing config -> fetch it
-	config, err = UpdateOrCreateConfig(ConfigInput{
-		ManagementURL: managementURL,
-		AdminURL:      adminURL,
-		ConfigPath:    path,
-		PreSharedKey:  &preSharedKey,
-	})
+	// case 2: existing config -> fetch it
+	config, err = GetConfig(managementURL, adminURL, path, preSharedKey)
 	if err != nil {
 		return
 	}
@@ -63,14 +41,9 @@ func TestGetConfig(t *testing.T) {
 	assert.Equal(t, config.ManagementURL.String(), managementURL)
 	assert.Equal(t, config.PreSharedKey, preSharedKey)

-	// case 4: existing config, but new managementURL has been provided -> update config
+	// case 3: existing config, but new managementURL has been provided -> update config
 	newManagementURL := "https://test.newManagement.url:33071"
-	config, err = UpdateOrCreateConfig(ConfigInput{
-		ManagementURL: newManagementURL,
-		AdminURL:      adminURL,
-		ConfigPath:    path,
-		PreSharedKey:  &preSharedKey,
-	})
+	config, err = GetConfig(newManagementURL, adminURL, path, preSharedKey)
 	if err != nil {
 		return
 	}
@@ -85,40 +58,3 @@ func TestGetConfig(t *testing.T) {
 	}
 	assert.Equal(t, readConf.(*Config).ManagementURL.String(), newManagementURL)
 }
-
-func TestHiddenPreSharedKey(t *testing.T) {
-	hidden := "**********"
-	samplePreSharedKey := "mysecretpresharedkey"
-	tests := []struct {
-		name         string
-		preSharedKey *string
-		want         string
-	}{
-		{"nil", nil, ""},
-		{"hidden", &hidden, ""},
-		{"filled", &samplePreSharedKey, samplePreSharedKey},
-	}
-
-	// generate default cfg
-	cfgFile := filepath.Join(t.TempDir(), "config.json")
-	_, _ = UpdateOrCreateConfig(ConfigInput{
-		ConfigPath: cfgFile,
-	})
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			cfg, err := UpdateOrCreateConfig(ConfigInput{
-				ConfigPath:   cfgFile,
-				PreSharedKey: tt.preSharedKey,
-			})
-
-			if err != nil {
-				t.Fatalf("failed to get cfg: %s", err)
-			}
-
-			if cfg.PreSharedKey != tt.want {
-				t.Fatalf("invalid preshared key: '%s', expected: '%s' ", cfg.PreSharedKey, tt.want)
-			}
-		})
-	}
-}
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -2,35 +2,30 @@ package internal

 import (
 	"context"
-	"fmt"
-	"strings"
 	"time"

-	"github.com/cenkalti/backoff/v4"
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
-	gstatus "google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
+
 	"github.com/netbirdio/netbird/iface"
 	mgm "github.com/netbirdio/netbird/management/client"
 	mgmProto "github.com/netbirdio/netbird/management/proto"
 	signal "github.com/netbirdio/netbird/signal/client"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/cenkalti/backoff/v4"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )

 // RunClient with main logic.
-func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status, tunAdapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover, routeListener routemanager.RouteListener) error {
+func RunClient(ctx context.Context, config *Config) error {
 	backOff := &backoff.ExponentialBackOff{
 		InitialInterval:     time.Second,
-		RandomizationFactor: 1,
-		Multiplier:          1.7,
-		MaxInterval:         15 * time.Second,
-		MaxElapsedTime:      3 * 30 * 24 * time.Hour, // 3 months
+		RandomizationFactor: backoff.DefaultRandomizationFactor,
+		Multiplier:          backoff.DefaultMultiplier,
+		MaxInterval:         10 * time.Second,
+		MaxElapsedTime:      24 * 3 * time.Hour, // stop the client after 3 days trying (must be a huge problem, e.g permission denied)
 		Stop:                backoff.Stop,
 		Clock:               backoff.SystemClock,
 	}
@@ -44,23 +39,6 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 	}()

 	wrapErr := state.Wrap
-	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
-	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
-		return wrapErr(err)
-	}
-
-	var mgmTlsEnabled bool
-	if config.ManagementURL.Scheme == "https" {
-		mgmTlsEnabled = true
-	}
-
-	publicSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
-	if err != nil {
-		return err
-	}
-
-	defer statusRecorder.ClientStop()
 	operation := func() error {
 		// if context cancelled we not start new backoff cycle
 		select {
@@ -70,60 +48,32 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		}

 		state.Set(StatusConnecting)
+		// validate our peer's Wireguard PRIVATE key
+		myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
+		if err != nil {
+			log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+			return wrapErr(err)
+		}
+
+		var mgmTlsEnabled bool
+		if config.ManagementURL.Scheme == "https" {
+			mgmTlsEnabled = true
+		}

 		engineCtx, cancel := context.WithCancel(ctx)
-		defer func() {
-			statusRecorder.MarkManagementDisconnected()
-			statusRecorder.CleanLocalPeerState()
-			cancel()
-		}()
-
-		log.Debugf("conecting to the Management service %s", config.ManagementURL.Host)
-		mgmClient, err := mgm.NewClient(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
-		if err != nil {
-			return wrapErr(gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err))
-		}
-		mgmNotifier := statusRecorderToMgmConnStateNotifier(statusRecorder)
-		mgmClient.SetConnStateListener(mgmNotifier)
-
-		log.Debugf("connected to the Management service %s", config.ManagementURL.Host)
-		defer func() {
-			err = mgmClient.Close()
-			if err != nil {
-				log.Warnf("failed to close the Management service client %v", err)
-			}
-		}()
+		defer cancel()

 		// connect (just a connection, no stream yet) and login to Management Service to get an initial global Wiretrustee config
-		loginResp, err := loginToManagement(engineCtx, mgmClient, publicSSHKey)
+		mgmClient, loginResp, err := connectToManagement(engineCtx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 		if err != nil {
 			log.Debug(err)
-			if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
+			if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+				log.Info("peer registration required. Please run `netbird status` for details")
 				state.Set(StatusNeedsLogin)
-				return backoff.Permanent(wrapErr(err)) // unrecoverable error
+				return nil
 			}
 			return wrapErr(err)
 		}
-		statusRecorder.MarkManagementConnected()
-
-		localPeerState := peer.LocalPeerState{
-			IP:              loginResp.GetPeerConfig().GetAddress(),
-			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: iface.WireGuardModuleIsLoaded(),
-			FQDN:            loginResp.GetPeerConfig().GetFqdn(),
-		}
-
-		statusRecorder.UpdateLocalPeerState(localPeerState)
-
-		signalURL := fmt.Sprintf("%s://%s",
-			strings.ToLower(loginResp.GetWiretrusteeConfig().GetSignal().GetProtocol().String()),
-			loginResp.GetWiretrusteeConfig().GetSignal().GetUri(),
-		)
-
-		statusRecorder.UpdateSignalAddress(signalURL)
-
-		statusRecorder.MarkSignalDisconnected()
-		defer statusRecorder.MarkSignalDisconnected()

 		// with the global Wiretrustee config in hand connect (just a connection, no stream yet) Signal
 		signalClient, err := connectToSignal(engineCtx, loginResp.GetWiretrusteeConfig(), myPrivateKey)
@@ -131,17 +81,6 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 			log.Error(err)
 			return wrapErr(err)
 		}
-		defer func() {
-			err = signalClient.Close()
-			if err != nil {
-				log.Warnf("failed closing Signal service client %v", err)
-			}
-		}()
-
-		signalNotifier := statusRecorderToSignalConnStateNotifier(statusRecorder)
-		signalClient.SetConnStateListener(signalNotifier)
-
-		statusRecorder.MarkSignalConnected()

 		peerConfig := loginResp.GetPeerConfig()

@@ -151,14 +90,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 			return wrapErr(err)
 		}

-		// in case of non Android os these variables will be nil
-		md := MobileDependency{
-			TunAdapter:    tunAdapter,
-			IFaceDiscover: iFaceDiscover,
-			RouteListener: routeListener,
-		}
-
-		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig, md, statusRecorder)
+		engine := NewEngine(engineCtx, cancel, signalClient, mgmClient, engineConfig)
 		err = engine.Start()
 		if err != nil {
 			log.Errorf("error while starting Netbird Connection Engine: %s", err)
@@ -168,20 +100,28 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		log.Print("Netbird engine started, my IP is: ", peerConfig.Address)
 		state.Set(StatusConnected)

-		statusRecorder.ClientStart()
-
 		<-engineCtx.Done()
-		statusRecorder.ClientTeardown()

 		backOff.Reset()

+		err = mgmClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Management Service client %v", err)
+			return wrapErr(err)
+		}
+		err = signalClient.Close()
+		if err != nil {
+			log.Errorf("failed closing Signal Service client %v", err)
+			return wrapErr(err)
+		}
+
 		err = engine.Stop()
 		if err != nil {
 			log.Errorf("failed stopping engine %v", err)
 			return wrapErr(err)
 		}

-		log.Info("stopped NetBird client")
+		log.Info("stopped Netbird client")

 		if _, err := state.Status(); err == ErrResetConnection {
 			return err
@@ -190,12 +130,9 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,
 		return nil
 	}

-	err = backoff.Retry(operation, backOff)
+	err := backoff.Retry(operation, backOff)
 	if err != nil {
-		log.Debugf("exiting client retry loop due to unrecoverable error: %s", err)
-		if s, ok := gstatus.FromError(err); ok && (s.Code() == codes.PermissionDenied) {
-			state.Set(StatusNeedsLogin)
-		}
+		log.Errorf("exiting client retry loop due to unrecoverable error: %s", err)
 		return err
 	}
 	return nil
@@ -203,16 +140,17 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *peer.Status,

 // createEngineConfig converts configuration received from Management Service to EngineConfig
 func createEngineConfig(key wgtypes.Key, config *Config, peerConfig *mgmProto.PeerConfig) (*EngineConfig, error) {
+	iFaceBlackList := make(map[string]struct{})
+	for i := 0; i < len(config.IFaceBlackList); i += 2 {
+		iFaceBlackList[config.IFaceBlackList[i]] = struct{}{}
+	}
+
 	engineConf := &EngineConfig{
-		WgIfaceName:          config.WgIface,
-		WgAddr:               peerConfig.Address,
-		IFaceBlackList:       config.IFaceBlackList,
-		DisableIPv6Discovery: config.DisableIPv6Discovery,
-		WgPrivateKey:         key,
-		WgPort:               config.WgPort,
-		SSHKey:               []byte(config.SSHKey),
-		NATExternalIPs:       config.NATExternalIPs,
-		CustomDNSAddress:     config.CustomDNSAddress,
+		WgIfaceName:    config.WgIface,
+		WgAddr:         peerConfig.Address,
+		IFaceBlackList: iFaceBlackList,
+		WgPrivateKey:   key,
+		WgPort:         iface.DefaultWgPort,
 	}

 	if config.PreSharedKey != "" {
@@ -238,114 +176,33 @@ func connectToSignal(ctx context.Context, wtConfig *mgmProto.WiretrusteeConfig,
 	signalClient, err := signal.NewClient(ctx, wtConfig.Signal.Uri, ourPrivateKey, sigTLSEnabled)
 	if err != nil {
 		log.Errorf("error while connecting to the Signal Exchange Service %s: %s", wtConfig.Signal.Uri, err)
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
+		return nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Signal Service : %s", err)
 	}

 	return signalClient, nil
 }

-// loginToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
-func loginToManagement(ctx context.Context, client mgm.Client, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
+// connectToManagement creates Management Services client, establishes a connection, logs-in and gets a global Wiretrustee config (signal, turn, stun hosts, etc)
+func connectToManagement(ctx context.Context, managementAddr string, ourPrivateKey wgtypes.Key, tlsEnabled bool) (*mgm.GrpcClient, *mgmProto.LoginResponse, error) {
+	log.Debugf("connecting to Management Service %s", managementAddr)
+	client, err := mgm.NewClient(ctx, managementAddr, ourPrivateKey, tlsEnabled)
+	if err != nil {
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed connecting to Management Service : %s", err)
+	}
+	log.Debugf("connected to management server %s", managementAddr)

 	serverPublicKey, err := client.GetServerPublicKey()
 	if err != nil {
-		return nil, gstatus.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
+		return nil, nil, status.Errorf(codes.FailedPrecondition, "failed while getting Management Service public key: %s", err)
 	}

 	sysInfo := system.GetInfo(ctx)
-	loginResp, err := client.Login(*serverPublicKey, sysInfo, pubSSHKey)
+	loginResp, err := client.Login(*serverPublicKey, sysInfo)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}

-	return loginResp, nil
-}
-
-// UpdateOldManagementPort checks whether client can switch to the new Management port 443.
-// If it can switch, then it updates the config and returns a new one. Otherwise, it returns the provided config.
-// The check is performed only for the NetBird's managed version.
-func UpdateOldManagementPort(ctx context.Context, config *Config, configPath string) (*Config, error) {
-
-	defaultManagementURL, err := parseURL("Management URL", DefaultManagementURL)
-	if err != nil {
-		return nil, err
-	}
-
-	if config.ManagementURL.Hostname() != defaultManagementURL.Hostname() {
-		// only do the check for the NetBird's managed version
-		return config, nil
-	}
-
-	var mgmTlsEnabled bool
-	if config.ManagementURL.Scheme == "https" {
-		mgmTlsEnabled = true
-	}
-
-	if !mgmTlsEnabled {
-		// only do the check for HTTPs scheme (the hosted version of the Management service is always HTTPs)
-		return config, nil
-	}
-
-	if mgmTlsEnabled && config.ManagementURL.Port() == fmt.Sprintf("%d", ManagementLegacyPort) {
-
-		newURL, err := parseURL("Management URL", fmt.Sprintf("%s://%s:%d",
-			config.ManagementURL.Scheme, config.ManagementURL.Hostname(), 443))
-		if err != nil {
-			return nil, err
-		}
-		// here we check whether we could switch from the legacy 33073 port to the new 443
-		log.Infof("attempting to switch from the legacy Management URL %s to the new one %s",
-			config.ManagementURL.String(), newURL.String())
-		key, err := wgtypes.ParseKey(config.PrivateKey)
-		if err != nil {
-			log.Infof("couldn't switch to the new Management %s", newURL.String())
-			return config, err
-		}
-
-		client, err := mgm.NewClient(ctx, newURL.Host, key, mgmTlsEnabled)
-		if err != nil {
-			log.Infof("couldn't switch to the new Management %s", newURL.String())
-			return config, err
-		}
-		defer func() {
-			err = client.Close()
-			if err != nil {
-				log.Warnf("failed to close the Management service client %v", err)
-			}
-		}()
-
-		// gRPC check
-		_, err = client.GetServerPublicKey()
-		if err != nil {
-			log.Infof("couldn't switch to the new Management %s", newURL.String())
-			return nil, err
-		}
-
-		// everything is alright => update the config
-		newConfig, err := UpdateConfig(ConfigInput{
-			ManagementURL: newURL.String(),
-			ConfigPath:    configPath,
-		})
-		if err != nil {
-			log.Infof("couldn't switch to the new Management %s", newURL.String())
-			return config, fmt.Errorf("failed updating config file: %v", err)
-		}
-		log.Infof("successfully switched to the new Management URL: %s", newURL.String())
-
-		return newConfig, nil
-	}
-
-	return config, nil
-}
-
-func statusRecorderToMgmConnStateNotifier(statusRecorder *peer.Status) mgm.ConnStateNotifier {
-	var sri interface{} = statusRecorder
-	mgmNotifier, _ := sri.(mgm.ConnStateNotifier)
-	return mgmNotifier
-}
-
-func statusRecorderToSignalConnStateNotifier(statusRecorder *peer.Status) signal.ConnStateNotifier {
-	var sri interface{} = statusRecorder
-	notifier, _ := sri.(signal.ConnStateNotifier)
-	return notifier
+	log.Debugf("peer logged in to Management Service %s", managementAddr)
+
+	return client, loginResp, nil
 }
--- a/client/internal/device_auth.go
+++ b/client/internal/device_auth.go
@@ -1,134 +0,0 @@
-package internal
-
-import (
-	"context"
-	"fmt"
-	"net/url"
-
-	log "github.com/sirupsen/logrus"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-
-	mgm "github.com/netbirdio/netbird/management/client"
-)
-
-// DeviceAuthorizationFlow represents Device Authorization Flow information
-type DeviceAuthorizationFlow struct {
-	Provider       string
-	ProviderConfig ProviderConfig
-}
-
-// ProviderConfig has all attributes needed to initiate a device authorization flow
-type ProviderConfig struct {
-	// ClientID An IDP application client id
-	ClientID string
-	// ClientSecret An IDP application client secret
-	ClientSecret string
-	// Domain An IDP API domain
-	// Deprecated. Use OIDCConfigEndpoint instead
-	Domain string
-	// Audience An Audience for to authorization validation
-	Audience string
-	// TokenEndpoint is the endpoint of an IDP manager where clients can obtain access token
-	TokenEndpoint string
-	// DeviceAuthEndpoint is the endpoint of an IDP manager where clients can obtain device authorization code
-	DeviceAuthEndpoint string
-	// Scopes provides the scopes to be included in the token request
-	Scope string
-	// UseIDToken indicates if the id token should be used for authentication
-	UseIDToken bool
-}
-
-// GetDeviceAuthorizationFlowInfo initialize a DeviceAuthorizationFlow instance and return with it
-func GetDeviceAuthorizationFlowInfo(ctx context.Context, privateKey string, mgmURL *url.URL) (DeviceAuthorizationFlow, error) {
-	// validate our peer's Wireguard PRIVATE key
-	myPrivateKey, err := wgtypes.ParseKey(privateKey)
-	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", privateKey, err.Error())
-		return DeviceAuthorizationFlow{}, err
-	}
-
-	var mgmTLSEnabled bool
-	if mgmURL.Scheme == "https" {
-		mgmTLSEnabled = true
-	}
-
-	log.Debugf("connecting to Management Service %s", mgmURL.String())
-	mgmClient, err := mgm.NewClient(ctx, mgmURL.Host, myPrivateKey, mgmTLSEnabled)
-	if err != nil {
-		log.Errorf("failed connecting to Management Service %s %v", mgmURL.String(), err)
-		return DeviceAuthorizationFlow{}, err
-	}
-	log.Debugf("connected to the Management service %s", mgmURL.String())
-
-	defer func() {
-		err = mgmClient.Close()
-		if err != nil {
-			log.Warnf("failed to close the Management service client %v", err)
-		}
-	}()
-
-	serverKey, err := mgmClient.GetServerPublicKey()
-	if err != nil {
-		log.Errorf("failed while getting Management Service public key: %v", err)
-		return DeviceAuthorizationFlow{}, err
-	}
-
-	protoDeviceAuthorizationFlow, err := mgmClient.GetDeviceAuthorizationFlow(*serverKey)
-	if err != nil {
-		if s, ok := status.FromError(err); ok && s.Code() == codes.NotFound {
-			log.Warnf("server couldn't find device flow, contact admin: %v", err)
-			return DeviceAuthorizationFlow{}, err
-		}
-		log.Errorf("failed to retrieve device flow: %v", err)
-		return DeviceAuthorizationFlow{}, err
-	}
-
-	deviceAuthorizationFlow := DeviceAuthorizationFlow{
-		Provider: protoDeviceAuthorizationFlow.Provider.String(),
-
-		ProviderConfig: ProviderConfig{
-			Audience:           protoDeviceAuthorizationFlow.GetProviderConfig().GetAudience(),
-			ClientID:           protoDeviceAuthorizationFlow.GetProviderConfig().GetClientID(),
-			ClientSecret:       protoDeviceAuthorizationFlow.GetProviderConfig().GetClientSecret(),
-			Domain:             protoDeviceAuthorizationFlow.GetProviderConfig().Domain,
-			TokenEndpoint:      protoDeviceAuthorizationFlow.GetProviderConfig().GetTokenEndpoint(),
-			DeviceAuthEndpoint: protoDeviceAuthorizationFlow.GetProviderConfig().GetDeviceAuthEndpoint(),
-			Scope:              protoDeviceAuthorizationFlow.GetProviderConfig().GetScope(),
-			UseIDToken:         protoDeviceAuthorizationFlow.GetProviderConfig().GetUseIDToken(),
-		},
-	}
-
-	// keep compatibility with older management versions
-	if deviceAuthorizationFlow.ProviderConfig.Scope == "" {
-		deviceAuthorizationFlow.ProviderConfig.Scope = "openid"
-	}
-
-	err = isProviderConfigValid(deviceAuthorizationFlow.ProviderConfig)
-	if err != nil {
-		return DeviceAuthorizationFlow{}, err
-	}
-
-	return deviceAuthorizationFlow, nil
-}
-
-func isProviderConfigValid(config ProviderConfig) error {
-	errorMSGFormat := "invalid provider configuration received from management: %s value is empty. Contact your NetBird administrator"
-	if config.Audience == "" {
-		return fmt.Errorf(errorMSGFormat, "Audience")
-	}
-	if config.ClientID == "" {
-		return fmt.Errorf(errorMSGFormat, "Client ID")
-	}
-	if config.TokenEndpoint == "" {
-		return fmt.Errorf(errorMSGFormat, "Token Endpoint")
-	}
-	if config.DeviceAuthEndpoint == "" {
-		return fmt.Errorf(errorMSGFormat, "Device Auth Endpoint")
-	}
-	if config.Scope == "" {
-		return fmt.Errorf(errorMSGFormat, "Device Auth Scopes")
-	}
-	return nil
-}
--- a/client/internal/dns/dbus_linux.go
+++ b/client/internal/dns/dbus_linux.go
@@ -1,43 +0,0 @@
-//go:build !android
-
-package dns
-
-import (
-	"context"
-	"github.com/godbus/dbus/v5"
-	log "github.com/sirupsen/logrus"
-	"time"
-)
-
-const dbusDefaultFlag = 0
-
-func isDbusListenerRunning(dest string, path dbus.ObjectPath) bool {
-	obj, closeConn, err := getDbusObject(dest, path)
-	if err != nil {
-		return false
-	}
-	defer closeConn()
-
-	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
-	defer cancel()
-
-	err = obj.CallWithContext(ctx, "org.freedesktop.DBus.Peer.Ping", 0).Store()
-	return err == nil
-}
-
-func getDbusObject(dest string, path dbus.ObjectPath) (dbus.BusObject, func(), error) {
-	conn, err := dbus.SystemBus()
-	if err != nil {
-		return nil, nil, err
-	}
-	obj := conn.Object(dest, path)
-
-	closeFunc := func() {
-		closeErr := conn.Close()
-		if closeErr != nil {
-			log.Warnf("got an error closing dbus connection, err: %s", closeErr)
-		}
-	}
-
-	return obj, closeFunc, nil
-}
--- a/client/internal/dns/file_linux.go
+++ b/client/internal/dns/file_linux.go
@@ -1,162 +0,0 @@
-//go:build !android
-
-package dns
-
-import (
-	"bytes"
-	"fmt"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	fileGeneratedResolvConfContentHeader      = "# Generated by NetBird"
-	fileGeneratedResolvConfSearchBeginContent = "search "
-	fileGeneratedResolvConfContentFormat      = fileGeneratedResolvConfContentHeader +
-		"\n# If needed you can restore the original file by copying back %s\n\nnameserver %s\n" +
-		fileGeneratedResolvConfSearchBeginContent + "%s\n"
-)
-
-const (
-	fileDefaultResolvConfBackupLocation = defaultResolvConfPath + ".original.netbird"
-	fileMaxLineCharsLimit               = 256
-	fileMaxNumberOfSearchDomains        = 6
-)
-
-var fileSearchLineBeginCharCount = len(fileGeneratedResolvConfSearchBeginContent)
-
-type fileConfigurator struct {
-	originalPerms os.FileMode
-}
-
-func newFileConfigurator() (hostManager, error) {
-	return &fileConfigurator{}, nil
-}
-
-func (f *fileConfigurator) supportCustomPort() bool {
-	return false
-}
-
-func (f *fileConfigurator) applyDNSConfig(config hostDNSConfig) error {
-	backupFileExist := false
-	_, err := os.Stat(fileDefaultResolvConfBackupLocation)
-	if err == nil {
-		backupFileExist = true
-	}
-
-	if !config.routeAll {
-		if backupFileExist {
-			err = f.restore()
-			if err != nil {
-				return fmt.Errorf("unable to configure DNS for this peer using file manager without a Primary nameserver group. Restoring the original file return err: %s", err)
-			}
-		}
-		return fmt.Errorf("unable to configure DNS for this peer using file manager without a nameserver group with all domains configured")
-	}
-	managerType, err := getOSDNSManagerType()
-	if err != nil {
-		return err
-	}
-	switch managerType {
-	case fileManager, netbirdManager:
-		if !backupFileExist {
-			err = f.backup()
-			if err != nil {
-				return fmt.Errorf("unable to backup the resolv.conf file")
-			}
-		}
-	default:
-		// todo improve this and maybe restart DNS manager from scratch
-		return fmt.Errorf("something happened and file manager is not your prefered host dns configurator, restart the agent")
-	}
-
-	var searchDomains string
-	appendedDomains := 0
-	for _, dConf := range config.domains {
-		if dConf.matchOnly || dConf.disabled {
-			continue
-		}
-		if appendedDomains >= fileMaxNumberOfSearchDomains {
-			// lets log all skipped domains
-			log.Infof("already appended %d domains to search list. Skipping append of %s domain", fileMaxNumberOfSearchDomains, dConf.domain)
-			continue
-		}
-		if fileSearchLineBeginCharCount+len(searchDomains) > fileMaxLineCharsLimit {
-			// lets log all skipped domains
-			log.Infof("search list line is larger than %d characters. Skipping append of %s domain", fileMaxLineCharsLimit, dConf.domain)
-			continue
-		}
-
-		searchDomains += " " + dConf.domain
-		appendedDomains++
-	}
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
-	err = writeDNSConfig(content, defaultResolvConfPath, f.originalPerms)
-	if err != nil {
-		err = f.restore()
-		if err != nil {
-			log.Errorf("attempt to restore default file failed with error: %s", err)
-		}
-		return err
-	}
-	log.Infof("created a NetBird managed %s file with your DNS settings. Added %d search domains. Search list: %s", defaultResolvConfPath, appendedDomains, searchDomains)
-	return nil
-}
-
-func (f *fileConfigurator) restoreHostDNS() error {
-	return f.restore()
-}
-
-func (f *fileConfigurator) backup() error {
-	stats, err := os.Stat(defaultResolvConfPath)
-	if err != nil {
-		return fmt.Errorf("got an error while checking stats for %s file. Error: %s", defaultResolvConfPath, err)
-	}
-
-	f.originalPerms = stats.Mode()
-
-	err = copyFile(defaultResolvConfPath, fileDefaultResolvConfBackupLocation)
-	if err != nil {
-		return fmt.Errorf("got error while backing up the %s file. Error: %s", defaultResolvConfPath, err)
-	}
-	return nil
-}
-
-func (f *fileConfigurator) restore() error {
-	err := copyFile(fileDefaultResolvConfBackupLocation, defaultResolvConfPath)
-	if err != nil {
-		return fmt.Errorf("got error while restoring the %s file from %s. Error: %s", defaultResolvConfPath, fileDefaultResolvConfBackupLocation, err)
-	}
-
-	return os.RemoveAll(fileDefaultResolvConfBackupLocation)
-}
-
-func writeDNSConfig(content, fileName string, permissions os.FileMode) error {
-	log.Debugf("creating managed file %s", fileName)
-	var buf bytes.Buffer
-	buf.WriteString(content)
-	err := os.WriteFile(fileName, buf.Bytes(), permissions)
-	if err != nil {
-		return fmt.Errorf("got an creating resolver file %s. Error: %s", fileName, err)
-	}
-	return nil
-}
-
-func copyFile(src, dest string) error {
-	stats, err := os.Stat(src)
-	if err != nil {
-		return fmt.Errorf("got an error while checking stats for %s file when copying it. Error: %s", src, err)
-	}
-
-	bytesRead, err := os.ReadFile(src)
-	if err != nil {
-		return fmt.Errorf("got an error while reading the file %s file for copy. Error: %s", src, err)
-	}
-
-	err = os.WriteFile(dest, bytesRead, stats.Mode())
-	if err != nil {
-		return fmt.Errorf("got an writing the destination file %s for copy. Error: %s", dest, err)
-	}
-	return nil
-}
--- a/client/internal/dns/host.go
+++ b/client/internal/dns/host.go
@@ -1,94 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"strings"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-type hostManager interface {
-	applyDNSConfig(config hostDNSConfig) error
-	restoreHostDNS() error
-	supportCustomPort() bool
-}
-
-type hostDNSConfig struct {
-	domains    []domainConfig
-	routeAll   bool
-	serverIP   string
-	serverPort int
-}
-
-type domainConfig struct {
-	disabled  bool
-	domain    string
-	matchOnly bool
-}
-
-type mockHostConfigurator struct {
-	applyDNSConfigFunc    func(config hostDNSConfig) error
-	restoreHostDNSFunc    func() error
-	supportCustomPortFunc func() bool
-}
-
-func (m *mockHostConfigurator) applyDNSConfig(config hostDNSConfig) error {
-	if m.applyDNSConfigFunc != nil {
-		return m.applyDNSConfigFunc(config)
-	}
-	return fmt.Errorf("method applyDNSSettings is not implemented")
-}
-
-func (m *mockHostConfigurator) restoreHostDNS() error {
-	if m.restoreHostDNSFunc != nil {
-		return m.restoreHostDNSFunc()
-	}
-	return fmt.Errorf("method restoreHostDNS is not implemented")
-}
-
-func (m *mockHostConfigurator) supportCustomPort() bool {
-	if m.supportCustomPortFunc != nil {
-		return m.supportCustomPortFunc()
-	}
-	return false
-}
-
-func newNoopHostMocker() hostManager {
-	return &mockHostConfigurator{
-		applyDNSConfigFunc:    func(config hostDNSConfig) error { return nil },
-		restoreHostDNSFunc:    func() error { return nil },
-		supportCustomPortFunc: func() bool { return true },
-	}
-}
-
-func dnsConfigToHostDNSConfig(dnsConfig nbdns.Config, ip string, port int) hostDNSConfig {
-	config := hostDNSConfig{
-		routeAll:   false,
-		serverIP:   ip,
-		serverPort: port,
-	}
-	for _, nsConfig := range dnsConfig.NameServerGroups {
-		if len(nsConfig.NameServers) == 0 {
-			continue
-		}
-		if nsConfig.Primary {
-			config.routeAll = true
-		}
-
-		for _, domain := range nsConfig.Domains {
-			config.domains = append(config.domains, domainConfig{
-				domain:    strings.TrimSuffix(domain, "."),
-				matchOnly: true,
-			})
-		}
-	}
-
-	for _, customZone := range dnsConfig.CustomZones {
-		config.domains = append(config.domains, domainConfig{
-			domain:    strings.TrimSuffix(customZone.Domain, "."),
-			matchOnly: false,
-		})
-	}
-
-	return config
-}
--- a/client/internal/dns/host_android.go
+++ b/client/internal/dns/host_android.go
@@ -1,24 +0,0 @@
-package dns
-
-import (
-	"github.com/netbirdio/netbird/iface"
-)
-
-type androidHostManager struct {
-}
-
-func newHostManager(wgInterface *iface.WGIface) (hostManager, error) {
-	return &androidHostManager{}, nil
-}
-
-func (a androidHostManager) applyDNSConfig(config hostDNSConfig) error {
-	return nil
-}
-
-func (a androidHostManager) restoreHostDNS() error {
-	return nil
-}
-
-func (a androidHostManager) supportCustomPort() bool {
-	return false
-}
--- a/client/internal/dns/host_darwin.go
+++ b/client/internal/dns/host_darwin.go
@@ -1,268 +0,0 @@
-package dns
-
-import (
-	"bufio"
-	"bytes"
-	"fmt"
-	"os/exec"
-	"strconv"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	netbirdDNSStateKeyFormat            = "State:/Network/Service/NetBird-%s/DNS"
-	globalIPv4State                     = "State:/Network/Global/IPv4"
-	primaryServiceSetupKeyFormat        = "Setup:/Network/Service/%s/DNS"
-	keySupplementalMatchDomains         = "SupplementalMatchDomains"
-	keySupplementalMatchDomainsNoSearch = "SupplementalMatchDomainsNoSearch"
-	keyServerAddresses                  = "ServerAddresses"
-	keyServerPort                       = "ServerPort"
-	arraySymbol                         = "* "
-	digitSymbol                         = "# "
-	scutilPath                          = "/usr/sbin/scutil"
-	searchSuffix                        = "Search"
-	matchSuffix                         = "Match"
-)
-
-type systemConfigurator struct {
-	// primaryServiceID primary interface in the system. AKA the interface with the default route
-	primaryServiceID string
-	createdKeys      map[string]struct{}
-}
-
-func newHostManager(_ *iface.WGIface) (hostManager, error) {
-	return &systemConfigurator{
-		createdKeys: make(map[string]struct{}),
-	}, nil
-}
-
-func (s *systemConfigurator) supportCustomPort() bool {
-	return true
-}
-
-func (s *systemConfigurator) applyDNSConfig(config hostDNSConfig) error {
-	var err error
-
-	if config.routeAll {
-		err = s.addDNSSetupForAll(config.serverIP, config.serverPort)
-		if err != nil {
-			return err
-		}
-	} else if s.primaryServiceID != "" {
-		err = s.removeKeyFromSystemConfig(getKeyWithInput(primaryServiceSetupKeyFormat, s.primaryServiceID))
-		if err != nil {
-			return err
-		}
-		s.primaryServiceID = ""
-		log.Infof("removed %s:%d as main DNS resolver for this peer", config.serverIP, config.serverPort)
-	}
-
-	var (
-		searchDomains []string
-		matchDomains  []string
-	)
-
-	for _, dConf := range config.domains {
-		if dConf.disabled {
-			continue
-		}
-		if dConf.matchOnly {
-			matchDomains = append(matchDomains, dConf.domain)
-			continue
-		}
-		searchDomains = append(searchDomains, dConf.domain)
-	}
-
-	matchKey := getKeyWithInput(netbirdDNSStateKeyFormat, matchSuffix)
-	if len(matchDomains) != 0 {
-		err = s.addMatchDomains(matchKey, strings.Join(matchDomains, " "), config.serverIP, config.serverPort)
-	} else {
-		log.Infof("removing match domains from the system")
-		err = s.removeKeyFromSystemConfig(matchKey)
-	}
-	if err != nil {
-		return err
-	}
-
-	searchKey := getKeyWithInput(netbirdDNSStateKeyFormat, searchSuffix)
-	if len(searchDomains) != 0 {
-		err = s.addSearchDomains(searchKey, strings.Join(searchDomains, " "), config.serverIP, config.serverPort)
-	} else {
-		log.Infof("removing search domains from the system")
-		err = s.removeKeyFromSystemConfig(searchKey)
-	}
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *systemConfigurator) restoreHostDNS() error {
-	lines := ""
-	for key := range s.createdKeys {
-		lines += buildRemoveKeyOperation(key)
-		keyType := "search"
-		if strings.Contains(key, matchSuffix) {
-			keyType = "match"
-		}
-		log.Infof("removing %s domains from system", keyType)
-	}
-	if s.primaryServiceID != "" {
-		lines += buildRemoveKeyOperation(getKeyWithInput(primaryServiceSetupKeyFormat, s.primaryServiceID))
-		log.Infof("restoring DNS resolver configuration for system")
-	}
-	_, err := runSystemConfigCommand(wrapCommand(lines))
-	if err != nil {
-		log.Errorf("got an error while cleaning the system configuration: %s", err)
-		return err
-	}
-
-	return nil
-}
-
-func (s *systemConfigurator) removeKeyFromSystemConfig(key string) error {
-	line := buildRemoveKeyOperation(key)
-	_, err := runSystemConfigCommand(wrapCommand(line))
-	if err != nil {
-		return err
-	}
-
-	delete(s.createdKeys, key)
-
-	return nil
-}
-
-func (s *systemConfigurator) addSearchDomains(key, domains string, ip string, port int) error {
-	err := s.addDNSState(key, domains, ip, port, true)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("added %d search domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
-
-	s.createdKeys[key] = struct{}{}
-
-	return nil
-}
-
-func (s *systemConfigurator) addMatchDomains(key, domains, dnsServer string, port int) error {
-	err := s.addDNSState(key, domains, dnsServer, port, false)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("added %d match domains to the state. Domain list: %s", len(strings.Split(domains, " ")), domains)
-
-	s.createdKeys[key] = struct{}{}
-
-	return nil
-}
-
-func (s *systemConfigurator) addDNSState(state, domains, dnsServer string, port int, enableSearch bool) error {
-	noSearch := "1"
-	if enableSearch {
-		noSearch = "0"
-	}
-	lines := buildAddCommandLine(keySupplementalMatchDomains, arraySymbol+domains)
-	lines += buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+noSearch)
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
-	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
-
-	addDomainCommand := buildCreateStateWithOperation(state, lines)
-	stdinCommands := wrapCommand(addDomainCommand)
-
-	_, err := runSystemConfigCommand(stdinCommands)
-	if err != nil {
-		return fmt.Errorf("got error while applying state for domains %s, error: %s", domains, err)
-	}
-	return nil
-}
-
-func (s *systemConfigurator) addDNSSetupForAll(dnsServer string, port int) error {
-	primaryServiceKey := s.getPrimaryService()
-	if primaryServiceKey == "" {
-		return fmt.Errorf("couldn't find the primary service key")
-	}
-
-	err := s.addDNSSetup(getKeyWithInput(primaryServiceSetupKeyFormat, primaryServiceKey), dnsServer, port)
-	if err != nil {
-		return err
-	}
-	log.Infof("configured %s:%d as main DNS resolver for this peer", dnsServer, port)
-	s.primaryServiceID = primaryServiceKey
-	return nil
-}
-
-func (s *systemConfigurator) getPrimaryService() string {
-	line := buildCommandLine("show", globalIPv4State, "")
-	stdinCommands := wrapCommand(line)
-	b, err := runSystemConfigCommand(stdinCommands)
-	if err != nil {
-		log.Error("got error while sending the command: ", err)
-		return ""
-	}
-	scanner := bufio.NewScanner(bytes.NewReader(b))
-	for scanner.Scan() {
-		text := scanner.Text()
-		if strings.Contains(text, "PrimaryService") {
-			return strings.TrimSpace(strings.Split(text, ":")[1])
-		}
-	}
-	return ""
-}
-
-func (s *systemConfigurator) addDNSSetup(setupKey, dnsServer string, port int) error {
-	lines := buildAddCommandLine(keySupplementalMatchDomainsNoSearch, digitSymbol+strconv.Itoa(0))
-	lines += buildAddCommandLine(keyServerAddresses, arraySymbol+dnsServer)
-	lines += buildAddCommandLine(keyServerPort, digitSymbol+strconv.Itoa(port))
-	addDomainCommand := buildCreateStateWithOperation(setupKey, lines)
-	stdinCommands := wrapCommand(addDomainCommand)
-	_, err := runSystemConfigCommand(stdinCommands)
-	if err != nil {
-		return fmt.Errorf("got error while applying dns setup, error: %s", err)
-	}
-	return nil
-}
-
-func getKeyWithInput(format, key string) string {
-	return fmt.Sprintf(format, key)
-}
-
-func buildAddCommandLine(key, value string) string {
-	return buildCommandLine("d.add", key, value)
-}
-
-func buildCommandLine(action, key, value string) string {
-	return fmt.Sprintf("%s %s %s\n", action, key, value)
-}
-
-func wrapCommand(commands string) string {
-	return fmt.Sprintf("open\n%s\nquit\n", commands)
-}
-
-func buildRemoveKeyOperation(key string) string {
-	return fmt.Sprintf("remove %s\n", key)
-}
-
-func buildCreateStateWithOperation(state, commands string) string {
-	return buildWriteStateOperation("set", state, commands)
-}
-
-func buildWriteStateOperation(operation, state, commands string) string {
-	return fmt.Sprintf("d.init\n%s %s\n%s\nset %s\n", operation, state, commands, state)
-}
-
-func runSystemConfigCommand(command string) ([]byte, error) {
-	cmd := exec.Command(scutilPath)
-	cmd.Stdin = strings.NewReader(command)
-	out, err := cmd.Output()
-	if err != nil {
-		return nil, fmt.Errorf("got error while running system configuration command: \"%s\", error: %s", command, err)
-	}
-	return out, nil
-}
--- a/client/internal/dns/host_linux.go
+++ b/client/internal/dns/host_linux.go
@@ -1,89 +0,0 @@
-//go:build !android
-
-package dns
-
-import (
-	"bufio"
-	"fmt"
-	"github.com/netbirdio/netbird/iface"
-	log "github.com/sirupsen/logrus"
-	"os"
-	"strings"
-)
-
-const (
-	defaultResolvConfPath = "/etc/resolv.conf"
-)
-
-const (
-	netbirdManager osManagerType = iota
-	fileManager
-	networkManager
-	systemdManager
-	resolvConfManager
-)
-
-type osManagerType int
-
-func newHostManager(wgInterface *iface.WGIface) (hostManager, error) {
-	osManager, err := getOSDNSManagerType()
-	if err != nil {
-		return nil, err
-	}
-
-	log.Debugf("discovered mode is: %d", osManager)
-	switch osManager {
-	case networkManager:
-		return newNetworkManagerDbusConfigurator(wgInterface)
-	case systemdManager:
-		return newSystemdDbusConfigurator(wgInterface)
-	case resolvConfManager:
-		return newResolvConfConfigurator(wgInterface)
-	default:
-		return newFileConfigurator()
-	}
-}
-
-func getOSDNSManagerType() (osManagerType, error) {
-
-	file, err := os.Open(defaultResolvConfPath)
-	if err != nil {
-		return 0, fmt.Errorf("unable to open %s for checking owner, got error: %s", defaultResolvConfPath, err)
-	}
-	defer file.Close()
-
-	scanner := bufio.NewScanner(file)
-	for scanner.Scan() {
-		text := scanner.Text()
-		if len(text) == 0 {
-			continue
-		}
-		if text[0] != '#' {
-			return fileManager, nil
-		}
-		if strings.Contains(text, fileGeneratedResolvConfContentHeader) {
-			return netbirdManager, nil
-		}
-		if strings.Contains(text, "NetworkManager") && isDbusListenerRunning(networkManagerDest, networkManagerDbusObjectNode) && isNetworkManagerSupported() {
-			log.Debugf("is nm running on supported v? %t", isNetworkManagerSupportedVersion())
-			return networkManager, nil
-		}
-		if strings.Contains(text, "systemd-resolved") && isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
-			return systemdManager, nil
-		}
-		if strings.Contains(text, "resolvconf") {
-			if isDbusListenerRunning(systemdResolvedDest, systemdDbusObjectNode) {
-				var value string
-				err = getSystemdDbusProperty(systemdDbusResolvConfModeProperty, &value)
-				if err == nil {
-					if value == systemdDbusResolvConfModeForeign {
-						return systemdManager, nil
-					}
-				}
-				log.Errorf("got an error while checking systemd resolv conf mode, error: %s", err)
-			}
-			return resolvConfManager, nil
-		}
-	}
-	return fileManager, nil
-}
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -1,269 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/windows/registry"
-
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	dnsPolicyConfigMatchPath            = "SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters\\DnsPolicyConfig\\NetBird-Match"
-	dnsPolicyConfigVersionKey           = "Version"
-	dnsPolicyConfigVersionValue         = 2
-	dnsPolicyConfigNameKey              = "Name"
-	dnsPolicyConfigGenericDNSServersKey = "GenericDNSServers"
-	dnsPolicyConfigConfigOptionsKey     = "ConfigOptions"
-	dnsPolicyConfigConfigOptionsValue   = 0x8
-)
-
-const (
-	interfaceConfigPath          = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces"
-	interfaceConfigNameServerKey = "NameServer"
-	interfaceConfigSearchListKey = "SearchList"
-	tcpipParametersPath          = "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
-)
-
-type registryConfigurator struct {
-	guid                  string
-	routingAll            bool
-	existingSearchDomains []string
-}
-
-func newHostManager(wgInterface *iface.WGIface) (hostManager, error) {
-	guid, err := wgInterface.GetInterfaceGUIDString()
-	if err != nil {
-		return nil, err
-	}
-	return &registryConfigurator{
-		guid: guid,
-	}, nil
-}
-
-func (s *registryConfigurator) supportCustomPort() bool {
-	return false
-}
-
-func (r *registryConfigurator) applyDNSConfig(config hostDNSConfig) error {
-	var err error
-	if config.routeAll {
-		err = r.addDNSSetupForAll(config.serverIP)
-		if err != nil {
-			return err
-		}
-	} else if r.routingAll {
-		err = r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey)
-		if err != nil {
-			return err
-		}
-		r.routingAll = false
-		log.Infof("removed %s as main DNS forwarder for this peer", config.serverIP)
-	}
-
-	var (
-		searchDomains []string
-		matchDomains  []string
-	)
-
-	for _, dConf := range config.domains {
-		if dConf.disabled {
-			continue
-		}
-		if !dConf.matchOnly {
-			searchDomains = append(searchDomains, dConf.domain)
-		}
-		matchDomains = append(matchDomains, "."+dConf.domain)
-	}
-
-	if len(matchDomains) != 0 {
-		err = r.addDNSMatchPolicy(matchDomains, config.serverIP)
-	} else {
-		err = removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath)
-	}
-	if err != nil {
-		return err
-	}
-
-	err = r.updateSearchDomains(searchDomains)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (r *registryConfigurator) addDNSSetupForAll(ip string) error {
-	err := r.setInterfaceRegistryKeyStringValue(interfaceConfigNameServerKey, ip)
-	if err != nil {
-		return fmt.Errorf("adding dns setup for all failed with error: %s", err)
-	}
-	r.routingAll = true
-	log.Infof("configured %s:53 as main DNS forwarder for this peer", ip)
-	return nil
-}
-
-func (r *registryConfigurator) addDNSMatchPolicy(domains []string, ip string) error {
-	_, err := registry.OpenKey(registry.LOCAL_MACHINE, dnsPolicyConfigMatchPath, registry.QUERY_VALUE)
-	if err == nil {
-		err = registry.DeleteKey(registry.LOCAL_MACHINE, dnsPolicyConfigMatchPath)
-		if err != nil {
-			return fmt.Errorf("unable to remove existing key from registry, key: HKEY_LOCAL_MACHINE\\%s, error: %s", dnsPolicyConfigMatchPath, err)
-		}
-	}
-
-	regKey, _, err := registry.CreateKey(registry.LOCAL_MACHINE, dnsPolicyConfigMatchPath, registry.SET_VALUE)
-	if err != nil {
-		return fmt.Errorf("unable to create registry key, key: HKEY_LOCAL_MACHINE\\%s, error: %s", dnsPolicyConfigMatchPath, err)
-	}
-
-	err = regKey.SetDWordValue(dnsPolicyConfigVersionKey, dnsPolicyConfigVersionValue)
-	if err != nil {
-		return fmt.Errorf("unable to set registry value for %s, error: %s", dnsPolicyConfigVersionKey, err)
-	}
-
-	err = regKey.SetStringsValue(dnsPolicyConfigNameKey, domains)
-	if err != nil {
-		return fmt.Errorf("unable to set registry value for %s, error: %s", dnsPolicyConfigNameKey, err)
-	}
-
-	err = regKey.SetStringValue(dnsPolicyConfigGenericDNSServersKey, ip)
-	if err != nil {
-		return fmt.Errorf("unable to set registry value for %s, error: %s", dnsPolicyConfigGenericDNSServersKey, err)
-	}
-
-	err = regKey.SetDWordValue(dnsPolicyConfigConfigOptionsKey, dnsPolicyConfigConfigOptionsValue)
-	if err != nil {
-		return fmt.Errorf("unable to set registry value for %s, error: %s", dnsPolicyConfigConfigOptionsKey, err)
-	}
-
-	log.Infof("added %d match domains to the state. Domain list: %s", len(domains), domains)
-
-	return nil
-}
-
-func (r *registryConfigurator) restoreHostDNS() error {
-	err := removeRegistryKeyFromDNSPolicyConfig(dnsPolicyConfigMatchPath)
-	if err != nil {
-		log.Error(err)
-	}
-
-	return r.updateSearchDomains([]string{})
-}
-
-func (r *registryConfigurator) updateSearchDomains(domains []string) error {
-	value, err := getLocalMachineRegistryKeyStringValue(tcpipParametersPath, interfaceConfigSearchListKey)
-	if err != nil {
-		return fmt.Errorf("unable to get current search domains failed with error: %s", err)
-	}
-
-	valueList := strings.Split(value, ",")
-	setExisting := false
-	if len(r.existingSearchDomains) == 0 {
-		r.existingSearchDomains = valueList
-		setExisting = true
-	}
-
-	if len(domains) == 0 && setExisting {
-		log.Infof("added %d search domains to the registry. Domain list: %s", len(domains), domains)
-		return nil
-	}
-
-	newList := append(r.existingSearchDomains, domains...)
-
-	err = setLocalMachineRegistryKeyStringValue(tcpipParametersPath, interfaceConfigSearchListKey, strings.Join(newList, ","))
-	if err != nil {
-		return fmt.Errorf("adding search domain failed with error: %s", err)
-	}
-
-	log.Infof("updated the search domains in the registry with %d domains. Domain list: %s", len(domains), domains)
-
-	return nil
-}
-
-func (r *registryConfigurator) setInterfaceRegistryKeyStringValue(key, value string) error {
-	regKey, err := r.getInterfaceRegistryKey()
-	if err != nil {
-		return err
-	}
-	defer regKey.Close()
-
-	err = regKey.SetStringValue(key, value)
-	if err != nil {
-		return fmt.Errorf("applying key %s with value \"%s\" for interface failed with error: %s", key, value, err)
-	}
-
-	return nil
-}
-
-func (r *registryConfigurator) deleteInterfaceRegistryKeyProperty(propertyKey string) error {
-	regKey, err := r.getInterfaceRegistryKey()
-	if err != nil {
-		return err
-	}
-	defer regKey.Close()
-
-	err = regKey.DeleteValue(propertyKey)
-	if err != nil {
-		return fmt.Errorf("deleting registry key %s for interface failed with error: %s", propertyKey, err)
-	}
-
-	return nil
-}
-
-func (r *registryConfigurator) getInterfaceRegistryKey() (registry.Key, error) {
-	var regKey registry.Key
-
-	regKeyPath := interfaceConfigPath + "\\" + r.guid
-
-	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, regKeyPath, registry.SET_VALUE)
-	if err != nil {
-		return regKey, fmt.Errorf("unable to open the interface registry key, key: HKEY_LOCAL_MACHINE\\%s, error: %s", regKeyPath, err)
-	}
-
-	return regKey, nil
-}
-
-func removeRegistryKeyFromDNSPolicyConfig(regKeyPath string) error {
-	k, err := registry.OpenKey(registry.LOCAL_MACHINE, regKeyPath, registry.QUERY_VALUE)
-	if err == nil {
-		k.Close()
-		err = registry.DeleteKey(registry.LOCAL_MACHINE, regKeyPath)
-		if err != nil {
-			return fmt.Errorf("unable to remove existing key from registry, key: HKEY_LOCAL_MACHINE\\%s, error: %s", regKeyPath, err)
-		}
-	}
-	return nil
-}
-
-func getLocalMachineRegistryKeyStringValue(keyPath, key string) (string, error) {
-	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, keyPath, registry.QUERY_VALUE)
-	if err != nil {
-		return "", fmt.Errorf("unable to open existing key from registry, key path: HKEY_LOCAL_MACHINE\\%s, error: %s", keyPath, err)
-	}
-	defer regKey.Close()
-
-	val, _, err := regKey.GetStringValue(key)
-	if err != nil {
-		return "", fmt.Errorf("getting %s value for key path HKEY_LOCAL_MACHINE\\%s failed with error: %s", key, keyPath, err)
-	}
-
-	return val, nil
-}
-
-func setLocalMachineRegistryKeyStringValue(keyPath, key, value string) error {
-	regKey, err := registry.OpenKey(registry.LOCAL_MACHINE, keyPath, registry.SET_VALUE)
-	if err != nil {
-		return fmt.Errorf("unable to open existing key from registry, key path: HKEY_LOCAL_MACHINE\\%s, error: %s", keyPath, err)
-	}
-	defer regKey.Close()
-
-	err = regKey.SetStringValue(key, value)
-	if err != nil {
-		return fmt.Errorf("setting %s value %s for key path HKEY_LOCAL_MACHINE\\%s failed with error: %s", key, value, keyPath, err)
-	}
-
-	return nil
-}
--- a/client/internal/dns/local.go
+++ b/client/internal/dns/local.go
@@ -1,73 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"sync"
-
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-type registrationMap map[string]struct{}
-
-type localResolver struct {
-	registeredMap registrationMap
-	records       sync.Map
-}
-
-func (d *localResolver) stop() {
-}
-
-// ServeDNS handles a DNS request
-func (d *localResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	log.Tracef("received question: %#v", r.Question[0])
-	replyMessage := &dns.Msg{}
-	replyMessage.SetReply(r)
-	replyMessage.RecursionAvailable = true
-	replyMessage.Rcode = dns.RcodeSuccess
-
-	response := d.lookupRecord(r)
-	if response != nil {
-		replyMessage.Answer = append(replyMessage.Answer, response)
-	}
-
-	err := w.WriteMsg(replyMessage)
-	if err != nil {
-		log.Debugf("got an error while writing the local resolver response, error: %v", err)
-	}
-}
-
-func (d *localResolver) lookupRecord(r *dns.Msg) dns.RR {
-	question := r.Question[0]
-	record, found := d.records.Load(buildRecordKey(question.Name, question.Qclass, question.Qtype))
-	if !found {
-		return nil
-	}
-
-	return record.(dns.RR)
-}
-
-func (d *localResolver) registerRecord(record nbdns.SimpleRecord) error {
-	fullRecord, err := dns.NewRR(record.String())
-	if err != nil {
-		return err
-	}
-
-	fullRecord.Header().Rdlength = record.Len()
-
-	header := fullRecord.Header()
-	d.records.Store(buildRecordKey(header.Name, header.Class, header.Rrtype), fullRecord)
-
-	return nil
-}
-
-func (d *localResolver) deleteRecord(recordKey string) {
-	d.records.Delete(dns.Fqdn(recordKey))
-}
-
-func buildRecordKey(name string, class, qType uint16) string {
-	key := fmt.Sprintf("%s_%d_%d", name, class, qType)
-	return key
-}
--- a/client/internal/dns/local_test.go
+++ b/client/internal/dns/local_test.go
@@ -1,86 +0,0 @@
-package dns
-
-import (
-	"github.com/miekg/dns"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"strings"
-	"testing"
-)
-
-func TestLocalResolver_ServeDNS(t *testing.T) {
-	recordA := nbdns.SimpleRecord{
-		Name:  "peera.netbird.cloud.",
-		Type:  1,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "1.2.3.4",
-	}
-
-	recordCNAME := nbdns.SimpleRecord{
-		Name:  "peerb.netbird.cloud.",
-		Type:  5,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "www.netbird.io",
-	}
-
-	testCases := []struct {
-		name                string
-		inputRecord         nbdns.SimpleRecord
-		inputMSG            *dns.Msg
-		responseShouldBeNil bool
-	}{
-		{
-			name:        "Should Resolve A Record",
-			inputRecord: recordA,
-			inputMSG:    new(dns.Msg).SetQuestion(recordA.Name, dns.TypeA),
-		},
-		{
-			name:        "Should Resolve CNAME Record",
-			inputRecord: recordCNAME,
-			inputMSG:    new(dns.Msg).SetQuestion(recordCNAME.Name, dns.TypeCNAME),
-		},
-		{
-			name:                "Should Not Write When Not Found A Record",
-			inputRecord:         recordA,
-			inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
-			responseShouldBeNil: true,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			resolver := &localResolver{
-				registeredMap: make(registrationMap),
-			}
-			_ = resolver.registerRecord(testCase.inputRecord)
-			var responseMSG *dns.Msg
-			responseWriter := &mockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, testCase.inputMSG)
-
-			if responseMSG == nil || len(responseMSG.Answer) == 0 {
-				if testCase.responseShouldBeNil {
-					return
-				}
-				t.Fatalf("should write a response message")
-			}
-
-			answerString := responseMSG.Answer[0].String()
-			if !strings.Contains(answerString, testCase.inputRecord.Name) {
-				t.Fatalf("answer doesn't contain the same domain name: \nWant: %s\nGot:%s", testCase.name, answerString)
-			}
-			if !strings.Contains(answerString, dns.Type(testCase.inputRecord.Type).String()) {
-				t.Fatalf("answer doesn't contain the correct type: \nWant: %s\nGot:%s", dns.Type(testCase.inputRecord.Type).String(), answerString)
-			}
-			if !strings.Contains(answerString, testCase.inputRecord.RData) {
-				t.Fatalf("answer doesn't contain the same address: \nWant: %s\nGot:%s", testCase.inputRecord.RData, answerString)
-			}
-		})
-	}
-}
--- a/client/internal/dns/mockServer.go
+++ b/client/internal/dns/mockServer.go
@@ -1,39 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	nbdns "github.com/netbirdio/netbird/dns"
-)
-
-// MockServer is the mock instance of a dns server
-type MockServer struct {
-	StartFunc           func()
-	StopFunc            func()
-	UpdateDNSServerFunc func(serial uint64, update nbdns.Config) error
-}
-
-// Start mock implementation of Start from Server interface
-func (m *MockServer) Start() {
-	if m.StartFunc != nil {
-		m.StartFunc()
-	}
-}
-
-// Stop mock implementation of Stop from Server interface
-func (m *MockServer) Stop() {
-	if m.StopFunc != nil {
-		m.StopFunc()
-	}
-}
-
-func (m *MockServer) DnsIP() string {
-	return ""
-}
-
-// UpdateDNSServer mock implementation of UpdateDNSServer from Server interface
-func (m *MockServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
-	if m.UpdateDNSServerFunc != nil {
-		return m.UpdateDNSServerFunc(serial, update)
-	}
-	return fmt.Errorf("method UpdateDNSServer is not implemented")
-}
--- a/client/internal/dns/mock_test.go
+++ b/client/internal/dns/mock_test.go
@@ -1,26 +0,0 @@
-package dns
-
-import (
-	"net"
-
-	"github.com/miekg/dns"
-)
-
-type mockResponseWriter struct {
-	WriteMsgFunc func(m *dns.Msg) error
-}
-
-func (rw *mockResponseWriter) WriteMsg(m *dns.Msg) error {
-	if rw.WriteMsgFunc != nil {
-		return rw.WriteMsgFunc(m)
-	}
-	return nil
-}
-
-func (rw *mockResponseWriter) LocalAddr() net.Addr       { return nil }
-func (rw *mockResponseWriter) RemoteAddr() net.Addr      { return nil }
-func (rw *mockResponseWriter) Write([]byte) (int, error) { return 0, nil }
-func (rw *mockResponseWriter) Close() error              { return nil }
-func (rw *mockResponseWriter) TsigStatus() error         { return nil }
-func (rw *mockResponseWriter) TsigTimersOnly(bool)       {}
-func (rw *mockResponseWriter) Hijack()                   {}
--- a/client/internal/dns/network_manager_linux.go
+++ b/client/internal/dns/network_manager_linux.go
@@ -1,309 +0,0 @@
-//go:build !android
-
-package dns
-
-import (
-	"context"
-	"encoding/binary"
-	"fmt"
-	"net/netip"
-	"regexp"
-	"time"
-
-	"github.com/godbus/dbus/v5"
-	"github.com/hashicorp/go-version"
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	networkManagerDest                                                              = "org.freedesktop.NetworkManager"
-	networkManagerDbusObjectNode                                                    = "/org/freedesktop/NetworkManager"
-	networkManagerDbusDNSManagerInterface                                           = "org.freedesktop.NetworkManager.DnsManager"
-	networkManagerDbusDNSManagerObjectNode                                          = networkManagerDbusObjectNode + "/DnsManager"
-	networkManagerDbusDNSManagerModeProperty                                        = networkManagerDbusDNSManagerInterface + ".Mode"
-	networkManagerDbusDNSManagerRcManagerProperty                                   = networkManagerDbusDNSManagerInterface + ".RcManager"
-	networkManagerDbusVersionProperty                                               = "org.freedesktop.NetworkManager.Version"
-	networkManagerDbusGetDeviceByIPIfaceMethod                                      = networkManagerDest + ".GetDeviceByIpIface"
-	networkManagerDbusDeviceInterface                                               = "org.freedesktop.NetworkManager.Device"
-	networkManagerDbusDeviceGetAppliedConnectionMethod                              = networkManagerDbusDeviceInterface + ".GetAppliedConnection"
-	networkManagerDbusDeviceReapplyMethod                                           = networkManagerDbusDeviceInterface + ".Reapply"
-	networkManagerDbusDeviceDeleteMethod                                            = networkManagerDbusDeviceInterface + ".Delete"
-	networkManagerDbusDefaultBehaviorFlag              networkManagerConfigBehavior = 0
-	networkManagerDbusIPv4Key                                                       = "ipv4"
-	networkManagerDbusIPv6Key                                                       = "ipv6"
-	networkManagerDbusDNSKey                                                        = "dns"
-	networkManagerDbusDNSSearchKey                                                  = "dns-search"
-	networkManagerDbusDNSPriorityKey                                                = "dns-priority"
-
-	// dns priority doc https://wiki.gnome.org/Projects/NetworkManager/DNS
-	networkManagerDbusPrimaryDNSPriority       int32 = -500
-	networkManagerDbusWithMatchDomainPriority  int32 = 0
-	networkManagerDbusSearchDomainOnlyPriority int32 = 50
-	supportedNetworkManagerVersionConstraint         = ">= 1.16, < 1.28"
-)
-
-type networkManagerDbusConfigurator struct {
-	dbusLinkObject dbus.ObjectPath
-	routingAll     bool
-}
-
-// the types below are based on dbus specification, each field is mapped to a dbus type
-// see https://dbus.freedesktop.org/doc/dbus-specification.html#basic-types for more details on dbus types
-// see https://networkmanager.dev/docs/api/latest/gdbus-org.freedesktop.NetworkManager.Device.html on Network Manager input types
-
-// networkManagerConnSettings maps to a (a{sa{sv}}) dbus output from GetAppliedConnection and input for Reapply methods
-type networkManagerConnSettings map[string]map[string]dbus.Variant
-
-// networkManagerConfigVersion maps to a (t) dbus output from GetAppliedConnection and input for Reapply methods
-type networkManagerConfigVersion uint64
-
-// networkManagerConfigBehavior maps to a (u) dbus input for GetAppliedConnection and Reapply methods
-type networkManagerConfigBehavior uint32
-
-// cleanDeprecatedSettings cleans deprecated settings that still returned by
-// the GetAppliedConnection methods but can't be reApplied
-func (s networkManagerConnSettings) cleanDeprecatedSettings() {
-	for _, key := range []string{"addresses", "routes"} {
-		delete(s[networkManagerDbusIPv4Key], key)
-		delete(s[networkManagerDbusIPv6Key], key)
-	}
-}
-
-func newNetworkManagerDbusConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
-	obj, closeConn, err := getDbusObject(networkManagerDest, networkManagerDbusObjectNode)
-	if err != nil {
-		return nil, err
-	}
-	defer closeConn()
-	var s string
-	err = obj.Call(networkManagerDbusGetDeviceByIPIfaceMethod, dbusDefaultFlag, wgInterface.Name()).Store(&s)
-	if err != nil {
-		return nil, err
-	}
-
-	log.Debugf("got network manager dbus Link Object: %s from net interface %s", s, wgInterface.Name())
-
-	return &networkManagerDbusConfigurator{
-		dbusLinkObject: dbus.ObjectPath(s),
-	}, nil
-}
-
-func (n *networkManagerDbusConfigurator) supportCustomPort() bool {
-	return false
-}
-
-func (n *networkManagerDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
-	connSettings, configVersion, err := n.getAppliedConnectionSettings()
-	if err != nil {
-		return fmt.Errorf("got an error while retrieving the applied connection settings, error: %s", err)
-	}
-
-	connSettings.cleanDeprecatedSettings()
-
-	dnsIP, err := netip.ParseAddr(config.serverIP)
-	if err != nil {
-		return fmt.Errorf("unable to parse ip address, error: %s", err)
-	}
-	convDNSIP := binary.LittleEndian.Uint32(dnsIP.AsSlice())
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSKey] = dbus.MakeVariant([]uint32{convDNSIP})
-	var (
-		searchDomains []string
-		matchDomains  []string
-	)
-	for _, dConf := range config.domains {
-		if dConf.disabled {
-			continue
-		}
-		if dConf.matchOnly {
-			matchDomains = append(matchDomains, "~."+dns.Fqdn(dConf.domain))
-			continue
-		}
-		searchDomains = append(searchDomains, dns.Fqdn(dConf.domain))
-	}
-
-	newDomainList := append(searchDomains, matchDomains...)
-
-	priority := networkManagerDbusSearchDomainOnlyPriority
-	switch {
-	case config.routeAll:
-		priority = networkManagerDbusPrimaryDNSPriority
-		newDomainList = append(newDomainList, "~.")
-		if !n.routingAll {
-			log.Infof("configured %s:%d as main DNS forwarder for this peer", config.serverIP, config.serverPort)
-		}
-	case len(matchDomains) > 0:
-		priority = networkManagerDbusWithMatchDomainPriority
-	}
-
-	if priority != networkManagerDbusPrimaryDNSPriority && n.routingAll {
-		log.Infof("removing %s:%d as main DNS forwarder for this peer", config.serverIP, config.serverPort)
-		n.routingAll = false
-	}
-
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSPriorityKey] = dbus.MakeVariant(priority)
-	connSettings[networkManagerDbusIPv4Key][networkManagerDbusDNSSearchKey] = dbus.MakeVariant(newDomainList)
-
-	log.Infof("adding %d search domains and %d match domains. Search list: %s , Match list: %s", len(searchDomains), len(matchDomains), searchDomains, matchDomains)
-	err = n.reApplyConnectionSettings(connSettings, configVersion)
-	if err != nil {
-		return fmt.Errorf("got an error while reapplying the connection with new settings, error: %s", err)
-	}
-	return nil
-}
-
-func (n *networkManagerDbusConfigurator) restoreHostDNS() error {
-	// once the interface is gone network manager cleans all config associated with it
-	return n.deleteConnectionSettings()
-}
-
-func (n *networkManagerDbusConfigurator) getAppliedConnectionSettings() (networkManagerConnSettings, networkManagerConfigVersion, error) {
-	obj, closeConn, err := getDbusObject(networkManagerDest, n.dbusLinkObject)
-	if err != nil {
-		return nil, 0, fmt.Errorf("got error while attempting to retrieve the applied connection settings, err: %s", err)
-	}
-	defer closeConn()
-
-	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
-	defer cancel()
-
-	var (
-		connSettings  networkManagerConnSettings
-		configVersion networkManagerConfigVersion
-	)
-
-	err = obj.CallWithContext(ctx, networkManagerDbusDeviceGetAppliedConnectionMethod, dbusDefaultFlag,
-		networkManagerDbusDefaultBehaviorFlag).Store(&connSettings, &configVersion)
-	if err != nil {
-		return nil, 0, fmt.Errorf("got error while calling GetAppliedConnection method with context, err: %s", err)
-	}
-
-	return connSettings, configVersion, nil
-}
-
-func (n *networkManagerDbusConfigurator) reApplyConnectionSettings(connSettings networkManagerConnSettings, configVersion networkManagerConfigVersion) error {
-	obj, closeConn, err := getDbusObject(networkManagerDest, n.dbusLinkObject)
-	if err != nil {
-		return fmt.Errorf("got error while attempting to retrieve the applied connection settings, err: %s", err)
-	}
-	defer closeConn()
-
-	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
-	defer cancel()
-
-	err = obj.CallWithContext(ctx, networkManagerDbusDeviceReapplyMethod, dbusDefaultFlag,
-		connSettings, configVersion, networkManagerDbusDefaultBehaviorFlag).Store()
-	if err != nil {
-		return fmt.Errorf("got error while calling ReApply method with context, err: %s", err)
-	}
-
-	return nil
-}
-
-func (n *networkManagerDbusConfigurator) deleteConnectionSettings() error {
-	obj, closeConn, err := getDbusObject(networkManagerDest, n.dbusLinkObject)
-	if err != nil {
-		return fmt.Errorf("got error while attempting to retrieve the applied connection settings, err: %s", err)
-	}
-	defer closeConn()
-
-	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
-	defer cancel()
-
-	err = obj.CallWithContext(ctx, networkManagerDbusDeviceDeleteMethod, dbusDefaultFlag).Store()
-	if err != nil {
-		return fmt.Errorf("got error while calling delete method with context, err: %s", err)
-	}
-
-	return nil
-}
-
-func isNetworkManagerSupported() bool {
-	return isNetworkManagerSupportedVersion() && isNetworkManagerSupportedMode()
-}
-
-func isNetworkManagerSupportedMode() bool {
-	var mode string
-	err := getNetworkManagerDNSProperty(networkManagerDbusDNSManagerModeProperty, &mode)
-	if err != nil {
-		log.Error(err)
-		return false
-	}
-	switch mode {
-	case "dnsmasq", "unbound", "systemd-resolved":
-		return true
-	default:
-		var rcManager string
-		err = getNetworkManagerDNSProperty(networkManagerDbusDNSManagerRcManagerProperty, &rcManager)
-		if err != nil {
-			log.Error(err)
-			return false
-		}
-		if rcManager == "unmanaged" {
-			return false
-		}
-	}
-	return true
-}
-
-func getNetworkManagerDNSProperty(property string, store any) error {
-	obj, closeConn, err := getDbusObject(networkManagerDest, networkManagerDbusDNSManagerObjectNode)
-	if err != nil {
-		return fmt.Errorf("got error while attempting to retrieve the network manager dns manager object, error: %s", err)
-	}
-	defer closeConn()
-
-	v, e := obj.GetProperty(property)
-	if e != nil {
-		return fmt.Errorf("got an error getting property %s: %v", property, e)
-	}
-
-	return v.Store(store)
-}
-
-func isNetworkManagerSupportedVersion() bool {
-	obj, closeConn, err := getDbusObject(networkManagerDest, networkManagerDbusObjectNode)
-	if err != nil {
-		log.Errorf("got error while attempting to get the network manager object, err: %s", err)
-		return false
-	}
-
-	defer closeConn()
-
-	value, err := obj.GetProperty(networkManagerDbusVersionProperty)
-	if err != nil {
-		log.Errorf("unable to retrieve network manager mode, got error: %s", err)
-		return false
-	}
-	versionValue, err := parseVersion(value.Value().(string))
-	if err != nil {
-		return false
-	}
-
-	constraints, err := version.NewConstraint(supportedNetworkManagerVersionConstraint)
-	if err != nil {
-		return false
-	}
-
-	return constraints.Check(versionValue)
-}
-
-func parseVersion(inputVersion string) (*version.Version, error) {
-	reg, err := regexp.Compile(version.SemverRegexpRaw)
-	if err != nil {
-		return nil, err
-	}
-
-	if inputVersion == "" || !reg.MatchString(inputVersion) {
-		return nil, fmt.Errorf("couldn't parse the provided version: Not SemVer")
-	}
-
-	verObj, err := version.NewVersion(inputVersion)
-	if err != nil {
-		return nil, err
-	}
-
-	return verObj, nil
-}
--- a/client/internal/dns/resolvconf_linux.go
+++ b/client/internal/dns/resolvconf_linux.go
@@ -1,92 +0,0 @@
-//go:build !android
-
-package dns
-
-import (
-	"fmt"
-	"os/exec"
-	"strings"
-
-	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/iface"
-)
-
-const resolvconfCommand = "resolvconf"
-
-type resolvconf struct {
-	ifaceName string
-}
-
-func newResolvConfConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
-	return &resolvconf{
-		ifaceName: wgInterface.Name(),
-	}, nil
-}
-
-func (r *resolvconf) supportCustomPort() bool {
-	return false
-}
-
-func (r *resolvconf) applyDNSConfig(config hostDNSConfig) error {
-	var err error
-	if !config.routeAll {
-		err = r.restoreHostDNS()
-		if err != nil {
-			log.Error(err)
-		}
-		return fmt.Errorf("unable to configure DNS for this peer using resolvconf manager without a nameserver group with all domains configured")
-	}
-
-	var searchDomains string
-	appendedDomains := 0
-	for _, dConf := range config.domains {
-		if dConf.matchOnly || dConf.disabled {
-			continue
-		}
-
-		if appendedDomains >= fileMaxNumberOfSearchDomains {
-			// lets log all skipped domains
-			log.Infof("already appended %d domains to search list. Skipping append of %s domain", fileMaxNumberOfSearchDomains, dConf.domain)
-			continue
-		}
-
-		if fileSearchLineBeginCharCount+len(searchDomains) > fileMaxLineCharsLimit {
-			// lets log all skipped domains
-			log.Infof("search list line is larger than %d characters. Skipping append of %s domain", fileMaxLineCharsLimit, dConf.domain)
-			continue
-		}
-
-		searchDomains += " " + dConf.domain
-		appendedDomains++
-	}
-
-	content := fmt.Sprintf(fileGeneratedResolvConfContentFormat, fileDefaultResolvConfBackupLocation, config.serverIP, searchDomains)
-
-	err = r.applyConfig(content)
-	if err != nil {
-		return err
-	}
-
-	log.Infof("added %d search domains. Search list: %s", appendedDomains, searchDomains)
-	return nil
-}
-
-func (r *resolvconf) restoreHostDNS() error {
-	cmd := exec.Command(resolvconfCommand, "-f", "-d", r.ifaceName)
-	_, err := cmd.Output()
-	if err != nil {
-		return fmt.Errorf("got an error while removing resolvconf configuration for %s interface, error: %s", r.ifaceName, err)
-	}
-	return nil
-}
-
-func (r *resolvconf) applyConfig(content string) error {
-	cmd := exec.Command(resolvconfCommand, "-x", "-a", r.ifaceName)
-	cmd.Stdin = strings.NewReader(content)
-	_, err := cmd.Output()
-	if err != nil {
-		return fmt.Errorf("got an error while appying resolvconf configuration for %s interface, error: %s", r.ifaceName, err)
-	}
-	return nil
-}
--- a/client/internal/dns/response_writer.go
+++ b/client/internal/dns/response_writer.go
@@ -1,103 +0,0 @@
-package dns
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/miekg/dns"
-	"golang.zx2c4.com/wireguard/tun"
-)
-
-type responseWriter struct {
-	local  net.Addr
-	remote net.Addr
-	packet gopacket.Packet
-	device tun.Device
-}
-
-// LocalAddr returns the net.Addr of the server
-func (r *responseWriter) LocalAddr() net.Addr {
-	return r.local
-}
-
-// RemoteAddr returns the net.Addr of the client that sent the current request.
-func (r *responseWriter) RemoteAddr() net.Addr {
-	return r.remote
-}
-
-// WriteMsg writes a reply back to the client.
-func (r *responseWriter) WriteMsg(msg *dns.Msg) error {
-	buff, err := msg.Pack()
-	if err != nil {
-		return err
-	}
-	_, err = r.Write(buff)
-	return err
-}
-
-// Write writes a raw buffer back to the client.
-func (r *responseWriter) Write(data []byte) (int, error) {
-	var ip gopacket.SerializableLayer
-
-	// Get the UDP layer
-	udpLayer := r.packet.Layer(layers.LayerTypeUDP)
-	udp := udpLayer.(*layers.UDP)
-
-	// Swap the source and destination addresses for the response
-	udp.SrcPort, udp.DstPort = udp.DstPort, udp.SrcPort
-
-	// Check if it's an IPv4 packet
-	if ipv4Layer := r.packet.Layer(layers.LayerTypeIPv4); ipv4Layer != nil {
-		ipv4 := ipv4Layer.(*layers.IPv4)
-		ipv4.SrcIP, ipv4.DstIP = ipv4.DstIP, ipv4.SrcIP
-		ip = ipv4
-	} else if ipv6Layer := r.packet.Layer(layers.LayerTypeIPv6); ipv6Layer != nil {
-		ipv6 := ipv6Layer.(*layers.IPv6)
-		ipv6.SrcIP, ipv6.DstIP = ipv6.DstIP, ipv6.SrcIP
-		ip = ipv6
-	}
-
-	if err := udp.SetNetworkLayerForChecksum(ip.(gopacket.NetworkLayer)); err != nil {
-		return 0, fmt.Errorf("failed to set network layer for checksum: %v", err)
-	}
-
-	// Serialize the packet
-	buffer := gopacket.NewSerializeBuffer()
-	options := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	payload := gopacket.Payload(data)
-	err := gopacket.SerializeLayers(buffer, options, ip, udp, payload)
-	if err != nil {
-		return 0, fmt.Errorf("failed to serialize packet: %v", err)
-	}
-
-	send := buffer.Bytes()
-	sendBuffer := make([]byte, 40, len(send)+40)
-	sendBuffer = append(sendBuffer, send...)
-
-	return r.device.Write([][]byte{sendBuffer}, 40)
-}
-
-// Close closes the connection.
-func (r *responseWriter) Close() error {
-	return nil
-}
-
-// TsigStatus returns the status of the Tsig.
-func (r *responseWriter) TsigStatus() error {
-	return nil
-}
-
-// TsigTimersOnly sets the tsig timers only boolean.
-func (r *responseWriter) TsigTimersOnly(bool) {
-}
-
-// Hijack lets the caller take over the connection.
-// After a call to Hijack(), the DNS package will not do anything with the connection.
-func (r *responseWriter) Hijack() {
-}
--- a/client/internal/dns/response_writer_test.go
+++ b/client/internal/dns/response_writer_test.go
@@ -1,93 +0,0 @@
-package dns
-
-import (
-	"net"
-	"testing"
-
-	"github.com/golang/mock/gomock"
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/miekg/dns"
-
-	"github.com/netbirdio/netbird/iface/mocks"
-)
-
-func TestResponseWriterLocalAddr(t *testing.T) {
-	ctrl := gomock.NewController(t)
-	defer ctrl.Finish()
-
-	device := mocks.NewMockDevice(ctrl)
-	device.EXPECT().Write(gomock.Any(), gomock.Any())
-
-	request := &dns.Msg{
-		Question: []dns.Question{{
-			Name:   "google.com.",
-			Qtype:  dns.TypeA,
-			Qclass: dns.TypeA,
-		}},
-	}
-
-	replyMessage := &dns.Msg{}
-	replyMessage.SetReply(request)
-	replyMessage.RecursionAvailable = true
-	replyMessage.Rcode = dns.RcodeSuccess
-	replyMessage.Answer = []dns.RR{
-		&dns.A{
-			A: net.IPv4(8, 8, 8, 8),
-		},
-	}
-
-	ipv4 := &layers.IPv4{
-		Protocol: layers.IPProtocolUDP,
-		SrcIP:    net.IPv4(127, 0, 0, 1),
-		DstIP:    net.IPv4(127, 0, 0, 2),
-	}
-	udp := &layers.UDP{
-		DstPort: 53,
-		SrcPort: 45223,
-	}
-	if err := udp.SetNetworkLayerForChecksum(ipv4); err != nil {
-		t.Error("failed to set network layer for checksum")
-		return
-	}
-
-	// Serialize the packet
-	buffer := gopacket.NewSerializeBuffer()
-	options := gopacket.SerializeOptions{
-		ComputeChecksums: true,
-		FixLengths:       true,
-	}
-
-	requestData, err := request.Pack()
-	if err != nil {
-		t.Errorf("got an error while packing the request message, error: %v", err)
-		return
-	}
-	payload := gopacket.Payload(requestData)
-
-	if err := gopacket.SerializeLayers(buffer, options, ipv4, udp, payload); err != nil {
-		t.Errorf("failed to serialize packet: %v", err)
-		return
-	}
-
-	rw := &responseWriter{
-		local: &net.UDPAddr{
-			IP:   net.IPv4(127, 0, 0, 1),
-			Port: 55223,
-		},
-		remote: &net.UDPAddr{
-			IP:   net.IPv4(127, 0, 0, 1),
-			Port: 53,
-		},
-		packet: gopacket.NewPacket(
-			buffer.Bytes(),
-			layers.LayerTypeIPv4,
-			gopacket.Default,
-		),
-		device: device,
-	}
-	if err := rw.WriteMsg(replyMessage); err != nil {
-		t.Errorf("got an error while writing the local resolver response, error: %v", err)
-		return
-	}
-}
--- a/client/internal/dns/server.go
+++ b/client/internal/dns/server.go
@@ -1,597 +0,0 @@
-package dns
-
-import (
-	"context"
-	"fmt"
-	"math/big"
-	"net"
-	"net/netip"
-	"runtime"
-	"sync"
-	"time"
-
-	"github.com/google/gopacket"
-	"github.com/google/gopacket/layers"
-	"github.com/miekg/dns"
-	"github.com/mitchellh/hashstructure/v2"
-	log "github.com/sirupsen/logrus"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	defaultPort = 53
-	customPort  = 5053
-	defaultIP   = "127.0.0.1"
-	customIP    = "127.0.0.153"
-)
-
-// Server is a dns server interface
-type Server interface {
-	Start()
-	Stop()
-	DnsIP() string
-	UpdateDNSServer(serial uint64, update nbdns.Config) error
-}
-
-type registeredHandlerMap map[string]handlerWithStop
-
-// DefaultServer dns server object
-type DefaultServer struct {
-	ctx                context.Context
-	ctxCancel          context.CancelFunc
-	mux                sync.Mutex
-	fakeResolverWG     sync.WaitGroup
-	server             *dns.Server
-	dnsMux             *dns.ServeMux
-	dnsMuxMap          registeredHandlerMap
-	localResolver      *localResolver
-	wgInterface        *iface.WGIface
-	hostManager        hostManager
-	updateSerial       uint64
-	listenerIsRunning  bool
-	runtimePort        int
-	runtimeIP          string
-	previousConfigHash uint64
-	currentConfig      hostDNSConfig
-	customAddress      *netip.AddrPort
-	enabled            bool
-}
-
-type handlerWithStop interface {
-	dns.Handler
-	stop()
-}
-
-type muxUpdate struct {
-	domain  string
-	handler handlerWithStop
-}
-
-// NewDefaultServer returns a new dns server
-func NewDefaultServer(ctx context.Context, wgInterface *iface.WGIface, customAddress string, initialDnsCfg *nbdns.Config) (*DefaultServer, error) {
-	mux := dns.NewServeMux()
-
-	var addrPort *netip.AddrPort
-	if customAddress != "" {
-		parsedAddrPort, err := netip.ParseAddrPort(customAddress)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse the custom dns address, got error: %s", err)
-		}
-		addrPort = &parsedAddrPort
-	}
-
-	hostManager, err := newHostManager(wgInterface)
-	if err != nil {
-		return nil, err
-	}
-
-	ctx, stop := context.WithCancel(ctx)
-
-	defaultServer := &DefaultServer{
-		ctx:       ctx,
-		ctxCancel: stop,
-		server: &dns.Server{
-			Net:     "udp",
-			Handler: mux,
-			UDPSize: 65535,
-		},
-		dnsMux:    mux,
-		dnsMuxMap: make(registeredHandlerMap),
-		localResolver: &localResolver{
-			registeredMap: make(registrationMap),
-		},
-		wgInterface:   wgInterface,
-		customAddress: addrPort,
-		hostManager:   hostManager,
-	}
-
-	if initialDnsCfg != nil {
-		defaultServer.enabled = hasValidDnsServer(initialDnsCfg)
-	}
-
-	defaultServer.evalRuntimeAddress()
-	return defaultServer, nil
-}
-
-// Start runs the listener in a go routine
-func (s *DefaultServer) Start() {
-	// nil check required in unit tests
-	if s.wgInterface != nil && s.wgInterface.IsUserspaceBind() {
-		s.fakeResolverWG.Add(1)
-		go func() {
-			s.setListenerStatus(true)
-			defer s.setListenerStatus(false)
-
-			hookID := s.filterDNSTraffic()
-			s.fakeResolverWG.Wait()
-			if err := s.wgInterface.GetFilter().RemovePacketHook(hookID); err != nil {
-				log.Errorf("unable to remove DNS packet hook: %s", err)
-			}
-		}()
-		return
-	}
-
-	log.Debugf("starting dns on %s", s.server.Addr)
-
-	go func() {
-		s.setListenerStatus(true)
-		defer s.setListenerStatus(false)
-
-		err := s.server.ListenAndServe()
-		if err != nil {
-			log.Errorf("dns server running with %d port returned an error: %v. Will not retry", s.runtimePort, err)
-		}
-	}()
-}
-
-func (s *DefaultServer) DnsIP() string {
-	if !s.enabled {
-		return ""
-	}
-	return s.runtimeIP
-}
-
-func (s *DefaultServer) getFirstListenerAvailable() (string, int, error) {
-	ips := []string{defaultIP, customIP}
-	if runtime.GOOS != "darwin" && s.wgInterface != nil {
-		ips = append([]string{s.wgInterface.Address().IP.String()}, ips...)
-	}
-	ports := []int{defaultPort, customPort}
-	for _, port := range ports {
-		for _, ip := range ips {
-			addrString := fmt.Sprintf("%s:%d", ip, port)
-			udpAddr := net.UDPAddrFromAddrPort(netip.MustParseAddrPort(addrString))
-			probeListener, err := net.ListenUDP("udp", udpAddr)
-			if err == nil {
-				err = probeListener.Close()
-				if err != nil {
-					log.Errorf("got an error closing the probe listener, error: %s", err)
-				}
-				return ip, port, nil
-			}
-			log.Warnf("binding dns on %s is not available, error: %s", addrString, err)
-		}
-	}
-	return "", 0, fmt.Errorf("unable to find an unused ip and port combination. IPs tested: %v and ports %v", ips, ports)
-}
-
-func (s *DefaultServer) setListenerStatus(running bool) {
-	s.listenerIsRunning = running
-}
-
-// Stop stops the server
-func (s *DefaultServer) Stop() {
-	s.mux.Lock()
-	defer s.mux.Unlock()
-	s.ctxCancel()
-
-	err := s.hostManager.restoreHostDNS()
-	if err != nil {
-		log.Error(err)
-	}
-
-	if s.wgInterface != nil && s.wgInterface.IsUserspaceBind() && s.listenerIsRunning {
-		s.fakeResolverWG.Done()
-	}
-
-	err = s.stopListener()
-	if err != nil {
-		log.Error(err)
-	}
-}
-
-func (s *DefaultServer) stopListener() error {
-	if !s.listenerIsRunning {
-		return nil
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	err := s.server.ShutdownContext(ctx)
-	if err != nil {
-		return fmt.Errorf("stopping dns server listener returned an error: %v", err)
-	}
-	return nil
-}
-
-// UpdateDNSServer processes an update received from the management service
-func (s *DefaultServer) UpdateDNSServer(serial uint64, update nbdns.Config) error {
-	select {
-	case <-s.ctx.Done():
-		log.Infof("not updating DNS server as context is closed")
-		return s.ctx.Err()
-	default:
-		if serial < s.updateSerial {
-			return fmt.Errorf("not applying dns update, error: "+
-				"network update is %d behind the last applied update", s.updateSerial-serial)
-		}
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		hash, err := hashstructure.Hash(update, hashstructure.FormatV2, &hashstructure.HashOptions{
-			ZeroNil:         true,
-			IgnoreZeroValue: true,
-			SlicesAsSets:    true,
-			UseStringer:     true,
-		})
-		if err != nil {
-			log.Errorf("unable to hash the dns configuration update, got error: %s", err)
-		}
-
-		if s.previousConfigHash == hash {
-			log.Debugf("not applying the dns configuration update as there is nothing new")
-			s.updateSerial = serial
-			return nil
-		}
-
-		if err := s.applyConfiguration(update); err != nil {
-			return err
-		}
-
-		s.updateSerial = serial
-		s.previousConfigHash = hash
-
-		return nil
-	}
-}
-
-func (s *DefaultServer) applyConfiguration(update nbdns.Config) error {
-	// is the service should be disabled, we stop the listener or fake resolver
-	// and proceed with a regular update to clean up the handlers and records
-	if !update.ServiceEnable {
-		if s.wgInterface != nil && s.wgInterface.IsUserspaceBind() {
-			s.fakeResolverWG.Done()
-		} else {
-			if err := s.stopListener(); err != nil {
-				log.Error(err)
-			}
-		}
-	} else if !s.listenerIsRunning {
-		s.Start()
-	}
-
-	localMuxUpdates, localRecords, err := s.buildLocalHandlerUpdate(update.CustomZones)
-	if err != nil {
-		return fmt.Errorf("not applying dns update, error: %v", err)
-	}
-	upstreamMuxUpdates, err := s.buildUpstreamHandlerUpdate(update.NameServerGroups)
-	if err != nil {
-		return fmt.Errorf("not applying dns update, error: %v", err)
-	}
-
-	muxUpdates := append(localMuxUpdates, upstreamMuxUpdates...)
-
-	s.updateMux(muxUpdates)
-	s.updateLocalResolver(localRecords)
-	s.currentConfig = dnsConfigToHostDNSConfig(update, s.runtimeIP, s.runtimePort)
-
-	hostUpdate := s.currentConfig
-	if s.runtimePort != defaultPort && !s.hostManager.supportCustomPort() {
-		log.Warnf("the DNS manager of this peer doesn't support custom port. Disabling primary DNS setup. " +
-			"Learn more at: https://netbird.io/docs/how-to-guides/nameservers#local-resolver")
-		hostUpdate.routeAll = false
-	}
-
-	if err = s.hostManager.applyDNSConfig(hostUpdate); err != nil {
-		log.Error(err)
-	}
-
-	return nil
-}
-
-func (s *DefaultServer) buildLocalHandlerUpdate(customZones []nbdns.CustomZone) ([]muxUpdate, map[string]nbdns.SimpleRecord, error) {
-	var muxUpdates []muxUpdate
-	localRecords := make(map[string]nbdns.SimpleRecord, 0)
-
-	for _, customZone := range customZones {
-
-		if len(customZone.Records) == 0 {
-			return nil, nil, fmt.Errorf("received an empty list of records")
-		}
-
-		muxUpdates = append(muxUpdates, muxUpdate{
-			domain:  customZone.Domain,
-			handler: s.localResolver,
-		})
-
-		for _, record := range customZone.Records {
-			var class uint16 = dns.ClassINET
-			if record.Class != nbdns.DefaultClass {
-				return nil, nil, fmt.Errorf("received an invalid class type: %s", record.Class)
-			}
-			key := buildRecordKey(record.Name, class, uint16(record.Type))
-			localRecords[key] = record
-		}
-	}
-	return muxUpdates, localRecords, nil
-}
-
-func (s *DefaultServer) buildUpstreamHandlerUpdate(nameServerGroups []*nbdns.NameServerGroup) ([]muxUpdate, error) {
-
-	var muxUpdates []muxUpdate
-	for _, nsGroup := range nameServerGroups {
-		if len(nsGroup.NameServers) == 0 {
-			log.Warn("received a nameserver group with empty nameserver list")
-			continue
-		}
-
-		handler := newUpstreamResolver(s.ctx)
-		for _, ns := range nsGroup.NameServers {
-			if ns.NSType != nbdns.UDPNameServerType {
-				log.Warnf("skiping nameserver %s with type %s, this peer supports only %s",
-					ns.IP.String(), ns.NSType.String(), nbdns.UDPNameServerType.String())
-				continue
-			}
-			handler.upstreamServers = append(handler.upstreamServers, getNSHostPort(ns))
-		}
-
-		if len(handler.upstreamServers) == 0 {
-			handler.stop()
-			log.Errorf("received a nameserver group with an invalid nameserver list")
-			continue
-		}
-
-		// when upstream fails to resolve domain several times over all it servers
-		// it will calls this hook to exclude self from the configuration and
-		// reapply DNS settings, but it not touch the original configuration and serial number
-		// because it is temporal deactivation until next try
-		//
-		// after some period defined by upstream it trys to reactivate self by calling this hook
-		// everything we need here is just to re-apply current configuration because it already
-		// contains this upstream settings (temporal deactivation not removed it)
-		handler.deactivate, handler.reactivate = s.upstreamCallbacks(nsGroup, handler)
-
-		if nsGroup.Primary {
-			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  nbdns.RootZone,
-				handler: handler,
-			})
-			continue
-		}
-
-		if len(nsGroup.Domains) == 0 {
-			handler.stop()
-			return nil, fmt.Errorf("received a non primary nameserver group with an empty domain list")
-		}
-
-		for _, domain := range nsGroup.Domains {
-			if domain == "" {
-				handler.stop()
-				return nil, fmt.Errorf("received a nameserver group with an empty domain element")
-			}
-			muxUpdates = append(muxUpdates, muxUpdate{
-				domain:  domain,
-				handler: handler,
-			})
-		}
-	}
-	return muxUpdates, nil
-}
-
-func (s *DefaultServer) updateMux(muxUpdates []muxUpdate) {
-	muxUpdateMap := make(registeredHandlerMap)
-
-	for _, update := range muxUpdates {
-		s.registerMux(update.domain, update.handler)
-		muxUpdateMap[update.domain] = update.handler
-		if existingHandler, ok := s.dnsMuxMap[update.domain]; ok {
-			existingHandler.stop()
-		}
-	}
-
-	for key, existingHandler := range s.dnsMuxMap {
-		_, found := muxUpdateMap[key]
-		if !found {
-			existingHandler.stop()
-			s.deregisterMux(key)
-		}
-	}
-
-	s.dnsMuxMap = muxUpdateMap
-}
-
-func (s *DefaultServer) updateLocalResolver(update map[string]nbdns.SimpleRecord) {
-	for key := range s.localResolver.registeredMap {
-		_, found := update[key]
-		if !found {
-			s.localResolver.deleteRecord(key)
-		}
-	}
-
-	updatedMap := make(registrationMap)
-	for key, record := range update {
-		err := s.localResolver.registerRecord(record)
-		if err != nil {
-			log.Warnf("got an error while registering the record (%s), error: %v", record.String(), err)
-		}
-		updatedMap[key] = struct{}{}
-	}
-
-	s.localResolver.registeredMap = updatedMap
-}
-
-func getNSHostPort(ns nbdns.NameServer) string {
-	return fmt.Sprintf("%s:%d", ns.IP.String(), ns.Port)
-}
-
-func (s *DefaultServer) registerMux(pattern string, handler dns.Handler) {
-	s.dnsMux.Handle(pattern, handler)
-}
-
-func (s *DefaultServer) deregisterMux(pattern string) {
-	s.dnsMux.HandleRemove(pattern)
-}
-
-// upstreamCallbacks returns two functions, the first one is used to deactivate
-// the upstream resolver from the configuration, the second one is used to
-// reactivate it. Not allowed to call reactivate before deactivate.
-func (s *DefaultServer) upstreamCallbacks(
-	nsGroup *nbdns.NameServerGroup,
-	handler dns.Handler,
-) (deactivate func(), reactivate func()) {
-	var removeIndex map[string]int
-	deactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Info("temporary deactivate nameservers group due timeout")
-
-		removeIndex = make(map[string]int)
-		for _, domain := range nsGroup.Domains {
-			removeIndex[domain] = -1
-		}
-		if nsGroup.Primary {
-			removeIndex[nbdns.RootZone] = -1
-			s.currentConfig.routeAll = false
-		}
-
-		for i, item := range s.currentConfig.domains {
-			if _, found := removeIndex[item.domain]; found {
-				s.currentConfig.domains[i].disabled = true
-				s.deregisterMux(item.domain)
-				removeIndex[item.domain] = i
-			}
-		}
-		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("fail to apply nameserver deactivation on the host")
-		}
-	}
-	reactivate = func() {
-		s.mux.Lock()
-		defer s.mux.Unlock()
-
-		for domain, i := range removeIndex {
-			if i == -1 || i >= len(s.currentConfig.domains) || s.currentConfig.domains[i].domain != domain {
-				continue
-			}
-			s.currentConfig.domains[i].disabled = false
-			s.registerMux(domain, handler)
-		}
-
-		l := log.WithField("nameservers", nsGroup.NameServers)
-		l.Debug("reactivate temporary disabled nameserver group")
-
-		if nsGroup.Primary {
-			s.currentConfig.routeAll = true
-		}
-		if err := s.hostManager.applyDNSConfig(s.currentConfig); err != nil {
-			l.WithError(err).Error("reactivate temporary disabled nameserver group, DNS update apply")
-		}
-	}
-	return
-}
-
-func (s *DefaultServer) filterDNSTraffic() string {
-	filter := s.wgInterface.GetFilter()
-	if filter == nil {
-		log.Error("can't set DNS filter, filter not initialized")
-		return ""
-	}
-
-	firstLayerDecoder := layers.LayerTypeIPv4
-	if s.wgInterface.Address().Network.IP.To4() == nil {
-		firstLayerDecoder = layers.LayerTypeIPv6
-	}
-
-	hook := func(packetData []byte) bool {
-		// Decode the packet
-		packet := gopacket.NewPacket(packetData, firstLayerDecoder, gopacket.Default)
-
-		// Get the UDP layer
-		udpLayer := packet.Layer(layers.LayerTypeUDP)
-		udp := udpLayer.(*layers.UDP)
-
-		msg := new(dns.Msg)
-		if err := msg.Unpack(udp.Payload); err != nil {
-			log.Tracef("parse DNS request: %v", err)
-			return true
-		}
-
-		writer := responseWriter{
-			packet: packet,
-			device: s.wgInterface.GetDevice().Device,
-		}
-		go s.dnsMux.ServeDNS(&writer, msg)
-		return true
-	}
-
-	return filter.AddUDPPacketHook(false, net.ParseIP(s.runtimeIP), uint16(s.runtimePort), hook)
-}
-
-func (s *DefaultServer) evalRuntimeAddress() {
-	defer func() {
-		s.server.Addr = fmt.Sprintf("%s:%d", s.runtimeIP, s.runtimePort)
-	}()
-
-	if s.wgInterface != nil && s.wgInterface.IsUserspaceBind() {
-		s.runtimeIP = getLastIPFromNetwork(s.wgInterface.Address().Network, 1)
-		s.runtimePort = defaultPort
-		return
-	}
-
-	if s.customAddress != nil {
-		s.runtimeIP = s.customAddress.Addr().String()
-		s.runtimePort = int(s.customAddress.Port())
-		return
-	}
-
-	ip, port, err := s.getFirstListenerAvailable()
-	if err != nil {
-		log.Error(err)
-		return
-	}
-	s.runtimeIP = ip
-	s.runtimePort = port
-}
-
-func getLastIPFromNetwork(network *net.IPNet, fromEnd int) string {
-	// Calculate the last IP in the CIDR range
-	var endIP net.IP
-	for i := 0; i < len(network.IP); i++ {
-		endIP = append(endIP, network.IP[i]|^network.Mask[i])
-	}
-
-	// convert to big.Int
-	endInt := big.NewInt(0)
-	endInt.SetBytes(endIP)
-
-	// subtract fromEnd from the last ip
-	fromEndBig := big.NewInt(int64(fromEnd))
-	resultInt := big.NewInt(0)
-	resultInt.Sub(endInt, fromEndBig)
-
-	return net.IP(resultInt.Bytes()).String()
-}
-
-func hasValidDnsServer(cfg *nbdns.Config) bool {
-	for _, c := range cfg.NameServerGroups {
-		if c.Primary {
-			return true
-		}
-	}
-	return false
-}
--- a/client/internal/dns/server_test.go
+++ b/client/internal/dns/server_test.go
@@ -1,469 +0,0 @@
-package dns
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-)
-
-var zoneRecords = []nbdns.SimpleRecord{
-	{
-		Name:  "peera.netbird.cloud",
-		Type:  1,
-		Class: nbdns.DefaultClass,
-		TTL:   300,
-		RData: "1.2.3.4",
-	},
-}
-
-func TestUpdateDNSServer(t *testing.T) {
-	nameServers := []nbdns.NameServer{
-		{
-			IP:     netip.MustParseAddr("8.8.8.8"),
-			NSType: nbdns.UDPNameServerType,
-			Port:   53,
-		},
-		{
-			IP:     netip.MustParseAddr("8.8.4.4"),
-			NSType: nbdns.UDPNameServerType,
-			Port:   53,
-		},
-	}
-
-	dummyHandler := &localResolver{}
-
-	testCases := []struct {
-		name                string
-		initUpstreamMap     registeredHandlerMap
-		initLocalMap        registrationMap
-		initSerial          uint64
-		inputSerial         uint64
-		inputUpdate         nbdns.Config
-		shouldFail          bool
-		expectedUpstreamMap registeredHandlerMap
-		expectedLocalMap    registrationMap
-	}{
-		{
-			name:            "Initial Config Should Succeed",
-			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
-			initSerial:      0,
-			inputSerial:     1,
-			inputUpdate: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{
-						Domain:  "netbird.cloud",
-						Records: zoneRecords,
-					},
-				},
-				NameServerGroups: []*nbdns.NameServerGroup{
-					{
-						Domains:     []string{"netbird.io"},
-						NameServers: nameServers,
-					},
-					{
-						NameServers: nameServers,
-						Primary:     true,
-					},
-				},
-			},
-			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler, nbdns.RootZone: dummyHandler},
-			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
-		},
-		{
-			name:            "New Config Should Succeed",
-			initLocalMap:    registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap: registeredHandlerMap{buildRecordKey(zoneRecords[0].Name, 1, 1): dummyHandler},
-			initSerial:      0,
-			inputSerial:     1,
-			inputUpdate: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{
-						Domain:  "netbird.cloud",
-						Records: zoneRecords,
-					},
-				},
-				NameServerGroups: []*nbdns.NameServerGroup{
-					{
-						Domains:     []string{"netbird.io"},
-						NameServers: nameServers,
-					},
-				},
-			},
-			expectedUpstreamMap: registeredHandlerMap{"netbird.io": dummyHandler, "netbird.cloud": dummyHandler},
-			expectedLocalMap:    registrationMap{buildRecordKey(zoneRecords[0].Name, 1, 1): struct{}{}},
-		},
-		{
-			name:            "Smaller Config Serial Should Be Skipped",
-			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
-			initSerial:      2,
-			inputSerial:     1,
-			shouldFail:      true,
-		},
-		{
-			name:            "Empty NS Group Domain Or Not Primary Element Should Fail",
-			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
-			initSerial:      0,
-			inputSerial:     1,
-			inputUpdate: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{
-						Domain:  "netbird.cloud",
-						Records: zoneRecords,
-					},
-				},
-				NameServerGroups: []*nbdns.NameServerGroup{
-					{
-						NameServers: nameServers,
-					},
-				},
-			},
-			shouldFail: true,
-		},
-		{
-			name:            "Invalid NS Group Nameservers list Should Fail",
-			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
-			initSerial:      0,
-			inputSerial:     1,
-			inputUpdate: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{
-						Domain:  "netbird.cloud",
-						Records: zoneRecords,
-					},
-				},
-				NameServerGroups: []*nbdns.NameServerGroup{
-					{
-						NameServers: nameServers,
-					},
-				},
-			},
-			shouldFail: true,
-		},
-		{
-			name:            "Invalid Custom Zone Records list Should Fail",
-			initLocalMap:    make(registrationMap),
-			initUpstreamMap: make(registeredHandlerMap),
-			initSerial:      0,
-			inputSerial:     1,
-			inputUpdate: nbdns.Config{
-				ServiceEnable: true,
-				CustomZones: []nbdns.CustomZone{
-					{
-						Domain: "netbird.cloud",
-					},
-				},
-				NameServerGroups: []*nbdns.NameServerGroup{
-					{
-						NameServers: nameServers,
-						Primary:     true,
-					},
-				},
-			},
-			shouldFail: true,
-		},
-		{
-			name:                "Empty Config Should Succeed and Clean Maps",
-			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
-			initSerial:          0,
-			inputSerial:         1,
-			inputUpdate:         nbdns.Config{ServiceEnable: true},
-			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalMap:    make(registrationMap),
-		},
-		{
-			name:                "Disabled Service Should clean map",
-			initLocalMap:        registrationMap{"netbird.cloud": struct{}{}},
-			initUpstreamMap:     registeredHandlerMap{zoneRecords[0].Name: dummyHandler},
-			initSerial:          0,
-			inputSerial:         1,
-			inputUpdate:         nbdns.Config{ServiceEnable: false},
-			expectedUpstreamMap: make(registeredHandlerMap),
-			expectedLocalMap:    make(registrationMap),
-		},
-	}
-
-	for n, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			newNet, err := stdnet.NewNet(nil)
-			if err != nil {
-				t.Fatal(err)
-			}
-			wgIface, err := iface.NewWGIFace(fmt.Sprintf("utun230%d", n), fmt.Sprintf("100.66.100.%d/32", n+1), iface.DefaultMTU, nil, newNet)
-			if err != nil {
-				t.Fatal(err)
-			}
-			err = wgIface.Create()
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer func() {
-				err = wgIface.Close()
-				if err != nil {
-					t.Log(err)
-				}
-			}()
-			dnsServer, err := NewDefaultServer(context.Background(), wgIface, "", nil)
-			if err != nil {
-				t.Fatal(err)
-			}
-			defer func() {
-				err = dnsServer.hostManager.restoreHostDNS()
-				if err != nil {
-					t.Log(err)
-				}
-			}()
-
-			dnsServer.dnsMuxMap = testCase.initUpstreamMap
-			dnsServer.localResolver.registeredMap = testCase.initLocalMap
-			dnsServer.updateSerial = testCase.initSerial
-			// pretend we are running
-			dnsServer.listenerIsRunning = true
-			dnsServer.fakeResolverWG.Add(1)
-
-			err = dnsServer.UpdateDNSServer(testCase.inputSerial, testCase.inputUpdate)
-			if err != nil {
-				if testCase.shouldFail {
-					return
-				}
-				t.Fatalf("update dns server should not fail, got error: %v", err)
-			}
-
-			if len(dnsServer.dnsMuxMap) != len(testCase.expectedUpstreamMap) {
-				t.Fatalf("update upstream failed, map size is different than expected, want %d, got %d", len(testCase.expectedUpstreamMap), len(dnsServer.dnsMuxMap))
-			}
-
-			for key := range testCase.expectedUpstreamMap {
-				_, found := dnsServer.dnsMuxMap[key]
-				if !found {
-					t.Fatalf("update upstream failed, key %s was not found in the dnsMuxMap: %#v", key, dnsServer.dnsMuxMap)
-				}
-			}
-
-			if len(dnsServer.localResolver.registeredMap) != len(testCase.expectedLocalMap) {
-				t.Fatalf("update local failed, registered map size is different than expected, want %d, got %d", len(testCase.expectedLocalMap), len(dnsServer.localResolver.registeredMap))
-			}
-
-			for key := range testCase.expectedLocalMap {
-				_, found := dnsServer.localResolver.registeredMap[key]
-				if !found {
-					t.Fatalf("update local failed, key %s was not found in the localResolver.registeredMap: %#v", key, dnsServer.localResolver.registeredMap)
-				}
-			}
-		})
-	}
-}
-
-func TestDNSServerStartStop(t *testing.T) {
-	testCases := []struct {
-		name     string
-		addrPort string
-	}{
-		{
-			name: "Should Pass With Port Discovery",
-		},
-		{
-			name:     "Should Pass With Custom Port",
-			addrPort: "127.0.0.1:3535",
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			dnsServer := getDefaultServerWithNoHostManager(t, testCase.addrPort)
-
-			dnsServer.hostManager = newNoopHostMocker()
-			dnsServer.Start()
-			time.Sleep(100 * time.Millisecond)
-			if !dnsServer.listenerIsRunning {
-				t.Fatal("dns server listener is not running")
-			}
-			defer dnsServer.Stop()
-			err := dnsServer.localResolver.registerRecord(zoneRecords[0])
-			if err != nil {
-				t.Error(err)
-			}
-
-			dnsServer.dnsMux.Handle("netbird.cloud", dnsServer.localResolver)
-
-			resolver := &net.Resolver{
-				PreferGo: true,
-				Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
-					d := net.Dialer{
-						Timeout: time.Second * 5,
-					}
-					addr := fmt.Sprintf("%s:%d", dnsServer.runtimeIP, dnsServer.runtimePort)
-					conn, err := d.DialContext(ctx, network, addr)
-					if err != nil {
-						t.Log(err)
-						// retry test before exit, for slower systems
-						return d.DialContext(ctx, network, addr)
-					}
-
-					return conn, nil
-				},
-			}
-
-			ips, err := resolver.LookupHost(context.Background(), zoneRecords[0].Name)
-			if err != nil {
-				t.Fatalf("failed to connect to the server, error: %v", err)
-			}
-
-			if ips[0] != zoneRecords[0].RData {
-				t.Fatalf("got a different IP from the server: want %s, got %s", zoneRecords[0].RData, ips[0])
-			}
-
-			dnsServer.Stop()
-			ctx, cancel := context.WithTimeout(context.TODO(), time.Second*1)
-			defer cancel()
-			_, err = resolver.LookupHost(ctx, zoneRecords[0].Name)
-			if err == nil {
-				t.Fatalf("we should encounter an error when querying a stopped server")
-			}
-		})
-	}
-}
-
-func TestDNSServerUpstreamDeactivateCallback(t *testing.T) {
-	hostManager := &mockHostConfigurator{}
-	server := DefaultServer{
-		dnsMux: dns.DefaultServeMux,
-		localResolver: &localResolver{
-			registeredMap: make(registrationMap),
-		},
-		hostManager: hostManager,
-		currentConfig: hostDNSConfig{
-			domains: []domainConfig{
-				{false, "domain0", false},
-				{false, "domain1", false},
-				{false, "domain2", false},
-			},
-		},
-	}
-
-	var domainsUpdate string
-	hostManager.applyDNSConfigFunc = func(config hostDNSConfig) error {
-		domains := []string{}
-		for _, item := range config.domains {
-			if item.disabled {
-				continue
-			}
-			domains = append(domains, item.domain)
-		}
-		domainsUpdate = strings.Join(domains, ",")
-		return nil
-	}
-
-	deactivate, reactivate := server.upstreamCallbacks(&nbdns.NameServerGroup{
-		Domains: []string{"domain1"},
-		NameServers: []nbdns.NameServer{
-			{IP: netip.MustParseAddr("8.8.0.0"), NSType: nbdns.UDPNameServerType, Port: 53},
-		},
-	}, nil)
-
-	deactivate()
-	expected := "domain0,domain2"
-	domains := []string{}
-	for _, item := range server.currentConfig.domains {
-		if item.disabled {
-			continue
-		}
-		domains = append(domains, item.domain)
-	}
-	got := strings.Join(domains, ",")
-	if expected != got {
-		t.Errorf("expected domains list: %q, got %q", expected, got)
-	}
-
-	reactivate()
-	expected = "domain0,domain1,domain2"
-	domains = []string{}
-	for _, item := range server.currentConfig.domains {
-		if item.disabled {
-			continue
-		}
-		domains = append(domains, item.domain)
-	}
-	got = strings.Join(domains, ",")
-	if expected != got {
-		t.Errorf("expected domains list: %q, got %q", expected, domainsUpdate)
-	}
-}
-
-func getDefaultServerWithNoHostManager(t *testing.T, addrPort string) *DefaultServer {
-	mux := dns.NewServeMux()
-
-	var parsedAddrPort *netip.AddrPort
-	if addrPort != "" {
-		parsed, err := netip.ParseAddrPort(addrPort)
-		if err != nil {
-			t.Fatal(err)
-		}
-		parsedAddrPort = &parsed
-	}
-
-	dnsServer := &dns.Server{
-		Net:     "udp",
-		Handler: mux,
-		UDPSize: 65535,
-	}
-
-	ctx, cancel := context.WithCancel(context.TODO())
-
-	ds := &DefaultServer{
-		ctx:       ctx,
-		ctxCancel: cancel,
-		server:    dnsServer,
-		dnsMux:    mux,
-		dnsMuxMap: make(registeredHandlerMap),
-		localResolver: &localResolver{
-			registeredMap: make(registrationMap),
-		},
-		customAddress: parsedAddrPort,
-	}
-	ds.evalRuntimeAddress()
-	return ds
-}
-
-func TestGetLastIPFromNetwork(t *testing.T) {
-	tests := []struct {
-		addr string
-		ip   string
-	}{
-		{"2001:db8::/32", "2001:db8:ffff:ffff:ffff:ffff:ffff:fffe"},
-		{"192.168.0.0/30", "192.168.0.2"},
-		{"192.168.0.0/16", "192.168.255.254"},
-		{"192.168.0.0/24", "192.168.0.254"},
-	}
-
-	for _, tt := range tests {
-		_, ipnet, err := net.ParseCIDR(tt.addr)
-		if err != nil {
-			t.Errorf("Error parsing CIDR: %v", err)
-			return
-		}
-
-		lastIP := getLastIPFromNetwork(ipnet, 1)
-		if lastIP != tt.ip {
-			t.Errorf("wrong IP address, expected %s: got %s", tt.ip, lastIP)
-		}
-	}
-}
--- a/client/internal/dns/systemd_linux.go
+++ b/client/internal/dns/systemd_linux.go
@@ -1,217 +0,0 @@
-//go:build !android
-
-package dns
-
-import (
-	"context"
-	"fmt"
-	"net"
-	"net/netip"
-	"time"
-
-	"github.com/godbus/dbus/v5"
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-	"golang.org/x/sys/unix"
-
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-)
-
-const (
-	systemdDbusManagerInterface            = "org.freedesktop.resolve1.Manager"
-	systemdResolvedDest                    = "org.freedesktop.resolve1"
-	systemdDbusObjectNode                  = "/org/freedesktop/resolve1"
-	systemdDbusGetLinkMethod               = systemdDbusManagerInterface + ".GetLink"
-	systemdDbusFlushCachesMethod           = systemdDbusManagerInterface + ".FlushCaches"
-	systemdDbusResolvConfModeProperty      = systemdDbusManagerInterface + ".ResolvConfMode"
-	systemdDbusLinkInterface               = "org.freedesktop.resolve1.Link"
-	systemdDbusRevertMethodSuffix          = systemdDbusLinkInterface + ".Revert"
-	systemdDbusSetDNSMethodSuffix          = systemdDbusLinkInterface + ".SetDNS"
-	systemdDbusSetDefaultRouteMethodSuffix = systemdDbusLinkInterface + ".SetDefaultRoute"
-	systemdDbusSetDomainsMethodSuffix      = systemdDbusLinkInterface + ".SetDomains"
-	systemdDbusResolvConfModeForeign       = "foreign"
-)
-
-type systemdDbusConfigurator struct {
-	dbusLinkObject dbus.ObjectPath
-	routingAll     bool
-}
-
-// the types below are based on dbus specification, each field is mapped to a dbus type
-// see https://dbus.freedesktop.org/doc/dbus-specification.html#basic-types for more details on dbus types
-// see https://www.freedesktop.org/software/systemd/man/org.freedesktop.resolve1.html on resolve1 input types
-// systemdDbusDNSInput maps to a (iay) dbus input for SetDNS method
-type systemdDbusDNSInput struct {
-	Family  int32
-	Address []byte
-}
-
-// systemdDbusLinkDomainsInput maps to a (sb) dbus input for SetDomains method
-type systemdDbusLinkDomainsInput struct {
-	Domain    string
-	MatchOnly bool
-}
-
-func newSystemdDbusConfigurator(wgInterface *iface.WGIface) (hostManager, error) {
-	iface, err := net.InterfaceByName(wgInterface.Name())
-	if err != nil {
-		return nil, err
-	}
-
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, systemdDbusObjectNode)
-	if err != nil {
-		return nil, err
-	}
-	defer closeConn()
-
-	var s string
-	err = obj.Call(systemdDbusGetLinkMethod, dbusDefaultFlag, iface.Index).Store(&s)
-	if err != nil {
-		return nil, err
-	}
-
-	log.Debugf("got dbus Link interface: %s from net interface %s and index %d", s, iface.Name, iface.Index)
-
-	return &systemdDbusConfigurator{
-		dbusLinkObject: dbus.ObjectPath(s),
-	}, nil
-}
-
-func (s *systemdDbusConfigurator) supportCustomPort() bool {
-	return true
-}
-
-func (s *systemdDbusConfigurator) applyDNSConfig(config hostDNSConfig) error {
-	parsedIP, err := netip.ParseAddr(config.serverIP)
-	if err != nil {
-		return fmt.Errorf("unable to parse ip address, error: %s", err)
-	}
-	ipAs4 := parsedIP.As4()
-	defaultLinkInput := systemdDbusDNSInput{
-		Family:  unix.AF_INET,
-		Address: ipAs4[:],
-	}
-	err = s.callLinkMethod(systemdDbusSetDNSMethodSuffix, []systemdDbusDNSInput{defaultLinkInput})
-	if err != nil {
-		return fmt.Errorf("setting the interface DNS server %s:%d failed with error: %s", config.serverIP, config.serverPort, err)
-	}
-
-	var (
-		searchDomains []string
-		matchDomains  []string
-		domainsInput  []systemdDbusLinkDomainsInput
-	)
-	for _, dConf := range config.domains {
-		if dConf.disabled {
-			continue
-		}
-		domainsInput = append(domainsInput, systemdDbusLinkDomainsInput{
-			Domain:    dns.Fqdn(dConf.domain),
-			MatchOnly: dConf.matchOnly,
-		})
-
-		if dConf.matchOnly {
-			matchDomains = append(matchDomains, dConf.domain)
-			continue
-		}
-		searchDomains = append(searchDomains, dConf.domain)
-	}
-
-	if config.routeAll {
-		log.Infof("configured %s:%d as main DNS forwarder for this peer", config.serverIP, config.serverPort)
-		err = s.callLinkMethod(systemdDbusSetDefaultRouteMethodSuffix, true)
-		if err != nil {
-			return fmt.Errorf("setting link as default dns router, failed with error: %s", err)
-		}
-		domainsInput = append(domainsInput, systemdDbusLinkDomainsInput{
-			Domain:    nbdns.RootZone,
-			MatchOnly: true,
-		})
-		s.routingAll = true
-	} else if s.routingAll {
-		log.Infof("removing %s:%d as main DNS forwarder for this peer", config.serverIP, config.serverPort)
-	}
-
-	log.Infof("adding %d search domains and %d match domains. Search list: %s , Match list: %s", len(searchDomains), len(matchDomains), searchDomains, matchDomains)
-	err = s.setDomainsForInterface(domainsInput)
-	if err != nil {
-		log.Error(err)
-	}
-	return nil
-}
-
-func (s *systemdDbusConfigurator) setDomainsForInterface(domainsInput []systemdDbusLinkDomainsInput) error {
-	err := s.callLinkMethod(systemdDbusSetDomainsMethodSuffix, domainsInput)
-	if err != nil {
-		return fmt.Errorf("setting domains configuration failed with error: %s", err)
-	}
-	return s.flushCaches()
-}
-
-func (s *systemdDbusConfigurator) restoreHostDNS() error {
-	log.Infof("reverting link settings and flushing cache")
-	if !isDbusListenerRunning(systemdResolvedDest, s.dbusLinkObject) {
-		return nil
-	}
-	err := s.callLinkMethod(systemdDbusRevertMethodSuffix, nil)
-	if err != nil {
-		return fmt.Errorf("unable to revert link configuration, got error: %s", err)
-	}
-	return s.flushCaches()
-}
-
-func (s *systemdDbusConfigurator) flushCaches() error {
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, systemdDbusObjectNode)
-	if err != nil {
-		return fmt.Errorf("got error while attempting to retrieve the object %s, err: %s", systemdDbusObjectNode, err)
-	}
-	defer closeConn()
-	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
-	defer cancel()
-
-	err = obj.CallWithContext(ctx, systemdDbusFlushCachesMethod, dbusDefaultFlag).Store()
-	if err != nil {
-		return fmt.Errorf("got error while calling the FlushCaches method with context, err: %s", err)
-	}
-
-	return nil
-}
-
-func (s *systemdDbusConfigurator) callLinkMethod(method string, value any) error {
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, s.dbusLinkObject)
-	if err != nil {
-		return fmt.Errorf("got error while attempting to retrieve the object, err: %s", err)
-	}
-	defer closeConn()
-
-	ctx, cancel := context.WithTimeout(context.TODO(), 5*time.Second)
-	defer cancel()
-
-	if value != nil {
-		err = obj.CallWithContext(ctx, method, dbusDefaultFlag, value).Store()
-	} else {
-		err = obj.CallWithContext(ctx, method, dbusDefaultFlag).Store()
-	}
-
-	if err != nil {
-		return fmt.Errorf("got error while calling command with context, err: %s", err)
-	}
-
-	return nil
-}
-
-func getSystemdDbusProperty(property string, store any) error {
-	obj, closeConn, err := getDbusObject(systemdResolvedDest, systemdDbusObjectNode)
-	if err != nil {
-		return fmt.Errorf("got error while attempting to retrieve the systemd dns manager object, error: %s", err)
-	}
-	defer closeConn()
-
-	v, e := obj.GetProperty(property)
-	if e != nil {
-		return fmt.Errorf("got an error getting property %s: %v", property, e)
-	}
-
-	return v.Store(store)
-}
--- a/client/internal/dns/upstream.go
+++ b/client/internal/dns/upstream.go
@@ -1,186 +0,0 @@
-package dns
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net"
-	"sync"
-	"sync/atomic"
-	"time"
-
-	"github.com/cenkalti/backoff/v4"
-	"github.com/miekg/dns"
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	failsTillDeact   = int32(5)
-	reactivatePeriod = 30 * time.Second
-	upstreamTimeout  = 15 * time.Second
-)
-
-type upstreamClient interface {
-	ExchangeContext(ctx context.Context, m *dns.Msg, a string) (r *dns.Msg, rtt time.Duration, err error)
-}
-
-type upstreamResolver struct {
-	ctx              context.Context
-	cancel           context.CancelFunc
-	upstreamClient   upstreamClient
-	upstreamServers  []string
-	disabled         bool
-	failsCount       atomic.Int32
-	failsTillDeact   int32
-	mutex            sync.Mutex
-	reactivatePeriod time.Duration
-	upstreamTimeout  time.Duration
-
-	deactivate func()
-	reactivate func()
-}
-
-func newUpstreamResolver(parentCTX context.Context) *upstreamResolver {
-	ctx, cancel := context.WithCancel(parentCTX)
-	return &upstreamResolver{
-		ctx:              ctx,
-		cancel:           cancel,
-		upstreamClient:   &dns.Client{},
-		upstreamTimeout:  upstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
-	}
-}
-
-func (u *upstreamResolver) stop() {
-	log.Debugf("stoping serving DNS for upstreams %s", u.upstreamServers)
-	u.cancel()
-}
-
-// ServeDNS handles a DNS request
-func (u *upstreamResolver) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
-	defer u.checkUpstreamFails()
-
-	log.WithField("question", r.Question[0]).Trace("received an upstream question")
-
-	select {
-	case <-u.ctx.Done():
-		return
-	default:
-	}
-
-	for _, upstream := range u.upstreamServers {
-		ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
-		rm, t, err := u.upstreamClient.ExchangeContext(ctx, r, upstream)
-
-		cancel()
-
-		if err != nil {
-			if err == context.DeadlineExceeded || isTimeout(err) {
-				log.WithError(err).WithField("upstream", upstream).
-					Warn("got an error while connecting to upstream")
-				continue
-			}
-			u.failsCount.Add(1)
-			log.WithError(err).WithField("upstream", upstream).
-				Error("got an error while querying the upstream")
-			return
-		}
-
-		log.Tracef("took %s to query the upstream %s", t, upstream)
-
-		err = w.WriteMsg(rm)
-		if err != nil {
-			log.WithError(err).Error("got an error while writing the upstream resolver response")
-		}
-		// count the fails only if they happen sequentially
-		u.failsCount.Store(0)
-		return
-	}
-	u.failsCount.Add(1)
-	log.Error("all queries to the upstream nameservers failed with timeout")
-}
-
-// checkUpstreamFails counts fails and disables or enables upstream resolving
-//
-// If fails count is greater that failsTillDeact, upstream resolving
-// will be disabled for reactivatePeriod, after that time period fails counter
-// will be reset and upstream will be reactivated.
-func (u *upstreamResolver) checkUpstreamFails() {
-	u.mutex.Lock()
-	defer u.mutex.Unlock()
-
-	if u.failsCount.Load() < u.failsTillDeact || u.disabled {
-		return
-	}
-
-	select {
-	case <-u.ctx.Done():
-		return
-	default:
-		log.Warnf("upstream resolving is disabled for %v", reactivatePeriod)
-		u.deactivate()
-		u.disabled = true
-		go u.waitUntilResponse()
-	}
-}
-
-// waitUntilResponse retries, in an exponential interval, querying the upstream servers until it gets a positive response
-func (u *upstreamResolver) waitUntilResponse() {
-	exponentialBackOff := &backoff.ExponentialBackOff{
-		InitialInterval:     500 * time.Millisecond,
-		RandomizationFactor: 0.5,
-		Multiplier:          1.1,
-		MaxInterval:         u.reactivatePeriod,
-		MaxElapsedTime:      0,
-		Stop:                backoff.Stop,
-		Clock:               backoff.SystemClock,
-	}
-
-	r := new(dns.Msg).SetQuestion("netbird.io.", dns.TypeA)
-
-	operation := func() error {
-		select {
-		case <-u.ctx.Done():
-			return backoff.Permanent(fmt.Errorf("exiting upstream retry loop for upstreams %s: parent context has been canceled", u.upstreamServers))
-		default:
-		}
-
-		var err error
-		for _, upstream := range u.upstreamServers {
-			ctx, cancel := context.WithTimeout(u.ctx, u.upstreamTimeout)
-			_, _, err = u.upstreamClient.ExchangeContext(ctx, r, upstream)
-
-			cancel()
-
-			if err == nil {
-				return nil
-			}
-		}
-
-		log.Tracef("checking connectivity with upstreams %s failed with error: %s. Retrying in %s", err, u.upstreamServers, exponentialBackOff.NextBackOff())
-		return fmt.Errorf("got an error from upstream check call")
-	}
-
-	err := backoff.Retry(operation, exponentialBackOff)
-	if err != nil {
-		log.Warn(err)
-		return
-	}
-
-	log.Infof("upstreams %s are responsive again. Adding them back to system", u.upstreamServers)
-	u.failsCount.Store(0)
-	u.reactivate()
-	u.disabled = false
-}
-
-// isTimeout returns true if the given error is a network timeout error.
-//
-// Copied from k8s.io/apimachinery/pkg/util/net.IsTimeout
-func isTimeout(err error) bool {
-	var neterr net.Error
-	if errors.As(err, &neterr) {
-		return neterr != nil && neterr.Timeout()
-	}
-	return false
-}
--- a/client/internal/dns/upstream_test.go
+++ b/client/internal/dns/upstream_test.go
@@ -1,178 +0,0 @@
-package dns
-
-import (
-	"context"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/miekg/dns"
-)
-
-func TestUpstreamResolver_ServeDNS(t *testing.T) {
-
-	testCases := []struct {
-		name                string
-		inputMSG            *dns.Msg
-		responseShouldBeNil bool
-		InputServers        []string
-		timeout             time.Duration
-		cancelCTX           bool
-		expectedAnswer      string
-	}{
-		{
-			name:           "Should Resolve A Record",
-			inputMSG:       new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
-			InputServers:   []string{"8.8.8.8:53", "8.8.4.4:53"},
-			timeout:        upstreamTimeout,
-			expectedAnswer: "1.1.1.1",
-		},
-		{
-			name:           "Should Resolve If First Upstream Times Out",
-			inputMSG:       new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
-			InputServers:   []string{"8.0.0.0:53", "8.8.4.4:53"},
-			timeout:        2 * time.Second,
-			expectedAnswer: "1.1.1.1",
-		},
-		{
-			name:                "Should Not Resolve If Can't Connect To Both Servers",
-			inputMSG:            new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
-			InputServers:        []string{"8.0.0.0:53", "8.0.0.1:53"},
-			timeout:             200 * time.Millisecond,
-			responseShouldBeNil: true,
-		},
-		{
-			name:                "Should Not Resolve If Parent Context Is Canceled",
-			inputMSG:            new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA),
-			InputServers:        []string{"8.0.0.0:53", "8.8.4.4:53"},
-			cancelCTX:           true,
-			timeout:             upstreamTimeout,
-			responseShouldBeNil: true,
-		},
-		//{
-		//	name:        "Should Resolve CNAME Record",
-		//	inputMSG:    new(dns.Msg).SetQuestion("one.one.one.one", dns.TypeCNAME),
-		//},
-		//{
-		//	name:                "Should Not Write When Not Found A Record",
-		//	inputMSG:            new(dns.Msg).SetQuestion("not.found.com", dns.TypeA),
-		//	responseShouldBeNil: true,
-		//},
-	}
-	// should resolve if first upstream times out
-	// should not write when both fails
-	// should not resolve if parent context is canceled
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			ctx, cancel := context.WithCancel(context.TODO())
-			resolver := newUpstreamResolver(ctx)
-			resolver.upstreamServers = testCase.InputServers
-			resolver.upstreamTimeout = testCase.timeout
-			if testCase.cancelCTX {
-				cancel()
-			} else {
-				defer cancel()
-			}
-
-			var responseMSG *dns.Msg
-			responseWriter := &mockResponseWriter{
-				WriteMsgFunc: func(m *dns.Msg) error {
-					responseMSG = m
-					return nil
-				},
-			}
-
-			resolver.ServeDNS(responseWriter, testCase.inputMSG)
-
-			if responseMSG == nil {
-				if testCase.responseShouldBeNil {
-					return
-				}
-				t.Fatalf("should write a response message")
-			}
-
-			foundAnswer := false
-			for _, answer := range responseMSG.Answer {
-				if strings.Contains(answer.String(), testCase.expectedAnswer) {
-					foundAnswer = true
-					break
-				}
-			}
-
-			if !foundAnswer {
-				t.Errorf("couldn't find the required answer, %s, in the dns response", testCase.expectedAnswer)
-			}
-		})
-	}
-}
-
-type mockUpstreamResolver struct {
-	r   *dns.Msg
-	rtt time.Duration
-	err error
-}
-
-// ExchangeContext mock implementation of ExchangeContext from upstreamResolver
-func (c mockUpstreamResolver) ExchangeContext(_ context.Context, _ *dns.Msg, _ string) (r *dns.Msg, rtt time.Duration, err error) {
-	return c.r, c.rtt, c.err
-}
-
-func TestUpstreamResolver_DeactivationReactivation(t *testing.T) {
-	resolver := &upstreamResolver{
-		ctx: context.TODO(),
-		upstreamClient: &mockUpstreamResolver{
-			err: nil,
-			r:   new(dns.Msg),
-			rtt: time.Millisecond,
-		},
-		upstreamTimeout:  upstreamTimeout,
-		reactivatePeriod: reactivatePeriod,
-		failsTillDeact:   failsTillDeact,
-	}
-	resolver.upstreamServers = []string{"0.0.0.0:-1"}
-	resolver.failsTillDeact = 0
-	resolver.reactivatePeriod = time.Microsecond * 100
-
-	responseWriter := &mockResponseWriter{
-		WriteMsgFunc: func(m *dns.Msg) error { return nil },
-	}
-
-	failed := false
-	resolver.deactivate = func() {
-		failed = true
-	}
-
-	reactivated := false
-	resolver.reactivate = func() {
-		reactivated = true
-	}
-
-	resolver.ServeDNS(responseWriter, new(dns.Msg).SetQuestion("one.one.one.one.", dns.TypeA))
-
-	if !failed {
-		t.Errorf("expected that resolving was deactivated")
-		return
-	}
-
-	if !resolver.disabled {
-		t.Errorf("resolver should be disabled")
-		return
-	}
-
-	time.Sleep(time.Millisecond * 200)
-
-	if !reactivated {
-		t.Errorf("expected that resolving was reactivated")
-		return
-	}
-
-	if resolver.failsCount.Load() != 0 {
-		t.Errorf("fails count after reactivation should be 0")
-		return
-	}
-
-	if resolver.disabled {
-		t.Errorf("should be enabled")
-	}
-}
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
--- a/client/internal/engine_stdnet.go
+++ b/client/internal/engine_stdnet.go
@@ -1,11 +0,0 @@
-//go:build !android
-
-package internal
-
-import (
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-)
-
-func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNet(e.config.IFaceBlackList)
-}
--- a/client/internal/engine_stdnet_android.go
+++ b/client/internal/engine_stdnet_android.go
@@ -1,7 +0,0 @@
-package internal
-
-import "github.com/netbirdio/netbird/client/internal/stdnet"
-
-func (e *Engine) newStdNet() (*stdnet.Net, error) {
-	return stdnet.NewNetWithDiscover(e.mobileDep.IFaceDiscover, e.config.IFaceBlackList)
-}
--- a/client/internal/engine_test.go
+++ b/client/internal/engine_test.go
@@ -4,40 +4,25 @@ import (
 	"context"
 	"fmt"
 	"net"
-	"net/netip"
 	"os"
 	"path/filepath"
 	"runtime"
-	"strings"
 	"sync"
 	"testing"
 	"time"

-	"github.com/pion/transport/v2/stdnet"
-	log "github.com/sirupsen/logrus"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/keepalive"
-
-	"github.com/netbirdio/netbird/client/internal/dns"
-	"github.com/netbirdio/netbird/client/internal/peer"
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/ssh"
 	"github.com/netbirdio/netbird/client/system"
-	nbdns "github.com/netbirdio/netbird/dns"
-	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/iface/bind"
 	mgmt "github.com/netbirdio/netbird/management/client"
 	mgmtProto "github.com/netbirdio/netbird/management/proto"
 	"github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/activity"
-	"github.com/netbirdio/netbird/route"
 	signal "github.com/netbirdio/netbird/signal/client"
 	"github.com/netbirdio/netbird/signal/proto"
 	signalServer "github.com/netbirdio/netbird/signal/server"
 	"github.com/netbirdio/netbird/util"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/keepalive"
 )

 var (
@@ -54,144 +39,6 @@ var (
 	}
 )

-func TestEngine_SSH(t *testing.T) {
-
-	if runtime.GOOS == "windows" {
-		t.Skip("skipping TestEngine_SSH on Windows")
-	}
-
-	key, err := wgtypes.GeneratePrivateKey()
-	if err != nil {
-		t.Fatal(err)
-		return
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-		WgIfaceName:  "utun101",
-		WgAddr:       "100.64.0.1/24",
-		WgPrivateKey: key,
-		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
-
-	engine.dnsServer = &dns.MockServer{
-		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
-	}
-
-	var sshKeysAdded []string
-	var sshPeersRemoved []string
-
-	sshCtx, cancel := context.WithCancel(context.Background())
-
-	engine.sshServerFunc = func(hostKeyPEM []byte, addr string) (ssh.Server, error) {
-		return &ssh.MockServer{
-			Ctx: sshCtx,
-			StopFunc: func() error {
-				cancel()
-				return nil
-			},
-			StartFunc: func() error {
-				<-ctx.Done()
-				return ctx.Err()
-			},
-			AddAuthorizedKeyFunc: func(peer, newKey string) error {
-				sshKeysAdded = append(sshKeysAdded, newKey)
-				return nil
-			},
-			RemoveAuthorizedKeyFunc: func(peer string) {
-				sshPeersRemoved = append(sshPeersRemoved, peer)
-			},
-		}, nil
-	}
-	err = engine.Start()
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	defer func() {
-		err := engine.Stop()
-		if err != nil {
-			return
-		}
-	}()
-
-	peerWithSSH := &mgmtProto.RemotePeerConfig{
-		WgPubKey:   "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
-		AllowedIps: []string{"100.64.0.21/24"},
-		SshConfig: &mgmtProto.SSHConfig{
-			SshPubKey: []byte("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ"),
-		},
-	}
-
-	// SSH server is not enabled so SSH config of a remote peer should be ignored
-	networkMap := &mgmtProto.NetworkMap{
-		Serial:             6,
-		PeerConfig:         nil,
-		RemotePeers:        []*mgmtProto.RemotePeerConfig{peerWithSSH},
-		RemotePeersIsEmpty: false,
-	}
-
-	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Nil(t, engine.sshServer)
-
-	// SSH server is enabled, therefore SSH config should be applied
-	networkMap = &mgmtProto.NetworkMap{
-		Serial: 7,
-		PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24",
-			SshConfig: &mgmtProto.SSHConfig{SshEnabled: true}},
-		RemotePeers:        []*mgmtProto.RemotePeerConfig{peerWithSSH},
-		RemotePeersIsEmpty: false,
-	}
-
-	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	time.Sleep(250 * time.Millisecond)
-	assert.NotNil(t, engine.sshServer)
-	assert.Contains(t, sshKeysAdded, "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFATYCqaQw/9id1Qkq3n16JYhDhXraI6Pc1fgB8ynEfQ")
-
-	// now remove peer
-	networkMap = &mgmtProto.NetworkMap{
-		Serial:             8,
-		RemotePeers:        []*mgmtProto.RemotePeerConfig{},
-		RemotePeersIsEmpty: false,
-	}
-
-	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	//time.Sleep(250 * time.Millisecond)
-	assert.NotNil(t, engine.sshServer)
-	assert.Contains(t, sshPeersRemoved, "MNHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=")
-
-	// now disable SSH server
-	networkMap = &mgmtProto.NetworkMap{
-		Serial: 9,
-		PeerConfig: &mgmtProto.PeerConfig{Address: "100.64.0.1/24",
-			SshConfig: &mgmtProto.SSHConfig{SshEnabled: false}},
-		RemotePeers:        []*mgmtProto.RemotePeerConfig{peerWithSSH},
-		RemotePeersIsEmpty: false,
-	}
-
-	err = engine.updateNetworkMap(networkMap)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assert.Nil(t, engine.sshServer)
-
-}
-
 func TestEngine_UpdateNetworkMap(t *testing.T) {
 	// test setup
 	key, err := wgtypes.GeneratePrivateKey()
@@ -204,35 +51,18 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 	defer cancel()

 	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-		WgIfaceName:  "utun102",
+		WgIfaceName:  "utun100",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
-	newNet, err := stdnet.NewNet()
-	if err != nil {
-		t.Fatal(err)
-	}
-	engine.wgInterface, err = iface.NewWGIFace("utun102", "100.64.0.1/24", iface.DefaultMTU, nil, newNet)
-	if err != nil {
-		t.Fatal(err)
-	}
-	engine.routeManager = routemanager.NewManager(ctx, key.PublicKey().String(), engine.wgInterface, engine.statusRecorder, nil)
-	engine.dnsServer = &dns.MockServer{
-		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
-	}
-	conn, err := net.ListenUDP("udp4", nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-	engine.udpMux = bind.NewUniversalUDPMuxDefault(bind.UniversalUDPMuxParams{UDPConn: conn})
+	})

 	type testCase struct {
 		name       string
 		networkMap *mgmtProto.NetworkMap

 		expectedLen    int
-		expectedPeers  []*mgmtProto.RemotePeerConfig
+		expectedPeers  []string
 		expectedSerial uint64
 	}

@@ -251,11 +81,6 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		AllowedIps: []string{"100.64.0.12/24"},
 	}

-	modifiedPeer3 := &mgmtProto.RemotePeerConfig{
-		WgPubKey:   "GGHf3Ma6z6mdLbriAJbqhX7+nM/B71lgw2+91q3LfhU=",
-		AllowedIps: []string{"100.64.0.20/24"},
-	}
-
 	case1 := testCase{
 		name: "input with a new peer to add",
 		networkMap: &mgmtProto.NetworkMap{
@@ -267,7 +92,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			RemotePeersIsEmpty: false,
 		},
 		expectedLen:    1,
-		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer1},
+		expectedPeers:  []string{peer1.GetWgPubKey()},
 		expectedSerial: 1,
 	}

@@ -283,7 +108,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			RemotePeersIsEmpty: false,
 		},
 		expectedLen:    2,
-		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer1, peer2},
+		expectedPeers:  []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
 		expectedSerial: 2,
 	}

@@ -298,7 +123,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			RemotePeersIsEmpty: false,
 		},
 		expectedLen:    2,
-		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer1, peer2},
+		expectedPeers:  []string{peer1.GetWgPubKey(), peer2.GetWgPubKey()},
 		expectedSerial: 2,
 	}

@@ -313,26 +138,11 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			RemotePeersIsEmpty: false,
 		},
 		expectedLen:    2,
-		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer2, peer3},
+		expectedPeers:  []string{peer2.GetWgPubKey(), peer3.GetWgPubKey()},
 		expectedSerial: 4,
 	}

 	case5 := testCase{
-		name: "input with one peer to modify",
-		networkMap: &mgmtProto.NetworkMap{
-			Serial:     4,
-			PeerConfig: nil,
-			RemotePeers: []*mgmtProto.RemotePeerConfig{
-				modifiedPeer3, peer2,
-			},
-			RemotePeersIsEmpty: false,
-		},
-		expectedLen:    2,
-		expectedPeers:  []*mgmtProto.RemotePeerConfig{peer2, modifiedPeer3},
-		expectedSerial: 4,
-	}
-
-	case6 := testCase{
 		name: "input with all peers to remove",
 		networkMap: &mgmtProto.NetworkMap{
 			Serial:             5,
@@ -345,7 +155,7 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 		expectedSerial: 5,
 	}

-	for _, c := range []testCase{case1, case2, case3, case4, case5, case6} {
+	for _, c := range []testCase{case1, case2, case3, case4, case5} {
 		t.Run(c.name, func(t *testing.T) {
 			err = engine.updateNetworkMap(c.networkMap)
 			if err != nil {
@@ -362,15 +172,9 @@ func TestEngine_UpdateNetworkMap(t *testing.T) {
 			}

 			for _, p := range c.expectedPeers {
-				conn, ok := engine.peerConns[p.GetWgPubKey()]
-				if !ok {
+				if _, ok := engine.peerConns[p]; !ok {
 					t.Errorf("expecting Engine.peerConns to contain peer %s", p)
 				}
-				expectedAllowedIPs := strings.Join(p.AllowedIps, ",")
-				if conn.GetConf().ProxyConfig.AllowedIps != expectedAllowedIPs {
-					t.Errorf("expecting peer %s to have AllowedIPs= %s, got %s", p.GetWgPubKey(),
-						expectedAllowedIPs, conn.GetConf().ProxyConfig.AllowedIps)
-				}
 			}
 		})
 	}
@@ -400,15 +204,11 @@ func TestEngine_Sync(t *testing.T) {
 	}

 	engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{SyncFunc: syncFunc}, &EngineConfig{
-		WgIfaceName:  "utun103",
+		WgIfaceName:  "utun100",
 		WgAddr:       "100.64.0.1/24",
 		WgPrivateKey: key,
 		WgPort:       33100,
-	}, MobileDependency{}, peer.NewRecorder("https://mgm"))
-
-	engine.dnsServer = &dns.MockServer{
-		UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error { return nil },
-	}
+	})

 	defer func() {
 		err := engine.Stop()
@@ -454,334 +254,12 @@ func TestEngine_Sync(t *testing.T) {
 		default:
 		}

-		if getPeers(engine) == 3 && engine.networkSerial == 10 {
+		if len(engine.GetPeers()) == 3 && engine.networkSerial == 10 {
 			break
 		}
 	}
 }

-func TestEngine_UpdateNetworkMapWithRoutes(t *testing.T) {
-	testCases := []struct {
-		name           string
-		inputErr       error
-		networkMap     *mgmtProto.NetworkMap
-		expectedLen    int
-		expectedRoutes []*route.Route
-		expectedSerial uint64
-	}{
-		{
-			name: "Routes Config Should Be Passed To Manager",
-			networkMap: &mgmtProto.NetworkMap{
-				Serial:             1,
-				PeerConfig:         nil,
-				RemotePeersIsEmpty: false,
-				Routes: []*mgmtProto.Route{
-					{
-						ID:          "a",
-						Network:     "192.168.0.0/24",
-						NetID:       "n1",
-						Peer:        "p1",
-						NetworkType: 1,
-						Masquerade:  false,
-					},
-					{
-						ID:          "b",
-						Network:     "192.168.1.0/24",
-						NetID:       "n2",
-						Peer:        "p1",
-						NetworkType: 1,
-						Masquerade:  false,
-					},
-				},
-			},
-			expectedLen: 2,
-			expectedRoutes: []*route.Route{
-				{
-					ID:          "a",
-					Network:     netip.MustParsePrefix("192.168.0.0/24"),
-					NetID:       "n1",
-					Peer:        "p1",
-					NetworkType: 1,
-					Masquerade:  false,
-				},
-				{
-					ID:          "b",
-					Network:     netip.MustParsePrefix("192.168.1.0/24"),
-					NetID:       "n2",
-					Peer:        "p1",
-					NetworkType: 1,
-					Masquerade:  false,
-				},
-			},
-			expectedSerial: 1,
-		},
-		{
-			name: "Empty Routes Config Should Be Passed",
-			networkMap: &mgmtProto.NetworkMap{
-				Serial:             1,
-				PeerConfig:         nil,
-				RemotePeersIsEmpty: false,
-				Routes:             nil,
-			},
-			expectedLen:    0,
-			expectedRoutes: []*route.Route{},
-			expectedSerial: 1,
-		},
-		{
-			name:     "Error Shouldn't Break Engine",
-			inputErr: fmt.Errorf("mocking error"),
-			networkMap: &mgmtProto.NetworkMap{
-				Serial:             1,
-				PeerConfig:         nil,
-				RemotePeersIsEmpty: false,
-				Routes:             nil,
-			},
-			expectedLen:    0,
-			expectedRoutes: []*route.Route{},
-			expectedSerial: 1,
-		},
-	}
-
-	for n, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			// test setup
-			key, err := wgtypes.GeneratePrivateKey()
-			if err != nil {
-				t.Fatal(err)
-				return
-			}
-
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
-			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)
-
-			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-				WgIfaceName:  wgIfaceName,
-				WgAddr:       wgAddr,
-				WgPrivateKey: key,
-				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
-			newNet, err := stdnet.NewNet()
-			if err != nil {
-				t.Fatal(err)
-			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, newNet)
-			assert.NoError(t, err, "shouldn't return error")
-			input := struct {
-				inputSerial uint64
-				inputRoutes []*route.Route
-			}{}
-
-			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
-					input.inputSerial = updateSerial
-					input.inputRoutes = newRoutes
-					return testCase.inputErr
-				},
-			}
-
-			engine.routeManager = mockRouteManager
-			engine.dnsServer = &dns.MockServer{}
-
-			defer func() {
-				exitErr := engine.Stop()
-				if exitErr != nil {
-					return
-				}
-			}()
-
-			err = engine.updateNetworkMap(testCase.networkMap)
-			assert.NoError(t, err, "shouldn't return error")
-			assert.Equal(t, testCase.expectedSerial, input.inputSerial, "serial should match")
-			assert.Len(t, input.inputRoutes, testCase.expectedLen, "routes len should match")
-			assert.Equal(t, testCase.expectedRoutes, input.inputRoutes, "routes should match")
-		})
-	}
-}
-
-func TestEngine_UpdateNetworkMapWithDNSUpdate(t *testing.T) {
-	testCases := []struct {
-		name                string
-		inputErr            error
-		networkMap          *mgmtProto.NetworkMap
-		expectedZonesLen    int
-		expectedZones       []nbdns.CustomZone
-		expectedNSGroupsLen int
-		expectedNSGroups    []*nbdns.NameServerGroup
-		expectedSerial      uint64
-	}{
-		{
-			name: "DNS Config Should Be Passed To DNS Server",
-			networkMap: &mgmtProto.NetworkMap{
-				Serial:             1,
-				PeerConfig:         nil,
-				RemotePeersIsEmpty: false,
-				Routes:             nil,
-				DNSConfig: &mgmtProto.DNSConfig{
-					ServiceEnable: true,
-					CustomZones: []*mgmtProto.CustomZone{
-						{
-							Domain: "netbird.cloud.",
-							Records: []*mgmtProto.SimpleRecord{
-								{
-									Name:  "peer-a.netbird.cloud.",
-									Type:  1,
-									Class: nbdns.DefaultClass,
-									TTL:   300,
-									RData: "100.64.0.1",
-								},
-							},
-						},
-					},
-					NameServerGroups: []*mgmtProto.NameServerGroup{
-						{
-							Primary: true,
-							NameServers: []*mgmtProto.NameServer{
-								{
-									IP:     "8.8.8.8",
-									NSType: 1,
-									Port:   53,
-								},
-							},
-						},
-					},
-				},
-			},
-			expectedZonesLen: 1,
-			expectedZones: []nbdns.CustomZone{
-				{
-					Domain: "netbird.cloud.",
-					Records: []nbdns.SimpleRecord{
-						{
-							Name:  "peer-a.netbird.cloud.",
-							Type:  1,
-							Class: nbdns.DefaultClass,
-							TTL:   300,
-							RData: "100.64.0.1",
-						},
-					},
-				},
-			},
-			expectedNSGroupsLen: 1,
-			expectedNSGroups: []*nbdns.NameServerGroup{
-				{
-					Primary: true,
-					NameServers: []nbdns.NameServer{
-						{
-							IP:     netip.MustParseAddr("8.8.8.8"),
-							NSType: 1,
-							Port:   53,
-						},
-					},
-				},
-			},
-			expectedSerial: 1,
-		},
-		{
-			name: "Empty DNS Config Should Be OK",
-			networkMap: &mgmtProto.NetworkMap{
-				Serial:             1,
-				PeerConfig:         nil,
-				RemotePeersIsEmpty: false,
-				Routes:             nil,
-				DNSConfig:          nil,
-			},
-			expectedZonesLen:    0,
-			expectedZones:       []nbdns.CustomZone{},
-			expectedNSGroupsLen: 0,
-			expectedNSGroups:    []*nbdns.NameServerGroup{},
-			expectedSerial:      1,
-		},
-		{
-			name:     "Error Shouldn't Break Engine",
-			inputErr: fmt.Errorf("mocking error"),
-			networkMap: &mgmtProto.NetworkMap{
-				Serial:             1,
-				PeerConfig:         nil,
-				RemotePeersIsEmpty: false,
-				Routes:             nil,
-			},
-			expectedZonesLen:    0,
-			expectedZones:       []nbdns.CustomZone{},
-			expectedNSGroupsLen: 0,
-			expectedNSGroups:    []*nbdns.NameServerGroup{},
-			expectedSerial:      1,
-		},
-	}
-
-	for n, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			// test setup
-			key, err := wgtypes.GeneratePrivateKey()
-			if err != nil {
-				t.Fatal(err)
-				return
-			}
-
-			ctx, cancel := context.WithCancel(context.Background())
-			defer cancel()
-
-			wgIfaceName := fmt.Sprintf("utun%d", 104+n)
-			wgAddr := fmt.Sprintf("100.66.%d.1/24", n)
-
-			engine := NewEngine(ctx, cancel, &signal.MockClient{}, &mgmt.MockClient{}, &EngineConfig{
-				WgIfaceName:  wgIfaceName,
-				WgAddr:       wgAddr,
-				WgPrivateKey: key,
-				WgPort:       33100,
-			}, MobileDependency{}, peer.NewRecorder("https://mgm"))
-			newNet, err := stdnet.NewNet()
-			if err != nil {
-				t.Fatal(err)
-			}
-			engine.wgInterface, err = iface.NewWGIFace(wgIfaceName, wgAddr, iface.DefaultMTU, nil, newNet)
-			assert.NoError(t, err, "shouldn't return error")
-
-			mockRouteManager := &routemanager.MockManager{
-				UpdateRoutesFunc: func(updateSerial uint64, newRoutes []*route.Route) error {
-					return nil
-				},
-			}
-
-			engine.routeManager = mockRouteManager
-
-			input := struct {
-				inputSerial   uint64
-				inputNSGroups []*nbdns.NameServerGroup
-				inputZones    []nbdns.CustomZone
-			}{}
-
-			mockDNSServer := &dns.MockServer{
-				UpdateDNSServerFunc: func(serial uint64, update nbdns.Config) error {
-					input.inputSerial = serial
-					input.inputZones = update.CustomZones
-					input.inputNSGroups = update.NameServerGroups
-					return testCase.inputErr
-				},
-			}
-
-			engine.dnsServer = mockDNSServer
-
-			defer func() {
-				exitErr := engine.Stop()
-				if exitErr != nil {
-					return
-				}
-			}()
-
-			err = engine.updateNetworkMap(testCase.networkMap)
-			assert.NoError(t, err, "shouldn't return error")
-			assert.Equal(t, testCase.expectedSerial, input.inputSerial, "serial should match")
-			assert.Len(t, input.inputNSGroups, testCase.expectedZonesLen, "zones len should match")
-			assert.Equal(t, testCase.expectedZones, input.inputZones, "custom zones should match")
-			assert.Len(t, input.inputNSGroups, testCase.expectedNSGroupsLen, "ns groups len should match")
-			assert.Equal(t, testCase.expectedNSGroups, input.inputNSGroups, "ns groups should match")
-		})
-	}
-}
-
 func TestEngine_MultiplePeers(t *testing.T) {
 	// log.SetLevel(log.DebugLevel)

@@ -802,13 +280,15 @@ func TestEngine_MultiplePeers(t *testing.T) {
 	ctx, cancel := context.WithCancel(CtxInitState(context.Background()))
 	defer cancel()

-	sigServer, signalAddr, err := startSignal()
+	sport := 10010
+	sigServer, err := startSignal(sport)
 	if err != nil {
 		t.Fatal(err)
 		return
 	}
 	defer sigServer.Stop()
-	mgmtServer, mgmtAddr, err := startManagement(dir)
+	mport := 33081
+	mgmtServer, err := startManagement(mport, dir)
 	if err != nil {
 		t.Fatal(err)
 		return
@@ -826,13 +306,12 @@ func TestEngine_MultiplePeers(t *testing.T) {
 	for i := 0; i < numPeers; i++ {
 		j := i
 		go func() {
-			engine, err := createEngine(ctx, cancel, setupKey, j, mgmtAddr, signalAddr)
+			engine, err := createEngine(ctx, cancel, setupKey, j, mport, sport)
 			if err != nil {
 				wg.Done()
 				t.Errorf("unable to create the engine for peer %d with error %v", j, err)
 				return
 			}
-			engine.dnsServer = &dns.MockServer{}
 			mu.Lock()
 			defer mu.Unlock()
 			err = engine.Start()
@@ -869,7 +348,7 @@ loop:
 		case <-ticker.C:
 			totalConnected := 0
 			for _, engine := range engines {
-				totalConnected = totalConnected + getConnectedPeers(engine)
+				totalConnected = totalConnected + len(engine.GetConnectedPeers())
 			}
 			if totalConnected == expectedConnected {
 				log.Infof("total connected=%d", totalConnected)
@@ -880,7 +359,7 @@ loop:
 	}
 	// cleanup test
 	for n, peerEngine := range engines {
-		t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name(), n)
+		t.Logf("stopping peer with interface %s from multipeer test, loopIndex %d", peerEngine.wgInterface.Name, n)
 		errStop := peerEngine.mgmClient.Close()
 		if errStop != nil {
 			log.Infoln("got error trying to close management clients from engine: ", errStop)
@@ -892,84 +371,16 @@ loop:
 	}
 }

-func Test_ParseNATExternalIPMappings(t *testing.T) {
-	ifaceList, err := net.Interfaces()
-	if err != nil {
-		t.Fatalf("could get the interface list, got error: %s", err)
-	}
-
-	var testingIP string
-	var testingInterface string
-
-	for _, iface := range ifaceList {
-		addrList, err := iface.Addrs()
-		if err != nil {
-			t.Fatalf("could get the addr list, got error: %s", err)
-		}
-		for _, addr := range addrList {
-			prefix := netip.MustParsePrefix(addr.String())
-			if prefix.Addr().Is4() && !prefix.Addr().IsLoopback() {
-				testingIP = prefix.Addr().String()
-				testingInterface = iface.Name
-			}
-		}
-	}
-
-	testCases := []struct {
-		name                    string
-		inputMapList            []string
-		inputBlacklistInterface []string
-		expectedOutput          []string
-	}{
-		{
-			name:                    "Parse Valid List Should Be OK",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
-			inputMapList:            []string{"1.1.1.1", "8.8.8.8/" + testingInterface},
-			expectedOutput:          []string{"1.1.1.1", "8.8.8.8/" + testingIP},
-		},
-		{
-			name:                    "Only Interface name Should Return Nil",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
-			inputMapList:            []string{testingInterface},
-			expectedOutput:          nil,
-		},
-		{
-			name:                    "Invalid IP Return Nil",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
-			inputMapList:            []string{"1.1.1.1000"},
-			expectedOutput:          nil,
-		},
-		{
-			name:                    "Invalid Mapping Element Should return Nil",
-			inputBlacklistInterface: defaultInterfaceBlacklist,
-			inputMapList:            []string{"1.1.1.1/10.10.10.1/eth0"},
-			expectedOutput:          nil,
-		},
-	}
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			engine := &Engine{
-				config: &EngineConfig{
-					IFaceBlackList: testCase.inputBlacklistInterface,
-					NATExternalIPs: testCase.inputMapList,
-				},
-			}
-			parsedList := engine.parseNATExternalIPMappings()
-			require.ElementsMatchf(t, testCase.expectedOutput, parsedList, "elements of parsed list should match expected list")
-		})
-	}
-}
-
-func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mgmtAddr string, signalAddr string) (*Engine, error) {
+func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey string, i int, mport int, sport int) (*Engine, error) {
 	key, err := wgtypes.GeneratePrivateKey()
 	if err != nil {
 		return nil, err
 	}
-	mgmtClient, err := mgmt.NewClient(ctx, mgmtAddr, key, false)
+	mgmtClient, err := mgmt.NewClient(ctx, fmt.Sprintf("localhost:%d", mport), key, false)
 	if err != nil {
 		return nil, err
 	}
-	signalClient, err := signal.NewClient(ctx, signalAddr, key, false)
+	signalClient, err := signal.NewClient(ctx, fmt.Sprintf("localhost:%d", sport), key, false)
 	if err != nil {
 		return nil, err
 	}
@@ -980,7 +391,7 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 	}

 	info := system.GetInfo(ctx)
-	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info, nil)
+	resp, err := mgmtClient.Register(*publicKey, setupKey, "", info)
 	if err != nil {
 		return nil, err
 	}
@@ -1000,13 +411,13 @@ func createEngine(ctx context.Context, cancel context.CancelFunc, setupKey strin
 		WgPort:       wgPort,
 	}

-	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf, MobileDependency{}, peer.NewRecorder("https://mgm")), nil
+	return NewEngine(ctx, cancel, signalClient, mgmtClient, conf), nil
 }

-func startSignal() (*grpc.Server, string, error) {
+func startSignal(port int) (*grpc.Server, error) {
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))

-	lis, err := net.Listen("tcp", "localhost:0")
+	lis, err := net.Listen("tcp", fmt.Sprintf(":%d", port))
 	if err != nil {
 		log.Fatalf("failed to listen: %v", err)
 	}
@@ -1019,10 +430,10 @@ func startSignal() (*grpc.Server, string, error) {
 		}
 	}()

-	return s, lis.Addr().String(), nil
+	return s, nil
 }

-func startManagement(dataDir string) (*grpc.Server, string, error) {
+func startManagement(port int, dataDir string) (*grpc.Server, error) {
 	config := &server.Config{
 		Stuns:      []*server.Host{},
 		TURNConfig: &server.TURNConfig{},
@@ -1034,29 +445,24 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 		HttpConfig: nil,
 	}

-	lis, err := net.Listen("tcp", "localhost:0")
+	lis, err := net.Listen("tcp", fmt.Sprintf("localhost:%d", port))
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 	s := grpc.NewServer(grpc.KeepaliveEnforcementPolicy(kaep), grpc.KeepaliveParams(kasp))
-	store, err := server.NewFileStore(config.Datadir, nil)
+	store, err := server.NewStore(config.Datadir)
 	if err != nil {
 		log.Fatalf("failed creating a store: %s: %v", config.Datadir, err)
 	}
 	peersUpdateManager := server.NewPeersUpdateManager()
-	eventStore := &activity.InMemoryEventStore{}
+	accountManager, err := server.BuildManager(store, peersUpdateManager, nil)
 	if err != nil {
-		return nil, "", nil
-	}
-	accountManager, err := server.BuildManager(store, peersUpdateManager, nil, "", "",
-		eventStore)
-	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 	turnManager := server.NewTimeBasedAuthSecretsManager(peersUpdateManager, config.TURNConfig)
-	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager, nil)
+	mgmtServer, err := server.NewServer(config, accountManager, peersUpdateManager, turnManager)
 	if err != nil {
-		return nil, "", err
+		return nil, err
 	}
 	mgmtProto.RegisterManagementServiceServer(s, mgmtServer)
 	go func() {
@@ -1065,25 +471,5 @@ func startManagement(dataDir string) (*grpc.Server, string, error) {
 		}
 	}()

-	return s, lis.Addr().String(), nil
-}
-
-// getConnectedPeers returns a connection Status or nil if peer connection wasn't found
-func getConnectedPeers(e *Engine) int {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-	i := 0
-	for _, conn := range e.peerConns {
-		if conn.Status() == peer.StatusConnected {
-			i++
-		}
-	}
-	return i
-}
-
-func getPeers(e *Engine) int {
-	e.syncMsgMux.Lock()
-	defer e.syncMsgMux.Unlock()
-
-	return len(e.peerConns)
+	return s, nil
 }
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -2,118 +2,80 @@ package internal

 import (
 	"context"
-	"net/url"

 	"github.com/google/uuid"
+	"github.com/netbirdio/netbird/client/system"
+	mgm "github.com/netbirdio/netbird/management/client"
+	mgmProto "github.com/netbirdio/netbird/management/proto"
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-
-	"github.com/netbirdio/netbird/client/ssh"
-	"github.com/netbirdio/netbird/client/system"
-	mgm "github.com/netbirdio/netbird/management/client"
-	mgmProto "github.com/netbirdio/netbird/management/proto"
 )

-// IsLoginRequired check that the server is support SSO or not
-func IsLoginRequired(ctx context.Context, privateKey string, mgmURL *url.URL, sshKey string) (bool, error) {
-	mgmClient, err := getMgmClient(ctx, privateKey, mgmURL)
-	if err != nil {
-		return false, err
-	}
-	defer func() {
-		err = mgmClient.Close()
-		if err != nil {
-			cStatus, ok := status.FromError(err)
-			if !ok || ok && cStatus.Code() != codes.Canceled {
-				log.Warnf("failed to close the Management service client, err: %v", err)
-			}
-		}
-	}()
-	log.Debugf("connected to the Management service %s", mgmURL.String())
-
-	pubSSHKey, err := ssh.GeneratePublicKey([]byte(sshKey))
-	if err != nil {
-		return false, err
-	}
-
-	_, err = doMgmLogin(ctx, mgmClient, pubSSHKey)
-	if isLoginNeeded(err) {
-		return true, nil
-	}
-	return false, err
-}
-
-// Login or register the client
 func Login(ctx context.Context, config *Config, setupKey string, jwtToken string) error {
-	mgmClient, err := getMgmClient(ctx, config.PrivateKey, config.ManagementURL)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		err = mgmClient.Close()
-		if err != nil {
-			cStatus, ok := status.FromError(err)
-			if !ok || ok && cStatus.Code() != codes.Canceled {
-				log.Warnf("failed to close the Management service client, err: %v", err)
-			}
-		}
-	}()
-	log.Debugf("connected to the Management service %s", config.ManagementURL.String())
-
-	pubSSHKey, err := ssh.GeneratePublicKey([]byte(config.SSHKey))
-	if err != nil {
-		return err
-	}
-
-	serverKey, err := doMgmLogin(ctx, mgmClient, pubSSHKey)
-	if isRegistrationNeeded(err) {
-		log.Debugf("peer registration required")
-		_, err = registerPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken, pubSSHKey)
-		return err
-	}
-
-	return err
-}
-
-func getMgmClient(ctx context.Context, privateKey string, mgmURL *url.URL) (*mgm.GrpcClient, error) {
 	// validate our peer's Wireguard PRIVATE key
-	myPrivateKey, err := wgtypes.ParseKey(privateKey)
+	myPrivateKey, err := wgtypes.ParseKey(config.PrivateKey)
 	if err != nil {
-		log.Errorf("failed parsing Wireguard key %s: [%s]", privateKey, err.Error())
-		return nil, err
+		log.Errorf("failed parsing Wireguard key %s: [%s]", config.PrivateKey, err.Error())
+		return err
 	}

 	var mgmTlsEnabled bool
-	if mgmURL.Scheme == "https" {
+	if config.ManagementURL.Scheme == "https" {
 		mgmTlsEnabled = true
 	}

-	log.Debugf("connecting to the Management service %s", mgmURL.String())
-	mgmClient, err := mgm.NewClient(ctx, mgmURL.Host, myPrivateKey, mgmTlsEnabled)
+	log.Debugf("connecting to Management Service %s", config.ManagementURL.String())
+	mgmClient, err := mgm.NewClient(ctx, config.ManagementURL.Host, myPrivateKey, mgmTlsEnabled)
 	if err != nil {
-		log.Errorf("failed connecting to the Management service %s %v", mgmURL.String(), err)
-		return nil, err
+		log.Errorf("failed connecting to Management Service %s %v", config.ManagementURL.String(), err)
+		return err
 	}
-	return mgmClient, err
-}
+	log.Debugf("connected to management Service %s", config.ManagementURL.String())

-func doMgmLogin(ctx context.Context, mgmClient *mgm.GrpcClient, pubSSHKey []byte) (*wgtypes.Key, error) {
 	serverKey, err := mgmClient.GetServerPublicKey()
 	if err != nil {
 		log.Errorf("failed while getting Management Service public key: %v", err)
-		return nil, err
+		return err
 	}

+	_, err = loginPeer(ctx, *serverKey, mgmClient, setupKey, jwtToken)
+	if err != nil {
+		log.Errorf("failed logging-in peer on Management Service : %v", err)
+		return err
+	}
+
+	err = mgmClient.Close()
+	if err != nil {
+		log.Errorf("failed closing Management Service client: %v", err)
+		return err
+	}
+
+	return nil
+}
+
+// loginPeer attempts to login to Management Service. If peer wasn't registered, tries the registration flow.
+func loginPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string) (*mgmProto.LoginResponse, error) {
 	sysInfo := system.GetInfo(ctx)
-	_, err = mgmClient.Login(*serverKey, sysInfo, pubSSHKey)
-	return serverKey, err
+	loginResp, err := client.Login(serverPublicKey, sysInfo)
+	if err != nil {
+		if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied {
+			log.Debugf("peer registration required")
+			return registerPeer(ctx, serverPublicKey, client, setupKey, jwtToken)
+		} else {
+			return nil, err
+		}
+	}
+
+	log.Info("peer has successfully logged-in to Management Service")
+
+	return loginResp, nil
 }

 // registerPeer checks whether setupKey was provided via cmd line and if not then it prompts user to enter a key.
 // Otherwise tries to register with the provided setupKey via command line.
-func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string, pubSSHKey []byte) (*mgmProto.LoginResponse, error) {
+func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.GrpcClient, setupKey string, jwtToken string) (*mgmProto.LoginResponse, error) {
 	validSetupKey, err := uuid.Parse(setupKey)
 	if err != nil && jwtToken == "" {
 		return nil, status.Errorf(codes.InvalidArgument, "invalid setup-key or no sso information provided, err: %v", err)
@@ -121,7 +83,7 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.

 	log.Debugf("sending peer registration request to Management Service")
 	info := system.GetInfo(ctx)
-	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info, pubSSHKey)
+	loginResp, err := client.Register(serverPublicKey, validSetupKey.String(), jwtToken, info)
 	if err != nil {
 		log.Errorf("failed registering peer %v,%s", err, validSetupKey.String())
 		return nil, err
@@ -131,31 +93,3 @@ func registerPeer(ctx context.Context, serverPublicKey wgtypes.Key, client *mgm.

 	return loginResp, nil
 }
-
-func isLoginNeeded(err error) bool {
-	if err == nil {
-		return false
-	}
-	s, ok := status.FromError(err)
-	if !ok {
-		return false
-	}
-	if s.Code() == codes.InvalidArgument || s.Code() == codes.PermissionDenied {
-		return true
-	}
-	return false
-}
-
-func isRegistrationNeeded(err error) bool {
-	if err == nil {
-		return false
-	}
-	s, ok := status.FromError(err)
-	if !ok {
-		return false
-	}
-	if s.Code() == codes.PermissionDenied {
-		return true
-	}
-	return false
-}
--- a/client/internal/mobile_dependency.go
+++ b/client/internal/mobile_dependency.go
@@ -1,14 +0,0 @@
-package internal
-
-import (
-	"github.com/netbirdio/netbird/client/internal/routemanager"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/iface"
-)
-
-// MobileDependency collect all dependencies for mobile platform
-type MobileDependency struct {
-	TunAdapter    iface.TunAdapter
-	IFaceDiscover stdnet.ExternalIFaceDiscover
-	RouteListener routemanager.RouteListener
-}
--- a/client/internal/oauth.go
+++ b/client/internal/oauth.go
@@ -5,10 +5,8 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io"
+	"io/ioutil"
 	"net/http"
-	"net/url"
-	"reflect"
 	"strings"
 	"time"
 )
@@ -16,6 +14,7 @@ import (
 // OAuthClient is a OAuth client interface for various idp providers
 type OAuthClient interface {
 	RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
+	RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error)
 	WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error)
 	GetClientID(ctx context.Context) string
 }
@@ -35,6 +34,15 @@ type DeviceAuthInfo struct {
 	Interval                int    `json:"interval"`
 }

+// TokenInfo holds information of issued access token
+type TokenInfo struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	IDToken      string `json:"id_token"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
 // HostedGrantType grant type for device flow on Hosted
 const (
 	HostedGrantType    = "urn:ietf:params:oauth:grant-type:device_code"
@@ -43,7 +51,12 @@ const (

 // Hosted client
 type Hosted struct {
-	providerConfig ProviderConfig
+	// Hosted API Audience for validation
+	Audience string
+	// Hosted Native application client id
+	ClientID string
+	// Hosted domain
+	Domain string

 	HTTPClient HTTPClient
 }
@@ -52,7 +65,6 @@ type Hosted struct {
 type RequestDeviceCodePayload struct {
 	Audience string `json:"audience"`
 	ClientID string `json:"client_id"`
-	Scope    string `json:"scope"`
 }

 // TokenRequestPayload used for requesting the auth0 token
@@ -72,29 +84,11 @@ type TokenRequestResponse struct {

 // Claims used when validating the access token
 type Claims struct {
-	Audience interface{} `json:"aud"`
-}
-
-// TokenInfo holds information of issued access token
-type TokenInfo struct {
-	AccessToken  string `json:"access_token"`
-	RefreshToken string `json:"refresh_token"`
-	IDToken      string `json:"id_token"`
-	TokenType    string `json:"token_type"`
-	ExpiresIn    int    `json:"expires_in"`
-	UseIDToken   bool   `json:"-"`
-}
-
-// GetTokenToUse returns either the access or id token based on UseIDToken field
-func (t TokenInfo) GetTokenToUse() string {
-	if t.UseIDToken {
-		return t.IDToken
-	}
-	return t.AccessToken
+	Audience string `json:"aud"`
 }

 // NewHostedDeviceFlow returns an Hosted OAuth client
-func NewHostedDeviceFlow(config ProviderConfig) *Hosted {
+func NewHostedDeviceFlow(audience string, clientID string, domain string) *Hosted {
 	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
 	httpTransport.MaxIdleConns = 5

@@ -104,28 +98,36 @@ func NewHostedDeviceFlow(config ProviderConfig) *Hosted {
 	}

 	return &Hosted{
-		providerConfig: config,
-		HTTPClient:     httpClient,
+		Audience:   audience,
+		ClientID:   clientID,
+		Domain:     domain,
+		HTTPClient: httpClient,
 	}
 }

 // GetClientID returns the provider client id
 func (h *Hosted) GetClientID(ctx context.Context) string {
-	return h.providerConfig.ClientID
+	return h.ClientID
 }

 // RequestDeviceCode requests a device code login flow information from Hosted
 func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error) {
-	form := url.Values{}
-	form.Add("client_id", h.providerConfig.ClientID)
-	form.Add("audience", h.providerConfig.Audience)
-	form.Add("scope", h.providerConfig.Scope)
-	req, err := http.NewRequest("POST", h.providerConfig.DeviceAuthEndpoint,
-		strings.NewReader(form.Encode()))
+	url := "https://" + h.Domain + "/oauth/device/code"
+	codePayload := RequestDeviceCodePayload{
+		Audience: h.Audience,
+		ClientID: h.ClientID,
+	}
+	p, err := json.Marshal(codePayload)
+	if err != nil {
+		return DeviceAuthInfo{}, fmt.Errorf("parsing payload failed with error: %v", err)
+	}
+	payload := strings.NewReader(string(p))
+	req, err := http.NewRequest("POST", url, payload)
 	if err != nil {
 		return DeviceAuthInfo{}, fmt.Errorf("creating request failed with error: %v", err)
 	}
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+
+	req.Header.Add("content-type", "application/json")

 	res, err := h.HTTPClient.Do(req)
 	if err != nil {
@@ -133,7 +135,7 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
 	}

 	defer res.Body.Close()
-	body, err := io.ReadAll(res.Body)
+	body, err := ioutil.ReadAll(res.Body)
 	if err != nil {
 		return DeviceAuthInfo{}, fmt.Errorf("reading body failed with error: %v", err)
 	}
@@ -148,56 +150,9 @@ func (h *Hosted) RequestDeviceCode(ctx context.Context) (DeviceAuthInfo, error)
 		return DeviceAuthInfo{}, fmt.Errorf("unmarshaling response failed with error: %v", err)
 	}

-	// Fallback to the verification_uri if the IdP doesn't support verification_uri_complete
-	if deviceCode.VerificationURIComplete == "" {
-		deviceCode.VerificationURIComplete = deviceCode.VerificationURI
-	}
-
 	return deviceCode, err
 }

-func (h *Hosted) requestToken(info DeviceAuthInfo) (TokenRequestResponse, error) {
-	form := url.Values{}
-	form.Add("client_id", h.providerConfig.ClientID)
-	form.Add("grant_type", HostedGrantType)
-	form.Add("device_code", info.DeviceCode)
-	req, err := http.NewRequest("POST", h.providerConfig.TokenEndpoint, strings.NewReader(form.Encode()))
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("failed to create request access token: %v", err)
-	}
-
-	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
-
-	res, err := h.HTTPClient.Do(req)
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("failed to request access token with error: %v", err)
-	}
-
-	defer func() {
-		err := res.Body.Close()
-		if err != nil {
-			return
-		}
-	}()
-
-	body, err := io.ReadAll(res.Body)
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("failed reading access token response body with error: %v", err)
-	}
-
-	if res.StatusCode > 499 {
-		return TokenRequestResponse{}, fmt.Errorf("access token response returned code: %s", string(body))
-	}
-
-	tokenResponse := TokenRequestResponse{}
-	err = json.Unmarshal(body, &tokenResponse)
-	if err != nil {
-		return TokenRequestResponse{}, fmt.Errorf("parsing token response failed with error: %v", err)
-	}
-
-	return tokenResponse, nil
-}
-
 // WaitToken waits user's login and authorize the app. Once the user's authorize
 // it retrieves the access token from Hosted's endpoint and validates it before returning
 func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo, error) {
@@ -208,8 +163,24 @@ func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo,
 		case <-ctx.Done():
 			return TokenInfo{}, ctx.Err()
 		case <-ticker.C:
+			url := "https://" + h.Domain + "/oauth/token"
+			tokenReqPayload := TokenRequestPayload{
+				GrantType:  HostedGrantType,
+				DeviceCode: info.DeviceCode,
+				ClientID:   h.ClientID,
+			}

-			tokenResponse, err := h.requestToken(info)
+			body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("wait for token: %v", err)
+			}
+
+			if statusCode > 499 {
+				return TokenInfo{}, fmt.Errorf("wait token code returned error: %s", string(body))
+			}
+
+			tokenResponse := TokenRequestResponse{}
+			err = json.Unmarshal(body, &tokenResponse)
 			if err != nil {
 				return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
 			}
@@ -226,25 +197,88 @@ func (h *Hosted) WaitToken(ctx context.Context, info DeviceAuthInfo) (TokenInfo,
 				return TokenInfo{}, fmt.Errorf(tokenResponse.ErrorDescription)
 			}

+			err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+			if err != nil {
+				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+			}
+
 			tokenInfo := TokenInfo{
 				AccessToken:  tokenResponse.AccessToken,
 				TokenType:    tokenResponse.TokenType,
 				RefreshToken: tokenResponse.RefreshToken,
 				IDToken:      tokenResponse.IDToken,
 				ExpiresIn:    tokenResponse.ExpiresIn,
-				UseIDToken:   h.providerConfig.UseIDToken,
 			}
-
-			err = isValidAccessToken(tokenInfo.GetTokenToUse(), h.providerConfig.Audience)
-			if err != nil {
-				return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
-			}
-
 			return tokenInfo, err
 		}
 	}
 }

+// RotateAccessToken requests a new token using an existing refresh token
+func (h *Hosted) RotateAccessToken(ctx context.Context, refreshToken string) (TokenInfo, error) {
+	url := "https://" + h.Domain + "/oauth/token"
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:    HostedRefreshGrant,
+		ClientID:     h.ClientID,
+		RefreshToken: refreshToken,
+	}
+
+	body, statusCode, err := requestToken(h.HTTPClient, url, tokenReqPayload)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("rotate access token: %v", err)
+	}
+
+	if statusCode != 200 {
+		return TokenInfo{}, fmt.Errorf("rotating token returned error: %s", string(body))
+	}
+
+	tokenResponse := TokenRequestResponse{}
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("parsing token response failed with error: %v", err)
+	}
+
+	err = isValidAccessToken(tokenResponse.AccessToken, h.Audience)
+	if err != nil {
+		return TokenInfo{}, fmt.Errorf("validate access token failed with error: %v", err)
+	}
+
+	tokenInfo := TokenInfo{
+		AccessToken:  tokenResponse.AccessToken,
+		TokenType:    tokenResponse.TokenType,
+		RefreshToken: tokenResponse.RefreshToken,
+		IDToken:      tokenResponse.IDToken,
+		ExpiresIn:    tokenResponse.ExpiresIn,
+	}
+	return tokenInfo, err
+}
+
+func requestToken(client HTTPClient, url string, tokenReqPayload TokenRequestPayload) ([]byte, int, error) {
+	p, err := json.Marshal(tokenReqPayload)
+	if err != nil {
+		return nil, 0, fmt.Errorf("parsing token payload failed with error: %v", err)
+	}
+	payload := strings.NewReader(string(p))
+	req, err := http.NewRequest("POST", url, payload)
+	if err != nil {
+		return nil, 0, fmt.Errorf("creating token request failed with error: %v", err)
+	}
+
+	req.Header.Add("content-type", "application/json")
+
+	res, err := client.Do(req)
+	if err != nil {
+		return nil, 0, fmt.Errorf("doing token request failed with error: %v", err)
+	}
+
+	defer res.Body.Close()
+	body, err := ioutil.ReadAll(res.Body)
+	if err != nil {
+		return nil, 0, fmt.Errorf("reading token body failed with error: %v", err)
+	}
+	return body, res.StatusCode, nil
+}
+
 // isValidAccessToken is a simple validation of the access token
 func isValidAccessToken(token string, audience string) error {
 	if token == "" {
@@ -263,24 +297,9 @@ func isValidAccessToken(token string, audience string) error {
 		return err
 	}

-	if claims.Audience == nil {
-		return fmt.Errorf("required token field audience is absent")
+	if claims.Audience != audience {
+		return fmt.Errorf("invalid audience")
 	}

-	// Audience claim of JWT can be a string or an array of strings
-	typ := reflect.TypeOf(claims.Audience)
-	switch typ.Kind() {
-	case reflect.String:
-		if claims.Audience == audience {
-			return nil
-		}
-	case reflect.Slice:
-		for _, aud := range claims.Audience.([]interface{}) {
-			if audience == aud {
-				return nil
-			}
-		}
-	}
-
-	return fmt.Errorf("invalid JWT token audience field")
+	return nil
 }
--- a/client/internal/oauth_test.go
+++ b/client/internal/oauth_test.go
@@ -2,16 +2,15 @@ package internal

 import (
 	"context"
+	"encoding/json"
 	"fmt"
-	"io"
+	"github.com/golang-jwt/jwt"
+	"github.com/stretchr/testify/require"
+	"io/ioutil"
 	"net/http"
-	"net/url"
 	"strings"
 	"testing"
 	"time"
-
-	"github.com/golang-jwt/jwt"
-	"github.com/stretchr/testify/require"
 )

 type mockHTTPClient struct {
@@ -25,7 +24,7 @@ type mockHTTPClient struct {
 }

 func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
-	body, err := io.ReadAll(req.Body)
+	body, err := ioutil.ReadAll(req.Body)
 	if err == nil {
 		c.reqBody = string(body)
 	}
@@ -34,13 +33,13 @@ func (c *mockHTTPClient) Do(req *http.Request) (*http.Response, error) {
 		c.count++
 		return &http.Response{
 			StatusCode: c.code,
-			Body:       io.NopCloser(strings.NewReader(c.countResBody)),
+			Body:       ioutil.NopCloser(strings.NewReader(c.countResBody)),
 		}, c.err
 	}

 	return &http.Response{
 		StatusCode: c.code,
-		Body:       io.NopCloser(strings.NewReader(c.resBody)),
+		Body:       ioutil.NopCloser(strings.NewReader(c.resBody)),
 	}, c.err
 }

@@ -55,21 +54,15 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingFunc      require.ComparisonAssertionFunc
 		expectedOut      DeviceAuthInfo
 		expectedMSG      string
-		expectPayload    string
+		expectPayload    RequestDeviceCodePayload
 	}

-	expectedAudience := "ok"
-	expectedClientID := "bla"
-	expectedScope := "openid"
-	form := url.Values{}
-	form.Add("audience", expectedAudience)
-	form.Add("client_id", expectedClientID)
-	form.Add("scope", expectedScope)
-	expectPayload := form.Encode()
-
 	testCase1 := test{
-		name:           "Payload Is Valid",
-		expectPayload:  expectPayload,
+		name: "Payload Is Valid",
+		expectPayload: RequestDeviceCodePayload{
+			Audience: "ok",
+			ClientID: "bla",
+		},
 		inputReqCode:   200,
 		testingErrFunc: require.Error,
 		testingFunc:    require.EqualValues,
@@ -81,7 +74,6 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingErrFunc:   require.Error,
 		expectedErrorMSG: "should return error",
 		testingFunc:      require.EqualValues,
-		expectPayload:    expectPayload,
 	}

 	testCase3 := test{
@@ -90,13 +82,15 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 		testingErrFunc:   require.Error,
 		expectedErrorMSG: "should return error",
 		testingFunc:      require.EqualValues,
-		expectPayload:    expectPayload,
 	}
 	testCase4Out := DeviceAuthInfo{ExpiresIn: 10}
 	testCase4 := test{
-		name:           "Got Device Code",
-		inputResBody:   fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
-		expectPayload:  expectPayload,
+		name:         "Got Device Code",
+		inputResBody: fmt.Sprintf("{\"expires_in\":%d}", testCase4Out.ExpiresIn),
+		expectPayload: RequestDeviceCodePayload{
+			Audience: "ok",
+			ClientID: "bla",
+		},
 		inputReqCode:   200,
 		testingErrFunc: require.NoError,
 		testingFunc:    require.EqualValues,
@@ -114,21 +108,18 @@ func TestHosted_RequestDeviceCode(t *testing.T) {
 			}

 			hosted := Hosted{
-				providerConfig: ProviderConfig{
-					Audience:           expectedAudience,
-					ClientID:           expectedClientID,
-					Scope:              expectedScope,
-					TokenEndpoint:      "test.hosted.com/token",
-					DeviceAuthEndpoint: "test.hosted.com/device/auth",
-					UseIDToken:         false,
-				},
+				Audience:   testCase.expectPayload.Audience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
 				HTTPClient: &httpClient,
 			}

 			authInfo, err := hosted.RequestDeviceCode(context.TODO())
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)

-			require.EqualValues(t, expectPayload, httpClient.reqBody, "payload should match")
+			payload, _ := json.Marshal(testCase.expectPayload)
+
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")

 			testCase.testingFunc(t, testCase.expectedOut, authInfo, testCase.expectedMSG)

@@ -152,7 +143,7 @@ func TestHosted_WaitToken(t *testing.T) {
 		testingFunc       require.ComparisonAssertionFunc
 		expectedOut       TokenInfo
 		expectedMSG       string
-		expectPayload     string
+		expectPayload     TokenRequestPayload
 	}

 	defaultInfo := DeviceAuthInfo{
@@ -161,13 +152,11 @@ func TestHosted_WaitToken(t *testing.T) {
 		Interval:   1,
 	}

-	clientID := "test"
-
-	form := url.Values{}
-	form.Add("grant_type", HostedGrantType)
-	form.Add("device_code", defaultInfo.DeviceCode)
-	form.Add("client_id", clientID)
-	tokenReqPayload := form.Encode()
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:  HostedGrantType,
+		DeviceCode: defaultInfo.DeviceCode,
+		ClientID:   "test",
+	}

 	testCase1 := test{
 		name:           "Payload Is Valid",
@@ -279,22 +268,23 @@ func TestHosted_WaitToken(t *testing.T) {
 			}

 			hosted := Hosted{
-				providerConfig: ProviderConfig{
-					Audience:           testCase.inputAudience,
-					ClientID:           clientID,
-					TokenEndpoint:      "test.hosted.com/token",
-					DeviceAuthEndpoint: "test.hosted.com/device/auth",
-					Scope:              "openid",
-					UseIDToken:         false,
-				},
-				HTTPClient: &httpClient}
+				Audience:   testCase.inputAudience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}

 			ctx, cancel := context.WithTimeout(context.TODO(), testCase.inputTimeout)
 			defer cancel()
 			tokenInfo, err := hosted.WaitToken(ctx, testCase.inputInfo)
 			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)

-			require.EqualValues(t, testCase.expectPayload, httpClient.reqBody, "payload should match")
+			var payload []byte
+			var emptyPayload TokenRequestPayload
+			if testCase.expectPayload != emptyPayload {
+				payload, _ = json.Marshal(testCase.expectPayload)
+			}
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")

 			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)

@@ -303,3 +293,123 @@ func TestHosted_WaitToken(t *testing.T) {
 		})
 	}
 }
+
+func TestHosted_RotateAccessToken(t *testing.T) {
+	type test struct {
+		name             string
+		inputResBody     string
+		inputReqCode     int
+		inputReqError    error
+		inputMaxReqs     int
+		inputInfo        DeviceAuthInfo
+		inputAudience    string
+		testingErrFunc   require.ErrorAssertionFunc
+		expectedErrorMSG string
+		testingFunc      require.ComparisonAssertionFunc
+		expectedOut      TokenInfo
+		expectedMSG      string
+		expectPayload    TokenRequestPayload
+	}
+
+	defaultInfo := DeviceAuthInfo{
+		DeviceCode: "test",
+		ExpiresIn:  10,
+		Interval:   1,
+	}
+
+	tokenReqPayload := TokenRequestPayload{
+		GrantType:    HostedRefreshGrant,
+		ClientID:     "test",
+		RefreshToken: "refresh_test",
+	}
+
+	testCase1 := test{
+		name:           "Payload Is Valid",
+		inputInfo:      defaultInfo,
+		inputReqCode:   200,
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase2 := test{
+		name:             "Exit On Network Error",
+		inputInfo:        defaultInfo,
+		expectPayload:    tokenReqPayload,
+		inputReqError:    fmt.Errorf("error"),
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	testCase3 := test{
+		name:             "Exit On Non 200 Status Code",
+		inputInfo:        defaultInfo,
+		inputReqCode:     401,
+		expectPayload:    tokenReqPayload,
+		testingErrFunc:   require.Error,
+		expectedErrorMSG: "should return error",
+		testingFunc:      require.EqualValues,
+	}
+
+	audience := "test"
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{"aud": audience})
+	var hmacSampleSecret []byte
+	tokenString, _ := token.SignedString(hmacSampleSecret)
+
+	testCase4 := test{
+		name:           "Exit On Invalid Audience",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputReqCode:   200,
+		inputAudience:  "super test",
+		testingErrFunc: require.Error,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+	}
+
+	testCase5 := test{
+		name:           "Received Token Info",
+		inputInfo:      defaultInfo,
+		inputResBody:   fmt.Sprintf("{\"access_token\":\"%s\"}", tokenString),
+		inputReqCode:   200,
+		inputAudience:  audience,
+		testingErrFunc: require.NoError,
+		testingFunc:    require.EqualValues,
+		expectPayload:  tokenReqPayload,
+		expectedOut:    TokenInfo{AccessToken: tokenString},
+	}
+
+	for _, testCase := range []test{testCase1, testCase2, testCase3, testCase4, testCase5} {
+		t.Run(testCase.name, func(t *testing.T) {
+
+			httpClient := mockHTTPClient{
+				resBody: testCase.inputResBody,
+				code:    testCase.inputReqCode,
+				err:     testCase.inputReqError,
+				MaxReqs: testCase.inputMaxReqs,
+			}
+
+			hosted := Hosted{
+				Audience:   testCase.inputAudience,
+				ClientID:   testCase.expectPayload.ClientID,
+				Domain:     "test.hosted.com",
+				HTTPClient: &httpClient,
+			}
+
+			tokenInfo, err := hosted.RotateAccessToken(context.TODO(), testCase.expectPayload.RefreshToken)
+			testCase.testingErrFunc(t, err, testCase.expectedErrorMSG)
+
+			var payload []byte
+			var emptyPayload TokenRequestPayload
+			if testCase.expectPayload != emptyPayload {
+				payload, _ = json.Marshal(testCase.expectPayload)
+			}
+			require.EqualValues(t, string(payload), httpClient.reqBody, "payload should match")
+
+			testCase.testingFunc(t, testCase.expectedOut, tokenInfo, testCase.expectedMSG)
+
+		})
+	}
+}
--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -2,27 +2,15 @@ package peer

 import (
 	"context"
-	"fmt"
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl"
 	"net"
-	"strings"
 	"sync"
 	"time"

+	"github.com/netbirdio/netbird/client/internal/proxy"
 	"github.com/pion/ice/v2"
 	log "github.com/sirupsen/logrus"
-
-	"github.com/netbirdio/netbird/client/internal/proxy"
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-	"github.com/netbirdio/netbird/iface"
-	"github.com/netbirdio/netbird/iface/bind"
-	signal "github.com/netbirdio/netbird/signal/client"
-	sProto "github.com/netbirdio/netbird/signal/proto"
-	"github.com/netbirdio/netbird/version"
-)
-
-const (
-	iceKeepAliveDefault           = 4 * time.Second
-	iceDisconnectedTimeoutDefault = 6 * time.Second
 )

 // ConnConfig is a peer Connection configuration
@@ -38,8 +26,7 @@ type ConnConfig struct {

 	// InterfaceBlackList is a list of machine interfaces that should be filtered out by ICE Candidate gathering
 	// (e.g. if eth0 is in the list, host candidate of this interface won't be used)
-	InterfaceBlackList   []string
-	DisableIPv6Discovery bool
+	InterfaceBlackList []string

 	Timeout time.Duration

@@ -47,25 +34,6 @@ type ConnConfig struct {

 	UDPMux      ice.UDPMux
 	UDPMuxSrflx ice.UniversalUDPMux
-
-	LocalWgPort int
-
-	NATExternalIPs []string
-
-	// UsesBind indicates whether the WireGuard interface is userspace and uses bind.ICEBind
-	UserspaceBind bool
-}
-
-// OfferAnswer represents a session establishment offer or answer
-type OfferAnswer struct {
-	IceCredentials IceCredentials
-	// WgListenPort is a remote WireGuard listen port.
-	// This field is used when establishing a direct WireGuard connection without any proxy.
-	// We can set the remote peer's endpoint with this port.
-	WgListenPort int
-
-	// Version of NetBird Agent
-	Version string
 }

 // IceCredentials ICE protocol credentials struct
@@ -81,14 +49,13 @@ type Conn struct {
 	// signalCandidate is a handler function to signal remote peer about local connection candidate
 	signalCandidate func(candidate ice.Candidate) error
 	// signalOffer is a handler function to signal remote peer our connection offer (credentials)
-	signalOffer       func(OfferAnswer) error
-	signalAnswer      func(OfferAnswer) error
-	sendSignalMessage func(message *sProto.Message) error
+	signalOffer  func(uFrag string, pwd string) error
+	signalAnswer func(uFrag string, pwd string) error

 	// remoteOffersCh is a channel used to wait for remote credentials to proceed with the connection
-	remoteOffersCh chan OfferAnswer
+	remoteOffersCh chan IceCredentials
 	// remoteAnswerCh is a channel used to wait for remote credentials answer (confirmation of our offer) to proceed with the connection
-	remoteAnswerCh     chan OfferAnswer
+	remoteAnswerCh     chan IceCredentials
 	closeCh            chan struct{}
 	ctx                context.Context
 	notifyDisconnected context.CancelFunc
@@ -96,90 +63,65 @@ type Conn struct {
 	agent  *ice.Agent
 	status ConnStatus

-	statusRecorder *Status
-
-	proxy        proxy.Proxy
-	remoteModeCh chan ModeMessage
-	meta         meta
-
-	adapter       iface.TunAdapter
-	iFaceDiscover stdnet.ExternalIFaceDiscover
-}
-
-// meta holds meta information about a connection
-type meta struct {
-	protoSupport signal.FeaturesSupport
-}
-
-// ModeMessage represents a connection mode chosen by the peer
-type ModeMessage struct {
-	// Direct indicates that it decided to use a direct connection
-	Direct bool
-}
-
-// GetConf returns the connection config
-func (conn *Conn) GetConf() ConnConfig {
-	return conn.config
-}
-
-// UpdateConf updates the connection config
-func (conn *Conn) UpdateConf(conf ConnConfig) {
-	conn.config = conf
+	proxy proxy.Proxy
 }

 // NewConn creates a new not opened Conn to the remote peer.
 // To establish a connection run Conn.Open
-func NewConn(config ConnConfig, statusRecorder *Status, adapter iface.TunAdapter, iFaceDiscover stdnet.ExternalIFaceDiscover) (*Conn, error) {
+func NewConn(config ConnConfig) (*Conn, error) {
 	return &Conn{
 		config:         config,
 		mu:             sync.Mutex{},
 		status:         StatusDisconnected,
 		closeCh:        make(chan struct{}),
-		remoteOffersCh: make(chan OfferAnswer),
-		remoteAnswerCh: make(chan OfferAnswer),
-		statusRecorder: statusRecorder,
-		remoteModeCh:   make(chan ModeMessage, 1),
-		adapter:        adapter,
-		iFaceDiscover:  iFaceDiscover,
+		remoteOffersCh: make(chan IceCredentials),
+		remoteAnswerCh: make(chan IceCredentials),
 	}, nil
 }

+// interfaceFilter is a function passed to ICE Agent to filter out blacklisted interfaces
+func interfaceFilter(blackList []string) func(string) bool {
+	var blackListMap map[string]struct{}
+	if blackList != nil {
+		blackListMap = make(map[string]struct{})
+		for _, s := range blackList {
+			blackListMap[s] = struct{}{}
+		}
+	}
+	return func(iFace string) bool {
+
+		_, ok := blackListMap[iFace]
+		if ok {
+			return false
+		}
+		// look for unlisted Wireguard interfaces
+		wg, err := wgctrl.New()
+		if err != nil {
+			log.Debugf("trying to create a wgctrl client failed with: %v", err)
+		}
+		defer wg.Close()
+
+		_, err = wg.Device(iFace)
+		return err != nil
+	}
+}
+
 func (conn *Conn) reCreateAgent() error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

 	failedTimeout := 6 * time.Second
-
 	var err error
-	transportNet, err := conn.newStdNet()
-	if err != nil {
-		log.Errorf("failed to create pion's stdnet: %s", err)
-	}
-
-	iceKeepAlive := iceKeepAlive()
-	iceDisconnectedTimeout := iceDisconnectedTimeout()
-
-	agentConfig := &ice.AgentConfig{
-		MulticastDNSMode:    ice.MulticastDNSModeDisabled,
-		NetworkTypes:        []ice.NetworkType{ice.NetworkTypeUDP4, ice.NetworkTypeUDP6},
-		Urls:                conn.config.StunTurn,
-		CandidateTypes:      conn.candidateTypes(),
-		FailedTimeout:       &failedTimeout,
-		InterfaceFilter:     stdnet.InterfaceFilter(conn.config.InterfaceBlackList),
-		UDPMux:              conn.config.UDPMux,
-		UDPMuxSrflx:         conn.config.UDPMuxSrflx,
-		NAT1To1IPs:          conn.config.NATExternalIPs,
-		Net:                 transportNet,
-		DisconnectedTimeout: &iceDisconnectedTimeout,
-		KeepaliveInterval:   &iceKeepAlive,
-	}
-
-	if conn.config.DisableIPv6Discovery {
-		agentConfig.NetworkTypes = []ice.NetworkType{ice.NetworkTypeUDP4}
-	}
-
-	conn.agent, err = ice.NewAgent(agentConfig)
-
+	conn.agent, err = ice.NewAgent(&ice.AgentConfig{
+		MulticastDNSMode: ice.MulticastDNSModeDisabled,
+		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4},
+		Urls:             conn.config.StunTurn,
+		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
+		FailedTimeout:    &failedTimeout,
+		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
+		UDPMux:           conn.config.UDPMux,
+		UDPMuxSrflx:      conn.config.UDPMuxSrflx,
+	})
 	if err != nil {
 		return err
 	}
@@ -202,30 +144,12 @@ func (conn *Conn) reCreateAgent() error {
 	return nil
 }

-func (conn *Conn) candidateTypes() []ice.CandidateType {
-	if hasICEForceRelayConn() {
-		return []ice.CandidateType{ice.CandidateTypeRelay}
-	}
-	return []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay}
-}
-
 // Open opens connection to the remote peer starting ICE candidate gathering process.
 // Blocks until connection has been closed or connection timeout.
 // ConnStatus will be set accordingly
 func (conn *Conn) Open() error {
 	log.Debugf("trying to connect to peer %s", conn.config.Key)

-	peerState := State{PubKey: conn.config.Key}
-
-	peerState.IP = strings.Split(conn.config.ProxyConfig.AllowedIps, "/")[0]
-	peerState.ConnStatusUpdate = time.Now()
-	peerState.ConnStatus = conn.status
-
-	err := conn.statusRecorder.UpdatePeerState(peerState)
-	if err != nil {
-		log.Warnf("erro while updating the state of peer %s,err: %v", conn.config.Key, err)
-	}
-
 	defer func() {
 		err := conn.cleanup()
 		if err != nil {
@@ -234,7 +158,7 @@ func (conn *Conn) Open() error {
 		}
 	}()

-	err = conn.reCreateAgent()
+	err := conn.reCreateAgent()
 	if err != nil {
 		return err
 	}
@@ -249,15 +173,15 @@ func (conn *Conn) Open() error {
 	// Only continue once we got a connection confirmation from the remote peer.
 	// The connection timeout could have happened before a confirmation received from the remote.
 	// The connection could have also been closed externally (e.g. when we received an update from the management that peer shouldn't be connected)
-	var remoteOfferAnswer OfferAnswer
+	var remoteCredentials IceCredentials
 	select {
-	case remoteOfferAnswer = <-conn.remoteOffersCh:
+	case remoteCredentials = <-conn.remoteOffersCh:
 		// received confirmation from the remote peer -> ready to proceed
 		err = conn.sendAnswer()
 		if err != nil {
 			return err
 		}
-	case remoteOfferAnswer = <-conn.remoteAnswerCh:
+	case remoteCredentials = <-conn.remoteAnswerCh:
 	case <-time.After(conn.config.Timeout):
 		return NewConnectionTimeoutError(conn.config.Key, conn.config.Timeout)
 	case <-conn.closeCh:
@@ -265,8 +189,7 @@ func (conn *Conn) Open() error {
 		return NewConnectionClosedError(conn.config.Key)
 	}

-	log.Debugf("received connection confirmation from peer %s running version %s and with remote WireGuard listen port %d",
-		conn.config.Key, remoteOfferAnswer.Version, remoteOfferAnswer.WgListenPort)
+	log.Debugf("received connection confirmation from peer %s", conn.config.Key)

 	// at this point we received offer/answer and we are ready to gather candidates
 	conn.mu.Lock()
@@ -275,15 +198,6 @@ func (conn *Conn) Open() error {
 	defer conn.notifyDisconnected()
 	conn.mu.Unlock()

-	peerState = State{PubKey: conn.config.Key}
-
-	peerState.ConnStatus = conn.status
-	peerState.ConnStatusUpdate = time.Now()
-	err = conn.statusRecorder.UpdatePeerState(peerState)
-	if err != nil {
-		log.Warnf("erro while updating the state of peer %s,err: %v", conn.config.Key, err)
-	}
-
 	err = conn.agent.GatherCandidates()
 	if err != nil {
 		return err
@@ -295,30 +209,25 @@ func (conn *Conn) Open() error {
 	isControlling := conn.config.LocalKey > conn.config.Key
 	var remoteConn *ice.Conn
 	if isControlling {
-		remoteConn, err = conn.agent.Dial(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		remoteConn, err = conn.agent.Dial(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
 	} else {
-		remoteConn, err = conn.agent.Accept(conn.ctx, remoteOfferAnswer.IceCredentials.UFrag, remoteOfferAnswer.IceCredentials.Pwd)
+		remoteConn, err = conn.agent.Accept(conn.ctx, remoteCredentials.UFrag, remoteCredentials.Pwd)
 	}
 	if err != nil {
 		return err
 	}

-	// dynamically set remote WireGuard port is other side specified a different one from the default one
-	remoteWgPort := iface.DefaultWgPort
-	if remoteOfferAnswer.WgListenPort != 0 {
-		remoteWgPort = remoteOfferAnswer.WgListenPort
-	}
-	// the ice connection has been established successfully so we are ready to start the proxy
-	err = conn.startProxy(remoteConn, remoteWgPort)
+	// the connection has been established successfully so we are ready to start the proxy
+	err = conn.startProxy(remoteConn)
 	if err != nil {
 		return err
 	}

-	if conn.proxy.Type() == proxy.TypeDirectNoProxy {
+	if conn.proxy.Type() == proxy.TypeNoProxy {
 		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
 		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
 		// direct Wireguard connection
-		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, conn.config.LocalWgPort, rhost, remoteWgPort)
+		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, iface.DefaultWgPort, rhost, iface.DefaultWgPort)
 	} else {
 		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
 	}
@@ -334,12 +243,43 @@ func (conn *Conn) Open() error {
 	}
 }

-func isRelayCandidate(candidate ice.Candidate) bool {
-	return candidate.Type() == ice.CandidateTypeRelay
+// useProxy determines whether a direct connection (without a go proxy) is possible
+// There are 3 cases: one of the peers has a public IP or both peers are in the same private network
+// Please note, that this check happens when peers were already able to ping each other using ICE layer.
+func shouldUseProxy(pair *ice.CandidatePair) bool {
+	remoteIP := net.ParseIP(pair.Remote.Address())
+	myIp := net.ParseIP(pair.Local.Address())
+	remoteIsPublic := IsPublicIP(remoteIP)
+	myIsPublic := IsPublicIP(myIp)
+
+	//one of the hosts has a public IP
+	if remoteIsPublic && pair.Remote.Type() == ice.CandidateTypeHost {
+		return false
+	}
+	if myIsPublic && pair.Local.Type() == ice.CandidateTypeHost {
+		return false
+	}
+
+	if pair.Local.Type() == ice.CandidateTypeHost && pair.Remote.Type() == ice.CandidateTypeHost {
+		if !remoteIsPublic && !myIsPublic {
+			//both hosts are in the same private network
+			return false
+		}
+	}
+
+	return true
+}
+
+// IsPublicIP indicates whether IP is public or not.
+func IsPublicIP(ip net.IP) bool {
+	if ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsPrivate() {
+		return false
+	}
+	return true
 }

 // startProxy starts proxying traffic from/to local Wireguard and sets connection status to StatusConnected
-func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
+func (conn *Conn) startProxy(remoteConn net.Conn) error {
 	conn.mu.Lock()
 	defer conn.mu.Unlock()

@@ -349,8 +289,13 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 		return err
 	}

-	peerState := State{PubKey: conn.config.Key}
-	p := conn.getProxy(pair, remoteWgPort)
+	useProxy := shouldUseProxy(pair)
+	var p proxy.Proxy
+	if useProxy {
+		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
+	} else {
+		p = proxy.NewNoProxy(conn.config.ProxyConfig)
+	}
 	conn.proxy = p
 	err = p.Start(remoteConn)
 	if err != nil {
@@ -359,55 +304,9 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {

 	conn.status = StatusConnected

-	peerState.ConnStatus = conn.status
-	peerState.ConnStatusUpdate = time.Now()
-	peerState.LocalIceCandidateType = pair.Local.Type().String()
-	peerState.RemoteIceCandidateType = pair.Remote.Type().String()
-	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
-		peerState.Relayed = true
-	}
-	peerState.Direct = p.Type() == proxy.TypeDirectNoProxy || p.Type() == proxy.TypeNoProxy
-
-	err = conn.statusRecorder.UpdatePeerState(peerState)
-	if err != nil {
-		log.Warnf("unable to save peer's state, got error: %v", err)
-	}
-
 	return nil
 }

-// todo rename this method and the proxy package to something more appropriate
-func (conn *Conn) getProxy(pair *ice.CandidatePair, remoteWgPort int) proxy.Proxy {
-	if isRelayCandidate(pair.Local) {
-		return proxy.NewWireGuardProxy(conn.config.ProxyConfig)
-	}
-
-	// To support old version's with direct mode we attempt to punch an additional role with the remote wireguard port
-	go conn.punchRemoteWGPort(pair, remoteWgPort)
-
-	return proxy.NewNoProxy(conn.config.ProxyConfig)
-}
-
-func (conn *Conn) punchRemoteWGPort(pair *ice.CandidatePair, remoteWgPort int) {
-	// wait local endpoint configuration
-	time.Sleep(time.Second)
-	addr, err := net.ResolveUDPAddr("udp", fmt.Sprintf("%s:%d", pair.Remote.Address(), remoteWgPort))
-	if err != nil {
-		log.Warnf("got an error while resolving the udp address, err: %s", err)
-		return
-	}
-
-	mux, ok := conn.config.UDPMuxSrflx.(*bind.UniversalUDPMuxDefault)
-	if !ok {
-		log.Warn("invalid udp mux conversion")
-		return
-	}
-	_, err = mux.GetSharedConn().WriteTo([]byte{0x6e, 0x62}, addr)
-	if err != nil {
-		log.Warnf("got an error while sending the punch packet, err: %s", err)
-	}
-}
-
 // cleanup closes all open resources and sets status to StatusDisconnected
 func (conn *Conn) cleanup() error {
 	log.Debugf("trying to cleanup %s", conn.config.Key)
@@ -437,29 +336,18 @@ func (conn *Conn) cleanup() error {

 	conn.status = StatusDisconnected

-	peerState := State{PubKey: conn.config.Key}
-	peerState.ConnStatus = conn.status
-	peerState.ConnStatusUpdate = time.Now()
-
-	err := conn.statusRecorder.UpdatePeerState(peerState)
-	if err != nil {
-		// pretty common error because by that time Engine can already remove the peer and status won't be available.
-		//todo rethink status updates
-		log.Debugf("error while updating peer's %s state, err: %v", conn.config.Key, err)
-	}
-
 	log.Debugf("cleaned up connection to peer %s", conn.config.Key)

 	return nil
 }

 // SetSignalOffer sets a handler function to be triggered by Conn when a new connection offer has to be signalled to the remote peer
-func (conn *Conn) SetSignalOffer(handler func(offer OfferAnswer) error) {
+func (conn *Conn) SetSignalOffer(handler func(uFrag string, pwd string) error) {
 	conn.signalOffer = handler
 }

 // SetSignalAnswer sets a handler function to be triggered by Conn when a new connection answer has to be signalled to the remote peer
-func (conn *Conn) SetSignalAnswer(handler func(answer OfferAnswer) error) {
+func (conn *Conn) SetSignalAnswer(handler func(uFrag string, pwd string) error) {
 	conn.signalAnswer = handler
 }

@@ -468,17 +356,11 @@ func (conn *Conn) SetSignalCandidate(handler func(candidate ice.Candidate) error
 	conn.signalCandidate = handler
 }

-// SetSendSignalMessage sets a handler function to be triggered by Conn when there is new message to send via signal
-func (conn *Conn) SetSendSignalMessage(handler func(message *sProto.Message) error) {
-	conn.sendSignalMessage = handler
-}
-
 // onICECandidate is a callback attached to an ICE Agent to receive new local connection candidates
 // and then signals them to the remote peer
 func (conn *Conn) onICECandidate(candidate ice.Candidate) {
 	if candidate != nil {
-		// TODO: reported port is incorrect for CandidateTypeHost, makes understanding ICE use via logs confusing as port is ignored
-		log.Debugf("discovered local candidate %s", candidate.String())
+		// log.Debugf("discovered local candidate %s", candidate.String())
 		go func() {
 			err := conn.signalCandidate(candidate)
 			if err != nil {
@@ -510,12 +392,8 @@ func (conn *Conn) sendAnswer() error {
 		return err
 	}

-	log.Debugf("sending answer to %s", conn.config.Key)
-	err = conn.signalAnswer(OfferAnswer{
-		IceCredentials: IceCredentials{localUFrag, localPwd},
-		WgListenPort:   conn.config.LocalWgPort,
-		Version:        version.NetbirdVersion(),
-	})
+	log.Debugf("sending asnwer to %s", conn.config.Key)
+	err = conn.signalAnswer(localUFrag, localPwd)
 	if err != nil {
 		return err
 	}
@@ -532,11 +410,7 @@ func (conn *Conn) sendOffer() error {
 	if err != nil {
 		return err
 	}
-	err = conn.signalOffer(OfferAnswer{
-		IceCredentials: IceCredentials{localUFrag, localPwd},
-		WgListenPort:   conn.config.LocalWgPort,
-		Version:        version.NetbirdVersion(),
-	})
+	err = conn.signalOffer(localUFrag, localPwd)
 	if err != nil {
 		return err
 	}
@@ -563,7 +437,7 @@ func (conn *Conn) Close() error {
 		// before conn.Open() another update from management arrives with peers: [1,2,3,4,5]
 		// engine adds a new Conn for 4 and 5
 		// therefore peer 4 has 2 Conn objects
-		log.Warnf("connection has been already closed or attempted closing not started coonection %s", conn.config.Key)
+		log.Warnf("closing not started coonection %s", conn.config.Key)
 		return NewConnectionAlreadyClosed(conn.config.Key)
 	}
 }
@@ -577,11 +451,11 @@ func (conn *Conn) Status() ConnStatus {

 // OnRemoteOffer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {
+func (conn *Conn) OnRemoteOffer(remoteAuth IceCredentials) bool {
 	log.Debugf("OnRemoteOffer from peer %s on status %s", conn.config.Key, conn.status.String())

 	select {
-	case conn.remoteOffersCh <- offer:
+	case conn.remoteOffersCh <- remoteAuth:
 		return true
 	default:
 		log.Debugf("OnRemoteOffer skipping message from peer %s on status %s because is not ready", conn.config.Key, conn.status.String())
@@ -592,11 +466,11 @@ func (conn *Conn) OnRemoteOffer(offer OfferAnswer) bool {

 // OnRemoteAnswer handles an offer from the remote peer and returns true if the message was accepted, false otherwise
 // doesn't block, discards the message if connection wasn't ready
-func (conn *Conn) OnRemoteAnswer(answer OfferAnswer) bool {
+func (conn *Conn) OnRemoteAnswer(remoteAuth IceCredentials) bool {
 	log.Debugf("OnRemoteAnswer from peer %s on status %s", conn.config.Key, conn.status.String())

 	select {
-	case conn.remoteAnswerCh <- answer:
+	case conn.remoteAnswerCh <- remoteAuth:
 		return true
 	default:
 		// connection might not be ready yet to receive so we ignore the message
@@ -627,9 +501,3 @@ func (conn *Conn) OnRemoteCandidate(candidate ice.Candidate) {
 func (conn *Conn) GetKey() string {
 	return conn.config.Key
 }
-
-// RegisterProtoSupportMeta register supported proto message in the connection metadata
-func (conn *Conn) RegisterProtoSupportMeta(support []uint32) {
-	protoSupport := signal.ParseFeaturesSupported(support)
-	conn.meta.protoSupport = protoSupport
-}
--- a/client/internal/peer/conn_status.go
+++ b/client/internal/peer/conn_status.go
@@ -1,29 +0,0 @@
-package peer
-
-import log "github.com/sirupsen/logrus"
-
-const (
-	// StatusConnected indicate the peer is in connected state
-	StatusConnected ConnStatus = iota
-	// StatusConnecting indicate the peer is in connecting state
-	StatusConnecting
-	// StatusDisconnected indicate the peer is in disconnected state
-	StatusDisconnected
-)
-
-// ConnStatus describe the status of a peer's connection
-type ConnStatus int
-
-func (s ConnStatus) String() string {
-	switch s {
-	case StatusConnecting:
-		return "Connecting"
-	case StatusConnected:
-		return "Connected"
-	case StatusDisconnected:
-		return "Disconnected"
-	default:
-		log.Errorf("unknown status: %d", s)
-		return "INVALID_PEER_CONNECTION_STATUS"
-	}
-}
--- a/client/internal/peer/conn_status_test.go
+++ b/client/internal/peer/conn_status_test.go
@@ -1,27 +0,0 @@
-package peer
-
-import (
-	"github.com/magiconair/properties/assert"
-	"testing"
-)
-
-func TestConnStatus_String(t *testing.T) {
-
-	tables := []struct {
-		name   string
-		status ConnStatus
-		want   string
-	}{
-		{"StatusConnected", StatusConnected, "Connected"},
-		{"StatusDisconnected", StatusDisconnected, "Disconnected"},
-		{"StatusConnecting", StatusConnecting, "Connecting"},
-	}
-
-	for _, table := range tables {
-		t.Run(table.name, func(t *testing.T) {
-			got := table.status.String()
-			assert.Equal(t, got, table.want, "they should be equal")
-		})
-	}
-
-}
--- a/client/internal/peer/conn_test.go
+++ b/client/internal/peer/conn_test.go
@@ -1,17 +1,12 @@
 package peer

 import (
+	"github.com/magiconair/properties/assert"
+	"github.com/netbirdio/netbird/client/internal/proxy"
+	"github.com/pion/ice/v2"
 	"sync"
 	"testing"
 	"time"
-
-	"github.com/netbirdio/netbird/client/internal/stdnet"
-
-	"github.com/magiconair/properties/assert"
-	"github.com/pion/ice/v2"
-
-	"github.com/netbirdio/netbird/client/internal/proxy"
-	"github.com/netbirdio/netbird/iface"
 )

 var connConf = ConnConfig{
@@ -21,23 +16,10 @@ var connConf = ConnConfig{
 	InterfaceBlackList: nil,
 	Timeout:            time.Second,
 	ProxyConfig:        proxy.Config{},
-	LocalWgPort:        51820,
-}
-
-func TestNewConn_interfaceFilter(t *testing.T) {
-	ignore := []string{iface.WgInterfaceDefault, "tun0", "zt", "ZeroTier", "utun", "wg", "ts",
-		"Tailscale", "tailscale"}
-
-	filter := stdnet.InterfaceFilter(ignore)
-
-	for _, s := range ignore {
-		assert.Equal(t, filter(s), false)
-	}
-
 }

 func TestConn_GetKey(t *testing.T) {
-	conn, err := NewConn(connConf, nil, nil, nil)
+	conn, err := NewConn(connConf)
 	if err != nil {
 		return
 	}
@@ -49,7 +31,7 @@ func TestConn_GetKey(t *testing.T) {

 func TestConn_OnRemoteOffer(t *testing.T) {

-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf)
 	if err != nil {
 		return
 	}
@@ -63,13 +45,9 @@ func TestConn_OnRemoteOffer(t *testing.T) {

 	go func() {
 		for {
-			accepted := conn.OnRemoteOffer(OfferAnswer{
-				IceCredentials: IceCredentials{
-					UFrag: "test",
-					Pwd:   "test",
-				},
-				WgListenPort: 0,
-				Version:      "",
+			accepted := conn.OnRemoteOffer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
 			})
 			if accepted {
 				wg.Done()
@@ -83,7 +61,7 @@ func TestConn_OnRemoteOffer(t *testing.T) {

 func TestConn_OnRemoteAnswer(t *testing.T) {

-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf)
 	if err != nil {
 		return
 	}
@@ -97,13 +75,9 @@ func TestConn_OnRemoteAnswer(t *testing.T) {

 	go func() {
 		for {
-			accepted := conn.OnRemoteAnswer(OfferAnswer{
-				IceCredentials: IceCredentials{
-					UFrag: "test",
-					Pwd:   "test",
-				},
-				WgListenPort: 0,
-				Version:      "",
+			accepted := conn.OnRemoteAnswer(IceCredentials{
+				UFrag: "test",
+				Pwd:   "test",
 			})
 			if accepted {
 				wg.Done()
@@ -116,7 +90,7 @@ func TestConn_OnRemoteAnswer(t *testing.T) {
 }
 func TestConn_Status(t *testing.T) {

-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf)
 	if err != nil {
 		return
 	}
@@ -143,7 +117,7 @@ func TestConn_Status(t *testing.T) {

 func TestConn_Close(t *testing.T) {

-	conn, err := NewConn(connConf, NewRecorder("https://mgm"), nil, nil)
+	conn, err := NewConn(connConf)
 	if err != nil {
 		return
 	}
--- a/client/internal/peer/env_config.go
+++ b/client/internal/peer/env_config.go
@@ -1,53 +0,0 @@
-package peer
-
-import (
-	"os"
-	"strconv"
-	"strings"
-	"time"
-
-	log "github.com/sirupsen/logrus"
-)
-
-const (
-	envICEKeepAliveIntervalSec   = "NB_ICE_KEEP_ALIVE_INTERVAL_SEC"
-	envICEDisconnectedTimeoutSec = "NB_ICE_DISCONNECTED_TIMEOUT_SEC"
-	envICEForceRelayConn         = "NB_ICE_FORCE_RELAY_CONN"
-)
-
-func iceKeepAlive() time.Duration {
-	keepAliveEnv := os.Getenv(envICEKeepAliveIntervalSec)
-	if keepAliveEnv == "" {
-		return iceKeepAliveDefault
-	}
-
-	log.Debugf("setting ICE keep alive interval to %s seconds", keepAliveEnv)
-	keepAliveEnvSec, err := strconv.Atoi(keepAliveEnv)
-	if err != nil {
-		log.Warnf("invalid value %s set for %s, using default %v", keepAliveEnv, envICEKeepAliveIntervalSec, iceKeepAliveDefault)
-		return iceKeepAliveDefault
-	}
-
-	return time.Duration(keepAliveEnvSec) * time.Second
-}
-
-func iceDisconnectedTimeout() time.Duration {
-	disconnectedTimeoutEnv := os.Getenv(envICEDisconnectedTimeoutSec)
-	if disconnectedTimeoutEnv == "" {
-		return iceDisconnectedTimeoutDefault
-	}
-
-	log.Debugf("setting ICE disconnected timeout to %s seconds", disconnectedTimeoutEnv)
-	disconnectedTimeoutSec, err := strconv.Atoi(disconnectedTimeoutEnv)
-	if err != nil {
-		log.Warnf("invalid value %s set for %s, using default %v", disconnectedTimeoutEnv, envICEDisconnectedTimeoutSec, iceDisconnectedTimeoutDefault)
-		return iceDisconnectedTimeoutDefault
-	}
-
-	return time.Duration(disconnectedTimeoutSec) * time.Second
-}
-
-func hasICEForceRelayConn() bool {
-	disconnectedTimeoutEnv := os.Getenv(envICEForceRelayConn)
-	return strings.ToLower(disconnectedTimeoutEnv) == "true"
-}
--- a/client/internal/peer/listener.go
+++ b/client/internal/peer/listener.go
@@ -1,11 +0,0 @@
-package peer
-
-// Listener is a callback type about the NetBird network connection state
-type Listener interface {
-	OnConnected()
-	OnDisconnected()
-	OnConnecting()
-	OnDisconnecting()
-	OnAddressChanged(string, string)
-	OnPeersListChanged(int)
-}
--- a/client/internal/peer/notifier.go
+++ b/client/internal/peer/notifier.go
@@ -1,142 +0,0 @@
-package peer
-
-import (
-	"sync"
-)
-
-const (
-	stateDisconnected = iota
-	stateConnected
-	stateConnecting
-	stateDisconnecting
-)
-
-type notifier struct {
-	serverStateLock    sync.Mutex
-	listenersLock      sync.Mutex
-	listener           Listener
-	currentClientState bool
-	lastNotification   int
-}
-
-func newNotifier() *notifier {
-	return &notifier{}
-}
-
-func (n *notifier) setListener(listener Listener) {
-	n.listenersLock.Lock()
-	defer n.listenersLock.Unlock()
-
-	n.serverStateLock.Lock()
-	n.notifyListener(listener, n.lastNotification)
-	n.serverStateLock.Unlock()
-
-	n.listener = listener
-}
-
-func (n *notifier) removeListener() {
-	n.listenersLock.Lock()
-	defer n.listenersLock.Unlock()
-	n.listener = nil
-}
-
-func (n *notifier) updateServerStates(mgmState bool, signalState bool) {
-	n.serverStateLock.Lock()
-	defer n.serverStateLock.Unlock()
-
-	calculatedState := n.calculateState(mgmState, signalState)
-
-	if !n.isServerStateChanged(calculatedState) {
-		return
-	}
-
-	n.lastNotification = calculatedState
-
-	n.notify(n.lastNotification)
-}
-
-func (n *notifier) clientStart() {
-	n.serverStateLock.Lock()
-	defer n.serverStateLock.Unlock()
-	n.currentClientState = true
-	n.lastNotification = stateConnected
-	n.notify(n.lastNotification)
-}
-
-func (n *notifier) clientStop() {
-	n.serverStateLock.Lock()
-	defer n.serverStateLock.Unlock()
-	n.currentClientState = false
-	n.lastNotification = stateDisconnected
-	n.notify(n.lastNotification)
-}
-
-func (n *notifier) clientTearDown() {
-	n.serverStateLock.Lock()
-	defer n.serverStateLock.Unlock()
-	n.currentClientState = false
-	n.lastNotification = stateDisconnecting
-	n.notify(n.lastNotification)
-}
-
-func (n *notifier) isServerStateChanged(newState int) bool {
-	return n.lastNotification != newState
-}
-
-func (n *notifier) notify(state int) {
-	n.listenersLock.Lock()
-	defer n.listenersLock.Unlock()
-	if n.listener == nil {
-		return
-	}
-	n.notifyListener(n.listener, state)
-}
-
-func (n *notifier) notifyListener(l Listener, state int) {
-	go func() {
-		switch state {
-		case stateDisconnected:
-			l.OnDisconnected()
-		case stateConnected:
-			l.OnConnected()
-		case stateConnecting:
-			l.OnConnecting()
-		case stateDisconnecting:
-			l.OnDisconnecting()
-		}
-	}()
-}
-
-func (n *notifier) calculateState(managementConn, signalConn bool) int {
-	if managementConn && signalConn {
-		return stateConnected
-	}
-
-	if !managementConn && !signalConn {
-		return stateDisconnected
-	}
-
-	if n.lastNotification == stateDisconnecting {
-		return stateDisconnecting
-	}
-
-	return stateConnecting
-}
-
-func (n *notifier) peerListChanged(numOfPeers int) {
-	n.listenersLock.Lock()
-	defer n.listenersLock.Unlock()
-	if n.listener == nil {
-		return
-	}
-	n.listener.OnPeersListChanged(numOfPeers)
-}
-
-func (n *notifier) localAddressChanged(fqdn, address string) {
-	n.listenersLock.Lock()
-	defer n.listenersLock.Unlock()
-	if n.listener == nil {
-		return
-	}
-	n.listener.OnAddressChanged(fqdn, address)
-}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
shatoboar	c86c620016	Fix(auth0) caching Users by accountId	2022-06-03 17:19:31 +02:00
shatoboar	1e444f58c1	Merge remote-tracking branch 'origin' into users_cache	2022-06-03 14:42:06 +02:00
shatoboar	f53990d6c1	WIP idpmanager users_cache by accountId	2022-06-03 14:39:07 +02:00
Misha Bragin	02a6ac44be	Handle Network out of range (#347 )	2022-06-03 14:39:07 +02:00
Misha Bragin	43e472c958	Update links in Start using NetBird (#346 ) * Update links in Start using NetBird * Update internals overview and co structure * Netbird to NetBird	2022-06-03 14:39:07 +02:00
shatoboar	cea5693512	Feat(auth0.go) Cache for users in idpmanager	2022-06-01 21:52:16 +02:00
shatoboar	49ec33504a	Implemented caching logic for auth0	2022-05-31 17:29:51 +02:00