Fix RemoveConnByUfrag

Fix some iface issues
Remove unused code
2026-03-31 22:53:53 -04:00 · 2022-09-08 19:39:05 +02:00 · 2022-09-07 21:59:01 +02:00 · 2022-09-07 21:40:45 +02:00 · 2022-09-07 19:40:34 +02:00 · 2022-09-07 19:02:17 +02:00
43 changed files with 1598 additions and 2064 deletions
--- a/.github/workflows/golang-test-linux.yml
+++ b/.github/workflows/golang-test-linux.yml
@@ -33,55 +33,3 @@ jobs:

      - name: Test
        run: GOARCH=${{ matrix.arch }} go test -exec 'sudo --preserve-env=CI' -timeout 5m -p 1 ./...
-
-  test_client_on_docker:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Install Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.18.x
-
-
-      - name: Cache Go modules
-        uses: actions/cache@v2
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-
-
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Install dependencies
-        run: sudo apt update && sudo apt install -y -q libgtk-3-dev libappindicator3-dev libayatana-appindicator3-dev libgl1-mesa-dev xorg-dev
-
-      - name: Install modules
-        run: go mod tidy
-
-      - name: Generate Iface Test bin
-        run: go test -c -o iface-testing.bin ./iface/...
-
-      - name: Generate RouteManager Test bin
-        run: go test -c -o routemanager-testing.bin ./client/internal/routemanager/...
-
-      - name: Generate Engine Test bin
-        run: go test -c -o engine-testing.bin ./client/internal/*.go
-
-      - name: Generate Peer Test bin
-        run: go test -c -o peer-testing.bin ./client/internal/peer/...
-
-      - run: chmod +x *testing.bin
-
-      - name: Run Iface tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/iface --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/iface-testing.bin
-
-      - name: Run RouteManager tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/routemanager --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/routemanager-testing.bin
-
-      - name: Run Engine tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/engine-testing.bin
-
-      - name: Run Peer tests in docker
-        run: docker run -t --cap-add=NET_ADMIN --privileged --rm -v $PWD:/ci -w /ci/client/internal/peer  --entrypoint /busybox/sh gcr.io/distroless/base:debug -c /ci/peer-testing.bin
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@
   <a href="https://www.codacy.com/gh/netbirdio/netbird/dashboard?utm_source=github.com&amp;utm_medium=referral&amp;utm_content=netbirdio/netbird&amp;utm_campaign=Badge_Grade"><img src="https://app.codacy.com/project/badge/Grade/e3013d046aec44cdb7462c8673b00976"/></a>
    <br>
    <a href="https://join.slack.com/t/netbirdio/shared_invite/zt-vrahf41g-ik1v7fV8du6t0RwxSrJ96A">
-        <img src="https://img.shields.io/badge/slack-@netbird-red.svg?logo=slack"/>
+        <img src="https://img.shields.io/badge/slack-@wiretrustee-red.svg?logo=slack"/>
     </a>    
  </p>
 </div>
@@ -43,20 +43,20 @@ It requires zero configuration effort leaving behind the hassle of opening ports
 NetBird creates an overlay peer-to-peer network connecting machines automatically regardless of their location (home, office, datacenter, container, cloud or edge environments) unifying virtual private network management experience.

 **Key features:**
- \[x] Automatic IP allocation and network management with a Web UI ([separate repo](https://github.com/netbirdio/dashboard))
- \[x] Automatic WireGuard peer (machine) discovery and configuration.
- \[x] Encrypted peer-to-peer connections without a central VPN gateway.
- \[x] Connection relay fallback in case a peer-to-peer connection is not possible.
- \[x] Desktop client applications for Linux, MacOS, and Windows (systray).
- \[x] Multiuser support - sharing network between multiple users.
- \[x] SSO and MFA support. 
- \[x] Multicloud and hybrid-cloud support.
- \[x] Kernel WireGuard usage when possible.
- \[x] Access Controls - groups & rules.
- \[x] Remote SSH access without managing SSH keys.
- \[x] Network Routes.  
-
+-  \[x] Automatic IP allocation and network management with a Web UI ([separate repo](https://github.com/netbirdio/dashboard))
+-  \[x] Automatic WireGuard peer (machine) discovery and configuration.
+-  \[x] Encrypted peer-to-peer connections without a central VPN gateway.
+-  \[x] Connection relay fallback in case a peer-to-peer connection is not possible.
+-  \[x] Desktop client applications for Linux, MacOS, and Windows (systray).
+-  \[x] Multiuser support - sharing network between multiple users.
+-  \[x] SSO and MFA support. 
+-  \[x] Multicloud and hybrid-cloud support.
+-  \[x] Kernel WireGuard usage when possible.
+-  \[x] Access Controls - groups & rules.
+-  \[x] Remote SSH access without managing SSH keys.
+  
 **Coming soon:**
+-  \[ ] Network Routes.
 -  \[ ] Private DNS.
 -  \[ ] Mobile clients.
 -  \[ ] Network Activity Monitoring.
--- a/client/cmd/status.go
+++ b/client/cmd/status.go
@@ -11,7 +11,6 @@ import (
 	"github.com/netbirdio/netbird/util"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"net"
 	"net/netip"
 	"sort"
 	"strings"
@@ -19,7 +18,6 @@ import (

 var (
 	detailFlag   bool
-	ipv4Flag     bool
 	ipsFilter    []string
 	statusFilter string
 	ipsFilterMap map[string]struct{}
@@ -75,7 +73,7 @@ var statusCmd = &cobra.Command{
 		pbFullStatus := resp.GetFullStatus()
 		fullStatus := fromProtoFullStatus(pbFullStatus)

-		cmd.Print(parseFullStatus(fullStatus, detailFlag, daemonStatus, resp.GetDaemonVersion(), ipv4Flag))
+		cmd.Print(parseFullStatus(fullStatus, detailFlag, daemonStatus, resp.GetDaemonVersion()))

 		return nil
 	},
@@ -84,9 +82,8 @@ var statusCmd = &cobra.Command{
 func init() {
 	ipsFilterMap = make(map[string]struct{})
 	statusCmd.PersistentFlags().BoolVarP(&detailFlag, "detail", "d", false, "display detailed status information")
-	statusCmd.PersistentFlags().BoolVar(&ipv4Flag, "ipv4", false, "display only NetBird IPv4 of this peer, e.g., --ipv4 will output 100.64.0.33")
-	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g., --filter-by-ips 100.64.0.100,100.64.0.200")
-	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g., --filter-by-status connected")
+	statusCmd.PersistentFlags().StringSliceVar(&ipsFilter, "filter-by-ips", []string{}, "filters the detailed output by a list of one or more IPs, e.g. --filter-by-ips 100.64.0.100,100.64.0.200")
+	statusCmd.PersistentFlags().StringVar(&statusFilter, "filter-by-status", "", "filters the detailed output by connection status(connected|disconnected), e.g. --filter-by-status connected")
 }

 func parseFilters() error {
@@ -145,19 +142,7 @@ func fromProtoFullStatus(pbFullStatus *proto.FullStatus) nbStatus.FullStatus {
 	return fullStatus
 }

-func parseFullStatus(fullStatus nbStatus.FullStatus, printDetail bool, daemonStatus string, daemonVersion string, flag bool) string {
-
-	interfaceIP := fullStatus.LocalPeerState.IP
-
-	ip, _, err := net.ParseCIDR(interfaceIP)
-	if err != nil {
-		return ""
-	}
-
-	if ipv4Flag {
-		return fmt.Sprintf("%s\n", ip)
-	}
-
+func parseFullStatus(fullStatus nbStatus.FullStatus, printDetail bool, daemonStatus string, daemonVersion string) string {
 	var (
 		managementStatusURL  = ""
 		signalStatusURL      = ""
@@ -179,6 +164,8 @@ func parseFullStatus(fullStatus nbStatus.FullStatus, printDetail bool, daemonSta
 		signalConnString = "Connected"
 	}

+	interfaceIP := fullStatus.LocalPeerState.IP
+
 	if fullStatus.LocalPeerState.KernelInterface {
 		interfaceTypeString = "Kernel"
 	} else if fullStatus.LocalPeerState.IP == "" {
--- a/client/hhhh.go
+++ b/client/hhhh.go
@@ -0,0 +1,98 @@
+package main
+
+/*
+import (
+	"flag"
+	"github.com/netbirdio/netbird/iface"
+	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
+	"net"
+	"net/http"
+	_ "net/http/pprof"
+	"time"
+)
+
+var name = flag.String("name", "wg0", "WireGuard interface name")
+var addr = flag.String("addr", "100.64.0.1/24", "interface WireGuard IP addr")
+var key = flag.String("key", "100.64.0.1/24", "WireGuard private key")
+var port = flag.Int("port", 51820, "WireGuard port")
+
+var remoteKey = flag.String("remote-key", "", "remote WireGuard public key")
+var remoteAddr = flag.String("remote-addr", "100.64.0.2/32", "remote WireGuard IP addr")
+var remoteEndpoint = flag.String("remote-endpoint", "127.0.0.1:51820", "remote WireGuard endpoint")
+
+func fff() {
+
+	flag.Parse()
+
+	go func() {
+		log.Println(http.ListenAndServe("localhost:6060", nil))
+	}()
+
+	myKey, err := wgtypes.ParseKey(*key)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+
+	log.Infof("public key and addr [%s] [%s] ", myKey.PublicKey().String(), *addr)
+
+	wgIFace, err := iface.NewWGIFace(*name, *addr, 1280)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+	defer wgIFace.Close()
+
+	// todo wrap into UDPMux
+	sharedSock, _, err := listenNet("udp4", *port)
+	if err != nil {
+		log.Error(err)
+		return
+	}
+	defer sharedSock.Close()
+
+	//	err = wgIFace.Create()
+	err = wgIFace.CreateNew(sharedSock)
+	if err != nil {
+		log.Errorf("failed to create interface %s %v", *name, err)
+		return
+	}
+
+	err = wgIFace.Configure(*key, *port)
+	if err != nil {
+		log.Errorf("failed to configure interface %s %v", *name, err)
+		return
+	}
+
+	ip, err := net.ResolveUDPAddr("udp4", *remoteEndpoint)
+	if err != nil {
+		// handle error
+	}
+
+	err = wgIFace.UpdatePeer(*remoteKey, *remoteAddr, 20*time.Second, ip, nil)
+	if err != nil {
+		log.Errorf("failed to configure remote peer %s %v", *remoteKey, err)
+		return
+	}
+
+	select {}
+
+}
+
+func listenNet(network string, port int) (*net.UDPConn, int, error) {
+	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Retrieve port.
+	laddr := conn.LocalAddr()
+	uaddr, err := net.ResolveUDPAddr(
+		laddr.Network(),
+		laddr.String(),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	return conn, uaddr.Port, nil
+}*/
--- a/client/internal/config.go
+++ b/client/internal/config.go
@@ -263,7 +263,7 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (Device
 		}
 	}

-	deviceAuthorizationFlow := DeviceAuthorizationFlow{
+	return DeviceAuthorizationFlow{
 		Provider: protoDeviceAuthorizationFlow.Provider.String(),

 		ProviderConfig: ProviderConfig{
@@ -274,32 +274,5 @@ func GetDeviceAuthorizationFlowInfo(ctx context.Context, config *Config) (Device
 			TokenEndpoint:      protoDeviceAuthorizationFlow.GetProviderConfig().GetTokenEndpoint(),
 			DeviceAuthEndpoint: protoDeviceAuthorizationFlow.GetProviderConfig().GetDeviceAuthEndpoint(),
 		},
-	}
-
-	err = isProviderConfigValid(deviceAuthorizationFlow.ProviderConfig)
-	if err != nil {
-		return DeviceAuthorizationFlow{}, err
-	}
-
-	return deviceAuthorizationFlow, nil
-}
-
-func isProviderConfigValid(config ProviderConfig) error {
-	errorMSGFormat := "invalid provider configuration received from management: %s value is empty. Contact your NetBird administrator"
-	if config.Audience == "" {
-		return fmt.Errorf(errorMSGFormat, "Audience")
-	}
-	if config.ClientID == "" {
-		return fmt.Errorf(errorMSGFormat, "Client ID")
-	}
-	if config.ClientSecret == "" {
-		return fmt.Errorf(errorMSGFormat, "Client Secret")
-	}
-	if config.TokenEndpoint == "" {
-		return fmt.Errorf(errorMSGFormat, "Token Endpoint")
-	}
-	if config.DeviceAuthEndpoint == "" {
-		return fmt.Errorf(errorMSGFormat, "Device Auth Endpoint")
-	}
-	return nil
+	}, nil
 }
--- a/client/internal/connect.go
+++ b/client/internal/connect.go
@@ -107,7 +107,7 @@ func RunClient(ctx context.Context, config *Config, statusRecorder *nbStatus.Sta
 		localPeerState := nbStatus.LocalPeerState{
 			IP:              loginResp.GetPeerConfig().GetAddress(),
 			PubKey:          myPrivateKey.PublicKey().String(),
-			KernelInterface: iface.WireguardModuleIsLoaded(),
+			KernelInterface: iface.WireguardModExists(),
 		}

 		statusRecorder.UpdateLocalPeerState(localPeerState)
--- a/client/internal/engine.go
+++ b/client/internal/engine.go
@@ -8,7 +8,6 @@ import (
 	nbstatus "github.com/netbirdio/netbird/client/status"
 	"github.com/netbirdio/netbird/route"
 	"math/rand"
-	"net"
 	"reflect"
 	"runtime"
 	"strings"
@@ -89,10 +88,7 @@ type Engine struct {

 	wgInterface *iface.WGIface

-	udpMux          ice.UDPMux
-	udpMuxSrflx     ice.UniversalUDPMux
-	udpMuxConn      *net.UDPConn
-	udpMuxConnSrflx *net.UDPConn
+	iceMux ice.UniversalUDPMux

 	// networkSerial is the latest CurrentSerial (state ID) of the network sent by the Management service
 	networkSerial uint64
@@ -155,30 +151,6 @@ func (e *Engine) Stop() error {
 		}
 	}

-	if e.udpMux != nil {
-		if err := e.udpMux.Close(); err != nil {
-			log.Debugf("close udp mux: %v", err)
-		}
-	}
-
-	if e.udpMuxSrflx != nil {
-		if err := e.udpMuxSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux: %v", err)
-		}
-	}
-
-	if e.udpMuxConn != nil {
-		if err := e.udpMuxConn.Close(); err != nil {
-			log.Debugf("close udp mux connection: %v", err)
-		}
-	}
-
-	if e.udpMuxConnSrflx != nil {
-		if err := e.udpMuxConnSrflx.Close(); err != nil {
-			log.Debugf("close server reflexive udp mux connection: %v", err)
-		}
-	}
-
 	if !isNil(e.sshServer) {
 		err := e.sshServer.Stop()
 		if err != nil {
@@ -213,34 +185,34 @@ func (e *Engine) Start() error {
 		return err
 	}

-	e.udpMuxConn, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxPort})
-	if err != nil {
-		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxPort, err.Error())
-		return err
-	}
-
-	e.udpMuxConnSrflx, err = net.ListenUDP("udp4", &net.UDPAddr{Port: e.config.UDPMuxSrflxPort})
-	if err != nil {
-		log.Errorf("failed listening on UDP port %d: [%s]", e.config.UDPMuxSrflxPort, err.Error())
-		return err
-	}
-
-	e.udpMux = ice.NewUDPMuxDefault(ice.UDPMuxParams{UDPConn: e.udpMuxConn})
-	e.udpMuxSrflx = ice.NewUniversalUDPMuxDefault(ice.UniversalUDPMuxParams{UDPConn: e.udpMuxConnSrflx})
-
-	err = e.wgInterface.Create()
+	bind := &iface.ICEBind{}
+	err = e.wgInterface.CreateNew(bind)
 	if err != nil {
 		log.Errorf("failed creating tunnel interface %s: [%s]", wgIfaceName, err.Error())
 		return err
 	}

-	err = e.wgInterface.Configure(myPrivateKey.String(), e.config.WgPort)
+	port, err := e.wgInterface.GetListenPort()
+	if err != nil {
+		return err
+	}
+
+	err = e.wgInterface.Configure(myPrivateKey.String(), *port)
 	if err != nil {
 		log.Errorf("failed configuring Wireguard interface [%s]: %s", wgIfaceName, err.Error())
 		return err
 	}

+	iceMux, err := bind.GetICEMux()
+	if err != nil {
+		return err
+	}
+	e.iceMux = iceMux
+
+	log.Infof("NetBird Engine started listening on WireGuard port %d", *port)
+
 	e.routeManager = routemanager.NewManager(e.ctx, e.config.WgPrivateKey.PublicKey().String(), e.wgInterface, e.statusRecorder)
+	e.config.WgPort = *port

 	e.receiveSignalEvents()
 	e.receiveManagementEvents()
@@ -760,8 +732,8 @@ func (e Engine) createPeerConn(pubKey string, allowedIPs string) (*peer.Conn, er
 		StunTurn:           stunTurn,
 		InterfaceBlackList: e.config.IFaceBlackList,
 		Timeout:            timeout,
-		UDPMux:             e.udpMux,
-		UDPMuxSrflx:        e.udpMuxSrflx,
+		UDPMux:             e.iceMux,
+		UDPMuxSrflx:        e.iceMux,
 		ProxyConfig:        proxyConfig,
 		LocalWgPort:        e.config.WgPort,
 	}
--- a/client/internal/login.go
+++ b/client/internal/login.go
@@ -36,10 +36,7 @@ func Login(ctx context.Context, config *Config, setupKey string, jwtToken string
 	defer func() {
 		err = mgmClient.Close()
 		if err != nil {
-			cStatus, ok := status.FromError(err)
-			if !ok || ok && cStatus.Code() != codes.Canceled {
-				log.Warnf("failed to close the Management service client, err: %v", err)
-			}
+			log.Warnf("failed to close the Management service client %v", err)
 		}
 	}()

--- a/client/internal/peer/conn.go
+++ b/client/internal/peer/conn.go
@@ -147,7 +147,7 @@ func (conn *Conn) reCreateAgent() error {
 		MulticastDNSMode: ice.MulticastDNSModeDisabled,
 		NetworkTypes:     []ice.NetworkType{ice.NetworkTypeUDP4},
 		Urls:             conn.config.StunTurn,
-		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeHost, ice.CandidateTypeServerReflexive, ice.CandidateTypeRelay},
+		CandidateTypes:   []ice.CandidateType{ice.CandidateTypeServerReflexive, ice.CandidateTypeHost, ice.CandidateTypeRelay},
 		FailedTimeout:    &failedTimeout,
 		InterfaceFilter:  interfaceFilter(conn.config.InterfaceBlackList),
 		UDPMux:           conn.config.UDPMux,
@@ -280,14 +280,7 @@ func (conn *Conn) Open() error {
 		return err
 	}

-	if conn.proxy.Type() == proxy.TypeNoProxy {
-		host, _, _ := net.SplitHostPort(remoteConn.LocalAddr().String())
-		rhost, _, _ := net.SplitHostPort(remoteConn.RemoteAddr().String())
-		// direct Wireguard connection
-		log.Infof("directly connected to peer %s [laddr <-> raddr] [%s:%d <-> %s:%d]", conn.config.Key, host, iface.DefaultWgPort, rhost, iface.DefaultWgPort)
-	} else {
-		log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())
-	}
+	log.Infof("connected to peer %s [laddr <-> raddr] [%s <-> %s]", conn.config.Key, remoteConn.LocalAddr().String(), remoteConn.RemoteAddr().String())

 	// wait until connection disconnected or has been closed externally (upper layer, e.g. engine)
 	select {
@@ -351,15 +344,16 @@ func (conn *Conn) startProxy(remoteConn net.Conn, remoteWgPort int) error {
 	}

 	peerState := nbStatus.PeerState{PubKey: conn.config.Key}
-	useProxy := shouldUseProxy(pair)
+
 	var p proxy.Proxy
-	if useProxy {
+	if pair.Local.Type() == ice.CandidateTypeRelay || pair.Remote.Type() == ice.CandidateTypeRelay {
 		p = proxy.NewWireguardProxy(conn.config.ProxyConfig)
 		peerState.Direct = false
 	} else {
 		p = proxy.NewNoProxy(conn.config.ProxyConfig, remoteWgPort)
 		peerState.Direct = true
 	}
+
 	conn.proxy = p
 	err = p.Start(remoteConn)
 	if err != nil {
--- a/client/internal/proxy/noproxy.go
+++ b/client/internal/proxy/noproxy.go
@@ -39,7 +39,6 @@ func (p *NoProxy) Start(remoteConn net.Conn) error {
 	if err != nil {
 		return err
 	}
-	addr.Port = p.RemoteWgListenPort
 	err = p.config.WgInterface.UpdatePeer(p.config.RemoteKey, p.config.AllowedIps, DefaultWgKeepAlive,
 		addr, p.config.PreSharedKey)

--- a/client/internal/routemanager/client.go
+++ b/client/internal/routemanager/client.go
@@ -207,7 +207,7 @@ func (c *clientNetwork) recalculateRouteAndUpdatePeerAndSystem() error {
 		err = addToRouteTableIfNoExists(c.network, c.wgInterface.GetAddress().IP.String())
 		if err != nil {
 			return fmt.Errorf("route %s couldn't be added for peer %s, err: %v",
-				c.network.String(), c.wgInterface.GetAddress().IP.String(), err)
+				c.chosenRoute.Network.String(), c.wgInterface.GetAddress().IP.String(), err)
 		}
 	}

--- a/client/internal/routemanager/nftables_linux.go
+++ b/client/internal/routemanager/nftables_linux.go
@@ -84,10 +84,8 @@ func (n *nftablesManager) CleanRoutingRules() {
 	n.mux.Lock()
 	defer n.mux.Unlock()
 	log.Debug("flushing tables")
-	if n.tableIPv4 != nil && n.tableIPv6 != nil {
-		n.conn.FlushTable(n.tableIPv6)
-		n.conn.FlushTable(n.tableIPv4)
-	}
+	n.conn.FlushTable(n.tableIPv6)
+	n.conn.FlushTable(n.tableIPv4)
 	log.Debugf("flushing tables result in: %v error", n.conn.Flush())
 }

--- a/go.mod
+++ b/go.mod
@@ -11,7 +11,7 @@ require (
 	github.com/kardianos/service v1.2.1-0.20210728001519-a323c3813bc7 //keep this version otherwise wiretrustee up command breaks
 	github.com/onsi/ginkgo v1.16.5
 	github.com/onsi/gomega v1.18.1
-	github.com/pion/ice/v2 v2.2.7
+	github.com/pion/ice/v2 v2.1.17
 	github.com/rs/cors v1.8.0
 	github.com/sirupsen/logrus v1.8.1
 	github.com/spf13/cobra v1.3.0
@@ -39,10 +39,14 @@ require (
 	github.com/libp2p/go-netroute v0.2.0
 	github.com/magiconair/properties v1.8.5
 	github.com/patrickmn/go-cache v2.1.0+incompatible
+	github.com/pion/logging v0.2.2
+	github.com/pion/stun v0.3.5
+	github.com/pion/transport v0.13.0
 	github.com/rs/xid v1.3.0
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966
 	github.com/stretchr/testify v1.7.1
-	golang.org/x/net v0.0.0-20220630215102-69896b714898
+	go.uber.org/zap v1.17.0
+	golang.org/x/net v0.0.0-20220513224357-95641704303c
 	golang.org/x/term v0.0.0-20220526004731-065cf7ba2467
 )

@@ -80,13 +84,10 @@ require (
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oxtoacart/bpool v0.0.0-20190530202638-03653db5a59c // indirect
 	github.com/pegasus-kv/thrift v0.13.0 // indirect
-	github.com/pion/dtls/v2 v2.1.5 // indirect
-	github.com/pion/logging v0.2.2 // indirect
+	github.com/pion/dtls/v2 v2.1.2 // indirect
 	github.com/pion/mdns v0.0.5 // indirect
 	github.com/pion/randutil v0.1.0 // indirect
-	github.com/pion/stun v0.3.5 // indirect
-	github.com/pion/transport v0.13.1 // indirect
-	github.com/pion/turn/v2 v2.0.8 // indirect
+	github.com/pion/turn/v2 v2.0.7 // indirect
 	github.com/pion/udp v0.1.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.12.2 // indirect
@@ -99,6 +100,8 @@ require (
 	github.com/srwiley/rasterx v0.0.0-20200120212402-85cb7272f5e9 // indirect
 	github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df // indirect
 	github.com/yuin/goldmark v1.4.1 // indirect
+	go.uber.org/atomic v1.7.0 // indirect
+	go.uber.org/multierr v1.6.0 // indirect
 	golang.org/x/image v0.0.0-20200430140353-33d19683fad8 // indirect
 	golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
@@ -117,4 +120,6 @@ require (
 	k8s.io/apimachinery v0.23.5 // indirect
 )

+replace github.com/pion/ice/v2 => github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb
+
 replace github.com/kardianos/service => github.com/netbirdio/service v0.0.0-20220905002524-6ac14ad5ea84
--- a/go.sum
+++ b/go.sum
@@ -505,10 +505,8 @@ github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTK
 github.com/pegasus-kv/thrift v0.13.0 h1:4ESwaNoHImfbHa9RUGJiJZ4hrxorihZHk5aarYwY8d4=
 github.com/pegasus-kv/thrift v0.13.0/go.mod h1:Gl9NT/WHG6ABm6NsrbfE8LiJN0sAyneCrvB4qN4NPqQ=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pion/dtls/v2 v2.1.5 h1:jlh2vtIyUBShchoTDqpCCqiYCyRFJ/lvf/gQ8TALs+c=
-github.com/pion/dtls/v2 v2.1.5/go.mod h1:BqCE7xPZbPSubGasRoDFJeTsyJtdD1FanJYL0JGheqY=
-github.com/pion/ice/v2 v2.2.7 h1:kG9tux3WdYUSqqqnf+O5zKlpy41PdlvLUBlYJeV2emQ=
-github.com/pion/ice/v2 v2.2.7/go.mod h1:Ckj7cWZ717rtU01YoDQA9ntGWCk95D42uVZ8sI0EL+8=
+github.com/pion/dtls/v2 v2.1.2 h1:22Q1Jk9L++Yo7BIf9130MonNPfPVb+YgdYLeyQotuAA=
+github.com/pion/dtls/v2 v2.1.2/go.mod h1:o6+WvyLDAlXF7YiPB/RlskRoeK+/JtuaZa5emwQcWus=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
 github.com/pion/mdns v0.0.5 h1:Q2oj/JB3NqfzY9xGZ1fPzZzK7sDSD8rZPOvcIQ10BCw=
@@ -518,11 +516,10 @@ github.com/pion/randutil v0.1.0/go.mod h1:XcJrSMMbbMRhASFVOlj/5hQial/Y8oH/HVo7TB
 github.com/pion/stun v0.3.5 h1:uLUCBCkQby4S1cf6CGuR9QrVOKcvUwFeemaC865QHDg=
 github.com/pion/stun v0.3.5/go.mod h1:gDMim+47EeEtfWogA37n6qXZS88L5V6LqFcf+DZA2UA=
 github.com/pion/transport v0.12.2/go.mod h1:N3+vZQD9HlDP5GWkZ85LohxNsDcNgofQmyL6ojX5d8Q=
+github.com/pion/transport v0.13.0 h1:KWTA5ZrQogizzYwPEciGtHPLwpAjE91FgXnyu+Hv2uY=
 github.com/pion/transport v0.13.0/go.mod h1:yxm9uXpK9bpBBWkITk13cLo1y5/ur5VQpG22ny6EP7g=
-github.com/pion/transport v0.13.1 h1:/UH5yLeQtwm2VZIPjxwnNFxjS4DFhyLfS4GlfuKUzfA=
-github.com/pion/transport v0.13.1/go.mod h1:EBxbqzyv+ZrmDb82XswEE0BjfQFtuw1Nu6sjnjWCsGg=
-github.com/pion/turn/v2 v2.0.8 h1:KEstL92OUN3k5k8qxsXHpr7WWfrdp7iJZHx99ud8muw=
-github.com/pion/turn/v2 v2.0.8/go.mod h1:+y7xl719J8bAEVpSXBXvTxStjJv3hbz9YFflvkpcGPw=
+github.com/pion/turn/v2 v2.0.7 h1:SZhc00WDovK6czaN1RSiHqbwANtIO6wfZQsU0m0KNE8=
+github.com/pion/turn/v2 v2.0.7/go.mod h1:+y7xl719J8bAEVpSXBXvTxStjJv3hbz9YFflvkpcGPw=
 github.com/pion/udp v0.1.1 h1:8UAPvyqmsxK8oOjloDk4wUt63TzFe9WEJkg5lChlj7o=
 github.com/pion/udp v0.1.1/go.mod h1:6AFo+CMdKQm7UiA0eUPA8/eVCTx8jBIITLZHc9DWX5M=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -627,6 +624,8 @@ github.com/vishvananda/netlink v1.1.0 h1:1iyaYNBLmP6L0220aDnYQpo1QEV4t4hJ+xEEhhJ
 github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df h1:OviZH7qLw/7ZovXvuNyL3XQl8UFofeikI1NW1Gypu7k=
 github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
+github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb h1:CU1/+CEeCPvYXgfAyqTJXSQSf6hW3wsWM6Dfz6HkHEQ=
+github.com/wiretrustee/ice/v2 v2.1.21-0.20220218121004-dc81faead4bb/go.mod h1:XT1Nrb4OxbVFPffbQMbq4PaeEkpRLVzdphh3fjrw7DY=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -647,8 +646,11 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
+go.uber.org/atomic v1.7.0 h1:ADUqmZGgLDDfbSL9ZmPxKTybcoEYHgpYfELNoN+7hsw=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/zap v1.17.0 h1:MTjgFu6ZLKvY6Pvaqk97GlxNBuMpV4Hy/3P6tRGlI2U=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -663,7 +665,7 @@ golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211202192323-5770296d904e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220131195533-30dcbda58838/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9 h1:NUzdAbFtCJSXU20AOXgeqaUwg8Ypg4MPYmL+d+rsB5c=
 golang.org/x/crypto v0.0.0-20220513210258-46612604a0f9/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -773,10 +775,8 @@ golang.org/x/net v0.0.0-20211208012354-db4efeb81f4b/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220531201128-c960675eff93/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.0.0-20220630215102-69896b714898 h1:K7wO6V1IrczY9QOQ2WkVpw4JQSwCd52UsxVEirZUfiw=
-golang.org/x/net v0.0.0-20220630215102-69896b714898/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20220513224357-95641704303c h1:nF9mHSvoKBLkQNQhJZNsc66z2UzAMUbLGjC95CF3pU0=
+golang.org/x/net v0.0.0-20220513224357-95641704303c/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -909,8 +909,6 @@ golang.org/x/sys v0.0.0-20211205182925-97ca703d548d/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211214234402-4825e8c3871d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220608164250-635b8c9b7f68/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664 h1:wEZYwx+kK+KlZ0hpvP2Ls1Xr4+RWnlzGFwPP0aiDjIU=
 golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
--- a/iface/bind.go
+++ b/iface/bind.go
@@ -0,0 +1,185 @@
+package iface
+
+import (
+	"errors"
+	"fmt"
+	"github.com/pion/stun"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+	"net"
+	"net/netip"
+	"sync"
+	"syscall"
+)
+
+type ICEBind struct {
+	sharedConn net.PacketConn
+	udpMux     *UniversalUDPMuxDefault
+	iceHostMux *UDPMuxDefault
+
+	mu sync.Mutex // protects following fields
+}
+
+func (b *ICEBind) GetICEMux() (UniversalUDPMux, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.udpMux == nil {
+		return nil, fmt.Errorf("ICEBind has not been initialized yet")
+	}
+
+	return b.udpMux, nil
+}
+
+func (b *ICEBind) GetICEHostMux() (UDPMux, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	if b.iceHostMux == nil {
+		return nil, fmt.Errorf("ICEBind has not been initialized yet")
+	}
+
+	return b.iceHostMux, nil
+}
+
+func (b *ICEBind) Open(uport uint16) ([]conn.ReceiveFunc, uint16, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	if b.sharedConn != nil {
+		return nil, 0, conn.ErrBindAlreadyOpen
+	}
+
+	port := int(uport)
+	ipv4Conn, port, err := listenNet("udp4", port)
+	if err != nil && !errors.Is(err, syscall.EAFNOSUPPORT) {
+		return nil, 0, err
+	}
+	b.sharedConn = ipv4Conn
+	b.udpMux = NewUniversalUDPMuxDefault(UniversalUDPMuxParams{UDPConn: b.sharedConn})
+
+	portAddr1, err := netip.ParseAddrPort(ipv4Conn.LocalAddr().String())
+	if err != nil {
+		return nil, 0, err
+	}
+
+	log.Infof("opened ICEBind on %s", ipv4Conn.LocalAddr().String())
+
+	return []conn.ReceiveFunc{
+			b.makeReceiveIPv4(b.sharedConn),
+		},
+		portAddr1.Port(), nil
+}
+
+func listenNet(network string, port int) (*net.UDPConn, int, error) {
+	conn, err := net.ListenUDP(network, &net.UDPAddr{Port: port})
+	if err != nil {
+		return nil, 0, err
+	}
+
+	// Retrieve port.
+	laddr := conn.LocalAddr()
+	uaddr, err := net.ResolveUDPAddr(
+		laddr.Network(),
+		laddr.String(),
+	)
+	if err != nil {
+		return nil, 0, err
+	}
+	return conn, uaddr.Port, nil
+}
+
+func parseSTUNMessage(raw []byte) (*stun.Message, error) {
+	msg := &stun.Message{
+		Raw: append([]byte{}, raw...),
+	}
+	if err := msg.Decode(); err != nil {
+		return nil, err
+	}
+
+	return msg, nil
+}
+
+func (b *ICEBind) makeReceiveIPv4(c net.PacketConn) conn.ReceiveFunc {
+	return func(buff []byte) (int, conn.Endpoint, error) {
+		n, endpoint, err := c.ReadFrom(buff)
+		if err != nil {
+			return 0, nil, err
+		}
+		e, err := netip.ParseAddrPort(endpoint.String())
+		if err != nil {
+			return 0, nil, err
+		}
+		if !stun.IsMessage(buff[:20]) {
+			// WireGuard traffic
+			return n, (*conn.StdNetEndpoint)(&net.UDPAddr{
+				IP:   e.Addr().AsSlice(),
+				Port: int(e.Port()),
+				Zone: e.Addr().Zone(),
+			}), nil
+		}
+
+		msg, err := parseSTUNMessage(buff[:n])
+		if err != nil {
+			return 0, nil, err
+		}
+
+		err = b.udpMux.HandleSTUNMessage(msg, endpoint)
+		if err != nil {
+			return 0, nil, err
+		}
+		if err != nil {
+			log.Warnf("failed to handle packet")
+		}
+
+		// discard packets because they are STUN related
+		return 0, nil, nil //todo proper return
+	}
+}
+
+func (b *ICEBind) Close() error {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	var err1, err2 error
+	if b.sharedConn != nil {
+		c := b.sharedConn
+		b.sharedConn = nil
+		err1 = c.Close()
+	}
+
+	if b.udpMux != nil {
+		m := b.udpMux
+		b.udpMux = nil
+		err2 = m.Close()
+	}
+
+	if err1 != nil {
+		return err1
+	}
+
+	return err2
+}
+
+// SetMark sets the mark for each packet sent through this Bind.
+// This mark is passed to the kernel as the socket option SO_MARK.
+func (b *ICEBind) SetMark(mark uint32) error {
+	return nil
+}
+
+func (b *ICEBind) Send(buff []byte, endpoint conn.Endpoint) error {
+	nend, ok := endpoint.(*conn.StdNetEndpoint)
+	if !ok {
+		return conn.ErrWrongEndpointType
+	}
+	_, err := b.sharedConn.WriteTo(buff, (*net.UDPAddr)(nend))
+	return err
+}
+
+// ParseEndpoint creates a new endpoint from a string.
+func (b *ICEBind) ParseEndpoint(s string) (ep conn.Endpoint, err error) {
+	e, err := netip.ParseAddrPort(s)
+	return (*conn.StdNetEndpoint)(&net.UDPAddr{
+		IP:   e.Addr().AsSlice(),
+		Port: int(e.Port()),
+		Zone: e.Addr().Zone(),
+	}), err
+}
--- a/iface/configuration.go
+++ b/iface/configuration.go
@@ -55,7 +55,6 @@ func (w *WGIface) Configure(privateKey string, port int) error {
 		PrivateKey:   &key,
 		ReplacePeers: true,
 		FirewallMark: &fwmark,
-		ListenPort:   &port,
 	}

 	err = w.configureDevice(config)
--- a/iface/iface.go
+++ b/iface/iface.go
@@ -2,6 +2,10 @@ package iface

 import (
 	"fmt"
+	log "github.com/sirupsen/logrus"
+	"golang.zx2c4.com/wireguard/conn"
+	"golang.zx2c4.com/wireguard/device"
+	"golang.zx2c4.com/wireguard/tun"
 	"net"
 	"os"
 	"runtime"
@@ -21,6 +25,7 @@ type WGIface struct {
 	Address   WGAddress
 	Interface NetInterface
 	mu        sync.Mutex
+	Bind      *ICEBind
 }

 // WGAddress Wireguard parsed address
@@ -91,3 +96,49 @@ func (w *WGIface) Close() error {

 	return nil
 }
+
+func (w *WGIface) CreateNew(bind conn.Bind) error {
+	w.mu.Lock()
+	defer w.mu.Unlock()
+
+	return w.createWithUserspaceNew(bind)
+}
+
+func (w *WGIface) createWithUserspaceNew(bind conn.Bind) error {
+	tunIface, err := tun.CreateTUN(w.Name, w.MTU)
+	if err != nil {
+		return err
+	}
+
+	w.Interface = tunIface
+
+	// We need to create a wireguard-go device and listen to configuration requests
+	tunDevice := device.NewDevice(tunIface, bind, device.NewLogger(device.LogLevelSilent, "[wiretrustee] "))
+	err = tunDevice.Up()
+	if err != nil {
+		return err
+	}
+	uapi, err := getUAPI(w.Name)
+	if err != nil {
+		return err
+	}
+
+	go func() {
+		for {
+			uapiConn, uapiErr := uapi.Accept()
+			if uapiErr != nil {
+				log.Traceln("uapi Accept failed with error: ", uapiErr)
+				continue
+			}
+			go tunDevice.IpcHandle(uapiConn)
+		}
+	}()
+
+	log.Debugln("UAPI listener started")
+
+	err = w.assignAddr()
+	if err != nil {
+		return err
+	}
+	return nil
+}
--- a/iface/iface_darwin.go
+++ b/iface/iface_darwin.go
@@ -34,7 +34,7 @@ func (w *WGIface) assignAddr() error {
 	return nil
 }

-// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
-func WireguardModuleIsLoaded() bool {
+// WireguardModExists check if we can load wireguard mod (linux only)
+func WireguardModExists() bool {
 	return false
 }
--- a/iface/iface_linux.go
+++ b/iface/iface_linux.go
@@ -1,32 +1,45 @@
 package iface

 import (
-	"fmt"
+	"errors"
+	"math"
+	"os"
+	"syscall"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/vishvananda/netlink"
-	"os"
 )

 type NativeLink struct {
 	Link *netlink.Link
 }

+// WireguardModExists check if we can load wireguard mod (linux only)
+func WireguardModExists() bool {
+	link := newWGLink("mustnotexist")
+
+	// We willingly try to create a device with an invalid
+	// MTU here as the validation of the MTU will be performed after
+	// the validation of the link kind and hence allows us to check
+	// for the existance of the wireguard module without actually
+	// creating a link.
+	//
+	// As a side-effect, this will also let the kernel lazy-load
+	// the wireguard module.
+	link.attrs.MTU = math.MaxInt
+
+	err := netlink.LinkAdd(link)
+
+	return errors.Is(err, syscall.EINVAL)
+}
+
 // Create creates a new Wireguard interface, sets a given IP and brings it up.
 // Will reuse an existing one.
 func (w *WGIface) Create() error {
 	w.mu.Lock()
 	defer w.mu.Unlock()

-	if WireguardModuleIsLoaded() {
-		log.Info("using kernel WireGuard")
-		return w.createWithKernel()
-	} else {
-		if !tunModuleIsLoaded() {
-			return fmt.Errorf("couldn't check or load tun module")
-		}
-		log.Info("using userspace WireGuard")
-		return w.createWithUserspace()
-	}
+	return w.createWithUserspace()
 }

 // createWithKernel Creates a new Wireguard interface using kernel Wireguard module.
--- a/iface/iface_windows.go
+++ b/iface/iface_windows.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	log "github.com/sirupsen/logrus"
 	"golang.org/x/sys/windows"
+	"golang.zx2c4.com/wireguard/ipc"
 	"golang.zx2c4.com/wireguard/windows/driver"
 	"golang.zx2c4.com/wireguard/windows/tunnel/winipcfg"
 	"net"
@@ -58,7 +59,12 @@ func (w *WGIface) UpdateAddr(newAddr string) error {
 	return w.assignAddr(luid)
 }

-// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
-func WireguardModuleIsLoaded() bool {
+// WireguardModExists check if we can load wireguard mod (linux only)
+func WireguardModExists() bool {
 	return false
 }
+
+// getUAPI returns a Listener
+func getUAPI(iface string) (net.Listener, error) {
+	return ipc.UAPIListen(iface)
+}
--- a/iface/module_linux.go
+++ b/iface/module_linux.go
@@ -1,349 +0,0 @@
-// Package iface provides wireguard network interface creation and management
-package iface
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	log "github.com/sirupsen/logrus"
-	"github.com/vishvananda/netlink"
-	"golang.org/x/sys/unix"
-	"io/fs"
-	"io/ioutil"
-	"math"
-	"os"
-	"path/filepath"
-	"strings"
-	"syscall"
-)
-
-// Holds logic to check existence of kernel modules used by wireguard interfaces
-// Copied from https://github.com/paultag/go-modprobe and
-// https://github.com/pmorjan/kmod
-
-type status int
-
-const (
-	defaultModuleDir        = "/lib/modules"
-	unknown          status = iota
-	unloaded
-	unloading
-	loading
-	live
-	inuse
-)
-
-type module struct {
-	name string
-	path string
-}
-
-var (
-	// ErrModuleNotFound is the error resulting if a module can't be found.
-	ErrModuleNotFound = errors.New("module not found")
-	moduleLibDir      = defaultModuleDir
-	// get the root directory for the kernel modules. If this line panics,
-	// it's because getModuleRoot has failed to get the uname of the running
-	// kernel (likely a non-POSIX system, but maybe a broken kernel?)
-	moduleRoot = getModuleRoot()
-)
-
-// Get the module root (/lib/modules/$(uname -r)/)
-func getModuleRoot() string {
-	uname := unix.Utsname{}
-	if err := unix.Uname(&uname); err != nil {
-		panic(err)
-	}
-
-	i := 0
-	for ; uname.Release[i] != 0; i++ {
-	}
-
-	return filepath.Join(moduleLibDir, string(uname.Release[:i]))
-}
-
-// tunModuleIsLoaded check if tun module exist, if is not attempt to load it
-func tunModuleIsLoaded() bool {
-	_, err := os.Stat("/dev/net/tun")
-	if err == nil {
-		return true
-	}
-
-	log.Infof("couldn't access device /dev/net/tun, go error %v, "+
-		"will attempt to load tun module, if running on container add flag --cap-add=NET_ADMIN", err)
-
-	tunLoaded, err := tryToLoadModule("tun")
-	if err != nil {
-		log.Errorf("unable to find or load tun module, got error: %v", err)
-	}
-	return tunLoaded
-}
-
-// WireguardModuleIsLoaded check if we can load wireguard mod (linux only)
-func WireguardModuleIsLoaded() bool {
-	if canCreateFakeWireguardInterface() {
-		return true
-	}
-
-	loaded, err := tryToLoadModule("wireguard")
-	if err != nil {
-		log.Info(err)
-		return false
-	}
-
-	return loaded
-}
-
-func canCreateFakeWireguardInterface() bool {
-	link := newWGLink("mustnotexist")
-
-	// We willingly try to create a device with an invalid
-	// MTU here as the validation of the MTU will be performed after
-	// the validation of the link kind and hence allows us to check
-	// for the existance of the wireguard module without actually
-	// creating a link.
-	//
-	// As a side-effect, this will also let the kernel lazy-load
-	// the wireguard module.
-	link.attrs.MTU = math.MaxInt
-
-	err := netlink.LinkAdd(link)
-
-	return errors.Is(err, syscall.EINVAL)
-}
-
-func tryToLoadModule(moduleName string) (bool, error) {
-	if isModuleEnabled(moduleName) {
-		return true, nil
-	}
-	modulePath, err := getModulePath(moduleName)
-	if err != nil {
-		return false, fmt.Errorf("couldn't find module path for %s, error: %v", moduleName, err)
-	}
-	if modulePath == "" {
-		return false, nil
-	}
-
-	log.Infof("trying to load %s module", moduleName)
-
-	err = loadModuleWithDependencies(moduleName, modulePath)
-	if err != nil {
-		return false, fmt.Errorf("couldn't load %s module, error: %v", moduleName, err)
-	}
-	return true, nil
-}
-
-func isModuleEnabled(name string) bool {
-	builtin, builtinErr := isBuiltinModule(name)
-	state, statusErr := moduleStatus(name)
-	return (builtinErr == nil && builtin) || (statusErr == nil && state >= loading)
-}
-
-func getModulePath(name string) (string, error) {
-	var foundPath string
-	skipRemainingDirs := false
-
-	err := filepath.WalkDir(
-		moduleRoot,
-		func(path string, info fs.DirEntry, err error) error {
-			if skipRemainingDirs {
-				return fs.SkipDir
-			}
-			if err != nil {
-				// skip broken files
-				return nil
-			}
-
-			if !info.Type().IsRegular() {
-				return nil
-			}
-
-			nameFromPath := pathToName(path)
-			if nameFromPath == name {
-				foundPath = path
-				skipRemainingDirs = true
-			}
-
-			return nil
-		})
-
-	if err != nil {
-		return "", err
-	}
-
-	return foundPath, nil
-}
-
-func pathToName(s string) string {
-	s = filepath.Base(s)
-	for ext := filepath.Ext(s); ext != ""; ext = filepath.Ext(s) {
-		s = strings.TrimSuffix(s, ext)
-	}
-	return cleanName(s)
-}
-
-func cleanName(s string) string {
-	return strings.ReplaceAll(strings.TrimSpace(s), "-", "_")
-}
-
-func isBuiltinModule(name string) (bool, error) {
-	f, err := os.Open(filepath.Join(moduleRoot, "/modules.builtin"))
-	if err != nil {
-		return false, err
-	}
-	defer func() {
-		err := f.Close()
-		if err != nil {
-			log.Errorf("failed closing modules.builtin file, %v", err)
-		}
-	}()
-
-	var found bool
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		line := scanner.Text()
-		if pathToName(line) == name {
-			found = true
-			break
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return false, err
-	}
-	return found, nil
-}
-
-// /proc/modules
-//      name | memory size | reference count | references | state: <Live|Loading|Unloading>
-// 		macvlan 28672 1 macvtap, Live 0x0000000000000000
-func moduleStatus(name string) (status, error) {
-	state := unknown
-	f, err := os.Open("/proc/modules")
-	if err != nil {
-		return state, err
-	}
-	defer func() {
-		err := f.Close()
-		if err != nil {
-			log.Errorf("failed closing /proc/modules file, %v", err)
-		}
-	}()
-
-	state = unloaded
-
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		fields := strings.Fields(scanner.Text())
-		if fields[0] == name {
-			if fields[2] != "0" {
-				state = inuse
-				break
-			}
-			switch fields[4] {
-			case "Live":
-				state = live
-			case "Loading":
-				state = loading
-			case "Unloading":
-				state = unloading
-			}
-			break
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return state, err
-	}
-
-	return state, nil
-}
-
-func loadModuleWithDependencies(name, path string) error {
-	deps, err := getModuleDependencies(name)
-	if err != nil {
-		return fmt.Errorf("couldn't load list of module %s dependecies", name)
-	}
-	for _, dep := range deps {
-		err = loadModule(dep.name, dep.path)
-		if err != nil {
-			return fmt.Errorf("couldn't load dependecy module %s for %s", dep.name, name)
-		}
-	}
-	return loadModule(name, path)
-}
-
-func loadModule(name, path string) error {
-	state, err := moduleStatus(name)
-	if err != nil {
-		return err
-	}
-	if state >= loading {
-		return nil
-	}
-
-	f, err := os.Open(path)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		err := f.Close()
-		if err != nil {
-			log.Errorf("failed closing %s file, %v", path, err)
-		}
-	}()
-
-	// first try finit_module(2), then init_module(2)
-	err = unix.FinitModule(int(f.Fd()), "", 0)
-	if errors.Is(err, unix.ENOSYS) {
-		buf, err := ioutil.ReadAll(f)
-		if err != nil {
-			return err
-		}
-		return unix.InitModule(buf, "")
-	}
-	return err
-}
-
-// getModuleDependencies returns a module dependencies
-func getModuleDependencies(name string) ([]module, error) {
-	f, err := os.Open(filepath.Join(moduleRoot, "/modules.dep"))
-	if err != nil {
-		return nil, err
-	}
-	defer func() {
-		err := f.Close()
-		if err != nil {
-			log.Errorf("failed closing modules.dep file, %v", err)
-		}
-	}()
-
-	var deps []string
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		line := scanner.Text()
-		fields := strings.Fields(line)
-		if pathToName(strings.TrimSuffix(fields[0], ":")) == name {
-			deps = fields
-			break
-		}
-	}
-	if err := scanner.Err(); err != nil {
-		return nil, err
-	}
-
-	if len(deps) == 0 {
-		return nil, ErrModuleNotFound
-	}
-	deps[0] = strings.TrimSuffix(deps[0], ":")
-
-	var modules []module
-	for _, v := range deps {
-		if pathToName(v) != name {
-			modules = append(modules, module{
-				name: pathToName(v),
-				path: filepath.Join(moduleRoot, v),
-			})
-		}
-	}
-
-	return modules, nil
-}
--- a/iface/module_linux_test.go
+++ b/iface/module_linux_test.go
@@ -1,221 +0,0 @@
-package iface
-
-import (
-	"bufio"
-	"bytes"
-	"github.com/stretchr/testify/require"
-	"golang.org/x/sys/unix"
-	"io"
-	"io/ioutil"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-)
-
-func TestGetModuleDependencies(t *testing.T) {
-	testCases := []struct {
-		name     string
-		module   string
-		expected []module
-	}{
-		{
-			name:   "Get Single Dependency",
-			module: "bar",
-			expected: []module{
-				{name: "foo", path: "kernel/a/foo.ko"},
-			},
-		},
-		{
-			name:   "Get Multiple Dependencies",
-			module: "baz",
-			expected: []module{
-				{name: "foo", path: "kernel/a/foo.ko"},
-				{name: "bar", path: "kernel/a/bar.ko"},
-			},
-		},
-		{
-			name:     "Get No Dependencies",
-			module:   "foo",
-			expected: []module{},
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			defer resetGlobals()
-			_, _ = createFiles(t)
-			modules, err := getModuleDependencies(testCase.module)
-			require.NoError(t, err)
-
-			expected := testCase.expected
-			for i := range expected {
-				expected[i].path = moduleRoot + "/" + expected[i].path
-			}
-
-			require.ElementsMatchf(t, modules, expected, "returned modules should match")
-		})
-	}
-}
-
-func TestIsBuiltinModule(t *testing.T) {
-	testCases := []struct {
-		name     string
-		module   string
-		expected bool
-	}{
-		{
-			name:     "Built In Should Return True",
-			module:   "foo_bi",
-			expected: true,
-		},
-		{
-			name:     "Not Built In Should Return False",
-			module:   "not_built_in",
-			expected: false,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			defer resetGlobals()
-			_, _ = createFiles(t)
-
-			isBuiltIn, err := isBuiltinModule(testCase.module)
-			require.NoError(t, err)
-			require.Equal(t, testCase.expected, isBuiltIn)
-		})
-	}
-}
-
-func TestModuleStatus(t *testing.T) {
-	random, err := getRandomLoadedModule(t)
-	if err != nil {
-		t.Fatal("should be able to get random module")
-	}
-	testCases := []struct {
-		name           string
-		module         string
-		shouldBeLoaded bool
-	}{
-		{
-			name:           "Should Return Module Loading Or Greater Status",
-			module:         random,
-			shouldBeLoaded: true,
-		},
-		{
-			name:           "Should Return Module Unloaded Or Lower Status",
-			module:         "not_loaded_module",
-			shouldBeLoaded: false,
-		},
-	}
-
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			defer resetGlobals()
-			_, _ = createFiles(t)
-
-			state, err := moduleStatus(testCase.module)
-			require.NoError(t, err)
-			if testCase.shouldBeLoaded {
-				require.GreaterOrEqual(t, loading, state, "moduleStatus for %s should return state loading", testCase.module)
-			} else {
-				require.Less(t, state, loading, "module should return state unloading or lower")
-			}
-		})
-	}
-}
-
-func resetGlobals() {
-	moduleLibDir = defaultModuleDir
-	moduleRoot = getModuleRoot()
-}
-
-func createFiles(t *testing.T) (string, []module) {
-	writeFile := func(path, text string) {
-		if err := ioutil.WriteFile(path, []byte(text), 0644); err != nil {
-			t.Fatal(err)
-		}
-	}
-	var u unix.Utsname
-	if err := unix.Uname(&u); err != nil {
-		t.Fatal(err)
-	}
-
-	moduleLibDir = t.TempDir()
-
-	moduleRoot = getModuleRoot()
-	if err := os.Mkdir(moduleRoot, 0755); err != nil {
-		t.Fatal(err)
-	}
-
-	text := "kernel/a/foo.ko:\n"
-	text += "kernel/a/bar.ko: kernel/a/foo.ko\n"
-	text += "kernel/a/baz.ko: kernel/a/bar.ko kernel/a/foo.ko\n"
-	writeFile(filepath.Join(moduleRoot, "/modules.dep"), text)
-
-	text = "kernel/a/foo_bi.ko\n"
-	text += "kernel/a/bar-bi.ko.gz\n"
-	writeFile(filepath.Join(moduleRoot, "/modules.builtin"), text)
-
-	modules := []module{
-		{name: "foo", path: "kernel/a/foo.ko"},
-		{name: "bar", path: "kernel/a/bar.ko"},
-		{name: "baz", path: "kernel/a/baz.ko"},
-	}
-	return moduleLibDir, modules
-}
-
-func getRandomLoadedModule(t *testing.T) (string, error) {
-	f, err := os.Open("/proc/modules")
-	if err != nil {
-		return "", err
-	}
-	defer func() {
-		err := f.Close()
-		if err != nil {
-			t.Logf("failed closing /proc/modules file, %v", err)
-		}
-	}()
-	lines, err := lineCounter(f)
-	if err != nil {
-		return "", err
-	}
-	counter := 1
-	midLine := lines / 2
-	modName := ""
-	scanner := bufio.NewScanner(f)
-	for scanner.Scan() {
-		fields := strings.Fields(scanner.Text())
-		if counter == midLine {
-			if fields[4] == "Unloading" {
-				continue
-			}
-			modName = fields[0]
-			break
-		}
-		counter++
-	}
-	if scanner.Err() != nil {
-		return "", scanner.Err()
-	}
-	return modName, nil
-}
-func lineCounter(r io.Reader) (int, error) {
-	buf := make([]byte, 32*1024)
-	count := 0
-	lineSep := []byte{'\n'}
-
-	for {
-		c, err := r.Read(buf)
-		count += bytes.Count(buf[:c], lineSep)
-
-		switch {
-		case err == io.EOF:
-			return count, nil
-
-		case err != nil:
-			return count, err
-		}
-	}
-}
--- a/iface/udp_mux.go
+++ b/iface/udp_mux.go
@@ -0,0 +1,288 @@
+package iface
+
+import (
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"io"
+	"net"
+	"strings"
+	"sync"
+
+	"github.com/pion/logging"
+	"github.com/pion/stun"
+)
+
+const receiveMTU = 8192
+
+// UDPMux allows multiple connections to go over a single UDP port
+type UDPMux interface {
+	io.Closer
+	GetConn(ufrag string) (net.PacketConn, error)
+	RemoveConnByUfrag(ufrag string)
+}
+
+// UDPMuxDefault is an implementation of the interface
+type UDPMuxDefault struct {
+	params UDPMuxParams
+
+	closedChan chan struct{}
+	closeOnce  sync.Once
+
+	// conns is a map of all udpMuxedConn indexed by ufrag|network|candidateType
+	conns map[string]*udpMuxedConn
+
+	addressMapMu sync.RWMutex
+	addressMap   map[string][]*udpMuxedConn
+
+	// buffer pool to recycle buffers for net.UDPAddr encodes/decodes
+	pool *sync.Pool
+
+	mu sync.Mutex
+}
+
+const maxAddrSize = 512
+
+// UDPMuxParams are parameters for UDPMux.
+type UDPMuxParams struct {
+	Logger  logging.LeveledLogger
+	UDPConn net.PacketConn
+}
+
+// NewUDPMuxDefault creates an implementation of UDPMux
+func NewUDPMuxDefault(params UDPMuxParams) *UDPMuxDefault {
+	if params.Logger == nil {
+		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
+	}
+
+	return &UDPMuxDefault{
+		addressMap: map[string][]*udpMuxedConn{},
+		params:     params,
+		conns:      make(map[string]*udpMuxedConn),
+		closedChan: make(chan struct{}, 1),
+		pool: &sync.Pool{
+			New: func() interface{} {
+				// big enough buffer to fit both packet and address
+				return newBufferHolder(receiveMTU + maxAddrSize)
+			},
+		},
+	}
+}
+
+func (m *UDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+
+	remoteAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
+		return fmt.Errorf("underlying PacketConn did not return a UDPAddr")
+	}
+
+	// If we have already seen this address dispatch to the appropriate destination
+	// If you are using the same socket for the Host and SRFLX candidates, it might be that there are more than one
+	// muxed connection - one for the SRFLX candidate and the other one for the HOST one.
+	// We will then forward STUN packets to each of these connections.
+	m.addressMapMu.Lock()
+	var destinationConnList []*udpMuxedConn
+	if storedConns, ok := m.addressMap[addr.String()]; ok {
+		for _, conn := range storedConns {
+			destinationConnList = append(destinationConnList, conn)
+		}
+	}
+	m.addressMapMu.Unlock()
+
+	// This block is needed to discover Peer Reflexive Candidates for which we don't know the Endpoint upfront.
+	// However, we can take a username attribute from the STUN message which contains ufrag.
+	// We can use ufrag to identify the destination conn to route packet to.
+	attr, stunAttrErr := msg.Get(stun.AttrUsername)
+	if stunAttrErr == nil {
+		ufrag := strings.Split(string(attr), ":")[0]
+
+		m.mu.Lock()
+		if destinationConn, ok := m.conns[ufrag]; ok {
+			exists := false
+			for _, conn := range destinationConnList {
+				if conn.params.Key == destinationConn.params.Key {
+					exists = true
+					break
+				}
+			}
+			if !exists {
+				destinationConnList = append(destinationConnList, destinationConn)
+			}
+		}
+		m.mu.Unlock()
+	}
+
+	// Forward STUN packets to each destination connections even thought the STUN packet might not belong there.
+	// It will be discarded by the further ICE candidate logic if so.
+	for _, conn := range destinationConnList {
+		if err := conn.writePacket(msg.Raw, remoteAddr); err != nil {
+			log.Errorf("could not write packet: %v", err)
+		}
+	}
+
+	return nil
+}
+
+// LocalAddr returns the listening address of this UDPMuxDefault
+func (m *UDPMuxDefault) LocalAddr() net.Addr {
+	return m.params.UDPConn.LocalAddr()
+}
+
+// GetConn returns a PacketConn given the connection's ufrag and network
+// creates the connection if an existing one can't be found
+func (m *UDPMuxDefault) GetConn(ufrag string) (net.PacketConn, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	log.Debugf("ICE: getting muxed connection for %s", ufrag)
+
+	if m.IsClosed() {
+		return nil, io.ErrClosedPipe
+	}
+
+	if c, ok := m.conns[ufrag]; ok {
+		return c, nil
+	}
+
+	c := m.createMuxedConn(ufrag)
+	go func() {
+		<-c.CloseChannel()
+		m.removeConn(ufrag)
+	}()
+	m.conns[ufrag] = c
+	return c, nil
+}
+
+// RemoveConnByUfrag stops and removes the muxed packet connection
+func (m *UDPMuxDefault) RemoveConnByUfrag(ufrag string) {
+	m.mu.Lock()
+	removedConns := make([]*udpMuxedConn, 0)
+	for key := range m.conns {
+		if key != ufrag {
+			continue
+		}
+
+		c := m.conns[key]
+		delete(m.conns, key)
+		if c != nil {
+			removedConns = append(removedConns, c)
+		}
+	}
+	// keep lock section small to avoid deadlock with conn lock
+	m.mu.Unlock()
+
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
+	for _, c := range removedConns {
+		addresses := c.getAddresses()
+		for _, addr := range addresses {
+			if connList, ok := m.addressMap[addr]; ok {
+				var newList []*udpMuxedConn
+				for _, conn := range connList {
+					if conn.params.Key != ufrag {
+						newList = append(newList, conn)
+					}
+				}
+				m.addressMap[addr] = newList
+			}
+		}
+	}
+}
+
+// IsClosed returns true if the mux had been closed
+func (m *UDPMuxDefault) IsClosed() bool {
+	select {
+	case <-m.closedChan:
+		return true
+	default:
+		return false
+	}
+}
+
+// Close the mux, no further connections could be created
+func (m *UDPMuxDefault) Close() error {
+	var err error
+	m.closeOnce.Do(func() {
+		m.mu.Lock()
+		defer m.mu.Unlock()
+
+		for _, c := range m.conns {
+			_ = c.Close()
+		}
+		m.conns = make(map[string]*udpMuxedConn)
+		close(m.closedChan)
+	})
+	return err
+}
+
+func (m *UDPMuxDefault) removeConn(key string) {
+	m.mu.Lock()
+	c := m.conns[key]
+	delete(m.conns, key)
+	// keep lock section small to avoid deadlock with conn lock
+	m.mu.Unlock()
+
+	if c == nil {
+		return
+	}
+
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
+	addresses := c.getAddresses()
+	for _, addr := range addresses {
+		if connList, ok := m.addressMap[addr]; ok {
+			var newList []*udpMuxedConn
+			for _, conn := range connList {
+				if conn.params.Key != key {
+					newList = append(newList, conn)
+				}
+			}
+			m.addressMap[addr] = newList
+		}
+	}
+}
+
+func (m *UDPMuxDefault) writeTo(buf []byte, raddr net.Addr) (n int, err error) {
+	return m.params.UDPConn.WriteTo(buf, raddr)
+}
+
+func (m *UDPMuxDefault) registerConnForAddress(conn *udpMuxedConn, addr string) {
+	if m.IsClosed() {
+		return
+	}
+
+	m.addressMapMu.Lock()
+	defer m.addressMapMu.Unlock()
+
+	existing, ok := m.addressMap[addr]
+	if !ok {
+		existing = []*udpMuxedConn{}
+	}
+	existing = append(existing, conn)
+	m.addressMap[addr] = existing
+
+	log.Debugf("ICE: registered %s for %s", addr, conn.params.Key)
+}
+
+func (m *UDPMuxDefault) createMuxedConn(key string) *udpMuxedConn {
+	c := newUDPMuxedConn(&udpMuxedConnParams{
+		Mux:       m,
+		Key:       key,
+		AddrPool:  m.pool,
+		LocalAddr: m.LocalAddr(),
+		Logger:    m.params.Logger,
+	})
+	log.Debugf("ICE: created muxed connection %s for %s", c.LocalAddr().String(), key)
+	return c
+}
+
+type bufferHolder struct {
+	buffer []byte
+}
+
+func newBufferHolder(size int) *bufferHolder {
+	return &bufferHolder{
+		buffer: make([]byte, size),
+	}
+}
--- a/iface/udp_mux_universal.go
+++ b/iface/udp_mux_universal.go
@@ -0,0 +1,235 @@
+package iface
+
+import (
+	"errors"
+	"fmt"
+	log "github.com/sirupsen/logrus"
+	"net"
+	"time"
+
+	"github.com/pion/logging"
+	"github.com/pion/stun"
+)
+
+// UniversalUDPMux allows multiple connections to go over a single UDP port for
+// host, server reflexive and relayed candidates.
+// Actual connection muxing is happening in the UDPMux.
+type UniversalUDPMux interface {
+	UDPMux
+	GetXORMappedAddr(stunAddr net.Addr, deadline time.Duration) (*stun.XORMappedAddress, error)
+	GetRelayedAddr(turnAddr net.Addr, deadline time.Duration) (*net.Addr, error)
+	GetConnForURL(ufrag string, url string) (net.PacketConn, error)
+}
+
+// UniversalUDPMuxDefault handles STUN and TURN servers packets by wrapping the original UDPConn overriding ReadFrom.
+// It the passes packets to the UDPMux that does the actual connection muxing.
+type UniversalUDPMuxDefault struct {
+	*UDPMuxDefault
+	params UniversalUDPMuxParams
+
+	// since we have a shared socket, for srflx candidates it makes sense to have a shared mapped address across all the agents
+	// stun.XORMappedAddress indexed by the STUN server addr
+	xorMappedMap map[string]*xorMapped
+}
+
+// UniversalUDPMuxParams are parameters for UniversalUDPMux server reflexive.
+type UniversalUDPMuxParams struct {
+	Logger                logging.LeveledLogger
+	UDPConn               net.PacketConn
+	XORMappedAddrCacheTTL time.Duration
+}
+
+// NewUniversalUDPMuxDefault creates an implementation of UniversalUDPMux embedding UDPMux
+func NewUniversalUDPMuxDefault(params UniversalUDPMuxParams) *UniversalUDPMuxDefault {
+	if params.Logger == nil {
+		params.Logger = logging.NewDefaultLoggerFactory().NewLogger("ice")
+	}
+	if params.XORMappedAddrCacheTTL == 0 {
+		params.XORMappedAddrCacheTTL = time.Second * 25
+	}
+
+	m := &UniversalUDPMuxDefault{
+		params:       params,
+		xorMappedMap: make(map[string]*xorMapped),
+	}
+
+	// embed UDPMux
+	udpMuxParams := UDPMuxParams{
+		Logger:  params.Logger,
+		UDPConn: m.params.UDPConn,
+	}
+	m.UDPMuxDefault = NewUDPMuxDefault(udpMuxParams)
+
+	return m
+}
+
+// GetRelayedAddr creates relayed connection to the given TURN service and returns the relayed addr.
+// Not implemented yet.
+func (m *UniversalUDPMuxDefault) GetRelayedAddr(turnAddr net.Addr, deadline time.Duration) (*net.Addr, error) {
+	return nil, errors.New("not implemented yet")
+}
+
+// GetConnForURL add uniques to the muxed connection by concatenating ufrag and URL (e.g. STUN URL) to be able to support multiple STUN/TURN servers
+// and return a unique connection per server.
+func (m *UniversalUDPMuxDefault) GetConnForURL(ufrag string, url string) (net.PacketConn, error) {
+	return m.UDPMuxDefault.GetConn(fmt.Sprintf("%s%s", ufrag, url))
+}
+
+func (m *UniversalUDPMuxDefault) HandleSTUNMessage(msg *stun.Message, addr net.Addr) error {
+
+	udpAddr, ok := addr.(*net.UDPAddr)
+	if !ok {
+		// message about this err will be logged in the UDPMux
+		return nil
+	}
+
+	if m.isXORMappedResponse(msg, udpAddr.String()) {
+		err := m.handleXORMappedResponse(udpAddr, msg)
+		if err != nil {
+			log.Debugf("%w: %v", errors.New("failed to get XOR-MAPPED-ADDRESS response"), err)
+			return nil
+		}
+		return nil
+	}
+	return m.UDPMuxDefault.HandleSTUNMessage(msg, addr)
+}
+
+// isXORMappedResponse indicates whether the message is a XORMappedAddress and is coming from the known STUN server.
+func (m *UniversalUDPMuxDefault) isXORMappedResponse(msg *stun.Message, stunAddr string) bool {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	// check first if it is a STUN server address because remote peer can also send similar messages but as a BindingSuccess
+	_, ok := m.xorMappedMap[stunAddr]
+	_, err := msg.Get(stun.AttrXORMappedAddress)
+	return err == nil && ok
+}
+
+// handleXORMappedResponse parses response from the STUN server, extracts XORMappedAddress attribute
+// and set the mapped address for the server
+func (m *UniversalUDPMuxDefault) handleXORMappedResponse(stunAddr *net.UDPAddr, msg *stun.Message) error {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	mappedAddr, ok := m.xorMappedMap[stunAddr.String()]
+	if !ok {
+		return errors.New("no address mapping")
+	}
+
+	var addr stun.XORMappedAddress
+	if err := addr.GetFrom(msg); err != nil {
+		return err
+	}
+
+	m.xorMappedMap[stunAddr.String()] = mappedAddr
+	mappedAddr.SetAddr(&addr)
+
+	return nil
+}
+
+// GetXORMappedAddr returns *stun.XORMappedAddress if already present for a given STUN server.
+// Makes a STUN binding request to discover mapped address otherwise.
+// Blocks until the stun.XORMappedAddress has been discovered or deadline.
+// Method is safe for concurrent use.
+func (m *UniversalUDPMuxDefault) GetXORMappedAddr(serverAddr net.Addr, deadline time.Duration) (*stun.XORMappedAddress, error) {
+	m.mu.Lock()
+	mappedAddr, ok := m.xorMappedMap[serverAddr.String()]
+	// if we already have a mapping for this STUN server (address already received)
+	// and if it is not too old we return it without making a new request to STUN server
+	if ok {
+		if mappedAddr.expired() {
+			mappedAddr.closeWaiters()
+			delete(m.xorMappedMap, serverAddr.String())
+			ok = false
+		} else if mappedAddr.pending() {
+			ok = false
+		}
+	}
+	m.mu.Unlock()
+	if ok {
+		return mappedAddr.addr, nil
+	}
+
+	// otherwise, make a STUN request to discover the address
+	// or wait for already sent request to complete
+	waitAddrReceived, err := m.sendStun(serverAddr)
+	if err != nil {
+		return nil, errors.New("failed to send STUN packet")
+	}
+
+	// block until response was handled by the connWorker routine and XORMappedAddress was updated
+	select {
+	case <-waitAddrReceived:
+		// when channel closed, addr was obtained
+		m.mu.Lock()
+		mappedAddr := *m.xorMappedMap[serverAddr.String()]
+		m.mu.Unlock()
+		if mappedAddr.addr == nil {
+			return nil, errors.New("no address mapping")
+		}
+		return mappedAddr.addr, nil
+	case <-time.After(deadline):
+		return nil, errors.New("timeout while waiting for XORMappedAddr")
+	}
+}
+
+// sendStun sends a STUN request via UDP conn.
+//
+// The returned channel is closed when the STUN response has been received.
+// Method is safe for concurrent use.
+func (m *UniversalUDPMuxDefault) sendStun(serverAddr net.Addr) (chan struct{}, error) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// if record present in the map, we already sent a STUN request,
+	// just wait when waitAddrReceived will be closed
+	addrMap, ok := m.xorMappedMap[serverAddr.String()]
+	if !ok {
+		addrMap = &xorMapped{
+			expiresAt:        time.Now().Add(m.params.XORMappedAddrCacheTTL),
+			waitAddrReceived: make(chan struct{}),
+		}
+		m.xorMappedMap[serverAddr.String()] = addrMap
+	}
+
+	req, err := stun.Build(stun.BindingRequest, stun.TransactionID)
+	if err != nil {
+		return nil, err
+	}
+
+	if _, err = m.params.UDPConn.WriteTo(req.Raw, serverAddr); err != nil {
+		return nil, err
+	}
+
+	return addrMap.waitAddrReceived, nil
+}
+
+type xorMapped struct {
+	addr             *stun.XORMappedAddress
+	waitAddrReceived chan struct{}
+	expiresAt        time.Time
+}
+
+func (a *xorMapped) closeWaiters() {
+	select {
+	case <-a.waitAddrReceived:
+		// notify was close, ok, that means we received duplicate response
+		// just exit
+		break
+	default:
+		// notify tha twe have a new addr
+		close(a.waitAddrReceived)
+	}
+}
+
+func (a *xorMapped) pending() bool {
+	return a.addr == nil
+}
+
+func (a *xorMapped) expired() bool {
+	return a.expiresAt.Before(time.Now())
+}
+
+func (a *xorMapped) SetAddr(addr *stun.XORMappedAddress) {
+	a.addr = addr
+	a.closeWaiters()
+}
--- a/iface/udp_muxed_conn.go
+++ b/iface/udp_muxed_conn.go
@@ -0,0 +1,246 @@
+package iface
+
+import (
+	"encoding/binary"
+	"io"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/pion/logging"
+	"github.com/pion/transport/packetio"
+)
+
+type udpMuxedConnParams struct {
+	Mux       *UDPMuxDefault
+	AddrPool  *sync.Pool
+	Key       string
+	LocalAddr net.Addr
+	Logger    logging.LeveledLogger
+}
+
+// udpMuxedConn represents a logical packet conn for a single remote as identified by ufrag
+type udpMuxedConn struct {
+	params *udpMuxedConnParams
+	// remote addresses that we have sent to on this conn
+	addresses []string
+
+	// channel holding incoming packets
+	buffer     *packetio.Buffer
+	closedChan chan struct{}
+	closeOnce  sync.Once
+	mu         sync.Mutex
+}
+
+func newUDPMuxedConn(params *udpMuxedConnParams) *udpMuxedConn {
+	p := &udpMuxedConn{
+		params:     params,
+		buffer:     packetio.NewBuffer(),
+		closedChan: make(chan struct{}),
+	}
+
+	return p
+}
+
+func (c *udpMuxedConn) ReadFrom(b []byte) (n int, raddr net.Addr, err error) {
+	buf := c.params.AddrPool.Get().(*bufferHolder)
+	defer c.params.AddrPool.Put(buf)
+
+	// read address
+	total, err := c.buffer.Read(buf.buffer)
+	if err != nil {
+		return 0, nil, err
+	}
+
+	dataLen := int(binary.LittleEndian.Uint16(buf.buffer[:2]))
+	if dataLen > total || dataLen > len(b) {
+		return 0, nil, io.ErrShortBuffer
+	}
+
+	// read data and then address
+	offset := 2
+	copy(b, buf.buffer[offset:offset+dataLen])
+	offset += dataLen
+
+	// read address len & decode address
+	addrLen := int(binary.LittleEndian.Uint16(buf.buffer[offset : offset+2]))
+	offset += 2
+
+	if raddr, err = decodeUDPAddr(buf.buffer[offset : offset+addrLen]); err != nil {
+		return 0, nil, err
+	}
+
+	return dataLen, raddr, nil
+}
+
+func (c *udpMuxedConn) WriteTo(buf []byte, raddr net.Addr) (n int, err error) {
+	if c.isClosed() {
+		return 0, io.ErrClosedPipe
+	}
+	// each time we write to a new address, we'll register it with the mux
+	addr := raddr.String()
+	if !c.containsAddress(addr) {
+		c.addAddress(addr)
+	}
+
+	return c.params.Mux.writeTo(buf, raddr)
+}
+
+func (c *udpMuxedConn) LocalAddr() net.Addr {
+	return c.params.LocalAddr
+}
+
+func (c *udpMuxedConn) SetDeadline(tm time.Time) error {
+	return nil
+}
+
+func (c *udpMuxedConn) SetReadDeadline(tm time.Time) error {
+	return nil
+}
+
+func (c *udpMuxedConn) SetWriteDeadline(tm time.Time) error {
+	return nil
+}
+
+func (c *udpMuxedConn) CloseChannel() <-chan struct{} {
+	return c.closedChan
+}
+
+func (c *udpMuxedConn) Close() error {
+	var err error
+	c.closeOnce.Do(func() {
+		err = c.buffer.Close()
+		close(c.closedChan)
+	})
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	c.addresses = nil
+	return err
+}
+
+func (c *udpMuxedConn) isClosed() bool {
+	select {
+	case <-c.closedChan:
+		return true
+	default:
+		return false
+	}
+}
+
+func (c *udpMuxedConn) getAddresses() []string {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	addresses := make([]string, len(c.addresses))
+	copy(addresses, c.addresses)
+	return addresses
+}
+
+func (c *udpMuxedConn) addAddress(addr string) {
+	c.mu.Lock()
+	c.addresses = append(c.addresses, addr)
+	c.mu.Unlock()
+
+	// map it on mux
+	c.params.Mux.registerConnForAddress(c, addr)
+}
+
+func (c *udpMuxedConn) removeAddress(addr string) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	newAddresses := make([]string, 0, len(c.addresses))
+	for _, a := range c.addresses {
+		if a != addr {
+			newAddresses = append(newAddresses, a)
+		}
+	}
+
+	c.addresses = newAddresses
+}
+
+func (c *udpMuxedConn) containsAddress(addr string) bool {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	for _, a := range c.addresses {
+		if addr == a {
+			return true
+		}
+	}
+	return false
+}
+
+func (c *udpMuxedConn) writePacket(data []byte, addr *net.UDPAddr) error {
+	// write two packets, address and data
+	buf := c.params.AddrPool.Get().(*bufferHolder)
+	defer c.params.AddrPool.Put(buf)
+
+	// format of buffer | data len | data bytes | addr len | addr bytes |
+	if len(buf.buffer) < len(data)+maxAddrSize {
+		return io.ErrShortBuffer
+	}
+	// data len
+	binary.LittleEndian.PutUint16(buf.buffer, uint16(len(data)))
+	offset := 2
+
+	// data
+	copy(buf.buffer[offset:], data)
+	offset += len(data)
+
+	// write address first, leaving room for its length
+	n, err := encodeUDPAddr(addr, buf.buffer[offset+2:])
+	if err != nil {
+		return nil
+	}
+	total := offset + n + 2
+
+	// address len
+	binary.LittleEndian.PutUint16(buf.buffer[offset:], uint16(n))
+
+	if _, err := c.buffer.Write(buf.buffer[:total]); err != nil {
+		return err
+	}
+	return nil
+}
+
+func encodeUDPAddr(addr *net.UDPAddr, buf []byte) (int, error) {
+	ipdata, err := addr.IP.MarshalText()
+	if err != nil {
+		return 0, err
+	}
+	total := 2 + len(ipdata) + 2 + len(addr.Zone)
+	if total > len(buf) {
+		return 0, io.ErrShortBuffer
+	}
+
+	binary.LittleEndian.PutUint16(buf, uint16(len(ipdata)))
+	offset := 2
+	n := copy(buf[offset:], ipdata)
+	offset += n
+	binary.LittleEndian.PutUint16(buf[offset:], uint16(addr.Port))
+	offset += 2
+	copy(buf[offset:], addr.Zone)
+	return total, nil
+}
+
+func decodeUDPAddr(buf []byte) (*net.UDPAddr, error) {
+	addr := net.UDPAddr{}
+
+	offset := 0
+	ipLen := int(binary.LittleEndian.Uint16(buf[:2]))
+	offset += 2
+	// basic bounds checking
+	if ipLen+offset > len(buf) {
+		return nil, io.ErrShortBuffer
+	}
+	if err := addr.IP.UnmarshalText(buf[offset : offset+ipLen]); err != nil {
+		return nil, err
+	}
+	offset += ipLen
+	addr.Port = int(binary.LittleEndian.Uint16(buf[offset : offset+2]))
+	offset += 2
+	zone := make([]byte, len(buf[offset:]))
+	copy(zone, buf[offset:])
+	addr.Zone = string(zone)
+
+	return &addr, nil
+}
--- a/management/client/grpc.go
+++ b/management/client/grpc.go
@@ -109,7 +109,7 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 			return err
 		}

-		stream, err := c.connectToStream(*serverPubKey)
+		cancel, stream, err := c.connectToStream(*serverPubKey)
 		if err != nil {
 			log.Debugf("failed to open Management Service stream: %s", err)
 			if s, ok := gstatus.FromError(err); ok && s.Code() == codes.PermissionDenied {
@@ -117,6 +117,7 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 			}
 			return err
 		}
+		defer cancel()

 		log.Infof("connected to the Management Service stream")

@@ -145,7 +146,7 @@ func (c *GrpcClient) Sync(msgHandler func(msg *proto.SyncResponse) error) error
 	return nil
 }

-func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (proto.ManagementService_SyncClient, error) {
+func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (context.CancelFunc, proto.ManagementService_SyncClient, error) {
 	req := &proto.SyncRequest{}

 	myPrivateKey := c.key
@@ -154,11 +155,16 @@ func (c *GrpcClient) connectToStream(serverPubKey wgtypes.Key) (proto.Management
 	encryptedReq, err := encryption.EncryptMessage(serverPubKey, myPrivateKey, req)
 	if err != nil {
 		log.Errorf("failed encrypting message: %s", err)
-		return nil, err
+		return nil, nil, err
 	}
-
+	ctx, cancel := context.WithCancel(c.ctx)
 	syncReq := &proto.EncryptedMessage{WgPubKey: myPublicKey.String(), Body: encryptedReq}
-	return c.realClient.Sync(c.ctx, syncReq)
+	sync, err := c.realClient.Sync(ctx, syncReq)
+	if err != nil {
+		cancel()
+		return nil, nil, err
+	}
+	return cancel, sync, nil
 }

 func (c *GrpcClient) receiveEvents(stream proto.ManagementService_SyncClient, serverPubKey wgtypes.Key, msgHandler func(msg *proto.SyncResponse) error) error {
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -31,23 +31,20 @@ const (
 type AccountManager interface {
 	GetOrCreateAccountByUser(userId, domain string) (*Account, error)
 	GetAccountByUser(userId string) (*Account, error)
-	CreateSetupKey(
+	AddSetupKey(
 		accountId string,
 		keyName string,
 		keyType SetupKeyType,
 		expiresIn time.Duration,
-		autoGroups []string,
 	) (*SetupKey, error)
-	SaveSetupKey(accountID string, key *SetupKey) (*SetupKey, error)
-	SaveUser(accountID string, key *User) (*UserInfo, error)
-	GetSetupKey(accountID, keyID string) (*SetupKey, error)
+	RevokeSetupKey(accountId string, keyId string) (*SetupKey, error)
+	RenameSetupKey(accountId string, keyId string, newName string) (*SetupKey, error)
 	GetAccountById(accountId string) (*Account, error)
 	GetAccountByUserOrAccountId(userId, accountId, domain string) (*Account, error)
 	GetAccountWithAuthorizationClaims(claims jwtclaims.AuthorizationClaims) (*Account, error)
 	IsUserAdmin(claims jwtclaims.AuthorizationClaims) (bool, error)
 	AccountExists(accountId string) (*bool, error)
 	GetPeer(peerKey string) (*Peer, error)
-	GetPeers(accountID string) ([]*PeerInfo, error)
 	MarkPeerConnected(peerKey string, connected bool) error
 	RenamePeer(accountId string, peerKey string, newName string) (*Peer, error)
 	DeletePeer(accountId string, peerKey string) (*Peer, error)
@@ -58,7 +55,7 @@ type AccountManager interface {
 	AddPeer(setupKey string, userId string, peer *Peer) (*Peer, error)
 	UpdatePeerMeta(peerKey string, meta PeerSystemMeta) error
 	UpdatePeerSSHKey(peerKey string, sshKey string) error
-	GetUsers(accountId string) ([]*UserInfo, error)
+	GetUsersFromAccount(accountId string) ([]*UserInfo, error)
 	GetGroup(accountId, groupID string) (*Group, error)
 	SaveGroup(accountId string, group *Group) error
 	UpdateGroup(accountID string, groupID string, operations []GroupUpdateOperation) (*Group, error)
@@ -78,7 +75,6 @@ type AccountManager interface {
 	UpdateRoute(accountID string, routeID string, operations []RouteUpdateOperation) (*route.Route, error)
 	DeleteRoute(accountID, routeID string) error
 	ListRoutes(accountID string) ([]*route.Route, error)
-	ListSetupKeys(accountID string) ([]*SetupKey, error)
 }

 type DefaultAccountManager struct {
@@ -109,11 +105,10 @@ type Account struct {
 }

 type UserInfo struct {
-	ID         string   `json:"id"`
-	Email      string   `json:"email"`
-	Name       string   `json:"name"`
-	Role       string   `json:"role"`
-	AutoGroups []string `json:"auto_groups"`
+	ID    string `json:"id"`
+	Email string `json:"email"`
+	Name  string `json:"name"`
+	Role  string `json:"role"`
 }

 func (a *Account) Copy() *Account {
@@ -249,6 +244,93 @@ func (am *DefaultAccountManager) warmupIDPCache() error {
 	return nil
 }

+// AddSetupKey generates a new setup key with a given name and type, and adds it to the specified account
+func (am *DefaultAccountManager) AddSetupKey(
+	accountId string,
+	keyName string,
+	keyType SetupKeyType,
+	expiresIn time.Duration,
+) (*SetupKey, error) {
+	am.mux.Lock()
+	defer am.mux.Unlock()
+
+	keyDuration := DefaultSetupKeyDuration
+	if expiresIn != 0 {
+		keyDuration = expiresIn
+	}
+
+	account, err := am.Store.GetAccount(accountId)
+	if err != nil {
+		return nil, status.Errorf(codes.NotFound, "account not found")
+	}
+
+	setupKey := GenerateSetupKey(keyName, keyType, keyDuration)
+	account.SetupKeys[setupKey.Key] = setupKey
+
+	err = am.Store.SaveAccount(account)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed adding account key")
+	}
+
+	return setupKey, nil
+}
+
+// RevokeSetupKey marks SetupKey as revoked - becomes not valid anymore
+func (am *DefaultAccountManager) RevokeSetupKey(accountId string, keyId string) (*SetupKey, error) {
+	am.mux.Lock()
+	defer am.mux.Unlock()
+
+	account, err := am.Store.GetAccount(accountId)
+	if err != nil {
+		return nil, status.Errorf(codes.NotFound, "account not found")
+	}
+
+	setupKey := getAccountSetupKeyById(account, keyId)
+	if setupKey == nil {
+		return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", keyId)
+	}
+
+	keyCopy := setupKey.Copy()
+	keyCopy.Revoked = true
+	account.SetupKeys[keyCopy.Key] = keyCopy
+	err = am.Store.SaveAccount(account)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed adding account key")
+	}
+
+	return keyCopy, nil
+}
+
+// RenameSetupKey renames existing setup key of the specified account.
+func (am *DefaultAccountManager) RenameSetupKey(
+	accountId string,
+	keyId string,
+	newName string,
+) (*SetupKey, error) {
+	am.mux.Lock()
+	defer am.mux.Unlock()
+
+	account, err := am.Store.GetAccount(accountId)
+	if err != nil {
+		return nil, status.Errorf(codes.NotFound, "account not found")
+	}
+
+	setupKey := getAccountSetupKeyById(account, keyId)
+	if setupKey == nil {
+		return nil, status.Errorf(codes.NotFound, "unknown setupKey %s", keyId)
+	}
+
+	keyCopy := setupKey.Copy()
+	keyCopy.Name = newName
+	account.SetupKeys[keyCopy.Key] = keyCopy
+	err = am.Store.SaveAccount(account)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed adding account key")
+	}
+
+	return keyCopy, nil
+}
+
 // GetAccountById returns an existing account using its ID or error (NotFound) if doesn't exist
 func (am *DefaultAccountManager) GetAccountById(accountId string) (*Account, error) {
 	am.mux.Lock()
@@ -303,23 +385,17 @@ func (am *DefaultAccountManager) updateIDPMetadata(userId, accountID string) err
 	return nil
 }

-func (am *DefaultAccountManager) loadFromCache(_ context.Context, accountID interface{}) (interface{}, error) {
-	return am.idpManager.GetAccount(fmt.Sprintf("%v", accountID))
+func mergeLocalAndQueryUser(queried idp.UserData, local User) *UserInfo {
+	return &UserInfo{
+		ID:    local.Id,
+		Email: queried.Email,
+		Name:  queried.Name,
+		Role:  string(local.Role),
+	}
 }

-func (am *DefaultAccountManager) lookupUserInCache(user *User, accountID string) (*idp.UserData, error) {
-	userData, err := am.lookupCache(map[string]*User{user.Id: user}, accountID)
-	if err != nil {
-		return nil, err
-	}
-
-	for _, datum := range userData {
-		if datum.ID == user.Id {
-			return datum, nil
-		}
-	}
-
-	return nil, status.Errorf(codes.NotFound, "user %s not found in the IdP", user.Id)
+func (am *DefaultAccountManager) loadFromCache(_ context.Context, accountID interface{}) (interface{}, error) {
+	return am.idpManager.GetAccount(fmt.Sprintf("%v", accountID))
 }

 func (am *DefaultAccountManager) lookupCache(accountUsers map[string]*User, accountID string) ([]*idp.UserData, error) {
@@ -361,6 +437,46 @@ func (am *DefaultAccountManager) lookupCache(accountUsers map[string]*User, acco
 	return userData, err
 }

+// GetUsersFromAccount performs a batched request for users from IDP by account id
+func (am *DefaultAccountManager) GetUsersFromAccount(accountID string) ([]*UserInfo, error) {
+	account, err := am.GetAccountById(accountID)
+	if err != nil {
+		return nil, err
+	}
+
+	queriedUsers := make([]*idp.UserData, 0)
+	if !isNil(am.idpManager) {
+		queriedUsers, err = am.lookupCache(account.Users, accountID)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	userInfo := make([]*UserInfo, 0)
+
+	// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
+	if len(queriedUsers) == 0 {
+		for _, user := range account.Users {
+			userInfo = append(userInfo, &UserInfo{
+				ID:    user.Id,
+				Email: "",
+				Name:  "",
+				Role:  string(user.Role),
+			})
+		}
+		return userInfo, nil
+	}
+
+	for _, queriedUser := range queriedUsers {
+		if localUser, contains := account.Users[queriedUser.ID]; contains {
+			userInfo = append(userInfo, mergeLocalAndQueryUser(*queriedUser, *localUser))
+			log.Debugf("Merged userinfo to send back; %v", userInfo)
+		}
+	}
+
+	return userInfo, nil
+}
+
 // updateAccountDomainAttributes updates the account domain attributes and then, saves the account
 func (am *DefaultAccountManager) updateAccountDomainAttributes(
 	account *Account,
@@ -388,6 +504,7 @@ func (am *DefaultAccountManager) updateAccountDomainAttributes(

 // handleExistingUserAccount handles existing User accounts and update its domain attributes.
 //
+//
 // If there is no primary domain account yet, we set the account as primary for the domain. Otherwise,
 // we compare the account's ID with the domain account ID, and if they don't match, we set the account as
 // non-primary account for the domain. We don't merge accounts at this stage, because of cases when a domain
@@ -571,7 +688,7 @@ func newAccountWithId(accountId, userId, domain string) *Account {

 	setupKeys := make(map[string]*SetupKey)
 	defaultKey := GenerateDefaultSetupKey()
-	oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration, []string{})
+	oneOffKey := GenerateSetupKey("One-off key", SetupKeyOneOff, DefaultSetupKeyDuration)
 	setupKeys[defaultKey.Key] = defaultKey
 	setupKeys[oneOffKey.Key] = oneOffKey
 	network := NewNetwork()
@@ -596,6 +713,15 @@ func newAccountWithId(accountId, userId, domain string) *Account {
 	return acc
 }

+func getAccountSetupKeyById(acc *Account, keyId string) *SetupKey {
+	for _, k := range acc.SetupKeys {
+		if keyId == k.Id {
+			return k
+		}
+	}
+	return nil
+}
+
 func getAccountSetupKeyByKey(acc *Account, key string) *SetupKey {
 	for _, k := range acc.SetupKeys {
 		if key == k.Key {
--- a/management/server/account_test.go
+++ b/management/server/account_test.go
@@ -847,7 +847,7 @@ func TestGetUsersFromAccount(t *testing.T) {
 		account.Users[user.Id] = user
 	}

-	userInfos, err := manager.GetUsers(accountId)
+	userInfos, err := manager.GetUsersFromAccount(accountId)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/management/server/grpcserver.go
+++ b/management/server/grpcserver.go
@@ -17,7 +17,6 @@ import (
 	log "github.com/sirupsen/logrus"
 	"golang.zx2c4.com/wireguard/wgctrl/wgtypes"
 	"google.golang.org/grpc/codes"
-	gRPCPeer "google.golang.org/grpc/peer"
 	"google.golang.org/grpc/status"
 )

@@ -80,10 +79,7 @@ func (s *GRPCServer) GetServerKey(ctx context.Context, req *proto.Empty) (*proto
 // Sync validates the existence of a connecting peer, sends an initial state (all available for the connecting peers) and
 // notifies the connected peer of any updates (e.g. new peers under the same account)
 func (s *GRPCServer) Sync(req *proto.EncryptedMessage, srv proto.ManagementService_SyncServer) error {
-	p, ok := gRPCPeer.FromContext(srv.Context())
-	if ok {
-		log.Debugf("Sync request from peer [%s] [%s]", req.WgPubKey, p.Addr.String())
-	}
+	log.Debugf("Sync request from peer %s", req.WgPubKey)

 	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
 	if err != nil {
@@ -259,10 +255,7 @@ func (s *GRPCServer) registerPeer(peerKey wgtypes.Key, req *proto.LoginRequest)
 // In case it isn't, the endpoint checks whether setup key is provided within the request and tries to register a peer.
 // In case of the successful registration login is also successful
 func (s *GRPCServer) Login(ctx context.Context, req *proto.EncryptedMessage) (*proto.EncryptedMessage, error) {
-	p, ok := gRPCPeer.FromContext(ctx)
-	if ok {
-		log.Debugf("Login request from peer [%s] [%s]", req.WgPubKey, p.Addr.String())
-	}
+	log.Debugf("Login request from peer %s", req.WgPubKey)

 	peerKey, err := wgtypes.ParseKey(req.GetWgPubKey())
 	if err != nil {
--- a/management/server/http/api/openapi.yml
+++ b/management/server/http/api/openapi.yml
@@ -31,45 +31,13 @@ components:
          description: User's name from idp provider
          type: string
        role:
-          description: User's NetBird account role
+          description: User's Netbird account role
          type: string
-        auto_groups:
-          description: Groups to auto-assign to peers registered by this user
-          type: array
-          items:
-            type: string
      required:
      - id
      - email
      - name
      - role
-      - auto_groups
-    UserMinimum:
-      type: object
-      properties:
-        id:
-          description: User ID
-          type: string
-        email:
-          description: User's email address
-          type: string
-        name:
-          description: User's name from idp provider
-          type: string
-    UserRequest:
-      type: object
-      properties:
-        role:
-          description: User's NetBird account role
-          type: string
-        auto_groups:
-          description: Groups to auto-assign to peers registered by this user
-          type: array
-          items:
-            type: string
-      required:
-        - role
-        - auto_groups
    PeerMinimum:
      type: object
      properties:
@@ -122,11 +90,6 @@ components:
            ssh_enabled:
              description: Indicates whether SSH server is enabled on this peer
              type: boolean
-            user:
-              $ref: '#/components/schemas/UserMinimum'
-            host_name:
-              description: Peer's hostname
-              type: string
          required:
          - ip
          - connected
@@ -171,15 +134,6 @@ components:
        state:
          description: Setup key status, "valid", "overused","expired" or "revoked"
          type: string
-        auto_groups:
-          description: Setup key groups to auto-assign to peers registered with this key
-          type: array
-          items:
-            type: string
-        updated_at:
-          description: Setup key last update date
-          type: string
-          format: date-time
      required:
      - id
      - key
@@ -191,8 +145,6 @@ components:
      - used_times
      - last_used
      - state
-      - auto_groups
-      - updated_at
    SetupKeyRequest:
      type: object
      properties:
@@ -208,17 +160,11 @@ components:
        revoked:
          description: Setup key revocation status
          type: boolean
-        auto_groups:
-          description: Setup key groups to auto-assign to peers registered with this key
-          type: array
-          items:
-            type: string
      required:
        - name
        - type
        - expires_in
        - revoked
-        - auto_groups
    GroupMinimum:
      type: object
      properties:
@@ -446,40 +392,6 @@ paths:
          "$ref": "#/components/responses/forbidden"
        '500':
          "$ref": "#/components/responses/internal_error"
-  /api/users/{id}:
-    put:
-      summary: Update information about a User
-      tags: [ Users]
-      security:
-        - BearerAuth: [ ]
-      parameters:
-        - in: path
-          name: id
-          required: true
-          schema:
-            type: string
-          description: The User ID
-      requestBody:
-        description: User update
-        content:
-          'application/json':
-            schema:
-              $ref: '#/components/schemas/UserRequest'
-      responses:
-        '200':
-          description: A User object
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/User'
-        '400':
-          "$ref": "#/components/responses/bad_request"
-        '401':
-          "$ref": "#/components/responses/requires_authentication"
-        '403':
-          "$ref": "#/components/responses/forbidden"
-        '500':
-          "$ref": "#/components/responses/internal_error"
  /api/peers:
    get:
      summary: Returns a list of all peers
--- a/management/server/http/api/types.gen.go
+++ b/management/server/http/api/types.gen.go
@@ -137,9 +137,6 @@ type Peer struct {
 	// Groups that the peer belongs to
 	Groups []GroupMinimum `json:"groups"`

-	// Peer's hostname
-	HostName *string `json:"host_name,omitempty"`
-
 	// Peer ID
 	Id string `json:"id"`

@@ -156,8 +153,7 @@ type Peer struct {
 	Os string `json:"os"`

 	// Indicates whether SSH server is enabled on this peer
-	SshEnabled bool         `json:"ssh_enabled"`
-	User       *UserMinimum `json:"user,omitempty"`
+	SshEnabled bool `json:"ssh_enabled"`

 	// Peer's daemon or cli version
 	Version string `json:"version"`
@@ -303,9 +299,6 @@ type RulePatchOperationPath string

 // SetupKey defines model for SetupKey.
 type SetupKey struct {
-	// Setup key groups to auto-assign to peers registered with this key
-	AutoGroups []string `json:"auto_groups"`
-
 	// Setup Key expiration date
 	Expires time.Time `json:"expires"`

@@ -330,9 +323,6 @@ type SetupKey struct {
 	// Setup key type, one-off for single time usage and reusable
 	Type string `json:"type"`

-	// Setup key last update date
-	UpdatedAt time.Time `json:"updated_at"`
-
 	// Usage count of setup key
 	UsedTimes int `json:"used_times"`

@@ -342,9 +332,6 @@ type SetupKey struct {

 // SetupKeyRequest defines model for SetupKeyRequest.
 type SetupKeyRequest struct {
-	// Setup key groups to auto-assign to peers registered with this key
-	AutoGroups []string `json:"auto_groups"`
-
 	// Expiration time in seconds
 	ExpiresIn int `json:"expires_in"`

@@ -360,9 +347,6 @@ type SetupKeyRequest struct {

 // User defines model for User.
 type User struct {
-	// Groups to auto-assign to peers registered by this user
-	AutoGroups []string `json:"auto_groups"`
-
 	// User's email address
 	Email string `json:"email"`

@@ -372,28 +356,7 @@ type User struct {
 	// User's name from idp provider
 	Name string `json:"name"`

-	// User's NetBird account role
-	Role string `json:"role"`
-}
-
-// UserMinimum defines model for UserMinimum.
-type UserMinimum struct {
-	// User's email address
-	Email *string `json:"email,omitempty"`
-
-	// User ID
-	Id *string `json:"id,omitempty"`
-
-	// User's name from idp provider
-	Name *string `json:"name,omitempty"`
-}
-
-// UserRequest defines model for UserRequest.
-type UserRequest struct {
-	// Groups to auto-assign to peers registered by this user
-	AutoGroups []string `json:"auto_groups"`
-
-	// User's NetBird account role
+	// User's Netbird account role
 	Role string `json:"role"`
 }

@@ -470,9 +433,6 @@ type PostApiSetupKeysJSONBody = SetupKeyRequest
 // PutApiSetupKeysIdJSONBody defines parameters for PutApiSetupKeysId.
 type PutApiSetupKeysIdJSONBody = SetupKeyRequest

-// PutApiUsersIdJSONBody defines parameters for PutApiUsersId.
-type PutApiUsersIdJSONBody = UserRequest
-
 // PostApiGroupsJSONRequestBody defines body for PostApiGroups for application/json ContentType.
 type PostApiGroupsJSONRequestBody PostApiGroupsJSONBody

@@ -508,6 +468,3 @@ type PostApiSetupKeysJSONRequestBody = PostApiSetupKeysJSONBody

 // PutApiSetupKeysIdJSONRequestBody defines body for PutApiSetupKeysId for application/json ContentType.
 type PutApiSetupKeysIdJSONRequestBody = PutApiSetupKeysIdJSONBody
-
-// PutApiUsersIdJSONRequestBody defines body for PutApiUsersId for application/json ContentType.
-type PutApiUsersIdJSONRequestBody = PutApiUsersIdJSONBody
--- a/management/server/http/handler.go
+++ b/management/server/http/handler.go
@@ -39,12 +39,12 @@ func APIHandler(accountManager s.AccountManager, authIssuer string, authAudience
 	apiHandler.HandleFunc("/api/peers/{id}", peersHandler.HandlePeer).
 		Methods("GET", "PUT", "DELETE", "OPTIONS")
 	apiHandler.HandleFunc("/api/users", userHandler.GetUsers).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/api/users/{id}", userHandler.UpdateUser).Methods("PUT", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys", keysHandler.GetKeys).Methods("GET", "POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys/{id}", keysHandler.HandleKey).Methods("GET", "PUT", "OPTIONS")

-	apiHandler.HandleFunc("/api/setup-keys", keysHandler.GetAllSetupKeysHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/api/setup-keys", keysHandler.CreateSetupKeyHandler).Methods("POST", "OPTIONS")
-	apiHandler.HandleFunc("/api/setup-keys/{id}", keysHandler.GetSetupKeyHandler).Methods("GET", "OPTIONS")
-	apiHandler.HandleFunc("/api/setup-keys/{id}", keysHandler.UpdateSetupKeyHandler).Methods("PUT", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys", keysHandler.GetKeys).Methods("POST", "OPTIONS")
+	apiHandler.HandleFunc("/api/setup-keys/{id}", keysHandler.HandleKey).
+		Methods("GET", "PUT", "DELETE", "OPTIONS")

 	apiHandler.HandleFunc("/api/rules", rulesHandler.GetAllRulesHandler).Methods("GET", "OPTIONS")
 	apiHandler.HandleFunc("/api/rules", rulesHandler.CreateRuleHandler).Methods("POST", "OPTIONS")
--- a/management/server/http/peers.go
+++ b/management/server/http/peers.go
@@ -11,7 +11,7 @@ import (
 	"net/http"
 )

-// Peers is a handler that returns peers of the account
+//Peers is a handler that returns peers of the account
 type Peers struct {
 	accountManager server.AccountManager
 	authAudience   string
@@ -42,7 +42,7 @@ func (h *Peers) updatePeer(account *server.Account, peer *server.Peer, w http.Re
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
 		return
 	}
-	writeJSONObject(w, toPeerResponse(&server.PeerInfo{Peer: peer}, account))
+	writeJSONObject(w, toPeerResponse(peer, account))
 }

 func (h *Peers) deletePeer(accountId string, peer *server.Peer, w http.ResponseWriter, r *http.Request) {
@@ -83,7 +83,7 @@ func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
 		h.updatePeer(account, peer, w, r)
 		return
 	case http.MethodGet:
-		writeJSONObject(w, toPeerResponse(&server.PeerInfo{Peer: peer}, account))
+		writeJSONObject(w, toPeerResponse(peer, account))
 		return

 	default:
@@ -93,34 +93,27 @@ func (h *Peers) HandlePeer(w http.ResponseWriter, r *http.Request) {
 }

 func (h *Peers) GetPeers(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodGet:
+		account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+		if err != nil {
+			log.Error(err)
+			http.Redirect(w, r, "/", http.StatusInternalServerError)
+			return
+		}

-	if r.Method != http.MethodGet {
+		respBody := []*api.Peer{}
+		for _, peer := range account.Peers {
+			respBody = append(respBody, toPeerResponse(peer, account))
+		}
+		writeJSONObject(w, respBody)
+		return
+	default:
 		http.Error(w, "", http.StatusNotFound)
 	}
-
-	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
-	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
-	}
-
-	peers, err := h.accountManager.GetPeers(account.Id)
-	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
-	}
-
-	respBody := []*api.Peer{}
-	for _, peer := range peers {
-		respBody = append(respBody, toPeerResponse(peer, account))
-	}
-	writeJSONObject(w, respBody)
-	return
 }

-func toPeerResponse(peer *server.PeerInfo, account *server.Account) *api.Peer {
+func toPeerResponse(peer *server.Peer, account *server.Account) *api.Peer {
 	var groupsInfo []api.GroupMinimum
 	groupsChecked := make(map[string]struct{})
 	for _, group := range account.Groups {
@@ -130,7 +123,7 @@ func toPeerResponse(peer *server.PeerInfo, account *server.Account) *api.Peer {
 		}
 		groupsChecked[group.ID] = struct{}{}
 		for _, pk := range group.Peers {
-			if pk == peer.Peer.Key {
+			if pk == peer.Key {
 				info := api.GroupMinimum{
 					Id:         group.ID,
 					Name:       group.Name,
@@ -141,26 +134,15 @@ func toPeerResponse(peer *server.PeerInfo, account *server.Account) *api.Peer {
 			}
 		}
 	}
-	resp := &api.Peer{
-		Id:         peer.Peer.IP.String(),
-		Name:       peer.Peer.Name,
-		Ip:         peer.Peer.IP.String(),
-		Connected:  peer.Peer.Status.Connected,
-		LastSeen:   peer.Peer.Status.LastSeen,
-		Os:         fmt.Sprintf("%s %s", peer.Peer.Meta.OS, peer.Peer.Meta.Core),
-		Version:    peer.Peer.Meta.WtVersion,
+	return &api.Peer{
+		Id:         peer.IP.String(),
+		Name:       peer.Name,
+		Ip:         peer.IP.String(),
+		Connected:  peer.Status.Connected,
+		LastSeen:   peer.Status.LastSeen,
+		Os:         fmt.Sprintf("%s %s", peer.Meta.OS, peer.Meta.Core),
+		Version:    peer.Meta.WtVersion,
 		Groups:     groupsInfo,
-		SshEnabled: peer.Peer.SSHEnabled,
-		HostName:   &peer.Peer.Meta.Hostname,
+		SshEnabled: peer.SSHEnabled,
 	}
-
-	if peer.UserInfo != nil {
-		resp.User = &api.UserMinimum{
-			Email: &peer.UserInfo.Email,
-			Id:    &peer.UserInfo.ID,
-			Name:  &peer.UserInfo.Name,
-		}
-	}
-
-	return resp
 }
--- a/management/server/http/routes.go
+++ b/management/server/http/routes.go
@@ -348,11 +348,6 @@ func (h *Routes) DeleteRouteHandler(w http.ResponseWriter, r *http.Request) {

 	err = h.accountManager.DeleteRoute(account.Id, routeID)
 	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if ok && errStatus.Code() == codes.NotFound {
-			http.Error(w, fmt.Sprintf("route %s not found under account %s", routeID, account.Id), http.StatusNotFound)
-			return
-		}
 		log.Errorf("failed delete route %s under account %s %v", routeID, account.Id, err)
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
 		return
--- a/management/server/http/routes_test.go
+++ b/management/server/http/routes_test.go
@@ -78,10 +78,7 @@ func initRoutesTestData() *Routes {
 			SaveRouteFunc: func(_ string, _ *route.Route) error {
 				return nil
 			},
-			DeleteRouteFunc: func(_ string, peerIP string) error {
-				if peerIP != existingRouteID {
-					return status.Errorf(codes.NotFound, "Peer with ID %s not found", peerIP)
-				}
+			DeleteRouteFunc: func(_ string, _ string) error {
 				return nil
 			},
 			GetPeerByIPFunc: func(_ string, peerIP string) (*server.Peer, error) {
@@ -158,7 +155,7 @@ func TestRoutesHandlers(t *testing.T) {
 		{
 			name:           "Get Not Existing Route",
 			requestType:    http.MethodGet,
-			requestPath:    "/api/routes/" + notFoundRouteID,
+			requestPath:    "/api/rules/" + notFoundRouteID,
 			expectedStatus: http.StatusNotFound,
 		},
 		{
@@ -171,7 +168,7 @@ func TestRoutesHandlers(t *testing.T) {
 		{
 			name:           "Delete Not Existing Route",
 			requestType:    http.MethodDelete,
-			requestPath:    "/api/routes/" + notFoundRouteID,
+			requestPath:    "/api/rules/" + notFoundRouteID,
 			expectedStatus: http.StatusNotFound,
 		},
 		{
--- a/management/server/http/setupkeys.go
+++ b/management/server/http/setupkeys.go
@@ -2,7 +2,6 @@ package http

 import (
 	"encoding/json"
-	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/netbirdio/netbird/management/server"
 	"github.com/netbirdio/netbird/management/server/http/api"
@@ -29,17 +28,54 @@ func NewSetupKeysHandler(accountManager server.AccountManager, authAudience stri
 	}
 }

-// CreateSetupKeyHandler is a POST requests that creates a new SetupKey
-func (h *SetupKeys) CreateSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
-	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
+func (h *SetupKeys) updateKey(accountId string, keyId string, w http.ResponseWriter, r *http.Request) {
+	req := &api.PutApiSetupKeysIdJSONRequestBody{}
+	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
 	}

+	var key *server.SetupKey
+	if req.Revoked {
+		//handle only if being revoked, don't allow to enable key again for now
+		key, err = h.accountManager.RevokeSetupKey(accountId, keyId)
+		if err != nil {
+			http.Error(w, "failed revoking key", http.StatusInternalServerError)
+			return
+		}
+	}
+	if len(req.Name) != 0 {
+		key, err = h.accountManager.RenameSetupKey(accountId, keyId, req.Name)
+		if err != nil {
+			http.Error(w, "failed renaming key", http.StatusInternalServerError)
+			return
+		}
+	}
+
+	if key != nil {
+		writeSuccess(w, key)
+	}
+}
+
+func (h *SetupKeys) getKey(accountId string, keyId string, w http.ResponseWriter, r *http.Request) {
+	account, err := h.accountManager.GetAccountById(accountId)
+	if err != nil {
+		http.Error(w, "account doesn't exist", http.StatusInternalServerError)
+		return
+	}
+	for _, key := range account.SetupKeys {
+		if key.Id == keyId {
+			writeSuccess(w, key)
+			return
+		}
+	}
+	http.Error(w, "setup key not found", http.StatusNotFound)
+}
+
+func (h *SetupKeys) createKey(accountId string, w http.ResponseWriter, r *http.Request) {
 	req := &api.PostApiSetupKeysJSONRequestBody{}
-	err = json.NewDecoder(r.Body).Decode(&req)
+	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
 		return
@@ -59,13 +95,7 @@ func (h *SetupKeys) CreateSetupKeyHandler(w http.ResponseWriter, r *http.Request

 	expiresIn := time.Duration(req.ExpiresIn) * time.Second

-	if req.AutoGroups == nil {
-		req.AutoGroups = []string{}
-	}
-	// newExpiresIn := time.Duration(req.ExpiresIn) * time.Second
-	// newKey.ExpiresAt = time.Now().Add(newExpiresIn)
-	setupKey, err := h.accountManager.CreateSetupKey(account.Id, req.Name, server.SetupKeyType(req.Type), expiresIn,
-		req.AutoGroups)
+	setupKey, err := h.accountManager.AddSetupKey(accountId, req.Name, server.SetupKeyType(req.Type), expiresIn)
 	if err != nil {
 		errStatus, ok := status.FromError(err)
 		if ok && errStatus.Code() == codes.NotFound {
@@ -79,8 +109,7 @@ func (h *SetupKeys) CreateSetupKeyHandler(w http.ResponseWriter, r *http.Request
 	writeSuccess(w, setupKey)
 }

-// GetSetupKeyHandler is a GET request to get a SetupKey by ID
-func (h *SetupKeys) GetSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
+func (h *SetupKeys) HandleKey(w http.ResponseWriter, r *http.Request) {
 	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
 	if err != nil {
 		log.Error(err)
@@ -89,104 +118,55 @@ func (h *SetupKeys) GetSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
 	}

 	vars := mux.Vars(r)
-	keyID := vars["id"]
-	if len(keyID) == 0 {
+	keyId := vars["id"]
+	if len(keyId) == 0 {
 		http.Error(w, "invalid key Id", http.StatusBadRequest)
 		return
 	}

-	key, err := h.accountManager.GetSetupKey(account.Id, keyID)
+	switch r.Method {
+	case http.MethodPut:
+		h.updateKey(account.Id, keyId, w, r)
+		return
+	case http.MethodGet:
+		h.getKey(account.Id, keyId, w, r)
+		return
+	default:
+		http.Error(w, "", http.StatusNotFound)
+	}
+}
+
+func (h *SetupKeys) GetKeys(w http.ResponseWriter, r *http.Request) {
+
+	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
 	if err != nil {
-		errStatus, ok := status.FromError(err)
-		if ok && errStatus.Code() == codes.NotFound {
-			http.Error(w, fmt.Sprintf("setup key %s not found under account %s", keyID, account.Id), http.StatusNotFound)
+		log.Error(err)
+		http.Redirect(w, r, "/", http.StatusInternalServerError)
+		return
+	}
+
+	switch r.Method {
+	case http.MethodPost:
+		h.createKey(account.Id, w, r)
+		return
+	case http.MethodGet:
+		w.WriteHeader(200)
+		w.Header().Set("Content-Type", "application/json")
+
+		respBody := []*api.SetupKey{}
+		for _, key := range account.SetupKeys {
+			respBody = append(respBody, toResponseBody(key))
+		}
+
+		err = json.NewEncoder(w).Encode(respBody)
+		if err != nil {
+			log.Errorf("failed encoding account peers %s: %v", account.Id, err)
+			http.Redirect(w, r, "/", http.StatusInternalServerError)
 			return
 		}
-		log.Errorf("failed getting setup key %s under account %s %v", keyID, account.Id, err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
+	default:
+		http.Error(w, "", http.StatusNotFound)
 	}
-
-	writeSuccess(w, key)
-}
-
-// UpdateSetupKeyHandler is a PUT request to update server.SetupKey
-func (h *SetupKeys) UpdateSetupKeyHandler(w http.ResponseWriter, r *http.Request) {
-	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
-	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
-	}
-
-	vars := mux.Vars(r)
-	keyID := vars["id"]
-	if len(keyID) == 0 {
-		http.Error(w, "invalid key Id", http.StatusBadRequest)
-		return
-	}
-
-	req := &api.PutApiSetupKeysIdJSONRequestBody{}
-	err = json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
-		return
-	}
-
-	if req.Name == "" {
-		http.Error(w, fmt.Sprintf("setup key name field is invalid: %s", req.Name), http.StatusBadRequest)
-		return
-	}
-
-	if req.AutoGroups == nil {
-		http.Error(w, fmt.Sprintf("setup key AutoGroups field is invalid: %s", req.AutoGroups), http.StatusBadRequest)
-		return
-	}
-
-	newKey := &server.SetupKey{}
-	newKey.AutoGroups = req.AutoGroups
-	newKey.Revoked = req.Revoked
-	newKey.Name = req.Name
-	newKey.Id = keyID
-
-	newKey, err = h.accountManager.SaveSetupKey(account.Id, newKey)
-
-	if err != nil {
-		if e, ok := status.FromError(err); ok {
-			switch e.Code() {
-			case codes.NotFound:
-				http.Error(w, fmt.Sprintf("couldn't find setup key for ID %s", keyID), http.StatusNotFound)
-			default:
-				http.Error(w, "failed updating setup key", http.StatusInternalServerError)
-			}
-		}
-		return
-	}
-	writeSuccess(w, newKey)
-}
-
-// GetAllSetupKeysHandler is a GET request that returns a list of SetupKey
-func (h *SetupKeys) GetAllSetupKeysHandler(w http.ResponseWriter, r *http.Request) {
-
-	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
-	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
-	}
-
-	setupKeys, err := h.accountManager.ListSetupKeys(account.Id)
-	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
-	}
-	apiSetupKeys := make([]*api.SetupKey, 0)
-	for _, key := range setupKeys {
-		apiSetupKeys = append(apiSetupKeys, toResponseBody(key))
-	}
-
-	writeJSONObject(w, apiSetupKeys)
 }

 func writeSuccess(w http.ResponseWriter, key *server.SetupKey) {
@@ -210,19 +190,16 @@ func toResponseBody(key *server.SetupKey) *api.SetupKey {
 	} else {
 		state = "valid"
 	}
-
 	return &api.SetupKey{
-		Id:         key.Id,
-		Key:        key.Key,
-		Name:       key.Name,
-		Expires:    key.ExpiresAt,
-		Type:       string(key.Type),
-		Valid:      key.IsValid(),
-		Revoked:    key.Revoked,
-		UsedTimes:  key.UsedTimes,
-		LastUsed:   key.LastUsed,
-		State:      state,
-		AutoGroups: key.AutoGroups,
-		UpdatedAt:  key.UpdatedAt,
+		Id:        key.Id,
+		Key:       key.Key,
+		Name:      key.Name,
+		Expires:   key.ExpiresAt,
+		Type:      string(key.Type),
+		Valid:     key.IsValid(),
+		Revoked:   key.Revoked,
+		UsedTimes: key.UsedTimes,
+		LastUsed:  key.LastUsed,
+		State:     state,
 	}
 }
--- a/management/server/http/setupkeys_test.go
+++ b/management/server/http/setupkeys_test.go
@@ -1,222 +0,0 @@
-package http
-
-import (
-	"bytes"
-	"encoding/json"
-	"fmt"
-	"github.com/gorilla/mux"
-	"github.com/netbirdio/netbird/management/server/http/api"
-	"github.com/stretchr/testify/assert"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/netbirdio/netbird/management/server/jwtclaims"
-
-	"github.com/netbirdio/netbird/management/server"
-	"github.com/netbirdio/netbird/management/server/mock_server"
-)
-
-const (
-	existingSetupKeyID  = "existingSetupKeyID"
-	newSetupKeyName     = "New Setup Key"
-	updatedSetupKeyName = "KKKey"
-	notFoundSetupKeyID  = "notFoundSetupKeyID"
-)
-
-func initSetupKeysTestMetaData(defaultKey *server.SetupKey, newKey *server.SetupKey, updatedSetupKey *server.SetupKey) *SetupKeys {
-	return &SetupKeys{
-		accountManager: &mock_server.MockAccountManager{
-			GetAccountWithAuthorizationClaimsFunc: func(claims jwtclaims.AuthorizationClaims) (*server.Account, error) {
-				return &server.Account{
-					Id:     testAccountID,
-					Domain: "hotmail.com",
-					SetupKeys: map[string]*server.SetupKey{
-						defaultKey.Key: defaultKey,
-					},
-					Groups: map[string]*server.Group{
-						"group-1": {ID: "group-1", Peers: []string{"A", "B"}},
-						"id-all":  {ID: "id-all", Name: "All"}},
-				}, nil
-			},
-			CreateSetupKeyFunc: func(_ string, keyName string, typ server.SetupKeyType, _ time.Duration, _ []string) (*server.SetupKey, error) {
-				if keyName == newKey.Name || typ != newKey.Type {
-					return newKey, nil
-				}
-				return nil, fmt.Errorf("failed creating setup key")
-			},
-			GetSetupKeyFunc: func(accountID string, keyID string) (*server.SetupKey, error) {
-				switch keyID {
-				case defaultKey.Id:
-					return defaultKey, nil
-				case newKey.Id:
-					return newKey, nil
-				default:
-					return nil, status.Errorf(codes.NotFound, "key %s not found", keyID)
-				}
-			},
-
-			SaveSetupKeyFunc: func(accountID string, key *server.SetupKey) (*server.SetupKey, error) {
-				if key.Id == updatedSetupKey.Id {
-					return updatedSetupKey, nil
-				}
-				return nil, status.Errorf(codes.NotFound, "key %s not found", key.Id)
-			},
-
-			ListSetupKeysFunc: func(accountID string) ([]*server.SetupKey, error) {
-				return []*server.SetupKey{defaultKey}, nil
-			},
-		},
-		authAudience: "",
-		jwtExtractor: jwtclaims.ClaimsExtractor{
-			ExtractClaimsFromRequestContext: func(r *http.Request, authAudience string) jwtclaims.AuthorizationClaims {
-				return jwtclaims.AuthorizationClaims{
-					UserId:    "test_user",
-					Domain:    "hotmail.com",
-					AccountId: testAccountID,
-				}
-			},
-		},
-	}
-}
-
-func TestSetupKeysHandlers(t *testing.T) {
-	defaultSetupKey := server.GenerateDefaultSetupKey()
-	defaultSetupKey.Id = existingSetupKeyID
-
-	newSetupKey := server.GenerateSetupKey(newSetupKeyName, server.SetupKeyReusable, 0, []string{"group-1"})
-	updatedDefaultSetupKey := defaultSetupKey.Copy()
-	updatedDefaultSetupKey.AutoGroups = []string{"group-1"}
-	updatedDefaultSetupKey.Name = updatedSetupKeyName
-	updatedDefaultSetupKey.Revoked = true
-
-	tt := []struct {
-		name              string
-		requestType       string
-		requestPath       string
-		requestBody       io.Reader
-		expectedStatus    int
-		expectedBody      bool
-		expectedSetupKey  *api.SetupKey
-		expectedSetupKeys []*api.SetupKey
-	}{
-		{
-			name:              "Get Setup Keys",
-			requestType:       http.MethodGet,
-			requestPath:       "/api/setup-keys",
-			expectedStatus:    http.StatusOK,
-			expectedBody:      true,
-			expectedSetupKeys: []*api.SetupKey{toResponseBody(defaultSetupKey)},
-		},
-		{
-			name:             "Get Existing Setup Key",
-			requestType:      http.MethodGet,
-			requestPath:      "/api/setup-keys/" + existingSetupKeyID,
-			expectedStatus:   http.StatusOK,
-			expectedBody:     true,
-			expectedSetupKey: toResponseBody(defaultSetupKey),
-		},
-		{
-			name:           "Get Not Existing Setup Key",
-			requestType:    http.MethodGet,
-			requestPath:    "/api/setup-keys/" + notFoundSetupKeyID,
-			expectedStatus: http.StatusNotFound,
-			expectedBody:   false,
-		},
-		{
-			name:        "Create Setup Key",
-			requestType: http.MethodPost,
-			requestPath: "/api/setup-keys",
-			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf("{\"name\":\"%s\",\"type\":\"%s\"}", newSetupKey.Name, newSetupKey.Type))),
-			expectedStatus:   http.StatusOK,
-			expectedBody:     true,
-			expectedSetupKey: toResponseBody(newSetupKey),
-		},
-		{
-			name:        "Update Setup Key",
-			requestType: http.MethodPut,
-			requestPath: "/api/setup-keys/" + defaultSetupKey.Id,
-			requestBody: bytes.NewBuffer(
-				[]byte(fmt.Sprintf("{\"name\":\"%s\",\"auto_groups\":[\"%s\"], \"revoked\":%v}",
-					updatedDefaultSetupKey.Type,
-					updatedDefaultSetupKey.AutoGroups[0],
-					updatedDefaultSetupKey.Revoked,
-				))),
-			expectedStatus:   http.StatusOK,
-			expectedBody:     true,
-			expectedSetupKey: toResponseBody(updatedDefaultSetupKey),
-		},
-	}
-
-	handler := initSetupKeysTestMetaData(defaultSetupKey, newSetupKey, updatedDefaultSetupKey)
-
-	for _, tc := range tt {
-		t.Run(tc.name, func(t *testing.T) {
-			recorder := httptest.NewRecorder()
-			req := httptest.NewRequest(tc.requestType, tc.requestPath, tc.requestBody)
-
-			router := mux.NewRouter()
-			router.HandleFunc("/api/setup-keys", handler.GetAllSetupKeysHandler).Methods("GET", "OPTIONS")
-			router.HandleFunc("/api/setup-keys", handler.CreateSetupKeyHandler).Methods("POST", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{id}", handler.GetSetupKeyHandler).Methods("GET", "OPTIONS")
-			router.HandleFunc("/api/setup-keys/{id}", handler.UpdateSetupKeyHandler).Methods("PUT", "OPTIONS")
-			router.ServeHTTP(recorder, req)
-
-			res := recorder.Result()
-			defer res.Body.Close()
-
-			content, err := io.ReadAll(res.Body)
-			if err != nil {
-				t.Fatalf("I don't know what I expected; %v", err)
-			}
-
-			if status := recorder.Code; status != tc.expectedStatus {
-				t.Errorf("handler returned wrong status code: got %v want %v, content: %s",
-					status, tc.expectedStatus, string(content))
-				return
-			}
-
-			if !tc.expectedBody {
-				return
-			}
-
-			if tc.expectedSetupKey != nil {
-				got := &api.SetupKey{}
-				if err = json.Unmarshal(content, &got); err != nil {
-					t.Fatalf("Sent content is not in correct json format; %v", err)
-				}
-				assertKeys(t, got, tc.expectedSetupKey)
-				return
-			}
-
-			if len(tc.expectedSetupKeys) > 0 {
-				var got []*api.SetupKey
-				if err = json.Unmarshal(content, &got); err != nil {
-					t.Fatalf("Sent content is not in correct json format; %v", err)
-				}
-				assertKeys(t, got[0], tc.expectedSetupKeys[0])
-				return
-			}
-
-		})
-	}
-}
-
-func assertKeys(t *testing.T, got *api.SetupKey, expected *api.SetupKey) {
-	// this comparison is done manually because when converting to JSON dates formatted differently
-	// assert.Equal(t, got.UpdatedAt, tc.expectedSetupKey.UpdatedAt) //doesn't work
-	assert.WithinDurationf(t, got.UpdatedAt, expected.UpdatedAt, 0, "")
-	assert.WithinDurationf(t, got.Expires, expected.Expires, 0, "")
-	assert.Equal(t, got.Name, expected.Name)
-	assert.Equal(t, got.Id, expected.Id)
-	assert.Equal(t, got.Key, expected.Key)
-	assert.Equal(t, got.Type, expected.Type)
-	assert.Equal(t, got.UsedTimes, expected.UsedTimes)
-	assert.Equal(t, got.Revoked, expected.Revoked)
-	assert.ElementsMatch(t, got.AutoGroups, expected.AutoGroups)
-}
--- a/management/server/http/users.go
+++ b/management/server/http/users.go
@@ -1,12 +1,7 @@
 package http

 import (
-	"encoding/json"
-	"fmt"
-	"github.com/gorilla/mux"
 	"github.com/netbirdio/netbird/management/server/http/api"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 	"net/http"

 	log "github.com/sirupsen/logrus"
@@ -29,59 +24,6 @@ func NewUserHandler(accountManager server.AccountManager, authAudience string) *
 	}
 }

-// UpdateUser is a PUT requests to update User data
-func (h *UserHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
-	if r.Method != http.MethodPut {
-		http.Error(w, "", http.StatusBadRequest)
-	}
-
-	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
-	if err != nil {
-		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
-	}
-
-	vars := mux.Vars(r)
-	userID := vars["id"]
-	if len(userID) == 0 {
-		http.Error(w, "invalid user ID", http.StatusBadRequest)
-		return
-	}
-
-	req := &api.PutApiUsersIdJSONRequestBody{}
-	err = json.NewDecoder(r.Body).Decode(&req)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusBadRequest)
-		return
-	}
-
-	userRole := server.StrRoleToUserRole(req.Role)
-	if userRole == server.UserRoleUnknown {
-		http.Error(w, "invalid user role", http.StatusBadRequest)
-		return
-	}
-
-	newUser, err := h.accountManager.SaveUser(account.Id, &server.User{
-		Id:         userID,
-		Role:       userRole,
-		AutoGroups: req.AutoGroups,
-	})
-	if err != nil {
-		if e, ok := status.FromError(err); ok {
-			switch e.Code() {
-			case codes.NotFound:
-				http.Error(w, fmt.Sprintf("couldn't find a user for ID %s", userID), http.StatusNotFound)
-			default:
-				http.Error(w, "failed to update user", http.StatusInternalServerError)
-			}
-		}
-		return
-	}
-	writeJSONObject(w, toUserResponse(newUser))
-
-}
-
 // GetUsers returns a list of users of the account this user belongs to.
 // It also gathers additional user data (like email and name) from the IDP manager.
 func (h *UserHandler) GetUsers(w http.ResponseWriter, r *http.Request) {
@@ -92,11 +34,9 @@ func (h *UserHandler) GetUsers(w http.ResponseWriter, r *http.Request) {
 	account, err := getJWTAccount(h.accountManager, h.jwtExtractor, h.authAudience, r)
 	if err != nil {
 		log.Error(err)
-		http.Redirect(w, r, "/", http.StatusInternalServerError)
-		return
 	}

-	data, err := h.accountManager.GetUsers(account.Id)
+	data, err := h.accountManager.GetUsersFromAccount(account.Id)
 	if err != nil {
 		log.Error(err)
 		http.Redirect(w, r, "/", http.StatusInternalServerError)
@@ -112,17 +52,10 @@ func (h *UserHandler) GetUsers(w http.ResponseWriter, r *http.Request) {
 }

 func toUserResponse(user *server.UserInfo) *api.User {
-
-	autoGroups := user.AutoGroups
-	if autoGroups == nil {
-		autoGroups = []string{}
-	}
-
 	return &api.User{
-		Id:         user.ID,
-		Name:       user.Name,
-		Email:      user.Email,
-		Role:       user.Role,
-		AutoGroups: autoGroups,
+		Id:    user.ID,
+		Name:  user.Name,
+		Email: user.Email,
+		Role:  user.Role,
 	}
 }
--- a/management/server/mock_server/account_mock.go
+++ b/management/server/mock_server/account_mock.go
@@ -12,8 +12,9 @@ import (
 type MockAccountManager struct {
 	GetOrCreateAccountByUserFunc          func(userId, domain string) (*server.Account, error)
 	GetAccountByUserFunc                  func(userId string) (*server.Account, error)
-	CreateSetupKeyFunc                    func(accountId string, keyName string, keyType server.SetupKeyType, expiresIn time.Duration, autoGroups []string) (*server.SetupKey, error)
-	GetSetupKeyFunc                       func(accountID string, keyID string) (*server.SetupKey, error)
+	AddSetupKeyFunc                       func(accountId string, keyName string, keyType server.SetupKeyType, expiresIn time.Duration) (*server.SetupKey, error)
+	RevokeSetupKeyFunc                    func(accountId string, keyId string) (*server.SetupKey, error)
+	RenameSetupKeyFunc                    func(accountId string, keyId string, newName string) (*server.SetupKey, error)
 	GetAccountByIdFunc                    func(accountId string) (*server.Account, error)
 	GetAccountByUserOrAccountIdFunc       func(userId, accountId, domain string) (*server.Account, error)
 	GetAccountWithAuthorizationClaimsFunc func(claims jwtclaims.AuthorizationClaims) (*server.Account, error)
@@ -50,9 +51,6 @@ type MockAccountManager struct {
 	UpdateRouteFunc                       func(accountID string, routeID string, operations []server.RouteUpdateOperation) (*route.Route, error)
 	DeleteRouteFunc                       func(accountID, routeID string) error
 	ListRoutesFunc                        func(accountID string) ([]*route.Route, error)
-	SaveSetupKeyFunc                      func(accountID string, key *server.SetupKey) (*server.SetupKey, error)
-	ListSetupKeysFunc                     func(accountID string) ([]*server.SetupKey, error)
-	SaveUserFunc                          func(accountID string, user *server.User) (*server.UserInfo, error)
 }

 // GetUsersFromAccount mock implementation of GetUsersFromAccount from server.AccountManager interface
@@ -60,7 +58,7 @@ func (am *MockAccountManager) GetUsersFromAccount(accountID string) ([]*server.U
 	if am.GetUsersFromAccountFunc != nil {
 		return am.GetUsersFromAccountFunc(accountID)
 	}
-	return nil, status.Errorf(codes.Unimplemented, "method GetUsers is not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method GetUsersFromAccount is not implemented")
 }

 // GetOrCreateAccountByUser mock implementation of GetOrCreateAccountByUser from server.AccountManager interface
@@ -84,18 +82,40 @@ func (am *MockAccountManager) GetAccountByUser(userId string) (*server.Account,
 	return nil, status.Errorf(codes.Unimplemented, "method GetAccountByUser is not implemented")
 }

-// CreateSetupKey mock implementation of CreateSetupKey from server.AccountManager interface
-func (am *MockAccountManager) CreateSetupKey(
+// AddSetupKey mock implementation of AddSetupKey from server.AccountManager interface
+func (am *MockAccountManager) AddSetupKey(
 	accountId string,
 	keyName string,
 	keyType server.SetupKeyType,
 	expiresIn time.Duration,
-	autoGroups []string,
 ) (*server.SetupKey, error) {
-	if am.CreateSetupKeyFunc != nil {
-		return am.CreateSetupKeyFunc(accountId, keyName, keyType, expiresIn, autoGroups)
+	if am.AddSetupKeyFunc != nil {
+		return am.AddSetupKeyFunc(accountId, keyName, keyType, expiresIn)
 	}
-	return nil, status.Errorf(codes.Unimplemented, "method CreateSetupKey is not implemented")
+	return nil, status.Errorf(codes.Unimplemented, "method AddSetupKey is not implemented")
+}
+
+// RevokeSetupKey mock implementation of RevokeSetupKey from server.AccountManager interface
+func (am *MockAccountManager) RevokeSetupKey(
+	accountId string,
+	keyId string,
+) (*server.SetupKey, error) {
+	if am.RevokeSetupKeyFunc != nil {
+		return am.RevokeSetupKeyFunc(accountId, keyId)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method RevokeSetupKey is not implemented")
+}
+
+// RenameSetupKey mock implementation of RenameSetupKey from server.AccountManager interface
+func (am *MockAccountManager) RenameSetupKey(
+	accountId string,
+	keyId string,
+	newName string,
+) (*server.SetupKey, error) {
+	if am.RenameSetupKeyFunc != nil {
+		return am.RenameSetupKeyFunc(accountId, keyId, newName)
+	}
+	return nil, status.Errorf(codes.Unimplemented, "method RenameSetupKey is not implemented")
 }

 // GetAccountById mock implementation of GetAccountById from server.AccountManager interface
@@ -395,38 +415,3 @@ func (am *MockAccountManager) ListRoutes(accountID string) ([]*route.Route, erro
 	}
 	return nil, status.Errorf(codes.Unimplemented, "method ListRoutes is not implemented")
 }
-
-// SaveSetupKey mocks SaveSetupKey of the AccountManager interface
-func (am *MockAccountManager) SaveSetupKey(accountID string, key *server.SetupKey) (*server.SetupKey, error) {
-	if am.SaveSetupKeyFunc != nil {
-		return am.SaveSetupKeyFunc(accountID, key)
-	}
-
-	return nil, status.Errorf(codes.Unimplemented, "method SaveSetupKey is not implemented")
-}
-
-// GetSetupKey mocks GetSetupKey of the AccountManager interface
-func (am *MockAccountManager) GetSetupKey(accountID, keyID string) (*server.SetupKey, error) {
-	if am.GetSetupKeyFunc != nil {
-		return am.GetSetupKeyFunc(accountID, keyID)
-	}
-
-	return nil, status.Errorf(codes.Unimplemented, "method GetSetupKey is not implemented")
-}
-
-// ListSetupKeys mocks ListSetupKeys of the AccountManager interface
-func (am *MockAccountManager) ListSetupKeys(accountID string) ([]*server.SetupKey, error) {
-	if am.ListSetupKeysFunc != nil {
-		return am.ListSetupKeysFunc(accountID)
-	}
-
-	return nil, status.Errorf(codes.Unimplemented, "method ListSetupKeys is not implemented")
-}
-
-// SaveUser mocks SaveUser of the AccountManager interface
-func (am *MockAccountManager) SaveUser(accountID string, user *server.User) (*server.UserInfo, error) {
-	if am.SaveUserFunc != nil {
-		return am.SaveUserFunc(accountID, user)
-	}
-	return nil, status.Errorf(codes.Unimplemented, "method SaveUser is not implemented")
-}
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -31,12 +31,6 @@ type PeerStatus struct {
 	Connected bool
 }

-// PeerInfo is a composition of Peer and additional UserInfo
-type PeerInfo struct {
-	Peer     *Peer
-	UserInfo *UserInfo
-}
-
 // Peer represents a machine connected to the network.
 // The Peer is a Wireguard peer identified by a public key
 type Peer struct {
@@ -74,44 +68,6 @@ func (p *Peer) Copy() *Peer {
 	}
 }

-// GetPeers returns a list of Peers belonging to the specified account
-func (am *DefaultAccountManager) GetPeers(accountID string) ([]*PeerInfo, error) {
-	am.mux.Lock()
-	defer am.mux.Unlock()
-
-	account, err := am.Store.GetAccount(accountID)
-	if err != nil {
-		return nil, status.Errorf(codes.NotFound, "account not found")
-	}
-
-	users, err := am.getUsersInfos(account)
-	if err != nil {
-		return nil, err
-	}
-
-	var userMap = make(map[string]*UserInfo)
-	for _, user := range users {
-		userMap[user.ID] = user
-	}
-
-	var peerInfos []*PeerInfo
-	for _, peer := range account.Peers {
-		if peer.UserID == "" {
-			peerInfos = append(peerInfos, &PeerInfo{
-				Peer:     peer,
-				UserInfo: nil,
-			})
-		} else {
-			peerInfos = append(peerInfos, &PeerInfo{
-				Peer:     peer.Copy(),
-				UserInfo: userMap[peer.UserID],
-			})
-		}
-	}
-
-	return peerInfos, nil
-}
-
 // GetPeer returns a peer from a Store
 func (am *DefaultAccountManager) GetPeer(peerKey string) (*Peer, error) {
 	am.mux.Lock()
@@ -338,8 +294,6 @@ func (am *DefaultAccountManager) AddPeer(
 	var account *Account
 	var err error
 	var sk *SetupKey
-	// auto-assign groups that are coming with a SetupKey or a User
-	var groupsToAdd []string
 	if len(upperKey) != 0 {
 		account, err = am.Store.GetAccountBySetupKey(upperKey)
 		if err != nil {
@@ -367,20 +321,11 @@ func (am *DefaultAccountManager) AddPeer(
 			)
 		}

-		groupsToAdd = sk.AutoGroups
-
 	} else if len(userID) != 0 {
 		account, err = am.Store.GetUserAccount(userID)
 		if err != nil {
 			return nil, status.Errorf(codes.NotFound, "unable to register peer, unknown user with ID: %s", userID)
 		}
-		user, ok := account.Users[userID]
-		if !ok {
-			return nil, status.Errorf(codes.NotFound, "unable to register peer, unknown user with ID: %s", userID)
-		}
-
-		groupsToAdd = user.AutoGroups
-
 	} else {
 		// Empty setup key and jwt fail
 		return nil, status.Errorf(codes.InvalidArgument, "no setup key or user id provided")
@@ -416,14 +361,6 @@ func (am *DefaultAccountManager) AddPeer(
 	}
 	group.Peers = append(group.Peers, newPeer.Key)

-	if len(groupsToAdd) > 0 {
-		for _, s := range groupsToAdd {
-			if g, ok := account.Groups[s]; ok && g.Name != "All" {
-				g.Peers = append(g.Peers, newPeer.Key)
-			}
-		}
-	}
-
 	account.Peers[newPeer.Key] = newPeer
 	if len(upperKey) != 0 {
 		account.SetupKeys[sk.Key] = sk.IncrementUsage()
--- a/management/server/setupkey.go
+++ b/management/server/setupkey.go
@@ -1,10 +1,7 @@
 package server

 import (
-	"fmt"
 	"github.com/google/uuid"
-	"google.golang.org/grpc/codes"
-	"google.golang.org/grpc/status"
 	"hash/fnv"
 	"strconv"
 	"strings"
@@ -21,41 +18,8 @@ const (
 	DefaultSetupKeyDuration = 24 * 30 * time.Hour
 	// DefaultSetupKeyName is a default name of the default setup key
 	DefaultSetupKeyName = "Default key"
-
-	// UpdateSetupKeyName indicates a setup key name update operation
-	UpdateSetupKeyName SetupKeyUpdateOperationType = iota
-	// UpdateSetupKeyRevoked indicates a setup key revoked filed update operation
-	UpdateSetupKeyRevoked
-	// UpdateSetupKeyAutoGroups indicates a setup key auto-assign groups update operation
-	UpdateSetupKeyAutoGroups
-	// UpdateSetupKeyExpiresAt indicates a setup key expiration time update operation
-	UpdateSetupKeyExpiresAt
 )

-// SetupKeyUpdateOperationType operation type
-type SetupKeyUpdateOperationType int
-
-func (t SetupKeyUpdateOperationType) String() string {
-	switch t {
-	case UpdateSetupKeyName:
-		return "UpdateSetupKeyName"
-	case UpdateSetupKeyRevoked:
-		return "UpdateSetupKeyRevoked"
-	case UpdateSetupKeyAutoGroups:
-		return "UpdateSetupKeyAutoGroups"
-	case UpdateSetupKeyExpiresAt:
-		return "UpdateSetupKeyExpiresAt"
-	default:
-		return "InvalidOperation"
-	}
-}
-
-// SetupKeyUpdateOperation operation object with type and values to be applied
-type SetupKeyUpdateOperation struct {
-	Type   SetupKeyUpdateOperationType
-	Values []string
-}
-
 // SetupKeyType is the type of setup key
 type SetupKeyType string

@@ -67,40 +31,30 @@ type SetupKey struct {
 	Type      SetupKeyType
 	CreatedAt time.Time
 	ExpiresAt time.Time
-	UpdatedAt time.Time
 	// Revoked indicates whether the key was revoked or not (we don't remove them for tracking purposes)
 	Revoked bool
 	// UsedTimes indicates how many times the key was used
 	UsedTimes int
 	// LastUsed last time the key was used for peer registration
 	LastUsed time.Time
-	// AutoGroups is a list of Group IDs that are auto assigned to a Peer when it uses this key to register
-	AutoGroups []string
 }

-// Copy copies SetupKey to a new object
+//Copy copies SetupKey to a new object
 func (key *SetupKey) Copy() *SetupKey {
-	autoGroups := make([]string, 0)
-	autoGroups = append(autoGroups, key.AutoGroups...)
-	if key.UpdatedAt.IsZero() {
-		key.UpdatedAt = key.CreatedAt
-	}
 	return &SetupKey{
-		Id:         key.Id,
-		Key:        key.Key,
-		Name:       key.Name,
-		Type:       key.Type,
-		CreatedAt:  key.CreatedAt,
-		ExpiresAt:  key.ExpiresAt,
-		UpdatedAt:  key.UpdatedAt,
-		Revoked:    key.Revoked,
-		UsedTimes:  key.UsedTimes,
-		LastUsed:   key.LastUsed,
-		AutoGroups: autoGroups,
+		Id:        key.Id,
+		Key:       key.Key,
+		Name:      key.Name,
+		Type:      key.Type,
+		CreatedAt: key.CreatedAt,
+		ExpiresAt: key.ExpiresAt,
+		Revoked:   key.Revoked,
+		UsedTimes: key.UsedTimes,
+		LastUsed:  key.LastUsed,
 	}
 }

-// IncrementUsage makes a copy of a key, increments the UsedTimes by 1 and sets LastUsed to now
+//IncrementUsage makes a copy of a key, increments the UsedTimes by 1 and sets LastUsed to now
 func (key *SetupKey) IncrementUsage() *SetupKey {
 	c := key.Copy()
 	c.UsedTimes = c.UsedTimes + 1
@@ -129,25 +83,24 @@ func (key *SetupKey) IsOverUsed() bool {
 }

 // GenerateSetupKey generates a new setup key
-func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration, autoGroups []string) *SetupKey {
+func GenerateSetupKey(name string, t SetupKeyType, validFor time.Duration) *SetupKey {
 	key := strings.ToUpper(uuid.New().String())
+	createdAt := time.Now()
 	return &SetupKey{
-		Id:         strconv.Itoa(int(Hash(key))),
-		Key:        key,
-		Name:       name,
-		Type:       t,
-		CreatedAt:  time.Now(),
-		ExpiresAt:  time.Now().Add(validFor),
-		UpdatedAt:  time.Now(),
-		Revoked:    false,
-		UsedTimes:  0,
-		AutoGroups: autoGroups,
+		Id:        strconv.Itoa(int(Hash(key))),
+		Key:       key,
+		Name:      name,
+		Type:      t,
+		CreatedAt: createdAt,
+		ExpiresAt: createdAt.Add(validFor),
+		Revoked:   false,
+		UsedTimes: 0,
 	}
 }

 // GenerateDefaultSetupKey generates a default setup key
 func GenerateDefaultSetupKey() *SetupKey {
-	return GenerateSetupKey(DefaultSetupKeyName, SetupKeyReusable, DefaultSetupKeyDuration, []string{})
+	return GenerateSetupKey(DefaultSetupKeyName, SetupKeyReusable, DefaultSetupKeyDuration)
 }

 func Hash(s string) uint32 {
@@ -158,127 +111,3 @@ func Hash(s string) uint32 {
 	}
 	return h.Sum32()
 }
-
-// CreateSetupKey generates a new setup key with a given name, type, list of groups IDs to auto-assign to peers registered with this key,
-// and adds it to the specified account. A list of autoGroups IDs can be empty.
-func (am *DefaultAccountManager) CreateSetupKey(accountID string, keyName string, keyType SetupKeyType,
-	expiresIn time.Duration, autoGroups []string) (*SetupKey, error) {
-	am.mux.Lock()
-	defer am.mux.Unlock()
-
-	keyDuration := DefaultSetupKeyDuration
-	if expiresIn != 0 {
-		keyDuration = expiresIn
-	}
-
-	account, err := am.Store.GetAccount(accountID)
-	if err != nil {
-		return nil, status.Errorf(codes.NotFound, "account not found")
-	}
-
-	for _, group := range autoGroups {
-		if _, ok := account.Groups[group]; !ok {
-			return nil, fmt.Errorf("group %s doesn't exist", group)
-		}
-	}
-
-	setupKey := GenerateSetupKey(keyName, keyType, keyDuration, autoGroups)
-	account.SetupKeys[setupKey.Key] = setupKey
-
-	err = am.Store.SaveAccount(account)
-	if err != nil {
-		return nil, status.Errorf(codes.Internal, "failed adding account key")
-	}
-
-	return setupKey, nil
-}
-
-// SaveSetupKey saves the provided SetupKey to the database overriding the existing one.
-// Due to the unique nature of a SetupKey certain properties must not be overwritten
-// (e.g. the key itself, creation date, ID, etc).
-// These properties are overwritten: Name, AutoGroups, Revoked. The rest is copied from the existing key.
-func (am *DefaultAccountManager) SaveSetupKey(accountID string, keyToSave *SetupKey) (*SetupKey, error) {
-	am.mux.Lock()
-	defer am.mux.Unlock()
-
-	if keyToSave == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "provided setup key to update is nil")
-	}
-
-	account, err := am.Store.GetAccount(accountID)
-	if err != nil {
-		return nil, status.Errorf(codes.NotFound, "account not found")
-	}
-
-	var oldKey *SetupKey
-	for _, key := range account.SetupKeys {
-		if key.Id == keyToSave.Id {
-			oldKey = key.Copy()
-			break
-		}
-	}
-	if oldKey == nil {
-		return nil, status.Errorf(codes.NotFound, "setup key not found")
-	}
-
-	// only auto groups, revoked status, and name can be updated for now
-	newKey := oldKey.Copy()
-	newKey.Name = keyToSave.Name
-	newKey.AutoGroups = keyToSave.AutoGroups
-	newKey.Revoked = keyToSave.Revoked
-	newKey.UpdatedAt = time.Now()
-
-	account.SetupKeys[newKey.Key] = newKey
-
-	if err = am.Store.SaveAccount(account); err != nil {
-		return nil, err
-	}
-
-	return newKey, am.updateAccountPeers(account)
-}
-
-// ListSetupKeys returns a list of all setup keys of the account
-func (am *DefaultAccountManager) ListSetupKeys(accountID string) ([]*SetupKey, error) {
-	am.mux.Lock()
-	defer am.mux.Unlock()
-	account, err := am.Store.GetAccount(accountID)
-	if err != nil {
-		return nil, status.Errorf(codes.NotFound, "account not found")
-	}
-
-	keys := make([]*SetupKey, 0, len(account.SetupKeys))
-	for _, key := range account.SetupKeys {
-		keys = append(keys, key.Copy())
-	}
-
-	return keys, nil
-}
-
-// GetSetupKey looks up a SetupKey by KeyID, returns NotFound error if not found.
-func (am *DefaultAccountManager) GetSetupKey(accountID, keyID string) (*SetupKey, error) {
-	am.mux.Lock()
-	defer am.mux.Unlock()
-
-	account, err := am.Store.GetAccount(accountID)
-	if err != nil {
-		return nil, status.Errorf(codes.NotFound, "account not found")
-	}
-
-	var foundKey *SetupKey
-	for _, key := range account.SetupKeys {
-		if key.Id == keyID {
-			foundKey = key.Copy()
-			break
-		}
-	}
-	if foundKey == nil {
-		return nil, status.Errorf(codes.NotFound, "setup key not found")
-	}
-
-	// the UpdatedAt field was introduced later, so there might be that some keys have a Zero value (e.g, null in the store file)
-	if foundKey.UpdatedAt.IsZero() {
-		foundKey.UpdatedAt = foundKey.CreatedAt
-	}
-
-	return foundKey, nil
-}
--- a/management/server/setupkey_test.go
+++ b/management/server/setupkey_test.go
@@ -2,159 +2,23 @@ package server

 import (
 	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
 	"strconv"
 	"testing"
 	"time"
 )

-func TestDefaultAccountManager_SaveSetupKey(t *testing.T) {
-	manager, err := createManager(t)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	userID := "test_user"
-	account, err := manager.GetOrCreateAccountByUser(userID, "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = manager.SaveGroup(account.Id, &Group{
-		ID:    "group_1",
-		Name:  "group_name_1",
-		Peers: []string{},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	expiresIn := time.Hour
-	keyName := "my-test-key"
-
-	key, err := manager.CreateSetupKey(account.Id, keyName, SetupKeyReusable, expiresIn, []string{})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	autoGroups := []string{"group_1", "group_2"}
-	newKeyName := "my-new-test-key"
-	revoked := true
-	newKey, err := manager.SaveSetupKey(account.Id, &SetupKey{
-		Id:         key.Id,
-		Name:       newKeyName,
-		Revoked:    revoked,
-		AutoGroups: autoGroups,
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	assertKey(t, newKey, newKeyName, revoked, "reusable", 0, key.CreatedAt, key.ExpiresAt,
-		key.Id, time.Now(), autoGroups)
-}
-
-func TestDefaultAccountManager_CreateSetupKey(t *testing.T) {
-	manager, err := createManager(t)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	userID := "test_user"
-	account, err := manager.GetOrCreateAccountByUser(userID, "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = manager.SaveGroup(account.Id, &Group{
-		ID:    "group_1",
-		Name:  "group_name_1",
-		Peers: []string{},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = manager.SaveGroup(account.Id, &Group{
-		ID:    "group_2",
-		Name:  "group_name_2",
-		Peers: []string{},
-	})
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	type testCase struct {
-		name string
-
-		expectedKeyName   string
-		expectedUsedTimes int
-		expectedType      string
-		expectedGroups    []string
-		expectedCreatedAt time.Time
-		expectedUpdatedAt time.Time
-		expectedExpiresAt time.Time
-		expectedFailure   bool //indicates whether key creation should fail
-	}
-
-	now := time.Now()
-	expiresIn := time.Hour
-	testCase1 := testCase{
-		name:              "Should Create Setup Key successfully",
-		expectedKeyName:   "my-test-key",
-		expectedUsedTimes: 0,
-		expectedType:      "reusable",
-		expectedGroups:    []string{"group_1", "group_2"},
-		expectedCreatedAt: now,
-		expectedUpdatedAt: now,
-		expectedExpiresAt: now.Add(expiresIn),
-		expectedFailure:   false,
-	}
-	testCase2 := testCase{
-		name:            "Create Setup Key should fail because of unexistent group",
-		expectedKeyName: "my-test-key",
-		expectedGroups:  []string{"FAKE"},
-		expectedFailure: true,
-	}
-
-	for _, tCase := range []testCase{testCase1, testCase2} {
-		t.Run(tCase.name, func(t *testing.T) {
-			key, err := manager.CreateSetupKey(account.Id, tCase.expectedKeyName, SetupKeyReusable, expiresIn,
-				tCase.expectedGroups)
-
-			if tCase.expectedFailure {
-				if err == nil {
-					t.Fatal("expected to fail")
-				}
-				return
-			}
-
-			if err != nil {
-				t.Fatal(err)
-			}
-
-			assertKey(t, key, tCase.expectedKeyName, false, tCase.expectedType, tCase.expectedUsedTimes,
-				tCase.expectedCreatedAt, tCase.expectedExpiresAt, strconv.Itoa(int(Hash(key.Key))),
-				tCase.expectedUpdatedAt, tCase.expectedGroups)
-		})
-	}
-
-}
-
 func TestGenerateDefaultSetupKey(t *testing.T) {
 	expectedName := "Default key"
 	expectedRevoke := false
 	expectedType := "reusable"
 	expectedUsedTimes := 0
 	expectedCreatedAt := time.Now()
-	expectedUpdatedAt := time.Now()
 	expectedExpiresAt := time.Now().Add(24 * 30 * time.Hour)
-	var expectedAutoGroups []string

 	key := GenerateDefaultSetupKey()

 	assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt,
-		expectedExpiresAt, strconv.Itoa(int(Hash(key.Key))), expectedUpdatedAt, expectedAutoGroups)
+		expectedExpiresAt, strconv.Itoa(int(Hash(key.Key))))

 }

@@ -165,44 +29,41 @@ func TestGenerateSetupKey(t *testing.T) {
 	expectedUsedTimes := 0
 	expectedCreatedAt := time.Now()
 	expectedExpiresAt := time.Now().Add(time.Hour)
-	expectedUpdatedAt := time.Now()
-	var expectedAutoGroups []string

-	key := GenerateSetupKey(expectedName, SetupKeyOneOff, time.Hour, []string{})
+	key := GenerateSetupKey(expectedName, SetupKeyOneOff, time.Hour)

-	assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt,
-		expectedExpiresAt, strconv.Itoa(int(Hash(key.Key))), expectedUpdatedAt, expectedAutoGroups)
+	assertKey(t, key, expectedName, expectedRevoke, expectedType, expectedUsedTimes, expectedCreatedAt, expectedExpiresAt, strconv.Itoa(int(Hash(key.Key))))

 }

 func TestSetupKey_IsValid(t *testing.T) {
-	validKey := GenerateSetupKey("valid key", SetupKeyOneOff, time.Hour, []string{})
+	validKey := GenerateSetupKey("valid key", SetupKeyOneOff, time.Hour)
 	if !validKey.IsValid() {
 		t.Errorf("expected key to be valid, got invalid %v", validKey)
 	}

 	// expired
-	expiredKey := GenerateSetupKey("invalid key", SetupKeyOneOff, -time.Hour, []string{})
+	expiredKey := GenerateSetupKey("invalid key", SetupKeyOneOff, -time.Hour)
 	if expiredKey.IsValid() {
 		t.Errorf("expected key to be invalid due to expiration, got valid %v", expiredKey)
 	}

 	// revoked
-	revokedKey := GenerateSetupKey("invalid key", SetupKeyOneOff, time.Hour, []string{})
+	revokedKey := GenerateSetupKey("invalid key", SetupKeyOneOff, time.Hour)
 	revokedKey.Revoked = true
 	if revokedKey.IsValid() {
 		t.Errorf("expected revoked key to be invalid, got valid %v", revokedKey)
 	}

 	// overused
-	overUsedKey := GenerateSetupKey("invalid key", SetupKeyOneOff, time.Hour, []string{})
+	overUsedKey := GenerateSetupKey("invalid key", SetupKeyOneOff, time.Hour)
 	overUsedKey.UsedTimes = 1
 	if overUsedKey.IsValid() {
 		t.Errorf("expected overused key to be invalid, got valid %v", overUsedKey)
 	}

 	// overused
-	reusableKey := GenerateSetupKey("valid key", SetupKeyReusable, time.Hour, []string{})
+	reusableKey := GenerateSetupKey("valid key", SetupKeyReusable, time.Hour)
 	reusableKey.UsedTimes = 99
 	if !reusableKey.IsValid() {
 		t.Errorf("expected reusable key to be valid when used many times, got valid %v", reusableKey)
@@ -210,8 +71,7 @@ func TestSetupKey_IsValid(t *testing.T) {
 }

 func assertKey(t *testing.T, key *SetupKey, expectedName string, expectedRevoke bool, expectedType string,
-	expectedUsedTimes int, expectedCreatedAt time.Time, expectedExpiresAt time.Time, expectedID string,
-	expectedUpdatedAt time.Time, expectedAutoGroups []string) {
+	expectedUsedTimes int, expectedCreatedAt time.Time, expectedExpiresAt time.Time, expectedID string) {
 	if key.Name != expectedName {
 		t.Errorf("expected setup key to have Name %v, got %v", expectedName, key.Name)
 	}
@@ -232,10 +92,6 @@ func assertKey(t *testing.T, key *SetupKey, expectedName string, expectedRevoke
 		t.Errorf("expected setup key to have ExpiresAt ~ %v, got %v", expectedExpiresAt, key.ExpiresAt)
 	}

-	if key.UpdatedAt.Sub(expectedUpdatedAt).Round(time.Hour) != 0 {
-		t.Errorf("expected setup key to have UpdatedAt ~ %v, got %v", expectedUpdatedAt, key.UpdatedAt)
-	}
-
 	if key.CreatedAt.Sub(expectedCreatedAt).Round(time.Hour) != 0 {
 		t.Errorf("expected setup key to have CreatedAt ~ %v, got %v", expectedCreatedAt, key.CreatedAt)
 	}
@@ -248,19 +104,13 @@ func assertKey(t *testing.T, key *SetupKey, expectedName string, expectedRevoke
 	if key.Id != strconv.Itoa(int(Hash(key.Key))) {
 		t.Errorf("expected key Id t= %v, got %v", expectedID, key.Id)
 	}
-
-	if len(key.AutoGroups) != len(expectedAutoGroups) {
-		t.Errorf("expected key AutoGroups size=%d, got %d", len(expectedAutoGroups), len(key.AutoGroups))
-	}
-	assert.ElementsMatch(t, key.AutoGroups, expectedAutoGroups, "expected key AutoGroups to be equal")
 }

 func TestSetupKey_Copy(t *testing.T) {

-	key := GenerateSetupKey("key name", SetupKeyOneOff, time.Hour, []string{})
+	key := GenerateSetupKey("key name", SetupKeyOneOff, time.Hour)
 	keyCopy := key.Copy()

-	assertKey(t, keyCopy, key.Name, key.Revoked, string(key.Type), key.UsedTimes, key.CreatedAt, key.ExpiresAt, key.Id,
-		key.UpdatedAt, key.AutoGroups)
+	assertKey(t, keyCopy, key.Name, key.Revoked, string(key.Type), key.UsedTimes, key.CreatedAt, key.ExpiresAt, key.Id)

 }
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -2,32 +2,19 @@ package server

 import (
 	"fmt"
-	"github.com/netbirdio/netbird/management/server/idp"
+	"strings"
+
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
-	"strings"

 	"github.com/netbirdio/netbird/management/server/jwtclaims"
 )

 const (
-	UserRoleAdmin   UserRole = "admin"
-	UserRoleUser    UserRole = "user"
-	UserRoleUnknown UserRole = "unknown"
+	UserRoleAdmin UserRole = "admin"
+	UserRoleUser  UserRole = "user"
 )

-// StrRoleToUserRole returns UserRole for a given strRole or UserRoleUnknown if the specified role is unknown
-func StrRoleToUserRole(strRole string) UserRole {
-	switch strings.ToLower(strRole) {
-	case "admin":
-		return UserRoleAdmin
-	case "user":
-		return UserRoleUser
-	default:
-		return UserRoleUnknown
-	}
-}
-
 // UserRole is the role of the User
 type UserRole string

@@ -35,56 +22,20 @@ type UserRole string
 type User struct {
 	Id   string
 	Role UserRole
-	// AutoGroups is a list of Group IDs to auto-assign to peers registered by this user
-	AutoGroups []string
 }

-// toUserInfo converts a User object to a UserInfo object.
-func (u *User) toUserInfo(userData *idp.UserData) (*UserInfo, error) {
-	autoGroups := u.AutoGroups
-	if autoGroups == nil {
-		autoGroups = []string{}
-	}
-
-	if userData == nil {
-		return &UserInfo{
-			ID:         u.Id,
-			Email:      "",
-			Name:       "",
-			Role:       string(u.Role),
-			AutoGroups: u.AutoGroups,
-		}, nil
-	}
-	if userData.ID != u.Id {
-		return nil, fmt.Errorf("wrong UserData provided for user %s", u.Id)
-	}
-
-	return &UserInfo{
-		ID:         u.Id,
-		Email:      userData.Email,
-		Name:       userData.Name,
-		Role:       string(u.Role),
-		AutoGroups: autoGroups,
-	}, nil
-}
-
-// Copy the user
 func (u *User) Copy() *User {
-	autoGroups := []string{}
-	autoGroups = append(autoGroups, u.AutoGroups...)
 	return &User{
-		Id:         u.Id,
-		Role:       u.Role,
-		AutoGroups: autoGroups,
+		Id:   u.Id,
+		Role: u.Role,
 	}
 }

 // NewUser creates a new user
 func NewUser(id string, role UserRole) *User {
 	return &User{
-		Id:         id,
-		Role:       role,
-		AutoGroups: []string{},
+		Id:   id,
+		Role: role,
 	}
 }

@@ -98,55 +49,6 @@ func NewAdminUser(id string) *User {
 	return NewUser(id, UserRoleAdmin)
 }

-// SaveUser saves updates a given user. If the user doesn't exit it will throw status.NotFound error.
-// Only User.AutoGroups field is allowed to be updated for now.
-func (am *DefaultAccountManager) SaveUser(accountID string, update *User) (*UserInfo, error) {
-	am.mux.Lock()
-	defer am.mux.Unlock()
-
-	if update == nil {
-		return nil, status.Errorf(codes.InvalidArgument, "provided user update is nil")
-	}
-
-	account, err := am.Store.GetAccount(accountID)
-	if err != nil {
-		return nil, status.Errorf(codes.NotFound, "account not found")
-	}
-
-	for _, newGroupID := range update.AutoGroups {
-		if _, ok := account.Groups[newGroupID]; !ok {
-			return nil,
-				status.Errorf(codes.InvalidArgument, "provided group ID %s in the user %s update doesn't exist",
-					newGroupID, update.Id)
-		}
-	}
-
-	oldUser := account.Users[update.Id]
-	if oldUser == nil {
-		return nil, status.Errorf(codes.NotFound, "update not found")
-	}
-
-	// only auto groups, revoked status, and name can be updated for now
-	newUser := oldUser.Copy()
-	newUser.AutoGroups = update.AutoGroups
-	newUser.Role = update.Role
-
-	account.Users[newUser.Id] = newUser
-
-	if err = am.Store.SaveAccount(account); err != nil {
-		return nil, err
-	}
-
-	if !isNil(am.idpManager) {
-		userData, err := am.lookupUserInCache(newUser, accountID)
-		if err != nil {
-			return nil, err
-		}
-		return newUser.toUserInfo(userData)
-	}
-	return newUser.toUserInfo(nil)
-}
-
 // GetOrCreateAccountByUser returns an existing account for a given user id or creates a new one if doesn't exist
 func (am *DefaultAccountManager) GetOrCreateAccountByUser(userId, domain string) (*Account, error) {
 	am.mux.Lock()
@@ -206,50 +108,3 @@ func (am *DefaultAccountManager) IsUserAdmin(claims jwtclaims.AuthorizationClaim

 	return user.Role == UserRoleAdmin, nil
 }
-
-func (am *DefaultAccountManager) getUsersInfos(account *Account) ([]*UserInfo, error) {
-	var err error
-	queriedUsers := make([]*idp.UserData, 0)
-	if !isNil(am.idpManager) {
-		queriedUsers, err = am.lookupCache(account.Users, account.Id)
-		if err != nil {
-			return nil, err
-		}
-	}
-
-	userInfos := make([]*UserInfo, 0)
-
-	// in case of self-hosted, or IDP doesn't return anything, we will return the locally stored userInfo
-	if len(queriedUsers) == 0 {
-		for _, user := range account.Users {
-			info, err := user.toUserInfo(nil)
-			if err != nil {
-				return nil, err
-			}
-			userInfos = append(userInfos, info)
-		}
-		return userInfos, nil
-	}
-
-	for _, queriedUser := range queriedUsers {
-		if localUser, contains := account.Users[queriedUser.ID]; contains {
-
-			info, err := localUser.toUserInfo(queriedUser)
-			if err != nil {
-				return nil, err
-			}
-			userInfos = append(userInfos, info)
-		}
-	}
-
-	return userInfos, nil
-}
-
-// GetUsers performs a batched request for users from IDP by account ID
-func (am *DefaultAccountManager) GetUsers(accountID string) ([]*UserInfo, error) {
-	account, err := am.GetAccountById(accountID)
-	if err != nil {
-		return nil, err
-	}
-	return am.getUsersInfos(account)
-}
Author	SHA1	Message	Date
braginini	f07671cf49	Fix RemoveConnByUfrag	2022-09-08 19:39:05 +02:00
braginini	5a504ee6be	Fix some iface issues	2022-09-07 21:59:01 +02:00
braginini	660b2542d2	Remove unused code	2022-09-07 21:40:45 +02:00
braginini	d0ad53b247	Remove unnecessary endpoint map	2022-09-07 19:40:34 +02:00
braginini	2cffe6526a	Add more logging	2022-09-07 19:02:17 +02:00
braginini	dded91235e	Refactor UDP mux to handle STUN only messages	2022-09-07 18:49:15 +02:00
braginini	314f34f916	Single Mux	2022-09-07 18:40:42 +02:00
braginini	eaf985624d	Single Mux	2022-09-07 18:39:58 +02:00
braginini	48b7c6ec3c	Fix TURN issue	2022-09-07 11:17:54 +02:00
braginini	acf271bf25	Merge remote-tracking branch 'origin/main' into feature/interface-bind	2022-09-07 11:09:45 +02:00
braginini	f49c299d77	Check for stun packet with a fixed size	2022-09-06 21:07:21 +02:00
braginini	73b5f8d63b	Proper endpoint log	2022-09-06 20:59:19 +02:00
braginini	6653894691	Remove unused code	2022-09-06 20:55:51 +02:00
braginini	a7facc2d72	Split UDPMux and UniversalUDPMux	2022-09-06 20:54:40 +02:00
braginini	0721b87c56	Split UDPMux and UniversalUDPMux	2022-09-06 20:44:49 +02:00
braginini	2829cce644	Implement ICEBind	2022-09-06 20:06:51 +02:00
braginini	9350c5f8d8	bind	2022-09-05 15:56:36 +02:00
braginini	2ae4c204af	Working single channel bind	2022-09-05 02:03:16 +02:00
braginini	f5e974c04c	Bind test	2022-09-04 22:52:52 +02:00